I understand that it is considered a less than 'best practice' to use a few ports in a VLAN-able switch matrix to "logically" isolate a DMZ from the private network. The better practice is to "physically" isolate the DMZ by putting it on a completely separate piece of switch hardware not related to the VLAN-able devices. I've reviewed some white papers but none have been terribly specific about this. There is a comment recommending the better practice in my GSEC study material but no references beyond a year 2000 document alluding to VLAN Hopping. Can any of you point me to a good source or two that document good rationale for the better practice? It looks and sounds perfectly logical to me - but that may not be forceful enough in this work environment.
Thanks.
roberto