A topic that I blogged about, VLANs in the DMZ, was taken up both by Ivan Pepelnjak and Colin McNamara. Colin points out that security is more about what is done in the complete path and not at a single point. There are a few extra points I would mention:

- Data should not be stored in a DMZ terminating incoming external connections. These should be limited to processing.
- VLAN hopping is a theoretical physical exploit and not a remote one.
- There has been no major security incident attributed to VLAN hopping as a cause.

After all these years, with cloud and virtualization up to our eyeballs, I wonder if Ivan will admit I was right?