Hi, many people diskussing about this. In my opinion "standard-eth-int" is the better solution for a DMZ. Because i think its easyer to hack the tagging if a computer is hijacked than hacking the firewall from the hijacked computer in the DMZ.
that sounds good. but i have to learn more about vlans to understand what you are meaning with tagging. if i use standard interface for the dmz and if someone breaks a system in the dmz he´ll need to hack the interface to the internal net. so it´s something like a firewall behind a firwall. are i´m on the right way? and what is then the difference between the vlan?
A VLAN is a logical seperation of networks on the same physical (or not) networks. In order for a device to "talk" to another device that not is on a different subnet, but also is on a different VLAN, you need some sort of layer-3 device (router or firewall).
Whathe was talking about is that packets still traverse on the same physical network when there are other VLAN's in place. someone with a network sniffer can capture packets (broadbcast packets), learn what VLANs are on the network, and attempt to hijack packets, or gain access to a specific subnet that is on a different VLAN than another subnet. Read the article I posted, and that can help you understand what the potential risks are with VLANs.
