Hi, I'm looking for some ideas to help decide if I want to push to host a DMZ on a physical interface other than the inside interface of the ASA. The issue here is cost. Right now we have a VMware environment hosted in a blade center. What I wanted was to move a couple blades to a segment on the ASA's DMZ interface. This would require 2 new blades and ESX licenses. The alternative is to build a trunk on the inside interface, create a subinterface, assign it a less trusted security level and have that subinterface be the logical DMZ interface. This would allow the VMware guys to create VM guests using their existing blades and VMware environment. I'm trying to come up with a list of pros and cons. Apart from physically separating the traffic and part of the bandwidth consumed, I can't think of any substantial downfalls to the approach of hosting the DMZ interface on the inside interface since I can modify the subinterface's trust level. Does anyone have any input?