I already have an answer I like on this one, "YES!".
Unfortunately I don't live in Mike-land while I'm at work. I need some reference architectures or authoritative security guides that explain why this is a best practice (at least where MPLS VRFs are available for use).
My short list of reasons is:
- More refined segmentation
- Easier standardization practices and associated documentation for tier I/II support staff
- Easier to troubleshoot when route tables are differentiated (wireless VRFs and wired VRFs)
- Easier to observe and isolate traffic (at the firewall or router) in case of a security breach
...I could go on.
Any good documentation on this out there? I can't find much.
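As an added illustration of the segmentation point above (not from the original post or any vendor guide): a minimal Cisco IOS VRF-lite configuration that puts wired and wireless access in separate route tables, with no route leaking between them, so any wired-to-wireless traffic has to traverse the firewall where it can be logged and filtered. The VRF names, route distinguishers, interface numbers and addresses are constructed for the example.

```cisco
! Constructed example: two VRFs, no inter-VRF leaking (no route-target import/export)
vrf definition WIRED
 rd 65000:1
 address-family ipv4
 exit-address-family
!
vrf definition WIRELESS
 rd 65000:2
 address-family ipv4
 exit-address-family
!
! Access-side interfaces, one per VRF
interface GigabitEthernet0/1
 description Wired access segment
 vrf forwarding WIRED
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Wireless (WLC/AP) segment
 vrf forwarding WIRELESS
 ip address 10.2.0.1 255.255.255.0
!
! Firewall-facing interfaces: the firewall holds one leg in each VRF
interface GigabitEthernet0/3
 description Firewall, WIRED side
 vrf forwarding WIRED
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/4
 description Firewall, WIRELESS side
 vrf forwarding WIRELESS
 ip address 192.0.2.5 255.255.255.252
!
! Each VRF defaults to its own firewall leg; there is no path between the VRFs on this router
ip route vrf WIRED 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf WIRELESS 0.0.0.0 0.0.0.0 192.0.2.6
```

With this in place, `show ip route vrf WIRELESS` shows only the wireless table, which is the troubleshooting benefit listed above; in a full MPLS deployment the same VRFs would carry route-targets and be advertised over MP-BGP instead of relying on static defaults.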