Hi Terence,
Any chance you could elaborate on your statement about not relying on VLAN segregation for traffic separation? I'm struggling to understand your reasoning behind using a layer III filter ('firewall') to separate traffic on two logically separate layer II networks.
For example, in schools I commonly see BYOD implemented on its own ESSID which drops to a separate VLAN on a tagged uplink via the wired switching network. On the BYOD VLAN there is a separate router and internet firewall. There is no layer III interface for the core switch on this network.
In this scenario there is no logical way for packets to be forwarded from the BYOD devices to the school's servers or internal network, as there is no possible layer III path (without them first egressing onto the public internet and coming in via the internal network's firewall).
Can you expand on the reasons for your distrust in the separation provided via this model?
Pete