I have a DMZ that has a Cisco Nexus switch with VRFs as well as a physical firewall. Is it common in a DMZ environment to put the gateways for the DMZ systems on a Nexus VRF, or should they be on the physical firewall? If they are on the VRF, it would be much easier for a misconfiguration to allow traffic between two subnets where traffic shouldn't flow. If they are on the physical firewall, there is a greater performance hit on the firewall, since it has to process more traffic, but there is greater visibility and centralized enforcement of traffic-flow policies between subnets.
Your experiences and recommendations welcome...
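The misconfiguration the question worries about is concrete and easy to check for: two SVIs with IP addresses in the same VRF means the Nexus forwards between those subnets itself, and the firewall never sees the traffic. The script below is an added example (not from the original post or from Cisco) that parses an NX-OS style running-config and reports every VRF that holds more than one gateway. The config text, VLAN numbers, VRF names and next-hop addresses are constructed for illustration and are assumptions, not anything from the question.

```python
"""Audit an NX-OS style running-config for DMZ gateway placement.

Added example, not from the original post. The sample config below is
constructed; interface names, VRF names and addresses are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample. Vlan10 and Vlan20 share one VRF, so the switch
# routes between them behind the firewall's back. Vlan30 and Vlan40 sit in
# separate VRFs that each default-route to a firewall interface. Vlan50 is
# Layer 2 only, with its gateway on the firewall.
SAMPLE_CONFIG = """\
vrf context DMZ-SHARED
  ip route 0.0.0.0/0 10.200.0.1
vrf context DMZ-WEB
  ip route 0.0.0.0/0 10.200.1.1
vrf context DMZ-MAIL
  ip route 0.0.0.0/0 10.200.2.1
!
interface Vlan10
  vrf member DMZ-SHARED
  ip address 10.10.10.1/24
  no shutdown
interface Vlan20
  vrf member DMZ-SHARED
  ip address 10.10.20.1/24
  no shutdown
interface Vlan30
  vrf member DMZ-WEB
  ip address 10.10.30.1/24
  no shutdown
interface Vlan40
  vrf member DMZ-MAIL
  ip address 10.10.40.1/24
  no shutdown
interface Vlan50
  description L2-only VLAN, gateway lives on the firewall
  no shutdown
"""


def parse_l3_interfaces(config):
    """Return {vrf: [(interface, prefix), ...]} for every interface that
    carries an IP address. On NX-OS an interface with no 'vrf member'
    line belongs to the default VRF, which is treated like any other."""
    vrfs = defaultdict(list)
    current = None          # interface block currently being read
    vrf = "default"
    addr = None

    def flush():
        # Record the interface just finished if it had an address.
        if current and addr:
            vrfs[vrf].append((current, addr))

    for line in config.splitlines():
        if not line.startswith(" "):   # top-level line closes the block
            flush()
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            vrf, addr = "default", None
            continue
        if current is None:            # indented line outside an interface
            continue
        stripped = line.strip()
        m = re.match(r"vrf member (\S+)", stripped)
        if m:
            vrf = m.group(1)
        m = re.match(r"ip address (\S+)", stripped)
        if m:
            addr = m.group(1)
    flush()
    return dict(vrfs)


def find_switch_routed_vrfs(config):
    """Return {vrf: [interfaces]} for VRFs holding two or more gateways:
    the Nexus will forward between those subnets without involving the
    firewall, regardless of the firewall's policy."""
    return {vrf: [iface for iface, _ in ifaces]
            for vrf, ifaces in parse_l3_interfaces(config).items()
            if len(ifaces) >= 2}


if __name__ == "__main__":
    for vrf, ifaces in find_switch_routed_vrfs(SAMPLE_CONFIG).items():
        print(f"VRF {vrf}: switch routes directly between {', '.join(ifaces)}")
```

Run against a real `show running-config`, the report lists exactly the subnet pairs whose east-west traffic bypasses the firewall. A VRF per DMZ segment with only a default route toward the firewall, or no SVI at all with the gateway on the firewall, both leave the report empty.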