Security Edge Design - Which is better

cisconoobie
Level 2

Can some experts please take a look at my 2 designs and tell me which is better and why?

Why would you pick one over the other?

And whether the designs would work at all. I'm trying to find out which would provide the best performance and redundancy, and what the tradeoffs are.

Accepted Solutions

Between the two designs, I would certainly recommend the first design, as you wouldn't want to connect the core switch(es) to the outside directly. Any massive DoS attack from outside has the potential of bringing the core down, which would result in communication problems on the inside (trusted) side of your network as well.

If possible, it would be good to use different physical hardware for inside and outside connections. Though logical (VLAN) separation does provide you separation of inside and outside, a sophisticated attack from outside can result in problems on the trusted side of your network.

HTH

Sundar


autobot130
Level 1

Both designs work just fine except most people would fear the logical separation and prefer physical separation as you did with the C2950G switches.

With the option where you have the 2960G, the pros are that it gives you more options to insert probes for monitoring, IDS, Websense, etc.: pretty much anything that needs to monitor traffic egressing toward or incoming from the outside network. In addition, it gives you an extra layer against someone misconfiguring something on the 6500 that may lead to a huge security risk. The con is that it costs a tiny bit more.

The solution of having the logical separation of the 3800s into the 6500 in a separate VLAN will work too, but if someone fat-fingers something (misconfigures) or adds ports into the WRONG VLAN, you are in trouble. If you need to monitor traffic, the 6500 PFC3 limits you to 2 local SPAN, 23 ERSPAN and 64 RSPAN sessions.

I am in agreement with the previous post: use the 2950Gs to be safe and secure while giving you more flexibility to add more monitoring devices later. The L2 switches can serve as an Ethernet tap.

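The fat-finger risk autobot130 describes (a port landing in the wrong VLAN, so the outside segment leaks onto the trusted side, which is the same failure of logical separation Sundar warns about) can at least be caught after the fact by auditing the running config. What follows is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style running config and flags any port that carries an assumed outside VLAN (900 here) without being on an allow-list of edge-facing ports. The config text, the VLAN number and the port names are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config (not from the thread). VLAN 900 is the
# assumed OUTSIDE VLAN; only the two edge-router ports and the firewall's
# outside interface are supposed to carry it. Gi2/7, Gi5/1 and Gi5/3 are
# deliberate mistakes of the kind the thread warns about.
SAMPLE_CONFIG = """\
vlan 900
 name OUTSIDE
!
interface GigabitEthernet1/1
 description to-edge-router-1
 switchport access vlan 900
 switchport mode access
!
interface GigabitEthernet1/2
 description to-edge-router-2
 switchport access vlan 900
 switchport mode access
!
interface GigabitEthernet1/3
 description to-firewall-outside
 switchport access vlan 900
 switchport mode access
!
interface GigabitEthernet2/7
 description user-printer
 switchport access vlan 900
 switchport mode access
!
interface GigabitEthernet5/1
 description uplink-to-distribution-1
 switchport trunk allowed vlan 10,20,900
 switchport mode trunk
!
interface GigabitEthernet5/2
 description uplink-to-distribution-2
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet5/3
 description uplink-to-distribution-3
 switchport mode trunk
!
"""

OUTSIDE_VLAN = 900  # assumed for the example
ALLOWED_OUTSIDE_PORTS = {"GigabitEthernet1/1", "GigabitEthernet1/2", "GigabitEthernet1/3"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level command ends the block
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS allowed-vlan list such as '10,20,100-102' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip().isdigit():
            vlans.add(int(part))
    return vlans


def audit_outside_vlan(config: str, outside_vlan: int, allowed_ports: Set[str]) -> List[Tuple[str, str]]:
    """Return (interface, reason) for every port that carries the outside VLAN
    without being on the allow-list. Only the plain 'allowed vlan <list>' form is
    handled; the 'add'/'remove'/'except' variants are not."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        if name in allowed_ports:
            continue
        is_trunk = "switchport mode trunk" in lines
        allowed_spec = None
        for cmd in lines:
            m = re.match(r"switchport access vlan (\d+)$", cmd)
            if m and int(m.group(1)) == outside_vlan:
                findings.append((name, "access port placed in the outside VLAN"))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", cmd)
            if m:
                allowed_spec = m.group(1)
        if is_trunk:
            if allowed_spec is None or allowed_spec == "all":
                # IOS trunks carry every VLAN unless pruned, so a trunk with no
                # allowed list silently extends the outside VLAN toward the core.
                findings.append((name, "trunk carries all VLANs (default), including the outside VLAN"))
            elif outside_vlan in expand_vlan_list(allowed_spec):
                findings.append((name, "trunk explicitly carries the outside VLAN"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_outside_vlan(SAMPLE_CONFIG, OUTSIDE_VLAN, ALLOWED_OUTSIDE_PORTS):
        print(f"{port}: {reason}")
```

Run it against a saved `show running-config` after every change window, or from a config-backup job. The trunk-with-no-allowed-list case is worth the extra branch: a trunk that was never pruned carries the outside VLAN to the core without anyone having typed 900 anywhere, which is exactly the kind of mistake physical separation on a dedicated outside switch removes.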

Excellent. Thanks guys.

I agree with the above suggestions,

but I am wondering about one point: you now have a standby firewall which is passive, not working, only a backup.

Why don't you try to utilize both with an Active/Active method, or by using your multilayer switches and sharing the load on both of them?

This is what I suggest

from a performance perspective.

From a security perspective I would agree with any kind of physical separation, especially when you talk about edge devices.

Thank you

and good luck.
