The first thing I would say is to be very careful about the words you choose, as there is some ambiguity in your above description that makes a huge difference. For example, you said "trust": are you talking about domain trusts? From the context I'd say no, but that's not clear. You also said "domain": do you really mean a domain in a separate untrusted forest? Also, just because it's a separate VLAN doesn't imply traffic can't flow -- I suspect that's your intention in saying it's not trusted, but it's honestly not clear.
This all sounds like semantics, but it truly, truly does make a difference in how things are architected.
Another important piece of information needed is whether there is any NATing going on between the VLANs and whether or not there will be additional VLANs with similar requirements.
Jason | http://blog.configmgrftw.com