Option 2 but the management network for the DMZ hosts doesn't need to be in a "dmz" network. You could have it on the same management network as your current hosts or a new separate internal network that's still routable to your current vCenter server. Then have your VM dmz networks hanging off those hosts and handle all of your firewall config at that level for those networks.