VMware Cloud Community
jof
Enthusiast

DMZ virtualization - vShield required?

Hi,

Just looking for some thoughts on this subject.

I know there has been a lot of discussion around the virtualization of DMZs, but I am wondering what model people are generally seeing for this currently.

Some of the ones I have come across are:

1) Separate vSphere hosts for the DMZ (the question arises about the location of vCenter: internal zone or in the DMZ)

2) Separate vSwitch and pNIC for the DMZ

3) Use of VLANs and port groups to segregate the DMZ

In particular, for scenarios 2 & 3 above, does the addition of vShield App provide any additional benefit in segregating the DMZ VMs from the internal VMs? Or would a better approach be to use vShield Edge to isolate the trust zones from each other?

Any thoughts welcome.

Thanks.

2 Replies
danx1000
Contributor

You could do the 3rd option with a software-based router (such as Vyatta) running in a VM instead of vShield Edge.

logiboy123
Expert

This is really a risk management issue rather than a design best practice. There are a lot of ways to ensure proper segmentation and/or isolation of the DMZ from Production systems.

I have built perfectly secure solutions where DMZ VMs run on the same hardware (including physical switches) that Production uses.

It really depends on (to name but a few considerations):

1) Budget.

2) Corporate Policies.

3) Network Topology.

If we start with the concept that the business is not comfortable sharing hardware with Prod (typically old-school thinking), then I pitch the following idea:

Build a DMZ cluster connected to separate physical switches for VM Networking. For Management, vMotion and Storage, use the same infrastructure as Production systems. There is no "VM bleed-through" between the physical and virtual layer unless the vSphere platform is built incorrectly. There are plenty of good vSphere consultants who can help you build a safe and secure design solution. In this situation the question of vShield becomes redundant, unless you would like to have segmentation within the DMZ itself, in which case there is a good usage case for vShield App.

Regards,

Paul

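Whichever of the original poster's options 2 and 3 is chosen, or Paul's DMZ cluster with its own physical switches for VM networking, the thing worth verifying afterwards is that the port-group layout on the hosts actually matches the intended model. The script below is an added example, not code from the thread or from VMware: it reads a constructed CSV in the shape of a `Get-VirtualPortGroup | Export-Csv` export (the column names `Name`, `VirtualSwitch`, `VLanId`, and the zone-by-name convention in `zone_for`, are assumptions) and reports whether DMZ port groups sit on their own vSwitch (option 2) or share one with other zones so that everything rests on VLAN hygiene (option 3), flagging VLAN IDs reused across zones and VLAN 4095 (VGT trunk) port groups on a vSwitch that carries the DMZ.

```python
"""Check a vSphere standard-switch port-group inventory for DMZ segmentation.

Added example; the CSV layout and the DMZ-*/Management naming convention are
assumptions made for illustration, not anything the forum thread specifies.
"""
import csv
import io
from dataclasses import dataclass

# vSphere "virtual guest tagging": a port group on VLAN 4095 passes every VLAN
# of its vSwitch to the guest, so the guest can tag frames for any of them.
VGT_TRUNK_VLAN = 4095


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int
    zone: str  # "dmz", "internal" or "mgmt"


def zone_for(name: str) -> str:
    """Assumed naming convention: DMZ-* port groups are the DMZ, the standard
    vmkernel port-group names are management, everything else is internal."""
    if name.upper().startswith("DMZ-"):
        return "dmz"
    if name in ("Management Network", "vMotion", "Storage"):
        return "mgmt"
    return "internal"


def parse_inventory(csv_text: str) -> list:
    """Parse an export with Name, VirtualSwitch and VLanId columns (assumed)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [PortGroup(r["Name"], r["VirtualSwitch"], int(r["VLanId"]), zone_for(r["Name"]))
            for r in rows]


def audit(port_groups: list) -> tuple:
    """Return (model, findings).

    model is "separate-vswitch" (option 2 in the thread) when no non-DMZ port
    group shares a vSwitch with a DMZ one, else "vlan-only" (option 3), where
    the segmentation rests entirely on VLAN assignment. findings are sorted.
    """
    dmz_switches = {pg.vswitch for pg in port_groups if pg.zone == "dmz"}
    shared = [pg for pg in port_groups if pg.zone != "dmz" and pg.vswitch in dmz_switches]
    model = "vlan-only" if shared else "separate-vswitch"

    findings = []
    # The same VLAN id in two zones is one broadcast domain unless the upstream
    # physical switches are also separate; flag it regardless of vSwitch.
    vlan_zones = {}
    for pg in port_groups:
        vlan_zones.setdefault(pg.vlan, set()).add(pg.zone)
    for vlan, zones in vlan_zones.items():
        if len(zones) > 1:
            findings.append(f"VLAN {vlan} is shared by zones {', '.join(sorted(zones))}")
    # A VGT trunk on a vSwitch that also carries the DMZ lets that guest reach
    # the DMZ VLAN no matter what its own port group says.
    for pg in port_groups:
        if pg.vlan == VGT_TRUNK_VLAN and pg.vswitch in dmz_switches:
            findings.append(f"trunk port group {pg.name} (VLAN 4095) is on "
                            f"{pg.vswitch}, which carries the DMZ")
    return model, sorted(findings)


# Constructed sample exports for one host (not real inventory data).
SHARED_VSWITCH_CSV = """Name,VirtualSwitch,VLanId
Management Network,vSwitch0,5
vMotion,vSwitch0,6
Prod-App,vSwitch1,10
Backup-Trunk,vSwitch1,4095
DMZ-Web,vSwitch1,10
"""

SEPARATE_VSWITCH_CSV = """Name,VirtualSwitch,VLanId
Management Network,vSwitch0,5
vMotion,vSwitch0,6
Prod-App,vSwitch1,10
Backup-Trunk,vSwitch1,4095
DMZ-Web,vSwitch2,100
"""


def main() -> None:
    for label, text in (("shared vSwitch", SHARED_VSWITCH_CSV),
                        ("separate vSwitch", SEPARATE_VSWITCH_CSV)):
        model, findings = audit(parse_inventory(text))
        print(f"{label}: model={model}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

On the first sample the DMZ port group shares `vSwitch1` with production and, worse, reuses VLAN 10, so the script reports `vlan-only` with two findings; on the second, where the DMZ has its own vSwitch and VLAN (Paul's layout, with management and vMotion left on the shared `vSwitch0`), it reports `separate-vswitch` with nothing to flag. Whether a remaining `vlan-only` result is acceptable is exactly the risk-management call Paul describes, but the audit makes the actual state visible rather than assumed.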