Hello,
You can also use the following setup to ensure things are properly segregated, which is what I do:
Management Network contains all ESXi hosts + vCenter and any other management tools
Desktop Network contains my desktops, connection broker, etc.
VM Network is all other VMs
Segregation is achieved by using different networking constructs for the different critical networks. For example, I use a VSS for my management network (a holdover from when vDS had issues when vCenter died) and a vDS for all else. I have 2 portgroups on my vDS and I use vCNS Edge to segregate all networks from each other. I really like having my management network on a different control plane than my other workloads. You could use VSS, vDS, Nexus, NSX, etc., but that is a level of segregation not everyone needs.
Check out the following for some thoughts on this: vSphere Upgrade Saga: vShield Edge Missing Manual | AstroArch Consulting, Inc. The vShield Edge discussion and elements are a bit dated (it is far easier now w/vCNS), but the concepts are correct.
You can also use VLANs assigned to a portgroup to handle this segregation, but if you ever need to cross VLAN/portgroup/subnet boundaries you still need a firewall/gateway device. So I put Edge(s) in place as needed.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
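One way to lay this design down with PowerCLI and then check it, as an added example that is not part of the post above: it puts the Management portgroup on its own standard vSwitch, carries the Desktop and VM Network portgroups on a vDS with separate VLANs, and then audits that only approved management VMs sit on the Management portgroup. The vCenter and host names, switch and portgroup names, VLAN IDs, uplink vmnics and the approved management VM list are assumptions; the Edge firewall between the networks is still deployed separately.

```powershell
# Added example (not from the original post). Assumed values: vCenter/host names,
# switch and portgroup names, VLAN IDs, uplink vmnics and the approved
# management VM list. Adjust them to your environment.
Connect-VIServer -Server 'vcenter.example.local'

$esx = Get-VMHost -Name 'esx01.example.local'
$dc  = Get-Datacenter -VMHost $esx

# 1. Management network on its own standard vSwitch: a separate control plane
#    from the vDS that carries the workloads.
$vss = Get-VirtualSwitch -VMHost $esx -Name 'vSwitch-Mgmt' -ErrorAction SilentlyContinue
if (-not $vss) {
    $vss = New-VirtualSwitch -VMHost $esx -Name 'vSwitch-Mgmt' -Nic 'vmnic0'
}
if (-not (Get-VirtualPortGroup -VirtualSwitch $vss -Name 'Management' -ErrorAction SilentlyContinue)) {
    New-VirtualPortGroup -VirtualSwitch $vss -Name 'Management' -VLanId 10 | Out-Null
}

# 2. Desktop and VM networks as two portgroups on a vDS, each on its own VLAN.
$vds = Get-VDSwitch -Name 'vDS-Workloads' -ErrorAction SilentlyContinue
if (-not $vds) {
    $vds = New-VDSwitch -Name 'vDS-Workloads' -Location $dc -NumUplinkPorts 2
    Add-VDSwitchVMHost -VDSwitch $vds -VMHost $esx
    $uplink = Get-VMHostNetworkAdapter -VMHost $esx -Physical -Name 'vmnic1'
    Add-VDSwitchPhysicalNetworkAdapter -DistributedSwitch $vds -VMHostPhysicalNic $uplink -Confirm:$false
}
foreach ($pg in @(@{ Name = 'Desktop'; VLan = 20 }, @{ Name = 'VM Network'; VLan = 30 })) {
    if (-not (Get-VDPortgroup -VDSwitch $vds -Name $pg.Name -ErrorAction SilentlyContinue)) {
        New-VDPortgroup -VDSwitch $vds -Name $pg.Name -VLanId $pg.VLan | Out-Null
    }
}

# 3. Audit: any VM on the Management portgroup that is not an approved
#    management VM breaks the segregation and is reported.
$mgmtVMs = @('vcenter', 'vcns-manager')   # assumed list of approved management VMs
$violations = Get-VM | Get-NetworkAdapter |
    Where-Object { $_.NetworkName -eq 'Management' -and $mgmtVMs -notcontains $_.Parent.Name } |
    Select-Object @{ n = 'VM'; e = { $_.Parent.Name } }, Name, NetworkName
if ($violations) {
    $violations | Format-Table -AutoSize
} else {
    'No non-management VMs found on the Management portgroup.'
}
```

Run the audit section on its own from a scheduled job to catch VMs that later get attached to the Management portgroup by mistake.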