Consider these best practices for configuring your network.

Separate network services from one another to achieve greater security or better performance.

To have a particular set of virtual machines function at the highest performance levels, put them on a separate physical NIC. This separation allows a portion of the total networking workload to be shared more evenly across multiple CPUs. The isolated virtual machines can then better serve traffic from a Web client, for instance.

You can satisfy the following recommendations either by using VLANs to segment a single physical network or by using separate physical networks (the latter is preferable).

Keeping the service console on its own network is an important part of securing the ESX system. Consider the service console network connectivity in the same light as any remote access device in a host, because compromising the service console gives an attacker full control of all virtual machines running on the system.

Keeping the vMotion connection on a separate network devoted to vMotion is important because, when migration with vMotion occurs, the contents of the guest operating system’s memory are transmitted over the network.

When using passthrough devices with a Linux kernel version 2.6.20 or earlier, avoid MSI and MSI-X modes because these modes have a significant performance impact.

To physically separate network services and to dedicate a particular set of NICs to a specific network service, create a vSwitch for each service. If this is not possible, separate them on a single vSwitch by attaching them to port groups with different VLAN IDs. In either case, confirm with your network administrator that the networks or VLANs you choose are isolated in the rest of your environment and that no routers connect them.

You can add and remove NICs from the vSwitch without affecting the virtual machines or the network service that is running behind that vSwitch. If you remove all the NICs, the virtual machines can still communicate among themselves. Moreover, if you leave one NIC intact, all the virtual machines can still connect with the physical network.

To protect your most sensitive virtual machines, deploy firewalls in virtual machines that route between virtual networks with uplinks to physical networks and pure virtual networks with no uplinks.
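As an added example (not part of the VMware documentation), the following Python check covers both the port-group procedure and the pure virtual networks described above: it parses a constructed listing modeled on `esxcfg-vswitch -l` and flags a service console or vMotion port group that shares a vSwitch and VLAN ID with any other port group, and lists vSwitches that have no uplinks. The column layout of the sample and the exact `esxcfg-vswitch` output format are assumptions.

```python
import re

# Constructed sample modeled on the layout of `esxcfg-vswitch -l` (column layout
# is an assumption, not output captured from a real host).
SAMPLE = """\
Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0       64          5           64                1500    vmnic0
  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Service Console     0        1           vmnic0
  vMotion             0        1           vmnic0
  VM Network          10       2           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1       64          2           64                1500
  PortGroup Name      VLAN ID  Used Ports  Uplinks
  Internal Only       0        2
"""

SWITCH_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\d+\s+\d+(?:\s+(\S+))?\s*$")
PG_RE = re.compile(r"^\s+(.+?)\s{2,}(\d+)\s+\d+(?:\s+(\S+))?\s*$")
MGMT = {"Service Console", "vMotion"}  # services that need their own network


def parse(text):
    """Return {vswitch: {"uplinks": [...], "portgroups": {name: vlan_id}}}."""
    switches, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Switch Name", "  PortGroup Name")):
            continue  # blank lines and column headers
        if not line.startswith(" "):  # vSwitch row: uplinks are comma separated
            name, up = SWITCH_RE.match(line).groups()
            current = switches[name] = {"uplinks": up.split(",") if up else [], "portgroups": {}}
        else:  # port-group row, indented under its vSwitch
            pg, vlan, _ = PG_RE.match(line).groups()
            current["portgroups"][pg] = int(vlan)
    return switches


def audit(switches):
    """Flag a management service sharing a broadcast domain (same vSwitch and
    VLAN ID; 0 means untagged) with another port group; list pure virtual vSwitches."""
    findings = []
    for name, sw in switches.items():
        by_vlan = {}
        for pg, vlan in sw["portgroups"].items():
            by_vlan.setdefault(vlan, []).append(pg)
        for vlan, pgs in by_vlan.items():
            if len(pgs) > 1 and MGMT & set(pgs):
                findings.append(f"{name} VLAN {vlan}: {', '.join(sorted(pgs))} share one network")
        if not sw["uplinks"]:  # no physical NICs: the pure virtual case from the text
            findings.append(f"{name}: pure virtual network (no uplinks)")
    return findings
```

Run `audit(parse(SAMPLE))` to see that the service console and vMotion on vSwitch0 land in one untagged network, which is exactly the layout the recommendations above tell you to avoid.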