How to setup private vlans on ESX4/VSphere?

How many NICs are available in your vSphere Hosts ?

6 nics for 2 of the main hosts we are trying to get vds + private vlans setup on.  There are an additional 4 hosts in the same datacenter that we have not added addl nics to, that still have the factory 2 onboard gig.

I suggest that you use 1 NIC for Service Console and then use vSwitches for segregating your VLAN Traffic.

Are you using Promiscuous Mode for deploying IDS / IPS ?

ok, so the service console nic needs to keep separate from the vds?  in 3.5 we had the 2 onboard nics bound to vswitch0 and had all traffic going through that.  That included vmotion, service console 1 & 2, as well as the guest networks, all using a single network.

What would the ideal setup be, use the 2 onboard nics for service console and vmotion, then the addl nics for vds stuff?

Also we are looking at doing promiscuous in the private vlans for default machines and the inside fw interface that all machines should have access to.  My understanding is that promiscuous in regards to private vlans is related to layer2 switch segmenting rather than the promiscuous in terms of nics and accepting all packets (like for sniffer, ids/ips) Does that sound right?

Its not a good security practice to use a single NIC for VM Traffic and Service Console Traffic.

An ideal config would be to have six NICs in total, 1 for SC, 1 for vMotion and the rest for your VM Traffic. In case you have iSCSI SAN then that would need a NIC as well.

great advice thank you.  Can you explain how private vlans settings need to be configured in vcenter?  I am trying to get my brain wrapped around the notion of trunks, switches, port groups and private vlans in vcenter.

Are you vSphere ESX 4.0 or ESX4i ?

vsphere esx 4.0 enterprise with vcenter server standard

you are awesome!!  I have been looking for something like on their site since Saturday!

Thank you!

extremely helpful and knowledgeable!

You are most welcome.