I don't think you will be PCI compliant with that configuration. With only 2 NICs you would have your management and data traffic on the same NICs.
I would put another 2 NICs in the server, create a separate vSwitch and use those NICs for dedicated DMZ traffic. Or you can split the 2 existing NICs - have one for each vSwitch - but then you have no resilience or redundancy if a NIC fails.
Until the new guidance is released from the PCI Council your config is not PCI compliant just by virtue of virtualizing.... However, in either case the network for your DMZ should be 100% separate from your other networks.... It is all about trust zones. ESX can have 6 or more trust zones. So how you divide them up means quite a bit... I suggest you visit http://www.virtualizationpractice.com/blog/?page_id=4931 as a starting point on virtualization security. It contains quite a few links on VMware networking, etc. Once you understand the networking you can understand why just 2 pNICs may be a bad combination... It really depends on how things work within your physical environment today in many ways.
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security' (http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security)
Also available: 'VMWare ESX Server in the Enterprise' (http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise)
Blogging: The Virtualization Practice (http://www.virtualizationpractice.com) | Blue Gears (http://www.astroarch.com/blog) | TechTarget (http://itknowledgeexchange.techtarget.com/virtualization-pro/) | Network World (http://www.networkworld.com/community/haletky)
Podcast: Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast) | Twitter: Texiwill (http://www.twitter.com/Texiwill)
Texi is the security guru, so whatever he says I would listen to. I'll throw my two cents in and share how we run some websites off our ESX hosts. If you only have 2 pNICs in your ESX host I would recommend buying at least another NIC card, or a dual-port NIC card that's on the HCL.
The way we have our DMZ set up is we have a dual-port pNIC card handling all of our DMZ traffic; from there those pNICs are cabled directly to our DMZ pSwitch, then to our firewall. At least in my mind, and Ed can correct me if I'm wrong, the DMZ is completely physically separated from our mgmt/vMotion/LAN traffic by going out a completely separate pNIC card (besides having a dedicated DMZ ESX host).
RParker wrote: "I guess I was wrong, everything CAN be virtualized"