VMware Cloud Community
emanpa68
Contributor

Firewall options

Have a Dell server with ESXi 4 and 4 VMs running Server 2003/2008 and a 25 Mb down / 1 Mb up connection over cable to our ISP with 15 static IPs.

Would it be a good idea to use VMs as firewalls to do NAT, like ClearOS? Any suggestions on this? Should I use a physical firewall?

My business partner plays these situations safe and defaults to a physical device in front of the server (Cisco PIX/ASA, or SonicWall)... on the other hand I want to avoid additional hardware purchases if there is a suitable alternative (also it just feels more clean and simple).

2 Replies
Dave_Mishchenko
Immortal

If you just need to protect other VMs then I wouldn't have any concerns with a VM firewall. You can set up a dual vSwitch setup which, when paired with a VM firewall, will effectively isolate your other VMs. However, if you also need to protect ESXi, which I would assume would be the case, then I would go with a hardware device.

1) If you used a VM firewall to protect VMs and ESXi, then if it failed you have no access to ESXi.

2) To patch ESXi the host must be placed in maintenance mode. In maintenance mode you can't have any VMs running on the host, hence a VM firewall protecting ESXi couldn't be running.

bulletprooffool
Champion

Hi,

I assume that you are comparing a physical firewall to a VMware appliance firewall like Vyatta?

Using something like Vyatta and isolating VMs on an ESX host is pretty simple. It provides you with NAT / DHCP / firewall etc. and still allows you to isolate local traffic etc.

From an administration point of view, it is pretty good as everything is in one location etc.

The downside is that it is very easy to bridge a new VM beyond this firewall onto your production network, simply by misconfiguring a PortGroup.

For my lab, I use almost exclusively routing appliances, but for production I use a physical router / firewall.

In my lab though, I host an ESX instance specifically for support tools (Vyatta, NAS emulator etc.) and then use other ESX hosts for normal ESX lab work. The ESX that hosts the NAS / Vyatta etc. is not in my normal lab cluster and does not get modified much at all. Having it isolated means that I am unable to bridge a VM from my lab into my production environment without going via the firewall etc., as the physical cabling only allows routing via the pNIC on the ESX host that runs the firewall appliance etc.

One day I will virtualise myself . . .
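The PortGroup-misconfiguration risk raised in the reply above, as an added check that is not part of the thread: a Python audit over a constructed vNIC-to-port-group inventory (the kind you would export from the host, e.g. with PowerCLI Get-VM | Get-NetworkAdapter) that flags any VM other than the firewall appliance sitting on the WAN port group or straddling both port groups. The port group names "WAN"/"LAN" and all VM names are assumptions.

```python
"""Audit a dual-vSwitch / VM-firewall layout for VMs that bypass the firewall.

Added example, not from the thread. Input is a list of (vm_name, port_group)
rows, one per vNIC; names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: each row is (VM name, port group its vNIC is attached to).
INVENTORY = [
    ("fw-vyatta", "WAN"),      # firewall appliance, outside leg
    ("fw-vyatta", "LAN"),      # firewall appliance, inside leg
    ("dc01", "LAN"),
    ("file01", "LAN"),
    ("web01", "WAN"),          # misconfigured: exposed directly on the ISP side
    ("test-vm", "WAN"),
    ("test-vm", "LAN"),        # misconfigured: bridges WAN and LAN around the firewall
]


def audit(inventory, firewall_vm, wan_pg="WAN", lan_pg="LAN"):
    """Return sorted (vm, finding) tuples for VMs whose port groups bypass the firewall.

    Only the firewall VM is allowed a vNIC on both sides; every other VM must
    stay off the WAN port group entirely.
    """
    groups_by_vm = defaultdict(set)
    for vm, pg in inventory:
        groups_by_vm[vm].add(pg)

    both_sides = {wan_pg, lan_pg}
    findings = []
    for vm, groups in sorted(groups_by_vm.items()):
        if vm == firewall_vm:
            # The firewall must have exactly one leg on each side to be in the path at all.
            if not both_sides <= groups:
                findings.append((vm, "firewall is missing its WAN or LAN leg"))
            continue
        if both_sides <= groups:
            findings.append((vm, "bridges WAN and LAN around the firewall"))
        elif wan_pg in groups:
            findings.append((vm, "attached directly to WAN"))
    return findings


if __name__ == "__main__":
    for vm, finding in audit(INVENTORY, "fw-vyatta"):
        print(f"{vm}: {finding}")
```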