Is VSI = Virtual Server Infrastructure?
NSX 6.3 has several cross-vcenter enhancements including Universal Security Tags NSX-V 6.3: Cross-VC NSX Security Enhancements - The Network Virtualization Blog
It depends on your requirements and environment.
VDI environment (including the vCenter) is normally separated to provide isolation of environment, usability & administrative purposes, change management, and upgrades.
So you can make any changes or upgrades independently.
Therefore, I would not go with option 3.
Option 2 is required when you need to create security policies across server virtualisation & VDI environment using Universal Objects or rules across both environment using objects.
For example, you have some VDI grouped using Security Group e.g. VDI_Finance using VM name or IDFW, then you have Finance App in server virtualisation environment under Security Group (SG) Finance_App. If you have Cross-vCenter, you can create Security Policy Allow from SG VDI_Finance to Finance_App and apply to both environment or to all DFW.
Now with the same security policy requirements, if you are going with Option 1, you would need to create and apply two separate Security Policy
1. Allow from SG VDI_Finance to IP Set Finance_App (range of IP addresses) apply to NSX Manager/vCenter VDI
2. Allow from IP Set VDI_Finance (range of IP addresses) to SG Finance_App (range of IP addresses) apply to NSX Manager/vCenter server virtualisation
IP Set must be used on objects that is not visible from the local NSX/vCenter
If you have many security policy requirements across different environment, then its worth to use Cross-VC.
If you don't have that many or even no security policy across environment, then option 1 would be sufficient.
Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
