Thanks for the reply. So am I understanding correctly that VMware port groups are essentially like VLANS? And if so, one can have multiple port groups on one vswitch?

Also, am I able to create an entire DMZ inside the hosts?

One more thing... Should I have a single, separate interface to manage the host (vkernal??), and then use another port or an etherchannel port to do the trunking as the main data conduit? How does that work in configuring it?

We have a collapsed core and these hosts (x2) interface into layer 3 switches (3560s). We could also make the data portion come from layer 2s (2960s). But bottom line, you're saying we can do the management and data via different Ethernet ports--is that correct?

Thanks in advance...

>>> So am I understanding correctly that VMware port groups are essentially like VLANS? And if so, one can have multiple port groups on one vswitch?
Yes, you can setup a VLAN-ID on each port group. You can actually have multiple port groups with the same VLAN-ID if needed (e.g. with different Teaming&Failover settings), so that you could - if you want - assign a dedicated active vmnic to the Management port group.

>>> Also, am I able to create an entire DMZ inside the hosts?
Yes from a technical perspective. From a security perspective this may be another question depending on your company policies.

>>> Should I have a single, separate interface to manage the host (vkernal??), 
Not necessarily. I usually don't, because I consider it a waste of available bandwidth in most cases.

Regarding EtherChannel: In order to benefit from this you'll need distributed virtual switches. When you mentioned trunking, I was actually thinking of an 802.1Q port configuration.With standard vSwitches consider to stay with the default settings, which allow you to connect uplinks to different physical switches without the need of e.g. stacking etc. I usually configure 802.1Q tagged ports, and set the VLAN on the virtual port groups.

André

I really appreciate your help on this.

So if I want to configure an ether-channel trunk on two (or more) links, and send both data and management traffic across it to the host, if it then needs to route, will it act like a router-on-a-stick and send traffic from one VLAN (port group?) over the trunk to the layer 3 switch, and then routed back over the other VLAN/PG to the VMware host?

Is this how it would work?... I've kinda come to understand that no routing goes on on the internal host's networks/switches--is that correct?

Sorry for what could easily be considered dumb questions, but I'm a security engineer (Cisco ASAs and NGFWs) and never got heavy into the route/switch side of things. Architecture is my weak spot.

I've limped along with two ESXi's over a single link each that carries all data and management traffic. I wanted to set up a mini-enterprise style edge--complete with a collapsed core of redundant layer 3 swtiches--to act as a "live lab" (at my home office) for all things network security. Hence the desire for a DMZ, a guest network, a OOB management network, etc.

Thanks in advance for any further feedback...

A channel has nothing to do with routing, and/or VLAN tagging.
In case you want to route traffic from one subnet to another, you'd need a router, or configure your layer 3 switch accordingly.

As a side not. If you have more than one uplink to an ESXi host, you can use them on a single vSwitch without the need to configure a channel. By default ESXi will assign an uplink to a VM in a round-robin manner to distribute the traffic across the available uplinks.

André