You have options regarding segmenting the VxRail network traffic at the virtual-distributed switch level. You can configure all the required VxRail networks to a single virtual-distributed switch, or you can deploy a second virtual-distributed switch to isolate the VxRail management network traffic and the VxRail non-management network traffic.

Figure 55.    VxRail network segmentation with two virtual-distributed switches

If your company or organization has stringent security policies regarding network separation, splitting the VxRail networks between two virtual-distributed switches will enable better compliance with those policies, and simplify redirecting the VxRail management network traffic and non-management network traffic down separate physical network paths.

You can choose from the following options to align with your company or organization networking policies:

• Place all the required VxRail network traffic and guest network traffic on a single virtual-distributed switch.
• Use two virtual-distributed switches to segment the VxRail management network traffic from the VxRail non-management traffic and guest virtual machine network traffic.
• Deploy a separate virtual-distributed switch to support guest virtual machine network traffic.

Figure 56.    VxRail network segmentation with two virtual-distributed switches

VxRail supports either a single virtual-distributed switch or two virtual-distributed switches as part of the initial implementation process. If your security posture changes after the VxRail cluster initial implementation has completed, a second virtual-distributed switch can still be deployed, and the VxRail network traffic can be redirected to that second virtual-distributed switch. Any additional virtual-distributed switches beyond two switches, such as those for user requirements outside of VxRail networking can be deployed after initial implementation.