Our security team doesn't like the vShield solution, we have it in place, and they want it retired -
I now need to understand exactly when packets are forced out of the virtual switch up to the physical switch where our security can inspect the packets with its firewall device of their choice.
Here is what I know:
1) packets destined for a different VLAN will exit the host's port group / vSwitch via the vmnic uplink to the upstream switch - this allows for packet inspection
2) I can create port groups with different VLAN IDs that actually leverage the same subnet addressing
BUT - will packets from VMs in separate VLAN port groups that essentially reside on the same subnet actually exit the vswitch via the uplink to the physical switch?
or will the vswitch recognize that the packet is on the same subnet regardless of the different VLAN ID and keep it within the host's vswitch?
Also, if I were to create multiple port groups with the same VLAN ID, would packets moving between these port groups automatically be sent to the upstream switch simply because they are in different port groups, or will they stay within the host vSwitch because the VLAN ID is the same?
Thanks for helping in advance!
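As an added example (not part of the original post, and not VMware's code), here is a small Python model of the forwarding rule a standard vSwitch applies: a Layer-2 lookup keyed on VLAN ID and destination MAC, with IP addresses playing no part in the decision. The port groups, VMs, MAC and IP values are constructed for the example; the `blind_spots` helper lists the VM pairs whose traffic never leaves the host and therefore cannot be seen by a firewall sitting behind the physical switch.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class PortGroup:
    name: str
    vlan: int


@dataclass(frozen=True)
class VM:
    name: str
    mac: str
    ip: str          # carried only to show that it plays no role in forwarding
    port_group: PortGroup


class VSwitch:
    """Simplified model of a standard vSwitch (an assumption of this example,
    not VMware code): a Layer-2 forwarder that knows the MAC of every attached
    vNIC and switches on (VLAN ID, destination MAC). It never consults IPs."""

    def __init__(self) -> None:
        self.vms: dict[str, VM] = {}

    def attach(self, vm: VM) -> None:
        self.vms[vm.mac.lower()] = vm

    def forward(self, src: VM, dst_mac: str) -> str:
        """Return 'local' when the frame is delivered inside the host and
        'uplink' when it is sent out the vmnic to the physical switch.
        The frame is tagged with the source port group's VLAN, so only a
        local port in that same VLAN can match; anything else (a MAC in
        another VLAN, or a MAC the vSwitch does not own) goes to the uplink."""
        dst = self.vms.get(dst_mac.lower())
        if dst is not None and dst.port_group.vlan == src.port_group.vlan:
            return "local"
        return "uplink"

    def inspectable(self, a: VM, b: VM) -> bool:
        """True if a->b traffic reaches the physical switch (and any firewall there)."""
        return self.forward(a, b.mac) == "uplink"

    def blind_spots(self) -> list[tuple[str, str]]:
        """VM pairs whose traffic stays on the host, invisible to a physical firewall."""
        return sorted(
            (a.name, b.name)
            for a, b in combinations(self.vms.values(), 2)
            if not self.inspectable(a, b)
        )


# Constructed topology: three port groups, two of which share VLAN 10,
# and one on VLAN 20 that reuses the same 10.0.0.0/24 addressing.
PG_WEB = PortGroup("PG-Web", vlan=10)
PG_WEB2 = PortGroup("PG-Web-2", vlan=10)
PG_APP = PortGroup("PG-App", vlan=20)

WEB1 = VM("web1", "00:50:56:00:00:01", "10.0.0.11", PG_WEB)
WEB2 = VM("web2", "00:50:56:00:00:02", "10.0.0.12", PG_WEB)
WEB3 = VM("web3", "00:50:56:00:00:03", "10.0.0.13", PG_WEB2)
APP1 = VM("app1", "00:50:56:00:00:04", "10.0.0.21", PG_APP)


def build_switch() -> VSwitch:
    sw = VSwitch()
    for vm in (WEB1, WEB2, WEB3, APP1):
        sw.attach(vm)
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print("web1 -> web2 (same port group):       ", sw.forward(WEB1, WEB2.mac))
    print("web1 -> web3 (same VLAN, other PG):   ", sw.forward(WEB1, WEB3.mac))
    print("web1 -> app1 (other VLAN, same /24):  ", sw.forward(WEB1, APP1.mac))
    print("not inspectable by physical firewall: ", sw.blind_spots())
```

Under this model, two VMs on the same host whose port groups carry the same VLAN ID exchange frames entirely inside the vSwitch, whether or not they are in the same port group, while a frame addressed to a VM in a different VLAN leaves via the uplink even when both VMs use the same subnet. The model only covers the vSwitch's own decision: in the different-VLAN, same-subnet case the sender's ARP broadcast is also confined to its VLAN, so whether that traffic ever completes depends on what upstream device (for example a firewall bridging those VLANs) carries it across. The `blind_spots` list is the set of pairs to check when deciding whether a physical inspection point actually covers the host.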