To confirm what you are saying. The subnet does not matter, as long as they are on the same host the traffic will stay local? If i have a web front end in the DMZ and the SQL internal and they are on the same host they will not call out across the physical switch?

Traffic between DMZ and internal go via your router. If not this would be a major security risk. Vmware ESX is no router

To clarify: each Port Group on a vSwitch acts as a Layer 2 switch. Any traffic internal to that "switch" will not need to traverse the uplink (physical LAN.)

As soon as the traffic needs to exit that Port Group, it will need to traverse the physical LAN.

To give a worst-case scenario: let's say you have two Port Groups (A&B) on the same host, both connected to the same VLAN (roughly, let's say they're both connected to the same subnet.) If one VM's IP is 192.168.1.1 and it's connected to Port Group A, the other's IP address is 192.168.1.2 and it's connected to Port Group B, all traffic between the two will traverse the physical LAN (i.e. unplugging the network cable will prevent them from communicating.)

If they're connected to the same port group, the traffic will be internal to the vSwitch and will be done via a direct memory copy by ESX - unplugging the network cable will not interrupt network connectivity between the two VMs.

Message was edited by: jhanekom

(Note that it has subsequently been pointed out to me that this is incorrect. Traffic will be routed internal to the vSwitch even if it is on separate port groups, provided that the VMs are on the same VLAN.)