The Problem Still Remains
The argument that multiple port groups solve the problem, in my opinion, is a stretch. In a typical IDS deployment, all VMs monitored by an IDS would be in the same port group. There is no intelligence in ESX to specify a many-to-one mirror for unicast traffic. In other words, ESX has no idea which port in a port group connects to the IDS. So ultimately, when a port group is set to "Promiscuous Mode: Accept", all ports in the port group are mirrored to each other. This allows the IDS appliance, along with all other VMs in the port group, to capture the unicast traffic of each VM in the port group.
IMHO, placing multiple nodes in a promiscuous-enabled port group is a security risk. Port groups alone do not solve the security issue. VMware needs to engineer a monitor port as part of the vswitch and port group architecture that allows administrators to configure many-to-one port mirroring. This would allow administrators to connect an IDS to a network segment using the same approach that's used with physical switches today.
I'm glad you enjoyed my reliability quote. :)
~Chris Wolf
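The delivery behaviour the comment describes, written out as a small model so the difference between the two designs is concrete. This is an added example, not part of Chris Wolf's comment and not VMware code: it models a single vSwitch, a single VLAN and delivery only between ports in the same port group (an assumption made to keep the model to what the comment states), and the "mirror_port" field is the hypothetical many-to-one monitor port the comment asks for, not an ESX setting. VM names and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortGroup:
    name: str
    # Security policy "Promiscuous Mode: Accept" on the port group (what ESX offers).
    promiscuous_accept: bool = False
    # Hypothetical many-to-one monitor port (the design the comment asks for).
    # This is not an ESX setting; it models what a SPAN-style mirror would do.
    mirror_port: Optional[str] = None


@dataclass
class VM:
    name: str
    mac: str
    port_group: str


class VSwitch:
    """Toy unicast forwarder: one vSwitch, one VLAN, VMs attached to port groups."""

    def __init__(self, port_groups, vms):
        self.port_groups = {pg.name: pg for pg in port_groups}
        self.vms = {vm.name: vm for vm in vms}

    def deliver(self, src, dst_mac):
        """Return the names of the VMs whose vNIC receives a unicast frame src -> dst_mac."""
        src_vm = self.vms[src]
        pg = self.port_groups[src_vm.port_group]
        receivers = set()
        for vm in self.vms.values():
            # Assumption: only delivery between ports of the same port group is modelled.
            if vm.name == src or vm.port_group != pg.name:
                continue
            if vm.mac == dst_mac:
                receivers.add(vm.name)   # the real destination always gets the frame
            elif pg.promiscuous_accept:
                receivers.add(vm.name)   # every port in the port group gets a copy
            elif pg.mirror_port == vm.name:
                receivers.add(vm.name)   # only the designated monitor port gets a copy
        return receivers


# Constructed sample inventory: two workloads, the IDS, and an untrusted VM that
# happens to share the same port group.
VMS = [
    VM("web01", "00:50:56:00:00:01", "Production"),
    VM("db01", "00:50:56:00:00:02", "Production"),
    VM("ids", "00:50:56:00:00:10", "Production"),
    VM("tenant-x", "00:50:56:00:00:20", "Production"),
]
DB01_MAC = "00:50:56:00:00:02"


def receivers_with_promiscuous_accept():
    """ESX today: the IDS sees db01's traffic, but so does tenant-x."""
    sw = VSwitch([PortGroup("Production", promiscuous_accept=True)], VMS)
    return sw.deliver("web01", DB01_MAC)


def receivers_with_mirror_port():
    """The requested design: only the designated monitor port gets the copy."""
    sw = VSwitch([PortGroup("Production", mirror_port="ids")], VMS)
    return sw.deliver("web01", DB01_MAC)


def receivers_with_default_policy():
    """Promiscuous Mode: Reject, the default: nobody but the destination sees it."""
    sw = VSwitch([PortGroup("Production")], VMS)
    return sw.deliver("web01", DB01_MAC)


if __name__ == "__main__":
    print("Promiscuous Accept:", sorted(receivers_with_promiscuous_accept()))
    print("Many-to-one mirror:", sorted(receivers_with_mirror_port()))
    print("Default (Reject):  ", sorted(receivers_with_default_policy()))
```

The point the model makes is the one in the comment: with "Promiscuous Mode: Accept" the copy goes to every port in the port group, so the IDS and the untrusted VM receive the same unicast frames, whereas a monitor port would let an administrator name the one port that should receive copies.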