vCloud Director is able to create isolated or routed layer 2 networks within Organizations or vApps on the fly thanks to network pools. The network pools can be port group backed (pre-defined portgroups on static or distributed vSwitch), VLAN backed or isolated byVMware proprietary MAC-in-MAC encapsulation called vCloud Director Network Isolation (VCDNI). Every time an isolated or routed layer 2 network has to be created it is taken from the network pool. In the case of port group backed network pool one pre-defined portgroup is used from the pool. However in the VLAN or VCDNI backed pool a new port group is created on vDSwitch automatically by vCloud Director. There is one important aspect: there is no way to specify security and NIC teaming policy for such portgroup.
VLAN backed portgroup is always using “route based on originating virtual port” teaming policy and all vDSwitch uplinks are set as active.
VCDNI backed portgroup is also always using the same load balancing policy however only one uplink is active and all the others are put into standby mode.
This means that all the uplinks on the vDSwitch which is used for the VLAN or VCDNI network pools have to be compatible. This means they should have the same VLAN trunks defined on the physical switch ports in the case of VLAN backing or the same transport VLAN defined in the case of VCDNI. It is not possible to reserve some uplinks for vMotion or management as is often the case.
If vMotion or management or any other traffic separation is required then these uplinks have to be on a separate static or distributed switch not used for network pools. Otherwise vCloud Director could use such incompatible uplink and since the VLAN is not defined on the physical switch the network traffic will get rejected.
Tom Fojta's Blog 
It’s possible to specify security and NIC teaming by changing the dvPortgroup defaults…
Do you mean setting the DVS portgroup default via API? Found your blog: http://geekafterfive.com/2011/04/04/dvportgroup-inheritance/. Nice.
That’s the one. 😉 vCD will still change the active/standby default to active/active upon creation of the portgroup, and I have a “trolling” script that runs every 5 minutes to go through and modify any new networks to be active/standby.
hello, this is good article. one question: I have vcloud 5.1 setup. If I have management network on standard switch on NIC0, and network pool on distributed switch on NIC2 both using default VLAN 0, are there any issues here?
It is recommended to have the encapsulated virtual network (either VXLAN or VCDNI) in its own VLAN, so I would not mixed it with the management VLAN unless they use different physical infrastructure. The reason is mainly security – you could spy or forge the encapsulated packets from the management network and to avoid the broadcast traffic from the virtual networks influencing management network.
Hi Tomas! thanks for the great blog, I had one question in case you can help: do I have to setup RVI/SVI on the switch for the VCD-NI port group? I’m working on a PoC based on http://www.vmware.com/pdf/vCloudIntegrationManager10_Cloud_Guidelines.pdf
VCDNI is mac-in-mac encapsulation. It means all the virtualized networks are within one VLAN which does not need to be routed anywhere. Just trunk the VLAN to all the participated hosts and if possible increase the MTU size at least to 1524 (24 bytes is the size of VCDNI encapsulation header).
Hi Tomas
Is it possible to programatically (VRO prefured or API) to add a new portgroup to a portgroup backed network pool or a new vlan range to a vlan backed network pool?
Sure: https://code.vmware.com/apis/442/vcloud#/doc/doc/operations/PUT-NetworkPool.html