i agree with Dave 'You can use VLANs to segment traffic or the Cisco Nexus / vShields / or a virtual router to ensure that if a VM's IP is changed it is not able to communicate with the different IP address.'
this is what i did and everything seems to be doing well. i just guess we have different cases though so i thought