How to Find and Fix 10 Real Security Threats on Your Virtual Servers
VM Sprawl. Hypervisor holes. Rogue virtual machines. Network traffic gone bad. What are the biggest virtualization security risks now and how can you combat them? It's time to separate fact from fiction and get down to work.
6. Watch How You Provision Storage
Some enterprises are over-provisioning storage on SANs today, says Wolf. It's not that you're provisioning too much storage overall; it's that you may be letting the wrong VMs share a part of the SAN, he says.
If you're working with VMotion, VMware's tool for moving VMs around, you're assigning some zoned storage in SANs. But you may want to make that storage assignment more granular, as you would in the physical world, Wolf advises. Looking forward, N-port ID virtualization—a technique that lets IT assign storage to just one VM—is an option worth investigating, Wolf says.
7. Ensure Good Isolation Across Network Segments
As enterprises go virtual, they shouldn't ignore security-related network traffic risks. But some of these risks can inadvertently be overlooked, especially if IT leaders fail to bring networking and security staffers to the table while doing virtualization planning. "A lot of organizations simply use performance as the metric of how to consolidate," Wolf says. (When evaluating which application servers to co-locate as VMs on one physical box, IT teams tend to first focus on how performance-hungry those application servers will be, since you want to avoid asking any one physical box to bear too much load.) "They forget because of security restrictions on network traffic that they shouldn't locate these VMs together," Wolf says.
For example, some CIOs are deciding not to allow any virtualized servers in the DMZ (the demilitarized zone: the subnetwork that houses Internet-facing services such as e-commerce servers and acts as a buffer between the Net and the LAN).
If you do have some VMs in the DMZ, you may want them on physically separate network segments from some of your other systems, say a critical Oracle database server, Wolf says.
At Arch Coal, the IT team thought about the DMZ from the start, Abbene says.
They've deployed virtual servers on the internal LAN but nowhere public facing. "That was a key early decision," Abbene says. For example, the company has some secure FTP servers and some servers doing lightweight electronic commerce in the DMZ; it has no plans to introduce VMs there, he says.
8. Worry About Switches
When is a switch not a switch? "Some virtual switches behave like a hub today: Every port is mirrored to all the other ports on the virtual switch," Burton Group's Wolf says. Microsoft Virtual Server in particular presents this problem today, Wolf says. VMware's ESX Server does not, nor does Citrix XenServer. "People hear the term 'switch' and think isolation exists. It really varies by vendor," Wolf says.
Microsoft has said the switch issue will be addressed in Microsoft's upcoming Viridian server virtualization software product, Wolf adds.
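To make the hub-versus-switch distinction from section 8 concrete, here is an added toy model (not code from the article or from any vendor) of both forwarding behaviours, with an audit that counts how many unicast frames each port receives that were addressed to someone else. The VM MAC addresses and traffic are constructed; note that even a proper learning switch floods a frame whose destination it has not yet learned, which is why the physical segmentation advised in section 7 still matters.

```python
from dataclasses import dataclass
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample: three VMs on one virtual switch, port -> MAC (made-up addresses).
VMS = {1: "00:50:56:00:00:01", 2: "00:50:56:00:00:02", 3: "00:50:56:00:00:03"}

@dataclass(frozen=True)
class Frame:
    in_port: int   # port the frame arrived on
    src: str       # source MAC
    dst: str       # destination MAC

class HubLikeSwitch:
    """Hub behaviour: every frame is mirrored to every other port."""
    def __init__(self, vms):
        self.ports = set(vms)

    def forward(self, frame):
        return self.ports - {frame.in_port}

class LearningSwitch:
    """Switch behaviour: learn source MACs, send known unicast to one port,
    flood broadcast and unknown-unicast frames to every other port."""
    def __init__(self, vms):
        self.ports = set(vms)
        self.mac_table = {}                      # MAC -> port, learned from sources

    def forward(self, frame):
        self.mac_table[frame.src] = frame.in_port
        out = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return self.ports - {frame.in_port}  # flood
        return {out}

def foreign_unicast_seen(switch, frames, vms=VMS):
    """Audit: per port, count delivered unicast frames addressed to some other
    VM's MAC. A non-zero count is traffic a guest on that port should never see."""
    seen = {}
    for f in frames:
        for port in switch.forward(f):
            if f.dst != BROADCAST and vms[port] != f.dst:
                seen[port] = seen.get(port, 0) + 1
    return seen

# Constructed traffic: VM1 and VM2 talk to each other; VM3 is a bystander.
SAMPLE_FRAMES = [
    Frame(1, VMS[1], VMS[2]),     # VM2's MAC not yet learned: even a real switch floods this
    Frame(2, VMS[2], VMS[1]),
    Frame(1, VMS[1], VMS[2]),
    Frame(1, VMS[1], BROADCAST),
]
```

Running `foreign_unicast_seen` over the sample gives `{3: 3}` for the hub-like switch (the bystander sees every unicast frame) and `{3: 1}` for the learning switch (only the first, unknown-destination frame reaches it).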