I think you can make this a lot simpler by not using VLANs. Remember that the vswitch acts like a switch, so guest VMs won't receive non-broadcast iSCSI traffic destined for other guests (assuming you don't turn on promiscuous mode). That should take care of the visibility part. To solve the access part of your question, you can simply use initiator groups to not expose LUNs to the VMs' IPs so they can't see them. If you're concerned about someone malicious messing with the IP addresses to get access to something they shouldn't, you can turn on CHAP authentication, which would require a secret in order to access the LUNs. Personally, I always like to use CHAP authentication even if I control the entire stack.
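Added illustration of the two controls in the answer above (initiator groups for masking, CHAP for proof of a secret); this is example code written for this page, not the answerer's setup or any target vendor's code. The IQNs, LUN numbers and CHAP secrets are constructed, and the model keys initiator groups on the IQN rather than the IP the answer mentions (real targets support either or both). The CHAP arithmetic is the RFC 1994 MD5 scheme iSCSI negotiates as CHAP_A=5.

```python
import hashlib
import hmac
import os

# Added example, not from the original answer: a toy model of an iSCSI target's
# access control, with constructed identities and secrets. It shows why initiator
# groups (LUN masking) alone only check a *claimed* identity, while CHAP requires
# proof of a shared secret. Real targets group initiators by IQN, IP or both; this
# model keys on the IQN. The CHAP math is RFC 1994 as used by iSCSI (CHAP_A=5, MD5).

# Hypothetical initiator groups: IQN -> set of LUN numbers that group may see.
INITIATOR_GROUPS = {
    "iqn.1998-01.com.vmware:esxi-host-01": {0, 1},   # hypervisor datastore LUNs
    "iqn.2005-03.org.example:guest-db": {2},         # one guest's own LUN
}

# Hypothetical CHAP secrets, one per initiator (the target stores them too).
CHAP_SECRETS = {
    "iqn.1998-01.com.vmware:esxi-host-01": "EsxiHostSecret01",
    "iqn.2005-03.org.example:guest-db": "GuestDbSecret022",
}


def chap_response(chap_i: int, secret: str, chap_c: bytes) -> bytes:
    """CHAP/MD5 response as in RFC 1994: MD5(identifier || secret || challenge).

    On the wire iSCSI carries CHAP_I, CHAP_C and CHAP_R as text key=value pairs
    (challenge and response hex-encoded); the bytes that get hashed are the same.
    """
    return hashlib.md5(bytes([chap_i & 0xFF]) + secret.encode() + chap_c).digest()


class Target:
    """Minimal target-side login check: masking first, CHAP second if enabled."""

    def __init__(self, require_chap: bool):
        self.require_chap = require_chap

    def login(self, claimed_iqn, answer_challenge):
        """Return the LUNs the session may see, or None if login is refused.

        answer_challenge(chap_i, chap_c) is the initiator's side of the CHAP
        exchange; it must return the 16-byte CHAP_R.
        """
        # Step 1: LUN masking. Only initiators in some group are considered.
        if claimed_iqn not in INITIATOR_GROUPS:
            return None
        # Step 2: CHAP. The target picks a fresh identifier and random challenge,
        # so a captured response cannot be replayed against a later login.
        if self.require_chap:
            chap_i = os.urandom(1)[0]
            chap_c = os.urandom(16)
            expected = chap_response(chap_i, CHAP_SECRETS[claimed_iqn], chap_c)
            chap_r = answer_challenge(chap_i, chap_c)
            if not hmac.compare_digest(expected, chap_r):
                return None
        return set(INITIATOR_GROUPS[claimed_iqn])


def honest_initiator(iqn):
    """An initiator that knows its own CHAP secret."""
    return iqn, lambda chap_i, chap_c: chap_response(chap_i, CHAP_SECRETS[iqn], chap_c)


def spoofing_initiator(iqn):
    """A guest that has forged the hypervisor's identity but not its secret."""
    return iqn, lambda chap_i, chap_c: chap_response(chap_i, "WrongGuess", chap_c)


def run_scenarios():
    esxi = "iqn.1998-01.com.vmware:esxi-host-01"
    masking_only = Target(require_chap=False)
    with_chap = Target(require_chap=True)
    return {
        # Masking alone: the spoofer sees the hypervisor's LUNs.
        "masking_only_spoof": masking_only.login(*spoofing_initiator(esxi)),
        # With CHAP: the real host still logs in, the spoofer is refused.
        "chap_honest": with_chap.login(*honest_initiator(esxi)),
        "chap_spoof": with_chap.login(*spoofing_initiator(esxi)),
        # An IQN in no initiator group is refused before CHAP is even attempted.
        "unknown_iqn": with_chap.login("iqn.2005-03.org.example:rogue",
                                       lambda i, c: b"\x00" * 16),
    }


if __name__ == "__main__":
    for name, luns in run_scenarios().items():
        print(f"{name:20s} -> {'refused' if luns is None else sorted(luns)}")
```

The point the scenarios make is the one in the answer: masking decides on what the initiator claims to be, so a guest that takes over the hypervisor's address (or IQN) walks straight in, whereas with CHAP turned on the same forged identity is refused because the response has to be computed from the secret. The random per-login challenge is what stops a sniffed CHAP_R from being replayed, which is why CHAP secrets should be long and per-initiator rather than one shared value.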