Thank you, daphnissov, for your response.
Yes, you are right, I placed my question regarding Management Network isolation a bit strangely. OK, so I will place my Management network on my LAN network; it makes sense, since it is on the same network 192.168.1.0/24. I will then have a spare NIC and I can assign that NIC to vSwitch 1. Should I move Sophos LAN to Management Network (vSwitch0) or Management Network to Sophos LAN (vSwitch1)? Does it make any difference which to move where, and why? I'm asking because Management Network is on a VMkernel port? Like you suggested, I will then assign the Management Network port group a VLAN ID (for example 10). Should Sophos LAN then be assigned VLAN ID 4095 in that case?
Yes, I wasn't referring to the Sophos VM when talking about other VMs to be isolated. I just want the port groups (client, guest, server) assigned by VLAN to be isolated from each other and from my Sophos LAN but still have a connection to the internet. My question here is: all I need to do in ESXi is to assign the port groups different VLAN IDs (client to 100, guest to 110 and server to 120)? I suppose routing is done via the Sophos management interface? This VLAN thing is still confusing for me.