After Googling, I found a solution like this:
+ Create a Linux VM that has security tools like snort, iptables
+ Add 2 vNIC interfaces to this VM: one connected to the internet vswitch for management with a public IP (eth0), one connected to the Portgroup with VLAN ID 4095 (eth1)
In this scenario, I think snort can monitor all traffic flowing through the vswitch by monitoring the eth1 interface, but I don't know how iptables can handle this traffic?