Computers have Network Interface Controllers (NICs) which are either cards or part of the motherboard. The NIC has a level 2 address (the MAC address which is hard coded from the manufacturer)
Used as a physical computer, we will assign to the NIC a layer 3 address – the IP address.
When we use the physical computer as a virtualization host it is a bit different. In this scenario, the NIC is assigned to a software program known as a virtual switch. This software program functions just like a physical layer 2 switch. The host will then have software based virtual NICs for itself and for each virtual guest machine with different MAC addresses. And it is these virtual NICs which will be assigned a layer 3 IP address.
It is possible to segment the network by having the virtual hosts on a different network subnet (layer 3) and/or broadcast domain (layer 2) to the guests. This provides very strong isolation of the host machines to malware running on the general computer network.
Best practice to achieve this isolation is to have the host machines connected with a separate physical NIC to their own broadcast domain and subnet and to have the virtual guests connected to the virtual switch (on the host) and to not have any host virtual NIC connected to the switch. This means a minimum of 2 physical NICs in the host computer