External "provider" networks are mapped to port groups within the vCenter that is attached to vCloud Director. I don't believe it is recommended to isolate or not isolate that port group to its own switch. You might want to take a look into the vCAT and see if there are further recommendations/best practices related to isolated vDSs.