Nimbostratus
EmployeeSubnets for the VLANs are defined by your self IPs. So if the VIP shares the subnet with the self-IP you could say that it belongs to that VLAN (it will be in the broadcast domain); however, as you suspected "All VLANs and Tunnels" on the virtual server means that as long as there is some way for traffic to reach the VIP, it will accept connections on any VLAN even if the VIP is not on the same subnet as a self IP or any self IP. You can disable or enable specific VLANs if you want to isolate the VLANs that the VIP listens on. If not separated by the VLANs themselves, the virtual server traffic is separated by the most specific destination IP, port and source IP. Check out K14800: Order of precedence for virtual server matching (11.3.0 and later) for more info. So I don't foresee an issue with leaving the setting "All VLANs and Tunnels" on the virtual server. That's pretty common to leave at default, but you'll have to figure out what's best in your environment.