You can modify networking policies for multiple port groups on a distributed switch.


  • Open a vSphere Client connection to a vCenter Server.
  • Create a vSphere distributed switch with one or more port groups.


  1. Log in to the vSphere Client and select the Networking inventory view.
  2. Right-click the distributed switch and select Manage Port Groups.
  3. Select the policy categories to modify.
    Option Description
    Security Set MAC address changes, forged transmits, and promiscuous mode for the selected port groups.
    Traffic Shaping Set the average bandwidth, peak bandwidth, and burst size for inbound and outbound traffic on the selected port groups.
    VLAN Configure how the selected port groups connect to physical VLANs.
    Teaming and Failover Set load balancing, failover detection, switch notification, and failover order for the selected port groups.
    Resource Allocation Set network resource pool association for the selected port groups. This option is available for vSphere distributed switch versions 5.0.0 and later only.
    Monitoring Enable or disable NetFlow on the selected port groups. This option is available for vSphere distributed switch versions 5.0.0 and later only.
    Miscellaneous Enable or disable port blocking on the selected port groups.
  4. Click Next.
  5. Select one or more port groups to modify and click Next.
    The policy configuration page appears. Only the policy categories you previously selected are displayed.
  6. (Optional) In the Security group, select whether to reject or accept the Security policy exceptions.
    Option Description
    Promiscuous Mode
    • Reject — Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
    • Accept — Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere distributed switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
    MAC Address Changes
    • Reject — If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.

      If the Guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.

    • Accept — Changing the MAC address from the Guest OS has the intended effect: frames to the new MAC address are received.
    Forged Transmits
    • Reject — Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.
    • Accept — No filtering is performed and all outbound frames are passed.
  7. (Optional) In the Traffic Shaping group, you can configure both Ingress Traffic Shaping and Egress Traffic Shaping.
    When traffic shaping is disabled, the tunable features are dimmed.

    Status — If you enable the policy exception for either Ingress Traffic Shaping or Egress Traffic Shaping in the Status field, you are setting limits on the amount of networking bandwidth allocated for each distributed port associated with the selected port groups. If you disable the policy, the amount of network bandwidth is not limited before it reaches the physical network.

  8. (Optional) Specify network traffic parameters.
    Option Description
    Average Bandwidth Establishes the number of bits per second to allow across a port, averaged over time—the allowed average load.
    Peak Bandwidth The maximum number of bits per second to allow across a port when it is sending/receiving a burst of traffic. This tops the bandwidth used by a port whenever it is using its burst bonus.
    Burst Size The maximum number of bytes to allow in a burst. If this parameter is set, a port may gain a burst bonus when it doesn’t use all its allocated bandwidth. Whenever the port needs more bandwidth than specified by Average Bandwidth, it may be allowed to temporarily transmit data at a higher speed if a burst bonus is available. This parameter tops the number of bytes that may be accumulated in the burst bonus and thus transferred at a higher speed.
  9. (Optional) Select the VLAN Type to use.
    Option Description
    None Do not use VLAN.
    VLAN In the VLAN ID field, enter a number between 1 and 4094.
    VLAN Trunking Enter a VLAN trunk range.
    Private VLAN Select an available private VLAN to use.
  10. (Optional) In the Teaming and Failover group specify the following.
    Option Description
    Load Balancing Specify how to choose an uplink.
    • Route based on the originating virtual port — Choose an uplink based on the virtual port where the traffic entered the distributed switch.
    • Route based on IP hash — Choose an uplink based on a hash of the source and destination IP addresses of each packet. For non-IP packets, whatever is at those offsets is used to compute the hash.
    • Route based on source MAC hash — Choose an uplink based on a hash of the source Ethernet MAC address.
    • Route based on physical NIC load — Choose an uplink based on the current loads of physical NICs.
    • Use explicit failover order — Always use the highest order uplink from the list of Active adapters which passes failover detection criteria.
    Note: IP-based teaming requires that the physical switch be configured with etherchannel. For all other options, etherchannel should be disabled.
    Network Failover Detection Specify the method to use for failover detection.
    • Link Status only – Relies solely on the link status that the network adapter provides. This option detects failures such as cable pulls and physical switch power failures, but not configuration errors such as a physical switch port that is blocked by spanning tree or misconfigured to the wrong VLAN, or cable pulls on the other side of a physical switch.
    • Beacon Probing – Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine link failure. This detects many of the failures previously mentioned that are not detected by link status alone.
    Note: Do not use beacon probing with IP-hash load balancing.
    Notify Switches Select Yes or No to notify switches in the case of failover.

    If you select Yes, whenever a virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic would be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is desirable for the lowest latency of failover occurrences and migrations with vMotion.

    Note: Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode.
    Failback Select Yes or No to enable or disable failback.

    This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to Yes (default), the adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement.

    Failover Order Specify how to distribute the work load for uplinks. If you want to use some uplinks but reserve others for emergencies in case the uplinks in use fail, set this condition by moving them into different groups:
    • Active Uplinks — Continue to use the uplink when the network adapter connectivity is up and active.
    • Standby Uplinks — Use this uplink if the connectivity of one of the active adapters is down.
    • Unused Uplinks — Do not use this uplink.
    Note: When using IP-hash load balancing, do not configure standby uplinks.
  11. (Optional) In the Resource Allocation group, choose the Network Resource Pool to associate the distributed port group with from the drop-down menu.
  12. (Optional) In the Monitoring group, choose the NetFlow status.
    Option Description
    Disabled NetFlow is disabled on the distributed port group.
    Enabled NetFlow is enabled on the distributed port group. NetFlow settings can be configured at the vSphere distributed switch level.
  13. (Optional) In the Miscellaneous group, choose whether to Block all ports in this distributed port group.
  14. Click Next.
    All displayed policies are applied to all selected port groups, including those policies that have not been changed.
  15. (Optional) If you need to make any changes, click Back to return to the appropriate screen.
  16. Review the port group settings and click Finish.
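
Because every displayed policy is applied to all selected port groups, it helps to check the intended settings against the constraints stated in this procedure before clicking Finish. The following is an added example, not VMware code: it lints the Security exceptions, the 1 to 4094 VLAN ID range, and the IP-hash teaming notes. The dictionary layout, key names, and sample port groups are assumptions constructed for illustration.

```python
# Added example: offline lint of distributed port group policy settings.
# The dict layout and key names are a hypothetical export format, not a vSphere API schema.
SECURITY_KEYS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")

def lint_port_group(pg):
    """Return a list of findings for one port group policy dict."""
    findings = []
    # Security group: report each exception set to Accept (missing key assumed Reject).
    security = pg.get("security", {})
    for key in SECURITY_KEYS:
        if str(security.get(key, "Reject")).lower() == "accept":
            findings.append(f"security: {key} is Accept")
    # VLAN type "VLAN" takes an ID between 1 and 4094.
    vlan = pg.get("vlan", {})
    if vlan.get("type") == "VLAN":
        vid = vlan.get("id")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            findings.append(f"vlan: id {vid!r} is outside 1-4094")
    # Teaming notes: no beacon probing and no standby uplinks with IP hash.
    team = pg.get("teaming", {})
    if team.get("load_balancing") == "ip_hash":
        if team.get("failover_detection") == "beacon_probing":
            findings.append("teaming: beacon probing with IP-hash load balancing")
        if team.get("standby_uplinks"):
            findings.append("teaming: standby uplinks with IP-hash load balancing")
    return findings

def lint_switch(port_groups):
    """Map port group name to its findings, omitting clean port groups."""
    report = {pg["name"]: lint_port_group(pg) for pg in port_groups}
    return {name: f for name, f in report.items() if f}

# Constructed sample data, not taken from a real environment.
SAMPLE = [
    {"name": "pg-web",
     "security": dict.fromkeys(SECURITY_KEYS, "Reject"),
     "vlan": {"type": "VLAN", "id": 110},
     "teaming": {"load_balancing": "originating_port", "failover_detection": "link_status",
                 "standby_uplinks": ["uplink3"]}},
    {"name": "pg-capture",
     "security": {"promiscuous_mode": "Accept", "forged_transmits": "Accept"},
     "vlan": {"type": "VLAN", "id": 4095},
     "teaming": {"load_balancing": "ip_hash", "failover_detection": "beacon_probing",
                 "standby_uplinks": ["uplink2"]}},
]

if __name__ == "__main__":
    for name, findings in lint_switch(SAMPLE).items():
        print(name, *findings, sep="\n  ")
```

Standby uplinks on `pg-web` are not reported because the restriction in the notes applies only to IP-hash load balancing.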