You can modify networking policies for multiple port groups on a vSphere Distributed Switch.
Create a vSphere Distributed Switch with one or more port groups.
- In the vSphere Web Client, navigate to the distributed switch.
- Right-click the distributed switch in the object navigator and select .
- On the Select port group policies page, select the check box next to the policy categories to modify and click Next.
Option Description Security Set MAC address changes, forged transmits, and promiscuous mode for the selected port groups. Traffic shaping Set the average bandwidth, peak bandwidth, and burst size for inbound and outbound traffic on the selected port groups. VLAN Configure how the selected port groups connect to physical VLANs. Teaming and failover Set load balancing, failover detection, switch notification, and failover order for the selected port groups. Resource allocation Set network resource pool association for the selected port groups. This option is available for vSphere Distributed Switch version 5.0. and later. Monitoring Enable or disable NetFlow on the selected port groups. This option is available for vSphere Distributed Switch version 5.0.0 and later. Traffic filtering and marking Configure policy for filtering (allow or drop) and for marking certain types of traffic through the ports of selected port groups. This option is available for vSphere Distributed Switch version 5.5 and later . Miscellaneous Enable or disable port blocking on the selected port groups.
- On the Select port groups page, select the distributed port group(s) to edit and click Next.
- (Optional) On the Security page, use the drop-down menus to edit the security exceptions and click Next.
Option Description Promiscuous mode
- Reject. Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
- Accept. Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere Distributed Switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
MAC address changes
- Reject. If set to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.
If the Guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
- Accept. Changing the MAC address from the Guest OS has the intended effect. Frames to the new MAC address are received.
- Reject. Any outbound frame with a source MAC address that is different from the one currently set on the adapter are dropped.
- Accept. No filtering is performed and all outbound frames are passed.
- (Optional) On the Traffic shaping page, use the drop-down menus to enable or disable Ingress or Egress traffic shaping and click Next.
Option Description Status If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting limits on the amount of networking bandwidth allocated for each VMkernel adapter or virtual network adapter associated with this port group. If you disable the policy, services have a free, clear connection to the physical network by default. Average bandwidth Establishes the number of bits per second to allow across a port, averaged over time, that is, the allowed average load. Peak bandwidth The maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic. This maximum number tops the bandwidth used by a port whenever it is using its burst bonus. Burst size The maximum number of bytes to allow in a burst. If this parameter is set, a port might gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port needs more bandwidth than specified by Average bandwidth, it might be allowed to transmit data at a higher speed if a burst bonus is available. This parameter tops the number of bytes that can be accumulated in the burst bonus and transferred at a higher speed.
- (Optional) On the VLAN page, use the drop-down menus to edit the VLAN policy and click Next.
Option Description None Do not use VLAN. VLAN In the VLAN ID field, enter a number between 1 and 4094. VLAN trunking Enter a VLAN trunk range. Private VLAN Select an available private VLAN to use.
- (Optional) On the Teaming and failover page, use the drop-down menus to edit the settings and click Next.
Option Description Load balancing IP-based teaming requires that the physical switch be configured with ether channel. For all other options, ether channel should be disabled. Select how to choose an uplink.
- Route based on the originating virtual port. Choose an uplink based on the virtual port where the traffic entered the distributed switch.
- Route based on IP hash. Choose an uplink based on a hash of the source and destination IP addresses of each packet. For non-IP packets, whatever is at those offsets is used to compute the hash.
- Route based on source MAC hash. Choose an uplink based on a hash of the source Ethernet.
- Route based on physical NIC load. Choose an uplink based on the current loads of physical NICs.
- Use explicit failover order. Always use the highest order uplink, from the list of Active adapters, which passes failover detection criteria.
Network failure detection Select the method to use for failover detection.
- Link status only. Relies solely on the link status that the network adapter provides. This option detects failures, such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port being blocked by spanning tree or that is misconfigured to the wrong VLAN or cable pulls on the other side of a physical switch.
- Beacon probing. Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine link failure. Do not use beacon probing with IP-hash load balancing.
Select Yes or No to notify switches in the case of failover. Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode.
If you select Yes, whenever a virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic is routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. Use this process for the lowest latency of failover occurrences and migrations with vMotion.
Failback Select Yes or No to disable or enable failback.This option determines how a physical adapter is returned to active duty after recovering from a failure.
- Yes (default). The adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any.
- No. A failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement.
Failover order Select how to distribute the work load for uplinks. To use some uplinks but reserve others in case the uplinks in use fail, set this condition by moving them into different groups.
- Active uplinks. Continue to use the uplink when the network adapter connectivity is up and active.
- Standby uplinks . Use this uplink if one of the active adapter’s connectivity is down. When using IP-hash load balancing, do not configure standby uplinks.
- Unused uplinks . Do not use this uplink.
- (Optional) On the Resource allocation page, use the Network resource pool drop-down menu to add or remove resource allocations and click Next.
- (Optional) On the Monitoring page, use the drop-menu to enable or disable NetFlow and click Next.
Option Description Disabled NetFlow is disabled on the distributed port group. Enabled NetFlow is enabled on the distributed port group. You can configure NetFlow settings at the vSphere Distributed Switch level.
- (Optional) On the Traffic filtering and marking page, enable or disable traffic filtering and marking from Status drop-down menu, configure traffic rules for filtering or marking specific data flows, and click Next.
You can set the following attributes of a rule determining the target traffic and the action on it:
Option Description Name Name of the rule Action
- Allow. Grant access to traffic of a certain type.
- Drop. Deny access to traffic of a certain type.
- Tag. Classify traffic in terms of QoS by inserting or retagging traffic with a CoS and DSCP tag.
Traffic direction Set whether the rule is for incoming, outgoing or incoming and outgoing traffic.
The direction also influences how you are going to identify the traffic source and destination.
System traffic qualifier Indicate that the rule scopes over system traffic and set the type of infrastructure protocol to apply the rule on. For example, mark with a priority tag the traffic for management from vCenter Server. MAC qualifier Qualify the traffic for the rule by Layer 2 header.
- Protocol type. Set the next level protocol (IPv4, IPv6, etc.) consuming the payload.
This attribute corresponds to the EtherType field in Ethernet frames.
You can select a protocol from the drop-down menu or type its hexadecimal number
For example, to locate traffic for the Link Layer Discovery Protocol (LLDP) protocol, type 88CC.
- VLAN ID. Locate traffic by VLAN.
The VLAN ID qualifier on a distributed port group works with Virtual Guest Tagging (VGT).
If you have a flow tagged with a VLAN ID through Virtual Switch Tagging (VST), you cannot locate the flow by this ID in a distributed port group rule. The reason is that the distributed switch checks the rule conditions, including the VLAN ID, after the switch has already untagged the traffic. To match successfully traffic to a VLAN ID, use a rule for an uplink port group or uplink port.
- Source Address. Set a single MAC address or a MAC network to match packets by source address.
For a MAC network you enter the lowest address in the network and a wildcard mask. The mask contains zeroes at the positions of the network bits, and ones for the host part.
For example, for a MAC network with prefix 05:50:56 that is 23 bits long, set the address as 00:50:56:00:00:00 and the mask as 00:00:01:ff:ff:ff.
- Destination Address. Set a single MAC address or a MAC network to match packets by destination address. The MAC destination address supports the same format as the source address.
IP qualifier Qualify the traffic for the rule by Layer 3 header.
- Protocol. Set the next level protocol (TCP, UDP, etc.) consuming the payload.
You can select a protocol from the drop-down menu or type its decimal number according to RFC 1700, Assigned Numbers.
For TCP and UDP protocol, you can also set source and destination port.
- Source port. Match TCP or UDP packets to a source port. Consider the direction of the traffic that is within the scope of the rule when determining the source port to match packets to.
- Destination port. Match TCP or UDP packets by the source port. Consider the direction of the traffic that is within the scope of the rule when determining the destination port to match packets to.
- Source Address. Set the IP version, a single IP address or a subnet to match packets by source address.
For a subnet you enter the lowest address and the bit length of the prefix.
- Destination Address. Set the IP version, a single IP address or a subnet to match packets by source address. The IP destination address supports the same format as the source address.
- (Optional) On the Miscellaneous page, select Yes or No from the drop-down menu and click Next.
Select Yes to shut down all ports in the port group. This shutdown might disrupt the normal network operations of the hosts or virtual machines using the ports.
- Review your settings on the Ready to complete page and click Finish.
Use the Back button to change any settings.