Assign priority tags in a rule for traffic that needs special treatment such as VoIP and streaming video. You can mark the traffic for a virtual machine, VMkernel adapter, or physical adapter with a CoS tag in Layer 2 of the network protocol stack or with a DSCP tag in Layer 3.

Priority tagging is a mechanism to mark traffic that has higher QoS demands. In this way, the network can recognize different classes of traffic. The network devices can handle the traffic from each class according to its priority and requirements.

You can also re-tag traffic to either raise or lower the importance of the flow. By using a low QoS tag, you can restrict data tagged in a guest operating system.


To override a policy on distributed port level, enable the port-level override option for this policy. See Configure Overriding Networking Policies on Port Level.


  1. Navigate to a distributed switch and then navigate to a distributed port or an uplink port.
    • To navigate to the distributed ports of the switch, click Networks > Distributed Port Groups, double-click a distributed port group from the list, and click the Ports tab.
    • To navigate to the uplink ports of an uplink port group, click Networks > Uplink Port Groups, double-click an uplink port group from the list, and click the Ports tab.
  2. Select a port from the list.
  3. Click Edit distributed port settings.
  4. If traffic filtering and marking is not enabled at the port level, click Override, and from the Status drop-down menu, select Enabled.
  5. Click New to create a new rule, or select a rule and click Edit to edit it.
    You can change a rule inherited from the distributed port group or uplink port group. In this way, the rule becomes unique within the scope of the port.
  6. In the network traffic rule dialog box, select the Tag option from the Action drop-down menu.
  7. Set the priority tag for the traffic within the scope of the rule.
    Option Description
    CoS value Mark the traffic matching the rule with a CoS priority tag in network Layer 2. Select Update CoS tag and type a value from 0 to 7.
    DSCP value Mark the traffic associated with the rule with a DSCP tag in network Layer 3. Select Update DSCP value and type a value from 0 to 63.
  8. Specify the kind of traffic that the rule is applicable to.
    To determine if a data flow is in the scope of a rule for marking or filtering, the vSphere distributed switch examines the direction of the traffic, and properties like source and destination, VLAN, next level protocol, infrastructure traffic type, and so on.
    1. From the Traffic direction drop-down menu, select whether the traffic must be ingress, egress, or both so that the rule recognizes it as matching.

      The direction also influences how you are going to identify the traffic source and destination.

    2. By using qualifiers for system data type, Layer 2 packet attributes, and Layer 3 packet attributes set the properties that packets must have to match the rule.

      A qualifier represents a set of matching criteria related to a networking layer. You can match traffic to system data type, Layer 2 traffic properties, and Layer 3 traffic properties. You can use the qualifier for a specific networking layer or can combine qualifiers to match packets more precisely.

      • Use the system traffic qualifier to match packets to the type of virtual infrastructure data that is flowing through the ports of the group . For example, you can select NFS for data transfers to network storage.
      • Use the MAC traffic qualifier to match packets by MAC address, VLAN ID, and next level protocol.

        Locating traffic with a VLAN ID on a distributed port group works with Virtual Guest Tagging (VGT). To match traffic to VLAN ID if Virtual Switch Tagging (VST) is active, use a rule on an uplink port group or uplink port.

      • Use the IP traffic qualifier to match packets by IP version, IP address, and next level protocol and port.
  9. In the rule dialog box, click OK to save the rule.