To enhance networking security and improve networking performance in the VMware Host Client, you can edit various port group settings, such as the port group name, VLAN ID, and virtual switch. You can also configure security, NIC teaming, and traffic shaping components.


  1. Click Networking in the VMware Host Client inventory and click Port groups.
  2. Right-click the port group in the list that you want to edit and select Edit settings.
  3. (Optional) Enter a new port group name.
  4. (Optional) Enter a new value for the VLAN ID.
    The VLAN ID reflects the VLAN tagging mode in the port group.
    | VLAN Tagging Mode | VLAN ID | Description |
    |---|---|---|
    | External Switch Tagging (EST) | | The virtual switch does not pass traffic associated with a VLAN. |
    | Virtual Switch Tagging (VST) | From 1 to 4094 | The virtual switch tags traffic with the tag that you entered. |
    | Virtual Guest Tagging (VGT) | | Virtual machines handle VLANs. The virtual switch permits traffic from any VLAN. |

  5. (Optional) Select a virtual switch from the drop-down menu.
  6. (Optional) Expand Security and select whether to reject, accept, or inherit the Security policy exceptions from vSwitch.
    Option Description
    Promiscuous Mode
    • Reject. Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
    • Accept. Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere distributed switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
    • Inherit from vSwitch. Placing a guest adapter in promiscuous mode causes it to inherit the configuration from the associated virtual switch.
    MAC Address Changes
    • Reject. If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.

      If the guest operating system changes back the MAC address to match the MAC address in the .vmx configuration file, inbound frames are passed again.

    • Accept. Changing the MAC address from the guest operating system has the intended effect: frames to the new MAC address are received.
    • Inherit from vSwitch. If you set MAC Address Changes to Inherit from vSwitch, the MAC address changes setting is inherited from the associated virtual switch.
    Forged Transmits
    • Reject. Any outbound frame with a source MAC address that is different from the one set on the adapter is dropped.
    • Accept. No filtering is performed and all outbound frames are passed.
    • Inherit from vSwitch. The outbound frame configuration is inherited from the associated virtual switch.
  7. (Optional) Expand NIC teaming and configure the following components.
    Option Description
    Load Balancing: Specify how to choose an uplink.
    • Inherit from vSwitch. Choose the uplink that is selected for the associated virtual switch.
    • Route based on IP hash. Choose an uplink based on a hash of the source and destination IP addresses of each packet. For non-IP packets, whatever is at those offsets is used to compute the hash.
    • Route based on source MAC hash. Choose an uplink based on a hash of the source Ethernet MAC address.
    • Route based on originating port ID. Choose an uplink based on the originating port ID.
    • Use explicit failover order. Always use the highest order uplink from the list of active adapters that passes failover detection criteria.
    Note: IP-based teaming requires the physical switch to be configured with EtherChannel. For all other options, EtherChannel must be disabled.
    Network Failover Detection: Specify the method to use for failover detection.
    • Inherit from vSwitch. Inherits the respective configuration of the associated virtual switch.
    • Link Status only. Relies only on the link status that the network adapter provides. This option detects failures such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port that is blocked by spanning tree or misconfigured to the wrong VLAN, or cable pulls on the other side of a physical switch.
    • Beacon only. Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine a link failure. This detects many of the failures that are not detected by link status only.
    Note: Do not use beacon probing with IP-hash load balancing.
    Notify Switches

    Select Yes, No, or Inherit from vSwitch to notify switches if a failover occurs.

    If you select Yes, when a virtual NIC is connected to the distributed switch or that virtual NIC’s traffic is routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is preferred for the lowest latency of failover occurrences and migrations with vMotion.

    Note: Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode.
    Failback: Select Yes, No, or Inherit from vSwitch to disable or enable failback.

    This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to the default setting of Yes, the adapter returns to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement.

    Failover Order: Specify how to distribute the workload for uplinks. If you want to use some uplinks but reserve others for emergencies in case the uplinks in use fail, set this condition by moving them into different groups:
    • Active Uplinks. Continue to use the uplink when the network adapter connectivity is up and active.
    • Standby Uplinks. Use this uplink if the connectivity of one of the active adapters is down.
    Note: When using IP-hash load balancing, do not configure standby uplinks. You cannot configure failover order if any of the port group components are configured to inherit the configuration from the associated virtual switch.
  8. (Optional) To configure traffic shaping, expand Traffic shaping, click Enabled, and specify the following parameters.
    Option Description
    Average Bandwidth: Establishes the number of bits per second to limit across a port, averaged over time (the allowed average load).
    Peak Bandwidth: The maximum number of bits per second to limit across a port when it is sending/receiving a burst of traffic. This is the maximum bandwidth used by a port whenever it is using its burst bonus.
    Burst Size: The maximum number of bytes to limit in a burst. If this parameter is set, a port might gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port needs more bandwidth than specified by Average Bandwidth, it might be allowed to temporarily transmit data at a higher speed if a burst bonus is available. This parameter represents the maximum number of bytes that might be accumulated in the burst bonus and so transferred at a higher speed.
    Traffic shaping policy is applied to the traffic of each virtual network adapter attached to the virtual switch.
  9. Click Save to apply your changes.
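
The following added example (not VMware code) resolves the "Inherit from vSwitch" settings from steps 6 and 7 to their effective values and flags the combinations the notes above warn against. The dictionary layout and all names in it are hypothetical, and the use of VLAN ID 4095 to select VGT is standard vSphere behaviour rather than a value taken from the table on this page.

```python
# Added example: lint a port group against the rules stated on this page.
# The dict layout is hypothetical, not an ESXi or Host Client export format.
SECURITY_KEYS = ("promiscuous", "mac_changes", "forged_transmits")

# Constructed sample: a virtual switch and a port group that overrides part of it.
VSWITCH = {
    "security": {"promiscuous": "reject", "mac_changes": "accept",
                 "forged_transmits": "accept"},
    "teaming": {"load_balancing": "ip_hash", "failover_detection": "link_status"},
}
PORT_GROUP = {
    "name": "pg-example",
    "vlan_id": 4095,
    "security": {"promiscuous": "accept", "mac_changes": "inherit",
                 "forged_transmits": "reject"},
    "teaming": {"load_balancing": "inherit", "failover_detection": "beacon",
                "standby_uplinks": ["vmnic2"]},
}

def effective(pg, vswitch, section, key):
    """Return (value, origin), resolving 'inherit' from the virtual switch."""
    value = pg[section].get(key, "inherit")
    if value == "inherit":
        return vswitch[section][key], "inherited"
    return value, "override"

def lint_port_group(pg, vswitch):
    findings = []
    # Security: a policy that resolves to Accept relaxes that layer-2 restriction.
    for key in SECURITY_KEYS:
        value, origin = effective(pg, vswitch, "security", key)
        if value == "accept":
            findings.append(f"security.{key}=accept ({origin})")
    # VLAN ID 4095 selects VGT: the switch permits traffic from any VLAN.
    if pg["vlan_id"] == 4095:
        findings.append("vlan_id=4095 (VGT)")
    # Teaming notes: no beacon probing and no standby uplinks with IP hash.
    balancing, _ = effective(pg, vswitch, "teaming", "load_balancing")
    detection, _ = effective(pg, vswitch, "teaming", "failover_detection")
    if balancing == "ip_hash" and detection == "beacon":
        findings.append("teaming: beacon probing with IP hash")
    if balancing == "ip_hash" and pg["teaming"].get("standby_uplinks"):
        findings.append("teaming: standby uplinks with IP hash")
    return findings

if __name__ == "__main__":
    for finding in lint_port_group(PORT_GROUP, VSWITCH):
        print(f"{PORT_GROUP['name']}: {finding}")
```

The MAC Address Changes finding is reported as inherited: a port group left on Inherit from vSwitch takes on whatever the virtual switch allows, so both levels need review.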