You can modify networking policies for multiple port groups on a vSphere Distributed Switch.
Prerequisite: Create a vSphere Distributed Switch with one or more port groups.
- On the vSphere Client Home page, click Networking and navigate to the distributed switch.
- Right-click the distributed switch in the object navigator and select .
- On the Select port group policies page, select the check box next to the policy categories to modify and click Next.
| Option | Description |
| --- | --- |
| Security | Set MAC address changes, forged transmits, and promiscuous mode for the selected port groups. |
| Traffic shaping | Set the average bandwidth, peak bandwidth, and burst size for inbound and outbound traffic on the selected port groups. |
| VLAN | Configure how the selected port groups connect to physical VLANs. |
| Teaming and failover | Set load balancing, failover detection, switch notification, and failover order for the selected port groups. |
| Resource allocation | Set network resource pool association for the selected port groups. |
| Monitoring | Enable or disable NetFlow on the selected port groups. |
| Miscellaneous | Enable or disable port blocking on the selected port groups. |
- On the Select port groups page, select the distributed port group(s) to edit and click Next.
- (Optional) On the Security page, use the drop-down menus to edit the security exceptions and click Next.
Promiscuous mode
- Reject. Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
- Accept. Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere Distributed Switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
MAC address changes
- Reject. If set to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.
If the Guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
- Accept. Changing the MAC address from the Guest OS has the intended effect. Frames to the new MAC address are received.
Forged transmits
- Reject. Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.
- Accept. No filtering is performed and all outbound frames are passed.
- (Optional) On the VLAN page, use the drop-down menus to edit the VLAN policy and click Next.
| Option | Description |
| --- | --- |
| None | Do not use VLAN. |
| VLAN | In the VLAN ID field, enter a number between 1 and 4094. |
| VLAN trunking | Enter a VLAN trunk range. |
| Private VLAN | Select an available private VLAN to use. |
- (Optional) On the Traffic shaping page, use the drop-down menus to enable or disable Ingress or Egress traffic shaping and click Next.
| Option | Description |
| --- | --- |
| Status | If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting limits on the amount of networking bandwidth allocated for each VMkernel adapter or virtual network adapter associated with this port group. If you disable the policy, services have a free, clear connection to the physical network by default. |
| Average bandwidth | Establishes the number of bits per second to allow across a port, averaged over time, that is, the allowed average load. |
| Peak bandwidth | The maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic. This maximum number tops the bandwidth used by a port whenever it is using its burst bonus. |
| Burst size | The maximum number of bytes to allow in a burst. If this parameter is set, a port might gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port needs more bandwidth than specified by Average bandwidth, it might be allowed to transmit data at a higher speed if a burst bonus is available. This parameter tops the number of bytes that can be accumulated in the burst bonus and transferred at a higher speed. |
- (Optional) On the Teaming and failover page, use the drop-down menus to edit the settings and click Next.
Load balancing
Select how to choose an uplink. IP-based teaming requires that the physical switch be configured with EtherChannel. For all other options, EtherChannel should be disabled.
- Route based on the originating virtual port. Choose an uplink based on the virtual port where the traffic entered the distributed switch.
- Route based on IP hash. Choose an uplink based on a hash of the source and destination IP addresses of each packet. For non-IP packets, whatever is at those offsets is used to compute the hash.
- Route based on source MAC hash. Choose an uplink based on a hash of the source Ethernet MAC address.
- Route based on physical NIC load. Choose an uplink based on the current loads of physical NICs.
- Use explicit failover order. Always use the highest order uplink, from the list of Active adapters, which passes failover detection criteria.
Network failure detection
Select the method to use for failover detection.
- Link status only. Relies solely on the link status that the network adapter provides. This option detects failures such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port that is blocked by spanning tree or misconfigured to the wrong VLAN, or cable pulls on the other side of a physical switch.
- Beacon probing. Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine link failure. Do not use beacon probing with IP-hash load balancing.
Notify switches
Select Yes or No to notify switches in the case of failover. Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode.
If you select Yes, whenever a virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic is routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. Use this process for the lowest latency of failover occurrences and migrations with vMotion.
If Notify switches is set to Yes, then all the connected ports, port groups, and distributed switches are connected back to the host when vCenter Server reconnects with ESXi hosts.
Failback
Select Yes or No to enable or disable failback. This option determines how a physical adapter is returned to active duty after recovering from a failure.
- Yes (default). The adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any.
- No. A failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement.
Failover order
Select how to distribute the work load for uplinks. To use some uplinks but reserve others in case the uplinks in use fail, set this condition by moving them into different groups.
- Active uplinks. Continue to use the uplink when the network adapter connectivity is up and active.
- Standby uplinks. Use this uplink if the connectivity of one of the active adapters is down. When using IP-hash load balancing, do not configure standby uplinks.
- Unused uplinks. Do not use this uplink.
- (Optional) On the Resource allocation page, use the Network resource pool drop-down menu to add or remove resource allocations and click Next.
- (Optional) On the Monitoring page, use the drop-down menu to enable or disable NetFlow and click Next.
| Option | Description |
| --- | --- |
| Disabled | NetFlow is disabled on the distributed port group. |
| Enabled | NetFlow is enabled on the distributed port group. You can configure NetFlow settings at the vSphere Distributed Switch level. |
- (Optional) On the Miscellaneous page, select Yes or No from the drop-down menu and click Next.
Select Yes to shut down all ports in the port group. This shutdown might disrupt the normal network operations of the hosts or virtual machines using the ports.
- Review your settings on the Ready to complete page and click Finish.
Use the Back button to change any settings.
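
The frame-handling rules from the Security page step, written out as an added example (not VMware code): a simplified Python model of what Reject and Accept mean for promiscuous mode, MAC address changes, and forged transmits. The class and function names, the single-VLAN-ID stand-in for the VLAN policy, the order of the checks, and the sample MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class SecurityPolicy:            # True = Accept, False = Reject
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False

@dataclass
class VNic:
    vmx_mac: str                 # MAC recorded in the .vmx configuration file
    effective_mac: str           # MAC the guest OS currently has set
    vlan: int                    # VLAN ID of the port group (simplified VLAN policy)
    guest_promisc: bool = False  # guest put the adapter in promiscuous mode

@dataclass
class Frame:
    src: str
    dst: str
    vlan: int

def inbound_delivered(policy, nic, frame):
    """Would the port hand this frame to the guest adapter?"""
    if frame.vlan != nic.vlan:
        return False             # VLAN policy bounds everything, promiscuous included
    if not policy.mac_changes and nic.effective_mac != nic.vmx_mac:
        return False             # MAC address changes = Reject: all inbound dropped
    if policy.promiscuous and nic.guest_promisc:
        return True              # Promiscuous = Accept: sees every allowed frame
    return frame.dst in (nic.effective_mac, BROADCAST)

def outbound_passed(policy, nic, frame):
    """Would the port forward this frame sent by the guest?"""
    if policy.forged_transmits:
        return True              # Forged transmits = Accept: no filtering
    return frame.src == nic.effective_mac

if __name__ == "__main__":
    # Constructed sample values, not taken from any real environment.
    vmx, other, changed = "00:50:56:00:00:01", "00:50:56:00:00:02", "02:00:00:00:00:99"
    listener = VNic(vmx, vmx, vlan=10, guest_promisc=True)
    renamed = VNic(vmx, changed, vlan=10)
    for name, pol in (("reject", SecurityPolicy()), ("accept", SecurityPolicy(True, True, True))):
        print(name,
              "| frame for another VM received:", inbound_delivered(pol, listener, Frame(changed, other, 10)),
              "| inbound after MAC change:", inbound_delivered(pol, renamed, Frame(other, changed, 10)),
              "| mismatched source sent:", outbound_passed(pol, listener, Frame(changed, other, 10)))
```

With all three options set to Reject, each scenario in the demo is blocked; with all three set to Accept, each one passes, which is why Accept is treated as an exception to grant per port group.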