Learn how to allow or stop traffic for securing the data that flows through the ports of a distributed port group or uplink port group.
Procedure
- Locate a distributed port group or an uplink port group in the vSphere Client.
- Select a distributed switch and click the Networks tab.
- Click Distributed Port Groups to see the list of distributed port groups, or click Uplink Port Groups to see the list of uplink port groups.
- Click a distributed port group or an uplink port group and select the Configure tab.
- Under Settings, select Traffic Filtering And Marking.
- If traffic filtering and marking is disabled, click Enable and reorder > Enable all traffic rules > OK.
- Click Add to create a new rule, or select a rule and click Edit to edit it.
- In the network traffic rule dialog box, use the Action options to let traffic pass through the ports of the distributed port group or uplink port group, or to restrict it.
- Specify the kind of traffic that the rule is applicable to.
To determine if a data flow is in the scope of a rule for marking or filtering, the vSphere distributed switch examines the direction of the traffic, and properties like source and destination, VLAN, next level protocol, infrastructure traffic type, and so on.
- From the Traffic direction drop-down menu, select whether the traffic must be ingress, egress, or both so that the rule recognizes it as matching.
The direction also influences how you are going to identify the traffic source and destination.
- By using qualifiers for system data type, Layer 2 packet attributes, and Layer 3 packet attributes set the properties that packets must have to match the rule.
A qualifier represents a set of matching criteria related to a networking layer. You can match traffic to system data type, Layer 2 traffic properties, and Layer 3 traffic properties. You can use the qualifier for a specific networking layer or can combine qualifiers to match packets more precisely.
- Use the system traffic qualifier to match packets to the type of virtual infrastructure data that is flowing through the ports of the group . For example, you can select NFS for data transfers to network storage.
- Use the MAC traffic qualifier to match packets by MAC address, VLAN ID, and next level protocol.
Locating traffic with a VLAN ID on a distributed port group works with Virtual Guest Tagging (VGT). To match traffic to VLAN ID if Virtual Switch Tagging (VST) is active, use a rule on an uplink port group or uplink port.
- Use the IP traffic qualifier to match packets by IP version, IP address, and next level protocol and port.
- From the Traffic direction drop-down menu, select whether the traffic must be ingress, egress, or both so that the rule recognizes it as matching.
- In the rule dialog box, click OK to save the rule.