
1.7.3 – Describe networking policies

Policies that are set at the standard switch level apply to all port groups on the standard switch by default.

Available network policies:

  • Security: protects against MAC address impersonation and unwanted port scanning
  • Traffic shaping: Limit the amount of traffic to a VM or a group of VMs
  • NIC teaming and failover: How traffic should be rerouted if an adapter fails and how to route traffic from VMs and VMkernel adapters that are connected to the switch. You can also increase the network capacity of a virtual switch by including multiple NICs.

Policy levels:

  • Standard switch level: default policies for all ports on the standard switch
  • Port group level: effective policies defined at this level override the default policies that are set at the standard switch level

Security settings:

  • Promiscuous mode: allows a virtual switch or port group to forward all traffic regardless of destination. Default is reject. When accepted, it can be used to sniff packets (for example with Wireshark)
  • MAC address changes: if this is set to reject and the guest attempts to change the MAC address assigned to the vNIC, the vNIC stops receiving frames
  • Forged transmits: a frame's source address might be altered by the guest OS and contain a MAC address other than the assigned vNIC MAC address. Such frames can be accepted or rejected
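The two policy levels and the three security settings above combine into one effective policy per port group. The following is an added example, not code from the original post or from VMware: it resolves that inheritance and lists every port group where a setting ends up as Accept. The inventory, the setting names and the `None` = "inherit from switch" convention are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SETTINGS = ("promiscuous", "mac_changes", "forged_transmits")

@dataclass
class SecurityPolicy:
    # True = Accept, False = Reject, None = not set at this level (inherit)
    promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None

def effective(switch: SecurityPolicy, portgroup: SecurityPolicy) -> dict:
    """Port group values override the switch defaults; unset values inherit."""
    out = {}
    for name in SETTINGS:
        pg_val = getattr(portgroup, name)
        sw_val = getattr(switch, name)
        out[name] = {"accept": sw_val if pg_val is None else pg_val,
                     "source": "switch" if pg_val is None else "port group"}
    return out

def audit(inventory: dict) -> list:
    """Return (switch, port group, setting, source) for every effective Accept."""
    findings = []
    for sw_name, sw in inventory.items():
        for pg_name, pg_policy in sw["portgroups"].items():
            for name, res in effective(sw["policy"], pg_policy).items():
                if res["accept"]:
                    findings.append((sw_name, pg_name, name, res["source"]))
    return findings

# Constructed inventory (hypothetical names and values, not taken from a real host).
INVENTORY = {
    "vSwitch0": {
        "policy": SecurityPolicy(False, True, True),  # switch-level defaults
        "portgroups": {
            "Management": SecurityPolicy(mac_changes=False, forged_transmits=False),
            "VM Network": SecurityPolicy(),               # inherits everything
            "IDS-Tap": SecurityPolicy(promiscuous=True),  # deliberate override
        },
    },
}

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("%s / %s: %s = Accept (set at %s level)" % finding)
```

The source column shows whether a finding is fixed once at the switch level or has to be corrected on the individual port group.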

Traffic Shaping settings:

  • Limits a VM's consumption of available bandwidth
  • Average rate, peak rate and burst size are configurable
  • It shapes only outbound traffic


  • Average bandwidth: Set the number of Kb/s to allow across a port, averaged over time
  • Peak bandwidth: Maximum number of Kb/s to allow across a port when it is sending a burst of traffic
  • Burst size: Maximum number of KB to allow in a burst. If this is set, the port might gain a burst bonus if it does not use all its allocated bandwidth.

NIC teaming and failover settings:

  • Load balancing policy: determines how network traffic is distributed between the adapters in a NIC team.
  • Failback policy: active by default on a NIC team. It puts one NIC in passive mode and another in active mode. If the active NIC fails, the passive NIC is made active
  • Notify Switches policy: Determines how the ESXi host communicates failover events. If anything happens, the vSwitch will send out notifications over the network to update the lookup tables on physical switches.

Load balancing methods:

  • Originating virtual port ID: a VM's outbound traffic is mapped to a specific physical NIC
  • Source MAC Hash: each VM's outbound traffic is mapped to a specific physical NIC based on the MAC address of the VM's virtual NIC
  • Source and Destination IP Hash: a NIC for each outbound packet is selected based on its source and destination IP addresses

You can configure network policies for a standard switch either on the entire switch or a standard port group.

You can configure network policies for a distributed switch on a distributed port or port group and on an uplink port or uplink port group.