In the previous post in this series, we gave a quick introduction to the vSphere Standard Switch and walked through the options available when creating one, including configuring a VMkernel port, a virtual machine port group and the physical network adapters.

In this post, we will focus on the policies that can be applied to a standard switch, which propagate to all the standard port groups on that switch, and on applying different policies to individual port groups by overriding the policies inherited from the switch.


Security

Security policies protect against MAC address impersonation and traffic sniffing through three settings: Promiscuous mode, MAC address changes and Forged transmits. On a standard switch the defaults are Reject for Promiscuous mode and Accept for MAC address changes and Forged transmits; each of them can be overridden at the port group level as required.

Promiscuous mode

Promiscuous mode is set to Reject by default, so a virtual machine's network adapter receives only the frames addressed to it. If an application inside the virtual machine needs to analyse traffic (an IDS or a packet capture tool, for example), promiscuous mode can be set to Accept, which makes the virtual switch forward all frames on the port group's VLAN to that adapter. Because the setting applies to every VM on the port group, put such VMs in a dedicated port group rather than enabling it switch-wide.


MAC address changes

If MAC address changes is set to Reject and the guest OS changes the effective MAC address of the virtual machine to a value different from the initial MAC address of the VM network adapter (the one written in the .vmx configuration file when the VM was created), the virtual switch drops all inbound frames to that adapter.

The default on a standard switch, however, is Accept: if the guest OS changes the effective MAC address so that it differs from the initial MAC address in the .vmx file, the virtual switch still delivers inbound traffic to the adapter.

Forged Transmits

The default is Accept, which means the switch does not filter outbound frames by source MAC address. If set to Reject, the switch drops any outbound frame from a virtual machine adapter whose source MAC address differs from the initial MAC address written in the .vmx file of the virtual machine.

Note: MAC address changes governs incoming traffic and Forged transmits governs outgoing traffic. Rejecting both blocks MAC spoofing in either direction, so check first whether a workload legitimately needs them (Microsoft NLB in unicast mode and nested hypervisors are the usual cases) and grant the exception on that port group only.
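The following script is an added example, not code from the original post: it applies the switch-wide Reject policy with esxcli, carves out a port group override for packet-analysis VMs, and audits the result. It assumes it runs in the ESXi Shell (or over SSH) as root, that the switch is called vSwitch0 and that a port group named "Capture" already exists; those names, and the ESXCLI dry-run variable, are this example's own choices. The audit function parses the "Allow ...: true/false" lines that `esxcli network vswitch standard policy security get` prints.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the security policy
# described above with esxcli and audit the result.
# Assumptions: runs in the ESXi Shell (or over SSH) as root; the standard
# switch is called vSwitch0 and a port group named "Capture" already exists
# for packet-analysis VMs. Setting ESXCLI=echo turns every call into a dry
# run that only prints the command it would have executed.
set -eu
ESXCLI="${ESXCLI:-esxcli}"

# Standard switch defaults: Promiscuous=Reject, MAC changes=Accept,
# Forged transmits=Accept. With the two Accepts a guest can change its
# effective MAC and send frames from any source MAC, which is all that
# ARP/MAC spoofing of a neighbour needs. Rejecting all three at the switch
# makes every port group inherit Reject.
harden_vswitch_security() {
    "$ESXCLI" network vswitch standard policy security set \
        --vswitch-name "$1" \
        --allow-promiscuous false \
        --allow-mac-change false \
        --allow-forged-transmits false
}

# Override only where a sniffer really lives: this port group gets
# Promiscuous=Accept while MAC changes and forged transmits stay rejected.
# Promiscuous mode is scoped to the port group (and its VLAN), so every VM
# placed on it can see the same traffic; keep capture VMs on their own.
allow_capture_portgroup() {
    "$ESXCLI" network vswitch standard portgroup policy security set \
        --portgroup-name "$1" \
        --allow-promiscuous true \
        --allow-mac-change false \
        --allow-forged-transmits false
}

# Put a port group back to inheriting the switch-level policy.
inherit_vswitch_security() {
    "$ESXCLI" network vswitch standard portgroup policy security set \
        --portgroup-name "$1" --use-vswitch
}

# Audit helper for the text that
#   esxcli network vswitch standard policy security get --vswitch-name <sw>
# prints ("   Allow Promiscuous: false" and so on, one setting per line).
# Prints the name of every setting that is still Accept (true) and returns
# 1 if there is any, 0 if the policy is fully Reject.
audit_security_policy() {
    output="$1"
    rc=0
    for field in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        value=$(printf '%s\n' "$output" | sed -n "s/^ *$field: *//p")
        if [ "$value" = "true" ]; then
            printf '%s\n' "$field"
            rc=1
        fi
    done
    return $rc
}

# Only runs when invoked as: ./vss-security.sh apply
if [ "${1:-}" = "apply" ]; then
    harden_vswitch_security vSwitch0
    allow_capture_portgroup Capture
    # Fail the run if the switch-level policy still accepts anything.
    audit_security_policy "$("$ESXCLI" network vswitch standard policy security get --vswitch-name vSwitch0)"
fi
```

Run it with `ESXCLI=echo ./vss-security.sh apply` first to see the exact commands, then without the variable on the host. The audit can also be fed the saved output of the `get` command from several hosts to find switches that were left at the Accept defaults.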

Traffic Shaping

To control a virtual machine's bandwidth, we can use traffic shaping. A standard switch shapes outbound traffic only (frames the virtual machine sends into the switch); shaping inbound traffic requires a vSphere Distributed Switch or rate limiting on the upstream physical network.

Traffic shaping is disabled by default; enabling it requires setting the following three parameters.

Average bandwidth (Kbps): the number of kilobits per second to allow across a port, averaged over time. This is the allowed average load, not a guaranteed minimum.

Peak bandwidth (Kbps): the maximum number of kilobits per second allowed across a port when it is sending a burst of traffic. It cannot be lower than the average bandwidth.


Burst size (KB): the maximum number of kilobytes allowed in a burst. When a port does not use all of its allocated bandwidth, it accumulates a burst bonus over time, capped at the burst size. If the port later needs more than the average bandwidth, it may temporarily transmit at a higher rate (up to the peak bandwidth) for as long as a burst bonus is available.
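The following script is an added example, not code from the original post: it enables outbound shaping on the switch, overrides it for one port group, validates the three parameters before esxcli sees them, and estimates how long a full burst bonus lasts at peak rate. It assumes the ESXi Shell as root, a switch named vSwitch0 and a port group named "Backup"; those names and the burst-duration formula (bonus in kilobits divided by the rate by which peak exceeds average) are this example's own assumptions, not VMware documentation.

```shell
#!/bin/sh
# Added example, not code from the original post: enable outbound traffic
# shaping on a standard switch with esxcli, override it for one port group,
# and estimate how long the burst bonus lasts. Assumptions: runs in the ESXi
# Shell as root; the switch is vSwitch0 and the port group "Backup" exists.
# ESXCLI=echo makes every call a dry run that just prints the command.
set -eu
ESXCLI="${ESXCLI:-esxcli}"

# Guard the three parameters before handing them to esxcli: all must be
# positive, and the peak cannot be below the average (the vSphere client
# enforces the same rule). Units are the ones the post lists: Kbps for the
# two rates and KB for the burst size.
validate_shaping() {
    avg=$1; peak=$2; burst=$3
    if [ "$avg" -le 0 ] || [ "$peak" -le 0 ] || [ "$burst" -le 0 ]; then
        echo "shaping: average, peak and burst must all be positive" >&2
        return 1
    fi
    if [ "$peak" -lt "$avg" ]; then
        echo "shaping: peak bandwidth ($peak Kbps) is below average ($avg Kbps)" >&2
        return 1
    fi
}

# Rough estimate of how many seconds a port can stay at peak rate once it
# holds a full burst bonus: the bonus is burst_kb kilobytes (x8 for
# kilobits) and is spent at the rate by which peak exceeds average.
# Returns 0 when peak equals average, because the port never exceeds average.
# The formula is this example's reading of the post, not a VMware one.
burst_seconds() {
    avg=$1; peak=$2; burst=$3
    extra=$(( peak - avg ))
    if [ "$extra" -le 0 ]; then
        echo 0
    else
        echo $(( burst * 8 / extra ))
    fi
}

# Switch-wide policy: every port group inherits it unless overridden.
set_vswitch_shaping() {
    validate_shaping "$2" "$3" "$4" || return 1
    "$ESXCLI" network vswitch standard policy shaping set \
        --vswitch-name "$1" --enabled true \
        --avg-bandwidth "$2" --peak-bandwidth "$3" --burst-size "$4"
}

# Port-group override, e.g. a tighter cap for a backup network.
set_portgroup_shaping() {
    validate_shaping "$2" "$3" "$4" || return 1
    "$ESXCLI" network vswitch standard portgroup policy shaping set \
        --portgroup-name "$1" --enabled true \
        --avg-bandwidth "$2" --peak-bandwidth "$3" --burst-size "$4"
}

# Only runs when invoked as: ./vss-shaping.sh apply
if [ "${1:-}" = "apply" ]; then
    # Roughly 100 Mbps average, 200 Mbps peak, 100 MB of burst: about 8 s at peak.
    set_vswitch_shaping vSwitch0 100000 200000 102400
    set_portgroup_shaping Backup 50000 100000 51200
    echo "vSwitch0 can burst for about $(burst_seconds 100000 200000 102400) s"
fi
```

The burst estimate is what makes the three numbers tangible: 102400 KB of bonus spent at 100000 Kbps above the average is gone in about eight seconds, after which the port is held to the average again.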

Teaming and Failover

NIC teaming policies connect a virtual switch to multiple physical NICs on a host, both to increase the aggregate bandwidth available to the switch and to avoid a single point of failure.

The load balancing policy determines how network traffic is distributed across the adapters in the team.

Failback is enabled on a NIC team by default, so a failed NIC returns to active duty as soon as it comes back online. With failback disabled, the recovered NIC stays out of service until another active adapter fails.

Network failure detection works in one of two modes:

Link Status Only – relies on the link state reported by the network adapter. It detects cable pulls and physical switch failures, but not a physical switch port that is blocked (by spanning tree, for example) or misconfigured, nor a failure beyond the switch the cable connects to.

Beacon Probing – in addition to link status, sends out and listens for beacon probes on all the physical NICs in the team, so it can also detect upstream failures that link status misses. ESXi hosts send beacon packets every second. Beacon probing needs three or more NICs in a team to identify which single adapter has failed; with only two, a lost beacon cannot tell which side is broken.


Route based on Originating Virtual Port ID is the default policy: the uplink is selected from the virtual machine's port ID on the switch.

The virtual switch uses the virtual machine port ID and the number of uplinks in the NIC team. Once the virtual switch has selected an uplink for a virtual machine, it always forwards that machine's traffic through the same uplink for as long as the machine runs on the same port.

This policy has the least overhead on the VMkernel because the calculation is made only once. However, the virtual switch is not aware of the traffic load on the uplinks and does not move traffic to uplinks that are less used.

Route Based on Source MAC Hash is another load balancing policy.

The uplink used by a virtual machine is selected from a hash of the virtual machine's MAC address, computed by the VMkernel against the number of uplinks in the team. Route based on Source MAC Hash gives a more even distribution of traffic than Route Based on Originating Virtual Port ID. However, the bandwidth available to a virtual machine is still limited to the speed of the single uplink its MAC address maps to.

Route Based on IP Hash – uplinks are selected per packet based on the source and destination IP addresses.

The virtual switch takes the last octet of the source and of the destination IP address, XORs them, and takes the result modulo the number of uplinks. With Route Based on IP Hash a virtual machine can therefore use any uplink in the NIC team, depending on the source and destination IP address of each flow, so a single virtual machine can use the bandwidth of more than one uplink. For IP hash load balancing to work correctly, the physical switch must bundle the uplinks into a static EtherChannel (multiple ports in a single logical link), all uplinks in the team must be active (no standby uplinks), and a standard switch does not support LACP, only static link aggregation.

Conclusion

In this vSphere Standard Switch series, we gave a basic introduction to the standard switch in VMware vSphere and discussed the options available when configuring it. In this post we focused on the policies that can be configured on the standard switch and overridden at the port group level.
