Traffic Filtering in vSphere Distributed Switch

I was looking for an solution to disable the ICMP packet in between the Management server and inter vLAN,mostly pVLAN will solve the problem and of course need to do R&D before deploy to production network.

pVLAN does the micro segmentation of the your network to avoid the inter vLAN traffic which require invest on the time to re-architect your network and environment.Yes indeed most of the environment which is not plan or forecast the out come,some cool feature in vSphere will help you to overcome the burdens.

1.Traffic Filtering in vSphere Distributed switch

2.pVLAN configuration in Infra Network and ESXi Switches

3.Placing the Firewall solution like vShield,PFsense or other 3rd party provider firewall appliance.

Let’s first discuss about the vSphere distributed switch level,traffic filter.In each port group there is default option traffic filtering and Marking,which placing the firewall rule IP based,MAC based and system traffic qualifier which basically creating the ACL(Access control list) in your vDS.

Understanding CoS and DSCP(QOS):

CoS(Class of Service) : based on a very simple concept. In an Ethernet switch, packets arrive on the ports. The packets are then stored and forwarded to another port. Assuming that the total bandwidth of the arriving packets and the ports they are going to is less than the available capacity (30% or less) than the actual bandwidth of the ports and networks), the switching will not be congested. While there is still an potential issue when a device sends a large number of packets in a TCP/IP stream and those packets are in front of a realtime packet, the impact is not large. For example, on a 100 Mbps port, a burst of 16 maximum size packets is equivalent to a delay of 2 msecs. for a packet that has to wait for the others to be transmitted.

DSCP which related to Quality of service(QOS),where how good we are sending the packet even in the event of traffic congestion.QOS less the value best performer.

ACL’s allow you to create fine grain control of what traffic is allowed in(Ingress) or out(egress) of a VM, set of VM’s or an entire port group. The feature is configured at the port group level and allows for an unlimited number of rules. The rules are processed in the VMkernel, meaning no external appliance is needed which equates to no single point of failure and faster processing of rules and in some cases reduced network traffic since rule processing happens before the traffic leaves the ESXi host.

There are blogs which provide the set by set to enable/disable the rule,here is the video demonstration of traffic filtering in vDS.

Try this blog setup which provide more in detail.


  1. IP based – Drop/Allow the packet in between specified IP segment.
  2. MAC based – Drop/Allow the packet in between specified MAC based.
  3. System traffic qualifier – Type of System packet which need to allow in the port group,eg vMotion,FT,ETC..



Let me discuss more about the PVLAN concept in the next blog post.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s