Configuring QoS and Traffic Filtering in vSphere 6

During my VCAP6-Deploy exam preparation, I found this topic quiet a bit interesting and difficult as well as I have never ever laid my hands on Quality of Service type of thinks in respect of networking. Also my concepts were not very clear on topics like DSCP, QoS, COS etc, so I decided to learn more about these this time and write a blog post on the same.

What is Quality of Service (QoS) and Traffic filtering?

In a vSphere distributed switch 5.5 and later, by using the traffic filtering and marking policy, you can protect the virtual network from unwanted traffic and security attacks or apply a QoS tag to a certain type of traffic.

The goal of using QoS for network is to ensure that the most important network traffic gets to where it needs to go while suffering least amount of latency when there is congestion in network.  Lets try to understand this with a simple example.

Suppose your environment consists of server which are handling the traffic of Credit/Debit card payment gateways. Since this type of traffic is very time sensitive, it deserves more priority than any other type of traffic in your production environment. Using QoS for network, you can dictate how your priority traffic will be handled in network congestion situation.

The traffic filtering and marking policy represents an ordered set of network traffic rules for security and for QoS tagging of the data flow through the ports of a vDS. A rule consists of a qualifier for traffic, and of an action for restricting or prioritizing the matching traffic.

vDS applies rules on traffic at different places in the data stream. The distributed switch applies traffic filter rules on the data path between the virtual machine network adapter and distributed port, or between the uplink port and physical network adapter for rules on uplinks.

Traffic filtering can be compared to ACL feature which is available on physical network devices. ACL’s allow you to create fine grain control of what traffic is allowed in(Ingress) or out(egress) of a VM, set of VM’s or an entire port group. The feature is configured at the port group level and allows for an unlimited number of rules.  The rules are processed in the VMkernel, meaning no external appliance is needed.

How to configure QoS and Traffic filtering?

To configure traffic filtering, login to vSphere Web Client and navigate to Networking view. Select the distributed portgroup on which you want to configure traffic filtering and select Manage > Settings > Properties and click on Edit button.


From the status dropdown menu, select Enabled and click on green + button to add a new filtering rule.


Provide a name for the rule and select the appropriate action from the drop down menu. I am creating a filtering rule for dropping ICMP traffic from one of my VM to one of my Esxi host in this example.


Click on green + button to define which traffic is qualified for this rule.

Lets discuss a little bit about available option before moving forward. There are 3 options for traffic qualifiers:

  • System Traffic Type : You can select the type of traffic through the ports of the group that carries system data, that is, traffic for management from vCenter Server, storage, vMotion, and vSphere Fault Tolerance. You can mark or filter only a specific traffic type, or for all system data traffic. For example, you can mark with a QoS value or filter the traffic for management from vCenter Server, storage and vMotion, but not the traffic carrying the Fault Tolerance data.
  • MAC Traffic Qualifier: By using the MAC traffic qualifier in a rule, you can define matching criteria for the Layer 2 (Data Link Layer) properties of packets such as MAC address, VLAN ID, and next level protocol that consumes the frame payload.
  • IP Traffic Qualifier: By using the IP traffic qualifier in a rule, you can define criteria for matching traffic to the Layer 3 (Network Layer) properties such as IP version, IP address, next level protocol, and port.

In my example, I am using qualifier type as IP.


Select the protocol and define the source and destination IP address for this rule.


Hit OK to finish the traffic rule creation wizard.


Review your settings to ensure traffic filtering and marking is now displayed as Allowed for the selected distributed portgroup.


And thats it for this post. Believe me the example demonstrated by me is a very very simple example of traffic filtering. In reality this is far bit complex and use case varies with how infrastructure is laid out.

Sources and Inspirations

Traffic Filtering and DSCP Marking in vDS 5.5

Enable Traffic Filtering and Marking on a Distributed Port Group or Uplink Port Group

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂