vSphere Distributed Switch: Advanced Configuration Guide

The vSphere Distributed Switch can do far more than most admins use it for. This guide covers LACP, NetFlow, traffic shaping, and the port mirroring features that eliminate the need for a dedicated network tap.

Most vSphere environments use VDS with the defaults: an uplink portgroup, a VM portgroup, VLAN tags, and done. The VDS has a lot more to offer. This guide covers the advanced features worth knowing.

LACP: Proper Link Aggregation

vSphere Standard Switch supports only Active-Passive or Active-Active NIC teaming (basic failover). VDS adds LACP (Link Aggregation Control Protocol), which bonds physical NICs at the switch level for both higher throughput and faster failover.

Configure it at the VDS level, not the portgroup level:

  1. Create a Link Aggregation Group (LAG) on the VDS with the number of ports matching your physical NIC count per host.
  2. Set the LACP mode to Active on both the VDS and the physical switch.
  3. Choose a load balancing algorithm. IP hash is the most common, but Destination MAC hash is preferable if your physical switch doesn't support IP hash properly.

VDS LACP Settings:
  Mode: Active
  Load Balancing: Source and Destination IP and TCP/UDP Port
  LAG Ports: 2 (matching dual 25GbE uplinks per host)

One gotcha: when adding a host to a VDS with LACP, you must migrate the physical uplinks one at a time. Pulling both simultaneously will disconnect the host.
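The load balancing choice matters more than it looks: LACP never stripes one flow across members, it hashes each flow to exactly one member port, so the fields you hash on decide how many distinct buckets the LAG can spread. The script below is an added illustration, not VMware code. The VDS hash itself is not published, so a generic CRC32 over the selected fields stands in for it; the algorithm names are the vSphere API enum values for "IP hash" and "Source and Destination IP and TCP/UDP Port", and the flows are constructed.

```python
"""
Model of how an LACP load-balancing hash pins flows to LAG member ports.

Added example, not VMware code. A CRC32 over the selected header fields stands
in for the unpublished VDS hash; what carries over is the behaviour: every
packet of a flow lands on the same member port, and hashing on more fields
gives the LAG more distinct flows to spread. The flows below are constructed.
"""
import zlib
from collections import Counter

def hash_fields(flow, algorithm):
    """Pick the header fields the chosen VDS algorithm hashes on."""
    src_ip, dst_ip, proto, sport, dport = flow
    if algorithm == "srcDestIp":              # UI: "IP hash"
        return (src_ip, dst_ip)
    if algorithm == "srcDestIpTcpUdpPort":    # UI: "Source and Destination IP and TCP/UDP Port"
        return (src_ip, dst_ip, proto, sport, dport)
    raise ValueError(f"unknown algorithm {algorithm}")

def member_port(flow, algorithm, lag_ports):
    """Deterministic flow -> member port index (0 .. lag_ports-1)."""
    key = "|".join(str(f) for f in hash_fields(flow, algorithm)).encode()
    return zlib.crc32(key) % lag_ports

def distribute(flows, algorithm, lag_ports=2):
    """How many flows land on each member port under the given algorithm."""
    counts = Counter(member_port(f, algorithm, lag_ports) for f in flows)
    return {port: counts.get(port, 0) for port in range(lag_ports)}

# Constructed: one backup proxy streaming to one target over 64 TCP connections.
BACKUP_FLOWS = [("10.0.2.10", "10.0.2.50", 6, 40000 + i, 443) for i in range(64)]

if __name__ == "__main__":
    for algo in ("srcDestIp", "srcDestIpTcpUdpPort"):
        print(algo, distribute(BACKUP_FLOWS, algo))
```

With plain IP hash the whole backup job sits on one 25GbE member because every connection shares the same IP pair; hashing on ports spreads the connections, but a single connection is still capped at one link's bandwidth either way.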

NetFlow: VM-Level Traffic Visibility

VDS NetFlow (IPFIX) exports per-flow statistics to any NetFlow v10 collector. Unlike host-level NetFlow, VDS captures east-west traffic between VMs on the same host — traffic that never leaves the server.

Enable it at the VDS level:

VDS → Edit Settings → Advanced → NetFlow
Collector IP: 10.0.0.50
Collector Port: 4739
Active flow timeout: 60 seconds
Idle flow timeout: 15 seconds

Then enable NetFlow monitoring per portgroup. In environments running NSX, you'll have NSX's flow monitoring as an alternative, but VDS NetFlow is useful for non-NSX workloads.
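To see what the collector on 10.0.0.50:4739 actually receives, here is a minimal IPFIX (NetFlow v10) decoder written as an added example for this guide; it is not VMware's exporter or any collector's code. The datagram it parses is constructed inside the script (one template set and two flow records) so it runs offline; the record layout follows RFC 7011 with element ids from the IANA IPFIX registry, and the east_west() helper and the 10.0.1.0/24 VM subnet are assumptions for the demonstration.

```python
"""
Minimal IPFIX (NetFlow v10) decoder of the kind a collector runs on VDS exports.
Added example, not VMware's exporter or any collector's code; the message is
constructed in build_sample_message() so this runs offline. Layouts follow
RFC 7011; element ids come from the IANA IPFIX registry.
"""
import ipaddress
import struct

IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}

def decode_field(ie_id, raw):
    return str(ipaddress.IPv4Address(raw)) if ie_id in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(msg, templates=None):
    """Parse one message. Returns (templates, records); pass templates back in for later messages."""
    templates = {} if templates is None else templates
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != 10:
        raise ValueError(f"not IPFIX: version {version}")
    if length != len(msg):
        raise ValueError("header length does not match datagram size")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("bad set length")   # never trust exporter-supplied lengths blindly
        body = msg[offset + 4:offset + set_len]
        if set_id == 2:                            # template set
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:
                    break                          # trailing padding
                fields = []
                for _ in range(nfields):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos += 4
                    if ie & 0x8000:                # enterprise element: 4-byte PEN follows
                        ie, pos = ie & 0x7FFF, pos + 4
                    fields.append((ie, flen))
                templates[(domain, tid)] = fields
        elif set_id >= 256:                        # data set, keyed by template id
            fields = templates.get((domain, set_id))
            if fields is not None:                 # unknown template: skip (collectors buffer or drop)
                rec_len = sum(flen for _, flen in fields)
                for pos in range(0, len(body) - rec_len + 1, rec_len):
                    rec, p = {}, pos
                    for ie, flen in fields:
                        rec[IE_NAMES.get(ie, f"ie{ie}")] = decode_field(ie, body[p:p + flen])
                        p += flen
                    records.append(rec)
        offset += set_len
    return templates, records

def east_west(records, vm_subnet):
    """Flows with both endpoints inside the VM subnet: traffic a host-level tap never sees."""
    net = ipaddress.ip_network(vm_subnet)
    return [r for r in records
            if ipaddress.ip_address(r["sourceIPv4Address"]) in net
            and ipaddress.ip_address(r["destinationIPv4Address"]) in net]

TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]

def build_sample_message():
    """Constructed export (not real VDS output): one template set plus two data records."""
    tset = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    for ie, flen in TEMPLATE_FIELDS:
        tset += struct.pack("!HH", ie, flen)
    tset = struct.pack("!HH", 2, 4 + len(tset)) + tset

    def record(src, dst, sport, dport, proto, octets, pkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBQQ", sport, dport, proto, octets, pkts))
    data = record("10.0.1.10", "10.0.1.20", 51514, 445, 6, 1_048_576, 842)
    data += record("10.0.1.20", "10.0.1.10", 445, 51514, 6, 73_200, 610)
    dset = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data

    body = tset + dset
    header = struct.pack("!HHIII", 10, 16 + len(body), 1_700_000_000, 1, 1)
    return header + body

if __name__ == "__main__":
    _, recs = parse_ipfix(build_sample_message())
    for r in east_west(recs, "10.0.1.0/24"):
        print(r)
```

Templates are keyed by observation domain as well as template id, because two VDS instances exporting to the same collector may legitimately reuse template 256 with different layouts.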

Traffic Shaping: Protecting Bandwidth for Critical VMs

Traffic shaping on VDS operates at ingress and egress independently. A common use case: cap backup traffic to 2 Gbps so it doesn't saturate uplinks during production hours.

Create a Network I/O Control resource pool:

Resource Pool: Backup-Traffic
  Shares: Low (25)
  Reservation: 0 Mbps
  Limit: 2000 Mbps

Assign this pool to the portgroup used by backup agents. Even under network saturation, production VMs retain their higher-priority bandwidth.
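The interplay of shares, reservation and limit is easiest to see by working an uplink-saturation scenario through. The script below is an added model of the semantics described here (reservation is guaranteed, limit is a hard cap, shares divide what is left under contention), not VMware's scheduler, and the pool set it uses (Backup-Traffic plus assumed Production and vMotion pools on one 25GbE uplink) is constructed.

```python
"""
Water-filling model of how shares, reservations and limits divide a saturated
uplink. Added example: a model of the documented NIOC semantics, not VMware's
scheduler. Pool definitions are constructed.
"""
SHARE_LEVELS = {"Low": 25, "Normal": 50, "High": 100}

def ceiling(pool):
    """Most a pool can ever use: its current demand, or its limit if lower."""
    return pool["demand"] if pool["limit"] is None else min(pool["demand"], pool["limit"])

def allocate(pools, capacity_mbps):
    """
    pools: name -> {"shares", "reservation", "limit" (Mbps or None), "demand"} in Mbps.
    Returns name -> allocated Mbps for a link carrying all pools at once.
    """
    if sum(p["reservation"] for p in pools.values()) > capacity_mbps:
        raise ValueError("reservations exceed link capacity")
    # Step 1: every pool gets its reservation (no more than it actually wants).
    alloc = {n: min(p["reservation"], ceiling(p)) for n, p in pools.items()}
    remaining = capacity_mbps - sum(alloc.values())
    # Step 2: split the rest by shares among pools still wanting more; a pool that
    # hits its ceiling (limit or demand) drops out and its surplus is re-split.
    open_pools = {n for n, p in pools.items() if alloc[n] < ceiling(p)}
    while remaining > 1e-9 and open_pools:
        total_shares = sum(pools[n]["shares"] for n in open_pools)
        grant = {n: remaining * pools[n]["shares"] / total_shares for n in open_pools}
        capped = {n for n in open_pools if alloc[n] + grant[n] >= ceiling(pools[n])}
        if not capped:
            for n in open_pools:
                alloc[n] += grant[n]
            remaining = 0
        else:
            for n in capped:
                remaining -= ceiling(pools[n]) - alloc[n]
                alloc[n] = ceiling(pools[n])
            open_pools -= capped
    return {n: round(v, 3) for n, v in alloc.items()}

def backup_scenario(backup_limit, capacity_mbps=25_000):
    """Constructed pools on one 25GbE uplink; backup_limit=None models 'no limit set'."""
    pools = {
        "Backup-Traffic": {"shares": SHARE_LEVELS["Low"], "reservation": 0,
                           "limit": backup_limit, "demand": capacity_mbps},
        "Production": {"shares": SHARE_LEVELS["High"], "reservation": 5_000,
                       "limit": None, "demand": capacity_mbps},
        "vMotion": {"shares": SHARE_LEVELS["Normal"], "reservation": 0,
                    "limit": None, "demand": 10_000},
    }
    return allocate(pools, capacity_mbps)

if __name__ == "__main__":
    print("with 2000 Mbps limit:", backup_scenario(2000))
    print("without limit:      ", backup_scenario(None))
```

With the 2000 Mbps limit the backup pool caps out and the 857 Mbps it would otherwise have taken on Low shares goes back to production and vMotion; without the limit, Low shares alone still let backup take about 2.86 Gbps of a contended 25GbE link.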

Port Mirroring: A Built-In Network Tap

VDS supports Distributed Port Mirroring — copy traffic from one VM's vNIC to another VM running a network capture tool. No physical TAP or SPAN port required.

Configure from the VDS → Port Mirroring page:

  • Source: specific VM ports or entire portgroups
  • Destination: a dedicated VM running Wireshark or Zeek
  • Direction: ingress, egress, or both

This is genuinely useful for troubleshooting and security monitoring. The destination VM gets a copy of all mirrored traffic without impacting source VM performance — the VDS handles the replication in the hypervisor.

For production security monitoring, pair port mirroring with a Zeek-based IDS. You get network-level visibility into east-west traffic without deploying a hardware appliance.
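Once Zeek is reading the mirrored port, the value is in what you do with conn.log. The script below is an added example for this guide, not Zeek or VMware code: it parses a constructed conn.log excerpt (reduced field set) from mirrored east-west traffic and flags VM-to-VM sessions that are not on an expected-path allowlist, then counts how many distinct responders each source touched on a port. The VM subnet and the allowlist entry are assumptions standing in for your own dependency map.

```python
"""
Triage of Zeek conn.log produced from VDS-mirrored east-west traffic.

Added example, not Zeek or VMware code. The log lines are constructed with a
reduced conn.log field set; the VM subnet and the expected-path allowlist are
assumptions standing in for an application dependency map.
"""
import ipaddress

SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tcount\tcount
1700000000.10\tCx1\t10.0.1.10\t51514\t10.0.1.20\t5432\ttcp\t-\tSF\t8120\t64000
1700000001.22\tCx2\t10.0.1.10\t51520\t10.0.1.20\t5432\ttcp\t-\tSF\t900\t12000
1700000002.50\tCx3\t10.0.1.10\t51600\t10.0.1.30\t445\ttcp\t-\tSF\t4200\t1800
1700000003.01\tCx4\t10.0.1.10\t51601\t10.0.1.31\t445\ttcp\t-\tREJ\t0\t0
1700000004.77\tCx5\t10.0.1.10\t51602\t10.0.1.32\t445\ttcp\t-\tREJ\t0\t0
1700000005.00\tCx6\t203.0.113.9\t40000\t10.0.1.10\t443\ttcp\tssl\tSF\t3000\t150000
"""

def parse_conn_log(text):
    """Zeek TSV: '#fields' names the columns, other '#' lines are metadata, '-' means unset."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split("\t")
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows

VM_SUBNET = ipaddress.ip_network("10.0.1.0/24")      # constructed: the mirrored VM portgroup
ALLOWED = {("10.0.1.10", "10.0.1.20", 5432)}          # assumed expected path: app -> database

def triage(rows, subnet=VM_SUBNET, allowed=ALLOWED):
    """East-west connections not on the allowlist; north-south rows are left to other sensors."""
    findings = []
    for r in rows:
        orig, resp = ipaddress.ip_address(r["id.orig_h"]), ipaddress.ip_address(r["id.resp_h"])
        if orig not in subnet or resp not in subnet:
            continue
        port = int(r["id.resp_p"])
        if (str(orig), str(resp), port) in allowed:
            continue
        findings.append({"uid": r["uid"], "orig": str(orig), "resp": str(resp),
                         "port": port, "state": r["conn_state"]})
    return findings

def fan_out(findings):
    """Distinct responders per (orig, port): a wide fan-out on one port is worth a look."""
    seen = {}
    for f in findings:
        seen.setdefault((f["orig"], f["port"]), set()).add(f["resp"])
    return {k: len(v) for k, v in seen.items()}

if __name__ == "__main__":
    hits = triage(parse_conn_log(SAMPLE_CONN_LOG))
    for h in hits:
        print(h)
    print(fan_out(hits))
```

The REJ states in the sample are the detail a host-level tap would have missed entirely: refused VM-to-VM attempts never leave the host, so only a mirror session on the VDS (or VDS NetFlow) puts them in front of the IDS.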