Posted in VMware

Traffic Filtering and Masking

Posted on 14/05/2018

Last week I spoke with a friend about Traffic Filtering on vSphere and realised that he was not really familiar with this feature. So I decided to write a new article about it, because I think it is a great feature and a useful one as well. For example, I find it very useful for tagging some traffic such as vSAN, or for tagging, dropping or allowing traffic between particular virtual machines. In any case, it is useful for both design and implementation. I am going to explain how you can implement it, but be careful with some of the options.
First, enable it on your distributed port group and click the green "+" button to add a new rule.
(Screenshot: Add New Rule)
At this point, you can choose between three action options (Tag, Allow or Drop). Guess what? If you choose Tag, you can apply QoS marking (CoS and/or DSCP) to your rule, which is not possible with the Allow or Drop options.
(Screenshot: Traffic Rule Options)
Next, you have to specify the traffic qualifier. Select the direction of your traffic: Ingress, Egress or both. As a reminder, when traffic is entering the dvSwitch we say that it is Ingress, and when traffic is going out of the dvSwitch we say that it is Egress.
(Screenshot: Ingress - Egress)
Then click the green "+" button again and select the traffic type qualifier (MAC qualifier, IP qualifier or System Traffic qualifier).
(Screenshot: Traffic Qualifier)
The System Traffic qualifier is a little different from the MAC and IP qualifiers. It is based on the flow type only, so the rule applies to all traffic of that flow type. I will not detail these options further in this post; if you would like more details, please look at the documentation on the VMware website or take a look at your own environment.

Here is a quick overview of these three options.

System Traffic qualifier: you can filter any system traffic flow of your infrastructure. These flow types are part of the system and defined by default; as far as I know, you cannot add any others, but the list is enough.
(Screenshot: System Traffic Qualifier)
MAC qualifier: you can select any of these protocol types (TCPv4, TCPv6 or ARP) as well as a VLAN ID. After that, select your source and destination addresses; there are many options available to meet your requirements.
(Screenshot: MAC Qualifier)
IP qualifier: you can select any of these protocol types (TCP, UDP, ICMP, IPv6-ICMP) as well as the source and destination ports. As with the MAC qualifier, there are many options available to meet your requirements.
(Screenshot: IP Qualifier)

Finally, you can move any rule up or down depending on its priority. Here is the dashboard.
(Screenshot: Rules Dashboard)
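As an added example (not code from the original post), here is the same configuration driven through PowerCLI and the vSphere API objects it exposes: one Tag rule with an IP qualifier on both directions, one Drop rule on Ingress only, and the sequence numbers that give the same ordering as moving rules up and down in the dashboard. Assumed: an open Connect-VIServer session, a port group named "dvPG-Prod", and the constructed addresses, ports and DSCP/CoS values shown in the comments.

```powershell
# Added example, not from the original post. Constructed values: port group
# "dvPG-Prod", storage subnet 10.0.20.0/24, two VM addresses, DSCP 46 / CoS 5.
$pg = Get-VDPortgroup -Name "dvPG-Prod"
# Rule 1: Tag action with an IP qualifier. Marks every packet to the storage
# subnet with DSCP 46 and CoS 5, in both directions (Ingress and Egress).
$tagQual = New-Object VMware.Vim.DvsIpNetworkRuleQualifier
$tagQual.DestinationAddress = New-Object VMware.Vim.IpRange
$tagQual.DestinationAddress.AddressPrefix = "10.0.20.0"
$tagQual.DestinationAddress.PrefixLength = 24
$tagAction = New-Object VMware.Vim.DvsUpdateTagNetworkRuleAction
$tagAction.DscpTag = 46
$tagAction.QosTag = 5
$tagRule = New-Object VMware.Vim.DvsTrafficRule
$tagRule.Description = "Mark storage traffic"
$tagRule.Sequence = 10            # lower sequence = higher priority
$tagRule.Direction = "both"
$tagRule.Qualifier = @($tagQual)
$tagRule.Action = $tagAction
# Rule 2: Drop action with an IP qualifier. Drops TCP/22 from one VM to
# another on Ingress only (packets entering the dvSwitch from the source VM).
$dropQual = New-Object VMware.Vim.DvsIpNetworkRuleQualifier
$dropQual.SourceAddress = New-Object VMware.Vim.SingleIp
$dropQual.SourceAddress.Address = "10.0.10.25"
$dropQual.DestinationAddress = New-Object VMware.Vim.SingleIp
$dropQual.DestinationAddress.Address = "10.0.10.30"
$dropQual.Protocol = New-Object VMware.Vim.IntExpression
$dropQual.Protocol.Value = 6      # IP protocol number for TCP
$dropQual.DestinationIpPort = New-Object VMware.Vim.DvsSingleIpPort
$dropQual.DestinationIpPort.PortNumber = 22
$dropRule = New-Object VMware.Vim.DvsTrafficRule
$dropRule.Description = "Drop SSH between app VMs"
$dropRule.Sequence = 20
$dropRule.Direction = "incomingPackets"
$dropRule.Qualifier = @($dropQual)
$dropRule.Action = New-Object VMware.Vim.DvsDropNetworkRuleAction
# Wrap both rules in an enabled ruleset and apply it as the port group's
# default filter policy, which is what the UI does behind the "+" button.
$ruleset = New-Object VMware.Vim.DvsTrafficRuleset
$ruleset.Enabled = $true
$ruleset.Rules = @($tagRule, $dropRule)
$filter = New-Object VMware.Vim.DvsTrafficFilterConfig
$filter.AgentName = "dvfilter-generic-vmware"
$filter.TrafficRuleset = $ruleset
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.ConfigVersion = $pg.ExtensionData.Config.ConfigVersion
$spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.DefaultPortConfig.FilterPolicy = New-Object VMware.Vim.DvsFilterPolicy
$spec.DefaultPortConfig.FilterPolicy.FilterConfig = @($filter)
$pg.ExtensionData.ReconfigureDVPortgroup_Task($spec)
```

Check the result in the port group's Traffic filtering and marking view before relying on it: a Drop rule on the wrong direction or with a too-wide qualifier silently cuts off traffic for every port in the group.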

Have fun!!