Traffic filtering and marking

With a distributed switch, by using the traffic filtering and marking policy, you can protect the virtual network from unwanted traffic and security attacks or apply a Quality of Service (QoS) tag to a specific type of traffic.

The traffic filtering and marking policy represents an ordered set of network traffic rules for security and QoS tagging of the data flow through the ports of a distributed switch. In general, a rule consists of a qualifier that selects traffic and an action that restricts or prioritizes the matching traffic.

The vSphere distributed switch applies rules to traffic at different places in the data stream. The distributed switch applies traffic filter rules to the data path between the VM network adapter and the distributed port, or, for rules on uplinks, between the uplink port and the physical network adapter.

To configure filtering and marking, follow this procedure:

  1. On the selected port group, switch to the Configure tab and the Traffic Filtering and Marking section.
  2. Add rules that you want to apply.
  3. Action: Allow, drop (for filtering) and tag (for marking). If you select Tag, you can then assign the required DSCP or CoS tag.
  4. Traffic Direction: Ingress, egress, or both.
  5. Traffic Qualifiers: These allow you to mark or filter only specific traffic. You have a broad set of options including the simple source/destination MAC addresses, but you can go all the way up to the TCP/IP layer and specify specific TCP ports that should be allowed, blocked, or marked.

Once the rules are created, enable the traffic filtering by clicking on the ENABLE AND REORDER button.
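
The following Python model is an added example, not code from the book or from VMware. It shows why rule order matters when you review a port group's policy: a broad allow rule placed above a specific drop rule shadows it. It assumes that the first matching rule decides the outcome and that traffic matching no rule passes unchanged; all class, rule, and packet names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    direction: str                  # "ingress" or "egress"
    src_mac: str
    dst_ip: str
    protocol: str                   # "tcp" or "udp"
    dst_port: int

@dataclass
class Rule:
    name: str
    action: str                     # "allow", "drop" or "tag"
    direction: str                  # "ingress", "egress" or "both"
    src_mac: Optional[str] = None   # qualifiers: None means "any"
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None      # only meaningful when action == "tag"

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("both", p.direction)
                and (self.src_mac is None or self.src_mac.lower() == p.src_mac.lower())
                and (self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net))
                and (self.protocol is None or self.protocol == p.protocol)
                and (self.dst_port is None or self.dst_port == p.dst_port))

def evaluate(rules, packet):
    """First matching rule decides (assumed); no match means the packet passes untouched."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name, rule.action, rule.dscp
    return None, "allow", None

# Constructed sample rules and packets (not taken from a real environment)
ALLOW_MGMT = Rule("allow-mgmt", "allow", "both", dst_net="10.0.0.0/24")
DROP_TELNET = Rule("drop-telnet", "drop", "both", protocol="tcp", dst_port=23)
TAG_VOICE = Rule("tag-voice", "tag", "egress", protocol="udp", dst_port=5060, dscp=46)
TELNET = Packet("ingress", "00:50:56:aa:bb:01", "10.0.0.5", "tcp", 23)
SIP = Packet("egress", "00:50:56:aa:bb:02", "192.168.1.9", "udp", 5060)

def compare_orderings():
    as_created = [ALLOW_MGMT, DROP_TELNET, TAG_VOICE]   # broad allow shadows the drop
    reordered = [DROP_TELNET, ALLOW_MGMT, TAG_VOICE]    # specific drop moved to the top
    return evaluate(as_created, TELNET), evaluate(reordered, TELNET), evaluate(reordered, SIP)

if __name__ == "__main__":
    for result in compare_orderings():
        print(result)
```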
