VMware vSphere

  • 1.  Promiscuous mode in VMware virtual networking?

    Posted Feb 22, 2019 09:25 AM

    https://blogs.virtualmaestro.in/2016/02/what-is-promiscuous-mode-in-vmware.html

    Going through the above web link...

    We enable Promiscuous Mode in the properties of portgroup QA so that only VM3 can capture the traffic being delivered to VMs connected to the PROD portgroup, as it gets visibility of the traffic now.

    If the PROD and QA portgroups are configured with different VLAN IDs and I enable Promiscuous Mode on the QA port group, is it still possible to capture (or) see the traffic of both portgroups?



  • 2.  RE: Promiscuous mode in VMware virtual networking?

    Posted Feb 22, 2019 07:17 PM

    Hi,

    Promiscuous mode can be set on a vSwitch/dvSwitch basis and then overwritten on each port group.

    In vSphere there are 3 VLAN tagging possibilities:

    - VST (default) set in Port groups and made by vSwitch (vmkernel)

    - VGT - tagging by NIC driver in a VM

    - EST - tagging by external physical switch.

    As stated in "Network for VMware Administrators" Ch. Wahl, S. Pantol:

    "Virtual Switch Tagging (VST) occurs when the virtual switch itself is inspecting and adding or removing the VLAN tags.

    When the frame arrives at the virtual switch, it inspects the VLAN tag to see what VLAN it belongs to and the destination MAC address. Assuming it finds a VM NIC or VMkernel port that matches the VLAN and MAC address, the frame is delivered with the VLAN tag removed. Otherwise, the frame is discarded.

    When traffic is sent from a VM NIC or VMkernel port, the virtual switch makes sure to add the VLAN tag before sending the frame to a physical uplink."

    If you set different VLAN IDs on each port group, even if you set promiscuous mode on a vSwitch basis, you are not going to capture the traffic from the other port group.
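
The delivery rule discussed in this thread, as an added example that is not part of either post and is not VMware code: a simplified Python model of VST delivery in which a port receives a frame only when the VLAN matches and either the destination MAC is its own or its port group is promiscuous. The VLAN IDs (10, 20), the MAC addresses and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortGroup:
    name: str
    vlan_id: int              # VST: the virtual switch adds/removes this tag
    promiscuous: bool = False

@dataclass(frozen=True)
class Port:
    vm: str
    mac: str
    group: PortGroup

@dataclass(frozen=True)
class Frame:
    vlan_id: int              # VLAN the frame belongs to inside the vSwitch
    src_mac: str
    dst_mac: str

def receivers(ports, frame):
    """Return the VMs that get a copy of the frame (tag removed on delivery)."""
    out = []
    for p in ports:
        if p.mac == frame.src_mac:
            continue          # do not reflect the frame to its sender
        if p.group.vlan_id != frame.vlan_id:
            continue          # VLAN mismatch: frame is not delivered to this port
        if p.mac == frame.dst_mac or p.group.promiscuous:
            out.append(p.vm)  # exact MAC match, or promiscuous within the VLAN
    return out

def build(qa_vlan):
    """PROD holds VM1 and VM2; QA (promiscuous) holds VM3, as in the question."""
    prod = PortGroup("PROD", 10)
    qa = PortGroup("QA", qa_vlan, promiscuous=True)
    return [Port("VM1", "00:50:56:00:00:01", prod),
            Port("VM2", "00:50:56:00:00:02", prod),
            Port("VM3", "00:50:56:00:00:03", qa)]

# Constructed unicast frame from VM1 to VM2 on the PROD VLAN.
FRAME = Frame(10, "00:50:56:00:00:01", "00:50:56:00:00:02")

def demo():
    return {"different_vlan": receivers(build(20), FRAME),
            "same_vlan": receivers(build(10), FRAME)}

if __name__ == "__main__":
    print(demo())
```

With QA on a different VLAN, only VM2 receives the frame; VM3 sees PROD traffic only when QA shares the PROD VLAN ID.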