By using the MAC traffic qualifier in a rule, you can define matching criteria for the Layer 2 (Data Link Layer) properties of packets, such as the MAC address, the VLAN ID, and the next-level protocol that consumes the frame payload.

The Protocol type attribute of the MAC traffic qualifier corresponds to the EtherType field in Ethernet frames. EtherType represents the type of next level protocol that is going to consume the payload of the frame.

You can select a protocol from the drop-down menu or type its hexadecimal number. For example, to capture traffic for the Link Layer Discovery Protocol (LLDP), type 88CC.

You can use the VLAN ID attribute of the MAC traffic qualifier to mark or filter traffic in a particular VLAN.


The VLAN ID qualifier on a distributed port group works with Virtual Guest Tagging (VGT).

If a flow is tagged with a VLAN ID through Virtual Switch Tagging (VST), it cannot be located by using this ID in a rule on a distributed port group or distributed port. The reason is that the distributed switch checks the rule conditions, including the VLAN ID, after the switch has already untagged the traffic. In this case, to match traffic by VLAN ID successfully, you must use a rule on an uplink port group or uplink port.

By using the Source Address group of attributes, you can match packets by the source MAC address or network.

You can use a comparison operator to mark or filter packets that have or do not have the specified source address or network.

You can match the traffic source in several ways.

Patterns for Filtering or Marking Traffic by MAC Source Address

| Parameters to Match Traffic Source Address | Comparison Operator | Networking Argument Format |
|---|---|---|
| MAC address | is or is not | Type the MAC address for matching. Use colons to separate the octets in it. |
| MAC network | matches or does not match | Type the lowest address in the network and a wildcard mask. Set zeroes at the positions of the network bits, and ones for the host part. For example, for a MAC network with prefix 05:50:56 that is 23 bits long, set the address as 00:50:56:00:00:00 and mask as 00:00:01:ff:ff:ff. |

By using the Destination Address group of attributes, you can match packets by their destination address. The MAC destination address options have the same format as those for the source address.

To match traffic in a MAC qualifier more closely to your needs, you can use affirmative comparison or negation. You can use operators such that all packets except the ones with certain attributes fall in the scope of a rule.
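
The wildcard-mask comparison behind the MAC network operators (matches / does not match) can be checked offline before a rule is saved. The following Python sketch is an added example, not VMware code: the function names and sample MAC addresses are constructed, and the matching semantics are assumed from the description above (zero bits in the mask must match, one bits are ignored).

```python
import re

# Added example: emulates the "matches" / "does not match" MAC network test.
# The semantics are assumed from the page: 0 bits = network, 1 bits = host.
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
_ALL_BITS = (1 << 48) - 1


def parse_mac(text: str) -> int:
    """Convert a colon-separated MAC address to a 48-bit integer."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a colon-separated MAC address: {text!r}")
    return int(text.replace(":", ""), 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer as a lower-case colon-separated MAC."""
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def wildcard_mask(prefix_bits: int) -> str:
    """Build the wildcard mask for a prefix length: zeroes, then ones."""
    if not 0 <= prefix_bits <= 48:
        raise ValueError("prefix length must be between 0 and 48 bits")
    return format_mac((1 << (48 - prefix_bits)) - 1)


def network_matches(mac: str, address: str, mask: str,
                    negate: bool = False) -> bool:
    """True if mac falls in the network; negate models 'does not match'."""
    care = ~parse_mac(mask) & _ALL_BITS      # bits that must be equal
    hit = (parse_mac(mac) & care) == (parse_mac(address) & care)
    return hit != negate


if __name__ == "__main__":
    address, mask = "00:50:56:00:00:00", wildcard_mask(23)
    # Constructed sample source addresses, not taken from real traffic.
    for mac in ("00:50:56:aa:bb:cc", "00:50:57:00:00:01",
                "00:50:58:00:00:01", "00:0c:29:12:34:56"):
        verdict = "matches" if network_matches(mac, address, mask) \
            else "does not match"
        print(f"{mac} {verdict} {address} / {mask}")
```

With the address and mask from the table, 00:50:57:xx:xx:xx also falls in scope, because the lowest bit of the third octet is a wildcard; confirm that the mask covers only the addresses you intend before relying on the rule.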