By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest adapter in promiscuous mode causes it to detect all frames passed on the virtual switch on that host only that are allowed under the VLAN policy for the associated port group. This can be useful for intrusion detection monitoring or if a sniffer needs to be run to analyze all traffic on the wire.

Promiscuous mode is disabled by default, and should not be turned on unless specifically required. Software running inside a virtual machine may be able to monitor any and all traffic moving across a vSwitch if it is allowed to enter promiscuous mode.

VMware ESXi 7.0 

VMware ESXi 8.0

To configure a portgroup or virtual switch to allow promiscuous mode:

1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
2. Select the ESXi/ESX host in the inventory.
3. Click the Configure tab.
4. Under the Networking section, click the Virtual switches. 
   
   1. Confirm the switch and the Port group and navigate to the Networking Inventory tab. 

1. Select the Switch and then the Port Group. 
2. Click Actions and select Edit Settings.
3. Click the Security tab.
4. From the Promiscuous Mode dropdown menu, click Accept.

Note: The setting on the portgroup overrides the virtual switch setting. For more information, see How promiscuous mode works at the virtual switch and portgroup levels.

You likely need to the set the VLAN 4095 at the port group level. On a Standard Switch set VLAN ID to 4095. On a distributed switch set VLAN type to VLAN trunking and you would need to specify the range of VLANs to trunk, to improve security.


Note: From esxcli you can enable promiscuous mode. But this command is only available for Standard Switches and not for Distributed Switches:

# esxcli network vswitch standard policy security set -p true --vswitch-name vSwitchName
The vSwitchName can be retrieved from "esxcli network vswitch standard list"