I just almost find out method to out VM traffic with fixed VLAN, but allow in traffic to VM with selected VLANS. I have network where all equippments have their own VLAN (ingress/egress in different VLAN-s). L2 physical switch commutates traffic. But as ESXi have many VM-s, then I cant send traffic from physical switch to ESXi untaged. And also I want VM-s send out traffic with different VLAN-s. But ESXi itself is unable to selectively commutate traffic the same as physical L2 switch can. So, example, I have VM-1 that I want send out traffic with VLAN6. But receive traffic from VLAN 6, 10 and 18. Now I use between physical L2 switch and ESXi, Mikrotik SWOS switch, that is able to cange VLAN10 and 18 -> to VLAN6 and then to ESXi distributed switch. But how about without Mikrotik. I find out such thing as "port mirroring" in distributed switch. In theory, I must make 2 portgroups. One for out traffic and VLAN6, connected to VM-1. And other trunk portgroup for VLAN10 and 18 (set to - 10, 18), connected to some dummy VM port. Now I must mirror this "dummy" port (set direction to egress) to VM-1 port. BUT, the drawback is - how I can untag traffic from trunk portgroup. In port mirror settings, there is option to overwrite VLAN tag, but unfortunately I cant set it to "0". The lowerst number is "1" that is taged VLAN1. And VM-s dont accept taged traffic. Why VMWare dont allow there some "0" or untaging option? Its sounds like joke.