When promiscuous mode is enabled (Accept) on a port group, all of the virtual machine vNICs connected to the port group can see all of the traffic on the virtual switch. This is why it is always disabled (Reject) by default. When set to Reject, a vNIC will only see traffic destined for its MAC address. Promiscuous mode is particularly useful if you need to let VMs running Network Monitoring tools analyze traffic on the virtual switch. As a best practice, on a vSS, such VMs are placed into a separate port group with Promiscuous Mode set to Accept. By doing so, you are enabling only those VMs to see the desired traffic. However, on a vDS, these setting can be configured for each of the dvPorts the monitoring VM's vNICs are connected to.