The MAC discovery segment profile supports two functionalities: MAC learning and MAC address change.
The MAC address change feature allows a VM to change its MAC address. A VM connected to a port can run an administrative command to change the MAC address of its vNIC and still send and receive traffic on that vNIC. This feature is supported on ESXi hosts only. In the default MAC discovery segment profile, this property is enabled.
MAC learning provides network connectivity to deployments where multiple MAC addresses appear behind one vNIC, for example, in a nested hypervisor deployment where an ESXi VM runs on an ESXi host and multiple VMs run inside the ESXi VM. Without MAC learning, when the vNIC of the ESXi VM connects to a segment port, its MAC address is static: VMs running inside the ESXi VM have no network connectivity because their packets carry different source MAC addresses. With MAC learning, the vSwitch inspects the source MAC address of every packet coming from the vNIC, learns the address, and allows the packet to proceed. If a learned MAC address is not used for a certain period of time, it is removed. This time period is not configurable; the field MAC Learning Aging Time displays the pre-defined value of 600 seconds.
MAC learning does not learn a MAC address that is already a known static MAC address on the host, for example the MAC address of another VM's vNIC, a vmknic, or a VDR (virtual distributed router) port. This is true regardless of the VLAN or VNI of the port that owns the existing static MAC address and of the port on which the new MAC address appears.
Note: A VDR port is always configured to send and receive traffic on any possible VNI (similar to how a trunk VLAN port behaves when it is configured on 0-4094). So the usage of a VDR port MAC address on any overlay segment through MAC learning is not possible.
MAC learning also supports unknown unicast flooding. Normally, when a port receives a packet with an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has both MAC learning and unknown unicast flooding enabled. This property is enabled by default, but it takes effect only if MAC learning is enabled.
When MAC learning is enabled, the port also has a MAC limit, the maximum number of addresses it learns (the default is 4096). The MAC limit policy controls what happens to packets from a source MAC address that cannot be learned because the limit has been reached:
- Drop - Packets from an unknown source MAC address are dropped. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
- Allow - Packets from an unknown source MAC address are forwarded although the address will not be learned. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
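The forwarding rules above are easier to reason about as a small model than as prose. The following is an added example, not NSX code: a toy vSwitch that implements per-port MAC learning, the exclusion of host-static MACs (independent of VLAN/VNI), the 600-second aging, a MAC limit with the Drop and Allow policies, and unknown unicast flooding limited to ports that have learning and flooding enabled. The port names, MAC addresses, timestamps and the small MAC limit are constructed for the scenario; where the page does not say what happens to a frame whose source MAC is a host-static MAC, the model drops it, which is an assumption.

```python
from dataclasses import dataclass, field

AGING_TIME = 600  # seconds; the fixed NSX value shown as MAC Learning Aging Time


@dataclass
class Port:
    name: str
    vnic_mac: str                       # static MAC of the vNIC attached to this port
    mac_learning: bool = False
    unknown_unicast_flooding: bool = False
    mac_limit: int = 4096               # NSX default
    mac_limit_policy: str = "DROP"      # "DROP" or "ALLOW"
    learned: dict = field(default_factory=dict)   # mac -> last time seen as source


class Switch:
    def __init__(self, ports, host_macs):
        self.ports = {p.name: p for p in ports}
        # Static MACs: every vNIC MAC plus host-owned MACs (vmknics, VDR ports).
        # Deliberately not keyed by VLAN/VNI: learning never overrides them.
        self.static = {p.vnic_mac: p.name for p in ports}
        self.static.update(host_macs)   # e.g. {"00:50:56:6a:00:01": "vmk0"}

    def _age_out(self, now):
        for p in self.ports.values():
            for mac, seen in list(p.learned.items()):
                if now - seen >= AGING_TIME:
                    del p.learned[mac]

    def _lookup(self, mac):
        if mac in self.static:
            return self.static[mac]
        for p in self.ports.values():
            if mac in p.learned:
                return p.name
        return None

    def receive(self, ingress, src, dst, now):
        """Process one frame; return the egress port names (empty list = dropped)."""
        self._age_out(now)
        port = self.ports[ingress]
        if src != port.vnic_mac:
            if not port.mac_learning or src in self.static:
                return []   # no learning on this port, or MAC already static on the host (assumed drop)
            if src in port.learned or len(port.learned) < port.mac_limit:
                port.learned[src] = now
            elif port.mac_limit_policy == "DROP":
                return []
            # ALLOW: forward the frame but leave the address unlearned
        owner = self._lookup(dst)
        if owner is not None:
            return [] if owner == ingress else [owner]
        # Unknown unicast: only ports with learning and flooding enabled receive it
        return [p.name for p in self.ports.values()
                if p.name != ingress and p.mac_learning and p.unknown_unicast_flooding]


def demo():
    """Constructed scenario: nested ESXi on p1, learning VM on p2, plain VM on p3."""
    p1 = Port("p1", "00:50:56:aa:00:01", mac_learning=True,
              unknown_unicast_flooding=True, mac_limit=2)   # tiny limit to show the policy
    p2 = Port("p2", "00:50:56:aa:00:02", mac_learning=True, unknown_unicast_flooding=True)
    p3 = Port("p3", "00:50:56:aa:00:03")                      # neither learning nor flooding
    sw = Switch([p1, p2, p3], {"00:50:56:6a:00:01": "vmk0"})
    inner1, inner2, inner3 = "00:0c:29:11:11:11", "00:0c:29:22:22:22", "00:0c:29:33:33:33"
    r = {}
    # Nested VM sends to an unknown destination: inner1 is learned, frame floods only to p2
    r["flood"] = sw.receive("p1", inner1, "00:0c:29:ff:ff:ff", now=0)
    # The reply to inner1 is now known unicast to p1
    r["reply"] = sw.receive("p2", p2.vnic_mac, inner1, now=1)
    # A nested VM cannot claim the host's vmknic MAC through learning
    r["vmk_spoof"] = sw.receive("p1", "00:50:56:6a:00:01", p2.vnic_mac, now=2)
    # Without MAC learning, a foreign source MAC on p3 is dropped
    r["no_learning"] = sw.receive("p3", inner3, p2.vnic_mac, now=3)
    # MAC limit of 2 on p1: second address learned, third hits the DROP policy
    sw.receive("p1", inner2, p2.vnic_mac, now=4)
    r["limit_drop"] = sw.receive("p1", inner3, p2.vnic_mac, now=5)
    p1.mac_limit_policy = "ALLOW"
    r["limit_allow"] = sw.receive("p1", inner3, p2.vnic_mac, now=6)
    r["allow_not_learned"] = inner3 not in p1.learned
    # 600 s after inner1 was last seen as a source it ages out of p1's table
    r["aged"] = sw.receive("p2", p2.vnic_mac, inner1, now=1 + AGING_TIME)
    r["inner1_forgotten"] = inner1 not in p1.learned
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The last frame still reaches p1, but only because p1 has unknown unicast flooding enabled: once inner1 has aged out, traffic to it is flooded rather than switched, which is the behaviour the Drop and Allow descriptions refer to.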
Both features relax the one-to-one binding between a segment port and the MAC address that may use it: MAC address change lets a guest re-address its own vNIC, and MAC learning lets any source MAC address that is not already static on the host send through the port. If you enable either feature, configure SpoofGuard as well to improve security, so that the set of addresses a port may use is still enforced.
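As an added example (not code from the NSX documentation or product), the following builds a MAC discovery profile body for the nested-hypervisor case, the binding map that attaches it to a segment, and an audit that flags the settings this page warns about. The JSON field names follow the NSX-T Policy API as understood by the author of this example and should be checked against the API reference of your NSX version; the manager hostname, segment and profile IDs, credentials and the 256-address review threshold are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

NSX = "https://nsx-mgr.example.test"   # constructed placeholder
PROFILE_PATH = "/policy/api/v1/infra/mac-discovery-profiles/{pid}"
BINDING_PATH = "/policy/api/v1/infra/segments/{seg}/segment-discovery-profile-binding-maps/{bid}"
REVIEW_MAC_LIMIT = 256   # local review threshold, not an NSX value


def nested_esxi_profile(mac_limit=64):
    """Profile for a port fronting a nested ESXi host: learning on, MAC change off,
    DROP once the limit is hit, and a limit sized to the expected inner VMs."""
    return {
        "resource_type": "MacDiscoveryProfile",       # assumed API resource type
        "display_name": "mac-learning-nested-esxi",
        "mac_learning_enabled": True,
        "mac_change_enabled": False,
        "unknown_unicast_flooding_enabled": True,
        "mac_limit": mac_limit,
        "mac_limit_policy": "DROP",
    }


def default_like_profile():
    """What the page describes for the default profile: MAC change on, learning off
    (learning off in the default profile is an assumption here)."""
    return {
        "resource_type": "MacDiscoveryProfile",
        "display_name": "default-mac-discovery-profile",
        "mac_learning_enabled": False,
        "mac_change_enabled": True,
    }


def binding_map(profile_id):
    """Binding that applies the profile to a segment (assumed API shape)."""
    return {
        "resource_type": "SegmentDiscoveryProfileBindingMap",
        "mac_discovery_profile_path": "/infra/mac-discovery-profiles/" + profile_id,
    }


def audit(profile, spoofguard_bound):
    """Findings a reviewer would raise for a MAC discovery profile and its segment."""
    findings = []
    learning = profile.get("mac_learning_enabled", False)
    change = profile.get("mac_change_enabled", True)     # enabled in the default profile
    if change:
        findings.append("mac_change_enabled: a guest can re-address its vNIC")
    if learning and profile.get("mac_limit_policy") == "ALLOW":
        findings.append("mac_limit_policy ALLOW: unlearned source MACs still forward once the limit is hit")
    if learning and profile.get("mac_limit", 4096) > REVIEW_MAC_LIMIT:
        findings.append("mac_limit %d: larger than a nested host should need" % profile.get("mac_limit", 4096))
    if (learning or change) and not spoofguard_bound:
        findings.append("no SpoofGuard profile bound: port-to-address bindings are not enforced")
    return findings


def put_json(path, body, user, password, ctx=None):
    """PUT a Policy API object with basic auth. Not called here; needs a reachable manager.
    Pass an ssl context that trusts the manager certificate rather than disabling checks."""
    req = urllib.request.Request(NSX + path, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = nested_esxi_profile()
    print(json.dumps(body, indent=2))
    print("findings (nested, SpoofGuard bound):", audit(body, spoofguard_bound=True))
    print("findings (default-like, no SpoofGuard):", audit(default_like_profile(), spoofguard_bound=False))
    # put_json(PROFILE_PATH.format(pid="mac-learning-nested-esxi"), body, "admin", "...")
    # put_json(BINDING_PATH.format(seg="nested-lab", bid="mac-binding"), binding_map("mac-learning-nested-esxi"), "admin", "...")
```

The audit treats MAC address change as a finding even though the default profile enables it; if you keep the default, the SpoofGuard check is the one that matters, because a learned or changed address that SpoofGuard does not permit is still dropped at the port.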