By using the security policy on a port group you can accept or reject promiscuous mode and MAC address changes in the guest operating system of a virtual machine connected to the group.

Procedure

  1. In the vSphere Web Client, navigate to the host.
  2. On the Manage tab, click Networking, and select Virtual switches.
  3. Select a standard switch from the list.

    The topology diagram of the standard switch appears.

  4. In the topology diagram of the standard switch, click the name of the standard port group to configure.
  5. Click Edit settings.
  6. In the Security section, select the check boxes next to the security policies to override and use the drop-down menus to configure security over the virtual machine traffic through the ports of the group.

    By default, promiscuous mode and MAC address changes are not accepted, for both inbound and outbound traffic.

    Option

    Description

    Promiscuous mode

    • Reject: Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines.

    • Accept: If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port to which the adapter is connected.

      Firewalls, port scanners, intrusion detection systems, and similar tools need to run in promiscuous mode.

    MAC address changes

    • Reject: If you set MAC address changes to Reject and the guest operating system changes the MAC address of the adapter to a value different from the address in the virtual machine configuration file (.vmx), the switch drops all inbound frames to the virtual machine adapter.

      If the guest operating system changes the MAC address back, the virtual machine receives frames again.

    • Accept: If the guest operating system changes the MAC address of a network adapter, the switch allows frames to the new address of the adapter to pass.

    Forged transmits

    • Reject: The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

    • Accept: The switch does not perform filtering and permits all outbound frames.

  7. Click OK.
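
The Accept and Reject rules in the table above can be modeled in a few lines of Python to see how the three settings interact. This is an added example, not VMware code. The class and function names and the MAC addresses are constructed for illustration, and the model covers unicast frames only.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # True = Accept, False = Reject
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False

@dataclass
class Adapter:
    vmx_mac: str             # address in the .vmx configuration file
    guest_mac: str           # address the guest OS currently uses
    vlan: int
    guest_promiscuous: bool = False

def inbound(policy, nic, dst_mac, vlan):
    """Decide whether a unicast frame on the switch reaches the adapter."""
    if vlan != nic.vlan:
        return False, "outside the port's VLAN"
    if nic.guest_mac != nic.vmx_mac and not policy.mac_changes:
        return False, "MAC address changes: Reject"
    if dst_mac == nic.guest_mac:
        return True, "addressed to adapter"
    if nic.guest_promiscuous and policy.promiscuous:
        return True, "promiscuous mode: Accept"
    return False, "frame for another virtual machine"

def outbound(policy, nic, src_mac):
    """Decide whether a frame sent by the guest leaves the port."""
    if src_mac != nic.vmx_mac and not policy.forged_transmits:
        return False, "forged transmits: Reject"
    return True, "permitted"

VMX, NEW, OTHER = "00:50:56:aa:00:01", "00:50:56:aa:00:99", "00:50:56:bb:00:02"  # constructed

def demo():
    mixed = Policy(mac_changes=True)   # MAC changes Accept, forged transmits Reject
    sniffer = Adapter(VMX, VMX, vlan=10, guest_promiscuous=True)
    changed = Adapter(VMX, NEW, vlan=10)   # guest changed its MAC address
    return {
        "sniff_rejected": inbound(Policy(), sniffer, OTHER, 10),
        "sniff_accepted": inbound(Policy(promiscuous=True), sniffer, OTHER, 10),
        "sniff_other_vlan": inbound(Policy(promiscuous=True), sniffer, OTHER, 20),
        "changed_mac_in": inbound(Policy(), changed, NEW, 10),
        "mixed_in": inbound(mixed, changed, NEW, 10),
        "mixed_out": outbound(mixed, changed, NEW),
    }

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in demo().items()), sep="\n")
```

The `mixed_in` and `mixed_out` cases show that accepting MAC address changes while rejecting forged transmits lets frames reach the new address but drops the guest's replies sent from it.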