On a distributed port, you can override the security policy inherited from the distributed port group to accept or reject promiscuous mode and MAC address changes made in the guest operating system of the virtual machine connected to the port.

Before you begin

Enable port-level overrides. See Edit Advanced Distributed Port Group Settings with the vSphere Web Client.

Procedure

  1. Navigate to a distributed switch in the vSphere Web Client.
  2. Click the Manage tab, and select Ports.
  3. Select a port from the list.
  4. Click Edit distributed port settings.
  5. Click Security and select the check box for the settings you want to override for the traffic through the port.

    By default, enabling promiscuous mode and MAC address changes for both inbound and outbound traffic is not accepted.

    Option

    Description

    Promiscuous mode

    • Reject: Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines.

    • Accept: If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port to which the adapter is connected.

      Firewalls, port scanners, intrusion detection systems, and similar tools need to run in promiscuous mode.

    MAC address changes

    • Reject: If you set MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to a value different from the address in the virtual machine configuration file (.vmx), the switch drops all inbound frames to the virtual machine adapter.

      If the guest operating system changes the MAC address back, the virtual machine receives frames again.

    • Accept: If the guest operating system changes the MAC address of a network adapter, the switch allows frames to the new address of the adapter to pass.

    Forged transmits

    • Reject: The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

    • Accept: The switch does not perform filtering and permits all outbound frames.

  6. Click OK.
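
The following is an added example, not VMware code: a small Python model of how a port-level override combines with the port group policy and how the three options in the table affect frame delivery. All class and function names, the single-VLAN simplification, and the MAC addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

REJECT, ACCEPT = "Reject", "Accept"

@dataclass
class SecurityPolicy:
    # None = no port-level override: the value is inherited from the port group.
    promiscuous: Optional[str] = None
    mac_changes: Optional[str] = None
    forged_transmits: Optional[str] = None

def effective(port, group):
    """Port-level overrides win; anything not overridden comes from the port group."""
    return SecurityPolicy(**{f.name: getattr(port, f.name) or getattr(group, f.name)
                             for f in fields(SecurityPolicy)})

def accepted_overrides(port):
    """Audit helper: settings this port explicitly overrides to Accept."""
    return [f.name for f in fields(SecurityPolicy) if getattr(port, f.name) == ACCEPT]

@dataclass
class Adapter:
    vmx_mac: str                 # address in the .vmx configuration file
    guest_mac: str               # address the guest OS currently uses
    vlan: int                    # simplified stand-in for the port's VLAN policy
    promiscuous: bool = False    # guest has put the adapter in promiscuous mode

def outbound_allowed(policy, adapter, src_mac):
    # Forged transmits = Reject: drop frames whose source differs from the .vmx MAC.
    return policy.forged_transmits == ACCEPT or src_mac == adapter.vmx_mac

def inbound_delivered(policy, adapter, dst_mac, frame_vlan):
    if frame_vlan != adapter.vlan:
        return False             # VLAN policy applies even in promiscuous mode
    if policy.mac_changes == REJECT and adapter.guest_mac != adapter.vmx_mac:
        return False             # all inbound frames dropped until the MAC is changed back
    if dst_mac == adapter.guest_mac:
        return True
    # Frames addressed to other machines are seen only if promiscuous mode is accepted.
    return adapter.promiscuous and policy.promiscuous == ACCEPT

# Constructed sample: group rejects everything, one IDS sensor port overrides promiscuous mode.
GROUP = SecurityPolicy(REJECT, REJECT, REJECT)
IDS_PORT = SecurityPolicy(promiscuous=ACCEPT)
IDS_NIC = Adapter("00:50:56:aa:00:01", "00:50:56:aa:00:01", vlan=10, promiscuous=True)
OTHER_MAC = "00:50:56:aa:00:02"

if __name__ == "__main__":
    pol = effective(IDS_PORT, GROUP)
    print(pol, accepted_overrides(IDS_PORT))
    print(inbound_delivered(pol, IDS_NIC, OTHER_MAC, 10))   # sensor sees other VMs' frames
    print(outbound_allowed(pol, IDS_NIC, OTHER_MAC))        # still cannot spoof a source MAC
```

Overriding only the setting a workload needs, as the sensor port does here, leaves MAC address changes and forged transmits at the port group's Reject.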