For a vSphere standard switch, you can configure the security policy to reject MAC address and promiscuous mode changes in the guest operating system of a virtual machine.

About this task

You can configure security policy for an individual standard port group as well.

Procedure

  1. In the vSphere Web Client, navigate to the host.
  2. On the Manage tab, click Networking, and select Virtual switches.
  3. Select a standard switch from the list and click Edit settings.
  4. Select Security, and reject or accept promiscuous mode activation or MAC address changes in the guest operating system of the virtual machines attached to the standard switch.

    By default, enabling promiscuous mode and MAC address changes for both inbound and outbound traffic is not accepted.

    Option

    Description

    Promiscuous mode

    • Reject: Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines.

    • Accept: If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port to which the adapter is connected.

      Firewalls, port scanners, intrusion detection systems, and so on need to run in promiscuous mode.

    MAC address changes

    • Reject: If you set MAC address changes to Reject and the guest operating system changes the MAC address of the adapter to a value different from the address in the virtual machine configuration file (.vmx), the switch drops all inbound frames to the virtual machine adapter.

      If the guest operating system changes the MAC address back, the virtual machine receives frames again.

    • Accept: If the guest operating system changes the MAC address of a network adapter, the switch allows frames to the new address of the adapter to pass.

    Forged transmits

    • Reject: The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

    • Accept: The switch does not perform filtering and permits all outbound frames.

  5. Click OK.
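
The three options set in this procedure can also be checked from the ESXi Shell. The script below is an added example, not part of the original procedure: it audits the output of the esxcli security policy get command for one standard switch and reports every option set to Accept. The switch name vSwitch0 and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three security options from the table above on one
# standard switch. Feed it the output of
#   esxcli network vswitch standard policy security get -v vSwitch0
# (vSwitch0 is an example name). Exit status: 0 = all Reject, 1 = at least one
# option set to Accept, 2 = output could not be parsed.

# Constructed sample output, not captured from a real host.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

audit_vswitch_security() {
    awk -F': *' '
        BEGIN {
            # esxcli field name -> option name used in the Web Client
            name["Allow Promiscuous"]        = "Promiscuous mode"
            name["Allow MAC Address Change"] = "MAC address changes"
            name["Allow Forged Transmits"]   = "Forged transmits"
        }
        {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)   # strip indentation and CR
            gsub(/[ \t\r]+$/, "", val)
            if (!(key in name)) next
            seen++
            if (val == "true") { print "FINDING: " name[key] " is set to Accept"; bad++ }
            else if (val != "false") { print "ERROR: unexpected value for " key; err++ }
        }
        END {
            # Fail closed: a truncated or unrecognized listing is not a pass.
            if (seen != 3 || err) { print "ERROR: could not read all three options"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Demo on the constructed sample. On a host, pipe the esxcli get command instead.
printf '%s\n' "$SAMPLE_POLICY" | audit_vswitch_security || echo "audit exit status: $?"

# To set all three options to Reject on that switch:
#   esxcli network vswitch standard policy security set -v vSwitch0 \
#       --allow-promiscuous=false --allow-mac-change=false --allow-forged-transmits=false
```

Setting promiscuous mode to Reject also affects the firewalls, port scanners, and intrusion detection systems mentioned above, so review such virtual machines before applying the set command to a switch they use.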