You can set a security policy on a distributed port group to allow or reject enabling promiscuous mode and MAC address changes from the guest operating system of a virtual machine associated with the port group.

About this task

You can configure security policy for an individual distributed port as well.

Procedure

  1. Navigate to a distributed switch in the vSphere Web Client .
  2. Right-click the distributed switch and select Manage Distributed Port Groups.
  3. Click the Security check box and click Next.
  4. Select the distributed port group to configure and click Next.
  5. Use the drop-down menus to edit the security settings on the traffic through the ports of the group, and click Next.

    By default, enabling promiscuous mode and MAC address changes for both inbound and outbound traffic is not accepted.

    Option

    Description

    Promiscuous mode

    • Reject: Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines.

    • Accept: If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port to which the adapter is connected.

      Firewalls, port scanners, intrusion detection systems and so on, need to run in promiscuous mode.

    MAC address changes

    • Reject: If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to a value different from the address in the virtual machine configuration file (.vmx), the switch drops all inbound frames to the virtual machine adapter.

      If the guest operating system changes the MAC address back, the virtual machine receives frames again.

    • Accept: If the guest operating system changes the MAC address of a network adapter, the switch allows frames to the new address of the adapter to pass.

    Forged transmits

    • Reject: The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

    • Accept: The switch does not perform filtering and permits all outbound frames.

  6. Review your settings and click Finish.