Control how inbound and outbound frames are handled by editing Layer 2 Security policies.


Launch the vSphere Client and log in to a vCenter Server system.


  1. Log in to the vSphere Client and select a host in the inventory pane.
  2. On the host Configuration tab, click Networking.
  3. Choose the vSphere Standard Switch view and click Properties for the port group to edit.
  4. In the Properties dialog box, click the Ports tab.
  5. Select the port group item and click Edit.
  6. In the Properties dialog box for the port group, click the Security tab.

    By default, Promiscuous Mode is set to Reject. MAC Address Changes and Forged Transmits are set to Accept.

    The policy exception overrides any policy set at the standard switch level.

  7. In the Policy Exceptions pane, select whether to reject or accept the security policy exceptions.
    Table 1. Policy Exceptions
    Mode Reject Accept
    Promiscuous Mode Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter. Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the standard switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
    MAC Address Changes If the guest OS changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.

    If the guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are sent again.

    If the MAC address from the guest OS changes, frames to the new MAC address are received.
    Forged Transmits Outbound frames with a source MAC address that is different from the one set on the adapter are dropped. No filtering is performed, and all outbound frames are passed.
  8. Click OK.