You can set a security policy on a distributed port group to override the policy set for the distributed switch.
Before you begin
Launch the vSphere Client and log in to a vCenter Server system.
About this task
The three elements of the Security policy are promiscuous mode, MAC address changes, and forged transmits.
In nonpromiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all the packets. By default, guest adapters are set to non-promiscuous mode.
- Log in to the vSphere Client and select the Networking inventory view.
- Right-click the distributed port group in the inventory pane, and select Edit Settings.
- Select Policies.
By default, Promiscuous Mode is set to Reject. MAC Address Changes and Forced Transmits are set to Accept.
- In the Security group, select whether to reject or accept the Security policy exceptions.
Reject — Placing a guest adapter in promiscuous mode has no effect on which frames are received by the adapter.
Accept — Placing a guest adapter in promiscuous mode causes it to detect all frames passed on the vSphere standard switch that are allowed under the VLAN policy for the port group that the adapter is connected to.
MAC Address Changes
Reject — If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.
If the Guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
Accept — Changing the MAC address from the Guest OS has the intended effect: frames to the new MAC address are received.
Reject — Any outbound frame with a source MAC address that is different from the one currently set on the adapter are dropped.
Accept — No filtering is performed and all outbound frames are passed.
- Click OK.