Set a security policy on a distributed port group to allow or reject promiscuous mode and MAC address changes from the guest operating system of the virtual machines associated with the port group. You can override the security policy inherited from the distributed port groups on individual ports.

Before you begin

To override a policy on distributed port level, enable the port-level override option for this policy. See Configure Overriding Networking Policies on Port Level.

Procedure

  1. In the vSphere Web Client, navigate to the distributed switch.
  2. Navigate to the Security policy for the distributed port group or port.

    Option

    Action

    Distributed port group

    1. From the Actions menu, select Distributed Port Group > Manage Distributed Port Groups.

    2. Select Security.

    3. Select the port group and click Next.

    Distributed port

    1. Select Related Object, and select Distributed Port Groups.

    2. Select a distributed port group.

    3. Under Manage select Ports.

    4. Select a port and click Edit distributed port settings.

    5. Select Security.

    6. Select Override next to the properties to override.

  3. Reject or accept promiscuous mode activation or MAC address changes in the guest operating system of the virtual machines attached to the distributed port group or port.

    Option

    Description

    Promiscuous mode

    • Reject. The VM network adapter receives only frames that are addressed to the virtual machine.

    • Accept.The virtual switch forwards all frames to the virtual machine in compliance with the active VLAN policy for the port to which the VM network adapter is connected.

    Note:

    Promiscuous mode is insecure mode of operation. Firewalls, port scanners, intrusion detection systems, must run in promiscuous mode.

    MAC address changes

    • Reject. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter (set in the .vmx configuration file), the switch drops all inbound frames to the adapter.

      If the guest OS changes the effective MAC address of the virtual machine back to the MAC address of the VM network adapter, the virtual machine receives frames again.

    • Accept. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch allows frames to the new address to pass.

    Forged transmits

    • Reject. The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

    • Accept. The switch does not perform filtering, and permits all outbound frames.

  4. Review your settings and apply the configuration.