You can secure standard switch traffic against Layer 2 attacks by restricting some of the MAC address modes of the VM network adapters.
Each VM network adapter has an initial MAC address and an effective MAC address.
- Initial MAC address
- The initial MAC address is assigned when the adapter is created. Although the initial MAC address can be reconfigured from outside the guest operating system, it cannot be changed by the guest operating system.
- Effective MAC address
- Each adapter has an effective MAC address that filters out incoming network traffic with a destination MAC address that is different from the effective MAC address. The guest operating system is responsible for setting the effective MAC address and typically matches the effective MAC address to the initial MAC address.
Upon creating a VM network adapter, the effective MAC address and initial MAC address are the same. The guest operating system can alter the effective MAC address to another value at any time. If an operating system changes the effective MAC address, its network adapter receives network traffic that is destined for the new MAC address.
When sending packets through a network adapter, the guest operating system typically places its own adapter effective MAC address in the source MAC address field of the Ethernet frames. It places the MAC address for the receiving network adapter in the destination MAC address field. The receiving adapter accepts packets only if the destination MAC address in the packet matches its own effective MAC address.
An operating system can send frames with an impersonated source MAC address. An operating system can therefore impersonate a network adapter that the receiving network authorizes, and stage malicious attacks on the devices in a network.
Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a security policy on port groups or ports.
The security policy on distributed port groups and ports includes the following options:
- MAC address changes (see MAC Address Changes)
- Promiscuous mode (see Promiscuous Mode Operation)
- Forged transmits (see Forged Transmits)
You can view and change the default settings by selecting the virtual switch associated with the host from the vSphere Web Client. See the vSphere Networking documentation.