For a vSphere standard switch, you can configure the security policy to reject MAC address and promiscuous mode changes in the guest operating system of a virtual machine. You can override the security policy that is inherited from the standard switch on individual port groups.
Procedure
- In the vSphere Client, navigate to the host.
- On the Configure tab, expand Networking and select Virtual Switches.
- Navigate to the Security policy for the standard switch or port group.
Option Action vSphere Standard Switch - Select a standard switch from the list.
- Click Edit settings.
- Select Security.
Standard port group - Select the standard switch where the port group resides.
- In the topology diagram, select a standard port group.
- Click Edit settings.
- Select Security and select Override next to the options to override.
- Reject or accept promiscuous mode activation or MAC address changes in the guest operating system of the virtual machines attached to the standard switch or port group.
Option Description Promiscuous mode - Reject. The VM network adapter receives only frames that are addressed to the virtual machine.
- Accept.The virtual switch forwards all frames to the virtual machine in compliance with the active VLAN policy for the port to which the VM network adapter is connected.
Note: Promiscuous mode is insecure mode of operation. Firewalls, port scanners, intrusion detection systems, must run in promiscuous mode.MAC address changes - Reject. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter (set in the .vmx configuration file), the switch drops all inbound frames to the adapter.
If the guest OS changes the effective MAC address of the virtual machine back to the MAC address of the VM network adapter, the virtual machine receives frames again.
- Accept. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch allows frames to the new address to pass.
Forged transmits - Reject. The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.
- Accept. The switch does not perform filtering, and permits all outbound frames.
- Click OK.