The Forged transmits option affects traffic that is transmitted from a virtual machine.

When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses.

To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.

The guest operating system does not detect that its virtual machine adapter cannot send packets by using the impersonated MAC address. The ESXi host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.

Note: Starting in vSphere 7.0, the defaults for Forged transmits and MAC address changes have been changed to Reject instead of Accept.