The security policy of a virtual switch includes a MAC address changes option. This option allows virtual machines to receive frames with a Mac Address that is different from the one configured in the VMX.

When the Mac address changes option is set to Accept, ESXi accepts requests to change the effective MAC address of a virtual machine to a different address than the initial MAC address.

When the Mac address changes option is set to Reject, ESXi does not honor requests to change the effective MAC address of a virtual machine to a different address than the initial MAC address. This setting protects the host against MAC impersonation. The port that the virtual machine adapter used to send the request is disabled and the virtual machine adapter does not receive any more frames until the effective MAC address matches the initial MAC address. The guest operating system does not detect that the MAC address change request was not honored.

Note: The iSCSI initiator relies on being able to get MAC address changes from certain types of storage. If you are using ESXi iSCSI with iSCSI storage, set the MAC address changes option to Accept.

In some situations, you can have a legitimate need for more than one adapter to have the same MAC address on a network, for example, if you are using Microsoft Network Load Balancing in unicast mode. When Microsoft Network Load Balancing is used in the standard multicast mode, adapters do not share MAC addresses.

Note: Starting in vSphere 7.0, the defaults for Forged transmits and MAC address changes have been changed to Reject instead of Accept. Contact your storage vendor to validate.