Networking security policy provides protection of traffic against MAC address impersonation and unwanted port scanning

The security policy of a standard or distributed switch is implemented in Layer 2 (Data Link Layer) of the network protocol stack. The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits. See the vSphere Security documentation for information about potential networking threats.

Configure the Security Policy for a vSphere Standard Switch or Standard Port Group

For a vSphere standard switch, you can configure the security policy to reject MAC address and promiscuous mode changes in the guest operating system of a virtual machine. You can override the security policy that is inherited from the standard switch on individual port groups.

Procedure

  1. In the vSphere Client, navigate to the host.
  2. On the Configure tab, expand Networking and select Virtual Switches.
  3. Navigate to the Security policy for the standard switch or port group.
    Option Action
    vSphere Standard Switch
    1. Select a standard switch from the list.
    2. Click Edit settings.
    3. Select Security.
    Standard port group
    1. Select the standard switch where the port group resides.
    2. In the topology diagram, select a standard port group.
    3. Click Edit settings.
    4. Select Security and select Override next to the options to override.
  4. Reject or accept promiscuous mode activation or MAC address changes in the guest operating system of the virtual machines attached to the standard switch or port group.
    Option Description
    Promiscuous mode
    • Reject. The VM network adapter receives only frames that are addressed to the virtual machine.
    • Accept.The virtual switch forwards all frames to the virtual machine in compliance with the active VLAN policy for the port to which the VM network adapter is connected.
    Note: Promiscuous mode is insecure mode of operation. Firewalls, port scanners, intrusion detection systems, must run in promiscuous mode.
    MAC address changes
    • Reject. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch drops all inbound frames to the adapter.

      If the guest OS changes the effective MAC address of the virtual machine back to the MAC address of the VM network adapter, the virtual machine receives frames again.

    • Accept. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch allows frames to the new address to pass.
    Forged transmits
    • Reject. The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.
    • Accept. The switch does not perform filtering, and permits all outbound frames.
    Status Enable or disable the MAC learning feature. The default is disabled.
    Allow unicast flooding When a packet that is received by a port has an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has MAC learning and unknown unicast flooding enabled. This property is enabled by default, if MAC learning is enabled.
    MAC Limit The number of MAC addresses that can be learned is configurable. The maximum value is 4096 per port, which is the default.
    MAC Limit Policy The policy for when the MAC limit is reached. The options are:
    • Drop - Packets from an unknown source MAC address are dropped. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
    • Allow - Packets from an unknown source MAC address are forwarded although the address will not be learned. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
  5. Click OK.

Configure the Security Policy for a Distributed Port Group or Distributed Port

Learn how to set a security policy on a distributed port group to allow or reject promiscuous mode and MAC address changes from the guest operating system of the virtual machines associated with the port group. You can override the security policy inherited from the distributed port groups on individual ports.

Prerequisites

To override a policy on distributed port level, enable the port-level override option for this policy. See Configure Overriding Networking Policies on Port Level.

Procedure

  1. On the vSphere Client Home page, click Networking and navigate to the distributed switch.
  2. Navigate to the Security policy for the distributed port group or port.
    Option Action
    Distributed port group
    1. From the Actions menu, select Distributed Port Group > Manage Distributed Port Groups.
    2. Select Security and click Next.
    3. Select the port group and click Next.
    Distributed port
    1. On the Networks tab, click Distributed Port Groups and double-click a distributed port group .
    2. On the Ports tab, select a port and click the Edit settings icon.
    3. Select Security.
    4. Select Override next to the properties to override.
  3. Reject or accept promiscuous mode activation or MAC address changes in the guest operating system of the virtual machines attached to the distributed port group or port.
    Option Description
    Promiscuous mode
    • Reject. The VM network adapter receives only frames that are addressed to the virtual machine.
    • Accept.The virtual switch forwards all frames to the virtual machine in compliance with the active VLAN policy for the port to which the VM network adapter is connected.
    Note: Promiscuous mode is insecure mode of operation. Firewalls, port scanners, intrusion detection systems, must run in promiscuous mode.
    MAC address changes
    • Reject. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch drops all inbound frames to the adapter.

      If the guest OS changes the effective MAC address of the virtual machine back to the MAC address of the VM network adapter, the virtual machine receives frames again.

    • Accept. If the guest OS changes the effective MAC address of the virtual machine to a value that is different from the MAC address of the VM network adapter, the switch allows frames to the new address to pass.
    Forged transmits
    • Reject. The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.
    • Accept. The switch does not perform filtering, and permits all outbound frames.
    Status Enable or disable the MAC learning feature. The default is disabled.
    Allow unicast flooding When a packet that is received by a port has an unknown destination MAC address, the packet is dropped. With unknown unicast flooding enabled, the port floods unknown unicast traffic to every port on the switch that has MAC learning and unknown unicast flooding enabled. This property is enabled by default, if MAC learning is enabled.
    MAC Limit The number of MAC addresses that can be learned is configurable. The maximum value is 4096 per port, which is the default.
    MAC Limit Policy The policy for when the MAC limit is reached. The options are:
    • Drop - Packets from an unknown source MAC address are dropped. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
    • Allow - Packets from an unknown source MAC address are forwarded although the address will not be learned. Packets inbound to this MAC address will be treated as unknown unicast. The port will receive the packets only if it has unknown unicast flooding enabled.
  4. Review your settings and apply the configuration.