Information
Set the vSwitch Forged Transmits policy is set to reject for each vSwitch.
*Rationale*
If the virtual machine operating system changes the MAC address, the operating system can
send frames with an impersonated source MAC address at any time. This allows an
operating system to stage malicious attacks on the devices in a network by impersonating a
network adaptor authorized by the receiving network. Forged transmissions should be set
to accept by default. This means the virtual switch does not compare the source and
effective MAC addresses. To protect against MAC address impersonation, all virtual
switches should have forged transmissions set to reject. Reject Forged Transmit can be set
at the vSwitch and/or the Portgroup level. You can override switch level settings at the
Portgroup level.
Solution
1. In the vSphere Web Client, navigate to the host.
2. 'Hosts and Clusters' -> 'vCenter' -> host.
3. On the Manage tab, click Networking, and select Virtual switches.
4. Select a standard switch from the list and click the pencil icon to edit settings.
5. Select Security.
6. Set Forged transmits to 'Reject'.
7. Click 'OK'.Additionally, the following ESXi shell command may be used-# esxcli network vswitch standard policy security set -v vSwitch2 -f false
Impact-This will prevent VMs from changing their effective MAC address. This will affect
applications that require this functionality. An example of an application like this is
Microsoft Clustering, which requires systems to effectively share a MAC address. This will
also affect how a layer 2 bridge will operate. This will also affect applications that require a
specific MAC address for licensing. An exception should be made for the port groups that
these applications are connected to.