5.6 (L1) Host should reject forged transmits on standard virtual switches and port groups

Information

Setting the "Forged transmits" option to "Reject" helps prevent MAC impersonation by comparing the source MAC address from the guest operating system with the effective MAC address of its virtual machine adapter. If there's a mismatch, the packet is dropped, preventing potential malicious activities through impersonated MAC addresses.

Rejecting forged transmits enhances network security by preventing unauthorized network access and malicious activities stemming from MAC impersonation. This setting upholds network integrity by ensuring only authorized communications occur within the network.

Solution

To set the policy to reject forged transmissions, perform the following:

- From the vSphere Web Client, select the host.
- Click Configure then expand Networking
- Select Virtual switches then click Edit
- Click on Security
- Set Forged transmits to Reject in the dropdown.
- Click on OK

Alternately, the following ESXi shell command may be used:

# esxcli network vswitch standard policy security set -v vSwitch2 -f false

Impact:

This setting may affect workloads like clustered applications and network devices/functions that rely on MAC address modifications. Creating a separate port group for authorized virtual machines that require such behavior is recommended to balance operational needs with network security.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|12.4

Plugin: VMware

Control ID: ff734c1a5a152932cb07e0f0759c42f669b3cd21911c97e8c6ffbce31db215b8