Things I Keep Forgetting

  • Last Updated: June, 2024

VMware portgroup security settings

You may have come across these VMware vswitch portgroup security settings but never known what they do. I've had to use them with network simulation software like Cisco Modeling Labs and also when running virtual firewalls such as the vFTD.

  • Promiscuous Mode:
    • When enabled, a virtual network adapter can observe all traffic on the virtual switch, regardless of the destination MAC address.
    • In transparent mode the vFTD won't see any traffic unless this is set to Accept, because the frames it needs to inspect are addressed to other hosts' MAC addresses, not its own.
  • MAC Address Changes:
    • This controls whether the virtual switch accepts requests to change the effective MAC address used by the VM's operating system.
  • Forged Transmits:
    • Determines whether the hypervisor allows a virtual machine to send network traffic with a MAC address different from the one assigned to its virtual network adapter by the hypervisor.
    • In my use case the vFTD was in transparent mode ("bump in the wire"), so it acts as a Layer 2 bridge between segments and does not modify the MAC addresses of the traffic passing through it. It receives a frame from 192.168.10.1 and forwards it to 192.168.10.2 with the original source MAC address (endpoint 1) intact. Because it is forwarding frames whose source MAC address (endpoint 1) does not match its own vNIC's MAC address, the traffic would be dropped unless this is set to Accept.
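As an added example (not from the original post or from VMware), the PowerCLI script below audits the three settings on every standard portgroup and then enables them only on the portgroup carrying the transparent-mode firewall's bridged leg. It assumes PowerCLI is installed, that `Connect-VIServer` has already been run, and that the portgroup name is a placeholder you replace with your own.

```powershell
# Added example, not the original post's code. Assumes PowerCLI and an existing
# Connect-VIServer session. The portgroup name below is a placeholder.
$PortGroupName = 'FW-Transparent-Inside'   # placeholder: portgroup on the vFTD's bridged leg

# Audit: list every standard portgroup with the current state of the three settings.
# $true means Accept, $false means Reject (the vSwitch default).
Get-VirtualPortGroup -Standard | ForEach-Object {
    $policy = $_ | Get-SecurityPolicy
    [pscustomobject]@{
        PortGroup       = $_.Name
        VirtualSwitch   = $_.VirtualSwitchName
        Promiscuous     = $policy.AllowPromiscuous
        MacChanges      = $policy.MacChanges
        ForgedTransmits = $policy.ForgedTransmits
    }
} | Format-Table -AutoSize

# Fix: set all three to Accept only on the firewall's portgroup. The portgroup-level
# policy overrides the vSwitch-level one, so every other portgroup keeps Reject.
$pg = Get-VirtualPortGroup -Standard -Name $PortGroupName
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -MacChanges $true -ForgedTransmits $true

# Verify the change took effect.
$pg | Get-SecurityPolicy | Select-Object AllowPromiscuous, MacChanges, ForgedTransmits
```

Setting the policy on the portgroup rather than the whole vSwitch keeps the widened visibility that Promiscuous Mode grants scoped to the segment the firewall actually bridges; any other VM on a different portgroup of the same vSwitch still gets the default Reject behaviour.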
