Something that I cannot get clear documentation of is the exact difference between the two security options: "Forged MAC" and "Change MAC address".
The Forged MAC setting should mean that a VM is not allowed to send a frame with a different SRC MAC than it should have, but what is really the difference between that and Change MAC, which also results in the VM sending frames with a SRC MAC different from the one specified in the vmx file?
Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.
Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.
Chris Wahl wrote:
Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.
Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.
Thank you for your reply Chris. This explanation is the one I have seen most often, but I am still kind of unsure what it really means technically here.
If "Change MAC" is just for inbound, that is - the vSwitch should accept incoming frames destined to another MAC address than the VMX, if the setting is allow.
And "forged transmits" is just for transmit making the vSwitch drop all outgoing frames with SRC other than the VMX defined mac.
But should for example this be possible in practice?
Change MAC: allow
Forged Transmit: deny
That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC really be used if Forged is not set to allow as well?
ricnob wrote:
But, should for example this be possible:
Change MAC: allow
Forged Transmit: deny
That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC be used if Forged is not set to allow as well?
Correct, these security settings are essentially two sides of the same coin. It boils down to:
MAC Address Changes = incoming IP traffic
Forged Transmits = outgoing IP traffic
In both cases, the vSwitch compares the value of the MAC in the vmx file against what the frame contains to determine a difference.
Only Forged Transmit set to reject:

| Ping | VM1 | VM2 |
|---|---|---|
| VM1 | NA | Fails |
| VM2 | Fails | NA |

Only MAC address changes set to reject:

| Ping | VM1 | VM2 |
|---|---|---|
| VM1 | NA | Fails |
| VM2 | Fails | NA |

Both Forged Transmit and MAC address changes set to reject:

| Ping | VM1 | VM2 |
|---|---|---|
| VM1 | NA | Fails |
| VM2 | Fails | NA |
Since both settings seem to affect incoming and outgoing traffic, where exactly does setting Forged Transmit vs. MAC Address Changes make sense?
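As an added illustration (not code from this thread), a small Python model of the two port policies that reproduces the ping table above. It assumes VM2's guest has changed its MAC while VM1 has not; the VM names and MAC values are constructed, and the model also covers the both-accept case the table omits.

```python
# Toy model of the two vSwitch port security policies (added example, not
# VMware code). VM names, MACs and "VM2 changed its guest MAC" are constructed.
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    initial_mac: str    # MAC recorded in the .vmx file
    effective_mac: str  # MAC the guest OS is currently using on the vNIC


class VSwitch:
    def __init__(self, mac_changes: str, forged_transmits: str):
        self.mac_changes = mac_changes            # "accept" | "reject"
        self.forged_transmits = forged_transmits  # "accept" | "reject"
        self.ports = {}

    def connect(self, port: Port) -> None:
        self.ports[port.effective_mac] = port  # keyed by the MAC the guest uses

    def transmit(self, src_port: Port, src_mac: str, dst_mac: str) -> bool:
        """True if a frame from src_port is delivered to the port using dst_mac."""
        # Forged Transmits: outbound frames must carry the .vmx MAC as source.
        if self.forged_transmits == "reject" and src_mac != src_port.initial_mac:
            return False
        dst = self.ports.get(dst_mac)
        if dst is None:
            return False
        # MAC Address Changes: a port whose guest changed its MAC stops receiving.
        if self.mac_changes == "reject" and dst.effective_mac != dst.initial_mac:
            return False
        return True


def ping(sw: VSwitch, a: Port, b: Port) -> bool:
    """A ping succeeds only if the request (a->b) and the reply (b->a) both pass."""
    request = sw.transmit(a, a.effective_mac, b.effective_mac)
    reply = sw.transmit(b, b.effective_mac, a.effective_mac)
    return request and reply


def ping_table(mac_changes: str, forged_transmits: str) -> dict:
    vm1 = Port("VM1", "00:50:56:00:00:01", "00:50:56:00:00:01")
    vm2 = Port("VM2", "00:50:56:00:00:02", "02:00:00:00:00:02")  # guest changed MAC
    sw = VSwitch(mac_changes, forged_transmits)
    sw.connect(vm1)
    sw.connect(vm2)
    return {"VM1->VM2": ping(sw, vm1, vm2), "VM2->VM1": ping(sw, vm2, vm1)}
```

With only Forged Transmits rejected the request still reaches VM2 but its reply is dropped on the way out; with only MAC Address Changes rejected the frame is dropped at VM2's port on the way in, so a ping fails either way.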
vprof24 wrote:
Since both settings seem to affect incoming and outgoing traffic, where exactly does setting Forged Transmit vs. MAC Address Changes make sense?
A possible use case for allowing only "Forged transmits" could be when using applications like a Microsoft NLB cluster, which does some interesting things with the outgoing frames and manipulation of the MAC SRC field in the Ethernet header.