VMware Cloud Community
rickardnobel
Champion

"Forged MAC" vs "Change MAC address", what is really the difference?

Something I cannot find clear documentation on is the exact difference between the two security options: "Forged MAC" and "Change MAC address".

The Forged MAC setting should mean that a VM is not allowed to send a frame with a different SRC MAC than it should have, but what is really the difference between that and Change MAC, which also results in the VM sending frames with a SRC MAC different from the one specified in the vmx file?

My VMware blog: www.rickardnobel.se
5 Replies
chriswahl
Virtuoso

Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.

Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
rickardnobel
Champion

Chris Wahl wrote:

Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.

Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.

Thank you for your reply Chris. This explanation is the one I have seen most often, but I am still kind of unsure what it really means technically here.

If "Change MAC" is just for inbound, that is, the vSwitch should accept incoming frames destined to another MAC address than the one in the VMX if the setting is Allow.

And "forged transmits" is just for transmit making the vSwitch drop all outgoing frames with SRC other than the VMX defined mac.

But should, for example, this be possible in practice?

Change MAC: allow

Forged Transmit: deny

That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC really be used unless Forged Transmits is also set to Allow?

My VMware blog: www.rickardnobel.se
chriswahl
Virtuoso

ricnob wrote:

But should, for example, this be possible:

Change MAC: allow

Forged Transmit: deny

That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC be used unless Forged Transmits is also set to Allow?

Correct, these security settings are essentially two sides of the same coin. It boils down to:

MAC Address Changes = incoming IP traffic

Forged Transmits = outgoing IP traffic

In both cases, the vSwitch compares the value of the MAC in the vmx file against what the frame contains to determine a difference.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
vprof24
Contributor

I had this question on the above topic and this was the nearest discussion I could find, hence I am replying to check if I can get some answers. I have run some tests in my environment.

Test Environment:
1) I have 2 ESXi servers, with VM1 running on ESXi1 and VM2 running on ESXi2.
2) Inside the properties of the network card for VM1, I changed the MAC address to something different from what is in the VMX file.
3) With "MAC address changes" and "Forged transmits" set to the default (Allow), VM1 is able to ping VM2 and vice versa.
4) When I start enabling the reject options, the results are as follows:

Only Forged Transmits set to Reject
Ping    VM1     VM2
VM1     NA      Fails
VM2     Fails   NA

Only MAC address changes set to Reject
Ping    VM1     VM2
VM1     NA      Fails
VM2     Fails   NA

Both Forged Transmits and MAC address changes set to Reject
Ping    VM1     VM2
VM1     NA      Fails
VM2     Fails   NA

Since both settings seem to affect incoming and outgoing traffic, where exactly does choosing Forged Transmits vs. MAC address changes make a difference?

rickardnobel
Champion

vprof24 wrote:

Since both settings seem to affect incoming and outgoing traffic, where exactly does choosing Forged Transmits vs. MAC address changes make a difference?

A possible use case for allowing only "Forged transmits" could be applications like a Microsoft NLB cluster, which does some interesting things with the outgoing frames and manipulates the MAC SRC field in the Ethernet header.

My VMware blog: www.rickardnobel.se
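As an added illustration (not part of any post in this thread and not VMware code): a small Python model of the two policies as the replies above describe them, with both checks comparing against the MAC in the .vmx file, and a ping modelled as an echo request plus an echo reply. It reproduces the three ping tables from the test above and the Forged Transmits Allow / MAC Changes Reject combination mentioned for NLB. All MAC addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortPolicy:
    mac_changes: bool       # True = Allow, False = Reject
    forged_transmits: bool  # True = Allow, False = Reject

@dataclass(frozen=True)
class VmPort:
    vmx_mac: str    # MAC assigned in the .vmx file
    guest_mac: str  # MAC the guest OS configured on its vNIC
    policy: PortPolicy

def egress_allowed(port: VmPort, src_mac: str) -> bool:
    """Forged Transmits (outbound): with Reject, a frame whose source MAC
    differs from the vmx MAC is dropped before it leaves the port."""
    return port.policy.forged_transmits or src_mac.lower() == port.vmx_mac.lower()

def ingress_allowed(port: VmPort) -> bool:
    """MAC Address Changes (inbound): with Reject, a port whose guest has
    changed its MAC away from the vmx MAC stops receiving frames."""
    return port.policy.mac_changes or port.guest_mac.lower() == port.vmx_mac.lower()

def ping_succeeds(src: VmPort, dst: VmPort) -> bool:
    """A ping needs the request (src -> dst) and the reply (dst -> src) to pass
    the transmit check on the sender and the receive check on the receiver."""
    request_ok = egress_allowed(src, src.guest_mac) and ingress_allowed(dst)
    reply_ok = egress_allowed(dst, dst.guest_mac) and ingress_allowed(src)
    return request_ok and reply_ok

def ping_matrix(policy: PortPolicy) -> dict:
    """The thread's test: VM1 changed its MAC inside the guest, VM2 did not.
    Returns {'VM1->VM2': bool, 'VM2->VM1': bool}. MACs are constructed."""
    vm1 = VmPort("00:50:56:aa:00:01", "00:50:56:aa:ff:01", policy)  # changed in guest
    vm2 = VmPort("00:50:56:aa:00:02", "00:50:56:aa:00:02", policy)  # unchanged
    return {"VM1->VM2": ping_succeeds(vm1, vm2), "VM2->VM1": ping_succeeds(vm2, vm1)}

def nlb_style_send(policy: PortPolicy) -> bool:
    """Guest keeps the vmx MAC on its vNIC but writes a different (constructed
    cluster) source MAC into outgoing frames; True if it can still send and receive."""
    vm = VmPort("00:50:56:aa:00:03", "00:50:56:aa:00:03", policy)
    return egress_allowed(vm, "02:bf:0a:00:00:05") and ingress_allowed(vm)

if __name__ == "__main__":
    for name, pol in {"default (Allow/Allow)": PortPolicy(True, True),
                      "only Forged Transmits reject": PortPolicy(True, False),
                      "only MAC Changes reject": PortPolicy(False, True),
                      "both reject": PortPolicy(False, False)}.items():
        print(f"{name:30s} {ping_matrix(pol)}")
    print("NLB-style send under MAC Changes Reject / Forged Allow:",
          nlb_style_send(PortPolicy(False, True)))
```

Either single Reject breaks one leg of the ping for the VM with the changed MAC, which is why the three tables look identical; the policies only behave differently when a guest forges source MACs without changing the MAC on its vNIC.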