VMware Cloud Community
tobyfan
Contributor

How to turn-off anti-spoofing on a Virtual Function?

I have an Ubuntu VM running in an ESXi 5.5 host. I attached two SR-IOV NICs to the VM, and inside the VM I created a bond with the two NICs. The issue is that the MAC address of packets will be the same no matter which slave they are transmitted through. However, when a packet is transmitted through the slave with a different MAC, it is considered a spoofed packet.

On the host I can see the following messages in vmkernel.log. I guess it is because the bonding changes the MAC of a packet, and the anti-spoofing on the host physical NIC does not allow it.

2016-02-16T19:46:37.162Z cpu4:33541)<4>ixgbe 0000:02:00.1: vmnic1: 1 Spoofed packets detected

2016-02-16T19:46:39.348Z cpu22:33551)<4>ixgbe 0000:02:00.1: vmnic1: 2 Spoofed packets detected

In Linux, we can do the following, but how to do it in ESXi? Does setting the corresponding portgroup security policy to promiscuous mode do the trick?

ip link set eth2 vf 1 spoofchk on

Thanks,

Toby

0 Kudos
7 Replies
continuum
Immortal

See my notes for the promisc parameter

sanbarrow.com


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos
tobyfan
Contributor

Do you mean I need to go to the vmx file to change the settings? Is there a way to do it in the UI or API?

Thanks,

0 Kudos
continuum
Immortal

I double-click the vmx-file in WinSCP - it can't get easier, so I never searched for more complicated ways



0 Kudos
tobyfan
Contributor

I modified the vmx file and set noForgedSrcAddr and noPromisc to "false" for both of the SR-IOV NICs.

It does not change anything. The packets do not go through, and I got the "Spoofed packets detected" message.


0 Kudos
continuum
Immortal

Do you have

Promiscuous Mode
MAC Address Changes
Forged Transmits

set to accept - using the properties tab of Virtual switches



0 Kudos
tobyfan
Contributor

I set all the three properties as Accept on both switch and portgroup the NICs are associated with.

I am afraid the portgroup settings do not apply to the VF. However, according to the doc at vSphere 5.5 Documentation Center, they should. In the guest OS, when I use ip link to change the MAC of the SR-IOV NIC, I can see the following messages in the host's log. I am afraid it is an issue in the ixgbevf driver.

2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: VF 3 attempted to set a new MAC address but it already has an administratively set MAC address  00:50:56:ba:f7:b9

2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: Check the VF driver and if it is not using the correct MAC address you may need to reload the VF driver

0 Kudos
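
Added example, not part of the thread and not VMware or Intel code: a small Python triage script that pulls the two ixgbe message types quoted above out of vmkernel.log text, grouping spoofed-packet reports per physical NIC and listing VF MAC changes the PF driver refused. The regular expressions are assumptions derived only from the four log lines posted in this thread; other drivers or driver versions may word these messages differently.

```python
import re
from collections import defaultdict

# Log lines copied from the posts in this thread.
SAMPLE_LOG = """\
2016-02-16T19:46:37.162Z cpu4:33541)<4>ixgbe 0000:02:00.1: vmnic1: 1 Spoofed packets detected
2016-02-16T19:46:39.348Z cpu22:33551)<4>ixgbe 0000:02:00.1: vmnic1: 2 Spoofed packets detected
2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: VF 3 attempted to set a new MAC address but it already has an administratively set MAC address  00:50:56:ba:f7:b9
2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: Check the VF driver and if it is not using the correct MAC address you may need to reload the VF driver
"""

# Assumed line layout: timestamp, cpuN:world), <level>, driver, PCI address, vmnic, message.
PREFIX = re.compile(
    r"^(?P<ts>\S+)\s+cpu\d+:\d+\)<\d+>ixgbe\s+"
    r"(?P<pci>[0-9a-fA-F:.]+):\s+(?P<nic>vmnic\d+):\s+(?P<msg>.*)$"
)
SPOOFED = re.compile(r"^(?P<count>\d+) Spoofed packets detected$")
MAC_DENIED = re.compile(
    r"^VF (?P<vf>\d+) attempted to set a new MAC address .*?"
    r"administratively set MAC address\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

def triage(log_text):
    """Return (spoofed, mac_denied) parsed from vmkernel.log text."""
    spoofed = defaultdict(list)   # (vmnic, pci) -> [(timestamp, reported count), ...]
    mac_denied = []               # one dict per refused VF MAC change
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue              # not an ixgbe line in the assumed layout
        s = SPOOFED.match(m["msg"])
        if s:
            spoofed[(m["nic"], m["pci"])].append((m["ts"], int(s["count"])))
            continue
        d = MAC_DENIED.match(m["msg"])
        if d:
            mac_denied.append({"ts": m["ts"], "nic": m["nic"], "pci": m["pci"],
                               "vf": int(d["vf"]), "admin_mac": d["mac"].lower()})
    return dict(spoofed), mac_denied

if __name__ == "__main__":
    spoofed, denied = triage(SAMPLE_LOG)
    for (nic, pci), events in spoofed.items():
        print(f"{nic} ({pci}): {len(events)} spoof reports, counts {[c for _, c in events]}")
    for d in denied:
        print(f"{d['nic']} VF {d['vf']}: guest MAC change refused, admin MAC {d['admin_mac']}")
```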
bundy_boy
Contributor

Hi,

7 years later I have the same question! I am setting up a FortiGate firewall VM with SR-IOV and I have trouble having several VLANs over the same VF. Apparently I need to disable spoof check and activate trust on the VF, but all examples I find are for Intel NICs and I use Mellanox...

I tried the below settings for PCI passthrough interfaces in the VM options but with no luck.

Any idea?

0 Kudos