VMware Cloud Community
StephenMoll
Expert

vSwitch and Portgroup Security settings

It is possible to edit the security settings for "Promiscuous Mode", "MAC address changes" and "Forged Transmits" in two places:

On the vSwitch and on each individual portgroup on a vSwitch.

Can the settings on a portgroup override the vSwitch settings?

So for example if the vSwitch has "Promiscuous Mode : Reject", what happens if I have a portgroup on the same vSwitch with "Promiscuous Mode : Accept"? Would a VM on that portgroup be able to receive all packets on the VLAN, or only those originating within the vSwitch?

In short, what is the hierarchical relationship between the security settings on a vSwitch and its portgroups?

Accepted Solutions
SupreetK
Commander

PortGroup settings will take priority. The monitoring VM will be able to receive all the packets on that vLAN.

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

6 Replies
IRIX201110141
Champion

Yes, the portgroup can override the settings from the vSwitch. I have seen security or monitoring VAs which need to see all kinds of network traffic, so there is a reason to enable Promiscuous Mode.

Regards,

Joerg

Ardaneh
Enthusiast

Hi,

You can override the switch-level settings for individual standard port groups by editing the settings for the port group.

StephenMoll
Expert

I think I have it now:

The vSwitch Security settings will be applied by default to new portgroups, because they will not have the override box checked.

So I should have my most secure settings applied at the vSwitch and only override at a portgroup when it is necessary. Where it is necessary, create a new portgroup just for VMs that need lighter security settings, e.g. MS Windows Server VMs running WSFC and network monitoring appliances.

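The inheritance model worked through in the post above (Reject everything at the vSwitch, override only on a dedicated portgroup), written out as an added audit script that is not part of this thread and not a VMware tool. It models a standard vSwitch policy plus portgroups whose "override" box may be unchecked (inherit) or checked (own value), computes the policy actually in effect for each portgroup, and flags any Accept that is not covered by an approved exception. The inventory is constructed by hand in the shape one would get from `esxcli network vswitch standard policy security get -v <vswitch>` and `esxcli network vswitch standard portgroup policy security get -p <portgroup>`; all switch, portgroup and function names are illustrative assumptions. It also goes one step beyond the thread by showing the failure mode in the other direction: a portgroup that inherits an Accept from a vSwitch left loose gets flagged even though nobody overrode anything on it.

```python
"""Resolve and audit vSphere standard-switch security policies.

Added example: the inventory below is hand-constructed to mirror what
esxcli reports for a vSwitch and its portgroups; it is not real output
and the names (vSwitch0, Monitoring, WSFC-Cluster, ...) are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The three per-port security settings exposed on a standard vSwitch.
SETTINGS = ("allow_promiscuous", "mac_changes", "forged_transmits")


@dataclass(frozen=True)
class SecurityPolicy:
    allow_promiscuous: bool   # True == "Accept", False == "Reject"
    mac_changes: bool
    forged_transmits: bool


@dataclass
class PortGroup:
    name: str
    vswitch: str
    # None means the "override" box is unchecked and the vSwitch value is
    # inherited; a bool means the portgroup's own value takes priority.
    allow_promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None


def effective_policy(pg: PortGroup,
                     vswitches: dict[str, SecurityPolicy]) -> SecurityPolicy:
    """Portgroup override wins per setting; otherwise the vSwitch value applies."""
    base = vswitches[pg.vswitch]
    resolved = {}
    for setting in SETTINGS:
        override = getattr(pg, setting)
        resolved[setting] = getattr(base, setting) if override is None else override
    return SecurityPolicy(**resolved)


# Least-privilege baseline for the vSwitch itself: everything rejected.
BASELINE = SecurityPolicy(False, False, False)


def audit(vswitches: dict[str, SecurityPolicy],
          portgroups: list[PortGroup],
          exceptions: dict[str, frozenset[str]]) -> list[tuple[str, str, str]]:
    """Return (object, setting, reason) findings.

    A vSwitch that accepts anything is a finding, because every new
    portgroup inherits it.  A portgroup is a finding when an Accept is in
    effect (overridden or inherited) without an approved exception.
    """
    findings = []
    for name, policy in vswitches.items():
        for setting in SETTINGS:
            if getattr(policy, setting):
                findings.append((name, setting,
                                 "vSwitch default is Accept; set Reject and override per portgroup"))
    for pg in portgroups:
        in_effect = effective_policy(pg, vswitches)
        approved = exceptions.get(pg.name, frozenset())
        for setting in SETTINGS:
            if getattr(in_effect, setting) and setting not in approved:
                findings.append((pg.name, setting,
                                 "Accept in effect without an approved exception"))
    return findings


# ---- constructed inventory (assumed names, not real esxcli output) ----
VSWITCHES = {
    "vSwitch0": BASELINE,                          # hardened as the thread recommends
    "vSwitch1": SecurityPolicy(False, True, False),  # legacy switch left with MAC changes: Accept
}
PORTGROUPS = [
    PortGroup("VM Network", "vSwitch0"),                               # inherits Reject/Reject/Reject
    PortGroup("Monitoring", "vSwitch0", allow_promiscuous=True),       # dedicated sniffer portgroup
    PortGroup("WSFC-Cluster", "vSwitch0", mac_changes=True, forged_transmits=True),
    PortGroup("Dev", "vSwitch1"),                                      # inherits the loose setting
]
# Documented, approved exceptions: the only places Accept is tolerated.
EXCEPTIONS = {
    "Monitoring": frozenset({"allow_promiscuous"}),
    "WSFC-Cluster": frozenset({"mac_changes", "forged_transmits"}),
}

if __name__ == "__main__":
    for pg in PORTGROUPS:
        print(f"{pg.name:13s} -> {effective_policy(pg, VSWITCHES)}")
    for obj, setting, reason in audit(VSWITCHES, PORTGROUPS, EXCEPTIONS):
        print(f"FINDING {obj}: {setting}: {reason}")
```

Run as-is, it reports that the Monitoring portgroup is promiscuous even though vSwitch0 rejects it (the override wins), that VM Network and the cluster portgroup resolve exactly as the thread describes, and two findings on the vSwitch1 side: the switch itself and the Dev portgroup that silently inherits MAC changes: Accept. Feeding it real data means reading the three booleans per switch and per portgroup from esxcli or PowerCLI into the same two structures.
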
SupreetK
Commander

Yes, you can create a dedicated PortGroup for the monitoring appliances and have Promiscuous mode enabled (from the override switch) only on that PortGroup.

Please consider marking this answer as "correct" or "helpful" if you think your questions have been answered.

Cheers,

Supreet

Ardaneh
Enthusiast

Completely correct. All rules should be applied at VSS level, and then override whatever you want at PG level.