5 Replies Latest reply on Apr 8, 2013 6:06 AM by rickardnobel

    "Forged MAC" vs "Change MAC address", what is really the difference?

    rickardnobel Virtuoso

      Something that I cannot get clear documentation on is the exact difference between the two security options: "Forged MAC" and "Change MAC address".

       

      The forged MAC option should mean that a VM is not allowed to send a frame with a different SRC MAC than it should have, but what is really the difference between that and the Change MAC option, which also results in the VM sending frames with a SRC MAC different from the one specified in the vmx file?

        • 1. Re: "Forged MAC" vs "Change MAC address", what is really the difference?
          Chris Wahl Master

          Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.

           

          Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.

          VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
          • 2. Re: "Forged MAC" vs "Change MAC address", what is really the difference?
            rickardnobel Virtuoso

            Chris Wahl wrote:

             

            Change MAC address is referring to the vNIC. If the guest attempts to change the MAC address assigned to the vNIC, it stops receiving frames.

             

            Forged MAC (Forged Transmits) just looks to see if the transmit contains the source MAC; if not, it drops the frame.

            Thank you for your reply Chris. This explanation is the one I have seen most often, but I am still kind of unsure what it really means technically here.

             

            If "Change MAC" is just for inbound, that is, the vSwitch should accept incoming frames destined to a MAC address other than the one in the VMX, if the setting is allow.

             

            And "forged transmits" is just for transmit, making the vSwitch drop all outgoing frames with a SRC other than the VMX-defined MAC.

             

            But should for example this be possible in practice?

             

            Change MAC: allow

            Forged Transmit: deny

             

            That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC really be used if Forged is not also allow?

            • 3. Re: "Forged MAC" vs "Change MAC address", what is really the difference?
              Chris Wahl Master

              ricnob wrote:

               

              But, should for example this be possible:

               

              Change MAC: allow

              Forged Transmit: deny

               

              That should mean that it could receive, but not send, as the new MAC? That is, could Change MAC be used if Forged is not also allow?

               

              Correct, these security settings are essentially two sides of the same coin. It boils down to:

               

              MAC Address Changes = incoming IP traffic

               

              Forged Transmits = outgoing IP traffic

               

              In both cases, the vSwitch compares the value of the MAC in the vmx file against what the frame contains to determine a difference.

              VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
              • 4. Re: "Forged MAC" vs "Change MAC address", what is really the difference?
                vprof24 Lurker
                Had this question on the above topic and this was the nearest discussion I could find, hence I am replying to check if I can get some answers. I have run some tests in my environment.

                Test Environment:
                1) I have 2 ESXi servers with VM1 running on ESXi1 and VM2 running on ESXi2.
                2) Inside the Properties of the network card for VM1, I changed the MAC address to something different from what is in the VMX file.
                3) Now with "MAC address changes" and "Forged transmit" set to the default (Allow), my VM1 is able to ping VM2 and vice versa.
                4) When I start enabling the options, the results are as follows:

                Only Forged Transmit set to reject
                  Ping    VM1     VM2
                  VM1     NA      Fails
                  VM2     Fails   NA

                Only MAC address changes set to reject
                  Ping    VM1     VM2
                  VM1     NA      Fails
                  VM2     Fails   NA

                Both Forged/MAC address changes set to reject
                  Ping    VM1     VM2
                  VM1     NA      Fails
                  VM2     Fails   NA

                 

                Since both settings seem to affect incoming and outgoing traffic, where exactly does setting Forged Transmit vs. MAC address changes make sense?


                • 5. Re: "Forged MAC" vs "Change MAC address", what is really the difference?
                  rickardnobel Virtuoso

                  vprof24 wrote:

                   

                  Since both settings seem to affect incoming and outgoing traffic, where exactly does setting Forged Transmit vs. MAC address changes make sense?

                   

                  A possible use case for allowing only "Forged transmits" could be when using applications like a Microsoft NLB cluster, which does some interesting things with outgoing frames, manipulating the MAC SRC field in the Ethernet header.
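A small model of the two checks exactly as reply 3 describes them (both compare a frame against the MAC in the vmx file), replayed over reply 4's ping matrix and reply 5's NLB-style case. This is an added example written for this thread, not VMware code or anything posted above; it follows the thread's description rather than ESXi's implementation, and every MAC address in it (including the cluster MAC) is constructed.

```python
from dataclasses import dataclass

ACCEPT, REJECT = "accept", "reject"

@dataclass(frozen=True)
class Port:
    vmx_mac: str            # initial MAC from the .vmx file
    effective_mac: str      # MAC the guest currently has configured on the adapter
    mac_changes: str        # "MAC address changes" policy: ACCEPT or REJECT
    forged_transmits: str   # "Forged transmits" policy: ACCEPT or REJECT

def inbound_allowed(port):
    # Inbound check (reply 3): once the guest MAC differs from the vmx MAC and
    # MAC address changes is Reject, the port stops receiving frames altogether.
    changed = port.effective_mac.lower() != port.vmx_mac.lower()
    return not (changed and port.mac_changes == REJECT)

def outbound_allowed(port, src_mac):
    # Outbound check (reply 3): a frame whose SRC MAC is not the vmx MAC is
    # dropped when Forged transmits is Reject.
    forged = src_mac.lower() != port.vmx_mac.lower()
    return not (forged and port.forged_transmits == REJECT)

def ping_works(a, b):
    # A ping needs both directions: request leaves a and reaches b, reply leaves b and reaches a.
    request = outbound_allowed(a, a.effective_mac) and inbound_allowed(b)
    reply = outbound_allowed(b, b.effective_mac) and inbound_allowed(a)
    return request and reply

def vprof24_matrix():
    # Reply 4's test: VM1 changed its guest MAC, VM2 did not; MACs are constructed.
    combos = {
        "default (both accept)": (ACCEPT, ACCEPT),
        "only forged transmits reject": (ACCEPT, REJECT),
        "only MAC address changes reject": (REJECT, ACCEPT),
        "both reject": (REJECT, REJECT),
    }
    out = {}
    for name, (mac_changes, forged) in combos.items():
        vm1 = Port("00:50:56:aa:00:01", "00:50:56:aa:00:99", mac_changes, forged)  # guest MAC changed
        vm2 = Port("00:50:56:aa:00:02", "00:50:56:aa:00:02", mac_changes, forged)  # unchanged
        out[name] = ping_works(vm1, vm2)
    return out

def nlb_like_case(mac_changes, forged):
    # Reply 5: guest keeps its vmx MAC but writes another SRC MAC into outgoing frames.
    vm = Port("00:50:56:aa:00:03", "00:50:56:aa:00:03", mac_changes, forged)
    cluster_mac = "02:bf:0a:00:00:05"  # constructed placeholder for a cluster MAC
    return inbound_allowed(vm), outbound_allowed(vm, cluster_mac)
```

Because a ping needs both directions to pass, every combination with a rejecting setting fails the matrix, which is what reply 4 observed; the NLB-style port still receives with MAC address changes set to Reject and only needs Forged transmits set to Accept.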