VMware Cloud Community
santosh42
Enthusiast

security policies - MAC address changes and Forged transmits

Hi,

I came across the two settings below (with default values) for security on the vSwitch ports:

MAC address changes - Accept

Forged transmits - Accept

I want to understand in what scenario you would want to set the above policies to "Reject".

Also, what is the advantage, or the application, where you set the:

  • MAC address changes to "reject"
  • Forged transmits - Accept

Please share your thoughts.

Thanks.

gvenkatsumanth
Contributor

MAC address changes set to Reject ensures that when someone changes a MAC address within the OS, all inbound packets are dropped.

Forged transmits set to Reject ensures that the originator of the packet is validated. Any outbound frame with a MAC address that is different from the one currently set on the adapter will be dropped.

santosh42
Enthusiast

Thanks for the info.

I understand that.

But I am trying to understand the scenario where we can use these.

I mean, for instance, in the case of forged transmits, why would the MAC address of the guest OS differ from the one specified in the .vmx?

Is there any application that makes these changes, be it the MAC address change scenario or the forged transmits scenario?

Thanks.

vGuy
Expert

I have seen the use case for enabling these policies mostly in P2V'd environments where the application's licenses are tied to the physical MAC address. In that case, you can assign the physical MAC address to the VM from within the guest OS, and the vmx still has its proprietary MAC (typically 00:50:56).

But take note, we only used this as a temporary solution while working with the application vendor to generate new licenses. I would recommend that both policies, including promiscuous mode, always be set to Reject.

rickardnobel
Champion

Some applications, like the Microsoft Network Load Balancing feature, use some strange tricks with source and destination MAC addresses and require these two settings to be set to ACCEPT.

There is also a (small) risk that a rogue VM administrator could use some layer two network attack tool to cause trouble, and this could be made harder with the settings set to REJECT.

My VMware blog: www.rickardnobel.se
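An added audit helper (my own example, not code from the thread or from VMware): it parses the "Allow ...: true/false" lines printed by `esxcli network vswitch standard policy security get -v <vswitch>` and reports which of the three policies are still Accept, while tolerating a list of documented exceptions such as an NLB cluster or a temporary P2V licensing case. The sample output, switch names and exception list are constructed; the esxcli output format is assumed from memory.

```python
"""Audit vSwitch security policies (promiscuous, MAC change, forged transmits)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `esxcli network vswitch standard policy security get -v <vswitch>`
# output, one entry per standard vSwitch (format assumed; not captured from a real host).
SAMPLE_OUTPUT = {
    "vSwitch0": "   Allow Promiscuous: false\n"
                "   Allow MAC Address Change: true\n"
                "   Allow Forged Transmits: true\n",
    "vSwitch1": "   Allow Promiscuous: false\n"
                "   Allow MAC Address Change: false\n"
                "   Allow Forged Transmits: false\n",
    "vSwitch2": "   Allow Promiscuous: false\n"
                "   Allow MAC Address Change: true\n"
                "   Allow Forged Transmits: true\n",
}

# Switches with a recorded business reason for Accept (constructed example).
DOCUMENTED_EXCEPTIONS = {"vSwitch2": "Microsoft NLB cluster; ticket CHG-0000 (placeholder)"}

POLICIES = ("Promiscuous", "MAC Address Change", "Forged Transmits")
POLICY_RE = re.compile(r"^\s*Allow (Promiscuous|MAC Address Change|Forged Transmits):\s*(true|false)\s*$")


def parse_policy(text: str) -> Dict[str, bool]:
    """Map each policy name to True when the switch currently Accepts it."""
    policy: Dict[str, bool] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2) == "true"
    return policy


def audit(outputs: Dict[str, str], exceptions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (vswitch, policy, status) for every policy that is not Reject.

    status is 'remediate' for an undocumented Accept, 'exception' for a documented one,
    and 'missing' when esxcli did not report the policy at all (treated as a finding,
    never silently as Reject).
    """
    findings = []
    for vswitch, text in outputs.items():
        policy = parse_policy(text)
        for name in POLICIES:
            if name not in policy:
                findings.append((vswitch, name, "missing"))
            elif policy[name]:
                status = "exception" if vswitch in exceptions else "remediate"
                findings.append((vswitch, name, status))
    return findings


if __name__ == "__main__":
    for vswitch, name, status in audit(SAMPLE_OUTPUT, DOCUMENTED_EXCEPTIONS):
        print(f"{vswitch}: Allow {name} is Accept ({status})")
```

Each "remediate" finding maps to `esxcli network vswitch standard policy security set -v <vswitch> --allow-mac-change=false --allow-forged-transmits=false --allow-promiscuous=false` on the host, after confirming no NLB-style workload depends on it.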
santosh42
Enthusiast

Thanks folks.

That's useful info.

Thanks again.
