I need some low-level clarification on VMWARE vswitch/dvs behaviour on ESXI 6.5 and above. I have read numerous blogs and the community discussions pertaining to ESXi Nested Virtualisation, unfortunately I am unable to find the right answer to the problem I encounter in enterprise environment.
Here's the ESXI guest deployment details. I have a guest (Debian 9) running on a ESXi host, sitting on a port-group which has Promiscuous Mode & Forged Transmit enabled. The guest never changes its primary mac address (the management mac and hence MAC changes is disabled on the port-group). However the guest constructs several ip network namespaces (akin to nested virtualisation) and sends out packet with random mac address. The switching inside the guest kernel is taken care by openvswitch.
In this situation, we have been noticed that, whenever a nested guest/ip namespace sends out a packet with a random source mac address (i.e forged transmit) the exact same packet is copied back into the guest interface, however the packet does go out to the uplink switch and the layer2/3 communication works fine. The only concern here is the egress packet being looped back into the guest interface is something I can't explain. Why this is important in my application is the fact that, in such cases our packet processor reports this as a mac collision, although the neighbourhood has no such host having the same MAC address as that of the nested guest/ip namespace (which in fact is a random mac).
I am not able to reproduce this issue on my local test-bed, however I can assert that this is the case in enterprise deployments, I am not sure whether this can occur when you have a distributed vSwitch spanning over multiple ESXi host or a standard vswitch on a single ESXI host. Any help will be appreciated, if it's a known issue or a duplicate topic, would be obliged if someone can point me to the appropriate forum.