7.1 Ensure the vSwitch Forged Transmits policy is set to reject

Information

Set the vSwitch Forged Transmits policy to reject for each vSwitch. Reject Forged Transmit can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings at the Portgroup level.

Rationale:

If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting forged transmissions to accept means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmissions set to reject.

Impact:

This will prevent VMs from changing their effective MAC address. This will affect applications that require this functionality, such as Microsoft Clustering, which requires systems to effectively share a MAC address. This will affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the port groups that these applications are connected to.

Solution

To set the policy to reject forged transmissions, perform the following:

From the vSphere Web Client, select the host.

Click Configure then expand Networking.

Select Virtual switches then click Edit.

Click on Security.

Set Forged transmits to Reject in the dropdown.

Click on OK.

Alternately, the following ESXi shell command may be used:

# esxcli network vswitch standard policy security set -v vSwitch2 -f false

See Also

https://workbench.cisecurity.org/files/3473