addressable through the security policy of a vSwitch or distributed switch. The remaining two settings of a virtual switch security policy are MAC Address Changes and Forged Transmits. These security policies allow or deny differences between the initial MAC address in the configuration file and the effective MAC address in the guest OS. As noted earlier, the default security policy is to accept the differences and process traffic as needed.
The difference between the MAC Address Changes and Forged Transmits security settings involves the direction of the traffic. MAC Address Changes is concerned with the integrity of incoming traffic, while Forged Transmits oversees the integrity of outgoing traffic. If the MAC Address Changes option is set to Reject, traffic will not be passed through the vSwitch to the VM (incoming) if the initial and the effective MAC addresses do not match. If the Forged Transmits option is set to Reject, traffic will not be passed from the VM to the vSwitch (outgoing) if the initial and the effective MAC addresses do not match. Figure 5.80 highlights the security restrictions implemented when MAC Address Changes and Forged Transmits are set to Reject.
Figure 5.80 The MAC Address Changes and Forged Transmits security options deal with incoming and outgoing traffic, respectively. (The figure shows two VMs attached to vSwitch0, which has uplinks vmnic0 through vmnic3, with Forged Transmits: Reject and MAC Address Changes: Reject. VM 1: Initial MAC 00:50:56:a4:22:4c, Effective MAC 01:4d:2b:a3:11:1c. VM 2: Initial MAC 00:50:56:a4:24:5d, Effective MAC 01:1C:2d:a4:33:5f.)
For the highest level of security, VMware recommends setting MAC Address Changes,
Forged Transmits, and Promiscuous Mode on each vSwitch or distributed switch/distributed
port group to Reject. When warranted or necessary, use port groups to loosen the security for a
subset of VMs to connect to the port group.
Virtual Switch Policies for Microsoft Network Load Balancing
As with anything, there are, of course, exceptions to the general recommendations for how a virtual switch should be configured. The recommendations for allowing MAC address changes and forged transmits are one great example. For VMs that will be configured as part of a Microsoft Network Load Balancing (NLB) cluster set in Unicast mode, the VM port group must allow MAC address changes and forged transmits. Systems that are part of an NLB cluster will share a common IP address and virtual MAC address.
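The following Python model, added here as an illustration and not code from the book or from VMware, ties together the two preceding passages: the direction-specific enforcement of MAC Address Changes (vSwitch to VM) and Forged Transmits (VM to vSwitch) when they are set to Reject, and the port-group override that an NLB Unicast cluster needs. It follows the text's description of comparing the initial MAC from the configuration file with the effective MAC in the guest. The switch name, port-group names, VM names and MAC addresses are constructed for the example; the `audit` helper is an assumed addition that lists every port group whose effective policy is looser than the recommended all-Reject baseline, which is the check a reviewer would want when exceptions such as an NLB port group exist.

```python
"""Model of vSwitch security-policy enforcement for MAC Address Changes and
Forged Transmits, plus a port-group override for a Microsoft NLB Unicast
cluster. Added example, not VMware code. All names and MAC addresses below
are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Setting(Enum):
    ACCEPT = "Accept"
    REJECT = "Reject"


@dataclass(frozen=True)
class SecurityPolicy:
    mac_address_changes: Setting   # integrity of traffic INTO the VM
    forged_transmits: Setting      # integrity of traffic OUT of the VM
    promiscuous_mode: Setting      # not evaluated below; included for the audit


# Hardened baseline recommended in the text: everything set to Reject.
RECOMMENDED = SecurityPolicy(Setting.REJECT, Setting.REJECT, Setting.REJECT)
# What an NLB Unicast port group must permit; promiscuous mode stays rejected.
NLB_UNICAST = SecurityPolicy(Setting.ACCEPT, Setting.ACCEPT, Setting.REJECT)


@dataclass
class VSwitch:
    name: str
    policy: SecurityPolicy
    # port-group name -> override policy (None means inherit from the switch)
    port_groups: Dict[str, Optional[SecurityPolicy]]

    def effective_policy(self, port_group: str) -> SecurityPolicy:
        override = self.port_groups[port_group]
        return override if override is not None else self.policy


@dataclass(frozen=True)
class VNic:
    vm: str
    port_group: str
    initial_mac: str     # MAC recorded in the VM configuration (.vmx) file
    effective_mac: str   # MAC the guest OS currently uses


def mac_changed(nic: VNic) -> bool:
    """True when the guest's effective MAC differs from the configured one."""
    return nic.initial_mac.lower() != nic.effective_mac.lower()


def allow_inbound(switch: VSwitch, nic: VNic) -> bool:
    """vSwitch -> VM: dropped only when MAC Address Changes is Reject and
    the initial and effective MACs do not match."""
    policy = switch.effective_policy(nic.port_group)
    return not (policy.mac_address_changes is Setting.REJECT and mac_changed(nic))


def allow_outbound(switch: VSwitch, nic: VNic) -> bool:
    """VM -> vSwitch: dropped only when Forged Transmits is Reject and the
    initial and effective MACs do not match."""
    policy = switch.effective_policy(nic.port_group)
    return not (policy.forged_transmits is Setting.REJECT and mac_changed(nic))


def audit(switch: VSwitch) -> List[str]:
    """List every port group whose effective policy is looser than RECOMMENDED,
    so deliberate exceptions (such as an NLB port group) are explicit."""
    findings = []
    for pg in switch.port_groups:
        pol = switch.effective_policy(pg)
        for field in ("mac_address_changes", "forged_transmits", "promiscuous_mode"):
            if getattr(pol, field) is not Setting.REJECT:
                findings.append(f"{switch.name}/{pg}: {field} = Accept")
    return findings


# Constructed scenario in the spirit of Figure 5.80, plus one NLB port group.
VSWITCH0 = VSwitch(
    name="vSwitch0",
    policy=RECOMMENDED,
    port_groups={"VM Network": None, "NLB-Unicast": NLB_UNICAST},
)
VM_A = VNic("vm-a", "VM Network", "00:50:56:a4:22:4c", "01:4d:2b:a3:11:1c")  # changed MAC
VM_B = VNic("vm-b", "VM Network", "00:50:56:a4:24:5d", "00:50:56:a4:24:5d")  # unchanged
NLB_NODE = VNic("nlb-1", "NLB-Unicast", "00:50:56:a4:26:6e", "02:bf:0a:00:00:64")

if __name__ == "__main__":
    for nic in (VM_A, VM_B, NLB_NODE):
        print(nic.vm, "inbound:", allow_inbound(VSWITCH0, nic),
              "outbound:", allow_outbound(VSWITCH0, nic))
    for finding in audit(VSWITCH0):
        print("exception:", finding)
```

Running the block shows that the VM with a changed MAC on the inherited all-Reject port group loses both directions, the VM whose MACs still match is unaffected, and the NLB node on the overriding port group passes traffic in both directions, which the audit reports as the only exceptions on the switch.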