Configure advanced vSS settings – Objective 2.1 – Implement and manage virtual standard switch (vSS) networks


· Initial Address = Similar to a burned in address, this MAC is set by the configuration file (vmx) for the virtual network adapter. Cannot be changed by the guest OS, but can be changed by a vSphere Admin via the GUI or editing the vmx file.

· Effective Address = The address assigned by the guest OS to the network adapter. In most situations, the guest OS will simply copy the initial address.

· Runtime Address = The effective address as viewed by a port on the virtual switch.

From <>



Promiscuous mode

Reject: Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines.

Accept: If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port to which the adapter is connected.

Firewalls, port scanners, intrusion detection systems and so on, need to run in promiscuous mode.

Use Case:

There are some situations where we really do want a VM to see traffic that is intended for another device. Imagine having some sort of network monitoring VM that needs to sniff traffic. This is where Promiscuous Mode comes in handy. By setting it to Accept, we are ordering the vSwitch to share traffic on each VLAN among other VMs on the same VLAN.


Promiscuous mode does not allow a VM to see traffic on VLANs that aren’t specified by the port group. It can still only see traffic for the VLAN(s) that it belongs to. This is a very common misconception.

MAC address changes

Reject: If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to a value different from the address in the virtual machine configuration file (.vmx), the switch drops all inbound frames to the virtual machine adapter.

If the guest operating system changes the MAC address back, the virtual machine receives frames again.

Accept: If the guest operating system changes the MAC address of a network adapter, the switch allows frames to the new address of the adapter to pass.

Use Case:

When set to “Accept,” the vSwitch allows the Initial MAC address to differ from the Effective MAC address, meaning the guest OS has been allowed to change the MAC address for itself. Typically, we don’t want this to happen as a malicious user could try to impersonate another VM by using the same MAC address, but there are use cases, such as with Microsoft Network Load Balancing (NLB) where it makes sense.

When set to “Reject,” the vSwitch will disable the port if it sees that the guest OS is trying to change the Effective MAC address to something other than the Initial MAC address. The port will no longer receive traffic until you either change the security policy or make sure that the Effective MAC address is the same value as the Initial MAC address.

Forged transmits

Reject: The switch drops any outbound frame from a virtual machine adapter with a source MAC address that is different from the one in the .vmx configuration file.

Accept: The switch does not perform filtering and permits all outbound frames.

Use Case:

It’s very common to see issues with the Forged Transmit policy when doing nested virtualization. Nesting is the term used to describe running the ESXi hypervisor inside a VM, which then runs other nested VMs with their own unique MAC addresses. The many different MAC addresses will be seen by the port used by the nested hypervisor VM because the nested guest VMs are sending traffic. In this case, you would have to configure the policy for Forged Transmits to Accept.


The difference between the MAC Address Changes and Forged Transmits security settings involves the direction of the traffic. MAC Address Changes is concerned with the integrity of incoming traffic, while Forged Transmits oversees the integrity of outgoing traffic. If the MAC Address Changes option is set to Reject, traffic will not be

passed through the vSwitch to the VM (incoming) if the initial and the effective MAC addresses do not match. If the Forged Transmits option is set to Reject, traffic will not

be passed from the VM to the vSwitch (outgoing) if the initial and the effective MAC addresses do not match.

#REF: Mastering_VMware_vSphere_5.5


There are two modes of traffic shaping, INGRESS and EGRESS.
INGRESS handles incoming traffic and EGRESS outgoing traffic.


About Ahmad Sabry ElGendi
This entry was posted in VCAP5-DCA, Vmware. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s