Trouble due to changed vDS default security policy

A customer contacted me, because he had trouble to move a VM between two clusters. The hosts in the source cluster used vNetwork Standard Switches (vSS), the hosts in the destination cluster vNetwork Distributed Switch (dVS). Because of this, a host in the destionation cluster had an additional vSS with the same port groups, that were used in the source cluster. This configuration allowed the customer to do vMotion without shared storage between the two clusters. The setup worked fine, until the customer moved a specific VM to the new cluster and switched the port group of the VM from the vSS to the vDS: The VM lost the connect to the network. A switch back to the vSS restored network connectivity for the VM. While troubleshooting this issue I noticed that the port was blocked due to a L2 security violation.

dvs_port_blocked

If you take a closer look at the mac-address of the VM with the blocked port, you will notice, that it differs from the usually used range of mac-addresses. Now VMware KB2030982 comes into play. It describes a change to the default security policy for vDS distributed port groups. This table was taken from  VMware KB2030982 and shows the differences between the security settins.

Default Setting vSphere v5.0 and earlier vSphere v5.1 and later
Promiscuous Mode Reject Reject
MAC Address Changes Accept Reject
Forged Transmit Accept Reject

dvs_security_settings

But why was the VM hit by this change? The VM is the result of a P2V migration and it’s running an application, that relies on a specific mac-address. Because of this, the mac-address of the old physical server was entered in the network driver properties. The changed security settings prevent the usage of forged mac-addresses. The host compares the source mac-address being transmitted by the OS with the effective mac-address for its adapter to see if they match. If not, the hosts drops the packet. To allow the usage of forged mac-addresses, the security settings “Forged transmits”, and optional, “MAC address changes” needs to be changed from “Reject” to “Accept”. You can modify these settigns per port group and there is no need to change it for all port groups of a dVS.

Trouble due to changed vDS default security policy
5 (100%) 2 votes
Patrick Terlisten
Follow me

Patrick Terlisten

vcloudnine.de is the personal blog of Patrick Terlisten. Patrick has over 15 years experience in IT, especially in the areas infrastructure, cloud, automation and industrialization. Patrick was selected as VMware vExpert (2014 - 2016), as well as PernixData PernixPro.

Feel free to follow him on Twitter and/ or leave a comment.
Patrick Terlisten
Follow me

Latest posts by Patrick Terlisten (see all)

Related Posts:

Leave a Reply

Your email address will not be published. Required fields are marked *