When any of the VMs attempt to talk to the outside network via the virtual ESXi network adapter, the virtual switch will check the source address of the 802.3 Ethernet frame. The virtual ESXi server is running three nested VMs with a MAC address of A, B, and C. A virtual ESXi VM has been created with a MAC address of “D” (not valid, but pretend it is). You would need to Accept Forged Transmits in order for a nested virtual guest to communicate outside of the virtual ESXi host.
In this case, multiple MAC addresses will appear in the Source Address 802.3 field, as each virtual workload hosted by the VM would need to communicate using the virtual ESXi network adapter. Prime Example: Nested VirtualizationĪ much more common scenario today is the situation where a virtual machine is hosting traffic for a variety of other workloads, such as with a virtual ESXi server running nested virtual guests. Realistically, you won’t encounter all that many use cases that require Forged Transmits, and the default distributed switch security setting is to Reject any MAC impersonations (the standard switch still Accepts them by default). Other cases revolve around the concept of utilizing a common MAC address to own a cluster resource when one or more nodes fail. In this scenario, multiple virtual machines are participating in the NLB cluster and all have the same MAC address. The host compares the Effective Address to the 802.3 Source Address generated by the virtual machine When Does A Forged Transmit Make Sense?Ī common poster child for Forged Transmits is the use of Microsoft’s Network Load Balancing (NLB) unicast mode configuration. The policy does not compare the virtual machine’s configured MAC address, also called the Initial Address, as that duty is handled by the MAC Address Changes policy. The key thing to note about Forged Transmits is that the security policy is only policing the Effective Address of the network adapter, which is the address set by the guest OS. If the security policy for Forged Transmits is set to Reject, the frame will be dropped.
If they don’t match, a Forged Transmit has occurred – sometimes this is known as MAC impersonation. To simplify the idea behind the policy, a Forged Transmit occurs when a network adapter starts sending out traffic that identifies itself as someone else. This security policy compares the Effective Address of the virtual network adapter and the source address inside of an 802.3 Ethernet frame generated by the virtual machine to make sure they match. One virtual switch security policy that tends to trip folks up is the idea of rejecting or accepting MAC address Forged Transmits. 0.2 Prime Example: Nested Virtualization.0.1 When Does A Forged Transmit Make Sense?.Tunnel adapter Local Area Connection* 15:ĭescription.
ID AdapterFriendlyName ForceCompatibilityMode
0 kommentar(er)
