You can set a security policy on a distributed port to override the policy set for the distributed switch.

The three elements of the security policy are promiscuous mode, MAC address changes, and forged transmits.

In nonpromiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all the packets. By default, guest adapters are set to nonpromiscuous mode.


Browse to a distributed switch in the vSphere Web Client navigator.


Click the Manage tab, and select Ports.


Select a port from the list.


Click Edit distributed port settings.


Click Security and select the check box for the policy you want to override.

Use the drop-down menus to edit the settings for the port.



Promiscuous Mode

Reject: No effect on which frames are received by the adapter.

Accept: Causes the guest adapter to detect all frames passed on the standard switch that are allowed under the VLAN policy for the port group that the adapter is connected to.

MAC Address

Reject: Changes if the guest OS changes the MAC address of the adapter to anything other than what is in the .vmx configuration file. All inbound frames are dropped. If the guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are sent again.

Accept: If the MAC address from the guest OS changes, frames to the new MAC address are received.

Forged Transmits

Reject: Outbound frames with a source MAC address that is different from the one set on the adapter are dropped.

Accept: No filtering is performed, and all outbound frames are passed.


Click OK.