You can edit Layer 2 security policies, such as MAC address changes and forged transmits, for a vSphere standard switch.

Layer 2 is the data link layer. The three elements of the Layer 2 Security policy are promiscuous mode, MAC address changes, and forged transmits. In nonpromiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all the packets. By default, guest adapters are set to nonpromiscuous mode.

You can override the switch-level settings for individual standard port groups by editing the settings for the port group. For more information about security, see the vSphere Security documentation.


1. Browse to a host in the vSphere Web Client navigator.

2. Click the Manage tab, and click Networking > Virtual Switches.

3. Select a standard switch from the list and click Edit settings.

4. Select whether to reject or accept the Layer 2 Security policy exceptions using the drop-down menus.

   Promiscuous mode

      Reject: No effect on which frames are received by the adapter.

      Accept: Causes the guest adapter to detect all frames passed on the vSphere standard switch that are allowed under the VLAN policy for the port group to which the adapter is connected.

   MAC address changes

      Reject: If you set MAC Address Changes to Reject and the guest OS changes the MAC address of the adapter to anything other than what is in the .vmx configuration file, all inbound frames are dropped.

      If the guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.

      Accept: Changing the MAC address from the guest OS has the intended effect. Frames to the new MAC address are received.

   Forged transmits

      Reject: Any outbound frame with a source MAC address that is different from the one currently set on the adapter is dropped.

      Accept: No filtering is performed and all outbound frames are passed.

5. Click OK.
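
The Reject and Accept rules above, together with the port-group override, can be modeled to check what a given combination of settings actually lets through. This is an added example, not VMware code: L2Policy, Adapter, the function names and the MAC addresses are constructed for illustration, and the model assumes unicast frames on a single VLAN.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT, REJECT = True, False

@dataclass
class L2Policy:
    """One field per policy element; None on a port group means 'inherit from switch'."""
    promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None

def effective_policy(switch: L2Policy, port_group: L2Policy) -> L2Policy:
    """Port-group overrides win; anything not overridden falls back to the switch."""
    def pick(pg, sw):
        return sw if pg is None else pg
    return L2Policy(pick(port_group.promiscuous, switch.promiscuous),
                    pick(port_group.mac_changes, switch.mac_changes),
                    pick(port_group.forged_transmits, switch.forged_transmits))

@dataclass
class Adapter:
    vmx_mac: str      # MAC recorded in the .vmx configuration file
    guest_mac: str    # MAC the guest OS has currently set on the adapter

def inbound_received(p: L2Policy, nic: Adapter, dst_mac: str) -> bool:
    """Is a unicast frame on the same VLAN (assumed) received by this adapter?"""
    if p.mac_changes == REJECT and nic.guest_mac != nic.vmx_mac:
        return False                      # all inbound frames are dropped
    if p.promiscuous == ACCEPT:
        return True                       # adapter detects every frame on the switch
    return dst_mac == nic.guest_mac       # nonpromiscuous: own MAC address only

def outbound_passed(p: L2Policy, nic: Adapter, src_mac: str) -> bool:
    """Forged transmits: Reject drops frames whose source MAC is not the adapter's."""
    return p.forged_transmits == ACCEPT or src_mac == nic.guest_mac

def accepted_exceptions(p: L2Policy) -> list:
    """Audit helper: names of the policy elements set to Accept."""
    return [name for name, value in vars(p).items() if value == ACCEPT]

# Constructed sample: the switch rejects everything, one port group overrides promiscuous mode.
SWITCH = L2Policy(REJECT, REJECT, REJECT)
MONITOR_PG = L2Policy(promiscuous=ACCEPT)
VM = Adapter(vmx_mac="00:50:56:aa:bb:01", guest_mac="00:50:56:aa:bb:01")
CHANGED = Adapter(vmx_mac="00:50:56:aa:bb:02", guest_mac="00:50:56:aa:bb:99")
```

Running accepted_exceptions on the effective policy of every port group shows which ones have drifted from the switch-level setting through an override.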