The vSwitch or vSwitch port group policy setting that allows a virtual machine to transmit packets that contain a MAC address other than the address defined for the VM is:
A. Promiscuous Mode
B. Forged Transmits
C. Traffic Shaping
D. MAC Address Changes
Correct Answer: B
Explanation/Reference:
Most pundits and VMware folk agree that:
Outbound IP Traffic: Forged Transmits
Inbound IP Traffic: MAC Address Changes
The setting for the Forged Transmits option affects traffic that is transmitted from a virtual machine.
When the option is set to Accept, ESXi does not compare source and effective MAC addresses.
To protect against MAC impersonation, you can set this option to Reject. If you do, the host compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESXi drops the packet.
The guest operating system does not detect that its virtual network adapter cannot send packets by using the impersonated MAC address. The ESXi host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
The setting for the MAC Address Changes option affects traffic that a virtual machine receives.
When the option is set to Accept, ESXi accepts requests to change the effective MAC address to other than the initial MAC address.
When the option is set to Reject, ESXi does not honor requests to change the effective MAC address to anything other than the initial MAC address, which protects the host against MAC impersonation. The port that the virtual adapter used to send the request is disabled and the virtual adapter does not receive any more frames until it changes the effective MAC address to match the initial MAC address. The guest operating system does not detect that the MAC address change was not honored.
http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html
But according to VMware’s Mock Exam: MAC Address Changes affects outbound traffic but not the traffic to which a VM can listen. I’m confused 😉
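The two checks quoted from the documentation above can be laid side by side in a small model. This is an added example, not VMware code: the class and function names, the sample MAC addresses, and the simplification to unicast frames on a single port are all assumptions made for illustration.

```python
from dataclasses import dataclass

INITIAL = "00:50:56:aa:bb:01"   # constructed sample addresses
ALTERED = "00:50:56:aa:bb:99"

@dataclass
class SecurityPolicy:
    forged_transmits: str = "Reject"      # "Accept" or "Reject"
    mac_address_changes: str = "Reject"   # "Accept" or "Reject"

class VSwitchPort:
    """Toy model of one vSwitch port (hypothetical, not ESXi internals)."""

    def __init__(self, initial_mac: str, policy: SecurityPolicy):
        self.initial_mac = initial_mac.lower()
        self.effective_mac = self.initial_mac  # MAC the host accepts for the adapter
        self.policy = policy
        self.receiving = True                  # False while the port is disabled

    def request_mac_change(self, new_mac: str) -> bool:
        """Guest asks to change its effective MAC. True if the host honors it."""
        new_mac = new_mac.lower()
        if new_mac == self.initial_mac or self.policy.mac_address_changes == "Accept":
            self.effective_mac, self.receiving = new_mac, True
            return True
        # Reject: not honored; no frames are received until the guest
        # goes back to the initial MAC.
        self.receiving = False
        return False

    def transmit(self, source_mac: str) -> bool:
        """Outbound frame from the guest. True if the host forwards it."""
        if self.policy.forged_transmits == "Accept":
            return True                        # source vs. effective is not compared
        return source_mac.lower() == self.effective_mac

    def receive(self, dest_mac: str) -> bool:
        """Inbound unicast frame. True if it is delivered to the guest."""
        return self.receiving and dest_mac.lower() == self.effective_mac

def outcomes(forged: str, changes: str) -> dict:
    """Guest switches from INITIAL to ALTERED, then sends and is sent frames."""
    port = VSwitchPort(INITIAL, SecurityPolicy(forged, changes))
    return {"change_honored": port.request_mac_change(ALTERED),
            "tx_from_altered": port.transmit(ALTERED),
            "rx_to_altered": port.receive(ALTERED),
            "rx_to_initial": port.receive(INITIAL)}

if __name__ == "__main__":
    for f in ("Accept", "Reject"):
        for c in ("Accept", "Reject"):
            print(f"ForgedTransmits={f:6} MacChanges={c:6} -> {outcomes(f, c)}")
```

In this model, Forged Transmits alone decides whether a frame with the altered source MAC leaves the VM, while MAC Address Changes decides whether the VM keeps receiving after it alters its address.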