vDS ports go into blocked state for security violations even when the security policy is enabled
search cancel

vDS ports go into blocked state for security violations even when the security policy is enabled

book

Article ID: 317477

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

A VM is experiencing network connectivity loss when attached to a distributed portgroup that has "MAC address changes", "Promiscuous mode" or "Forged transmits" set to "Accept".

The VM, or an application on the VM, is intentionally operating in a way that would require one or more of the security policies to be enabled, such as a MAC address requesting to be changed from within the guest OS for CARP/VIP failover.

The logs show the VM's port is blocked due to a L2 security violation - despite the configuration in the vCenter UI showing the policy for such changes is set to "Accept."

Example logs in the vmkernel.log file:

cpu#:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> requested mac address change to <mac> on port 0x# #######, disallowed by vswitch policy
cpu#:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> has policy violations on port 0x#######. Port is blocked

"net-dvs -l " command output shows the effective parameters: deny mac change and Allow Mac Change = False

    com.vmware.vswitch.port.security = deny promiscuous; deny mac change; deny forged frames
            propType = POLICY
    com.vmware.vswitch.port.macManagement:
            Allow MAC Change = False
            MAC Learning = False
            Unknown Unicast Flooding = False
            MAC Limit = 4096
            MAC Limit Policy = ALLOW
            propType = CONFIG

Cause

This situation was introduced in vCenter 8.0 with the feature "MAC Learning configuration."
 
Although the setting appears to have applied successfully in the vSphere UI, the setting is not propagated properly to the host itself so the setting is effectively set to "Deny". Therefore when a guest OS or application in a VM acts in a way related to the policy, such as requesting a MAC address change, it is detected as a violation and the VM's port is consequently blocked.

Resolution

This issue is resolved in ESXi 8.0 Update 2b - Build 23305546.

ESXi 8.0 Update 2b - Build 23305546 Release Notes

  • PR 3308461: When MAC learning is not active, newly added ports on a vSphere Distributed Switch (VDS) might go into blocked state

    If MAC learning on a VDS is not active, when from the guest OS you change the MAC address of a virtual machine to a new proxy switch port, the newly added port might be in a blocked state due to a L2 violation error, even when the Mac address changes option is set to Accept. The issue occurs only when MAC learning on a VDS is not active.

    This issue is resolved in this release.



Workaround:
Use a virtual standard switch (vSS).

Additional Information

Impact/Risks:
It only impacts distributed portgroups created or modified after the upgrade to (or on a fresh install of) vCenter 8.0 prior to 8.0 Update 2b - Build 23305546, when MAC Learning is set to Disabled.
Powered by Wolken Software