To prevent an untrusted virtual machine from changing its MAC address or sending packets on behalf of other virtual machines, the default security policy settings have changed for distributed virtual port groups on distributed virtual switches created with versions later than vSphere 5.0.
With the new settings, if the MAC address changes, the virtual machine driver is not notified of the new MAC address. This policy change can cause virtual applications and virtual machines that rely on the MAC address (or on a forged transmit) to fail if the MAC address is changed for a virtual machine NIC.
If this new default policy has caused ports to be blocked, edit the distributed virtual switch security policy manually for that distributed virtual port group, allowing MAC address change and forged transmit. Use the following table to see the changes in default settings.
| Default Setting | vSphere v5.0 and earlier | vSphere v5.1 and later |
| --- | --- | --- |
| Promiscuous Mode | Reject | Reject |
| MAC Address Changes | Accept | Reject |
| Forged Transmit | Accept | Reject |
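
The following VMware PowerCLI sketch is an added example, not part of the original page or VMware's own code. It reports the three security policy settings for every distributed virtual port group, lists the ones that differ from the vSphere 5.1 and later defaults, and then relaxes MAC address changes and forged transmit on a single port group. It assumes an existing `Connect-VIServer` session; the port group name `PG-Legacy-App` is a hypothetical placeholder.

```powershell
# Added example. Assumes VMware PowerCLI is installed and Connect-VIServer
# has already been run against the vCenter Server that owns the switches.
# In PowerCLI, $true corresponds to "Accept" and $false to "Reject".

# 1. Collect the security policy of every non-uplink distributed port group.
$report = Get-VDPortgroup | Where-Object { -not $_.IsUplink } | ForEach-Object {
    $policy = $_ | Get-VDSecurityPolicy
    [pscustomobject]@{
        Switch           = $_.VDSwitch.Name
        PortGroup        = $_.Name
        AllowPromiscuous = $policy.AllowPromiscuous
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
    }
}
$report | Sort-Object Switch, PortGroup | Format-Table -AutoSize

# 2. List port groups that differ from the vSphere 5.1+ defaults
#    (Reject / Reject / Reject), so every exception is visible and reviewable.
$report |
    Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } |
    Format-Table -AutoSize

# 3. Relax the policy on one named port group only, for workloads that rely
#    on MAC address changes or forged transmits. Promiscuous mode is untouched.
$portGroupName = 'PG-Legacy-App'   # hypothetical name; replace with your own
Get-VDPortgroup -Name $portGroupName |
    Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -MacChanges $true -ForgedTransmits $true

# 4. Confirm the result.
Get-VDPortgroup -Name $portGroupName | Get-VDSecurityPolicy |
    Select-Object AllowPromiscuous, MacChanges, ForgedTransmits
```

Scoping the change to one port group keeps the Reject defaults in force everywhere else, and rerunning step 2 later shows which exceptions still exist.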