Creating an uplink distributed port group using the VIM API must allow forged transmits
Article ID: 343867
Products: VMware vCenter Server, VMware vSphere ESXi
Issue/Introduction
Background
Beginning with vSphere 5.1, the default port setting for distributed virtual switches disallows forged transmits. This change has been implemented to provide greater security with the default settings.
Note: The information in this article only applies to uplinks on distributed port groups that are created using the VIM API.
Symptom
When the VIM API is used to create an uplink distributed port group on a distributed virtual switch and forged transmits are not allowed, the uplinks drop received packets whose destination addresses do not match the MAC addresses of the uplinks. Packets that arrive at an uplink from outside the ESXi host do not carry MAC addresses that match the MAC address known to the uplink, so ESXi drops them and port clients fail to connect to anything outside the ESXi host.
Do not disable forged transmits in the security policy of a distributed virtual switch port group. If they have been disabled, use Vim::Dvs::VmwareDistributedVirtualSwitch::VmwarePortConfigPolicy to enable or re-enable forged transmits on the distributed switch port group.
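As an added example, not part of this article or VMware's own code, the following Python audit walks distributed port group configurations and flags the condition described above: an uplink port group whose default port security policy does not allow forged transmits. It reads the same VIM attributes the article names (DVPortgroupConfigInfo.uplink and defaultPortConfig.securityPolicy.forgedTransmits, a BoolPolicy), using attribute access only, so it can be pointed at live pyVmomi DistributedVirtualPortgroup.config objects or at the constructed sample inventory embedded below. The assumption that an inherited policy resolves to "disallowed" follows from the vSphere 5.1+ default stated in the Background section.

```python
from types import SimpleNamespace as NS

# Assumption taken from the article: with vSphere 5.1+ defaults, a port group
# whose forgedTransmits policy is inherited from the switch ends up disallowed.
SWITCH_DEFAULT_FORGED_TRANSMITS = False


def effective_forged_transmits(config):
    """Resolve the forgedTransmits BoolPolicy on a port group's defaultPortConfig.

    A missing security policy, an inherited policy, or a policy with no value
    all fall back to the switch-level default."""
    sec = getattr(config.defaultPortConfig, "securityPolicy", None)
    if sec is None or getattr(sec, "forgedTransmits", None) is None:
        return SWITCH_DEFAULT_FORGED_TRANSMITS
    policy = sec.forgedTransmits
    if getattr(policy, "inherited", False) or policy.value is None:
        return SWITCH_DEFAULT_FORGED_TRANSMITS
    return bool(policy.value)


def find_broken_uplink_portgroups(configs):
    """Names of uplink port groups whose uplinks will drop inbound frames
    because forged transmits are not allowed. Non-uplink groups are skipped."""
    return [c.name for c in configs
            if getattr(c, "uplink", False) and not effective_forged_transmits(c)]


# Helpers that mimic the VIM object shapes (hypothetical, for the sample only).
def bool_policy(value, inherited=False):
    return NS(value=value, inherited=inherited)


def portgroup(name, uplink, forged_policy):
    sec = None if forged_policy is None else NS(forgedTransmits=forged_policy)
    return NS(name=name, uplink=uplink, defaultPortConfig=NS(securityPolicy=sec))


# Constructed sample inventory; names and values are made up for illustration.
SAMPLE_INVENTORY = [
    portgroup("dvs-uplinks-api", True, bool_policy(False)),          # explicitly disallowed
    portgroup("dvs-uplinks-inherit", True, bool_policy(None, True)),  # inherits the switch default
    portgroup("dvs-uplinks-ok", True, bool_policy(True)),             # allowed, as required
    portgroup("vm-network", False, bool_policy(False)),               # VM port group, not affected
]

if __name__ == "__main__":
    for name in find_broken_uplink_portgroups(SAMPLE_INVENTORY):
        print(f"uplink port group '{name}' does not allow forged transmits")
```

On a live vCenter the same functions accept the `config` property of each pyVmomi `vim.dvs.DistributedVirtualPortgroup` object in place of the sample list.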
Additional Information
Note: In vSphere 6.7, Forged Transmits cannot be set to False on uplink port groups by default.