Virtual machine network connectivity fails with the error: Peer not allowed to change address, blocking port

Article ID: 344495

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • Virtual machines intermittently experience a loss of network connectivity.
  • The VMkernel log contains errors similar to:

    cpuN:cccc)etherswitch: L2Sec_EnforcePortCompliance: 0x100000f: peer not allowed to change address, blocking port

  • You may also get errors:

    cpuN:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> requested mac address change to <mac> on port 0xN nnnnnnn, disallowed by vswitch policy
    cpuN:cccc)etherswitch: L2Sec_EnforcePortCompliance: client <vmname> has policy violations on port 0xnnnnnnn. Port is blocked



Environment

VMware vSphere ESXi 7.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.7.x
VMware vSphere ESXi 6.7.x
VMware vSphere ESXi 8.0.x
VMware vCenter Server 8.0.x

Resolution

These errors are generated when a virtual machine tries to change its MAC address while the virtual switch security option MAC Address Changes is set to Reject. The attempt to change a MAC address is considered a Layer 2 security violation. This violation causes the virtual switch port to go into a blocked state, in which it cannot send or receive traffic.

If software running in the virtual machine should not be attempting to change the MAC address of a virtual network interface, investigate the guest operating system and other software within the virtual machine.
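For that investigation, the VMkernel messages listed under Symptoms can be correlated by port ID to show which virtual machine requested which MAC address and whether its port ended up blocked. The following Python is an added example, not VMware code; the sample log lines, function names and the locally-administered-address check are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample following the message templates quoted in this article;
# timestamps, VM names, MAC addresses and port IDs are made up.
SAMPLE_LOG = """\
2024-05-01T10:15:02.113Z cpu4:2098123)etherswitch: L2Sec_EnforcePortCompliance: client web01 requested mac address change to 00:50:56:aa:bb:01 on port 0x2000004, disallowed by vswitch policy
2024-05-01T10:15:02.113Z cpu4:2098123)etherswitch: L2Sec_EnforcePortCompliance: client web01 has policy violations on port 0x2000004. Port is blocked
2024-05-01T10:15:02.114Z cpu4:2098123)etherswitch: L2Sec_EnforcePortCompliance: 0x2000004: peer not allowed to change address, blocking port
2024-05-01T11:02:40.551Z cpu9:2101377)etherswitch: L2Sec_EnforcePortCompliance: client lb-node-2 requested mac address change to 02:00:5e:00:01:0a on port 0x2000007, disallowed by vswitch policy
2024-05-01T11:02:40.552Z cpu9:2101377)vmxnet3: unrelated line
"""

TAG = r"etherswitch: L2Sec_EnforcePortCompliance: "
PORT = r"(?P<port>0x[0-9A-Fa-f]+)"
MAC_CHANGE = re.compile(TAG + r"client (?P<vm>.+?) requested mac address change to "
                        r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) on port " + PORT)
VIOLATION = re.compile(TAG + r"client (?P<vm>.+?) has policy violations on port "
                       + PORT + r"\. Port is blocked")
PEER_BLOCK = re.compile(TAG + PORT + r": peer not allowed to change address, blocking port")


def summarize(log_text):
    """Correlate the three L2Sec messages by vSwitch port ID."""
    ports = defaultdict(lambda: {"vm": None, "macs": [], "blocked": False})
    for line in log_text.splitlines():
        m = MAC_CHANGE.search(line)
        if m:
            entry = ports[m["port"].lower()]
            entry["vm"] = m["vm"]
            mac = m["mac"].lower()
            if mac not in entry["macs"]:
                entry["macs"].append(mac)
            continue
        m = VIOLATION.search(line) or PEER_BLOCK.search(line)
        if m:
            entry = ports[m["port"].lower()]
            entry["blocked"] = True
            # The "peer not allowed" message carries no VM name; keep any seen earlier.
            entry["vm"] = entry["vm"] or m.groupdict().get("vm")
    return dict(ports)


def locally_administered(mac):
    """True if the U/L bit is set, i.e. the address is not vendor-assigned."""
    return bool(int(mac[:2], 16) & 0x02)


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        flags = [f"{mac} (local={locally_administered(mac)})" for mac in info["macs"]]
        print(port, info["vm"], "BLOCKED" if info["blocked"] else "not blocked", flags)
```

A requested address that differs from the one assigned in the virtual machine's configuration, especially a locally administered one, tells you which guest software to examine before deciding whether the change is legitimate.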

If MAC address changes are legitimate or desired in an environment, set the MAC Address Changes security policy on the virtual switch and portgroup to Accept.

To set the MAC address change option to Accept:

  1. Log in to the ESX host or vCenter Server using the vSphere Client.
  2. Select the ESX host and click the Configuration tab.
  3. Click Properties next to the virtual switch or portgroup.
  4. Select the virtual switch or portgroup and click Edit.
  5. Click the Security tab.
  6. From the dropdown for MAC Address Changes, choose Accept.

For vNetwork Distributed Switches, see vNetwork Distributed PortGroup (dvPortGroup) configuration (1010593).


Additional Information