Configuring L2 port security settings on an NSX backed port such as promiscuous mode

Article ID: 394260

Updated On: 04-14-2025

Products

VMware NSX

Issue/Introduction

NSX-T networks do not offer an option under their security profiles for configuring settings such as promiscuous mode.

Environment

2.x
3.x
4.x

Cause

NSX-T favors the use of segment profiles for applying L2 security settings. These profiles omit some settings, such as promiscuous mode, in favor of newer technologies such as MAC learning.

Resolution

Segment profiles such as MAC Discovery profiles are the preferred method for a persistent setting on NSX backed networks; refer to NSX-T - Segment Profiles for additional information.

Workaround:

On a static virtual machine port, nsxdp-cli can apply a non-persistent configuration, for testing purposes, of settings such as:

    • Promiscuous Mode
    • MAC Address Changes
    • Forged Transmits

  1. Via an SSH session to the ESXi host, use the following command to identify the DVSPort ID of the VM's vNIC:

    nsxcli -c get ports

    PortNum     Switch                Client                          DVSPort                         MAC                   Uplink
    ==================================================================================================================================
    00000001    DvsPortset-0          TestVM1.eth0  ########-####-####-####-############  00:00:00:00:00:00     vmnic#
    00000002    DvsPortset-0          TestVM2.eth0  ########-####-####-####-############  00:00:00:00:00:00     vmnic#
    00000003    DvsPortset-1          TestVM3.eth0  ########-####-####-####-############  00:00:00:00:00:00     vmnic#

  2. Run the following command to check the current port settings:

    nsxdp-cli vswitch l2sec get --dvport ########-####-####-####-############ -dvs <DVS_NAME>

    Replace the dvport and dvs values with your own environment's data. Example output on a port with the default settings:

    deny promiscuous
    deny mac change
    deny forged frames

  3. Run the following command to modify the port with the desired settings. Remove any of the trailing flags (--mac-change, --forge-src, --promisc) that you do not wish to apply:

    nsxdp-cli vswitch l2sec set --dvport ########-####-####-####-############ -dvs <DVS_NAME> --mac-change --forge-src --promisc

  4. Check the port settings once more using the command from step 2 to confirm the settings have changed as desired.

    nsxdp-cli vswitch l2sec get --dvport ########-####-####-####-############ -dvs <DVS_NAME>

    allow promiscuous
    allow mac change
    allow forged frames

NOTE: This is a non-persistent change: if the VM reboots or is vMotioned, the settings revert to their defaults.
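The following POSIX shell helpers are an added example for the four-step workaround above; they are not part of this article or of nsxdp-cli. They assume the `nsxcli -c get ports` table and the `l2sec get` output look exactly as shown in steps 1 and 2, and they assemble the step 3 command with only the flags you ask for instead of hand-editing it. The UUIDs, MAC addresses and DVS name in the sample data are constructed placeholders. The audit function is the useful part after testing: run it against the `l2sec get` output of a port to list every L2 setting that is still allowed, so a test-only relaxation does not linger until the next reboot or vMotion.

```shell
#!/bin/sh
# Added example (not from the KB article). Constructed sample of "nsxcli -c get ports";
# UUIDs, MACs and VM names are placeholders in the same column layout the article shows.
SAMPLE_PORTS='PortNum     Switch                Client                          DVSPort                         MAC                   Uplink
==================================================================================================================================
00000001    DvsPortset-0          TestVM1.eth0  11111111-1111-1111-1111-111111111111  00:50:56:aa:bb:01     vmnic0
00000002    DvsPortset-0          TestVM2.eth0  22222222-2222-2222-2222-222222222222  00:50:56:aa:bb:02     vmnic0
00000003    DvsPortset-1          TestVM3.eth0  33333333-3333-3333-3333-333333333333  00:50:56:aa:bb:03     vmnic1'

# dvport_for_client CLIENT [PORTS_TEXT]
# Print the DVSPort UUID for one vNIC (e.g. TestVM2.eth0). Defaults to the sample
# above; on a host pass the live table: dvport_for_client TestVM2.eth0 "$(nsxcli -c get ports)".
# Matches the Client column exactly, so TestVM1.eth0 does not also match TestVM10.eth0.
dvport_for_client() {
    client=$1
    text=${2:-$SAMPLE_PORTS}
    printf '%s\n' "$text" | awk -v c="$client" '$3 == c { print $4; exit }'
}

# build_l2sec_set DVPORT DVS [promisc] [mac-change] [forge-src]...
# Print the step 3 command with only the requested flags appended (the "-dvs" spelling
# is kept as the article writes it). Rejects anything that is not one of the three flags.
build_l2sec_set() {
    dvport=$1
    dvs=$2
    shift 2
    cmd="nsxdp-cli vswitch l2sec set --dvport $dvport -dvs $dvs"
    for opt in "$@"; do
        case $opt in
            promisc|mac-change|forge-src) cmd="$cmd --$opt" ;;
            *) printf 'unknown l2sec option: %s\n' "$opt" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# audit_l2sec GET_OUTPUT
# Given the text printed by "nsxdp-cli vswitch l2sec get ...", print each setting that is
# currently allowed, one per line. Exit status 0 when all three are denied (the defaults),
# 1 when anything is allowed, so it can gate a post-test cleanup script.
audit_l2sec() {
    printf '%s\n' "$1" | awk '$1 == "allow" { print; found = 1 } END { exit found ? 1 : 0 }'
}

# Stand-alone demonstration on the constructed data (no host access needed).
port=$(dvport_for_client TestVM2.eth0)
build_l2sec_set "$port" EXAMPLE-DVS promisc
if audit_l2sec "$(printf 'allow promiscuous\ndeny mac change\ndeny forged frames')"; then
    echo "port is at defaults"
else
    echo "port still has relaxed L2 settings (see above)"
fi
```

On an ESXi host the same functions work with the live outputs: capture `nsxdp-cli vswitch l2sec get --dvport "$port" -dvs <DVS_NAME>` into a variable and hand it to `audit_l2sec` once testing is finished, so that the "allow" lines from step 4 are noticed and reverted rather than left in place.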