Today I’m going to show you how to be alerted when a VM port is blocked by a security policy defined at the port group or vSwitch level.
If you are not aware of these settings so far, they prevent VM users (or attackers inside the guest) from changing the MAC address from the guest operating system.
There are three security policies you can specify:
- Promiscuous mode: allows virtual adapters connected to this dvPortgroup to see all frames passed on the host proxy switch that are allowed under the VLAN policy for the dvPortgroup.
- MAC address changes: allows virtual machines to receive frames with a MAC address that is different from the one configured in the VMX.
- Forged transmits: allows virtual machines to send frames with a MAC address that is different from the one specified in the VMX.
I suggest setting all three policies to Reject as a simple security precaution, unless you explicitly require one of them for a network-specific application, e.g. Microsoft NLB in unicast mode. I believe Reject has been the default since vSphere 5.1. If you do need a policy set to Accept, I suggest creating a dedicated port group only for such VMs.
Once a port is blocked, the event is logged in vmkernel.log on the ESXi host. The easiest way to be alerted when it happens is to create an alert in vRealize Log Insight, which is included in your vCenter license.
It is logged in the following format:
2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)etherswitch: L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 has policy vialations on port 0x900004c. Port is blocked
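If you want to process these lines yourself (for example on a syslog collector before they reach Log Insight), the following added example, which is not part of the original post, parses the vmkernel.log format quoted above, extracts the VM name, vNIC, port ID and host, and summarises blocked ports per VM. The sample log lines are constructed for the example: the first is the line quoted above, the other two are made up. The pattern also accepts the correctly spelled "violations", which is an assumption in case the message text differs between ESXi builds.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the L2Sec_EnforcePortCompliance "Port is blocked" line.
# ESXi writes "vialations" (sic); "vi[ao]lations" tolerates both spellings.
# VM names may contain dots, so the VM group is lazy and the vNIC anchors it.
PORT_BLOCKED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vmkernel:.*?"
    r"L2Sec_EnforcePortCompliance:\d+:\s+client\s+"
    r"(?P<vm>.+?)\.(?P<vnic>eth\d+)\s+has policy vi[ao]lations on port\s+"
    r"(?P<port>0x[0-9a-fA-F]+)\.\s+Port is blocked"
)


@dataclass
class PortBlockedEvent:
    timestamp: str
    host: str
    vm: str
    vnic: str
    port: str


def parse_line(line: str) -> Optional[PortBlockedEvent]:
    """Return a PortBlockedEvent for a matching vmkernel line, else None."""
    m = PORT_BLOCKED_RE.search(line)
    if not m:
        return None
    return PortBlockedEvent(m["ts"], m["host"], m["vm"], m["vnic"], m["port"])


def find_blocked_ports(lines: Iterable[str]) -> List[PortBlockedEvent]:
    """Filter a log stream down to the port-blocked events."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def blocked_ports_per_vm(events: Iterable[PortBlockedEvent]) -> Dict[str, int]:
    """Count how many times each VM tripped the security policy."""
    return dict(Counter(ev.vm for ev in events))


def format_alert(ev: PortBlockedEvent) -> str:
    """One-line alert text, e.g. for an email or ticket body."""
    return (f"{ev.timestamp} {ev.host}: vNIC {ev.vnic} of VM '{ev.vm}' "
            f"violated the vSwitch security policy; port {ev.port} blocked")


# Constructed sample input: line 1 is the message quoted in the post,
# line 2 is an unrelated made-up vmkernel message, line 3 is a made-up
# second violation for a VM whose name contains a dot.
SAMPLE_LOG = [
    "2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)"
    "etherswitch: L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 "
    "has policy vialations on port 0x900004c. Port is blocked",
    "2017-05-31T11:31:02.110Z esx.domain.local vmkernel: cpu3:2097152)"
    "constructed: unrelated message mentioning port 0x900004c",
    "2017-05-31T11:45:10.004Z esx02.domain.local vmkernel: cpu2:4446500)"
    "etherswitch: L2Sec_EnforcePortCompliance:257: client web01.prod.eth0 "
    "has policy vialations on port 0x9000051. Port is blocked",
]


if __name__ == "__main__":
    events = find_blocked_ports(SAMPLE_LOG)
    for ev in events:
        print(format_alert(ev))
    print(blocked_ports_per_vm(events))
```

Feeding real vmkernel.log lines (or the syslog-forwarded copies) through find_blocked_ports gives the same events the Log Insight query below will match, and the per-VM count is a quick way to spot a guest that keeps retrying MAC changes.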
To create an alert:
- Log in to Log Insight and navigate to Interactive Analytics.
- Define the query to:
- Click Create Alert from Query…
- Enter a name, an email address and the Raise an alert condition, then click Save.
You are done 🙂
Set up an alert for port blocked by vSwitch security policy, by Dusan Tekeljak, June 12, 2017