Details
http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.networking.doc/GUID-74E2059A-CC5E-4B06-81B5-3881C80E46CE.html
Solution
Verify by using the vSphere Client to connect to the vCenter Server and as administrator-1. Go to ‘Home > Inventory > Hosts and clusters’.
2. Select each ESXi host with active virtual switches connected to active VM’s requiring
securing.
3. Go to tab ‘Configuration > Network > vSwitch(?) > Properties > Ports > vSwitch >
Default Policies > Security’
4. Set ‘Forged Transmits’ to ‘Reject’. Additionally, the following ESXi shell command may be used-# esxcli network vswitch standard policy security set -v vSwitch2 -f false
Impact-This will prevent VMs from changing their effective MAC address. This will affect
applications that require this functionality. An example of an application like this is
Microsoft Clustering, which requires systems to effectively share a MAC address. This will
also affect how a layer 2 bridge will operate. This will also affect applications that require a
specific MAC address for licensing. An exception should be made for the port groups that
these applications are connected to.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system VMware.