Switch network security policies

Virtual switches have network security policies that help protect virtual machines from impersonation and interception attacks. These policies are:

1. Promiscuous Mode – set to Reject by default to prevent guest operating systems from observing all traffic passing through a virtual switch. Set this mode to Accept only if you use a packet sniffer or intrusion detection system in the guest operating system.

2. MAC Address Changes – when set to Reject and the guest operating system attempts to change the MAC address assigned to the virtual NIC, the virtual machine will stop receiving traffic. Set to Accept by default.

3. Forged Transmits – affects traffic that is transmitted from a virtual machine. When set to Reject, the virtual NIC drops frames that the guest operating system sends if the source MAC address is different from the one assigned to the virtual NIC. Set to Accept by default.


Network security policies can be defined at the standard switch level or at the port group level. The policies defined at the port group level override the policies set at the standard switch level.
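The override rule can be checked offline against an exported configuration. The following is an added example, not part of the original page: it resolves the effective policy for each port group and reports every setting that ends up as Accept, along with the level it came from. The inventory is constructed sample data, and treating Accept as a finding (except promiscuous mode on an allow-listed monitoring port group) is this example's own baseline assumption.

```python
# Added example: resolve effective vSwitch security policy and audit it.
# Data layout, names and the "Accept is a finding" baseline are assumptions.

POLICIES = ("promiscuous", "mac_changes", "forged_transmits")


def effective_policy(switch_policy, portgroup_overrides):
    """Return {policy: (value, source)}; a port group value overrides the switch."""
    resolved = {}
    for name in POLICIES:
        override = portgroup_overrides.get(name)  # missing/None means inherit
        if override is not None:
            resolved[name] = (override, "portgroup")
        else:
            resolved[name] = (switch_policy[name], "switch")
    return resolved


def audit(inventory, promiscuous_allowed=()):
    """List (switch, portgroup, policy, source) for every effective Accept."""
    findings = []
    for switch in inventory:
        for pg_name, overrides in switch["portgroups"].items():
            resolved = effective_policy(switch["policy"], overrides)
            for name, (value, source) in resolved.items():
                if value != "Accept":
                    continue
                # Promiscuous mode is expected on sniffer/IDS port groups.
                if name == "promiscuous" and pg_name in promiscuous_allowed:
                    continue
                findings.append((switch["name"], pg_name, name, source))
    return findings


# Constructed inventory: the switch carries the default values listed above.
INVENTORY = [{
    "name": "vSwitch0",
    "policy": {"promiscuous": "Reject", "mac_changes": "Accept",
               "forged_transmits": "Accept"},
    "portgroups": {
        "VM Network": {},                      # inherits everything
        "IDS-Monitor": {"promiscuous": "Accept", "mac_changes": "Reject",
                        "forged_transmits": "Reject"},
        "DMZ": {"mac_changes": "Reject"},      # partial override
    },
}]

if __name__ == "__main__":
    for sw, pg, policy, source in audit(INVENTORY, {"IDS-Monitor"}):
        print(f"{sw}/{pg}: {policy}=Accept (set at {source} level)")
```

The DMZ port group shows why resolution matters: overriding one policy still leaves Forged Transmits inherited from the switch.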


To set the security policies using the vSphere Web Client, go to the host’s Manage > Networking tab. Choose the virtual switch you would like to modify and select the Edit settings icon:

[Screenshot: edit virtual switch]

Select the Security menu and specify the settings:

[Screenshot: edit virtual switch security]

Geek University 2021