[vSRX] Security Policy of Interfaces in VMWare Switches/Port-Groups

Article ID: KB36396 | KB Last Updated: 29 Dec 2020 | Version: 1.0
Summary:

This article summarizes the security policy settings (Promiscuous mode, MAC Address Changes and Forged Transmits) that need to be configured on the VMWare port group or ports so that vSRX2.0 or vSRX3.0 interfaces are able to send and receive packets.

Solution:

The VMWare security policy on port groups and ports includes the following options:

  1. MAC address changes 
  2. Promiscuous mode
  3. Forged transmits

Before getting into the meaning of each security policy setting, it is important to understand two terms: "Effective MAC Address" and "Initial MAC Address". The Initial MAC address is assigned when the adapter is created. The Effective MAC address is configured within the VM by the guest operating system (OS). Typically, the guest OS uses the Initial MAC address, much like your PC uses the burned-in address (BIA) of its NIC by default.

  1. MAC Address Changes: This option affects traffic that a virtual machine receives. When the MAC Address Changes option is set to Accept, ESXi accepts requests to change the Effective MAC address to an address different from the Initial MAC address. When set to "Reject," the vSwitch will disable the port if it sees that the guest OS is trying to change the Effective MAC address to something other than the Initial MAC address.

  2. Forged transmits: This option affects traffic that is transmitted from a virtual machine. When the Forged transmits option is set to Accept, ESXi does not compare source and effective MAC addresses. If the policy is set to “Reject,” the port will interrogate all the traffic that is generated by the VM. The policy will check to see if the source MAC address field has been tampered with. As long as the source MAC field is the same as the Effective MAC address, the frame is allowed by the port. However, if it finds a non-matching MAC address, the frame is dropped.

  3. Promiscuous mode: This option allows the guest operating system to receive all traffic observed on the wire. By setting it to Accept, we are ordering the vSwitch to share traffic on each VLAN among the other VMs on the same VLAN. Note that promiscuous mode does not allow a VM to see traffic on VLANs that are not specified by the port group. It can still only see traffic for the VLAN(s) to which it belongs.
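The three settings above interact, and the interaction is easiest to see when a guest actually changes its MAC (a vSRX reth interface does exactly that: it brings up a virtual MAC that differs from the vNIC's Initial MAC). The following Python model is an added example, not code from the article or from Juniper or VMware; the MAC addresses, VLAN ids and the "port disabled"/"dropped" outcome strings are constructed for illustration, and it applies the rules exactly as the article states them: a rejected MAC change disables the port, a forged transmit is judged against the Effective (not Initial) MAC, and promiscuous delivery never crosses VLANs.

```python
# Added example (not from the KB article): a small Python model of how the three
# vSwitch security settings act on a VM's port, using the article's terms
# "Initial MAC" and "Effective MAC". MAC addresses and VLAN ids are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def norm(mac: str) -> str:
    """Canonical lower-case, colon-separated form so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class SecurityPolicy:
    """True means Accept, False means Reject. Defaults are the ESXi defaults
    named in the article: Promiscuous Reject, MAC Changes Accept, Forged Transmits Accept."""
    promiscuous: bool = False
    mac_changes: bool = True
    forged_transmits: bool = True


@dataclass
class VmPort:
    initial_mac: str                      # assigned when the vNIC is created
    vlan: int                             # VLAN of the port group this port belongs to
    policy: SecurityPolicy
    effective_mac: Optional[str] = None   # set by the guest OS; starts equal to the Initial MAC
    disabled: bool = False

    def __post_init__(self) -> None:
        self.initial_mac = norm(self.initial_mac)
        self.effective_mac = self.initial_mac if self.effective_mac is None else norm(self.effective_mac)


def guest_sets_mac(port: VmPort, new_mac: str) -> str:
    """The guest OS reconfigures its NIC; 'MAC Address Changes' decides what ESXi does."""
    new_mac = norm(new_mac)
    if new_mac == port.initial_mac or port.policy.mac_changes:
        port.effective_mac = new_mac
        return "accepted"
    # Reject: the vSwitch disables the port rather than honouring the change
    port.disabled = True
    return "port disabled"


def transmit(port: VmPort, src_mac: str) -> str:
    """A frame leaves the VM; 'Forged Transmits' compares its source MAC with the Effective MAC."""
    if port.disabled:
        return "dropped (port disabled)"
    if port.policy.forged_transmits or norm(src_mac) == port.effective_mac:
        return "forwarded"
    return "dropped (forged source MAC)"


def receive(port: VmPort, dst_mac: str, frame_vlan: int) -> str:
    """A frame is seen on the wire; 'Promiscuous mode' widens delivery but never beyond the port's VLAN."""
    if port.disabled:
        return "not delivered (port disabled)"
    if frame_vlan != port.vlan:
        return "not delivered (other VLAN)"
    dst = norm(dst_mac)
    if dst == port.effective_mac or dst == BROADCAST or port.policy.promiscuous:
        return "delivered"
    return "not delivered (not addressed to this port)"


def reth_walkthrough(policy: SecurityPolicy) -> List[Tuple[str, str]]:
    """A reth interface brings up a virtual MAC that differs from the vNIC's Initial MAC
    (constructed values). Returns (step, outcome) for each step under the given policy."""
    port = VmPort("00:50:56:aa:bb:01", 100, policy)
    return [
        ("guest sets reth virtual MAC", guest_sets_mac(port, "00:10:db:ff:10:01")),
        ("transmit with reth MAC", transmit(port, "00:10:db:ff:10:01")),
        ("transmit with initial MAC", transmit(port, "00:50:56:aa:bb:01")),
        ("receive frame to reth MAC", receive(port, "00:10:db:ff:10:01", 100)),
        ("receive frame to a third MAC, same VLAN", receive(port, "00:10:db:ff:10:02", 100)),
        ("receive frame to reth MAC, other VLAN", receive(port, "00:10:db:ff:10:01", 200)),
    ]


if __name__ == "__main__":
    for name, pol in [("ESXi defaults", SecurityPolicy()),
                      ("all Reject", SecurityPolicy(False, False, False)),
                      ("all Accept", SecurityPolicy(True, True, True))]:
        print(f"== {name}")
        for step, outcome in reth_walkthrough(pol):
            print(f"  {step:42s} -> {outcome}")
```

Two outcomes are worth noticing when you run it: with MAC Address Changes set to Reject the very first step disables the port, so every later frame in both directions is lost, not just the offending one; and with MAC Address Changes Accept but Forged Transmits Reject, a frame sourced from the original Initial MAC is now the one that gets dropped, because the comparison is against the Effective MAC the guest just configured.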

The default settings in VMWare ESXi for interfaces are Promiscuous - Reject, Forged Transmits - Accept, and MAC Address Changes - Accept.

The mandatory vSwitch port requirements for vSRX2.0 and vSRX3.0 are listed in the tables below. A "-" can be left at the system default (recommended) or configured as needed.

vSRX2.0:

  Port                      MTU     Promiscuous   MAC Address Changes   Forged Transmits
  Regular port (ge)         -       -             -                     -
  Reth port                 -       -             Accept                Accept
  Mgt (fxp0) port           -       Accept        Accept                -
  Control Link (em0) port   1500+   Accept        -                     Accept
  Fabric Link port          9000    -             Accept                Accept

vSRX3.0:

  Port                      MTU     Promiscuous   MAC Address Changes   Forged Transmits
  Regular port (ge)         -       -             -                     -
  Reth port                 -       -             Accept                Accept
  Mgt (fxp0) port           -       -             -                     -
  Control Link (em0) port   1500+   -             -                     -
  Fabric Link port          9000    -             Accept                Accept

Note: Promiscuous mode on a vSRX interface is only supported if it is enabled on the hypervisor for that interface.

The fabric link uses jumbo frames, hence the MTU must be 9000. For further details, refer to the vSRX Deployment Guide for VMware.

Junos OS Release 18.4R1 supports a new software architecture, vSRX 3.0, that removes the dual-OS and nested-virtualization requirements of the existing vSRX architecture. This architecture has the added advantage that enabling Promiscuous mode is no longer a mandatory requirement.
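Because the two tables differ only in a few cells, it is easy to carry a vSRX2.0 port-group configuration over to a vSRX3.0 deployment (leaving Promiscuous mode Accept where it is no longer needed) or to harden a port group past what a reth interface tolerates. The script below is an added example, not code from the article or from Juniper or VMware: it encodes the two tables above and audits observed port-group settings against them. Port-group names, role assignments and observed values are constructed; "-" is modelled as "no requirement", and a standard vSwitch MTU of 1500 is assumed as the default alongside the three security defaults the article names.

```python
# Added example (not from the KB article): encode the two requirement tables and audit
# observed port-group settings against them. Port-group names, observed values and role
# assignments are constructed; "-" in the tables is modelled as "no requirement".
from typing import Dict, List, Tuple

# ESXi defaults: Promiscuous Reject, Forged Transmits Accept, MAC Address Changes Accept
# (from the article); a standard vSwitch MTU of 1500 is assumed.
ESXI_DEFAULTS = {"promiscuous": False, "mac_changes": True, "forged_transmits": True, "mtu": 1500}

# Accept = True. MTU: ("min", n) for "n+" in the table, ("exact", n) for a fixed value.
REQUIREMENTS: Dict[str, Dict[str, dict]] = {
    "vSRX2.0": {
        "regular (ge)":       {},
        "reth":               {"mac_changes": True, "forged_transmits": True},
        "mgt (fxp0)":         {"promiscuous": True, "mac_changes": True},
        "control link (em0)": {"mtu": ("min", 1500), "promiscuous": True, "forged_transmits": True},
        "fabric link":        {"mtu": ("exact", 9000), "mac_changes": True, "forged_transmits": True},
    },
    "vSRX3.0": {
        "regular (ge)":       {},
        "reth":               {"mac_changes": True, "forged_transmits": True},
        "mgt (fxp0)":         {},
        "control link (em0)": {"mtu": ("min", 1500)},
        "fabric link":        {"mtu": ("exact", 9000), "mac_changes": True, "forged_transmits": True},
    },
}

SETTINGS = ("promiscuous", "mac_changes", "forged_transmits")

Finding = Tuple[str, str]  # (severity, message)


def audit(version: str, role: str, observed: dict) -> List[Finding]:
    """Compare one port group's observed settings with the table row for (version, role).
    Observed keys that are absent are taken to be at the ESXi default."""
    req = REQUIREMENTS[version][role]
    obs = {**ESXI_DEFAULTS, **observed}
    findings: List[Finding] = []
    for key in SETTINGS:
        if req.get(key) and not obs[key]:
            findings.append(("error", f"{key} is Reject; {version} {role} port requires Accept"))
        elif not req.get(key) and obs[key] and not ESXI_DEFAULTS[key]:
            # Not required by the table, yet more permissive than the default the article recommends keeping
            findings.append(("advisory", f"{key} is Accept but not required for {version} {role} port"))
    if "mtu" in req:
        op, value = req["mtu"]
        if op == "min" and obs["mtu"] < value:
            findings.append(("error", f"MTU {obs['mtu']} is below the required minimum of {value}"))
        if op == "exact" and obs["mtu"] != value:
            findings.append(("error", f"MTU {obs['mtu']} but {value} is required (jumbo frames)"))
    return findings


def audit_portgroups(version: str, portgroups: Dict[str, Tuple[str, dict]]) -> Dict[str, List[Finding]]:
    """Audit an inventory of port groups (name -> (role, observed settings));
    only non-compliant port groups appear in the result."""
    result: Dict[str, List[Finding]] = {}
    for name, (role, observed) in portgroups.items():
        findings = audit(version, role, observed)
        if findings:
            result[name] = findings
    return result


# Constructed inventory for a two-node vSRX chassis cluster on standard vSwitches.
SAMPLE_INVENTORY: Dict[str, Tuple[str, dict]] = {
    "pg-mgmt":    ("mgt (fxp0)",         {"promiscuous": True}),    # left over from a vSRX2.0 build
    "pg-control": ("control link (em0)", {"mtu": 1500}),
    "pg-fabric":  ("fabric link",        {"mtu": 1500}),            # jumbo frames never enabled
    "pg-reth0":   ("reth",               {"mac_changes": False}),   # hardened too far for a reth
    "pg-ge":      ("regular (ge)",       {}),
}

if __name__ == "__main__":
    for version in REQUIREMENTS:
        print(f"== {version}")
        for pg, findings in audit_portgroups(version, SAMPLE_INVENTORY).items():
            for severity, msg in findings:
                print(f"  {pg:12s} [{severity}] {msg}")
```

Feed `audit_portgroups` with values read from your own hosts (for example from PowerCLI or the ESXi shell) and the same inventory reports different things per architecture: under vSRX2.0 the control-link port group fails for lacking Promiscuous Accept, while under vSRX3.0 that row passes and the management port group instead gets an advisory for keeping Promiscuous Accept it no longer needs. The fabric MTU and the over-hardened reth port group fail under both.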
