In the previous post of this series, we walked through the fairly simple steps for creating a standard switch. In this post, we'll see which policies can be applied to a standard switch to protect the virtual environment against unwanted scanning. If you missed the previous posts of this series, you can follow:
Policies that are set at the standard switch level apply to all port groups on the standard switch by default.
The following network policies are available on a standard switch:
- Security
- Traffic Shaping
- NIC Teaming and Failover
1. Security: The networking security policy provides protection against MAC address impersonation and unwanted scanning.
2. Traffic Shaping: Traffic shaping is useful when you want to limit the amount of traffic to a VM or a group of VMs. It can be used either to protect a VM or to protect traffic in an oversubscribed network.
3. NIC Teaming and Failover: The Teaming and Failover policy determines how the network traffic of VMs and VMkernel adapters connected to the vSwitch is distributed between physical adapters, and how the traffic is rerouted if an adapter fails.
These policies are defined for the entire standard switch and can also be defined for an individual VMkernel port or VM port group. When a policy is defined for an individual port or port group, the policy at that level overrides the default policy defined for the standard switch.
Configuring Security Policies
Security policies can be applied at both the standard switch level and the port group level. The policies are:
- Promiscuous Mode: It allows a VM or port group to see all traffic passing through the switch regardless of its destination. By default, it is Reject.
- MAC Address Changes: When set to Reject, a guest that attempts to change its MAC address will no longer receive any frames on that vNIC. By default, it is Accept.
- Forged Transmits: When set to Accept, the host does not compare the source MAC address in frames transmitted by a virtual machine with the effective MAC address of its vNIC. By default, it's
In general, these policies give the option of disallowing certain behaviors that might compromise security. For example, a hacker might use a promiscuous mode device to capture network traffic for unscrupulous activities.
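To make the override rule and the three security policies concrete, here is an added Python audit (my own example, not code from the post or from VMware) that computes each port group's effective policy, honouring port-group overrides over switch-level settings, and flags anything looser than a hardened baseline. The switch and port-group data are constructed sample input, and the Reject-for-all-three baseline is an assumption that real environments (e.g. a port group feeding an IDS sensor) may deliberately relax.

```python
"""Audit vSphere standard switch security policies (constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICIES = ("PromiscuousMode", "MACAddressChanges", "ForgedTransmits")
VALID = {"Accept", "Reject"}
# Assumed hardening baseline: Reject everything unless a workload needs it.
BASELINE = {p: "Reject" for p in POLICIES}


@dataclass
class PortGroup:
    name: str
    # None (or a missing key) means "inherit from the switch", as in the vSphere UI.
    overrides: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class StandardSwitch:
    name: str
    policy: Dict[str, str]
    port_groups: List[PortGroup] = field(default_factory=list)


def effective_policy(switch: StandardSwitch, pg: PortGroup) -> Dict[str, str]:
    """Port-group override wins; otherwise the switch-level setting applies."""
    eff = {}
    for p in POLICIES:
        value = pg.overrides.get(p)
        eff[p] = switch.policy[p] if value is None else value
        if eff[p] not in VALID:
            raise ValueError(f"{switch.name}/{pg.name}: bad value {eff[p]!r} for {p}")
    return eff


def audit(switch: StandardSwitch, baseline: Dict[str, str] = BASELINE) -> List[str]:
    """List every effective setting looser than the baseline, noting where it came from."""
    findings = []
    for pg in switch.port_groups:
        eff = effective_policy(switch, pg)
        for p in POLICIES:
            if eff[p] != baseline[p]:
                source = "override" if pg.overrides.get(p) is not None else "inherited"
                findings.append(f"{switch.name}/{pg.name}: {p}={eff[p]} ({source})")
    return findings


def sample_switch() -> StandardSwitch:
    """Constructed example: switch rejects promiscuous mode but accepts the other two."""
    sw = StandardSwitch("vSwitch0", {"PromiscuousMode": "Reject",
                                     "MACAddressChanges": "Accept",
                                     "ForgedTransmits": "Accept"})
    sw.port_groups = [PortGroup("VM Network"),                                   # inherits all
                      PortGroup("IDS Sensors", {"PromiscuousMode": "Accept"}),   # sniffing port group
                      PortGroup("Hardened", {"MACAddressChanges": "Reject",
                                             "ForgedTransmits": "Reject"})]
    return sw


if __name__ == "__main__":
    print("\n".join(audit(sample_switch())) or "no findings")
```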
I hope you enjoyed reading this post, and if you feel it should be shared on social media, you can. Be friendly and sociable…