Set up an alert for port blocked by vSwitch security policy


Today I’m going to show you how to be alerted when a VM port is blocked by the security policy defined at the portgroup or vSwitch level.

If you are not aware of them so far, these settings prevent VM users (or attackers) from changing the MAC address from within the guest operating system.

There are three security policies which you can specify:

Promiscuous mode: Allows virtual adapters connected to this dvPortgroup to see all frames passed on the host proxy switch that are allowed under the VLAN policy for the dvPortgroup.

MAC address changes: Allows virtual machines to receive frames with a MAC address that is different from the one configured in the VMX.

Forged transmits: Allows virtual machines to send frames with a MAC address that is different from the one specified in the VMX.


I suggest setting all three policies to Reject as a simple security precaution, unless you explicitly require one of them for a network-specific application, e.g. Microsoft NLB in unicast mode. I believe Reject has been the default since vSphere 5.1. If you do need a policy set to Accept, I suggest creating a dedicated portgroup only for such VMs.

Once a port is blocked, it is logged in the vmkernel.log of the ESXi host. The easiest way to be alerted when this happens is to create an alert in vRealize Log Insight, which is included in your vCenter license.

It is logged in the following format:

2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)etherswitch: L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 has policy vialations on port 0x900004c. Port is blocked

To create an alert:

  1. Log in to Log Insight and navigate to Interactive Analytics.
  2. Define the query as:
    1. Match all of the following filters
    2. vmw_esxi_vmk_component contains etherswitch
    3. text contains port is blocked
    (screenshot: create etherswitch alert query)
  3. Click Create Alert from Query…
  4. Type a name, an email address and the Raise an alert condition, then Save.
    (screenshot: define alert parameters)
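As an added example (my own code, not from this post and not part of Log Insight or ESXi), the following Python implements the same two-filter match as the query above over the vmkernel.log format quoted earlier, and pulls out the VM name, vNIC and port ID from a matching line. This is useful when you want to test the filter offline or reuse it in another log pipeline. The regex field names, the helper function names and the two non-matching sample lines are my own construction; only the first sample line is the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog-style vmkernel line: timestamp, host, "vmkernel:", "cpuN:PID)", then the
# vmkernel component (e.g. "etherswitch") followed by ":" and the message text.
# Field names are my own; they mirror the Log Insight fields used in the query.
VMK_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+vmkernel:\s+cpu\d+:\d+\)"
    r"(?P<component>[^:]+):\s*(?P<text>.*)$"
)

# Detail inside the etherswitch message: which VM/vNIC and which port got blocked.
# "policy \S+" tolerates the misspelled "vialations" that ESXi actually logs.
BLOCKED = re.compile(
    r"client\s+(?P<vm>\S+?)\.(?P<vnic>eth\d+)\s+has policy \S+ on port\s+"
    r"(?P<port>0x[0-9a-fA-F]+)\.\s*Port is blocked",
    re.IGNORECASE,
)


@dataclass
class PortBlockedEvent:
    timestamp: str
    host: str
    vm: str
    vnic: str
    port: str


def parse_vmkernel(line: str) -> Optional[dict]:
    """Split a vmkernel.log line into ts/host/component/text, or None if it does not fit."""
    m = VMK_LINE.match(line)
    return m.groupdict() if m else None


def matches_alert_query(fields: dict) -> bool:
    """The two Log Insight filters: component contains 'etherswitch' AND
    text contains 'port is blocked' (Log Insight matches case-insensitively)."""
    return ("etherswitch" in fields["component"].lower()
            and "port is blocked" in fields["text"].lower())


def detect(line: str) -> Optional[PortBlockedEvent]:
    """Return a PortBlockedEvent for a line that would trigger the alert, else None."""
    fields = parse_vmkernel(line)
    if not fields or not matches_alert_query(fields):
        return None
    d = BLOCKED.search(fields["text"])
    if not d:
        # The query matched but the detail format differs; still alert, with unknowns.
        return PortBlockedEvent(fields["ts"], fields["host"], "?", "?", "?")
    return PortBlockedEvent(fields["ts"], fields["host"], d["vm"], d["vnic"], d["port"])


def scan(lines) -> list:
    """Run detect() over an iterable of log lines and keep only the hits."""
    return [e for e in map(detect, lines) if e is not None]


# Sample input: line 1 is the one quoted in the post; lines 2 and 3 are constructed
# non-matching lines (another component, and etherswitch text without a block).
SAMPLE_LOG = [
    "2017-05-31T11:30:25.980Z esx.domain.local vmkernel: cpu14:4446484)etherswitch: "
    "L2Sec_EnforcePortCompliance:257: client VMNAME.eth2 has policy vialations on port "
    "0x900004c. Port is blocked",
    "2017-05-31T11:31:02.000Z esx.domain.local vmkernel: cpu3:12345)NetPort: "
    "constructed sample line from an unrelated component",
    "2017-05-31T11:31:05.000Z esx.domain.local vmkernel: cpu3:12345)etherswitch: "
    "constructed sample line, etherswitch but no block",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT {ev.timestamp} {ev.host}: {ev.vm}/{ev.vnic} blocked on port {ev.port}")
```

Feed it real lines with `scan(open("/var/log/vmkernel.log"))` on a copied log; the two filters are deliberately kept separate from the detail regex so the alert still fires if VMware changes the wording of the message but keeps "Port is blocked".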

You are done 🙂


About Dusan Tekeljak

With over 12 years of experience in the Virtualization field, currently working as a Senior Consultant for Evoila, contracted to VMware PSO, helping customers with Telco Cloud Platform bundle. Previous roles include VMware Architect for Public Cloud services at Etisalat and Senior Architect for the VMware platform at the largest retail bank in Slovakia. Background in closely related technologies includes server operating systems, networking, and storage. A former member of the VMware Center of Excellence at IBM and co-author of several Redpapers. The main scope of work involves designing and optimizing the performance of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL, and others. Holding several industry-leading IT certifications such as VCAP-DCD, VCAP-DCA, VCAP-NV, and MCITP. Honored with #vExpert2015-2019 awards by VMware for contributions to the community. Opinions are my own!