How promiscuous mode works at the virtual switch and portgroup levels

Article ID: 324553

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch.

By default, a guest operating system's virtual network adapter only receives frames that are addressed to it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch on that host, but only those frames allowed under the VLAN policy of the associated port group. This can be useful for intrusion detection monitoring, or when a sniffer needs to analyze all traffic on the network segment.

For more information on configuring a virtual switch or portgroup to allow promiscuous mode, see Configuring promiscuous mode on a virtual switch or portgroup (1004099).


Environment

VMware vSphere ESXi 6.5
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 5.0
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.0
VMware ESXi 3.5.x Installable
VMware ESX 4.0.x
VMware ESX 4.1.x
VMware ESX Server 3.5.x
VMware vSphere ESXi 6.7
VMware ESXi 3.5.x Embedded
VMware vSphere ESXi 5.1
VMware ESX Server 3.0.x
VMware ESXi 4.0.x Installable
VMware vSphere ESXi 5.5
VMware ESXi 4.0.x Embedded
VMware ESXi 4.1.x Installable

Resolution

When promiscuous mode is enabled at the portgroup level, objects defined within that portgroup have the option of receiving all incoming traffic on that same port group on that same host. Interfaces and virtual machines within the port group are able to see all traffic passing on the portgroup on that host, while the other portgroups within the same virtual switch are unaffected.

When promiscuous mode is enabled at the virtual switch level, all portgroups within the vSwitch default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled on one or more portgroups within the vSwitch, and that portgroup setting overrides the vSwitch-level default.
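The following PowerCLI audit is an added example, not part of this KB article: it walks every standard vSwitch and portgroup on each connected host and reports the effective promiscuous-mode setting, stating whether it is inherited from the vSwitch default or set by a portgroup-level override, so that unexpected "allow" settings are easy to spot. It assumes the VMware.PowerCLI module is installed and an existing Connect-VIServer session.

```powershell
# Added example (not VMware's own code). Requires VMware.PowerCLI and an
# active Connect-VIServer session to a vCenter Server or ESXi host.
function Get-PromiscuousModeAudit {
    foreach ($vmhost in (Get-VMHost | Where-Object ConnectionState -eq 'Connected')) {
        foreach ($vs in Get-VirtualSwitch -VMHost $vmhost -Standard) {
            # Security policy defined at the vSwitch level (the default for its portgroups)
            $vsPolicy = Get-SecurityPolicy -VirtualSwitch $vs
            foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vs) {
                $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg
                # A portgroup either inherits the vSwitch default or overrides it;
                # the override wins whenever inheritance is switched off.
                $inherited = [bool]$pgPolicy.AllowPromiscuousInherited
                $effective = if ($inherited) { $vsPolicy.AllowPromiscuous } else { $pgPolicy.AllowPromiscuous }
                [pscustomobject]@{
                    Host                 = $vmhost.Name
                    VSwitch              = $vs.Name
                    VSwitchDefault       = $vsPolicy.AllowPromiscuous
                    PortGroup            = $pg.Name
                    Source               = if ($inherited) { 'vSwitch default' } else { 'portgroup override' }
                    EffectivePromiscuous = $effective
                }
            }
        }
    }
}

# Show only the portgroups on which promiscuous mode is effectively allowed
Get-PromiscuousModeAudit | Where-Object EffectivePromiscuous | Format-Table -AutoSize
```

Drop the Where-Object filter to see the full inheritance picture, including portgroups that explicitly disable promiscuous mode on a vSwitch whose default allows it.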

If software within a virtual machine attempts to put the guest network adapter into promiscuous mode, contrary to the defined vSwitch or portgroup security policy, it may be necessary to investigate whether the virtual machine is running undesired software. For more information, see Identifying virtual machines attempting to use promiscuous network mode on ESX/ESXi (1023341).

NOTE: Any change made to a port group may have unintended consequences. In general, do not change these settings unless you have been asked to do so for a specific reason.
