Note: Security Settings may change between ESXi configurations and versions.
The following three options were found to be crucial for a cluster of Security Gateways Virtual Edition (VE) in Network Mode. Their values must be set to Accept in "Security Settings" in ESXi.
- Promiscuous mode
Crucial for allowing communication to the Security Gateway VE.
Quote from VMware Knowledge Base - How promiscuous mode works at the virtual switch and portgroup levels (1002934):
When promiscuous mode is enabled at the portgroup level, objects defined within that portgroup have the option of receiving all incoming traffic on the vSwitch. Interfaces and virtual machines within the portgroup will be able to see all traffic passing on the vSwitch, but all other portgroups within the same virtual switch do not.
- Forged Transmit
Crucial for cluster configuration, where CCP packets are sent from different Source MAC addresses.
Quote from VMware ESXi and vCenter Server 5.1 Documentation > vSphere Security > Securing ESXi Configurations > Securing Standard Switch Ports:
The setting for the Forged Transmits option affects traffic that is transmitted from a virtual machine.
When the option is set to Accept, ESXi does not compare source and effective MAC addresses.
To protect against MAC impersonation, you can set this option to Reject. If you do, the host compares the source MAC address being transmitted by the operating system with the effective MAC address for its adapter to see if they match. If the addresses do not match, ESXi drops the packet.
The guest operating system does not detect that its virtual network adapter cannot send packets by using the impersonated MAC address. The ESXi host intercepts any packets with impersonated addresses before they are delivered, and the guest operating system might assume that the packets are dropped.
- MAC Learning
Ensures that outgoing traffic is accepted even though its MAC address differs from the MAC address provided / assigned by ESX.
Quote from VMware Labs - ESXi Mac Learning dvFilter:
MAC learning functionality solves performance problems for use cases like nested ESX. This ESX extension adds functionality to ESX to support MAC-learning on vswitch ports. For most ESX use cases, MAC learning is not required as ESX knows exactly which MAC address will be used by a VM. However, for applications like running nested ESX, i.e. ESX as a guest-VM on ESX, the situation is different. As an ESX VM may emit packets for a multitude of different MAC addresses, it currently requires the vswitch port to be put in “promiscuous mode”. That however will lead to too many packets delivered into the ESX VM, as it leads to all packets on the vswitch being seen by all ESX VMs. When running several ESX VMs, this can lead to very significant CPU overhead and noticeable degradation in network throughput. Combining MAC learning with “promiscuous mode” solves this problem.
Note: For vSphere 6.7 and above, when MAC learning is enabled, Promiscuous mode is no longer required and can be turned off.
Neither VMware VSS (Virtual Standard Switch) nor VDS (vSphere Distributed Switch) implements MAC Learning like a traditional network switch, since the vSphere platform already knows which MAC addresses are assigned to a particular Virtual Machine. This means that the virtual switch will only forward network packets to a Virtual Machine if the destination MAC Address matches the ESXi vmnic's (pNIC) MAC Address.
In a Nested ESXi environment where you can have Nested Virtual Machines, the destination MAC Address for network packets destined to those Virtual Machines will differ from the Nested ESXi vmnic's MAC Address. Due to this, the physical ESXi host's virtual switch will drop the packet if Promiscuous Mode is not enabled. Promiscuous Mode allows the underlying Nested ESXi VM vmnic to monitor all traffic of the virtual switch it is connected to, and thus provides connectivity to the underlying Nested Virtual Machines.
Because Promiscuous Mode makes all traffic from the virtual switch visible on the configured portgroup, enabling this setting adds some amount of overhead. If you drive a large amount of network traffic for your regular Virtual Machines, you may want to consider separating out your Nested ESXi environment.
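The following simplified model of the forwarding decisions described above is an added illustration, not Check Point or VMware code. The names `Port`, `send` and `scenario`, the MAC addresses, and the rule that a port learns only source addresses it was allowed to transmit are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One vSwitch port with the three settings the article discusses."""
    name: str
    effective_mac: str               # MAC the host assigned to the adapter
    promiscuous: bool = False        # Promiscuous mode = Accept
    forged_transmits: bool = False   # Forged Transmit = Accept
    mac_learning: bool = False       # MAC Learning enabled
    learned: set = field(default_factory=set)

def send(ports, sender, src_mac, dst_mac):
    """Return the names of ports that receive the frame, or None when the
    sender's own port drops it (Forged Transmit = Reject)."""
    if src_mac != sender.effective_mac:
        if not sender.forged_transmits:
            return None              # dropped by the host; the guest is not told
        if sender.mac_learning:
            sender.learned.add(src_mac)  # assumption: learn only accepted sources
    receivers = []
    for port in ports:
        if port is sender:
            continue
        if (dst_mac == port.effective_mac or dst_mac in port.learned
                or port.promiscuous):
            receivers.append(port.name)
    return receivers

# Constructed addresses (locally administered range), not real gateway MACs.
GW1, GW2, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SHARED = "02:00:00:00:00:aa"   # stand-in for a source MAC that differs from the adapter's

def scenario(forged, promiscuous, learning):
    """gw1 emits a frame from SHARED, then a third VM sends to SHARED and
    to an address nobody on the switch owns."""
    gw1 = Port("gw1", GW1, promiscuous, forged, learning)
    gw2 = Port("gw2", GW2, promiscuous, forged, learning)
    vm = Port("vm", OTHER)
    ports = [gw1, gw2, vm]
    outbound = send(ports, gw1, SHARED, GW2)
    reply = send(ports, vm, OTHER, SHARED)
    unrelated = send(ports, vm, OTHER, "02:00:00:00:00:ff")
    return outbound, reply, unrelated
```

Comparing `scenario(True, True, False)` with `scenario(True, False, True)` shows the trade-off: promiscuous ports also receive the unrelated frame, while a learning port receives only frames for addresses it has used.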
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.