VMware vSphere

  • 1.  How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 19, 2016 07:26 PM

    I have an Ubuntu VM running on an ESXi 5.5 host. I attached two SR-IOV NICs to the VM, and inside the VM I created a bond with the two NICs. The issue is that the MAC address of the packets will be the same no matter which slave they are transmitted on. However, when a packet is transmitted through the slave with a different MAC, it is considered a spoofed packet.

    On the host I can see the following messages in vmkernel.log. I guess it is because the bonding changes the MAC of a packet, and the anti-spoofing on the host physical NIC does not allow it.

    2016-02-16T19:46:37.162Z cpu4:33541)<4>ixgbe 0000:02:00.1: vmnic1: 1 Spoofed packets detected

    2016-02-16T19:46:39.348Z cpu22:33551)<4>ixgbe 0000:02:00.1: vmnic1: 2 Spoofed packets detected

    In Linux, we can do the following, but how to do it in ESXi? Does setting the corresponding portgroup security policy to promiscuous mode do the trick?

    ip link set eth2 vf 1 spoofchk on

    Thanks,

    Toby



  • 2.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 19, 2016 09:18 PM

    See my notes for the promisc parameter

    sanbarrow.com



  • 3.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 19, 2016 09:23 PM

    Do you mean I need to go to the vmx file to change the settings?  Is there a way to do it in UI or API?

    Thanks,



  • 4.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 19, 2016 09:35 PM

    I double-click the vmx file in WinSCP - it can't get easier, so I never searched for more complicated ways



  • 5.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 19, 2016 10:09 PM

    I modified the vmx file and set noForgedSrcAddr and noPromisc to "false" for both the two SRIOV NICs.

    It does not change anything. The packets do not go through, and I got the "spoofed packets detected" message.



  • 6.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 20, 2016 06:13 AM

    Do you have

    Promiscuous Mode

    Mac Address Changes
    Forged Transmits
    set to accept - using properties tab of Virtual switches



  • 7.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Feb 23, 2016 08:17 PM

    I set all the three properties as Accept on both switch and portgroup the NICs are associated with.

    I am afraid the portgroup settings do not apply to the VF. However, according to the doc at vSphere 5.5 Documentation Center, they should. In the guest OS, when I use ip link to change the MAC of the SR-IOV NIC, I can see the following messages in the host's log. I am afraid it is an issue in the ixgbevf driver.

    2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: VF 3 attempted to set a new MAC address but it already has an administratively set MAC address  00:50:56:ba:f7:b9

    2016-02-23T19:45:35.180Z cpu23:32819)<4>ixgbe 0000:01:00.0: vmnic2: Check the VF driver and if it is not using the correct MAC address you may need to reload the VF driver



  • 8.  RE: How to turn-off anti-spoofing on a Virtual Function?

    Posted Jul 19, 2023 01:51 PM

    Hi,

    7 years later I have the same question! I am setting up a FortiGate firewall VM with SR-IOV and I have trouble having several VLANs over the same VF. Apparently I need to disable spoof check and activate trust on the VF, but all the examples I find are for Intel NICs and I use Mellanox...

    I tried the below settings for PCI passthrough interfaces in the VM options but with no luck.

    Any idea?