VMcheck
© Copyright Lenovo 2017
The G8264CS primarily identifies virtual machines by their MAC addresses. An
untrusted server or VM can therefore present itself with a trusted MAC address,
which is a MAC spoofing attack. MAC addresses can also be transferred to another
VM, or be duplicated.
The VMcheck solution addresses these concerns by validating the MAC addresses
assigned to VMs. The switch periodically sends hello messages on its server ports.
Each message carries the switch identifier and the port number. The hypervisor
listens for these messages on its physical NICs and stores the information, which
can be retrieved through the VMware Infrastructure Application Programming
Interface (VI API). The switch uses this information to validate VM MAC addresses.
Two modes of validation are available: Basic and Advanced.
Use the following command to select the validation mode, or its no form to disable
validation:
RS 8264CS(config)# [no] virt vmgroup <VM group number> validate {basic|advanced}
Basic Validation
Basic mode provides port-based validation: it identifies the port to which a
hypervisor is attached and trusts VM MAC addresses that appear on that port. It is
suitable for environments in which MAC reassignment or duplication cannot occur.
Using the hello message information, the switch identifies a hypervisor port. A port
that appears in the hello message information is deemed a trusted port. With basic
validation enabled, a VM MAC address is validated against its port in these cases:
• A VM is added to a VM group and the MAC address of the VM interface is already
in the Layer 2 table of the switch.
• A VM interface that belongs to a VM group experiences a "source miss", that is,
the switch receives a frame whose source MAC address is not yet in its Layer 2
table and must decide whether to learn it.
• A trusted port goes down. Port validation must be performed again when the port
comes back up, to ensure that it has not been connected to an untrusted source in
the meantime.
Use the following command to set the action to be performed if the switch is
unable to validate the VM MAC address:
RS 8264CS(config)# virt vmcheck action basic {log|link}
log - generates a log message
link - disables the port
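The following Python model is an added example for this page, not Lenovo's switch code. It walks through the three validation events listed above and the two failure actions (log and link): ports named in hello information that carries this switch's identifier become trusted, a VM-group MAC seen on any other port fails validation, and a trusted port that goes down loses its trust until fresh hello information is read back. The class and method names, the switch identifier "G8264CS-A", the MAC addresses and the port numbers are all assumptions made for the example; the treatment of link-down as clearing trust is this model's reading of the re-validation requirement, not a documented switch behaviour.

```python
"""
Constructed model of VMcheck basic (port-based) validation.

Added illustration only; this is not Lenovo's switch code.  Names, the
switch identifier, MAC addresses and port numbers are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VMcheckBasic:
    switch_id: str                 # identifier carried in this switch's hello messages
    vm_group_macs: set             # MAC addresses configured in the VM group
    action: str = "log"            # virt vmcheck action basic {log|link}
    trusted_ports: set = field(default_factory=set)
    l2_table: dict = field(default_factory=dict)      # MAC -> port, as learned
    disabled_ports: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def record_hello_info(self, reported_switch_id: str, reported_port: int) -> bool:
        """Consume what a hypervisor stored from a hello message (read back over
        the VI API in the real system).  Only a hello that names *this* switch
        marks the reporting port as hypervisor-facing and therefore trusted."""
        if reported_switch_id != self.switch_id:
            return False
        self.trusted_ports.add(reported_port)
        return True

    def _validate(self, mac: str, port: int) -> str:
        """Port-based check: a VM-group MAC is valid only on a trusted port."""
        if mac not in self.vm_group_macs:
            return "not-in-group"      # basic validation covers VM-group members only
        if port in self.trusted_ports:
            self.l2_table[mac] = port
            return "valid"
        self.log.append(f"VMcheck: VM MAC {mac} seen on untrusted port {port}")
        if self.action == "link":
            self.disabled_ports.add(port)   # 'link' action: take the port down
        return "invalid"

    # --- the three events at which the text says validation takes place ---
    def on_vm_added_to_group(self, mac: str) -> str:
        """VM joins the group; validate only if its MAC is already in the L2 table."""
        self.vm_group_macs.add(mac)
        port = self.l2_table.get(mac)
        return "not-learned" if port is None else self._validate(mac, port)

    def on_source_miss(self, mac: str, port: int) -> str:
        """Frame from a VM-group MAC that the L2 table has no entry for."""
        return self._validate(mac, port)

    def on_port_down(self, port: int) -> None:
        """Assumption for this model: trust does not survive link-down.  The port
        must be re-identified from fresh hello information before VM MACs on it
        are accepted again, which is the re-validation the text calls for."""
        self.trusted_ports.discard(port)
        for mac in [m for m, p in self.l2_table.items() if p == port]:
            del self.l2_table[mac]


def run_scenario() -> dict:
    """Constructed walk-through: a spoof attempt, a late group add, a link flap."""
    vm_mac = "00:50:56:aa:bb:01"        # constructed VM MAC on the hypervisor
    late_mac = "00:50:56:aa:bb:02"      # constructed MAC added to the group later
    sw = VMcheckBasic(switch_id="G8264CS-A", vm_group_macs={vm_mac}, action="link")
    r = {}
    # Hypervisor on port 5 reports this switch's hello; port 5 becomes trusted.
    r["hello_accepted"] = sw.record_hello_info("G8264CS-A", 5)
    # Hello information naming some other switch must not create trust here.
    r["foreign_hello_ignored"] = not sw.record_hello_info("OTHER-SW", 9)
    # Legitimate VM traffic arrives on the hypervisor port.
    r["vm_on_trusted_port"] = sw.on_source_miss(vm_mac, 5)
    # A rogue host on port 9 spoofs the VM's MAC: fails, and 'link' shuts port 9.
    r["spoof_on_port9"] = sw.on_source_miss(vm_mac, 9)
    r["port9_disabled"] = 9 in sw.disabled_ports
    # Case 1: VM added to the group.  Not yet learned -> nothing to validate.
    r["added_vm_not_learned"] = sw.on_vm_added_to_group(late_mac)
    # Same MAC already learned by ordinary L2 learning on untrusted port 7.
    sw.l2_table[late_mac] = 7
    r["added_vm_on_untrusted_port"] = sw.on_vm_added_to_group(late_mac)
    r["port7_disabled"] = 7 in sw.disabled_ports
    # Case 3: trusted port 5 flaps; its trust and L2 entries are gone.
    sw.on_port_down(5)
    r["port5_trusted_after_flap"] = 5 in sw.trusted_ports
    r["vm_in_l2_after_flap"] = vm_mac in sw.l2_table
    # Fresh hello information restores trust and the VM validates again.
    sw.record_hello_info("G8264CS-A", 5)
    r["vm_after_rehello"] = sw.on_source_miss(vm_mac, 5)
    r["log_entries"] = len(sw.log)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

With action set to link the model isolates the offending port rather than only recording the event, which is the trade-off the real command exposes: link stops a spoofing host immediately but also turns an accidental MAC duplicate into an outage on that port, so log is the safer setting while a deployment is still being tuned.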
Chapter 16: VMready