It turns out that my issue came from the difference in default behavior between a vSS (Standard Switch) and a vDS (Distributed Switch). For those that want the TL:DR -> Set all security settings to “accept”.
There are three security settings for switches in VMware.
- Promiscuous Mode – Allows the virtual networking adapter to observer any of the traffic submitted through the vSwitch.
- MAC Address Changes – Allows differences in the initial MAC address and the effective MAC on incoming traffic.
- Forged Transmits – Allows differences in the initial MAC address and the effective MAC on outgoing traffic.
The initial MAC is the one assigned by VMware, and the effective MAC is the one used by the guest OS to transmit data. By default these are the same, but as a system administrator you can change the MAC in the guest OS.
My issue came from the default settings for these three options on the vSS versus the vDS.
On the vSS:
On the vDS:
In all the blog posts I have seen about doing this, every one mentions to set “Promiscuous Mode” to accept, but they fail to tell you that you need to have “Forged Transmits” set to accept as well. To be safe I actually set them all to accept.
I think this is the result of most people doing this in their home lab and only using vSS, and since I was using vDS I didn’t notice at the time that the default options are different.
This makes sense since as soon as you add another vmk to the virtual switch you are transmitting from a different virtual MAC address, which “Forged Transmits” would block.