After posting the “Let’s Talk Security …” blog entry last week, our engineering director reminded me of a few more things worth pointing out. Virtual switches behave very much like physical switches, but they differ in a few ways that matter for the security discussion around MAC flooding and spanning tree attacks.
- Virtual switches know the MAC addresses of the VMs and vmkernel ports by registration. The ESX hypervisor assigns and tracks them, so the vSwitch never has to “learn” a MAC address from the source field of a frame, and there is no learning table to overflow. A frame arriving on an uplink whose destination MAC is not registered on that vSwitch is simply dropped rather than flooded to every port. Hence vSwitches are not susceptible to MAC flooding: spraying random source addresses does not push legitimate entries out of a table and does not turn the switch into a hub. (The same registration model is why the port group security policies for MAC Address Changes and Forged Transmits exist; they control whether a guest may deviate from its registered address at all.)
- Frames received on an uplink will never be forwarded out any uplink. They are either delivered to the virtual port whose registered MAC matches the destination, to the set of virtual ports for multicast or broadcast, or discarded because the destination is not attached to this virtual switch. This simple rule means ESX cannot introduce a loop into the physical network, even with several uplinks in a NIC team, unless someone deliberately provisions a bridge inside a VM with two vnics. It also means ESX does not need to participate in Spanning Tree: it does not send BPDUs and does not act on the ones it receives, so no uplink is ever placed in a blocking state and you get full use of all uplinks. Note that this does not mean you should turn off spanning tree on your access switches; ESX just ignores the BPDUs, the rest of the network still needs them. Do configure PortFast (or PortFast trunk on VLAN-tagged uplinks) on the physical switchports so they go straight to the forwarding state, and if you pair it with BPDU guard, remember that a bridging VM that emits BPDUs will err-disable that uplink for every VM behind it.
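The two bullets above describe a forwarding decision, and it is easier to see why MAC flooding and uplink loops do not apply once the decision is written out. The model below is an added illustration, not VMware code: a classic source-learning switch with a fixed-size CAM table sits next to an ESX-style vSwitch that forwards only by registered MACs and never sends an uplink frame back out an uplink. The port names, MAC addresses, CAM size, and the NIC-team stand-in that pins each source to one uplink are all assumptions; the port group security policies (Forged Transmits and friends) are not modeled, so the vSwitch here simply never consults the source address. The flood scenario shows a copy of the victim's traffic reaching the attacker on the learning switch and only the victim on the vSwitch; the loop check shows a broadcast from one uplink leaving via the other on the learning switch and never on the vSwitch.

```python
"""Toy model contrasting a learning (physical) switch with an ESX-style
vSwitch, to show why MAC flooding and uplink loops do not apply to the latter.
Constructed example; names, MACs and sizes are assumptions, not VMware code."""
import random
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
UPLINKS = ("vmnic0", "vmnic1")          # two physical NICs in one team (assumed)
VM1_MAC = "00:50:56:00:00:01"           # constructed sample MACs
VM2_MAC = "00:50:56:00:00:02"
ATTACKER_MAC = "00:50:56:00:00:03"
EXTERNAL_MAC = "00:50:56:aa:bb:cc"      # a host out on the physical network
REGISTERED = {"vm1": VM1_MAC, "vm2": VM2_MAC, "attacker": ATTACKER_MAC}
ALL_PORTS = list(UPLINKS) + list(REGISTERED)


def is_multicast(mac):
    """Group bit (LSB of the first octet) set: multicast or broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """Classic switch: learns source MACs into a CAM table of fixed size and
    floods frames whose destination is unknown. Every port is an equal peer."""

    def __init__(self, ports, cam_size):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = {}            # mac -> port
        self.order = deque()     # insertion order, for FIFO eviction when full

    def forward(self, in_port, src, dst):
        if src not in self.cam:
            if len(self.cam) >= self.cam_size:
                del self.cam[self.order.popleft()]   # evict the oldest entry
            self.order.append(src)
        self.cam[src] = in_port
        if dst in self.cam:                          # known unicast
            return [] if self.cam[dst] == in_port else [self.cam[dst]]
        return [p for p in self.ports if p != in_port]   # unknown: flood


class VSwitch:
    """ESX-style vSwitch: virtual ports have MACs by registration, nothing is
    learned from frames, and frames from an uplink never leave via an uplink."""

    def __init__(self, registered, uplinks=UPLINKS):
        self.port_of = {mac: port for port, mac in registered.items()}
        self.vports = list(registered)
        self.uplinks = list(uplinks)

    def _team_uplink(self, src):
        # Stand-in for NIC-team load balancing: pin each source to one uplink.
        return self.uplinks[sum(int(o, 16) for o in src.split(":")) % len(self.uplinks)]

    def forward(self, in_port, src, dst):
        from_uplink = in_port in self.uplinks
        if is_multicast(dst):                        # broadcast or multicast
            out = [p for p in self.vports if p != in_port]
            if not from_uplink:
                out.append(self._team_uplink(src))   # VM traffic also hits the wire
            return out
        target = self.port_of.get(dst)
        if target is not None:                       # registered destination
            return [] if target == in_port else [target]
        # Unregistered destination: drop if it came from the wire, else send to the wire.
        return [] if from_uplink else [self._team_uplink(src)]


def mac_flood_leaks_to_attacker(switch, attacker_port="attacker", victim_port="vm1",
                                victim_mac=VM1_MAC, frames=5000):
    """Attacker sprays frames with random source MACs, then an external host
    sends a unicast to the victim. True if a copy reaches the attacker port."""
    rng = random.Random(1)
    switch.forward(victim_port, victim_mac, BROADCAST)     # victim is known first
    for _ in range(frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        switch.forward(attacker_port, fake, BROADCAST)
    return attacker_port in switch.forward(UPLINKS[0], EXTERNAL_MAC, victim_mac)


def uplink_reflects(switch):
    """Does a broadcast arriving on vmnic0 leave via any uplink (loop risk)?"""
    out = switch.forward(UPLINKS[0], EXTERNAL_MAC, BROADCAST)
    return any(u in out for u in UPLINKS)


def unknown_from_wire_reaches_vms(switch):
    """Does a unicast from the wire to an unregistered MAC reach any VM port?"""
    out = switch.forward(UPLINKS[0], EXTERNAL_MAC, "00:50:56:de:ad:00")
    return any(p in out for p in REGISTERED)


if __name__ == "__main__":
    for name, make in (("learning switch", lambda: LearningSwitch(ALL_PORTS, cam_size=1024)),
                       ("vSwitch", lambda: VSwitch(REGISTERED))):
        print(f"{name}: flood leaks={mac_flood_leaks_to_attacker(make())}, "
              f"uplink reflects={uplink_reflects(make())}, "
              f"unknown unicast reaches VMs={unknown_from_wire_reaches_vms(make())}")
```

Running it prints `True, True, True` for the learning switch and `False, False, False` for the vSwitch. The interesting line is the one in `LearningSwitch.forward` that evicts the oldest CAM entry: that is the whole mechanism MAC flooding abuses, and the `VSwitch` class has no equivalent because there is nothing to learn and nothing to evict.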