Hi Canuck,
I assume you need to enable promiscuous support for the vSwitch in ESXi.
In that case, you need to see "Use of VLAN groups (CR137596)":
Use of VLAN groups with BIG-IP Local Traffic Manager VE requires proper configuration of VMware vSwitch or VMware vSwitch portgroup security policies. The Promiscuous Mode and Forged Transmits properties must be set to Accept.
By default, Promiscuous Mode is set to Reject.
For information on how to configure these options, refer to the vSwitch sections of VMware's vSphere manuals.
To configure BIG-IP VE MAC masquerade on an ESX environment without using Promiscuous mode, leverage the "MAC Learning" feature on the virtual switch, which allows the ESXi host to learn MAC addresses on the network while preventing unauthorized traffic by setting Promiscuous mode to "Reject" on the relevant port group or virtual switch where the BIG-IP VM resides; this effectively achieves MAC masquerade functionality without relying on promiscuous mode.
Key points to remember:
- Enable MAC Learning:
  - Navigate to your ESXi host's virtual switch settings and enable MAC Learning on the port group or switch where the BIG-IP VM is attached.
- Set Promiscuous Mode to Reject:
  - Within the same virtual switch settings, ensure that Promiscuous Mode is set to "Reject" to prevent unauthorized traffic while still allowing the BIG-IP to learn MAC addresses.
- Configure MAC Masquerade on BIG-IP:
  - On the BIG-IP device, configure the MAC masquerade feature according to your specific network requirements, assigning a unique MAC address for each traffic group or as needed.
Benefits of using MAC Learning instead of Promiscuous mode:
- Enhanced Security:
  - By only allowing the ESXi host to learn MAC addresses on the network, you mitigate the security risks associated with promiscuous mode where all traffic is captured.
- Improved Performance:
  - When properly configured, MAC Learning can provide better network performance compared to promiscuous mode.
Important considerations:
Please mark this as the solution if you feel your query has been answered and it saved you time and gave you pointers toward resolving your issue, as it will help others use your query scenario to solve similar issues.
Best Regards,
F5 Design Engineer
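
An added example, not part of the post above and not F5 or VMware code: a small Python check that audits a port group's security policy against the two setups described in the reply (VLAN groups, and the MAC Learning alternative). The `Key: value` input layout is an assumption modelled on `esxcli network vswitch standard portgroup policy security get` output, the sample is constructed, and only the Promiscuous Mode and Forged Transmits properties are checked.

```python
"""Audit vSwitch port group security settings against the two setups in the post."""

# Required values per scenario, taken from the post:
#  - VLAN groups: Promiscuous Mode and Forged Transmits must be Accept.
#  - MAC Learning alternative: Promiscuous Mode must be Reject.
PROFILES = {
    "vlan_groups": {"Allow Promiscuous": True, "Allow Forged Transmits": True},
    "mac_learning": {"Allow Promiscuous": False},
}

def parse_policy(text):
    """Parse 'Key: value' lines (true/false) into a dict; raise on anything else."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        value = value.strip().lower()
        if not sep or value not in ("true", "false"):
            raise ValueError(f"unrecognised policy line: {raw!r}")
        policy[key.strip()] = value == "true"
    return policy

def audit(policy, profile):
    """Return a list of findings; an empty list means the port group matches."""
    findings = []
    for key, wanted in PROFILES[profile].items():
        label = "Accept" if wanted else "Reject"
        if key not in policy:
            findings.append(f"{key}: missing from output, expected {label}")
        elif policy[key] != wanted:
            actual = "Accept" if policy[key] else "Reject"
            findings.append(f"{key}: is {actual}, expected {label}")
    return findings

# Constructed sample: the default state the post describes (Promiscuous = Reject).
SAMPLE_DEFAULT = """
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
"""

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_DEFAULT)
    for profile in PROFILES:
        print(profile, audit(policy, profile) or "OK")
```

Running the check per port group after any change makes it easy to spot a BIG-IP port group that was left with Promiscuous Mode on Accept when the MAC Learning setup was intended.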