Messages - SigurdM

#1
Hi,

If you haven't found another solution, I suggest you ask your provider to reconsider his choices:

"* My provider blocks this setting because it allows packet sniffing and is not secure"

This is not really relevant for a router/firewall; it will see all traffic going in/out of the network anyway, and it having promiscuous mode capability will not change much.

"* I don't want my CPU to be overstressed receiving packets from all VMs"

You set the options as override on a per-VLAN basis, so it will not get traffic from things outside the VLANs you enable this on.

Also make a note of this KB; it might be that you need Net.ReversePathFwdCheckPromisc = 1 on the VMware server:
https://kb.vmware.com/s/article/59235

My setup is fairly similar to yours, but I don't use distributed switches, as my VMware servers are standalone, are used to utilize the hardware better, and have no shared storage. It works great; CARP failover with PFSYNC gives a few packets dropped when one of the nodes goes down.