MAC address changes and forged transmits

Every virtual machine has two MAC addresses by definition. The MAC address that is assigned to the vNIC of a virtual machine when the vNIC is created is called the initial MAC address. The MAC address that a guest operating system configures for the network interface it detects is called the effective MAC address. The effective MAC address should generally match the initial MAC address (which is the actual MAC on the NIC).

MAC address changes (Default: Reject): This applies to the traffic entering a virtual machine from the virtual switch. If MAC address changes is set to Accept, you allow the virtual machine to receive traffic that was originally intended for another VM by impersonating the other VM's MAC address.

For example, if VM-A wanted to receive traffic intended for VM-B, then VM-A will need to present itself with a MAC address belonging to VM-B. This is usually achieved by changing the effective MAC address (OS level). Such a VM's initial MAC address will remain unchanged. With MAC address changes set to Accept, the virtual switch will allow the effective MAC address to be different from the initial MAC address. With MAC address changes set to Reject, the port/dvPort to which the vNIC is connected will be blocked if the effective MAC doesn't match the initial MAC address. Consequently, the VM will stop receiving any traffic.

Forged transmits (Default: Reject): This applies to traffic exiting a virtual machine and entering the virtual switch. If forged transmits are set to Accept, it allows for MAC address spoofing. This means that a virtual machine will be allowed to send out Ethernet frames with a source MAC address that is different from the effective/initial MAC address. When set to Reject, the virtual switch will drop the Ethernet frame with a source MAC address that is different from the effective/initial MAC.
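The following Python model is an added illustration, not code from the book or from VMware. It walks the VM-A/VM-B scenario above through all four combinations of the two policies. The MAC addresses are constructed, the `Port` class and function names are hypothetical, and the model assumes that a blocked port passes no frames and that forged transmits compares the source MAC against the effective MAC.

```python
from dataclasses import dataclass

ACCEPT, REJECT = "Accept", "Reject"

def norm(mac: str) -> str:
    """Canonical form so 00-50-56-AA-00-0A and 00:50:56:aa:00:0a compare equal."""
    return mac.replace("-", ":").lower()

@dataclass
class Port:
    initial_mac: str                  # assigned when the vNIC was created
    effective_mac: str                # configured by the guest OS
    mac_changes: str = REJECT
    forged_transmits: str = REJECT

def port_blocked(p: Port) -> bool:
    """MAC address changes: Reject blocks the port once effective != initial."""
    changed = norm(p.effective_mac) != norm(p.initial_mac)
    return changed and p.mac_changes == REJECT

def transmit_verdict(p: Port, src_mac: str) -> str:
    """Forged transmits: Reject drops frames whose source MAC is not the vNIC's.
    Assumptions: a blocked port passes nothing; the comparison is against
    the effective MAC."""
    if port_blocked(p):
        return "blocked"
    forged = norm(src_mac) != norm(p.effective_mac)
    return "dropped" if forged and p.forged_transmits == REJECT else "forwarded"

# Constructed sample addresses for the VM-A / VM-B scenario.
VM_A = "00:50:56:aa:00:0a"
VM_B = "00:50:56:bb:00:0b"

def scenario(mac_changes: str, forged_transmits: str) -> dict:
    """VM-A sets its effective MAC to VM-B's, then sends one frame with its
    own initial MAC as the source and one with VM-B's MAC as the source."""
    p = Port(VM_A, VM_B, mac_changes, forged_transmits)
    return {
        "port_blocked": port_blocked(p),
        "send_as_vm_a": transmit_verdict(p, VM_A),
        "send_as_vm_b": transmit_verdict(p, VM_B),
    }

if __name__ == "__main__":
    for mc in (REJECT, ACCEPT):
        for ft in (REJECT, ACCEPT):
            print(f"MAC changes={mc:6} forged transmits={ft:6} -> {scenario(mc, ft)}")
```

With MAC address changes set to Reject, the impersonation attempt blocks the port regardless of the forged transmits setting. Only Accept on both policies lets VM-A send frames under either address.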
