VMware Tools runs on a VM and provides several services. One service that is essential to the distributed firewall is associating a VM and its vNICs with IP addresses. Before NSX 6.2, if VMware Tools was not installed on a VM, its IP address was not learned. In NSX 6.2 and later, you can configure clusters to detect virtual machine IP addresses with DHCP snooping, ARP snooping, or both. This allows NSX to detect the IP address even if VMware Tools is not installed on the virtual machine. If VMware Tools is installed, it can work in conjunction with DHCP and ARP snooping.

VMware recommends that you install VMware Tools on each virtual machine in your environment. In addition to providing vCenter with the IP address of VMs, it provides many other functions:

  • allowing copy and paste between VM and host or client desktop
  • synchronizing time with the host operating system
  • allowing shutdown or restart of the VM from vCenter
  • collecting network, disk, and memory usage from the VM and sending it to the host
  • determining VM availability by sending and collecting heartbeat

Note that having two vNICs for a VM on the same network is not supported and can lead to unpredictable results as to which traffic is blocked or allowed.

For VMs that do not have VMware Tools installed, NSX learns the IP address through ARP or DHCP snooping, if ARP and DHCP snooping are enabled on the VM's cluster.
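The following audit sketch is an added example, not VMware code or an NSX API: it walks an inventory export and flags VMs that have no IP detection path, VMs that depend on snooping alone, and VMs with two vNICs on the same network. It assumes NSX 6.2 or later; the inventory layout, field names, and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed sample data; field names are assumptions, not an NSX/vCenter schema.
CLUSTERS = {
    "prod-a": {"dhcp_snooping": True, "arp_snooping": True},
    "prod-b": {"dhcp_snooping": False, "arp_snooping": False},
    "lab": {"dhcp_snooping": True, "arp_snooping": False},
}
VMS = [
    {"name": "web01", "cluster": "prod-a", "tools": True, "vnic_networks": ["web-ls"]},
    {"name": "appliance01", "cluster": "prod-a", "tools": False, "vnic_networks": ["app-ls"]},
    {"name": "legacy01", "cluster": "prod-b", "tools": False, "vnic_networks": ["db-ls"]},
    {"name": "db01", "cluster": "prod-b", "tools": True, "vnic_networks": ["db-ls", "db-ls"]},
    {"name": "test01", "cluster": "lab", "tools": False, "vnic_networks": ["lab-ls", "mgmt-ls"]},
]


def detection_sources(vm, clusters):
    """List the ways NSX can learn this VM's IP address (NSX 6.2+ assumed)."""
    cfg = clusters[vm["cluster"]]
    sources = []
    if vm["tools"]:
        sources.append("vmware-tools")
    if cfg["dhcp_snooping"]:
        sources.append("dhcp-snooping")
    if cfg["arp_snooping"]:
        sources.append("arp-snooping")
    return sources


def audit(vms, clusters):
    """Return (vm_name, finding) tuples in inventory order."""
    findings = []
    for vm in vms:
        sources = detection_sources(vm, clusters)
        if not sources:
            # No Tools and no snooping on the cluster: the IP is never learned.
            findings.append((vm["name"], "no-ip-detection"))
        elif not vm["tools"]:
            # Learned by snooping only; Tools is still recommended on every VM.
            findings.append((vm["name"], "tools-missing"))
        # Two vNICs on one network is unsupported for distributed firewall.
        for net, count in Counter(vm["vnic_networks"]).items():
            if count > 1:
                findings.append((vm["name"], f"multiple-vnics-on:{net}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(VMS, CLUSTERS):
        print(f"{name}: {finding}")
```
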