SpoofGuard protects against IP spoofing by maintaining a reference table of VM name and IP address. SpoofGuard maintains this reference table by using the IP addresses that the NSX Manager retrieves from VMware Tools when a VM initially starts.

After synchronizing with the vCenter Server, NSX Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine. If a virtual machine has been compromised, the IP address can be spoofed and malicious transmissions can bypass firewall policies.

SpoofGuard is inactive by default, and you must explicitly enable it on each logical switch or VDS port-group. When a VM IP address change is detected, the Distributed Firewall (DFW) blocks the traffic from or to this VM until you approve this new IP address.

You create a SpoofGuard policy for specific networks that allows you to authorize the IP addresses reported by VMware Tools and alter them if necessary to prevent spoofing. SpoofGuard inherently trusts the MAC addresses of virtual machines collected from the VMX files and vSphere SDK. Operating separately from Firewall rules, you can use SpoofGuard to block traffic determined to be spoofed.

Important: SpoofGuard works only when Distributed Firewall (DFW) is enabled.

SpoofGuard supports both IPv4 and IPv6 addresses. The SpoofGuard policy supports multiple IP addresses assigned to a vNIC when using VMwareTools and DHCP snooping. ARP snooping supports up to 128 addresses discovered per VM, per vNIC. The SpoofGuard policy monitors and manages the IP addresses reported by your virtual machines in one of the following modes.

Automatically Trust IP Assignments On Their First Use
This mode allows all traffic from your virtual machines to pass while building a table of vNIC-to-IP address assignments. You can review this table at your convenience and make IP address changes. This mode automatically approves all IPv4 and IPv6 addresses that are first seen on a vNIC.
Manually Inspect and Approve All IP Assignments Before Use
This mode blocks all traffic until you approve each vNIC-to-IP address assignment. In this mode, multiple IPv4 addresses can be approved.
Note: SpoofGuard inherently allows DHCP requests regardless of enabled mode. However, if in manual inspection mode, traffic does not pass until the DHCP-assigned IP address has been approved.

SpoofGuard includes a system-generated default policy that applies to port groups and logical networks not covered by the other SpoofGuard policies. A newly added network is automatically added to the default policy until you add the network to an existing policy or create a new policy for it.

SpoofGuard is one of the ways that an NSX distributed firewall policy can determine the IP address of a virtual machine. For information, see IP Discovery for Virtual Machines.