The IP address of a virtual machine can be detected by VMware Tools, which is installed on the VM, or by DHCP snooping and ARP snooping. These IP discovery methods can be used together in the same NSX installation.

You can specify the IP detection types either at a global level or at the host cluster level. Typically, users with security administrator and security engineer roles might prefer to specify the IP detection type at a global level. They use the detected VM IP addresses to configure the SpoofGuard policies and the distributed firewall policies.

Users with an enterprise administrator role usually have a much wider view of the complete virtual network, and might prefer to control the IP detection type by editing the settings at the host cluster level. The IP detection settings at the host cluster level override the settings that are specified at the global level.

Procedure

  1. Navigate to the Change IP Detection Type page.
    IP Detection Level          Steps
    Global IP Detection         1. Navigate to Networking & Security > Security > SpoofGuard.
                                2. Next to IP Detection Type, click the Gear icon.
    Host Cluster IP Detection   1. Navigate to Networking & Security > Installation and Upgrade > Host Preparation.
                                2. Click the cluster for which you want to change the IP detection type, and then click Actions > Change IP Detection Type.
  2. Select the desired IP detection types, and click Save or OK.
    IP Detection Type   Description
    DHCP Snooping       NSX detects the IP addresses of the VMs in the network by reading the DHCP snooping entries.
    ARP Snooping        NSX detects the IP addresses of the VMs by using the ARP snooping mechanism.
                        Recommendation: Configure SpoofGuard when you use ARP snooping to detect IP addresses. SpoofGuard helps you to defend your network against ARP poison attacks.
  3. If you selected ARP snooping, enter the maximum ARP IP addresses that must be detected per vNIC, per VM. The default value is 1.
    ARP snooping can detect a maximum of 128 IP addresses per vNIC, per VM. The valid range of values is 1 through 128. For example, if you specify a value of 5, at most the first five IP addresses seen per vNIC per VM are detected; any further addresses on that vNIC are ignored.

    IP addresses detected using ARP snooping are not removed automatically. In other words, there is no timeout for vNIC IP addresses that are detected using ARP snooping.
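The following is an added illustration, not NSX code: a toy model of the ARP-snooping limit described above, applying the rules the page states (a per-vNIC limit of 1 through 128 with a default of 1, only the first N distinct IPs per vNIC per VM retained, and no timeout on detected entries). The VM and vNIC names and ARP observations are constructed sample data.

```python
"""Toy model of NSX ARP-snooping IP detection limits (added illustration,
not NSX code). Rules taken from the page: per-vNIC limit in 1..128 (default 1),
only the first N distinct sender IPs per vNIC per VM are kept, entries never expire."""
from collections import defaultdict

ARP_LIMIT_MIN, ARP_LIMIT_MAX, ARP_LIMIT_DEFAULT = 1, 128, 1


def validate_arp_limit(value: int) -> int:
    """Reject limits outside the 1..128 range the UI accepts."""
    if not ARP_LIMIT_MIN <= value <= ARP_LIMIT_MAX:
        raise ValueError(
            f"ARP IP limit must be {ARP_LIMIT_MIN}..{ARP_LIMIT_MAX}, got {value}")
    return value


def snoop_arp(observations, limit=ARP_LIMIT_DEFAULT):
    """Build the detected-IP table from (vm, vnic, sender_ip) tuples.

    Returns {(vm, vnic): [ip, ...]} holding only the first `limit` distinct
    sender IPs per vNIC, in order of first appearance. Nothing is ever removed,
    mirroring the "no timeout" behaviour for ARP-detected addresses.
    """
    limit = validate_arp_limit(limit)
    detected = defaultdict(list)
    for vm, vnic, ip in observations:
        ips = detected[(vm, vnic)]
        if ip in ips or len(ips) >= limit:
            continue  # duplicate, or this vNIC already holds `limit` addresses
        ips.append(ip)
    return dict(detected)


# Constructed sample (hypothetical VMs, not captured traffic): ARP replies
# as (vm, vnic, sender IP).
SAMPLE_ARP = [
    ("web-01", "vnic0", "10.0.1.10"),
    ("web-01", "vnic0", "10.0.1.10"),  # repeat of an IP already detected
    ("web-01", "vnic0", "10.0.1.11"),  # second IP on the same vNIC
    ("web-01", "vnic0", "10.0.1.12"),  # third IP: dropped when limit is 2
    ("db-01", "vnic0", "10.0.2.20"),
]

if __name__ == "__main__":
    print(snoop_arp(SAMPLE_ARP, limit=2))
```

With the default limit of 1, only the first address seen on each vNIC is ever recorded, which is why the recommendation to pair ARP snooping with SpoofGuard matters.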

What to do next

  • If you enabled ARP snooping, consider configuring SpoofGuard to defend your network against ARP poison attacks.
  • Configure the default firewall rule.