You can create a SpoofGuard policy to specify the operation mode for specific networks. The system-generated (default) policy applies to port groups and logical switches not covered by existing SpoofGuard policies.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > Security > SpoofGuard.
  2. Click Add.
  3. Enter a name for the policy.
  4. Enable or Disable the policy.
  5. Select one of the following operation modes:

    | Option | Description |
    |---|---|
    | Automatically Trust IP Assignments on Their First Use | Select this option to trust all IP assignments upon initial registration with the NSX Manager. |
    | Manually Inspect and Approve All IP Assignments Before Use | Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked. |
  6. Click Allow local address as valid address in this namespace to allow local IP addresses in your setup.

    When you power on a virtual machine and it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.

  7. Click Next.
  8. Select the object type this policy should apply to, then select the objects you want.
    • In NSX 6.4.0, click the Add icon. Select the object type this policy should apply to, then select the objects you want.
    A port group or logical switch can belong to only one SpoofGuard policy.
  9. Click OK or Finish.

What to do next

You can edit a policy by clicking the Edit icon and delete a policy by clicking the Delete icon.
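
The following planning check is an added example, not VMware code and not an NSX API client. It models the rules stated in the procedure so a planned set of policies can be reviewed before it is entered in the UI: one policy per port group or logical switch, fallback to the default policy, and the handling of local addresses under each operation mode. Assumptions: "local IP address" is read as a link-local address (169.254.0.0/16 or fe80::/10), only enabled policies and initial IP registration are modelled, and the names `Policy`, `effective_policies` and `classify` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Short labels for the two operation modes named in step 5 (labels are this example's own).
TOFU = "trust-on-first-use"    # Automatically Trust IP Assignments on Their First Use
MANUAL = "manual-approval"     # Manually Inspect and Approve All IP Assignments Before Use

@dataclass
class Policy:
    name: str
    mode: str
    allow_local: bool = False                     # step 6 check box
    networks: set = field(default_factory=set)    # port groups / logical switches (step 8)

def effective_policies(policies, default, inventory):
    """Map every network to the single policy that governs it.

    Raises ValueError if two policies claim the same network, because a port
    group or logical switch can belong to only one SpoofGuard policy.
    Networks claimed by no policy fall to the default policy.
    """
    owner = {}
    for policy in policies:
        for net in sorted(policy.networks):
            if net in owner:
                raise ValueError(
                    f"{net} is listed in both '{owner[net].name}' and '{policy.name}'")
            owner[net] = policy
    return {net: owner.get(net, default) for net in inventory}

def classify(policy, ip, approved=frozenset()):
    """Classify an IP reported for a vNIC: 'ignored', 'trusted' or 'pending'."""
    addr = ipaddress.ip_address(ip)
    # Assumption: "local" means link-local; without the step 6 option it is ignored.
    if addr.is_link_local and not policy.allow_local:
        return "ignored"
    if policy.mode == TOFU or ip in approved:
        return "trusted"
    # Manual mode: traffic to and from the address is blocked until it is approved.
    return "pending"

if __name__ == "__main__":
    # Constructed sample plan; the default policy's mode here is a sample value.
    default = Policy("Default Policy", TOFU)
    web = Policy("web-strict", MANUAL, networks={"pg-web"})
    plan = effective_policies([web], default, ["pg-web", "pg-mgmt"])
    for net, pol in plan.items():
        print(net, "->", pol.name, classify(pol, "169.254.10.20"), classify(pol, "10.0.0.5"))
```

Running the check over the full inventory also shows which networks would silently fall to the default policy, which is worth reviewing when that policy trusts addresses on first use.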