You can create a SpoofGuard policy to specify the operation mode for specific networks. The system-generated (default) policy applies to port groups and logical switches not covered by existing SpoofGuard policies.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > SpoofGuard.
  2. Click the Add icon.
  3. Type a name for the policy.
  4. Select Enabled or Disabled to indicate whether the policy is enabled.
  5. For Operation Mode, select one of the following:

    - Automatically Trust IP Assignments on Their First Use: Select this option to trust all IP assignments upon initial registration with the NSX Manager.
    - Manually Inspect and Approve All IP Assignments Before Use: Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.

  6. Click Allow local address as valid address in this namespace to allow local IP addresses in your setup.

    When you power on a virtual machine and it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.

  7. Click Next.
  8. To specify the scope for the policy, click Add and select the networks, distributed port groups, or logical switches that this policy should apply to.

    A port group or logical switch can belong to only one SpoofGuard policy.

  9. Click OK and then click Finish.
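The following is an added example, not VMware code and not the NSX API: a pre-change review of a planned set of SpoofGuard policies that finds networks scoped into more than one policy, resolves which policy governs each network, and models how an observed IP address is treated. The dictionary layout, mode labels, policy names and network names are hypothetical, the default policy's settings are constructed, and "local IP address" is assumed to mean a link-local address.

```python
from ipaddress import ip_address

# Hypothetical labels for the two operation modes in step 5.
TOFU, MANUAL = "trust_on_first_use", "manual_approval"

# Constructed sample plan. Names and network IDs are illustrative only;
# the default policy's settings here are assumed, so check your own.
DEFAULT = {"name": "Default Policy", "enabled": True, "mode": TOFU,
           "allow_local": False, "scope": []}
PLAN = [
    {"name": "pci-manual", "enabled": True, "mode": MANUAL,
     "allow_local": False, "scope": ["ls-web", "ls-db"]},
    {"name": "lab-tofu", "enabled": True, "mode": TOFU,
     "allow_local": True, "scope": ["pg-lab", "ls-db"]},
]

def scope_conflicts(plan):
    """Networks listed in more than one policy (only one is permitted)."""
    owners = {}
    for policy in plan:
        for net in policy["scope"]:
            owners.setdefault(net, []).append(policy["name"])
    return {net: names for net, names in owners.items() if len(names) > 1}

def effective_policy(network, plan, default=DEFAULT):
    """Policy governing a network; uncovered networks get the default policy."""
    for policy in plan:
        if network in policy["scope"]:
            return policy
    return default

def verdict(policy, ip, approved=False):
    """Model of how an observed IP is treated under the given policy."""
    if not policy["enabled"]:
        return "not-enforced"   # assumption: a disabled policy enforces nothing
    # Assumption: the "local IP address" of step 6 is a link-local address.
    if ip_address(ip).is_link_local and not policy["allow_local"]:
        return "ignored"        # local address not valid in this namespace
    if policy["mode"] == MANUAL and not approved:
        return "blocked"        # traffic blocked until the address is approved
    return "trusted"

if __name__ == "__main__":
    print("scope conflicts:", scope_conflicts(PLAN))
    for net in ("ls-web", "pg-lab", "pg-unscoped"):
        print(net, "->", effective_policy(net, PLAN)["name"])
    print(verdict(PLAN[0], "10.0.0.5"), verdict(DEFAULT, "169.254.10.20"))
```

Running the review before step 8 shows which networks would be rejected as already scoped and which would silently remain under the default policy.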

What to do next

You can edit a policy by clicking the Edit icon and delete a policy by clicking the Delete icon.