NSX | IP Discovery

NSX needs to know the IP address of every VM it protects. To learn a VM's IP address, it uses the methods below:

- VMware Tools installed on every VM
- DHCP Snooping (Enabled on host cluster)
- ARP Snooping (Enabled on host cluster)

More than one method can be enabled at the same time, and the discovered IP addresses are used by NSX Manager in the following operations/tasks:

- Firewall Rules
- Spoofguard

IP Discovery with VMware Tools-

VMware Tools includes a thin agent that must be installed on each and every VM that needs to be protected.
A virtual machine with VMware Tools installed is automatically protected whenever it is powered on on any ESXi host that has the NSX VIBs installed.
Protected virtual machines retain their security protection through shutdown and restart, and even after a vMotion move to another host with the NSX VIBs installed.
If VMware Tools is not installed, the other methods, DHCP snooping and ARP snooping, can be used instead.

IP Discovery with DHCP Snooping-

As you already know, DHCP snooping can discover a VM's IP address without VMware Tools installed. The four broadcast frames that DHCP uses to provide an IP address (DORA: Discover, Offer, Request, Acknowledge) are visible to the logical switch or distributed port group as they are processed. The assigned IP address is then mapped to the vNIC, and NSX Manager can use this mapping when applying firewall rules to this object.

DHCP snooping can be enabled or disabled on each cluster.

IP Discovery with ARP Snooping-

ARP snooping can also be used when VMware Tools is not installed in the guest OS. The ARP requests and ARP replies that pass through the logical switch are read, and the IP addresses in them are associated with the vNIC. NSX Manager can use this association when applying firewall rules to this object.
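To make the DHCP and ARP snooping mechanisms concrete, here is an added example (not code from the original post, and not VMware's implementation) of a small IP-discovery table that learns vNIC-to-IP bindings from DHCP ACK payloads and from ARP requests/replies. It assumes the vNIC's MAC address can stand in for the vNIC identity, it uses sample frames constructed inline rather than captured traffic, and the way it records a vNIC later claiming a different IP as a conflict is an assumed policy for this example only.

```python
import struct
from dataclasses import dataclass

# Constructed example: learn vNIC (MAC) -> IP bindings from snooped DHCP and ARP,
# as a stand-in for the snooping described in the post. Not VMware code.
DHCP_MAGIC = b"\x63\x82\x53\x63"   # BOOTP/DHCP options magic cookie (RFC 2131)
DHCP_ACK = 5                       # option 53 (message type) value for DHCPACK
ETHERTYPE_ARP = b"\x08\x06"

@dataclass
class Binding:
    ip: str
    source: str   # "dhcp" or "arp": which snooping method learned the binding

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_dhcp_ack(payload: bytes):
    """Return (client_mac, assigned_ip) for a DHCPACK payload, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    if op != 2 or hlen != 6:          # 2 = BOOTREPLY; only Ethernet MACs handled
        return None
    yiaddr = payload[16:20]           # "your" IP address: the address being assigned
    chaddr = payload[28:28 + hlen]    # client hardware address (the vNIC MAC)
    msg_type, i = None, 240           # TLV options follow the magic cookie
    while i < len(payload):
        opt = payload[i]
        if opt == 255:                # end option
            break
        if opt == 0:                  # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        if opt == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    if msg_type != DHCP_ACK:
        return None
    return mac_str(chaddr), ip_str(yiaddr)

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/ARP IPv4 frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[22:28]), ip_str(frame[28:32]), opcode

class DiscoveryTable:
    """vNIC MAC -> Binding, plus the IP conflicts observed while learning."""
    def __init__(self):
        self.bindings = {}
        self.conflicts = []   # (mac, known_ip, claimed_ip, source)

    def learn(self, mac, ip, source) -> bool:
        known = self.bindings.get(mac)
        if known is None:
            self.bindings[mac] = Binding(ip, source)
            return True
        if known.ip != ip:
            # Assumed policy for this example: a vNIC claiming a different IP is
            # recorded as a conflict instead of silently overwriting the binding.
            self.conflicts.append((mac, known.ip, ip, source))
            return False
        return True

    def observe_dhcp(self, payload):
        parsed = parse_dhcp_ack(payload)
        if parsed:
            self.learn(parsed[0], parsed[1], "dhcp")
        return parsed

    def observe_arp(self, frame):
        parsed = parse_arp(frame)
        if parsed:   # requests (opcode 1) and replies (2) both carry sender MAC/IP
            self.learn(parsed[0], parsed[1], "arp")
        return parsed

# Builders for the constructed sample traffic used by run_demo (not captured data).
def build_dhcp_ack(client_mac, assigned_ip, xid=0x3903F326):
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4 + assigned_ip + b"\x00" * 8        # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac + b"\x00" * 10 + b"\x00" * 192      # chaddr (16 bytes), sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, DHCP_ACK, 255])

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    dst = target_mac if opcode == 2 else b"\xff" * 6      # requests are broadcast
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return dst + sender_mac + ETHERTYPE_ARP + arp + sender_mac + sender_ip + target_mac + target_ip

def run_demo() -> DiscoveryTable:
    vm_a, ip_a = bytes.fromhex("005056a1b2c3"), bytes([10, 0, 0, 25])   # constructed MACs/IPs
    vm_b, ip_b = bytes.fromhex("005056d4e5f6"), bytes([10, 0, 0, 30])
    gw_mac, gw_ip = bytes.fromhex("005056000001"), bytes([10, 0, 0, 1])
    table = DiscoveryTable()
    table.observe_dhcp(build_dhcp_ack(vm_a, ip_a))                            # VM A learned via DHCP
    table.observe_arp(build_arp(1, vm_b, ip_b, b"\x00" * 6, gw_ip))           # VM B seen only in an ARP request
    table.observe_arp(build_arp(2, vm_a, ip_a, gw_mac, gw_ip))                # consistent with the DHCP binding
    table.observe_arp(build_arp(2, vm_a, bytes([10, 0, 0, 99]), gw_mac, gw_ip))  # VM A claims another IP
    return table

if __name__ == "__main__":
    t = run_demo()
    for mac, b in t.bindings.items():
        print(f"{mac} -> {b.ip} (learned via {b.source})")
    for c in t.conflicts:
        print("conflict:", c)
```

Running the block prints one binding per vNIC with the method that learned it, and one conflict entry for the vNIC whose later ARP reply disagreed with its DHCP-assigned address; a hypervisor-side snooper works on the same data, it just reads the frames from the logical switch instead of from constructed bytes.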

Please note that SpoofGuard is a feature that, in some cases, can prevent ARP snooping in a virtual environment.

Happy Learning Friends!

Thank you,
Team vCloudNotes
