Traffic bypassing SVMs after vMotion in NSX-T


Article ID: 311841


Products

VMware NSX

Issue/Introduction

A guest VM is connected to an NSX-T segment and integrated with a third-party SVM for traffic processing. After the guest VM is vMotioned, its traffic is no longer redirected to the SVM for processing and bypasses it completely.

The guest VM needs to start a new session for its traffic to be redirected to the SVM for processing again.

This can be verified by running the esxtop command on the ESXi host where the SVM resides and pressing n for the networking view to confirm whether traffic is going through the SVM interface.

Environment

VMware NSX-T Data Center

Cause

During guest VM vMotion, NSX is not able to learn the IP address of the VM because the VMware Tools service is stopped and started again after vMotion completes. Therefore, guest VM traffic does not match the security policies and is not redirected to the SVM for processing during this time.

Resolution

This is a known issue in NSX-T 3.x. DHCP snooping and VM tools are vMotion aware from NSX-T 4.1.1.

Workaround
Create a new IP discovery profile, disable DHCP snooping and enable ARP snooping while keeping everything else at the default. Apply it to the NSX segment. This allows NSX to also learn the IP address of the guest VM via ARP snooping rather than relying only on VMware Tools running.

Please refer to KB below for more details.
IP not discovered by ARP snooping when DHCP snooping is enabled
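
To confirm which segments actually carry a profile matching the workaround, exported configuration can be audited offline. The following is an added example, not code from this KB or from VMware; the JSON field names are assumed from the NSX Policy API IPDiscoveryProfile object and should be verified against the API reference for your release, and all profile and segment names are constructed.

```python
import json

# Constructed sample, shaped like IPDiscoveryProfile objects exported from the
# NSX Policy API. Field names are an assumption to verify for your release.
SAMPLE_PROFILES = json.loads("""
[
  {"id": "default-ip-discovery-profile",
   "ip_v4_discovery_options": {
     "arp_snooping_config": {"arp_snooping_enabled": true, "arp_binding_limit": 1},
     "dhcp_snooping_enabled": true, "vmtools_enabled": true}},
  {"id": "svm-redirect-ipd",
   "ip_v4_discovery_options": {
     "arp_snooping_config": {"arp_snooping_enabled": true, "arp_binding_limit": 1},
     "dhcp_snooping_enabled": false, "vmtools_enabled": true}}
]
""")

# Constructed mapping of segment id -> bound IP discovery profile id.
SAMPLE_BINDINGS = {
    "seg-web": "default-ip-discovery-profile",
    "seg-app": "svm-redirect-ipd",
    "seg-db": "deleted-profile",
}

def profile_findings(profile):
    """Return the ways a profile deviates from the workaround ([] means OK)."""
    v4 = profile.get("ip_v4_discovery_options", {})
    arp = v4.get("arp_snooping_config", {})
    findings = []
    # A missing key is treated as non-compliant so gaps are reviewed by hand.
    if v4.get("dhcp_snooping_enabled", True):
        findings.append("DHCP snooping enabled")
    if not arp.get("arp_snooping_enabled", False):
        findings.append("ARP snooping disabled")
    return findings

def audit_segments(bindings, profiles):
    """Map each segment to the findings for the profile bound to it."""
    by_id = {p["id"]: p for p in profiles}
    report = {}
    for segment, profile_id in sorted(bindings.items()):
        profile = by_id.get(profile_id)
        report[segment] = (["profile not found"] if profile is None
                           else profile_findings(profile))
    return report

if __name__ == "__main__":
    for segment, findings in audit_segments(SAMPLE_BINDINGS, SAMPLE_PROFILES).items():
        print(segment, "OK" if not findings else "; ".join(findings))
```

Segments reported with findings are the ones where guest VM traffic can still miss redirection to the SVM after vMotion on NSX-T 3.x.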