IP not discovered by ARP snooping when DHCP snooping is enabled
Article ID: 316294

Products

VMware NSX

Issue/Introduction

This article makes users aware that DHCP snooping can implicitly disable ARP snooping, so that workflows relying on TOFU (Trust On First Use) and ARP snooping do not work as expected. For example, NSX Distributed and Gateway Firewalls drop VM traffic during vMotion or Storage vMotion when IP discovery is through VM Tools; the workarounds for that problem may not work if DHCP snooping is enabled.

Symptoms:
1. DHCP snooping and ARP snooping are both enabled (this is the case in the default profile).
2. The VM's IP is only discovered/realized as a DHCP-discovered IP, not as an ARP-discovered IP.

Environment

VMware NSX
VMware NSX-T Data Center

Cause

DHCP snooping has a higher priority than ARP snooping. When DHCP is used and DHCP snooping has picked up an IP, ARP snooping does not report the same IP (because a more trusted IP discovery method already reports it), so TOFU is not applied to that IP.

Resolution

DHCP being prioritized over ARP is by design in NSX-T. This behavior holds for all NSX-T versions.

Workaround:
Disable DHCP snooping in the IP discovery profile if a TOFU-based workflow is required.

Steps to Disable DHCP Snooping in the IP Discovery Profile
1. Create a new IP Discovery Profile.
2. Set the ARP binding limit to the required number of ARP bindings. The default limit is 1; if the VM has a VIP, it should be at least 2.
3. Networking --> Segments --> Segment Profiles --> ADD SEGMENT PROFILE --> IP Discovery --> set DHCP Snooping to Disabled --> leave the other settings at their defaults --> Save.
   Documentation: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-9AED56D8-B5AE-4711-952E-B3E7DEECBC8F.html
4. Apply the newly created IP Discovery Profile to the Segment.
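The same profile and segment binding can also be created through the NSX-T Policy API instead of the UI. The Python script below is an added example, not VMware's code and not part of this article. It assumes the Policy API paths /policy/api/v1/infra/ip-discovery-profiles/{id} and /policy/api/v1/infra/segments/{segment-id}/segment-discovery-profile-binding-maps/{map-id}; the manager address, credentials, profile ID, segment ID and binding-map ID are placeholders, and the "default profile" dictionary is a constructed sample that mirrors what this article says about the default settings. It also includes a small check that flags any profile in which DHCP snooping and ARP snooping are both enabled, which is exactly the condition under which DHCP-learned IPs bypass ARP snooping and TOFU.

```python
"""Added example (not VMware's code): create an NSX-T IP Discovery Profile with
DHCP snooping disabled via the Policy API, bind it to a segment, and flag
profiles in which DHCP snooping would mask ARP snooping / TOFU.

Placeholders (not from the article): manager address, credentials,
profile ID, segment ID and binding-map ID.
"""
import base64
import json
import os
import urllib.request

NSX_MANAGER = os.environ.get("NSX_MANAGER", "nsx-manager.example.invalid")  # placeholder
PROFILE_ID = "ipdp-arp-only"      # placeholder: ID of the new IP Discovery Profile
SEGMENT_ID = "app-segment"        # placeholder: existing segment to rebind
BINDING_MAP_ID = "default"        # placeholder: binding-map ID under the segment

# Constructed sample mirroring the article's description of the default profile:
# DHCP snooping and ARP snooping both enabled, ARP binding limit 1.
DEFAULT_PROFILE_SAMPLE = {
    "resource_type": "IPDiscoveryProfile",
    "display_name": "default-ip-discovery-profile",
    "tofu_enabled": True,
    "ip_v4_discovery_options": {
        "arp_snooping_config": {"arp_snooping_enabled": True, "arp_binding_limit": 1},
        "dhcp_snooping_enabled": True,
        "vmtools_enabled": True,
    },
}


def dhcp_snooping_masks_arp(profile):
    """True when IPv4 DHCP snooping and ARP snooping are both enabled: in that
    state a DHCP-learned IP is never reported by ARP snooping, so TOFU is not
    applied to it (the behaviour this article describes)."""
    v4 = profile.get("ip_v4_discovery_options", {})
    arp = v4.get("arp_snooping_config", {})
    return bool(v4.get("dhcp_snooping_enabled")) and bool(arp.get("arp_snooping_enabled"))


def build_ip_discovery_profile(profile_id=PROFILE_ID, arp_binding_limit=2):
    """IPDiscoveryProfile body: ARP snooping on with the given binding limit,
    DHCP snooping off. Fields not set here keep the server-side defaults
    ("leave the other settings at their defaults")."""
    if arp_binding_limit < 1:
        raise ValueError("arp_binding_limit must be at least 1")
    return {
        "resource_type": "IPDiscoveryProfile",
        "display_name": profile_id,
        "tofu_enabled": True,
        "ip_v4_discovery_options": {
            "arp_snooping_config": {
                "arp_snooping_enabled": True,
                # Default is 1; a VM that also answers for a VIP needs at least 2.
                "arp_binding_limit": arp_binding_limit,
            },
            "dhcp_snooping_enabled": False,
            "vmtools_enabled": True,
        },
    }


def build_segment_binding(profile_id=PROFILE_ID):
    """SegmentDiscoveryProfileBindingMap body pointing the segment at the profile."""
    return {
        "resource_type": "SegmentDiscoveryProfileBindingMap",
        "ip_discovery_profile_path": f"/infra/ip-discovery-profiles/{profile_id}",
    }


def policy_patch(path, body, username, password):
    """PATCH a Policy API path with HTTP basic auth; TLS verification stays on."""
    url = f"https://{NSX_MANAGER}/policy/api/v1{path}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status


def apply_workaround(username, password, arp_binding_limit=2):
    """Create the profile, verify it does not mask ARP/TOFU, then bind it."""
    profile = build_ip_discovery_profile(PROFILE_ID, arp_binding_limit)
    if dhcp_snooping_masks_arp(profile):
        raise RuntimeError("profile still has DHCP and ARP snooping both enabled")
    policy_patch(f"/infra/ip-discovery-profiles/{PROFILE_ID}", profile, username, password)
    policy_patch(
        f"/infra/segments/{SEGMENT_ID}/segment-discovery-profile-binding-maps/{BINDING_MAP_ID}",
        build_segment_binding(PROFILE_ID), username, password,
    )


if __name__ == "__main__":
    # Dry run: show the check and the payloads without contacting any manager.
    print("default profile masks ARP/TOFU:", dhcp_snooping_masks_arp(DEFAULT_PROFILE_SAMPLE))
    print(json.dumps(build_ip_discovery_profile(), indent=2))
    print(json.dumps(build_segment_binding(), indent=2))
```

Run it as-is for a dry run that prints the two request bodies; call `apply_workaround(user, password)` only after pointing `NSX_MANAGER` at a manager whose certificate your host trusts. The `dhcp_snooping_masks_arp` check can also be run against profiles fetched with GET from the same endpoint to audit which existing profiles still have both snooping methods enabled.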

[Screenshot: Default IP Discovery Profile with DHCP Snooping Enabled]

[Screenshot: Newly created IP Discovery Profile with DHCP Snooping Disabled]


Additional Information

Impact/Risks:
The IP address bound to the Group (dynamic IP-to-VM binding) will not be correctly applied to the DFW and Gateway Firewall rules, resulting in communication issues. Traffic that arrives while the address set is different is processed according to the address set configured at the time the traffic arrives; therefore a different rule may well be hit, depending on how the rule set and address sets are written.