A Cloud VM cannot communicate with an OnPrem VM over an L2E (Layer 2 extended) segment.
In packet captures taken on both the Cloud and OnPrem NE appliances, the ARP requests from OnPrem and the ARP replies from Cloud are both visible on the OnPrem NE appliance's vNIC interface attached to the extended segment. This shows that the data path across the L2E is working: the return packets from Cloud arrive at the OnPrem NE appliance, but they never reach the OnPrem VM.
When the DVS port-group security policies "MAC address changes" and "Forged transmits" are not configured correctly, the following error messages may appear in the HCX Network Extension appliance logs:
[Err-macUpdate] : Cannot send mac entries: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp <IP_ADDRESS>:8182: connect: connection refused"
or
[Err-macUpdate] : Failed to stream update: rpc error: code = DeadlineExceeded desc = context deadline exceeded
Log Locations:
/var/log/messages* on the NE appliances
<bundle>/HCX/<appliance-name>-NE-*/var/log/messages* in a collected log bundle
Note: The presence of these [Err-macUpdate] messages together with L2 extension connectivity issues is a strong indicator that the DVS port-group security policies need to be reviewed and updated.
VMware HCX
When using HCX-NE to extend VLAN port groups on a DVS (Distributed Virtual Switch), the "MAC address changes" and "Forged transmits" policies on the extended DVS port group must both be set to Accept. Otherwise, a packet originating from a Cloud VM can reach the OnPrem NE appliance's sink port attached to the extended segment, but it is dropped by the DVS port group itself and never reaches the OnPrem VM.
The difference between the MAC Address Changes and Forged Transmits security settings is the direction of the traffic they police. MAC Address Changes governs traffic a vNIC receives: when it is set to Reject, the DVS stops delivering frames to a port whose effective MAC address no longer matches the initial MAC address in the VM's configuration, so frames from the HCX NE vNIC are not passed through the DVS to the virtual machine. Forged Transmits governs traffic a vNIC sends: when it is set to Reject, the DVS drops any frame leaving the virtual machine whose source MAC address differs from the vNIC's effective MAC address. The NE appliance's sink port bridges frames on behalf of the Cloud VMs, so it sends frames with source MACs that are not its own and must receive frames addressed to those MACs; with either policy at Reject, the bridged traffic is silently discarded at the port group.
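The two checks a practitioner wants here are a quick triage of the NE appliance logs for the [Err-macUpdate] signature, and an audit and fix of the port group's security policy. The script below is an added example, not VMware or HCX tooling: the log lines are constructed to match the shapes quoted above (timestamps, host names and the 10.0.0.5 peer are made up), the sample policy object mimics the pyVmomi DVSSecurityPolicy shape, and the live vCenter part (pyVmomi, `SmartConnect`, the vcenter.example.com host, credentials and the "VLAN100-PG" port-group name) is assumed and only runs when you supply your own values.

```python
"""Triage HCX NE L2E problems: log signature scan plus DVS port-group policy audit.

Added example, not VMware/HCX code. Offline parts: triage_mac_update_errors()
and audit_security_policy(). Online parts need pyVmomi and a vCenter session.
"""
import re
from collections import Counter
from types import SimpleNamespace

# Constructed log lines in the shape the article quotes; not a real capture.
SAMPLE_LOG = """\
2024-05-01T10:15:02 hcx-ne-01 app-engine: [Err-macUpdate] : Cannot send mac entries: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp 10.0.0.5:8182: connect: connection refused"
2024-05-01T10:15:07 hcx-ne-01 app-engine: [Err-macUpdate] : Failed to stream update: rpc error: code = DeadlineExceeded desc = context deadline exceeded
2024-05-01T10:15:09 hcx-ne-01 app-engine: [Info] : tunnel 1 state UP
"""

# Constructed stand-in for pg.config.defaultPortConfig.securityPolicy
# (pyVmomi BoolPolicy objects expose .value; True means Accept, False means Reject).
SAMPLE_REJECT_POLICY = SimpleNamespace(
    macChanges=SimpleNamespace(value=False),
    forgedTransmits=SimpleNamespace(value=True),
)

MAC_UPDATE_RE = re.compile(r"\[Err-macUpdate\].*?code = (?P<code>\w+)")
PEER_RE = re.compile(r"dial tcp (?P<peer>[\d.]+:\d+)")


def triage_mac_update_errors(text):
    """Count [Err-macUpdate] lines per gRPC status code and collect dial peers."""
    codes = Counter()
    peers = set()
    for line in text.splitlines():
        m = MAC_UPDATE_RE.search(line)
        if not m:
            continue
        codes[m.group("code")] += 1
        p = PEER_RE.search(line)
        if p:
            peers.add(p.group("peer"))
    return {"codes": dict(codes), "peers": sorted(peers)}


def audit_security_policy(policy):
    """Return the settings that are not Accept and must be changed for HCX NE."""
    wanted = {
        "macChanges": policy.macChanges.value,
        "forgedTransmits": policy.forgedTransmits.value,
    }
    return sorted(name for name, value in wanted.items() if value is not True)


def find_portgroup(si, name):
    """Look up a DVS port group by name through the vSphere API (online only)."""
    from pyVmomi import vim  # assumed dependency, imported lazily
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(
        content.rootFolder, [vim.dvs.DistributedVirtualPortgroup], True)
    try:
        return next(pg for pg in view.view if pg.name == name)
    finally:
        view.Destroy()


def set_security_accept(pg):
    """Set MAC address changes and Forged transmits to Accept on the port group.

    The existing defaultPortConfig is passed back with only the two security
    settings changed, so VLAN and teaming settings are left untouched.
    """
    from pyVmomi import vim
    spec = vim.dvs.DistributedVirtualPortgroup.ConfigSpec()
    spec.configVersion = pg.config.configVersion  # required optimistic lock
    port_cfg = pg.config.defaultPortConfig
    port_cfg.securityPolicy.macChanges = vim.BoolPolicy(value=True)
    port_cfg.securityPolicy.forgedTransmits = vim.BoolPolicy(value=True)
    spec.defaultPortConfig = port_cfg
    return pg.ReconfigureDVPortgroup_Task(spec)


if __name__ == "__main__":
    print("log triage:", triage_mac_update_errors(SAMPLE_LOG))
    print("offline audit:", audit_security_policy(SAMPLE_REJECT_POLICY))
    # Online part; host, credentials and port-group name are placeholders.
    from pyVim.connect import SmartConnect, Disconnect
    si = SmartConnect(host="vcenter.example.com",
                      user="administrator@vsphere.local", pwd="changeme")
    try:
        pg = find_portgroup(si, "VLAN100-PG")
        missing = audit_security_policy(pg.config.defaultPortConfig.securityPolicy)
        print("needs Accept:", missing)
        if missing:
            task = set_security_accept(pg)
            print("reconfigure task started:", task.info.key)
    finally:
        Disconnect(si)
```

Run the offline part first against the messages files pulled from the NE appliance or bundle; a non-empty `codes` result alongside a broken L2E is the trigger for the port-group audit. `set_security_accept` changes the port group's default policy, which affects every port in it, not only the NE sink port, so review the other VMs on that port group before applying it.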