Standalone Edge in L2VPN setup GARP reply is allowed by default
Article ID: 327359
Products
VMware NSX
Issue/Introduction
Symptoms: The workload VM refreshes its ARP table entry for the gateway, so the workload VM ends up with the wrong MAC address for its gateway.
Environment
VMware NSX for vSphere 6.4.x
Resolution
This is a known issue affecting VMware NSX for vSphere 6.4.x.
This issue is resolved in VMware NSX for vSphere 6.4.2.
Workaround: To work around this issue, add a filter for the GARP reply on the standalone Edge.
This policy is added by editing a file in /opt/vmware/vshield/Plugins/configurators/arptables.
The new entry to add (marked NEW ENTRY) in the sub createL2vpnArpRules:
sub createL2vpnArpRules {
    my ($dev, $ip) = @_;
    my @cmds = ();
    # NEW ENTRY: drop ARP replies (opcode 2, which includes GARP replies) whose sender IP is the gateway IP
    push @cmds, "-A FORWARD -s $ip -p 2 -j DROP";
    # rest of the sub as shipped
}
Restart the standalone Edge so that the egress IP appears in the rule list shown by arptables -L.
Additional Information
Impact/Risks: If the gateway IP sends a GARP reply, that reply is forwarded through the L2VPN by default. The GARP reply poisons the ARP table entries on all the workloads and can cause traffic disruption. This issue is seen when an HA failover of the FHRP IP occurs in the physical environment.
Note: When egress optimization is not configured, the above behaviour is expected.
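As an added illustration (not VMware's code, and not taken from the Edge), the following Python model shows what the arptables entry above does and why the symptom occurs: it parses constructed ARP frames, flags gratuitous replies, applies the same match as the rule (sender IP equal to the gateway IP, opcode 2) and shows how a workload's ARP entry for the gateway changes depending on whether the reply is forwarded. The gateway IP and MAC addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass
ARP_REQUEST, ARP_REPLY = 1, 2          # ARP opcodes; arptables '-p 2' matches replies
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
def _mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def _ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)
def _mac_bytes(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))
def _ip_bytes(s: str) -> bytes: return bytes(int(o) for o in s.split("."))

def parse_arp(frame: bytes) -> Arp:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (EtherType 0x0806)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    b = frame[22:42]
    return Arp(op, _mac_str(b[0:6]), _ip_str(b[6:10]), _mac_str(b[10:16]), _ip_str(b[16:20]))
def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build a constructed ARP frame for testing; requests and GARP go to broadcast."""
    dst = _mac_bytes(BROADCAST if op == ARP_REQUEST or sip == tip else tmac)
    hdr = dst + _mac_bytes(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + _mac_bytes(smac) + _ip_bytes(sip) + _mac_bytes(tmac) + _ip_bytes(tip)

def is_garp_reply(a: Arp) -> bool:
    """Gratuitous ARP reply: opcode 2 with sender IP == target IP, announcing a (new) MAC."""
    return a.opcode == ARP_REPLY and a.sender_ip == a.target_ip

def forward_verdict(a: Arp, gateway_ip: str) -> str:
    """Emulate '-A FORWARD -s <gateway_ip> -p 2 -j DROP' in front of the chain's default ACCEPT."""
    return "DROP" if (a.sender_ip == gateway_ip and a.opcode == ARP_REPLY) else "ACCEPT"

def workload_cache_after(cache: dict, a: Arp, verdict: str) -> dict:
    """Model a workload refreshing its ARP entry from any reply that crosses the L2VPN."""
    cache = dict(cache)
    if verdict == "ACCEPT" and a.opcode == ARP_REPLY:
        cache[a.sender_ip] = a.sender_mac    # the entry the GARP reply poisons
    return cache
GATEWAY_IP = "10.0.0.1"   # constructed: the FHRP gateway IP on the physical side
# Constructed GARP reply sent after an HA failover moved the FHRP IP to a new MAC.
GARP = build_arp(ARP_REPLY, "00:00:5e:00:01:02", GATEWAY_IP, BROADCAST, GATEWAY_IP)
```

The model also makes the rule's scope visible: it matches every ARP reply whose sender IP is the gateway IP, not only gratuitous ones, which is why it is meant for the egress-optimization case where workloads do not depend on replies from the remote gateway crossing the tunnel.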