Standalone Edge in L2VPN setup GARP reply is allowed by default



Article ID: 327359




VMware NSX Networking


The workload VM refreshes its ARP table entry for the gateway, so the workload VM ends up holding a wrong MAC address for its gateway.


VMware NSX for vSphere 6.4.x


This is a known issue affecting VMware NSX for vSphere 6.4.x.

This issue is resolved in VMware NSX for vSphere 6.4.2.

To work around this issue, add a filter for the GARP reply on the standalone Edge.
  1. This policy is added by editing a file in /opt/vmware/vshield/Plugins/configurators/arptables.

    The new entry that should be added to the createL2vpnArpRules subroutine (the push line marked NEW ENTRY adds an arptables FORWARD rule that drops the GARP reply sourced from the egress IP $ip, so it is no longer forwarded across the L2VPN):
    sub createL2vpnArpRules{
        my ($dev, $ip) = @_;
        my @cmds = ();
        push @cmds, "-A FORWARD -s $ip -p 2 -j DROP";   # <--- NEW ENTRY
  2. Restart the standalone Edge so that the rule for the egress IP appears in the output of arptables -L.

Additional Information

If there is any GARP reply from the gateway IP, this reply is allowed through the L2VPN by default. The GARP reply poisons the ARP table entries on all the workloads and can cause traffic disruption. This issue is seen when an HA failover of the FHRP IP occurs in the physical environment.

Note: When egress optimization is not configured, the above scenario is expected behaviour.
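As an added illustration that is not part of the KB article or of NSX code: a Python model of the ARP payload, of what the workaround rule drops (an ARP reply sourced from the egress IP), and of a check that flags the GARP replies described under Additional Information, i.e. replies for the gateway IP that re-point the gateway MAC on the workloads. The egress/gateway IP 10.0.0.1, the MAC addresses and the frames are constructed sample values.

```python
import struct
from dataclasses import dataclass

ARP_REPLY = 2  # ARP opcode for a reply; a GARP reply is a reply with sender IP == target IP

@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # Gratuitous ARP: the sender announces its own IP as the target
        return self.sender_ip == self.target_ip

def parse_arp(payload: bytes) -> Arp:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (Ethernet header already stripped)."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(op, mac(smac), ip(sip), mac(tmac), ip(tip))

def dropped_by_l2vpn_rule(arp: Arp, egress_ip: str) -> bool:
    """Model of the KB rule '-A FORWARD -s <egress_ip> -p 2 -j DROP': ARP replies
    sourced from the egress IP are dropped instead of being forwarded across the L2VPN."""
    return arp.opcode == ARP_REPLY and arp.sender_ip == egress_ip

def poisoning_alerts(frames, gateway_ip: str, gateway_mac: str) -> list:
    """Flag GARP replies for the gateway IP whose MAC differs from the MAC the workloads
    should hold for the gateway: the ARP-cache poisoning symptom the KB describes."""
    alerts = []
    for arp in map(parse_arp, frames):
        if (arp.opcode == ARP_REPLY and arp.is_gratuitous
                and arp.sender_ip == gateway_ip and arp.sender_mac != gateway_mac):
            alerts.append(f"GARP reply for {gateway_ip} from {arp.sender_mac}, expected {gateway_mac}")
    return alerts

def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Build constructed sample ARP payloads for testing (not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(smac), ip(sip), mac(tmac), ip(tip))
```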