Standalone Edge in L2VPN setup GARP reply is allowed by default

Article ID: 327359


Products

VMware NSX

Issue/Introduction

Symptoms:
The workload VM refreshes its ARP entry for the gateway and ends up with the wrong MAC address for its gateway.

Environment

VMware NSX for vSphere 6.4.x

Resolution

This is a known issue affecting VMware NSX for vSphere 6.4.x.

This issue is resolved in VMware NSX for vSphere 6.4.2.

Workaround:
To work around this issue, add a filter for the GARP reply on the standalone Edge.
  1. Add the policy by editing the file /opt/vmware/vshield/Plugins/configurators/arptables.

     The new policy that should be added (the marked push is the new entry):

     sub createL2vpnArpRules {
         my ($dev, $ip) = @_;
         my @cmds = ();
         # <--- NEW ENTRY: drop GARP replies sourced from the gateway IP
         push @cmds, "-A FORWARD -s $ip -p 2 -j DROP";

  2. Restart the standalone Edge so that the egress IP is included in the arptables -L output.

Additional Information

Impact/Risks:
Any GARP reply from the gateway IP is allowed through the L2VPN by default. Such a GARP reply poisons the ARP table entries on all the workloads and can cause traffic disruption. This issue is seen when there is an HA failover of the FHRP IP in the physical environment.

Note: When egress optimization is not configured, the behaviour described above is expected.
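The following is an added example, not code from the KB article or from the NSX arptables plugin. It parses raw ARP frames and applies the same verdict as the workaround rule above, read as "drop ARP replies (opcode 2) whose source IP is the gateway IP, forward everything else", and it flags which of those replies are gratuitous (sender IP equal to target IP), which is the poisoning case from the Impact/Risks section. The gateway IP, MAC addresses and sample frames are constructed for illustration; the interpretation of "-p 2" as the ARP reply opcode is an assumption.

```python
"""Added example (not from the KB article): parse ARP frames and apply the
L2VPN filter logic described in the workaround.  All addresses and frames
below are constructed sample data."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed gateway IP (the FHRP virtual IP in the physical environment).
GATEWAY_IP = "10.0.0.1"


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own mapping: sender IP == target IP.
        return self.sender_ip == self.target_ip


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying ARP (EtherType 0x0806) for Ethernet/IPv4."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    body = frame[22:42]
    sha, spa, tha, tpa = body[0:6], body[6:10], body[10:16], body[16:20]
    return ArpPacket(opcode, _fmt_mac(sha), str(IPv4Address(spa)),
                     _fmt_mac(tha), str(IPv4Address(tpa)))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str,
              dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Build a constructed test frame (helper for the samples below)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += _mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def l2vpn_forward_verdict(pkt: ArpPacket, gateway_ip: str) -> str:
    """Mirror the workaround rule "-A FORWARD -s <gateway_ip> -p 2 -j DROP":
    any ARP reply whose source IP is the gateway IP is dropped on the L2VPN
    FORWARD path; requests and replies from other hosts are accepted."""
    if pkt.opcode == ARP_REPLY and pkt.sender_ip == gateway_ip:
        return "DROP"
    return "ACCEPT"


def filter_frames(frames, gateway_ip):
    """Return (packet, verdict) pairs for every frame, as the filter would see them."""
    out = []
    for frame in frames:
        pkt = parse_arp(frame)
        out.append((pkt, l2vpn_forward_verdict(pkt, gateway_ip)))
    return out


# Constructed sample traffic crossing the L2VPN after an FHRP failover:
SAMPLE_FRAMES = [
    # 1. Gratuitous reply from the new active gateway: the poisoning case.
    build_arp(ARP_REPLY, "00:00:5e:00:01:02", GATEWAY_IP, "00:00:5e:00:01:02", GATEWAY_IP),
    # 2. Ordinary reply from the gateway to a workload's request.
    build_arp(ARP_REPLY, "00:00:5e:00:01:02", GATEWAY_IP, "02:42:ac:11:00:05", "10.0.0.50",
              dst_mac="02:42:ac:11:00:05"),
    # 3. Request from the gateway (who-has 10.0.0.50): not a reply, forwarded.
    build_arp(ARP_REQUEST, "00:00:5e:00:01:02", GATEWAY_IP, "00:00:00:00:00:00", "10.0.0.50"),
    # 4. Reply from a non-gateway host: forwarded.
    build_arp(ARP_REPLY, "02:42:ac:11:00:07", "10.0.0.70", "02:42:ac:11:00:05", "10.0.0.50",
              dst_mac="02:42:ac:11:00:05"),
]


if __name__ == "__main__":
    for pkt, verdict in filter_frames(SAMPLE_FRAMES, GATEWAY_IP):
        kind = "reply" if pkt.opcode == ARP_REPLY else "request"
        flag = " (gratuitous)" if pkt.is_gratuitous else ""
        print(f"{verdict:6} {kind}{flag} {pkt.sender_ip} is-at {pkt.sender_mac} -> {pkt.target_ip}")
```

Note that the rule drops every ARP reply sourced from the gateway IP, not only gratuitous ones. With egress optimization the local Edge answers for the gateway IP on its own side, so replies for that IP have no reason to traverse the L2VPN and filtering them is safe; without egress optimization the article states this traffic is expected, and the filter should not be applied.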