Unicast traceflow packet is delivered to multiple virtual machines in NSX-T Data Center 2.4.x and later versions
Article ID: 327362

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
Traceflow packet is delivered to multiple virtual machines even if the source and destination VMs are explicitly specified.

Environment

VMware NSX-T Data Center
VMware NSX-T Data Center 2.x

Cause

This behaviour occurs because the NSX datapath decides where a packet goes by querying two tables: the logical switch MAC table and the N-VDS MAC table.

The logical switch MAC table determines which remote TEP the packet is sent to. If there is no entry for the destination MAC, the packet is replicated to the remote TEPs (or, with hierarchical two-tier replication, to the MTEPs of the other L2 segments) according to the replication mode configured for that logical switch, so more than one transport node receives a copy.

The N-VDS MAC table determines which switch port(s) the packet is sent to. If MAC learning and unknown unicast flooding are enabled on the N-VDS (via the MAC discovery segment profile) and there is no entry for the destination MAC, the packet is flooded to every port on that L2 network, so every VM on the segment receives a copy and traceflow reports a delivered observation for each of them.

Resolution

This is by design: traceflow injects a real packet into the NSX datapath, so its results reflect how the datapath actually forwards an unknown-unicast frame.

Workaround:
For flooding caused by logical switch replication, perform a second traceflow with the same request shortly after the first. Once the logical switch MAC table holds an entry for the destination MAC, the second run should yield only one delivered observation, provided the overlay and underlay network are configured correctly. In NSX-T 2.5.0 and newer versions, the traceflow output also includes a logical replication observation whenever the packet is replicated in logical forwarding, which tells you that the extra deliveries in the first run came from replication rather than from a misconfiguration.

For flooding caused by N-VDS flooding, first make sure the two endpoints exchange traffic in both directions (for example a TCP connection or an ICMP echo/reply exchange). The N-VDS learns MAC addresses from the source MAC of frames it receives, so the destination VM must itself send a frame before the N-VDS MAC table has an entry for it; traffic from the source VM alone is not enough. Then perform a second traceflow on the same request shortly afterwards; it should show only one delivered observation, provided the overlay and underlay network are configured correctly.
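The following Python script is an added example (not VMware's code and not part of this article) that automates the two-run check described in both workarounds above: it submits the same unicast traceflow twice through the NSX-T Manager REST API, counts the observations of each type, and reports whether the second run delivered to exactly one port. The manager address, credentials, logical port ID, MAC and IP addresses are placeholders; the API paths, request body and observation type names follow the NSX-T Manager API but should be checked against the release in use; the two observation lists at the end are constructed samples so the counting logic can run offline.

```python
"""Two-run traceflow check for unknown-unicast flooding (added example).

Not VMware code. API paths and field names follow the NSX-T Manager API
(POST /api/v1/traceflows, GET /api/v1/traceflows/{id},
GET /api/v1/traceflows/{id}/observations); verify them against your release.
Manager, credentials, port ID, MACs and IPs are placeholders; FIRST_RUN and
SECOND_RUN below are constructed samples, not captured from a real system.
"""
import base64
import json
import ssl
import time
import urllib.request
from collections import Counter

DELIVERED = "TraceflowObservationDelivered"
REPLICATION_LOGICAL = "TraceflowObservationReplicationLogical"  # reported from 2.5.0 on


def _api(manager, path, auth, body=None, insecure=False):
    """One JSON request to NSX Manager with basic auth; returns the parsed reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data,
                                 method="POST" if data else "GET")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if insecure:  # lab managers with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read())


def run_traceflow(manager, auth, lport_id, src_mac, dst_mac, src_ip, dst_ip,
                  insecure=False, poll_s=1.0, max_polls=30):
    """Inject one unicast, non-routed traceflow at lport_id and return its observations."""
    body = {
        "lport_id": lport_id,
        "packet": {
            "resource_type": "FieldsPacketData",
            "transport_type": "UNICAST",
            "routed": False,
            "eth_header": {"src_mac": src_mac, "dst_mac": dst_mac},
            "ip_header": {"src_ip": src_ip, "dst_ip": dst_ip},
        },
    }
    tf = _api(manager, "/api/v1/traceflows", auth, body, insecure)
    for _ in range(max_polls):  # wait until the packet has finished traversing
        state = _api(manager, f"/api/v1/traceflows/{tf['id']}", auth, insecure=insecure)
        if state.get("operation_state") == "FINISHED":
            break
        time.sleep(poll_s)
    return _api(manager, f"/api/v1/traceflows/{tf['id']}/observations", auth,
                insecure=insecure)["results"]


def count_by_type(observations):
    """Count observations by resource_type, e.g. how many ports got a Delivered."""
    return Counter(o["resource_type"] for o in observations)


def compare_runs(first, second):
    """Apply the article's check: the second run of the same request, sent shortly
    after the first, should deliver to exactly one port."""
    c1, c2 = count_by_type(first), count_by_type(second)
    verdict = {
        "first_delivered": c1[DELIVERED],
        "second_delivered": c2[DELIVERED],
        "first_replicated": c1[REPLICATION_LOGICAL] > 0,  # only visible on 2.5.0+
    }
    if c2[DELIVERED] == 1:
        verdict["result"] = "expected: first run was unknown-unicast flooding, MAC now learned"
    elif c2[DELIVERED] > 1:
        verdict["result"] = ("still flooding: check the replication mode, the MAC discovery "
                             "profile, and that the destination VM has sent traffic")
    else:
        verdict["result"] = "not delivered: check overlay/underlay connectivity"
    return verdict


def two_run_check(manager, auth, lport_id, src_mac, dst_mac, src_ip, dst_ip,
                  gap_s=2.0, insecure=False):
    """Run the same request twice a short time apart and compare them."""
    args = (manager, auth, lport_id, src_mac, dst_mac, src_ip, dst_ip)
    first = run_traceflow(*args, insecure=insecure)
    time.sleep(gap_s)  # short enough that learned MAC entries have not aged out
    second = run_traceflow(*args, insecure=insecure)
    return compare_runs(first, second)


# Constructed sample observations (only the resource_type field is used here).
FIRST_RUN = [
    {"resource_type": "TraceflowObservationForwarded"},
    {"resource_type": REPLICATION_LOGICAL},   # packet replicated in logical forwarding
    {"resource_type": DELIVERED},             # delivered to the intended VM ...
    {"resource_type": DELIVERED},             # ... and to an unrelated VM on the segment
]
SECOND_RUN = [
    {"resource_type": "TraceflowObservationForwarded"},
    {"resource_type": DELIVERED},             # MAC known now: one delivery only
]

if __name__ == "__main__":
    print(json.dumps(compare_runs(FIRST_RUN, SECOND_RUN), indent=2))
    # Live use (placeholders): two_run_check("nsx-mgr.example.net", ("admin", "pw"),
    #   "<logical-port-uuid>", "00:50:56:00:00:01", "00:50:56:00:00:02",
    #   "10.0.0.1", "10.0.0.2", insecure=True)
```

Against a live manager, pass the source VM's logical port ID and the two VMs' MAC and IP addresses to two_run_check(); for the N-VDS flooding case, generate the two-way traffic first, then call it. A second run that still reports more than one delivered observation means the MAC tables are still not populated, which points at the replication mode, the MAC discovery profile, or an overlay/underlay problem rather than at traceflow itself.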