Stale IPs in LSP Realized Bindings with TOFU Enabled result in wrong IP(s) present in the NSGroup, affecting DFW rule match
search cancel

Stale IPs in LSP Realized Bindings with TOFU Enabled result in wrong IP(s) present in the NSGroup, affecting DFW rule match

book

Article ID: 329047

calendar_today

Updated On:

Products

VMware NSX VMware vDefend Firewall

Issue/Introduction

The purpose is to inform the reader of required manual steps to handle IP change use case when TOFU is enabled. (TOFU is enabled by default currently).

Symptoms:

1. An IP discovery configuration with Trust on First Use(TOFU) is used.
2. Incorrect/stale IP is present in NS group which affects DFW rule match.
3. IP have changed on the port previously. A Stale IP discovered by ARP/ND snooping is realized in the realized bindings of the LSP.

Environment

VMware NSX-T

Cause

This behavior is by design. TOFU means that the NSX system trusts the first few configured IP address on a LSP. Thus, the user is expected to manually approve any new IP in the case of IP change.

Resolution

The following steps can be used to manually approve an IP change in NSX UI.

  • Navigate to the VM’s Segment:

    • Go to the segment where the VM is connected.
    • Click on the Segment Profiles tab and confirm that it is using the default-ip-discovery-profile.

  • View Interfaces:

    • Click on the "1" in blue under Ports/Interfaces.
    • This displays the current interfaces associated with the selected VM (filter by VM name if there are several ports).

  • View Address Bindings:

    • Click on the ">" icon to expand the Address Bindings section.

  • Review Realized Bindings:

    • Click on Realized Bindings to see a list of all discovered IP addresses.
    • Locate the old IP address that needs removal.

  • Move the Old IP to Ignored Bindings:

    • Select the old IP address and click Copy to Ignore Bindings.
    • This action moves the old IP from Realized Bindings to Ignored Bindings, so only the new IP will be actively associated with the VM in Realized Bindings.

  • Permanently Remove the Ignored Binding:

    • Click on the "1" under Ignored Bindings and select Edit.
    • Choose Delete to permanently remove the old IP from the Ignored Bindings list.
    • Now, only the new IP address remains associated with the NSGroup, and the old IP is fully removed.

NOTE: For NSX-T versions 3.1.X, you will need apply it  from the MANAGER view instead.

Workaround:

Rely on DHCP snooping or vmtools based IP discovery. Those are enabled by default but does make assumptions on VM is getting IP from DHCP and VM has vmtools installed.

Additional Information

This behavior has been introduced since the early version of NSX-T.

Powered by Wolken Software