Stale IPs in LSP Realized Bindings with TOFU Enabled result in wrong IP(s) present in the NSGroup, affecting DFW rule match
Article ID: 329047
Products: VMware NSX, VMware vDefend Firewall
Issue/Introduction
This article describes the manual steps required to handle an IP address change on a port when Trust On First Use (TOFU) is enabled in the IP discovery profile. (TOFU is currently enabled by default.)
Symptoms:
1. An IP discovery profile with Trust On First Use (TOFU) enabled is in use.
2. An incorrect or stale IP address is present in the NSGroup, which affects DFW rule matching.
3. The IP address on the port changed earlier. The stale IP address discovered by ARP/ND snooping is still present in the realized bindings of the LSP.
Environment
VMware NSX-T
Cause
This behavior is by design. With TOFU, NSX trusts the first IP addresses discovered on an LSP (up to the binding limit set in the IP discovery profile) and does not automatically trust addresses discovered later. When a VM's IP address changes, the user is therefore expected to manually approve the new IP and remove the old one.
Resolution
The following steps manually approve an IP change in the NSX UI.
Navigate to the VM’s Segment:
Go to the segment where the VM is connected.
Click on the Segment Profiles tab and confirm that it is using the default-ip-discovery-profile.
View Interfaces:
Click on the "1" in blue under Ports/Interfaces.
This displays the current interfaces associated with the selected VM (filter by VM name if there are several ports).
View Address Bindings:
Click on the ">" icon to expand the Address Bindings section.
Review Realized Bindings:
Click on Realized Bindings to see a list of all discovered IP addresses.
Locate the old IP address that needs removal.
Move the Old IP to Ignored Bindings:
Select the old IP address and click Copy to Ignore Bindings.
This action moves the old IP from Realized Bindings to Ignored Bindings, so only the new IP will be actively associated with the VM in Realized Bindings.
Permanently Remove the Ignored Binding:
Click on the "1" under Ignored Bindings and select Edit.
Choose Delete to permanently remove the old IP from the Ignored Bindings list.
Now, only the new IP address remains associated with the NSGroup, and the old IP is fully removed.
NOTE: On NSX-T 3.1.x, apply these steps from the Manager view instead.
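The same cleanup can be scripted against the Policy API rather than clicked through in the UI. The following Python helper is an added example; it is not part of this article and not VMware code. It works on constructed JSON shaped like a segment port and its realized state, so it runs offline and sends nothing. The URI paths (`.../infra/segments/{segment}/ports/{port}` and `.../state`) and the field names `realized_bindings` and `ignored_address_bindings` are assumptions about the Policy API and must be checked against the API guide for your NSX version before use. The functions mirror the two UI steps above: first add the stale IP to the ignored bindings, then, once it is no longer realized, delete the ignored entry again.

```python
"""Stale-IP cleanup helper for NSX segment ports with TOFU IP discovery.

Added example, not code from the KB article or from VMware. It operates on
constructed JSON that mimics the Policy API objects, so it runs offline.
The URI paths and field names (SegmentPort.ignored_address_bindings,
SegmentPortState.realized_bindings) are ASSUMPTIONS about the Policy API
and must be verified against the NSX API guide for your version.
"""
import ipaddress

# Assumed Policy API paths (not taken from the article).
PORT_URI = "/policy/api/v1/infra/segments/{segment}/ports/{port}"
PORT_STATE_URI = PORT_URI + "/state"

# Constructed sample: realized state of a port after the VM moved from
# 10.10.1.25 to 10.10.1.40, with TOFU keeping the old ARP-snooped address.
SAMPLE_STATE = {
    "realized_bindings": [
        {"binding": {"ip_address": "10.10.1.25",
                     "mac_address": "00:50:56:aa:bb:cc"},
         "source": "ARP_SNOOPING"},
        {"binding": {"ip_address": "fe80::250:56ff:feaa:bbcc",
                     "mac_address": "00:50:56:aa:bb:cc"},
         "source": "ND_SNOOPING"},
    ],
}

# Constructed sample: the segment port object before any cleanup.
SAMPLE_PORT = {
    "id": "default:web-01.vmx@0123",
    "address_bindings": [],
    "ignored_address_bindings": [],
}


def find_stale_bindings(state, current_ips):
    """Return realized bindings whose IP is not among the VM's current IPs.

    Addresses are compared as ipaddress objects so that IPv6 text variants
    (e.g. uppercase or zero-padded) do not cause false 'stale' hits.
    """
    current = {ipaddress.ip_address(ip) for ip in current_ips}
    return [
        entry["binding"]
        for entry in state.get("realized_bindings", [])
        if ipaddress.ip_address(entry["binding"]["ip_address"]) not in current
    ]


def build_ignore_patch(port, stale_bindings):
    """UI step 'Copy to Ignore Bindings': return a PATCH body that adds the
    stale bindings to ignored_address_bindings without touching other fields."""
    patched = dict(port)
    ignored = list(port.get("ignored_address_bindings", []))
    for b in stale_bindings:
        entry = {"ip_address": b["ip_address"], "mac_address": b["mac_address"]}
        if entry not in ignored:          # idempotent on repeated runs
            ignored.append(entry)
    patched["ignored_address_bindings"] = ignored
    return patched


def build_cleanup_patch(port, stale_bindings):
    """UI step 'Delete' under Ignored Bindings: remove the entries again once
    the stale IP has dropped out of the realized bindings."""
    drop = {b["ip_address"] for b in stale_bindings}
    patched = dict(port)
    patched["ignored_address_bindings"] = [
        e for e in port.get("ignored_address_bindings", [])
        if e["ip_address"] not in drop
    ]
    return patched


def plan_requests(segment, port_id, port, state, current_ips):
    """Return the ordered (method, uri, body) calls an operator would issue.
    Nothing is sent; the caller decides how to execute them."""
    stale = find_stale_bindings(state, current_ips)
    uri = PORT_URI.format(segment=segment, port=port_id)
    if not stale:
        return [("GET", PORT_STATE_URI.format(segment=segment, port=port_id), None)]
    ignored = build_ignore_patch(port, stale)
    return [
        ("GET", PORT_STATE_URI.format(segment=segment, port=port_id), None),
        ("PATCH", uri, ignored),
        # Re-check realized state here; only then remove the ignored entry.
        ("PATCH", uri, build_cleanup_patch(ignored, stale)),
    ]


if __name__ == "__main__":
    for method, uri, body in plan_requests("web-seg", "web-01", SAMPLE_PORT,
                                           SAMPLE_STATE,
                                           ["10.10.1.40", "fe80::250:56ff:feaa:bbcc"]):
        print(method, uri, body)
```

Run the GET first and confirm the stale address really is absent from the VM before patching; the second PATCH should only be issued after a fresh read of the port state shows the old IP is no longer realized, otherwise the cleanup is equivalent to never having ignored it.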
Workaround:
Rely on DHCP snooping or VMware Tools based IP discovery instead. Both are enabled by default, but they assume that the VM obtains its IP address from DHCP and that VMware Tools is installed in the VM, respectively.
Additional Information
This behavior has been present since early versions of NSX-T.