Virtual machines in an NSX for vSphere firewall security group retain IP addresses after power-cycle or have been assigned a new vnic

Article ID: 343364


Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • After powering off a virtual machine which is a member of a security group, the IP address of the virtual machine vNIC continues to be shown.
  • If the network adapter is removed and re-added and then the virtual machine is again powered on, the virtual machine does not receive an IP address through DHCP, and the virtual machine continues to be assigned the original IP address.


Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.2.x

Cause

This behavior results from how vCenter Server retains the IP address of a virtual machine and how the NSX for vSphere distributed firewall consumes that address, with and without SpoofGuard.

Resolution

This section describes the expected behavior of NSX for vSphere.

Without SpoofGuard

DHCP-Based Addressing

When using DHCP to assign an IP address to a virtual machine with a single vNIC, vCenter Server retains the IP address after the virtual machine is powered off. vCenter Server continues to retain the same IP address if the vNIC is removed, a new vNIC is added, and the virtual machine is powered on.
When the virtual machine sends a DHCP request to get a new IP address, vCenter Server updates the virtual machine's IP address and then updates NSX Manager, which enforces the new IP address on the datapath.

Static IP Addressing

With static IP address assignment for a single virtual machine, vCenter Server retains the IP address when the virtual machine is power-cycled or a new vNIC is attached to it. The datapath and NSX Manager use the same IP address.

With SpoofGuard

With SpoofGuard enabled, one key behavior changes: the new vNIC is auto-approved in TOFU mode.

TOFU stands for Trust On First Use and is one of the IP validation mechanisms in SpoofGuard. Whatever IP address the vNIC reports to NSX Manager (through VMware Tools into the vCenter inventory) is treated as a trusted IP, and all packets from that IP and vNIC combination are allowed. This differs from Manual mode, where the user has to approve the IP address even the first time it is seen.

However, for a virtual machine with a DHCP-assigned IP address, when the lease expires and the virtual machine receives a new IP address, that address has to be approved/published by the administrator. Otherwise, SpoofGuard drops all outgoing traffic from the virtual machine.

DHCP-Based Addressing

When using DHCP to assign an IP address to a virtual machine with a single vNIC, vCenter Server retains the IP address after the virtual machine is power-cycled or a new vNIC is attached. When the virtual machine is powered on, a new NIC notification is received, vCenter Server reports the old IP address, and this address is auto-approved in TOFU mode. The virtual machine then sends a DHCP request for a new IP address, and vCenter Server reflects this new IP. However, the datapath uses the old IP address until the new IP address is explicitly approved.

Static IP Addressing

Static IP address assignment generally follows the same behavior as DHCP-based assignment, although no approval workflow is needed as the same IP address is seen.
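The following is an added model of the behavior described in both the "Without SpoofGuard" and "With SpoofGuard" sections above; it is example code written for this article, not VMware's implementation or API. It assumes a simplified world (one VM, one vNIC at a time, no lease timers) with constructed names and addresses (web-01, vnic-1, vnic-2, 10.0.0.10, 10.0.0.25), and it shows why, after a vNIC replacement and a DHCP renewal, the datapath keeps enforcing the old address in TOFU mode until an administrator approves the new one.

```python
"""Model of the IP-retention behaviour described in this KB (constructed example,
not VMware code). It tracks the three things the article talks about: the IP that
vCenter Server retains for a VM, the IP that SpoofGuard has approved for a vNIC,
and the IP the distributed-firewall datapath therefore enforces."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VCenterInventory:
    """Last IP address reported for each VM (via VMware Tools).
    Retained across power-off and vNIC replacement, as the KB states."""
    ip_by_vm: Dict[str, str] = field(default_factory=dict)

    def report(self, vm: str, ip: str) -> None:
        self.ip_by_vm[vm] = ip

    def retained_ip(self, vm: str) -> Optional[str]:
        return self.ip_by_vm.get(vm)


@dataclass
class SpoofGuard:
    """Per-vNIC approved IP. mode is 'tofu' (Trust On First Use) or 'manual'."""
    mode: str
    approved: Dict[str, str] = field(default_factory=dict)

    def on_new_vnic(self, vnic: str, reported_ip: Optional[str]) -> None:
        # TOFU: the first IP reported for a new vNIC is trusted automatically.
        # Manual: nothing is approved until an administrator publishes it.
        if self.mode == "tofu" and reported_ip is not None:
            self.approved[vnic] = reported_ip

    def approve(self, vnic: str, ip: str) -> None:
        """Administrator approves/publishes an IP for a vNIC."""
        self.approved[vnic] = ip

    def allows(self, vnic: str, src_ip: str) -> bool:
        """Only the approved (vNIC, IP) pair passes; anything else is dropped."""
        return self.approved.get(vnic) == src_ip


def datapath_ip(vc: VCenterInventory, sg: Optional[SpoofGuard],
                vm: str, vnic: str) -> Optional[str]:
    """IP the distributed firewall uses for this VM's security-group membership."""
    if sg is None:
        return vc.retained_ip(vm)   # NSX Manager simply follows vCenter
    return sg.approved.get(vnic)    # only an approved IP reaches the datapath


def power_cycle_with_new_vnic(vc: VCenterInventory, sg: Optional[SpoofGuard],
                              vm: str, new_vnic: str) -> None:
    """Power off, remove the old vNIC, add new_vnic, power on. vCenter still
    reports the retained IP; SpoofGuard (if present) gets a new-NIC notification."""
    if sg is not None:
        sg.on_new_vnic(new_vnic, vc.retained_ip(vm))


def run_scenario(spoofguard_mode: Optional[str]) -> Dict[str, object]:
    """spoofguard_mode: None (SpoofGuard off), 'tofu', or 'manual'.
    Returns what the datapath enforces at each step of the KB's scenario."""
    vc = VCenterInventory()
    sg = SpoofGuard(spoofguard_mode) if spoofguard_mode else None
    vm, old_ip, new_ip = "web-01", "10.0.0.10", "10.0.0.25"  # constructed values

    # VM boots with vnic-1 and obtains old_ip via DHCP; Tools reports it.
    vc.report(vm, old_ip)
    if sg is not None:
        sg.on_new_vnic("vnic-1", old_ip)
        if sg.mode == "manual":
            sg.approve("vnic-1", old_ip)  # manual mode needs approval even at first use

    power_cycle_with_new_vnic(vc, sg, vm, "vnic-2")
    retained = vc.retained_ip(vm)                 # still old_ip
    after_new_vnic = datapath_ip(vc, sg, vm, "vnic-2")

    # VM sends a DHCP request and receives new_ip; vCenter reflects it.
    vc.report(vm, new_ip)
    after_dhcp = datapath_ip(vc, sg, vm, "vnic-2")
    new_ip_dropped = sg is not None and not sg.allows("vnic-2", new_ip)

    # Administrator approves/publishes the new IP (the step the KB calls for).
    if sg is not None:
        sg.approve("vnic-2", new_ip)
    after_approval = datapath_ip(vc, sg, vm, "vnic-2")

    return {
        "vcenter_retained_after_new_vnic": retained,
        "datapath_after_new_vnic": after_new_vnic,
        "datapath_after_dhcp": after_dhcp,
        "new_ip_dropped_before_approval": new_ip_dropped,
        "datapath_after_approval": after_approval,
    }


if __name__ == "__main__":
    for mode in (None, "tofu", "manual"):
        print(f"SpoofGuard={mode!r}: {run_scenario(mode)}")
```

Running the three modes side by side makes the article's point concrete: without SpoofGuard the datapath follows vCenter to the new DHCP address immediately; in TOFU mode the replacement vNIC inherits the retained old address automatically, so the new lease is dropped until approved; in Manual mode nothing is allowed on the new vNIC until an administrator publishes an address.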