- Realized binding includes Incorrect IP along with correct IP assigned
- Incorrect security group IP memberships due to realized bindings
VMware NSX
VMware NSX-T Data Center
This is not a bug but expected behaviour of the IP Discovery Profile when TOFU (Trust On First Use, based on ARP/ND snooping) is enabled, which is the default. Once a VM is set up with an IP, that IP is learned into the realized bindings permanently (snooped ARP/ND entries never age out). If the VM's IP is changed later, the old IP remains in the realized list alongside the new one, which leads to incorrect security group memberships.
Workaround:
1. Create a new IP Discovery Profile with TOFU disabled.
2. Ensure that the IP Discovery Profile being applied has an ARP Binding Limit greater than or equal to the maximum number of IPs configured on a single port.
3. Apply this profile to the segment.
4. The old IP is then removed from the realized bindings: with TOFU disabled the profile operates as Trust on Every Use (TOEU), and snooped ARP/ND entries age out after 10 minutes.
If the TOFU feature is needed, the default IP Discovery Profile can be reapplied to the segment afterwards; it will then learn the new VM IP.
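The workaround above, as an added example that is not VMware's own code or documentation: it builds the profile body for the NSX-T Policy API with TOFU disabled and the ARP binding limit sized for the port, checks those two conditions before applying, and PATCHes the profile and the segment binding map. The manager URL, credentials, profile and segment ids are placeholders, and the Policy API field names (`tofu_enabled`, `arp_nd_binding_timeout`, `arp_binding_limit`, `ip_discovery_profile_path`) are assumed from the NSX-T Policy API; confirm them against the API guide for your release.

```python
import base64
import json
import urllib.request

NSX_MANAGER = "https://nsx-manager.example.invalid"  # placeholder host
CREDENTIALS = ("admin", "PLACEHOLDER_PASSWORD")       # placeholder credentials


def build_toeu_profile(max_ips_per_port, timeout_minutes=10):
    """Body for PATCH /policy/api/v1/infra/ip-discovery-profiles/{id} (assumed schema).
    tofu_enabled=False turns TOFU into Trust on Every Use, so a snooped
    ARP/ND binding that is no longer observed ages out after the timeout."""
    if max_ips_per_port < 1:
        raise ValueError("a port must be allowed at least one IP binding")
    return {
        "resource_type": "IPDiscoveryProfile",
        "tofu_enabled": False,
        "arp_nd_binding_timeout": timeout_minutes,  # minutes; 10 matches the KB text
        "ip_v4_discovery_options": {
            "arp_snooping_config": {
                "arp_snooping_enabled": True,
                "arp_binding_limit": max_ips_per_port,  # workaround step 2
            }
        },
    }


def profile_problems(profile, max_ips_per_port):
    """Return the workaround conditions a profile violates (empty list means OK)."""
    problems = []
    if profile.get("tofu_enabled", True):
        problems.append("tofu_enabled is true: stale bindings will never age out")
    limit = (profile.get("ip_v4_discovery_options", {})
             .get("arp_snooping_config", {}).get("arp_binding_limit", 1))
    if limit < max_ips_per_port:
        problems.append(f"arp_binding_limit {limit} < {max_ips_per_port} IPs per port")
    return problems


def nsx_patch(path, body):
    """PATCH a Policy API object with basic auth; returns the HTTP status code."""
    token = base64.b64encode(":".join(CREDENTIALS).encode()).decode()
    req = urllib.request.Request(
        NSX_MANAGER + path, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": "Basic " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # default context verifies the TLS cert
        return resp.status


if __name__ == "__main__":
    profile = build_toeu_profile(max_ips_per_port=4)
    assert not profile_problems(profile, 4)
    nsx_patch("/policy/api/v1/infra/ip-discovery-profiles/ipd-toeu", profile)  # steps 1-2
    nsx_patch("/policy/api/v1/infra/segments/web-seg/segment-discovery-profile-binding-maps/default",
              {"ip_discovery_profile_path": "/infra/ip-discovery-profiles/ipd-toeu"})  # step 3
```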