How to view IP Discovery methods for an NSX Segment or DVPG
Article ID: 429430

Products: VMware NSX, VMware vSphere ESXi 8.0

Issue/Introduction

In network security, particularly within the context of NSX, a binding refers to the association of a specific IP address, MAC address, and often a VLAN. These bindings are fundamental for various network functions, including ARP/ND suppression, SpoofGuard, and distributed firewall (DFW) operations.

IP Discovery mechanisms, such as ARP snooping, Neighbor Discovery (ND) snooping, DHCP snooping, and VM Tools, are used to learn and compile these MAC and IP address bindings into a "realized bindings list". Details of each method can be found here.

NOTE: DVPGs only support VM Tools.

Order of Discovery
IP Discovery methods are not applied in a strict order of precedence; rather, they work concurrently and complementarily. NSX listens for multiple types of IP-to-MAC binding data at the same time, and whichever method provides a valid and verifiable binding first is used. This results in an implicit preference* based on data reliability and trust level, which NSX applies when multiple sources report different IPs for the same MAC. Below is the general trust hierarchy (from most to least reliable):

  1. VMware Tools: Most trusted, as it comes directly from the guest OS via the hypervisor.
  2. DHCP Snooping: Trusted because it sees the actual IP assignment from the DHCP server.
  3. ARP Snooping: Less trusted; passive and can be spoofed.
  4. ND Snooping: Similar trust to ARP, but for IPv6.

These settings are found under Networking > Segments > Profiles > Segment Profiles.

The following sections discuss how to display which IP Discovery methods were used for a given VM, whether it is attached to an NSX segment or a DVPG.

Environment

NSX
ESXi

Resolution

NSX UI
The following steps apply to both segments and DVPGs.

1. Go to Networking > Segments > NSX. Note: DVPGs are located under Networking > Segments > Distributed Port Groups.
2. Expand your segment.
3. Click on the number populated for "Ports/Interfaces". If this value is "0", your VM is not attached.
4. Find your VM and expand it.
5. Scroll down to the Address Bindings section.
6. Click on Discovered Bindings.

Here we find two method types used to discover this VM and bind it to an IP address: ARP Snooping and VM Tools.

7. Close this window and click on Realized Bindings.
These will be identical, but per the order of trust, VM Tools will be used. To display the actual method used, you will need to use the CLI.


ESXi CLI
1. Log in as the root user.
2. Enter nsxdp-cli kcp vif list

Each discovery method is assigned a unique value:

VMware Tools:  32
DHCP Snooping: 1
ARP Snooping:  2

 

Example: This VM contains two interfaces; each one was discovered and bound to an IP address using different IP discovery methods.

[root@ESXi:~] nsxdp-cli kcp vif list
VIF Count: 2
--------------------
No.  VIF ID                                  dvPort ID                               Switch ID                                         Port ID   isVMotion isPrimary snFlag
1    f7c8d732-d355-461d-be06-6013343b2117    07090621-138d-4e00-8d2f-d4a1324fb0a9    50 00 37 7e c9 e5 aa 8b-b4 34 e4 a8 da 2e 25 d0   167772189 0         1         0
MAC Address {
00:50:56:##:##:##
}
Discovered Bindings Count: 2
Discovered Bindings {
1> IPv4            : 192.168.219.51
 Mac             : 00:50:56:##:##:##
   VlanId          : 0
   DiscoveryMethod : 32
   TimeStamp       : 1771008330308
2> IPv4            : 192.168.219.51
 Mac             : 00:50:56:##:##:##
   VlanId          : 0
   DiscoveryMethod : 1
   TimeStamp       : 1771009376188
}

--------------------
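As an added example (not part of this article or of VMware's tooling), the following Python script parses the Discovered Bindings entries from saved nsxdp-cli kcp vif list output, decodes the DiscoveryMethod codes listed above, and reports for each MAC which binding wins under the trust order, listing any IPs that a less trusted method reported instead. The embedded sample is constructed with a placeholder MAC, and since the ND Snooping code is not given on this page, unlisted codes are simply ranked last.

```python
"""Decode DiscoveryMethod codes in `nsxdp-cli kcp vif list` output (added example)."""
import re

# Codes listed in this article; unlisted codes (ND Snooping's is not on the page) rank last.
METHODS = {32: "VM Tools", 1: "DHCP Snooping", 2: "ARP Snooping"}
RANK = {"VM Tools": 0, "DHCP Snooping": 1, "ARP Snooping": 2}  # lower = more trusted
FIELDS = ("Mac", "VlanId", "DiscoveryMethod", "TimeStamp")

# Constructed sample in the CLI's layout (placeholder MAC): two methods report
# different IPs for one MAC, so the conflict path below is exercised.
SAMPLE = """Discovered Bindings {
1> IPv4            : 192.168.219.51
 Mac             : 00:50:56:aa:bb:cc
   VlanId          : 0
   DiscoveryMethod : 32
2> IPv4            : 192.168.219.77
 Mac             : 00:50:56:aa:bb:cc
   VlanId          : 0
   DiscoveryMethod : 2
}"""

def parse_bindings(text):
    """One dict per 'N> IPv4/IPv6 : addr' entry, plus its indented fields."""
    bindings, cur = [], None
    for line in text.splitlines():
        head = re.match(r"\s*\d+>\s*IPv[46]\s*:\s*(\S+)", line)
        if head:
            cur = {"ip": head.group(1)}
            bindings.append(cur)
            continue
        kv = re.match(r"\s*(\w+)\s*:\s*(\S+)", line)
        if cur is not None and kv and kv.group(1) in FIELDS:
            cur[kv.group(1)] = kv.group(2)
        elif line.strip() == "}":  # closing brace ends the bindings block
            cur = None
    return bindings

def method_name(code):
    return METHODS.get(int(code), "unknown(%s)" % code)

def preferred_per_mac(bindings):
    """Map MAC -> (ip, method, other ips): the most trusted binding wins; any IP a
    less trusted source reported instead is listed (ARP, for one, can be spoofed)."""
    out = {}
    for b in sorted(bindings, key=lambda b: RANK.get(method_name(b["DiscoveryMethod"]), 99)):
        if b["Mac"] not in out:
            out[b["Mac"]] = (b["ip"], method_name(b["DiscoveryMethod"]), [])
        elif b["ip"] != out[b["Mac"]][0] and b["ip"] not in out[b["Mac"]][2]:
            out[b["Mac"]][2].append(b["ip"])
    return out
```

To run it against a real host, save the CLI output to a file and pass its contents to parse_bindings() in place of SAMPLE.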