Configuration Guide for "ARP Binding Limit" in VMware NSX

Article ID: 431548

Products

VMware NSX

Issue/Introduction

This document explains the specifications of the "ARP Binding Limit" within the IP Discovery Profile of VMware NSX, its impact on communication, and common use cases where modifying the default value is required.
In environments where multiple IP addresses are assigned to a Virtual Machine (VM) or in cluster configurations using Virtual IPs (VIP), this setting may be the root cause if communication is being blocked.

Environment

VMware NSX

Resolution

  1. What is the ARP Binding Limit?
    The "ARP Binding Limit" is a setting that defines the maximum number of IPv4 addresses that can be bound and learned for a single logical port (i.e., a single vNIC of a VM).
    Location: [Networking] > [Segments] > [Segment Profiles] > [IP Discovery] profile.
    Default Value: 1 / Configurable Range: 1 to 256.

  2. Importance of the Limit (Interaction with SpoofGuard)
    The NSX IP Discovery feature snoops (monitors) ARP packets sent by VMs to learn the "IP-to-MAC address" mapping for each port.
    These learned IP-MAC bindings are utilized by SpoofGuard to prevent impersonation, and as objects for the Distributed Firewall (DFW).
    If a VM sends ARP for more IPv4 addresses than the "ARP Binding Limit" allows, the excess addresses are not learned (bound) by NSX.
    Consequently, SpoofGuard treats traffic sourced from those unlearned addresses as "traffic from an unauthorized IP address" and drops it.
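The following is an added illustration, not code from the article or from VMware: a small Python model of how a per-port binding table fills up under an ARP Binding Limit and what SpoofGuard then does with traffic from an address that was never bound. The ARP events are constructed, and the first-seen-wins ordering is an assumption of the model (the article only states that addresses beyond the limit are not learned).

```python
import ipaddress
from collections import defaultdict

# Constructed ARP-reply events as IP Discovery might observe them on
# logical ports: (port_id, sender_mac, sender_ip). Not real captures.
ARP_EVENTS = [
    ("port-web01", "00:50:56:aa:00:01", "10.0.1.11"),   # physical IP
    ("port-web01", "00:50:56:aa:00:01", "10.0.1.100"),  # cluster VIP
    ("port-web01", "00:50:56:aa:00:01", "10.0.1.11"),   # repeat, not a new binding
    ("port-db01",  "00:50:56:aa:00:02", "10.0.1.21"),
]


def simulate_arp_snooping(events, arp_binding_limit=1):
    """Model the per-port IP-MAC binding table under an ARP Binding Limit.

    Assumption: the first `arp_binding_limit` distinct IPv4 addresses seen on
    a port are learned; later distinct addresses are left unlearned.
    Returns (learned, unlearned):
      learned[port]   -> {ip: mac}
      unlearned[port] -> [ip, ...]
    """
    learned = defaultdict(dict)
    unlearned = defaultdict(list)
    for port, mac, ip in events:
        if ipaddress.ip_address(ip).version != 4:
            continue  # ARP snooping only concerns IPv4
        if ip in learned[port] or ip in unlearned[port]:
            continue  # already decided for this port
        if len(learned[port]) < arp_binding_limit:
            learned[port][ip] = mac
        else:
            unlearned[port].append(ip)
    return dict(learned), dict(unlearned)


def spoofguard_verdict(learned, port, ip):
    """With SpoofGuard enforcing learned bindings, traffic sourced from an IP
    that is not bound on the port is treated as unauthorized and dropped."""
    return "allow" if ip in learned.get(port, {}) else "drop"


if __name__ == "__main__":
    for limit in (1, 2):
        learned, unlearned = simulate_arp_snooping(ARP_EVENTS, limit)
        print(f"limit={limit} learned={learned} unlearned={unlearned}")
        print("  VIP 10.0.1.100 on port-web01:",
              spoofguard_verdict(learned, "port-web01", "10.0.1.100"))
```

With the default limit of 1, the VIP on port-web01 is the address left unlearned and its traffic is dropped; raising the limit to 2 binds both addresses and the same traffic is allowed.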

  3. Use Cases Requiring an Increase in the Limit
    HA Cluster Configurations using Virtual IP (VIP):
    - When using cluster software such as WSFC, Pacemaker, or Keepalived, the Active VM responds to ARP requests for both its physical IP and the VIP, requiring at least "2" learned addresses per port.

    Secondary IP (Alias) Configured in Guest OS:
    - In cases such as web servers where multiple IPs are assigned to a single vNIC, the limit must be increased to allow NSX to learn all assigned IP addresses.

    VMs as Container Hosts:
    - When running Docker or Kubernetes within a VM and routing traffic for multiple containers through the VM's vNIC, the limit must be adjusted accordingly.

  4. Resolution and Configuration Steps
    a. Log in to the NSX Manager UI and navigate to [Networking] > [Segments] > [Segment Profiles].
    b. Click [Add Segment Profile], select [IP Discovery], and enter a profile name.
    c. Modify the [ARP Binding Limit] value according to requirements (e.g., 2 or more) and save.
    d. Apply the created profile to the relevant segment or individual logical port.
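The script below is an added example, not part of the article and not VMware code. It sizes the ARP Binding Limit from a constructed inventory of the IPv4 addresses each vNIC answers ARP for (physical IP, VIPs, aliases), flags the ports that the default limit of 1 would break, and builds the request body for creating or updating an IP Discovery profile through the NSX Policy API. The endpoint path and the field names `ip_v4_discovery_options` / `arp_snooping_config` / `arp_binding_limit` are assumptions about the API schema and should be verified against the API reference for your NSX version before use; the UI steps above remain the documented procedure.

```python
import ipaddress
import json

# Configurable range stated in the article.
ARP_BINDING_LIMIT_MIN, ARP_BINDING_LIMIT_MAX = 1, 256

# Constructed inventory: logical port -> addresses the guest answers ARP for.
VNIC_ADDRESSES = {
    "port-web01": ["10.0.1.11", "10.0.1.100", "10.0.1.11"],            # physical IP + cluster VIP
    "port-web02": ["10.0.1.12", "10.0.1.101", "10.0.1.102", "fd00::12"],  # two aliases; IPv6 not counted
    "port-db01": ["10.0.1.21"],
}


def required_arp_binding_limit(addresses):
    """Distinct IPv4 addresses a port must be allowed to learn (at least 1)."""
    v4 = {ip for ip in addresses if ipaddress.ip_address(ip).version == 4}
    return max(ARP_BINDING_LIMIT_MIN, len(v4))


def ports_exceeding_limit(inventory, current_limit=1):
    """Ports whose address count is above the limit of the profile in force."""
    return {
        port: required_arp_binding_limit(addrs)
        for port, addrs in inventory.items()
        if required_arp_binding_limit(addrs) > current_limit
    }


def ip_discovery_profile_body(display_name, arp_binding_limit):
    """Body for PATCH /policy/api/v1/infra/ip-discovery-profiles/<profile-id>.

    Assumed schema (verify against your NSX API reference).
    """
    if not ARP_BINDING_LIMIT_MIN <= arp_binding_limit <= ARP_BINDING_LIMIT_MAX:
        raise ValueError(
            f"arp_binding_limit must be {ARP_BINDING_LIMIT_MIN}..{ARP_BINDING_LIMIT_MAX}, "
            f"got {arp_binding_limit}")
    return {
        "resource_type": "IPDiscoveryProfile",
        "display_name": display_name,
        "ip_v4_discovery_options": {
            "arp_snooping_config": {
                "is_arp_snooping_enabled": True,
                "arp_binding_limit": arp_binding_limit,
            }
        },
    }


def plan_profile(inventory, display_name="ipd-multi-ip"):
    """Size one profile to the busiest port in the inventory."""
    needed = max(required_arp_binding_limit(a) for a in inventory.values())
    return ip_discovery_profile_body(display_name, needed)


if __name__ == "__main__":
    print("ports broken by the default limit:", ports_exceeding_limit(VNIC_ADDRESSES, 1))
    print(json.dumps(plan_profile(VNIC_ADDRESSES), indent=2))
```

One profile sized to the busiest port is the simplest choice; where ports differ widely (a container host next to single-IP servers), applying a larger-limit profile only to the ports that need it keeps the SpoofGuard allow-list tight everywhere else.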
