Flows with broadcast IP addresses were incorrectly classified as unicast when multiple overlapping CIDR block are configured in Private IP ranges in SSP UI.

Article ID: 432085


Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

When a flow has a broadcast IP address that matches multiple CIDR blocks in the Private IP ranges, broadcast IP detection fails. If a broader range (e.g. /8) appears before a more specific range (e.g. /22) in the Private IPs list in the SSP UI, broadcast detection does not work correctly.

As a result, such broadcast flows are sent to NSX Intelligence as regular unicast flows instead of being identified as broadcast traffic.

Environment

NSX version 4.2.1.x and earlier releases.
SSP versions 5.0, 5.1 and 5.1.1

Cause

The Private IP ranges are checked in the order in which they are listed, and the first range that contains the destination address is used. When a broader Private IP range (e.g. /8) is configured before a more specific overlapping range (e.g. /22), the broader range matches first and the flow is compared against its broadcast address rather than that of the specific subnet, so broadcast flow detection fails.

Run the "nsxcli -c get intelligence flow config" command on the ESX host to check the order of the Private IP range configuration.

Resolution

Configure the Private IP ranges in order from most specific to least specific (longer CIDR prefix lengths before shorter ones). This ensures that broadcast addresses are correctly identified within their specific subnets before being matched against broader ranges.
Alternatively, remove the broader Private IP range to avoid the overlap.

Example: For a flow with destination IP address 10.##.##.255 to be categorized as broadcast, the 10.##.##.0/22 CIDR block must be evaluated before the 10.0.0.0/8 CIDR block.
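The following Python script is an added illustration, not part of this article or of the NSX/SSP code: it models the first-match classification described above and checks a Private IP range list for the misordering that causes the problem. The CIDRs and the destination address are constructed sample values standing in for the masked ones on this page.

```python
import ipaddress

# Constructed sample Private IP range lists (the masked values on the page are not known).
MISORDERED = ["10.0.0.0/8", "10.1.0.0/22"]   # broad /8 listed before the /22 it contains
CORRECTED = ["10.1.0.0/22", "10.0.0.0/8"]    # most specific first, as the resolution advises


def classify(dst_ip, private_cidrs):
    """Model of first-match behaviour: the destination is compared only with the
    broadcast address of the FIRST listed range that contains it."""
    ip = ipaddress.ip_address(dst_ip)
    for cidr in private_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net:
            return "broadcast" if ip == net.broadcast_address else "unicast"
    return "unicast"  # not inside any configured private range


def ordering_problems(private_cidrs):
    """Return (broader, narrower) pairs where a broader range is listed before a
    narrower range it fully contains, i.e. the configuration this article describes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in private_cidrs]
    problems = []
    for i, broad in enumerate(nets):
        for narrow in nets[i + 1:]:
            if narrow.version != broad.version or narrow == broad:
                continue  # IPv4 and IPv6 lists are independent; identical entries are not overlaps
            if narrow.subnet_of(broad):
                problems.append((str(broad), str(narrow)))
    return problems


def reorder_most_specific_first(private_cidrs):
    """Order the list by prefix length, longest first (stable for equal lengths)."""
    return sorted(private_cidrs,
                  key=lambda c: -ipaddress.ip_network(c, strict=False).prefixlen)


if __name__ == "__main__":
    # 10.1.3.255 is the broadcast address of 10.1.0.0/22 but an ordinary host
    # address inside 10.0.0.0/8, so the misordered list classifies it as unicast.
    print(classify("10.1.3.255", MISORDERED))       # unicast (the reported symptom)
    print(classify("10.1.3.255", CORRECTED))        # broadcast
    print(ordering_problems(MISORDERED))            # [('10.0.0.0/8', '10.1.0.0/22')]
    print(reorder_most_specific_first(MISORDERED))  # ['10.1.0.0/22', '10.0.0.0/8']
```

Feeding the CIDR list from the "get intelligence flow config" output into ordering_problems() reports every broad-before-narrow pair that needs reordering.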

Sample output of the "nsxcli -c get intelligence flow config" command:
              NSX Intelligence Host Flows Configuration
----------------------------------------------------------------------
Enabled Max Active Max Nonactive Interval(min) Long Lived(min)
  True    25000                   50000       5                      3

             Kafka broker: 10.##.##.##:9092
      Prioritization mode: INTEL
   LSP-based Profile mode: False
       Affected LSP count: 0
      V4 Private IP count: 0
    V4 Private CIDR count: 11
                        1. ip  ##.##.##.0/16
                        2. ip  ##.##.##.0/16
                        3. ip  ##.##.##.0/16
                        4. ip  ##.##.##.0/16
                        5. ip  ##.##.##.0/16
                        6. ip  ##.##.##.0/16
                        7. ip  ##.##.##.0/16
                        8. ip  ##.##.##.0/16
                        9. ip  ##.##.##.0/16
                       10. ip 10.##.##.0/22
                       11. ip 10.0.0.0/8
      V6 Private IP count: 0
    V6 Private CIDR count: 2
                        1. ip ###::/7
                        2. ip ###::/10