NSX Segment Administrative State DOWN Does Not Shut Down the Associated Tier-0/Tier-1 Gateway Interface

Article ID: 442325

Updated On:

Products

VMware NSX

Issue/Introduction

You observe that even when you set an NSX-T segment to Admin State: Down, the gateway IP interface remains active. This results in the following behaviors:

  • The gateway IP address continues to respond to traffic or ARP requests.

  • Traffic intended for an external gateway with a conflicting IP is intercepted by the NSX-T gateway.

  • Routing and L3 topology remain active despite the L2 segment being administratively down.

Environment

VMware NSX

Cause

In the NSX-T Policy architecture, the Layer 2 Segment and the Layer 3 Gateway Interface (Logical Router Port) operate as decoupled entities. Toggling the Segment admin_state to DOWN only suspends Layer 2 forwarding across the logical switch data plane.

The admin_state property represents the desired state of the segment itself and does not reflect or control the state of other logical entities, such as Tier-0 or Tier-1 gateways, that are connected to it. Consequently, the connected gateway interface remains fully instantiated and active within the VRF, maintaining an L3 routing topology that is independent of the L2 administrative state.

Resolution

This is expected behavior.

The administrative state of a segment does not propagate to the connected gateway interfaces. To prevent a gateway IP from attracting traffic, you must modify the configuration of the Tier-0 or Tier-1 gateway interface directly rather than relying on the segment's administrative state.
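To find where this applies in an environment, the following added example (not part of the original article or VMware tooling) audits a segment listing for segments that are administratively DOWN but still attached to a gateway with a gateway IP configured. It assumes the Policy API segment fields `admin_state`, `connectivity_path` and `subnets[].gateway_address`; the sample response and the `external_gateways` parameter (IPs of non-NSX routers that NSX must not answer for) are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like a GET /policy/api/v1/infra/segments response.
# Field names (admin_state, connectivity_path, subnets[].gateway_address) are
# assumed from the NSX Policy API Segment object; confirm against your version.
SAMPLE_RESPONSE = {
    "results": [
        {"id": "seg-web", "admin_state": "UP",
         "connectivity_path": "/infra/tier-1s/t1-prod",
         "subnets": [{"gateway_address": "10.10.1.1/24"}]},
        {"id": "seg-migrated", "admin_state": "DOWN",
         "connectivity_path": "/infra/tier-1s/t1-prod",
         "subnets": [{"gateway_address": "10.10.2.1/24"}]},
        {"id": "seg-isolated", "admin_state": "DOWN", "subnets": []},
        {"id": "seg-old-dmz", "admin_state": "DOWN",
         "connectivity_path": "/infra/tier-0s/t0-edge",
         "subnets": [{"gateway_address": "192.168.50.1/24"},
                     {"gateway_address": "2001:db8:50::1/64"}]},
    ]
}


def find_live_gateways_on_down_segments(response, external_gateways=()):
    """Return one finding per gateway IP still configured on a DOWN segment."""
    external = {ipaddress.ip_address(ip) for ip in external_gateways}
    findings = []
    for seg in response.get("results", []):
        if seg.get("admin_state", "UP").upper() != "DOWN":
            continue
        gateway_path = seg.get("connectivity_path")
        if not gateway_path:
            continue  # segment is not attached to a Tier-0/Tier-1 gateway
        for subnet in seg.get("subnets") or []:
            cidr = subnet.get("gateway_address")
            if not cidr:
                continue
            iface = ipaddress.ip_interface(cidr)  # handles IPv4 and IPv6
            findings.append({
                "segment": seg.get("id"),
                "gateway": gateway_path,
                "gateway_ip": str(iface.ip),
                "conflicts_with_external": iface.ip in external,
            })
    return findings


if __name__ == "__main__":
    for f in find_live_gateways_on_down_segments(SAMPLE_RESPONSE, ["10.10.2.1"]):
        print(f)
```

Each finding names the gateway whose interface configuration has to change; entries with `conflicts_with_external` set are the ones where the NSX gateway can intercept traffic meant for the external router.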

 

Additional Information

For more information on the impact of toggling segment states, see "Impact of Toggling Segment Admin State to Up or Down".