The SpoofGuard feature seems pretty dumb to me, to be blunt. It seems to rely on what the VMware Tools report and shuts down the port if it detects a different IP bound on the NIC. It can be easily bypassed by simply not binding the other IP to an interface; for example, SpoofGuard will not block generated packets from "hping2 --spoof ba.d.i.p".
When I went on to do an initial approval of the IP address in SpoofGuard, I did not see those aliases on the interface, so I think they will not work.
I haven't tested it myself, but if it doesn't detect your interface aliases as new IPs, then I assume it won't see any reason to block anything and will just work "out of the box". Whether this behavior is really intended or satisfactory is another question.
Hi, does SpoofGuard in vShield 5.5 support approval of configured IP address aliases (eth0:1, eth0:2), so that traffic is also allowed from the alias IP addresses?
It seems not to be possible to set (approve) more than one IP for one MAC.
In NSX it's possible.
I agree there are some serious limitations of SpoofGuard in vCNS; it is not possible to approve secondary addresses.