I've been asked if we should enable Spoofguard in NSX-T 3.x and I can see that the process is relatively easy.
What has me concerned is: does enabling it incur any overhead for the hosts or other elements given that it needs to record all of the IPs against MAC addresses and also check them?
There is no major overhead when we enable it. That being said, you need to check the type of applications and IP stack that is there in your setup and confirm if Spoofguard is the ideal candidate to detect the change and block the traffic accordingly.
Thanks for that, it's good to hear.
When you say to check if Spoofguard is the ideal candidate - are there apps or IP stacks for which it isn't ideal?
From the description, it's an OS-related feature to block traffic using the wrong IP/MAC so I'm curious what kind of app would make a difference.
Apps that share IP addresses do not work with Spoofguard. One example is VRRP.