HPCraig
Contributor

NSX-T 3.x and spoofguard - does it incur an overhead?

I've been asked if we should enable Spoofguard in NSX-T 3.x and I can see that the process is relatively easy.

What has me concerned is: does enabling it incur any overhead for the hosts or other elements given that it needs to record all of the IPs against MAC addresses and also check them?

Thanks

0 Kudos
3 Replies
Sreec
VMware Employee

There is no major overhead when we enable it. That being said, you need to check the type of applications and IP Stack that is there in your setup and confirm if spoofguard is the ideal candidate to detect the change and block the traffic accordingly. 

Cheers,
Sree | VCIX-4X| VCAP-4X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
HPCraig
Contributor

Thanks for that, it's good to hear.

When you say to check if Spoofguard is the ideal candidate - are there apps or IP stacks for which it isn't ideal?

From the description, it's an OS related feature to block traffic using the wrong IP/MAC so I'm curious what kind of app would make a difference.

Thanks

0 Kudos
mauricioamorim
VMware Employee

Apps that share IP addresses do not work with Spoofguard. One example is VRRP.

0 Kudos
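
The following is an added example, not code from any poster in this thread or from VMware. It is a simplified model of a per-port IP/MAC binding check, showing why an address shared between ports (as with VRRP) gets dropped and how to list such addresses before enabling enforcement. The port names, addresses and sightings are constructed, no NSX-T API is used, and the VRRP MAC prefix is the IPv4 one from RFC 5798.

```python
from collections import defaultdict

VRRP_V4_PREFIX = "00:00:5e:00:01:"  # RFC 5798 IPv4 virtual router MAC prefix

def is_vrrp_mac(mac):
    return mac.lower().startswith(VRRP_V4_PREFIX)

def permits(bindings, port, mac, ip):
    """Binding check: a frame passes only if (mac, ip) is approved for its port."""
    return (mac.lower(), ip) in bindings.get(port, set())

def shared_ip_report(sightings):
    """Return {ip: sorted ports} for every IP observed on more than one port."""
    ports_by_ip = defaultdict(set)
    for port, _mac, ip in sightings:
        ports_by_ip[ip].add(port)
    return {ip: sorted(p) for ip, p in ports_by_ip.items() if len(p) > 1}

def vrrp_ports(sightings):
    """Ports that have sourced traffic from a VRRP virtual MAC."""
    return sorted({port for port, mac, _ip in sightings if is_vrrp_mac(mac)})

def would_drop(sightings, bindings):
    """Sightings that the binding check would reject."""
    return [s for s in sightings if not permits(bindings, *s)]

# Constructed sample: (port, source MAC, source IP) as seen on the wire.
SIGHTINGS = [
    ("port-a", "00:50:56:aa:00:01", "10.0.0.2"),
    ("port-a", "00:00:5e:00:01:0a", "10.0.0.1"),  # VRRP master, VRID 10
    ("port-b", "00:50:56:bb:00:01", "10.0.0.3"),
    ("port-b", "00:00:5e:00:01:0a", "10.0.0.1"),  # same virtual IP after failover
    ("port-c", "00:50:56:cc:00:01", "10.0.0.20"),
]
# Constructed bindings: one approved pair per port (the VM's own address).
BINDINGS = {
    "port-a": {("00:50:56:aa:00:01", "10.0.0.2")},
    "port-b": {("00:50:56:bb:00:01", "10.0.0.3")},
    "port-c": {("00:50:56:cc:00:01", "10.0.0.20")},
}

if __name__ == "__main__":
    print("Shared IPs:", shared_ip_report(SIGHTINGS))
    print("Ports using a VRRP MAC:", vrrp_ports(SIGHTINGS))
    for port, mac, ip in would_drop(SIGHTINGS, BINDINGS):
        print("DROP", port, mac, ip)
```
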