HPCraig
Contributor
Contributor
‎02-04-2021 01:46 AM

NSX-T 3.x and spoofguard - does it incur an overhead?

I've been asked if we should enable Spoofguard in NSX-T 3.x and I can see that the process is relatively easy.

What has me concerned is: does enabling it incurr any overhead for the hosts or other elements given that it needs to record all of the IPs against MAC addresses and also check them?

Thanks

Reply
0 Kudos
Sreec
VMware Employee
VMware Employee
‎02-04-2021 02:14 AM

There is no major overhead when we enable it. That being said, you need to check the type of applications and IP Stack that is there in your setup and confirm if spoofguard is the ideal candidate to detect the change and block the traffic accordingly. 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 6x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
Reply
HPCraig
Contributor
Contributor
‎02-04-2021 02:27 AM

Thanks for that, i's good to hear.

When you say to check if Spoofguard is the ideal candidate - are there apps or IP stacks for which it isn't ideal?

From the description, it's an OS related feature to block traffic using the wrong IP/MAC so I'm curious what kind of app would make a difference.

Thanks

Reply
0 Kudos
mauricioamorim
VMware Employee
VMware Employee
‎02-04-2021 06:51 AM

Apps that share IP addresses do not work with Spoofguard. One example is VRRP.

Reply
0 Kudos