VMware Networking Community
rajeevsrikant
Expert

NSX Version 6.2.2 + DFW

Hi bayuwibowo‌ & Community

I have NSX version 6.2.2 with DFW. Under SpoofGuard, the IP Detection Type is set to "None".

So NSX DFW will be detecting the IP Address of the VM from the VMware tools.

What will happen to the VMs which don't have VMware Tools? How does NSX DFW treat these VMs without VMware Tools?

http://bayupw.blogspot.jp/2016/12/troubleshoot-nsx-dfw-distributed.html

1 Solution

Accepted Solutions
DaleCoghlan
VMware Employee

Here is a bit of a write up I did on why you need either VM Tools or DHCP/ARP snooping when working with the DFW.

NSX-v 6.2 What’s New: IP Discovery – SneakU


11 Replies
rajeevsrikant
Expert

Typo

So how does NSX DFW treat these VMs without VMware Tools?

bayupw
Leadership

If you do not have VMware Tools installed on the VM, NSX 6.2.x offers ARP / DHCP snooping to detect the IP address.

VMware NSX for vSphere 6.2 Documentation Center - IP Discovery for Virtual Machines

"Before NSX 6.2, if VMware Tools was not installed on a VM, its IP address was not learned.

In NSX 6.2 you can configure clusters to detect virtual machine IP addresses with DHCP snooping, ARP snooping, or both.

This allows NSX to detect the IP address if VMware Tools is not installed on the virtual machine.

If VMware Tools is installed, it can work in conjunction with DHCP and ARP snooping.

VMware recommends that you install VMware Tools on each virtual machine in your environment. In addition to providing vCenter with the IP address of VMs, it provides many other functions"


VMware NSX for vSphere 6.2 Documentation Center - Change IP Detection Type

"The IP address of a virtual machine can be detected by VMware Tools, which are installed on the VM, or by DHCP snooping and ARP snooping, which are enabled on the host cluster. These IP discovery methods can be used together in the same NSX installation.

Procedure

1. In the vSphere Web client, navigate to Networking & Security > Installation > Host Preparation.

2. Click the cluster you want to change, then click Actions > Change IP Detection Type.

3. Select the desired detection types and click OK."


Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

Thanks got your point.

What will happen to the VMs which do not have VMware Tools when the IP Detection method is set to None? (I have not enabled ARP / DHCP snooping to detect the IP address.)

How does NSX DFW treat this?

rajeevsrikant
Expert

If there are no VMware Tools and no other method enabled to detect the VM IP, will DFW not apply any firewall policies?

It will be as if no rules are applied and the VM will be outside the DFW.

Correct me if my above understanding is wrong.

bayupw
Leadership

If DFW cannot detect the IP, the traffic will most likely hit the default rule (allow or deny, depending on your Default Rule).

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
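The two replies above describe three ways NSX 6.2 can learn a VM's address (VMware Tools, DHCP snooping, ARP snooping at the cluster level) and what happens when none of them applies. The script below is an added example written for this thread, not VMware, NSX or PowerNSX code: it runs the same logic over a constructed inventory (made-up VM names, clusters and tools status standing in for a vCenter/NSX Manager export) to list which VMs the DFW cannot learn an IP for, and which clusters with IP Detection Type "None" would need snooping enabled.

```python
"""Audit which VMs an NSX-v 6.2 DFW can learn an IP address for.

Constructed example written for this thread; it is not VMware, NSX or PowerNSX
code. The inventory and cluster settings below are made-up stand-ins for what
you would export from vCenter / NSX Manager (e.g. with PowerCLI or PowerNSX).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClusterDiscovery:
    """Cluster-level IP Detection Type (Host Preparation > Change IP Detection
    Type). Both flags False corresponds to the type "None": VMware Tools only."""
    name: str
    dhcp_snooping: bool = False
    arp_snooping: bool = False


@dataclass(frozen=True)
class VmRecord:
    name: str
    cluster: str
    tools_running: bool   # guest tools status as reported to vCenter


# Constructed inventory: cl-prod still has IP Detection Type "None",
# cl-dev has both snooping methods enabled.
CLUSTERS = {
    "cl-prod": ClusterDiscovery("cl-prod"),
    "cl-dev": ClusterDiscovery("cl-dev", dhcp_snooping=True, arp_snooping=True),
}
INVENTORY = [
    VmRecord("VM-A", "cl-prod", tools_running=False),   # the case asked about
    VmRecord("VM-B", "cl-prod", tools_running=True),
    VmRecord("VM-C", "cl-dev", tools_running=False),    # covered by snooping
]


def ip_sources(vm, clusters):
    """Discovery methods that can supply this VM's IP address to the DFW."""
    cfg = clusters[vm.cluster]
    sources = []
    if vm.tools_running:
        sources.append("vmware-tools")
    if cfg.dhcp_snooping:
        sources.append("dhcp-snooping")
    if cfg.arp_snooping:
        sources.append("arp-snooping")
    return sources


def vms_without_learned_ip(inventory, clusters):
    """VMs for which NSX learns no address. Rules that name such a VM (or a
    security group containing it) cannot resolve to its IP, so its traffic
    ends up matching whatever the default rule says."""
    return sorted(vm.name for vm in inventory if not ip_sources(vm, clusters))


def clusters_needing_snooping(inventory, clusters):
    """Clusters with IP Detection Type "None" that host at least one VM without
    running VMware Tools: candidates for enabling DHCP/ARP snooping."""
    return sorted({vm.cluster for vm in inventory
                   if vm.cluster in clusters
                   and not clusters[vm.cluster].dhcp_snooping
                   and not clusters[vm.cluster].arp_snooping
                   and not vm.tools_running})


if __name__ == "__main__":
    for vm in INVENTORY:
        print(vm.name, vm.cluster, ip_sources(vm, CLUSTERS) or "NO IP LEARNED")
    print("clusters to fix:", clusters_needing_snooping(INVENTORY, CLUSTERS))
```

Run as a script it prints one line per VM with its discovery sources and the clusters where snooping should be turned on; the check is deliberately cluster-scoped because that is where the IP Detection Type is configured in the procedure quoted above.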
rajeevsrikant
Expert

Thanks bayuwibowo

Is there any official document from VMware which explains that? I need to share this with my manager.

rajeevsrikant
Expert

Thanks.

So I have a virtual machine VM A without VMware Tools and I have the below rule.

Source: Any | Destination: VM B | Action: Block | Applied to: Distributed Firewall

Since there are no VMware Tools installed, the IP address of VM A will not be detected by the DFW.

But the above firewall rule will still be applied and the traffic will be blocked, since the source is ANY.

Let me know if my above understanding is right.

rajeevsrikant
Expert

@DaleCoghlan

Could you please help in replying to the below query?

rajeevsrikant
Expert

Got the attached details from the below link.

"If VMTools is stopped or removed, vCenter removes the IP address entry immediately. An update notification is sent to NSX Manager, causing the firewall module to send a list of updates to all the vShield-Stateful-Firewall processes using protobuf format. If we configure firewall rules using vCenter objects (not IP addresses) as shown in the screenshot below, there will be a match on the last firewall rule (most of the time called the catch-all rule)."



http://www.routetocloud.com/2015/04/nsx-distributed-firewall-deep-dive/

DaleCoghlan
VMware Employee

Yes your understanding is correct.

Since the rule is applied to the "DISTRIBUTED FIREWALL", on the source VM (VM A), the outbound packet will match the source (which is defined as ANY address) and the packet will be blocked.

And in actual fact, your rule will block ANY traffic leaving ANY VM with a destination of VM B, but also, on VM B itself, it will block all inbound traffic with a destination of VM B, regardless of whether it originated from a VM or not.

Dale
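The accepted answer and the routetocloud quote above make two complementary points: a rule whose source is Any matches VM A's traffic even though NSX never learned VM A's address, whereas a rule that names VM A as a vCenter object resolves to no addresses and falls through to the default rule. The following toy model is an added example written for this thread, not NSX code; the addresses, rule names and the "first match wins, default rule last" evaluation are constructed simplifications that only illustrate those two outcomes.

```python
"""Toy model of DFW rule matching when a VM's IP address is unknown to NSX.

Constructed illustration for this thread, not NSX code. Simplifications: a rule
field that names a vCenter object (here a VM) resolves to the set of addresses
NSX has learned for it, "any" matches everything, and the first matching rule
wins with the default rule as the catch-all. All addresses are made up.
"""
ANY = "any"

# Addresses NSX has learned per VM object. VM-A runs without VMware Tools on a
# cluster whose IP Detection Type is "None", so NSX holds nothing for it.
LEARNED_IPS = {
    "VM-A": set(),
    "VM-B": {"10.0.0.20"},
}


def field_matches(obj, ip, learned=LEARNED_IPS):
    """True if a source/destination field (ANY or a VM object) covers ip."""
    if obj == ANY:
        return True
    return ip in learned.get(obj, set())


def evaluate(rules, default_action, src_ip, dst_ip, learned=LEARNED_IPS):
    """Return (rule name, action) of the first matching rule, else the default."""
    for rule in rules:
        if field_matches(rule["src"], src_ip, learned) and \
           field_matches(rule["dst"], dst_ip, learned):
            return rule["name"], rule["action"]
    return "default", default_action


# The rule from the thread: Source Any, Destination VM B, Action Block.
RULE_ANY_TO_B = [{"name": "block-to-B", "src": ANY, "dst": "VM-B", "action": "block"}]
# The same intent written with VM A as the source object instead of Any.
RULE_A_TO_B = [{"name": "block-A-to-B", "src": "VM-A", "dst": "VM-B", "action": "block"}]

VM_A_IP = "10.0.0.10"          # address VM-A actually uses; NSX never learned it
VM_B_IP = "10.0.0.20"
PHYSICAL_HOST = "192.0.2.50"   # a non-VM source, for Dale's second point


def thread_scenarios(default_action="allow"):
    """Verdicts for the cases discussed in the thread."""
    return {
        # Source Any matches regardless of whether VM-A's IP was learned.
        "A->B, src=Any": evaluate(RULE_ANY_TO_B, default_action, VM_A_IP, VM_B_IP),
        # The same rule also covers non-VM sources arriving at VM-B's vNIC.
        "physical->B, src=Any": evaluate(RULE_ANY_TO_B, default_action, PHYSICAL_HOST, VM_B_IP),
        # Source object VM-A resolves to no addresses, so the rule never
        # matches and the packet falls through to the default rule.
        "A->B, src=VM-A": evaluate(RULE_A_TO_B, default_action, VM_A_IP, VM_B_IP),
    }


if __name__ == "__main__":
    for case, verdict in thread_scenarios().items():
        print(f"{case:24} -> {verdict}")
```

Changing the default action passed to thread_scenarios from "allow" to "deny" is the quickest way to see why the default rule decides the fate of VMs with no learned address: the object-based rule never matches either way.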
