Solved: What is the impact of VMWare tools on being able t...

vmmedmed · ‎08-19-2019

On a previous assignment, I ran into an issue where once in a while a Distributed Firewall Rule would not be effective

in permitting the intended traffic. The resolution would be to change from using the VM Name to using an IP

address instead. At a later time we became pretty sure that the problem was related to some VMs not

having been updated with the latest VMWare Tools.

Does anyone have any more insight into this? Seen this issue? Is there a particular version of VMWare Tools where being

able to use the VM name in your DFW rules becomes enabled?

Thank you.

nipanwar · ‎08-19-2019

In NSX DFW all rules are published to ESXi hots based on source/destination IP. If you write a rule where source/destination is VM name/cluster/port-group etc then NSX manager needs to figure out the IP/IPs to which this rule has to be applied. Without Vmware tools the vCenter cannot figure out IP and that info cannot be passed to NSX manager, hence NSX manager doesnt publish that rule to esxi host.

To fix it you can use DHCP snooping and ARP snooping to detect VM IP.

Refer to below article for more details.

VMware Knowledge Base

---------------------------------------------------------------------------------------------------------

Was it helpful? Let us know by completing this short survey here.

View solution in original post

nipanwar · ‎08-19-2019