3 Replies Latest reply on Mar 24, 2020 5:36 AM by mauricioamorim

    DHCP with NSX-T

    chadc1979 Novice

      When NSX-T is managing an environment does DHCP relay on a VLAN not work?


      For example I have a segment backed by a VLAN and in that VLAN I have a DHCP server.


      After deploying NSX-T and creating the VLAN backed segments and moving the VMs from vDS to N-DVS I am no longer able to obtain a DHCP lease from the Windows Server on the same segment.


      Looking at how NSX-T DHCP Relay works you can't use it with a VLAN backed segment unless I am missing something.

        • 1. Re: DHCP with NSX-T
          mauricioamorim Expert
          VMware Employees

          Every segment in NSX-T, regardless if it is Overlay or VLAN backed has segment profiles attached to it. One of these is the security profile which, among other security features, has DHCP protections to prevent unknow/undesired DHCP servers on the network. This might be preventing the DHCP packets from the VMs reach the DHCP server. Have you taken a look at the segment profiles attached to this segment?

          • 2. Re: DHCP with NSX-T
            chadc1979 Novice

            Never thought there would be a firewall rule on the switchport blocking DHCP but sure enough.


            For someone else finding this thread:


            Advanced Networking & Security > Networking > Switches > Switching Profiles


            Select nsx-default-switch-security-vif-profile > Actions >  Clone Profile


            Uncheck Server Block under DHCP


            Then click on Ports and select your DHCP server(s) > Edit > Switching Profiles


            Change Switch Security to the new profile you just created


            That'll keep DHCP Server blocked for all other servers except the one(s) you want DHCP available from



            • 3. Re: DHCP with NSX-T
              mauricioamorim Expert
              VMware Employees

              It is not actually a firewall but common security features available on L2 switches. This control regarding DHCP is like DHCP snooping with trusted interfaces on any common switch.