Tuesday 7 October 2014

Configuring Spoofguard in NSX

NSX includes SpoofGuard, which allows you to authorise the IP addresses reported by VMware Tools running inside a virtual machine.  You can configure multiple policies for different networks (Logical Switches and Distributed Port Groups) depending on your requirements.  If SpoofGuard is enabled you will not be able to communicate with a VM until its IP address has been approved (either automatically or manually).

SpoofGuard is configured via the NSX plugin in the vSphere Web Client.  By default it is disabled, so traffic to all VMs is allowed.  You can see a list of active vNICs and which IP addresses (IPv4 and IPv6) are associated with those VMs:

To enable SpoofGuard across all networks, simply edit the Default Policy and check the Enabled option.  You then have two options.  The first, automatically trust IP assignments on their first use, approves the first IP address reported by each VM without intervention.  The second, manually inspect and approve all IP assignments before use, means that you have to approve every IP address before you can establish connectivity with the VM.  In this example I'm going to manually approve all IP address assignments.  Once finished, click Finish:

Don't forget to Publish Changes:

Once configured you should lose connectivity to all VMs.  I've sent a continuous ping to my test WEB01 VM ( and, as you can see, once SpoofGuard was enabled it stopped responding to pings:

We can also see that the Active Virtual NICs view is empty:

If we change the view to Virtual NICs IP Required Approval we can see a list of all the NICs that we need to approve.  If we had configured the default policy to automatically trust IP assignments on their first use, these would have been pre-approved, but subsequent IP changes would still require manual intervention:

Once I approve the WEB01 IP address and Publish the changes, connectivity is restored:

If the IP address were to change, VMware Tools would detect this and you would have to approve the new IP address.  In this example I changed the IP address of the VM from to

If you only want SpoofGuard enabled on a particular Logical Switch or Distributed Port Group, such as a DMZ, you can leave the default policy disabled, which trusts all IP addresses, and then enable SpoofGuard for that particular network with a policy that requires approval of all IP address changes.  To create a new policy, click the green plus icon, give the new policy a name and set the required policy mode.  In this example I want SpoofGuard enabled on the DB network with all IP address changes manually approved.  Click Next when ready:

Finally, click the green plus icon and add the Distributed Port Group or Logical Switch that you want to enable SpoofGuard for.  You can add multiple networks to the same policy if you wish.  Once finished, click Finish and don't forget to Publish the changes:

We can now see the new policy and all the VMs that require their IP address approved before you can communicate with them:
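To make the policy behaviour described above concrete, here is a small Python model of the SpoofGuard decision logic.  It is an added illustration written for this post, not NSX code or the NSX API; the policy names, network names, vNIC identifiers and IP addresses in it are constructed sample values.  It covers the three modes (disabled, trust on first use, manual approval), the fallback from a network-specific policy to the Default Policy, the IP change detection that forces re-approval, and the fact that an approval does nothing until the changes are published.

```python
"""Model of NSX SpoofGuard policy semantics (added illustration, not NSX code).

All vNIC ids, network names and IP addresses below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    DISABLED = "disabled"  # policy disabled: every reported IP is trusted
    TOFU = "tofu"          # automatically trust IP assignments on their first use
    MANUAL = "manual"      # manually inspect and approve all IP assignments before use


@dataclass
class Policy:
    name: str
    mode: Mode
    networks: List[str]    # Logical Switches / Distributed Port Groups the policy covers


@dataclass
class VnicState:
    network: str
    reported_ip: Optional[str] = None  # last address reported by VMware Tools
    approved_ip: Optional[str] = None  # address SpoofGuard currently permits


class SpoofGuard:
    def __init__(self, default_policy: Policy):
        self.default_policy = default_policy
        self.policies: List[Policy] = []
        self.vnics: Dict[str, VnicState] = {}
        self.staged: Dict[str, Optional[str]] = {}  # approvals waiting for "Publish Changes"

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)

    def policy_for(self, network: str) -> Policy:
        # A policy that lists the network wins; otherwise the Default Policy applies.
        for policy in self.policies:
            if network in policy.networks:
                return policy
        return self.default_policy

    def report_ip(self, vnic: str, network: str, ip: str) -> None:
        """VMware Tools reports the address a vNIC is using (first report or a change)."""
        state = self.vnics.setdefault(vnic, VnicState(network=network))
        state.reported_ip = ip
        if self.policy_for(network).mode is Mode.TOFU and state.approved_ip is None:
            state.approved_ip = ip  # first use is trusted; later changes are not

    def is_allowed(self, vnic: str) -> bool:
        """Can the VM behind this vNIC communicate with its current address?"""
        state = self.vnics[vnic]
        if self.policy_for(state.network).mode is Mode.DISABLED:
            return True
        return state.reported_ip is not None and state.reported_ip == state.approved_ip

    def requires_approval(self) -> List[str]:
        """Equivalent of the 'Virtual NICs IP Required Approval' view."""
        return sorted(v for v in self.vnics if not self.is_allowed(v))

    def approve(self, vnic: str) -> None:
        # Approval is staged; nothing changes on the data plane until publish().
        self.staged[vnic] = self.vnics[vnic].reported_ip

    def publish(self) -> None:
        for vnic, ip in self.staged.items():
            self.vnics[vnic].approved_ip = ip
        self.staged.clear()


def manual_default_scenario() -> List[bool]:
    """Default Policy enabled with manual approval, as in the WEB01 walkthrough."""
    sg = SpoofGuard(Policy("Default Policy", Mode.MANUAL, []))
    sg.report_ip("WEB01-vnic0", "web-ls", "192.0.2.10")
    steps = [sg.is_allowed("WEB01-vnic0")]        # blocked: not yet approved
    sg.approve("WEB01-vnic0")
    steps.append(sg.is_allowed("WEB01-vnic0"))   # still blocked: changes not published
    sg.publish()
    steps.append(sg.is_allowed("WEB01-vnic0"))   # allowed
    sg.report_ip("WEB01-vnic0", "web-ls", "192.0.2.11")  # IP change detected by Tools
    steps.append(sg.is_allowed("WEB01-vnic0"))   # blocked again until the new IP is approved
    return steps


def tofu_scenario() -> List[bool]:
    """Trust on first use: first address auto-approved, a later change is not."""
    sg = SpoofGuard(Policy("Default Policy", Mode.TOFU, []))
    sg.report_ip("APP01-vnic0", "app-ls", "192.0.2.30")
    steps = [sg.is_allowed("APP01-vnic0")]
    sg.report_ip("APP01-vnic0", "app-ls", "192.0.2.31")
    steps.append(sg.is_allowed("APP01-vnic0"))
    return steps


def per_network_scenario() -> Dict[str, object]:
    """Default Policy disabled; a separate policy protects only the DB network."""
    sg = SpoofGuard(Policy("Default Policy", Mode.DISABLED, []))
    sg.add_policy(Policy("DB SpoofGuard", Mode.MANUAL, ["db-ls"]))
    sg.report_ip("WEB01-vnic0", "web-ls", "192.0.2.10")
    sg.report_ip("DB01-vnic0", "db-ls", "192.0.2.20")
    return {"WEB01": sg.is_allowed("WEB01-vnic0"),   # trusted by the disabled default policy
            "DB01": sg.is_allowed("DB01-vnic0"),     # awaiting approval under the DB policy
            "pending": sg.requires_approval()}
```

Running the three scenario functions reproduces the behaviour seen in the screenshots: under manual approval the VM is unreachable until the approval is both made and published, a trust-on-first-use policy only helps for the first address, and a disabled Default Policy leaves every network except the ones named in a specific policy untouched.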

Hope this helps with understanding SpoofGuard a little more and how to configure it within NSX.

1 comment:

  1. Nice post, thanks for taking the time to put it together