Working with SpoofGuard
SpoofGuard is a feature that prevents virtual machine IP address spoofing. It comes with a default policy and is disabled by default. In this recipe, we will learn how to enable SpoofGuard on a logical switch.
Getting ready
Make sure you have Security Administrator or Enterprise Administrator access to NSX. The default SpoofGuard policy includes all networks, but a new SpoofGuard policy can be created for specific networks (PortGroup or logical switch). A newly added network is automatically added to the default policy.
A SpoofGuard policy has the following operating modes:
- Automatically trust IP assignments on their first use: This mode allows all traffic from the virtual machine to pass while building a table of vNIC-to-IP address assignments. The administrator can review this table at their convenience and make IP address changes. This mode automatically approves all IPv4 and IPv6 addresses on a vNIC.
- Manually inspect and approve...