Steer Traffic from Guests that are not Running VMware Tools

VMware Tools contains a utility that allows the NSX-V Manager to collect the IP address(es) of each guest running in the cluster. NSX-V Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the NSX-V Manager and traffic cannot be steered to the VM-Series firewall.
The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM-Series firewall.
  1. Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be used as the source or destination object in an NSX-V distributed firewall rule in Step 2 below.
    1. Select NSX-V Managers > Manage > Grouping Objects > IP Sets.
    2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.
  2. Attach the IP sets to the Security Groups on NSX-V, to enforce policy.
    1. Select Networking and Security > Service Composer > Security Groups.
    2. Under Select objects to include, select IP Sets, and add the IP set object to include.
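
An added example, not part of the original documentation: a Python helper that prepares the comma-separated value for the IP set in step 1. It goes slightly beyond the text by expanding ranges and subnets from an inventory into the individual addresses the field requires. The function names, the 256-address cap and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_EXPANSION = 256  # assumed safety cap on addresses produced by one entry


def _expand(entry):
    """Turn one inventory entry into a list of individual IP address objects."""
    entry = entry.strip()
    if "-" in entry:  # range written as first-last
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or int(last) < int(first):
            raise ValueError(f"bad range: {entry}")
        count = int(last) - int(first) + 1
        if count > MAX_EXPANSION:
            raise ValueError(f"range too large to expand: {entry}")
        return [first + i for i in range(count)]
    if "/" in entry:  # subnet in CIDR form; network and broadcast are skipped
        net = ipaddress.ip_network(entry, strict=True)
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"subnet too large to expand: {entry}")
        return list(net.hosts())
    return [ipaddress.ip_address(entry)]  # raises ValueError if malformed


def build_ip_set_value(entries):
    """Return the comma-separated list of individual addresses for the IP set."""
    seen, ordered = set(), []
    for entry in entries:
        for addr in _expand(entry):
            if addr not in seen:  # drop duplicates, keep first-seen order
                seen.add(addr)
                ordered.append(addr)
    if not ordered:
        raise ValueError("no guest addresses supplied")
    return ",".join(str(a) for a in ordered)


# Constructed sample inventory (documentation address ranges, not real guests).
SAMPLE_GUESTS = ["192.0.2.10", "192.0.2.20-192.0.2.22", "198.51.100.8/30", "192.0.2.10"]

if __name__ == "__main__":
    print(build_ip_set_value(SAMPLE_GUESTS))
```

Any entry that is malformed or too large to expand raises ValueError, so a typo never produces an IP set that silently leaves a guest outside the steering rule.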
