VM-Series Deployment Guide
Set Up a VM-Series NSX Edition Firewall
Steer Traffic from Guests that are not Running VMware Tools
VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running
in the cluster. NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall.
If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the
NSX Manager and traffic cannot be steered to the VM-Series firewall.
The following steps allow you to manually provision guests without VMware Tools so that traffic from each of
these guests can be managed by the VM-Series firewall.
Step 1
Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be
used as the source or destination object in an NSX distributed firewall rule in Step 4 below.
1. Select NSX Managers > Manage > Grouping Objects > IP Sets.
2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be
secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are
not valid.
Step 2
Verify that SpoofGuard is enabled. If not enabled, see Enable SpoofGuard.
Step 3
Manually approve the IP address(es) for each guest in SpoofGuard; this validates that the approved IP address
is the accurate address for that network adapter. For a manually configured IP address, make sure to add the IP
address to the IP set before approving it in SpoofGuard.
1. Select the new SpoofGuard policy you created earlier and View: Inactive Virtual NICs.
2. Select the guest, add the IP address in the Approved IP field, and Publish changes.
3. Review and approve all previously approved IP addresses too.
Step 4
Attach the IP sets to the Security Groups on NSX, to enforce policy.
1. Select Networking and Security > Service Composer > Security Groups.
2. Select Select objects to include > IP Sets, and add the IP set object to include.
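The following is an added example, not part of the original guide or of any Palo Alto Networks or VMware tooling. It prepares the comma-separated value for the IP set in Step 1, rejecting ranges and subnets, and lists any address planned for SpoofGuard approval in Step 3 that is not yet in the IP set. The function names, guest names and addresses are assumptions constructed for illustration.

```python
import ipaddress

def build_ip_set(entries):
    """Return (value, rejected). value is the comma-separated string of
    individual addresses; rejected holds (entry, reason) pairs to fix by hand."""
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "/" in entry:                      # subnets are not valid here
            rejected.append((entry, "subnet"))
        elif "-" in entry:                    # neither are ranges
            rejected.append((entry, "range"))
        else:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                rejected.append((entry, "not an IP address"))
                continue
            if addr not in seen:              # drop duplicates, keep order
                seen.add(addr)
                accepted.append(addr)
    return ",".join(str(a) for a in accepted), rejected

def approval_gaps(ip_set_value, pending):
    """pending maps guest name -> addresses about to be approved in SpoofGuard.
    Returns the addresses per guest that are not yet in the IP set."""
    members = {ipaddress.ip_address(a) for a in ip_set_value.split(",") if a}
    gaps = {}
    for guest, ips in pending.items():
        missing = [ip for ip in ips if ipaddress.ip_address(ip) not in members]
        if missing:
            gaps[guest] = missing
    return gaps

if __name__ == "__main__":
    # Constructed sample inventory (illustrative values, not real hosts)
    inventory = ["10.1.20.11", " 10.1.20.12", "10.1.20.11", "10.1.30.0/24",
                 "10.1.20.20-10.1.20.30", "10.1.20.300"]
    value, rejected = build_ip_set(inventory)
    print("IP set value:", value)
    for entry, reason in rejected:
        print("rejected:", entry, "(" + reason + ")")
    pending = {"legacy-db-01": ["10.1.20.11"],
               "appliance-02": ["10.1.20.12", "10.1.20.13"]}
    print("add to IP set before approving:", approval_gaps(value, pending))
```

An empty result from approval_gaps means every address to be approved in SpoofGuard is already a member of the IP set.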