On a previous assignment, I ran into an issue where once in a while a Distributed Firewall Rule would not be effective
in permitting the intended traffic. The resolution would be to change from using the VM Name to using an IP
address instead. At a later time we became pretty sure that the problem was related to some VMs not
having been updated with the latest VMware Tools.
Does anyone have any more insight into this? Seen this issue? Is there a particular version of VMware Tools where being
able to use the VM name in your DFW rules becomes enabled?
Thank you.
In NSX DFW all rules are published to ESXi hosts based on source/destination IP. If you write a rule where the source/destination is a VM name/cluster/port-group etc., then NSX Manager needs to figure out the IP/IPs to which this rule has to be applied. Without VMware Tools, vCenter cannot figure out the IP and that info cannot be passed to NSX Manager, hence NSX Manager doesn't publish that rule to the ESXi host.
To fix it, you can use DHCP snooping and ARP snooping to detect the VM IP.
Refer to the article below for more details.
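The resolution step described in the answer above, as an added example that is not part of the original thread: NSX Manager must turn each VM-name endpoint into one or more IPs (from VMware Tools, or from DHCP/ARP snooping) before a rule can be pushed to the ESXi hosts, and an endpoint with no IP leaves the rule unpublished. The inventory, rule list and field names below are constructed assumptions; a real audit would pull the same data from vCenter (for example via pyvmomi) and from NSX IP discovery.

```python
# Added example (not from the thread): simulate how NSX Manager resolves the
# endpoints of a VM-name-based DFW rule to IPs before publishing it to ESXi.
# Inventory is constructed here; a real audit would pull it from vCenter
# (e.g. pyvmomi) and NSX IP discovery. All names and fields are assumptions.
import ipaddress

# Constructed inventory: guest_ips are what VMware Tools reports to vCenter,
# snooped_ips are what NSX DHCP/ARP snooping learned on the vNIC.
INVENTORY = {
    "web01": {"tools_running": True, "guest_ips": ["10.0.1.10"], "snooped_ips": []},
    "db01": {"tools_running": False, "guest_ips": [], "snooped_ips": []},
    "app01": {"tools_running": False, "guest_ips": [], "snooped_ips": ["10.0.3.30"]},
}
# Constructed rules as (rule_id, source, destination); endpoints are VM names or IPs.
RULES = [
    (1001, "web01", "db01"),        # db01 unresolvable: rule never reaches the host
    (1002, "web01", "10.0.2.20"),   # literal IP needs no resolution
    (1003, "app01", "web01"),       # snooping supplies app01's IP
]

def is_ip(value):
    """True for a literal IPv4/IPv6 address, False for anything else (e.g. a VM name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def resolve(target, inventory):
    """IPs NSX Manager could bind this endpoint to; an empty set means unresolvable."""
    if is_ip(target):
        return {target}
    vm = inventory.get(target)
    if vm is None:
        return set()
    ips = set(vm["snooped_ips"])
    if vm["tools_running"]:       # Tools-reported IPs only exist while Tools is running
        ips.update(vm["guest_ips"])
    return ips

def audit(rules, inventory):
    """Map rule_id -> reason for each rule that would not be published to ESXi."""
    problems = {}
    for rule_id, src, dst in rules:
        for side, target in (("source", src), ("destination", dst)):
            if not resolve(target, inventory):
                problems[rule_id] = f"{side} '{target}' resolves to no IP"
                break
    return problems
```

`audit(RULES, INVENTORY)` returns `{1001: "destination 'db01' resolves to no IP"}`: the rule pointing at the VM without Tools and without snooping is the one that silently never reaches the host, which is the symptom the question describes.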