You can create a SpoofGuard policy to specify the operation mode for specific networks. The system-generated policy applies to port groups and logical switches not covered by existing SpoofGuard policies.


1. Log in to the vSphere Web Client.

2. Click Networking & Security and then click SpoofGuard.

3. Click the Add icon.

4. Type a name for the policy.

5. Select Enabled or Disabled to indicate whether the policy is enabled.

6. For Operation Mode, select one of the following:

   Automatically Trust IP Assignments on Their First Use: Select this option to trust all IP assignments upon initial registration with the NSX Manager.

   Manually Inspect and Approve All IP Assignments Before Use: Select this option to require manual approval of all IP addresses. All traffic to and from unapproved IP addresses is blocked.

7. Click Allow local address as valid address in this namespace to allow local IP addresses in your setup.

   When you power on a virtual machine but it is unable to connect to the DHCP server, a local IP address is assigned to it. This local IP address is considered valid only if the SpoofGuard mode is set to Allow local address as valid address in this namespace. Otherwise, the local IP address is ignored.

8. Click Next.

9. To specify the scope for the policy, click Add and select the networks, distributed port groups, or logical switches that this policy should apply to.

   A port group or logical switch can belong to only one SpoofGuard policy.

10. Click OK and then click Finish.

You can edit a policy by clicking the Edit icon and delete a policy by clicking the Delete icon.
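
Before creating several policies, it can help to check the plan against the rules in this procedure. The following Python sketch is an added example (not VMware code and not part of the original page): it flags networks placed in more than one policy, resolves which policy covers each network, and shows how an address would be treated under each operation mode. The policy names, network identifiers and the default policy's mode are constructed, and reading "local IP address" as a link-local address is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

TOFU = "Automatically Trust IP Assignments on Their First Use"
MANUAL = "Manually Inspect and Approve All IP Assignments Before Use"

@dataclass
class Policy:
    name: str
    mode: str
    allow_local: bool = False  # "Allow local address as valid address in this namespace"
    scope: set = field(default_factory=set)

def scope_conflicts(policies):
    """Return networks claimed by more than one policy; each may belong to only one."""
    owners = {}
    for policy in policies:
        for network in policy.scope:
            owners.setdefault(network, []).append(policy.name)
    return {net: names for net, names in owners.items() if len(names) > 1}

def effective_policy(network, policies, default):
    """Policy that covers a network; uncovered networks fall to the system-generated one."""
    return next((p for p in policies if network in p.scope), default)

def classify(ip, policy, approved=frozenset()):
    """How an address reported for a VM is treated under the given policy."""
    # Assumption: "local IP address" means link-local (169.254.0.0/16, fe80::/10).
    if ipaddress.ip_address(ip).is_link_local and not policy.allow_local:
        return "ignored"
    if policy.mode == MANUAL:
        return "allowed" if ip in approved else "blocked until approved"
    return "trusted on first use"

# Constructed sample plan; names and network identifiers are hypothetical.
DEFAULT = Policy("system-generated default", TOFU)  # mode chosen for the example
PLAN = [
    Policy("dmz-manual", MANUAL, scope={"dvportgroup-dmz", "ls-web"}),
    Policy("app-tofu", TOFU, allow_local=True, scope={"ls-app", "ls-web"}),
]

if __name__ == "__main__":
    print("scope conflicts:", scope_conflicts(PLAN))
    for net in ("dvportgroup-dmz", "ls-app", "ls-db"):
        pol = effective_policy(net, PLAN, DEFAULT)
        for ip in ("10.0.0.5", "169.254.10.5"):
            print(f"{net:16} {pol.name:24} {ip:14} {classify(ip, pol)}")
```

In this constructed plan, `ls-web` is reported as a conflict because it appears in two scopes, and `ls-db` falls to the system-generated policy because no custom policy covers it.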