Is it possible that the Proxy ARP mechanism, which uses the ARP or DHCP protocols to discover IP and MAC addresses, may be enabled/disabled at the Logical Switch level? Also, do the rules contain a MAC-Set or object level?
The following links may be helpful:
http://www.sneaku.com/2015/08/28/nsx-v-6-2-whats-new-ip-discovery/
New IP address discovery mechanisms for VMs: Authoritative enforcement of security policies based on VM names or other vCenter-based attributes requires that NSX know the IP address of the VM. In NSX 6.1 and earlier, IP address discovery for each VM relied on the presence of VMware Tools (vmtools) on that VM or the manual authorization of the IP address for that VM. NSX 6.2 introduces the option to discover the VM’s IP address using DHCP snooping or ARP snooping. These new discovery mechanisms enable NSX to enforce IP address-based security rules on VMs that do not have VMware Tools installed.
The VXLAN ARP suppression mechanism, using sw-sec, updates the Controllers through VM IP Update messages (which include the IP and MAC address of the VM), since the rule-set on the vNIC should contain only IP addresses and MAC addresses.
https://telecomoccasionally.wordpress.com/2014/10/27/nsx-v-under-the-hood-vxlan-arp-suppression/
NSX Distributed Firewall Deep Dive – VMware Professional Services
Slot 1: sw-sec (Switch Security): the sw-sec module learns VMs' IP and MAC addresses. sw-sec is a critical component that captures DHCP ACK and ARP broadcast messages and forwards this information as unicast to the NSX Controller to perform the ARP suppression feature. sw-sec is the layer where NSX IP SpoofGuard is implemented.
Cluster, DC, VDS port-group, Logical Switch, IPSets, Resource Pool, vApp, VM, vNIC and Security Groups. The NSX firewall enforcement point at VMware-sfw can only understand IP addresses or MAC addresses.
NSX Edge and L2 (MAC-Set) Rule not working
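The answers above describe two things working together: sw-sec snooping ARP broadcasts and DHCP ACKs to learn each vNIC's IP/MAC pair, and the firewall translating object-based rules (Security Groups, VM names) into plain IP/MAC sets because vmware-sfw understands nothing else. The following is an added, constructed illustration of that pipeline in Python; it is not VMware or NSX code. The packet builders, the VM/MAC inventory, the Security Group membership, the rule format and all addresses are made-up sample data, and the IP/UDP checksums in the constructed DHCP frame are left at zero. The point it shows is the failure mode implied by the text: a VM whose IP was never learned (no VMware Tools, and only an ARP probe with a zero sender address seen so far) drops out of an object-based rule entirely, so the rule cannot match its traffic.

```python
import struct

# Toy model of ARP/DHCP snooping feeding object-to-IP rule translation.
# Constructed example; not NSX code. Addresses and names are invented.
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
BROADCAST = b"\xff" * 6


def _mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):  # "10.0.0.1" -> 4 bytes
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed Ethernet/ARP 'who-has' broadcast, as a VM would send it."""
    eth = BROADCAST + _mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
    arp += _mac(sender_mac) + _ip(sender_ip) + b"\x00" * 6 + _ip(target_ip)
    return eth + arp


def build_dhcp_ack(client_mac, offered_ip, server_ip="10.0.0.2"):
    """Constructed DHCPACK (server -> client); IP/UDP checksums left zero."""
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)        # op=2 (reply)
    bootp += _ip("0.0.0.0") + _ip(offered_ip) + _ip(server_ip) + _ip("0.0.0.0")
    bootp += _mac(client_mac) + b"\x00" * 10 + b"\x00" * 64 + b"\x00" * 128
    bootp += b"\x63\x82\x53\x63" + bytes([53, 1, 5, 255])           # option 53 = ACK
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip(server_ip), _ip(offered_ip)) + udp
    eth = _mac(client_mac) + _mac("00:50:56:00:00:02") + struct.pack("!H", ETH_IPV4)
    return eth + ip


def _dhcp_msg_type(opts):
    """Walk DHCP options and return the value of option 53, or None."""
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if code == 53 and length == 1 and i + 2 < len(opts):
            return opts[i + 2]
        i += 2 + length
    return None


def snoop(frame):
    """Return ('arp'|'dhcp', mac, ip) learned from one frame, else None.
    Mirrors what a sw-sec style snooper extracts: ARP sender fields, DHCPACK chaddr/yiaddr."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) == (1, ETH_IPV4, 6, 4):
            sha, spa = frame[22:28], frame[28:32]
            if spa != b"\x00" * 4:          # ARP probe: sender IP unknown, nothing to learn
                return "arp", mac_str(sha), ip_str(spa)
    elif ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl, proto, udp = (frame[14] & 0x0F) * 4, frame[23], 14 + (frame[14] & 0x0F) * 4
        if proto == 17 and len(frame) >= udp + 8:
            sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
            bootp = udp + 8
            if (sport, dport) == (67, 68) and len(frame) >= bootp + 240 and frame[bootp] == 2:
                yiaddr, chaddr = frame[bootp + 16:bootp + 20], frame[bootp + 28:bootp + 34]
                if _dhcp_msg_type(frame[bootp + 240:]) == 5:   # only a DHCPACK binds the lease
                    return "dhcp", mac_str(chaddr), ip_str(yiaddr)
    return None


def learn(frames):
    """Build the vNIC table (MAC -> IP) that would be pushed toward the Controller."""
    table = {}
    for f in frames:
        hit = snoop(f)
        if hit:
            _, mac, ip = hit
            table[mac] = ip
    return table


def translate_rule(rule, groups, vnic_macs, learned):
    """Expand a vCenter-object rule into the IP sets enforced per vNIC.
    VMs with no learned IP are reported as unresolved: the rule cannot match them."""
    out = {"name": rule["name"], "action": rule["action"],
           "src_ips": set(), "dst_ips": set(), "unresolved": []}
    for side in ("src", "dst"):
        for vm in groups[rule[side]]:
            ip = learned.get(vnic_macs[vm])
            out["unresolved"].append(vm) if ip is None else out[side + "_ips"].add(ip)
    return out


# Constructed inventory, group membership and traffic sample (hypothetical values).
VNIC_MACS = {"web-01": "00:50:56:aa:00:01", "web-02": "00:50:56:aa:00:02",
             "db-01": "00:50:56:bb:00:01"}
GROUPS = {"SG-Web": ["web-01", "web-02"], "SG-DB": ["db-01"]}
RULE = {"name": "web-to-db", "src": "SG-Web", "dst": "SG-DB", "action": "allow"}
FRAMES = [
    build_dhcp_ack("00:50:56:aa:00:01", "10.0.1.11"),                 # web-01 via DHCP
    build_arp_request("00:50:56:bb:00:01", "10.0.2.21", "10.0.2.1"),  # db-01 via ARP
    build_arp_request("00:50:56:aa:00:02", "0.0.0.0", "10.0.1.12"),   # web-02: probe only
]


def demo():
    return translate_rule(RULE, GROUPS, VNIC_MACS, learn(FRAMES))


if __name__ == "__main__":
    print(demo())
```

Running it shows `web-02` listed as unresolved: its only frame was an ARP probe with a zero sender address, so no IP was ever bound to its MAC and the object-based rule has nothing to enforce for it. That is the operational reason a discovery method (VMware Tools, DHCP snooping, ARP snooping, or a manually authorized IP) must exist for every VM covered by an object-based rule, and the SpoofGuard view of each vNIC is the first place to check when such a rule appears not to apply.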