You can create a custom switch security switching profile with MAC destination addresses from the allowed BPDU list and configure rate limiting.


Familiarize yourself with the switch security switching profile concept. See Understanding Switch Security Switching Profile.


  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Select Networking > Switching from the navigation panel.
  3. Click the Switching Profiles tab.
  4. Click Add and select Switch Security.
  5. Complete the switch security profile details.
    Option Description
    Name and Description

    Assign a name to the custom switch security profile.

    You can optionally describe the setting that you modified in the profile.

    BPDU Filter

    Toggle the BPDU filter button to enable BPDU filtering.

    When the BPDU filter is enabled, all of the traffic to BPDU destination MAC address is blocked. The BPDU filter when enabled also disables STP on the logical switch ports because these ports are not expected to take part in STP.

    BPDU Filter Allow List Click the destination MAC address from the BPDU destination MAC addresses list to allow traffic to the permitted destination.
    DHCP Filter

    Toggle the Server Block button and Client Block button to enable DHCP filtering.

    DHCP Server Block blocks traffic from a DHCP server to a DHCP client. Note that it does not block traffic from a DHCP server to a DHCP relay agent.

    DHCP Client Block prevents a VM from acquiring a DHCP IP address by blocking DHCP requests.

    Block Non-IP Traffic

    Toggle the Block Non-IP Traffic button to allow only IPv4, IPv6, ARP, GARP and BPDU traffic.

    The rest of the non-IP traffic is blocked. The permitted IPv4, IPv6, ARP, GARP and BPDU traffic is based on other policies set in address binding and SpoofGuard configuration.

    By default, this option is disabled to allow non-IP traffic to be handled as regular traffic.

    Rate Limits

    Set a rate limit for the ingress or egress Broadcast and Multicast traffic.

    Rate limits are configured to protect the logical switch or the VM from for example, broadcast traffic storms.

    To avoid any connectivity problems, the minimum rate limit value must be >= 10 pps.

  6. Click Add.


A custom switch security profile appears as a link.

What to do next

Attach this switch security customized switching profile to a logical switch or logical port so that the modified parameters in the switching profile are applied to the network traffic. See Associate a Custom Profile with a Logical Switch or Associate a Custom Profile with a Logical Port.