You can create a custom switch security switching profile with MAC destination addresses from the allowed BPDU list and configure rate limiting.
Prerequisites
-
Familiarize yourself with the switch security switching profile concept. See Understanding Switch Security Switching Profile.
-
Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.
Procedure
- With admin privileges, log in to NSX Manager.
- Select .
- Click the Switching Profiles tab.
- Click Add and select Switch Security.
- Complete the switch security profile details.
Option Description Name and Description Assign a name to the custom switch security profile.
You can optionally describe the setting that you modified in the profile.
BPDU Filter Toggle the BPDU Filter button to enable BPDU filtering. Disabled by default.
When the BPDU filter is enabled, all of the traffic to BPDU destination MAC address is blocked. The BPDU filter when enabled also disables STP on the logical switch ports because these ports are not expected to take part in STP.
BPDU Filter Allow List Click the destination MAC address from the BPDU destination MAC addresses list to allow traffic to the permitted destination. You must enable BPDU Filter to be able to select from this list. DHCP Filter Toggle the Server Block button and Client Block button to enable DHCP filtering. Both are disabled by default.
DHCP Server Block blocks traffic from a DHCP server to a DHCP client. Packets whose UDP destination port number is 68 are blocked. Note that it does not block traffic from a DHCP server to a DHCP relay agent and DHCP Server replying to a DHCP relay agent must have DHCP Client Block disabled.
DHCP Client Block prevents a VM from acquiring a DHCP IP address by blocking DHCP requests. Packets whose UDP destination port number is 67 are blocked.
DHCPv6 Filter Toggle the V6 Server Block button and V6 Client Block button to enable DHCP filtering. Both are disabled by default.
DHCPv6 Server Block blocks traffic from a DHCPv6 server to a DHCPv6 client. Packets whose UDP destination port number is 546 are blocked. Note that it does not block traffic from a DHCPv6 server to a DHCPv6 relay agent and DHCPv6 Server replying to a DHCPv6 relay agent must have DHCPv6 Client Block disabled.
DHCPv6 Client Block prevents a VM from acquiring a DHCPv6 IP address by blocking DHCPv6 requests. Packets whose UDP destination port number is 547 are blocked.
Block Non-IP Traffic Toggle the Block Non-IP Traffic button to allow only IPv4, IPv6, ARP, and BPDU traffic.
The rest of the non-IP traffic is blocked. The permitted IPv4, IPv6, ARP, GARP and BPDU traffic is based on other policies set in address binding and SpoofGuard configuration.
By default, this option is disabled to allow non-IP traffic to be handled as regular traffic.
RA Guard Toggle the RA Guard button to filter out ingress IPv6 router advertisements. ICMPv6 type 134 packets are filtered out. This option is enabled by default. Rate Limits Set a rate limit for broadcast and multicast traffic. This option is enabled by default.
Rate limits can be used to protect the logical switch or VMs from events such as broadcast storms.
To avoid any connectivity problems, the minimum rate limit value must be >= 10 pps.
- Click Add.
Results
A custom switch security profile appears as a link.
What to do next
Attach this switch security customized switching profile to a logical switch or logical port so that the modified parameters in the switching profile are applied to the network traffic. See Associate a Custom Profile with a Logical Switch in Manager Mode or Associate a Custom Profile with a Logical Port in Manager Mode.