A virtual machine sending Bridge Protocol Data Unit (BPDU) frames, for example, a VPN client, causes some virtual machines connected to the same port group to lose connectivity. The transmission of BPDU frames might also break the connection of the host or of the parent vSphere HA cluster.
Problem
A virtual machine that is expected to send BPDU frames causes the traffic to the external network of the virtual machines in the same port group to be blocked.
If the virtual machine runs on a host that is a part of a vSphere HA cluster, and the host becomes network-isolated under certain conditions, you observe Denial of Service (DoS) on the hosts in the cluster.
Cause
As a best practice, a physical switch port that is connected to an ESXi host has the Port Fast and BPDU guard enabled to enforce the boundary of the Spanning Tree Protocol (STP). A standard or distributed switch does not support STP, and it does not send any BPDU frames to the switch port. However, if any BPDU frame from a compromised virtual machine arrives at a physical switch port facing an ESXi host , the BPDU guard feature deactivates the port to stop the frames from affecting the Spanning Tree Topology of the network.
In certain cases a virtual machine is expected to send BPDU frames, for example, when deploying VPN that is connected through a Windows bridge device or through a bridge function. If the physical switch port paired with the physical adapter that handles the traffic from this virtual machine has the BPDU guard on, the port is error-disabled, and the virtual machines and VMkernel adapters using the host physical adapter cannot communicate with the external network anymore.
If the teaming and failover policy of the port group contains more active uplinks, the BPDU traffic is moved to the adapter for the next active uplink. The new physical switch port becomes deactivated, and more workloads become unable to exchange packets with the network. Eventually, almost all entities on the ESXi host might become unreachable.
If the virtual machine runs on a host that is a part of a vSphere HA cluster, and the host becomes network-isolated because most of the physical switch ports connected to it are deactivated, the active primary host in the cluster moves the BPDU sender virtual machine to another host. The virtual machine starts disabling the physical switch ports connected to the new host. The migration across the vSphere HA cluster eventually leads to accumulated DoS across the entire cluster.
Solution
- If the VPN software must continue its work on the virtual machine, allow the traffic out of the virtual machine and configure the physical switch port individually to pass the BPDU frames.
Network Device |
Configuration |
Distributed or standard switch |
Set the Forged Transmit security property on the port group to Accept to allow BPDU frames to leave the host and reach the physical switch port. You can isolate the settings and the physical adapter for the VPN traffic by placing the virtual machine in a separate port group and assigning the physical adapter to the group.
Caution: Setting the Forged Transmit security property to
Accept to enable a host to send BPDU frames carries a security risk because a compromised virtual machine can perform spoofing attacks.
|
Physical switch |
- Keep the Port Fast enabled.
- Enable the BPDU filter on the individual port. When a BPDU frame arrives at the port, it is filtered out.
Note: Do not enable the BPDU filter globally. If the BPDU filter is enabled globally, the Port Fast mode becomes deactivated and all physical switch ports perform the full set of STP functions.
|
- To deploy a bridge device between two virtual machine NICs connected to the same Layer 2 network, allow the BPDU traffic out of the virtual machines and deactivate Port Fast and BPDU loop prevention features.
Network Device |
Configuration |
Distributed or standard switch |
Set the Forged Transmit property of the security policy on the port groups to Accept to allow BPDU frames to leave the host and reach the physical switch port. You can isolate the settings and one or more physical adapters for the bridge traffic by placing the virtual machine in a separate port group and assigning the physical adapters to the group.
Caution: Setting the Forged Transmit security property to
Accept to enable bridge deployment carries a security risk because a compromised virtual machine can perform spoofing attacks.
|
Physical switch |
- Deactivate Port Fast on the ports to the virtual bridge device to run STP on them.
- Deactivate BPDU guard and filter on the ports facing the bridge device.
|
- Protect the environment from DoS attacks in any case by activating the BPDU filter on the ESXi host or on the physical switch.
- On a host that does not have the Guest BPDU filter implemented enable the BPDU filter on the physical switch port to the virtual bridge device.
Network Device |
Configuration |
Distributed or standard switch |
Set the Forged Transmit property of the security policy on the port group to Reject. |
Physical switch |
- Keep the Port Fast configuration.
- Enable the BPDU filter on the individual physical switch port. When a BPDU frame arrives at the physical port, it is filtered out.
Note: Do not enable the BPDU filter globally. If the BPDU filter is enabled globally, the Port Fast mode is deactivated and all physical switch ports perform the full set of STP functions.
|