Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Denial of service due to BPDU Guard configuration (2017193)

Symptoms

  • With a Physical Switch, the Spanning Tree Protocol is enabled to avoid any loops in the network. Typically, network loops are created when customers connect two or more ports of the same switch to an adjacent switch. This loop scenario creates havoc in the network because the same packet is bounced around the loop and ultimately brings the network down. Spanning Tree Protocol detects such loops and blocks certain switch ports to remove the loops. VMware Virtual Switch does not support Spanning Tree Protocol because it differs from the Physical switch in terms of transparent bridging function and topology learning. Virtual Switch has the knowledge where each MAC address is connected to and does not depend on the learning through packet headers and also does not create loops. As a networking best practice, customers should do this configuration on their physical switches:
    • Use PortFast on an ESXi host-facing physical switch ports. With this setting, network convergence on these switch ports takes place quickly after the failure because the port will enter the STP forwarding state immediately, bypassing the listening and learning states.
    • Use the PortFast Bridge Protocol Data Unit (BPDU) guard feature to enforce the STP boundary. This configuration protects against any invalid device connection on the ESXi host-facing access switch ports. As previously mentioned, VDS does not support STP, so it does not send any BPDU frames to the switch port. However, if any BPDU is seen on these ESXi host-facing access switch ports, the BPDU guard feature puts that particular switch port in error-disabled state. The switch port is completely shut down and prevents affecting the Spanning Tree Topology.
  • This setting of PortFast and BPDU Guard could cause issues in customer's virtual infrastructure when a virtual machine starts sending BPDU frames and in turn disables the physical switch port on which the virtual machine traffic is sent across. When the VMware vSphere infrastructure detects the physical switch port failure, it moves the virtual machine traffic to another vmnic connected to  another physical switch port. Now the BPDU packets are seen on this new physical switch port and the switch blocks that port, too. This ultimately causes a Denial of Service attack situation across the virtual infrastructure cluster.
  • In a data center that hosts virtualized servers on the vSphere platform, the default configuration of PortFast and BPDU guard is the recommended configuration. Virtual servers with applications running on them are less prone to generate BPDU frames. However, there are two other scenarios where BPDU frames can be generated in the virtual infrastructure.
    • Valid use case: Customers deploying VPN that is connected through a Windows Bridge device or Bridge function running on a virtual machine.  
    • Security vulnerability: Virtual machine is generating BPDUs.

Purpose

This article provides guidance on the physical switch configuration in such unique scenarios.
 
 

Cause

The DoS attack occurs in the deployments where a client VPN software is running on a virtual machine and BPDU guard is enabled on physical switches.
 
This issue can also occur if a virtual machine is compromised and begins sending BPDU packets.
  

Resolution

This section provides information on unique use cases and the recommended configurations.

Use Case 1: Default (No VPN and no Bridging function on a virtual machine)

On the Virtual Switch:
  • Under Security Properties of the port group,m change Forged Transmit to Reject. This configuration stops the BPDU frames going out to the physical switch ports.
On the Physical Switch:
  • Keep the PortFast and BPDU guard configuration.

Use Case 2: To resolve the issue of VPN deployment on a virtual machine, you must do these configuration changes:

On the Virtual Switch
  • Under Security Properties of the port group, change Forged Transmit to Accept. This configuration allows the BPDU frames to go out on the physical switch ports.
On the Physical Switch
  • Keep the PortFast configuration.
  • Configure BPDU filter on individual physical switch port. With this configuration, when a BPDU is received on the physical port, those packets are filtered out. DO not configure BPDU filter globally. If configured globally, the PortFast mode is disabled and all physical switch ports perform full STP functions.

Use Case 3: Bridge

Bridge running on a virtual machine with two vnics connected to the same layer 2 network. This is the suggested configuration with such deployments.
 
On the Virtual Switch
  • Under Security Properties of the port group, change Forged Transmit to Accept. This configuration allows the BPDU frames to go out on the physical switch ports.
On the Physical Switch
  • Do not choose PortFast configuration. Run STP on the ports where the virtual bridge device is connected to the external switch ports.
  • Do not choose BPDU guard or BPDU filter.

Use Case 4: In Security Vulnerability cases, this configuration protects from any DoS attack 

On the Virtual Switch
  • Under security properties of the port group, change Forged Transmit to Reject. This configuration stops the BPDU frames that go out on the physical switch ports with different source MAC address.
On the Physical Switch
  • Keep the PortFast configuration.
  • Configure BPDU filter on an individual physical switch port. With this configuration, when a BPDU is received on the physical port, those packets are filtered out. Do not configure BPDU filter globally. If configured globally, the PortFast mode is disabled and all physical switch ports perform full STP functions.
Some customers may experience more than one of the issues described in the use cases while running in their virtual infrastructure. These customers can support various use cases by creating different port group configurations for each use case. Customers can define the security specific configuration such as Forged Transmit as Reject or Accept per port group. Depending on the physical switch port configuration requirements, customers can assign the same or different physical NICs to these port groups.

For example, if customers have default use cases 1 and 2 in their environment, they can create two different port groups and configure the Forged Transmit Reject on one port group and Forged Transmit Accept on another. Due to the separate configuration required on the physical switch port side, customers have to associate different physical NICs with the different port groups in this deployment.
 

Impact/Risks

Caution: Be aware of the following risks stemming from the described configuration changes:
  1. Forged Transmit Accept setting to help the deployment of VPN use case opens a security hole where the compromised virtual machine can perform spoofing attacks.
  2. BPDU Filter configuration on an individual switch port interface causes filtering of BPDU frames and thus stops loop detection across the network. The cases where there are loops created in the virtual infrastructure when a virtual machine with two vnics are connected to the same layer, two networks will not be detected through the BPDU filter setting.

Additional Information

Update History

02/25/14 - Added ESXi and vCenter Server 5.1/5.5 to products

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 6 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 6 Ratings
Actions
KB: