HCX Network Extension and BPDUs

This question pops up on occasion in my day to day: How does HCX handle BPDUs?

What is a BPDU? Network Frames (Configuration and Topology Change Notifications) that Spanning Tree uses to build Spanning Tree switch topologies.

Image from the RFC museum.

The short answer: in most best-practice deployments, the HCX L2 appliance (or any other virtual machine) will not see BPDUs. The BPDU question tends to come from vSphere or mobility/migration project staff in regards to the HCX L2 Network Extension appliance, because of the nature of the service it provides. I personally like to consider things holistically, and there are definitely some good general questions that can be asked about BPDUs:


How are BPDUs handled at the network access/TOR layer?

In most datacenter networks, the physical network fabric demarcs the spanning tree domain so that access nodes (ESXi clusters in the case of vSphere Deployments) do not participate by implementing some form of BPDU protection.

Ideally compute nodes will not receive BPDUs. If you live in the world of compute without access to switch configuration, your network team can easily confirm the BPDU configuration at the top-of-rack (TOR) switch. The implementation varies by switch vendor. Here are a few examples:

The filtering configuration may exist globally on Cisco switches:

 spanning-tree portfast bpdufilter default

The configuration may exist per port on Arista switches:

spanning-tree bpdufilter enable

How are BPDUs handled at the Virtual Switch?

Let's say that BPDU filtering is not happening at the TOR. The frames will then enter vSphere land. How does the hypervisor handle BPDUs? In this scenario, one can prevent all virtual machines from seeing BPDUs (and potentially interacting disruptively with spanning tree) by implementing BPDU filtering at the virtual switch. This is well documented in VMware KB 2047822.
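To make the BPDU definition above concrete, and to give a vSphere or VM owner a way to verify that the TOR or virtual switch filter is actually doing its job, here is an added Python example. It is not from the original post and not VMware, HCX or switch-vendor code. It parses raw Ethernet frames (for example, frames pulled from a packet capture taken inside a guest) and classifies IEEE 802.1D Configuration and Topology Change Notification BPDUs by their bridge group address (01:80:c2:00:00:00) and LLC header (DSAP/SSAP 0x42). The sample frames at the bottom are constructed inline for illustration, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# IEEE 802.1D protocol constants (real protocol values, not assumptions)
STP_GROUP_MAC = bytes.fromhex("0180c2000000")   # bridge group address BPDUs are sent to
LLC_STP = b"\x42\x42\x03"                       # DSAP 0x42, SSAP 0x42, UI control field
BPDU_TYPES = {0x00: "Configuration", 0x80: "TopologyChangeNotification", 0x02: "RSTP"}


@dataclass
class Bpdu:
    src_mac: str
    bpdu_type: str
    version: int
    root_id: Optional[str]      # "<priority>/<mac>" for Configuration and RSTP BPDUs
    topology_change: bool       # flags bit 0 of a Configuration/RSTP BPDU


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> Optional[Bpdu]:
    """Return a Bpdu if `frame` (raw Ethernet, no FCS) is an STP BPDU, else None."""
    if len(frame) < 21:                           # 14 (802.3 hdr) + 3 (LLC) + 4 (smallest BPDU)
        return None
    if frame[0:6] != STP_GROUP_MAC:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_STP:  # BPDUs are 802.3/LLC, never Ethernet II
        return None
    body = frame[17:14 + length]
    if len(body) < 4:
        return None
    proto_id, version, btype = struct.unpack("!HBB", body[:4])
    if proto_id != 0 or btype not in BPDU_TYPES:
        return None
    root_id, tc = None, False
    if btype in (0x00, 0x02):
        if len(body) < 35:                        # Configuration BPDU is 35 bytes, RSTP is 36
            return None
        flags = body[4]
        prio = struct.unpack("!H", body[5:7])[0]
        root_id = f"{prio}/{_mac(body[7:13])}"
        tc = bool(flags & 0x01)
    return Bpdu(_mac(frame[6:12]), BPDU_TYPES[btype], version, root_id, tc)


def audit(frames: Iterable[bytes]) -> dict:
    """Count BPDUs by type across a capture. Any non-zero count means the vNIC is
    seeing spanning-tree traffic that the TOR or virtual switch should have filtered."""
    by_type = {name: 0 for name in BPDU_TYPES.values()}
    senders = set()
    for f in frames:
        b = parse_frame(f)
        if b:
            by_type[b.bpdu_type] += 1
            senders.add(b.src_mac)
    return {"by_type": by_type, "senders": sorted(senders)}


def _frame(src_hex: str, body: bytes) -> bytes:
    """Build a constructed 802.3/LLC frame carrying `body` as a BPDU (sample data only)."""
    llc = LLC_STP + body
    return STP_GROUP_MAC + bytes.fromhex(src_hex) + struct.pack("!H", len(llc)) + llc


# Constructed sample frames (not a real capture)
SAMPLE_CONFIG = _frame(
    "001122334455",
    bytes.fromhex("0000" "00" "00" "01")            # proto id 0, version 0, type Config, TC flag set
    + bytes.fromhex("8000" "001122334455")          # root id: priority 32768, root bridge MAC
    + bytes.fromhex("00000000")                     # root path cost
    + bytes.fromhex("8000" "001122334455")          # bridge id
    + bytes.fromhex("8001")                         # port id
    + bytes.fromhex("0000" "1400" "0200" "0f00"),   # msg age, max age 20s, hello 2s, fwd delay 15s
)
SAMPLE_TCN = _frame("00aabbccddee", bytes.fromhex("0000" "00" "80"))
SAMPLE_IPV4 = bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "0800") + b"\x45" + b"\x00" * 19  # Ethernet II

if __name__ == "__main__":
    print(audit([SAMPLE_CONFIG, SAMPLE_TCN, SAMPLE_IPV4]))
```

To run this against real traffic, feed `audit()` the raw bytes of each frame from a capture taken on the guest's vNIC (with scapy, `[bytes(p) for p in rdpcap("guest.pcap")]` gives exactly that). On a correctly filtered network the result should show zero BPDUs of every type; a non-empty `senders` list tells you which upstream bridge MACs are leaking into the compute layer.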


How are BPDUs handled by the HCX Network Extension appliances?

If we are asking this question, the BPDUs have not been prevented from reaching the access layer, and the virtual switch has not been configured to filter those frames. The same question should then be asked of every VM in the environment.

Ideally the vSphere layer is filtering BPDUs before HCX sees them. Ideally+, the physical network is filtering BPDUs before they ever enter the compute edge/access nodes.

If BPDUs are still being passed in and the HCX Network Extension L2 appliance at the source environment receives one, it will forward the BPDU into the target site's NSX overlay, where it will die without being actioned.

HTH – Happy WFH days. Stay safe!


Gabe
