HCX Network Extension and BPDUs

This question pops up on occasion in my day to day: How does HCX handle BPDUs?

What is a BPDU? Bridge Protocol Data Units are the network frames (Configuration and Topology Change Notifications) that Spanning Tree uses to build its switch topologies.

Image from the RFC museum.

The short answer: in most best-practice deployments, the HCX L2 appliance (or other virtual machines) will not see BPDUs. The BPDU question tends to come from vSphere or Mobility/Migration project staff with regard to the HCX L2 Network Extension appliance, because of the nature of the service it provides. I personally like to consider things holistically, and there are definitely some good general questions that can be asked about BPDUs:


How are BPDUs handled at the network access/TOR layer?

In most datacenter networks, the physical network fabric demarcates the spanning tree domain by implementing some form of BPDU protection, so that access nodes (ESXi clusters in the case of vSphere deployments) do not participate.

Ideally, compute nodes will not receive BPDUs. If you live in the world of compute without access to switch configuration, your network team can easily confirm the BPDU configuration at the Top of Rack (TOR) switch. The implementation varies by switch vendor. Here are a few examples:

The filtering configuration may exist globally on Cisco switches:

 spanning-tree portfast bpdufilter default

The configuration may exist per port on Arista switches:

spanning-tree bpdufilter enable

How are BPDUs handled at the Virtual Switch?

Let's say that BPDU filtering is not happening at the TOR. The frames will enter vSphere land. How does the hypervisor handle BPDUs? In this scenario, one can prevent all virtual machines from seeing BPDUs (and potentially interacting disruptively with spanning tree) by implementing BPDU filtering at the virtual switch. This is well documented in VMware KB 2047822.

How are BPDUs handled by the HCX Network Extension appliances?

If we are asking this question, the BPDUs have not been prevented from being sent to the Access Layer, and the Virtual Switch has not been configured to filter those frames. And the same question should be asked of every VM in the environment.

Ideally, the vSphere layer is filtering BPDUs before HCX sees them. Ideally+, the physical network systems are filtering BPDUs so that they never enter the compute edge/access nodes.

If BPDUs are still being passed in and the HCX Network Extension L2 appliance at the source environment receives one, it will forward the BPDU into the target site’s NSX overlay, where it will die without being actioned.
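To confirm whether BPDUs are reaching a port group or being carried across the overlay, frames from a capture can be checked for the spanning tree signature. The sketch below is an added example, not code from this post or from VMware: it recognizes IEEE 802.1D/RSTP BPDUs by destination MAC and LLC header, both native and inside GENEVE on UDP 6081 (the overlay encapsulation). The function names and the sample frames are constructed for illustration.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                # DSAP, SSAP, control used by STP
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rstp/mstp"}
GENEVE_PORT = 6081                       # IANA-assigned UDP port for GENEVE

def _l2(frame):
    """Return (dst_mac, ethertype_or_length, payload), skipping VLAN tags."""
    if len(frame) < 14:
        return None
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 6:
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    return frame[:6], etype, frame[off + 2:]

def classify(frame, depth=0):
    """Return 'bpdu:<type>', 'geneve(vni=N)/bpdu:<type>', or None."""
    parsed = _l2(frame)
    if parsed is None:
        return None
    dst, etype, pl = parsed
    # 802.3 length field + LLC 42/42/03 + protocol id 0x0000 => STP BPDU
    if dst == STP_MAC and etype <= 1500 and pl[:5] == LLC_STP + b"\x00\x00" and len(pl) >= 7:
        return "bpdu:" + BPDU_TYPES.get(pl[6], "unknown")
    # IPv4 + UDP/6081 => GENEVE; look one level down at the inner Ethernet frame
    if etype == 0x0800 and depth == 0 and len(pl) >= 20 and pl[9] == 17:
        udp = pl[(pl[0] & 0x0F) * 4:]
        if len(udp) >= 16 and struct.unpack_from("!H", udp, 2)[0] == GENEVE_PORT:
            gnv = udp[8:]
            inner = gnv[8 + (gnv[0] & 0x3F) * 4:]  # skip base header + options
            hit = classify(inner, 1) if gnv[2:4] == b"\x65\x58" else None
            if hit:
                return f"geneve(vni={int.from_bytes(gnv[4:7], 'big')})/{hit}"
    return None

# Constructed sample frames (not captured traffic); checksums left at zero.
def sample_bpdu(bpdu_type=0x00):
    body = LLC_STP + b"\x00\x00\x00" + bytes([bpdu_type]) + bytes(31)
    return STP_MAC + bytes.fromhex("005056000001") + struct.pack("!H", len(body)) + body

def sample_geneve(inner, vni=5001):
    gnv = b"\x00\x00\x65\x58" + vni.to_bytes(3, "big") + b"\x00" + inner
    udp = struct.pack("!HHHH", 49152, GENEVE_PORT, 8 + len(gnv), 0) + gnv
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes.fromhex("005056000002005056000003") + b"\x08\x00" + ip + udp
```

Cisco PVST+ BPDUs use a different destination MAC and SNAP encapsulation, so this check does not match them.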

HTH – Happy WFH days. Stay safe!



  1. That is not entirely true. Yes, best network practices would recommend configuring the ports going to an ESXi host as “spanning-tree portfast trunk edge” so BPDUs should never go to an ESXi host. And yes, best practices also recommend that the vDS filters/drops BPDUs (but that is not the default).

    So I have actually faced a situation where the on-prem BPDU did reach the HCX NE appliance (because we were stretching a VLAN that had BPDUs), and the BPDU got encapsulated in GENEVE and carried away to the target DC, where it should have died as GENEVE is L3. BUT the client was also doing GENEVE-VLAN bridging, and the BPDU was actually carried to the network on the target side, and the target network BPDU guard blocked the ports to the target hosts that had the NSX Edges (doing the GENEVE-VLAN bridging).

    It is an extreme case, but the answer to your question: HCX NE simply does not filter BPDUs. They are carried and encapsulated to the target env, and there is a potential to cause switching loops or trigger BPDU guard to block packets to the target hosts. You should always ensure that the network is properly configured (on SRC and target) before stretching a portgroup.


    • We’re sort of saying the same thing on different wavelengths. There is no implication that HCX filters BPDUs (this is why I’m even mentioning some of the other mechanisms). More recently I know of a customer who was dropping BPDUs in DFW. When I say “NE does not see” what I mean is that we are not seeing it as a BPDU and taking any action based on that fact, NE simply forwards it.

