5.4 (L1) Host must filter Bridge Protocol Data Unit (BPDU) packets

Information

ESXi's Standard and Distributed Virtual Switches do not support Spanning Tree Protocol (STP), so a BPDU sent by a virtual machine is forwarded unchanged to the physical switch, and the virtual switches are prone to network loops if BPDUs are left unfiltered. A physical switch port protected by BPDU guard shuts down when it receives such a frame; the host then fails over to its next uplink, which is shut down in turn, producing a cascading lockout of the host's uplink interfaces. Setting the Net.BlockGuestBPDU advanced parameter to 1 enables BPDU Filter, which drops BPDU packets from virtual machines before they reach the physical switch. The recommended value is 1.

Configuring Net.BlockGuestBPDU therefore keeps guest-originated BPDUs from disabling the physical switch ports that serve the host, avoiding unintended uplink lockouts and preserving network availability.

Solution

Impact:

Enabling BPDU filtering improves network stability, but it drops every BPDU a virtual machine sends, including legitimate ones from network-oriented workloads. Before enabling this control, confirm that no virtual machine on the ESXi host legitimately generates BPDU packets.
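As an added example (not part of the CIS benchmark or this audit item), the following PowerCLI script reports the Net.BlockGuestBPDU value on every host known to the connected vCenter and, with the hypothetical -Remediate switch, sets it to 1. It assumes VMware PowerCLI is installed and a session has already been opened with Connect-VIServer.

```powershell
# Added example, not the benchmark's or Tenable's own code.
# Audits each ESXi host for Net.BlockGuestBPDU = 1; -Remediate is a hypothetical switch
# that applies the setting instead of only reporting it.
param(
    [switch]$Remediate
)

$settingName   = 'Net.BlockGuestBPDU'
$expectedValue = 1

$results = foreach ($vmhost in Get-VMHost) {
    $setting   = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    $current   = [int]$setting.Value
    $compliant = ($current -eq $expectedValue)

    if (-not $compliant -and $Remediate) {
        # The check cannot tell whether a VM on this host legitimately emits BPDUs;
        # verify that separately (see the Impact note above) before remediating.
        Set-AdvancedSetting -AdvancedSetting $setting -Value $expectedValue -Confirm:$false | Out-Null
        $current   = [int](Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value
        $compliant = ($current -eq $expectedValue)
    }

    [pscustomobject]@{
        Host      = $vmhost.Name
        Setting   = $settingName
        Value     = $current
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job fail while any host is still unfiltered.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

On a single host without vCenter, the equivalent read and write are `esxcli system settings advanced list -o /Net/BlockGuestBPDU` and `esxcli system settings advanced set -o /Net/BlockGuestBPDU -i 1` from the ESXi shell.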

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(3), 800-53|SC-7(4), CSCv7|7.4

Plugin: VMware

Control ID: 4406ca32c006509e8a574a5681a11a359f6e5c31e40670cf4a98cb0659668cf1