BPDU Filter Packet Drops Observed on VM Connected to NSX Segment

Article ID: 401289

Products

VMware NSX

Issue/Introduction

  • Packet drops observed on VM connected to NSX segment.

  • BPDU Filter Drop Count for VM dvPort displays dropped packets.

    Run the following commands from the ESXi host where the VM currently resides:

    1. To display DVS Name and VM dvPort UUID:
       # esxcfg-vswitch -l

    2. To display segment security profile configuration for dvPort:
       # nsxcli -c get switch-security stats <DVS Name> <VM dvPort UUID>

    Thu Jun 19 2025 UTC 08:00:38.289
                               Switch Security Stats
    ---------------------------------------------------------------------------
    
    Rate Limit Bcast Tx Drop Count     : 0
    Rate Limit Bcast Rx Drop Count     : 0
    Rate Limit Mcast Tx Drop Count     : 0
    Rate Limit Mcast Rx Drop Count     : 0
    DHCPv4 Server Block Drop Count     : 0
    DHCPv6 Server Block Drop Count     : 0
    DHCPv4 Client Block Drop Count     : 0
    DHCPv6 Client Block Drop Count     : 0
    BPDU Filter Drop Count             : 146081     <---------
    RA Guard Drop Count                : 0
    Rate Limit Bcast Tx Drop Bytes     : 0
    Rate Limit Bcast Rx Drop Bytes     : 0
    Rate Limit Mcast Tx Drop Bytes     : 0
    Rate Limit Mcast Rx Drop Bytes     : 0
    DHCPv4 Server Block Drop Bytes     : 0
    DHCPv6 Server Block Drop Bytes     : 0
    DHCPv4 Client Block Drop Bytes     : 0
    DHCPv6 Client Block Drop Bytes     : 0
    BPDU Filter Drop Bytes             : 0
    RA Guard Drop Bytes                : 0
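
The counter check above can be scripted against saved command output. This is an added example, not part of the original article or of VMware tooling: the function names and sample text are constructed, and it assumes the stats output was saved as text in the layout shown above and that the counters only increase. It goes beyond the BPDU counter by listing every non-zero drop counter and by comparing two captures to see whether drops are still occurring.

```shell
#!/bin/sh
# Added example: parse saved "get switch-security stats" text (layout as in this article).

# counter_value NAME: print the integer value of one counter read from stdin.
counter_value() {
    awk -F':' -v want="$1" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == want {
            v = $2; gsub(/^[ \t]+/, "", v)
            sub(/[^0-9].*$/, "", v)      # ignore anything after the digits
            print v; exit
        }'
}

# nonzero_drops: print "name=value" for every Drop Count/Bytes counter above zero.
nonzero_drops() {
    awk -F':' '
        /Drop (Count|Bytes)[ \t]*:/ {
            name = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+/, "", v)
            sub(/[^0-9].*$/, "", v)
            if (v != "" && v + 0 > 0) print name "=" v
        }'
}

# counter_delta OLD_FILE NEW_FILE NAME: growth of a counter between two captures.
# Assumption: counters are cumulative, so a positive result means new drops.
counter_delta() {
    old=$(counter_value "$3" < "$1")
    new=$(counter_value "$3" < "$2")
    [ -n "$old" ] && [ -n "$new" ] || return 1   # counter missing from a capture
    echo $((new - old))
}

# Constructed sample in the layout shown above (not captured from a real host).
sample_stats() {
    cat <<'EOF'
    Thu Jun 19 2025 UTC 08:00:38.289
                               Switch Security Stats
    ---------------------------------------------------------------------------

    Rate Limit Bcast Tx Drop Count     : 0
    DHCPv4 Server Block Drop Count     : 0
    BPDU Filter Drop Count             : 146081
    RA Guard Drop Count                : 0
    BPDU Filter Drop Bytes             : 0
EOF
}

sample_stats | nonzero_drops
```

A steadily growing BPDU Filter Drop Count on a VM that is not expected to bridge L2 traffic is worth investigating on the guest, given the causes listed in this article.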
    

Environment

VMware NSX-T Data Center

VMware NSX

Cause

Enabling BPDU filter on an NSX segment security profile blocks (drops) all BPDU frames for each port on the segment:

  • BPDU frames sent from segment-connected VMs will be dropped.
  • For example, VMs running an L2 bridging function or VMs compromised by a security vulnerability may generate and send BPDU frames.
  • Enabling BPDU filter also disables STP on the logical switch ports, as these ports are not expected to take part in STP.
  • BPDU filter is enabled by default for 'default-segment-security-profile'.
  • BPDU filter is disabled by default for newly created segment security profiles.

Resolution

This is a condition that may occur in a VMware NSX environment.

Additional Information

To confirm whether BPDU Filter is enabled on the impacted VM's Segment Security Profile:

NSX UI: Networking > Segments > Profiles (view the impacted VM's Segment Security Profile to confirm that BPDU Filter is enabled).

To view further information about NSX segment security profiles and features:

Create a Segment Security Segment Profile