BPDU Features

This chapter contains the following sections:

Understanding Bridge Protocol Data Unit Features

The following sections describe supported bridge protocol data unit (BPDU) features on the Cisco ACI Virtual Edge with the Cisco APIC. BPDU Guard and BPDU filtering are switch-wide features, and they are applicable only for VM virtual Ethernet (vEth) ports.

BPDU Guard

BPDU Guard prevents loops by moving a nontrunking port into an errdisable state when a BPDU is received on that port. When you enable BPDU Guard on the switch, the interface is moved to blocking state on receiving a BPDU.

BPDU Guard provides a secure response to invalid configurations because the administrator must manually put the interface back in service. To put the interface back in service, disconnect the VM port and then reconnect it to the Cisco ACI Virtual Edge or an EPG port group through vCenter.

BPDU Filtering

BPDU filtering prevents sending and receiving of BPDUs on ports. Any BPDU that is received is dropped when filtering is enabled. BPDU filtering is enabled on VM vEth ports by default. When you enable this feature, Cisco ACI Virtual Edge drops all BPDUs received on uplink ports.


Note
We recommend that you configure BPDU policy in a single policy interface group. Configuring BPDU in multiple policy interface groups leads to inconsistent behavior.

Note

In an L2 switch extended topology, we recommend that you configure BPDU policy through an attached entity profile vSwitch policy override. If the interface policy group is used for configuration, then BPDU Guard or filter is enabled on the Leaf ports. This causes those ports to become error-disabled when they receive BPDU packets from an L2 switch.

For information about configuring BPDU policy through an override policy, see the section "Modifying the Interface Policy Group to Override the vSwitch-Side Policies" in the Cisco Application Virtual Edge Installation Guide.

Configure BPDU Features Using the GUI

Procedure

Step 1

Log in to the Cisco APIC.

Step 2

On the menu bar, choose Fabric > Access Policies.

Step 3

In the Policies navigation pane, expand the Policies and the Interface folders.

Step 4

Right-click the Spanning Tree Interface folder and choose Create Spanning Tree Interface Policy.

Step 5

In the Create Spanning Tree Interface Policy dialog, complete the following actions:

  1. In the Name field, enter a name for the policy.

  2. (Optional) In the Description field, enter a description of the policy.

  3. In the Interface controls area, check the BPDU Guard enabled check box or the BPDU filter enabled check box.

  4. Click Submit to save the policy.

Step 6

Attach the spanning tree interface policy that you created in Step 5 by completing the following steps:

  1. Go to Virtual Networking > Inventory and then expand the VMM Domains and VMware folders.

  2. Click the VMM domain where you want to attach the policy.

  3. Click the VSwitch Policy tab on the right side of the work pane.

  4. From the STP Policy drop-down list, choose the policy that you created in Step 5.

  5. Click Submit.

Step 7

Verify the configuration by opening an ESXi CLI session to the ESXi hypervisor and entering the vemcmd show card command.

Example:

cisco-ave# vemcmd show card
Global BPDU Guard: Enabled && Global BPDU Filter: Enabled
The output indicates that BPDU filtering and BPDU Guard are enabled.