What can cause BPDU packets

jibbajabba Member Posts: 4,317 ■■■■■■■■□□
We had an issue with our VMware infrastructure today where one host went offline. We found out that the Arista switches shut the ports for this host as a VM sent BPDU packets - causing the spanning tree protection to kick in and disable these ports.

At the same time we installed a new Linux VM which was being prepared as a template. Nothing was installed on the VM, this was a plain CentOS install with all patches and iptables / SELinux disabled.

The times of BPDU packets are exactly the time that particular VM powered on.

Now I am lost - what could cause Linux to send out these packets? Bear in mind, there was nothing installed, no switch software / NAT / KVM ... this was a plain 6.3 install "out of the box" - only additional packages were GNOME / XServer ...
My own knowledge base made public: http://open902.com :p

Comments

  • QHalo Member Posts: 1,488
    Have you deployed from that template before and not had this issue?
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    No, this was a fresh VM I intended to turn into a template but didn't get that far. At that point it was a plain VM (not a template yet) sending out that packet for no apparent reason.
  • QHalo Member Posts: 1,488
    Reading comprehension FTW on my part :(

    I'm doing some googling and not coming up with much but bridged NICs and transparent proxy stuff.
  • it_consultant Member Posts: 1,903
    The Arista port must be configured with BPDU guard, which violated the port into a disabled state when it detected BPDUs. I expect it is not the guest that sent the BPDU but the virtual switch in the VMWARE infrastructure. I would disable the BPDU guard on ports plugged into the VMWARE infrastructure since the likelihood of a loop being introduced within the VMWARE infrastructure is pretty low. Or...disable BPDU guard and put the port in 'admin-pt2pt-mac' mode which will allow the switch to "see" the vmware device as a switch. It will still participate in spanning tree but it will learn the port instead of immediately violating the port when it gets a BPDU.
  • wes allen Member Posts: 540 ■■■■■□□□□□
    I have had to disable spanguard on ports with Ubuntu servers and NIC teaming / dual nics (not sure how the server was set up, I just do the switches).
  • QHalo Member Posts: 1,488
    VMware switches don't support Spanning-Tree, so they could never send a BPDU unless it was passed from a VM.

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2032597
  • it_consultant Member Posts: 1,903
    I didn't know that the vswitch did not participate in STP. I looked it up on VMWARE's website and it looks like you can configure the virtual network to block vm BPDUs. This would solve the OP's issue.

    vSphere 5.1 – VDS New Features – BPDU Filter | VMware vSphere Blog - VMware Blogs
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    The VM only had a single NIC and did not do any switching at all.
  • QHalo Member Posts: 1,488
    Take a look at my link. It looks like you can disable the ability to send BPDU from a guest via the CLI in 5.0, but it has to be at least that patch level. While the why is way more important, this would at least give you a starting point. Got a test environment at all?
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    QHalo wrote: »
    Take a look at my link. It looks like you can disable the ability to send BPDU from a guest via the CLI in 5.0, but it has to be at least that patch level. While the why is way more important, this would at least give you a starting point. Got a test environment at all?

    Ah yea thanks a lot. Very useful. One for tomorrow's change control meeting :)
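To work out which guest is emitting the BPDUs discussed in this thread, frames captured on the host uplink or port group can be filtered for spanning-tree traffic and grouped by source MAC. The following is an added example, not code from any post in the thread; it handles only untagged IEEE BPDUs (not VLAN-tagged or Cisco PVST+ frames), and every frame and MAC address in it is constructed sample data.

```python
import struct
from collections import Counter

STP_DST = bytes.fromhex("0180c2000000")  # IEEE bridge group address
LLC_STP = b"\x42\x42\x03"                # DSAP, SSAP, control used by spanning tree
BPDU_TYPES = {0x00: "config", 0x02: "rstp/mstp", 0x80: "tcn"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_bpdu(frame):
    """Return details of an untagged IEEE BPDU frame, or None for anything else."""
    if len(frame) < 21 or frame[0:6] != STP_DST:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:  # 802.3 length + LLC, not an EtherType
        return None
    proto, _version, btype = struct.unpack("!HBB", frame[17:21])
    if proto != 0:
        return None
    info = {"src": mac(frame[6:12]), "type": BPDU_TYPES.get(btype, hex(btype))}
    if btype in (0x00, 0x02) and len(frame) >= 42:
        # flags(1), root id (2+6), root path cost (4), sender bridge id (2+6)
        _rp, root, _cost, prio, bridge = struct.unpack("!xH6sIH6s", frame[21:42])
        info.update(root_mac=mac(root), bridge_priority=prio, bridge_mac=mac(bridge))
    return info

def bpdu_sources(frames):
    """Count BPDUs per source MAC so the sending vNIC can be identified."""
    return Counter(p["src"] for p in map(parse_bpdu, frames) if p)

def build_config_bpdu(src, prio=32768):
    """Construct a config BPDU in which the sender claims to be root (test data)."""
    bridge_id = struct.pack("!H6s", prio, src)
    body = struct.pack("!HBBB", 0, 0, 0x00, 0) + bridge_id + struct.pack("!I", 0)
    body += bridge_id + struct.pack("!5H", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    llc = LLC_STP + body
    return STP_DST + src + struct.pack("!H", len(llc)) + llc

# Constructed sample capture: the MAC and all frames are made up for illustration.
VM_MAC = bytes.fromhex("005056aabbcc")
ARP = b"\xff" * 6 + VM_MAC + b"\x08\x06" + bytes(28)
LLDP = bytes.fromhex("0180c200000e") + VM_MAC + b"\x88\xcc" + bytes(46)
SAMPLE = [build_config_bpdu(VM_MAC), ARP, build_config_bpdu(VM_MAC), LLDP]

if __name__ == "__main__":
    for src, count in bpdu_sources(SAMPLE).items():
        print(f"{src} sent {count} BPDU(s)")
```

The source MAC reported for each BPDU can then be matched against the vNIC MAC addresses of the guests on that host.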