The purpose of globally configured BPDU Guard is to disable (err-disable) all portfast-enabled ports should they ever receive BPDU frames and global BPDU Filter is configured as part of global “portfast” configuration. The purpose of BPDU Filter is to prevent the switch from sending BPDU frames on ports that are enabled with portfast but i want to track which vm sent the bad bpdu.

There is no Spanning Tree support on the ESXi virtual switches and by that no BPDUs being sent. There is also no possibility to enable any BPDU-guard or similar techniques.

When should an ordinary VM send a BPDU?

Check this out:-

http://blog.ioshints.info/2011/11/virtual-switches-need-bpdu-guard.html

as mentioned by the rickardnobel

the vswitch wont generate these, and inside the vm delibarately with some application only you can generate this. As per the best practice you need to enable the portfast, STP and BPDU in the pswitch. Some times when your vm is compromise the hacker can send BPDU packets, thats why you need to enable the BPDU guard in the pswitch

more info on BPDU see below

https://supportforums.cisco.com/docs/DOC-11825

http://www.ciscozine.com/2009/03/17/how-to-protect-against-bpdu-attack/

http://etherealmind.com/basics-whats-the-difference-between-stp-bpdu-guard-and-root-guard/

How to check from these particular VM's BPDU is generated?

Ranjna Aggarwal wrote:

Check this out:-

http://blog.ioshints.info/2011/11/virtual-switches-need-bpdu-guard.html

I must admit I thought this thread was a bit misguided until I read this link.

If it can be put this way:

Imagine I'm a hosting company. A customer owns a VM. Or maybe, a single VM is hacked. Either way, someone has administrative access and can run an application that spoofs BPDUs.

At this point, BPDUGuard on the pswitch drops the HOST port. This is effectively a DoS attack on VMware - sounds like a security issue.

Gopinath Keerthyrajan wrote:

Some times when your vm is compromise the hacker can send BPDU packets, thats why you need to enable the BPDU guard in the pswitch

This means the hacker has the ability to impact on other virtual machines on the host.

Ranjna Aggarwal wrote:

Check this out:-

http://blog.ioshints.info/2011/11/virtual-switches-need-bpdu-guard.html

So your question is actually: if a hacker inside a VM sends a faked BPDU, can we later see which VM sent this frame?

exactly that's my question

For me the answer to this is no, there are no frame tracking functionality inside the vSwitches.

If that would happen, we would have no way to see which VM was the culprit unfortunately.

ngarjuna wrote:

http://blog.ioshints.info/2010/11/vmware-virtual-switch-no-need-for-stp.html

It is an interesting article, but I think it is good to point out what you want to refer to more specifically inside that post?

ngarjuna wrote:

http://blog.ioshints.info/2010/11/vmware-virtual-switch-no-need-for-stp.html

That it's not needed to assure loop free topologies does not mean that the current, non existent implementation is secure.

In ESXi 5.1 there will finally be a solution for this, the new BPDU Block feature will prevent a denial-of-service attack from a VM running on ESXi 5.1.

Not totally obvious how to enable this however: http://rickardnobel.se/esxi-5-1-bdpu-guard

Even if it is not common for a VM to deliberate create faked BPDU frames it is still a dangerous situation where a single VM could shut down the whole host networking and bring all other VMs to a disconnected state.