All port groups must not be configured to VLAN values reserved by upstream physical switches.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of ESXI5-VMNET

Associated with: CCI-000366

SV-51227r1_rule All port groups must not be configured to VLAN values reserved by upstream physical switches.

Vulnerability discussion

Physical vendor-specific switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. Use of reserved VLAN IDs can result in a network denial-of-service.

Check content

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell and Options, respectively. Start the ESXi Shell service, where/as required. Determine the site-specific switch reserved VLAN, configuration requirements via vendor documentation. For example, Cisco Catalyst switches typically reserve VLANs 1001-1024 and 4094 and Nexus switches typically reserve 3968-4047 and 4094. As root, log in to the ESXi Shell and run the command: # esxcli network vswitch standard portgroup list If the VLAN ID is set to a vendor-reserved value, this is a finding. Re-enable Lockdown Mode on the host.

Fix text

Temporarily disable Lockdown Mode and enable the ESXi Shell via the vSphere Client. Open the vSphere/VMware Infrastructure (VI) Client and log in with appropriate credentials. If connecting to vCenter Server, click on the desired host. Click the Configuration tab. Click Software, Security Profile, Services, Properties, ESXi Shell, and Options, respectively. Start the ESXi Shell service, where/as required. As root, log in to the ESXi Shell and run the command to set the value to something other than the vendor-specific reserved value. esxcli network vswitch standard portgroup set --portgroup-name= --vlan-id=; Re-enable Lockdown Mode on the host.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer