The system must ensure there are no unused ports on a distributed virtual port group.

From VMware ESXi Server 5.0 Security Technical Implementation Guide

Part of ESXI5-VMNET

Associated with: CCI-000366

SV-51235r3_rule The system must ensure there are no unused ports on a distributed virtual port group.

Vulnerability discussion

The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network.

Check content

If a vNetwork Distributed Switch (vDS) is not configured, this is not applicable. As administrator, find all dvSwitches from the vSphere Client/vCenter, Home >> Inventory >> Networking view. For any dvSwitches with dvPortgroups, verify the settings for each dvPortgroup. Compare the number of ports in that port group to the number of vNICs connecting to that port group. The number of ports must match, or approximate to the nearest number of menu-selectable ports, the number of vNICs residing in that port group. If the number of ports in the port group does not match (or approximate to the nearest number of menu-selectable ports) the number of VM NICs connecting to that port group, this is a finding.

Fix text

As administrator, find all dvSwitches from the vSphere Client/vCenter: Home >> Inventory >> Networking view. For dvSwitches with dvPortgroups, edit the settings for that dvPortgroup. Limit (match or approximate) the number of ports in that port group to the number of vNICs residing in that port group.
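The comparison the check content describes, automated with VMware PowerCLI as an added example (not part of the STIG text or of VMware's own tooling). It assumes PowerCLI is installed, an active Connect-VIServer session, and that a VM network adapter's NetworkName equals the name of the dvPortgroup it connects to; the Tolerance parameter is an assumption that lets an operator allow for the client's menu-selectable port counts.

```powershell
# Added example: audit dvPortgroup port counts against attached vNICs (check content),
# and preview the remediation from the fix text. Assumes an existing Connect-VIServer session.

function Get-DvPortgroupPortAudit {
    param(
        # Unused ports above this value are reported as a finding. 0 demands an exact match;
        # a small positive value allows for menu-selectable port counts (assumed parameter).
        [int]$Tolerance = 0
    )

    # Count VM network adapters per network name; for distributed port groups,
    # NetworkName is the dvPortgroup name. Adapters with no network are skipped.
    $vnicsByNetwork = @{}
    foreach ($nic in (Get-VM | Get-NetworkAdapter)) {
        if ($nic.NetworkName) {
            $vnicsByNetwork[$nic.NetworkName] = 1 + [int]$vnicsByNetwork[$nic.NetworkName]
        }
    }

    foreach ($dvs in Get-VDSwitch) {
        foreach ($pg in Get-VDPortgroup -VDSwitch $dvs) {
            # Uplink port groups carry physical NICs, not VM vNICs; not in scope for this rule.
            if ($pg.IsUplink) { continue }
            # Ephemeral binding has no fixed port count to compare against.
            if ($pg.PortBinding -eq 'Ephemeral') { continue }

            $vnics  = [int]$vnicsByNetwork[$pg.Name]
            $unused = $pg.NumPorts - $vnics
            [pscustomobject]@{
                Switch      = $dvs.Name
                Portgroup   = $pg.Name
                NumPorts    = $pg.NumPorts
                vNICs       = $vnics
                UnusedPorts = $unused
                Finding     = ($unused -gt $Tolerance)   # spare ports a rogue VM could take
            }
        }
    }
}

# Report only the port groups that fail the check.
Get-DvPortgroupPortAudit | Where-Object Finding | Format-Table -AutoSize

# Remediation per the fix text: size each failing port group to its vNIC count.
# -WhatIf only previews the change; remove it after reviewing the report.
Get-DvPortgroupPortAudit | Where-Object Finding | ForEach-Object {
    Get-VDSwitch -Name $_.Switch | Get-VDPortgroup -Name $_.Portgroup |
        Set-VDPortgroup -NumPorts $_.vNICs -WhatIf
}
```

Run the audit before and after remediation; a port group with UnusedPorts greater than the tolerance is the finding described above.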
