From VMware ESXi Server 5.0 Security Technical Implementation Guide
Part of ESXI5-VMNET
Associated with: CCI-000366
If an ESXi host guest VM is configured to perform a bridging function, the VM will generate BPDU frames to send out to the VDS. The VDS forwards the BPDU frames through the network adapter to the physical switch port. When the switch port configured with "BPDU guard" receives the BPDU frame, the switch will disable the port and the VM will lose connectivity. To avoid this network failure scenario while running a software-bridging function on an ESXi host, the "portfast" and "BPDU guard" configuration must be disabled on the port and spanning tree protocol must be enabled.
Organization and vendor specific check. Ask the SA if any ESXi host guest VM is configured to perform a bridging function. If any host VM is configured to perform a bridging function, ask the SA to confirm that port spanning tree protocol is enabled. Note that this check refers to an entity outside the scope of the ESXi server system. If a guest VM is configured to perform a bridging function and spanning tree protocol is not enabled, this is a finding.
Organization and vendor specific fix. If a guest VM is configured to perform a bridging function, enable spanning tree protocol for the VMs switch port. Note that this check refers to an entity outside the scope of the ESXi server system.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer