All port groups must be configured to a value other than that of the native VLAN.

From VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide

Part of SRG-APP-000516

Associated with: CCI-000366

SV-78463r1_rule All port groups must be configured to a value other than that of the native VLAN.

Vulnerability discussion

ESXi does not use the concept of a native VLAN. Frames with a VLAN specified in the port group will carry a tag, but frames whose port group has no VLAN specified are not tagged and therefore end up belonging to the native VLAN of the physical switch. For example, frames on VLAN 1 from a Cisco physical switch will be untagged, because VLAN 1 is considered the native VLAN. However, frames from ESXi specified as VLAN 1 will be tagged with a "1"; therefore, traffic from ESXi that is destined for the native VLAN will not be correctly forwarded (because it is tagged with a "1" instead of being untagged), and traffic from the physical switch originating on the native VLAN will not be visible to those VMs (because it is not tagged). If an ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs will not be visible to the native VLAN on the switch, because the switch is expecting untagged traffic.

Check content

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Review the port group VLAN tags and verify they are not set to the native VLAN ID of the attached physical switch.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

Get-VDPortgroup | select Name, VlanConfiguration

If any port group is configured with the native VLAN of the ESXi host's attached physical switch, this is a finding.

Fix text

From the vSphere Web Client go to Networking >> Select a distributed port group >> Manage >> Settings >> Policies. Click Edit and under the VLAN section change the VLAN ID to a non-native VLAN and click OK.

or

From a PowerCLI command prompt while connected to the vCenter server run the following command:

Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
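The check and fix above can be driven from one PowerCLI script that compares every distributed port group against the switch's native VLAN and, only on request, applies the same Set-VDVlanConfiguration change. This is an added example, not part of the STIG or of PowerCLI; it assumes an existing Connect-VIServer session, that VlanConfiguration exposes VlanType and VlanId and that VDPortgroup exposes IsUplink and VDSwitch, and it defaults the native VLAN to 1 only because the discussion above cites VLAN 1 on a Cisco switch.

```powershell
# Added audit example (not from the STIG): report distributed port groups whose
# VLAN tag equals the physical switch's native VLAN (SV-78463r1_rule).
# Assumptions: Connect-VIServer already run; VlanConfiguration has VlanType
# ('Vlan', 'Trunk', 'PrivateVlan', 'None') and, for type 'Vlan', VlanId;
# VDPortgroup has IsUplink and VDSwitch. The native VLAN ID is site-specific;
# 1 is only the default because the STIG discussion uses Cisco VLAN 1 as its example.
param(
    [int]$NativeVlanId = 1,
    [switch]$Remediate,           # opt-in: apply the STIG fix to each finding
    [int]$ReplacementVlanId       # non-native VLAN to move findings to
)

$findings = foreach ($pg in Get-VDPortgroup) {
    # Uplink port groups carry no access VLAN tag and are out of scope here
    if ($pg.IsUplink) { continue }
    $cfg = $pg.VlanConfiguration
    # Only a single access VLAN can collide with the native VLAN; trunk and
    # private VLAN configurations are reported separately for manual review
    if ($cfg.VlanType -eq 'Vlan' -and $cfg.VlanId -eq $NativeVlanId) {
        [pscustomobject]@{
            PortGroup = $pg.Name
            Switch    = $pg.VDSwitch.Name
            VlanId    = $cfg.VlanId
            Status    = 'FINDING: tagged with native VLAN'
        }
    }
}

if (-not $findings) {
    "No distributed port group is tagged with native VLAN $NativeVlanId."
    return
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    if (-not $ReplacementVlanId -or $ReplacementVlanId -eq $NativeVlanId) {
        throw "Provide -ReplacementVlanId with a non-native VLAN before remediating."
    }
    foreach ($f in $findings) {
        # Same cmdlet as the STIG fix text; -Confirm prompts once per port group
        Get-VDPortgroup -Name $f.PortGroup |
            Set-VDVlanConfiguration -VlanId $ReplacementVlanId -Confirm
    }
}
```

Run it without -Remediate to produce the finding list for the check; rerun with -Remediate -ReplacementVlanId <non-native VLAN> after the network team confirms the target VLAN is trunked to the ESXi uplinks.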
