External physical switch ports configured for EST mode are configured with spanning-tree enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15820 | ESX0290 | SV-16759r1_rule | Medium |
| Description |
|---|
| EST mode has a one-to-one relationship, the number of VLANs supported on the ESX Server system is limited to the number of physical network adapter ports assigned to the VMkernel. EST is enabled when the port group’s VLAN ID is set to 0 or left blank. Due to the integration of the ESX Server into the physical network, the physical network adapters will need to have spanning-tree disabled or portfast configured for external switches, since VMware virtual switches do not support STP. If these are not set, potential performance and connectivity issues could arise. Virtual switch uplinks do not create loops within the physical switch network. |
| STIG | Date |
|---|---|
| VMware ESX 3 Server | 2016-05-13 |
Details
| Check Text ( C-16130r1_chk ) |
|---|
| Request a copy of the external switch configuration that the ESX Server is connected to. Work with the network reviewer and system administrator to review the configuration to ensure that either spanning-tree is disabled for those ports or spanning-tree is configured to portfast. If either one of these conditions is not configured, this is a finding. Cisco IOS panning-tree portfast: Switch# show running-config interface Interface gigabit 5/1 No ip address Switchport Switchport access vlan Switchport mode access Spanning-tree portfast End Switch# Cisco IOS spanning-tree disabled: Switch# show running config …. No spanning-tree vlan …. Should see the VLAN number in the no spanning-tree vlan command. |
| Fix Text (F-15772r1_fix) |
|---|
| Disable spanning-tree or configure spanning-tree to portfast for the external switch ports. |