Virtual switch port group is configured to VLAN 4095.


Overview

Finding ID: V-15809
Version: ESX0200
Rule ID: SV-16748r1_rule
IA Controls:
Severity: Medium
Description
The VLAN ID restricts port group traffic to a logical Ethernet segment within the physical network. Port groups may have a VLAN ID of 0 to 4095. Port groups configured with VLAN ID 4095 are able to reach other port groups located on other VLANs. Basically, VLAN ID 4095 specifies that the port group should use trunk mode or VGT (Virtual Guest Tagging) mode, which allows the guest operating system to manage its own VLAN tags. Guest operating systems typically do not manage their VLAN membership on networks. VLANs 1001 through 1024 are Cisco reserved VLANs. VLANs 1, 1001 to 1024, and 4095 will not be used for virtual switch port groups since they may cause unexpected operation.
STIG: VMware ESX 3 Virtual Center
Date: 2016-05-03

Details

Check Text ( C-16051r1_chk )
1. Log into VirtualCenter with the VI Client and select the ESX server from the inventory panel.
2. Click the Configuration tab and click Networking.
Virtual switches are presented in a layout that shows an overview and details.
3. On the right side of the window, click Properties for a network.
4. Click the Ports tab.
5. In the Properties dialog box for the port group, click the General tab to check the VLAN ID. If the VLAN ID is set to 4095, this is a finding.

Caveat: This check is Not Applicable if the number of VLANs needed for the virtual machine exceeds 4 VLANs, and it is documented with the IAO/SA.
Fix Text (F-15753r1_fix)
Do not configure virtual switch port group VLAN IDs to be VLAN 1, 1001-1024, or 4095.
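The check above is a manual VI Client walk-through, and the fix text names three ranges (1, 1001-1024, 4095). The following script is an added example, not part of the STIG or of any VMware tool, that applies the same rule to a port group inventory so the finding status (Open or Not Applicable per the caveat) is reproducible rather than eyeballed. The inventory list and the `documented_vgt_exceptions` parameter are constructed assumptions; in practice the VLAN IDs would be pulled from the host (for example with PowerCLI's Get-VirtualPortGroup) before being fed to this function.

```python
"""Audit virtual switch port group VLAN IDs against STIG finding V-15809 (ESX0200).

Added example; the inventory below is constructed, not taken from a real host.
"""

# VLAN IDs the finding says must not be used for virtual switch port groups.
VGT_VLAN = 4095                      # trunk / Virtual Guest Tagging mode
DEFAULT_VLAN = 1                     # default VLAN
CISCO_RESERVED = range(1001, 1025)   # 1001-1024 inclusive

# Constructed sample inventory: one dict per port group, as an audit script
# might collect it from the host's virtual switch configuration.
SAMPLE_PORT_GROUPS = [
    {"vswitch": "vSwitch0", "port_group": "Service Console", "vlan": 0},
    {"vswitch": "vSwitch0", "port_group": "VM Network", "vlan": 100},
    {"vswitch": "vSwitch1", "port_group": "Legacy-Net", "vlan": 1},
    {"vswitch": "vSwitch1", "port_group": "Trunk-To-Guest", "vlan": 4095},
    {"vswitch": "vSwitch2", "port_group": "Reserved-Test", "vlan": 1010},
]


def classify_vlan(vlan_id):
    """Return None if the VLAN ID is acceptable, otherwise a short reason string."""
    if not 0 <= vlan_id <= 4095:
        return "invalid VLAN ID (valid range is 0-4095)"
    if vlan_id == VGT_VLAN:
        return "VLAN 4095 (VGT/trunk mode: guest OS manages its own VLAN tags)"
    if vlan_id == DEFAULT_VLAN:
        return "VLAN 1 (default VLAN)"
    if vlan_id in CISCO_RESERVED:
        return "VLAN 1001-1024 (Cisco reserved range)"
    return None


def audit_port_groups(port_groups, documented_vgt_exceptions=frozenset()):
    """Evaluate every port group and return a list of finding records.

    documented_vgt_exceptions (hypothetical parameter): names of port groups
    for which the caveat applies, i.e. the VM needs more than four VLANs and
    the use of VGT mode is documented with the IAO/SA. Those VLAN 4095 port
    groups are reported as "Not Applicable" instead of "Open". The caveat only
    covers 4095; VLAN 1 and the reserved range are always "Open".
    """
    findings = []
    for pg in port_groups:
        reason = classify_vlan(pg["vlan"])
        if reason is None:
            continue
        status = "Open"
        if pg["vlan"] == VGT_VLAN and pg["port_group"] in documented_vgt_exceptions:
            status = "Not Applicable"
        findings.append({
            "vswitch": pg["vswitch"],
            "port_group": pg["port_group"],
            "vlan": pg["vlan"],
            "status": status,
            "reason": reason,
        })
    return findings


def open_findings(port_groups, documented_vgt_exceptions=frozenset()):
    """Convenience wrapper: only the findings that still count as Open."""
    return [f for f in audit_port_groups(port_groups, documented_vgt_exceptions)
            if f["status"] == "Open"]


if __name__ == "__main__":
    # Run the audit twice: once with no exceptions, once with the trunk port
    # group documented as a VGT exception under the caveat.
    for exceptions in (frozenset(), frozenset({"Trunk-To-Guest"})):
        print("Documented VGT exceptions:", sorted(exceptions) or "none")
        for f in audit_port_groups(SAMPLE_PORT_GROUPS, exceptions):
            print("  %-9s %-16s VLAN %-4d %-14s %s"
                  % (f["vswitch"], f["port_group"], f["vlan"], f["status"], f["reason"]))
```

Only port groups that match one of the three ranges are reported, so a clean host produces an empty list; the caveat is modelled as an explicit allow-list rather than inferred from the configuration, because the "more than four VLANs and documented with the IAO/SA" condition is an administrative fact the host itself cannot attest to.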