UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Virtual switch VLANs must be fully documented and have only the required VLANs.


Overview

Finding ID Version Rule ID IA Controls Severity
ESXI5-VMNET-000004 ESXI5-VMNET-000004 ESXI5-VMNET-000004_rule Low
Description
When defining a physical switch port for trunk mode, only specified VLANs must be configured on the VLAN trunk link. The risk with not fully documenting all VLANs on the vSwitch is that it is possible that a physical trunk port might be configured without needed VLANs, or with unneeded VLANs, potentially enabling an administrator to either accidentally or maliciously connect a VM to an unauthorized VLAN.
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-ESXI5-VMNET-000004_chk )
Both standard and distributed vSwitch configurations can be viewed in the vSphere Client. For vSwitch: Home>> Inventory>> Hosts and Clusters, then select an ESXi host in Inventory panel on left. In the Configuration tab, Hardware window, under Networking, select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home>> Inventory>> Networking and for each dvSwitch in the inventory, and for each dvPortGroup in each dvSwitch, select Edit Settings>> Policies>> VLAN and verify the recorded VLAN IDs. If the system VLAN IDs do not match the VLAN IDs on record, this is a finding.
Fix Text (F-ESXI5-VMNET-000004_fix)
Both standard and distributed vSwitch configurations can be viewed in the vSphere Client. For vSwitch: Home>> Inventory>> Hosts and Clusters, then select an ESXi host in Inventory panel on left. In the Configuration tab, Hardware window, under Networking, select each vSwitch, and for each port group on the vSwitch, verify and record the VLAN IDs used. For dvSwitches, go to Home>> Inventory>> Networking and for each dvSwitch in the inventory, and for each dvPortGroup in each dvSwitch, select Edit Settings>> Policies>> VLAN and record all VLAN IDs.