
The system must ensure there are no unused ports on a distributed virtual port group.


Overview

Finding ID: ESXI5-VMNET-000020
Version: ESXI5-VMNET-000020
Rule ID: ESXI5-VMNET-000020_rule
IA Controls: (none listed)
Severity: Low
Description
The number of ports available on a dvSwitch distributed port group must be adjusted to exactly match the number of virtual machine vNICs that need to be assigned to that dvPortgroup. Limiting the number of ports to just what is needed also limits the accidental or malicious potential to move a virtual machine to an unauthorized network. This is especially relevant if the management network is on a dvPortgroup, because it could help prevent putting a rogue virtual machine on this network.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text ( C-ESXI5-VMNET-000020_chk )
As administrator, find all dvSwitches from the vSphere Client/vCenter, Home>> Inventory>> Networking view. For any dvSwitches with dvPortgroups, verify the settings for that dvPortgroup. Compare the number of ports in that port group to the number of allowed VM NICs connecting to that port group. The number of vNICs must match the number of ports in that port group.

If the number of ports in the port group exceeds the number of VM NICs connecting to that port group, this is a finding.
Fix Text (F-ESXI5-VMNET-000020_fix)
As administrator, find all dvSwitches from the vSphere Client/vCenter:
Home>> Inventory>> Networking view.

For any dvSwitches with dvPortgroups, edit the settings for that dvPortgroup. Limit the number of ports in that port group to the number of allowed VM NICs connecting to that port group.
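The check and fix above can be automated with PowerCLI. The following script is an added example, not part of the STIG; it assumes PowerCLI with an open Connect-VIServer session to the vCenter that owns the dvSwitches, that port group names are unique in that vCenter, and that the VDPortgroup object exposes the IsUplink, NumPorts and Name properties.

```powershell
# Added example (not part of the STIG): report every distributed port group whose
# port count exceeds the number of VM vNICs connected to it (the check text), and
# optionally shrink it to that count (the fix text).
# Assumes an active Connect-VIServer session to vCenter.
param(
    [switch]$Remediate   # when set, apply Set-VDPortgroup -NumPorts to oversized groups
)

# Count VM vNICs per port group name. Assumption: port group names are unique
# in this vCenter, so NetworkName on the adapter identifies the dvPortgroup.
$vnicCounts = @{}
foreach ($nic in (Get-VM | Get-NetworkAdapter)) {
    if ($nic.NetworkName) {
        $vnicCounts[$nic.NetworkName] = 1 + [int]$vnicCounts[$nic.NetworkName]
    }
}

$findings = @()
foreach ($dvs in Get-VDSwitch) {
    # Uplink port groups carry physical NICs, not VM vNICs, so they are excluded.
    foreach ($pg in (Get-VDPortgroup -VDSwitch $dvs | Where-Object { -not $_.IsUplink })) {
        $inUse  = [int]$vnicCounts[$pg.Name]
        $status = if ($pg.NumPorts -gt $inUse) { 'FINDING' } else { 'OK' }
        $findings += [pscustomobject]@{
            Switch    = $dvs.Name
            Portgroup = $pg.Name
            NumPorts  = $pg.NumPorts
            VMvNICs   = $inUse
            Status    = $status
        }
        # Fix text: limit the port count to the number of allowed VM NICs.
        # Groups with zero counted vNICs are left for manual review (see note below).
        if ($Remediate -and $status -eq 'FINDING' -and $inUse -gt 0) {
            Set-VDPortgroup -VDPortgroup $pg -NumPorts $inUse -Confirm:$false | Out-Null
        }
    }
}
$findings | Sort-Object Status, Switch, Portgroup | Format-Table -AutoSize
```

Only VM network adapters are counted, so a dvPortgroup used by VMkernel adapters (for example a management port group) will show zero vNICs and must be sized by hand against its actual connections; run without -Remediate first to review the report.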