7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT)

Information

Port groups should not be configured to VLAN 4095 except for Virtual Guest Tagging (VGT). On a vSphere standard switch, setting a port group's VLAN ID to 4095 activates VGT mode: the vSwitch passes 802.1Q-tagged frames from every VLAN trunked to its uplinks through to the guest virtual machine without stripping or rewriting the tags, and the guest's own 802.1Q-capable driver or OS is expected to tag outbound frames and filter inbound ones. VLAN 4095 should be used only for port groups whose guests have been specifically built and configured to manage VLAN tags themselves (for example a virtual firewall or router that terminates several VLANs); every other port group should carry a single, explicit VLAN ID.

Rationale:

If VGT is enabled on a port group whose guests were never meant to handle tags, every VM on it receives frames from all VLANs carried on the switch's uplinks. A compromised or misconfigured guest could then read or inject traffic on VLANs it is not authorized for, bypassing the segmentation the VLAN design is supposed to enforce, or flood those VLANs and cause a denial of service. Guests that do not understand tagged frames may also simply lose connectivity.

Solution

To verify the VLAN ID of each port group and change any that are set to 4095 where VGT is not required, perform the following:

From the vSphere web client, select the host.

On the Configure tab, click Networking, and select Virtual switches.

Select a standard switch from the list.

View the topology diagram of the switch, which shows the various port groups associated with that switch.

For each port group on the vSwitch, verify and record the VLAN IDs used.

If a VLAN ID change is needed, click the name of the port group in the topology diagram of the virtual switch.

Click the 'Edit settings' pencil icon under the topology diagram title.

In the Properties section, the Network Label text field shows the port group's name; leave it as it is.

In the VLAN ID drop-down menu, choose an existing VLAN ID or type the required one (any value other than 4095 unless this port group is an approved VGT port group), then confirm the change.
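The clicking above does not scale across many hosts, so here is the same check as a PowerCLI audit script. This is an added example and is not part of the CIS benchmark or the Tenable audit; it assumes VMware PowerCLI is installed for the live query (Get-VirtualPortGroup, Set-VirtualPortGroup), and the approved-VGT port group name FW-Trunk, the other port group names, and vcenter.example.com are made-up values used only to illustrate the logic. The function itself works on any objects that expose Name, VirtualSwitch and VLanId properties, so the script exercises it against constructed sample data and runs without a vCenter connection.

```powershell
# Added example (not from the CIS benchmark or the Tenable audit): flag standard-switch
# port groups set to VLAN 4095 (VGT) unless they appear on an allowlist of port groups
# whose guests are known to manage their own 802.1Q tags.

function Test-VgtPortGroup {
    [CmdletBinding()]
    param(
        # Any object with Name, VirtualSwitch and VLanId properties, e.g. Get-VirtualPortGroup output.
        [Parameter(Mandatory, ValueFromPipeline)]
        $PortGroup,

        # Hypothetical allowlist: names of port groups that are approved for VGT.
        [string[]]$ApprovedVgt = @()
    )
    process {
        $isVgt = ([int]$PortGroup.VLanId -eq 4095)

        if (-not $isVgt) {
            $status = 'OK'                 # an explicit VLAN ID (or 0 = untagged); compliant
        } elseif ($ApprovedVgt -contains $PortGroup.Name) {
            $status = 'VGT-APPROVED'       # 4095, but documented as a VGT port group
        } else {
            $status = 'FAIL'               # 4095 with no approved reason: finding
        }

        [pscustomobject]@{
            PortGroup = [string]$PortGroup.Name
            Switch    = [string]$PortGroup.VirtualSwitch
            VLanId    = [int]$PortGroup.VLanId
            Status    = $status
        }
    }
}

# Constructed sample input standing in for Get-VirtualPortGroup output (not real hosts).
$sample = @(
    [pscustomobject]@{ Name = 'VM Network'; VirtualSwitch = 'vSwitch0'; VLanId = 0    }
    [pscustomobject]@{ Name = 'Prod-Web';   VirtualSwitch = 'vSwitch1'; VLanId = 120  }
    [pscustomobject]@{ Name = 'FW-Trunk';   VirtualSwitch = 'vSwitch1'; VLanId = 4095 }  # approved VGT
    [pscustomobject]@{ Name = 'Legacy-App'; VirtualSwitch = 'vSwitch1'; VLanId = 4095 }  # finding
)

# Expected: VM Network and Prod-Web report OK, FW-Trunk reports VGT-APPROVED, Legacy-App reports FAIL.
$sample | Test-VgtPortGroup -ApprovedVgt 'FW-Trunk' | Format-Table -AutoSize

# Live use against connected hosts (requires PowerCLI), and the remediation for a confirmed finding:
#   Connect-VIServer vcenter.example.com
#   Get-VMHost | Get-VirtualPortGroup -Standard |
#       Test-VgtPortGroup -ApprovedVgt 'FW-Trunk' | Where-Object Status -eq 'FAIL'
#   Get-VMHost | Get-VirtualPortGroup -Standard -Name 'Legacy-App' | Set-VirtualPortGroup -VLanId 120
```

Keep the allowlist under change control: a port group appearing in the VGT-APPROVED column should be traceable to a documented reason (which guest, which VLANs it is allowed to tag), otherwise the exception is just a way to hide the finding. The remediation line replaces 4095 with a single VLAN ID; pick the VLAN the VM was actually supposed to be on rather than the example value 120.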

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, 800-53|SI-4(4), CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: 405f13a5035d2f8a58da24628409c93116bd384b2c84a4de3297f371efff97a9