7.6 (L1) Ensure port groups are not configured to VLAN 4095 and 0 except for Virtual Guest Tagging (VGT)

Information

This recommendation is intended to address configuring port groups for a standard switch. Port groups should not be configured to VLAN 4095 or 0 except for Virtual Guest Tagging (VGT). When a port group is set to VLAN 4095, this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest virtual machine without modifying the VLAN tags, leaving it up to the guest to deal with them. VLAN 4095 should be used only if the guest has been specifically configured to manage VLAN tags itself.

If VGT is enabled inappropriately, it might cause a denial of service or allow a guest virtual machine to interact with traffic on an unauthorized VLAN.

Solution

To set port groups to values other than 4095 and 0 unless VGT is required, perform the following:

- From the vSphere Web Client, select the host.
- Click Configure, then expand Networking.
- Select Virtual switches.
- Expand the Standard vSwitch.
- View the topology diagram of the switch, which shows the various port groups associated with that switch.
- For each port group on the vSwitch, verify and record the VLAN IDs used.
- If a VLAN ID change is needed, click the name of the port group in the topology diagram of the virtual switch.
- Click the Edit settings option.
- In the Properties section, enter an appropriate name in the Network label field.
- In the VLAN ID dropdown, select or type a new VLAN.
- Click OK.
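The same verify-and-record step, done for every standard vSwitch on every host instead of one topology diagram at a time, as an added PowerCLI example (not part of the benchmark or audit text). It assumes VMware PowerCLI is installed, a Connect-VIServer session to vCenter already exists, and that port groups intentionally running in VGT mode are listed in a hypothetical allowlist; the host, vSwitch and port group names in it are placeholders.

```powershell
# Added example: audit standard vSwitch port groups for VLAN 0 / 4095.
# Assumes an existing PowerCLI session (Connect-VIServer) to vCenter.

# Assumption: port groups that are deliberately in VGT mode are recorded
# here as "<host>/<vSwitch>/<portgroup>". Placeholder entry, replace it.
$VgtAllowList = @(
    'esx01.example.local/vSwitch0/VGT-Guest-Trunk'
)

$findings = foreach ($vmhost in Get-VMHost) {
    foreach ($vss in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $key     = '{0}/{1}/{2}' -f $vmhost.Name, $vss.Name, $pg.Name
            $allowed = $VgtAllowList -contains $key
            # VLAN 4095 switches the port group into VGT mode (guest handles
            # tags); VLAN 0 is untagged. Both are findings unless allowlisted.
            if (($pg.VLanId -eq 4095 -or $pg.VLanId -eq 0) -and -not $allowed) {
                [pscustomobject]@{
                    VMHost    = $vmhost.Name
                    VSwitch   = $vss.Name
                    PortGroup = $pg.Name
                    VLanId    = $pg.VLanId
                    Status    = 'FAIL'
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'PASS: no standard port group uses VLAN 0 or 4095 outside the VGT allowlist.'
}

# Remediation for a confirmed finding (the VLAN ID change in the steps above),
# with placeholder host, port group and VLAN values:
# Get-VirtualPortGroup -VMHost esx01.example.local -Name 'Prod-Web' |
#     Set-VirtualPortGroup -VLanId 110
```

Keep the allowlist under change control: a port group that appears there should correspond to a guest that is documented as managing its own VLAN tags, which is the only case the recommendation permits.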

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.2, CSCv7|12.4

Plugin: VMware

Control ID: cbf0a04a4ffb9687e2c2bb6f4b069612557229352d67809f072b8a94b191c0bc