ESXI-67-000067 - All ESXi host-connected physical switch ports must be configured with spanning tree disabled.

Information

Since VMware virtual switches do not support STP, the ESXi host-connected physical switch ports must have portfast configured if spanning tree is enabled, to avoid loops within the physical switch network. If this is not configured, potential performance and connectivity issues might arise.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Note that this check refers to an entity outside the scope of the ESXi server system.

Document the upstream physical switch configuration for spanning tree protocol disablement and/or portfast configuration for all physical ports connected to ESXi hosts.

Log in to the physical switch(es) and disable spanning tree protocol and/or configure portfast for all physical ports connected to ESXi hosts.

Update the documentation on an organization defined frequency or whenever modifications are made to either ESXi hosts or the upstream physical switches.
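Because the check is manual, one way to support the documentation and review steps above is to parse the upstream switch's saved running-config and flag each ESXi-facing port that lacks a portfast setting. The following is an added example, not part of the STIG or of Tenable's audit content: it assumes IOS-style configuration syntax (`interface` stanzas containing `spanning-tree portfast ...`), uses a constructed sample config, and takes the list of ESXi-connected ports as an input the reviewer maintains from their documentation.

```python
"""Added example: report the spanning tree / portfast state of the switch
ports documented as connected to ESXi hosts, from a saved running-config.
Assumes IOS-style syntax; the config and port list below are constructed."""
import re

# Constructed sample running-config (not taken from any real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description ESXi-host01 vmnic0
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/2
 description ESXi-host01 vmnic1
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description ESXi-host02 vmnic0
 switchport mode trunk
 spanning-tree portfast disable
!
interface GigabitEthernet1/0/4
 description Uplink to core
 switchport mode trunk
!
"""

# Ports the reviewer has documented as ESXi-connected (assumed list).
ESXI_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
              "GigabitEthernet1/0/3", "GigabitEthernet1/0/9"]


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} per interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # '!' or any non-indented line ends the current stanza.
            current = None
    return interfaces


def portfast_state(lines):
    """Classify one interface's lines: 'enabled', 'disabled', or 'absent'.
    An explicit 'spanning-tree portfast disable' counts as disabled even
    though it starts with the same prefix as the enabling forms."""
    state = "absent"
    for line in lines:
        if line.startswith("spanning-tree portfast"):
            state = "disabled" if "disable" in line.split() else "enabled"
    return state


def check_esxi_ports(config, esxi_ports):
    """Return {port: finding} for every documented ESXi-facing port.
    'compliant' means a portfast form is configured; 'non-compliant' means
    the port is present without it (or with portfast disabled); 'missing'
    means the documented port does not appear in the config at all, which
    itself signals the documentation is stale."""
    interfaces = parse_interfaces(config)
    findings = {}
    for port in esxi_ports:
        lines = interfaces.get(port)
        if lines is None:
            findings[port] = "missing"
        elif portfast_state(lines) == "enabled":
            findings[port] = "compliant"
        else:
            findings[port] = "non-compliant"
    return findings


if __name__ == "__main__":
    for port, finding in check_esxi_ports(SAMPLE_CONFIG, ESXI_PORTS).items():
        print(f"{port:<24} {finding}")
```

Run it against a real saved config and the organization's own port inventory; a `missing` result is worth acting on as much as a `non-compliant` one, since it means the documentation and the switch no longer agree.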

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-239321r674892_rule, STIG-ID|ESXI-67-000067, Vuln-ID|V-239321

Plugin: VMware

Control ID: 538daca4769a24a5a8586c17d01efce4e7ad02d9afbdb2ea9aa30343d5bba163