VCSA-70-000273 - The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When a port group is set to VLAN Trunking, the vSwitch passes all network frames in the specified range to the attached virtual machines without modifying the virtual local area network (VLAN) tags. In vSphere, this is referred to as VGT.

The virtual machine must process the VLAN information itself via an 802.1Q driver in the operating system. VLAN Trunking must only be implemented if the attached virtual machines have been specifically authorized and are capable of managing VLAN tags themselves.

If VLAN Trunking is enabled inappropriately, it may cause a denial of service or allow a virtual machine to interact with traffic on an unauthorized VLAN.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to 'Networking'.

Select a distributed switch >> distributed port group >> Configure >> Settings >> Policies.

Click 'Edit'.

Click the 'VLAN' tab.

If 'VLAN trunking' is not authorized, remove it by setting 'VLAN type' to 'VLAN' and configure an appropriate VLAN ID. Click 'OK'.

If 'VLAN trunking' is authorized but the range is too broad, modify the range in the 'VLAN trunk range' field to the minimum necessary and authorized range. An example range would be '1,3-5,8'. Click 'OK'.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command to configure trunking:

Get-VDPortgroup 'Portgroup Name' | Set-VDVlanConfiguration -VlanTrunkRange '<VLAN Range(s) comma separated>'

or

Run this command to configure a single VLAN ID:

Get-VDPortgroup 'Portgroup Name' | Set-VDVlanConfiguration -VlanId '<New VLAN#>'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-256353r885670_rule, STIG-ID|VCSA-70-000273, Vuln-ID|V-256353

Plugin: VMware

Control ID: a11ca89122743d0ad0c04964de1f0f9c4ef530bedeec0e64cb8362c605309d2c