7.4 Ensure port groups are not configured to the value of the native VLAN

Information

ESXi does not use the concept of native VLAN, so do not configure port groups to use the native VLAN ID. If the default value of 1 for the native VLAN is being used, the ESXi Server virtual switch port groups should be configured with any value between 2 and 4094. Otherwise, ensure that the port group is not configured to use whatever value is set for the native VLAN.

Rationale:

Frames from a port group that has a VLAN ID set are tagged, while frames from a port group without a VLAN ID are sent untagged and are therefore treated by the physical switch as belonging to its native VLAN. For example, frames on VLAN 1 from a Cisco physical switch are untagged, because VLAN 1 is the native VLAN there. Frames from ESXi on a port group set to VLAN 1, however, are tagged with a '1'; as a result, traffic from ESXi destined for the native VLAN will not be forwarded correctly (it is tagged with a '1' instead of being untagged), and traffic arriving from the physical switch on the native VLAN will not be visible to those VMs (because it is untagged). In short, if an ESXi virtual switch port group uses the native VLAN ID, traffic from those VMs is invisible to the native VLAN on the switch, because the switch expects untagged traffic there.


Solution

To stop using the native VLAN ID for port groups, perform the following:

From the vSphere Web Client, select the host.

Click Configure then expand Networking.

Select Virtual switches.

Expand the Standard vSwitch.

View the topology diagram of the switch, which shows the various port groups associated with that switch.

For each port group on the vSwitch, verify and record the VLAN IDs used.

If a VLAN ID change is needed, click the name of the port group in the topology diagram of the virtual switch.

Click the Edit settings option.

In the Properties section, enter an appropriate name in the Network label field.

In the VLAN ID dropdown select or type a new VLAN.

Click OK.
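As an added audit helper (not part of the CIS benchmark or of Nessus), the script below parses the table printed by `esxcli network vswitch standard portgroup list` and flags every port group whose VLAN ID equals the physical switch's native VLAN. The sample output is constructed for the example, and the default native VLAN of 1 is the assumption the benchmark text itself uses; pass the value your switches actually use.

```python
# Constructed sample of `esxcli network vswitch standard portgroup list`
# output; names and client counts are made up for this example.
SAMPLE_OUTPUT = """\
Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0        1               0
VM Network          vSwitch0        3               1
Prod Web Servers    vSwitch1        12              110
Legacy Backup Net   vSwitch1        2               1
Trunk Uplink PG     vSwitch1        0               4095
"""


def parse_portgroups(text):
    """Parse the esxcli table into a list of (name, vswitch, vlan_id) tuples."""
    rows = []
    for line in text.splitlines():
        # Port group names may contain spaces, so split off the three
        # fixed right-hand columns and keep the remainder as the name.
        parts = line.rstrip().rsplit(None, 3)
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # header, separator, blank or otherwise malformed line
        name, vswitch, _active_clients, vlan = parts
        rows.append((name, vswitch, int(vlan)))
    return rows


def find_native_vlan_conflicts(text, native_vlan=1):
    """Return (name, vswitch) for every port group set to the native VLAN ID.

    native_vlan defaults to 1, the common switch default assumed in the
    benchmark text; override it if the physical switches use another value.
    """
    return [(name, vswitch)
            for name, vswitch, vlan in parse_portgroups(text)
            if vlan == native_vlan]


if __name__ == "__main__":
    conflicts = find_native_vlan_conflicts(SAMPLE_OUTPUT)
    for name, vswitch in conflicts:
        print(f"FAIL: port group '{name}' on {vswitch} uses the native VLAN ID")
    if not conflicts:
        print("PASS: no port group uses the native VLAN ID")
```

On a real host, feed it the captured command output instead of SAMPLE_OUTPUT; any port group it reports should be moved to a VLAN ID between 2 and 4094 (or otherwise away from the native VLAN) using the steps above.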

See Also

https://workbench.cisecurity.org/files/3473