Detections
Analytics
VCTR-67-000020 - The vCenter Server must not configure all port groups to VLAN values reserved by upstream physical switches.
Information
Certain physical switches reserve certain VLAN IDs for internal purposes and often disallow traffic configured to these values. For example, Cisco Catalyst switches typically reserve VLANs 1001-1024 and 4094, while Nexus switches typically reserve 3968-4047 and 4094.Check with the documentation for the specific switch. Using a reserved VLAN might result in a denial of service on the network.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Networking >> select a distributed switch >> select a distributed port group >> Configure >> Settings >> Policies.Click 'Edit'.
Under the VLAN section, change the VLAN ID to an unreserved VLAN ID and click 'OK'.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDPortgroup 'portgroup name' | Set-VDVlanConfiguration -VlanId 'New VLAN#'
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 6.7 vCenter v1r4
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243088r879887_rule, STIG-ID|VCTR-67-000020, Vuln-ID|V-243088
Plugin: VMware
Control ID: 17fb2b068ad61646ee70d5db7777c433526de4b6c745228a2b6e930ae035494c