XenServer - Enable port locking by default on the VM guest network

Information

Port locking prevents ARP and IP spoofing by unknown or untrusted VM guests. It limits their ability to pretend they have a MAC or IP address that was not assigned to them. This setting is the default for the network. If this is set to locked then each VM must be configured with a list of valid IPv4 and IPv6 addresses. A VM that tries to use an address that is not on its allowed list will not be able to send or receive network traffic.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Set the default locking mode for the VM guest network by running the following command:


xe network-param-set uuid=<network-uuid> default-locking-mode=locked

NOTE: Any VM on this network must have an allowed list of IPv4 and IPv6 addresses or it will not be able to send or receive network traffic. See the XenServer 6.2 Administrator's Guide for more information.