STIGQter: STIG Summary: VMware vSphere 6.7 vCenter Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 09 Mar 2021:

The vCenter Server must not configure VLAN Trunking unless Virtual Guest Tagging (VGT) is required and authorized.

DISA Rule

SV-243087r719504_rule

Vulnerability Number

V-243087

Group Title

SRG-APP-000516

Rule Version

VCTR-67-000019

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the vSphere Client, go to Networking >> select a distributed switch >> select a distributed port group >> Configure >> Settings >> Policies.

Click "Edit".

Click the "VLAN" tab.

If "VLAN trunking" is not authorized, remove it by setting "VLAN type" to "VLAN" and configure an appropriate VLAN ID. Click "OK".

If "VLAN trunking" is authorized but the range is too broad, modify the range in the "VLAN trunk range" field to the minimum necessary and authorized range. An example range would be "1,3-5,8". Click "OK".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command to configure trunking:

Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanTrunkRange "<VLAN Range(s) comma separated>"

or

Run this command to configure a single VLAN ID:

Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanId "<New VLAN#>"

Check Contents

From the vSphere Client, go to Networking >> select a distributed switch >> select a distributed port group >> Configure >> Settings >> Policies.

Review the port group "VLAN Type" and "VLAN trunk range", if present.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDPortgroup | Where {$_.ExtensionData.Config.Uplink -ne "True"} | select Name,VlanConfiguration

If any port group is configured with "VLAN Trunk" and is not documented as a needed exception (such as NSX appliances), this is a finding.

If any port group is authorized to be configured with "VLAN trunking" but is not configured with the most limited range necessary, this is a finding.
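As an added example (not part of the STIG text and not a VMware-provided script), the PowerCLI script below combines the check and the fix above: it audits every non-uplink distributed port group, flags trunking that is not a documented exception or that exceeds its authorized range, and prints the matching Set-VDVlanConfiguration command from the Fix Recommendation. It assumes a live Connect-VIServer session; the exception table and the default access VLAN ID are constructed placeholders.

```powershell
# Added example (not part of the STIG text): audit non-uplink distributed port groups against
# VCTR-67-000019 and report findings with the remediation cmdlet the Fix Recommendation names.
# Assumes an existing Connect-VIServer session.
# Constructed placeholder: port group name -> documented, authorized trunk range in the STIG's "1,3-5,8" format.
$AuthorizedTrunkRange = @{
    'NSX-Transport-PG' = '1,3-5,8'
}
# Constructed placeholder: access VLAN ID to suggest when unauthorized trunking is removed.
$DefaultAccessVlanId = 100

function ConvertFrom-VlanRange {
    # Expand "1,3-5,8" into the flat list of VLAN IDs 1,3,4,5,8
    param([string]$Range)
    foreach ($part in $Range -split ',') {
        $p = $part.Trim()
        if ($p -match '^(\d+)-(\d+)$') { $Matches[1]..$Matches[2] }
        elseif ($p -match '^\d+$')   { [int]$p }
        else { throw "Unparseable VLAN range element: '$p'" }
    }
}

$findings = foreach ($pg in (Get-VDPortgroup | Where-Object { $_.ExtensionData.Config.Uplink -ne $true })) {
    $vlan = $pg.ExtensionData.Config.DefaultPortConfig.Vlan
    # Only the trunk VLAN spec is relevant to this rule; single-VLAN and private-VLAN port groups pass
    if ($vlan.GetType().Name -ne 'VMwareDistributedVirtualSwitchTrunkVlanSpec') { continue }
    # The API returns the trunk range as a list of NumericRange (Start/End); flatten it to VLAN IDs
    $configured = foreach ($r in $vlan.VlanId) { $r.Start..$r.End }
    if (-not $AuthorizedTrunkRange.ContainsKey($pg.Name)) {
        [pscustomobject]@{
            PortGroup  = $pg.Name
            Finding    = 'Trunking configured but not documented as an authorized exception'
            Configured = ($configured -join ',')
            Fix        = "Get-VDPortgroup '$($pg.Name)' | Set-VDVlanConfiguration -VlanId $DefaultAccessVlanId"
        }
        continue
    }
    $authorized = ConvertFrom-VlanRange $AuthorizedTrunkRange[$pg.Name]
    $excess = $configured | Where-Object { $authorized -notcontains $_ }
    if ($excess) {
        [pscustomobject]@{
            PortGroup  = $pg.Name
            Finding    = "Trunk range broader than authorized (excess VLANs: $($excess -join ','))"
            Configured = ($configured -join ',')
            Fix        = "Get-VDPortgroup '$($pg.Name)' | Set-VDVlanConfiguration -VlanTrunkRange '$($AuthorizedTrunkRange[$pg.Name])'"
        }
    }
}
if ($findings) { $findings | Format-List } else { 'No findings for VCTR-67-000019.' }
```

Review each printed Fix line against the documented exception list before running it; the script only reports and never changes port group configuration itself.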

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5399

Comments