SV-243087r719504_rule
V-243087
SRG-APP-000516
VCTR-67-000019
CAT II
10
From the vSphere Client, go to Networking >> select a distributed switch >> select a distributed port group >> Configure >> Settings >> Policies.
Click "Edit".
Click the "VLAN" tab.
If "VLAN trunking" is not authorized, remove it by setting "VLAN type" to "VLAN" and configure an appropriate VLAN ID. Click "OK".
If "VLAN trunking" is authorized but the range is too broad, modify the range in the "VLAN trunk range" field to the minimum necessary and authorized range. An example range would be "1,3-5,8". Click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command to configure trunking:
Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanTrunkRange "<VLAN Range(s) comma separated>"
or
Run this command to configure a single VLAN ID:
Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanId "<New VLAN#>"
From the vSphere Client, go to Networking >> select a distributed switch >> select a distributed port group >> Configure >> Settings >> Policies.
Review the port group "VLAN Type" and "VLAN trunk range", if present.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDPortgroup | Where {$_.ExtensionData.Config.Uplink -ne "True"} | select Name,VlanConfiguration
If any port group is configured with "VLAN Trunk" and is not documented as a needed exception (such as NSX appliances), this is a finding.
If any port group is authorized to be configured with "VLAN trunking" but is not configured with the most limited range necessary, this is a finding.
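Added example (not DISA's or VMware's code): a PowerCLI script that performs the check above as a single pass over all non-uplink distributed port groups and, where a trunk is documented as authorized, reduces its range to the documented one with the same Set-VDVlanConfiguration call the fix text uses. It assumes an existing Connect-VIServer session to the vCenter server, and the $AuthorizedTrunks table is a constructed stand-in for the site's documented exception list; "NSX-Transport-PG" and its range are invented entries. Trunk ranges are read from the vSphere API object ExtensionData.Config.DefaultPortConfig.Vlan, whose VlanId member is an array of NumericRange (Start/End) when the port group is configured for trunking.

```powershell
# Added example: audit and remediate VLAN trunking on distributed port groups.
# Assumes a PowerCLI session already connected to vCenter (Connect-VIServer).

# Hypothetical authorization record: port group name -> authorized trunk range,
# in the same format Set-VDVlanConfiguration -VlanTrunkRange accepts.
# Port groups absent from this table are not authorized to trunk at all.
$AuthorizedTrunks = @{
    'NSX-Transport-PG' = '1,3-5,8'   # constructed example entry
}

function ConvertTo-VlanIdSet {
    # Expand a range string such as "1,3-5,8" into a set of individual VLAN IDs.
    param([string]$RangeText)
    $ids = New-Object 'System.Collections.Generic.HashSet[int]'
    foreach ($part in ($RangeText -split ',')) {
        $p = $part.Trim()
        if ($p -eq '') { continue }
        if ($p -match '^(\d+)-(\d+)$') {
            [int]$start = $Matches[1]; [int]$end = $Matches[2]
            $start..$end | ForEach-Object { [void]$ids.Add($_) }
        } elseif ($p -match '^\d+$') {
            [void]$ids.Add([int]$p)
        } else {
            throw "Unrecognized VLAN range element '$p'"
        }
    }
    return $ids
}

function Get-ConfiguredTrunkIdSet {
    # Read the trunk ranges of a port group from the vSphere API object.
    # For a trunk, Config.DefaultPortConfig.Vlan is a
    # VmwareDistributedVirtualSwitchTrunkVlanSpec whose VlanId is NumericRange[].
    # For a single VLAN or no VLAN the set stays empty.
    param($PortGroup)
    $spec = $PortGroup.ExtensionData.Config.DefaultPortConfig.Vlan
    $ids = New-Object 'System.Collections.Generic.HashSet[int]'
    if ($spec -is [VMware.Vim.VmwareDistributedVirtualSwitchTrunkVlanSpec]) {
        foreach ($r in $spec.VlanId) {
            $r.Start..$r.End | ForEach-Object { [void]$ids.Add($_) }
        }
    }
    return $ids
}

function Test-VlanTrunkCompliance {
    # One finding object per non-compliant port group; nothing returned means no findings.
    param([hashtable]$Authorized = $AuthorizedTrunks)
    $findings = @()
    $portGroups = Get-VDPortgroup | Where-Object { $_.ExtensionData.Config.Uplink -ne $true }
    foreach ($pg in $portGroups) {
        $configured = Get-ConfiguredTrunkIdSet -PortGroup $pg
        if ($configured.Count -eq 0) { continue }   # not trunking: nothing to report
        $configuredText = ($configured | Sort-Object) -join ','
        if (-not $Authorized.ContainsKey($pg.Name)) {
            $findings += [pscustomobject]@{
                PortGroup = $pg.Name; Reason = 'VLAN trunking not authorized'
                Configured = $configuredText; Excess = $configuredText
            }
            continue
        }
        $allowed = ConvertTo-VlanIdSet $Authorized[$pg.Name]
        $excess = @($configured | Where-Object { -not $allowed.Contains($_) })
        if ($excess.Count -gt 0) {
            $findings += [pscustomobject]@{
                PortGroup = $pg.Name; Reason = 'Trunk range broader than authorized'
                Configured = $configuredText; Excess = (($excess | Sort-Object) -join ',')
            }
        }
    }
    return $findings
}

function Repair-VlanTrunkRange {
    # Remediate only the "broader than authorized" case, by applying the documented range.
    # Unauthorized trunks need a site-chosen VLAN ID, so they are left for a deliberate
    # Set-VDVlanConfiguration -VlanId call rather than guessed here.
    param([hashtable]$Authorized = $AuthorizedTrunks)
    foreach ($f in (Test-VlanTrunkCompliance -Authorized $Authorized)) {
        if ($f.Reason -eq 'Trunk range broader than authorized') {
            Get-VDPortgroup -Name $f.PortGroup |
                Set-VDVlanConfiguration -VlanTrunkRange $Authorized[$f.PortGroup] | Out-Null
        }
    }
}

# Usage: list findings in the STIG's terms, then narrow any authorized trunks that are too broad.
Test-VlanTrunkCompliance | Format-Table -AutoSize
# Repair-VlanTrunkRange
```

The script reports two kinds of finding that match the two "this is a finding" conditions in the check text: a trunk on a port group with no documented exception, and a documented trunk whose configured range includes VLANs outside the authorized range (the Excess column lists them). Remediation is applied only to the second kind, because collapsing an unauthorized trunk to a single VLAN requires choosing that VLAN, which the fix text leaves to the administrator.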
V-243087
False
VCTR-67-000019
M
5399