Title

The ESX Server external physical switch ports are configured to VLAN 1. (Cat II impact)

Discussion

Physical switches use the native VLAN for switch control and management protocol. Native VLAN frames are not tagged with any VLAN ID in many types of switches. The trunk ports implicitly treat all untagged frames as native VLAN frames. VLAN 1 is the default native VLAN ID for many commercial switches. However, in many enterprise networks, the native VLAN might be VLAN 1 or any number depending on the switch type. ESX Server does not support virtual switch port groups configured to VLAN 1. If the physical switch port that the ESX Server is connected to is configured with VLAN 1, the ESX Server will drop all packets. The ESX Server virtual switch port groups will be configured with any value between 2 and 4094. Utilizing VLAN 1 will cause a denial of service since the ESX Server drops this traffic.

Check Content

Work with the network reviewer and system administrator to determine compliance. Go to the switch that connects the ESX Server to the network. Request a copy of the switch configuration to verify the ports that the ESX Server plugs into are not configured to VLAN 1. Below is an example of disabling VLAN 1 and creating a VLAN that may be used for ESX Server traffic. Cisco IOS Example: Interface VLAN1 no ip address shutdown interface VLAN 12 ip address 10.0.0.25 255.255.255.0 no shutdown set interface sc0 10.0.0.25 255.255.255.0

Fix Text

Configure ESX Server external physical switches to something other than VLAN 1.

Additional Identifiers

Rule ID: SV-16743r1_rule

Vulnerability ID: V-15804

Group Title: External physical switch ports are set to VLAN 1.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.