Title

Undocumented VLANs are configured on ESX Server in VST mode. (Cat II impact)

Discussion

When defining a physical switch port for trunk mode, care must be taken to ensure only specified VLANs are configured. It is considered best practice to restrict only those VLANs required on the VLAN trunk link.

Check Content

1. Request from the IAO/SA the documentation that details the VLANs configured on the physical switch port to the ESX Server. 2. Request a copy of the external switch port configurations to verify the documented VLANs match the configured VLANs. If there are undocumented VLANs configured on the external switch ports, this is a finding.

Fix Text

Document all trunk VLANs between ESX Server and external switches.

Additional Identifiers

Rule ID: SV-16761r1_rule

Vulnerability ID: V-15822

Group Title: Undocumented VLANs set in VST mode.

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.