Check: ESX0220
VMware ESX 3 Server: ESX0220 (in version v1 r2)
Title
Unused port groups have not been removed (Cat II impact)
Discussion
Port groups define how virtual machine connections are made through the virtual switch. A port group may be configured with bandwidth limitations and VLAN tagging policies that apply to each of its member ports. Multiple ports may be aggregated under a port group to provide a local point for virtual machines to connect to a network. The maximum number of port groups that may be configured on a virtual switch is 512. Each port group is identified by a network label and a VLAN ID. As with unused ports on a physical switch, virtual switch port groups that are not in use are to be removed. Physical switches place unused ports in an unused VLAN and shut the port down. On the ESX Server, unused port groups must be removed to ensure that they are not used by mistake.
Check Content
Work with the system administrator to gain access to the ESX Server service console and run the following command:

    # esxcfg-vswitch -l

If the 'Used Ports' column shows 0 for a port group, this is a finding.

Caveat: VMotion, HA, and DRS virtual switches may have unused port groups; this check is not applicable to those switches. Also, if VMotion is configured for one or more virtual machines, a duplicate virtual switch is configured on the destination host so the virtual machine can run once the migration is complete. Such a virtual switch shows 0 used ports until the virtual machine is VMotioned to that ESX Server host, so virtual switches in this scenario are not applicable to this check. They must remain available for proper VMotion, HA, and DRS operation.
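As an added example (not part of the STIG text), the following script parses esxcfg-vswitch -l output and lists the port groups that show 0 used ports, skipping the VMotion, HA and DRS switches the caveat exempts. The column layout and the name-based exemption are assumptions, and the sample output is constructed rather than captured from a host, so confirm both against a real ESX 3 service console before relying on the parser.

```shell
#!/bin/sh
# Added example, not from the STIG: list port groups that `esxcfg-vswitch -l`
# reports with 0 'Used Ports', skipping the VMotion/HA/DRS switches the check
# exempts. The column layout is an assumption modelled on ESX 3 output, and
# exemption by name is a local naming convention; verify both on a real host.

# Constructed sample output (not a capture from a real host).
SAMPLE_OUTPUT='Switch Name    Num Ports   Used Ports  Configured Ports  Uplinks
vSwitch0       64          3           64                vmnic0

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VM Network          0        0           vmnic0
  Service Console     0        1           vmnic0
  Old Test Net        105      0           vmnic0

Switch Name    Num Ports   Used Ports  Configured Ports  Uplinks
vSwitch1       64          1           64                vmnic1

  PortGroup Name      VLAN ID  Used Ports  Uplinks
  VMotion             0        0           vmnic1
'

# Reads esxcfg-vswitch -l output on stdin and prints one
# "<switch>|<port group>|<VLAN ID>" line per port group with 0 used ports
# on a switch that is not exempt. Each printed line is a finding for ESX0220.
find_unused_portgroups() {
    awk '
        /^Switch Name/   { in_pg = 0; next }
        /^[^ ]/          { if (!in_pg) sw = $1; next }   # switch row: first column is the name
        /PortGroup Name/ { in_pg = 1; next }             # start of the port group table
        /^ *$/           { in_pg = 0; next }
        in_pg {
            line = $0; sub(/^ +/, "", line)
            # Names may contain single spaces; the name ends where two or
            # more spaces precede the numeric VLAN ID column.
            if (match(line, /  +[0-9]/) == 0) next
            name = substr(line, 1, RSTART - 1)
            n = split(substr(line, RSTART), f, " ")      # f[1] = VLAN ID, f[2] = Used Ports
            if (n < 2) next
            # Caveat from the check: VMotion, HA and DRS switches are not applicable.
            if ((sw "/" name) ~ /VMotion|(^|[^A-Za-z])(HA|DRS)([^A-Za-z]|$)/) next
            if (f[2] == 0) print sw "|" name "|" f[1]
        }'
}

# On a live host:  esxcfg-vswitch -l | find_unused_portgroups
printf '%s' "$SAMPLE_OUTPUT" | find_unused_portgroups
```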
Fix Text
Remove all unused port groups from virtual switches.
Additional Identifiers
Rule ID: SV-16750r1_rule
Vulnerability ID: V-15811
Group Title: ESX0220
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |