
The vCenter Server must disable CDP/LLDP on distributed switches.


Overview

Finding ID: V-258964
Version: VCSA-80-000299
Rule ID: SV-258964r934550_rule
IA Controls:
Severity: Low
Description
The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) as a listener, an advertiser, or both. The information exchanged is sensitive and includes IP addresses, system names, software versions, and more. An adversary can use it to gain a better understanding of your environment and to impersonate devices. It is also transmitted unencrypted on the network, so the recommendation is to disable it.
STIG: VMware vSphere 8.0 vCenter Security Technical Implementation Guide
Date: 2023-10-11

Details

Check Text (C-62704r934548_chk)
If distributed switches are not used, this is not applicable.

From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Properties.

Review the "Discovery Protocol" configuration.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch | Select Name,LinkDiscoveryProtocolOperation

If any distributed switch does not have "Discovery Protocols" disabled, this is a finding.
Fix Text (F-62613r934549_fix)
From the vSphere Client, go to "Networking".

Select a distributed switch >> Configure >> Settings >> Properties.

Click "Edit".

Select the "Advanced" tab, set the "Type" under "Discovery Protocol" to "Disabled", and click "OK".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"
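The following PowerCLI script is an added example, not part of the STIG, that combines the check and the fix above: it audits every distributed switch, reports which ones would be a finding for VCSA-80-000299, and remediates only when run with -Remediate. It assumes an existing Connect-VIServer session, the Get-VDSwitch/Set-VDSwitch cmdlets and the LinkDiscoveryProtocolOperation property quoted above, and additionally assumes the switch object exposes a LinkDiscoveryProtocol property naming CDP or LLDP.

```powershell
# Added example (not from the STIG): audit and optionally remediate
# VCSA-80-000299 across all distributed switches in the connected vCenter.
# Assumes Connect-VIServer has already been run.
param(
    [switch]$Remediate
)

$switches = @(Get-VDSwitch)

# The check text says the rule is not applicable when no distributed
# switches exist, so report that and stop.
if ($switches.Count -eq 0) {
    Write-Output "VCSA-80-000299: not applicable (no distributed switches found)."
    return
}

$results = foreach ($vds in $switches) {
    # "Disabled" is the only compliant value; CDP or LLDP in listen,
    # advertise, or both mode is a finding.
    $compliant = ([string]$vds.LinkDiscoveryProtocolOperation -eq "Disabled")

    if (-not $compliant -and $Remediate) {
        # Same change as the Fix Text, applied only where needed.
        $vds | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled" -Confirm:$false | Out-Null
        $action = "Remediated"
    } elseif (-not $compliant) {
        $action = "Finding"
    } else {
        $action = "Compliant"
    }

    [pscustomobject]@{
        Switch    = $vds.Name
        Protocol  = $vds.LinkDiscoveryProtocol          # assumed property (CDP/LLDP)
        Operation = $vds.LinkDiscoveryProtocolOperation # value the STIG checks
        Status    = $action
    }
}

$results | Format-Table -AutoSize

if ($results.Status -contains "Finding") {
    Write-Warning "VCSA-80-000299: one or more distributed switches still have a discovery protocol enabled. Re-run with -Remediate to disable it."
}
```

Run it once without -Remediate to see the current state, then again with -Remediate to apply the fix; the Status column records which switches were changed.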