Administrators have several options for securing vSphere Distributed Switches in their vSphere environment.

Procedure

  1. Verify that the Auto Expand feature for the distributed port groups with static binding is disabled.

    Auto Expand is enabled by default in vSphere 5.1 and later.

    To disable Auto Expand, configure the autoExpand property on the distributed port group with the vSphere Web Services SDK or with a command-line interface. See the vSphere API/SDK Documentation.

  2. Ensure that all private VLAN IDs of any vSphere Distributed Switch are fully documented.
  3. Ensure that no unused ports exist on a virtual port group associated with a vSphere Distributed Switch.
  4. Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a security policy on port groups or ports.

    The security policy on distributed port groups and ports includes the following options:

    You can view and change the current settings by selecting Manage Distributed Port Groups from the right-click menu of the distributed switch and selecting Security in the wizard. See the vSphere Networking documentation.
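The following PowerCLI script is an added example (not VMware's own code) that audits every distributed port group against steps 1, 3 and 4 above: static binding with Auto Expand enabled, ports with nothing connected, and security policy settings left at Accept. It assumes an existing Connect-VIServer session and the VMware.VimAutomation.Vds module; the -Remediate switch is this example's own parameter and is off by default, so the script only reports.

```powershell
# Audit distributed port groups (example code, not from the vSphere documentation).
# Run with -Remediate to apply the fixes; without it the script changes nothing.
param(
    [switch]$Remediate
)

foreach ($pg in Get-VDPortgroup) {
    $cfg = $pg.ExtensionData.Config

    # Step 1: Auto Expand is only a concern for port groups with static binding.
    if ($pg.PortBinding -eq 'Static' -and $cfg.AutoExpand) {
        Write-Warning "$($pg.Name): static binding with autoExpand enabled"
        if ($Remediate) {
            # There is no dedicated cmdlet; set the autoExpand property through the SDK object.
            $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
            $spec.ConfigVersion = $cfg.ConfigVersion   # must match the current config version
            $spec.AutoExpand    = $false
            $pg.ExtensionData.ReconfigureDVPortgroup_Task($spec) | Out-Null
        }
    }

    # Step 3: ports allocated to the port group that have no connected entity.
    $unused = @(Get-VDPort -VDPortgroup $pg | Where-Object { -not $_.ConnectedEntity })
    if ($unused.Count -gt 0) {
        Write-Warning "$($pg.Name): $($unused.Count) of $($pg.NumPorts) port(s) unused"
    }

    # Step 4: any security policy option still set to Accept is a finding.
    $sec = Get-VDSecurityPolicy -VDPortgroup $pg
    $accepted = @()
    if ($sec.AllowPromiscuous) { $accepted += 'AllowPromiscuous' }
    if ($sec.MacChanges)       { $accepted += 'MacChanges' }
    if ($sec.ForgedTransmits)  { $accepted += 'ForgedTransmits' }
    if ($accepted.Count -gt 0) {
        Write-Warning "$($pg.Name): security policy accepts $($accepted -join ', ')"
        if ($Remediate) {
            # Check workloads that legitimately change their source MAC (for example
            # nested hypervisors) before rejecting MAC changes and forged transmits.
            Set-VDSecurityPolicy -Policy $sec -AllowPromiscuous $false `
                -MacChanges $false -ForgedTransmits $false | Out-Null
        }
    }
}
```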