Administrators have several options for securing vSphere Distributed Switches in their vSphere environment.


  1. For distributed port groups with static binding, verify that the Auto Expand feature is disabled.

    Auto Expand is enabled by default in vSphere 5.1 and later.

    To disable Auto Expand, configure the autoExpand property under the distributed port group with the vSphere Web Services SDK or with a command-line interface. See the vSphere Web Services SDK documentation.

  2. Ensure that all private VLAN IDs of any vSphere Distributed Switch are fully documented.
  3. If you are using VLAN tagging on a dvPortgroup, VLAN IDs must correspond to the IDs on external VLAN-aware upstream switches. If VLAN IDs are not tracked completely, mistaken reuse of IDs could allow traffic between inappropriate physical and virtual machines. Similarly, wrong or missing VLAN IDs may lead to traffic not passing between physical and virtual machines.
  4. Ensure that no unused ports exist on a virtual port group associated with a vSphere Distributed Switch.
  5. Label all vSphere Distributed Switches.

    vSphere Distributed Switches associated with an ESXi host require a field for the name of the switch. This label serves as a functional descriptor for the switch, just as a host name does for a physical switch. The label on the vSphere Distributed Switch indicates the function or the IP subnet of the switch. For example, you can label the switch as internal to indicate that it is used only for internal networking on a virtual machine’s private virtual switch that has no physical network adapters bound to it.

  6. Disable network healthcheck for your vSphere Distributed Switches if you are not actively using it.

    Network healthcheck is disabled by default. Once enabled, the healthcheck packets contain information about the host, switch, and port that an attacker can potentially use. Use network healthcheck only for troubleshooting, and turn it off when troubleshooting is finished.

  7. Protect virtual traffic against Layer 2 impersonation and interception attacks by configuring a security policy on port groups or ports.

    The security policy on distributed port groups and ports includes the following options:

    You can view and change the current settings by selecting Manage Distributed Port Groups from the right-button menu of the distributed switch and selecting Security in the wizard. See the vSphere Networking documentation.
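As an added example (not VMware's code or documentation), the checklist above can be turned into an offline audit that reports every deviation in one pass. The Python below runs over a constructed configuration snapshot: the dataclass fields, the binding labels, the sample switch and the documented VLAN set are assumptions chosen to mirror the settings the list discusses (Auto Expand on static-binding port groups, undocumented VLAN IDs, unused ports, network healthcheck, and the three Layer 2 security policy options), and in a live environment they would be populated from vCenter through the vSphere Web Services SDK. It covers items 1, 3, 4, 6 and 7 and flags an unlabeled switch for item 5.

```python
"""Offline audit of a vSphere Distributed Switch configuration snapshot.

Added example, not VMware code. The data model is constructed to mirror the
settings the hardening list talks about; in practice the same fields would be
read from vCenter with the vSphere Web Services SDK.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Finding = Tuple[int, str, str]   # (checklist item, object name, description)


@dataclass
class PortGroup:
    name: str
    binding: str             # "static", "dynamic" or "ephemeral" (assumed labels)
    auto_expand: bool        # mirrors the autoExpand property named in item 1
    vlan_id: int             # 0 means untagged
    ports_total: int
    ports_connected: int
    allow_promiscuous: bool  # security policy: Promiscuous mode
    mac_changes: bool        # security policy: MAC address changes
    forged_transmits: bool   # security policy: Forged transmits


@dataclass
class DistributedSwitch:
    name: str
    healthcheck_enabled: bool
    portgroups: List[PortGroup]


def audit_switch(dvs: DistributedSwitch, documented_vlans: Set[int]) -> List[Finding]:
    """Return one finding per deviation from the hardening list, in checklist order per object."""
    findings: List[Finding] = []

    # Item 5: every switch needs a descriptive label.
    if not dvs.name.strip():
        findings.append((5, "<unnamed>", "distributed switch has no label"))

    # Item 6: healthcheck packets carry host, switch and port details; keep it off
    # unless it is actively being used for troubleshooting.
    if dvs.healthcheck_enabled:
        findings.append((6, dvs.name, "network healthcheck is enabled"))

    for pg in dvs.portgroups:
        # Item 1: static binding combined with Auto Expand grows the port count silently.
        if pg.binding == "static" and pg.auto_expand:
            findings.append((1, pg.name, "static binding with Auto Expand enabled"))

        # Items 2-3: every tagged VLAN in use must appear in the documented set.
        if pg.vlan_id and pg.vlan_id not in documented_vlans:
            findings.append((3, pg.name, f"VLAN {pg.vlan_id} is not documented"))

        # Item 4: ports that exist but have nothing connected are unused ports.
        unused = pg.ports_total - pg.ports_connected
        if unused > 0:
            findings.append((4, pg.name, f"{unused} unused port(s)"))

        # Item 7: the Layer 2 security policy should reject all three options.
        for label, accepted in (("Promiscuous mode", pg.allow_promiscuous),
                                ("MAC address changes", pg.mac_changes),
                                ("Forged transmits", pg.forged_transmits)):
            if accepted:
                findings.append((7, pg.name, f"security policy accepts {label}"))

    return findings


# Constructed snapshot: one switch with two port groups, and a documented VLAN
# list that is missing one of the IDs actually in use.
DOCUMENTED_VLANS = {100, 200}

SAMPLE_DVS = DistributedSwitch(
    name="dvs-prod",
    healthcheck_enabled=True,
    portgroups=[
        PortGroup("pg-web", "static", auto_expand=True, vlan_id=100,
                  ports_total=8, ports_connected=8,
                  allow_promiscuous=False, mac_changes=False, forged_transmits=False),
        PortGroup("pg-db", "static", auto_expand=False, vlan_id=250,
                  ports_total=16, ports_connected=12,
                  allow_promiscuous=False, mac_changes=False, forged_transmits=True),
    ],
)

if __name__ == "__main__":
    for item, obj, text in audit_switch(SAMPLE_DVS, DOCUMENTED_VLANS):
        print(f"item {item:>2}  {obj:<10} {text}")
```

Run against the constructed snapshot, the audit reports the enabled healthcheck on the switch, Auto Expand on pg-web, and the undocumented VLAN, four unused ports and accepted forged transmits on pg-db; a switch with healthcheck off and no port groups produces no findings. Each finding carries the checklist item number so the report can be read back against the list above.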