Administrators have several options for securing the VLANs in their vSphere environment.


  1. Ensure that port groups are not configured to VLAN values that are reserved by upstream physical switches
    Do not set VLAN IDs to values reserved for the physical switch.
  2. Ensure that port groups are not configured to VLAN 4095 unless you are using for Virtual Guest Tagging (VGT).
    Three types of VLAN tagging exist in vSphere:
    • External Switch Tagging (EST)
    • Virtual Switch Tagging (VST) - The virtual switch tags with the configured VLAN ID the traffic that is incoming to the attached virtual machines and removes the VLAN tag from the traffic that is leaving them. To set up VST mode, assign a VLAN ID between 1 and 4095.
    • Virtual Guest Tagging (VGT) - Virtual machines handle VLAN traffic. To activate VGT mode, set the VLAN ID to 4095. On a distributed switch, you can also allow virtual machine traffic based on its VLAN by using the VLAN Trunking option.

    On a standard switch you can configure VLAN networking mode at switch or port group level, and on a distributed switch at distributed port group or port level.

  3. Ensure that all VLANs on each virtual switch are fully documented and that each virtual switch has all required VLANs and only required VLANs.