Administrators have several options for securing vSphere Distributed Switches in their vSphere environment.

The same rules apply for VLANs in a vSphere Distributed Switch as they do in a standard switch. For more information, see Standard Switch Protection and VLANs.


  1. For distributed port groups with static binding, disable the Auto Expand feature.

    Auto Expand is enabled by default in vSphere 5.1 and later.

    To disable Auto Expand, configure the autoExpand property under the distributed port group with the vSphere Web Services SDK or with a command-line interface. See the vSphere Web Services SDK documentation.
  2. Ensure that all private VLAN IDs of any vSphere Distributed Switch are fully documented.
  3. If you are using VLAN tagging on a dvPortgroup, VLAN IDs must correspond to the IDs on external VLAN-aware upstream switches. If VLAN IDs are not tracked correctly, mistaken reuse of IDs might allow unintended traffic. Similarly, wrong or missing VLAN IDs might lead to traffic not passing between physical and virtual machines.
  4. Ensure that no unused ports exist on a virtual port group associated with a vSphere Distributed Switch.
  5. Label all vSphere Distributed Switches.
    vSphere Distributed Switches associated with an ESXi host require a text box for the name of the switch. This label serves as a functional descriptor for the switch, just like the host name associated with a physical switch. The label on the vSphere Distributed Switch indicates the function or the IP subnet of the switch. For example, you can label the switch as internal to indicate that it is only for internal networking on a virtual machine’s private virtual switch. No traffic goes over physical network adapters.
  6. Disable network health check for your vSphere Distributed Switches if you are not actively using it.
    Network health check is disabled by default. Once enabled, the health check packets contain information about the host, switch, and port that an attacker can potentially use. Use network health check only for troubleshooting, and turn it off when troubleshooting is finished.
  7. Protect virtual traffic against impersonation and interception Layer 2 attacks by configuring a security policy on port groups or ports.
    The security policy on distributed port groups and ports includes the following options:
    You can view and change the current settings by selecting Manage Distributed Port Groups from the right-button menu of the distributed switch and selecting Security in the wizard. See the vSphere Networking documentation.