Secure the physical switch on each ESXi host to prevent attackers from gaining access to the host and its virtual machines.

For best protection of your hosts, ensure that spanning tree is deactivated on the physical switch ports connected to ESXi hosts, and that the non-negotiate option is configured for trunk links between external physical switches and virtual switches in Virtual Switch Tagging (VST) mode.

Procedure

  1. Log in to the physical switch and ensure that spanning tree protocol is deactivated or that Port Fast is configured for all physical switch ports that are connected to ESXi hosts.
  2. For virtual machines that perform bridging or routing, check periodically that the first upstream physical switch port is configured with BPDU Guard and Port Fast deactivated and with spanning tree protocol activated.
    To protect the physical switch from potential Denial of Service (DoS) attacks, you can turn on the guest BPDU filter on the ESXi hosts.
  3. Log in to the physical switch and ensure that Dynamic Trunking Protocol (DTP) is not activated on the physical switch ports that are connected to the ESXi hosts.
  4. Routinely check physical switch ports to ensure that they are properly configured as trunk ports if connected to virtual switch VLAN trunking ports.