Details
Ensure the Promiscuous Mode Policy within the vSwitch is set to reject. Promiscuous mode
can be set at the vSwitch and/or the Portgroup level. You can override switch-level settings
at the Portgroup level.
*Rationale*
When promiscuous mode is enabled for a virtual switch all virtual machines connected to
the dvPortgroup have the potential of reading all packets crossing that network.
This could enable unauthorized access to the contents of those packets.
Solution
1. In the vSphere Web Client, navigate to the host.
2. ‘Hosts and Clusters’ -> ‘vCenter’ -> host.
3. On the Manage tab, click Networking, and select Virtual switches.
4. Select a standard switch from the list and click the pencil icon to edit settings.
5. Select Security.
6. Set Promiscuous Mode to ‘Reject’.
7. Click ‘OK’.
Additionally, perform the following to implement the recommended configuration state via
the ESXi shell-
# esxcli network vswitch standard policy security set -v vSwitch2 -p false
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system VMware.