Hi All,
I haven't found reference to this yet (although it may be my search skills) and wondered if anyone has seen similar.
We're experimenting with the free Compliance checker tool to audit security on a proof of concept vSphere 5.5 Enterprise Plus with Ops Manager environment. The hosts in question are blades and commit their dual 10GbE NICs as uplinks to a single distributed virtual switch. For security I've removed the single standard vSwitch0 once the migration of management VMK to the distributed switch was complete.
Upon running the compliance checker we found that hosts were failing the following checks:
Reject-mac-changes
Reject-forged-transmit
reject-promiscuous-mode
No-VGT-VLAN-4095
The clue was the last part, as this indicated the failure was part of a standard switch, which we no longer had. Running the PowerCLI assessment as per the hardening guide confirmed that 4095 wasn't used as a VLAN on any portgroups.
The first three compliance failures are cleared if I add a standard vSwitch, without a virtual portgroup and without a physical adaptor, with the three security options set to reject.
I have to create a virtual port group on this switch, with the default of no VLAN set, to clear the VLAN-4095 error.
So it looks like I have to create an empty vSwitch and portgroup in order for the compliance checker to confirm that I have no standard switches with Accept or 4095 VGT enabled?
Have I missed something? Thanks
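As an added illustration (not code from the original post or from the compliance checker), the following PowerCLI snippet walks every host and reports the same four conditions the checker names above, so a host with no standard vSwitch is reported as passing rather than left ambiguous. It assumes VMware PowerCLI is loaded and Connect-VIServer has already been run against the vCenter; the cmdlets used (Get-VMHost, Get-VirtualSwitch, Get-SecurityPolicy, Get-VirtualPortGroup) are standard PowerCLI cmdlets.

```powershell
# Added example, not from the original post or the hardening guide scripts.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$findings = foreach ($vmhost in Get-VMHost) {
    $stdSwitches = @(Get-VirtualSwitch -VMHost $vmhost -Standard -ErrorAction SilentlyContinue)
    if ($stdSwitches.Count -eq 0) {
        # No standard vSwitch on this host: nothing to set to Reject, nothing to flag.
        [pscustomobject]@{ Host = $vmhost.Name; Object = '(none)'; Check = 'No standard vSwitch present'; Status = 'PASS' }
        continue
    }
    foreach ($sw in $stdSwitches) {
        # Security policy booleans are $true when the option is set to Accept.
        $pol = $sw | Get-SecurityPolicy
        foreach ($check in 'MacChanges', 'ForgedTransmits', 'AllowPromiscuous') {
            [pscustomobject]@{
                Host   = $vmhost.Name
                Object = $sw.Name
                Check  = "Reject-$check"
                Status = if ($pol.$check) { 'FAIL (Accept)' } else { 'PASS' }
            }
        }
        # VLAN 4095 on a standard portgroup means VGT (guest tagging) is enabled.
        foreach ($pg in ($sw | Get-VirtualPortGroup -Standard)) {
            [pscustomobject]@{
                Host   = $vmhost.Name
                Object = "$($sw.Name)/$($pg.Name)"
                Check  = 'No-VGT-VLAN-4095'
                Status = if ($pg.VLanId -eq 4095) { 'FAIL (VGT)' } else { 'PASS' }
            }
        }
    }
}
$findings | Sort-Object Host, Object | Format-Table -AutoSize
```

Running this alongside the compliance checker shows whether the failures come from a real standard vSwitch setting or only from the checker expecting a standard switch to exist.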