The vCenter Server must disable CDP/LLDP on distributed switches.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| low | V-258964 | SRG-APP-000516 | VCSA-80-000299 | SV-258964r961863_rule | 2025-06-09 | 2 |
Description
The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as a listener, advertiser, or both. The information is sensitive, including IP addresses, system names, software versions, and more. It can be used by an adversary to gain a better understanding of your environment, and to impersonate devices. It is also transmitted unencrypted on the network, and as such the recommendation is to disable it.
ℹ️ Check
If distributed switches are not used, this is not applicable.
From the vSphere Client, go to "Networking".
Select a distributed switch >> Configure >> Settings >> Properties.
Review the "Discovery Protocol" configuration.
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDSwitch | Select Name,LinkDiscoveryProtocolOperation
If any distributed switch does not have "Discovery Protocols" disabled, this is a finding.
✔️ Fix
From the vSphere Client, go to "Networking".
Select a distributed switch >> Configure >> Settings >> Properties.
Click "Edit".
Select the advanced tab and update the "Type" under "Discovery Protocol" to disabled and click "OK".
or
From a PowerCLI command prompt while connected to the vCenter server, run the following command:
Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"