Configure Multiple Security Settings on Unassigned ESXi Hosts by Using PowerCLI
You perform this procedure on all unassigned ESXi hosts in the SDDC inventory to configure non-native VLAN ID, Virtual Guest Tagging (VGT), and unreserved VLAN ID on all the port groups on the standard switch.
These controls apply only to unassigned hosts in VMware Cloud Foundation. An unassigned host is a host that is commissioned but not assigned to a workload domain. Once the host is added to a VMware Cloud Foundation workload domain, the standard switch on the host is removed and the host is added to a distributed switch.
The following configurations address ESXi standard switches only. Distributed switches are addressed in the Securing vCenter Server section. If your environment does not have ESXi hosts with standard switches, you can skip this procedure.
- Log in to the unassigned ESXi host you want to reconfigure by using a PowerCLI console and provide the credentials.

      Connect-VIServer -Server host-fqdn -Protocol https

- Configure VLAN settings on the standard switch.

  | Configuration ID | Description |
  | --- | --- |
  | VMW-ESXI-01103 | Configure port groups on standard switches to a value other than that of the native VLAN. |
  | VMW-ESXI-01104 | Do not configure the port groups on standard switches to VLAN 4095 unless Virtual Guest Tagging (VGT) is required. |
  | VMW-ESXI-01105 | Do not configure the port groups on standard switches to VLAN values reserved by upstream physical switches. |

      Get-VirtualPortGroup -Name "portgroup name" | Set-VirtualPortGroup -VLanId "New VLAN#"
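To find which port groups need the change above, the following added example (not part of the VMware procedure) checks each port group's VLAN ID against the three controls. The function name Test-PortGroupVlan, the native VLAN of 1, the reserved range 1002-1005, and the VGT allow-list are assumptions for illustration; replace them with the values used by your upstream physical switches.

```powershell
# Added example: audit logic for VMW-ESXI-01103, -01104 and -01105.
# Test-PortGroupVlan is a hypothetical helper, not a PowerCLI cmdlet.
function Test-PortGroupVlan {
    [CmdletBinding()]
    param(
        # Name and VLanId bind by property name from piped port group objects.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$VLanId,
        [int]$NativeVlan = 1,                    # assumption: site native VLAN
        [int[]]$ReservedVlans = @(1002..1005),   # assumption: placeholder range
        [string[]]$VgtAllowed = @()              # port groups where VGT is required
    )
    process {
        $findings = @()
        if ($VLanId -eq $NativeVlan) { $findings += 'VMW-ESXI-01103' }
        # VLAN 4095 enables VGT; acceptable only for explicitly listed port groups.
        if ($VLanId -eq 4095 -and $Name -notin $VgtAllowed) { $findings += 'VMW-ESXI-01104' }
        if ($VLanId -in $ReservedVlans) { $findings += 'VMW-ESXI-01105' }

        [pscustomobject]@{
            PortGroup = $Name
            VLanId    = $VLanId
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join ','
        }
    }
}

# Constructed sample data so the logic can be run without a host connection.
$sample = @(
    [pscustomobject]@{ Name = 'VM Network';   VLanId = 1 }
    [pscustomobject]@{ Name = 'Trunk-Guests'; VLanId = 4095 }
    [pscustomobject]@{ Name = 'Legacy';       VLanId = 1003 }
    [pscustomobject]@{ Name = 'App-Tier';     VLanId = 120 }
)
$sample | Test-PortGroupVlan -VgtAllowed 'Trunk-Guests' | Format-Table -AutoSize

# Against a live host, after Connect-VIServer:
# Get-VirtualPortGroup -Standard | Test-PortGroupVlan | Where-Object { -not $_.Compliant }
```

With the sample data, 'VM Network' is flagged for VMW-ESXI-01103 and 'Legacy' for VMW-ESXI-01105, while 'Trunk-Guests' passes only because it is on the VGT allow-list.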