VMware Cloud Foundation 4.5

5.2 5.1 5.0 4.5
Deutsch Français Italiano 日本語 English

Configure Security Settings for vCenter Server by Using PowerCLI

To configure host password length, native VLAN, reserved VLAN, and VGT, you perform the procedure on all vCenter Servers instances.
  1. Log in to vCenter Server by using a PowerCLI console.​
    Setting
    Value
    Command
    Connect-VIServer -Server
    management-domain-vcenter-server-fqdn
    ​​ -Protocol https
    User name​
    administrator@vsphere.local​
  2. VMW-VC-01201
     Configure all port groups to a value different from the value of the native VLAN.
    Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#"
  3. VMW-VC-01202
     Configure all port groups to VLAN values not reserved by upstream physical switches
    Get-VDPortgroup "portgroup name" | Set-VDVlanConfiguration -VlanId "New VLAN#" 
  4. VMW-VC-01227
     Do not configure VLAN trunking in vCenter Server unless Virtual Guest Tagging (VGT) is required and authorized.
    1. If you use VLAN ranges, enter VLAN ranges with a comma separated value to configure trunking.
      Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanTrunkRange "<VLAN Range(s) comma separated>"
    2. If you use a single VLAN, enter a single VLAN ID to configure trunking.
      Get-VDPortgroup "Portgroup Name" | Set-VDVlanConfiguration -VlanId "<New VLAN#>"
  5. VMW-VC-01247
     Services that may be unnecessary should be disabled such as CDP or LLDP network discovery protocols.
    Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"
  6. VMW-VC-01265
     vCenter must reset port configuration when virtual machines are disconnected.
    $pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
$spec.Policy.PortConfigResetAtDisconnect = $True
$pg.ReconfigureDVPortgroup_Task($spec)
}
  7. VMW-VC-01266
     vCenter must not override port group settings at the port level on distributed switches, except for block ports.
    $pgs = Get-VDPortgroup | Get-View
ForEach($pg in $pgs){
$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.configversion = $pg.Config.ConfigVersion
$spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
$spec.Policy.VlanOverrideAllowed = $False
$spec.Policy.UplinkTeamingOverrideAllowed = $False
$spec.Policy.SecurityPolicyOverrideAllowed = $False
$spec.Policy.IpfixOverrideAllowed = $False
$spec.Policy.BlockOverrideAllowed = $True
$spec.Policy.ShapingOverrideAllowed = $False
$spec.Policy.VendorConfigOverrideAllowed = $False
$spec.Policy.TrafficFilterOverrideAllowed = $False
$pg.ReconfigureDVPortgroup_Task($spec)
}
  8. VMW-VC-01275
     Configure the vCenter Server login banner text for access via SSH.
    Get-AdvancedSetting -Entity $VC -Name etc.issue | Set-AdvancedSetting -Value "Authorized login banner"

Content feedback and comments