"Vendor Configuration" parameter set to "Allowed" in the DVS port group settings

Article ID: 421197

Products

VMware vCenter Server

Issue/Introduction

  • The value of the DVS portgroup advanced parameter "Vendor Configuration" is set to "Allowed" when the portgroup configurations are pushed from SDDC in a VCF setup.
  • The default value of this parameter is "Disabled".

Environment

VCF 5.2
VMware vSphere ESXi

Cause

This is a known bug in VCF 5.2: every DVPortGroup created via SDDC allows Vendor Configuration overriding by default.


Resolution

Workaround:

  • Since allowing "Vendor Configuration" overriding can be a security concern, manually set it to "Disabled" in the Distributed Port Group edit settings in vCenter if you do not intend to enable it.
  • To disable it, open the portgroup's Edit Settings --> Advanced --> Vendor configuration --> Disabled.
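The two steps above are per-portgroup clicks in the vCenter UI; in a VCF environment with many SDDC-created portgroups it is easier to audit them all at once and, where wanted, apply the same change through the vSphere API. The PowerCLI script below is an added example written for this article, not code from VMware or from the KB. It assumes VMware.PowerCLI is installed; the `$Server` value is a placeholder, and the `-Fix` switch is this script's own. The `VendorConfigOverrideAllowed` policy field, `ReconfigureDVPortgroup` method and `DVPortgroupConfigSpec` type are the standard vSphere API objects for this setting.

```powershell
# Added example (not from the KB): audit every vSphere Distributed Switch port group
# for the "Vendor Configuration" override setting and optionally reset it to Disabled.
# Assumes VMware.PowerCLI is installed. The -Fix switch and $Server are this script's own.
param(
    [string]$Server = 'vcenter.example.test',   # placeholder vCenter FQDN
    [switch]$Fix                                 # report only unless -Fix is given
)

Connect-VIServer -Server $Server | Out-Null

# Uplink port groups are skipped: they are not the SDDC-created VM port groups
# this article is about.
$portgroups = Get-VDPortgroup | Where-Object { -not $_.IsUplink }

$findings = foreach ($pg in $portgroups) {
    $cfg = $pg.ExtensionData.Config
    $sec = $cfg.DefaultPortConfig.SecurityPolicy
    [pscustomobject]@{
        Switch                      = $pg.VDSwitch.Name
        PortGroup                   = $pg.Name
        VendorConfigOverrideAllowed = [bool]$cfg.Policy.VendorConfigOverrideAllowed
        # The override matters most when the port group relies on its security
        # policy (reject MAC changes / promiscuous mode), so record that as context.
        RejectMacChanges            = ($sec.MacChanges.Value -eq $false)
        RejectPromiscuous           = ($sec.AllowPromiscuous.Value -eq $false)
    }
}

$findings | Format-Table -AutoSize

$affected = @($findings | Where-Object { $_.VendorConfigOverrideAllowed })
Write-Host ("{0} of {1} port groups allow Vendor Configuration override" -f $affected.Count, @($findings).Count)

if ($Fix) {
    foreach ($f in $affected) {
        $pg = Get-VDPortgroup -Name $f.PortGroup -VDSwitch $f.Switch
        # Reconfigure through the vSphere API: reuse the current policy, clear the
        # vendor-config override flag, and submit it with the current ConfigVersion
        # so a concurrent change made elsewhere is rejected instead of overwritten.
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        $spec.ConfigVersion = $pg.ExtensionData.Config.ConfigVersion
        $spec.Policy = $pg.ExtensionData.Config.Policy
        $spec.Policy.VendorConfigOverrideAllowed = $false
        $pg.ExtensionData.ReconfigureDVPortgroup($spec)
        Write-Host "Disabled Vendor Configuration override on $($f.Switch)/$($f.PortGroup)"
    }
}
```

Run it without `-Fix` first to see which port groups SDDC created with the override allowed; the report also shows whether each port group rejects MAC changes and promiscuous mode, which is the policy the override would let a VM relax. Re-running the audit after the VCF upgrade that carries the permanent fix confirms no port group was left behind.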

A permanent fix will be provided in future releases of VCF (VCF 5.3 and VCF 9.1).

Additional Information

Why could allowing Vendor Configuration overriding be a security concern?
Allowing Vendor Configuration overriding on the DVS portgroup is a security risk because it lets a VM override the policies of its portgroup.
For example, if a portgroup is configured to reject MAC address changes and promiscuous mode, a malicious VM could use this override ("Vendor configuration" set to "Allowed") to enable them, allowing it to "sniff" network traffic destined for other VMs on the same portgroup.