The vCenter Server must disable CDP/LLDP on distributed switches.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-258964	SRG-APP-000516	VCSA-80-000299	SV-258964r961863_rule	2024-12-16	2

Description
The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as a listener, advertiser, or both. The information is sensitive, including IP addresses, system names, software versions, and more. It can be used by an adversary to gain a better understanding of your environment, and to impersonate devices. It is also transmitted unencrypted on the network, and as such the recommendation is to disable it.

Description

The vSphere Distributed Virtual Switch can participate in Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as a listener, advertiser, or both. The information is sensitive, including IP addresses, system names, software versions, and more. It can be used by an adversary to gain a better understanding of your environment, and to impersonate devices. It is also transmitted unencrypted on the network, and as such the recommendation is to disable it.

ℹ️ Check
If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Review the "Discovery Protocol" configuration. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch \| Select Name,LinkDiscoveryProtocolOperation If any distributed switch does not have "Discovery Protocols" disabled, this is a finding.

ℹ️ Check

If distributed switches are not used, this is not applicable. From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Review the "Discovery Protocol" configuration. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch | Select Name,LinkDiscoveryProtocolOperation If any distributed switch does not have "Discovery Protocols" disabled, this is a finding.

✔️ Fix
From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Click "Edit". Select the advanced tab and update the "Type" under "Discovery Protocol" to disabled and click "OK". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch -Name "DSwitch" \| Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"

✔️ Fix

From the vSphere Client, go to "Networking". Select a distributed switch >> Configure >> Settings >> Properties. Click "Edit". Select the advanced tab and update the "Type" under "Discovery Protocol" to disabled and click "OK". or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Get-VDSwitch -Name "DSwitch" | Set-VDSwitch -LinkDiscoveryProtocolOperation "Disabled"