1,299 Views 9 Replies Last post: Jan 27, 2011 2:11 PM by Chamon
Chamon Master 976 posts since Aug 15, 2007

May 19, 2010 1:13 PM

Script to Configure Security on vSwitch error

Here is my issue. I am putting together a script to configure our ESXi 4 U1 hosts. During the configuration we need to set the vSwitch security to reject for allowPromiscuous, forgedTransmits, and macChanges. Here is the section and the error.

# Posted script section; the last line is the one that throws
$vh01 = Get-VMHost myhost.domain.com
$vh01vsw0 = $vh01 | Get-VirtualSwitch -Name "vSwitch2"
$vh01moref = $vh01 | % { Get-View $_.Id }          # HostSystem view
$vh01morefconfig = $vh01moref.ConfigManager
$vh01netsys = $vh01morefconfig.NetworkSystem       # MoRef of the host's HostNetworkSystem
$vh01netsysmoref = Get-View $vh01netsys            # HostNetworkSystem view (has UpdateVirtualSwitch)

# A brand-new, mostly empty spec is built here rather than the switch's existing spec
$swspec = New-Object VMware.Vim.HostVirtualSwitchSpec
$swspec.NumPorts = 24
$swspec.Policy = New-Object VMware.Vim.HostNetworkPolicy
$swspec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
$swspec.Policy.Security.AllowPromiscuous = $false
$swspec.Policy.Security.ForgedTransmits = $false
$swspec.Policy.Security.MacChanges = $false

$vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.Name, $swspec)

And the error I get is:

Exception calling "UpdateVirtualSwitch" with "2" argument(s): "A specified parameter was not correct.
"
At C:\ Docs\PowershellScripts\StateConfigScripts\switchsec_test.ps1:17 char:37
+ $vh01netsysmoref.UpdateVirtualSwitch <<<< ($vh01vsw0.name,$swspec)
    + CategoryInfo          : NotSpecified: ( [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

 

If I run $vh01vsw0.name I get the correct vSwitch string reported back. I have a script section to set the same on the portgroups and it works just fine. Here is that script section.

# Port group version of the same idea; this section works
$vh01 = Get-VMHost myhost.domain.com
$vh01moref = $vh01 | % { Get-View $_.Id }          # HostSystem view
$vh01morefconfig = $vh01moref.ConfigManager
$vh01netsys = $vh01morefconfig.NetworkSystem       # MoRef of the host's HostNetworkSystem
$vh01netsysmoref = Get-View $vh01netsys            # HostNetworkSystem view (has UpdatePortGroup)

# A fresh port group spec: name, parent vSwitch, VLAN and the security sub-policy
$pgspec = New-Object VMware.Vim.HostPortGroupSpec
$pgspec.VswitchName = "vSwitch0"
$pgspec.Name = "Management Network"
$pgspec.VlanId = 0
$pgspec.Policy = New-Object VMware.Vim.HostNetworkPolicy
$pgspec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
$pgspec.Policy.Security.AllowPromiscuous = $false
$pgspec.Policy.Security.ForgedTransmits = $false
$pgspec.Policy.Security.MacChanges = $false

$vh01netsysmoref.UpdatePortGroup($pgspec.Name, $pgspec)

Is this something that has to be done during the vSwitch creation and can’t be changed after? Any help is greatly appreciated!! Thanks in advance!!

LucD Guru User Moderators vExpert 8,981 posts since Oct 31, 2005
1. May 19, 2010 1:56 PM in response to: Chamon
Re: Script to Configure Security on vSwitch error

No, it can be done.

But since this is an existing switch you can't "nullify" some of the properties that are already there.

Even though the SDK Reference says that some properties are optional, when they are defined on an existing vswitch, you have to include them in the spec.

The easiest way is to just copy the existing spec and only modify the properties you want to modify.

Something like this:

$vh01 = Get-VMHost myhost.domain.com
$vh01moref = $vh01 | % { Get-View $_.Id }          # HostSystem view
$vh01morefconfig = $vh01moref.ConfigManager
$vh01netsys = $vh01morefconfig.NetworkSystem
$vh01netsysmoref = Get-View $vh01netsys            # HostNetworkSystem view
# Take the switch from the host's network config rather than from Get-VirtualSwitch:
# this HostVirtualSwitchConfig entry carries the full spec that is already applied on the host
$vh01vsw0 = $vh01netsysmoref.NetworkConfig.Vswitch | where { $_.Name -eq "vSwitch2" }

$swspec = $vh01vsw0.Spec   # here you copy the existing spec object

# Only the three security settings change; everything else in the spec is kept as-is
$swspec.Policy.Security.AllowPromiscuous = $false
$swspec.Policy.Security.ForgedTransmits = $false
$swspec.Policy.Security.MacChanges = $false

$vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.Name, $swspec)

____________

Blog: LucD notes

Twitter: lucd22

Blog: http://lucd.info | Twitter: @LucD22 | Book co-author: http://powerclibook.com
LucD Guru User Moderators vExpert 8,981 posts since Oct 31, 2005
3. May 19, 2010 9:48 PM in response to: Chamon
Re: Script to Configure Security on vSwitch error

The SDK Reference is quite good. But there are a few facts to know (or learn) when you start using it.

 

Currently the best guide, although it is using Java, is Steve's book called VMware VI and vSphere SDK: Managing the VMware Infrastructure and vSphere.

On my blog I started collecting some tips and tricks on the SDK page. The page contains pointers to Steve's tips & tricks.

Several of my other posts use the SDK's methods or properties in one way or the other.

 

The book that Alan and I are writing (see "We’re writing a book!") will of course contain an SDK chapter.


chouse Hot Shot 193 posts since Sep 20, 2006
4. Jul 7, 2010 5:14 AM in response to: LucD
Re: Script to Configure Security on vSwitch error

Thanks for this, did exactly what I needed.

Just a note, be careful when choosing to reject MAC Address Changes and Forged Transmits for ESX hosts that are running VMs participating in Microsoft Network Load Balancing - NLB legitimately changes the MAC address of the VM adapters in order to participate in NLB. If you reject these modifications via the vSwitch security policy, those VMs will drop off the network (found this out after the fact!)

chouse Hot Shot 193 posts since Sep 20, 2006
6. Jul 7, 2010 7:03 AM in response to: Chamon
Re: Script to Configure Security on vSwitch error

Good point, I am reminded that this can be set on portgroups. So I shall plan to set this on the vswitch but override it for our NLB VLAN. That should solve the problem of the hosts dropping off.

Attached is the script I put together to do every switch on every host in a vcenter.
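The attachment itself is not on this page, so here is an added example (written for this edit; it is neither the attached script nor LucD's or chouse's code) that does what the last two posts describe: walk every standard vSwitch on every host in the connected vCenter, copy each switch's existing spec and set the three security settings to Reject, then explicitly set MAC Changes and Forged Transmits back to Accept on the named port group(s) where NLB guests live. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the port group name "NLB-VLAN" is a placeholder.

```powershell
# Added example, not from the thread. Assumes a live PowerCLI session
# (Connect-VIServer already done). Port group names below are placeholders.
param(
    [string[]] $AllowedPortGroups = @('NLB-VLAN')   # placeholder: port groups that must keep Accept
)

function Set-VSwitchSecurityReject {
    param(
        [Parameter(Mandatory)] $NetSys,        # HostNetworkSystem view
        [Parameter(Mandatory)] $SwitchConfig   # one entry of $NetSys.NetworkConfig.Vswitch
    )
    # Start from the spec the host already has, so Bridge, NumPorts, Mtu and the
    # other policy sub-objects are sent back unchanged (a fresh spec drops them,
    # which is what produced "A specified parameter was not correct").
    $spec = $SwitchConfig.Spec
    if (-not $spec.Policy)          { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
    if (-not $spec.Policy.Security) { $spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }
    $spec.Policy.Security.AllowPromiscuous = $false
    $spec.Policy.Security.MacChanges       = $false
    $spec.Policy.Security.ForgedTransmits  = $false
    $NetSys.UpdateVirtualSwitch($SwitchConfig.Name, $spec)
}

function Set-PortGroupSecurityAccept {
    param(
        [Parameter(Mandatory)] $NetSys,
        [Parameter(Mandatory)] $PortGroupConfig   # one entry of $NetSys.NetworkConfig.Portgroup
    )
    # A port group whose Security sub-policy is unset inherits the vSwitch policy,
    # so the override has to be written explicitly. Only the two settings NLB needs
    # are opened; promiscuous mode stays rejected.
    $spec = $PortGroupConfig.Spec
    if (-not $spec.Policy)          { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
    if (-not $spec.Policy.Security) { $spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }
    $spec.Policy.Security.MacChanges      = $true
    $spec.Policy.Security.ForgedTransmits = $true
    $NetSys.UpdatePortGroup($PortGroupConfig.Spec.Name, $spec)
}

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $hostView = Get-View -Id $vmhost.Id -Property ConfigManager
    $netSys   = Get-View -Id $hostView.ConfigManager.NetworkSystem

    foreach ($sw in $netSys.NetworkConfig.Vswitch) {
        Set-VSwitchSecurityReject -NetSys $netSys -SwitchConfig $sw
        Write-Host "$($vmhost.Name): $($sw.Name) -> Promiscuous/MacChanges/ForgedTransmits = Reject"
    }

    foreach ($pg in $netSys.NetworkConfig.Portgroup) {
        if ($AllowedPortGroups -contains $pg.Spec.Name) {
            Set-PortGroupSecurityAccept -NetSys $netSys -PortGroupConfig $pg
            Write-Host "$($vmhost.Name): port group '$($pg.Spec.Name)' keeps MacChanges/ForgedTransmits = Accept"
        }
    }
}
```

The switch-level Reject is the baseline; the port-group override is deliberately narrow (two settings, named port groups only) so that the hosts in the NLB VLAN keep working while every other port group still inherits the rejecting policy from its vSwitch.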
maxdrury Novice 7 posts since Jul 18, 2007
7. Jan 26, 2011 12:44 PM in response to: chouse
Re: Script to Configure Security on vSwitch error

I've been using the Get-View command to drill down through the managed objects and I can get all the way to the Security layer and manually set a value to False but it does not update in vcenter.

[vSphere PowerCLI] C:\> $vSwitch0Security = $vSwitch0Policy.Security
[vSphere PowerCLI] C:\> $vSwitch0Security

AllowPromiscuous : False
MacChanges       : True
ForgedTransmits  : True
DynamicType      :
DynamicProperty  :

[vSphere PowerCLI] C:\> $vSwitch0Security.MacChanges = $false
[vSphere PowerCLI] C:\> $vSwitch0Security

AllowPromiscuous : False
MacChanges       : False
ForgedTransmits  : True
DynamicType      :
DynamicProperty  :


How is it I can update a value in PowerCLI that doesn't get reflected in the vcenter? I get that UpdateVirtualSwitch is required but I didn't see that object anywhere (if it even is an object). Up to this point I was able to see all the objects I used to drill further down the hierarchy - like ConfigManager > NetworkSystem etc. I got lost at UpdateVirtualSwitch. Where do I find that and what's the syntax? In other words, if I drill down to a property of another object type, how do I know what Update command to use?

avlieshout Expert VMware Employees vExpert 503 posts since Jul 27, 2007
8. Jan 26, 2011 12:57 PM in response to: maxdrury
Re: Script to Configure Security on vSwitch error

You are only updating the in memory variable. You need to look for a method to update the vSwitch.

Have a look at the vswitch object using the get-member cmdlet.

$vSwitch | gm

Look for an update method and it also shows what type of input object is required.

Arnim van Lieshout Blogging: http://www.van-lieshout.com Twitter: http://www.twitter.com/avlieshout If you find this information useful, please award points for "correct" or "helpful".
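The two points in this answer, finding the right method with Get-Member and the difference between the in-memory view object and what the host actually has, can be shown end to end. The following is an added example for this edit, not code from the thread or from PowerCLI's documentation. It assumes a live PowerCLI session, uses placeholder host and switch names, and relies on the UpdateViewData() method that PowerCLI view objects expose to re-read properties from the server.

```powershell
# Added example, not from the thread. Assumes Connect-VIServer has been run.
$hostName   = 'esx01.example.com'   # placeholder
$switchName = 'vSwitch0'            # placeholder

$hostView = Get-View -Id (Get-VMHost -Name $hostName).Id -Property ConfigManager
$netSys   = Get-View -Id $hostView.ConfigManager.NetworkSystem   # HostNetworkSystem view

# 1. Discover the update methods this managed object exposes. The Definition column
#    shows each parameter type, e.g. UpdateVirtualSwitch(string, HostVirtualSwitchSpec).
$netSys | Get-Member -MemberType Method -Name 'Update*' |
    Select-Object Name, Definition | Format-Table -AutoSize

# 2. Read the security policy of one switch from the server, not from a cached copy.
function Get-VSwitchSecurity {
    param($NetSys, $Name)
    $NetSys.UpdateViewData('NetworkConfig')   # refresh the view's NetworkConfig from the host
    $sw = $NetSys.NetworkConfig.Vswitch | Where-Object { $_.Name -eq $Name }
    return $sw.Spec.Policy.Security
}

$before = Get-VSwitchSecurity -NetSys $netSys -Name $switchName
'--- on host before any change ---'
$before | Format-List AllowPromiscuous, MacChanges, ForgedTransmits

# 3. Change only the local object, exactly as in the question above. The host is untouched,
#    so a fresh read still shows the old value.
$sw = $netSys.NetworkConfig.Vswitch | Where-Object { $_.Name -eq $switchName }
$sw.Spec.Policy.Security.MacChanges = $false
$afterLocal = Get-VSwitchSecurity -NetSys $netSys -Name $switchName
'--- on host after editing the variable only ---'
$afterLocal | Format-List AllowPromiscuous, MacChanges, ForgedTransmits

# 4. Push the modified (still complete) spec with the method Get-Member surfaced, then verify.
$netSys.UpdateVirtualSwitch($switchName, $sw.Spec)
$afterUpdate = Get-VSwitchSecurity -NetSys $netSys -Name $switchName
'--- on host after UpdateVirtualSwitch ---'
$afterUpdate | Format-List AllowPromiscuous, MacChanges, ForgedTransmits
```

Because Get-VSwitchSecurity re-reads NetworkConfig before every read, the second listing still shows MacChanges as it is on the host; only the third listing, taken after UpdateVirtualSwitch, reflects the change. The same Get-Member step works for any managed object in the view hierarchy: the method name and its Definition tell you which spec type to pass.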
