9 Replies Latest reply on Jan 27, 2011 2:11 PM by Chamon

    Script to Configure Security on vSwitch error

    Chamon Master

      Here is my issue. I am putting together a script to configure our ESXi 4 U1 hosts. During the configuration we need to set the vSwitch security to reject for allowPromiscuous, forgedTransmits, and macChanges. Here is the section and the error.

       

      # Version that fails: builds a brand-new HostVirtualSwitchSpec instead of reusing the one the host already has
      $vh01 = Get-VMHost myhost.domain.com
      $vh01vsw0 = $vh01 | Get-VirtualSwitch -Name "vSwitch2"
      $vh01moref = $vh01 | % { Get-View $_.Id }              # HostSystem view
      $vh01morefconfig = $vh01moref.ConfigManager
      $vh01netsys = $vh01morefconfig.NetworkSystem            # MoRef of the HostNetworkSystem
      $vh01netsysmoref = Get-View $vh01netsys                 # manager view that carries UpdateVirtualSwitch()
      $swspec = New-Object VMware.Vim.HostVirtualSwitchSpec
      $swspec.NumPorts = 24
      $swspec.Policy = New-Object VMware.Vim.HostNetworkPolicy
      $swspec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
      $swspec.Policy.Security.AllowPromiscuous = $false
      $swspec.Policy.Security.ForgedTransmits = $false
      $swspec.Policy.Security.MacChanges = $false
      $vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.Name, $swspec)   # this call raises the error shown below

       

      And the error I get is :

      Exception calling "UpdateVirtualSwitch" with "2" argument(s): "A specified parameter was not correct.
      "
      At C:\ Docs\PowershellScripts\StateConfigScripts\switchsec_test.ps1:17 char:37
      + $vh01netsysmoref.UpdateVirtualSwitch <<<< ($vh01vsw0.name,$swspec)
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : DotNetMethodException

       

      If I run $vh01vsw0.name I get the correct vSwitch string reported back. I have a script section to set the same on the portgroups and it works just fine. Here is that script section.

       

      # Portgroup version that works: the spec is built from scratch here too, but for a portgroup the host accepts it
      $vh01 = Get-VMHost myhost.domain.com
      $vh01moref = $vh01 | % { Get-View $_.Id }              # HostSystem view
      $vh01morefconfig = $vh01moref.ConfigManager
      $vh01netsys = $vh01morefconfig.NetworkSystem
      $vh01netsysmoref = Get-View $vh01netsys                 # HostNetworkSystem view
      $pgspec = New-Object VMware.Vim.HostPortGroupSpec
      $pgspec.VswitchName = "vSwitch0"
      $pgspec.Name = "Management Network"
      $pgspec.VlanId = 0
      $pgspec.Policy = New-Object VMware.Vim.HostNetworkPolicy
      $pgspec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
      $pgspec.Policy.Security.AllowPromiscuous = $false
      $pgspec.Policy.Security.ForgedTransmits = $false
      $pgspec.Policy.Security.MacChanges = $false
      $vh01netsysmoref.UpdatePortGroup($pgspec.Name, $pgspec)

       

      Is this something that has to be done during the vSwitch creation and can’t be changed after? Any help is greatly appreciated!! Thanks in advance!!

        • 1. Re: Script to Configure Security on vSwitch error
          LucD Guru
          Community Warriors, User Moderators, vExpert

          No, it can be done.

          But since this is an existing switch you can't "nullify" some of the properties that are already there.

          Even though the SDK Reference says that some properties are optional, when they are defined on an existing vswitch, you have to include them in the spec.

          The easiest way is to just copy the existing spec and only modify the properties you want to modify.

          Something like this

          $vh01 = Get-VMHost myhost.domain.com
          $vh01moref = $vh01 | % { Get-View $_.Id }
          $vh01morefconfig = $vh01moref.ConfigManager
          $vh01netsys = $vh01morefconfig.NetworkSystem
          $vh01netsysmoref = Get-View $vh01netsys
          # NetworkConfig.Vswitch holds one HostVirtualSwitchConfig per vSwitch, each with the live Spec
          $vh01vsw0 = $vh01netsysmoref.NetworkConfig.Vswitch | where { $_.Name -eq "vSwitch2" }

          $swspec = $vh01vsw0.Spec   # here you copy the existing spec object

          # change only the security policy; NumPorts, Bridge, teaming and shaping stay as they are
          $swspec.Policy.Security.AllowPromiscuous = $false
          $swspec.Policy.Security.ForgedTransmits = $false
          $swspec.Policy.Security.MacChanges = $false

          $vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.Name, $swspec)


          ____________

          Blog: LucD notes

          Twitter: lucd22

          • 2. Re: Script to Configure Security on vSwitch error
            Chamon Master

            That did it! Thanks for the help! I was hoping you were out there listening.

             

            So it looks like I can shorten my script a lot by copying what I don't want to change. Is this a best practice then, instead of trusting the SDK reference for what is required and what is not? Thanks again. I am just starting to learn how to work with PowerCLI without using the built-in cmdlets. I am learning from here http://vinternals.com/powercli-mastery/ I will have to look at your blog for some tips like this one. Any link to where to start on your site?

            • 3. Re: Script to Configure Security on vSwitch error
              LucD Guru
              User Moderators, vExpert, Community Warriors

              The SDK Reference is quite good. But there are a few facts to know (or learn) when you start using it.

               

              Currently the best guide, although it uses Java, is Steve's book called VMware VI and vSphere SDK: Managing the VMware Infrastructure and vSphere.

              On my blog I started collecting some tips and tricks on the SDK page. The page contains pointers to Steve's tips & tricks.

              Several of my other posts use the SDK's methods or properties in one way or the other.

               

              The book Alan and I are writing (see "We’re writing a book!") will of course contain an SDK chapter.


              • 4. Re: Script to Configure Security on vSwitch error
                chouse Hot Shot

                 

                Thanks for this, did exactly what I needed.

                 

                 

                Just a note, be careful when choosing to reject MAC Address Changes and Forged Transmits for ESX hosts that are running VMs participating in Microsoft Network Load Balancing - NLB legitimately changes the MAC address of the VM adapters in order to participate in NLB. If you reject these modifications via the vSwitch security policy, those VMs will drop off the network (found this out after the fact!)

                 

                 

                • 5. Re: Script to Configure Security on vSwitch error
                  Chamon Master

                  With LucD's help we use what is below to set these on all vSwitches and portgroups on a Host. You may or may not want this but something else to work with.

                   

                  ##Now we will lockdown the vSwitches on this host
                  ###Use this to set this config on all vSwitches on this one host
                  write-host -ForeGroundColor Green "Configuring Security on all vSwitches and PortGroups"

                  $vh01 = Get-VMHost                                   # connected directly to one ESXi host, so this returns a single host
                  $vh01moref = $vh01 | % { Get-View $_.Id }
                  $vh01morefconfig = $vh01moref.ConfigManager
                  $vh01netsys = $vh01morefconfig.NetworkSystem
                  $vh01netsysmoref = Get-View $vh01netsys              # HostNetworkSystem view

                  foreach ($vh01vsw0 in $vh01netsysmoref.NetworkConfig.Vswitch) {
                      $swspec = $vh01vsw0.Spec                         # here you copy the existing spec object
                      $swspec.Policy.Security.AllowPromiscuous = $false
                      $swspec.Policy.Security.ForgedTransmits = $false
                      $swspec.Policy.Security.MacChanges = $false
                      $vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.Name, $swspec)
                  }

                  ##Now we will lockdown the Portgroups on this host
                  ###Use this to set this config on all Portgroups on this one host

                  # Get-View -ViewType HostSystem returns every host in the current connection
                  foreach ($vh01 in (Get-View -ViewType HostSystem)) {
                      Write-Output $vh01.Name
                      $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
                      foreach ($pg in $NetworkSystem.NetworkConfig.Portgroup) {
                          $pgspec = $pg.Spec                           # copy the existing portgroup spec
                          $pgspec.Policy.Security.AllowPromiscuous = $false
                          $pgspec.Policy.Security.ForgedTransmits = $false
                          $pgspec.Policy.Security.MacChanges = $false
                          # teaming settings are changed in the same call; they are not part of the security policy
                          $pgspec.Policy.NicTeaming.Policy = "loadbalance_srcid"
                          $pgspec.Policy.NicTeaming.NotifySwitches = $true
                          $NetworkSystem.UpdatePortGroup($pgspec.Name, $pgspec)
                      }
                  }

                  • 6. Re: Script to Configure Security on vSwitch error
                    chouse Hot Shot

                     

                    Good point, I am reminded that this can be set on portgroups. So I shall plan to set this on the vswitch but override it for our NLB VLAN. That should solve the problem of the hosts dropping off.

                     

                     

                    Attached is the script I put together to do every switch on every host in a vcenter.

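The following is an added example, not code posted in this thread. It puts together what the replies above describe: LucD's approach of reusing the live spec and changing only the three security flags, Chamon's loop over every vSwitch and portgroup, and chouse's exception for a Microsoft NLB portgroup, implemented as a portgroup-level Accept override on top of a vSwitch-level Reject. It then reads the effective policy back from the host instead of trusting the object that was just edited. It assumes an existing Connect-VIServer session with PowerCLI's VMware.Vim types loaded; the function name, the parameter names and the sample names esx01.domain.com and NLB-VLAN are placeholders chosen for this example.

```powershell
# Added example (not from the thread). Assumes Connect-VIServer has already been run.
# Function/parameter names and the sample host/portgroup names are placeholders.
function Set-StandardSwitchSecurity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $VMHost,
        # Portgroups whose VMs legitimately rewrite their source MAC (e.g. Microsoft NLB).
        # These keep MacChanges/ForgedTransmits = Accept as a portgroup-level override.
        [string[]] $AllowMacOverrideOn = @()
    )

    # Get-View -Filter values are regular expressions: escape and anchor the host names.
    $pattern = '^(' + (($VMHost | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

    foreach ($hostView in (Get-View -ViewType HostSystem -Filter @{ Name = $pattern })) {
        $ns = Get-View $hostView.ConfigManager.NetworkSystem     # HostNetworkSystem (has the Update* methods)

        # 1. Every standard vSwitch: Reject all three. Reusing $vsw.Spec keeps NumPorts,
        #    uplinks (Bridge), shaping and teaming exactly as the host has them, which is
        #    why UpdateVirtualSwitch accepts it where a freshly built spec is rejected.
        foreach ($vsw in $ns.NetworkConfig.Vswitch) {
            $spec = $vsw.Spec
            $spec.Policy.Security.AllowPromiscuous = $false
            $spec.Policy.Security.ForgedTransmits  = $false
            $spec.Policy.Security.MacChanges       = $false
            if ($PSCmdlet.ShouldProcess("$($hostView.Name) $($vsw.Name)", 'UpdateVirtualSwitch (Reject/Reject/Reject)')) {
                $ns.UpdateVirtualSwitch($vsw.Name, $spec)
            }
        }

        # 2. Every portgroup: explicit Reject, except the named exceptions, which get an
        #    explicit Accept for MacChanges/ForgedTransmits. Promiscuous mode stays Reject.
        foreach ($pg in $ns.NetworkConfig.Portgroup) {
            $spec = $pg.Spec
            if (-not $spec.Policy)          { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
            if (-not $spec.Policy.Security) { $spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }
            $allowMac = $AllowMacOverrideOn -contains $spec.Name
            $spec.Policy.Security.AllowPromiscuous = $false
            $spec.Policy.Security.ForgedTransmits  = $allowMac
            $spec.Policy.Security.MacChanges       = $allowMac
            if ($PSCmdlet.ShouldProcess("$($hostView.Name) $($spec.Name)", "UpdatePortGroup (MAC override: $allowMac)")) {
                $ns.UpdatePortGroup($spec.Name, $spec)
            }
        }

        # 3. Verify from the host, not from the objects just edited. ComputedPolicy is the
        #    effective policy after portgroup-over-vSwitch inheritance has been resolved.
        $ns.UpdateViewData('NetworkInfo')
        foreach ($pg in $ns.NetworkInfo.Portgroup) {
            $sec = $pg.ComputedPolicy.Security
            New-Object PSObject -Property @{
                VMHost           = $hostView.Name
                VSwitch          = $pg.Spec.VswitchName
                PortGroup        = $pg.Spec.Name
                AllowPromiscuous = $sec.AllowPromiscuous
                ForgedTransmits  = $sec.ForgedTransmits
                MacChanges       = $sec.MacChanges
            }
        }
    }
}

# Preview first, then apply. Afterwards only the NLB portgroup should report
# ForgedTransmits/MacChanges = True; everything else should be False.
Set-StandardSwitchSecurity -VMHost 'esx01.domain.com' -AllowMacOverrideOn 'NLB-VLAN' -WhatIf
Set-StandardSwitchSecurity -VMHost 'esx01.domain.com' -AllowMacOverrideOn 'NLB-VLAN' |
    Format-Table VMHost, VSwitch, PortGroup, AllowPromiscuous, ForgedTransmits, MacChanges -AutoSize
```

The read-back in step 3 is the check worth keeping even if the rest is trimmed: a portgroup that silently kept an Accept override, or a host where the update threw, shows up in that table rather than in an outage later.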
                    • 7. Re: Script to Configure Security on vSwitch error
                      maxdrury Novice

                      I've been using the Get-View command to drill down through the managed objects and I can get all the way to the Security layer and manually set a value to False but it does not update in vcenter.

                       

                      [vSphere PowerCLI] C:\> $vSwitch0Security = $vSwitch0Policy.Security
                      [vSphere PowerCLI] C:\> $vSwitch0Security


                      AllowPromiscuous : False
                      MacChanges       : True
                      ForgedTransmits  : True
                      DynamicType      :
                      DynamicProperty  :

                       

                      [vSphere PowerCLI] C:\> $vSwitch0Security.MacChanges = $false
                      [vSphere PowerCLI] C:\> $vSwitch0Security


                      AllowPromiscuous : False
                      MacChanges       : False
                      ForgedTransmits  : True
                      DynamicType      :
                      DynamicProperty  :

                       

                       

                      How is it I can update a value in PowerCLI that doesn't get reflected in the vcenter?  I get that UpdateVirtualSwitch is required but I didn't see that object anywhere (if it even is an object).  Up to this point I was able to see all the objects I used to drill further down the hierarchy - like ConfigManager > NetworkSystem etc.  I got lost at UpdateVirtualSwitch.  Where do I find that and what's the syntax?  In other words, if I drill down to a property of another object type, how do I know what Update command to use?

                      • 8. Re: Script to Configure Security on vSwitch error
                        avlieshout Expert
                        VMware Employees

                        You are only updating the in-memory variable. You need to look for a method to update the vSwitch.

                        Have a look at the vswitch object using  the get-member cmdlet.

                         

                        $vSwitch | gm

                         

                        Look for an update method and it also shows what type of input object is required.

                        • 9. Re: Script to Configure Security on vSwitch error
                          Chamon Master

                          When you are drilling in you need to make sure you are going into the correct one. There are Config and ConfigManager. You want the configmanager. The Config just shows the current configuration.

                           

                          $vh01view=Get-View -ViewType HostSystem

                           

                          $vh01view

                           

                           

                          Runtime             : VMware.Vim.HostRuntimeInfo
                          Summary             : VMware.Vim.HostListSummary
                          Hardware            : VMware.Vim.HostHardwareInfo
                          Capability          : VMware.Vim.HostCapability
                          ConfigManager       : VMware.Vim.HostConfigManager
                          Config              : VMware.Vim.HostConfigInfo
                          Vm                  : {}
                          Datastore           : {Datastore-4cf2b067-7ff459f6-6ac3-d4856451126a}
                          Network             : {Network-HaNetwork-OpenNet}
                          DatastoreBrowser    : HostDatastoreBrowser-ha-host-datastorebrowser
                          SystemResources     : VMware.Vim.HostSystemResourceInfo
                          Parent              : ComputeResource-ha-compute-res
                          CustomValue         : {}
                          OverallStatus       : green
                          ConfigStatus        : yellow
                          ConfigIssue         : {1}
                          EffectiveRole       : {-1}
                          Permission          : {}
                          Name                : localhost.localdomain
                          DisabledMethod      : {DisconnectHost_Task, ReconnectHost_Task, ReconfigureHost
                                                ForDAS_Task, PowerUpHostFromStandBy_Task...}
                          RecentTask          : {Task-haTask-ha-host-vim.host.NetworkSystem.updatePhysica
                                                lNicLinkSpeed-22, Task-haTask-ha-host-vim.host.NetworkSys
                                                tem.updatePhysicalNicLinkSpeed-23, Task-haTask-ha-host-vi
                                                m.host.NetworkSystem.updatePhysicalNicLinkSpeed-24, Task-
                                                haTask-ha-host-vim.host.NetworkSystem.updatePhysicalNicLi
                                                nkSpeed-25...}
                          DeclaredAlarmState  : {}
                          TriggeredAlarmState : {}
                          AlarmActionsEnabled : False
                          Tag                 : {}
                          Value               : {}
                          AvailableField      : {}
                          MoRef               : HostSystem-ha-host
                          Client              : VMware.Vim.VimClient
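As an added example (not code from any of the posters), the following PowerCLI session walks through avlieshout's Get-Member tip and Chamon's Config vs. ConfigManager distinction, and shows why the edited value in maxdrury's post never reached the host. It assumes a Connect-VIServer session; the host name esx01.domain.com and the vSwitch name vSwitch0 are placeholders.

```powershell
# Added example (not from the thread). Assumes Connect-VIServer has already been run;
# host and vSwitch names are placeholders.
$hostView = Get-View -ViewType HostSystem -Filter @{ Name = '^esx01\.domain\.com$' }

# Config is a read-only snapshot (HostConfigInfo): a data object with no host-changing
# methods. ConfigManager points at the manager objects, and those carry the methods.
$hostView.Config | Get-Member -MemberType Method | Where-Object { $_.Name -like 'Update*' }   # prints nothing
$ns = Get-View $hostView.ConfigManager.NetworkSystem                                          # HostNetworkSystem view
$ns | Get-Member -MemberType Method | Where-Object { $_.Name -like 'Update*' } |
    Format-Table Name, Definition -AutoSize
# Lists UpdateVirtualSwitch, UpdatePortGroup, UpdateNetworkConfig, ... The Definition column
# shows the *Spec type each one takes, which answers "what Update command do I use?".

$name = 'vSwitch0'
$vsw  = $ns.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $name }

# 1. Editing the property changes only the .NET object in this PowerShell session ...
$vsw.Spec.Policy.Security.MacChanges = $false
$ns.UpdateViewData('NetworkInfo')                                   # re-read from the host
($ns.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $name }).Spec.Policy.Security.MacChanges
# ... so the host still reports whatever it had before (True in maxdrury's output).

# 2. ... the host changes only when the edited spec is handed to the manager's method.
$spec = ($ns.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $name }).Spec
$spec.Policy.Security.MacChanges = $false
$ns.UpdateVirtualSwitch($name, $spec)
$ns.UpdateViewData('NetworkInfo')
($ns.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $name }).Spec.Policy.Security.MacChanges
# Now False, and it is False because it was re-read from the host after UpdateVirtualSwitch.
```

The pattern generalises to the other managers under ConfigManager (StorageSystem, FirewallSystem, AdvancedOption, and so on): navigate data objects to find the current value, but look for the method on the manager view returned by Get-View, and confirm the change with UpdateViewData rather than by inspecting the variable you edited.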