VMware Cloud Community
Chamon (Commander)

Script to Configure Security on vSwitch error

Here is my issue. I am putting together a script to configure our ESXi 4 U1 hosts. During the configuration we need to set the vSwitch security to reject for allowPromiscuous, forgedTransmits, and macChanges. Here is the section and the error.

$vh01=get-vmhost myhost.domain.com
$vh01vsw0=$vh01 |get-virtualswitch -name "vSwitch2"
$vh01moref=$vh01 |% {get-view $_.Id}
$vh01morefconfig=$vh01moref.configmanager
$vh01netsys=$vh01morefconfig.networksystem
$vh01netsysmoref=get-view $vh01netsys
$swspec= New-Object Vmware.Vim.HostVirtualSwitchSpec
$swspec.NumPorts=24
$swspec.policy= New-Object Vmware.Vim.HostNetworkPolicy
$swspec.policy.security=New-Object Vmware.Vim.HostNetworkSecurityPolicy
$swspec.policy.security.allowPromiscuous=$false
$swspec.policy.security.forgedTransmits=$false
$swspec.policy.security.macChanges=$false
$vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.name,$swspec)

And the error I get is :

Exception calling "UpdateVirtualSwitch" with "2" argument(s): "A specified parameter was not correct.
"
At C:\Docs\PowershellScripts\StateConfigScripts\switchsec_test.ps1:17 char:37
+ $vh01netsysmoref.UpdateVirtualSwitch <<<< ($vh01vsw0.name,$swspec)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

If I run $vh01vsw0.name I get the correct vSwitch string reported back. I have a script section to set the same on the portgroups and it works just fine. Here is that script section.

$vh01=get-vmhost myhost.domain.com
$vh01moref=$vh01 |% {get-view $_.Id}
$vh01morefconfig=$vh01moref.configmanager
$vh01netsys=$vh01morefconfig.networksystem
$vh01netsysmoref=get-view $vh01netsys
$pgspec= New-Object Vmware.vim.HostPortGroupSpec
$pgspec.vswitchname="vSwitch0"
$pgspec.name="Management Network"
$pgspec.vlanid="0"
$pgspec.policy=New-Object Vmware.Vim.HostnetworkPolicy
$pgspec.policy.security=New-Object Vmware.Vim.HostNetworkSecurityPolicy
$pgspec.policy.security.allowPromiscuous=$false
$pgspec.policy.security.forgedTransmits=$false
$pgspec.policy.security.macChanges=$false
$vh01netsysmoref.UpdatePortgroup($pgspec.name,$pgspec)

Is this something that has to be done during the vSwitch creation and can’t be changed after? Any help is greatly appreciated!! Thanks in advance!!

Accepted Solution

LucD (Leadership)

No, it can be done.

But since this is an existing switch you can't "nullify" some of the properties that are already there.

Even though the SDK Reference says that some properties are optional, when they are defined on an existing vswitch, you have to include them in the spec.

The easiest way is to just copy the existing spec and only modify the properties you want to modify.

Something like this

$vh01=get-vmhost myhost.domain.com 

$vh01moref=$vh01 |% {get-view $_.Id}
$vh01morefconfig=$vh01moref.configmanager
$vh01netsys=$vh01morefconfig.networksystem
$vh01netsysmoref=get-view $vh01netsys
$vh01vsw0=$vh01netsysmoref.NetworkConfig.Vswitch | where {$_.Name -eq "vSwitch2"}

$swspec= $vh01vsw0.Spec   # here you copy the existing spec object

$swspec.policy.security.allowPromiscuous=$false
$swspec.policy.security.forgedTransmits=$false
$swspec.policy.security.macChanges=$false

$vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.name,$swspec)

____________

Blog: LucD notes (lucd.info)  Twitter: @LucD22  Co-author PowerCLI Reference
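The accepted answer fixes the write path; the matching read path is a compliance check that tells you which switches and port groups still accept one of the three settings before (and after) you push the change. The following is an added example, not code from the thread or from PowerCLI's own cmdlets. It assumes an active Connect-VIServer session and reads HostPortGroup.ComputedPolicy for port groups, which already resolves the inherit-from-vSwitch case (a port group whose own Spec leaves a setting unset takes the vSwitch value). It is written for PowerShell v2, the version of the ESXi 4 era, so it uses New-Object PSObject rather than [pscustomobject].

```powershell
# Added example (not from the thread). Read-only audit of AllowPromiscuous / MacChanges /
# ForgedTransmits for every standard vSwitch and port group on every host in the session.
# Assumes an active Connect-VIServer session and PowerCLI's VMware.Vim view objects.

function Test-IsReject {
    # $true only when the setting is explicitly "Reject" ($false). $null means unset/inherited.
    param($Value)
    return ($Value -ne $null -and $Value -eq $false)
}

function Test-SecurityCompliant {
    # All three settings must resolve to Reject; a missing policy object counts as non-compliant.
    param($Security)   # VMware.Vim.HostNetworkSecurityPolicy or $null
    if ($Security -eq $null) { return $false }
    return (Test-IsReject $Security.AllowPromiscuous) -and (Test-IsReject $Security.MacChanges) -and (Test-IsReject $Security.ForgedTransmits)
}

function Test-HasOverride {
    # $true when the port group's own Spec sets at least one of the three values explicitly.
    param($Security)
    if ($Security -eq $null) { return $false }
    return ($Security.AllowPromiscuous -ne $null) -or ($Security.MacChanges -ne $null) -or ($Security.ForgedTransmits -ne $null)
}

function Get-VSwitchSecurityAudit {
    # Emits one record per vSwitch and one per port group on every host.
    foreach ($hostView in (Get-View -ViewType HostSystem -Property Name, ConfigManager)) {
        $netsys = Get-View $hostView.ConfigManager.NetworkSystem   # ConfigManager, not Config

        foreach ($vsw in $netsys.NetworkInfo.Vswitch) {
            $sec = $vsw.Spec.Policy.Security
            New-Object PSObject -Property @{
                Host             = $hostView.Name
                Type             = 'vSwitch'
                Object           = $vsw.Name
                AllowPromiscuous = $sec.AllowPromiscuous
                MacChanges       = $sec.MacChanges
                ForgedTransmits  = $sec.ForgedTransmits
                Overridden       = $null
                Compliant        = (Test-SecurityCompliant $sec)
            }
        }

        foreach ($pg in $netsys.NetworkInfo.Portgroup) {
            $eff = $pg.ComputedPolicy.Security   # effective policy, inheritance already resolved
            $own = $pg.Spec.Policy.Security      # explicit overrides only; $null if none were ever set
            New-Object PSObject -Property @{
                Host             = $hostView.Name
                Type             = 'PortGroup on ' + $pg.Spec.VswitchName
                Object           = $pg.Spec.Name
                AllowPromiscuous = $eff.AllowPromiscuous
                MacChanges       = $eff.MacChanges
                ForgedTransmits  = $eff.ForgedTransmits
                Overridden       = (Test-HasOverride $own)
                Compliant        = (Test-SecurityCompliant $eff)
            }
        }
    }
}

# Usage: show only the objects that still accept at least one of the three settings.
Get-VSwitchSecurityAudit | Where-Object { -not $_.Compliant } |
    Format-Table Host, Type, Object, AllowPromiscuous, MacChanges, ForgedTransmits, Overridden -AutoSize
```

The Overridden column is the one to watch after a rollout: a port group that reports Compliant only because it inherits from its vSwitch will silently flip back to Accept if someone later changes the vSwitch, whereas an explicit port-group override survives that.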
Chamon (Commander)

That did it! Thanks for the help! I was hoping you were out there listening.

So it looks like I can shorten my script a lot by copying what I don't want to change. Is this a best practice then, instead of trusting the SDK reference for what is required and what is not? Thanks again. I am just starting to learn how to work with PowerCLI without using the built-in cmdlets. I am learning from here: http://vinternals.com/powercli-mastery/ I will have to look at your blog for some tips like this one. Any link to where to start on your site?

LucD (Leadership)

The SDK Reference is quite good. But there are a few facts to know (or learn) when you start using it.

Currently the best guide, although it is using Java, is Steve's book called VMware VI and vSphere SDK: Managing the VMware Infrastructure and vSphere.

On my blog I started collecting some tips and tricks on the SDK page. The page contains pointers to Steve's tips & tricks.

Several of my other posts use the SDK's methods or properties in one way or the other.

The book that Alan and I are writing (see “We’re writing a book!”) will of course contain an SDK chapter.

____________

Blog: LucD notes (lucd.info)  Twitter: @LucD22  Co-author PowerCLI Reference

chouse (Enthusiast)

Thanks for this, did exactly what I needed.

Just a note, be careful when choosing to reject MAC Address Changes and Forged Transmits for ESX hosts that are running VMs participating in Microsoft Network Load Balancing. NLB legitimately changes the MAC address of the VM adapters in order to participate in NLB. If you reject these modifications via the vSwitch security policy, those VMs will drop off the network (found this out after the fact!)

Chamon (Commander)

With LucD's help we use what is below to set these on all vSwitches and portgroups on a Host. You may or may not want this but something else to work with.

##Now we will lockdown the vSwitches on this host
###Use this to set this config on all vSwitches on this one host
write-host -ForeGroundColor Green "Configuring Security on all vSwitches and PortGroups"
$vh01=get-vmhost
$vh01moref=$vh01 |% {get-view $_.Id}
$vh01morefconfig=$vh01moref.configmanager
$vh01netsys=$vh01morefconfig.networksystem
$vh01netsysmoref=get-view $vh01netsys
foreach ($vh01vsw0 in $vh01netsysmoref.NetworkConfig.Vswitch){
    $swspec= $vh01vsw0.Spec # here you copy the existing spec object
    $swspec.policy.security.allowPromiscuous=$false
    $swspec.policy.security.forgedTransmits=$false
    $swspec.policy.security.macChanges=$false
    $vh01netsysmoref.UpdateVirtualSwitch($vh01vsw0.name,$swspec)
}

##Now we will lockdown the Portgroups on this host
###Use this to set this config on all Portgroups on this one host
Foreach ($vh01 in (Get-View -ViewType HostSystem)){
    Write $vh01.Name
    $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem
    Foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
        $pgspec=$pg.spec
        $pgspec.policy.security.allowPromiscuous=$false
        $pgspec.policy.security.forgedTransmits=$false
        $pgspec.policy.security.macChanges=$false
        $pgspec.policy.nicteaming.policy="loadbalance_srcid"
        $pgspec.policy.nicteaming.notifySwitches=$true
        $NetworkSystem.UpdatePortgroup($pgspec.name,$pgspec)
    }
}

chouse (Enthusiast)

Good point, I am reminded that this can be set on portgroups. So I shall plan to set this on the vswitch but override it for our NLB VLAN. That should solve the problem of the hosts dropping off.

Attached is the script I put together to do every switch on every host in a vcenter.
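The plan described in the last two posts (Reject everywhere at the vSwitch level, an explicit Accept only on the port group that carries NLB) can be written as one idempotent function with a preview mode. The block below is an added example, not the attached script and not code from the thread; it keeps LucD's pattern of modifying the existing Spec object rather than building a new one. It assumes a Connect-VIServer session, that the port group exemption list is supplied by the caller, and that the port group name 'NLB-VLAN' in the usage lines is a constructed placeholder. One caveat it handles that the scripts above do not: a port group that has never had a security override has $Spec.Policy.Security equal to $null, and assigning to a property of $null fails, so the helper creates the policy objects on demand.

```powershell
# Added example (not from the thread). vSwitch-level Reject baseline for one host, with an
# explicit port-group exception for NLB (MacChanges/ForgedTransmits = Accept, promiscuous still Reject).
# Assumes a Connect-VIServer session. 'NLB-VLAN' below is a constructed placeholder name.

function Get-SecurityNode {
    # Returns $Spec.Policy.Security, creating the intermediate objects when the spec has none.
    param($Spec)   # VMware.Vim.HostVirtualSwitchSpec or VMware.Vim.HostPortGroupSpec
    if ($Spec.Policy -eq $null) { $Spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
    if ($Spec.Policy.Security -eq $null) { $Spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }
    return $Spec.Policy.Security
}

function Set-VSwitchSecurityBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] $VMHost,       # output of Get-VMHost
        [string[]] $AllowMacSpoofingOn = @()          # port groups that keep Accept for MacChanges/ForgedTransmits
    )
    $hostView = Get-View $VMHost.Id
    $netsys   = Get-View $hostView.ConfigManager.NetworkSystem   # ConfigManager, not Config

    # 1. Every vSwitch: Reject / Reject / Reject, reusing the existing spec.
    foreach ($vsw in $netsys.NetworkConfig.Vswitch) {
        $spec = $vsw.Spec
        $sec  = Get-SecurityNode $spec
        $sec.AllowPromiscuous = $false
        $sec.MacChanges       = $false
        $sec.ForgedTransmits  = $false
        if ($PSCmdlet.ShouldProcess("$($VMHost.Name)/$($vsw.Name)", 'Set vSwitch security to Reject/Reject/Reject')) {
            $netsys.UpdateVirtualSwitch($vsw.Name, $spec)
        }
    }

    # 2. Every port group gets an explicit setting, so nothing depends on inheritance.
    #    Exempted port groups override the vSwitch for the two settings NLB needs.
    foreach ($pg in $netsys.NetworkConfig.Portgroup) {
        $spec   = $pg.Spec
        $sec    = Get-SecurityNode $spec
        $exempt = $AllowMacSpoofingOn -contains $spec.Name
        $sec.AllowPromiscuous = $false         # NLB never needs promiscuous mode; always Reject
        $sec.MacChanges       = $exempt        # $true only on the exempted port groups
        $sec.ForgedTransmits  = $exempt
        $action = if ($exempt) { 'Set port group security to Reject/Accept/Accept (NLB exemption)' }
                  else         { 'Set port group security to Reject/Reject/Reject' }
        if ($PSCmdlet.ShouldProcess("$($VMHost.Name)/$($spec.Name)", $action)) {
            $netsys.UpdatePortGroup($spec.Name, $spec)
        }
    }
}

# Usage: review the change set with -WhatIf first, then apply.
$esx = Get-VMHost myhost.domain.com
Set-VSwitchSecurityBaseline -VMHost $esx -AllowMacSpoofingOn 'NLB-VLAN' -WhatIf
Set-VSwitchSecurityBaseline -VMHost $esx -AllowMacSpoofingOn 'NLB-VLAN'
```

Because the exemption is written as an explicit port-group override rather than left to inheritance, re-running the function with the same list is a no-op, and re-running it with a shorter list closes an exemption that is no longer needed.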

maxdrury (Contributor)

I've been using the Get-View command to drill down through the managed objects and I can get all the way to the Security layer and manually set a value to False but it does not update in vcenter.

[vSphere PowerCLI] C:\> $vSwitch0Security = $vSwitch0Policy.Security
[vSphere PowerCLI] C:\> $vSwitch0Security


AllowPromiscuous : False
MacChanges       : True
ForgedTransmits  : True
DynamicType      :
DynamicProperty  :

[vSphere PowerCLI] C:\> $vSwitch0Security.MacChanges = $false
[vSphere PowerCLI] C:\> $vSwitch0Security


AllowPromiscuous : False
MacChanges       : False
ForgedTransmits  : True
DynamicType      :
DynamicProperty  :

How is it I can update a value in PowerCLI that doesn't get reflected in the vcenter?  I get that UpdateVirtualSwitch is required but I didn't see that object anywhere (if it even is an object).  Up to this point I was able to see all the objects I used to drill further down the hierarchy - like ConfigManager > NetworkSystem etc.  I got lost at UpdateVirtualSwitch.  Where do I find that and what's the syntax?  In other words, if I drill down to a property of another object type, how do I know what Update command to use?

avlieshout (VMware Employee)

You are only updating the in memory variable. You need to look for a method to update the vSwitch.

Have a look at the vswitch object using the get-member cmdlet.

$vSwitch | gm

Look for an update method and it also shows what type of input object is required.

Arnim van Lieshout Blogging: http://www.van-lieshout.com Twitter: http://www.twitter.com/avlieshout If you find this information useful, please award points for "correct" or "helpful".
Chamon (Commander)

When you are drilling in you need to make sure you are going into the correct one. There are Config and ConfigManager. You want the configmanager. The Config just shows the current configuration.

$vh01view=Get-View -ViewType HostSystem

$vh01view

Runtime             : VMware.Vim.HostRuntimeInfo
Summary             : VMware.Vim.HostListSummary
Hardware            : VMware.Vim.HostHardwareInfo
Capability          : VMware.Vim.HostCapability
ConfigManager       : VMware.Vim.HostConfigManager
Config              : VMware.Vim.HostConfigInfo
Vm                  : {}
Datastore           : {Datastore-4cf2b067-7ff459f6-6ac3-d4856451126a}
Network             : {Network-HaNetwork-OpenNet}
DatastoreBrowser    : HostDatastoreBrowser-ha-host-datastorebrowser
SystemResources     : VMware.Vim.HostSystemResourceInfo
Parent              : ComputeResource-ha-compute-res
CustomValue         : {}
OverallStatus       : green
ConfigStatus        : yellow
ConfigIssue         : {1}
EffectiveRole       : {-1}
Permission          : {}
Name                : localhost.localdomain
DisabledMethod      : {DisconnectHost_Task, ReconnectHost_Task, ReconfigureHost
                      ForDAS_Task, PowerUpHostFromStandBy_Task...}
RecentTask          : {Task-haTask-ha-host-vim.host.NetworkSystem.updatePhysica
                      lNicLinkSpeed-22, Task-haTask-ha-host-vim.host.NetworkSys
                      tem.updatePhysicalNicLinkSpeed-23, Task-haTask-ha-host-vi
                      m.host.NetworkSystem.updatePhysicalNicLinkSpeed-24, Task-
                      haTask-ha-host-vim.host.NetworkSystem.updatePhysicalNicLi
                      nkSpeed-25...}
DeclaredAlarmState  : {}
TriggeredAlarmState : {}
AlarmActionsEnabled : False
Tag                 : {}
Value               : {}
AvailableField      : {}
MoRef               : HostSystem-ha-host
Client              : VMware.Vim.VimClient

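The two answers above come down to two checks: use Get-Member on the view you drilled into to find the method that writes a property back (and what type it expects), and confirm the change on the host rather than in the local variable. Both are shown in the following added example, which is not code from the thread; it assumes a Connect-VIServer session, uses vSwitch0 only because that name appears in the thread, and relies on the UpdateViewData() method that PowerCLI view objects expose to re-read their data from the server.

```powershell
# Added example (not from the thread). (1) Find the Update* methods on a view and their parameter
# types; (2) report whether a value you changed in a local variable matches what the host holds.
# Assumes a Connect-VIServer session; vSwitch0 is used only because it appears in the thread.

function Get-UpdateMethod {
    # Lists the methods whose name matches $Name; Definition shows the expected argument types,
    # e.g. UpdateVirtualSwitch takes a string name and a VMware.Vim.HostVirtualSwitchSpec.
    param([Parameter(Mandatory = $true)] $View, [string] $Name = 'Update*')
    $View | Get-Member -MemberType Method -Name $Name | ForEach-Object {
        New-Object PSObject -Property @{ Method = $_.Name; Definition = $_.Definition }
    }
}

function Test-SecuritySettingCommitted {
    # Refreshes the network-system view from the server and compares one security setting
    # of the named vSwitch against the value held in the local variable.
    param($NetworkSystem, [string] $VSwitchName, [string] $Setting, [bool] $LocalValue)
    $NetworkSystem.UpdateViewData()                       # re-read from the host, discarding local edits
    $vsw    = $NetworkSystem.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }
    $onHost = $vsw.Spec.Policy.Security.$Setting
    New-Object PSObject -Property @{
        VSwitch   = $VSwitchName
        Setting   = $Setting
        InMemory  = $LocalValue
        OnHost    = $onHost
        Committed = ($onHost -eq $LocalValue)
    }
}

$hostView = Get-View -ViewType HostSystem | Select-Object -First 1
$netsys   = Get-View $hostView.ConfigManager.NetworkSystem   # ConfigManager, not Config

# (1) Which methods on HostNetworkSystem write configuration back?
Get-UpdateMethod -View $netsys | Format-Table Method, Definition -AutoSize -Wrap

# (2) Editing the local copy changes nothing on the host: if vSwitch0 currently accepts MAC
#     changes, Committed is $false here, and stays so until UpdateVirtualSwitch is called
#     with the modified spec.
$local = $netsys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq 'vSwitch0' }
$local.Spec.Policy.Security.MacChanges = $false
Test-SecuritySettingCommitted -NetworkSystem $netsys -VSwitchName 'vSwitch0' -Setting 'MacChanges' -LocalValue $false
```

The same pattern applies to any view: drill down through ConfigManager to the managed object that owns the data (here HostNetworkSystem), and the Update* method lives on that object, not on the property you edited.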