VMware Cloud Community
darrenoid
Enthusiast

How to change VM port group security settings from vRO for individual port?

Hello vRO community,

What are some actions or workflows I can use to edit a virtual machine's port setting on a distributed virtual switch? Specifically I am looking to enable Promiscuous mode for the individual vSwitch port for a VM. How I would do it manually in vCenter is go to the Distributed Switch under networks, then go to the ports tab and locate the VM port. From there I go to edit and then security to change the settings:

[Screenshot pastedImage_1.png: the port's Edit > Security dialog in vCenter]

How can I check those values and change them programmatically in vRO?

Thanks,
Darren

3 Replies
Hejahida82
VMware Employee

Hi darrenoid

It is possible to change the Promiscuous mode settings via vRO on a port group.

This code snippet will change Promiscuous mode on a selected port group to enabled:

// Build a port group config spec that overrides the default port security policy
var spec = new VcDVPortgroupConfigSpec();
spec.configVersion = counter;   // see note 1 below
spec.defaultPortConfig = new VcVMwareDVSPortSetting();
spec.defaultPortConfig.securityPolicy = new VcDVSSecurityPolicy();
spec.defaultPortConfig.securityPolicy.inherited = false;   // do not inherit the security policy from the switch
spec.defaultPortConfig.securityPolicy.allowPromiscuous = new VcBoolPolicy();
spec.defaultPortConfig.securityPolicy.allowPromiscuous.inherited = false;
spec.defaultPortConfig.securityPolicy.allowPromiscuous.value = true;   // true = Accept, false = Reject
selectedPortGroup.reconfigureDVPortgroup_Task(spec);   // returns a VC:Task

where :

  1. the counter variable is a unique number from 0 onwards; each time you change the configuration you have to increment the spec.configVersion number, otherwise vCenter thinks you are trying to continue a previous update
  2. the selectedPortGroup variable is the port group you want to make the change on; this is of type VC:DistributedVirtualPortgroup. If you want to find this programmatically you will need some additional code; the methods listed in the Returned By section of this page will give you some ideas on how you could search for the port group(s) you want (vRO API Explorer by Dr Ruurd and Flores of ITQ)

To check if the value is set to true before changing it you can check the value of the following setting; if it is set to true, Promiscuous mode is already enabled.

selectedPortGroup.config.defaultPortConfig.securityPolicy.allowPromiscuous.value

darrenoid
Enthusiast

Hello Hejahida82,

Thank you for your reply; this is good info to have. This info looks like it would work for changing the port group setting, but I was asking about changing this for a particular port ID. I want to have more fine-grained control over the promiscuous setting. Rather than just allow it on the whole port group, I have the port group set to allow overrides for security settings, which allows me to set promiscuous mode per port on the switch. Please see my original screenshot to see this in the GUI.

Any advice on how to do this one level deeper for a specific port ID?

Regards,

Darren

Hejahida82
VMware Employee

Hi darrenoid, sorry about that, I must have misread the original post. To set it for an individual port you can do the following:

// reconfigureDVPort_Task takes an array of port config specs, one per port to edit
var port = new Array();
port[0] = new VcDVPortConfigSpec();
port[0].operation = "edit";
port[0].key = portName;   // the port's key, passed as a string
port[0].setting = new VcVMwareDVSPortSetting();
port[0].setting.securityPolicy = new VcDVSSecurityPolicy();
port[0].setting.securityPolicy.inherited = false;   // stop inheriting the security policy from the port group
port[0].setting.securityPolicy.allowPromiscuous = new VcBoolPolicy();
port[0].setting.securityPolicy.allowPromiscuous.inherited = false;
port[0].setting.securityPolicy.allowPromiscuous.value = false;   // true enables Promiscuous mode on this port, false disables it
port[0].configVersion = counter;
selectedVDS.reconfigureDVPort_Task(port);   // returns a VC:Task

where selectedVDS is the vDS the port belongs to and is of type VC:VmwareDistributedVirtualSwitch, counter is again a unique number from 0 upwards, and portName is the name of the port as shown in vCenter, as a string.

If you need to set "Allow override of port policies" on the port group, you can do this using code like this:

var spec = new VcDVPortgroupConfigSpec();
spec.configVersion = counter;
spec.policy = new VcVMwareDVSPortgroupPolicy();   // policy is null on a fresh spec and must be created first
spec.policy.securityPolicyOverrideAllowed = true;   // lets individual ports override the security settings
selectedPortGroup.reconfigureDVPortgroup_Task(spec);

Hope that helps.

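As an added example (editor's code, not from either reply), here is the check-then-change logic the two replies describe, combined into plain JavaScript that runs outside vRO: it resolves the effective "Allow promiscuous" state of one port through the port -> port group inheritance chain (the "check those values" part of the question, which the replies only show for the port group default), and then works out whether the port group must first be switched to allow security overrides before the per-port edit. It assumes the object shapes that vRO exposes for DVPortConfigInfo.setting and DVPortgroupConfigInfo.defaultPortConfig/.policy, uses plain objects instead of the `Vc*` constructors, and the sample data at the bottom is constructed.

```javascript
// Added example (editor's code, not from the thread). Resolves the effective
// "Allow promiscuous" state of a distributed port through the vSphere
// inheritance chain (port setting -> port group default) and plans which
// reconfigure call(s) are needed. Object shapes mirror the vSphere API
// structures vRO exposes (DVPortConfigInfo.setting, DVPortgroupConfigInfo
// .defaultPortConfig / .policy). In vRO the spec objects would be built with
// the Vc* constructors as in the replies above; here they are plain objects
// so the logic runs outside vRO. ES5 syntax on purpose, since vRO is ES5.

// A BoolPolicy is { inherited: boolean, value: boolean|null }.
// An InheritablePolicy with inherited === true contributes nothing of its own.
function allowPromiscuousFrom(portSetting) {
  if (!portSetting || !portSetting.securityPolicy) { return null; }
  var sp = portSetting.securityPolicy;
  if (sp.inherited === true) { return null; }            // whole security policy inherited
  var bp = sp.allowPromiscuous;
  if (!bp || bp.inherited === true || typeof bp.value !== "boolean") { return null; }
  return bp.value;
}

// Most specific level wins; vSphere's default when nothing overrides is Reject (false).
function effectiveAllowPromiscuous(portConfig, portgroupConfig) {
  var fromPort = allowPromiscuousFrom(portConfig.setting);
  if (fromPort !== null) { return fromPort; }
  var fromPg = allowPromiscuousFrom(portgroupConfig.defaultPortConfig);
  if (fromPg !== null) { return fromPg; }
  return false;
}

// Returns { current, steps }: steps lists, in order, the reconfigure calls that
// bring the single port to the requested state without touching the port
// group's default policy. configVersion is copied from the object's current
// config.configVersion string, which vCenter uses as an optimistic lock.
function planPromiscuousChange(portConfig, portgroupConfig, enable) {
  var current = effectiveAllowPromiscuous(portConfig, portgroupConfig);
  var steps = [];
  if (current === enable) { return { current: current, steps: steps }; }
  var pol = portgroupConfig.policy;
  if (!(pol && pol.securityPolicyOverrideAllowed === true)) {
    // Per-port security overrides are refused until the port group allows them.
    steps.push({
      op: "reconfigureDVPortgroup_Task",
      spec: { configVersion: portgroupConfig.configVersion,
              policy: { securityPolicyOverrideAllowed: true } }
    });
  }
  steps.push({
    op: "reconfigureDVPort_Task",
    spec: { operation: "edit",
            key: portConfig.key,
            configVersion: portConfig.configVersion,
            setting: { securityPolicy: { inherited: false,
                       allowPromiscuous: { inherited: false, value: enable } } } }
  });
  return { current: current, steps: steps };
}

// Constructed sample: the port group rejects promiscuous mode by default and does
// not yet allow per-port overrides; port "42" inherits everything from it.
var samplePortgroup = {
  configVersion: "7",
  defaultPortConfig: { securityPolicy: { inherited: false,
    allowPromiscuous: { inherited: false, value: false } } },
  policy: { securityPolicyOverrideAllowed: false }
};
var samplePort = {
  key: "42",
  configVersion: "3",
  setting: { securityPolicy: { inherited: true,
    allowPromiscuous: { inherited: true, value: null } } }
};
```

In a vRO workflow the two inputs would come from `port.config` (a VC:DistributedVirtualPort obtained from the switch's `fetchDVPorts` with a criteria for the port key) and `selectedPortGroup.config`; each step the planner returns is then rebuilt with the `VcDVPortgroupConfigSpec` / `VcDVPortConfigSpec` constructors from the replies and executed in order, waiting for the first task to complete before issuing the second.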