Hi everyone,
Does anyone know how to configure a vswitch security policy on an ESXi server using the management API (the idea being to do so in a script)?
I'm thinking specifically about the macchange and forgedxmit parameters which are set to true by default and that I want to change to false. Note that I also need a way to control the value from a script.
I used to do this with vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-macchange=false vSwitchn and vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitchn in the ESX 3.x service console, but I'm trying (unsuccessfully so far) to find an equivalent using RCLI or PowerShell (I don't want to enable ssh on my ESXi and use vim-cmd, as I want to be able to do this in a secure remote way).
Ideally this would work while the host is in lockdown enabled mode (so I would only have to authenticate against my vCenter server).
Any tips would be appreciated.
Cheers,
Stephane
To update the security policy, you'll need to look at the HostNetworkSecurityPolicy:
You'll want to access the vSwitch that you're interested in by using the following:
hostSystem->configManager->networkSystem->networkConfig->vSwitch[]
Once you have the reference to the vSwitch, you'll want to create a HostVirtualSwitchConfig spec and make modifications to policy->security, which will contain (allowPromiscuous, forgedTransmits, macChanges); these are just boolean parameters.
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
If you find this information useful, please award points for "correct" or "helpful".
Thanks, that looks dead on.
I'll chew on this for a while and I'll post the code I used to do it.
Cheers,
Stephane
np, and I also forgot to mention: the easiest way is to use UpdateVirtualSwitch()
=========================================================================
William Lam
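The API walk-through above (hostSystem -> configManager -> networkSystem -> vSwitch spec -> policy.security, applied with UpdateVirtualSwitch()) in the PowerShell form the original question asked for, as an added example that is not part of the thread and not William's code. It assumes PowerCLI is installed and that $VCenter, $HostName and $VSwitchName are placeholders you replace; because it authenticates against vCenter rather than the host, the host can stay in lockdown mode.

```powershell
# Added example (not from the thread): set a vSwitch security policy through the
# vSphere API from PowerCLI. $VCenter, $HostName and $VSwitchName are placeholders.
param(
    [string]$VCenter     = 'vcenter.example.invalid',   # placeholder
    [string]$HostName    = 'esxi01.example.invalid',    # placeholder
    [string]$VSwitchName = 'vSwitch0'
)

Import-Module VMware.VimAutomation.Core
# Authenticate against vCenter only; the ESXi host itself can remain in lockdown mode.
Connect-VIServer -Server $VCenter | Out-Null

# hostSystem -> configManager -> networkSystem (Filter values are regexes)
$hostView = Get-View -ViewType HostSystem -Filter @{ 'Name' = "^$([regex]::Escape($HostName))$" }
if (-not $hostView) { throw "Host $HostName not found in $VCenter" }
$netSys = Get-View -Id $hostView.ConfigManager.NetworkSystem

# networkInfo.vswitch[] holds HostVirtualSwitch objects, each carrying its HostVirtualSwitchSpec
$vs = $netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }
if (-not $vs) { throw "vSwitch $VSwitchName not found on $HostName" }

function Show-Policy([string]$Label, $Sec) {
    "{0}: allowPromiscuous={1} forgedTransmits={2} macChanges={3}" -f $Label,
        $Sec.AllowPromiscuous, $Sec.ForgedTransmits, $Sec.MacChanges
}
Show-Policy 'before' $vs.Spec.Policy.Security

# Reuse the existing spec (numPorts, bridge, ...) and replace only policy.security,
# which is the HostNetworkSecurityPolicy with the three booleans.
$spec = $vs.Spec
if (-not $spec.Policy) { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
$spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy
$spec.Policy.Security.AllowPromiscuous = $false
$spec.Policy.Security.ForgedTransmits  = $false
$spec.Policy.Security.MacChanges       = $false

# UpdateVirtualSwitch(vswitchName, spec) is the call William points to
$netSys.UpdateVirtualSwitch($VSwitchName, $spec)

# Re-read networkInfo from the host instead of trusting the local object
$netSys.UpdateViewData('NetworkInfo')
$after = ($netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }).Spec.Policy.Security
Show-Policy 'after' $after
if ($after.ForgedTransmits -or $after.MacChanges) { throw "Security policy on $VSwitchName did not apply" }

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The script sends the whole existing HostVirtualSwitchSpec back with only policy.security replaced, so port count and uplink bridging are left untouched, and it re-reads the switch after the call so a silently rejected update is caught rather than assumed.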
You can use the following:
updatevSwitch.pl
#!/usr/bin/perl -w
# updatevSwitch.pl - set the security policy of a vSwitch through the vSphere API
use strict;
use warnings;
use VMware::VILib;
use VMware::VIRuntime;

my %opts = (
    vswitch => {
        type     => "=s",
        help     => "Name of the vSwitch",
        required => 1,
    },
    ap => {
        type     => "=s",
        help     => "allowPromiscuous (0 = disable, 1 = enabled)",
        required => 1,
    },
    ft => {
        type     => "=s",
        help     => "forgedTransmits (0 = disable, 1 = enabled)",
        required => 1,
    },
    mc => {
        type     => "=s",
        help     => "macChanges (0 = disable, 1 = enabled)",
        required => 1,
    },
);

Opts::add_options(%opts);
Opts::parse();
Opts::validate();
Util::connect();

my $vSwitchName = Opts::get_option('vswitch');
my $ap          = Opts::get_option('ap');
my $ft          = Opts::get_option('ft');
my $mc          = Opts::get_option('mc');

# First HostSystem returned; when connected directly to one ESXi host this is that host
my $host_view = Vim::find_entity_view(view_type => 'HostSystem');
unless (defined $host_view) {
    die "No Host found.\n";
}

# hostSystem -> configManager -> networkSystem
my $network_system = Vim::get_view(mo_ref => $host_view->configManager->networkSystem);
my $vs = FindVSwitchbyName($network_system, $vSwitchName);

if ($vs) {
    print "\nSecurity Policy on ", $vs->name, " before:\n";
    print "------------------------------------\n";
    PrintSecurityPolicy($vs);

    print "\n\nUpdating security policy on ", $vs->name, " ...\n";
    # Replace only policy->security in the existing spec, then push the spec back
    my $HostNetworkSecurityPolicy = HostNetworkSecurityPolicy->new(
        allowPromiscuous => $ap,
        forgedTransmits  => $ft,
        macChanges       => $mc,
    );
    $vs->spec->policy->security($HostNetworkSecurityPolicy);

    eval {
        $network_system->UpdateVirtualSwitch(vswitchName => $vs->name, spec => $vs->spec);
    };
    if ($@) {
        print "Error: ", $@, "\n";
    } else {
        print "Update completed!\n";
        print "\nSecurity Policy on ", $vs->name, " is now:\n";
        print "------------------------------------\n";
        # Re-read the vSwitch from the host to show the applied values
        $vs = FindVSwitchbyName($network_system, $vSwitchName);
        PrintSecurityPolicy($vs);
    }
} else {
    print "Unable to locate vSwitch: ", $vSwitchName, "\n";
}

Util::disconnect();

# Print the three security booleans of a vSwitch
sub PrintSecurityPolicy {
    my ($vswitch) = @_;
    my $sec = $vswitch->spec->policy->security;
    print "allowPromiscuous: ", ($sec->allowPromiscuous) ? "enable" : "disabled", "\n";
    print "forgedTransmits: ",  ($sec->forgedTransmits)  ? "enable" : "disabled", "\n";
    print "macChanges: ",       ($sec->macChanges)       ? "enable" : "disabled", "\n";
}

# Look up a vSwitch by name in networkInfo->vswitch[]
sub FindVSwitchbyName {
    my ($network, $name) = @_;
    my $vSwitches = $network->networkInfo->vswitch;
    foreach my $vSwitch (@$vSwitches) {
        return $vSwitch if ($name eq $vSwitch->name);
    }
    return;
}
Example of execution for accepting all (if you want to reject, input 0):
[vi-admin@vima ~]$ ./updatevSwitch.pl --server himalaya.primp-industries.com --ap 1 --ft 1 --mc 1 --vswitch vSwitch2

Security Policy on vSwitch2 before:
------------------------------------
allowPromiscuous: disabled
forgedTransmits: disabled
macChanges: disabled

Updating security policy on vSwitch2 ...
Update completed!

Security Policy on vSwitch2 is now:
------------------------------------
allowPromiscuous: enable
forgedTransmits: enable
macChanges: enable
I executed this on VMware VIMA and had vi-fastpass enabled; if you're just using the standard VI Perl Toolkit, you'll need to pass in --username and --password credentials, which you'll be prompted for.
=========================================================================
William Lam
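The script above changes one vSwitch on one host. For the "control the value from a script" part of the question, an added audit example (not part of the thread and not William's code) that walks every host in a vCenter inventory and reports where forged transmits or MAC changes are still accepted. Portgroups can override the vSwitch policy, so it reads HostPortGroup.computedPolicy, the effective value, as well as each vSwitch spec. PowerCLI is assumed and $VCenter is a placeholder.

```powershell
# Added audit example (not from the thread): list every vSwitch and portgroup
# whose effective security policy allows forged transmits or MAC changes.
param([string]$VCenter = 'vcenter.example.invalid')   # placeholder

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($h in Get-View -ViewType HostSystem -Property Name, ConfigManager) {
    # hostSystem -> configManager -> networkSystem, one round trip per host
    $netSys = Get-View -Id $h.ConfigManager.NetworkSystem -Property NetworkInfo

    # vSwitch-level policy, as set by UpdateVirtualSwitch()
    foreach ($vs in $netSys.NetworkInfo.Vswitch) {
        $sec = $vs.Spec.Policy.Security
        if ($sec.ForgedTransmits -or $sec.MacChanges) {
            [pscustomobject]@{
                Host            = $h.Name
                Object          = "vSwitch $($vs.Name)"
                ForgedTransmits = $sec.ForgedTransmits
                MacChanges      = $sec.MacChanges
            }
        }
    }

    # Portgroup-level effective policy; a portgroup override wins over the vSwitch setting
    foreach ($pg in $netSys.NetworkInfo.Portgroup) {
        $sec = $pg.ComputedPolicy.Security
        if ($sec.ForgedTransmits -or $sec.MacChanges) {
            [pscustomobject]@{
                Host            = $h.Name
                Object          = "portgroup '$($pg.Spec.Name)' on $($pg.Vswitch)"
                ForgedTransmits = $sec.ForgedTransmits
                MacChanges      = $sec.MacChanges
            }
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false

if ($findings) {
    $findings | Sort-Object Host, Object | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run can flag drift
}
'All vSwitches and portgroups reject forged transmits and MAC changes'
```

Run it from a scheduled task after the setter script, or on its own as a configuration check: a non-zero exit means a switch or portgroup has drifted back to the permissive default, and the table names the host and object to fix.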