VMware Cloud Community
sbourdeaud
Contributor

How to configure vswitch security policy using the API?

Hi everyone,

Does anyone know how to configure a vswitch security policy on an ESXi server using the management API (the idea being to do so in a script)?

I'm thinking specifically about the macchange and forgedxmit parameters which are set to true by default and that I want to change to false. Note that I also need a way to control the value from a script.

I used to do this with vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-macchange=false vSwitchn and vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitchn in the ESX 3.x service console, but I'm trying (unsuccessfully so far) to find an equivalent using RCLI or PowerShell (I don't want to enable SSH on my ESXi and use vim-cmd, as I want to be able to do this in a secure remote way).

Ideally this would work while the host is in lockdown mode (so I would only have to authenticate against my vCenter server).

Any tips would be appreciated.

Cheers,

Stephane

Accepted Solution

lamw
Community Manager

To update the security policy, you'll need to look at the HostNetworkSecurityPolicy:

You'll want to access the vSwitch that you're interested in by using the following:

hostSystem->configManager->networkSystem->networkConfig->vSwitch[]

Once you have the reference to the vSwitch, you'll want to create a HostVirtualSwitchConfig spec and make modifications to policy->security, which will contain (allowPromiscuous, forgedTransmits, macChanges); these are just boolean parameters.

=========================================================================

William Lam

VMware vExpert 2009

VMware ESX/ESXi scripts and resources at:

If you find this information useful, please award points for "correct" or "helpful".

sbourdeaud
Contributor

Thanks, that looks dead on.

I'll chew on this for a while and I'll post the code I used to do it.

Cheers,

Stephane

lamw
Community Manager

np, and I also forgot to mention: the easiest way is to use UpdateVirtualSwitch()

http://www.vmware.com/support/developer/vc-sdk/visdk25pubs/ReferenceGuide/vim.host.NetworkSystem.htm...

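The same UpdateVirtualSwitch() call done from PowerCLI, as an added example that is not part of the original thread. It assumes a PowerCLI session already opened with Connect-VIServer against vCenter (which is what makes it work on a host in lockdown mode: the call is made through vCenter rather than by a direct host login), and the host and vSwitch names are placeholders. It reuses the live HostVirtualSwitchSpec so the other switch settings survive, re-reads the policy from the server after the update, and then lists every port group on that vSwitch whose own security policy overrides the switch-level one, because a port-group override takes precedence and would keep macChanges/forgedTransmits accepted on that port group no matter what the vSwitch says.

```powershell
# Set-VSwitchSecurityPolicy.ps1 (added example; assumes an existing Connect-VIServer session to vCenter)
param(
    [Parameter(Mandatory)] [string] $VMHostName,      # placeholder, e.g. esxi01.example.com
    [Parameter(Mandatory)] [string] $VSwitchName,     # placeholder, e.g. vSwitch0
    [bool] $AllowPromiscuous = $false,                # reject unless explicitly enabled
    [bool] $ForgedTransmits  = $false,
    [bool] $MacChanges       = $false
)

# Resolve the host by exact name (Get-View -Filter takes a regex, so anchor and escape it).
$hostView = Get-View -ViewType HostSystem -Property Name, ConfigManager `
    -Filter @{ 'Name' = '^' + [regex]::Escape($VMHostName) + '$' }
if (-not $hostView) { throw "Host '$VMHostName' not found" }

# hostSystem -> configManager -> networkSystem, as in the accepted answer.
$netSys = Get-View -Id $hostView.ConfigManager.NetworkSystem

$vs = $netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }
if (-not $vs) { throw "vSwitch '$VSwitchName' not found on $VMHostName" }

# Reuse the existing HostVirtualSwitchSpec so numPorts, bridge, shaping and teaming are kept intact.
$spec = $vs.Spec
if (-not $spec.Policy)          { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
if (-not $spec.Policy.Security) { $spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }

"Before: allowPromiscuous={0} forgedTransmits={1} macChanges={2}" -f `
    $spec.Policy.Security.AllowPromiscuous, $spec.Policy.Security.ForgedTransmits, $spec.Policy.Security.MacChanges

$spec.Policy.Security.AllowPromiscuous = $AllowPromiscuous
$spec.Policy.Security.ForgedTransmits  = $ForgedTransmits
$spec.Policy.Security.MacChanges       = $MacChanges

# HostNetworkSystem.UpdateVirtualSwitch(vswitchName, spec)
$netSys.UpdateVirtualSwitch($VSwitchName, $spec)

# Re-read from the server rather than trusting the object we just modified locally.
$netSys.UpdateViewData('NetworkInfo')
$after = ($netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }).Spec.Policy.Security
"After:  allowPromiscuous={0} forgedTransmits={1} macChanges={2}" -f `
    $after.AllowPromiscuous, $after.ForgedTransmits, $after.MacChanges

# Port groups can override the vSwitch policy: a non-null value means "override", null means "inherit".
$overrides = $netSys.NetworkInfo.Portgroup |
    Where-Object { $_.Spec.VswitchName -eq $VSwitchName -and $_.Spec.Policy.Security } |
    Where-Object {
        $null -ne $_.Spec.Policy.Security.AllowPromiscuous -or
        $null -ne $_.Spec.Policy.Security.ForgedTransmits  -or
        $null -ne $_.Spec.Policy.Security.MacChanges
    }
foreach ($pg in $overrides) {
    $s = $pg.Spec.Policy.Security
    Write-Warning ("Port group '{0}' overrides the vSwitch policy: allowPromiscuous={1} forgedTransmits={2} macChanges={3}" -f `
        $pg.Spec.Name, $s.AllowPromiscuous, $s.ForgedTransmits, $s.MacChanges)
}
```

Run it as .\Set-VSwitchSecurityPolicy.ps1 -VMHostName esxi01.example.com -VSwitchName vSwitch0 after Connect-VIServer; the three policy switches default to reject, so only pass -MacChanges $true (etc.) where accept is really wanted. Any warning it prints about a port group means that port group needs its own UpdatePortGroup() call (clearing the override, or setting it to reject) before the change is effective for the VMs on it.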
lamw
Community Manager

You can use the following:

updatevSwitch.pl

#!/usr/bin/perl -w
# updatevSwitch.pl - set the security policy (allowPromiscuous, forgedTransmits,
# macChanges) of a standard vSwitch through the vSphere API using the VI Perl Toolkit.

use strict;
use warnings;
use VMware::VILib;
use VMware::VIRuntime;

my %opts = (
   vswitch => {
      type => "=s",
      help => "Name of the vSwitch",
      required => 1,
   },
   hostname => {
      type => "=s",
      help => "Name of the ESX/ESXi host (needed when connecting through vCenter; defaults to the first host found)",
      required => 0,
   },
   ap => {
      type => "=s",
      help => "allowPromiscuous (0 = disabled, 1 = enabled)",
      required => 1,
   },
   ft => {
      type => "=s",
      help => "forgedTransmits (0 = disabled, 1 = enabled)",
      required => 1,
   },
   mc => {
      type => "=s",
      help => "macChanges (0 = disabled, 1 = enabled)",
      required => 1,
   },
);

Opts::add_options(%opts);
Opts::parse();
Opts::validate();

# The policy flags are booleans; accept only 0 or 1 so that a typo such as
# --mc false is not silently treated as true (any non-empty string is true in Perl).
foreach my $opt (qw(ap ft mc)) {
   my $val = Opts::get_option($opt);
   die "--$opt must be 0 or 1\n" unless defined $val && $val =~ /^[01]$/;
}

Util::connect();

my $vSwitchName = Opts::get_option('vswitch');
my $hostName = Opts::get_option('hostname');
my $ap = Opts::get_option('ap');
my $ft = Opts::get_option('ft');
my $mc = Opts::get_option('mc');

# Connected directly to a host there is exactly one HostSystem; connected to vCenter,
# filter by name so the change lands on the intended host and not an arbitrary one.
my $host_view = defined $hostName
   ? Vim::find_entity_view(view_type => 'HostSystem', filter => { 'name' => $hostName })
   : Vim::find_entity_view(view_type => 'HostSystem');

unless (defined $host_view) {
   Util::disconnect();
   die "No Host found.\n";
}

# hostSystem -> configManager -> networkSystem
my $network_system = Vim::get_view(mo_ref => $host_view->configManager->networkSystem);
my $vs = FindVSwitchbyName($network_system, $vSwitchName);

if ($vs) {
   print "\nSecurity Policy on ", $vs->name, " before:\n";
   print "------------------------------------\n";
   PrintSecurityPolicy($vs);
   print "\n\nUpdating security policy on ", $vs->name, " ...\n";

   # Swap only the security policy inside the existing HostVirtualSwitchSpec so the
   # remaining spec fields (numPorts, bridge, shaping, NIC teaming) are preserved.
   my $HostNetworkSecurityPolicy = HostNetworkSecurityPolicy->new(allowPromiscuous => $ap, forgedTransmits => $ft, macChanges => $mc);
   $vs->spec->policy->security($HostNetworkSecurityPolicy);

   eval {
      $network_system->UpdateVirtualSwitch(vswitchName => $vs->name, spec => $vs->spec);
   };
   if ($@) {
      print "Error: ", $@, "\n";
   } else {
      print "Update completed!\n";
      print "\nSecurity Policy on ", $vs->name, " is now:\n";
      print "------------------------------------\n";
      # Refresh the cached view so the "after" values come from the server
      # rather than from the spec we just modified locally.
      $network_system->update_view_data();
      $vs = FindVSwitchbyName($network_system, $vSwitchName);
      PrintSecurityPolicy($vs);
   }
} else {
   print "Unable to locate vSwitch: ", $vSwitchName, "\n";
}

Util::disconnect();

# Return the HostVirtualSwitch object with the given name, or undef if absent.
sub FindVSwitchbyName {
   my ($network, $name) = @_;
   my $vSwitches = $network->networkInfo->vswitch;
   foreach my $vSwitch (@$vSwitches) {
      return $vSwitch if ($name eq $vSwitch->name);
   }
   return undef;
}

# Print the three security policy flags of a vSwitch.
sub PrintSecurityPolicy {
   my ($vSwitch) = @_;
   my $sec = $vSwitch->spec->policy->security;
   print "allowPromiscuous: ", ($sec->allowPromiscuous) ? "enabled" : "disabled", "\n";
   print "forgedTransmits: ", ($sec->forgedTransmits) ? "enabled" : "disabled", "\n";
   print "macChanges: ", ($sec->macChanges) ? "enabled" : "disabled", "\n";
}

Example of execution for accepting all (if you want to reject, input 0):

[vi-admin@vima ~]$ ./updatevSwitch.pl --server himalaya.primp-industries.com --ap 1 --ft 1 --mc 1 --vswitch vSwitch2

Security Policy on vSwitch2 before:
------------------------------------
allowPromiscuous: disabled
forgedTransmits: disabled
macChanges: disabled


Updating security policy on vSwitch2 ...
Update completed!

Security Policy on vSwitch2 is now:
------------------------------------
allowPromiscuous: enabled
forgedTransmits: enabled
macChanges: enabled


I executed this on VMware VIMA and had vi-fastpass enabled; if you're just using the standard VI Perl Toolkit, you'll need to pass in --username and --password credentials, which you'll be prompted for.
