I'm using the script below in order to set network port security correctly; unfortunately it's not working due to the configuration used in the environment.
Some ESXi hosts are connected to a vSS and others to a vDS.
It's recommended that I collect the configuration before the change.
Below is the script:
# Record the current security policy of every virtual switch in the cluster
$ESXs = Get-VMHost -Location "MyCluster"
$file_before = ".\Status_Before.txt"
"ESX SWITCH AllowPromiscuous ForgedTransmits MacChanges" > $file_before
$ESXs | ForEach-Object {
    $esx = $_ ; $switchs = Get-VirtualSwitch $esx
    $switchs | ForEach-Object { $switch = $_ ; $sec = Get-SecurityPolicy $switch ; `
        "$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_before }
}
# Reject all three options on every switch
$ESXs | Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy `
    -MacChanges $false `
    -ForgedTransmits $false `
    -AllowPromiscuous $false
# Record the policy again after the change
$file_after = ".\Status_After.txt"
"ESX SWITCH AllowPromiscuous ForgedTransmits MacChanges" > $file_after
$ESXs | ForEach-Object {
    $esx = $_ ; $switchs = Get-VirtualSwitch $esx
    $switchs | ForEach-Object { $switch = $_ ; $sec = Get-SecurityPolicy $switch ; `
        "$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_after }
}
You can use the Standard or Distributed switch on the Get-VirtualSwitch cmdlet.
That way you could handle both types of switches in two separate parts of your script.
Are you getting any error messages?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you 🙂
Yep, I'm getting errors:
WARNING: The output of the command produced distributed virtual switch objects. This behavior is obsolete and may
change in the future. To retrieve distributed switches, use Get-VDSwitch cmdlet in the VDS component. To retrieve
standard switches, use -Standard.
Get-SecurityPolicy : Cannot bind parameter 'VirtualPortGroup'. Cannot convert the "Distributed_1" value of type "VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.DistributedSwitchImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.Host.Networking.VirtualPortGroup".
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:8 char:55
+ ... $switchs | % { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy
Get-SecurityPolicy : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of
the parameters that take pipeline input.
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:12 char:30
+ $ESXs | Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy ...
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Distributed_1:PSObject) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy
Those errors are caused because you are using a cmdlet that is intended to get a portgroup from a Standard switch, but you are providing it with a portgroup from a Distributed switch.
You will have to extend your script to handle both types separately.
That is why I advised using the Standard and Distributed switches.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Ok, then I should create a script that checks the switch type, standard or distributed, and proceeds accordingly, am I right?
I would use in fact a construct like this one.
Get-Cluster -Name 'MyCluster' |
Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # Standard switches and their port groups
    Get-VirtualSwitch -VMHost $esx -Standard -PipelineVariable vss |
    ForEach-Object -Process {
        Get-SecurityPolicy -VirtualSwitch $vss
        Get-VirtualPortGroup -VirtualSwitch $vss -PipelineVariable pg |
        ForEach-Object -Process {
            Get-SecurityPolicy -VirtualPortGroup $pg
        }
    }
    # Distributed switches and their port groups use the VDS cmdlets
    Get-VDSwitch -VMHost $esx -PipelineVariable vds |
    ForEach-Object -Process {
        Get-VDSecurityPolicy -VDSwitch $vds
        Get-VDPortgroup -VDSwitch $vds -PipelineVariable vdpg |
        ForEach-Object -Process {
            Get-VDSecurityPolicy -VDPortgroup $vdpg
        }
    }
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
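Putting the two branches together, here is an added example (my code, not LucD's or the original poster's) that records the policy of both vSS and vDS switches and of their port groups before and after the change, then rejects all three options on both switch types. It assumes an existing vCenter connection; 'MyCluster', the CSV file names and the choice to skip vDS uplink port groups are assumptions.

```powershell
function New-Row($HostName, $Type, $Scope, $Name, $Policy) {
    [pscustomobject]@{
        Host = $HostName; Type = $Type; Scope = $Scope; Name = $Name
        AllowPromiscuous = $Policy.AllowPromiscuous
        ForgedTransmits  = $Policy.ForgedTransmits
        MacChanges       = $Policy.MacChanges
    }
}

# One row per switch and per port group: a port-group policy overrides the
# switch policy, so checking only the switch level can miss an "Accept"
function Get-ClusterPortSecurity([string]$ClusterName) {
    $hosts = Get-Cluster -Name $ClusterName | Get-VMHost
    foreach ($esx in $hosts) {
        foreach ($vss in Get-VirtualSwitch -VMHost $esx -Standard) {
            New-Row $esx.Name 'vSS' 'Switch' $vss.Name (Get-SecurityPolicy -VirtualSwitch $vss)
            foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
                New-Row $esx.Name 'vSS' 'PortGroup' $pg.Name (Get-SecurityPolicy -VirtualPortGroup $pg)
            }
        }
    }
    # A vDS is shared by the hosts, so query each one once rather than per host
    foreach ($vds in (Get-VDSwitch -VMHost $hosts | Sort-Object -Property Name -Unique)) {
        New-Row '*' 'vDS' 'Switch' $vds.Name (Get-VDSecurityPolicy -VDSwitch $vds)
        foreach ($vdpg in (Get-VDPortgroup -VDSwitch $vds | Where-Object { -not $_.IsUplink })) {
            New-Row '*' 'vDS' 'PortGroup' $vdpg.Name (Get-VDSecurityPolicy -VDPortgroup $vdpg)
        }
    }
}

function Set-ClusterPortSecurity([string]$ClusterName, [switch]$DryRun) {
    $hosts = Get-Cluster -Name $ClusterName | Get-VMHost
    $off = @{ AllowPromiscuous = $false; ForgedTransmits = $false; MacChanges = $false }
    foreach ($vss in Get-VirtualSwitch -VMHost $hosts -Standard) {
        Get-SecurityPolicy -VirtualSwitch $vss | Set-SecurityPolicy @off -WhatIf:$DryRun
        Get-VirtualPortGroup -VirtualSwitch $vss | Get-SecurityPolicy | Set-SecurityPolicy @off -WhatIf:$DryRun
    }
    foreach ($vds in (Get-VDSwitch -VMHost $hosts | Sort-Object -Property Name -Unique)) {
        Get-VDSecurityPolicy -VDSwitch $vds | Set-VDSecurityPolicy @off -WhatIf:$DryRun
        Get-VDPortgroup -VDSwitch $vds | Where-Object { -not $_.IsUplink } |
            Get-VDSecurityPolicy | Set-VDSecurityPolicy @off -WhatIf:$DryRun
    }
}

Get-ClusterPortSecurity 'MyCluster' | Export-Csv '.\Status_Before.csv' -NoTypeInformation
Set-ClusterPortSecurity 'MyCluster'            # add -DryRun to rehearse with -WhatIf first
$after = Get-ClusterPortSecurity 'MyCluster'
$after | Export-Csv '.\Status_After.csv' -NoTypeInformation
# Anything still enabled afterwards is an override that did not take the change
$after | Where-Object { $_.AllowPromiscuous -or $_.ForgedTransmits -or $_.MacChanges }
```

The before and after CSVs can be compared with Compare-Object to confirm that only the three policy columns changed.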
Thank you for your help and assistance