VMware Cloud Community
lElOUCHE_79 (Enthusiast)

Change vSS & vDS in one shot

I'm using the script below to set network port security correctly; unfortunately it is not working properly because of the configuration used in the environment.

Some ESXi hosts are connected to a vSS and others to a vDS.

It's recommended that I collect the configuration before the change.

Below is the script:

$ESXs=get-vmhost -Location "MyCluster"

$file_before=".\Status_Before.txt"
"ESX SWITCH AllowPromiscuous ForgedTransmits MacChanges" > $file_before
$ESXs | ForEach-Object {
$esx=$_ ; $switchs= Get-VirtualSwitch $esx
$switchs | ForEach-Object { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
"$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_before}
}

$ESXs | Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy `
-MacChanges $false `
-ForgedTransmits $false `
-AllowPromiscuous $false

$file_after=".\Status_After.txt"
"ESX SWITCH AllowPromiscuous ForgedTransmits MacChanges" > $file_after
$ESXs | ForEach-Object {
$esx=$_ ; $switchs= Get-VirtualSwitch $esx
$switchs | ForEach-Object { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
"$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_after }
}

6 Replies
LucD (Leadership)

You can use the Standard or Distributed switch on the Get-VirtualSwitch cmdlet.
That way you could handle both types of switches in two separate parts of your script.

Are you getting any error messages?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

lElOUCHE_79 (Enthusiast)

Thank you 🙂

Yep, I'm getting errors:

WARNING: The output of the command produced distributed virtual switch objects. This behavior is obsolete and may
change in the future. To retrieve distributed switches, use Get-VDSwitch cmdlet in the VDS component. To retrieve
standard switches, use -Standard.
Get-SecurityPolicy : Cannot bind parameter 'VirtualPortGroup'. Cannot convert the "Distributed_1" value of type "VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.DistributedSwitchImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.Host.Networking.VirtualPortGroup".
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:8 char:55
+ ... $switchs | % { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

Get-SecurityPolicy : Cannot bind parameter 'VirtualPortGroup'. Cannot convert the "Distributed_1" value of type "VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.DistributedSwitchImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.Host.Networking.VirtualPortGroup".
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:8 char:55
+ ... $switchs | % { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

Get-SecurityPolicy : Cannot bind parameter 'VirtualPortGroup'. Cannot convert the "Distributed_1" value of type "VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.DistributedSwitchImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.Host.Networking.VirtualPortGroup".
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:8 char:55
+ ... $switchs | % { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

Get-SecurityPolicy : Cannot bind parameter 'VirtualPortGroup'. Cannot convert the "Distributed_1" value of type "VMware.VimAutomation.ViCore.Impl.V1.Host.Networking.DistributedSwitchImpl" to type
"VMware.VimAutomation.ViCore.Types.V1.Host.Networking.VirtualPortGroup".
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:8 char:55
+ ... $switchs | % { $switch=$_ ; $sec=Get-SecurityPolicy $switch ; `
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

Get-SecurityPolicy : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of
the parameters that take pipeline input.
At E:\SABRI_Work\Network Port Security VSwitch\Change_Switch_Security.ps1:12 char:30
+ $ESXs | Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy ...
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Distributed_1:PSObject) [Get-SecurityPolicy], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy

LucD (Leadership)

Those errors are caused because you are using a cmdlet that is intended to get a portgroup from a Standard switch, but you are providing it with a portgroup from a Distributed switch.

You will have to extend your script to handle both types separately.
That is why I advised using the Standard and Distributed switches.

lElOUCHE_79 (Enthusiast)

Ok, then I should create a script that checks whether the switch type is standard or distributed and proceeds accordingly, am I right?

LucD (Leadership), accepted solution

I would in fact use a construct like this one.

Get-Cluster -Name 'MyCluster' |
Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # Standard switches (vSS) and their port groups
    Get-VirtualSwitch -VMHost $esx -Standard -PipelineVariable vss |
    ForEach-Object -Process {
        Get-SecurityPolicy -VirtualSwitch $vss
        Get-VirtualPortGroup -VirtualSwitch $vss -PipelineVariable pg |
        ForEach-Object -Process {
            Get-SecurityPolicy -VirtualPortGroup $pg
        }
    }

    # Distributed switches (vDS) and their port groups use the VDS cmdlets
    Get-VDSwitch -VMHost $esx -PipelineVariable vds |
    ForEach-Object -Process {
        Get-VDSecurityPolicy -VDSwitch $vds
        Get-VDPortgroup -VDSwitch $vds -PipelineVariable vdpg |
        ForEach-Object -Process {
            Get-VDSecurityPolicy -VDPortgroup $vdpg
        }
    }
}

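Putting the two halves of the thread together, here is an added example (my own code, not LucD's construct or the original poster's script) that records the three port security settings for both vSS and vDS, including port groups, applies the hardened values only when -Apply is given, and records them again afterwards. It assumes an existing Connect-VIServer session with the PowerCLI VDS cmdlets available and uses the placeholder cluster name 'MyCluster' from the thread; the function names Get-PortSecuritySnapshot, Set-PortSecurityHardened and New-SecurityRow are my own.

```powershell
# Added example, not the thread's own code: snapshot and harden the three
# port security settings (AllowPromiscuous, ForgedTransmits, MacChanges) on
# standard (vSS) and distributed (vDS) switches and their port groups for
# every host in one cluster. Assumes an active Connect-VIServer session;
# 'MyCluster' is the placeholder name used in the thread.
param(
    [string]$ClusterName = 'MyCluster',
    [string]$OutDir      = '.',
    [switch]$Apply                     # without -Apply the script only reports
)

# One flat record per policy object, so vSS and vDS rows share a layout
function New-SecurityRow {
    param($HostName, $Type, $SwitchName, $PortGroupName, $Policy)
    [pscustomobject]@{
        Host             = $HostName
        Type             = $Type
        Switch           = $SwitchName
        PortGroup        = $PortGroupName
        AllowPromiscuous = [bool]$Policy.AllowPromiscuous
        ForgedTransmits  = [bool]$Policy.ForgedTransmits
        MacChanges       = [bool]$Policy.MacChanges
    }
}

# Read-only: walk vSS and vDS with their own cmdlets, never mixing the two
function Get-PortSecuritySnapshot {
    param([string]$ClusterName)
    foreach ($esx in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
        foreach ($vss in (Get-VirtualSwitch -VMHost $esx -Standard)) {
            New-SecurityRow $esx.Name 'vSS' $vss.Name '' (Get-SecurityPolicy -VirtualSwitch $vss)
            foreach ($pg in (Get-VirtualPortGroup -VirtualSwitch $vss)) {
                New-SecurityRow $esx.Name 'vSS' $vss.Name $pg.Name (Get-SecurityPolicy -VirtualPortGroup $pg)
            }
        }
        # A vDS is a vCenter object, so the same switch is listed once per attached host
        foreach ($vds in (Get-VDSwitch -VMHost $esx)) {
            New-SecurityRow $esx.Name 'vDS' $vds.Name '' (Get-VDSecurityPolicy -VDSwitch $vds)
            foreach ($vdpg in (Get-VDPortgroup -VDSwitch $vds)) {
                New-SecurityRow $esx.Name 'vDS' $vds.Name $vdpg.Name (Get-VDSecurityPolicy -VDPortgroup $vdpg)
            }
        }
    }
}

# Write path: disable all three settings at switch level and make the port
# groups inherit again, so a port-group override cannot silently keep them on
function Set-PortSecurityHardened {
    param([string]$ClusterName)
    $hosts = Get-Cluster -Name $ClusterName | Get-VMHost
    foreach ($esx in $hosts) {
        foreach ($vss in (Get-VirtualSwitch -VMHost $esx -Standard)) {
            Get-SecurityPolicy -VirtualSwitch $vss |
                Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false
            Get-VirtualPortGroup -VirtualSwitch $vss | Get-SecurityPolicy |
                Set-SecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true
        }
    }
    # Handle each distributed switch once, not once per host
    foreach ($vds in (Get-VDSwitch -VMHost $hosts | Sort-Object -Property Name -Unique)) {
        Get-VDSecurityPolicy -VDSwitch $vds |
            Set-VDSecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false
        Get-VDPortgroup -VDSwitch $vds | Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true
    }
}

$before = Get-PortSecuritySnapshot -ClusterName $ClusterName
$before | Export-Csv -Path (Join-Path $OutDir 'Status_Before.csv') -NoTypeInformation

# Anything still true is a deviation from the hardened baseline; review these
# rows (a deliberately promiscuous port group feeding a monitoring appliance,
# say) before running with -Apply
$before | Where-Object { $_.AllowPromiscuous -or $_.ForgedTransmits -or $_.MacChanges } |
    Format-Table -AutoSize

if ($Apply) {
    Set-PortSecurityHardened -ClusterName $ClusterName
    Get-PortSecuritySnapshot -ClusterName $ClusterName |
        Export-Csv -Path (Join-Path $OutDir 'Status_After.csv') -NoTypeInformation
}
```

Run it once without -Apply and read Status_Before.csv first: the hardening step forces every port group back to inheriting from its switch, so any port group that was given an explicit override on purpose will lose that override. In the vDS rows the same switch and port groups appear once per host that is attached to them, which is expected since the switch belongs to vCenter rather than to a host; the hardening function therefore de-duplicates the switches by name before touching them.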
lElOUCHE_79 (Enthusiast)

Thank you for your help and assistance
