VMware Cloud Community
xofox
Contributor

Create vLans in personal folders with specific permission/role

Hi, French & junior (VMware) but still alive ;)

Existing :

1DC/1Cluster/3ESXI/Vsphere6.7u2

VMware PowerCLI 11.5.0 build 14912921

PowerShell 5/1/14409/1018

vswitch0(management), vswitch1(vm)

2 Usergroups (G,U)

20 users/group (G201,...G220 ; U101,...U120)

Each user got his own private space (ex for user G201)

VMs&templates/G/G201 : VM1,VM2,,,

storage/G : here, no private folder, all the G group VMs are stored here.

networking/Pedago/G/G201 : G-lan-2010, G-lan-2011,..

vSwitch2 created, nic attached, no vlan created in yet.

Expecting :

Create 10 new VLANs for each user of group 'G' (using a .csv import) in vSwitch2.

- With role/permission (each user can see & operate only their own VMs, & the same for their own VLANs)

- Each user's VLAN should reach the user's network folder (to not have to drag it by mouse)

Bonus :

How can I get the full path to a user folder? Are the vPGs at root or in specific folders?

For example: the network folder of user G201 is in folder 'G', which is (I think) in 'Students', which is (I'm still not sure) in 'Pedago', which is in... the network folder. 'Get-Folder' gave me some information but I'm not sure of the real full path. I have to manage something I didn't install.

Thanks a lot for your help. I have already spent some hours searching the net about it and tried some scripts, sadly without the expected result.

xofox
Contributor

Strange result for me...

It seems only the last PG of the last user in the .csv file was managed by the script. A kind of loop? 18 x "Waiting for PG UFA2149 creation  Done", instead of 3 (because 3 ESXi).

I tested with 2 users, 3 VLANs, over 3 ESXi = 2*3*3=18. I'm sure you count very well ;) It's just to give you the maximum of information and what I asked of the script.

At the far end, only the VLAN UFA2149 was created, with VLanID: 9 (and not 2149 as expected).

Errors in the attached file.

I may modify my .csv if it's an easier way to go. For example, usergroupType=UFA, username=213, and in the script $user="$usergroupType"+"$username". VLanID could be $VLanID="$username"+"$vlanlist" (not sure about this last one, but just to tell you I may modify some things if necessary).

LucD
Leadership

For the VLANId that probably needs to be -VLanId ([int]("$userId$_"))

It seems your CSV file contains 2 columns, while I assumed that there would be only 1 column (UserName).

So instead of having

UserName

UFA213

you seem to have

UserGroupType,UserName

UFA,213

Is that correct?

Because then the script needs some changes.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

xofox
Contributor

I understand and verified the .csv and it was based on our last case, managed in December (Re: Individual permissions on Esx resources (networks/portgroup, datastore/directory,...) from a lis... ). I apologize, I said in a message above that the username was UFA213. I mixed things up.

User
SIO/UFA213

.csv used for the test attached.

LucD
Leadership

Ok, in that case the CSV is like I used in the last script.

Did you try the other change (for the VLANId) I suggested?

Does it work now?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

xofox
Contributor

-VLanId ([int]("$userId$_")) correction: works just fine! :)

Everything in the script was perfectly done.

PS C:\script> C:\Users\adminl\Desktop\10032020\NewPGPermission5.ps1

Waiting for PG UFA2137 creation ............ Done

Waiting for PG UFA2138 creation ............ Done

Waiting for PG UFA2139 creation .......... Done

Waiting for PG UFA2137 creation ............. Done

Waiting for PG UFA2138 creation ...... Done

Waiting for PG UFA2139 creation ......... Done

Waiting for PG UFA2137 creation .......... Done

Waiting for PG UFA2138 creation .......... Done

Waiting for PG UFA2139 creation .................................. Done

Wait for PG removal in UFA214  Done

Waiting for PG UFA2147 creation ........ Done

Waiting for PG UFA2148 creation .......... Done

Waiting for PG UFA2149 creation ......... Done

Waiting for PG UFA2147 creation ....... Done

Waiting for PG UFA2148 creation ...... Done

Waiting for PG UFA2149 creation ...... Done

Waiting for PG UFA2147 creation .......... Done

Waiting for PG UFA2148 creation ............ Done

Waiting for PG UFA2149 creation .......... Done

PS C:\script>

My 2 "test VMs" created for the UFA213 user with the new VLAN UFA2137 can ping each other, but only when they are hosted on the same ESXi; when I separate them, I get this: "Destination Host Unreachable". I used to meet this problem before this script. To get around it, I have been using VM/Host Rules (Cluster Configuration), but I doubt it's the best practice, consuming vMotion & network use. Another way?

About a script to export actual VMs using actual PG in folders I need to recreate with new PG (+ same VLanID as actual PG)?

Shall I close this discussion and open a new one for each of these 2 last questions?

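The VLAN ID fix confirmed in this thread, [int]("$userId$_"), as an added example that is not code from the thread or from LucD's script: a dry run in plain PowerShell that derives port group names and VLAN IDs from the CSV and flags out-of-range or colliding IDs before anything is created, since a collision would put two users on the same segment. The sample CSV rows, the 7..9 suffix list, the name-parsing regex and the function name Get-PortGroupPlan are assumptions.

```powershell
# Added example: dry-run planner. No vCenter connection and no PowerCLI cmdlets are used.
# Constructed sample input; the 'User' column with DOMAIN/NAME values is the format shown in the thread.
$csvText = @'
User
SIO/UFA213
SIO/UFA214
SIO/UFA999
'@
$suffixes = 7..9   # assumption: per-user VLAN suffixes, matching UFA2137..UFA2139 in the output above

function Get-PortGroupPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [int[]] $Suffixes
    )
    $seen = @{}   # VLAN ID -> first principal that claimed it
    foreach ($row in $Users) {
        # Assumption: the account name is a letter prefix followed by the numeric user id.
        if (-not ($row.User -match '^[^/\\]+[/\\](?<prefix>[A-Za-z]+)(?<id>\d+)$')) {
            Write-Warning "Skipping malformed entry '$($row.User)'"
            continue
        }
        $prefix = $Matches['prefix']
        $userId = $Matches['id']
        foreach ($s in $Suffixes) {
            # Concatenate as strings first, then cast, so "213" and 7 give 2137 rather than 7.
            $vlanId = [int]("$userId$s")
            $status = 'OK'
            if ($vlanId -lt 1 -or $vlanId -gt 4094) { $status = 'VLAN ID outside 1-4094' }
            elseif ($seen.ContainsKey($vlanId))      { $status = "Duplicate of $($seen[$vlanId])" }
            else                                     { $seen[$vlanId] = $row.User }
            [pscustomobject]@{
                Principal = $row.User
                PortGroup = "$prefix$userId$s"
                VLanId    = $vlanId
                Status    = $status
            }
        }
    }
}

$plan = Get-PortGroupPlan -Users ($csvText | ConvertFrom-Csv) -Suffixes $suffixes
$plan | Format-Table -AutoSize
# Stop here if any row failed validation; only a clean plan should be handed to the creation script.
if ($plan | Where-Object Status -ne 'OK') {
    Write-Warning 'Plan has invalid rows; fix the CSV before creating port groups.'
}
```
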
LucD
Leadership

Are the pNICs used in the vSwitches connected to switch ports that have the same VLAN tagging?

This is probably not a VMware issue (since it works when on the same ESXi node) but might be a physical network issue.

Yes, for the VM migration question I would prefer a new thread.

Otherwise, this thread becomes too long and complex.

Make sure to document exactly what the current situation is and where you want to go.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

xofox
Contributor

Are the pNICs used in the vSwitches connected to switch ports that have the same VLAN tagging?

If I understand your question, and to try to answer it: the pNIC is used for the vSwitch2 on which we worked with your script. VLAN tagging is the same for each vSwitch in each ESXi.

In fact, for a few months after the delivery of the cluster, VMs in the same VLAN were able to communicate even when on different ESXi hosts. It seems it's when we created more VMs and more PGs that the problems started growing.

At this moment we have 313 VMs and 157 networks. I don't think we exceeded the configuration maximums with vSphere 6.7.

I will open a new thread.

Thanks a lot for your efficacy and your patience.

LucD
Leadership

Did this perhaps happen after you implemented 6.7U3?
There are some mentions of network issues after 6.7U3.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
