Hi,
We have developed a script to get the Virtual Network info. For a small environment the script works fine, but in a huge environment we are getting an error message. Any inputs are appreciated.
Get-VirtualPortGroup : 8/19/2013 11:01:52 PM Get-VirtualPortGroup Index was outside the bounds of the array.
At C:\IA\Requests\Request#14 TSRStatus\NetworkHardeningLatest.ps1:21 char:40
+ foreach($VPG in (Get-VirtualPortGroup <<<< -VirtualSwitch $sw)) { $VPG |
+ CategoryInfo : NotSpecified: (:) [Get-VirtualPortGroup], ViErro
r
+ FullyQualifiedErrorId : Client20_VMHostServiceImpl_GetVirtualPortGroup_B
yVirtualSwitch_GetPortGroupNames_ViError,VMware.VimAutomation.ViCore.Cmdle
ts.Commands.Host.GetVirtualPortGroup
The script is given below
&{foreach($sw in (Get-VirtualSwitch -Standard)){
foreach($VPG in (Get-VirtualPortGroup -VirtualSwitch $sw)) { $VPG |
Select @{N="Host";E={$sw.VMHost.Name}},
@{N="Switch";E={$sw.Name}},
@{N="Promiscuous mode";E={if($sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}}},
@{N="Forged transmits";E={if($sw.Extensiondata.Spec.Policy.Security.ForgedTransmits){"Accept"} Else {"Reject"}}},
@{N="MAC Changes";E={if($sw.Extensiondata.Spec.Policy.Security.MacChanges){"Accept"} Else {"Reject"}}},
@{N="Portgroup";E={$VPG.Name}},
@{N="Portgroup Promiscuous mode";E={if($VPG.Extensiondata.Spec.Policy.Security.AllowPromiscuous -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}}}},
@{N="Portgroup Forged transmits";E={if($VPG.Extensiondata.Spec.Policy.Security.ForgedTransmits -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}}}},
@{N="Portgroup MAC Changes";E={if($VPG.Extensiondata.Spec.Policy.Security.MacChanges -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.MacChanges){"Accept"} Else {"Reject"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.MacChanges){"Accept"} Else {"Reject"}}}},
@{N="NoNativeVlan1";E={if($VPG.vLanID -eq 1) {"Accept"} Else {"Reject"}}},
@{N="NoReservedVlans";E={if(($VPG.vLanID -ge 3968 -and $VPG.vLanID -le 4047) -or ($VPG.vLanID -eq 4094)) {"Accept"} Else {"Reject"}}},
@{N="NoVGTvlan4095";E={if($VPG.vLanID -eq 4095){"Accept"} Else {"Reject"}}},
@{N="LabelVswitches";E={if (!$vSwitch.Name) {"Accept"} Else {"Reject"}}}
}}} | Export-CSV C:\Report\Networkreport.csv -NoTypeInformation -UseCulture
PowerCLI Version
----------------
VMware vSphere PowerCLI 5.1 Release 2 build 1012425
---------------
Snapin Versions
---------------
VMWare AutoDeploy PowerCLI Component 5.1 build 768137
VMWare ImageBuilder PowerCLI Component 5.1 build 768137
VMware vCloud Director PowerCLI Component 5.1 build 1012427
VMware License PowerCLI Component 5.1 build 669840
VMware VDS PowerCLI Component 5.1 build 1012428
VMware VDS vSphere PowerCLI Component 4.1.1 build 000001
VMware vSphere PowerCLI Component 5.1 build 1012428
Thanks
Are you by any chance running this from PowerGui ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Nope. Used the PowerCLI command prompt and GUI.
I see.
Does this list all your portgroups ?
foreach($sw in (Get-VirtualSwitch -Standard)){
foreach($VPG in (Get-VirtualPortGroup -VirtualSwitch $sw)) {
$VPG
}
}
In our environment we have 600 virtual port groups.
We are getting the same error message after we have received the information for 500 virtual port groups.
One more observation: we are not getting INACTIVE standard switch info in the given vCenter. Is there any way to handle inactive virtual switches?
Then it looks as if your PowerShell engine, on the PC where you run the script, might be running out of resources.
Perhaps the $error variable contains some more info.
Or better yet, package this in a Try-Catch construct.
Get-Process -Id $PID
Try {
Get-VirtualPortGroup
}
Catch {
Get-Process -Id $PID
$_ | Select *
$_.Exception.InnerException | Select *
}
Watch the PM (private memory) consumption that is returned by the Get-Process cmdlet.
Ok, perhaps I wasn't too clear.
The intention was that you insert those lines in your original script, and that we could monitor the increasing consumption of PM and catch the exception when it goes wrong.
Something like this
&{foreach($sw in (Get-VirtualSwitch -Standard)){
foreach($VPG in &{
Get-Process -Id $PID
Try {
Get-VirtualPortGroup -VirtualSwitch $sw
}
Catch {
Get-Process -Id $PID
$_ | Select *
$_.Exception.InnerException | Select *
}}){
$VPG
# The rest of your original script
}}}
Modified the script like below
&{foreach($sw in (Get-VirtualSwitch -Standard)){
foreach($VPG in &{
Get-Process -Id $PID
Try {
Get-VirtualPortGroup -VirtualSwitch $sw
}
Catch {
Get-Process -Id $PID
$_ | Select *
$_.Exception.InnerException | Select *
}}){
$VPG |
Select @{N="Host";E={$sw.VMHost.Name}},
@{N="Switch";E={$sw.Name}},
@{N="Promiscuous mode";E={if($sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"NonCompliant"} Else {"Complaint"}}},
@{N="Forged transmits";E={if($sw.Extensiondata.Spec.Policy.Security.ForgedTransmits){"NonCompliant"} Else {"Complaint"}}},
@{N="MAC Changes";E={if($sw.Extensiondata.Spec.Policy.Security.MacChanges){"NonCompliant"} Else {"Complaint"}}},
@{N="Portgroup";E={$VPG.Name}},
@{N="Portgroup Promiscuous mode";E={if($VPG.Extensiondata.Spec.Policy.Security.AllowPromiscuous -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"NonCompliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.AllowPromiscuous) {"NonCompliant"} Else {"Complaint"}}}},
@{N="Portgroup Forged transmits";E={if($VPG.Extensiondata.Spec.Policy.Security.ForgedTransmits -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.ForgedTransmits) {"NonCompliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.ForgedTransmits) {"NonCompliant"} Else {"Complaint"}}}},
@{N="Portgroup MAC Changes";E={if($VPG.Extensiondata.Spec.Policy.Security.MacChanges -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.MacChanges){"NonCompliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Spec.Policy.Security.MacChanges){"NonCompliant"} Else {"Complaint"}}}},
@{N="NoNativeVlan1";E={if($VPG.vLanID -eq 1) {"NonCompliant"} Else {"Complaint"}}},
@{N="NoReservedVlans";E={if(($VPG.vLanID -ge 3968 -and $VPG.vLanID -le 4047) -or ($VPG.vLanID -eq 4094)) {"NonComplaint"} Else {"Compliant"}}},
@{N="NoVGTvlan4095";E={if($VPG.vLanID -eq 4095){"NonComplaint"} Else {"Complaint"}}},
@{N="LabelVswitches";E={if (!$vSwitch.Name) {"NonComplaint"} Else {"Complaint"}}}
}}} | Export-CSV C:\CatchNetworkreport.csv -NoTypeInformation -UseCulture
I couldn't get the process ID info and couldn't catch the exception. We got the same error message.
Could you copy the exact message about the process ID you are getting ?
As a quick test from the PowerCLI prompt, enter a $PID.
Does that return anything ?
PowerCLI C:\Requests> &{foreach($sw in (Get-VirtualSwitc
h -Standard)){
>> foreach($VPG in &{
>> Get-Process -Id $PID
>> Try {
>> Get-VirtualPortGroup -VirtualSwitch $sw
>> }
>> Catch {
>> Get-Process -Id $PID
>> $_ | Select *
>> $_.Exception.InnerException | Select *
>> }}){
>> $VPG |
>>
>> Select @{N="Host";E={$sw.VMHost.Name}},
>> @{N="Switch";E={$sw.Name}},
>> @{N="Promiscuous mode";E={if($sw.Extensiondata.Spec.Policy.Security.AllowPr
omiscuous) {"NonCompliant"} Else {"Complaint"}}},
>> @{N="Forged transmits";E={if($sw.Extensiondata.Spec.Policy.Security.ForgedT
ransmits){"NonCompliant"} Else {"Complaint"}}},
>> @{N="MAC Changes";E={if($sw.Extensiondata.Spec.Policy.Security.MacChanges){
"NonCompliant"} Else {"Complaint"}}},
>> @{N="Portgroup";E={$VPG.Name}},
>> @{N="Portgroup Promiscuous mode";E={if($VPG.Extensiondata.Spec.Policy.Secur
ity.AllowPromiscuous -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.Allow
Promiscuous) {"NonCompliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Sp
ec.Policy.Security.AllowPromiscuous) {"NonCompliant"} Else {"Complaint"}}}},
>> @{N="Portgroup Forged transmits";E={if($VPG.Extensiondata.Spec.Policy.Secur
ity.ForgedTransmits -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.Forge
dTransmits) {"NonCompliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Sp
ec.Policy.Security.ForgedTransmits) {"NonCompliant"} Else {"Complaint"}}}},
>> @{N="Portgroup MAC Changes";E={if($VPG.Extensiondata.Spec.Policy.Security.M
acChanges -eq $null) {if($sw.Extensiondata.Spec.Policy.Security.MacChanges){"Non
Compliant"} Else {"Complaint"}} Else {if($VPG.Extensiondata.Spec.Policy.Security
.MacChanges){"NonCompliant"} Else {"Complaint"}}}},
>> @{N="NoNativeVlan1";E={if($VPG.vLanID -eq 1) {"NonCompliant"} Else {"Compla
int"}}},
>> @{N="NoReservedVlans";E={if(($VPG.vLanID -ge 3968 -and $VPG.vLanID -le 40
47) -or ($VPG.vLanID -eq 4094)) {"NonComplaint"} Else {"Compliant"}}},
>> @{N="NoVGTvlan4095";E={if($VPG.vLanID -eq 4095){"NonComplaint"} Else {"Compla
int"}}},
>> @{N="LabelVswitches";E={if (!$vSwitch.Name) {"NonComplaint"} Else {"Complaint
"}}}
>>
>> }}}
>>
Host : TestESX1.Domain.Com
Switch : vSwitch0
Promiscuous mode : Complaint
Forged transmits : Complaint
MAC Changes : Complaint
Portgroup : powershell
Portgroup Promiscuous mode : Complaint
Portgroup Forged transmits : Complaint
Portgroup MAC Changes : Complaint
NoNativeVlan1 : Complaint
NoReservedVlans : Compliant
NoVGTvlan4095 : Complaint
LabelVswitches : NonComplaint
Host : TestESX2.Domain.Com
Switch : vSwitch0
Promiscuous mode : Complaint
Forged transmits : Complaint
MAC Changes : Complaint
Portgroup : PortGrpA
Portgroup Promiscuous mode : Complaint
Portgroup Forged transmits : Complaint
Portgroup MAC Changes : Complaint
NoNativeVlan1 : Complaint
NoReservedVlans : Compliant
NoVGTvlan4095 : Complaint
LabelVswitches : NonComplaint
As I said, I couldn't see the PID.
PowerCLI C:\IA\Requests> $pid
6036
I'm getting the process ID.
I had a look at the error.log you attached earlier. Which PowerCLI version are you using?
And which vCenter and ESX(i) versions?
From the error I get the impression the PowerCLI version doesn't work with your vSphere versions.
I also suspect it is a memory problem, and PowerShell tends to sometimes come up with strange errors when this occurs.
The only valid solutions I can see are to either run the script in 2 parts (for example first the 1st half and then the 2nd half of the switches),
or try to run the script on a box with more memory. Eventually on a 64-bit OS.
I have tweaked the script a little. Now, I'm getting data without any errors. Thank you for your inputs. :)
# Network data array
# $vCenterInstanceName and $FileName are not defined in this snippet; they must be set before this code runs
$NetworkData = @()
ForEach ($VMHost in Get-VMHost){
    # Read the host network configuration once through Get-View instead of calling Get-VirtualPortGroup per switch
    $Esx = Get-View -Id $VMHost.id
    ForEach($vSwitch in $Esx.Config.Network.Vswitch){
        # Port groups reference their parent switch by key
        ForEach($PortGroup in ($Esx.Config.Network.Portgroup | where {$_.Vswitch -eq $vSwitch.Key})) {
            $NetworkItems = "" | Select VC, Host, vswitchname , PromiscuousMode , Forgedtransmit , MacChanges , Portgroup,PGPromiscuousMode,
                PGForgedTransmits, PGMACChanges, NoNativeVlan1, NoReservedVlan, NoVGTvlan4095, LabelVswitches
            $NetworkItems.VC = $vCenterInstanceName
            $NetworkItems.Host = $VMHost
            $NetworkItems.vswitchname = $vSwitch.Name
            # vSwitch-level security policy
            $NetworkItems.PromiscuousMode = &{if($vSwitch.Spec.Policy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}}
            $NetworkItems.Forgedtransmit = &{if($vSwitch.Spec.Policy.Security.ForgedTransmits){"Accept"} Else {"Reject"}}
            $NetworkItems.MacChanges = &{if($vSwitch.Spec.Policy.Security.MacChanges){"Accept"} Else {"Reject"}}
            $NetworkItems.Portgroup = $PortGroup.Spec.Name
            # Port group policy; falls back to the vSwitch value when the port group value is $null
            $NetworkItems.PGPromiscuousMode = &{if($PortGroup.ComputedPolicy.Security.AllowPromiscuous -eq $null) {if($vSwitch.Spec.Policy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}} Else {if($PortGroup.ComputedPolicy.Security.AllowPromiscuous) {"Accept"} Else {"Reject"}}}
            $NetworkItems.PGForgedTransmits = &{if($PortGroup.ComputedPolicy.Security.ForgedTransmits -eq $null) {if($vSwitch.Spec.Policy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}} Else {if($PortGroup.ComputedPolicy.Security.ForgedTransmits) {"Accept"} Else {"Reject"}}}
            $NetworkItems.PGMACChanges = &{if($PortGroup.ComputedPolicy.Security.MacChanges -eq $null) {if($vSwitch.Spec.Policy.Security.MacChanges) {"Accept"} Else {"Reject"}} Else {if($PortGroup.ComputedPolicy.Security.MacChanges) {"Accept"} Else {"Reject"}}}
            # VLAN checks: native VLAN 1, reserved VLANs 3968-4047 and 4094, VGT VLAN 4095
            $NetworkItems.NoNativeVlan1 = &{if($PortGroup.Spec.VLANID -eq 1) {"Accept"} Else {"Reject"}}
            $NetworkItems.NoReservedVlan = &{if(($PortGroup.Spec.VLANID -ge 3968 -and $PortGroup.Spec.VLANID -le 4047) -or ($PortGroup.Spec.VLANID -eq 4094)) {"NonReject"} Else {"Compliant"}}
            $NetworkItems.NoVGTvlan4095 = &{if($PortGroup.Spec.VLANID -eq 4095){"NonReject"} Else {"Reject"}}
            $NetworkItems.LabelVswitches = &{if (!$vSwitch.Name) {"NonReject"} Else {"Reject"}}
            $NetworkData += $NetworkItems
        }
    }
}
# Export the data to a CSV sheet. Ensure the directory exists.
$NetworkData | Export-Csv -NoTypeInformation -UseCulture -Path "C:\TSRReport\$($FileName)"
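
The hardening checks discussed in this thread, gathered into one function with a single pair of labels. This is an added example, not code from the thread or from PowerCLI. It assumes PowerShell 3.0 or later; Test-PortGroupHardening, Get-Verdict and the sample objects are hypothetical and constructed so the logic runs without a vCenter connection.

```powershell
# Added example: runs offline against constructed objects, no vCenter needed.
# Test-PortGroupHardening and Get-Verdict are hypothetical helpers, not PowerCLI cmdlets.
function Get-Verdict([bool]$Risky) { if ($Risky) { 'NonCompliant' } else { 'Compliant' } }

function Test-PortGroupHardening {
    param($HostName, $VSwitch, $PortGroup)

    $swSec = $VSwitch.Spec.Policy.Security
    $pgSec = $PortGroup.Spec.Policy.Security
    $row = [ordered]@{ Host = $HostName; Switch = $VSwitch.Name; Portgroup = $PortGroup.Spec.Name }

    foreach ($setting in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
        # A $null port group value means the setting is inherited from the vSwitch
        $effective = if ($null -ne $pgSec.$setting) { $pgSec.$setting } else { $swSec.$setting }
        $row["Switch$setting"]    = Get-Verdict ($swSec.$setting)
        $row["Effective$setting"] = Get-Verdict ($effective)
    }

    # VLAN checks from the thread: native VLAN 1, reserved 3968-4047 and 4094, VGT 4095
    $vlan = $PortGroup.Spec.VlanId
    $row.NoNativeVlan1   = Get-Verdict ($vlan -eq 1)
    $row.NoReservedVlans = Get-Verdict (($vlan -ge 3968 -and $vlan -le 4047) -or $vlan -eq 4094)
    $row.NoVGTvlan4095   = Get-Verdict ($vlan -eq 4095)
    [pscustomobject]$row
}

# Constructed sample data, shaped like the Spec.Policy.Security objects used in the thread
$vSwitch = [pscustomobject]@{
    Name = 'vSwitch0'
    Spec = @{ Policy = @{ Security = @{ AllowPromiscuous = $false; ForgedTransmits = $true; MacChanges = $true } } }
}
$portGroups = @(
    [pscustomobject]@{ Spec = @{ Name = 'Inherits'; VlanId = 1;    Policy = @{ Security = @{} } } }
    [pscustomobject]@{ Spec = @{ Name = 'Override'; VlanId = 4095; Policy = @{ Security = @{ AllowPromiscuous = $true; ForgedTransmits = $false } } } }
)

# Emit rows into the pipeline rather than appending with +=, which re-copies the array on every append
$report = foreach ($pg in $portGroups) {
    Test-PortGroupHardening -HostName 'esx01.example.test' -VSwitch $vSwitch -PortGroup $pg
}
$report | Format-Table Portgroup, EffectiveAllowPromiscuous, EffectiveForgedTransmits, NoNativeVlan1, NoVGTvlan4095 -AutoSize
```

Against a live inventory the same function can be fed from the Get-View loop above, with the rows piped to Export-Csv.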