WJCon (Enthusiast)

NSX-T 3.1.2 Update Logical Switch update REQUIRE_OVERRIDE

I have a use case for a script to update Segment Profiles on a Segment. The Segments are spun out as Cloud Director networks; one of the VMs in the vApp is a DHCP server and I need to change the Segment Security Profile to one which allows DHCP traffic.

Thanks to Rudi there is a powercli script to do this (Change NSX-T Switch Profiles with PowerCLI | rudimartinsen.com)

The problem I have is that when Cloud Director creates the Segments they are created with the Protection set to REQUIRE_OVERRIDE; in order for the script to work they need to be set to NOT_PROTECTED (see the note at the bottom of Rudi's post).

Is there a way through PowerCLI to change this from REQUIRE_OVERRIDE to NOT_PROTECTED?

Accepted Solutions
Zsoldier (Expert)

Fixed.  It'll create a binding map if none is found and apply the profiles you defined in your variables.

Powershell: Changing NSX-T Segment Profiles enmasse. (zsoldier.com)

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier

23 Replies
Zsoldier (Expert)

Is it possible in vCD to change the security profile that a segment maps to? If so, you could create a new profile and simply have vCD point to that new one for your segment.

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier

WJCon (Enthusiast)

I don't think it's possible through Cloud Director; it doesn't expose segments or segment profiles anywhere. My understanding is it just requests a segment and NSX-T provides one with all defaults.

We can change it in the UI of NSX-T, but we have to do it each time we deploy a vApp. Previously in NSX-V environments we did something similar, and the way we automated it was through PowerCLI tagged to Cloud Director through the Service Library.

I think the ideal situation for me would be one of the below:

a) Some PowerCLI way to change from REQUIRE_OVERRIDE to NOT_PROTECTED

b) To change Segments that are created from Cloud Director so they all show NOT_PROTECTED as a default

c) To select the Segment Profile based on the name of the segment; maybe this is something that can be done through tags, I haven't checked yet.

Zsoldier (Expert)

You cannot change the require_override property as far as I'm aware. You can however pass in an 'override' header in your call to change the default segment security profile config to what you want your default to be.

X-Allow-Overwrite=true (listed in NSX-T public API docs)

I'm not a fan of changing system defaults since you are likely to cause other issues by doing so. If DHCP is the issue, I'd recommend utilizing NSX-T's DHCP services or setting up a DHCP relay in NSX-T, as the segment security profile doesn't affect those.

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier
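As an added example (not code from the thread, from Rudi's post or from Zsoldier's blog), this is what the override header looks like when the profile change is made with Invoke-RestMethod against the Management API instead of the PowerCLI module. $NsxManager is a placeholder; the switch and profile names are the ones from this thread.

```powershell
# Added example: apply a security switching profile to a logical switch through the
# NSX-T Management API, sending X-Allow-Overwrite so that an object whose protection is
# REQUIRE_OVERRIDE accepts the update. $NsxManager is a placeholder value.
$NsxManager     = 'nsx-manager.example.com'
$LogicalNetwork = '0-Management-192_168_0_X-77999120-a800-4455-a088-3cfe042c666b'
$ProfileType    = 'SwitchSecuritySwitchingProfile'
$ProfileName    = 'allowdhcp-segment-security-profile'

# Basic auth header built by hand (works on Windows PowerShell 5.1 and PowerShell 7)
$cred = Get-Credential
$pair = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    'Accept'            = 'application/json'
    'Content-Type'      = 'application/json'
    'Authorization'     = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    'X-Allow-Overwrite' = 'true'   # only needed for objects whose protection is REQUIRE_OVERRIDE
}
$base = "https://$NsxManager/api/v1"

# Resolve the profile and the switch by display name
$secProfile = (Invoke-RestMethod -Uri "$base/switching-profiles" -Headers $headers -Method Get).results |
    Where-Object { $_.resource_type -eq $ProfileType -and $_.display_name -eq $ProfileName } |
    Select-Object -First 1
if (-not $secProfile) { throw "Profile '$ProfileName' not found" }

$sw = (Invoke-RestMethod -Uri "$base/logical-switches" -Headers $headers -Method Get).results |
    Where-Object { $_.display_name -eq $LogicalNetwork } | Select-Object -First 1
if (-not $sw) { throw "Logical switch '$LogicalNetwork' not found" }

# Re-read the single object so the PUT body carries its current _revision
$sw = Invoke-RestMethod -Uri "$base/logical-switches/$($sw.id)" -Headers $headers -Method Get

# Swap the value for this profile type, or append an entry if the switch has none
$ids   = @($sw.switching_profile_ids | Where-Object { $_ })
$entry = $ids | Where-Object { $_.key -eq $ProfileType }
if ($entry) {
    $entry.value = $secProfile.id
} else {
    $ids += [pscustomobject]@{ key = $ProfileType; value = $secProfile.id }
}
$sw.switching_profile_ids = $ids

# PUT the whole object back. The override is scoped to this one switch, which keeps
# NSX-T system defaults untouched.
Invoke-RestMethod -Uri "$base/logical-switches/$($sw.id)" -Headers $headers -Method Put `
    -Body ($sw | ConvertTo-Json -Depth 10) | Out-Null
```

On PowerShell 7 add -SkipCertificateCheck to each call if the manager's certificate is not trusted; on Windows PowerShell 5.1 trust the certificate instead.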

WJCon (Enthusiast)

Sure, but can you pass that through PowerCLI? As far as I know that's just through the API, but I could be wrong. If you can use it through PowerCLI then great, that should fix my issue.

It's just a bit annoying that I can change the setting through the UI with no issue; I have the PowerCLI syntax to make the same change but PowerCLI isn't allowed to change it. Surely when the same users/permissions are used the logic should be the same whether run in the UI or from PowerCLI. But PowerCLI seems to have this added layer of security which leads to serious limitations as to what you can use it for.

Anyway, that's just me moaning, but it is a pain that when I was using V for the network backing in Cloud Director I could do this type of stuff in PowerCLI without any issue; now tasks that were automated have to be run manually each time the segment is created, which in Cloud Director means any time the vApp is booted.

I get what you are saying about system defaults, but these are user-configurable parameters intended to be set depending on the requirements of the segment. DHCP is one example; adding a VLAN to a segment that is acting as a trunk is probably a better example and has the same issue.

If you create the segment in PowerCLI you actually can change this; it's just when it is created elsewhere (from Cloud Director in this example) that you can't.

Anyway, thanks for the feedback. I suspect I will need to find a different way of automating this or just add it as a manual task, which would be a shame.

Zsoldier (Expert)

Not with the NSX-T PowerCLI module.

If you can do it through the UI, that means it's not a protected object, so I'm a bit confused what you are changing in the UI that you are being prevented from doing via PowerCLI.

Can you post some screenshots of what exactly you are referring to? Working with PowerShell and Invoke-RestMethod is honestly much less frustrating, in my opinion, than working with the NSX-T cmdlets.

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier

WJCon (Enthusiast)

Yeah, I think I need to make myself more familiar; I am struggling a bit with the change. We are basically slowly migrating Cloud Director from NSX-V backing to NSX-T, so I definitely need to spend some time getting used to Invoke-RestMethod.

In image 1 you see the segment profiles towards the bottom, currently set to the defaults. If I click edit on the segment and go down to Segment Security I see in the drop-down a second choice (one I manually created) called allowdhcp-segment-security-profile; the only difference between this and the default one is that DHCP Server Block is turned off. In the UI here it allows me to change it, and ultimately the DHCP process between client and server (Discover -> Offer -> Request -> Ack) is not blocked on the segment once I change it. If I don't change it, the server side gets blocked and DHCP doesn't work.

Largely based on Rudi's sample (Change NSX-T Switch Profiles with PowerCLI | rudimartinsen.com) I have the script below.

#Connect to NSX-T with credentials from the credential store
Get-VICredentialStoreItem -File c:\scriptserver\utils\nsxcreds.xml | %{Connect-NsxtServer -Server $_.host -User $_.user -Password $_.password}

$LogicalNetwork = '0-Management-192_168_0_X-77999120-a800-4455-a088-3cfe042c666b'
$ProfileType = 'SwitchSecuritySwitchingProfile'
$ProfileName = 'allowdhcp-segment-security-profile'

#Get the new profile (first match by type and display name)
$nestProfile = (Get-NsxtService -Name "com.vmware.nsx.switching_profiles").list().results.Where({$_.resource_type -eq $ProfileType -and $_.display_name -eq $ProfileName})[0]

if(!$nestProfile){
    throw "No profile found!"
}

#Get the logical switch
$sw = (Get-NsxtService "com.vmware.nsx.logical_switches").list().results.Where({$_.display_name -eq $LogicalNetwork})[0]
if(!$sw){
    throw "No logical switch found!"
}

#Get the current profiles and find the index of the entry for this profile type
#(-lt rather than -le so the loop never indexes past the last element)
$swProfiles = $sw.switching_profile_ids
$profIndex = 0
for($i=0;$i -lt $swProfiles.count;$i++){
    if($swProfiles[$i].key -eq $ProfileType){
        $profIndex = $i
        break
    }
}

#Set new value
$chgProfile = $swProfiles[$profIndex]
$chgProfile.value = $nestProfile.id

#Change existing switch
$swProfiles[$profIndex] = $chgProfile
$sw.switching_profile_ids = $swProfiles

#Update switch (this is the call that fails on a REQUIRE_OVERRIDE switch)
(Get-NsxtService -Name "com.vmware.nsx.logical_switches").update($sw.id,$sw)

When run I get the error:

A server error occurred: 'com.vmware.vapi.std.errors.invalid_request': . Check $Error[0].Exception.ServerError for more details.
At C:\scriptserver\manualscripts\NSX-T\ListSwitches.ps1:41 char:1
+ (Get-NsxtService -Name "com.vmware.nsx.logical_switches").update($sw. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], CisServerException
+ FullyQualifiedErrorId : VMware.VimAutomation.Cis.Core.Types.V1.CisServerException

PS C:\scriptserver\manualscripts\NSX-T> $Error[0].Exception.ServerError

At this point I reread Rudi's article and noticed the note towards the end mentioning the protection. My assumption (but I could be wrong) is that this is why I hit the error:

There is one very important note on the update of switch resources through the API and Powershell. Segments, as they are called when created in the Networking UI or through the new Policy API, will have the protection property set to REQUIRE_OVERRIDE by default, whereas switches created in the Advanced view or through the Management API will have their protection set to NOT_PROTECTED.

My segments are created from Cloud Director, so I don't really have any control over which view they are created in, but when I check it does appear they are set to REQUIRE_OVERRIDE:

id display_name protection
-- ------------ ----------
0095a75e-03dd-4df7-843e-0f4ffa6b7858 0-Management-192_168_0_X-77999120-a800-4455-a088-3cfe042c666b REQUIRE_OVERRIDE
5255907b-98db-4ca1-b8e1-b9b8fd45e785 100-Trunk-192_168_100_X-a5c15778-291e-4073-ac8e-1700e0a9cbca REQUIRE_OVERRIDE
fe0aa1e8-f177-4a1f-b1c2-cdcedde39197 254-Access-192_168_254_X-091b1461-b594-4323-a23f-a7d54e3cad0a REQUIRE_OVERRIDE
fb93f2ce-ab8e-407e-a4e2-da286783efde external-fabric-a-seg REQUIRE_OVERRIDE
dcaaefb6-9027-4965-b1c3-2e423faab146 external-fabric-b-seg REQUIRE_OVERRIDE

Help
----
@{Documentation=The InvalidRequest error indicates that the request is malformed in such a way that the server is unable to process it. ...

WJCon (Enthusiast)

Having issues replying; it keeps getting marked as spam for some reason. Not sure if it's due to the image or the content of the description of what's happening, which contains code snippets. I'll try again tomorrow.


WJCon (Enthusiast)

Based on running Rudi's script, which is here: ps/change_switchprofile_nsxt.ps1 at master · rumart/ps · GitHub, I get the error attached.

If I go into the UI and manually change the segment profile for that logical network to 'allowdhcp-segment-security-profile' it works fine.

If I check the protection state it shows REQUIRE_OVERRIDE, so my assumption is this is the cause of the error:

id display_name protection
-- ------------ ----------
0095a75e-03dd-4df7-843e-0f4ffa6b7858 0-Management-192_168_0_X-77999120-a800-4455-a088-3cfe042c666b REQUIRE_OVERRIDE

WJCon (Enthusiast)

Attached is the image with the setting changed in the UI. Apologies for the short notes; I had done longer write-ups but I suspect as they had code snippets they were getting blocked.

wila (Immortal)

@WJCon wrote:

Attached is the image with the setting changed in the UI. Apologies for the short notes; I had done longer write-ups but I suspect as they had code snippets they were getting blocked.

Code can trigger the antispam mechanism, as can the inclusion of links; you did both.
Please next time just report it and one of the moderators will unblock it; trying to repost it 6 times just gives us a lot of work (and for the record, we have no say in that antispam filter, it's just volunteer work 😞).

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva

Zsoldier (Expert)

If you are changing the segment profile on an existing segment, I've written code to do that and it shouldn't need the override, but you can include it if it gives you guff.

Powershell: Changing NSX-T Segment Profiles enmasse. (zsoldier.com)

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier

Zsoldier (Expert)

You don't need the override switch as long as you are modifying via the Policy API, which my code does. Hence another reason I loathe the NSX-T PowerCLI module.

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier

WJCon (Enthusiast)

This looks like exactly what I need, I'll give it a go today.

WJCon (Enthusiast)

Understood Wila, I'll know for next time - thank you.

WJCon (Enthusiast)

Chris, do you know if something has changed with the parameters on Invoke-RestMethod? It seems to not like the -Authentication parameter.

There was also an error on -SkipCertificationCheck but I have been able to get past that by trusting the certificate.

WJCon (Enthusiast)

Never mind, I can do this by building up the header instead, something similar to the below. I'll let you know how it goes.

#Build an HTTP Basic Authorization value from the prompted credentials
$credentials = Get-Credential
$auth = $credentials.UserName + ':' + $credentials.GetNetworkCredential().Password
$Encoded = [System.Text.Encoding]::UTF8.GetBytes($auth)
$auth64 = [System.Convert]::ToBase64String($Encoded)

#Headers passed to Invoke-RestMethod instead of -Authentication/-Credential
$header = @{}
$header.add("Accept","application/json")
$header.add("Content-Type","application/json")
$header.add("Authorization", "Basic $auth64")


WJCon (Enthusiast)

Hey Chris,

First of all, thanks for the patience.

This partially works for me.

Basically it works if the Segment has Segment Profiles that aren't the default, so let's say I create some other profiles, change the segment to use these profiles, then run the script; it will change them back to the desired profiles.

But if the Segment is just using the default profiles then I get the error attached.

I believe this is due to the lines where we are trying to get the value for $Binding; when the Segment has default values then the return of the GET is empty. It only seems to have values if there is a non-default profile in use:

$Binding = Invoke-restmethod -Uri ($base_url + $segmentendpoint + "/" + $segment.id + $endpoint) -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod

I think this then results in $Binding.results.path having a null value.

I think the PATCH API call should still work; the documentation says if it doesn't exist it should create it, but for some reason it is falling over for me.

If you run this against a Segment with all default profiles does this work for you - and are you using NSX-T 3.1.2?

WJCon (Enthusiast)

One additional note is that if you change it from the default and then change it back it still works. It's like the first change populates the info that is retrieved in the GET that populates the $Binding values.

So the only time it doesn't work for me is on a fresh segment that has never been changed. I still don't understand why the PATCH doesn't just create the required entry though.
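As an added example (not Zsoldier's script or anything else from the thread), this is the Policy API route the accepted answer describes, written to handle the case raised in the last two posts: a fresh segment returns no binding maps from the GET, so the script picks a binding-map id of its own and PATCHes it, which creates the map; an edited segment already has one, which is reused. $NsxManager and $BindingMapId are placeholders; the profile and segment names are the ones from the thread, and the segment is located through the Policy search API, which is an assumption about how to find vCD-created segments regardless of which Tier-1 they sit under.

```powershell
# Added example: set a segment's security profile through the NSX-T Policy API by
# PATCHing a SegmentSecurityProfileBindingMap, creating it when none exists.
# $NsxManager and $BindingMapId are placeholder values.
$NsxManager   = 'nsx-manager.example.com'
$SegmentName  = '0-Management-192_168_0_X-77999120-a800-4455-a088-3cfe042c666b'
$ProfileName  = 'allowdhcp-segment-security-profile'
$BindingMapId = 'segment-security-binding'   # id used only when the segment has no map yet

$cred = Get-Credential
$pair = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$headers = @{
    'Accept'        = 'application/json'
    'Content-Type'  = 'application/json'
    'Authorization' = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
}
$base = "https://$NsxManager/policy/api/v1"

function Find-PolicyObject($Type, $Name) {
    # The search API returns the object's policy path, which is valid whether the
    # segment lives under /infra/segments or /infra/tier-1s/<t1>/segments
    $q = [uri]::EscapeDataString("resource_type:$Type AND display_name:`"$Name`"")
    $r = Invoke-RestMethod -Uri "$base/search/query?query=$q" -Headers $headers -Method Get
    if ($r.result_count -lt 1) { throw "$Type '$Name' not found" }
    return $r.results[0]
}

$secProfile = Find-PolicyObject -Type 'SegmentSecurityProfile' -Name $ProfileName
$segment    = Find-PolicyObject -Type 'Segment' -Name $SegmentName

# A never-modified segment using all default profiles has no binding maps, so the GET
# comes back empty; a segment that was edited once in the UI has one we should reuse.
$mapsUri = "$base$($segment.path)/segment-security-profile-binding-maps"
$maps    = Invoke-RestMethod -Uri $mapsUri -Headers $headers -Method Get
$mapPath = if ($maps.result_count -gt 0) {
    $maps.results[0].path
} else {
    "$($segment.path)/segment-security-profile-binding-maps/$BindingMapId"
}

# PATCH is create-or-update on the Policy API, so the same call serves both cases
# and no X-Allow-Overwrite header is needed
$body = @{ segment_security_profile_path = $secProfile.path } | ConvertTo-Json
Invoke-RestMethod -Uri "$base$mapPath" -Headers $headers -Method Patch -Body $body | Out-Null
```

Add -SkipCertificateCheck to each Invoke-RestMethod call on PowerShell 7 if the manager's certificate is not trusted.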