We have a lab that has a lot of nested ESXi hosts for development purposes.
Prior to 6.7 we changed the default config on the DVS to allow Promiscuous Mode, Forged Transmits and MAC Changes.
The basic snippet that did this is below.
On a 6.5 DVS we would use:
# Inputs: the DVS name and the three security settings to apply as the switch-wide default
param(
    [Parameter(Mandatory)][string]$switchname,
    [bool]$promiscuous,
    [bool]$macChanges,
    [bool]$forgedTransmits
)
$dvSwitch = Get-VDSwitch -Name $switchname
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
# ConfigVersion must match the current value or the reconfigure task is rejected
$spec.ConfigVersion = $dvSwitch.ExtensionData.Config.ConfigVersion
$spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.DefaultPortConfig.SecurityPolicy = New-Object VMware.Vim.DVSSecurityPolicy
$spec.DefaultPortConfig.SecurityPolicy.AllowPromiscuous = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value = $promiscuous
$spec.DefaultPortConfig.SecurityPolicy.MacChanges = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.MacChanges.Value = $macChanges
$spec.DefaultPortConfig.SecurityPolicy.ForgedTransmits = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value = $forgedTransmits
# Apply the new default port configuration to the switch
$dvSwitch.ExtensionData.ReconfigureDvs_Task($spec)
With 6.7 there are new settings which incorporate MAC learning and remove the need for promiscuous mode, but there is a requirement to set the "enable MAC learning" flag on the PG; see below.
Based on William Lam's script I am able to enable this on a per-PG level (after the PG is created). However, I am looking for a way to make the default setting on new portgroups be to have MAC learning enabled.
Anyone know how I would achieve this?
The desired outcome (like the first snippet of code, for DVS 6.5) would be to have a PowerCLI script where I can set the default security settings (including the new MAC learning) on a 6.7 DVS.
AFAIK, and as far as I can tell from the API Reference, this can only be done per VDS portgroup.
There is no default setting for this on a VDS.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks Luc for the prompt response. We have a method to do it per PG; it's a shame it can't be done by default at the vDS level.
You could launch an RFC for that feature, but I'm not sure that would get a timely reply.
Thanks Luc,
For now I have the below, which will do the trick. Basically it allows me to input a folder name and will do all virtual wires for any VM that resides in that folder. Our setup is vCD based, so the folder will contain all VMs for a vApp.
It's basically just piggybacking on William Lam's scripts to suit them better to our needs.
# Load the Get-MacLearn / Set-MacLearn functions from William Lam's post
Import-Module c:\Scripts\MacLearnFunctions.ps1 -Force
$folderList = Get-Content c:\Scripts\maclearnfolder.txt
foreach ($folder in Get-Folder -Name $folderList) {
    # Every portgroup used by a VM in this folder
    $wires = Get-Folder $folder | Get-VM | Get-VirtualPortGroup
    Write-Host 'Processing folder' $folder
    foreach ($wire in $wires) {
        Write-Host 'Processing virtualwire' $wire
        Set-MacLearn -DVPortgroupName @($wire) -EnableMacLearn $true -EnablePromiscuous $false -EnableForgedTransmit $true -EnableMacChange $false
        Get-MacLearn -DVPortgroupName @($wire)
    }
}
You might be reconfiguring the same portgroup more than once, when there are more VMs in the list connected to a specific portgroup.
Perhaps do the Get-MacLearn first to check if the portgroup is already configured correctly.
Thanks Luc, good points.
I have added '| Get-VirtualPortGroup | Select -Unique', which seems to be returning just a single entry.
In relation to the check: I could implement the Get-MacLearn check per William's post, but in our scenario they will always be new virtual wires. Basically, when we spin out a vApp it creates all the networks at that point; they are all new and all have the default settings. The last step of spinning out the vApp will be to run the Set-MacLearn, so the previous value is known as they were just created seconds before the script is run.
Just to account for Luc's points:
a) Might return a network more than once
b) To check to see if it is already enabled
Below is the script that I am using currently, and it seems to be working to this point.
# Load the Get-MacLearn / Set-MacLearn functions from William Lam's post
Import-Module c:\Scripts\MacLearnFunctions.ps1 -Force
$folderList = Get-Content c:\Scripts\maclearnfolder.txt
$counterfolder = 0
$counternetwork = 0
$counteralreadyset = 0
foreach ($folder in Get-Folder -Name $folderList) {
    # -Unique so a portgroup shared by several VMs in the folder is only processed once
    $networks = Get-Folder $folder | Get-VM | Get-VirtualPortGroup | Select-Object -Unique
    Write-Host 'Processing folder' $folder
    $counterfolder++
    foreach ($network in $networks) {
        #Write-Host 'Processing network' $network
        # Read the current policy first so an already-configured portgroup is not reconfigured
        $currentspec = Get-MacLearn -DVPortgroupName @($network)
        $currentlearn = $currentspec.MacLearning
        #Write-Host 'Current Setting ' $currentlearn
        # MacLearning is a boolean; compare against $true rather than the string 'True'
        if ($currentlearn -eq $true) {
            Write-Host 'Mac Learn is already enabled on' $network
            $counteralreadyset++
        } else {
            Set-MacLearn -DVPortgroupName @($network) -EnableMacLearn $true -EnablePromiscuous $false -EnableForgedTransmit $true -EnableMacChange $false
            $counternetwork++
        }
    }
}
Write-Host 'Processed folder count:' $counterfolder -ForegroundColor Yellow
Write-Host 'Turned Mac Learning on count:' $counternetwork -ForegroundColor Green
Write-Host 'Mac Learning already correct count:' $counteralreadyset -ForegroundColor Blue
As always thanks for the help Luc.
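The script above depends on the Get-MacLearn / Set-MacLearn functions from William Lam's post, which are not reproduced in this thread. The following is an added example (not code from the thread, from William Lam, or from VMware) that does the same job directly against the vSphere 6.7 API, so the per-portgroup limitation Luc describes and the de-duplication and "already set" check discussed above are all visible in one place. It assumes a PowerCLI session connected to a 6.7 or later vCenter with the VMware.VimAutomation.Vds module loaded, and the 6.7 API types VMware.Vim.DVSMacManagementPolicy and VMware.Vim.DVSMacLearningPolicy. The function names, the MAC limit default and the folder-list path are assumptions made for the example.

```powershell
# Added example, not part of the original thread. Assumes PowerCLI connected to
# vCenter 6.7+ and the 6.7 API types DVSMacManagementPolicy / DVSMacLearningPolicy.

function Get-DVPortgroupMacPolicy {
    # Read the effective MAC management policy of one distributed portgroup.
    param([Parameter(Mandatory)][string]$Name)
    $pg   = Get-VDPortgroup -Name $Name -ErrorAction Stop
    $mgmt = $pg.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy   # $null on pre-6.7 switches
    [pscustomobject]@{
        Portgroup       = $pg.Name
        MacLearning     = [bool]$mgmt.MacLearningPolicy.Enabled
        UnicastFlooding = [bool]$mgmt.MacLearningPolicy.AllowUnicastFlooding
        MacLimit        = $mgmt.MacLearningPolicy.Limit
        Promiscuous     = [bool]$mgmt.AllowPromiscuous
        ForgedTransmits = [bool]$mgmt.ForgedTransmits
        MacChanges      = [bool]$mgmt.MacChanges
    }
}

function Set-DVPortgroupMacPolicy {
    # Enable MAC learning on a portgroup and set the three classic security flags.
    # Defaults follow the thread: learning on, promiscuous off, forged transmits on, MAC changes off.
    param(
        [Parameter(Mandatory)][string]$Name,
        [bool]$EnableMacLearn       = $true,
        [bool]$AllowUnicastFlooding = $true,
        [int]$MacLimit              = 4096,          # assumed limit; per-port learned-MAC cap
        [ValidateSet('allow','drop')][string]$LimitPolicy = 'drop',
        [bool]$EnablePromiscuous    = $false,
        [bool]$EnableForgedTransmit = $true,
        [bool]$EnableMacChange      = $false
    )
    $view = (Get-VDPortgroup -Name $Name -ErrorAction Stop).ExtensionData

    $learn = New-Object VMware.Vim.DVSMacLearningPolicy
    $learn.Inherited            = $false           # override, do not inherit from the switch
    $learn.Enabled              = $EnableMacLearn
    $learn.AllowUnicastFlooding = $AllowUnicastFlooding
    $learn.Limit                = $MacLimit
    $learn.LimitPolicy          = $LimitPolicy

    $mgmt = New-Object VMware.Vim.DVSMacManagementPolicy
    $mgmt.Inherited         = $false
    $mgmt.AllowPromiscuous  = $EnablePromiscuous
    $mgmt.ForgedTransmits   = $EnableForgedTransmit
    $mgmt.MacChanges        = $EnableMacChange
    $mgmt.MacLearningPolicy = $learn

    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.ConfigVersion = $view.Config.ConfigVersion   # stale version => reconfigure is rejected
    $spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $spec.DefaultPortConfig.MacManagementPolicy = $mgmt
    $view.ReconfigureDVPortgroup($spec)                 # synchronous; throws on failure
}

function Set-MacLearningForFolders {
    # For every VM folder given, enable MAC learning once per distributed portgroup
    # in use by the VMs there, skipping portgroups that are already correct.
    param([Parameter(Mandatory)][string[]]$FolderName)
    $summary = @{ Folders = 0; Changed = 0; AlreadySet = 0; Failed = 0 }
    foreach ($folder in Get-Folder -Name $FolderName) {
        $summary.Folders++
        # Distributed portgroups only, de-duplicated by name so a shared portgroup is touched once
        $pgNames = Get-VM -Location $folder | Get-VirtualPortGroup |
            Where-Object { $_.ExtensionData -is [VMware.Vim.DistributedVirtualPortgroup] } |
            Select-Object -ExpandProperty Name -Unique
        foreach ($name in $pgNames) {
            try {
                $current = Get-DVPortgroupMacPolicy -Name $name
                # "Correct" means learning on and promiscuous off; anything else is reconfigured
                if ($current.MacLearning -and -not $current.Promiscuous) {
                    $summary.AlreadySet++
                    continue
                }
                Set-DVPortgroupMacPolicy -Name $name
                $summary.Changed++
            } catch {
                Write-Warning "Portgroup '$name' in folder '$($folder.Name)': $($_.Exception.Message)"
                $summary.Failed++
            }
        }
    }
    [pscustomobject]$summary
}

# Usage (path is an assumption): one folder name per line, as in the thread
# Set-MacLearningForFolders -FolderName (Get-Content c:\Scripts\maclearnfolder.txt)
```

Two points worth keeping in mind when adapting this. Promiscuous mode on a portgroup lets every VM on it see every other VM's frames, which is the setting the nested-ESXi workaround used to require; MAC learning lets the nested hosts' inner MACs be learned instead, so Promiscuous can stay off while Forged Transmits stays on (the nested VMs still need to send with MACs other than their own vNIC's). The MAC limit and limit policy are per port: with `drop`, a nested host that exceeds the limit silently loses traffic for the extra MACs, so size it for the number of VMs you expect inside each nested host.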
Perfect, and thanks for sharing that.