VMware Cloud Community
SCharchouf
Hot Shot

Promiscuous Mode Policy Change

I'm using the script below to get Promiscuous Mode and then set it to the desired value. I need assistance in order to create a script that can:

  1. First get Promiscuous Mode
  2. Identify ESXi hosts that have the wrong configuration
  3. Set the configuration to the desired value


# Output files for the before/after snapshots
$file_before = '.\promiscuous-before.txt'
$file_after  = '.\promiscuous-after.txt'

$ESXs = Get-VMHost

# Snapshot of the current security policy on every standard switch
$ESXs | ForEach-Object {
    $esx = $_
    Get-VirtualSwitch -VMHost $esx | ForEach-Object {
        $switch = $_
        $sec = Get-SecurityPolicy -VirtualSwitch $switch
        "$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_before
    }
}

# Disable all three options on every standard switch
$ESXs | Get-VirtualSwitch | Get-SecurityPolicy | Set-SecurityPolicy `
    -MacChanges $false `
    -ForgedTransmits $false `
    -AllowPromiscuous $false

# Snapshot after the change
$ESXs | ForEach-Object {
    $esx = $_
    Get-VirtualSwitch -VMHost $esx | ForEach-Object {
        $switch = $_
        $sec = Get-SecurityPolicy -VirtualSwitch $switch
        "$esx $switch $($sec.AllowPromiscuous) $($sec.ForgedTransmits) $($sec.MacChanges)" >> $file_after
    }
}

5 Replies
LucD
Leadership

Try something like this.

It works for VSS and VDS.


# Desired hardened policy for standard (VSS) and distributed (VDS) switches
$newVSSPolicy = @{
    VirtualSwitchPolicy = $null
    AllowPromiscuous    = $false
    MacChanges          = $false
    ForgedTransmits     = $false
    Confirm             = $false
}
$newVDSPolicy = @{
    Policy           = $null
    AllowPromiscuous = $false
    MacChanges       = $false
    ForgedTransmits  = $false
    Confirm          = $false
}

$reportBefore = @()
$reportAfter = @()

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    # VSS: only switches where at least one option is still enabled
    Get-VirtualSwitch -Standard -VMHost $esx -PipelineVariable vss |
    Get-SecurityPolicy -PipelineVariable policy |
    Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } |
    ForEach-Object -Process {
        $reportBefore += New-Object -TypeName PSObject -Property @{
            VMHost           = $esx.Name
            Switch           = $vss.Name
            AllowPromiscuous = $policy.AllowPromiscuous
            MacChanges       = $policy.MacChanges
            ForgedTransmits  = $policy.ForgedTransmits
        }
        $newVSSPolicy.VirtualSwitchPolicy = $policy
        Set-SecurityPolicy @newVSSPolicy
        # Read the policy back after the change
        Get-SecurityPolicy -VirtualSwitch $vss |
        ForEach-Object -Process {
            $reportAfter += New-Object -TypeName PSObject -Property @{
                VMHost           = $esx.Name
                Switch           = $vss.Name
                AllowPromiscuous = $_.AllowPromiscuous
                MacChanges       = $_.MacChanges
                ForgedTransmits  = $_.ForgedTransmits
            }
        }
    }

    # VDS: same filter and remediation for distributed switches
    Get-VDSwitch -VMHost $esx -PipelineVariable vds |
    Get-VDSecurityPolicy -PipelineVariable policy |
    Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } |
    ForEach-Object -Process {
        $reportBefore += New-Object -TypeName PSObject -Property @{
            VMHost           = $esx.Name
            Switch           = $vds.Name
            AllowPromiscuous = $policy.AllowPromiscuous
            MacChanges       = $policy.MacChanges
            ForgedTransmits  = $policy.ForgedTransmits
        }
        $newVDSPolicy.Policy = $policy
        Set-VDSecurityPolicy @newVDSPolicy
        # Read the policy back after the change
        Get-VDSecurityPolicy -VDSwitch $vds |
        ForEach-Object -Process {
            $reportAfter += New-Object -TypeName PSObject -Property @{
                VMHost           = $esx.Name
                Switch           = $vds.Name
                AllowPromiscuous = $_.AllowPromiscuous
                MacChanges       = $_.MacChanges
                ForgedTransmits  = $_.ForgedTransmits
            }
        }
    }
}

$reportBefore | Export-Csv -Path .\report-before.csv -NoTypeInformation -UseCulture
$reportAfter | Export-Csv -Path .\report-after.csv -NoTypeInformation -UseCulture


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

I got the below error message:


Get-SecurityPolicy : Cannot validate argument on parameter 'VirtualSwitch'. The argument is null. Provide a valid value for the argument, and then try running the
command again.
At X:\Test.ps1:576 char:39
+ Get-SecurityPolicy -VirtualSwitch $switch -PipelineVariable polic ...
+ ~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-SecurityPolicy], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetSecurityPolicy
LucD
Leadership

There was some code in there that I forgot to remove.
The code is updated.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

SCharchouf
Hot Shot

Thanks, there's no error now but both CSV files are empty.

LucD
Leadership

There was another typo in the code, which I just corrected.

If none of the switches has an incorrect setting, the CSV files will be empty.
That is exactly what your request seems to ask for.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
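An added audit-only variant (example code, not LucD's or the thread's) for the point above: it reports every switch, compliant or not, so an empty CSV is never ambiguous, and it goes one step beyond the thread by also reading the port group policies, which can override the switch-level setting. It assumes an existing Connect-VIServer session; $auditPath and the two helper functions are assumptions of this example.

```powershell
# Added audit-only example (not LucD's code). Assumes a connected PowerCLI session.
$auditPath = '.\vswitch-security-audit.csv'   # assumed output path

function Test-SecurityPolicyCompliant {
    param($Policy)
    # Desired hardened state: all three options disabled
    -not ($Policy.AllowPromiscuous -or $Policy.MacChanges -or $Policy.ForgedTransmits)
}

function New-AuditRow {
    param($VMHost, $Switch, $PortGroup, $Policy)
    [PSCustomObject]@{
        VMHost           = $VMHost
        Switch           = $Switch
        PortGroup        = $PortGroup      # '-' marks the switch-level policy
        AllowPromiscuous = $Policy.AllowPromiscuous
        MacChanges       = $Policy.MacChanges
        ForgedTransmits  = $Policy.ForgedTransmits
        Compliant        = Test-SecurityPolicyCompliant $Policy
    }
}

$audit = foreach ($esx in Get-VMHost) {
    # Standard switches and their port groups (port groups may override the switch policy)
    foreach ($vss in Get-VirtualSwitch -Standard -VMHost $esx) {
        New-AuditRow $esx.Name $vss.Name '-' (Get-SecurityPolicy -VirtualSwitch $vss)
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            New-AuditRow $esx.Name $vss.Name $pg.Name (Get-SecurityPolicy -VirtualPortGroup $pg)
        }
    }
    # Distributed switches seen by this host and their port groups
    foreach ($vds in Get-VDSwitch -VMHost $esx) {
        New-AuditRow $esx.Name $vds.Name '-' (Get-VDSecurityPolicy -VDSwitch $vds)
        foreach ($pg in Get-VDPortgroup -VDSwitch $vds) {
            New-AuditRow $esx.Name $vds.Name $pg.Name (Get-VDSecurityPolicy -VDPortgroup $pg)
        }
    }
}

# Full audit (one row per switch/port group) plus the non-compliant subset for remediation
$audit | Export-Csv -Path $auditPath -NoTypeInformation -UseCulture
$audit | Where-Object { -not $_.Compliant }
```

Nothing is changed by this script; feed the non-compliant rows into the Set-SecurityPolicy / Set-VDSecurityPolicy step from the answer above once the list has been reviewed.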
