Solved: Script to modify vSwith Security settings

nareshunik · ‎03-19-2012

We need a script to modify the vSwitch Security settings.

To change the below:-

Mac address Changes Accept to Reject

Forged Transmit Accept to Reject

The above two settings need to change on all the vSwitch in the vcenter.

DougBaer · ‎03-20-2012

Absolutely. Pass an argument to Get-VMHost

If you pass the full hostname (as it shows in vCenter), it will act on one host:

Get-VMHost MYESXi01.mydomain.com

or if you want to do multiple, you can pass a wildcard:

Get-VMHost MYESXi*.mydomain.com

FWIW, I think this should do the same thing in a single line if you like that better

Get-VMhost|%{$hv=Get-View $_.ID;$ns=$hv.ConfigManager.NetworkSystem;($hv.Config.Network.Vswitch)|%{$vs=$_.Spec;$vs.Policy.Security.AllowPromiscuous=$false;$vs.Policy.Security.ForgedTransmits=$false; $vs.Policy.Security.MacChanges=$false;$ns.UpdateVirtualSwitch($_.Name,$vs)}}

Doug

Doug Baer, Solution Architect, Advanced Services, Broadcom | VCDX #019, vExpert 2012-23

View solution in original post

nareshunik · ‎03-19-2012

here is the script. Testedand works fine.

========================

foreach ($vmhost in Get-VMHost)
{
$hostview = Get-View $vmhost.ID
$ns = Get-View -Id $hostview.ConfigManager.NetworkSystem

foreach($sw in $hostview.Config.Network.Vswitch)
{
$vsSpec = $sw.Spec
$vsSpec.Policy.Security.AllowPromiscuous = $false
$vsSpec.Policy.Security.ForgedTransmits = $false
$vsSpec.Policy.Security.MacChanges = $false
$ns.UpdateVirtualSwitch($sw.Name, $vsSpec)
}
}

JDLangdon · ‎03-20-2012

Is there any way to do this with a simple one-line cmdlet as opposed to scritping?

DougBaer · ‎03-20-2012

Using PowerCLI (implied based on your use of 'cmdlet'), I doubt it.

At a minimum, this action script needs to grab all vSwitches on all hosts within scope and configure the parameters accordingly. I think the posted code is just about as simple as its going to get. You could stuff it into a PS function so you could call it using a single line, but the backend code would still look something like this.

If you're using a vDS, you could probably do it as a long one-liner.

Doug Baer, Solution Architect, Advanced Services, Broadcom | VCDX #019, vExpert 2012-23

JDLangdon · ‎03-20-2012

Is there any way to specify which host the modifications are made to as opposed to letting it make the modifications to all hosts?

DougBaer · ‎03-20-2012

Absolutely. Pass an argument to Get-VMHost

If you pass the full hostname (as it shows in vCenter), it will act on one host:

Get-VMHost MYESXi01.mydomain.com

or if you want to do multiple, you can pass a wildcard:

Get-VMHost MYESXi*.mydomain.com

FWIW, I think this should do the same thing in a single line if you like that better

Get-VMhost|%{$hv=Get-View $_.ID;$ns=$hv.ConfigManager.NetworkSystem;($hv.Config.Network.Vswitch)|%{$vs=$_.Spec;$vs.Policy.Security.AllowPromiscuous=$false;$vs.Policy.Security.ForgedTransmits=$false; $vs.Policy.Security.MacChanges=$false;$ns.UpdateVirtualSwitch($_.Name,$vs)}}

Doug

Doug Baer, Solution Architect, Advanced Services, Broadcom | VCDX #019, vExpert 2012-23