lilyskk
Contributor

powercli to query dvport security settings

Hi

I have a distributed vswitch setup on each host. I need to create a script to capture the security settings on each dvport. Can anyone help me please?

Below is an example of the distributed vswitch I have on my environment.

1762191.png

I managed to create a script which outputs the Policy bit (Block Override Allowed, Shaping Override Allowed, Vendor Config Override Allowed, etc), using the following command:

get-virtualswitch -distributed | %{foreach ($portgroup in (Get-VirtualPortGroup -Distributed -VirtualSwitch $_)) {$portgroup.extensiondata.config.policy}}

1762191_1.png

But I'm stuck on getting the security settings as highlighted on the screenshot above (the first screenshot).

I tried to collect the defaultportconfig on the dvport, but it's showing as null. Below is the script I use to see the dvport group details:

get-virtualswitch -distributed | %{foreach ($portgroup in (Get-VirtualPortGroup -Distributed -VirtualSwitch $_)) {$portgroup.Extensiondata.config}}

Output:


Key                      : dvportgroup-42
Name                     : dvPort-Management
NumPorts                 : 0
DistributedVirtualSwitch : VmwareDistributedVirtualSwitch-1e fe 2d 50 90 62 fd
                           06-14 64 0f 35 02 a3 8c a2
DefaultPortConfig        :
Description              :
Type                     : earlyBinding
Policy                   : VMware.Vim.DVPortgroupPolicy
PortNameFormat           :
Scope                    :
VendorSpecificConfig     :
ConfigVersion            :
DynamicType              :
DynamicProperty          :

Perhaps there's some other way to query this...so if someone out there could help me with this, that'll be awesome!!! :)

Thanks heaps...

Cheers,

Lilys

0 Kudos
10 Replies
ykalchev
VMware Employee

Hi,

Can you try the following script and check if the output is the same:

$pg = Get-View -ViewType DistributedVirtualPortgroup -filter @{"Name"="dvPort-Management"}

$pg.Config

Thanks,

Yasen

Yasen Kalchev, vSM Dev Team
0 Kudos
LucD
Leadership

For portgroups on dvSwitches these settings are stored differently.

See the DVSSecurityPolicy object for the details. Notice that you can use the Inherited property to check if the setting came from the dvSwitch or if it was set explicitly on the dvPortgroup.

See also my dvSwitch scripting – Part 2 – dvPortgroup post where I provide a function to set these and other properties.

Try this

get-virtualswitch -distributed | %{
    Get-VirtualPortGroup -Distributed -VirtualSwitch $_ | 
        Select Name,
        @{N="AllowPromiscuous";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="ForgedTransmits";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="MacChanges";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}}
}

Note that this assumes you are using the VMware provided dvSwitch; with the one from Cisco this is slightly different.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
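The check described in the post above, as an added example that is not part of the original thread or VMware's code: it reports each security setting with its Inherited flag and flags a portgroup whose DefaultPortConfig comes back empty instead of printing blank columns. The function name, the Finding labels and the sample objects (including the name dvPort-Example) are assumptions made for illustration.

```powershell
# Added example: audit dvPortgroup security policy from Get-View style objects.
function Get-DvPortgroupSecurityAudit {
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Portgroup   # object with .Name and .Config, as returned by Get-View
    )
    process {
        $sec = $null
        if ($Portgroup.Config.DefaultPortConfig) {
            $sec = $Portgroup.Config.DefaultPortConfig.SecurityPolicy
        }
        if (-not $sec) {
            # DefaultPortConfig is empty: say so rather than emit blank values.
            [pscustomobject]@{ Portgroup = $Portgroup.Name; Setting = 'SecurityPolicy'
                               Value = $null; Inherited = $null; Finding = 'NoData' }
            return
        }
        foreach ($name in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
            $policy = $sec.$name
            [pscustomobject]@{
                Portgroup = $Portgroup.Name
                Setting   = $name
                Value     = $policy.Value
                Inherited = $policy.Inherited   # from the dvSwitch, or set on the portgroup
                Finding   = if ($policy.Value) { 'Permissive' } else { 'OK' }
            }
        }
    }
}

# Constructed sample objects mimicking the shape of DistributedVirtualPortgroup views.
function New-SamplePolicy($value, $inherited) {
    [pscustomobject]@{ Value = $value; Inherited = $inherited }
}
$samples = @(
    [pscustomobject]@{ Name = 'dvPort-Management'; Config = [pscustomobject]@{ DefaultPortConfig = $null } },
    [pscustomobject]@{ Name = 'dvPort-Example'; Config = [pscustomobject]@{
        DefaultPortConfig = [pscustomobject]@{ SecurityPolicy = [pscustomobject]@{
            AllowPromiscuous = New-SamplePolicy $true  $false
            ForgedTransmits  = New-SamplePolicy $false $true
            MacChanges       = New-SamplePolicy $false $true } } } }
)
$samples | Get-DvPortgroupSecurityAudit | Format-Table -AutoSize

# Against a live vCenter session, feed it the views instead:
# Get-View -ViewType DistributedVirtualPortgroup | Get-DvPortgroupSecurityAudit
```

With the constructed samples, dvPort-Management yields a single NoData row and dvPort-Example yields three rows, with AllowPromiscuous marked Permissive and not inherited.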
lilyskk
Contributor

Hi Yasen,

Thanks for your reply.

I tried your script but I got the same output. Default Port Config is showing as null.

Cheers,

Lilys

1762191_2.png

0 Kudos
lilyskk
Contributor

Hi LucD,

Thanks heaps for that. I tried your script, but no luck either. Please find below for the screenshot:

1762191_3.png

The problem is it couldn't see the defaultportconfig... it shows as null (as mentioned on my original message). However it shows all the properties fine on the GUI (via vSphere Client).

So if I do this : get-virtualswitch -distributed | %{Get-VirtualPortGroup -Distributed -VirtualSwitch $_ | %{ $_.extensiondata.config}}

It'll show as:

so if I query $_.extensiondata.config.defaultportconfig, it returns nothing.

Any ideas??

Cheers,

Lilys

0 Kudos
LucD
Leadership

Which PowerCLI build are you running ?

Get-PowerCLIVersion

And against which vCenter/ESX(i) versions ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
lilyskk
Contributor

Hi Luc,

We're running PowerCLI 4.1 U1 build 332441.

1762191_5.png

vCenter version 4.1 build 258902 and ESXi version 4.1.0 build 260247

0 Kudos
LucD
Leadership

Strange, I'm using the same versions/builds.

I did notice that the ConfigVersion property also seems to be empty.

How did you create the dvSwitch and the portgroups ?

Manually in the vSphere Client or with a script ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
lilyskk
Contributor

Hi Luc,

I wasn't involved in creating the dvswitch and port group. But I've been told they were created manually in vSphere Client. And applied the host profile to the rest of the ESXi hosts so that they all have the same settings.

Is there any difference between creating manually vs script?

0 Kudos
LucD
Leadership

Not that I know of, just trying to see why that property is not filled in your environment.

Would it be possible to define a test dvSwitch from within the vSphere Client and not apply the host profile on it ?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
lilyskk
Contributor

Hey Luc!!

My colleague just applied vCenter Server 4.1 Update 1. And that seems to fix the problem?

After he installed the update last night, and I tried the command (below) again today that works fine :)

get-virtualswitch -distributed | %{
    Get-VirtualPortGroup -Distributed -VirtualSwitch $_ |
        Select Name,
        @{N="AllowPromiscuous";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="ForgedTransmits";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="MacChanges";E={$_.extensiondata.config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}}
    }

1762191_7.png

Thanks heaps for all your help.

Cheers,

Lilys

0 Kudos