VMware Cloud Community
rg01
Contributor

problem with script

For some reason this is only working on port groups on vswitch0.

Foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
    $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem

    Foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
        If($pg.spec.Name -like "VM*"){
            Write $pg.spec.Name
            $pg.spec.policy.security.allowPromiscuous=$true
            $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
        }
    }
}

The rest get this error:

Property 'allowPromiscuous' cannot be found on this object; make sure it exists
and is settable.
At H:\Scripts\pg-security-test1.ps1:44 char:37
+             $pgspec.policy.security. <<<< allowPromiscuous=$true
    + CategoryInfo          : InvalidOperation: (allowPromiscuous:String) [],
   RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

0 Kudos
LucD
Leadership

In the error message it says "$pgspec.policy.security" instead of "$pg.spec.policy.security".

Is the dot after $pg really missing or is that a copy/paste problem?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
rg01
Contributor

It is just a copy/paste problem.

Property 'allowPromiscuous' cannot be found on this object; make sure it exists
and is settable.
At H:\Scripts\pg-security-test2.ps1:9 char:34
+         $pg.spec.policy.security. <<<< allowPromiscuous=$true
    + CategoryInfo          : InvalidOperation: (allowPromiscuous:String) [],
   RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

0 Kudos
LucD
Leadership

I get the same error message when I run the script against a portgroup that has no NICs assigned.

With the following adaption you can avoid this situation

foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
    $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem

    foreach ($pg in $NetworkSystem.Networkconfig.PortGroup){
        if($pg.spec.policy.NicTeaming -and
            ($pg.spec.policy.NicTeaming.NicOrder.ActiveNic -or
            $pg.spec.policy.NicTeaming.NicOrder.StandbyNic) -and
            $pg.spec.Name -like "VM*"){
            Write $pg.spec.Name
            $pg.spec.policy.security.allowPromiscuous=$true
            $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
        }
    }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
rg01
Contributor

Thanks LucD, but some of my vswitches/port groups don't have an associated NIC. However, this isn't matching anything, even the ones that do.

0 Kudos
LucD
Leadership

Apparently the properties I'm testing against are only filled in in the ComputedPolicy property.

Try this variant on the script.

foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
    $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem

    foreach ($pg in $vh01.Config.Network.Portgroup){
        if($pg.ComputedPolicy.NicTeaming -and
            ($pg.ComputedPolicy.NicTeaming.NicOrder.ActiveNic -or
            $pg.ComputedPolicy.NicTeaming.NicOrder.StandbyNic) -and
            $pg.spec.Name -like "VM*"){
            Write $pg.spec.Name
            $pg.spec.policy.security.allowPromiscuous=$true
            $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
        }
    }
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

rg01
Contributor

That works on the ones that have nics associated with them but not the ones that don't.

0 Kudos
LucD
Leadership

That is exactly what the script is supposed to do.

If there are no NICs, the Security property in the HostPortgroupSpec object is $null and the script is not able to change the setting.

You can of course create the HostPortgroupSpec or HostNetworkSecurityPolicy object from scratch (with the New-Object cmdlet).

And then call the UpdatePortgroup method with the object you created and populated.

Let me know if you need any assistance with that.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
rg01
Contributor

My skills are limited and I'll look up how to do this but if you could throw me a bone it would be much appreciated.

0 Kudos
LucD
Leadership

Try this.

The script checks the conditions when the Security is $null and in that case it will create the object instead of using the copy from the portgroup.

foreach ($vh01 in (Get-View -ViewType HostSystem -Filter @{"Name" = "esx1.domain.com"})){
    $NetworkSystem = Get-View $vh01.ConfigManager.NetworkSystem

    foreach ($pg in $vh01.Config.Network.Portgroup){
        if($pg.spec.Name -like "VM*"){
            if($pg.ComputedPolicy.NicTeaming -and
                ($pg.ComputedPolicy.NicTeaming.NicOrder.ActiveNic -or
                $pg.ComputedPolicy.NicTeaming.NicOrder.StandbyNic)){
                # NICs assigned: change the security policy already present in the spec
                Write $pg.spec.Name
                $pg.spec.policy.security.allowPromiscuous=$true
                $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
            }
            else{
                # No NICs: Security is $null in the spec, so create the object first
                Write $pg.spec.Name
                $pg.spec.policy.security = New-Object VMware.Vim.HostNetworkSecurityPolicy
                $pg.spec.policy.security.allowPromiscuous=$true
                $pg.spec.policy.security.forgedtransmits=$true
                $pg.spec.policy.security.MacChanges=$true
                $NetworkSystem.UpdatePortgroup($pg.spec.name,$pg.spec)
            }
        }
    }
}

Note that the other 2 security properties are also set in case the object is created from scratch.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
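A read-only report of the security policy each matching portgroup ends up with, added here as an example and not part of either poster's scripts. It uses Spec.Policy.Security to tell whether the portgroup spec carries its own policy and assumes ComputedPolicy.Security holds the values in effect; the function names, output columns and sample objects are constructed for the illustration.

```powershell
# Added example: read-only report, it never calls UpdatePortgroup.
function Get-PortgroupSecurityAudit {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Portgroup,
        [string] $NameFilter = '*'
    )
    foreach ($pg in $Portgroup) {
        if ($pg.Spec.Name -notlike $NameFilter) { continue }
        # Spec.Policy.Security is $null when the spec carries no policy of its own
        $source = if ($null -eq $pg.Spec.Policy.Security) { 'not set in spec' } else { 'portgroup spec' }
        # Assumption: ComputedPolicy.Security holds the values actually in effect
        $effective = $pg.ComputedPolicy.Security
        $enabled = @(foreach ($setting in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
            if ($effective -and $effective.$setting -eq $true) { $setting }
        })
        [pscustomobject]@{
            Name    = $pg.Spec.Name
            Source  = $source
            Enabled = $enabled -join ','
            Relaxed = ($enabled.Count -gt 0)
        }
    }
}

# Constructed sample objects using the same property paths as the portgroup views
function New-SamplePortgroup {
    param($Name, $SpecSecurity, $Promiscuous, $Forged, $MacChanges)
    [pscustomobject]@{
        Spec = [pscustomobject]@{
            Name   = $Name
            Policy = [pscustomobject]@{ Security = $SpecSecurity }
        }
        ComputedPolicy = [pscustomobject]@{
            Security = [pscustomobject]@{
                AllowPromiscuous = $Promiscuous; ForgedTransmits = $Forged; MacChanges = $MacChanges
            }
        }
    }
}
$explicit = [pscustomobject]@{ AllowPromiscuous = $true }
$sample = @(
    New-SamplePortgroup 'VM Network' $explicit $true  $true  $true
    New-SamplePortgroup 'VM Lab'     $null     $false $false $false
    New-SamplePortgroup 'Management' $null     $false $true  $true
)
Get-PortgroupSecurityAudit -Portgroup $sample -NameFilter 'VM*' | Format-Table -AutoSize

# Against a live host view ($vh01 as in the thread):
# Get-PortgroupSecurityAudit -Portgroup $vh01.Config.Network.Portgroup -NameFilter 'VM*'
```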
rg01
Contributor

That's it. Thank you!

0 Kudos