Hi,
I am trying to build a script which will verify if the DVS standard security settings are being applied on all levels of vdswitch.
I started exploring the objects with PowerCLI and I am a little puzzled.
First, I grabbed all the non-uplink VDS port groups:
$All_pg_view = Get-View -ViewType Network | Where-Object { $_.gettype().Name -like 'DistributedVirtualPortgroup' -and $_.tag.key -notlike 'SYSTEM/DVS.UPLINKPG' }
By default, on a brand new switch with default settings, this is the output received:
$All_pg_view.Config.DefaultPortConfig.SecurityPolicy
AllowPromiscuous MacChanges ForgedTransmits Inherited
---------------- ---------- --------------- ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
Notice the Inherited = true on all port groups.
However, say you had a port group for which you manually went in and changed a setting.
The output would become something like:
AllowPromiscuous MacChanges ForgedTransmits Inherited
---------------- ---------- --------------- ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy False
Furthermore, if you dig into the AllowPromiscuous, MacChanges, ForgedTransmits property there is also a parameter there, called "inherited".
So, I went in and manually modified the setting for a test port group (from reject to accept) for forged transmits:
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits
Value Inherited
----- ---------
True False
Then I changed it back, and the object became:
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits
Value Inherited
----- ---------
False False
OK, so I set the setting back to the default, but it still does not appear inherited, at either port group level or at setting level. I guess this is normal.
Digging around, I found a PowerCLI cmdlet to reset inheritance itself!
$pg_obj = Get-VDPortgroup -Name ($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'}).name
$pols = $pg_obj | Get-VDSecurityPolicy | ? {$_.AllowPromiscuousInherited -eq $False -or $_.ForgedTransmitsInherited -eq $False -or $_.MacChangesInherited -eq $False} | Set-VDSecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true -Confirm:$false
After this, the "setting level" is updated to "inherited = true", but the "global" inherited, next to the individual settings, appears as false.
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits
Value Inherited
----- ---------
False True
C:\> ($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy
AllowPromiscuous MacChanges ForgedTransmits Inherited
---------------- ---------- --------------- ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy False
I would like to understand what the "1st" inherited (under config.defaultportconfig.securitypolicy) stands for, and how it can be set from false to true, if it is of any real use to do so.
I tried to enable inheritance at VDS level, but the cmdlet does not allow this, so clearly it does not affect this particular option.
IonutN
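The kind of audit the post is working toward, as an added example that is not part of the original post: it walks every distributed switch and every non-uplink port group with the same Get-VDSwitch / Get-VDPortgroup / Get-VDSecurityPolicy cmdlets, flags any of the three settings that is Accept, and flags port-group settings whose per-setting Inherited flag is false even when the value matches the baseline. It assumes an existing Connect-VIServer session and that Reject ($false) is the expected value for all three settings; the uplink filter reuses the post's SYSTEM/DVS.UPLINKPG tag via ExtensionData.

```powershell
# Added example, not from the original post. Requires PowerCLI and an
# active Connect-VIServer session. Baseline: all three settings Reject.

function Test-VDSecurityBaseline {
    [CmdletBinding()]
    param(
        [string[]]$Setting = @('AllowPromiscuous', 'MacChanges', 'ForgedTransmits')
    )

    $findings = @()

    foreach ($vds in Get-VDSwitch) {
        # Switch-level defaults are what the port groups inherit.
        $switchPolicy = $vds | Get-VDSecurityPolicy
        foreach ($s in $Setting) {
            if ($switchPolicy.$s) {
                $findings += [pscustomobject]@{
                    Scope = 'Switch'; Name = $vds.Name; Setting = $s; Issue = 'Accept'
                }
            }
        }

        # Same filter as the post: skip the system uplink port group.
        $portGroups = $vds | Get-VDPortgroup |
            Where-Object { $_.ExtensionData.Tag.Key -notcontains 'SYSTEM/DVS.UPLINKPG' }

        foreach ($pg in $portGroups) {
            $pgPolicy = $pg | Get-VDSecurityPolicy
            foreach ($s in $Setting) {
                # Per-setting inherited flag, e.g. ForgedTransmitsInherited.
                $inherited = $pgPolicy."${s}Inherited"
                if ($pgPolicy.$s) {
                    $findings += [pscustomobject]@{
                        Scope = 'PortGroup'; Name = $pg.Name; Setting = $s; Issue = 'Accept'
                    }
                }
                elseif (-not $inherited) {
                    # Value is compliant today, but the override means a later
                    # switch-level change will not reach this port group.
                    $findings += [pscustomobject]@{
                        Scope = 'PortGroup'; Name = $pg.Name; Setting = $s; Issue = 'Override (not inherited)'
                    }
                }
            }
        }
    }
    return $findings
}

Test-VDSecurityBaseline | Format-Table -AutoSize
```

An empty result means every switch and port group is at Reject with inheritance intact; "Override" rows are the port groups the post's Set-VDSecurityPolicy -*Inherited $true call would reset.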