Hi, I am trying to build a script which will verify if the DVS standard security settings are being applied on all levels of the vdswitch. I started exploring the objects with PowerCLI and I am a little puzzled.

First I grabbed all the non-uplink VDS port groups:

```powershell
$All_pg_view = Get-View -ViewType Network | Where-Object { $_.gettype().Name -like 'DistributedVirtualPortgroup' -and $_.tag.key -notlike 'SYSTEM/DVS.UPLINKPG' }
```

By default, on a brand new switch with default settings, this is the output received:

```
$All_pg_view.Config.DefaultPortConfig.SecurityPolicy

AllowPromiscuous      MacChanges            ForgedTransmits       Inherited
----------------      ----------            ---------------       ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
```

Notice the Inherited = true on all port groups. However, say you had a port group for which you manually went in and changed a setting. The output would become something like:

```
AllowPromiscuous      MacChanges            ForgedTransmits       Inherited
----------------      ----------            ---------------       ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy True
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy False
```

Furthermore, if you dig into the AllowPromiscuous, MacChanges and ForgedTransmits properties, there is also a parameter there called "inherited". So, I went in and manually modified the setting for a test portgroup (from reject to accept) for forged transmits:

```
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits

Value Inherited
----- ---------
True  False
```

Then I changed it back, and the object became:

```
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits

Value Inherited
----- ---------
False False
```

Ok, so I made the setting the same as the default, but it still does not appear inherited, at either port group level or at setting level.
I guess this is normal. Digging around I found a PowerCLI cmdlet to reset inheritance itself!

```powershell
# Look up the test port group by name, then re-enable inheritance on any
# security setting that is currently overridden at the port group level.
$pg_obj = Get-VDPortgroup -Name ($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'}).name
$pols = $pg_obj | Get-VDSecurityPolicy |
    ? {$_.AllowPromiscuousInherited -eq $False -or $_.ForgedTransmitsInherited -eq $False -or $_.MacChangesInherited -eq $False} |
    Set-VDSecurityPolicy -AllowPromiscuousInherited $true -ForgedTransmitsInherited $true -MacChangesInherited $true -Confirm:$false
```

After this, the "setting level" is updated to "inherited = true", but the "global" inherited, next to each individual setting, appears as false.

```
($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy.ForgedTransmits

Value Inherited
----- ---------
False True

C:\> ($All_pg_view | ? {$_.name -like 'ForgedTransmits-test'})[0].config.defaultportconfig.securitypolicy

AllowPromiscuous      MacChanges            ForgedTransmits       Inherited
----------------      ----------            ---------------       ---------
VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy VMware.Vim.BoolPolicy False
```

I would like to understand what the "1st" inherited (under config.defaultportconfig.securitypolicy) stands for, and how it can be set from false to true, if it is of any real use to do so. I tried to enable inheritance at VDS level but the cmdlet does not allow this, so clearly it does not affect this particular option.
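The audit the poster is building, written out as an added example (not the poster's script or VMware's): it walks every VDS with the PowerCLI cmdlets used above, applies the same uplink filter as the Get-View query via ExtensionData, and reports each setting that is either Accept or no longer inherited from the switch. It assumes an existing Connect-VIServer session and the VMware.VimAutomation.Vds module; the hashtable of expected values and the function name are my own.

```powershell
# Added example, not the poster's script. Assumes an active Connect-VIServer session and
# the PowerCLI VMware.VimAutomation.Vds module. Lists each non-uplink port group setting
# that is either not Reject (the expected hardened value) or no longer inherited from the
# switch, so a drift such as the poster's ForgedTransmits-test group shows up in one table.
Import-Module VMware.VimAutomation.Vds -ErrorAction Stop

# Expected values: $false means "Reject" for all three security settings.
$Expected = @{ AllowPromiscuous = $false; MacChanges = $false; ForgedTransmits = $false }

function Get-DvsSecurityDrift {
    foreach ($vds in Get-VDSwitch) {
        # Switch-level policy is the baseline the port groups are supposed to inherit.
        $switchPol = $vds | Get-VDSecurityPolicy
        foreach ($name in $Expected.Keys) {
            if ($switchPol.$name -ne $Expected[$name]) {
                [pscustomobject]@{
                    Switch = $vds.Name; Portgroup = '(switch default)'; Setting = $name
                    Value = $switchPol.$name; Inherited = 'n/a'; Issue = 'switch default is Accept'
                }
            }
        }
        # Same uplink filter as the poster's Get-View query, via the backing vSphere object.
        $pgs = Get-VDPortgroup -VDSwitch $vds |
            Where-Object { $_.ExtensionData.Tag.Key -notcontains 'SYSTEM/DVS.UPLINKPG' }
        foreach ($pg in $pgs) {
            $pol = $pg | Get-VDSecurityPolicy
            foreach ($name in $Expected.Keys) {
                $value     = $pol.$name
                $inherited = $pol."${name}Inherited"   # e.g. ForgedTransmitsInherited
                $issue = @()
                if ($value -ne $Expected[$name]) { $issue += 'Accept' }
                if (-not $inherited)             { $issue += 'not inherited' }
                if ($issue.Count -gt 0) {
                    [pscustomobject]@{
                        Switch = $vds.Name; Portgroup = $pg.Name; Setting = $name
                        Value = $value; Inherited = $inherited; Issue = ($issue -join ', ')
                    }
                }
            }
        }
    }
}

Get-DvsSecurityDrift | Sort-Object Switch, Portgroup, Setting | Format-Table -AutoSize
```

An empty table means every port group is at Reject and still inherits from its switch; a row flagged only "not inherited" is the case described above, where the value matches the default but the override has not been cleared.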