Get/Set Security Features on a vSwitch and Portgroups

A couple of quick and easy scripts which list and set the security options on a standard vSwitch:

Get-VirtualSwitch -Standard | Select VMHost, Name, `
    @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
    @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.AllowPromiscuous) { "Accept" } Else { "Reject"} }}, `
    @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}

Use the above example to list the current settings for all Standard vSwitches.

Function Set-VirtualSwitchSecurity {
    Param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]$vSwitch,
        [ValidateSet("Accept","Reject")]$MacAddressChanges,
        [ValidateSet("Accept","Reject")]$PromiscuousMode,
        [ValidateSet("Accept","Reject")]$ForgedTransmits
    )
    Process {
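        # Fetch the host's network system, which holds the editable vSwitch specs
        $hostExt = $vSwitch.VMHost.ExtensionData
        $networkSystem = get-view $hostExt.ConfigManager.NetworkSystem
        # Exact name comparison, so that vSwitch1 does not also match vSwitch10
        $networkSystem.NetworkConfig.Vswitch| Where {$_.name -eq $vSwitch.Name} | Foreach {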
            $switchSpec = $_.spec
            if ($PromiscuousMode -eq "Accept") {
                $switchSpec.Policy.Security.AllowPromiscuous = $True
            }
            if ($PromiscuousMode -eq "Reject") {
                $switchSpec.Policy.Security.AllowPromiscuous = $False
            }
            if ($MacAddressChanges -eq "Accept") {
                $switchSpec.Policy.Security.MacChanges = $True
            }
            if ($MacAddressChanges -eq "Reject") {
                $switchSpec.Policy.Security.MacChanges = $False
            }
            if ($ForgedTransmits -eq "Accept") {
                $switchSpec.Policy.Security.ForgedTransmits = $True
            }
            if ($ForgedTransmits -eq "Reject") {
                $switchSpec.Policy.Security.ForgedTransmits = $False
            }
            $NetworkSystem.UpdateVirtualSwitch($vSwitch.Name, $switchSpec)
        }
        Get-VirtualSwitch -Name $vSwitch.Name -VMHost $vSwitch.VMHost | Select VMHost, Name, `
            @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
            @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.AllowPromiscuous) { "Accept" } Else { "Reject"} }}, `
            @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}
    }
}

Get-VirtualSwitch -Name vSwitch0 | Set-VirtualSwitchSecurity -MacAddressChanges Accept -PromiscuousMode Reject -ForgedTransmits Accept

The example above sets the security settings for each host's vSwitch0.
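
A standard port group can override the security policy it inherits from its vSwitch, so a vSwitch that reports Reject may still carry port groups that accept. The following is an added example, not part of the original scripts, that reports the effective policy per standard port group; the function name Get-PortGroupSecurityAudit and its output column names are hypothetical, and it assumes an existing Connect-VIServer session.

```powershell
Function Get-PortGroupSecurityAudit {
    Param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]$VMHost
    )
    Begin {
        # Map the API's booleans onto the Accept/Reject labels used above
        $toLabel = { Param($value) if ($value) { "Accept" } else { "Reject" } }
        $settings = "AllowPromiscuous", "MacChanges", "ForgedTransmits"
    }
    Process {
        $networkSystem = Get-View $VMHost.ExtensionData.ConfigManager.NetworkSystem
        Foreach ($pg in $networkSystem.NetworkInfo.Portgroup) {
            # ComputedPolicy is what is actually enforced on the port group
            $effective = $pg.ComputedPolicy.Security
            # Spec.Policy holds only values set on the port group itself;
            # a null value means "inherit from the vSwitch"
            $explicit = $pg.Spec.Policy.Security

            $overridden = @()
            $accepting = @()
            Foreach ($setting in $settings) {
                if ($explicit -and $null -ne $explicit.$setting) { $overridden += $setting }
                if ($effective.$setting) { $accepting += $setting }
            }

            [PSCustomObject][ordered]@{
                VMHost          = $VMHost.Name
                vSwitch         = $pg.Spec.VswitchName
                PortGroup       = $pg.Spec.Name
                MacChanges      = & $toLabel $effective.MacChanges
                PromiscuousMode = & $toLabel $effective.AllowPromiscuous
                ForgedTransmits = & $toLabel $effective.ForgedTransmits
                Overridden      = $overridden -join ","   # set at port group level
                Accepting       = $accepting -join ","    # effective value is Accept
            }
        }
    }
}

# List only the port groups where at least one setting is effectively Accept
Get-VMHost | Get-PortGroupSecurityAudit | Where { $_.Accepting } | Format-Table -AutoSize
```

A port group that shows a setting under Overridden will not follow later changes made with Set-VirtualSwitchSecurity on its parent vSwitch.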

To list the Security Settings of all dvPortGroups use:

Get-VirtualPortGroup -Distributed | Select Name, `
    @{N="MacChanges";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value) { "Accept" } Else { "Reject"} }}, `
    @{N="PromiscuousMode";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) { "Accept" } Else { "Reject"} }}, `
    @{N="ForgedTransmits";E={if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value) { "Accept" } Else { "Reject"} }}

To list all dvSwitches and their Portgroups, VLAN Types and IDs:

Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
    Switch ((($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name) {
        VmwareDistributedVirtualSwitchPvlanSpec {
            $Type = "Private VLAN"
            $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.pVlanID
        }
        VmwareDistributedVirtualSwitchTrunkVlanSpec {
            $Type = "VLAN Trunk"
            $VLAN = ($dPG.ExtensionData.Config.DefaultPortConfig.Vlan.VlanID | Select Start, End)
        }
        VmwareDistributedVirtualSwitchVlanIdSpec {
            $Type = "VLAN"
            $VLAN = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan.vlanID
        }
        default {
            $Type = (($dPG.ExtensionData.Config.DefaultPortConfig.Vlan).GetType()).Name
            $VLAN = "Unknown"
        }
    }
    $dpg | Select virtualSwitch, Name, @{N="Type";E={$Type}}, @{N="VLanId";E={$VLAN}}
}