Get/Set Security Features on a vSwitch and Portgroups
A quick and easy couple of scripts which list and set the security options on a standard vSwitch:
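# List the Layer-2 security policy (MAC changes, promiscuous mode, forged
# transmits) of every standard vSwitch, one row per host/switch.
# The vSphere API property for promiscuous mode is AllowPromiscuous (the same
# name the setter below writes). Reading a non-existent property such as
# PromiscuousMode yields $null, which if() treats as $false, so that column
# would always report "Reject" even on switches where promiscuous mode is allowed.
Get-VirtualSwitch -Standard | Select-Object VMHost, Name, `
@{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
@{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.AllowPromiscuous) { "Accept" } Else { "Reject"} }}, `
@{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}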
Use the above example to list the current settings for all Standard vSwitches.
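Function Set-VirtualSwitchSecurity {
<#
.SYNOPSIS
Sets the Layer-2 security policy of a standard vSwitch and returns the
settings that are in effect afterwards.
.PARAMETER vSwitch
Standard vSwitch object as returned by Get-VirtualSwitch; accepts pipeline input,
so one object per host is processed when several switches are piped in.
.PARAMETER MacAddressChanges
"Accept" or "Reject". Omit to leave the current value unchanged.
.PARAMETER PromiscuousMode
"Accept" or "Reject". Omit to leave the current value unchanged.
.PARAMETER ForgedTransmits
"Accept" or "Reject". Omit to leave the current value unchanged.
.OUTPUTS
One object per vSwitch with VMHost, Name and the three policy values read
back from the host after the update. Supports -WhatIf / -Confirm.
#>
    [CmdletBinding(SupportsShouldProcess=$True)]
    Param (
        [Parameter(Mandatory=$True,ValueFromPipeline=$True)]$vSwitch,
        [ValidateSet("Accept","Reject")]$MacAddressChanges,
        [ValidateSet("Accept","Reject")]$PromiscuousMode,
        [ValidateSet("Accept","Reject")]$ForgedTransmits
    )
    Process {
        $hostExt = $vSwitch.VMHost.ExtensionData
        $networkSystem = Get-View $hostExt.ConfigManager.NetworkSystem
        # Compare the switch name exactly: -match is a regex, so "vSwitch1" would
        # also select "vSwitch10"/"vSwitch11" and their spec would then be written
        # onto the switch named in $vSwitch.
        $networkSystem.NetworkConfig.Vswitch | Where-Object { $_.Name -eq $vSwitch.Name } | ForEach-Object {
            $switchSpec = $_.Spec
            # A parameter that was not supplied is $null: keep the existing value.
            if ($PromiscuousMode)   { $switchSpec.Policy.Security.AllowPromiscuous = ($PromiscuousMode -eq "Accept") }
            if ($MacAddressChanges) { $switchSpec.Policy.Security.MacChanges       = ($MacAddressChanges -eq "Accept") }
            if ($ForgedTransmits)   { $switchSpec.Policy.Security.ForgedTransmits  = ($ForgedTransmits -eq "Accept") }
            if ($PSCmdlet.ShouldProcess("$($vSwitch.VMHost)/$($vSwitch.Name)", "Update vSwitch security policy")) {
                $networkSystem.UpdateVirtualSwitch($vSwitch.Name, $switchSpec)
            }
        }
        # Read the policy back from the host so the caller sees the applied state.
        # AllowPromiscuous is the API property name; a non-existent property reads
        # as $null and would always show "Reject".
        Get-VirtualSwitch -Name $vSwitch.Name -VMHost $vSwitch.VMHost | Select-Object VMHost, Name, `
        @{N="MacChanges";E={if ($_.ExtensionData.Spec.Policy.Security.MacChanges) { "Accept" } Else { "Reject"} }}, `
        @{N="PromiscuousMode";E={if ($_.ExtensionData.Spec.Policy.Security.AllowPromiscuous) { "Accept" } Else { "Reject"} }}, `
        @{N="ForgedTransmits";E={if ($_.ExtensionData.Spec.Policy.Security.ForgedTransmits) { "Accept" } Else { "Reject"} }}
    }
}

# Example: "Reject" is the usual baseline for all three; "Accept" is only needed
# by workloads that spoof or sniff frames (e.g. nested hypervisors, some NLB/HA
# setups). Add -WhatIf to preview the hosts that would be changed.
Get-VirtualSwitch -Name vSwitch0 | Set-VirtualSwitchSecurity -MacAddressChanges Accept -PromiscuousMode Reject -ForgedTransmits Accept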
The example above sets the security settings on each host's vSwitch0.
To list the Security Settings of all dvPortGroups use:
# Report the Layer-2 security policy of every distributed port group.
# Each setting is a BoolPolicy whose effective value sits in .Value
# ($true -> "Accept", anything else -> "Reject").
$securityColumns = @(
    @{N="MacChanges";      E={ if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value)       { "Accept" } else { "Reject" } }},
    @{N="PromiscuousMode"; E={ if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value) { "Accept" } else { "Reject" } }},
    @{N="ForgedTransmits"; E={ if ($_.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value)  { "Accept" } else { "Reject" } }}
)
Get-VirtualPortGroup -Distributed | Select-Object -Property (@("Name") + $securityColumns)
To list all dvSwitches with their port groups and each port group's VLAN type and ID:
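# List every distributed port group with its parent dvSwitch and the VLAN
# configuration of its default port config (VLAN id, trunk ranges or PVLAN id).
Foreach ($dPG in (Get-VirtualPortGroup -Distributed)) {
    $vlanSpec = $dPG.ExtensionData.Config.DefaultPortConfig.Vlan
    # .GetType() on $null throws and would abort the whole loop; report a
    # port group without a VLAN spec instead of failing on it.
    $specType = if ($null -ne $vlanSpec) { $vlanSpec.GetType().Name } else { "None" }
    Switch ($specType) {
        "VmwareDistributedVirtualSwitchPvlanSpec" {
            $Type = "Private VLAN"
            $VLAN = $vlanSpec.PvlanId
        }
        "VmwareDistributedVirtualSwitchTrunkVlanSpec" {
            $Type = "VLAN Trunk"
            # Trunk VLAN ids are numeric ranges; keep Start/End pairs.
            $VLAN = ($vlanSpec.VlanId | Select-Object Start, End)
        }
        "VmwareDistributedVirtualSwitchVlanIdSpec" {
            $Type = "VLAN"
            $VLAN = $vlanSpec.VlanId
        }
        default {
            # Unrecognised (or missing) spec: surface the type name so it is visible.
            $Type = $specType
            $VLAN = "Unknown"
        }
    }
    $dPG | Select-Object VirtualSwitch, Name, @{N="Type";E={$Type}}, @{N="VLanId";E={$VLAN}}
}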