3 Replies Latest reply on Aug 16, 2018 11:29 PM by Hejahida82

    How to change VM port group security settings from vRO for individual port?

    darrenoid Enthusiast

      Hello vRO community,

       

      What are some actions or workflows I can use to edit a virtual machine's port setting on a distributed virtual switch? Specifically I am looking to enable Promiscuous mode for the individual vSwitch port for a VM. How I would do it manually in vCenter is go to the Distributed Switch under networks, then go to the ports tab and locate the VM port. From there I go to edit and then security to change the settings:

       

       

      How can I check those values and change them programmatically in vRO?

       

      Thanks,
      Darren

        • 1. Re: How to change VM port group security settings from vRO for individual port?
          Hejahida82 Enthusiast
          VMware Employees

          Hi darrenoid

          It is possible to change the Promiscuous mode settings via vRO on a port group.

           

          This code snippet will change Promiscuous mode on a selected port group to enabled:

          // Spec describing the change to the port group's default port settings
          var spec = new VcDVPortgroupConfigSpec();
          spec.configVersion = counter;
          spec.defaultPortConfig = new VcVMwareDVSPortSetting();
          spec.defaultPortConfig.securityPolicy = new VcDVSSecurityPolicy();
          // Set the policy explicitly on the port group instead of inheriting it
          spec.defaultPortConfig.securityPolicy.inherited = false;
          spec.defaultPortConfig.securityPolicy.allowPromiscuous = new VcBoolPolicy();
          spec.defaultPortConfig.securityPolicy.allowPromiscuous.inherited = false;
          // true = allow promiscuous mode for ports using the port group default
          spec.defaultPortConfig.securityPolicy.allowPromiscuous.value = true;
          // Submit the reconfigure task to vCenter
          selectedPortGroup.reconfigureDVPortgroup_Task(spec);
          

          where :

          1. the counter variable is a unique number from 0 onwards. Each time you change the configuration you have to increment the spec.configVersion number, otherwise vCenter thinks you are trying to continue a previous update.
          2. the selectedPortGroup variable is the port group you want to make the change on; this is of type VC:DistributedVirtualPortgroup. If you want to find this programmatically you will need some additional code. The methods listed in the Returned By section of this page will give you some ideas on how you could search for the port group(s) you want: vRO API Explorer by Dr Ruurd and Flores of ITQ

           

          To check if the value is set to true before changing it, you can check the value of the following setting. If it is set to true then Promiscuous mode is already enabled.

          selectedPortGroup.config.defaultPortConfig.securityPolicy.allowPromiscuous.value
          
          • 2. Re: How to change VM port group security settings from vRO for individual port?
            darrenoid Enthusiast

            Hello Hejahida82,

             

            Thank you for your reply, this is good info to have. This info looks like it would work for changing the port group setting, but I was asking about changing this for a particular port ID. I want to have more fine-grained control over the promiscuous setting. Rather than just allow it on the whole port group, I have the port group set to allow overrides for security settings, which allows me to set promiscuous mode per port on the switch. Please see my original screenshot to see this in the GUI.

             

            Any advice on how to do this one level deeper for a specific port ID?

             

            Regards,

            Darren

            • 3. Re: How to change VM port group security settings from vRO for individual port?
              Hejahida82 Enthusiast
              VMware Employees

              Hi darrenoid, sorry about that, I must have misread the original post. To set it for an individual port you can do the following:

               

              // reconfigureDVPort_Task takes an array of port specs
              var port = new Array();
              port[0] = new VcDVPortConfigSpec();
              port[0].operation = "edit";
              // Identify the port to edit
              port[0].key = portName;
              port[0].setting = new VcVMwareDVSPortSetting();
              port[0].setting.securityPolicy = new VcDVSSecurityPolicy();
              // Override the port group default for this port only
              port[0].setting.securityPolicy.inherited = false;
              port[0].setting.securityPolicy.allowPromiscuous = new VcBoolPolicy();
              port[0].setting.securityPolicy.allowPromiscuous.inherited = false;
              // false = reject promiscuous mode on this port; true = allow it
              port[0].setting.securityPolicy.allowPromiscuous.value = false;
              port[0].configVersion = counter;

              selectedVDS.reconfigureDVPort_Task(port);
              

              where selectedVDS is the vDS the port belongs to and is of type VC:vmwareDistributedSwitch, counter is again a unique number from 0 upwards and portName is the name of the port as shown in vCenter as a string.

               

              If you need to set the Allow override of port policies on the port group you can do this using code like this:

              var spec = new VcDVPortgroupConfigSpec();
              spec.configVersion = counter;
              // The policy object must be created before its properties can be set
              spec.policy = new VcVMwareDVSPortgroupPolicy();
              spec.policy.securityPolicyOverrideAllowed = true;
              selectedPortGroup.reconfigureDVPortgroup_Task(spec);
              

               

              Hope that helps.
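
A read-only audit of the setting discussed in this thread, added here as an example and not code from either poster: it resolves each port's effective allowPromiscuous value, honouring the inherited flag, and lists the ports where it is on. Plain objects with constructed data stand in for the vRO port and port group objects; auditPromiscuous, effectivePromiscuous, boolPolicy and portWith are hypothetical names, and the key and portgroupKey fields on each port are assumptions.

```javascript
// Constructed sample data: plain objects shaped like the properties used in
// the thread (config.defaultPortConfig / config.setting -> securityPolicy).
var portGroups = {
  "dvportgroup-1": { name: "pg-app", config: { defaultPortConfig: { securityPolicy: {
    allowPromiscuous: { inherited: false, value: false } } } } },
  "dvportgroup-2": { name: "pg-capture", config: { defaultPortConfig: { securityPolicy: {
    allowPromiscuous: { inherited: false, value: true } } } } }
};
function portWith(key, pgKey, inherited, value) { // hypothetical helper
  return { key: key, portgroupKey: pgKey, config: { setting: { securityPolicy: {
    allowPromiscuous: { inherited: inherited, value: value } } } } };
}
var ports = [
  portWith("10", "dvportgroup-1", true, false),  // follows port group: off
  portWith("11", "dvportgroup-1", false, true),  // per-port override: on
  portWith("20", "dvportgroup-2", true, true),   // follows port group: on
  portWith("21", "dvportgroup-2", false, false)  // per-port override: off
];

// Safely read securityPolicy.allowPromiscuous from a setting that may be partial.
function boolPolicy(setting) {
  var sec = setting && setting.securityPolicy;
  return (sec && sec.allowPromiscuous) || null;
}

// Effective value for one port: a port-level policy applies only when its
// inherited flag is false; otherwise the port group default is used.
function effectivePromiscuous(port, portGroup) {
  var own = boolPolicy(port.config && port.config.setting);
  if (own && own.inherited === false) {
    return { enabled: own.value === true, source: "port override" };
  }
  var def = boolPolicy(portGroup.config.defaultPortConfig);
  return { enabled: Boolean(def && def.value === true), source: "port group default" };
}

// List every port whose effective setting allows promiscuous mode.
function auditPromiscuous(portList, groupsByKey) {
  var findings = [];
  for (var i = 0; i < portList.length; i++) {
    var pg = groupsByKey[portList[i].portgroupKey];
    if (!pg) { continue; } // port not attached to a known port group
    var result = effectivePromiscuous(portList[i], pg);
    if (result.enabled) {
      findings.push({ port: portList[i].key, portGroup: pg.name, source: result.source });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditPromiscuous(ports, portGroups)));
```

The source field separates ports that were opened individually from ports that are promiscuous only because their port group default allows it, which is the distinction the per-port override in this thread creates.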