I am looking for a way to query the security settings (Promiscuous Mode, Forged Transmits and MAC Changes) of vSwitches and Portgroups. My PS skills are limited. I can get about this far, mostly from patching together various scripts I found. However, at this point I must supply a vSwitch, and even when I am able to pass that information I have no idea what to do after that.
Foreach ($VMHost in Get-VMHost){
    Foreach ($vSwitch in ($VMHost | Get-VirtualSwitch )){
        $hostMoRef = Get-VMHost $VMhost | % {Get-View $_.Id}
        $hostNetwork = $hostMoRef.configManager.networkSystem
        $hostNetworkMoRef = Get-View $hostNetwork
        $hostNetworkMoRef.NetworkInfo
    }
}
In PowerCLI 4.1 you can use the Extensiondata property to get at the Managed Object.
To list the security settings of all your vSwitches and their portgroups you can do something like this:
foreach ($VMHost in Get-VMHost){
    foreach($vSwitch in $VMHost.ExtensionData.Config.Network.Vswitch){
        Write-Host $vSwitch.Name
        Write-Host "`tPromiscuous mode:" $vSwitch.Spec.Policy.Security.AllowPromiscuous
        Write-Host "`tForged transmits:" $vSwitch.Spec.Policy.Security.ForgedTransmits
        Write-Host "`tMAC Changes:" $vSwitch.Spec.Policy.Security.MacChanges
        foreach($portgroup in ($VMHost.ExtensionData.Config.Network.Portgroup | where {$_.Vswitch -eq $vSwitch.Key})){
            Write-Host "`n`t" $portgroup.Spec.Name
            Write-Host "`t`tPromiscuous mode:" $portgroup.Spec.Policy.Security.AllowPromiscuous
            Write-Host "`t`tForged transmits:" $portgroup.Spec.Policy.Security.ForgedTransmits
            Write-Host "`t`tMAC Changes:" $portgroup.Spec.Policy.Security.MacChanges
        }
    }
}
Note that a security setting for a portgroup will be blank (= not set) when it inherits the corresponding vSwitch setting.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
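The inheritance note above is the part that bites in an audit: a blank portgroup value is not "unknown", it is "whatever the vSwitch says". The following is an added example, not code from the thread or from LucD, that resolves the effective value for every portgroup on every standard vSwitch and records where it came from. It assumes a PowerCLI session already opened with Connect-VIServer; the function name Get-VssSecurityReport is my own. The Computed column reads the HostPortGroup ComputedPolicy, which is ESXi's own view of the effective policy, and should agree with the resolved value.

```powershell
# Added example (not from the thread): effective security policy per standard
# vSwitch portgroup, with the inheritance resolved explicitly.
# Assumes a connected PowerCLI session (Connect-VIServer has already been run).

function Get-VssSecurityReport {
    [CmdletBinding()]
    param(
        # Optional host filter; defaults to every host in the inventory.
        [string[]]$VMHostName
    )

    $hosts = if ($VMHostName) { Get-VMHost -Name $VMHostName } else { Get-VMHost }

    foreach ($vmHost in $hosts) {
        foreach ($sw in ($vmHost | Get-VirtualSwitch -Standard)) {
            # Switch-level policy: plain (nullable) booleans on the HostVirtualSwitch spec
            $swSec = $sw.ExtensionData.Spec.Policy.Security

            foreach ($pg in (Get-VirtualPortGroup -VirtualSwitch $sw)) {
                # May be $null altogether when the portgroup overrides nothing
                $pgSec = $pg.ExtensionData.Spec.Policy.Security

                foreach ($setting in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
                    $own = if ($pgSec) { $pgSec.$setting } else { $null }

                    # $null on the portgroup means "inherit from the vSwitch"
                    if ($null -ne $own) {
                        $effective = $own
                        $source    = 'Portgroup'
                    } else {
                        $effective = $swSec.$setting
                        $source    = 'vSwitch'
                    }

                    [pscustomobject]@{
                        Host          = $vmHost.Name
                        vSwitch       = $sw.Name
                        Portgroup     = $pg.Name
                        Setting       = $setting
                        vSwitchValue  = $swSec.$setting
                        PortgroupValue = $own
                        Effective     = $effective
                        Source        = $source
                        # ESXi's own computed (effective) policy, for cross-checking
                        Computed      = $pg.ExtensionData.ComputedPolicy.Security.$setting
                    }
                }
            }
        }
    }
}

# Usage: $true means Accept. The vSphere security configuration guide recommends
# Reject for all three unless a workload genuinely needs otherwise, so anything
# effectively $true is a finding to review, regardless of which level set it.
Get-VssSecurityReport |
    Where-Object { $_.Effective -eq $true } |
    Sort-Object Host, vSwitch, Portgroup, Setting |
    Format-Table -AutoSize
```

Emitting one object per setting rather than one wide row per portgroup makes the output easy to filter (as in the usage line) and to pipe into Export-Csv without any further reshaping.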
Luc,
Thanks yet again. It worked perfectly and now knowing that Extensiondata exists makes understanding how to retrieve things I find in the MOB a lot easier.
Thanks
Is there a way of querying Distributed Virtual Switches and their portgroups for the same information?
foreach($vSwitch in $VMHost.ExtensionData.Config.Network.Vswitch) only returns standard switches. I was able to get all switches with foreach($vSwitch in $VMHost | Get-VirtualSwitches) and was then able to query the settings of the standard switches by looking at the properties in $vSwitch.ExtensionData.Spec.Policy.Security, but Distributed Virtual Switch objects don't seem to have the same property collections.
The distributed vSwitch and portgroup are configured a bit differently from the old ones.
You can in fact configure these settings for each port individually.
For the dvSwitch and the dvPortgroup you can report on the default settings that are used when the port has no individual settings.
Get-VirtualSwitch -Distributed | %{
    Write-Host $_.Name
    Write-Host "`tPromiscuous mode:" $_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value
    Write-Host "`tForged transmits:" $_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
    Write-Host "`tMAC Changes:" $_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value
    foreach($portgroup in (Get-VirtualPortGroup -Distributed -VirtualSwitch $_)){
        Write-Host "`n`t" $portgroup.Name
        Write-Host "`t`tPromiscuous mode:" $portgroup.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value
        Write-Host "`t`tForged transmits:" $portgroup.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
        Write-Host "`t`tMAC Changes:" $portgroup.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value
    }
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That worked great. Thanks very much
Hi Luc,
I am looking for a similar report, but I want to have the host name included and the report placed in CSV format. Is that possible?
Try something like this:
&{foreach($dvSw in (Get-VirtualSwitch -Distributed)){
    Get-VirtualPortGroup -Distributed -VirtualSwitch $dvSw |
    Select @{N="dvSwitch";E={$dvSw.Name}},
        @{N="Promiscuous mode";E={$dvSw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="Forged transmits";E={$dvSw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="MAC Changes";E={$dvSw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}},
        @{N="Portgroup";E={$_.Name}},
        @{N="Portgroup Promiscuous mode";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="Portgroup Forged transmits";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="Portgroup MAC Changes";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}}
}} | Export-Csv C:\report.csv -NoTypeInformation -UseCulture
Not sure what you mean by host though. A dvSwitch is defined across several hosts.
Do you want for each dvSwitch all the hosts that are connected to it ?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
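For the distributed case the two things a reviewer usually wants beyond the answer above are the member hosts of each dvSwitch (the question raised just above) and whether a dvPortgroup value is its own or inherited, which the BoolPolicy type exposes directly. The following is an added example, not code from the thread or from LucD. It assumes a connected PowerCLI session, reads the same DefaultPortConfig.SecurityPolicy paths the thread uses, and takes the host list from ExtensionData.Summary.HostMember; the function name Get-VdsSecurityReport is my own.

```powershell
# Added example (not from the thread): dvSwitch / dvPortgroup security report with
# member hosts and inheritance, emitted as CSV-ready objects.
# Assumes a connected PowerCLI session (Connect-VIServer has already been run).

function Get-VdsSecurityReport {
    [CmdletBinding()]
    param()

    foreach ($dvSw in (Get-VirtualSwitch -Distributed)) {
        # Summary.HostMember holds a ManagedObjectReference per host that has a
        # proxy switch for this dvSwitch; resolve them to names once per switch.
        $members = foreach ($ref in $dvSw.ExtensionData.Summary.HostMember) {
            (Get-View -Id $ref -Property Name).Name
        }
        $hostList = ($members | Sort-Object) -join ';'

        $swPolicy = $dvSw.ExtensionData.Config.DefaultPortConfig.SecurityPolicy

        foreach ($pg in (Get-VirtualPortGroup -Distributed -VirtualSwitch $dvSw)) {
            $pgPolicy = $pg.ExtensionData.Config.DefaultPortConfig.SecurityPolicy

            foreach ($setting in 'AllowPromiscuous', 'ForgedTransmits', 'MacChanges') {
                # On a VDS each setting is a BoolPolicy: .Value is the boolean,
                # .Inherited says whether it was taken from the level above.
                $swSetting = $swPolicy.$setting
                $pgSetting = $pgPolicy.$setting
                $inherited = [bool]$pgSetting.Inherited

                [pscustomobject]@{
                    dvSwitch           = $dvSw.Name
                    Hosts              = $hostList
                    Portgroup          = $pg.Name
                    Setting            = $setting
                    dvSwitchValue      = $swSetting.Value
                    PortgroupValue     = $pgSetting.Value
                    PortgroupInherited = $inherited
                    Effective          = if ($inherited) { $swSetting.Value } else { $pgSetting.Value }
                    Source             = if ($inherited) { 'dvSwitch' } else { 'Portgroup' }
                }
            }
        }
    }
}

# Usage: one row per portgroup and setting; -UseCulture keeps the delimiter
# consistent with the locale, as in the thread's own Export-Csv calls.
Get-VdsSecurityReport |
    Export-Csv -Path C:\dvs-security-report.csv -NoTypeInformation -UseCulture
```

Remember the caveat from earlier in the thread: these are the portgroup defaults, and an individual dvPort can still override them, so a clean report here does not rule out a per-port exception.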
Sorry, I should have mentioned it before. I am running a standard switch, so I want to include the host name in the report.
Try this:
&{foreach($sw in (Get-VirtualSwitch -Standard)){
    Get-VirtualPortGroup -VirtualSwitch $sw |
    Select @{N="Host";E={$sw.VMHost.Name}},
        @{N="Switch";E={$sw.Name}},
        @{N="Promiscuous mode";E={$sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Forged transmits";E={$sw.Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="MAC Changes";E={$sw.Extensiondata.Spec.Policy.Security.MacChanges}},
        @{N="Portgroup";E={$_.Name}},
        @{N="Portgroup Promiscuous mode";E={$_.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Portgroup Forged transmits";E={$_..Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="Portgroup MAC Changes";E={$_.Extensiondata.Spec.Policy.Security.MacChanges}}
}} | Export-Csv C:\report.csv -NoTypeInformation -UseCulture
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks Luc!!
Is there an easy way to set the security settings via PowerCLI? For the sVS and dVS.
In the dvSwitch module that comes with the PowerCLI Reference book there is a function called Set-DistributedSwitchPortGroup, that does all this.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
Please check the attached screenshot; I am getting empty values. This is the script to get the security settings of a standard switch:
&{foreach($sw in (Get-VirtualSwitch -Standard)){
    Get-VirtualPortGroup -VirtualSwitch $sw |
    Select @{N="Host";E={$sw.VMHost.Name}},
        @{N="Switch";E={$sw.Name}},
        @{N="Promiscuous mode";E={$sw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="Forged transmits";E={$sw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="MAC Changes";E={$sw.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}},
        @{N="Portgroup";E={$_.Name}},
        @{N="Portgroup Promiscuous mode";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value}},
        @{N="Portgroup Forged transmits";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value}},
        @{N="Portgroup MAC Changes";E={$_.Extensiondata.Config.DefaultPortConfig.SecurityPolicy.MacChanges.Value}}
}} | Export-Csv C:\Users\ljonnala\Desktop\powercli\hostconfig\VSwitchSecurity.csv -NoTypeInformation -UseCulture
Please help me export the standard switch security settings to a .csv file.
Since you are going for VSS, and not VDS, you will have to fetch a Boolean, not a BoolPolicy.
Use the script I posted earlier for "Standard" switches (hint: the property doesn't have Value at the end).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Please check the attached error screenshot, which I am getting with the script below.
&{foreach($sw in (Get-VirtualSwitch -Standard)){
    Get-VirtualPortGroup -VirtualSwitch $sw |
    Select @{N="Host";E={$sw.VMHost.Name}},
        @{N="Switch";E={$sw.Name}},
        @{N="Promiscuous mode";E={$sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Forged transmits";E={$sw.Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="MAC Changes";E={$sw.Extensiondata.Spec.Policy.Security.MacChanges}},
        @{N="Portgroup";E={$_.Name}},
        @{N="Portgroup Promiscuous mode";E={$_.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Portgroup Forged transmits";E={$_..Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="Portgroup MAC Changes";E={$_.Extensiondata.Spec.Policy.Security.MacChanges}}
}} | Export-Csv C:\report.csv -NoTypeInformation -UseCulture
You have 2 dots in there:
@{N="Portgroup Forged transmits";E={$_..Extensiondata.Spec.Policy.Security.ForgedTransmits}},
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Removed the extra dot, but I am still getting the empty values shown in the pic. It is ESXi version 5.5.
I used the script below:
&{foreach($sw in (Get-VirtualSwitch -Standard)){
    Get-VirtualPortGroup -VirtualSwitch $sw |
    Select @{N="Host";E={$sw.VMHost.Name}},
        @{N="Switch";E={$sw.Name}},
        @{N="Promiscuous mode";E={$sw.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Forged transmits";E={$sw.Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="MAC Changes";E={$sw.Extensiondata.Spec.Policy.Security.MacChanges}},
        @{N="Portgroup";E={$_.Name}},
        @{N="Portgroup Promiscuous mode";E={$_.Extensiondata.Spec.Policy.Security.AllowPromiscuous}},
        @{N="Portgroup Forged transmits";E={$_.Extensiondata.Spec.Policy.Security.ForgedTransmits}},
        @{N="Portgroup MAC Changes";E={$_.Extensiondata.Spec.Policy.Security.MacChanges}}
}} | Export-csv C:\Users\ljonnala\Desktop\powercli\pp\vswitchsecurity.csv
This time I got the switch-level security settings, but the portgroup-level ones are empty.
That could mean that you have no explicit security settings defined for the portgroups.
In that case the portgroups will inherit from the vSwitch.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference