GeekAfterFive

Infrastructure as Code

Setting Default VDSwitch security for vCloud with PowerCLI

14 Mar 2013

Working as a public vCloud provider periodically gives me the opportunity to help clients that are running their own private vCloud. It's a great side benefit to working with an experienced public vCloud provider in case you need some advanced help, or custom code/scripting!

In this case, my client needed to set default security permissions for all new VDPortgroups that were created by vCloud Director. This is different than setting security on a single portgroup. This sets the defaults for ALL portgroups created after the setting change! This is very handy when the network creation is out of our hands. :D

############################################
# Configuration Settings                   #
############################################
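$switchName="dvSwitch"      # name of the distributed switch vCloud Director uses
$promiscuous=$true          # ports receive all frames seen on the portgroup
$forgedTransmits=$false     # guest may not send frames with a source MAC other than its own
$macChanges=$false          # guest may not change its effective MAC address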

###################################################
# Shouldn't need to edit anything below this line #
###################################################
$dvSwitch = Get-VDSwitch $switchname
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.configVersion = $dvswitch.ExtensionData.Config.ConfigVersion
$spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.DefaultPortConfig.SecurityPolicy = New-Object VMware.Vim.DVSSecurityPolicy
$spec.DefaultPortConfig.SecurityPolicy.AllowPromiscuous = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.AllowPromiscuous.Value = $promiscuous
 
$spec.DefaultPortConfig.SecurityPolicy.MacChanges = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.MacChanges.Value = $macChanges
 
$spec.DefaultPortConfig.SecurityPolicy.ForgedTransmits = New-Object VMware.Vim.BoolPolicy
$spec.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value = $forgedTransmits

$dvswitch.ExtensionData.ReconfigureDvs_Task($spec)
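
Because the change only affects portgroups created afterwards, portgroups that already exist keep whatever policy they had. The following is an added example, not code from the original post: it compares the switch default and each portgroup against the desired values and lists every difference. The function names `Get-PolicyDrift` and `ConvertTo-PolicyRecord` and the sample portgroup names are hypothetical.

```powershell
# Added example: report security-policy drift against the desired defaults.
# Function names and sample data are hypothetical, not part of the original script.
$desired = @{ AllowPromiscuous = $true; MacChanges = $false; ForgedTransmits = $false }

function Get-PolicyDrift {
    param(
        [Parameter(Mandatory)] $Policies,            # records with Name + three booleans
        [Parameter(Mandatory)] [hashtable] $Desired  # setting name -> expected value
    )
    foreach ($p in $Policies) {
        foreach ($key in $Desired.Keys) {
            if ($p.$key -ne $Desired[$key]) {
                [pscustomobject]@{
                    Name     = $p.Name
                    Setting  = $key
                    Actual   = $p.$key
                    Expected = $Desired[$key]
                }
            }
        }
    }
}

# Flatten a VDSwitch or VDPortgroup into the record shape Get-PolicyDrift expects.
function ConvertTo-PolicyRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $VdsObject)
    process {
        $sp = $VdsObject.ExtensionData.Config.DefaultPortConfig.SecurityPolicy
        [pscustomobject]@{
            Name             = $VdsObject.Name
            AllowPromiscuous = $sp.AllowPromiscuous.Value
            MacChanges       = $sp.MacChanges.Value
            ForgedTransmits  = $sp.ForgedTransmits.Value
        }
    }
}

# Constructed sample records so the comparison runs without a vCenter connection.
$sample = @(
    [pscustomobject]@{ Name = 'pg-old'; AllowPromiscuous = $false; MacChanges = $true;  ForgedTransmits = $true }
    [pscustomobject]@{ Name = 'pg-new'; AllowPromiscuous = $true;  MacChanges = $false; ForgedTransmits = $false }
)
Get-PolicyDrift -Policies $sample -Desired $desired | Format-Table -AutoSize

# Against a live switch (after Connect-VIServer), re-read the objects first:
# $vds  = Get-VDSwitch $switchName
# $live = @($vds) + @(Get-VDPortgroup -VDSwitch $vds) | ConvertTo-PolicyRecord
# Get-PolicyDrift -Policies $live -Desired $desired
```

`ReconfigureDvs_Task` is asynchronous, so fetch the switch again with `Get-VDSwitch` once the task has finished before checking its default policy.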

I've written about getting around the missing dvPortgroup inheritance in the past, and there are also a couple good posts from Luc Dekens and Alan Renouf:

http://geekafterfive.com/2011/04/04/dvportgroup-inheritance/
http://www.lucd.info/2009/10/12/dvswitch-scripting-part-2-dvportgroup/
http://blogs.vmware.com/PowerCLI/2011/11/vsphere-distributed-switch-powercli-cmdlets.html

Last but not least, special thanks to William Lam for pointing me to the right spot in the API. :)