# encoding: ascii
# api: powershell
# title: Update-vSwitchSecurity
# description: Change the security settings (Promiscuous Mode, MAC Address Changes, Forged Transmits) of a vSwitch. Requires PowerShell V2 and the VMware VI Toolkit (for Windows)
# version: 1.0
# type: script
# author: Glenn Sizemore 12
# license: CC0
# x-poshcode-id: 743
# x-archived: 2014-05-11T02:35:48
# x-published: 2009-12-19T12:53:00
#
#
#requires -version 2.0
# Author: Glenn Sizemore 12/19/2009
# Source: http://get-admin.com/blog/?p=239
#
# v1.0 : It works
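function Update-vSwitchSecurity {
<#
.SYNOPSIS
    Set the security policy (Promiscuous Mode, MAC Address Changes, Forged Transmits)
    of a vSwitch on one or more ESX hosts.
.DESCRIPTION
    For every host supplied (by parameter or pipeline) the function looks up the host's
    HostNetworkSystem, finds the vSwitch(es) whose name matches -vSwitch and rewrites all
    three security policy flags at once.  Each flag is set explicitly: a flag whose switch
    parameter is supplied becomes Accept ($true); a flag whose switch parameter is omitted
    becomes Reject ($false).  There is no way to leave a single flag untouched, so review
    the -WhatIf output before running against production hosts.

    Accepting any of these flags weakens the isolation the vSwitch provides: Promiscuous
    Mode lets a guest observe all traffic on the port, and MAC Address Changes / Forged
    Transmits let a guest send or receive with a MAC other than its own.  Leave them at
    Reject unless a workload genuinely needs them (e.g. an IDS sensor or nested hypervisor).

    Supports -WhatIf and -Confirm.
.PARAMETER vSwitch
    Name of the vSwitch to modify.  Matched with -like, so the PowerShell wildcards * and ?
    are honoured and a plain name (e.g. 'vSwitch1') matches only that switch, not 'vSwitch10'.
    Matching is case-insensitive.
.PARAMETER VMHost
    One or more host objects (as returned by Get-VMHost) whose vSwitch security should be
    modified.  Accepts pipeline input by value.
.PARAMETER AllowPromiscuous
    Set Promiscuous Mode to Accept, allowing a virtual adapter to see all traffic on the port.
    Omit to set it to Reject.
.PARAMETER MacChanges
    Set MAC Address Changes to Accept, allowing the guest to change the adapter's effective
    MAC address.  Omit to set it to Reject.
.PARAMETER ForgedTransmits
    Set Forged Transmits to Accept, allowing the virtual adapter to send frames with a source
    MAC that differs from its own.  Omit to set it to Reject.
.EXAMPLE
    Update-vSwitchSecurity -VMHost (Get-VMHost ESX1) -vSwitch 'vSwitch0'

    Sets Promiscuous Mode, MAC Address Changes and Forged Transmits to Reject on vSwitch0 of ESX1.
.EXAMPLE
    Get-Cluster SQL | Get-VMHost | Update-vSwitchSecurity vSwitch1 -AllowPromiscuous

    Enables Promiscuous Mode (and sets the other two flags to Reject) on vSwitch1 of every host in cluster SQL.
.EXAMPLE
    Get-Cluster SQL | Get-VMHost | Update-vSwitchSecurity vSwitch1 -AllowPromiscuous -WhatIf

    Shows what would be changed without touching the hosts, one line per host/switch:

    What if: Performing operation "Updating vSwitch1 Security settings: AllowPromiscuous=True,
    MacChanges=False, ForgedTransmits=False" on Target "ESX1".
.NOTES
    Author : Glenn Sizemore 12/19/2009
    Source : http://get-admin.com/blog/?p=239
    v1.0   : It works
    v1.1   : Converted from the V2 CTP 'Cmdlet' keyword to function + [CmdletBinding()];
             pipeline input is now handled in a process block; the vSwitch name is matched
             with -like (wildcard, as documented) instead of -match (regex substring), so
             'vSwitch1' no longer also changes 'vSwitch10'; the HostNetworkSystem view is
             fetched once per host; a warning is emitted when no switch matches.
    The VMHost parameter type is tied to the PowerCLI 4.x namespace
    (VMware.VimAutomation.Client20) - newer PowerCLI releases may need a different type name.
#>
    [CmdletBinding(SupportsShouldProcess=$true)]
    param (
        [Parameter(Position=0, Mandatory=$true, HelpMessage="Name of the vSwitch to modify")]
        [string]
        $vSwitch,

        [Parameter(Position=1, Mandatory=$true, ValueFromPipeline=$true, HelpMessage="One or more hosts for which we want to modify the vSwitch Security")]
        [VMware.VimAutomation.Client20.VMHostImpl[]]
        $VMhost,

        [switch]
        $AllowPromiscuous,

        [switch]
        $MacChanges,

        [switch]
        $ForgedTransmits
    )

    process {
        # Normalise the switch parameters once; these are the exact values written to the
        # policy and they render as "True"/"False" in the ShouldProcess message.
        $promisc = [bool]$AllowPromiscuous
        $macChg  = [bool]$MacChanges
        $forged  = [bool]$ForgedTransmits

        foreach ($H in $VMhost) {
            # Resolve the HostNetworkSystem managed object once per host; the same view is
            # used both to read the current vSwitch config and to apply the update.
            $hostView      = $H | Get-View
            $networkSystem = Get-View $hostView.ConfigManager.NetworkSystem

            # -like (wildcard) rather than -match (regex substring): a plain name must not
            # silently widen the change to every switch that merely contains that name.
            $targets = @($networkSystem.NetworkConfig.Vswitch | Where-Object { $_.Name -like $vSwitch })
            if ($targets.Count -eq 0) {
                Write-Warning "No vSwitch matching '$vSwitch' found on host $($H.Name); nothing changed."
                continue
            }

            foreach ($vs in $targets) {
                $switchSpec  = $vs.Spec
                $vSwitchName = $vs.Name

                # All three flags are always written; an omitted switch means Reject.
                $switchSpec.Policy.Security.AllowPromiscuous = $promisc
                $switchSpec.Policy.Security.MacChanges       = $macChg
                $switchSpec.Policy.Security.ForgedTransmits  = $forged

                $msg = "Updating $($vSwitchName) Security settings: AllowPromiscuous=$promisc, MacChanges=$macChg, ForgedTransmits=$forged"

                # Honour -WhatIf / -Confirm; the target shown is the host, the operation names the switch.
                if ($PSCmdlet.ShouldProcess($H.Name, $msg)) {
                    $networkSystem.UpdateVirtualSwitch($vSwitchName, $switchSpec)
                }
            }
        }
    }
}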