vSwitch security policies

Update 2009-2-22: Yet again, I updated the script, this time just to simplify and shorten the code using the “normal” method of updating values in objects retrieved from the SDK (rather than creating a whole new object and copying values, the script now updates the object retrieved, then uses that to update).

Update 2009-01-02: I have updated the script again, this time using the standard “vihost” so that you can connect to vCenter and change a host’s switches, as opposed to just connecting to the ESX host directly. I have also started using the _default_ parameter, which means that it is no longer necessary to specify the “–vswitch” option, but rather it is the last option on the line (just like all the other VMware provided scripts).

Update 2008-12-30: I have updated the script so that it defaults to turning all options off without having to specify them. This makes it easier to use (thanks to Glenn for this idea…).

I haven’t posted in a while, but it’s not because I haven’t been busy. The bulk of my recent work has been in automating the droll configuration items for an ESX server. With the exception of hardening the COS, pretty much everything can be setup/configured remotely via the SDK or rCLI. If you can change or set something via the Virtual Infrastructure Client, then you can set it via the SDK.

I am no POSH coder (just ask Glenn…), but I do know some perl, so using the VI Perl Toolkit, I’ve been able to script most of the configuration items that I need to do for an ESX server. This post is the first in what I hope will be a line that will hopefully contain scripts on configuring most aspects of an ESX host remotely.

I set all of our vSwitches to have Promiscuous Mode, Forged Transmits and MAC changes disabled, and so far there are no port groups that override this setting, thus giving me at least a little sense of security for certain aspects of my virtual networking.

In order to set the security policy remotely I had to write a perl script:

Please feel free to use the script, I do ask that if you find bugs to let me know. If you make improvements, it would be fantastic if you could send them to me, I’ll update the script and credit the author.

I have used this script on about 15 hosts without a problem, but I haven’t done any extensive bug hunting or error checking, so I can’t guarantee it will work 100% of the time, nor can I guarantee you won’t mess up your server. I HIGHLY recommend you move all VMs off the host and put it in maintenance mode before you adjust any parameters, this is especially true when changing your network config and you are using IP storage (NFS/iSCSI).

I execute the script from a VIMA appliance, however it should work from any host that has the perl toolkit installed (I think, but I’m not 100% sure, that if you have the rCLI installed you also have the Perl toolkit).

As you can see from just this one, simple, short script, there is a lot of power available to us in the SDK. With very minor modifications we can adjust the number of ports, change the traffic shaping policy, change the NICs assigned and their status (active/standby), and much more.

As time goes on, this script will probably expand to include a lot more functionality, and morph from a very specific “cfg-vswitch-secpol.pl” to a more general “host-adv-network-config.pl”. But, that depends on whether I decide to keep multiple small scripts for the advanced functionality, or create a single “super-script” for networking (I’m not too good with perl’s object model yet, so many small scripts means lots of redundant code, which I don’t like…guess I’ll be getting better at perl).

Update 2008-12-19: – It occurred to me that I had meant to post the method for changing vSwitch security policy settings from the command line on the host as well. So, since I just had a four hour drive for it to drive me nuts, I’m doing it now…

Obviously, change the “vSwitch0” to the name of your vSwitch.

This is slightly different for ESX versions 3.0.x since the vmware-vim-cmd doesn’t exist. Instead use the “vimsh -e” command with the same accessor (the “hostsvc/net/vswitch_setpolicy”) and options. Xtravirt has some good documentation on this process.

3 thoughts on “vSwitch security policies”

  1. Andrew, thank you for the script. I’ve tried to run the script from within Windows using the VI Toolkit without success. The error(s) I recieve are;

    Global symbol “$security_policy” requires explicit package name at cfg-vswtich-secpol.pl line 124.
    Global symbol “$spec” requires explicit package name at cfg-vswtich-secpol.pl line 131.
    Execution of cfg-vswtich-secpol.pl aborted due to compilation errors.

    I’m not a Perl expert, I’ve attempted to decyper where the error, however I’m stumped. Can you help? Thank you!

  2. I seem to have “fat fingered” a variable.

    # Line 118 should read:
    my $security_policy = HostNetworkSecurityPolicy->new ...

    Note that I transposed the “r” and “i” in the original.

    The second error happened because I didn’t specify the correct location of the spec…the original (before I modified the post above) had the variable from before the script was updated the last time…anyway:

    # Line 130 should read:
    spec => $vswitch->spec

    Sorry for the confusion! Thanks for letting me know!!


Leave a Reply