Create a VDS Port Group for NSXV2T Bridging PowerCLI Script

PowerCLI
# Found https://vmscribble.com/powercli/create-a-vds-port-group-for-nsxv2t-bridging-powercli-script
# Tested with VMware PowerCLI 12.4.0 and VCSA 7.0.3
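# Setup Variables
# Values are trimmed because names pasted with stray whitespace would otherwise
# fail the later lookups in a confusing way; empty answers are rejected before
# anything is sent to vCenter.
$vCenter = ([string](Read-Host "Enter the FQDN of the vCenter")).Trim()
$VDSName = ([string](Read-Host "Enter the Distributed Switch Name")).Trim()
$DVPortgroupName = ([string](Read-Host "Enter the Port Group Name to Create")).Trim()

if (-not $vCenter -or -not $VDSName -or -not $DVPortgroupName) {
    throw "The vCenter FQDN, the Distributed Switch name and the Port Group name are all required."
}

# Have the user confirm to run the script.
# The prompt spells out the security-relevant settings (all VLANs trunked,
# Forged Transmits accepted, MAC Learning on) so they are acknowledged before
# the change is made. Ctrl+C at this prompt aborts without touching vCenter.
Write-host " "
Read-Host "
Hit ENTER to:
- Create a new Port Group Name $DVPortgroupName on VDS $VDSName
- VLAN Range 1-4094
- Load Balancing based on MAC hash
- Forged Transmits to Accept
- Native MAC Learning Enabled
"
Write-host " "

# Connect to vCenter
# -ErrorAction Stop ends the script if the login fails. Without it the script
# would carry on, and the later cmdlets could run against a vCenter session that
# was already open in this PowerShell session instead of the one typed above.
Connect-VIServer -Server $vCenter -ErrorAction Stop | out-null 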

# Thanks for both Functions Get-MacLearn and Set-MacLearn 
# https://github.com/lamw/vmware-scripts/blob/master/powershell/MacLearn.ps1
# https://williamlam.com/2018/04/native-mac-learning-in-vsphere-6-7-removes-the-need-for-promiscuous-mode-for-nested-esxi.html
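Function Get-MacLearn {
<#
    .NOTES
    ===========================================================================
     Created by:    William Lam
     Organization:  VMware
     Blog:          www.williamlam.com
     Twitter:       @lamw
        ===========================================================================
    .DESCRIPTION
        This function retrieves both the legacy security policies as well as the new
        MAC Learning feature and the new security policies which also live under this
        property which was introduced in vSphere 6.7

        The portgroup is looked up by name only. A name that matches more than one
        portgroup is reported and not evaluated, because the result could not be
        attributed to a single portgroup. Processing stops at the first name that
        cannot be reported (not found, ambiguous, or VDS older than 6.6.0); any
        names after it in the list are not processed.
    .PARAMETER DVPortgroupName
        The name of Distributed Virtual Portgroup(s)
    .OUTPUTS
        One object per portgroup with the properties DVPortgroup, MacLearning,
        NewAllowPromiscuous, NewForgedTransmits, NewMacChanges, Limit, LimitPolicy,
        LegacyAllowPromiscuous, LegacyForgedTransmits and LegacyMacChanges.
    .EXAMPLE
        Get-MacLearn -DVPortgroupName @("Nested-01-DVPG")
#>
    param(
        [Parameter(Mandatory=$true)][String[]]$DVPortgroupName
    )

    $minSwitchVersion = "6.6.0"

    foreach ($dvpgname in $DVPortgroupName) {
        # Collect every match so an ambiguous name can be detected explicitly.
        $found = @(Get-VDPortgroup -Name $dvpgname -ErrorAction SilentlyContinue | Where-Object { $_ })

        if ($found.Count -gt 1) {
            Write-Host -ForegroundColor Red "DVPortgroup name $dvpgname matches $($found.Count) portgroups; use a name that is unique"
            break
        }

        # Only ask for the parent switch when a portgroup was actually found;
        # piping an empty result into Get-VDSwitch just produces a second error.
        $dvpg = $null
        $switchVersion = $null
        if ($found.Count -eq 1) {
            $dvpg = $found[0]
            $switchVersion = ($dvpg | Get-VDSwitch).Version
        }

        if ($dvpg -and $switchVersion -and [version]$switchVersion -ge [version]$minSwitchVersion) {
            $portConfig = $dvpg.ExtensionData.Config.DefaultPortConfig
            $securityPolicy = $portConfig.SecurityPolicy
            $macMgmtPolicy = $portConfig.MacManagementPolicy

            # "New*" values come from MacManagementPolicy, "Legacy*" values from
            # the older SecurityPolicy; both are shown so they can be compared.
            [pscustomobject] @{
                DVPortgroup = $dvpgname;
                MacLearning = $macMgmtPolicy.MacLearningPolicy.Enabled;
                NewAllowPromiscuous = $macMgmtPolicy.AllowPromiscuous;
                NewForgedTransmits = $macMgmtPolicy.ForgedTransmits;
                NewMacChanges = $macMgmtPolicy.MacChanges;
                Limit = $macMgmtPolicy.MacLearningPolicy.Limit;
                LimitPolicy = $macMgmtPolicy.MacLearningPolicy.LimitPolicy;
                LegacyAllowPromiscuous = $securityPolicy.AllowPromiscuous.Value;
                LegacyForgedTransmits = $securityPolicy.ForgedTransmits.Value;
                LegacyMacChanges = $securityPolicy.MacChanges.Value;
            }
        } else {
            Write-Host -ForegroundColor Red "Unable to find DVPortgroup $dvpgname or VDS is not running $minSwitchVersion or later"
            # Stops the whole loop, not just this name.
            break
        }
    }
}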

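Function Set-MacLearn {
<#
    .NOTES
    ===========================================================================
     Created by:    William Lam
     Organization:  VMware
     Blog:          www.williamlam.com
     Twitter:       @lamw
        ===========================================================================
    .DESCRIPTION
        This function allows you to manage the new MAC Learning capabilities in
        vSphere 6.7 along with the updated security policies.

        When -EnableMacLearn is $false the function sets MAC Learning, Promiscuous
        mode, Forged Transmits and MAC Changes all to $false on the portgroup; the
        values passed for the other switches are ignored in that case.

        The portgroup is looked up by name only. A name that matches more than one
        portgroup is refused rather than guessed at, so that security settings are
        never relaxed on a portgroup the caller did not mean. Processing stops at
        the first name that cannot be handled; later names are not processed.
    .PARAMETER DVPortgroupName
        The name of Distributed Virtual Portgroup(s)
    .PARAMETER EnableMacLearn
        Boolean to enable/disable MAC Learn
    .PARAMETER EnablePromiscuous
        Boolean to enable/disable the new Prom. Mode property
    .PARAMETER EnableForgedTransmit
        Boolean to enable/disable the Forged Transmit property
    .PARAMETER EnableMacChange
        Boolean to enable/disable the MAC Address change property
    .PARAMETER AllowUnicastFlooding
        Boolean to enable/disable Unicast Flooding (Default $true)
    .PARAMETER Limit
        Define the maximum number of learned MAC Address, maximum is 4096 (default 4096)
    .PARAMETER LimitPolicy
        Define the policy (DROP/ALLOW) when max learned MAC Address limit is reached (default DROP)
    .EXAMPLE
        Set-MacLearn -DVPortgroupName @("Nested-01-DVPG") -EnableMacLearn $true -EnablePromiscuous $false -EnableForgedTransmit $true -EnableMacChange $false
#>
    param(
        [Parameter(Mandatory=$true)][String[]]$DVPortgroupName,
        [Parameter(Mandatory=$true)][Boolean]$EnableMacLearn,
        [Parameter(Mandatory=$true)][Boolean]$EnablePromiscuous,
        [Parameter(Mandatory=$true)][Boolean]$EnableForgedTransmit,
        [Parameter(Mandatory=$true)][Boolean]$EnableMacChange,
        [Parameter(Mandatory=$false)][Boolean]$AllowUnicastFlooding=$true,
        # Reject out-of-range values here instead of sending them to vCenter.
        [Parameter(Mandatory=$false)][ValidateRange(0,4096)][Int]$Limit=4096,
        [Parameter(Mandatory=$false)][ValidateSet("DROP","ALLOW")][String]$LimitPolicy="DROP"
    )
    
    $minSwitchVersion = "6.6.0"

    foreach ($dvpgname in $DVPortgroupName) {
        # Collect every match so an ambiguous name can be detected explicitly.
        $found = @(Get-VDPortgroup -Name $dvpgname -ErrorAction SilentlyContinue | Where-Object { $_ })

        if ($found.Count -gt 1) {
            Write-Host -ForegroundColor Red "DVPortgroup name $dvpgname matches $($found.Count) portgroups; refusing to change security settings on an ambiguous name"
            break
        }

        # Only ask for the parent switch when a portgroup was actually found;
        # piping an empty result into Get-VDSwitch just produces a second error.
        $dvpg = $null
        $switchVersion = $null
        if ($found.Count -eq 1) {
            $dvpg = $found[0]
            $switchVersion = ($dvpg | Get-VDSwitch).Version
        }

        if ($dvpg -and $switchVersion -and [version]$switchVersion -ge [version]$minSwitchVersion) {
            # Build a reconfigure spec that carries only the MAC management policy.
            $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
            $dvPortSetting = New-Object VMware.Vim.VMwareDVSPortSetting
            $macMmgtSetting = New-Object VMware.Vim.DVSMacManagementPolicy
            $macLearnSetting = New-Object VMware.Vim.DVSMacLearningPolicy
            $macMmgtSetting.MacLearningPolicy = $macLearnSetting
            $dvPortSetting.MacManagementPolicy = $macMmgtSetting
            $spec.DefaultPortConfig = $dvPortSetting
            # The spec is tied to the config version that was just read.
            $spec.ConfigVersion = $dvpg.ExtensionData.Config.ConfigVersion

            if($EnableMacLearn) {
                $macMmgtSetting.AllowPromiscuous = $EnablePromiscuous
                $macMmgtSetting.ForgedTransmits = $EnableForgedTransmit
                $macMmgtSetting.MacChanges = $EnableMacChange
                $macLearnSetting.Enabled = $EnableMacLearn
                $macLearnSetting.AllowUnicastFlooding = $AllowUnicastFlooding
                $macLearnSetting.LimitPolicy = $LimitPolicy
                $macLearnSetting.Limit = $Limit

                Write-Host "Enabling MAC Learning on DVPortgroup: $dvpgname ..."
            } else {
                # Disabling resets all three security switches to $false,
                # whatever was passed for them.
                $macMmgtSetting.AllowPromiscuous = $false
                $macMmgtSetting.ForgedTransmits = $false
                $macMmgtSetting.MacChanges = $false
                $macLearnSetting.Enabled = $false

                Write-Host "Disabling MAC Learning on DVPortgroup: $dvpgname ..."
            }

            # Submit the change and wait for the vCenter task to finish.
            $task = $dvpg.ExtensionData.ReconfigureDVPortgroup_Task($spec)
            $task1 = Get-Task -Id ("Task-$($task.value)")
            $task1 | Wait-Task | Out-Null
        } else {
            Write-Host -ForegroundColor Red "Unable to find DVPortgroup $dvpgname or VDS is not running $minSwitchVersion or later"
            # Stops the whole loop, not just this name.
            break
        }
    }
}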

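# Create the port group
# Security note: this port group trunks every VLAN (1-4094), accepts Forged
# Transmits and has MAC Learning enabled, so a VM attached to it can send and
# receive frames for many MAC addresses on any VLAN carried by the uplinks.
# -NumPorts 2 keeps the number of ports small; attach only the bridging
# appliance to it and review its membership after the migration.
Write-host " "
Write-host "Creating port group $DVPortgroupName on VDS $VDSName"
try {
    # -Server pins the lookup to the vCenter entered above instead of any other
    # session open in this PowerShell window; -ErrorAction Stop ends the run if
    # the switch is not found.
    $vds = Get-VDSwitch -Name "$VDSName" -Server $vCenter -ErrorAction Stop

    # Stop if the port group cannot be created (for example because the name is
    # already in use). Otherwise the next lines would relax the teaming and
    # security policy of a port group this script did not create.
    $newPortgroup = $vds | New-VDPortgroup -Name "$DVPortgroupName" -NumPorts 2 -VlanTrunkRange "1-4094" -ErrorAction Stop
    $newPortgroup

    # Work on the object that was just created rather than looking it up again by name.
    $newPortgroup | Get-VDUplinkTeamingPolicy | Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceSrcMac
    $newPortgroup | Get-VDSecurityPolicy | Set-VDSecurityPolicy -ForgedTransmits $true
    Write-host " "

    # Enable MAC Learning
    # Set-MacLearn and Get-MacLearn find the port group by name only, so the
    # name should be unique across the distributed switches of this vCenter.
    Set-MacLearn -DVPortgroupName @("$DVPortgroupName") -EnableMacLearn $true -EnablePromiscuous $false -EnableForgedTransmit $true -EnableMacChange $false
    Write-host " "

    # Display the settings of the new port group
    Write-host " "
    Write-host "Final specs of the port group $DVPortgroupName"
    Get-MacLearn -DVPortgroupName @("$DVPortgroupName")
    Write-host " "
} finally {
    # Disconnect vCenter
    # Runs even when a step above failed, so no authenticated session is left open.
    Disconnect-VIServer $vCenter -Confirm:$false
}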

The vCenter (VCSA) web GUI shows the 4 tasks and the resulting settings. Note that MAC Learning can only be seen via the PowerCLI function Get-MacLearn.