I have been searching for a PowerCLI script to add/update/drop traffic filtering in a Distributed Port Group. After looking through the forums I found something that might work, but I am facing some issues.
$dvSwName = 'vDSwitch VDS'
$dvPgNames = 'vCenter Server'

$dvSw = Get-VDSwitch -Name $dvSwName

# Enable LBT
foreach ($pg in (Get-View -Id $dvSw.ExtensionData.Portgroup | Where {$dvPgNames -contains $_.Name})) {
    $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $spec.ConfigVersion = $pg.Config.ConfigVersion
    $spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $spec.DefaultPortConfig.FilterPolicy = New-Object VMware.Vim.DvsFilterPolicy

    $filter = New-Object VMware.Vim.DvsTrafficFilterConfig
    $filter.AgentName = 'dvfilter-generic-vmware'

    $ruleSet = New-Object VMware.Vim.DvsTrafficRuleset
    $ruleSet.Enabled = $true

    $rule = New-Object VMware.Vim.DvsTrafficRule
    $rule.Description = 'Traffic Drop Rule'
    $rule.Direction = 'both' #'outgoingPackets'

    $action = New-Object VMware.Vim.DvsDropNetworkRuleAction

    $qualifier = New-Object VMware.Vim.DvsIpNetworkRuleQualifier
    $qualifier.Protocol = ${6}
    $qualifier.DestinationAddress = ${ip:192.168.9.97}
    $qualifier.SourceAddress = ${ip:192.168.9.97}
    #$action.QosTag = 4

    $rule.Action += $action
    $rule.Qualifier += $qualifier
    $ruleSet.Rules += $rule
    $filter.TrafficRuleSet = $ruleSet
    $spec.DefaultPortConfig.FilterPolicy.FilterConfig += $filter

    $pg.ReconfigureDVPortgroup($spec)
}
1. This seems to create a Drop rule, but the qualifier section does not seem to work. Protocol, DestinationAddress and SourceAddress are not used; instead everything is taken as any.
How would I resolve this issue?
2. The allow rule should follow a similar syntax, I am assuming?
3. Also how do I remove an existing rule from the traffic filtering ruleset?
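An added example (not the poster's code) covering the three questions above: the qualifier built from IntExpression and SingleIp objects instead of bare strings (which is why everything was matched as "any"), an accept rule next to the drop rule, and removal of an existing rule by description before the ruleset is written back. It assumes an open PowerCLI session; the switch and port group names, rule descriptions and IP addresses are placeholders, and it assumes an existing traffic filter config can be updated in place by resubmitting it with its existing Key, which should be verified against your vSphere version.

```powershell
# Added example, not the poster's code. Names, IPs and the in-place update
# of an existing filter (reusing its Key) are assumptions; verify on your vCenter.
$pg   = Get-VDSwitch -Name 'vDSwitch VDS' | Get-VDPortgroup -Name 'vCenter Server'
$view = $pg.ExtensionData

function New-TrafficRule {
    param([string]$Description, [ValidateSet('allow','drop')][string]$Action,
          [string]$SourceIp, [string]$DestinationIp, [int]$Protocol = 6)
    $rule = New-Object VMware.Vim.DvsTrafficRule
    $rule.Description = $Description
    $rule.Direction   = 'both'
    # Action is a single object, so assign it rather than appending with +=
    $typeName = if ($Action -eq 'allow') { 'DvsAcceptNetworkRuleAction' } else { 'DvsDropNetworkRuleAction' }
    $rule.Action = New-Object "VMware.Vim.$typeName"
    $q = New-Object VMware.Vim.DvsIpNetworkRuleQualifier
    # Protocol is an IntExpression; a bare ${6} evaluates to $null, hence "any"
    $q.Protocol = New-Object VMware.Vim.IntExpression
    $q.Protocol.Value  = $Protocol
    $q.Protocol.Negate = $false
    # Addresses are IpAddress objects (SingleIp or IpRange), not strings
    $q.SourceAddress = New-Object VMware.Vim.SingleIp
    $q.SourceAddress.Address = $SourceIp
    $q.DestinationAddress = New-Object VMware.Vim.SingleIp
    $q.DestinationAddress.Address = $DestinationIp
    $rule.Qualifier = @($q)
    return $rule
}

# Reuse the port group's existing traffic filter config, or start a new one
$filter = @($view.Config.DefaultPortConfig.FilterPolicy.FilterConfig) |
    Where-Object { $_ -is [VMware.Vim.DvsTrafficFilterConfig] } | Select-Object -First 1
if (-not $filter) {
    $filter = New-Object VMware.Vim.DvsTrafficFilterConfig
    $filter.AgentName = 'dvfilter-generic-vmware'
    $filter.TrafficRuleset = New-Object VMware.Vim.DvsTrafficRuleset
    $filter.TrafficRuleset.Enabled = $true
}
# Remove the old rule by its description, then add an allow rule and a drop rule
$rules = @($filter.TrafficRuleset.Rules | Where-Object { $_ -and $_.Description -ne 'Traffic Drop Rule' })
$rules += New-TrafficRule -Description 'Allow TCP from mgmt' -Action allow -SourceIp '192.168.9.10' -DestinationIp '192.168.9.97'
$rules += New-TrafficRule -Description 'Drop TCP from lab'   -Action drop  -SourceIp '192.168.9.50' -DestinationIp '192.168.9.97'
$filter.TrafficRuleset.Rules = $rules

$spec = New-Object VMware.Vim.DVPortgroupConfigSpec
$spec.ConfigVersion = $view.Config.ConfigVersion
$spec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
$spec.DefaultPortConfig.FilterPolicy = New-Object VMware.Vim.DvsFilterPolicy
$spec.DefaultPortConfig.FilterPolicy.FilterConfig = @($filter)
$view.ReconfigureDVPortgroup($spec)
```

Rules are evaluated in order, so the allow rule is placed before the drop rule; after the reconfigure, re-read $view.Config.DefaultPortConfig.FilterPolicy to confirm the qualifiers now show the protocol and addresses rather than "any".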