NSX-V: Create Logical Switches, Distributed Firewall Sections and Rules based on existing portgroup/vlans

In my previous blog post I wrote about how to automate the Enable MAC learning function on a VMware NSX Logical Switch via PowerShell/PowerNSX. In that post I referred to a script which I used to export the configuration of the portgroups/VLANs that were present in the environment at the time. I'm writing this blog post to share that script, because someone might have a use case for it.

The first step is to export all portgroups with their corresponding VLAN numbers. I used the script below to select all non-NSX-related portgroups and write them to a CSV file.

#####################################################################################################
####
#### Powershell Script | Export all non-NSX related portgroups to CSV ####
#### Version: v1.0 ####
#### Contact: wgeelhoed at itq.nl ####
#### Company: ITQ ####
####
#####################################################################################################

Get-Module -ListAvailable VMware* | Import-Module
Import-Module -Name PowerNSX

$vcenterpw = ''   # left empty on purpose; fill it in or, better, prompt for it with Get-Credential
Connect-VIServer vcsa01.wesleygeelhoed.local -user administrator@vwees.local -Password $vcenterpw
Connect-NsxServer -vCenterServer vcsa01.wesleygeelhoed.local -user administrator@vwees.local -Password $vcenterpw

$vdswitch = Get-VDSwitch -Name dvSwitch
# Skip the NSX-created VXLAN portgroups (vxw*) and the uplink portgroups
$portgroups = Get-VDPortgroup -VDSwitch $vdswitch | Where-Object {$_.Name -notlike "vxw*" -and $_.IsUplink -eq $false}

# Export with ';' as delimiter, which is what the import script below expects
$portgroups | Export-Csv -NoTypeInformation -Delimiter ';' -Path './export_nonnsx_pg.csv' -Force

Now that the exported portgroups are in place, we can use the second script to create the NSX objects based on the CSV output file. The DFW rule is tagged with the native VLAN ID; you can adjust this in the script itself. (Of course you can combine both into one script, but I needed to adjust the naming convention for the new Logical Switches and DFW sections and rules. Therefore I chose to first add a new column named 'NewName', fill it with the proper names and then use it in my second script.)

You need to slightly adjust the script when you are adding Universal Logical Switches instead of the Logical Switches that my script creates:
– Change the Transport Zone name to the name of the Universal Transport Zone
– Add '-Universal' behind the $section = New-NsxFirewallSection -Name $logicalswitchname line

As I mentioned earlier, I used this script to adjust the naming convention. If you just want to create the Logical Switches based upon the current portgroup name, you need to adjust the following line:
– Change $name = $item.NewName into $name = $item.Name

##################################################################################################################################################
#### ####
#### PowerNSX Script to create Logical Switches, DFW sections with Allow any-any (with tagging based on native VLAN number) rule from csv export out of Export_NonNSX_PGs_To_CSV.ps1 ####
#### Version: v1.0 ####
#### Contact: wgeelhoed at itq.nl ####
#### Company: ITQ ####
#### ####
##################################################################################################################################################

##Infra-Info##
$vcenterserver = 'vcsa01.wesleygeelhoed.local'
$vcenteradmin = 'administrator@vwees.local'
$transportzonename = 'NSX_TZ1'
$vcenterpw = ''   # left empty on purpose; fill it in or, better, prompt for it with Get-Credential

Get-Module -ListAvailable VMware* | Import-Module
Import-Module -Name PowerNSX

##Connection and details##
Connect-VIServer $vcenterserver -user $vcenteradmin -Password $vcenterpw
Connect-NsxServer -vCenterServer $vcenterserver -user $vcenteradmin -Password $vcenterpw
# The CSV was saved with ';' as delimiter; adjust -Delimiter if yours uses ','
$NONNSXPG = @(Import-Csv '\pathto\export_nonnsx_pg.csv' -Delimiter ";")

# Look up the transport zone once; it is the same for every Logical Switch
$transportzone = Get-NsxTransportZone -Name $transportzonename
$LS = 0

##Create Logical Switches, Sections and default Firewall Rules##
foreach ($item in $NONNSXPG)
{
    $name = $item.NewName            # change to $item.Name to keep the portgroup name
    $logicalswitchname = "$name"
    # VlanConfiguration is exported as e.g. 'VLAN 100'; strip the prefix to get the VLAN ID used in the rule tag
    $vlannumber = "$($item.VlanConfiguration)" -replace 'VLAN ', ''
    Write-Host ""
    Write-Host "VLAN ID = $vlannumber"

    if ($null -eq (Get-NsxLogicalSwitch -Name $logicalswitchname)) {
        Write-Host "Creating NSX Logical Switch $logicalswitchname" -ForegroundColor Yellow
        New-NsxLogicalSwitch -Name $logicalswitchname -TransportZone $transportzone -ControlPlaneMode UNICAST_MODE | Out-Null
    }
    else { Write-Host "$logicalswitchname already exists, skipping." }

    $logicalswitch = Get-NsxLogicalSwitch -Name $logicalswitchname

    if ($null -eq (Get-NsxFirewallSection -Name $logicalswitchname)) {
        Write-Host "Creating NSX DFW Section and DFW rule for $logicalswitchname" -ForegroundColor Yellow
        $section = New-NsxFirewallSection -Name $logicalswitchname    # add -Universal for Universal Logical Switches
        # Interim allow any-any rule, logged and tagged with the VLAN ID so these fallthrough rules can be found and tightened later
        New-NsxFirewallRule -Name "Allow Any-Any" -Action allow -Direction inout -Position Bottom -EnableLogging -Tag "ID=$vlannumber.R=FALLTHROUGH" -Section $section -AppliedTo $logicalswitch | Out-Null
    }
    else { Write-Host "$logicalswitchname Section already exists, skipping." }

    $LS++
    Write-Progress -Activity "Creating Logical Switches, Firewall sections and rules" -Status "Created: $LS of $($NONNSXPG.Count)" -PercentComplete (($LS / $NONNSXPG.Count) * 100)
}
Write-Host 'Logical switches, sections and Allow Any-Any default Firewall rules are created based upon the CSV file' -ForegroundColor Green
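An added check for this workflow (example code written for this post, not one of the original scripts): a dry run over the ';'-delimited CSV before the creation script consumes it. It assumes that single-VLAN portgroups export VlanConfiguration as 'VLAN <id>', which is the form the -replace in the script above relies on, and flags rows that would otherwise produce a misleading rule tag, an empty switch name, or two VLANs silently mapped onto one Logical Switch and DFW section.

```powershell
# Added example for this post's workflow, not one of the original scripts.
# Dry-run check of the ';'-delimited CSV before the creation script consumes it.
# Assumption: single-VLAN portgroups export VlanConfiguration as 'VLAN <id>'.
function Test-NonNsxPortgroupCsv {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,   # rows from Import-Csv / ConvertFrom-Csv
        [string] $NameColumn = 'NewName'           # use 'Name' if you keep the portgroup names
    )
    $findings = @()
    $seen = @{}
    foreach ($row in $Rows) {
        $pg = "$($row.Name)"
        $name = "$($row.$NameColumn)".Trim()
        $vlanText = "$($row.VlanConfiguration)"
        # Anything other than 'VLAN <1-4094>' (trunk, private VLAN, none) would end up
        # verbatim in the 'ID=...' rule tag and give a misleading VLAN reference.
        if ($vlanText -notmatch '^VLAN (\d{1,4})$' -or [int]$Matches[1] -lt 1 -or [int]$Matches[1] -gt 4094) {
            $findings += [pscustomobject]@{ Portgroup = $pg; Issue = "Unsupported VLAN config '$vlanText'" }
        }
        if (-not $name) {
            $findings += [pscustomobject]@{ Portgroup = $pg; Issue = "Empty $NameColumn" }
        }
        elseif ($seen.ContainsKey($name)) {
            # The creation script would print 'already exists, skipping' for the second row,
            # silently putting two VLANs behind one Logical Switch and one DFW section.
            $findings += [pscustomobject]@{ Portgroup = $pg; Issue = "Duplicate $NameColumn '$name' (also used by $($seen[$name]))" }
        }
        else {
            $seen[$name] = $pg
        }
    }
    return $findings
}

# Constructed sample in the shape of export_nonnsx_pg.csv after the NewName column was added
$sampleCsv = @'
Name;VlanConfiguration;NewName
dvPG-Web;VLAN 100;LS-Web-100
dvPG-App;VLAN 200;LS-App-200
dvPG-Trunk;VLAN Trunk [1-4094];LS-Trunk
dvPG-Mgmt;VLAN 110;LS-Web-100
'@
$rows = $sampleCsv | ConvertFrom-Csv -Delimiter ';'
$findings = Test-NonNsxPortgroupCsv -Rows $rows
if ($findings) { $findings | Format-Table -AutoSize; Write-Host 'Fix the CSV before running the creation script.' -ForegroundColor Red }
else { Write-Host 'CSV looks consistent.' -ForegroundColor Green }
```

With the constructed sample, the trunk row and the duplicate 'LS-Web-100' row are reported; replace the sample with Import-Csv on your own export to check it before creating anything.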

In case you messed things up or it didn't give you the outcome you had in mind, you can use this script to delete all of it, again based upon the CSV file.

Get-Module -ListAvailable VMware* | Import-Module
Import-Module -Name PowerNSX
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

$vcenterpw = ''   # left empty on purpose; fill it in or, better, prompt for it with Get-Credential
Connect-VIServer vcsa01.wesleygeelhoed.local -user administrator@vwees.local -Password $vcenterpw
Connect-NsxServer -vCenterServer vcsa01.wesleygeelhoed.local -user administrator@vwees.local -Password $vcenterpw

$NONNSXPG = Import-Csv 'pathto\export_nonnsx_pg.csv' -Delimiter ";"

##Delete Logical Switches, Sections and default Firewall Rules##
foreach ($item in $NONNSXPG)
{
    $name = $item.NewName
    Write-Host "Removing DFW section and Logical Switch $name"
    # -Force removes the section together with the rules it contains
    Get-NsxFirewallSection -Name $name | Remove-NsxFirewallSection -Confirm:$false -Force
    Get-NsxLogicalSwitch -Name $name | Remove-NsxLogicalSwitch -Confirm:$false
}

*Use these scripts at your own risk. Before applying them in a production environment, please test them thoroughly.

If someone has recommendations, comments or other points of improvement, please do not hesitate to contact me!

Thanks for reading, and hopefully this is useful for someone else as well.


sources: vmware.com, powershell.github.io, microsoft.com 
