PowerNSX – Central CLI Parsing
Now that the PowerNSX code is published, there are many new ways of extracting, manipulating and administering your NSX deployment. This post outlines a method of validating the DFW filter and MAC address on given VMs, the rules applied to those virtual machines, and the address sets those rules reference, resolved to the IPs they actually contain.
Let's get started by reviewing the workflow in Central CLI.
Central CLI
NSX for vSphere introduced Central CLI. While this centralised the gathering of information, the approach is still cumbersome: you need the cluster ID, then the host ID, and then the VM ID before you can see the data for the VM you care about. It was a start, but one with overhead.
First, find the cluster ID:
melb-nsxm-01> show cluster all
No.  Cluster Name  Cluster Id  Datacenter Name  Firewall Status
1    Compute 1     domain-c76  Melbourne        Enabled
2    Management    domain-c61  Melbourne        Enabled
3    Compute 2     domain-c78  Melbourne        Enabled
Second, find the hosts in that cluster:
melb-nsxm-01> show cluster domain-c61
Datacenter: Melbourne
Cluster: Management
No.  Host Name             Host Id  Installation Status
1    mgt-esxi3.corp.local  host-37  Ready
2    mgt-esxi2.corp.local  host-34  Ready
3    mgt-esxi4.corp.local  host-40  Ready
4    mgt-esxi1.corp.local  host-31  Ready
Then examine the host in question to find the VMs running on it:
melb-nsxm-01> show host host-31
Datacenter: Melbourne
Cluster: Management
Host: mgt-esxi1.corp.local
No.  VM Name       VM Id   Power Status
1    melb-ops-01a  vm-167  on
2    TsLdr01-0     vm-620  on
3    DB01          vm-626  on
Let's have a closer look at DB01, which has the VM ID vm-626:
melb-nsxm-01> show vm vm-626
Datacenter: Melbourne
Cluster: Management
Host: mgt-esxi1.corp.local
VM: DB01
Virtual Nics List:
1. Vnic Name  DB01 - Network adapter 1
   Vnic Id    5001cf4f-f1cb-1087-78d3-943458ac8741.000
   Filters    nic-5783877-eth0-vmware-sfw.2
The Filters value is the DFW filter attached to that vNIC, and with it we can validate a whole heap of information for the vNIC. Below are the rules enforced on this specific vNIC. Keep in mind that the DFW evaluates rules in position order and the first match wins, so note how rule 1183 (drop any to any, with logging) at position 2 shadows everything beneath it, including the default IPv6 neighbour discovery and DHCP allow rules (1168, 1167). Spotting that kind of ordering problem is exactly what this check is for.
melb-nsxm-01> show dfw host host-31 filter nic-5783877-eth0-vmware-sfw.2 rules
ruleset domain-c61 {
  # Filter rules
  rule 1182 at 1 inout protocol tcp from addrset ip-securitygroup-78 to addrset ip-securitygroup-79 port 3306 accept;
  rule 1183 at 2 inout protocol any from any to any drop with log;
  rule 1168 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1168 at 4 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1167 at 5 inout protocol udp from any to any port 68 accept;
  rule 1167 at 6 inout protocol udp from any to any port 67 accept;
  rule 1166 at 7 inout protocol any from any to any accept;
}
ruleset domain-c61_L2 {
  # Filter rules
  rule 1169 at 1 inout ethertype any from any to any accept;
}
It can also resolve the address sets used in the rules above. These sets are populated by the IP discovery and learning mechanisms in the NSX backend (VMware Tools reporting, DHCP and ARP snooping), which is how objects such as Security Group or Logical Switch memberships get translated to IP addresses. That translation is worth checking: if discovery has not learnt a VM's address, the set simply lacks that IP and the rule never matches it, however correct the object membership looks in the UI.
melb-nsxm-01> show dfw host host-31 filter nic-5783877-eth0-vmware-sfw.2 addrsets
addrset ip-securitygroup-78 {
ip 10.0.2.11,
ip 10.0.2.12,
ip fe80::250:56ff:fe81:3618,
ip fe80::250:56ff:fe81:5231,
}
addrset ip-securitygroup-79 {
ip 10.0.3.11,
ip fe80::250:56ff:fe81:3a07,
}
So that is Central CLI. It is good for digging around, but the convoluted, repeated steps add administrative overhead.
PowerNSX
The PowerNSX module for PowerShell lets us speed this up. The hard work has been done by the author of PowerNSX (Nick Bradford): with a handful of cmdlets plus some impressive regular expressions, the required data can be pulled out of the CLI commands very easily. Because PowerNSX builds PowerShell objects to represent the Central CLI output, you get native filtering, sorting and iteration, which makes working with Central CLI much easier than typing into it directly.
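To make the "objects built from CLI text with RegEx" idea concrete, here is an added example (my own code, not PowerNSX's) that parses the raw text of the two Central CLI commands from the previous section into objects with the same shape as Get-NsxCliDfwRule and Get-NsxCliDfwAddrSet emit. The sample input is constructed from the DB01 output above so the script runs offline; the function names ConvertFrom-CliDfwRules and ConvertFrom-CliDfwAddrSets are mine, and the commented live-query lines assume an existing Connect-NsxServer session and Invoke-NsxCli's -Query and -RawOutput parameters.

```powershell
# Added example, not PowerNSX code: parse 'show dfw host <host> filter <filter> rules'
# and '... addrsets' text into PowerShell objects. Input below is constructed from the
# DB01 output on this page (two of the default rules omitted for brevity).

$rulesText = @'
ruleset domain-c61 {
  # Filter rules
  rule 1182 at 1 inout protocol tcp from addrset ip-securitygroup-78 to addrset ip-securitygroup-79 port 3306 accept;
  rule 1183 at 2 inout protocol any from any to any drop with log;
  rule 1168 at 3 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1167 at 5 inout protocol udp from any to any port 68 accept;
  rule 1166 at 7 inout protocol any from any to any accept;
}
ruleset domain-c61_L2 {
  # Filter rules
  rule 1169 at 1 inout ethertype any from any to any accept;
}
'@

$addrSetText = @'
addrset ip-securitygroup-78 {
ip 10.0.2.11,
ip 10.0.2.12,
ip fe80::250:56ff:fe81:3618,
}
addrset ip-securitygroup-79 {
ip 10.0.3.11,
}
'@

# One regex per rule line; named groups map straight onto object properties.
# 'port' and 'with log' are optional, so they are captured in optional groups.
$ruleRegex = '^rule\s+(?<id>\d+)\s+at\s+(?<pos>\d+)\s+(?<dir>\S+)\s+(?<kind>protocol|ethertype)\s+' +
             '(?<svc>.+?)\s+from\s+(?<src>.+?)\s+to\s+(?<dst>.+?)(?:\s+port\s+(?<port>\S+))?' +
             '\s+(?<action>accept|drop|reject)(?<log>\s+with\s+log)?;$'

function ConvertFrom-CliDfwRules {
    param([Parameter(Mandatory)][string]$Text)
    $ruleSet = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        # A 'ruleset <name> {' header sets the context for the rules that follow.
        if ($line -match '^ruleset\s+(?<name>\S+)\s*\{') { $ruleSet = $Matches.name; continue }
        if (-not ($line -match $ruleRegex)) { continue }       # comments, braces, blank lines
        $type = if ($Matches.kind -eq 'protocol') { 'Layer3' } else { 'Layer2' }
        $port = if ($Matches.port) { $Matches.port } else { 'Any' }
        [pscustomobject]@{
            RuleSet     = $ruleSet
            RuleID      = [int]$Matches.id
            Position    = [int]$Matches.pos
            Direction   = $Matches.dir
            Type        = $type
            Service     = $Matches.svc
            Source      = $Matches.src
            Destination = $Matches.dst
            Port        = $port
            Action      = $Matches.action
            Log         = [bool]$Matches.log
        }
    }
}

function ConvertFrom-CliDfwAddrSets {
    param([Parameter(Mandatory)][string]$Text)
    $set = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^addrset\s+(?<name>\S+)\s*\{') { $set = $Matches.name; continue }
        # Member lines look like 'ip 10.0.2.11,' (trailing comma on every entry).
        if ($line -match '^(?<type>ip|mac)\s+(?<addr>[^,\s]+),?$') {
            [pscustomobject]@{ AddrSet = $set; Type = $Matches.type; Address = $Matches.addr }
        }
    }
}

$rules = ConvertFrom-CliDfwRules -Text $rulesText
$sets  = ConvertFrom-CliDfwAddrSets -Text $addrSetText
$rules | Format-Table RuleID, Position, Type, Service, Source, Destination, Port, Action, Log -AutoSize
$sets  | Format-Table -AutoSize

# Against a live NSX Manager (assumption: Connect-NsxServer already done) the same
# parsers can be fed the raw text of the query used in the Central CLI section:
# $raw = Invoke-NsxCli -Query 'show dfw host host-31 filter nic-5783877-eth0-vmware-sfw.2 rules' -RawOutput
# ConvertFrom-CliDfwRules -Text ($raw -join "`n")
```

Because the result is objects rather than text, the Action and Log columns the table view above drops are still there to filter on, for example `$rules | Where-Object { $_.Action -eq 'drop' -and -not $_.Log }` to find drops that are not being logged.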
PowerCLI C:\> get-vm app01 | Get-NsxCliDfwFilter

Vnic Name     : App01 - Network adapter 1
Filters       : nic-5805072-eth0-vmware-sfw.2
Port Group Id : dvportgroup-617
Mac Address   : 00:50:56:81:52:31
Vnic Id       : 5001ca95-c3d2-4f46-590a-f1799fb14bba.000
This quick output shows the vNIC name, the filter name, the associated port group ID, the MAC address and the vNIC ID. Now let's look at the rules. The ft after the pipe is Format-Table; it tidies the output into a table instead of a blob that scrolls forever.
PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwRule | ft -wrap -autosize

RuleSet        InternalRule  RuleID  Position  Direction  Type    Service                Source                       Destination
-------        ------------  ------  --------  ---------  ----    -------                ------                       -----------
domain-c61     False         1180    1         inout      Layer3  tcp                    addrset ip-securitygroup-77  addrset ip-ipset-40
domain-c61     False         1181    2         inout      Layer3  tcp                    addrset ip-ipset-41          addrset ip-securitygroup-78
domain-c61     False         1182    3         inout      Layer3  tcp                    addrset ip-securitygroup-78  addrset ip-securitygroup-79
domain-c61     False         1183    4         inout      Layer3  any                    any                          any
domain-c61     False         1168    5         inout      Layer3  ipv6-icmp icmptype 136 any                          any
domain-c61     False         1168    6         inout      Layer3  ipv6-icmp icmptype 135 any                          any
domain-c61     False         1167    7         inout      Layer3  udp                    any                          any
domain-c61     False         1167    8         inout      Layer3  udp                    any                          any
domain-c61     False         1166    9         inout      Layer3  any                    any                          any
domain-c61_L2  False         1169    1         inout      Layer2  any                    any                          any
Remember that what the PowerNSX Central CLI cmdlets emit are objects, not just text, so we can shape the output. I don't need the ruleset, the internal-rule flag or the direction right now, so I'll pass only the columns I am interested in to Format-Table: RuleID, Type, Service, Source, Destination and Port.
PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwRule | ft RuleID,Type,Service,Source,Destination,Port -wrap -autosize

RuleID  Type    Service                Source                       Destination                  Port
------  ----    -------                ------                       -----------                  ----
1180    Layer3  tcp                    addrset ip-securitygroup-77  addrset ip-ipset-40          80
1181    Layer3  tcp                    addrset ip-ipset-41          addrset ip-securitygroup-78  80
1182    Layer3  tcp                    addrset ip-securitygroup-78  addrset ip-securitygroup-79  3306
1183    Layer3  any                    any                          any                          Any
1168    Layer3  ipv6-icmp icmptype 136 any                          any                          Any
1168    Layer3  ipv6-icmp icmptype 135 any                          any                          Any
1167    Layer3  udp                    any                          any                          68
1167    Layer3  udp                    any                          any                          67
1166    Layer3  any                    any                          any                          Any
1169    Layer2  any                    any                          any                          Any
So what do the address sets resolve to? Let's list every address set applicable to App01.
PowerCLI C:\Users\Administrator\Desktop> get-vm app01 | Get-NsxCliDfwAddrSet | ft -wrap -autosize

AddrSet              Type  Address
-------              ----  -------
ip-ipset-40          ip    172.16.1.6
ip-ipset-41          ip    172.16.1.1
ip-securitygroup-77  ip    10.0.1.11
ip-securitygroup-77  ip    10.0.1.12
ip-securitygroup-77  ip    fe80::250:56ff:fe81:278
ip-securitygroup-77  ip    fe80::250:56ff:fe81:2ad2
ip-securitygroup-78  ip    10.0.2.11
ip-securitygroup-78  ip    10.0.2.12
ip-securitygroup-78  ip    fe80::250:56ff:fe81:3618
ip-securitygroup-78  ip    fe80::250:56ff:fe81:5231
ip-securitygroup-79  ip    10.0.3.11
We can see what each security group actually resolves to, nice and easily. I don't need to know the filter name, which host the VM is on or which cluster it is in. I don't even need to find the VM ID. Super easy.
An offering
Wrapping this up into a complete script: my rule_validation.ps1 is hosted on BitBucket and does everything shown above. It takes a user-defined parameter, $vmname, which is set on execution to choose the VM. NOTE: the lookup uses the -match RegEx operator, so searching for web returns every VM whose name contains web, not just the VM named web; anchor the pattern (^web$) if you want an exact match.

PowerCLI C:\Users\Administrator\Desktop> .\rule-validation.ps1 -vmname db01

DB01 Firewall filter and VM IPs

Name  IP Address
----  ----------
DB01  10.0.3.11

Resolving objects applied to DB01

Vnic Name     : DB01 - Network adapter 1
Filters       : nic-5783877-eth0-vmware-sfw.2
Port Group Id : dvportgroup-618
Mac Address   : 00:50:56:81:3a:07
Vnic Id       : 5001cf4f-f1cb-1087-78d3-943458ac8741.000

AddrSet              Type  Address
-------              ----  -------
ip-securitygroup-78  ip    10.0.2.11
ip-securitygroup-78  ip    10.0.2.12
ip-securitygroup-78  ip    fe80::250:56ff:fe81:3618
ip-securitygroup-78  ip    fe80::250:56ff:fe81:5231
ip-securitygroup-79  ip    10.0.3.11
ip-securitygroup-79  ip    fe80::250:56ff:fe81:3a07

Output of all rules

RuleID  Service                Source                       Destination                  Port
------  -------                ------                       -----------                  ----
1182    tcp                    addrset ip-securitygroup-78  addrset ip-securitygroup-79  3306
1183    any                    any                          any                          Any
1168    ipv6-icmp icmptype 136 any                          any                          Any
1168    ipv6-icmp icmptype 135 any                          any                          Any
1167    udp                    any                          any                          68
1167    udp                    any                          any                          67
1166    any                    any                          any                          Any
1169    any                    any                          any                          Any
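The script output above still leaves the reader to join the rule table against the address-set table by eye. As an added example (my own code, not the author's rule_validation.ps1 and not part of PowerNSX), the following does that join: it rewrites each rule's Source and Destination as the resolved IPs, flags any address set that resolved to nothing, and answers "which of App01's rules involve DB01's address 10.0.3.11, and on which side?". The sample objects are constructed from the App01 tables above and carry the same property names as Get-NsxCliDfwRule and Get-NsxCliDfwAddrSet output, so with a live Connect-NsxServer session the two cmdlets can be substituted for them; rule 9999 and ip-securitygroup-99 are constructed to show the empty-set case and do not exist on the page. The function names Resolve-DfwReference, Expand-DfwRule and Find-DfwRuleForIp are mine.

```powershell
# Added example, not the author's script: resolve DFW address sets per rule and check
# which rules can match a given IP. Sample data constructed from the App01 tables above;
# with a live session replace with:
#   $rules = Get-VM app01 | Get-NsxCliDfwRule
#   $sets  = Get-VM app01 | Get-NsxCliDfwAddrSet

$rules = @(
    [pscustomobject]@{ RuleID = 1180; Service = 'tcp'; Source = 'addrset ip-securitygroup-77'; Destination = 'addrset ip-ipset-40';         Port = '80' }
    [pscustomobject]@{ RuleID = 1181; Service = 'tcp'; Source = 'addrset ip-ipset-41';         Destination = 'addrset ip-securitygroup-78'; Port = '80' }
    [pscustomobject]@{ RuleID = 1182; Service = 'tcp'; Source = 'addrset ip-securitygroup-78'; Destination = 'addrset ip-securitygroup-79'; Port = '3306' }
    [pscustomobject]@{ RuleID = 1183; Service = 'any'; Source = 'any';                         Destination = 'any';                         Port = 'Any' }
    # Constructed case (not on the page): a rule whose source set IP discovery never populated.
    [pscustomobject]@{ RuleID = 9999; Service = 'tcp'; Source = 'addrset ip-securitygroup-99'; Destination = 'addrset ip-securitygroup-79'; Port = '22' }
)
$sets = @(
    [pscustomobject]@{ AddrSet = 'ip-ipset-40';         Type = 'ip'; Address = '172.16.1.6' }
    [pscustomobject]@{ AddrSet = 'ip-ipset-41';         Type = 'ip'; Address = '172.16.1.1' }
    [pscustomobject]@{ AddrSet = 'ip-securitygroup-77'; Type = 'ip'; Address = '10.0.1.11' }
    [pscustomobject]@{ AddrSet = 'ip-securitygroup-77'; Type = 'ip'; Address = '10.0.1.12' }
    [pscustomobject]@{ AddrSet = 'ip-securitygroup-78'; Type = 'ip'; Address = '10.0.2.11' }
    [pscustomobject]@{ AddrSet = 'ip-securitygroup-78'; Type = 'ip'; Address = '10.0.2.12' }
    [pscustomobject]@{ AddrSet = 'ip-securitygroup-79'; Type = 'ip'; Address = '10.0.3.11' }
)

function Resolve-DfwReference {
    # 'addrset <name>' -> the set's IP members; anything else ('any', a literal IP) passes through.
    # Returns an empty array when the set has no members, so callers can detect it.
    param([string]$Reference, [object[]]$AddrSets)
    if (-not ($Reference -match '^addrset\s+(?<name>\S+)$')) { return @($Reference) }
    $name = $Matches.name
    return @($AddrSets | Where-Object { $_.AddrSet -eq $name -and $_.Type -eq 'ip' } |
             Select-Object -ExpandProperty Address)
}

function Expand-DfwRule {
    # Rules with Source/Destination rewritten as resolved IP lists. An empty set means the
    # rule can never match, which is usually a VM whose IP discovery is not working.
    param([object[]]$Rules, [object[]]$AddrSets)
    foreach ($r in $Rules) {
        $src = @(Resolve-DfwReference -Reference $r.Source -AddrSets $AddrSets)
        $dst = @(Resolve-DfwReference -Reference $r.Destination -AddrSets $AddrSets)
        $srcText = if ($src.Count) { $src -join ', ' } else { "$($r.Source) (EMPTY)" }
        $dstText = if ($dst.Count) { $dst -join ', ' } else { "$($r.Destination) (EMPTY)" }
        $warn = ''
        if ($src.Count -eq 0 -or $dst.Count -eq 0) { $warn = 'address set resolved to no IPs' }
        [pscustomobject]@{ RuleID = $r.RuleID; Service = $r.Service; Port = $r.Port
                           Source = $srcText; Destination = $dstText; Warning = $warn }
    }
}

function Find-DfwRuleForIp {
    # Rules that can match traffic involving $Ip, in the order given (pass rules in position
    # order, as Get-NsxCliDfwRule returns them: the DFW is first-match, so order is meaning).
    param([string]$Ip, [object[]]$Rules, [object[]]$AddrSets)
    foreach ($r in $Rules) {
        $src = @(Resolve-DfwReference -Reference $r.Source -AddrSets $AddrSets)
        $dst = @(Resolve-DfwReference -Reference $r.Destination -AddrSets $AddrSets)
        if ($src.Count -eq 0 -or $dst.Count -eq 0) { continue }   # reported by Expand-DfwRule
        $side = @()
        if ($src -contains 'any' -or $src -contains $Ip) { $side += 'source' }
        if ($dst -contains 'any' -or $dst -contains $Ip) { $side += 'destination' }
        if ($side.Count) {
            [pscustomobject]@{ RuleID = $r.RuleID; Service = $r.Service; Port = $r.Port; MatchesAs = ($side -join '/') }
        }
    }
}

Expand-DfwRule -Rules $rules -AddrSets $sets | Format-Table -AutoSize -Wrap
# DB01's address, taken from the script output above.
Find-DfwRuleForIp -Ip '10.0.3.11' -Rules $rules -AddrSets $sets | Format-Table -AutoSize
```

The second table is the one to read when someone asks "why can't App01 reach the database": only rules whose resolved sets actually contain the peer address are listed, so a Security Group that looks right in the UI but has not learnt the VM's IP shows up as an EMPTY warning in the first table rather than as a phantom allow in the second.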
Conclusion
This is an insight into how PowerNSX simplifies validation and operation of your platform. It is another tool in the administrator's chest: powerful on its own, and easy to integrate into other workflows built on PowerCLI.
Great post and thanks for the useful rule validation script.
That will come in very handy!
No worries. I hope that is useful.
I need to add some error validation to it, but it is a minimum viable script for now!
Hi:
I’m trying to use your script but I get this error:
get-vm : 2/28/2017 12:51:12 PM Get-VM [Invoke-NsxCli][ERROR] Unable
to execute Centralized CLI query. invoke-nsxrestmethod : Exception occured
calling invoke-restmethod. 406 : Not Acceptable : Response Body:
.Exception.Message. Try re-running command with the -RawOutput parameter.
At S:\NSX\scripts\rulevalidator.ps1:32 char:1
+ get-vm $vmactual | Get-NsxCliDfwRule | ft -wrap -autosize
RuleID,service,Source, …
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-VM], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomatio
n.ViCore.Cmdlets.Commands.GetVM
Is PowerCLI connected to a vCenter instance?
Can you re-run this with -rawOutput please.
Having the same issue. What portion of the command should have the -rawOutput? I have added it to different parts of the PowerCLI command.
Have you had the same error?