Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Example on how to change segment discovery, qos, and security profiles enmasse.
#Change Segment Profiles
$Credential = Get-Credential
$skipcertcheck = $true
$AuthMethod = “Basic”
$NSXMgr=”IPorDNSName”
$policyapi = "/policy/api/v1"
$base_url = ("https://" + $NSXMgr + $policyapi)
#Change these to the name of the various profiles you want to remap all your segments to.
$TargetIPDPName = "default-ip-discovery-profile"
$TargetMacDPName = "default-mac-discovery-profile"
$TargetQoSDPName = "" # This doesn't typically exist unless created so it is omitted from script.
$TargetSGName = "default-spoofguard-profile"
$targetSecName = "default-segment-security-profile"
#Get Segment List to loop through.
$SegmentEndPoint = "/infra/segments"
$Segments = Invoke-restmethod -Uri ($base_url + $segmentendpoint) -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
#I would check to see what segments are returned before modifying to make sure you are hitting only the segments you want.
#You can do this by simply calling $segments.results
$segments.results | select id, display_name
#IP, Mac, QoS, SpoofGuard, Security, Discovery Profiles
$IPDPs = Invoke-restmethod -Uri ($base_url + "/infra/ip-discovery-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$MacDPs = Invoke-restmethod -Uri ($base_url + "/infra/mac-discovery-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$QoSPs = Invoke-restmethod -Uri ($base_url + "/infra/qos-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$SGPs = Invoke-restmethod -Uri ($base_url + "/infra/spoofguard-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
$SecPs = Invoke-restmethod -Uri ($base_url + "/infra/segment-security-profiles") -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
#Target Segment Profiles that you want.
$TargetIPDP = $IPDPs.results | Where-Object {$_.display_name -eq $TargetIPDPName}
$TargetMacDP = $MacDPs.results | Where-Object {$_.display_name -eq $TargetMacDPName}
$TargetQoSP = $QoSPs.results | Where-Object {$_.display_name -eq $TargetQoSDPName}
$TargetSGP = $SGPs.results | Where-Object {$_.display_name -eq $TargetSGName}
$TargetSecP = $SecPs.results | Where-Object {$_.display_name -eq $TargetSecName}
#I have a where statement here because I only want to change my HCX-Uplink segment. Remove it if you want to work against everything in $segments.results.
Foreach ($Segment in ($Segments.results | Where-object {$_.display_name -match "HCX-Uplink"}))
{
#Sets the Discovery Segment Profiles if mac or ip don't match what you've defined.
$endpoint = "/segment-discovery-profile-binding-maps"
$Binding = Invoke-restmethod -Uri ($base_url + $segmentendpoint + "/" + $segment.id + $endpoint) -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
If ($Binding.results.ip_discovery_profile_path -ne $TargetIPDP.path -or $Binding.results.mac_discovery_profile_path -ne $TargetMacDP.path)
{
$Body = ('{ "resource_type":"SegmentDiscoveryProfileBindingMap","mac_discovery_profile_path":"' + $TargetMacDP.path + '","ip_discovery_profile_path":"' + $targetIPDP.path +'"}')
Invoke-restmethod -Uri ($base_url + $binding.results.path) -Method PATCH -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod -Body $Body -ContentType "application/json"
}
#Sets QoS profile if one found, otherwise skips
$endpoint= "/segment-qos-profile-binding-maps"
If (![string]::IsNullorEmpty($TargetQoSP))
{
$Binding = Invoke-restmethod -Uri ($base_url + $segmentendpoint + "/" + $segment.id + $endpoint) -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
If ($Binding.results.qos_profile_path -ne $TargetQoS.path)
{
$Body = ('{ "resource_type":"SegmentQoSProfileBindingMap","qos_profile_path":"' + $TargetQoSP.path + '"}')
Invoke-restmethod -Uri ($base_url + $binding.results.path) -Method PATCH -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod -Body $Body -ContentType "application/json"
}
}
#Sets spoofguard or security profiles if they don't match what's defined.
$endpoint= "/segment-security-profile-binding-maps"
$Binding = Invoke-restmethod -Uri ($base_url + $segmentendpoint + "/" + $segment.id + $endpoint) -Method GET -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod
If ($Binding.results.spoofguard_profile_path -ne $TargetSGP.path -or $Binding.results.segment_security_profile_path -ne $TargetSecP.path)
{
$Body = ('{ "resource_type":"SegmentSecurityProfileBindingMap","segment_security_profile_path":"' + $TargetSecP.path + '","spoofguard_profile_path":"' + $TargetSGP.path +'"}')
Invoke-restmethod -Uri ($base_url + $binding.results.path) -Method PATCH -Credential $Credential -SkipCertificateCheck:$skipcertcheck -Authentication:$AuthMethod -Body $Body -ContentType "application/json"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.