Posts

Syntax Highlighting in Notepad++

I do a lot of work with PowerCLI and my favorite text editor is Notepad++.  Recently, I've been adding more modules to my repertoire (PowerNSX and PowerVRNI, I'm looking at you!) and I've finally decided that I need to add all of these modules' cmdlets to my syntax highlighting in NPP.  The proper way to do this is to define a custom language and add everything to it.  This can be done through the GUI (yuk) or by editing a custom language XML file.

Unfortunately, there's no way to clone an existing language as a start for a custom language (or at least, I couldn't find a way to do it).  Even more unfortunately, the custom language definitions file syntax is pretty different from the inbuilt ones, so you can't just copy and then edit the XML from the already existing PowerShell language.

Not if you want to do it the proper way.  It looks to me like I can trivially edit my default langs.xml file (where PowerShell is defined) and add an arbitrary set of keywor…

Using VRNI to Analyze Applications

As I've been doing more NSX Distributed Firewall work, one of my customers came to me with an interesting challenge.  They had a fairly complicated application that they wanted to move into a microsegmented security model, but they only had a diagram from when the application was initially deployed and were confident that it didn't show everything that the application did or even all of the VMs that were part of the application.  It was an interesting problem, and since they had vRealize Network Insight deployed, the answer was fairly straightforward!

VRNI captures network traffic information from just about any device that can forward NetFlow data.  It uses that data to figure out which devices are communicating with each other, as well as highlighting all sorts of network issues like dropped packets or asymmetric routes.  In this case, I just used it as a giant repository of glorious 5-tuple data!

I started by registering the application in VRNI.  I went to Security and then

Using ESXCLI V2 to Configure Storage Multipathing

A customer recently came to me with the need to use ESXCLI to configure a bunch of storage settings on all of their ESXi hosts.  He had been planning on connecting to the local console of each host and then executing the command, but wanted to know if there was a better way.  Of course there is!  We could use plink to run a script on his workstation that would establish SSH connections to his servers and then execute the ESXCLI commands... or we can do it all through PowerCLI!

I actually tackled this same problem 5 years ago using get-esxcli.  At that point, I did it with the normal V1 version of the cmdlet, which required carefully spaced lists of parameters, leading to ugly lines like this: $esxcli.storage.core.device.set($thisLUN.CanonicalName,$null,$null,$queueFullSample,$queueFullThreshold,$null)

No more!  Now, we have access to get-esxcli -v2, which is much easier to use!  Instead of needing to put a bunch of $nulls into the .set() method to space out our values, we can use the …

Upgrading a VDI vCenter 5.5 on Windows to VCSA 6.5

I recently worked with a customer to upgrade their Horizon VDI environment's Windows vCenter 5.5 server to the vCenter Server Appliance running 6.5.  I knew from an earlier experience that such a migration could potentially be challenging, but I hoped that things would go more smoothly this time, since that old issue was from before the Migrate option was introduced.  This customer also had a smaller, completely isolated DR VDI environment that we could upgrade first, to prove out our process.  So, that's what we did!

The migration of the DR environment went without a hitch.  We even spun up about 20 desktops and had a few IT staff log into and use them during the upgrade, so that we could be confident that we'd identify any issues that might impact the users during the production migration.  Everything went great, so we confidently moved forward with the production migration.  You can probably guess what happened next.

Fortunately, we didn't run into any catastrophic …

NSX Section Based Distributed Firewall Model

I've written before about creating NSX Distributed Firewall Rules following a model that uses rules that will specifically hit traffic based on whether it's Inbound or Outbound.  That model is also useful for creating NSX Security Policies, as there's no negative logic (NOT applied to object) in the rule set.  While that model works great, it can be a bit difficult to wrap your head around.  In turn, that can make it difficult to hand off to a customer... so we've been working on an alternate model.

Unfortunately, this model does not work with Service Composer Policies, but it's flexible enough that it doesn't really need them.  It's based on a set of generic Security Tags (with corresponding Security Groups) that interact to create a dynamic micro-segmentation solution.  This model is based on defining a set of DFW Sections, each of which serves a very specific purpose in blocking or allowing traffic.  When creating new firewall rules, the administrator only n…

Pulling Average VM Network Usage En Masse

One of my customers is considering moving some of their infrastructure around and wanted to get an idea about how their WAN connection might be impacted by the move.  They didn't have vROPS and we didn't want to enable greater vCenter logging due to space constraints on the SQL server (that tells you that we're working with some older systems, doesn't it!).  So, I decided that our best course of action would be to write a script that could run on an interval, collecting and summarizing the real-time statistics that we actually needed.  Hence the creation of summarize-VMNetUsage.ps1!

This is a pretty straightforward script.  If you run it without any parameters, it will find the highest 20 second Average Network Usage stats from all VMs in an environment, then return a summary of its findings: VM Count, sum, average, maximum, minimum, and a date-stamp.  Then, the script enters a holding pattern until 1 hour has passed and it starts the process again.  It does this for 2…

Using the NSX API to Check the Status of a Firewall Rule Publish Action

Well, that title sure is a mouthful!  But, it's also what this post is all about, so let's get to it!  One of my customers was experiencing an issue where it was taking longer than expected for an NSX firewall rule publish to propagate to all of their ESXi hosts. While troubleshooting the core issue, they needed a way to get better visibility into the process so that they'd know when their publishes had succeeded.  That data was not available in the GUI, but after asking a few friends at VMware, we learned that we could get to it through the API by a simple command: GET /api/4.0/firewall/globalroot-0/status.  Those are the facts that we collected, so here's what we did with them!

First, I knew that one of my customers had done some work with the NSX API, so I asked him for some advice.  He pointed me at one of Mark Wahl's articles and gave me an excellent framework to build on.

I used that NSX API framework to send the GET command that we'd collected, which gav…