Checking Distributed Switch PNICs for Invalid VLAN Traffic

4/26/17 Update: I changed this script so that it no longer uses the min/max VLAN numbers and instead discovers a list of valid VLANs based on the Port Groups that are defined on the VDS.  It then alerts if it sees any VLANs that are not in that list.

One of my customers has several physical uplinks going into their ESXi hosts, each carrying a different set of VLANs.  They recently had an issue where an uplink carrying one set of VLANs was accidentally attached to a VDS that was configured for the other set.  This wasn't a catastrophic issue, as the VDS had no port groups defined for those VLANs and so any traffic arriving on them was dropped into the bit bucket, but it did mean that one of the links going into that switch was useless.

After we corrected the issue, we decided that we should audit the environment to see if this problem had occurred anywhere else but not been detected.  We decided that the best way to perform an initial scan of the environment would be to leverage the NIC traffic hints that VMware generates per PNIC and see if any PNICs either registered no traffic or registered traffic from VLANs that were not appropriate.  This process required examining every PNIC attached to every VDS and ensuring that it conformed to standards.

As you can imagine, I didn't want to do this by hand... so I wrote a script to do it for me!  In its original form the script takes 3 parameters: VDSwitch, minVLANID, and maxVLANID (the update above describes how the current version derives the acceptable VLANs from the port groups instead).  VDSwitch is the name of the Distributed Switch that the script will examine.  minVLANID is the lowest numbered VLAN that is acceptable on the VDS and maxVLANID is the highest numbered VLAN that is acceptable on the VDS.

With that data provided, the script will loop through each PNIC on each ESXi Host that's attached to the specified VDS, examining the VLAN traffic hints.  If it finds any VLANs that are outside of that range, it will report that in red during execution.  If it finds any links with no observed traffic, it will report that in yellow.  After it's done, it spits out a full report that lists each ESXi host, the min/max VLAN numbers and the observed traffic on each PNIC.
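The following PowerCLI script is an added example of the audit described above, not the author's script.  It implements the port-group-driven behaviour from the 4/26/17 update rather than the min/max parameters: it builds the set of acceptable VLANs from the non-uplink port groups on the VDS, queries the network hints for every physical uplink on every attached host, and flags uplinks with unexpected VLANs (red) or no observed traffic (yellow) before emitting a per-PNIC report.  It assumes an existing Connect-VIServer session, the PowerCLI cmdlets and parameters shown (Get-VDSwitch, Get-VDPortgroup, Get-VMHost -DistributedSwitch, Get-VMHostNetworkAdapter -DistributedSwitch -Physical), and the vSphere API shapes named in the comments; treat those as assumptions to verify against your PowerCLI version.

```powershell
# Added example (not the blog author's script): audit every physical uplink on a
# VDS against the VLANs its port groups actually define, using the per-PNIC
# network hints. Requires VMware PowerCLI and an existing Connect-VIServer session.
param(
    [Parameter(Mandatory = $true)][string]$VDSwitch
)

$vds = Get-VDSwitch -Name $VDSwitch -ErrorAction Stop

# Build the set of VLANs legitimately expected on this switch from its port groups.
# Uplink port groups are skipped: they trunk everything, so they would make every
# VLAN look valid. Assumption: DefaultPortConfig.Vlan is either a VlanIdSpec
# (single access VLAN) or a TrunkVlanSpec (array of NumericRange with Start/End).
$validVlans = New-Object 'System.Collections.Generic.HashSet[int]'
foreach ($pg in (Get-VDPortgroup -VDSwitch $vds)) {
    if ($pg.ExtensionData.Config.Uplink) { continue }
    $vlanSpec = $pg.ExtensionData.Config.DefaultPortConfig.Vlan
    if ($vlanSpec -is [VMware.Vim.VmwareDistributedVirtualSwitchTrunkVlanSpec]) {
        foreach ($range in $vlanSpec.VlanId) {
            $range.Start..$range.End | ForEach-Object { [void]$validVlans.Add([int]$_) }
        }
    } elseif ($vlanSpec -is [VMware.Vim.VmwareDistributedVirtualSwitchVlanIdSpec]) {
        [void]$validVlans.Add([int]$vlanSpec.VlanId)
    }
    # Private VLAN port groups (PvlanSpec) are ignored in this example.
}
$validList = ($validVlans | Sort-Object) -join ','

$report = foreach ($esx in (Get-VMHost -DistributedSwitch $vds)) {
    # QueryNetworkHint lives on the host's NetworkSystem managed object.
    $netSys = Get-View -Id $esx.ExtensionData.ConfigManager.NetworkSystem
    foreach ($pnic in (Get-VMHostNetworkAdapter -VMHost $esx -DistributedSwitch $vds -Physical)) {
        $hint = @($netSys.QueryNetworkHint(@($pnic.Name)))[0]

        # Hints carry VLAN IDs from both the IP-subnet and network-name observations.
        # VLAN 0 means untagged traffic, not a real VLAN, so it is ignored here.
        $seen = @((@($hint.Subnet | ForEach-Object { $_.VlanId }) +
                   @($hint.Network | ForEach-Object { $_.VlanId })) |
                  Where-Object { $null -ne $_ -and $_ -ne 0 } |
                  ForEach-Object { [int]$_ } | Sort-Object -Unique)
        $bad = @($seen | Where-Object { -not $validVlans.Contains($_) })

        if ($seen.Count -eq 0) {
            Write-Host ("{0} {1}: no VLAN traffic observed" -f $esx.Name, $pnic.Name) -ForegroundColor Yellow
        } elseif ($bad.Count -gt 0) {
            Write-Host ("{0} {1}: unexpected VLAN(s) {2}" -f $esx.Name, $pnic.Name, ($bad -join ',')) -ForegroundColor Red
        }

        # One report row per PNIC; emitted after the loop as a table.
        [pscustomobject]@{
            VMHost          = $esx.Name
            VDSwitch        = $vds.Name
            PNIC            = $pnic.Name
            ValidVLANs      = $validList
            ObservedVLANs   = ($seen -join ',')
            UnexpectedVLANs = ($bad -join ',')
            NoTraffic       = ($seen.Count -eq 0)
        }
    }
}

$report | Format-Table -AutoSize
```

Two caveats when reading the output.  The network hints are built from traffic the host has recently observed on each uplink, so a VLAN that is valid but quiet during the scan will not appear, and a yellow "no traffic" link may simply be idle rather than miscabled; run the scan during normal working hours and treat it as a screening pass, not a verdict.  For any red or yellow result, confirm against the physical side: the same hint object exposes the CDP (`ConnectedSwitchPort`) and LLDP (`LldpInfo`) neighbour data when the upstream switch advertises it, which tells you which switch port the uplink is really plugged into.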

As always, this script is posted as is with no guarantees.  The fact that it worked for me in my situation does not guarantee that it'll work for you in yours.  Make sure that you fully understand and test any script that you find on the internet before running it in your own environment.

