vmware-archive / powernsx

PowerShell module that abstracts the VMware NSX-v API to a set of easily used PowerShell functions

Convert a Global Security Group to Universal Security Group #621

Closed guptatarun1989 closed 4 years ago

guptatarun1989 commented 4 years ago

Hi team, I need your expert advice on how I should deal with converting a Global security group to a Universal security group. I am in the process of converting Service Composer rules to universal rules applied to Logical Switches.

Below are the points to consider first, where I am stuck in writing the PowerShell script:

  1. A global security group can have another global security group inside it, and so on, until the last security group has either static members or dynamic membership only, or is empty.
  2. There may be some security groups which only have an IP set that needs to be converted.
  3. There may be empty security groups as well.
  4. Some of them have only dynamic exclusion, no static members.

Problem:

  1. If I am right, I have to create a recursive function which calls itself, identifies the security group and its members, and takes action based on that. But I have no idea how to write that...

  2. I have been able to write a function which can handle point no. 2. Please see the detailed PowerShell script I have written, which addresses converting a Global security group that has only an IP set to a Universal security group by using Get-NsxSecurityGroupEffectiveIpAddress. VRA Main-v2.zip

I am pasting half of my code since I am not able to write further and need to figure out how I convert a Global security group which can have nested security groups to a Universal security group. Keep in mind that each member in each nested security group can already be there in the universal root and has to be looked up every time before we convert.

```powershell
# Sources are Global security groups from Service Composer rules
foreach ($eachsource in $source) {
    $Ip = $eachsource.value   # object id of the Global security group
    $global:initialsecurityGroup = @(Get-NsxSecurityGroup -UniversalOnly)
    $securitysource = Get-NsxSecurityGroup -objectId $Ip
    $FinalIPset = @()

    if (($securitysource.Member.count -eq 0) -and ($securitysource.dynamicMemberDefinition.dynamicSet.dynamicCriteria.value.count -eq 0)) {
        Write-Host 1 -ForegroundColor Green
        $counter = 0
        $securitygroupfound = 0   # initialised before the loop so an empty universal list still triggers creation
        :loopBreaker foreach ($name in $global:initialsecurityGroup.name) {
            if ($name -eq $securitysource.name) {
                $objectid = $global:initialsecurityGroup[$counter].objectId
                $securitygroupid = @(Get-NsxSecurityGroup -objectId $objectid)
                Write-Host "Security Group found $($securitysource.name)" -ForegroundColor Green
                $FinalIPset += $securitygroupid
                $securitygroupfound = 1
                if ($inputsection -eq "sourcesection") { $Global:finalSourceIPset += $FinalIPset }
                elseif ($inputsection -eq "destinationsection") { $Global:finalDestinationIPset += $FinalIPset }
                break loopBreaker
            }
            $counter = $counter + 1
        }
        if ($securitygroupfound -eq 0) {
            $securitygroupid = @(New-NsxSecurityGroup -Name $securitysource.name -Universal)
            Write-Host "Creating Universal security Group $($securitysource.name)" -ForegroundColor Green
            $global:initialsecurityGroup += $securitygroupid
            $FinalIPset += $securitygroupid
            if ($inputsection -eq "sourcesection") { $Global:finalSourceIPset += $FinalIPset }
            elseif ($inputsection -eq "destinationsection") { $Global:finalDestinationIPset += $FinalIPset }
        }
    }
    elseif (($securitysource.Member.count -ne 0) -and ($securitysource.dynamicMemberDefinition.dynamicSet.dynamicCriteria.value.count -eq 0)) {
        # Need to write code here: static members only
    }
    elseif (($securitysource.Member.count -eq 0) -and ($securitysource.dynamicMemberDefinition.dynamicSet.dynamicCriteria.value.count -ne 0)) {
        # Need to write code here: dynamic membership only
    }
    elseif (($securitysource.Member.count -ne 0) -and ($securitysource.dynamicMemberDefinition.dynamicSet.dynamicCriteria.value.count -ne 0)) {
        # Need to write code here: static and dynamic members
    }
}
```
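As an added example (not code from the issue or from PowerNSX itself), one shape for the recursive function asked about in problem 1: it walks nested SecurityGroup members depth-first, reuses a universal group of the same name where one already exists, and tracks visited object ids so a group nested under several parents is converted only once. It assumes a connected PowerNSX session, that Add-NsxSecurityGroupMember accepts a universal group and a universal member object, and leaves IP set and dynamic-membership handling as warnings for the caller.

```powershell
# Added example, not part of the original issue or of PowerNSX.
# Assumes Connect-NsxServer has already been run.
function Convert-NestedSecurityGroup {
    param(
        [Parameter(Mandatory)] $GlobalGroup,   # object returned by Get-NsxSecurityGroup
        [hashtable] $Visited = @{}             # objectId -> universal group; guards cycles and duplicates
    )
    # A group already converted (or currently being converted) is returned as-is.
    if ($Visited.ContainsKey($GlobalGroup.objectId)) { return $Visited[$GlobalGroup.objectId] }

    # Look the group up in the universal root by name before creating it.
    $universal = Get-NsxSecurityGroup -UniversalOnly | Where-Object { $_.name -eq $GlobalGroup.name }
    if (-not $universal) {
        Write-Host "Creating universal security group $($GlobalGroup.name)" -ForegroundColor Green
        $universal = New-NsxSecurityGroup -Name $GlobalGroup.name -Universal
    }
    $Visited[$GlobalGroup.objectId] = $universal

    # Empty groups (case 3) and dynamic-only groups (case 4) have no static members to walk.
    foreach ($member in @($GlobalGroup.member)) {
        switch ($member.objectTypeName) {
            'SecurityGroup' {
                $child = Get-NsxSecurityGroup -objectId $member.objectId
                $childUniversal = Convert-NestedSecurityGroup -GlobalGroup $child -Visited $Visited
                # Re-read the universal group so the membership check sees earlier additions.
                $universal = Get-NsxSecurityGroup -objectId $universal.objectId
                if (@($universal.member.objectId) -notcontains $childUniversal.objectId) {
                    Add-NsxSecurityGroupMember -SecurityGroup $universal -Member $childUniversal
                }
            }
            default {
                # IPSet and other member types (case 2) are handled by the caller's existing logic.
                Write-Warning "$($GlobalGroup.name): member '$($member.name)' of type $($member.objectTypeName) needs separate handling"
            }
        }
    }
    if ($GlobalGroup.dynamicMemberDefinition) {
        Write-Warning "$($GlobalGroup.name): dynamic membership or exclusion must be recreated on the universal group"
    }
    return $universal
}

# Usage: convert one Service Composer source group and keep the map for the next rule.
# $visited = @{}
# $universalSource = Convert-NestedSecurityGroup -GlobalGroup (Get-NsxSecurityGroup -objectId $Ip) -Visited $visited
```

Passing the same `$Visited` hashtable across all rules in a run is what keeps a shared nested group from being created or re-added more than once.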