I recently had a customer who needed to create several hundred segments in NSX-T, each with non-default MAC Discovery and Segment Security profiles. Obviously we weren't going to do this by hand, so we needed a way to script it.
I did come across this post on GitHub by Zsoldier, which worked a treat as long as you have PowerShell 6 or later, because it relies on the newer version of the native Invoke-RestMethod cmdlet.
In my case, however, only Windows PowerShell 5.1 was available, so rather than relying on Invoke-RestMethod I wanted to write the script using only cmdlets from the vmware.sdk.nsx.policy PowerShell module (delivered as part of PowerCLI 12.6 and later).
The main problem I ran into was the lack of documentation for the cmdlets in the new vmware.sdk.nsx.policy module, beyond the Navigating NSX Module in PowerCLI 12.6 blog post from VMware.
I used the tips in that post to find the right cmdlets with Get-Command -Module vmware.sdk.nsx.policy, and discovered by trial and error that the sequence of steps you need to follow is:
- Initialize the segment subnet. This creates a subnet object that can be added to the segment settings.
- Initialize the segment. This creates the segment settings object.
- Create the segment. This sends the segment object to NSX-T.
- Initialize a MAC Discovery profile binding map. This creates a binding map object that references the MAC Discovery (or IP Discovery) profile you want to associate with the segment.
- Patch the segment DiscoveryBinding. This associates the binding map from the previous step with the segment you just created.
- Initialize a Segment Security profile binding map. This creates a binding map object that references the segment security profile.
- Patch the segment SecurityProfileBinding. This final step associates the security profile binding map with the segment.
For my example, I used a CSV file formatted as follows (the script only reads Segment_Name, Gateway_CIDR, Mac_profile and Security_Profile; Gateway and Mask are there for readability):
Segment_Name,Gateway,Mask,Gateway_CIDR,Mac_profile,Security_Profile
IsolatedNet-01,169.254.100.1,/27,169.254.100.1/27,custom-mac-discovery-profile,custom-security-profile
IsolatedNet-02,192.168.84.1,/27,192.168.84.1/27,custom-mac-discovery-profile,custom-security-profile
For my customer, all the overlay networks were isolated networks with no attached Tier-1 gateway. If you are creating segments that need to route, add a column with the Tier-1 gateway for each segment and pass its policy path (/infra/tier-1s/<tier1-id>) as the segment's connectivity path (the ConnectivityPath field of the Segment object) when you initialize the segment.
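Before pointing the script at a manager, it is worth validating the CSV: with several hundred rows, a bad one does not fail loudly, it just produces a segment with no subnet or no profile binding. The following is an added example and not part of the original post. It is a Windows PowerShell 5.1 function (the name Test-SegmentCsv and the optional Tier1_Gateway column are my own choices) that checks the columns the script relies on, rejects duplicate segment names (the script uses the name as the policy object ID, so it must be unique), checks that Gateway_CIDR is an IPv4 address with a host prefix and agrees with the Gateway and Mask columns, and, if a Tier1_Gateway column is present, that it is populated. It needs no NSX cmdlets, so it runs offline; the sample rows are constructed and deliberately include bad ones.

```powershell
# Added example (not from the original post): validate the segments CSV before
# running the creation script. The rows below are constructed test data; the last
# one has a duplicate name, a CIDR that disagrees with Mask, and no MAC profile.
$sampleCsv = @'
Segment_Name,Gateway,Mask,Gateway_CIDR,Mac_profile,Security_Profile
IsolatedNet-01,169.254.100.1,/27,169.254.100.1/27,custom-mac-discovery-profile,custom-security-profile
IsolatedNet-02,192.168.84.1,/27,192.168.84.1/27,custom-mac-discovery-profile,custom-security-profile
IsolatedNet-02,192.168.84.33,/27,192.168.84.33/28,,custom-security-profile
'@

function Test-SegmentCsv {
    # Returns a list of problems; an empty list means the CSV is safe to feed to the script.
    param([Parameter(Mandatory)][object[]]$Rows)

    $required = 'Segment_Name', 'Gateway', 'Mask', 'Gateway_CIDR', 'Mac_profile', 'Security_Profile'
    $errors = New-Object System.Collections.Generic.List[string]

    # A missing column silently yields $null in the creation loop, so check the header first.
    $columns = $Rows[0].PSObject.Properties.Name
    foreach ($c in $required) {
        if ($columns -notcontains $c) { $errors.Add("Missing column '$c'") }
    }
    if ($errors.Count) { return $errors }

    $seen = @{}
    $hasTier1 = $columns -contains 'Tier1_Gateway'   # optional column for routed segments (my assumption)
    foreach ($r in $Rows) {
        $name = $r.Segment_Name
        if ([string]::IsNullOrWhiteSpace($name)) { $errors.Add("Row with empty Segment_Name"); continue }
        # Segment_Name doubles as the policy ID in the script, so duplicates would overwrite each other.
        if ($seen.ContainsKey($name)) { $errors.Add("${name}: duplicate Segment_Name") }
        $seen[$name] = $true

        # Gateway_CIDR must be <IPv4>/<prefix>; TryParse rejects octets the regex lets through (e.g. 999).
        $ip = $null
        if ($r.Gateway_CIDR -notmatch '^(?<ip>\d{1,3}(\.\d{1,3}){3})/(?<len>\d{1,2})$' -or
            -not [System.Net.IPAddress]::TryParse($Matches.ip, [ref]$ip) -or
            [int]$Matches.len -lt 1 -or [int]$Matches.len -gt 30) {
            $errors.Add("${name}: Gateway_CIDR '$($r.Gateway_CIDR)' is not a usable IPv4 gateway/prefix")
        }
        elseif ($Matches.ip -ne $r.Gateway -or "/$($Matches.len)" -ne $r.Mask) {
            $errors.Add("${name}: Gateway_CIDR '$($r.Gateway_CIDR)' disagrees with Gateway '$($r.Gateway)' / Mask '$($r.Mask)'")
        }

        # Both profile columns must name a profile, otherwise the binding-map steps have nothing to bind.
        foreach ($col in 'Mac_profile', 'Security_Profile') {
            if ([string]::IsNullOrWhiteSpace($r.$col)) { $errors.Add("${name}: $col is empty") }
        }
        if ($hasTier1 -and [string]::IsNullOrWhiteSpace($r.Tier1_Gateway)) {
            $errors.Add("${name}: Tier1_Gateway column is present but empty")
        }
    }
    return $errors
}

$rows = $sampleCsv | ConvertFrom-Csv
$problems = Test-SegmentCsv -Rows $rows
if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "CSV validation failed with $($problems.Count) problem(s); nothing was sent to NSX."
}
Write-Host "CSV validated: $($rows.Count) segment rows OK."
```

To use it against a real file, replace the `ConvertFrom-Csv` line with `Import-Csv $csvFileIsolated` and run the check before `Connect-NsxServer`, so that nothing is sent to the manager until the whole input is known to be good.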
Here is the script. The path to the CSV and the policy path of the overlay transport zone are set at the top; because the policy API calls are PATCHes, re-running the script against segments that already exist updates them rather than failing. Connect-NsxServer validates the manager's TLS certificate, so if your lab manager uses a self-signed certificate, trust it (or use the cmdlet's -SkipCertificateCheck switch in a lab only) rather than sending credentials to an unverified endpoint.
$nsxtServer = "<NSX Server IP or FQDN>"
$csvFileIsolated = "<path to the segments CSV>"
# Policy path of the overlay transport zone the segments are created in, in the form
# /infra/sites/default/enforcement-points/default/transport-zones/<tz-id>
$overlayTzPath = "<overlay transport zone policy path>"
$cred = Get-Credential
Connect-NsxServer -Server $nsxtServer -Credential $cred

# The CSV refers to the profiles by display name, but the binding maps need the profiles'
# policy paths, so fetch them once and index them by display name. (The list cmdlet names
# follow the module's operation-ID convention; confirm them with
# Get-Command -Module vmware.sdk.nsx.policy -Name *Profile*.)
$macProfiles = @{}
(Invoke-ListMacDiscoveryProfiles).Results | ForEach-Object { $macProfiles[$_.DisplayName] = $_ }
$secProfiles = @{}
(Invoke-ListSegmentSecurityProfiles).Results | ForEach-Object { $secProfiles[$_.DisplayName] = $_ }

Import-Csv $csvFileIsolated | ForEach-Object {
    # Setting variables
    $isolatedSegmentName = $_.Segment_Name
    $isolatedSegmentGatewayCidr = $_.Gateway_CIDR
    $macProfileName = $_.Mac_profile
    $secProfileName = $_.Security_Profile
    $macProfile = if ($macProfileName) { $macProfiles[$macProfileName] }
    $secProfile = if ($secProfileName) { $secProfiles[$secProfileName] }
    if (-not $macProfile -or -not $secProfile) {
        Write-Warning "Skipping ${isolatedSegmentName}: profile '$macProfileName' or '$secProfileName' was not found in NSX"
        return   # inside ForEach-Object, return moves on to the next CSV row
    }
    # Initializing segment objects
    $isolatedSubnet = Initialize-SegmentSubnet -GatewayAddress $isolatedSegmentGatewayCidr
    $isolatedSegment = Initialize-Segment -DisplayName $isolatedSegmentName -TransportZonePath $overlayTzPath -Subnets $isolatedSubnet
    # Creating the segment in NSX-T (PATCH creates the segment, or updates it if the ID already exists)
    Invoke-PatchInfraSegment -Segment $isolatedSegment -SegmentId $isolatedSegmentName
    # Initializing the MAC Discovery profile binding map
    $macProfileBinding = Initialize-SegmentDiscoveryProfileBindingMap -DisplayName ($macProfile.DisplayName + "-binding-map") -MacDiscoveryProfilePath $macProfile.Path -Id ($macProfile.DisplayName + "-binding-map")
    # Patch the segment DiscoveryBinding to associate the initialized MAC Discovery binding map
    Invoke-PatchInfraSegmentDiscoveryBinding -InfraSegmentId $isolatedSegmentName -SegmentDiscoveryProfileBindingMapId $macProfileBinding.Id -SegmentDiscoveryProfileBindingMap $macProfileBinding
    # Initialize the Security Profile binding map
    $secProfileBinding = Initialize-SegmentSecurityProfileBindingMap -DisplayName ($secProfile.DisplayName + "-binding-map") -SegmentSecurityProfilePath $secProfile.Path -Id ($secProfile.DisplayName + "-binding-map")
    # Patch the segment SecurityProfileBinding to associate the initialized security profile binding map
    Invoke-PatchInfraSegmentSecurityProfileBinding -SegmentId $isolatedSegmentName -SegmentSecurityProfileBindingMapId $secProfileBinding.Id -SegmentSecurityProfileBindingMap $secProfileBinding
    Write-Host "Created segment $isolatedSegmentName and mapped the $($secProfile.DisplayName) and $($macProfile.DisplayName) profiles to the segment."
}
Disconnect-NsxServer -Server $nsxtServer
I hope you find this useful.