VMware: Automating virtual Standard Switch configuration using PowerCLI

After virtual Standard Switch Management with PowerCLI let's have a step further by creating a script to automate vSS configuration.
This script is intended for vSS configuration in a real-world scenario after a brand new install of ESXi in which we have the default single vSwitch0 with "Management Network" VMKernel and "VM Network" portgroup.

Script's goal is to automatically configure vSwitch0 and deploy an additional vSwitch1 for iSCSI traffic according to the following logical design:

Networking specifications are:

Six (6) physical NICs per host (vmnic0 through vmnic5).
Two (2) vSwitches one for Management + vMotion + VM Traffic, one for iSCSI Traffic.
One (1) vmnic dedicated for management, one (1) vmnic dedicated for vMotion, two (2) vmnics for VM Traffic using "Route based on the originating virtual port ID" load balancing. Two (2) vmnics dedicated for iSCSI Traffic with PortBinding enabled. VM Network portgroup has "MAC address changes" and "Forged transmits" set to reject according to VMware best practices.

Let's now delve into script, I've committed it also on my PowerCLI GitHub Repository.
First part of the script is where variables are declared, change them accordingly to your environment and desired configurations. Save is with ".ps1" format and run it.

 ################################  
 #                              #  
 # vSS Management with PowerCLI #  
 #                              #  
 ################################  
 $virtualswitch = "vSwitch0" #vSwitch  
 $virtualswitchiscsi = "vSwitch1" #vSwitch for iSCSI  
 $esxihostip = "192.168.116.60" #ESXi host IP Address  
 $vmotionip = "192.168.170.61" #vMotion VMkernel IP Address  
 $subnetmask = "255.255.255.0" #VMKernel subnet mask  
 $mtu = "9000" #MTU Size (Jumbo Frames for iSCSI VMKernels)  
 $vmnic = @("vmnic0","vmnic1","vmnic2","vmnic3","vmnic4","vmnic5") #Array of ESXi host's vmnics  
 $iscsi_ip = @("10.10.10.1","10.10.10.2") #IP Address to assign to iSCSI VMKernels  
 $iscsitargetip = "10.10.10.3" #iSCSI Target IP Address  
 #Get VMHost  
 $vmhost = Get-VMHost -Name $esxihostip  
 #Get ESXCLI  
 $esxcli = Get-EsxCli  
 #Add vmnic1,vmnic2,vmnic3 to vSwitch0  
 Get-VirtualSwitch -VMHost $vmhost -Name $virtualswitch | Add-VirtualSwitchPhysicalNetworkAdapter -VMHostPhysicalNic (Get-VMHostNetworkAdapter -Physical -Name $vmnic[1],$vmnic[2],$vmnic[3]) -Confirm:$false  
 #Management Network: active vmnic0, standby vmnic1, unused vmnic2 vmnic3  
 Get-VirtualPortGroup -VMHost $vmhost -Name "Management Network" | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive $vmnic[0] -MakeNicStandby $vmnic[1] -MakeNicUnused $vmnic[2],$vmnic[3]  
 #Create vMotion VMKernel  
 New-VMHostNetworkAdapter -VMHost $vmhost -PortGroup vMotion -VirtualSwitch $virtualswitch -IP $vmotionip -SubnetMask $subnetmask -VMotionEnabled:$true  
 #vMotion VMKernel: active vmnic1, standby vmnic0, unused vmnic2 vmnic3  
 Get-VirtualPortGroup -VMHost $vmhost -Name vMotion | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive $vmnic[1] -MakeNicStandby $vmnic[0] -MakeNicUnused $vmnic[2],$vmnic[3]  
 #Reject MAC Address Changes and Forged Transmits on VM Portgroup  
 #EsxCLI command synthax: network vswitch standard portgroup policy security set --allow-forged-transmits --allow-mac-change --allow-promiscuous --portgroup-name --use-vswitch  
 $esxcli.network.vswitch.standard.portgroup.policy.security.set($false, $false, $false, "VM Network", $false)  
 #Create ISCSI vSwitch  
 New-VirtualSwitch -VMHost $vmhost -Name $virtualswitchiscsi -Nic $vmnic[4],$vmnic[5] -Mtu $mtu  
 #Create ISCSI VMKernel  
 New-VMHostNetworkAdapter -VMHost $vmhost -PortGroup ISCSI-1 -VirtualSwitch $virtualswitchiscsi -IP $iscsi_ip[0] -SubnetMask $subnetmask -Mtu $mtu  
 New-VMHostNetworkAdapter -VMHost $vmhost -PortGroup ISCSI-2 -VirtualSwitch $virtualswitchiscsi -IP $iscsi_ip[1] -SubnetMask $subnetmask -Mtu $mtu  
 #Set ISCSI VMKernel  
 Get-VirtualPortGroup -VMHost $vmhost -Name ISCSI-1 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive $vmnic[4] -MakeNicUnused $vmnic[5]  
 Get-VirtualPortGroup -VMHost $vmhost -Name ISCSI-2 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive $vmnic[5] -MakeNicUnused $vmnic[4]  
 #Add iSCSI Software Adapter  
 Get-VMHostStorage -VMHost $vmhost | Set-VMHostStorage -SoftwareIScsiEnabled:$true  
 #ISCSI PortBinding  
 $portname = Get-VMHostNetworkAdapter | where {$_.PortGroupName -match "ISCSI-*"} | %{$_.DeviceName}  
 $vmhba = Get-VMHostHba -VMHost $vmhost -Type iscsi | %{$_.Device}  
 $esxcli.iscsi.networkportal.add($vmhba, $false, $portname[0]) #Bind vmk2  
 $esxcli.iscsi.networkportal.add($vmhba, $false, $portname[1]) #Bind vmk3  
 #ISCSI Target Dynamic Discovery  
 New-IScsiHbaTarget -IScsiHba $vmhba -Address $iscsitargetip  
 #Rescan VMFS & HBAs  
 $vmhost | Get-VMHostStorage -RescanVmfs -RescanAllHba  

As expected this will be the result:

As usual code is commented, but let me spend a few words on some particular cmdlets:

 $esxcli.network.vswitch.standard.portgroup.policy.security.set($false, $false, $false, "VM Network", $false)  

is an esxcli command to change security policies on port groups (MAC Address changes, Forged Transmits and Promiscuous Mode) since PowerCLI does allow editing these features only for virtual distributed switches (vDS) and/or vDS port groups via Set-VDSecurityPolicy cmdlet.

 $esxcli.iscsi.networkportal.add($vmhba, $false, $portname[0])  

is another esxcli command for iSCSI port binding.

 New-IScsiHbaTarget -IScsiHba $vmhba -Address $iscsitargetip  

is the cmdlet to provide dynamic iSCSI target discovery.

While...

 Get-VMHostStorage -RescanVmfs -RescanAllHba  

perform a rescan of HBAs and VMFS datastores.

That's all!!