Powershell: VMware NSX duplicate VTEP addresses

Roughly a half year ago we came across a situation in which an VMware NSX environment was having problems consistingly applying routing and firewall rules. After some troubleshooting it appeared to be a problem with duplicate VTEP (VXLAN Tunnel Enpoint) addresses on the vSphere hosts. We fixed the problem, but we wanted to have some sort of periodic check to alert us, should this occur again.

As with most of these things this periodic check was put on the backlog, and only recently we got around to finding a solution. We choose to use a Powershell script that we would run as a scheduled job at the start of every day. At first we had a look at PowerNSX, since this module already offers a great deal of functions. Unfortunately we did not find a function within PowerNSX that could retreive VTEP addresses.

However PowerNSX did give us the insight in how we could connect with NSX using Powershell. Basically it uses the NSX API, meaning we could also retreive any content unlocked by the API. Knowing this we first use a request to retreive the available IP pools and select the pool in question. With that pool selected we do another request to get all the IP addresses that are in use. And finally we created a loop that would check if any of the addresses had a duplicate.

Powershell script

$NSXUser = “NSXapi_readonly_user” $NSXPassword = cat D:\NSXapi_readonly_password.txt | convertto-securestring $Cred = new-object System.Management.Automation.PSCredential($NSXUser, $NSXpassword)

$NSXManagers = “Hostname_NSXmanager1”, “Hostname_NSXmanager2”

foreach ($NSXManager in $NSXManagers) {

### Create authorization string and store in $head
$auth = \[System.Convert\]::ToBase64String(\[System.Text.Encoding\]::ASCII.GetBytes("$($cred.GetNetworkCredential().username):$($cred.GetNetworkCredential().password)"))
$head = @{"Authorization"="Basic $auth"}

### Connect to NSX Manager via API and request list of IP pools
$Request = "https://$NSXManager/api/2.0/services/ipam/pools/scope/globalroot-0"
$r = Invoke-WebRequest -Uri $Request -Headers $head -ContentType "application/xml" -ErrorAction:Stop
if ($r.StatusCode -eq "200") {Write-Host -BackgroundColor:Black -ForegroundColor:Green Status: Connected to $NSXManager successfully.}
\[ xml\]$rxml = $r.Content

### Read IP pools and return Pool ID matching VTEP pool
Foreach ($pool in $rxml.ipamAddressPools.ipamAddressPool)
	if ($pool.name -eq "VTEP IP Pool") {Write-Host VTEP pool found in $NSXmanager
					    $VTEPpool = $pool.objectId}

### Connect to NSX Manager via API and request ipaddresses in previously obtained VTEP pool
$Request = "https://$NSXManager/api/2.0/services/ipam/pools/$VTEPpool/ipaddresses"
$r = Invoke-WebRequest -Uri $Request -Headers $head -ContentType "application/xml" -ErrorAction:Stop
if ($r.StatusCode -eq "200") {Write-Host -BackgroundColor:Black -ForegroundColor:Green Status: Connected to $NSXManager successfully.}
\[ xml\]$rxml = $r.Content

### Read the allocated IP addresses and check for duplicates
$list = @()
$duplicate = 0
Foreach ($IPs in $rxml.allocatedIpAddresses.allocatedIpAddress)
	Foreach ($check in $list){
		if ($check -eq $IPs.ipAddress) {$duplicate = 1}
	if ($duplicate -eq 0){
		Write-Host -BackgroundColor:Black -ForegroundColor:Yellow Unique IP: $IPs.ipAddress
	} else {
		Write-Host -BackgroundColor:Black -ForegroundColor:Red Duplicate IP: $IPs.ipAddress
		$duplicate = 0
$list += $IPs.ipAddress}
} # End for each NSXManager

The script only contains the part used to retreive the IP addresses and check on duplicates. Besides the write-host lines there was also a function for sending an text message to phones. But you could script any type of alert you would like for your own environment.

Hopefully this article can give you some ideas on how to use Powershell and the NSX API. I think the options are legion :)