About the port group upgrade in IU's Intelligent Infrastructure environment

During the first quarter of 2020, as a follow-up to the Intelligent Infrastructure stretched cluster project, the UITS Storage and Virtualization (SAV) team will enable additional security enhancements to the distributed port groups to align with current VMware best practices.

The specific change depends on the original port group configuration; in most cases it means disabling three port group security policy options: MAC Address Changes (the guest may change its effective MAC address), Forged Transmits (the guest may send frames whose source MAC differs from its effective address), and Promiscuous Mode (the vNIC may receive all traffic on the port group, not only frames addressed to it). With all three rejected, a compromised guest can no longer impersonate another VM's MAC address or observe its neighbors' traffic. Historically these options were required by certain older load balancers and clustered workloads; most modern load balancers and clustered workloads do not need them.

To minimize potential operational impact of the change:

  • On December 30, 2019, the SAV team created new port groups that use the new settings and marked pre-existing port groups whose settings don't meet the updated standard by appending -Legacy to their names. For example, an existing port group named DPortGroup-VLAN-123 was renamed DPortGroup-VLAN-123-Legacy (with all of its settings unchanged), and a new DPortGroup-VLAN-123 port group was created with the hardened security settings.
  • Targeted email notifications were sent to the owners of VMs on the deprecated port groups, with directions for migrating their port groups themselves during their scheduled maintenance windows.
  • For VM admins with many VMs, the SAV team has published a self-service PowerShell script that identifies and updates VM network adapter port groups in bulk. The script first writes a CSV file listing the VM network adapters that still need a port group update; the VM admin edits the CSV to control which adapters are changed, and the script then updates the indicated adapters programmatically rather than requiring each change to be made by hand in the GUI.

    Download the bulk update PowerShell script from GitHub:IU (log in with your IU username and passphrase).

    Note:
    To run the script, your workstation must be connected to the IU network, and have the VMware.VimAutomation.Core PowerCLI module and the PowervRA PowerShell module installed.

Before March 1, 2020, organizations should update each NIC on any of their VMs that are attached to a legacy port group:

  1. To check whether your organization has any VMs attached to a legacy port group, log into vRealize Automation (vRA) and request a VM information report. This creates a CSV file containing all the VMs belonging to your organization. Check the "VLANs" column for any port groups marked with -Legacy.
  2. For any VMs attached to a legacy port group, use the Change NIC (Add, Change, Remove) action in vRA (see Interact with a VM in the Intelligent Infrastructure (II) self-service portal) to update each NIC to the corresponding new port group. For example, if your VM is using DPortGroup-VLAN-9999-Legacy, switch it to DPortGroup-VLAN-9999. This change can be made while the VM is powered on.
    Note:
    • SAV recommends that you test the migration with pre-production systems first, and then perform the modifications during a scheduled maintenance window.
    • A small percentage of workloads (particularly some load balancers) may require non-standard port group configurations to function as expected. If you encounter issues after migrating to a new port group, use the Change NIC (Add, Change, Remove) action to reconfigure the NIC(s) back to the legacy port group to restore functionality, and then email the SAV team at sav-request@iu.edu with the VM name, the service(s) running on the VM, a description of the issues you are experiencing, and the name of the VLAN that requires the exception. SAV will work with you to create a purpose-built exception port group for your workload.
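For admins who would rather audit and migrate from PowerCLI than click through vRA one NIC at a time, the following script works through the same procedure: it lists the -Legacy port groups with the three security settings described above, writes a CSV of every VM network adapter still attached to one, and on a second run applies the edited CSV. This is an added example written for this article; it is not the SAV team's published bulk update script, and unlike that script it does not use PowervRA to scope the VM list to your organization (it sees whatever your vCenter permissions expose). The vCenter name and CSV path are hypothetical placeholders.

```powershell
<#
  Added example, not the SAV team's published script. Assumes PowerCLI
  (VMware.VimAutomation.Core) and a vCenter you can already log into;
  the server name and CSV path below are hypothetical placeholders.
  Run once without -Apply to audit and write the CSV, edit the Migrate
  column, then rerun with -Apply during the maintenance window.
#>
param(
    [string]$VIServer = 'vcenter.example.edu',  # hypothetical placeholder
    [string]$Csv      = '.\legacy-nics.csv',    # hypothetical placeholder
    [switch]$Apply
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VIServer -ErrorAction Stop | Out-Null

if (-not $Apply) {
    # 1. Audit the -Legacy port groups: show the three security policy settings
    #    the hardened standard rejects, and whether the replacement exists.
    Get-VDPortgroup | Where-Object { $_.Name -like '*-Legacy' } | ForEach-Object {
        $sec    = Get-VDSecurityPolicy -VDPortgroup $_
        $target = Get-VDPortgroup -Name ($_.Name -replace '-Legacy$', '') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LegacyPortGroup  = $_.Name
            Replacement      = if ($target) { $target.Name } else { 'MISSING' }
            AllowPromiscuous = $sec.AllowPromiscuous
            ForgedTransmits  = $sec.ForgedTransmits
            MacChanges       = $sec.MacChanges
        }
    } | Format-Table -AutoSize

    # 2. List every VM network adapter still on a legacy port group and write
    #    it to a CSV the admin can edit before anything is changed.
    $rows = Get-VM | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -like '*-Legacy' } |
        ForEach-Object {
            [pscustomobject]@{
                VM      = $_.Parent.Name
                Adapter = $_.Name
                Current = $_.NetworkName
                Target  = $_.NetworkName -replace '-Legacy$', ''
                Migrate = 'yes'   # set to 'no' to hold a NIC back (e.g. a load balancer needing an exception)
            }
        }
    $rows | Export-Csv -Path $Csv -NoTypeInformation
    Write-Host "Wrote $(@($rows).Count) adapter(s) to $Csv. Review it, then rerun with -Apply."
}
else {
    # 3. Apply the edited CSV. Each row is re-checked against live state so a
    #    NIC that was already moved (or moved somewhere else) is left alone.
    foreach ($row in (Import-Csv -Path $Csv | Where-Object { $_.Migrate -eq 'yes' })) {
        $nic = Get-VM -Name $row.VM -ErrorAction SilentlyContinue |
               Get-NetworkAdapter -Name $row.Adapter -ErrorAction SilentlyContinue
        if (-not $nic) { Write-Warning "$($row.VM)/$($row.Adapter): adapter not found, skipping"; continue }
        if ($nic.NetworkName -ne $row.Current) {
            Write-Warning "$($row.VM)/$($row.Adapter): now on '$($nic.NetworkName)', not '$($row.Current)'; skipping"
            continue
        }
        $target = Get-VDPortgroup -Name $row.Target -ErrorAction SilentlyContinue
        if (-not $target) { Write-Warning "$($row.VM)/$($row.Adapter): target '$($row.Target)' not found, skipping"; continue }

        # Set-NetworkAdapter -Portgroup reconnects the vNIC to the new port group
        # with the VM powered on. Verify the result instead of trusting the call.
        $updated = Set-NetworkAdapter -NetworkAdapter $nic -Portgroup $target -Confirm:$false
        if ($updated.NetworkName -eq $row.Target) {
            Write-Host "$($row.VM)/$($row.Adapter): $($row.Current) -> $($row.Target)"
        } else {
            Write-Warning "$($row.VM)/$($row.Adapter): still on '$($updated.NetworkName)' after update"
        }
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The audit table is the check worth keeping after the migration too: any port group that still shows True for AllowPromiscuous, ForgedTransmits or MacChanges is one that does not meet the standard, whether or not its name ends in -Legacy. If a workload breaks after the move, set its row back to 'no' (or reverse the Current and Target columns and rerun with -Apply) and contact SAV for an exception port group as described above.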

At 12:01am on March 1, 2020, any VMs that have not been migrated off legacy port groups will be migrated automatically by the system. On March 4, 2020, all legacy port groups will be removed from the II environment.

This is document bdbp in the Knowledge Base.
Last modified on 2023-11-21 09:22:16.