Restrict port-level configuration overrides on port groups and disable health check on the distributed switches.

You perform the procedure for all the distributed switches and port groups in Region A. To perform the procedure, you first connect to the Management vCenter Server and then to the Compute vCenter Server.


  1. Log in to the Management vCenter Server by using a PowerCLI console.
    | Setting   | Value |
    |-----------|-------|
    | Command   | Connect-VIServer -Server sfo01m01vc01.sfo01.rainpole.local -Protocol https |
    | User name | administrator@vsphere.local |
    | Password  | vsphere_admin_password |
  2. NIST80053-VI-VC-CFG-00440 Restrict port-level configuration overrides on all existing port groups.
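    # Retrieve the API view of every distributed port group
    $pgs = Get-VDPortgroup | Get-View
    ForEach($pg in $pgs){
        $spec = New-Object VMware.Vim.DVPortgroupConfigSpec
        # The spec must carry the current config version of the port group
        $spec.configversion = $pg.Config.ConfigVersion
        $spec.Policy = New-Object VMware.Vim.VMwareDVSPortgroupPolicy
        $spec.Policy.VendorConfigOverrideAllowed = $False
        $spec.Policy.BlockOverrideAllowed = $False
        $spec.Policy.PortConfigResetAtDisconnect = $True
        # Apply the restricted policy to the port group
        $pg.ReconfigureDVPortgroup_Task($spec)
    }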
  3. NIST80053-VI-VC-CFG-00411 Disable the health check on all distributed switches.
    Get-View -ViewType DistributedVirtualSwitch | ?{($_.config.HealthCheckConfig | ?{$_.enable -notmatch "False"})}| %{$_.UpdateDVSHealthCheckConfig(@((New-Object Vmware.Vim.VMwareDVSVlanMtuHealthCheckConfig -property @{enable=0}),(New-Object Vmware.Vim.VMwareDVSTeamingHealthCheckConfig -property @{enable=0})))}
  4. Log in to the sfo01w01vc01.sfo01.rainpole.local Compute vCenter Server and repeat the procedure to reconfigure the virtual switches and port groups for the shared edge and compute cluster.
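
To confirm the result on each vCenter Server, the following added example (not part of the original procedure) reports any port group that still has one of the three policy flags from step 2 in the wrong state and any distributed switch that still has a health check enabled. The function names and the sample objects are assumptions made for illustration; the sample objects are constructed to mimic the `Get-View` property layout so the logic can be tried without a vCenter connection.

```powershell
# Added example: audit of the settings applied in steps 2 and 3.
# Function names are hypothetical; they are not PowerCLI cmdlets.
function Get-PortgroupOverrideFinding {
    param([Parameter(ValueFromPipeline)] $PortgroupView)
    process {
        $p = $PortgroupView.Config.Policy
        $bad = @()
        if ($p.VendorConfigOverrideAllowed)      { $bad += 'VendorConfigOverrideAllowed=True' }
        if ($p.BlockOverrideAllowed)             { $bad += 'BlockOverrideAllowed=True' }
        if (-not $p.PortConfigResetAtDisconnect) { $bad += 'PortConfigResetAtDisconnect=False' }
        if ($bad) {
            [pscustomobject]@{ Control = 'NIST80053-VI-VC-CFG-00440'
                               Name    = $PortgroupView.Name
                               Finding = $bad -join ', ' }
        }
    }
}

function Get-HealthCheckFinding {
    param([Parameter(ValueFromPipeline)] $SwitchView)
    process {
        # HealthCheckConfig holds one entry per check type (VLAN/MTU, teaming)
        $on = @($SwitchView.Config.HealthCheckConfig | Where-Object { $_.Enable })
        if ($on.Count -gt 0) {
            [pscustomobject]@{ Control = 'NIST80053-VI-VC-CFG-00411'
                               Name    = $SwitchView.Name
                               Finding = "$($on.Count) health check(s) still enabled" }
        }
    }
}

# Constructed sample data (not real inventory): one hardened and one non-compliant object of each kind.
function New-SamplePg($n, $vendor, $block, $reset) {
    [pscustomobject]@{ Name = $n; Config = [pscustomobject]@{ Policy = [pscustomobject]@{
        VendorConfigOverrideAllowed = $vendor; BlockOverrideAllowed = $block; PortConfigResetAtDisconnect = $reset } } }
}
function New-SampleVds($n, [bool[]]$checks) {
    [pscustomobject]@{ Name = $n; Config = [pscustomobject]@{
        HealthCheckConfig = @($checks | ForEach-Object { [pscustomobject]@{ Enable = $_ } }) } }
}
@( (New-SamplePg 'sample-pg-hardened' $false $false $true),
   (New-SamplePg 'sample-pg-open'     $false $true  $false) ) | Get-PortgroupOverrideFinding
@( (New-SampleVds 'sample-vds-ok'  @($false, $false)),
   (New-SampleVds 'sample-vds-hc'  @($true,  $false)) )      | Get-HealthCheckFinding

# Against a live connection (after Connect-VIServer):
#   Get-VDPortgroup | Get-View | Get-PortgroupOverrideFinding
#   Get-View -ViewType DistributedVirtualSwitch | Get-HealthCheckFinding
```

An empty result from both pipelines means every port group and distributed switch on that vCenter Server matches the settings in steps 2 and 3.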