vSphere Command-Line Interface Concepts and Examples 6.5

Setting Up IPsec
The VMware implementation of IPsec (ESXi supports IPsec for IPv6 traffic) adheres to the following RFCs.
- RFC 4301, Security Architecture for the Internet Protocol
- RFC 4303, IP Encapsulating Security Payload (ESP)
- RFC 4835, Cryptographic Algorithm Implementation Requirements for ESP
- RFC 2410, The NULL Encryption Algorithm and Its Use With IPsec
- RFC 2451, The ESP CBC-Mode Cipher Algorithms
- RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
- RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
- RFC 4868, Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
Using IPsec with ESXi
When you set up IPsec on an ESXi host, you enable protection of incoming or outgoing data. Exactly which
traffic is protected, and how, depends on how you set up the system's Security Associations (SAs) and
Security Policies (SPs).
- An SA determines how the system protects traffic. When you create an SA, you specify the source and
  destination, the authentication (integrity) and encryption parameters, and a name that identifies the SA,
  with the following options. Because the keys are given as SA parameters rather than negotiated, the peer
  host must be configured with a matching SA (same SPI, algorithms, and keys).

  vicfg-ipsec                     esxcli network ip ipsec
  sa-src and sa-dst               --sa-source and --sa-destination
  spi (security parameter index)  --sa-spi
  sa-mode (tunnel or transport)   --sa-mode
  ealgo and ekey                  --encryption-algorithm and --encryption-key
  ialgo and ikey                  --integrity-algorithm and --integrity-key
- An SP identifies and selects the traffic that must be protected. An SP consists of two logical sections,
  a selector and an action.
  The selector is specified by the following options.

  vicfg-ipsec            esxcli network ip ipsec
  src-addr and src-port  --source-address and --source-port
  dst-addr and dst-port  --destination-address and --destination-port
  ulproto                --upper-layer-protocol
  direction (in or out)  --flow-direction

  The action, and the names that tie the SP to the SA it uses, are specified by the following options.

  vicfg-ipsec                    esxcli network ip ipsec
  sa-name                        --sa-name
  sp-name                        --sp-name
  action (none, discard, ipsec)  --action
Because IPsec lets you select precisely which traffic is protected, it is well suited to securing your
vSphere environment. For example, you can set up SAs and SPs so that all vMotion traffic is encrypted and
integrity-protected.
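The following script is an added example for this section; it is not from the VMware guide and not VMware code. It configures protection of one IPv6 flow, SRC to DST, with the ESXCLI options listed above: an SA that carries the keys, then an SP whose selector matches TCP traffic for that flow and whose action is ipsec. The addresses (fd00:10::a and fd00:10::b), the SPI, the keys, the SA/SP names and the function names are all constructed placeholders. The key-length check is derived from the RFCs listed above (AES-128 16 bytes, 3DES 24 bytes, HMAC-SHA-1-96 20 bytes, HMAC-SHA-256 32 bytes); a DRY_RUN variable makes the script print the esxcli commands instead of executing them, so it can be reviewed off the host.

```shell
#!/bin/sh
# Added example (not from the VMware guide): protect one IPv6 flow SRC -> DST.
# Run with "out" on the host that owns SRC and with "in" on the host that owns
# DST; both hosts need the same SA (same SPI, algorithms and keys).
# Addresses, SPI and keys below are constructed placeholders.
set -e

SRC_ADDR="fd00:10::a"    # constructed: VMkernel address on the sending host
DST_ADDR="fd00:10::b"    # constructed: VMkernel address on the receiving host
SPI="0x1000"             # constructed; must be identical on both hosts
ENC_ALG="aes128-cbc"
ENC_KEY="0x000102030405060708090a0b0c0d0e0f"   # 16-byte placeholder, never reuse
INT_ALG="hmac-sha2-256"
INT_KEY="0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"  # 32-byte placeholder

# required_bytes ALG -> key length in bytes that the algorithm's RFC mandates
required_bytes() {
    case $1 in
        aes128-cbc)    echo 16 ;;   # RFC 3602: AES with a 128-bit key
        3des-cbc)      echo 24 ;;   # RFC 2451: three 64-bit DES keys
        hmac-sha1-96)  echo 20 ;;   # RFC 2404: 160-bit key
        hmac-sha2-256) echo 32 ;;   # RFC 4868: key length equals hash output length
        *) echo "unsupported algorithm: $1" >&2; return 1 ;;
    esac
}

# key_bytes KEY -> byte count of a 0x-prefixed hex key; fails on a malformed key
key_bytes() {
    hex=${1#0x}
    [ "$hex" != "$1" ] || { echo "key must be 0x-prefixed hex: $1" >&2; return 1; }
    case $hex in *[!0-9a-fA-F]*|"") echo "key is not hex: $1" >&2; return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex key: $1" >&2; return 1; }
    echo $(( ${#hex} / 2 ))
}

# check_key ALG KEY -> succeeds only if KEY has exactly the length ALG requires
check_key() {
    want=$(required_bytes "$1") || return 1
    got=$(key_bytes "$2") || return 1
    [ "$got" -eq "$want" ] || { echo "$1 needs a $want-byte key, got $got bytes" >&2; return 1; }
}

# run CMD... -> echoes the command when DRY_RUN is set, otherwise executes it
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# add_sa NAME -> transport-mode SA for SRC -> DST; it must exist before an SP names it
add_sa() {
    check_key "$ENC_ALG" "$ENC_KEY" || return 1
    check_key "$INT_ALG" "$INT_KEY" || return 1
    run esxcli network ip ipsec sa add --sa-name "$1" \
        --sa-source "$SRC_ADDR" --sa-destination "$DST_ADDR" \
        --sa-spi "$SPI" --sa-mode transport \
        --encryption-algorithm "$ENC_ALG" --encryption-key "$ENC_KEY" \
        --integrity-algorithm "$INT_ALG" --integrity-key "$INT_KEY"
}

# add_sp NAME SA_NAME DIRECTION -> SP selecting TCP SRC -> DST, action ipsec.
# Selector addresses are given with a prefix length; /128 matches one host.
add_sp() {
    case $3 in "in"|out) ;; *) echo "direction must be in or out: $3" >&2; return 1 ;; esac
    run esxcli network ip ipsec sp add --sp-name "$1" --sa-name "$2" \
        --source-address "$SRC_ADDR/128" --destination-address "$DST_ADDR/128" \
        --upper-layer-protocol tcp --flow-direction "$3" --action ipsec
}

# configure_flow DIRECTION -> SA first, then the SP that references it
configure_flow() {
    add_sa "sa_$1" && add_sp "sp_$1" "sa_$1" "$1"
}

case ${1:-} in
    "in"|out) configure_flow "$1" ;;           # on the ESXi host
    *)        DRY_RUN=1; configure_flow out ;;  # no argument: only print the commands
esac
```

Run `sh ipsec-flow.sh` on a workstation to review the generated commands, `sh ipsec-flow.sh out` on the sending host and `sh ipsec-flow.sh in` on the receiving host. SAs are unidirectional (RFC 4301), so the reverse flow needs a second SA with swapped addresses, its own SPI and fresh keys; generate keys with a CSPRNG (for example `openssl rand -hex 16` for AES-128) rather than the placeholders above, and do not choose `null` encryption (RFC 2410) for vMotion, since it gives integrity protection only.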
vSphere Command-Line Interface Concepts and Examples
154 VMware, Inc.