vSphere Command-Line Interface Concepts and Examples 6.5
Managing Security Associations

You can specify an SA and request that the VMkernel use that SA.

The following options for SA setup are supported. Each entry gives the vicfg-ipsec option, the equivalent esxcli option, and a description.

sa-src <source_IP>  /  sa-source <source_IP>
    Source IP for the SA.

sa-dst <destination_IP>  /  sa-destination <destination_IP>
    Destination IP for the SA.

spi  /  sa-spi
    Security Parameter Index (SPI) for the SA. Must be a hexadecimal number with a 0x prefix.
    When IPsec is in use, ESXi uses the ESP protocol (RFC 4303), which includes authentication and encryption information and the SPI. The SPI identifies the SA to use at the receiving host. Each SA you create must have a unique combination of source, destination, protocol, and SPI.

sa-mode [tunnel | transport]  /  sa-mode [tunnel | transport]
    Either tunnel or transport.
    In tunnel mode, the original packet is encapsulated in another IPv6 packet, where source and destination addresses are the SA endpoint addresses.

ealgo [null | 3des-cbc | aes128-cbc]  /  encryption-algorithm [null | 3des-cbc | aes128-cbc]
    Encryption algorithm to be used. Choose 3des-cbc or aes128-cbc, or null for no encryption.

ekey <key>  /  encryption-key <key>
    Encryption key to be used by the encryption algorithm. A series of hexadecimal digits with a 0x prefix or an ASCII string.

ialgo [hmac-sha1 | hmac-sha2-256]  /  integrity-algorithm [hmac-sha1 | hmac-sha2-256]
    Authentication algorithm to be used. Choose hmac-sha1 or hmac-sha2-256.

ikey  /  integrity-key
    Authentication key to be used. A series of hexadecimal digits or an ASCII string.
You can perform these main tasks with SAs.
- Create an SA. You specify the source, the destination, and the authentication mode. You also specify the authentication algorithm and authentication key to use. You must specify an encryption algorithm and key, but you can specify null if you want no encryption. Authentication is required and cannot be null.
  The following example includes extra line breaks for readability. The last option, sa_2 in the example, is the name of the SA.
esxcli network ip ipsec sa add
--sa-source 2001:DB8:1::121
--sa-destination 2001:DB8:1::122
--sa-mode transport
--sa-spi 0x1000
--encryption-algorithm 3des-cbc
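The constraints the option table states (0x-prefixed hex SPI, an encryption key that matches its algorithm, an integrity algorithm that is never null, and a unique source/destination/SPI tuple) are easy to get wrong when SAs are keyed by hand. The POSIX sh script below is an added example, not VMware's code: it checks those constraints and prints the esxcli network ip ipsec sa add command line that would be run, instead of running it. The expected key sizes per algorithm (3des-cbc 24 bytes, aes128-cbc 16, hmac-sha1 20, hmac-sha2-256 32) and the 32-bit SPI limit are standard ESP values, assumed here because the page lists only the option names; the list of existing SAs is constructed inline, and on a real host you would build it from the host's own SA listing.

```shell
#!/bin/sh
# Added example (not VMware's code): sanity-check manually keyed IPsec SA
# parameters before handing them to "esxcli network ip ipsec sa add", and
# compose the command line. Key sizes are the standard ones for each
# algorithm (an assumption; the page lists only the algorithm names).

# Print the number of hex digits in a 0x-prefixed hex string; fail if the
# value lacks the prefix or contains non-hex characters.
hex_digits() {
    case "$1" in 0x*) rest=${1#0x} ;; *) return 1 ;; esac
    case "$rest" in ""|*[!0-9A-Fa-f]*) return 1 ;; esac
    printf '%s\n' "${#rest}"
}

# The SPI must be 0x-prefixed hex; ESP carries it as a 32-bit field.
spi_ok() {
    n=$(hex_digits "$1") || return 1
    [ "$n" -le 8 ] || return 1
    return 0
}

# Key size in bytes for each algorithm the page lists (assumed standard sizes).
key_bytes() {
    case "$1" in
        null)          echo 0 ;;
        3des-cbc)      echo 24 ;;
        aes128-cbc)    echo 16 ;;
        hmac-sha1)     echo 20 ;;
        hmac-sha2-256) echo 32 ;;
        *) return 1 ;;
    esac
}

# A key may be 0x-prefixed hex or an ASCII string; either way its length must
# match the algorithm. "null" encryption takes no key.
key_ok() {
    want=$(key_bytes "$1") || return 1
    if [ "$want" -eq 0 ]; then
        [ -z "$2" ] || return 1
        return 0
    fi
    case "$2" in
        0x*) n=$(hex_digits "$2") || return 1
             [ "$n" -eq $((want * 2)) ] || return 1 ;;
        *)   [ "${#2}" -eq "$want" ] || return 1 ;;
    esac
    return 0
}

# Reject an SA whose (source, destination, SPI) tuple already exists. ESXi
# uses ESP only, so the protocol part of the tuple is constant. $1 is a
# newline-separated list of "src dst spi" triples (constructed by the caller).
sa_unique() {
    printf '%s\n' "$1" | grep -qxF "$2 $3 $4" && return 1
    return 0
}

# Validate every parameter and print the resulting esxcli command on one line.
# Usage: sa_add_cmd EXISTING SRC DST MODE SPI EALGO EKEY IALGO IKEY NAME
sa_add_cmd() {
    existing=$1; src=$2; dst=$3; mode=$4; spi=$5
    ealgo=$6; ekey=$7; ialgo=$8; ikey=$9; name=${10}
    [ "$mode" = tunnel ] || [ "$mode" = transport ] || return 1
    spi_ok "$spi" || return 1
    key_ok "$ealgo" "$ekey" || return 1
    # Authentication is required: the integrity algorithm cannot be null.
    case "$ialgo" in hmac-sha1|hmac-sha2-256) ;; *) return 1 ;; esac
    key_ok "$ialgo" "$ikey" || return 1
    sa_unique "$existing" "$src" "$dst" "$spi" || return 1
    [ -n "$name" ] || return 1
    ekey_opt=""
    if [ -n "$ekey" ]; then ekey_opt=" --encryption-key $ekey"; fi
    printf '%s\n' "esxcli network ip ipsec sa add --sa-source $src --sa-destination $dst --sa-mode $mode --sa-spi $spi --encryption-algorithm $ealgo$ekey_opt --integrity-algorithm $ialgo --integrity-key $ikey $name"
}

# Constructed sample: one SA already present on the host, using the
# addresses from the page's example.
EXISTING_SAS="2001:DB8:1::121 2001:DB8:1::122 0x1000"
sa_add_cmd "$EXISTING_SAS" 2001:DB8:1::121 2001:DB8:1::122 transport 0x1001 \
    3des-cbc 0x000102030405060708090a0b0c0d0e0f1011121314151617 \
    hmac-sha1 0x000102030405060708090a0b0c0d0e0f10111213 sa_2
```

The script prints the command only when every check passes and exits non-zero otherwise, so it can sit in front of the real esxcli call in a provisioning script; reusing SPI 0x1000 with the same endpoints, passing null as the integrity algorithm, or supplying a 3des-cbc key that is not 24 bytes all make it fail before anything reaches the host.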
Chapter 9 Managing vSphere Networking
VMware, Inc. 155