6.5
Table Of Contents
- vSphere Command-Line Interface Concepts and Examples
- Contents
- About This Book
- vSphere CLI Command Overviews
- Introduction
- List of Available Host Management Commands
- Targets and Protocols for vCLI Host Management Commands
- Supported Platforms for vCLI Commands
- Commands with an esxcfg Prefix
- ESXCLI Commands Available on Different ESXi Hosts
- Trust Relationship Requirement for ESXCLI Commands
- Using ESXCLI Output
- Connection Options for vCLI Host Management Commands
- Connection Options for DCLI Commands
- vCLI Host Management Commands and Lockdown Mode
- Managing Hosts
- Managing Files
- Managing Storage
- Introduction to Storage
- Examining LUNs
- Detach a Device and Remove a LUN
- Reattach a Device
- Working with Permanent Device Loss
- Managing Paths
- Managing Path Policies
- Scheduling Queues for Virtual Machine I/O
- Managing NFS/NAS Datastores
- Monitor and Manage FibreChannel SAN Storage
- Monitoring and Managing Virtual SAN Storage
- Monitoring vSphere Flash Read Cache
- Monitoring and Managing Virtual Volumes
- Migrating Virtual Machines with svmotion
- Configuring FCoE Adapters
- Scanning Storage Adapters
- Retrieving SMART Information
- Managing iSCSI Storage
- iSCSI Storage Overview
- Protecting an iSCSI SAN
- Command Syntax for esxcli iscsi and vicfg-iscsi
- iSCSI Storage Setup with ESXCLI
- iSCSI Storage Setup with vicfg-iscsi
- Listing and Setting iSCSI Options
- Listing and Setting iSCSI Parameters
- Enabling iSCSI Authentication
- Set Up Ports for iSCSI Multipathing
- Managing iSCSI Sessions
- Managing Third-Party Storage Arrays
- Managing Users
- Managing Virtual Machines
- Managing vSphere Networking
- Introduction to vSphere Networking
- Retrieving Basic Networking Information
- Troubleshoot a Networking Setup
- Setting Up vSphere Networking with vSphere Standard Switches
- Setting Up Virtual Switches and Associating a Switch with a Network Interface
- Retrieving Information About Virtual Switches
- Adding and Deleting Virtual Switches
- Checking, Adding, and Removing Port Groups
- Managing Uplinks and Port Groups
- Setting the Port Group VLAN ID
- Managing Uplink Adapters
- Adding and Modifying VMkernel Network Interfaces
- Managing VMkernel Network Interfaces with ESXCLI
- Add and Configure an IPv4 VMkernel Network Interface with ESXCLI
- Add and Configure an IPv6 VMkernel Network Interface with ESXCLI
- Managing VMkernel Network Interfaces with vicfg-vmknic
- Add and Configure an IPv4 VMkernel Network Interface with vicfg-vmknic
- Add and Configure an IPv6 VMkernel Network Interface with vicfg-vmknic
- Setting Up vSphere Networking with vSphere Distributed Switch
- Managing Standard Networking Services in the vSphere Environment
- Setting the DNS Configuration
- Manage an NTP Server
- Manage the IP Gateway
- Setting Up IPsec
- Manage the ESXi Firewall
- Monitor VXLAN
- Monitoring ESXi Hosts
- Index
You can also congure your iSCSI SAN on its own VLAN to improve performance and security. Placing
your iSCSI conguration on a separate VLAN ensures that no devices other than the iSCSI adapter can see
transmissions within the iSCSI SAN. With a dedicated VLAN, network congestion from other sources
cannot interfere with iSCSI trac.
Securing iSCSI Ports
You can improve the security of iSCSI ports by installing security patches and limiting the devices connected
to the iSCSI network.
When you run iSCSI devices, the ESXi host does not open ports that listen for network connections. This
measure reduces the chances that an intruder can break into the ESXi host through spare ports and gain
control over the host. Therefore, running iSCSI does not present an additional security risks at the ESXi host
end of the connection.
An iSCSI target device must have one or more open TCP ports to listen for iSCSI connections. If security
vulnerabilities exist in the iSCSI device software, your data can be at risk through no fault of the ESXi
system. To lower this risk, install all security patches that your storage equipment manufacturer provides
and limit the devices connected to the iSCSI network.
Setting iSCSI CHAP
iSCSI storage systems authenticate an initiator using a name and key pair. ESXi systems support Challenge
Handshake Authentication Protocol (CHAP).
Using CHAP for your SAN implementation is a best practice. The ESXi host and the iSCSI storage system
must have CHAP enabled and must have common credentials. During iSCSI login, the iSCSI storage system
exchanges its credentials with the ESXi system and checks them.
You can set up iSCSI authentication by using the vSphere Web Client, as discussed in the vSphere Storage
documentation or by using the esxcli command, discussed in “Enabling iSCSI Authentication,” on
page 94. To use CHAP authentication, you must enable CHAP on both the initiator side and the storage
system side. After authentication is enabled, it applies for targets to which no connection has been
established, but does not apply to targets to which a connection is established. After the discovery address is
set, the new volumes to which you add a connection are exposed and can be used.
For software iSCSI and dependent hardware iSCSI, ESXi hosts support per-discovery and per-target CHAP
credentials. For independent hardware iSCSI, ESXi hosts support only one set of CHAP credentials per
initiator. You cannot assign dierent CHAP credentials for dierent targets.
When you congure independent hardware iSCSI initiators, ensure that the CHAP conguration matches
your iSCSI storage. If CHAP is enabled on the storage array, it must be enabled on the initiator. If CHAP is
enabled, you must set up the CHAP authentication credentials on the ESXi host to match the credentials on
the iSCSI storage.
Supported CHAP Levels
To set CHAP levels with esxcli iscsi adapter setauth or vicfg-iscsi, specify one of the values in
Table 5-1 for <level>. Only two levels are supported for independent hardware iSCSI.
Mutual CHAP is supported for software iSCSI and for dependent hardware iSCSI, but not for independent
hardware iSCSI.
I Ensure that CHAP is set to chapRequired before you set mutual CHAP, and use compatible
levels for CHAP and mutual CHAP. Use dierent passwords for CHAP and mutual CHAP to avoid security
risks.
vSphere Command-Line Interface Concepts and Examples
72 VMware, Inc.