Difference between revisions of "ESXi - 6.7 network"
(→ipsec) |
Line 352: | Line 352: | ||
=== ipsec === | === ipsec === | ||
==== sa ==== | |||
* '''list''' | |||
: List configured Security Associations | |||
:* <code>esxcli network ip ipsec sa list</code> | |||
* '''add''' | |||
: Add a Security Association. | |||
:* <code>esxcli network ip ipsec sa add '''CMD_OPTIONS'''</code> | |||
'''CMD_OPTIONS''' | |||
-e|--encryption-algorithm=<str> | |||
Encryption algorithm for the Security Association. Should be one in set | |||
[null, 3des-cbc, aes128-cbc]. (required) | |||
-k|--encryption-key=<str> | |||
Encryption key(ASCII or hex). Length of hex key is dependent upon algorithm | |||
used. Required when a encryption algorithm has been specified. | |||
-i|--integrity-algorithm=<str> | |||
Integrity algorithm for the Security Association. Should be one in set | |||
[hmac-sha1, hmac-sha2-256]. (required) | |||
-K|--integrity-key=<str> | |||
Integrity key(ASCII or hex). Length of hex key is dependent upon algorithm | |||
used. (required) | |||
-d|--sa-destination=<str> | |||
Ipv6 address of Security Association destination. Can be specified as 'any' | |||
or a correct IPv6 address. (required) | |||
-m|--sa-mode=<str> Security Association mode. Should be one in set [transport, tunnel]. | |||
-n|--sa-name=<str> Name for the Security Association to be added. (required) | |||
-s|--sa-source=<str> Ipv6 address of Security Association source. Can be specified as 'any' or a | |||
correct IPv6 address. (required) | |||
-p|--sa-spi=<str> SPI value for the Security Association(hex). (required) | |||
* '''remove''' | |||
: Operation to remove Security Association(s) | |||
:* <code>esxcli network ip ipsec sa remove</code> | |||
==== sp ==== | |||
* '''list''' | |||
: List configured Security Policys | |||
:* <code>esxcli network ip ipsec sp list</code> | |||
* '''add''' | |||
: Add a Security Policy. | |||
:* <code>esxcli network ip ipsec sp add '''CMD_OPTIONS'''</code> | |||
'''CMD_OPTIONS''' | |||
-A|--action=<str> Action for Security Policy. Should be one in set [none, discard, ipsec]. | |||
-P|--destination-port=<long> | |||
Destination Port for Security Policy. '0' stands for 'any' (required) | |||
-w|--flow-direction=<str> | |||
Flow direction for Security Policy. Should be one in set [in, out]. | |||
-a|--sa-name=<str> Name for the Security Association. Not being Specified lets vmkernel | |||
automatically choose an Security Association. If no applicable Security | |||
Association exists, then vmkernel may request one using IKE. | |||
-p|--source-port=<long> | |||
Source Port for Security Policy. '0' stands for 'any' (required) | |||
-d|--sp-destination=<str> | |||
Ipv6 address and prefix length of Security Policy destination. Can be | |||
specified as 'any' or a correct Ipv6 network address. (required) | |||
-m|--sp-mode=<str> Security Policy mode. Should be one in set [transport, tunnel]. | |||
-n|--sp-name=<str> Name for the Security Policy to be added. (required) | |||
-s|--sp-source=<str> Ipv6 address and prefix length of Security Policy source. Can be specified | |||
as 'any' or a correct IPv6 network address. (required) | |||
-u|--upper-layer-protocol=<str> | |||
Upper layer protocol for Security Policy, Should be one in set [any, tcp, | |||
udp, icmp6]. | |||
* '''remove''' | |||
: Operation to remove Security Policy | |||
:* <code>esxcli network ip ipsec sp remove '''PARAM'''</code> | |||
'''PARAM''' | |||
--remove-all OR --sa-name | |||
=== neighbor === | === neighbor === | ||
=== netstack === | === netstack === |
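Review bot: the `sp remove` entry lists `--remove-all OR --sa-name`, while in the same hunk the policy's own name is `-n|--sp-name` (`sp add`) and `--sa-name` is the Security Association a policy refers to; check which option `sp remove` actually takes and name it accordingly, and give `sa remove` a parameter line like every other remove command here (`esxcli network ip ipsec sa remove` currently shows none). Two wording fixes: 'Security Policys' should read 'Security Policies', and 'a encryption algorithm' should read 'an encryption algorithm'. It would also help readers to note beside `-e|--encryption-algorithm` that `null` gives no confidentiality and that `3des-cbc` and `hmac-sha1` are the legacy choices next to `aes128-cbc` and `hmac-sha2-256`, and beside `-k`/`-K` that keys passed as command-line options end up in shell history and process listings.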
Revision as of 22:57, 9 February 2022
network
Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general host networking settings.
diag
- ping
- Send ICMP echo requests to network hosts.
esxcli network diag ping CMD_OPTIONS
CMD_OPTIONS
-c|--count=<long>      Specify the number of packets to send.
-D|--debug             VMKPing debug mode.
-d|--df                Set DF bit on IPv4 packets.
-H|--host=<str>        Specify the host to send packets to. This parameter is required when not executing ping in debug mode (-D)
-I|--interface=<str>   Specify the outgoing interface.
-i|--interval=<str>    Set the interval for sending packets in seconds.
--ipv4                 Ping with ICMPv4 echo requests.
--ipv6                 Ping with ICMPv6 echo requests.
--netstack=<str>       Specify the TCP/IP netstack which the interface resides on
-N|--nexthop=<str>     Override the system's default route selection, in dotted quad notation. (IPv4 only. Requires interface option)
-s|--size=<long>       Set the payload size of the packets to send.
-t|--ttl=<long>        Set IPv4 Time To Live or IPv6 Hop Limit
-W|--wait=<str>        Set the timeout to wait if no responses are received in seconds.
ens
lcore
- list
- List ENS contexts.
esxcli network ens lcore list
- add
- Create ENS context.
esxcli network ens lcore add ID
ID -l|--lcore-id=<long> ENS context id to be created. (required)
- remove
- Destroy ENS context.
esxcli network ens lcore remove ID
ID -l|--lcore-id=<long> ENS context id to be destroyed. (required)
affinity
- get
- Get the affinity for given ENS context.
esxcli network ens lcore affinity get ID
ID -l|--lcore-id=<long> ENS context id. (required)
- set
- Set affinity for given ENS context.
esxcli network ens lcore affinity set ID NODE
ID    -l|--lcore-id=<long>   ENS context id. (required)
NODE  -a|--affinity=<long>   Numa node affinity. (required)
switch
- get
- Get the switch associated with given ENS context.
esxcli network ens lcore switch get ID
ID -l|--lcore-id=<long> ENS context id. (required)
- add
- Associate given ENS context with given switch.
esxcli network ens lcore switch add ID SWITCH
ID      -l|--lcore-id=<long>   ENS context id. (required)
SWITCH  -s|--switch=<str>      Switch name. (required)
- remove
- Disassociate given ENS context from virtual switch.
esxcli network ens lcore switch remove ID
ID -l|--lcore-id=<long> ENS context id. (required)
maxLcores
- get
- Get the maximum number of ENS contexts (lcores).
esxcli network ens maxLcores get
- set
- Set the maximum number of ENS contexts.
esxcli network ens maxLcores set MAXCORES
MAXCORES -n|--maxlcores=<long> Number of maximum ENS contexts to be assigned. (required)
firewall
- get
- Get the firewall status.
esxcli network firewall get
- set
- Set firewall enabled status and default action.
esxcli network firewall set PARAM
PARAM --enabled OR --default-action
- refresh
- Load ruleset configuration for firewall.
esxcli network firewall refresh
- load
- Load firewall module and rulesets configuration.
esxcli network firewall load
- unload
- Allow unload firewall module.
esxcli network firewall unload
ruleset
- list
- List the rulesets in firewall.
esxcli network firewall ruleset list
- set
- Set firewall ruleset status (allowedAll flag and enabled status).
esxcli network firewall ruleset set LABEL CMD_OPTIONS
LABEL
-r|--ruleset-id=<str>    The label of the ruleset. (required)
CMD_OPTIONS
-a|--allowed-all=<bool>  Set to true to allow all IPs, set to false to use the allowed IP list.
-e|--enabled=<bool>      Set to true to enable the ruleset, set to false to disable it.
allowedip
- list
- List allowed IP addresses for rulesets.
esxcli network firewall ruleset allowedip list
- add
- Add an allowed IP address/range to the ruleset.
esxcli network firewall ruleset allowedip add LABEL RANGE
- remove
- Remove allowed ip address/range from the ruleset.
esxcli network firewall ruleset allowedip remove LABEL RANGE
LABEL  -r|--ruleset-id=<str>  The label of the ruleset. (required)
RANGE  -i|--ip-address=<str>  Allowed IP address/range for the ruleset. (required)
client
- get
- Show the number of clients using a firewall ruleset.
esxcli network firewall ruleset client get LABEL
- add
- Add a new client to a firewall ruleset. This enables the firewall ruleset and increments the number of clients using the ruleset.
esxcli network firewall ruleset client add LABEL
- remove
- Remove a client from a firewall ruleset. This decrements the number of clients using the ruleset and if the number reaches zero the ruleset is disabled.
esxcli network firewall ruleset client remove LABEL
LABEL -r|--ruleset-id=<str> The label of the ruleset. (required)
rule
- list
- List the rules of each ruleset in firewall.
esxcli network firewall ruleset rule list
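As an added example (not part of the wiki page), a Python audit that reads the text printed by the `ruleset list` and `ruleset allowedip list` commands above, reports rulesets that are enabled with allowed-all in effect, and builds the `ruleset set` / `allowedip add` commands that restrict one to an explicit allow list. The sample output, the ruleset names and the 10.0.10.0/24 range are constructed, and the two-column layout is an assumption about esxcli's default formatter.

```python
"""Audit ESXi firewall rulesets that are enabled and open to every source IP,
from the text printed by `esxcli network firewall ruleset list` and
`esxcli network firewall ruleset allowedip list` (both on this page).
The samples are constructed; the two-column layout with a dashed rule under
the header is an assumption about esxcli's default formatter."""
import re

# Constructed sample of `esxcli network firewall ruleset list`
RULESET_LIST = """\
Name                 Enabled
-------------------  -------
sshServer            true
vSphereClient        true
snmp                 false
ntpClient            true
"""
# Constructed sample of `esxcli network firewall ruleset allowedip list`
ALLOWEDIP_LIST = """\
Ruleset              Allowed IP Addresses
-------------------  --------------------
sshServer            All
vSphereClient        10.0.10.0/24, 10.0.11.5
snmp                 All
ntpClient            All
"""

def parse_table(text):
    """Map the first column of an esxcli two-column table to the rest of the row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rows = {}
    for line in lines[1:]:                      # lines[0] is the column header
        if set(line.strip()) <= {"-", " "}:     # dashed separator under the header
            continue
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        rows[cols[0]] = cols[1] if len(cols) > 1 else ""
    return rows

def parse_allowed(value):
    """'All' means allowed-all is set (no source restriction) -> None;
    otherwise return the list of allowed addresses/ranges."""
    if value.strip().lower() == "all":
        return None
    return [a.strip() for a in value.split(",") if a.strip()]

def open_rulesets(ruleset_text, allowedip_text):
    """Rulesets that are enabled AND accept traffic from any source, i.e. where
    --allowed-all=true is in effect instead of an allowed IP list."""
    enabled = {n for n, v in parse_table(ruleset_text).items() if v.lower() == "true"}
    allowed = {n: parse_allowed(v) for n, v in parse_table(allowedip_text).items()}
    return sorted(n for n in enabled if n in allowed and allowed[n] is None)

def remediation_commands(ruleset, ranges):
    """The esxcli commands from this page that move a ruleset from allowed-all to
    an explicit allow list; review them before running on a host."""
    cmds = [f"esxcli network firewall ruleset set --ruleset-id={ruleset} --allowed-all=false"]
    cmds += [f"esxcli network firewall ruleset allowedip add --ruleset-id={ruleset} --ip-address={r}"
             for r in ranges]
    return cmds
```

Feed it the real command output captured from a host (for example over SSH) in place of the constructed samples; a ruleset that is disabled is not reported even if its allow list says All.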
ip
- get
- Get global IP settings
esxcli network ip get
- set
- Update global IP settings
esxcli network ip set
Configure the VMkernel Adapter Gateway by Using esxcli Commands
connection
- list
- List active TCP/IP connections
esxcli network ip connection list
dns
search
- list
- List the search domains currently configured on the ESXi host in the order in which they will be used when searching.
esxcli network ip dns search list
- add
- Add a search domain to the list of domains to be searched when trying to resolve a host name on the ESXi host.
esxcli network ip dns search add DOMAIN NETSTACK
- remove
- Remove a search domain from the list of domains to be searched when trying to resolve a host name on the ESXi host.
esxcli network ip dns search remove DOMAIN NETSTACK
server
- list
- Print a list of the DNS servers currently configured on the system in the order in which they will be used.
esxcli network ip dns server list
- add
- Add a new DNS server to the end of the list of DNS servers to use for this ESXi host.
esxcli network ip dns server add DOMAIN SERVER
- remove
- Remove a DNS server from the list of DNS servers to use for this ESXi host.
esxcli network ip dns server remove PARAM
DOMAIN    -d|--domain=<str>    The string name of a domain to remove from the list of search domains. (required)
NETSTACK  -N|--netstack=<str>  The network stack instance; if unspecified, use the default netstack instance
SERVER    -s|--server=<str>    The IP address (v4 or v6) of the DNS server to add to the DNS server list. (required)
PARAM     --all, --server
interface
- list
- This command will list the VMkernel network interfaces currently known to the system.
esxcli network ip interface list
- set
- This command sets the enabled status and MTU size of a given IP interface
esxcli network ip interface set CMD_OPTIONS
CMD_OPTIONS
-e|--enabled=<bool>         Set to true to enable the interface, set to false to disable it.
-i|--interface-name=<str>   The name of the interface to apply the configurations. (required)
-m|--mtu=<long>             The MTU size of the IP interface.
- add
- Add a new VMkernel network interface.
esxcli network ip interface add CMD_OPTIONS
CMD_OPTIONS
-P|--dvport-id=<str>        DVPort ID of the connection point. This requires --dvs-name to be given in the same command
-s|--dvs-name=<str>         DVSwitch name of the connection point. This requires --dvport-id to be given in the same command
-i|--interface-name=<str>   The name of the VMkernel network interface to create. This name must be in the form vmkX, where X is a number 0-255
-M|--mac-address=<str>      Set the MAC address for the newly created VMkernel network interface.
-m|--mtu=<long>             Set the MTU setting for a given VMkernel network interface on creation
-N|--netstack=<str>         The network stack instance; if unspecified, use the default netstack instance
-p|--portgroup-name=<str>   The name of the vswitch port group to add this VMkernel network interface to.
- remove
- Remove a VMkernel network interface from the ESXi host. A VMkernel network interface can be uniquely specified by --interface-name, by --portgroup-name, or by --dvs-name/--dvport-id, i.e. providing its name or its connection point are the two ways to uniquely specify a VMkernel network interface.
esxcli network ip interface remove CMD_OPTIONS
CMD_OPTIONS
-P|--dvport-id=<str>        DVPort ID of the connection point. This requires --dvs-name to be given in the same command
-s|--dvs-name=<str>         DVSwitch name of the connection point. This requires --dvport-id to be given in the same command
-i|--interface-name=<str>   The name of the VMkernel network interface to remove. This name must be in the form vmkX, where X is a number 0-255
-N|--netstack=<str>         The network stack instance; if unspecified, use the default netstack instance
-p|--portgroup-name=<str>   The name of the vswitch port group to delete this VMkernel network interface from.
ipv4
- get
- List the IPv4 addresses assigned to VMkernel network interfaces.
esxcli network ip interface ipv4 get
- set
- Configure IPv4 setting for a given VMkernel network interface.
esxcli network ip interface ipv4 set CMD_OPTIONS
CMD_OPTIONS
-g|--gateway=<str>          The default gateway for this interface. The value must be a valid IPv4 address. The gateway is reset if not provided.
-i|--interface-name=<str>   The name of the VMkernel network interface to set IPv4 settings for. This name must be an interface listed in the interface list command. (required)
-I|--ipv4=<str>             The static IPv4 address for this interface.
-N|--netmask=<str>          The static IPv4 netmask for this interface.
-P|--peer-dns=<bool>        A boolean value to indicate if the system should use the DNS settings published via DHCPv4 for this interface.
-t|--type=<str>             IPv4 address type:
                              dhcp:   Use DHCP to acquire IPv4 settings for this interface.
                              none:   Remove IPv4 settings from this interface.
                              static: Set static IPv4 information for this interface. Requires the --ipv4 and --netmask options.
address
- list
- List the IPv4 addresses assigned to VMkernel network interfaces.
esxcli network ip interface ipv4 address list
ipv6
- get
- Get IPv6 settings for VMkernel network interfaces. This does not include the IPv6 addresses which can be found in the "address list" command.
esxcli network ip interface ipv6 get
- set
- Configure IPv6 settings for a given VMkernel network interface.
esxcli network ip interface ipv6 set CMD_OPTIONS
CMD_OPTIONS
-d|--enable-dhcpv6=<bool>      Setting this value to true will enable DHCPv6 on this interface and attempt to acquire an IPv6 address from the network.
-e|--enable-ipv6=<bool>        Setting this value to true enables IPv6 on this interface, while setting it to false disables IPv6 on this interface.
-r|--enable-router-adv=<bool>  Setting this value to true will allow IPv6 addresses advertised by any routers on the local network (Router Advertisements) to be added to this interface.
-g|--gateway=<str>             A default gateway for this interface. The value must be a valid IPv6 address.
-i|--interface-name=<str>      The name of the VMkernel network interface to set IPv6 settings for. This name must be an interface listed in the interface list command. (required)
-P|--peer-dns=<bool>           A boolean value to indicate if the system should use the DNS settings published via DHCPv6 for this interface.
address
- list
- This command will list all of the IPv6 addresses currently assigned to the system
esxcli network ip interface ipv6 address list
- add
- Add a static IPv6 address to a given VMkernel network interface.
esxcli network ip interface ipv6 address add CMD_OPTIONS
CMD_OPTIONS
-i|--interface-name=<str>   The name of the VMkernel network interface to add a static IPv6 address to. This name must be an interface listed in the interface list command. (required)
-I|--ipv6=<str>             The IPv6 address to add to the given VMkernel network interface. This must be in X:X:X::/X format. (required)
- remove
- Remove an IPv6 address from a given VMkernel network interface.
esxcli network ip interface ipv6 address remove CMD_OPTIONS
CMD_OPTIONS
-i|--interface-name=<str>   The name of the VMkernel network interface to remove an IPv6 address from. This name must be an interface listed in the interface list command. (required)
-I|--ipv6=<str>             The IPv6 address to remove from the given VMkernel network interface. This must be in X:X:X::/X format. (required)
tag
- get
- Gets the tags set on the given VMkernel network interface.
esxcli network ip interface tag get INTERFACE
- add
- Adds a tag on a given VMkernel network interface. Supported tags are: Management, VMotion, faultToleranceLogging, vSphereReplication, vSphereReplicationNFC, vSphereProvisioning, VSAN, VSANWitness
esxcli network ip interface tag add INTERFACE TAGNAME
- remove
- Removes a tag on a given VMkernel network interface.
esxcli network ip interface tag remove INTERFACE TAGNAME
INTERFACE  -i|--interface-name=<str>  Name of the VMkernel network interface (vmknic) whose tags are to be read/set/removed. This name must be an interface listed in the interface list command. (required)
TAGNAME    -t|--tagname=<str>         Tag name to assign to the interface. (required)
ipsec
sa
- list
- List configured Security Associations
esxcli network ip ipsec sa list
- add
- Add a Security Association.
esxcli network ip ipsec sa add CMD_OPTIONS
CMD_OPTIONS
-e|--encryption-algorithm=<str>  Encryption algorithm for the Security Association. Should be one in set [null, 3des-cbc, aes128-cbc]. (required)
-k|--encryption-key=<str>        Encryption key (ASCII or hex). Length of hex key is dependent upon the algorithm used. Required when an encryption algorithm has been specified.
-i|--integrity-algorithm=<str>   Integrity algorithm for the Security Association. Should be one in set [hmac-sha1, hmac-sha2-256]. (required)
-K|--integrity-key=<str>         Integrity key (ASCII or hex). Length of hex key is dependent upon the algorithm used. (required)
-d|--sa-destination=<str>        IPv6 address of Security Association destination. Can be specified as 'any' or a correct IPv6 address. (required)
-m|--sa-mode=<str>               Security Association mode. Should be one in set [transport, tunnel].
-n|--sa-name=<str>               Name for the Security Association to be added. (required)
-s|--sa-source=<str>             IPv6 address of Security Association source. Can be specified as 'any' or a correct IPv6 address. (required)
-p|--sa-spi=<str>                SPI value for the Security Association (hex). (required)
- remove
- Operation to remove Security Association(s)
esxcli network ip ipsec sa remove
sp
- list
- List configured Security Policies
esxcli network ip ipsec sp list
- add
- Add a Security Policy.
esxcli network ip ipsec sp add CMD_OPTIONS
CMD_OPTIONS
-A|--action=<str>                Action for Security Policy. Should be one in set [none, discard, ipsec].
-P|--destination-port=<long>     Destination port for Security Policy. '0' stands for 'any'. (required)
-w|--flow-direction=<str>        Flow direction for Security Policy. Should be one in set [in, out].
-a|--sa-name=<str>               Name for the Security Association. If not specified, vmkernel automatically chooses a Security Association. If no applicable Security Association exists, vmkernel may request one using IKE.
-p|--source-port=<long>          Source port for Security Policy. '0' stands for 'any'. (required)
-d|--sp-destination=<str>        IPv6 address and prefix length of Security Policy destination. Can be specified as 'any' or a correct IPv6 network address. (required)
-m|--sp-mode=<str>               Security Policy mode. Should be one in set [transport, tunnel].
-n|--sp-name=<str>               Name for the Security Policy to be added. (required)
-s|--sp-source=<str>             IPv6 address and prefix length of Security Policy source. Can be specified as 'any' or a correct IPv6 network address. (required)
-u|--upper-layer-protocol=<str>  Upper layer protocol for Security Policy. Should be one in set [any, tcp, udp, icmp6].
- remove
- Operation to remove Security Policy
esxcli network ip ipsec sp remove PARAM
PARAM --remove-all OR --sa-name
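As an added example (not from the wiki page), a Python pre-flight check for the `sa add` options above: it verifies that the algorithms are in the listed sets, that the key length matches the algorithm, that `--sa-spi` is hex and that source/destination are 'any' or an IPv6 address, and it flags `null`, `3des-cbc` and `hmac-sha1` as weak choices. The key sizes are the standard IPsec sizes for those algorithms (assumed to be what ESXi expects), the 0x prefix as the marker for a hex key is an assumption, and which algorithms count as weak is this example's policy rather than something the page states.

```python
"""Sanity-check parameters for `esxcli network ip ipsec sa add` (this page)
before the command is run. Key sizes are the standard IPsec sizes for the
listed algorithms (assumed to be what ESXi expects; verify on your host),
hex keys are taken to be 0x-prefixed (assumption; anything else is ASCII),
and the list of weak choices is this example's policy, not the page's."""
import ipaddress
import re

ENC_KEY_BYTES = {"null": 0, "3des-cbc": 24, "aes128-cbc": 16}
INT_KEY_BYTES = {"hmac-sha1": 20, "hmac-sha2-256": 32}
WEAK = {"null": "no confidentiality at all",
        "3des-cbc": "64-bit block cipher, legacy",
        "hmac-sha1": "legacy integrity algorithm, prefer hmac-sha2-256"}

def key_bytes(key):
    """Byte length of a key given as 0x-prefixed hex or as an ASCII string."""
    if key.lower().startswith("0x"):
        hexpart = key[2:]
        if not re.fullmatch(r"[0-9a-fA-F]+", hexpart) or len(hexpart) % 2:
            raise ValueError("hex key must be an even number of hex digits")
        return len(hexpart) // 2
    return len(key.encode("ascii"))

def check_sa(name, spi, src, dst, enc, enc_key, integ, integ_key, mode="transport"):
    """Return a list of problems with the SA parameters; an empty list means they
    are consistent with the option descriptions on the page and with WEAK."""
    problems = []
    if enc not in ENC_KEY_BYTES:
        problems.append(f"encryption algorithm {enc!r} not in {sorted(ENC_KEY_BYTES)}")
    elif enc != "null":
        if not enc_key:
            problems.append("--encryption-key is required when an encryption algorithm is set")
        elif key_bytes(enc_key) != ENC_KEY_BYTES[enc]:
            problems.append(f"{enc} needs a {ENC_KEY_BYTES[enc]}-byte key, got {key_bytes(enc_key)}")
    if integ not in INT_KEY_BYTES:
        problems.append(f"integrity algorithm {integ!r} not in {sorted(INT_KEY_BYTES)}")
    elif not integ_key:
        problems.append("--integrity-key is required")
    elif key_bytes(integ_key) != INT_KEY_BYTES[integ]:
        problems.append(f"{integ} needs a {INT_KEY_BYTES[integ]}-byte key, got {key_bytes(integ_key)}")
    if mode not in ("transport", "tunnel"):
        problems.append(f"--sa-mode {mode!r} must be transport or tunnel")
    if not re.fullmatch(r"(0x)?[0-9a-fA-F]+", spi):
        problems.append(f"--sa-spi {spi!r} is not a hex value")
    for label, addr in (("--sa-source", src), ("--sa-destination", dst)):
        if addr != "any":
            try:
                ipaddress.IPv6Address(addr)
            except ValueError:
                problems.append(f"{label} {addr!r} is neither 'any' nor a valid IPv6 address")
    for alg in (enc, integ):
        if alg in WEAK:
            problems.append(f"weak choice {alg}: {WEAK[alg]}")
    if not name:
        problems.append("--sa-name is required")
    return problems
```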