ESXi - 6.7 network

From Da Nerd Mage Wiki
Revision as of 22:57, 9 February 2022 by Tinker (talk | contribs) (→‎ipsec)

network

Operations that pertain to the maintenance of networking on an ESX host. This includes a wide variety of commands to manipulate virtual networking components (vswitch, portgroup, etc) as well as local host IP, DNS and general host networking settings.

diag

  • ping
Send ICMP echo requests to network hosts.
  • esxcli network diag ping CMD_OPTIONS
CMD_OPTIONS
 -c|--count=<long>     Specify the number of packets to send.
 -D|--debug            VMKPing debug mode.
 -d|--df               Set DF bit on IPv4 packets.
 -H|--host=<str>       Specify the host to send packets to. This parameter is required when not
                       executing ping in debug mode (-D)
 -I|--interface=<str>  Specify the outgoing interface.
 -i|--interval=<str>   Set the interval for sending packets in seconds.
 --ipv4                Ping with ICMPv4 echo requests.
 --ipv6                Ping with ICMPv6 echo requests.
 --netstack=<str>      Specify the TCP/IP netstack which the interface resides on
 -N|--nexthop=<str>    Override the system's default route selection, in dotted quad notation.
                       (IPv4 only. Requires interface option)
 -s|--size=<long>      Set the payload size of the packets to send.
 -t|--ttl=<long>       Set IPv4 Time To Live or IPv6 Hop Limit
 -W|--wait=<str>       Set the timeout to wait if no responses are received in seconds.

ens

lcore

  • list
List ENS contexts.
  • esxcli network ens lcore list
  • add
Create ENS context.
  • esxcli network ens lcore add ID
ID
 -l|--lcore-id=<long>  ENS context id to be created. (required)
  • remove
Destroy ENS context.
  • esxcli network ens lcore remove ID
ID
 -l|--lcore-id=<long>  ENS context id to be destroyed. (required)

affinity

  • get
Get the affinity for given ENS context.
  • esxcli network ens lcore affinity get ID
ID
 -l|--lcore-id=<long>  ENS context id. (required)
  • set
Set affinity for given ENS context.
  • esxcli network ens lcore affinity set ID NODE
ID
 -l|--lcore-id=<long>  ENS context id. (required)
NODE
 -a|--affinity=<long>  Numa node affinity. (required)

switch

  • get
Get the switch associated with given ENS context.
  • esxcli network ens lcore switch get ID
ID
 -l|--lcore-id=<long>  ENS context id. (required)
  • add
Associate given ENS context with given switch.
  • esxcli network ens lcore switch add ID SWITCH
ID
 -l|--lcore-id=<long>  ENS context id. (required)
SWITCH
 -s|--switch=<str>     Switch name. (required)
  • remove
Disassociate given ENS context from virtual switch.
  • esxcli network ens lcore switch remove ID
ID
 -l|--lcore-id=<long>  ENS context id. (required)

maxLcores

  • get
Get the maximum number of ENS contexts (lcores).
  • esxcli network ens maxLcores get
  • set
Set the maximum number of ENS contexts.
  • esxcli network ens maxLcores set MAXCORES
MAXCORES
 -n|--maxlcores=<long> Number of maximum ENS contexts to be assigned. (required)

firewall

  • get
Get the firewall status.
  • esxcli network firewall get
  • set
Set firewall enabled status and default action.
  • esxcli network firewall set PARAM
PARAM
    --enabled OR --default-action
  • refresh
Load ruleset configuration for firewall.
  • esxcli network firewall refresh
  • load
Load firewall module and rulesets configuration.
  • esxcli network firewall load
  • unload
Allow unload firewall module.
  • esxcli network firewall unload

ruleset

  • list
List the rulesets in firewall.
  • esxcli network firewall ruleset list
  • set
Set firewall ruleset status (allowedAll flag and enabled status).
  • esxcli network firewall ruleset set LABEL CMD_OPTIONS
LABEL
 -r|--ruleset-id=<str>     The label of the ruleset. (required)
CMD_OPTIONS
 -a|--allowed-all=<bool>   Set to true to allow all IPs, set to false to use the allowed IP list.
 -e|--enabled=<bool>       Set to true to enable ruleset, set to false to disable it.

allowedip

  • list
List allowed IP addresses for rulesets.
  • esxcli network firewall ruleset allowedip list
  • add
Add an allowed IP address/range to the ruleset.
  • esxcli network firewall ruleset allowedip add LABEL RANGE
  • remove
Remove allowed ip address/range from the ruleset.
  • esxcli network firewall ruleset allowedip remove LABEL RANGE
LABEL
 -r|--ruleset-id=<str> The label of the ruleset. (required)
RANGE
 -i|--ip-address=<str> Allowed ip address/range for the ruleset. (required)
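
The `ruleset set` and `allowedip add` commands above are typically used together to limit a service to known management addresses. The following is an added example, not taken from the wiki or from VMware: it validates its input and prints the command sequence. The ruleset id `sshServer`, the sample addresses and the IPv4-only check are assumptions.

```shell
#!/bin/sh
# Added example: print the esxcli commands that restrict one firewall ruleset
# to an explicit allow list. Review the output before running it on a host.

# Succeeds if $1 is an IPv4 address or CIDR range (a.b.c.d or a.b.c.d/n).
valid_ipv4_range() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one command per line for ruleset $1 and allowed ranges $2...
# Nothing is printed unless every argument validates.
restrict_ruleset_cmds() {
    ruleset=$1
    case $ruleset in
        ''|*[!A-Za-z0-9_-]*) echo "bad ruleset id: $ruleset" >&2; return 1 ;;
    esac
    shift
    if [ $# -eq 0 ]; then
        echo "refusing to build an empty allow list" >&2; return 1
    fi
    for range in "$@"; do
        valid_ipv4_range "$range" || { echo "bad range: $range" >&2; return 1; }
    done
    echo "esxcli network firewall ruleset set --ruleset-id=$ruleset --allowed-all=false"
    for range in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$ruleset --ip-address=$range"
    done
    echo "esxcli network firewall ruleset allowedip list"
}

# Constructed sample input: ruleset id and documentation-range addresses.
restrict_ruleset_cmds sshServer 192.0.2.10 198.51.100.0/24
```

Run the printed commands from the host console rather than over the service being restricted, so a mistake in the list cannot cut off the session applying it.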

client

  • get
Show the number of clients using a firewall ruleset.
  • esxcli network firewall ruleset client get LABEL
  • add
Add a new client to a firewall ruleset. This enables the firewall ruleset and increments the number of clients using the ruleset.
  • esxcli network firewall ruleset client add LABEL
  • remove
Remove a client from a firewall ruleset. This decrements the number of clients using the ruleset and if the number reaches zero the ruleset is disabled.
  • esxcli network firewall ruleset client remove LABEL
LABEL
 -r|--ruleset-id=<str> The label of the ruleset. (required)

rule

  • list
List the rules of each ruleset in firewall.
  • esxcli network firewall ruleset rule list

ip

  • get
Get global IP settings
  • esxcli network ip get
  • set
Update global IP settings
  • esxcli network ip set
Configure the VMkernel Adapter Gateway by Using esxcli Commands

connection

  • list
List active TCP/IP connections
  • esxcli network ip connection list

dns

search

  • list
List the search domains currently configured on the ESXi host in the order in which they will be used when searching.
  • esxcli network ip dns search list
  • add
Add a search domain to the list of domains to be searched when trying to resolve a host name on the ESXi host.
  • esxcli network ip dns search add DOMAIN NETSTACK
  • remove
Remove a search domain from the list of domains to be searched when trying to resolve a host name on the ESXi host.
  • esxcli network ip dns search remove DOMAIN NETSTACK

server

  • list
Print a list of the DNS servers currently configured on the system in the order in which they will be used.
  • esxcli network ip dns server list
  • add
Add a new DNS server to the end of the list of DNS servers to use for this ESXi host.
  • esxcli network ip dns server add DOMAIN SERVER
  • remove
Remove a DNS server from the list of DNS servers to use for this ESXi host.
  • esxcli network ip dns server remove PARAM
DOMAIN
 -d|--domain=<str>     The string name of a domain to remove from the list of search domains.
                       (required)
NETSTACK
 -N|--netstack=<str>   The network stack instance; if unspecified, use the default netstack
                       instance
SERVER
 -s|--server=<str>     The IP address (v4 or v6) of the DNS server to add to the DNS server list.
                       (required)
PARAM
--all, --server

interface

  • list
This command will list the VMkernel network interfaces currently known to the system.
  • esxcli network ip interface list
  • set
This command sets the enabled status and MTU size of a given IP interface
  • esxcli network ip interface set CMD_OPTIONS
CMD_OPTIONS
 -e|--enabled=<bool>   Set to true to enable the interface, set to false to disable it.
 -i|--interface-name=<str>
                       The name of the interface to apply the configurations. (required)
 -m|--mtu=<long>       The MTU size of the IP interface.
  • add
Add a new VMkernel network interface.
  • esxcli network ip interface add CMD_OPTIONS
CMD_OPTIONS
 -P|--dvport-id=<str>  DVPort ID of the connection point. This requires
                       --dvs-name to be given in the same command
 -s|--dvs-name=<str>   DVSwitch name of the connection point. This requires
                       --dvport-id to be given in the same command
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to create.
                       This name must be in the form vmkX, where X is a
                       number 0-255
 -M|--mac-address=<str>
                       Set the MAC address for the newly created VMkernel
                       network interface.
 -m|--mtu=<long>       Set the MTU setting for a given VMkernel network
                       interface on creation
 -N|--netstack=<str>   The network stack instance; if unspecified, use the
                       default netstack instance
 -p|--portgroup-name=<str>
                       The name of the vswitch port group to add this
                       VMkernel network interface to.
  • remove
Remove a VMkernel network interface from the ESXi host. A VMKernel network interface can be uniquely specified by --interface-name or --portgroup-name or --dvs-name/--dvport-id. i.e. Providing its name or its connection point are two ways to uniquely specify a VMKernel network interface.
  • esxcli network ip interface remove CMD_OPTIONS
CMD_OPTIONS
 -P|--dvport-id=<str>  DVPort ID of the connection point. This requires
                       --dvs-name to be given in the same command
 -s|--dvs-name=<str>   DVSwitch name of the connection point. This requires
                       --dvport-id to be given in the same command
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to remove.
                       This name must be in the form vmkX, where X is a
                       number 0-255
 -N|--netstack=<str>   The network stack instance; if unspecified, use the
                       default netstack instance
 -p|--portgroup-name=<str>
                       The name of the vswitch port group to delete this
                       VMkernel network interface from.

ipv4

  • get
List the IPv4 addresses assigned to VMkernel network interfaces.
  • esxcli network ip interface ipv4 get
  • set
Configure IPv4 setting for a given VMkernel network interface.
  • esxcli network ip interface ipv4 set CMD_OPTIONS
CMD_OPTIONS
 -g|--gateway=<str>    The default gateway for this interface. The value must be a valid IPv4
                       address. Gateway would be reset if not provided
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to set IPv4 settings for. This
                       name must be an interface listed in the interface list command. (required)
 -I|--ipv4=<str>       The static IPv4 address for this interface.
 -N|--netmask=<str>    The static IPv4 netmask for this interface.
 -P|--peer-dns=<bool>  A boolean value to indicate if the system should use the DNS settings
                       published via DHCPv4 for this interface.
 -t|--type=<str>       IPv4 Address type :
                           dhcp: Use DHCP to acquire IPv4 setting for this interface.
                           none: Remove IPv4 settings from this interface.
                           static: Set Static IPv4 information for this interface. Requires --ipv4
                       and --netmask options.

address

  • list
List the IPv4 addresses assigned to VMkernel network interfaces.
  • esxcli network ip interface ipv4 address list

ipv6

  • get
Get IPv6 settings for VMkernel network interfaces. This does not include the IPv6 addresses which can be found in the "address list" command.
  • esxcli network ip interface ipv6 get
  • set
Configure IPv6 settings for a given VMkernel network interface.
  • esxcli network ip interface ipv6 set CMD_OPTIONS
CMD_OPTIONS
 -d|--enable-dhcpv6=<bool>
                       Setting this value to true will enable DHCPv6 on this interface and attempt
                       to acquire an IPv6 address from the network
 -e|--enable-ipv6=<bool>
                       Setting this value to true enables IPv6 on this interface while setting it
                       to false disables IPv6 on this interface.
 -r|--enable-router-adv=<bool>
                       Setting this value to true will enable IPv6 Router Advertised IPv6
                       addresses to be added to this interface from any routers broadcasting on
                       the local network.
 -g|--gateway=<str>    A default gateway for this interface. The value must be a valid IPv6
                       address.
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to set IPv6 settings for. This
                       name must be an interface listed in the interface list command. (required)
 -P|--peer-dns=<bool>  A boolean value to indicate if the system should use the DNS settings
                       published via DHCPv6 for this interface.

address

  • list
This command will list all of the IPv6 addresses currently assigned to the system
  • esxcli network ip interface ipv6 address list
  • add
Add a static IPv6 address to a given VMkernel network interface.
  • esxcli network ip interface ipv6 address add CMD_OPTIONS
CMD_OPTIONS
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to add a static IPv6 address to.
                       This name must be an interface listed in the interface list command.
                       (required)
 -I|--ipv6=<str>       The IPv6 address to add to the given VMkernel network interface. This must
                       be in X:X:X::/X format (required)
  • remove
Remove an IPv6 address from a given VMkernel network interface.
  • esxcli network ip interface ipv6 address remove CMD_OPTIONS
CMD_OPTIONS
 -i|--interface-name=<str>
                       The name of the VMkernel network interface to remove an IPv6 address from.
                       This name must be an interface listed in the interface list command.
                       (required)
 -I|--ipv6=<str>       The IPv6 address to remove from the given VMkernel network interface. This
                       must be in X:X:X::/X format (required)

tag

  • get
Gets the tags set on the given VMkernel network interface.
  • esxcli network ip interface tag get INTERFACE
  • add
Adds a tag on a given VMkernel network interface. Supported tags are: Management, VMotion, faultToleranceLogging, vSphereReplication, vSphereReplicationNFC, vSphereProvisioning, VSAN, VSANWitness
  • esxcli network ip interface tag add INTERFACE TAGNAME
  • remove
Removes a tag on a given VMkernel network interface.
  • esxcli network ip interface tag remove INTERFACE TAGNAME
INTERFACE
 -i|--interface-name=<str>
                       Name of the VMkernel network interface (vmknic) whose tags are to be
                       read/set/removed. This name must be an interface listed in the
                       interface list command. (required)
TAGNAME
 -t|--tagname=<str>    Tag name to assign to the interface (required)

ipsec

sa

  • list
List configured Security Associations
  • esxcli network ip ipsec sa list
  • add
Add a Security Association.
  • esxcli network ip ipsec sa add CMD_OPTIONS
CMD_OPTIONS
 -e|--encryption-algorithm=<str>
                       Encryption algorithm for the Security Association. Should be one in set
                       [null, 3des-cbc, aes128-cbc]. (required)
 -k|--encryption-key=<str>
                       Encryption key(ASCII or hex). Length of hex key is dependent upon algorithm
                       used. Required when an encryption algorithm has been specified.
 -i|--integrity-algorithm=<str>
                       Integrity algorithm for the Security Association. Should be one in set
                       [hmac-sha1, hmac-sha2-256]. (required)
 -K|--integrity-key=<str>
                       Integrity key(ASCII or hex). Length of hex key is dependent upon algorithm
                       used. (required)
 -d|--sa-destination=<str>
                       Ipv6 address of Security Association destination. Can be specified as 'any'
                       or a correct IPv6 address. (required)
 -m|--sa-mode=<str>    Security Association mode. Should be one in set  [transport, tunnel].
 -n|--sa-name=<str>    Name for the Security Association to be added. (required)
 -s|--sa-source=<str>  Ipv6 address of Security Association source. Can be specified as 'any' or a
                       correct IPv6 address. (required)
 -p|--sa-spi=<str>     SPI value for the Security Association(hex). (required)
  • remove
Operation to remove Security Association(s)
  • esxcli network ip ipsec sa remove

sp

  • list
List configured Security Policies
  • esxcli network ip ipsec sp list
  • add
Add a Security Policy.
  • esxcli network ip ipsec sp add CMD_OPTIONS
CMD_OPTIONS
 -A|--action=<str>     Action for Security Policy. Should be one in set  [none, discard, ipsec].
 -P|--destination-port=<long>
                       Destination Port for Security Policy. '0' stands for 'any' (required)
 -w|--flow-direction=<str>
                       Flow direction for Security Policy. Should be one in set  [in, out].
 -a|--sa-name=<str>    Name for the Security Association. If not specified, the VMkernel
                       automatically chooses a Security Association. If no applicable Security
                       Association exists, then the VMkernel may request one using IKE.
 -p|--source-port=<long>
                       Source Port for Security Policy. '0' stands for 'any' (required)
 -d|--sp-destination=<str>
                       Ipv6 address and prefix length of Security Policy destination. Can be
                       specified as 'any' or a correct Ipv6 network address. (required)
 -m|--sp-mode=<str>    Security Policy mode. Should be one in set  [transport, tunnel].
 -n|--sp-name=<str>    Name for the Security Policy to be added. (required)
 -s|--sp-source=<str>  Ipv6 address and prefix length of Security Policy source. Can be specified
                       as 'any' or a correct IPv6 network address. (required)
 -u|--upper-layer-protocol=<str>
                       Upper layer protocol for Security Policy, Should be one in set  [any, tcp,
                       udp, icmp6].
  • remove
Operation to remove Security Policy
  • esxcli network ip ipsec sp remove PARAM
PARAM
--remove-all OR --sa-name

neighbor

netstack

route

multicast

nic

port

sriovnic

vm

vswitch