I have been looking at doing some scripted installations of ESX 3.5 and have come across one little stumbling block.
Network Security!!!
What I am looking for, and would greatly appreciate some assistance with, is the CLI for vSwitch and port group security config. I have not been able to find any info on setting Promiscuous Mode, Forged Transmits and MAC Address Changes.
My ideal would be to deploy the hosts and build the network configuration elements from a ks script. The host build, vmkernel port, vswitch and port group creation are OK.
Does anyone know what commands can be used to change the security settings for vSwitches and port groups?
Thanks
You can use the vimsh wrapper vmware-vim-cmd:

[root@everest ~]# vmware-vim-cmd hostsvc/net/vswitch_setpolicy
Insufficient arguments.
Usage: vswitch_setpolicy [OPTIONS] vswitch
Changes the policies of a virtual switch.
Options:
  --securepolicy-promisc=bool                    Allow promiscuous mode.
  --securepolicy-macchange=bool                  Allow MAC address to be changed.
  --securepolicy-forgedxmit=bool                 Allow forged transmits.
  --shapingpolicy-enabled=bool                   Enabled shaper.
  --shapingpolicy-average-bandwidth=int          Average bandwidth.
  --shapingpolicy-peak-bandwidth=int             Peak bandwidth.
  --shapingpolicy-burst-size=int                 Burst size.
  --nicorderpolicy-active=vmnic_list             List of active NICs.
  --nicorderpolicy-standby=vmnic_list            Order in which failover should occur.
  --failurecriteria-check-speed=failurecriteria-check-speed
                                                 Detecting failover using link speed check
  --failurecriteria-speed=int                    The speed for link speed check method
  --failurecriteria-check-duplex=bool            Detecting failover using link duplex check
  --failurecriteria-duplex=bool                  The duplexity for link duplex check method
  --failurecriteria-check-error=bool             Detecting failover using link error percentage
  --failurecriteria-error=int                    The error percentage for link error percentage check method
  --failurecriteria-check-beacon=bool            Detecting failover using the beacon
  --nicteaming-policy=nicteaming-policy          Nic-Teaming policy.
  --nicteaming-reverse-policy=bool               Apply the teaming policy to inbound frames as well.
  --nicteaming-notify-switch=bool                Notify switches when detects a link failure.
  --nicteaming-rollingorder=bool                 Whether or not to use rolling failover.
  --offloadcaps-csum-offload=bool                Checksum offload
  --offloadcaps-tcp-segment=bool                 TCP segment offload
  --offloadcaps-zerocopy-xmit=bool               Scatter gather
and specifically:
--securepolicy-promisc=bool
Allow promiscuous mode.
--securepolicy-macchange=bool
Allow MAC address to be changed.
--securepolicy-forgedxmit=bool
Allow forged transmits.
Here is a good article by Scott Lowe providing some examples on how to configure some advanced policies: http://blog.scottlowe.org/2008/12/16/using-vmware-vim-cmd-to-modify-a-portgroup/
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
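The following is an added example for this thread, not code from either poster. It wraps the three --securepolicy-* options from the usage text above in a small POSIX sh helper meant for the %post section of a ks.cfg, so that every vSwitch the build creates ends up with the deny-all Layer 2 policy (no promiscuous mode, no MAC changes, no forged transmits) and only an explicitly named port group is re-opened. It assumes vmware-vim-cmd is on PATH in the ESX 3.5 service console; the port group step assumes that hostsvc/net/portgroup_set takes the same option names followed by the vSwitch and port group names in that order (the argument order is an assumption, check it against the linked article before relying on it). When vmware-vim-cmd is not present the helpers only print the command line, which is handy for testing the kickstart logic outside a host.

```shell
#!/bin/sh
# Added example (not from the original thread): apply a deny-all vSwitch
# security policy from a kickstart %post section with vmware-vim-cmd.
# Assumptions: vmware-vim-cmd is on PATH in the service console, and
# hostsvc/net/portgroup_set accepts the same --securepolicy-* options
# followed by "vswitch portgroup" (argument order is an assumption).

VIMCMD=${VIMCMD:-vmware-vim-cmd}

# Accept only the literal values the command understands.
valid_bool() {
    case "$1" in
        true|false) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the option list. Every knob defaults to false so an unset or
# mistyped variable in the kickstart file can never silently ALLOW a setting.
build_secure_opts() {
    promisc=${1:-false}
    macchange=${2:-false}
    forgedxmit=${3:-false}
    for v in "$promisc" "$macchange" "$forgedxmit"; do
        valid_bool "$v" || { echo "invalid boolean: $v" >&2; return 1; }
    done
    printf '%s %s %s' \
        "--securepolicy-promisc=$promisc" \
        "--securepolicy-macchange=$macchange" \
        "--securepolicy-forgedxmit=$forgedxmit"
}

# Full vSwitch command line, useful for the build log or a dry run.
build_vswitch_policy_cmd() {
    vswitch=$1; shift
    opts=$(build_secure_opts "$@") || return 1
    printf '%s hostsvc/net/vswitch_setpolicy %s %s' "$VIMCMD" "$opts" "$vswitch"
}

# Apply the policy to a vSwitch. Options come first, the switch name last,
# exactly as the usage text shows. Without vmware-vim-cmd only print.
apply_vswitch_policy() {
    vswitch=$1; shift
    opts=$(build_secure_opts "$@") || return 1
    if ! command -v "$VIMCMD" >/dev/null 2>&1; then
        echo "dry-run: $VIMCMD hostsvc/net/vswitch_setpolicy $opts $vswitch"
        return 0
    fi
    # $opts is intentionally unquoted: it is a space separated option list.
    "$VIMCMD" hostsvc/net/vswitch_setpolicy $opts "$vswitch"
}

# Same for a single port group (portgroup_set argument order is assumed).
apply_portgroup_policy() {
    vswitch=$1; portgroup=$2; shift 2
    opts=$(build_secure_opts "$@") || return 1
    if ! command -v "$VIMCMD" >/dev/null 2>&1; then
        echo "dry-run: $VIMCMD hostsvc/net/portgroup_set $opts $vswitch \"$portgroup\""
        return 0
    fi
    "$VIMCMD" hostsvc/net/portgroup_set $opts "$vswitch" "$portgroup"
}

# Typical %post use: lock down every vSwitch, then allow promiscuous mode
# only on the one port group a monitoring sensor is attached to.
apply_vswitch_policy vSwitch0
apply_vswitch_policy vSwitch1
apply_portgroup_policy vSwitch1 "IDS Span" true false false
```

Keeping the three booleans as explicit function arguments, with false as the default, means the hardened state is what you get when a kickstart variable is missing, and the dry-run output gives you a line you can paste into the service console to check against vmware-vim-cmd hostsvc/net/vswitch_info afterwards.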
Thank you very much for your prompt reply and most importantly providing just the right info.
This will make deployment a lot easier.