Dell's PowerEdge R6525 iDRAC9 has the following virtual console types:
- ActiveX
- Java
- HTML5
- eHTML5
I Googled and all eHTML5 results relate to Dell but found no definition of eHTML5.
With a custom TCP/IP stack, you get the following benefits:
- Separate Memory Heap.
- Personalized ARP Table.
- Personalized Routing Table which helps avoiding routing table conflicts that might appear when many features are using a common TCP/IP stack.
- Isolate traffic to improve network security.
I've been playing with custom TCP/IP stacks and wanted to find out how I can benefit from them, but all I can do with a custom TCP/IP stack is create a vmknic on it. The vmknic on the custom TCP/IP stack cannot even be used to mount NFS shares. I Googled a lot but found no use case showing how a custom TCP/IP stack is really used. It's also confusing that even vSAN cannot benefit from using a separate TCP/IP stack.
Can anyone share some use cases for the custom TCP/IP stacks?
ESXi's IPsec commands require the encryption/integrity keys to be entered in plaintext on the command line. This is not recommended security practice. The command line history is even logged to /var/log/shell.log.
So how can I hide the keys?
$ esxcli network ip ipsec sa add --help
Usage: esxcli network ip ipsec sa add [cmd options]
Description:
add Add a Security Association.
Cmd options:
-e|--encryption-algorithm=<str>
Encryption algorithm for the Security Association. Should be one
in set [null, 3des-cbc, aes128-cbc]. (required)
-k|--encryption-key=<str>
Encryption key(ASCII or hex). Length of hex key is dependent upon
algorithm used. Required when a encryption algorithm has been
specified.
-i|--integrity-algorithm=<str>
Integrity algorithm for the Security Association. Should be one in
set [hmac-sha1, hmac-sha2-256]. (required)
-K|--integrity-key=<str>
Integrity key(ASCII or hex). Length of hex key is dependent upon
algorithm used. (required)
-d|--sa-destination=<str>
Ipv6 address of Security Association destination. Can be specified
[...]
vSphere 7 Update 1 added a new "vSphere Clustering Service (vCLS)" and according to the doc:
Basic Architecture
The basic architecture for the vCLS control plane consists of a maximum of 3 virtual machines (VMs), also referred to as system or agent VMs, which are placed on separate hosts in a cluster. These are lightweight agent VMs that form a cluster quorum. On smaller clusters with fewer than 3 hosts, the number of agent VMs is equal to the number of ESXi hosts. The agent VMs are managed by vSphere Cluster Services. Users are not expected to maintain the lifecycle or state of the agent VMs; they should not be treated like typical workload VMs.
It's very confusing to me how these vCLS VMs can help provide the Clustering Service. These VMs don't even have network adapters, so they cannot directly talk to each other. It's the cluster's ESXi hosts that actually exchange their status info. So technically speaking, an ESXi service (running as processes) can do whatever the vCLS VMs can do.
Try Googling "vsphere disable vcls" and you'll see this new feature really introduced some confusion among users. So what's the point of using the vCLS VMs?
In vSphere 7.0's doc it has a new CLI command:
Command: esxcli network nic attachment add
Description: Attach one uplink as a branch to a trunk uplink with specified VLAN ID.
Options:
--branch | -b
The name of the NIC to be attached as branch uplink. (required)
--trunk | -t
The name of the NIC to be configured as trunk uplink. (required)
--vlan-id | -v
The vlan ID for the branch uplink. Valid values: integer in the range 1-4094 (required)
--help
Show the help message.
It's confusing to me what attaching one uplink to another uplink does. Does anyone know a use case for this?
The following is from vSphere's admin doc:
To begin a port mirroring session, you must specify the type of port mirroring session.
Procedure
Browse to a distributed switch in the vSphere Client navigator.
Click the Configure tab and expand Settings.
Select the Port mirroring option and click New.
Select the session type for the port mirroring session.
Option / Description:
- Distributed Port Mirroring: Mirror packets from a number of distributed ports to other distributed ports on the same host. If the source and the destination are on different hosts, this session type does not function.
- Remote Mirroring Source: Mirror packets from a number of distributed ports to specific uplink ports on the corresponding host.
- Remote Mirroring Destination: Mirror packets from a number of VLANs to distributed ports.
- Encapsulated Remote Mirroring (L3) Source: Mirror packets from a number of distributed ports to the IP addresses of a remote agent. The virtual machine's traffic is mirrored to a remote physical destination through an IP tunnel.
Click Next.
Every time I read this part I get confused. I can never relate the words "Source" and "Destination" to what the Description says, so I can never remember who's who.
According to RFC3315:
Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified.
[...]
Clients and servers MUST treat DUIDs as opaque values and MUST only compare DUIDs for equality. Clients and servers MUST NOT in any other way interpret DUIDs.
For IPv4 it's very common for a DHCP server to allocate fixed addresses to clients based on, for example, MAC addresses. So for IPv6, how does the DHCPv6 server allocate fixed IPv6 addresses?
I have some Dell PowerEdge R720 servers for testing. To make life easier, the UEFI boot order is set to PXE first, and the PXE boot menu defaults to booting from the local disk if there's no input from the user. In the PXE menu we can also choose to install a new ESXi to the hard disk.
The problem is, each time ESXi is reinstalled on the hard disk, the UEFI boot sequence is reset to local disk first.
I've gone through the BIOS settings back and forth but found no related setting.
Is this a hardware bug, or is there some special BIOS setting I need to configure? Or is it the ESXi installation that resets the UEFI boot sequence?
Before ESXi installation:
After ESXi installation:
The help for esxcli network ip ipsec sa remove mentions an auto SA, but I failed to find any info about it on Google.
[root@j2-ceriqv-050:~] esxcli network ip ipsec sa remove --help
Usage: esxcli network ip ipsec sa remove [cmd options]
Description:
remove Operation to remove Security Association(s)
Cmd options:
-a|--remove-all Set to remove all Security Associations.
-d|--sa-destination=<str>
Ipv6 address of Security Association destination. This option needs to be
specified when removing an auto SA.
^^^^^^^
-n|--sa-name=<str> Name for the Security Association to be removed. Specify 'auto' to remove an
auto SA.
^^^^^^^
-s|--sa-source=<str> Ipv6 address of Security Association source. This option needs to be specified
when removing an auto SA.
^^^^^^^
-p|--sa-spi=<str> SPI value for the Security Association (hex). This option needs to be specified
when removing an auto SA
^^^^^^^
The esxcli network ip ipsec sa add command does not mention an auto SA:
[root@j2-ceriqv-050:~] esxcli network ip ipsec sa add --help
Usage: esxcli network ip ipsec sa add [cmd options]
Description:
add Add a Security Association.
Cmd options:
-e|--encryption-algorithm=<str>
Encryption algorithm for the Security Association. Should be one in set [null,
3des-cbc, aes128-cbc]. (required)
-k|--encryption-key=<str>
Encryption key(ASCII or hex). Length of hex key is dependent upon algorithm
used. Required when a encryption algorithm has been specified.
-i|--integrity-algorithm=<str>
Integrity algorithm for the Security Association. Should be one in set
[hmac-sha1, hmac-sha2-256]. (required)
-K|--integrity-key=<str>
Integrity key(ASCII or hex). Length of hex key is dependent upon algorithm used.
(required)
-d|--sa-destination=<str>
Ipv6 address of Security Association destination. Can be specified as 'any' or a
correct IPv6 address. (required)
-m|--sa-mode=<str> Security Association mode. Should be one in set [transport, tunnel].
-n|--sa-name=<str> Name for the Security Association to be added. (required)
-s|--sa-source=<str> Ipv6 address of Security Association source. Can be specified as 'any' or a
correct IPv6 address. (required)
-p|--sa-spi=<str> SPI value for the Security Association(hex). (required)
I understand the concept of Path MTU, but I'm not sure whether systems in the same network are required to have the same MTU. For example, my host's MTU is 9000 and the gateway's MTU is 1500. Is IPv6 supposed to work fine with this configuration?
For IPv6, both DHCPv6 and RA (the "prefix information" option, with the A flag) can provide IPv6 addresses to hosts. I'm still confused about whether it's common for DHCPv6 and RA to provide IP addresses in the same subnet.