www.certifyme.com
Edit the sshd_config file by typing nano sshd_config. The sshd_config file will open.
Find the line “Permit rootlogin no“. Change No with Yes.

www.certifyme.com
Save the file by pressing CTRL+X and then pressing ‘Y’ and then pressing ‘Enter’

www.certifyme.com
Now restart the sshd service by typing service sshd restart

To enable the SSH client and SSH service to work properly, we need to open ports for them in firewall. While
on the SSH command prompt, type esxcfg-firewall -e sshServer
Now open the SSH client by typing esxcfg-firewall -e sshClient. The SSH port is open now. We can remotely
login to ESX host using Putty.
Activate root SSH access in an ESXi host:
At the console of ESXi host, press ALT+F1 to access the console command line environment. You will not see
a cursor blinking – just plain black window.

www.certifyme.com
Type unsupported in the console window and press ‘Enter‘. You will not see the typing. The console will
ask for the root password. Type the password and press Enter. You will see the Tech Support text and the
command prompt.
At the command prompt, edit the inetd.conf file by typing vi /etc/inetd.conf. The editor will open the file.

www.certifyme.com
Find the line that begins with #ssh. Delete the # from #ssh.

www.certifyme.com
After deleting # from #ssh, exit vi editor by pressing ESC button and typing “:wq”

www.certifyme.com
After closing the vi editor, run the command /sbin/services.sh restart to restart the management services. You
are now able to connect to the ESXi host with a SSH client.

www.certifyme.com
References:
• http://www.vm-help.com/esx/esx3i/ESXi_enable_SSH.php
• http://itknowledgeexchange.techtarget.com/virtualization-pro/how-to-allow-the-root-user-to-login-tovmware-
esx-server-with-ssh/
• www.vladan.fr/how-to-activate-ssh-for-esx-server

Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution
Introduction

www.certifyme.com
The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp,
and rdist). It provides an encrypted channel for logging into another computer over a network, executing
commands on a remote computer, and moving files from one computer to another. SSH provides strong host-tohost
and user authentication as well as secure encrypted communications over an insecure Internet.
SSH2 is a more secure, efficient, and portable version of SSH that includes SFTP, which is functionally similar
to FTP, but is SSH2 encrypted.
When connecting to a server for the first time SSH presents you with a host key fingerprint for that server and
asks you to confirm that you wish to save the new host key to the local database. Before agreeing, you should
compare this fingerprint with one you obtain by some other means (e.g., by telephone) from the server
administrators to avoid connecting to an imposter server.
Rather than validating identities via passwords, SSH can also use public key encryption to authenticate remote
hosts. For example, if you were to connect to a remote host called sales.acme.com (also running SSH), SSH
would use this system to verify that the remote system is the real sales.acme.com and not a computer set up to
imitate it. If you wish, you can set up SSH to use public key authentication rather than passwords for logging
into your other accounts, much like the ESX login program.
Technology Background
In ESX 4.0 SSH is blocked by default for the root user so you need to activate the root login on the console of
the ESX server. Otherwise you will not be able to use PuTTy or or VEEAM FastSCP. Same is the case with
ESXi. Although, both of the ESX versions come with SSH support, they are disabled by default which generally
means either root user must authenticate as a standard user and then SU to root or log in directly from the
console.
Through commands, you can enable SSH on ESX and ESXi consoles.
You might need SSH in ESX to login remotely to the console without needing to go physically to the computer
to configure or maintain it. You ca use Putty to log in remotely to the ESX/ESXi hosts. You can use SSH
directly to log in to the console without specifying the username and password.
Deny SSH access to all but specific IP addresses
You can configure /etc/hosts.allow with 3 specific IP addresses that can SSH to the ESX hosts in the cluster.
You should also configure /etc/hosts.deny with sshd:all which means all other IP addresses not configured in
the hosts.allow files will not be able to access the host and fail with an error “session terminated unexpectedly”
Only users in the WHEEL group can SU to Root
If the sshd_config file is configured with Permit Root Login = no option, then ROOT is not able to login to
the service console remotely e.g. via Putty. We can also take additional steps and limit which standard users can
SU to root by changing the /etc/pam.d/su file and then adding only specific users to the wheel group. Here’s
what you’ll need to do:
vi /etc/pam.d/su

www.certifyme.com
Then delete the following line
#auth required /lib/security/$ISA/pam_wheel.so use_uid
Once you have done that, you can now go and look at which users are part of the WHEEL group.
cat /etc/group |grep wheel
which should return this comment “wheel:x:10:root”
Now if your standard user is called johnsmith, just add a comma and add johnsmith so it looks like this.
“wheel:x:10:root,johnsmith”
Now you can add users to the service console, but only user “johnsmith” will be able to SU to root

www.certifyme.com
Choose Networking from the configuration panel.
Select an existing vSwitch and click Properties.
113
www.certifyme.com
vSwitch Properties window appears. Select ‘Network Adapters’ tab
114
www.certifyme.com
Click ‘Add’ button at the bottom. The ‘Add Adapter wizard’ appears.

www.certifyme.com
Select unclaimed adapter and click Next

www.certifyme.com
You can pick the new adapter as an active adapter and the already assigned adapter as standby adapter by
clicking the ‘Move Down’ button. It is recommended to leave the already active adapter and assign standby
status to the new adapter. Click Next.

Review the adapter to added to the vSwitch and click Finish

www.certifyme.com
Now you can view the newly assigned adapter in the vSwitch properties. Click Close

www.certifyme.com
You can also view the newly assigned adapter in the vSwitch networking area.

www.certifyme.com
Introduction
Physical Ethernet adapters serve as bridges between virtual and physical networks. In VMware vSphere, they
are called uplinks, and the virtual ports connected to them are called uplink ports. A single host may have a
maximum of 32uplinks, which may be on one switch or distributed among a number of switches.
In order for a virtual switch to provide access to more than one VLAN, the physical switch ports to which its
uplinks are connected must be in trunking mode. It is important to prune the VLANs, keeping only those that
are required for the virtual switch. Failure to do so can cause unnecessary overhead on the ESX Server host
because it must process broadcast traffic for all VLANs trunked to it.
Technology Background
You should prune VLANs at the physical switch level, but pruning at the physical switch cannot be quite as
aggressive as pruning at the uplink because the virtual switch knows which virtual machines are actually
powered on. As a result, the virtual switch may be able to prune VLANs that are needed but are not in use at the
time you are pruning.
You can specify different teaming behavior for different groups of virtual machines that share the same team of
physical adapters. For example, you can vary the active/standby status of each adapter in the team across port
groups to get both good link aggregation and failover behavior.
Teaming state — which physical Ethernet adapters are actually transporting data — is maintained for each
port group. Teaming state transitions are mostly transparent to virtual Ethernet adapters. Virtual machines
cannot tell when a failover has occurred or which physical adapter is carrying any given frame. When the
transition removes or restores actual access to a physical network — that is, when the last link goes down or
the first link comes up — the network visibility change is apparent to guests.
Uplinks are not required for a virtual switch to forward traffic locally. Virtual Ethernet adapters on the same
virtual switch can communicate with each other even if no uplinks are present. If uplinks are present, they are
not used for local communications within a virtual switch.
When VLANs are configured, ports must be on the same VLAN in order to communicate with each other. The
virtual switch does not allow traffic to pass from one VLAN to another. Communication between VLANs is
treated the same as communication between virtual switches — it is not allowed. If you do want
communication between two VLANs or two virtual switches, you must configure an external bridge or router to
forward the frames.
A virtual switch (vSwitch) can have multiple physical nics/vmnics/uplinks linked to it, but each “physical
nic”/vmnic/uplink can only be connected to a single vSwitch at a given time.
Keep in mind that if you want to connect a virtual machine’s “virtual nic” to the outside world, you do not
connect the “virtual nic” to a vSwitch. You connect a virtual machine’s “virtual nic” to a “Virtual Machine Port
Group”, and then you associate the “Virtual Machine Port Group” to a vSwitch. Along these lines, if two virtual
machines are connected to either the same “Virtual Machine Port Group”, or are connected to “Virtual Machine
Port Groups” on the same vSwitch, any network communication between the two will not flow through a
“physical uplink adapter”, it will remain “internal” to vSwitch/ESX server. This is why you don’t even have to
have any “physical uplink adapters” connected to a vSwitch. A vSwitch that is not connected to any “physical

www.certifyme.com
uplink adapters” is referred to as an “internal-only virtual switch”.
Keep thinking of the physical uplink adapters as “dumb bridge ports”. They do not have an IP address, their
“physical” MAC address will not appear on the network or anything like that. It is just a port through which
packets flow.

www.certifyme.com
In the vSphere client interface, select the server (IP address) in the right column and then click Configuration
Select Networking from the configuration menu.

www.certifyme.com
Click ‘Add Networking’ which is located on the right side of the page.
The Add Networking options window appears. Select Virtual Machine and click Next.

www.certifyme.com
Select the vSwitch, in which you will create the port group. Click Next.

www.certifyme.com
Enter the Network Label and leave the VLAN ID. Click Next.

The port group is added to the vSwitch connected to the physical adapter. Click Finish

www.certifyme.com
You can view the newly created Port group in the vSwitch you selected during the creation process.

www.certifyme.com
References:
• http://www.vcritical.com/2008/12/thanks-for-all-the-port-groups/
• blog.scottlowe.org/2006/04/17/vlans-and-port-groups/
• http://networkvirtualization.blogspot.com/2008/05/port-groups-in-vmware-esx.html
• http://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html

www.certifyme.com
The ports on a virtual switch provide logical connection points among virtual devices and between virtual and
physical devices. You can think of them as virtual RJ-45 connectors. Each virtual switch can have up to 1,016
virtual ports, with a limit of 4,096 ports on all virtual switches on a host.
The virtual ports in ESX Server provide a rich control channel for communication with the virtual Ethernet
adapters attached to them. ESX Server virtual ports:
• Know authoritatively what the configured receive filters are for virtual Ethernet adapters attached to
them. This means no MAC learning is required to populate forwarding tables.
• Unlike physical switches, know authoritatively the “hard” configuration of the virtual Ethernet adapters
attached to them. This capability makes it possible to set such policies as “guest can’t change MAC
address,” because the virtual switch port can essentially know for sure what is “burned into ROM”
(actually, stored in the configuration file, outside control of the guest operating system).
Technology Background
Port groups aggregate multiple ports under a common configuration and provide a stable anchor point for
virtual machines connecting to labeled networks. You can create a maximum of 512 port groups on a single
host.
Each port group is identified by a network label, which is unique to the current host. Network labels are used to
make virtual machine configuration portable across hosts. All port groups in a datacenter that are physically
connected to the same network (in the sense that each can receive broadcasts from the others) are given the
same label. Conversely, if two port groups cannot receive broadcasts from each other, they have distinct labels.
A VLAN ID, which restricts port group traffic to a logical Ethernet segment within the physical network, is
optional. For a port group to reach port groups located on other VLANs, the VLAN ID must be set to 4095. If
you use VLAN IDs, you must change the port group labels and VLAN IDs together so that the labels properly
represent connectivity.
Port groups are important particularly for VMotion. To understand why, consider what happens as virtual
machines migrate to new hosts using VMotion. Port groups make it possible to specify that a given virtual
machine should have a particular type of connectivity on every host on which it might run. Port groups are usernamed
objects that contain enough configuration information to provide persistent and consistent network
access for virtual Ethernet adapters:
• Virtual switch name
• VLAN IDs and policies for tagging and filtering
• Teaming policy
• Layer 2security options
• Traffic shaping parameters
In short, port group definitions capture all the settings for a switch port. Then, when you want to connect a
virtual machine to a particular kind of port, you simply specify the name of a port group with an appropriate
definition. Port groups may specify different host-level parameters on different hosts — teaming
configurations, for example. But the key element is that the result is a consistent view of the network for a
virtual machine connected to that port group, whichever host is running it.
Port Group Configuration for Virtual Machines
102
www.certifyme.com
You can add or modify a virtual machine port group from the vSphere Client. The vSphere Client Add Network
wizard guides you through the tasks to create a virtual network to which virtual machines can connect,
including creating a vSwitch and configuring settings for a network label. When you set up virtual machine
networks, consider whether you want to migrate the virtual machines in the network between hosts. If so, be
sure that both hosts are in the same broadcast domain—that is, the same Layer 2 subnet.
ESX does not support virtual machine migration between hosts in different broadcast domains because the
migrated virtual machine might require systems and resources that it would no longer have access to in the new
network. Even if your network configuration is set up as a high-availability environment or includes intelligent
switches that can resolve the virtual machine’s needs across different networks, you might experience lag times
as the Address Resolution Protocol (ARP) table updates and resumes network traffic for the virtual machines.
Virtual machines reach physical networks through uplink adapters. A vSwitch can transfer data to external
networks only when one or more network adapters are attached to it. When two or more adapters are attached to
a single vSwitch, they are transparently teamed.

www.certifyme.com
Enter the IP address and subnet mask, or select Obtain IP setting automatically if you have a DHCP
configured. For the sake of showing this step, we are manually enter IP address and subnet mask.

www.certifyme.com
Click Edit to set the service console default gateway and click Next.

www.certifyme.com
Preview the newly created vswitch and click Finish

www.certifyme.com
You can see the newly created switch in the networking panel

www.certifyme.com
Delete a vSwitch:
To delete a vSwitch, simple, click remove above the switch display in the networking panel.

www.certifyme.com
On confirmation dialog box ‘Remove Virtual Switch vSwitch1′, click Yes. The vSwitch will be removed
from the networking panel.
References:
• http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=
1010555
• http://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esx40_vc40.html
• logs.vmware.com/vmtn/2009/04/the-great-vswitch-debate.html
• http://computing.dwighthubbard.info/index.php/2008/01/11/adding-a-virtual-switch-vswitch-tovmware-
esx-with-a-specific-number-of-ports/

www.certifyme.com
• Create a vSwitch
• Delete a vSwitch
Lab Solution
Create a vSwitch:
Switch on ESXi 4.0 server and Log in to the vSphere Client to connect to ESXi 4.0 host.
Select the host from the inventory panel.

www.certifyme.com
Click the Configuration tab, and click Networking.

www.certifyme.com
In the Virtual Switch view, click Add Networking.
93
www.certifyme.com
Select VMKernel, and click Next.
Select Create a new vSwitch, and click Next. If no adapters appear in the Create a new virtual switch group,
all network adapters in the system are being used by existing vSwitches.

www.certifyme.com
VMware Infrastructure 4 enforces a single-tier networking topology. In other words, there is no way to
interconnect multiple virtual switches, thus the network cannot be configured to introduce loops. As a result,
Spanning Tree Protocol (STP) is not needed and is not present.
Virtual Switch Isolation
Network traffic cannot flow directly from one virtual switch to another virtual switch within the same host.
Virtual switches provide all the ports you need in one switch, leading to the following benefits:
• Because there is no need to cascade virtual switches, Virtual Infrastructure 4 provides no capability to
connect virtual switches.
• Because there is no way to connect virtual switches, there is no need to prevent bad virtual switch
connections.
• Because virtual switches cannot share physical Ethernet adapters, there is no way to fool the Ethernet
adapter into doing loopback or some similar configuration that would cause a leak between virtual
switches.
In addition, each virtual switch has its own forwarding table, and there is no mechanism to allow an entry in one
table to point to a port on another virtual switch. In other words, every destination the switch looks up can
match only ports on the same virtual switch as the port where the frame originated, even if other virtual
switches’ lookup tables contain entries for that address.
It is unlikely that a would-be attacker could circumvent virtual switch isolation because it would be possible
only if there were a substantial unknown security flaw in the vmkernel. Because ESX Server parses so little of
the frame data — primarily just the Ethernet header — this would be difficult, and once an attacker had such
access, richer targets than breaking virtual switch isolation are readily available.
There are natural limits to this isolation. If you connect the uplinks of two virtual switches together, or if you
bridge two virtual switches with software running in a virtual machine, you open the door to the same kinds of
problems you might see in physical switches.
Changing the Number of Ports for a vSwitch
A vSwitch serves as a container for port configurations that use a common set of network adapters, including
sets that contain no network adapters at all. Each virtual switch provides a finite number of ports through which
virtual machines and network services can reach one or more networks..

www.certifyme.com
configuration. This means the system pays the lowest possible cost in complexity and demands on system
performance.
The design of ESX Server 4 supports temporarily loading certain components in the field — a capability that
could be used, for example, for running appropriately designed diagnostic utilities.
An additional benefit of the modular design is that VMware and third-party developers can easily incorporate
modules to enhance the system in the future.
In many ways, the ESX Server virtual switches are similar to physical switches. In some notable ways, they are
different. Understanding these similarities and differences will help you plan the configuration of your virtual
network and its connections to your physical network.