NSX CLI Guide

Associated Commands:

CLI Description Command

Activates specified local user account.


Activates specified local user account.
 		activate user <username> password [<password>]

Add new local user.


Add a new local user. By default status for newly created local user will be NOT_ACTIVATED and administrator will require to explicitly activate such users. When password is specified with command, status for created local user will be ACTIVE.
 		add user <username> [full-name <full-name>] [password <node-password>] [password-expiration-frequency <days>] [password-expiration-warning <days>] [password-reset-required]

Add audit user.


Re-create audit user if it was removed. By default status for re-created audit user will be NOT_ACTIVATED and administrator will require to explicitly activate audit user. When password is specified with command, status for re-created audit user will be ACTIVE.
 		add user audit [username <username>][full-name <full-name>] [password <node-password>] [password-expiration-frequency <days>] [password-expiration-warning <days>] [password-reset-required]

Clear all name servers


Clear all name servers from the DNS configuration.
 		clear name-servers

Resets configured password complexity requirements to default


Resets configured password complexity requirements to default.
 		clear password-complexity

Clear search domains


Remove all domain names from the DNS search list.
 		clear search-domains

Disable password expiration for the user


Disable password expiration for the user.
 		clear user <node-all-username> password-expiration

Disable password expiration warning for the user


Disable password expiration warning for the user.
 		clear user <node-all-username> password-expiration-warning

Copy a local file to remote file


Copy a local file to a remote destination.
 		copy file <existing-file-arg> url <scp-file-url-arg>

Copy a remote file to the local file store


Copy a remote file to the local file store. If no destination file is specified, the copied file has the same file name as the source file. You can use the file argument to specify a different destination file name.
To specify IPv6 remote addresses, url server should be enclosed between square brackets.
 		copy url <url> [file <filename>]

Copy a remote https url file with same filename


Copy a remote https url file to local file using same filename.
 		copy url <url> thumbprint <thumbprint> [file <filename>]

Deactivate local user.


Deactivate account for local user. Deactivating an account is permanent, unlike an account that is temporarily locked because of too many password failures. A deactivated account has to be explicitly activated.
 		deactivate user <username>

Delete local file


Delete a local file.
 		del file <existing-file-or-pattern-arg>

Delete name server


Delete the specified name server from the DNS configuration.
 		del name-server <name-server-arg>

Remove NTP server


Remove an existing NTP server.
 		del ntp-server <hostname-or-ip-address>

Delete a domain name


Delete the specified domain name from the DNS search list.
 		del search-domains <search-domain-arg>

Delete existing local users.


Delete specified user who is configured to log into the NSX appliance. Whereas local users root and administrator are not allowed to be deleted, but local user audit is deletable on-demand. In case to recreate a deleted user, kindly check the following link here
 		del user <username>

Delete existing local users.


Delete specified user who is configured to log into the NSX appliance. Whereas local users root and administrator are not allowed to be deleted, but local user audit is deletable on-demand.

Note: Deleted users cannot be created again.
 		del user <username>

Delete SSH service keys from authorized_keys file for specified user


Delete any SSH key with specified label from specified user's authorized_keys file. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
 		del user <username> ssh-keys label <key-label> [password <password>]

Get API account lockout period


Get the amount of time, in seconds, that an account will remain locked out of the API after exceeding the maximum number of failed authentication attempts.
get auth-policy api lockout-period

Get API account lockout reset period


In order to trigger an account lockout, all authentication failures must occur in this time window. If the reset period exprires, the failed login count is reset to zero.
get auth-policy api lockout-reset-period

Get API maximum authentication faliures


Get the number of failed API authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
get auth-policy api max-auth-failures

Get CLI account lockout period


Get the amount of time, in seconds, that an account will remain locked out of the CLI after exceeding the maximum number of failed authentication attempts.
get auth-policy cli lockout-period

Get CLI maximum authentication faliures


Get the number of failed CLI authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
get auth-policy cli max-auth-failures

Get minimum allowable password length


Get the minimum number of characters that passwords must have.
 		get auth-policy minimum-password-length

List file in the filestore


Display information about the specified file in the filestore.
 		get file <existing-file-arg>

Display file thumbprint


Display the file thumbprint.
 		get file <existing-file-arg> thumbprint

List files in the filestore


Display information about the files in the filestore.
 		get files

Get all name servers


Get all name servers in the DNS configuration.
 		get name-servers

Display upgrade status of the node


Display upgrade status of the node.
 		get node upgrade status

Display progress state of last rollback task


Display the status of the rollback tasks executed on the node and details of the last rollback task.
 		get node-rollback progress-status

Show NTP associations


Display the status of the NTP system. The delay, offset and dispersion values are in seconds.
 		get ntp-server associations

Show NTP servers


Display all NTP servers.
 		get ntp-servers

Get configured password complexity requirements


Get configured password complexity requirements.
 		get password-complexity

Get all search domains


Get all domain names in the DNS search list.
 		get search-domains

Save support bundle in filestore


Save the contents of the tech support bundle. Specify the file argument to save the bundle to a file with the specified file name in the file store. NSX Manager support bundles are .tar archives, NSX Edge support bundles are .tgz archives. This support bundle does not contain core or audit log files. To include those files, specify the all argument. To remove core dump files after collected in support bundle, specify optional argument remove-core-files along with all argument.

Core files contain system information and all information stored in memory at the time of the dump (this may include confidential, sensitive or personal information such as passwords and encryption keys, if they are being processed in memory at that time). If you choose to send the support bundle to VMware, it will be processed in accordance with VMware's standard processes and policies, to provide you with support, fix problems and improve the product and services.

Specify the log-age argument to include log files with modified times not past the age limit in days.

Specify the eal4-audit argument to collect pre-defined selective log files modified in last 4 hours.

Note: all, log-age, remove-core-files arguments are not allowed along with eal4-audit argument.
 		get support-bundle [file <filename> [[log-age <no-of-days>] [all [remove-core-file]]] | [eal4-audit]]

Save support bundle in filestore


Saves support bundle to the specified filename in the filestore.
 		get support-bundle [file <filename>]

Display progress status of last upgrade step


Display the status of the upgrade steps run on the node and details of last upgrade step.
 		get upgrade progress-status

Display playbook contents


Display the contents of the specified playbook for the specified upgrade bundle.
 		get upgrade-bundle <bundle-name-arg> playbook <playbook-file-arg>

List all playbooks in the filestore


Display all playbooks in the file store.
 		get upgrade-bundle playbooks

Get number of days od details user password expiration details


Get number of days the user's password is valid after a password change and number of days before user receives password expiration warning message.
 		get user <node-all-username> password-expiration

Get user status for specified non-root user


Get user status for specified non-root user.
 		get user <node-all-username> status

Get SSH keys from authorized_keys file for specified user


Get SSH keys from authorized_keys file for specified user.
 		get user <node-username> ssh-keys

Get VMC migration mode


Get VMC migration mode status.
 		get vmc migration-mode

Extract rollback scripts and start rollback


Extract the specified rollback scripts and start rollback.
 		node-rollback run-step step1_start_rollback

Execute a rollback step


None
 		node-rollback run-step step2_restore_data

Execute a rollback step


None
 		node-rollback run-step step3_exit_rollback

Execute playbook resume action


Resume an upgrade after running the command start upgrade-bundle <bundle-name> playbook <playbook-file> and the system was rebooted.
 		resume upgrade-bundle <bundle-name-arg> playbook

Set API account lockout period


Sets the amount of time, in seconds, that an account will remain locked out of the API after exceeding the maximum number of failed authentication attempts.
set auth-policy api lockout-period <lockout-period-arg>

Set API account lockout reset period


In order to trigger an account lockout, all authentication failures must occur in this time window. If the reset period exprires, the failed login count is reset to zero.
set auth-policy api lockout-reset-period <lockout-reset-period-arg>

Set API maximum authentication faliures


Set the number of failed API authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
set auth-policy api max-auth-failures <auth-failures-arg>

Set CLI account lockout period


Sets the amount of time, in seconds, that an account will remain locked out of the CLI after exceeding the maximum number of failed authentication attempts. While the lockout period is in effect, additional authentication attempts restart the lockout period, even if a valid password is specified.
set auth-policy cli lockout-period <cli-lockout-period-arg>

Set CLI maximum authentication faliures


Set the number of failed CLI authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
set auth-policy cli max-auth-failures <cli-auth-failures-arg>

Set minimum allowable password length


Set the minimum number of characters that passwords must have. The smallest value that can be set is 8.
set auth-policy minimum-password-length <password-length-arg>

Set auth-policy vidm properties


Set the vidm's properties.
 		set auth-policy vidm hostname <hostname-or-ip-address> thumbprint <vidm-host-thumbprint-arg> client-id <vidm-client-id-arg> client-secret <vidm-client-secret-arg> node-hostname <hostname-or-ip-address>

Add name server


Add a name server to the DNS configuration.
 		set name-servers <name-server-arg>

Add NTP server


Configure a new NTP server.
 		set ntp-server <hostname-or-ip-address>

Configure password complexity requirements


Configure password complexity requirements.
  • Minimum password length: minimum number of characters expected in password; user can not set their password of length lesser than this parameter. Default: 12, Minimum: 8, Maximum: 128

  • Maximum password length: maximum number of characters allowed in password; user can not set their password of length greater than this parameter. Default: 128, Minimum: 8, Maximum: 128

  • Lower characters: number of lower case characters (a..z) expected in user password.

    N < 0, to set minimum credit for having lower case character in the new password, i.e. this is the minimum number of lower case character that must be met for a new password.

    N > 0, to set maximum credit for having lower case character in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N lower case characters.

    N = 0, to disable the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Upper characters: number of upper case characters (A..Z) expected in user password.

    N < 0, to set minimum credit for having upper case character in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password.

    N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N upper case characters.

    N = 0, to disable the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Numeric characters: number of digits (0..9) expected in user password.

    N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password.

    N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N digits.

    N = 0, to disable the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Special characters: number of special characters (!@#$&*..) expected in user password.

    N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password.

    N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum password length value upto N special case characters..

    N = 0, to disable the policy check.

    Default: -1, Minimum: -128, Maximum: 128

  • Minimum unique characters: number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

  • Allowed similar consecutives: reject passwords which contain more than N same consecutive characters. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

  • Allowed monotonic sequence: reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0. Default: 0, Minimum: 0, Maximum: 128

  • Hash algorithm: sets hash/cryptographic algorithm type for new passwords. Default: sha512. Enum: [ sha512, sha256 ]

  • Password remembrance: limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0. Default: 0, Minimum: 0

Understanding PAM's maximum credit values with an example, consider password complexity configured as follows:
  • Minimum password length: 12
  • Lower case characters: -1
  • Upper case characters: 2
  • Digits: -1
  • Special case characters: -1
above values represent a password to be atleast of length 12 (or credits) which should consist atleast 1 lower case character, atleast 1 digit, atleast 1 special case character and any number of upper case characters.
If included, for first 2 upper case characters additional credit of +2 will be secured.
Which signifies password having 1 upper case character with additional 10 or more characters of required complexity will be allowed to set where total password length would be 11 or more,
password having 2 upper case characters with additional 8 or more characters of required complexity will be allowed to set where total password length would be 10 or more,
whereas password with 3 upper case characters shall still require 7 or more characters with above minimum value requirements, as there's only maximum credit of 2 configured for upper case characters.

Few valid passwords with respect to configured example complexity requirements:

  • hivmware@123 - consists of required minimum 1 - lower case character, special case character, digit and overall length is 12
  • Hivmware@12 - consists of required minimum 1 - lower case character, special case character, digit; whereas length is 11 but inclusion of 1 upper case character attributes an extra +1 credit, hence password is valid
  • HiVmware@1 - consists of required minimum 1 - lower case character, special case character, digit; whereas length is 10 but inclusion of 2 upper case characters attributes an extra +2 credit, hence password is valid

whereas following passwords will be invalid:

  • hivmware@12 - required length of 12 is not fulfilled
  • hivmware1234 - required minimum 1 special case character is not fulfilled
  • HiVMwar@1 - there are 3 upper case characters out which only maximum 2 characters will be considered for extra credit, third occurrence of upper case character will be attributed as 1 credit only, hence the overall credit score 11 does not fulfills complexity

Note, passwords less than 8 characters are never allowed.


 		set password-complexity [<complexity-name> <complexity-value>]

Add a domain name


Add a domain name to the DNS search list.
 		set search-domains <search-domain-arg>

Set the audit and guest user accounts password


Set the password for all the active users except admin and root users. This command does not require current password for the user account. The account of the target user must be ACTIVE to reset the password of the respective user. If you do not specify the 'new password' in the command line, you will be prompted for it. Note: This command can only be executed by administrator privileged user only.
set user <active-user> password [<password>]

Set number of days the user's password is valid after a password change


Set number of days the user's password is valid after a password change.
 		set user <node-all-username> password-expiration <password-expiration-arg>

Set number of days prior user receives warning message before password expires


Set number of days prior user receives warning message before password expires. Set 0 to disable warning messages for password expiry.
 		set user <node-all-username> password-expiration-warning <password-expiration-warn-arg>

Set new username for specified non-root user


Set new user name for the specified non-root user.
 		set user <node-all-username> username <new-node-username>

Set user password


Set the password for the specified user. If you do not specify the password on the command line, you will be prompted for it. For details on setting passwords during installation, see the NSX Installation Guide.
set user <username> password [<password> [old-password <old-password>]]

Add SSH service key to authorized_keys file for specified user


Add SSH service key to authorized_keys file for specified user. If password is not provided in the command then you are prompted to enter it. Password is required only for users root and admin.
 		set user <username> ssh-keys label <key-label> type <key-type> value <key-value> [password <password>]

Set VMC migration mode


Enable or disable VMC migration mode. Migration mode is used during upgrade. When an Edge is in VMC migration mode, VMC config will not be written to nestdb.
 		set vmc migration-mode <enabled-arg>

Execute a playbook given a valid playbook file


Start an upgrade with the specified upgrade bundle and according to the specified playbook.
 		start upgrade-bundle <bundle-name-arg> playbook <playbook-file-arg>

VDS Migrate Apply Topology


VDS Migrate Apply Topology
 		vds-migrate apply-topology (Deprecated)

VDS Migrate delete Topology


VDS Migrate delete Topology
 		vds-migrate delete-topology (Deprecated)

VDS Migrate Disable


VDS Migrate Disable
 		vds-migrate disable-migrate (Deprecated)

Migrate NVDS to VDS By Cluster Id


Migrate NVDS to VDS By Cluster Id
 		vds-migrate esxi-cluster-id <cluster-id> [maintenance-timeout <timeout>] (Deprecated)

Migrate NVDS to VDS By Cluster Name


Migrate NVDS to VDS By Cluster Name
 		vds-migrate esxi-cluster-name <cluster-name> [maintenance-timeout <timeout>] (Deprecated)

VDS Migrate Precheck


VDS Migrate Precheck
 		vds-migrate precheck (Deprecated)

VDS Migrate Show Topology


VDS Migrate Show Topology
 		vds-migrate show-topology (Deprecated)

Migrate NVDS to VDS By Tn List


Migrate NVDS to VDS By Tn List
 		vds-migrate tn-list <configfile> [maintenance-timeout <timeout>] (Deprecated)

Verify and extract bundle to default location


Verify and extract the specified upgrade bundle to the default location.
 		verify upgrade-bundle <bundle-name-arg>

Total commands: 76
Additional Links