
VMware vSphere 8.0 Update 3 · ESXi + vCenter

A complete operational reference for vSphere 8.0.3 — architecture, virtual machine management, networking, storage, HA/DRS, security, PowerCLI, and troubleshooting for enterprise virtualization environments.

Covers: ESXi 8.0.3 · vCenter 8.0.3 · vSAN 8 Express · NSX integration · vSphere+ / Tanzu · VxRail Ready
vSphere Stack (top to bottom)
  Applications: web apps · databases · middleware · services
  Guest OS: Windows Server · RHEL · Ubuntu · Core OS
  Virtual Hardware (vmx): vCPU · vRAM · vmxnet3 · pvscsi · EFI
  ⚡ ESXi 8.0.3 Hypervisor: VMkernel · resource scheduler · vSwitch · storage stack
  Physical Hardware: CPU · RAM · NIC · HBA · NVMe · iDRAC/BMC
vSphere Architecture

🏗️ Core Components
ESXi Hypervisor — Type 1 bare-metal hypervisor. VMkernel runs directly on hardware, manages CPU scheduling, memory, storage I/O, and networking. Extremely small footprint (~200MB). Installed on host — no general-purpose OS underneath
vCenter Server 8.0.3 — centralized management platform (vCSA — vCenter Server Appliance). Runs as a Linux appliance (Photon OS). Manages hosts, clusters, DRS, HA, vMotion, storage policies. Single vCSA can manage up to 2,500 hosts / 45,000 VMs
vSphere Client (HTML5) — web-based management UI (port 443 on vCSA). Replaced the legacy Flex client. Full feature parity as of vSphere 7+. https://vcenter-fqdn — all management through this UI
vSphere API / REST API — full automation surface. PowerCLI, Terraform VMware provider, and vRealize Automation consume these APIs. https://vcenter/api — modern REST API (replaces SOAP-based SDK)
vSphere Lifecycle Manager (vLCM) — image-based patching and firmware management. Single desired-state image per cluster. Replaces VUM (vSphere Update Manager) for clusters. Hardware Support Manager (HSM) integration for Dell VxRail firmware
📐 New in vSphere 8.0.3
DPU-Based Services (Project Monterey) — offload ESXi services to SmartNICs / DPUs (e.g., Intel IPU, NVIDIA BlueField). ESXi runs on the DPU while the host CPU is freed for workloads. Supports NSX offload and vSAN offload to DPU
vGPU / AI/ML Workloads — enhanced support for NVIDIA vGPU time-slicing and MIG (Multi-Instance GPU). Passthrough and shared GPU modes supported. AI/ML workload scheduling improvements in 8.0.3
vSAN 8 Express Architecture — disaggregated storage architecture with single-tier NVMe-only design (no disk groups). Up to 64 disks per host. Eliminates the cache/capacity tier distinction — all NVMe
Configuration Profiles — cluster-level desired-state host configuration (replaces host profiles). Drift detection and remediation built in. Managed via vLCM — single source of truth per cluster
TLS 1.3 enforcement — vSphere 8.0.3 enforces TLS 1.3 by default across all management endpoints. TLS 1.0/1.1 disabled. Verify that integrations (backup, monitoring) support TLS 1.2+
VM Hardware Version 21 — default for new VMs on vSphere 8.0.3. Supports up to 768 vCPUs, 24TB RAM, NVMe controllers. Backward compatible — older HW versions still supported
🗂️ vCenter Inventory Hierarchy
Hosts & Clusters View
  📂 vCenter (vc01.corp.com)
    📂 Datacenter — DC01
      📂 Cluster — ProdCluster
        🖥 esxi01.domain.com
        🖥 esxi02.domain.com
        🖥 esxi03.domain.com
      📂 Cluster — DevCluster
        🖥 esxi04.domain.com
VMs & Templates View
  📂 vCenter
    📂 DC01
      📁 Folder — Production VMs
        💻 WebServer01
        💻 DBServer01
      📁 Folder — Templates
        📄 Win2022-Template
Key Limits — vSphere 8.0.3
  vCenter manages: 2,500 hosts · 45,000 VMs
  Hosts per cluster: 96 hosts
  VMs per cluster: 8,000
  Max vCPUs per VM: 768 vCPUs (HW21)
  Max RAM per VM: 24 TB
  Max virtual disks: 256 per VM
  VMs per host: 1,024 (practical: 100–300)
  Linked vCenters (ELM): 15 vCenters per ELM
ESXi Host Administration

⚙️ VMkernel & ESXi Internals
VMkernel — proprietary microkernel. Manages all hardware resources. Not Linux-based (unlike KVM). Modules loaded from VIBs. /vmfs/volumes — storage · /etc/vmware — config · /var/log — logs
CPU Scheduler — strict co-stop scheduler. vCPUs scheduled as real CPUs. NUMA-aware — tries to keep VM vCPUs and memory on the same NUMA node. esxtop → c key → CPU view — monitor co-stop and ready %
Memory Management — transparent page sharing (TPS), balloon driver (vmmemctl), memory compression, swap. TPS limited in 8.x for security (intra-VM only by default). Balloon driver requires VMware Tools installed in the guest
Storage I/O Stack — PSA (Pluggable Storage Architecture): NMP (Native Multipathing), SATP (Storage Array Type Plugin), PSP (Path Selection Policy). VAAI offloads to the array. esxcli storage nmp device list — view multipath config
hostd / vpxa agents — hostd manages the host locally; vpxa is the vCenter agent on each host. Communication: vCenter → vpxa → hostd → VMkernel. Restart: /etc/init.d/hostd restart · /etc/init.d/vpxa restart
🔧 ESXi Host Configuration Essentials
NTP configuration: esxcli system ntp set -s pool.ntp.org
DNS configuration: esxcli network ip dns server add -s 10.0.0.1
SSH service: enable only during maintenance — auto-stop via policy
Syslog forwarding: esxcli system syslog config set --loghost=udp://siem:514
Scratch partition: set persistent scratch on non-boot-media hosts
Lockdown mode: Normal — blocks direct host access bypassing vCenter
Host profiles: enforce consistent config — use vLCM Configuration Profiles in 8.x
DCUI timeout: set idle timeout via UserVars.DcuiTimeOut
⚠ Maintenance Mode: Always vMotion VMs off first (or let DRS do it). Enter maintenance mode before any firmware/patch operations. Storage maintenance mode for vSAN hosts is separate.
💻 ESXi CLI Quick Reference (esxcli & esxtop)
Host & system commands
# System information
esxcli system version get
esxcli hardware cpu global get
esxcli hardware memory get
esxcli hardware platform get
# Maintenance mode
esxcli system maintenanceMode set --enable true
esxcli system maintenanceMode get
# Installed VIBs / patches
esxcli software vib list
esxcli software profile get
# Network info
esxcli network ip interface list
esxcli network ip route ipv4 list
esxcli network nic list
# Firewall
esxcli network firewall ruleset list
esxcli network firewall ruleset set --ruleset-id sshServer --enabled false
Storage & VM commands
# Storage / datastores
esxcli storage filesystem list
esxcli storage nmp device list
esxcli storage nmp path list
esxcli storage core adapter list
# List running VMs
esxcli vm process list
vim-cmd vmsvc/getallvms
vim-cmd vmsvc/power.getstate vmid
# esxtop — real-time performance
esxtop                 # interactive (c=cpu m=mem d=disk n=net)
esxtop -b -d 5 -n 3    # batch mode, 5s interval, 3 iterations
# Log files
cat /var/log/vmkernel.log
cat /var/log/hostd.log
cat /var/log/vpxa.log
cat /var/log/vmksummary.log
vCenter Server Appliance (vCSA)

🏛️ vCSA Architecture & Services
vCenter Server (vpxd) — core vCenter daemon. Manages inventory, task scheduling, events, alarms, licensing. service-control --status vpxd · journalctl -u vpxd
vCenter Single Sign-On (SSO) — identity and authentication service. Local vsphere.local domain. Integrates with AD/LDAP, SAML 2.0 (Entra ID / ADFS). Port 7444 (HTTPS) · Default admin: administrator@vsphere.local
Message Bus (RabbitMQ) — inter-component message broker within vCSA. Also used by vSAN and VASA providers. vmware-vpostgres and vmware-rhttpproxy are other key services
Embedded PostgreSQL — replaced MS SQL / Oracle in vCSA 6.x+. All vCenter data stored here. Built-in backup via the VCSA backup API. Backup: Appliance Management UI (port 5480) → Backup
Enhanced Linked Mode (ELM) — links multiple vCenter instances for single-pane management. Max 15 vCenters. Uses vSphere domain replication (not AD replication). Requires all vCenters in the same SSO domain — vsphere.local
⚡ vCSA Management & Maintenance
vCSA shell commands
# Appliance Management UI
https://vcsa:5480
# Service control (via shell or SSH)
service-control --status --all
service-control --stop --all
service-control --start vpxd
service-control --restart vsphere-ui
# Check database health
vcsa-util dbcheck
# Show which SSO domain controller this node is bound to (first check when SSO is misbehaving or an account is locked out)
/usr/lib/vmware-vmafd/bin/vmafd-cli get-dc-name --server-name localhost
# Certificate management
certificate-manager                            # interactive cert tool
vecs-cli store list                            # list cert stores
vecs-cli entry list --store MACHINE_SSL_CERT
# Backup job endpoint (REST API): POST a backup job spec here to start a backup
# (-k skips certificate validation; use it only against a lab appliance)
curl -k -u administrator@vsphere.local:P@ss \
  https://vcsa/api/appliance/recovery/backup/job
🔐 vCenter RBAC — Roles & Permissions
Built-in Role | Access Level | Common Use
Administrator | Full access | vCenter admins only — not for day-to-day
Read-only | View only | Monitoring, auditors
Virtual Machine User | Interact with VMs | Console access, power ops
Virtual Machine Power User | VM + snapshot ops | Dev/test teams
Network Administrator | Network config | Network team
Datastore Consumer | Allocate space | Service accounts
No Cryptography Admin | Full minus crypto | Admins without key mgmt
Permissions = Role + Object + Principal — apply at vCenter, Datacenter, Cluster, Host, VM Folder, or individual VM level. Child objects inherit unless overridden. The "Propagate to children" checkbox controls inheritance
Use AD Groups, not individual users — add a vsphere.local group or AD group to the role. Manage membership in AD. Identity Sources: Active Directory · LDAP · SAML
⛔ Never use administrator@vsphere.local for daily ops. Create named admin accounts with scoped permissions. Reserve SSO admin for break-glass only.
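The inheritance rules above (a permission is a role bound to a principal on an object, it reaches children only when "Propagate to children" is set, and a permission placed directly on a child overrides one inherited from above) are easy to get wrong when auditing who can reach a given VM. The following is an added example, not code from the page or from VMware: a small resolver that models those rules over a constructed inventory tree, with a second function that flags roles granted to individual accounts instead of groups. Group membership, the inventory objects and the permissions are all sample data; in practice they would come from the vSphere API.

```python
# Added example (not from the original page): an effective-permission resolver
# that models the vCenter rules stated above. Inventory, principals and roles
# are constructed sample data; real objects would come from the vSphere API.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Permission:
    principal: str          # user ("alice") or group ("CORP\\Dev-Team")
    role: str               # built-in or custom role name
    propagate: bool = True  # "Propagate to children" checkbox
    is_group: bool = True   # False when granted to an individual account


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def path(self):
        node, parts = self, []
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))


# Constructed group membership (in production this comes from AD / SSO).
GROUPS = {
    "alice": {"CORP\\vSphere-Admins"},
    "bob": {"CORP\\Dev-Team"},
    "carol": {"CORP\\Net-Team"},
    "dave": {"CORP\\Auditors"},
}


def effective_role(obj, user, group_membership=GROUPS):
    """Return (role, path of the object where it was granted) for user on obj.

    Walk from the object towards the root. The permission nearest the object
    wins, so a permission set directly on a child overrides an inherited one.
    Ancestor permissions apply only when propagate=True. On one object a
    permission for the user itself takes precedence over one via a group.
    """
    groups = group_membership.get(user, set())
    node, direct = obj, True
    while node is not None:
        applicable = [p for p in node.permissions if direct or p.propagate]
        user_perm = next((p for p in applicable if p.principal == user), None)
        group_perm = next((p for p in applicable if p.principal in groups), None)
        chosen = user_perm or group_perm
        if chosen is not None:
            return chosen.role, node.path()
        node, direct = node.parent, False
    return None, None


def user_principal_permissions(root):
    """Audit helper: permissions granted to individual accounts rather than
    groups (the guidance above is to assign roles to AD groups only)."""
    found, stack = [], [root]
    while stack:
        node = stack.pop()
        found.extend((node.path(), p.principal) for p in node.permissions if not p.is_group)
        stack.extend(node.children)
    return found


def build_sample_inventory():
    """Constructed inventory mirroring the hierarchy shown earlier on the page."""
    vc = InventoryObject("vc01.corp.com")
    dc = InventoryObject("DC01", vc)
    prod = InventoryObject("ProdCluster", dc)
    dev = InventoryObject("DevCluster", dc)
    db = InventoryObject("DBServer01", prod)
    devvm = InventoryObject("DevVM01", dev)
    vc.permissions += [
        Permission("CORP\\vSphere-Admins", "Administrator"),
        Permission("CORP\\Auditors", "Read-only"),
    ]
    dev.permissions.append(Permission("CORP\\Dev-Team", "Virtual Machine Power User"))
    # Non-propagating: applies to the cluster object, not to the VMs inside it.
    prod.permissions.append(Permission("CORP\\Net-Team", "Network Administrator", propagate=False))
    # Direct permission on one VM overrides whatever the group inherits from above.
    db.permissions.append(Permission("CORP\\Dev-Team", "Virtual Machine User", propagate=False))
    # Individual-account grant that the audit should flag.
    db.permissions.append(Permission("administrator@vsphere.local", "Administrator",
                                     propagate=False, is_group=False))
    return {"vc": vc, "dc": dc, "prod": prod, "dev": dev, "db": db, "devvm": devvm}


if __name__ == "__main__":
    inv = build_sample_inventory()
    for user, obj in [("bob", "db"), ("bob", "devvm"), ("carol", "db"), ("dave", "db")]:
        print(user, inv[obj].path(), effective_role(inv[obj], user))
    print("direct user grants:", user_principal_permissions(inv["vc"]))
```

Two results are worth noticing: carol gets nothing on DBServer01 because her Network Administrator grant on ProdCluster does not propagate, and bob is downgraded from Power User to User on that one VM because the direct grant is closer to the object than the inherited one. A real audit would read permissions with the vSphere API and feed them into the same walk.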
Virtual Machine Management

🖥️ VM Hardware — Key Settings
CPU: vCPU Configuration
  Max vCPUs (HW21): 768
  Hot-add: add vCPU without reboot
  Shares: Normal / High / Low
  Reservation: guaranteed MHz
  Limit: max MHz (avoid in prod)
  NUMA: vNUMA >8 vCPU
RAM: Memory Configuration
  Max RAM (HW21): 24 TB
  Hot-add: add RAM without reboot
  Balloon: reclaim idle guest RAM
  Swap: host-level swap file (.vswp)
DISK: Storage Adapters & Formats
  pvscsi: paravirtual (preferred)
  NVMe: virtual NVMe controller
  Thin: lazy-zero, grows on write
  Thick EZ: zeros on first write
  Thick LZ: pre-zero — highest perf
  Max disks per VM: 256
NIC: Network Adapter Types
  vmxnet3: paravirtual (preferred)
  E1000e: emulated — legacy compat
  SR-IOV: direct device passthrough
  Max NICs per VM: 10
📸 Snapshots — Best Practices
Snapshots ≠ Backups — snapshots capture state at a point in time. The delta disk grows with every write. Never rely on snapshots as your only recovery method. Delta disks are stored in the same datastore as the vmdk — watch free space
72-hour maximum for production VMs. Long-running snapshots cause disk I/O overhead and datastore space exhaustion. Monitor with: Get-VM | Get-Snapshot | Where {$_.Created -lt (Get-Date).AddDays(-3)}
Memory snapshots — capture RAM state, allowing full state rollback. Larger file, takes longer to create. Quiesces the guest if VMware Tools is installed. Quiesce = VSS snapshot in a Windows guest — app-consistent
Snapshot consolidation — if snapshots fail to delete, use the Consolidate option in the vSphere Client. Check for orphaned delta files in the datastore browser. Actions → Snapshots → Consolidate
🚀 vMotion & Storage vMotion
vMotion (live migration): move a running VM between hosts — zero downtime
Requirement: shared storage · vMotion VMkernel · CPU compat
Network speed: 1GbE min · 10GbE recommended
CPU compatibility: EVC mode masks CPU features for cross-gen vMotion
Storage vMotion: move VM disks between datastores — online
Cross-vCenter vMotion: move VMs between vCenters — requires ELM or temp share
Long-distance vMotion: RTT <150ms · 250 Mbps per stream
EVC (Enhanced vMotion Compatibility) — set at cluster level. Masks CPU features to lowest common denominator, enabling vMotion across different CPU generations (e.g., Intel Skylake → Ice Lake hosts in same cluster).
🛠️ VMware Tools — Required for Full Functionality
VMware Tools — guest agent providing OS-level integration: graceful shutdown, guest info (IP, hostname, OS), time sync, quiesced snapshots, VMCI. Install: open-vm-tools (Linux) · VMware-tools (Windows)
open-vm-tools — open source variant, included in modern Linux distros. Preferred for RHEL/Ubuntu — no manual install needed. dnf install open-vm-tools (RHEL) · apt install open-vm-tools
Check tools status via PowerCLI
# VMs needing Tools update
Get-VM | Select Name, @{N="Tools";E={$_.ExtensionData.Guest.ToolsVersionStatus}} |
    Where {$_.Tools -ne "guestToolsCurrent"}
# Upgrade tools on VM
Update-Tools -VM "WebServer01" -RunAsync
Tools status values
  Current: latest version installed
  Old: works but update recommended
  NotInstalled: no tools — limited functionality
  Unmanaged: open-vm-tools — OK, unmanaged by vCenter
  Time sync: enabled via Tools — disable if the OS syncs NTP itself
vSphere Networking — vSS & VDS

VDS Architecture — Physical to Virtual
  Physical Switch (ToR)
    ↕ uplinks: vmnic0 + vmnic1
  vSphere Distributed Switch (VDS)
    VMkernel ports: vmk0 (Mgmt) · vmk1 (vMotion) · vmk2 (vSAN) · vmk3 (Provision)
    VM Port Groups (VLANs): VM1 (VLAN 100) · VM2 (VLAN 200) · VM3 (VLAN 300)
🔀 vSphere Standard Switch (vSS) vs Distributed Switch (VDS)
Feature | vSS | VDS
Management | Per-host | vCenter-managed
Config scope | Host-local | Cluster-wide
Network I/O Control | No | Yes
Port mirroring | No | Yes
LACP | No | Yes
Traffic shaping | Egress only | Ingress + Egress
Private VLANs | No | Yes
Health check | No | Yes
License | Included | Enterprise Plus / vSphere+
🌐 VMkernel Adapters (vmk)
Management (vmk0) — host management traffic to vCenter/vpxa. Default gateway set here. Never trunk other services here in production. Typically on VLAN 10/100 — dedicated management VLAN
vMotion (vmk1) — live VM migration traffic. Dedicated NIC team recommended. 10GbE minimum; 25GbE for large VMs. Enable the "vMotion" service on the VMkernel adapter
vSAN (vmk2) — storage traffic for the vSAN cluster. Must be on a dedicated network — no sharing with vMotion or management. 25GbE / 100GbE for vSAN Express Architecture
Provisioning (vmk3) — cold migration, cloning, snapshot traffic. Optional but recommended to separate from management. Enable the "Provisioning" service on the vmk adapter
Fault Tolerance Logging — FT traffic between primary and secondary VM. Dedicated 10GbE+ required. Enable "Fault Tolerance logging" on the vmk adapter
🔒 Port Group Security Policies
Promiscuous Mode: REJECT (default) — disable unless required
MAC Address Changes: REJECT — prevents MAC spoofing attacks
Forged Transmits: REJECT — prevents IP spoofing
VLAN Trunking: VLAN 4095 = trunk (use only for nested ESXi)
Private VLAN: Promiscuous / Isolated / Community modes
⛔ Never enable Promiscuous Mode on production port groups. Only required for network analysis tools (Wireshark taps) or NSX service VMs. Creates a security risk — all traffic visible to VMs on that port group.
⚠ MAC Changes + Forged Transmits: Enable only for nested ESXi labs or specific appliances (NSX Edges in some deployments). Document exceptions.
NIC teaming & load balancing (VDS teaming policies)
  Route based on originating virtual port: default — simple, no LACP
  Route based on IP hash: requires LACP on the physical switch
  Route based on source MAC hash: per-VM-NIC uplink assignment
  Use explicit failover order: Active/Standby — for storage vmks
  Route based on physical NIC load: VDS only — load-based teaming
Storage — VMFS, vSAN, NFS & iSCSI

💾 Storage Types Comparison
Type | Protocol | Use Case | Notes
VMFS 6 | FC / iSCSI / FCoE | Block — primary for VMs | Auto-unmap, 64TB volume, 62TB VMDK
NFS 4.1 | NFS over IP | File — shared storage | Session trunking (multipath), Kerberos auth
vSAN 8 | VMkernel (vSAN) | HCI — converged | Express Arch: NVMe-only, 64 disks/host
vVols | FC / iSCSI / NFS | Policy-based, per-VM | VASA provider on array required
RDM | FC / iSCSI | Raw device — DB / clusters | Physical or virtual compat mode
NVMe-oF | NVMe/TCP · NVMe/FC | Low-latency block | Supported in vSphere 8
🗄️ vSAN 8 Express Architecture
vSAN Express Architecture (ESA) — single-tier NVMe-only design. Eliminates the cache/capacity disk group distinction. All-flash with NVMe only. Minimum 10GbE / 25GbE dedicated vSAN vmk per host
Cluster minimum — 3 hosts (FTT=1). 6+ hosts recommended for FTT=2. All hosts must contribute storage. Max 64 NVMe disks per host in ESA
Storage Policies (SPBM) — define FTT (Failures to Tolerate), RAID level (RAID-1/5/6), compression, dedup, encryption per VM. RAID-5 requires 4 hosts · RAID-6 requires 6 hosts
Stretched Cluster / 2-site — synchronous replication across two sites with a witness appliance at a third site. RPO=0. Witness handles split-brain arbitration
vSAN health check: vSphere Client → Cluster → Monitor → vSAN → Health
Rebuild on host failure: automatic — based on FTT policy
Encryption: data-at-rest via KMS · data-in-transit vSAN
🔀 Multipathing — PSA Framework
Native Multipathing Plugin (NMP) — default VMware multipathing. Contains SATP (array type detection) and PSP (path selection). PSA is the framework — NMP is the default plugin
Round Robin (PSP_RR) — cycles through all active paths. Best for Active-Active arrays (ALUA). Set an IOPS limit for rotating between paths. Default IOPS=1000 — tune for your array
Most Recently Used (PSP_MRU) — uses the last active path, fails over on failure. Default for Active-Passive arrays. Does NOT load balance — single active path
Fixed (PSP_FIXED) — always uses the preferred path, fails to another on failure, reverts back. Good for deterministic path control. Set preferred path via esxcli storage nmp path set
Storage CLI commands
# List LUNs and paths
esxcli storage nmp device list
esxcli storage nmp path list --device naa.xxx
# Change path selection policy
esxcli storage nmp device set \
    --device naa.xxx \
    --psp VMW_PSP_RR
# Rescan storage adapters
esxcli storage core adapter rescan --all
# VMFS volume info
esxcli storage filesystem list
vmkfstools -D /vmfs/volumes/DS01/vm.vmdk
High Availability & DRS

💚 vSphere HA — How It Works
HA Cluster — 4 Hosts (example)
  esxi01 (Master): primary, monitors slaves · runs VM1, VM2, VM3
  esxi02 (Slave): runs VM4, VM5
  esxi03 ❌ FAILED: host failure detected · was running VM6, VM7
  esxi04 ← Restart: VM6, VM7 restarted here
HA election: master elected by datastore path count + MOID
Heartbeat: network (1s intervals) + datastore heartbeat
Datastore heartbeats: 2 datastores per host — prevents false positives
Restart priority: High / Medium / Low / Disabled per VM
Admission control: reserve capacity for N host failures
VM monitoring: restart if the VMware Tools heartbeat stops
App monitoring: SDK-based — custom heartbeat (Oracle, SQL)
⚖️ DRS — Distributed Resource Scheduler
Automation Levels: Manual → Partially Automated → Fully Automated. Fully Automated: DRS makes and executes placement decisions. Use this in production — eliminates manual vMotion for load balancing.
DRS Threshold — 1 (conservative) to 5 (aggressive). Controls the imbalance tolerated before a vMotion is triggered. Default: 3 — good balance of stability vs. efficiency
DRS Rules — VM-VM Affinity (keep together), VM-VM Anti-affinity (keep apart), VM-Host Affinity/Anti-affinity (pin to/from hosts). Must run on / Should run on — hard vs. soft rules
Predictive DRS — integrates with vROps to anticipate load spikes and pre-migrate VMs before resource contention occurs. Requires vRealize Operations integration
Maintenance Mode + DRS — when a host enters maintenance mode, DRS automatically vMotions all VMs off before the host is powered down. Requires Fully Automated mode. Manual DRS: host stays "waiting" until VMs are migrated manually
VM Overrides — set per-VM DRS automation level. Use Manual for VMs that should not be automatically migrated (licensed software, latency-sensitive). Cluster → Configure → VM Overrides
📦 Resource Pools
Shares — relative weight under resource contention. High=2000 / Normal=1000 / Low=500 for CPU and Memory. Only matters when there is resource contention
Reservation — guaranteed MHz / MB. Reserved even if unused. Reduces cluster capacity — use sparingly. Never reserve more than needed — wastes capacity
Limit — maximum CPU/RAM. Good for dev/test to prevent runaway consumption. Avoid limits in production — can cause unnecessary performance issues. -1 = Unlimited (recommended for prod VMs)
Expandable Reservation — allows children to borrow from the parent when they need more than their reservation. Enabled by default. Uncheck for strict isolation between resource pools
⚠ Resource Pool Antipattern: Do NOT nest deep resource pool hierarchies — complex pools make it harder to understand actual resource allocation. Prefer a flat structure (one pool per team/environment).
📦 Cluster (Root)
  📦 Production (Shares: High)
    💻 WebServer01
    💻 DBServer01
  📦 Dev/Test (Shares: Low)
    💻 DevVM01
vSphere Security Hardening

🛡️ ESXi Security Hardening Checklist
Enable Lockdown Mode (Normal) — blocks direct host access via SSH/DCUI except for accounts in the exception list. All management must go through vCenter. Strict Lockdown: disables DCUI entirely — use with caution
Disable SSH when not in use — SSH should only be enabled during active maintenance. Use "Stop and Disable" policy to prevent auto-start. Alert via vCenter alarm when SSH is enabled on any host
Replace self-signed certificates — use CA-signed certificates for vCenter and ESXi. Required for zero-trust environments and browsers to trust management UI. certificate-manager tool on vCSA · VMCA or external CA
Configure Syslog to SIEM — forward VMkernel, hostd, and vpxa logs to a central SIEM. Retain 90 days minimum. esxcli system syslog config set --loghost=ssl://siem:1514
Set host account lockout — configure MaxFailures and UnlockTime via Security.AccountLockFailures advanced setting. Default: 5 failures → 15-minute lockout
Apply vSphere Security Configuration Guide (SCG) — VMware's official hardening baseline. Updated per version. Import hardening checks into vROps or Aria Config. Available at core.vmware.com/security/security-configuration-guide
Enable VM Encryption — vSphere Native Key Provider (NKP) built into vCenter — no external KMS required. Encrypt sensitive VMs at rest. vSphere NKP is free · Third-party KMS via KMIP standard
Secure Boot (ESXi) — enforce UEFI Secure Boot on ESXi hosts. Prevents unsigned VIBs / drivers from loading. Check: esxcli system settings encryption get
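Forwarding hostd, vpxa and sshd logs to a SIEM is only useful if something evaluates them. The following is an added example, not code from the page or from VMware: two detections a SIEM or a small collector could run over forwarded ESXi sshd lines. The first mirrors the lockout policy quoted above (5 failures in 15 minutes from one source against one host); the second flags successful SSH logins whose source is outside an approved admin (PAW) subnet. The log lines are constructed samples in OpenSSH's usual wording, and the admin subnet 10.10.10.0/24 is an assumed value.

```python
# Added example (not from the original page): detection logic for ESXi sshd
# lines forwarded by syslog. SAMPLE_LOG is constructed; the admin subnet is
# an assumption to replace with your own PAW / jump-host network.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
2024-06-01T08:00:01Z esxi01 sshd[2100123]: Failed password for root from 10.0.0.50 port 51001 ssh2
2024-06-01T08:00:04Z esxi01 sshd[2100124]: Failed password for root from 10.0.0.50 port 51002 ssh2
2024-06-01T08:00:07Z esxi01 sshd[2100125]: Failed password for root from 10.0.0.50 port 51003 ssh2
2024-06-01T08:00:10Z esxi01 sshd[2100126]: Failed password for root from 10.0.0.50 port 51004 ssh2
2024-06-01T08:00:13Z esxi01 sshd[2100127]: Failed password for root from 10.0.0.50 port 51005 ssh2
2024-06-01T08:01:00Z esxi01 sshd[2100130]: Accepted publickey for root from 10.10.10.5 port 40001 ssh2
2024-06-01T09:30:00Z esxi02 sshd[2100200]: Failed password for root from 10.0.0.51 port 52001 ssh2
2024-06-01T10:00:00Z esxi02 sshd[2100201]: Accepted password for root from 192.168.77.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_events(text):
    """Parse sshd lines into dicts (ts, host, outcome, user, src); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_failed_login_bursts(events, max_failures=5, window=timedelta(minutes=15)):
    """Alert when one source produces >= max_failures failures against one host
    inside the window. Defaults mirror the ESXi lockout policy quoted above."""
    alerts, recent = [], defaultdict(list)
    for ev in events:
        if ev["outcome"] != "Failed":
            continue
        key = (ev["host"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) >= max_failures:
            alerts.append((ev["host"], ev["src"], ev["ts"]))
            q.clear()                            # one alert per burst
    return alerts


def detect_logins_outside_admin_network(events, allowed=("10.10.10.0/24",)):
    """Successful SSH logins whose source is not in an approved admin (PAW) subnet."""
    nets = [ip_network(n) for n in allowed]
    return [
        (ev["host"], ev["user"], ev["src"])
        for ev in events
        if ev["outcome"] == "Accepted" and not any(ip_address(ev["src"]) in n for n in nets)
    ]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print("failed-login bursts:", detect_failed_login_bursts(evs))
    print("logins outside admin net:", detect_logins_outside_admin_network(evs))
```

On the sample, esxi01 raises one burst alert at 08:00:13 (the fifth failure from 10.0.0.50), the single failure against esxi02 stays below the threshold, and the password login to esxi02 from 192.168.77.9 is reported because it did not come from the admin subnet. Pair the second detection with the SSH-enabled alarm described above: a login on a host whose SSH service should be stopped is a finding regardless of source.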
⚠️ Common vSphere Security Risks
VM Escape — hypervisor vulnerability allowing a guest to access the host. Mitigate with: Secure Boot, signed VIBs, disable HGFS (host-guest file system), disable copy/paste between guest and client. isolation.tools.copy.disable = TRUE in the VMX file
vCenter Compromise — vCenter admin = keys to the kingdom. All VMs are accessible. Protect with: MFA on vCenter SSO, Tier 0 PAW access only, separate vCenter admin accounts. Recent CVEs: CVE-2023-20867, CVE-2024-37079 — patch immediately
vMotion data exposure — vMotion traffic is unencrypted by default. Enable encrypted vMotion for VMs processing sensitive data. VM → Edit Settings → VM Options → Encryption → Encrypt vMotion
Snapshot sprawl — old snapshots waste storage and slow I/O. Attackers can leverage orphaned snapshots to find historical data. Automate snapshot age alerts. Alert: Get-VM | Get-Snapshot | Where-Object {$_.Created -lt (Get-Date).AddDays(-3)}
VMFS datastore access — a compromised ESXi host has read access to all VMDKs on shared datastores. RBAC at datastore level + storage array LUN masking reduce the blast radius. Use dedicated datastores per security tier where possible
Subscribe to VMware Security Advisories (VMSA) at broadcom.com/support/resources. Many critical vSphere CVEs require patching within 72 hours per industry frameworks.
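The VM Escape item above names a single VMX key (isolation.tools.copy.disable = TRUE); in practice a baseline is a set of such keys, and the check has to treat an absent key as a finding because an unset isolation.*.disable key leaves the feature enabled. The following is an added example, not code from the page or from VMware: a parser for the .vmx key = "value" format, an audit that reports missing or wrong values, and a function that emits the hardened file. The sample .vmx is constructed, and the EXPECTED set (copy, paste, diskShrink and diskWiper isolation keys from the Security Configuration Guide) is an assumption to align with your own baseline.

```python
# Added example (not from the original page): parse a .vmx file and audit the
# guest-isolation settings discussed above. SAMPLE_VMX is constructed; the
# EXPECTED set is an assumed baseline to adjust to your own hardening guide.
import re

EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",        # named on this page
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
}

SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "21"
displayName = "WebServer01"
guestOS = "windows2019srv-64"
scsi0.virtualDev = "pvscsi"
ethernet0.virtualDev = "vmxnet3"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
'''

# key = "value" lines; comments and blank lines do not match.
VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value}; .vmx keys are case-insensitive, so they are lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text, expected=EXPECTED):
    """Findings as (key, expected, actual). actual is None when the key is
    absent, which is a finding: an unset isolation.*.disable leaves the feature on."""
    settings = parse_vmx(text)
    findings = []
    for key, want in expected.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != want.upper():
            findings.append((key, want, actual))
    return findings


def harden_vmx(text, expected=EXPECTED):
    """Return the .vmx text with every expected key set: existing lines are
    rewritten in place, missing keys are appended. Edit the live file only with
    the VM powered off; on a running VM use Configuration Parameters instead."""
    wanted = {k.lower(): (k, v) for k, v in expected.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key, val = wanted[m.group(1).lower()]
            out.append(f'{key} = "{val}"')
            seen.add(key.lower())
        else:
            out.append(line)
    for lk, (key, val) in wanted.items():
        if lk not in seen:
            out.append(f'{key} = "{val}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, want, actual in audit_vmx(SAMPLE_VMX):
        print(f"{key}: expected {want}, found {actual}")
    print(harden_vmx(SAMPLE_VMX))
```

On the sample the audit reports paste set to FALSE and the two disk keys absent, and the hardened output passes a re-audit. For fleet-wide use, the same EXPECTED table can drive PowerCLI (`Get-AdvancedSetting` / `New-AdvancedSetting` on each VM) so no one has to touch .vmx files by hand.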
PowerCLI — vSphere 8 Administration

🔌 Connection & Cluster Operations
# Connect & configure
# InvalidCertificateAction Ignore is for labs only; with a CA-signed vCenter
# certificate, leave validation on so the session cannot be intercepted
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore `
    -DefaultVIServerMode Multiple -Scope User
Connect-VIServer -Server vc01.corp.com -Credential (Get-Credential)
# Cluster info & host status
Get-Cluster | Select Name, HAEnabled, DrsEnabled, DrsAutomationLevel
Get-VMHost | Select Name, ConnectionState, PowerState, `
    @{N="CPUUsage%";E={[math]::Round($_.CpuUsageMhz/$_.CpuTotalMhz*100,1)}}, `
    @{N="MemUsage%";E={[math]::Round($_.MemoryUsageMB/$_.MemoryTotalMB*100,1)}}
# vSAN health check
Get-VsanClusterHealthSummary -Cluster "ProdCluster"
# DRS rules
Get-DrsRule -Cluster "ProdCluster"
New-DrsVMHostRule -Cluster "ProdCluster" -Name "SQL-Affinity" `
    -VMGroup $vmg -VMHostGroup $hg -Type MustRunOn
# Maintenance mode with DRS
Set-VMHost -VMHost "esxi01" -State Maintenance -Evacuate -RunAsync
📸 Snapshot & Storage Management
# Find old snapshots
Get-VM | Get-Snapshot | Where-Object {$_.Created -lt (Get-Date).AddDays(-3)} |
    Select VM, Name, Created, @{N="SizeGB";E={[math]::Round($_.SizeGB,2)}}
# Total snapshot space consumed
Get-VM | Get-Snapshot | Measure-Object SizeGB -Sum
# Datastore capacity report
Get-Datastore | Select Name, `
    @{N="CapGB";E={[math]::Round($_.CapacityGB,0)}}, `
    @{N="FreeGB";E={[math]::Round($_.FreeSpaceGB,0)}}, `
    @{N="Free%";E={[math]::Round($_.FreeSpaceGB/$_.CapacityGB*100,1)}} | Sort "Free%"
# Storage vMotion
Move-VM -VM "WebServer01" -Datastore "DS-SSD-01" -RunAsync
📊 Reporting & Inventory
# Full VM inventory export
Get-VM | Select Name, PowerState, NumCpu, MemoryGB, `
    @{N="Host";E={$_.VMHost.Name}}, `
    @{N="Cluster";E={(Get-Cluster -VM $_).Name}}, `
    @{N="Datastore";E={($_ | Get-Datastore).Name -join ","}}, `
    @{N="ToolsStatus";E={$_.ExtensionData.Guest.ToolsVersionStatus}}, `
    @{N="IP";E={$_.Guest.IPAddress[0]}} |
    Export-Csv "vm-inventory.csv" -NoTypeInformation
# Host hardware report
Get-VMHost | Select Name, Version, Build, `
    @{N="Model";E={$_.ExtensionData.Hardware.SystemInfo.Model}}, `
    @{N="CPUs";E={$_.NumCpu}}, `
    @{N="MemTB";E={[math]::Round($_.MemoryTotalGB/1024,2)}} |
    Export-Csv "host-report.csv" -NoTypeInformation
# VMware Tools status report
Get-VM | Select Name, `
    @{N="ToolsVer";E={$_.ExtensionData.Guest.ToolsVersion}}, `
    @{N="Status";E={$_.ExtensionData.Guest.ToolsVersionStatus}} |
    Where {$_.Status -ne "guestToolsCurrent"}
⚡ vLCM / Patching & Advanced
# Check host build against the 8.0.3 build number
Get-VMHost | Select Name, Version, Build | Where {$_.Build -ne "24022510"}   # 8.0.3 build
# Run script inside guest (requires Tools)
Invoke-VMScript -VM "RHEL-Server" `
    -ScriptText "dnf update -y" `
    -GuestCredential $cred -ScriptType Bash
# Tag VMs for compliance tracking
New-TagCategory -Name "Environment" -Cardinality Single
New-Tag -Name "Production" -Category "Environment"
Get-VM "WebServer01" | New-TagAssignment -Tag (Get-Tag "Production")
# Posh-SSH: run esxcli remotely via SSH (SSH must be enabled on the host for the maintenance window)
$ssh = New-SSHSession -ComputerName "esxi01" -Credential $cred
Invoke-SSHCommand -SessionId $ssh.SessionId `
    -Command "esxcli software vib list | grep -i tools"
Required Network Ports

🔌 vSphere 8 Port Reference
Port | Proto | Source | Destination | Service | Notes
22 | TCP | Admin | ESXi | SSH | Disable when not in maintenance
80 | TCP | Browser | ESXi/vCSA | HTTP redirect | Redirects to 443
443 | TCP | Client | vCSA / ESXi | HTTPS / vSphere Client | Primary management port
902 | TCP/UDP | vCenter | ESXi | VMware Remote Console / NFC | VM console access, NFC data
903 | TCP | Browser | ESXi | VMRC (legacy) | Remote console (older clients)
2049 | TCP/UDP | ESXi | NAS | NFS | NFS datastore traffic
3260 | TCP | ESXi | iSCSI array | iSCSI | Software iSCSI initiator
5480 | TCP | Admin | vCSA | vCSA Appliance Mgmt UI | Backup, health, certificates
5900 | TCP | Client | ESXi | VNC (disabled by default) | Legacy console — keep disabled
6500 | UDP | ESXi | ESXi | HA agent (FDM) | vSphere HA heartbeats
6501-6502 | TCP | ESXi | ESXi | HA agent (FDM) | FDM management
7444 | TCP | vCenter | vCSA | SSO (STS) | vCenter Single Sign-On
8000 | TCP | ESXi | ESXi | vMotion | Live VM migration traffic
8100-8102 | TCP/UDP | ESXi | ESXi | Fault Tolerance (FT) | FT logging and sync traffic
9000-9100 | TCP | ESXi | ESXi | vSAN | vSAN cluster traffic
10000 | TCP | ESXi | ESXi | vSAN Health | vSAN health monitoring
10080 | TCP | vCenter | ESXi | vSphere IO Filter | VAIO framework
12321 | TCP | Admin | vCSA | vSphere API (REST) | Modern API endpoint
44046 | TCP | ESXi | ESXi | vMotion (encrypted) | Encrypted vMotion stream
Troubleshooting & Diagnostics

🔧 Common Issues & Resolutions
vMotion fails — "A general system error occurred" — check: shared storage accessibility, vMotion vmk on both hosts in the same subnet, CPU compatibility (EVC), sufficient memory on the destination. Event log → Tasks & Events on the VM for the detailed error
HA not restarting VMs after host failure — check: HA admission control (may lack capacity), VM restart priority set to Disabled, HA agent (FDM) not running on surviving hosts. Cluster → Monitor → vSphere HA → Heartbeat Datastores
VM stuck "Initiating" during snapshot delete — vmkfstools consolidation needed. Check for delta files in the datastore. Run Consolidate from the VM context menu. vim-cmd vmsvc/snapshot.removeall vmid (last resort from ESXi SSH)
vpxa agent not connecting — restart vpxa on the ESXi host: /etc/init.d/vpxa restart. If hostd is also failing, restart both. Check firewall port 902 between vCenter and host. Check /var/log/vpxa.log for connection errors
vCSA SSO lockout (administrator@vsphere.local) — use the appliance shell to reset: sso-config.sh --reset-password. Or boot to GRUB recovery mode. Always maintain a secondary admin account for break-glass
Datastore 100% full — VMs pausing — immediately free space: consolidate or remove snapshots, delete unused VMDKs, move VMs via Storage vMotion. VMs auto-pause when the datastore hits 100%. Set a 20% free-space alarm on all datastores proactively
High CPU Ready % in esxtop — vCPU waiting for a physical CPU. Causes: VM oversized (too many vCPUs), host overloaded, no DRS. Right-size VMs, enable DRS, add host capacity. Ready % > 5% sustained = performance degradation
vSAN disk group failure / absent disks — check vSAN Health → Physical disk. Run the Skyline Health proactive check. Check for controller firmware issues. Replace the failed NVMe if indicated. vSAN resync progress: Cluster → Monitor → vSAN → Resyncing
🔍 Key Log Files & Diagnostic Commands
VMkernel log: /var/log/vmkernel.log — kernel events, storage, net
hostd log: /var/log/hostd.log — vSphere API, VM ops
vpxa log: /var/log/vpxa.log — vCenter agent comms
vCenter log: /var/log/vmware/vpxd/vpxd.log
vCSA vpostgres: /var/log/vmware/vpostgres/
vsphere-ui log: /var/log/vmware/vsphere-ui/
ESXi diagnostic bundle
# Generate support bundle from vSphere Client
Host → Actions → Export Support Information
# Via the ESXi shell
vm-support -n      # network bundle (fast)
vm-support         # full support bundle
# vCSA support bundle
https://vcsa:5480 → Support → Create Support Bundle
# Real-time performance analysis
esxtop             # CPU: c · Mem: m · Disk: d · Net: n
esxtop -a          # show all stats
# vSAN diagnostics
esxcli vsan health cluster get
esxcli vsan storage list
cmmds-tool find -t DISK   # cluster metadata
📈 esxtop Key Metrics Reference
Metric | View (Key) | Threshold | Meaning
%RDY (CPU Ready) | CPU (c) | > 5% | vCPU waiting for physical CPU — VM oversized or host overloaded
%CSTP (Co-Stop) | CPU (c) | > 3% | SMP VMs waiting for all vCPUs to be scheduled together
%USED (CPU Used) | CPU (c) | > 90% sustained | Host physically running out of CPU cycles
MCTLSZ (Balloon) | Mem (m) | > 0 | Host reclaiming guest memory — host memory pressure
SWCUR (Swap) | Mem (m) | > 0 | Memory swapping to disk — severe performance degradation
DAVG/cmd (Disk latency) | Disk (d) | > 25ms | Average device latency — storage performance issue
KAVG/cmd (Kernel latency) | Disk (d) | > 2ms | Latency in VMkernel — queue depth or driver issue
DRPD (Packets dropped) | Net (n) | > 0 | Network packets dropped — NIC saturated or misconfigured
%MBPS (Bandwidth) | Net (n) | > 80% link | NIC approaching saturation — add uplinks or upgrade speed
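The thresholds in the table are meant to be applied to sustained values, and the batch output of esxtop (esxtop -b, shown earlier in the ESXi CLI section) is the usual way to capture them for offline review. The following is an added example, not code from the page or from VMware: it parses the CSV that esxtop -b writes, keeps the per-VM "Group Cpu" counters, and flags VMs whose %RDY or %CSTP stayed above the table's thresholds for more than one sample. The CSV text is a constructed sample in the counter-name layout of a typical export (\\host\Group Cpu(gid:name)\% Ready); verify the header names against your own export before relying on the regex.

```python
# Added example (not from the original page): parse esxtop -b CSV output and
# apply the %RDY / %CSTP thresholds from the table above. SAMPLE_BATCH is a
# constructed export; check the counter names against a real file first.
import csv
import io
import re

# Thresholds taken from the esxtop reference table above.
THRESHOLDS = {"% Ready": 5.0, "% CoStop": 3.0}

# Batch counter names look like \\host\Group Cpu(gid:vmname)\% Ready
COUNTER_RE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\Group Cpu\((?P<gid>\d+):(?P<vm>[^)]+)\)\\(?P<metric>.+)$"
)

SAMPLE_BATCH = r'''"(PDH-CSV 4.0) (UTC)(0)","\\esxi01\Group Cpu(12345:WebServer01)\% Ready","\\esxi01\Group Cpu(12345:WebServer01)\% CoStop","\\esxi01\Group Cpu(12346:DBServer01)\% Ready","\\esxi01\Group Cpu(12346:DBServer01)\% CoStop"
"06/01/2024 08:00:05","1.20","0.10","6.80","0.50"
"06/01/2024 08:00:10","1.50","0.20","7.40","3.90"
"06/01/2024 08:00:15","0.90","0.00","9.10","4.20"
'''


def parse_esxtop_batch(text):
    """Return {(host, vm): {metric: [sample values...]}} from esxtop -b CSV text.
    Only 'Group Cpu' counters are kept; timestamp and other columns are ignored."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    columns = {}
    for idx, name in enumerate(header):
        m = COUNTER_RE.match(name)
        if m:
            columns[idx] = (m.group("host"), m.group("vm"), m.group("metric"))
    series = {}
    for row in reader:
        if not row:
            continue
        for idx, (host, vm, metric) in columns.items():
            series.setdefault((host, vm), {}).setdefault(metric, []).append(float(row[idx]))
    return series


def find_contention(series, thresholds=THRESHOLDS, min_samples=2):
    """Return sorted (host, vm, metric, peak) for every VM whose metric exceeded
    its threshold in at least min_samples samples, so a single blip is ignored."""
    alerts = []
    for (host, vm), metrics in series.items():
        for metric, limit in thresholds.items():
            values = metrics.get(metric, [])
            if sum(1 for v in values if v > limit) >= min_samples:
                alerts.append((host, vm, metric, max(values)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, vm, metric, peak in find_contention(parse_esxtop_batch(SAMPLE_BATCH)):
        print(f"{host}/{vm}: {metric} peaked at {peak}% (threshold {THRESHOLDS[metric]}%)")
```

On the sample, DBServer01 is flagged for both counters while WebServer01 stays clean. One caveat when using real exports: the group-level %RDY in esxtop is the sum across all of the VM's vCPU worlds, so for a multi-vCPU VM divide the value by the vCPU count before comparing it with the per-vCPU 5% guideline, or expand the group to per-world counters when capturing.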