
Business Data
Cloud Mobility
Intelligence Centre

Enterprise Computing Solutions

Student Manual

Dirección General de Formación
CONSEJERÍA DE EMPLEO, TURISMO Y CULTURA
Comunidad de Madrid

UNIÓN EUROPEA
FONDO SOCIAL EUROPEO
The European Social Fund invests in your future

EDUCATION SERVICES
V8.2
IBM Training
Student Notebook

TCP/IP for AIX Administrators

Course code AN21 ERC 2.0


Trademarks
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United
States, or other countries, or both:
AFS™ AIX 5L™ AIX 6™
AIX® DB2® GPFS™
HACMP™ Notes® POWER Hypervisor™
Power Systems™ Power® PowerHA®
PowerVM® POWER6® System i®
System p® System x® System z®
Tivoli® 400®

Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the
United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other product and service names might be trademarks of IBM or other companies.

September 2013 edition


The information contained in this document has not been submitted to any formal IBM test and is distributed on an “as is” basis without
any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer
responsibility and depends on the customer’s ability to evaluate and integrate them into the customer’s operational environment. While
each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will
result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.

© Copyright International Business Machines Corporation 2010, 2013.


This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Course description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Unit 1. Network concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
The global picture of Internet network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Example of an enterprise network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Computer networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

How data is transmitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Data encapsulation through the protocol stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
The transport layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Transmission Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
User Datagram Protocol (UDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
The Internet layer: Internet Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
IP and subnet addressing (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
IP and subnet addressing (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Subnetting example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Supernetting example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23


Variable length subnet masking (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
Variable length subnet masking (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
Modifications to IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

IP routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
The link layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

The physical layer: Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30


Network communication example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31

Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Unit 2. Configuring TCP/IP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
TCP/IP start-up flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

/etc/rc.tcpip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Ethernet adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Minimum Configuration & Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Additional IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Command line TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

© Copyright IBM Corp. 2010, 2013 Contents iii


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.

Name resolution: Local host file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-12


Verifying network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-14
Verifying adapter information and state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-15
Verifying address resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-19
Additional configuration: IP aliasing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-20
Testing for remote connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-21
Viewing open sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-23
Removing IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-24

Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-25
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-26

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-28

Unit 3. inetd remote command services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1

Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2

The inetd daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3
Remote commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5

telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-6
rexec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9
r* commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-11
r* authentication files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
r* authentication files in action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
dsh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-15
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18

Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-20
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-21
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-22

Unit 4. OpenSSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-2
telnet, ftp, r* problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-3

SSH protocol (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-4


SSH protocol (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-5

Using SSH on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-6


sshd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-7
Client connection: ssh usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-8

Logging in without supplying a password (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . .4-9


Logging in without supplying a password (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . .4-10
Protecting your private key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-11
Logging in using a passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-12

scp and sftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-13


Advanced SSH topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-14
SSH port forwarding (tunneling) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-15
SSH local port forwarding syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-16
SSH local port forwarding with VNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-17
SSH remote port forwarding example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-19
SSH port forwarding to a third host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-21


SSH port forwarding to a third host example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22


SSH dynamic port forwarding (web proxy) (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . 4-23
SSH dynamic port forwarding (web proxy) (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . 4-24
X11 forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-25
Restricting forwarding (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-26
Restricting forwarding (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31

Unit 5. VLAN theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

IEEE 802.1Q VLAN tagging (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

IEEE 802.1Q VLAN tagging (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
AIX VLAN tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

Power systems, VLANs, and virtual Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
VIOS and VLAN bridging availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
VEth configuration example: Dual networks and dual VIOS . . . . . . . . . . . . . . . . . . 5-9
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15

Unit 6. Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Routing implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
IP routing algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Viewing the routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8

Establishing routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10


Static routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11
Route command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12

Dynamic routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13


Dynamic routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14

ICMP redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16


Path MTU discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-17
Path MTU table and options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-18

Exercise: Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19


Debugging routing problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

Unit 7. Network availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Levels of network availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3
Route load balancing and availability overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5
MPR load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6
MPR policy codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7


MPR metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-8


Availability: Dead gateway detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-9
MPR scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-11
Test 1: Weighted round-robin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-12
Test 2: Weights (1 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-13
Test 2: Weights (2 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-14
Test 2: Weights (3 of 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-15
Test 3: Cost (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-16

Test 3: Cost (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-17
Test 4: Active DGD (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-18

Test 4: Active DGD (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-19
Test 5: Passive DGD (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-20
Test 5: Passive DGD (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-21

Gigabit fast failover: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-22

GFF implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-24

GFF testing: Primary port failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
GFF testing: Primary port recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-26

Link aggregation and EtherChannel: Overview (1 of 2) . . . . . . . . . . . . . . . . . . . . .7-27
Link aggregation and EtherChannel: Overview (2 of 2) . . . . . . . . . . . . . . . . . . . . .7-29
Link aggregation: Key AIX configuration options . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
Link aggregation: Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
Link aggregation: Attributes and status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-35
Link aggregation: Link failure and recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-40
Link aggregation: Dynamic changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-41
Combining link aggregation and gigabit fast failover . . . . . . . . . . . . . . . . . . . . . . .7-42

Link aggregation and gigabit fast failover configuration . . . . . . . . . . . . . . . . . . . . .7-43


LA and GFF: Primary adapter failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-44
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-47
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-48

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-49


Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-50

Unit 8. DNS and BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-2

What is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-3


History of DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-4
History of BIND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-6

Internet domain name structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-7


DNS lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-8
DNS reverse lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-10
Types of name servers (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-12

Types of name servers (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-13


Resource records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-14
First steps: BIND on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-15
Configuring a master name server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-16
DNS example scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-17
DNS primary control file: /etc/named.conf (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . .8-18
DNS primary control file: /etc/named.conf (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . .8-19


Name zone file (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-20


Name zone file (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22
IP zone file (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23
IP zone file (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24
IP loopback zone file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Remaining master server configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26
Configuring a slave name server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-27
Slave control file: /etc/named.conf (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28

DNS control file: /etc/named.conf (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29
Caching-only / forwarder name server (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30

Caching-only / forwarder name server (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Creating sub (child) domains (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Creating sub (child) domains (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34

Adding static hosts to the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35

Adding hosts dynamically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36

Adding hosts dynamically using TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
Adding hosts dynamically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38

Client set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Client name resolution order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Client resolvers (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
Client resolvers (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Client caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
netcd example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-46
Administering the named daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-47
Remote name daemon control set up (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48

Remote name daemon control set up (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-49


rndc examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-52
Logging: Channel statement syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-53

Logging: Category statement syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54


Logging example: Bringing it all together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55
Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-56

Split DNS example (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57


Split DNS example (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-58

Removing BIND version information (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59


Removing BIND version information (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-61

Checkpoint (2 of 2) solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-62


Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-64

Unit 9. DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
TCP/IP configuration introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
DHCP client-server interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
DHCP relay function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Network options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10


DHCP AIX implementation example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-11


DHCP AIX server configuration (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-12
DHCP AIX server configuration (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-14
DHCP client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-16
DHCP relay configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-17
SRC DHCP control on AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-18
Querying the server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-19
Querying the client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-20

Dynamic DNS updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-21
Dynamic DNS update example (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-22

Dynamic DNS update example (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-23
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-24
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-25

Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-26

Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-27

.F a
Unit 10. Network File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1

C rm
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-2
10.1. NFS versions 2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
NFS versions 2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Network File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
to fo
Connection, state, and locking: NFS v2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7
Daemons and NFS client server interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-9
Authorization methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11
NFS server configuration: Starting and stopping . . . . . . . . . . . . . . . . . . . . . . . . .10-13
ec vo

NFS server configuration: Manual exporting . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-15


NFS server configuration: SMIT configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .10-17
Manual NFS client mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-18
Predefined NFS client mounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-19
oy si

Automount overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-21


Map files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-22
Automount in operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-24
u

Topic summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-25


10.2. NFS version 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-27
cl

NFS version 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-28


NFSv4 overview and design goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-29
New daemon processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-31
Ex

NFSv4 pseudo file system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-32


NFSv4 alias tree extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-34
NFSv4 referrals (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-35
NFSv4 referrals (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-36
pr

NFSv4 replication (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-37


NFSv4 replication (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-38
NFSv4 delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-40
Using NFSv3 and NFSv4 side by side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-42
NFSv4 security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-43
Topic summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-45
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-46

Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-47
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-48
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-49

Unit 11. Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2
Overview of troubleshooting commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3
General TCP/IP problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4
Cannot reach the destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Duplicate IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Flow through the TCP/IP stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Network performance: Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Network performance: Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Tuning network parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Changing ISNO parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24
Changing MTU parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
Packet analysis: tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
tcpdump examples (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-32
tcpdump examples (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-33
Packet analysis: iptrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
iptrace: Sample packet output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
iptrace examples (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
iptrace examples (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-41

Unit 12. Time services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2
The Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3
Sources of time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4
Stratum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6
NTP communications methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7
NTP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8
/etc/ntp.conf configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9
Receiver pseudo IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11
Timed daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12
timed command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14
timedc command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16
setclock command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-18
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21


Appendix A. IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Appendix B. AIX and Windows interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
Accessing a Power system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
Partition / HMC access over the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Remote connection to an AIX CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5
PuTTY Connection Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-6
UNIX and Korn shell for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7
Examples of UNIX emulation tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Microsoft Windows Services for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-10
Remote graphical access to an AIX partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-11
Example of remote graphical access using Cygwin/X . . . . . . . . . . . . . . . . . . . . . B-12
Virtual Network Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13
VNC configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14
VNC over SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-15
Graphical tools for file transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-16
Sharing AIX file systems with Windows (Samba) . . . . . . . . . . . . . . . . . . . . . . . . . B-18
Samba installation and configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19
Sharing AIX file systems with Windows (SSHFS) . . . . . . . . . . . . . . . . . . . . . . . . B-21
Graphical traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-22
Graphical packet capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-23
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-24
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-25
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-26

Appendix C. Checkpoint solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-1

Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X-1

Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X-11

Course description


TCP/IP for AIX Administrators

Duration: 4 days

Purpose

This course teaches implementing, using, and troubleshooting TCP/IP
on an AIX system. This includes defining multiple interfaces, VLAN
aware adapters, multiple routes, aggregated adapters, gigabit fast
failover, and controlling ports used for network services. It continues
with configuring AIX to participate as client or server in several
standard network services; for example: remote command and file
transfer services (both traditional and secured), configuring SSH
forwarding, DNS (including dynamic updates), time services, DHCP,
and NFS (V3 and V4).
This course provides essential networking skills which are important in
mastering advanced courses involving provisioning over the network,
performance, virtualization, high availability, and clustering. This
course is designed specifically for AIX version 7 but is also applicable
to previous versions.

Audience
Network administrators or other personnel responsible for the
configuration, use, and support of TCP/IP and common network
services on AIX version 6 or version 7.

Prerequisites
• Students should have a general working knowledge of the AIX
environment and commands. Students should be comfortable
using the AIX command line, vi, and SMIT. These skills can be
acquired by taking the following courses:
- AN10 AIX Basics
- AN12 Power Systems for AIX II: AIX Implementation and
Administration


Objectives
After completing this course, you should be able to:
• Describe the fundamental concepts of TCP/IP, protocols, and
addressing
• Configure TCP/IP on AIX
• Configure and use telnet, ftp, rexec, rlogin, rsh, rcp, and dsh
• Configure and use the open secure shell (OpenSSH)
• Connect multiple TCP/IP networks using static and dynamic
routing
• Understand the theory of VLANs and how IEEE 802.1Q protocol is
used in Power systems
• Configure routing, multipath routing and dead gateway detection
(DGD)
• Understand and configure gigabit fast failover and link aggregation
or EtherChannel
• Describe Domain Name System (DNS) function
• Configure DNS on AIX
• Describe Dynamic Host Configuration Protocol (DHCP) function
• Configure DHCP on AIX
• Describe Network File System (NFS) function
• Configure NFS versions 3 and 4 on AIX
• Configure the NFS automounter on AIX
• Perform basic troubleshooting of network problems
• Configure for time services such as the Network Time Protocol
(NTP) and timed
Additionally, there is appendix material which covers:
• IP version 6
• Interoperability with Microsoft Windows platforms


Agenda
Day 1
Welcome
Unit 1: Network concepts
Exercise 1: TCP/IP concepts
Unit 2: Configuring TCP/IP
Exercise 2: Configuring TCP/IP
Unit 3: inetd remote command services
Exercise 3: The inetd daemon and remote command inetd services

Day 2
Unit 4: OpenSSH
Exercise 4: OpenSSH
Unit 5: VLAN theory
Exercise 5: Configuring VLANs
Unit 6: Routing
Exercise 6: Routing
Unit 7: Network availability

Day 3
Exercise 7: Network availability (optional)
Unit 8: DNS and BIND
Exercise 8: Configuring a DNS domain
Unit 9: DHCP
Exercise 9: Configuring a DHCP and dynamic DNS

Day 4
Unit 10: Network File System
Exercise 10: Configuring NFS
Unit 11: Problem determination
Exercise 11: Problem determination
Unit 12: Time services
Exercise 12: Time services


Unit 1. Network concepts

What this unit is about

This unit provides an introduction to networking and Transmission
Control Protocol/Internet Protocol (TCP/IP).
It describes global network concepts, hardware and software
components, the layered TCP/IP model, TCP/IP protocols, and IP
addressing and defines important terminology associated with TCP/IP.

What you should be able to do

After completing this unit, you should be able to:
• Describe global network concepts
• Define network components
• Describe the following:
- The main TCP/IP protocols
- The TCP/IP layering model
- IP addressing, subnetting, supernetting, and VLSM

How you will check your progress

• Checkpoint questions
• Lab exercises
Student Notebook

Unit objectives
IBM Power Systems

After completing this unit, you should be able to:
• Describe global network concepts
• Define network components
• Describe the following:
– The main TCP/IP protocols
– The TCP/IP layering model
– IP addressing, subnetting, supernetting, and VLSM

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 1-1. Unit objectives AN212.0

Notes:

The global picture of Internet network

• 1,596,270,108 Internet users (March 2009)
• A vast array of servers and workstations
• Managed using Web browsers, electronic mail, online chat, telephony,
file transfer, file sharing, data streaming, and collaborative applications
• Consists of millions of private and public networks
• Linked by copper wires, fiber-optic cables, wireless connections, and
other technologies
• Results in a huge amount of online information and shared resources
• Is a super fast highway


Figure 1-2. The global picture of Internet network AN212.0

Notes:
In the 1970s, the sharing of expensive computing resources, such as mainframes, was
causing a bottleneck in the development of new computer science technology, so
engineers developed networking as a way of sharing resources.
For example, the Europe to USA network traffic could increase up to hundreds of gigabits
per second depending on the hour of the day.
The complex communications infrastructure of the Internet consists of its hardware
components and a system of software layers that control various aspects of the
architecture. While the hardware can often be used to support other software systems, it is
the design and the rigorous standardization process of the software architecture that
characterizes the Internet.
Aside from the complex physical connections that make up its infrastructure, the Internet is
facilitated by multi-lateral commercial contracts and by technical specifications or protocols
that describe how to exchange data over the network. Indeed, the Internet is defined by its
interconnections and routing policies.


The responsibility for the architectural design of the Internet software systems has been
delegated to the Internet Engineering Task Force (IETF). The IETF conducts
standard-setting work groups, open to any individual, about the various aspects of Internet
architecture. Resulting discussions and final standards are published in Requests for
Comments (RFCs) and are freely available on the IETF web site.
The most prominent component of the Internet model is the Internet Protocol (IP) which
provides addressing systems for computers on the Internet and facilitates the
internetworking of networks.
Similar to the way commercial Internet providers connect via Internet exchange points,
research networks tend to interconnect into large subnetworks.

.
C
.F a
C rm
to fo
ec vo
oy si
u
cl
Ex
pr

1-4 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Example of an enterprise network

• Consists of several local and geographically dispersed networks for
different departments
• Provides Internet access and related services
• Uses a vast array of network hardware

[Figure: two sites, Building 1 and Building 2, joined by a trunk link; each site
carries VLANs for the HR, Engineering, Finance, and Marketing departments and has
its own Internet connection]

Figure 1-3. Example of an enterprise network AN212.0

Notes:
An enterprise network is both local and wide area in scope. It integrates all the systems
within an organization, whether they are Windows computers, Apple Macintosh, UNIX
workstations, minicomputers, or mainframes.
An enterprise network can be thought of as a plug-and-play platform for connecting many
different computing devices. In this platform scenario, no user or group is an island. All
systems can potentially communicate with all other systems while maintaining reasonable
performance, security, and reliability.

Student Notebook

Computer networking
• Computers (hosts) use protocols (software layers) to communicate over a
physical infrastructure.
– TCP/IP layers consist of rules which define how hosts communicate on a network.

Layer              Protocol examples                          Network device examples
Application layer  HTTP, Telnet, SSH, FTP, SMTP, POP, DHCP,   Layer 7 switch
                   DNS, BOOTP, SNMP, NTP, LDAP
Transport layer    TCP, UDP                                   Firewall
Internet layer     IPv4, IPv6, ICMP, IPSec                    Router, Layer 3 switch
Link layer         ARP, NDP, CDP                              Switch, Bridge, NIC

Figure 1-4. Computer networking AN212.0

Notes:
The TCP/IP protocol suite consists of lots of different protocols, which are described in
many thousands of RFCs. Most of these protocols and RFCs are either application specific
(such as RFC 959, which describes the FTP protocol) or describe how data should be
transferred over a specific architecture (such as RFC 894, which describes IP over
Ethernet). For now, it is important to understand the working and interdependency of only a
few core protocols. Since these protocols are built on top of each other, where one protocol
uses another protocol to get things done, the interdependency is just as important as
understanding each protocol independently.
From top to bottom we find the following protocols:
• Applications use either the User Datagram Protocol (UDP) or the Transmission Control
Protocol (TCP) to transmit their data. Both TCP and UDP deliver the data to the right
process and make use of IP to arrange delivery to the right host. The difference
between UDP and TCP is that TCP implements a mechanism of acknowledgments,
whereby reliability can be guaranteed. UDP does not have such a mechanism, making
UDP less reliable.


• The Internet layer is responsible for end-to-end (source to destination) packet delivery
including routing through intermediate hosts. Internet control message protocol (ICMP)
messages are typically generated in response to errors in IP datagrams or for
diagnostic or routing purposes. The IPsec protocol is responsible for securing Internet
protocol (IP) communications by authenticating and encrypting each IP packet of a data
stream.
• The network interface is the protocol layer which transfers data between hosts. In order
to do this a physical medium, such as copper or fiber, is required. Hence, the network
interface and physical layers are closely related.

Common network devices
• Repeater. A repeater is an electronic device that receives a signal and retransmits it at
a higher level and a higher power so that the signal can cover longer distances without
degradation. Because repeaters work with the actual physical signal and do not attempt
to interpret the data being transmitted, they operate on the Physical layer, which is the
first layer of the OSI model.
• Network Interface Card (NIC). A NIC is a LAN adapter which is designed to allow
computers to communicate over a computer network. It is both a layer 1 (physical layer)
and layer 2 (data link layer) device because it provides physical access to a networking
medium and provides a low-level addressing system through the use of MAC
addresses.
• Bridge. A bridge is a hardware device for linking two networks that work with the same
protocol. Unlike a repeater, which works at the physical level, a bridge works at the
logical level (on layer 2), which means it can filter frames so that it only lets past data
whose destination address corresponds to a machine located on the other side of the
bridge.
• Switch. A network switch is a device that connects network segments. The term
commonly refers to a network bridge that processes and routes data at the Data link
layer (layer 2) of the OSI model.
- Layer 3. Switches that additionally process data at the network layer (layer 3 and
above) are often referred to as layer 3 switches or multi-layer switches. A layer 3
switch can perform some or all of the functions normally performed by a router.
- Layer 4. Layer 4 switches process data at the transport layer and are always
vendor-dependent. An example of a layer 4 switch is a firewall which performs
transport layer functions such as Network Address Translation (NAT), IP filtering, and
packet encryption/decryption.
- Layer 7. The most advanced switches, called layer 7 switches (corresponding to the
application layer of the OSI model), can redirect data based on advanced
application data contained in the data packets, for example, an awareness of the
type of the file being sent by FTP. For this reason, a layer 7 switch can be used for
load balancing by routing the incoming data flow to servers which have a lower load
or are responding more quickly.

Student Notebook

How data is transmitted

• Before the final packet is established, the data is passed through the
following protocol layers:

The application layer   Data
The transport layer     Package and multiplex data for multiple applications
The Internet layer      Addresses
The link layer          Post to the transport media
The physical layer      Network


Figure 1-5. How data is transmitted AN212.0

Notes:
The Internet Protocol Suite (commonly known as TCP/IP) is the set of communications
protocols used for the Internet and other similar networks. It is named from two of the most
important protocols in it: the Transmission Control Protocol (TCP) and the Internet Protocol
(IP).
Each layer is a group of methods and protocols which provides a service and adds the
corresponding transmission data to the packet.
TCP/IP layers look like a logistic work-flow, and processes and tasks are executed at each
layer of the suite. Each layer and its function is described in the following slides.
The link layer is the lowest layer in the Internet Protocol Suite.
The physical layer consists of the basic hardware transmission technologies of a network.
It is a fundamental layer underlying the logical data structures of the higher level functions.
The physical layer defines the means of transmitting raw bits rather than logical data
packets over a physical link connecting network nodes.


Data encapsulation through the protocol stack

• As data moves down the layers it is encapsulated at each level.
• Each layer adds the corresponding transmission data to the packet to
complete the frame.

[Figure: data encapsulation through the layers]
Application layer   Data
Transport layer     TCP/UDP header | Data
Internet layer      IP header | Data
Link layer          Frame header | Data | Frame footer


Figure 1-6. Data encapsulation through the protocol stack AN212.0

Notes:
A frame consists of the following key information:

• Layer 4: Transport layer, TCP packet, and source and destination port numbers
including the payload or data.
• Layer 3: IP layer, and source and destination IP addresses.
• Layer 2: Source and destination MAC addresses. The frame header contains the
preamble. The preamble alerts and synchronizes the network interface card (NIC) to
the incoming data. The frame footer contains the frame check sequence. This provides
a cyclic redundancy check (CRC) on all data held in the frame. CRC is an error
detection mechanism generated by the NICs. The source NIC generates a 32-bit CRC
figure from the address, type, and data fields. The destination NIC does the same
calculations. If the destination NIC calculates the same figure for the CRC as the
source, the frame was received error-free.
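The encapsulation shown in Figures 1-6 and 1-8, as an added example that is not part of the course material: application data is walked down the stack (TCP header with ports, IP header with addresses, frame header with MAC addresses and a CRC-32 footer) and back up, with the segment size chosen so that each IP packet fits the MTU. The MAC addresses, ports and IP addresses are constructed; zlib.crc32 uses the same CRC-32 polynomial as the Ethernet frame check sequence (wire bit ordering is not modelled), and the TCP checksum that a real stack fills in is left at zero.

```python
import struct
import zlib

# Minimal header sizes, no options (the layout the slides draw).
ETH_HDR_LEN, IP_HDR_LEN, TCP_HDR_LEN, FCS_LEN = 14, 20, 20, 4
IPPROTO_TCP = 6


def ip_to_bytes(dotted):
    """Dotted-decimal address to four network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def inet_checksum(data):
    """RFC 1071 ones-complement checksum of the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port, dst_port, seq, payload):
    """Layer 4: TCP header carrying source and destination ports (checksum left 0)."""
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         5 << 12, 65535, 0, 0)   # data offset 5 words, window 65535
    return header + payload


def ip_packet(src_ip, dst_ip, proto, payload):
    """Layer 3: IPv4 header carrying source and destination addresses."""
    fields = [0x45, 0, IP_HDR_LEN + len(payload), 0, 0, 64, proto, 0,
              ip_to_bytes(src_ip), ip_to_bytes(dst_ip)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def ethernet_frame(src_mac, dst_mac, payload):
    """Layer 2: header with MAC addresses and EtherType, footer with the CRC-32 FCS."""
    body = dst_mac + src_mac + b"\x08\x00" + payload   # EtherType 0x0800 = IPv4
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def frame_is_intact(frame):
    """The receiving NIC recomputes the CRC over header + data and compares it."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def encapsulate_tcp(data, src_ip, dst_ip, src_port, dst_port, mtu=1500,
                    src_mac=b"\x02\x00\x00\x00\x00\x01",
                    dst_mac=b"\x02\x00\x00\x00\x00\x02"):
    """Walk data down the stack, one frame per MSS-sized TCP segment."""
    mss = mtu - IP_HDR_LEN - TCP_HDR_LEN   # largest segment that avoids IP fragmentation
    frames = []
    for offset in range(0, len(data), mss):
        seg = tcp_segment(src_port, dst_port, offset, data[offset:offset + mss])
        pkt = ip_packet(src_ip, dst_ip, IPPROTO_TCP, seg)
        frames.append(ethernet_frame(src_mac, dst_mac, pkt))
    return frames


def decapsulate(frame):
    """Walk one frame back up the stack, checking and peeling a header per layer."""
    if not frame_is_intact(frame):
        raise ValueError("frame check sequence mismatch")
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + IP_HDR_LEN]
    if inet_checksum(ip_hdr) != 0:        # a valid header checksums to zero
        raise ValueError("IP header checksum mismatch")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    tcp = frame[ETH_HDR_LEN + IP_HDR_LEN:ETH_HDR_LEN + total_len]
    src_port, dst_port, seq = struct.unpack("!HHI", tcp[:8])
    return {"src_ip": bytes_to_ip(ip_hdr[12:16]), "dst_ip": bytes_to_ip(ip_hdr[16:20]),
            "src_port": src_port, "dst_port": dst_port, "seq": seq,
            "data": tcp[TCP_HDR_LEN:]}
```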

© Copyright IBM Corp. 2010, 2013 Unit 1. Network concepts 1-9



The transport layer



• The transport layer is responsible for encapsulating application data into
units suitable for transfer to the destination host.
• Applications are multiplexed to the transport layer using ports.
• Essentially, two transport models exist:
  – Transmission Control Protocol (TCP)
  – User Datagram Protocol (UDP)
• A port identifies the application on the host.
  – Server side ports are well known and fixed in the range 0 to 1023.
    • Stored in /etc/services
    • For example, ftp uses port 21 and can be used over TCP or UDP

      # grep "^ftp .*]$" /etc/services
      ftp             21/tcp          # File Transfer [Control]
      ftp             21/udp          # File Transfer [Control]

  – Client side ports are dynamic > 1023.
  – Every client connection uses a new port.

Figure 1-7. The transport layer AN212.0

Notes:
The transport layer provides transparent transfer of data between end systems using the
services of the network (IP) layer. The transport layer multiplexes data from different
application processes. The connection-oriented model uses ports. Ports are essentially
ways to address multiple entities in the same location. For example, the first line of a postal
address is a kind of port and distinguishes between different occupants of the same house.
Computer applications will each listen for information on their own ports, which is why you
can use more than one network-based application at the same time.

Essentially, two transport models exist:
• TCP is used for many protocols, including Web browsing and email.
• UDP is used for multi-casting and broadcasting since retransmissions are not possible
to a large amount of hosts.

Each application is officially assigned a port number. Each process listens on the
destination port for incoming packets and sends outgoing packets to the source port.
Processes can bind to multiple ports, and well known ports are in the range 0 to 1023.


Transmission Control Protocol



• Transmission Control Protocol (TCP)
  – Connection-orientated interface to the IP layer
  – Provides reliability, flow control, and error recovery
    • Each byte transmitted requires an acknowledgment
    • Receiver indicates to the sender the number of bytes it can receive without
      buffer overflow
    • Missing packets are retransmitted
  – Full duplex

  Data flow through the stack (figure):

  Application (user space)   DATA
  Transport (kernel)         TCP segments:  [TCP][DA]  [TCP][TA]            each segment at most MSS
  IP layer                   IP packets:    [IP][TCP][DA]  [IP][TCP][TA]    each packet at most MTU
  Link                       Frame:         [LINK][IP][TCP][DA][CHKSM]

  MSS: Maximum Segment Size
  MTU: Maximum Transmit Unit

Figure 1-8. Transmission Control Protocol AN212.0

Notes:
TCP offers a connection-oriented interface to IP, which means that, if applications use TCP,
a reliable data transfer is guaranteed. If IP packets are lost, duplicated, or arrive out of
order, the TCP protocol will take all necessary actions to correct this and deliver the data to
the application in exactly the same way it was sent.

This makes TCP the suitable protocol for all applications that require unicast (one-to-one)
reliable communications. Examples of these applications include Web servers, telnet, ftp,
mail, and so forth.

This reliability comes at a cost though. The overhead of communicating via TCP is much
higher. Some of the problems that need to be handled by TCP are:
• Connection setup: check whether the other party is alive and able and willing to receive
data on a certain port.
• Out-of-sequence arrival of packets.
• Duplicate arrival of packets.


• Acknowledgment of packets and retransmission of lost packets and lost
acknowledgments.
• Pacing: A method where multiple packets can be sent before the sender expects
acknowledgment.
• Connection closing: A connection can only be closed once all parties have sent all the
data they wanted to send.

The MSS is only negotiated at the start of the connection and remains in force for the life of
the connection. The purpose of this negotiation is to avoid fragmentation at the IP layer. At
the same time, we want to use the largest segment size possible. Since there is overhead
for each TCP segment, the largest segment size possible should be used, as long as there
is no IP fragmentation.


User Datagram Protocol



• User Datagram Protocol (UDP)
  – A connectionless interface to the IP layer
  – Does not assure datagram delivery or duplication protection
  – No reliability, error recovery, or flow control
  – Typically provides higher throughput and shorter latency

  Data flow through the stack (figure):

  Application (user space)   DATA
  Transport (kernel)         UDP datagram:  [UDP][DATA]                          (not segmented)
  IP                         IP packets:    [IP][UDP][DA]  [IP][UDP][TA]         MTU compliance: fragment 1, fragment 2
  Link                       Frame:         [LINK][IP][UDP][DA][CHKSM]

  MTU: Maximum Transmit Unit

Figure 1-9. User Datagram Protocol (UDP) AN212.0

Notes:
The UDP protocol is nothing more than a simple interface to IP with the addition of the
ports concept. As with IP, UDP does not guarantee packet delivery or duplication
protection.

At first glance, this seems senseless. Which application is going to accept the loss of its
data? However, there are a few applications that benefit from this:
• Applications that use broadcasts or multi-casts. If you talk to ten, twenty, a hundred, or
more systems at once (for example, when doing Internet radio broadcasts), you
probably cannot or will not want to handle the complexities of every system reporting
back to you which packet they did or did not receive or resend all the packets that were
lost. In such situations, if a packet is lost, nothing is done because nothing can
reasonably be done about it.
• Another reason for using UDP when streaming radio or video is that time goes on. If a
packet is lost and you want to resend it, you have to interrupt the stream momentarily
and can only continue when the packet has been resent. This might take a few
seconds, and during that time the user is staring at a blank screen. It is more likely that


the user, in case of a lost packet, will accept a little static on his or her screen for a few
milliseconds.
• The third reason why an application might want to use UDP is the low overhead of UDP.
This is really important where performance is critical, and the chance of data loss is low
and can be handled.

If the data being transmitted is greater than the size of the maximum transmission unit,
then it is fragmented into smaller chunks. Fragmentation degrades network performance
as the packets have to be reassembled on the other side.


Sockets

• A socket is a combination of address, protocol, and port number.
• A pair of sockets defines a unique application network connection.
  – Can be listed using the netstat -a command

    # netstat -a | grep ftp
    Proto Recv-Q Send-Q  Local Address        Foreign Address      (state)
    tcp        0      0  nimmaster.41395      grumpy.ftp           ESTABLISHED
    udp        0      0  *.tftp               *.*

Figure 1-10. Sockets AN212.0

Notes:
A socket is the software structure created by the application process which consists of a
combination of a port number, transport layer protocol (TCP or UDP), and an IP address.
A socket uniquely identifies a single network process.

TCP and UDP both implement ports independently of each other. Consequently, TCP port
53 is not the same socket as UDP port 53 of the same host.

A TCP server can serve several clients concurrently, and the server creates one socket for
each client. These sockets share the same local socket address and have different remote
socket addresses. For example, port 80 of an HTTP server can serve multiple HTTP
clients. Several sockets will be created by the server for each client.

A communicating local and remote socket are called a socket pair, and this defines a
unique application network connection.

The /etc/services file defines the port portion of the socket and protocols used for well
known ports for network services. The fields are official network service name, socket port
number used for the service, transport protocol used for the service, and aliases (if
desired). The file can be edited as necessary.
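The /etc/services lookup from Figure 1-7 and the netstat -a listing from Figure 1-10, as an added example that is not part of the course material: it resolves the service names netstat prints back to port numbers, splits each line into a (local, remote) socket pair, separates well-known from dynamic ports, and lists the sockets bound to every address that other hosts could reach. Both input texts are constructed from the slides' examples, and the function names are my own.

```python
# Constructed /etc/services excerpt in the layout shown on the slide
# (official name, port/protocol, optional aliases, optional # comment).
SERVICES_TEXT = """\
ftp       21/tcp                  # File Transfer [Control]
ftp       21/udp                  # File Transfer [Control]
ssh       22/tcp
domain    53/tcp                  # Domain Name Server
domain    53/udp                  # Domain Name Server
tftp      69/udp
http      80/tcp   www www-http   # World Wide Web HTTP
"""

# Constructed netstat -a output in the AIX column layout shown on the slide.
NETSTAT_TEXT = """\
Proto Recv-Q Send-Q  Local Address        Foreign Address      (state)
tcp        0      0  nimmaster.41395      grumpy.ftp           ESTABLISHED
tcp        0      0  *.ssh                *.*                  LISTEN
tcp        0      0  *.http               *.*                  LISTEN
udp        0      0  *.tftp               *.*
udp        0      0  *.domain             *.*
"""

WELL_KNOWN_MAX = 1023   # server side ports are fixed in the range 0 to 1023


def parse_services(text):
    """Build (name, proto) -> port and (port, proto) -> official name lookups.
    Ports are keyed per protocol: TCP 53 and UDP 53 are different entries."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        port = int(port)
        by_port[(port, proto)] = fields[0]
        for alias in [fields[0]] + fields[2:]:   # aliases resolve to the same port
            by_name[(alias, proto)] = port
    return by_name, by_port


def split_socket_address(addr, proto, by_name):
    """'nimmaster.41395' -> ('nimmaster', 41395). netstat prints the port as a
    service name when /etc/services knows it, and '*' for 'any'."""
    host, _, port = addr.rpartition(".")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, by_name[(port, proto)]


def parse_netstat(text, by_name):
    """One record per line: protocol, local socket, remote socket, state."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Proto":   # skip the header line
            continue
        proto = fields[0]
        sockets.append({
            "proto": proto,
            "local": split_socket_address(fields[3], proto, by_name),
            "remote": split_socket_address(fields[4], proto, by_name),
            "state": fields[5] if len(fields) > 5 else "",
        })
    return sockets


def classify_port(port):
    """Well-known server port or dynamic client port, per the slide's ranges."""
    return "well-known" if port <= WELL_KNOWN_MAX else "dynamic"


def exposed_services(sockets, by_port):
    """Sockets bound to every local address with no peer: a TCP LISTEN socket
    or an unconnected UDP socket. Returns (proto, port, service name)."""
    result = []
    for s in sockets:
        host, port = s["local"]
        waiting = s["state"] == "LISTEN" or s["proto"] == "udp"
        if host == "*" and s["remote"] == ("*", None) and waiting:
            result.append((s["proto"], port, by_port.get((port, s["proto"]), "unknown")))
    return result
```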


The Internet layer: Internet Protocol



• Internet Protocol (IP) is the core Internet layer protocol.
  – Defines addressing methods and handles the routing of packets
• The IP layer provides the following functions:
  – Transmission of outgoing packets to the data link layer for delivery to the
destination host or gateway and incoming packets to the transport layer
  – Error detection and diagnostics
• The Internet layer is not responsible for reliable transmission.
  – Reliability of service provided by higher level protocols, such as the
Transmission Control Protocol (TCP) in the Transport Layer
• Layering allows IP to be used over heterogeneous networks, such as
Ethernet, ATM, FDDI, Wi-Fi, token ring, or others.
• IP is capable of fragmenting/defragmenting packets based on the
maximum transmission unit (MTU) of link elements.

Figure 1-11. The Internet layer: Internet Protocol AN212.0

Notes:
The IP protocol is the packet delivery protocol of the TCP/IP protocol suite. It is comparable
to the Postal Service in that it delivers the packet independent of the physical infrastructure
such as train, airplane, car, bike, or horse-and-cart.

IP uses a best-effort approach. It tries to deliver the data to the destination, but in order to
be efficient it does not make any guarantees as to if and when the data will arrive. It might
well be that different packets that make up a connection will take a different route and will
arrive in the wrong order, duplicated, or not at all. It is up to the higher layer protocol to
correct this or not.

The routing of IP packets is based on a so-called “IP address” which can be compared to a
zip code. At every hop, this IP address is read, a routing table is consulted, and the packet
is sent to the next hop, where again a routing table is consulted. These routing tables are
important, since a wrong routing table somewhere will mean that packets are not sent to
the destination via the shortest route but will either take a detour or not arrive at all. In fact,
incorrect routing tables might actually cause a packet to circle through a network
indefinitely (or until a timer runs out).

Routing has its own unit later in this course. The IP protocol offers the following additional
features as well:
• If a packet is too large for the architecture that it has to pass through, then a packet can
be fragmented into multiple, smaller packets that are sent individually to the destination.
At the destination, the fragments are reassembled.
• Each IP packet can have a priority indication which identifies the type of service that is
needed: low latency, high bandwidth, low cost, or maximum reliability. Unfortunately,
this priority mechanism is not often implemented. All packets are often using the same
path to a destination, regardless of their requested type of service, and are transmitted
on a first-come, first-served basis.
• The IP protocol offers a broadcast capability, using a specially formed IP address. This
allows you to send an IP packet to all systems on the local network (LAN).


IP addressing

• An IP address is a numerical identification and logical address
that is assigned to a network interface card (NIC) connected
to a network.
• IP version 4 uses four byte addresses which are presented in
dotted decimal notation (for example: 80.1.205.104).
• Each packet has both source and destination IP addresses.
  – Destination IP address used to forward packets to their correct
destination
  – Source address provided to support acknowledgements and replies
• Every TCP/IP host contains a special address called the
loopback which is assigned an address of 127.0.0.1.
  – Useful for TCP/IP connections between processes in the same host

Figure 1-12. IP addressing AN212.0

Notes:
An Internet Protocol (IP) address is a numerical identification and logical address that is
assigned to devices participating in a computer network utilizing the Internet Protocol for
communication between its nodes.

IP addresses are stored as binary numbers. They are usually displayed in human-readable
notation, for example: 80.1.205.104.

IP and subnet addressing (1 of 2)



• An IP address is a combination of the network number and the host
identifier, as identified by an associated subnet mask.
  – 32 bits, divided into four octets:

      IP address    10000001  00100001  10010111  00000111
                       129   .    33   .   151   .    7
      Subnet mask   11111111  11111111  00000000  00000000   /16
                       255   .   255   .    0    .    0
                    | Network identification | Host identification |

  – The subnet mask = 255.255.0.0
  – The network address = 129.33.0.0
  – The broadcast address = 129.33.255.255
  – The first host on the network = 129.33.0.1
  – The last host on the network = 129.33.255.254
• The alternative CIDR notation specifies the number of network bits:
  – The network address = 129.33/16

Figure 1-13. IP and subnet addressing (1 of 2) AN212.0

Notes:
In order to be able to deliver the IP packet to the correct destination host, every host needs
an IP address. These IP addresses are 32-bit values and have to be unique. In most cases,
the IP address is not written in its binary form but in the so-called decimal dot notation,
where the 32 bits are grouped into four groups of eight bits each, and those eight bits are
written in decimal form, separated with dots.

The subnet mask allows us to identify the two key pieces of information in the IP address:
the address of the network and the host identification (host ID). Each bit with a 1 value in
the mask’s 32-bit string identifies that the corresponding bit position in the IP address is
part of the network ID. A value of 255 in a dotted decimal octet indicates that the entire
matching octet in the IP address is part of the network ID.

An alternative notation that is used to describe the network portion of an IP address is CIDR
notation. CIDR stands for Classless Inter-Domain Routing, but the CIDR notation is often
used even when routing is not classless. In CIDR notation, a suffix is provided which
identifies the number of contiguous most significant bits in the IP address that represent the
network ID.


Several addresses and address ranges are reserved for special purposes. The most
important ones are listed here:
• The IP address 127.0.0.1 (in fact, the whole 127.0.0.0/8 network) is reserved for the
loopback address. Hosts use the loopback address to send messages to themselves.
• Any IP address with the hostname part all zeros, such as 129.33.0.0, is reserved as an
identification for the network itself. It is not a valid IP address to be assigned to a host.
• Any IP address with the hostname part all ones, such as 129.33.255.255, is reserved as
the local broadcast address. Data sent to this address is delivered to all systems on the
local network.

It is valuable to know how many bits are needed in the host portion of the mask to support
a given number of hosts in the subnet. To assist with this, following is a table of the decimal
values for powers of 2.

  Power of 2    Decimal value
  0             1
  1             2
  2             4
  3             8
  4             16
  5             32
  6             64
  7             128
  8             256
  9             512
  10            1,024
  11            2,048
  12            4,096
  13            8,192
  14            16,384
  15            32,768
  16            65,536
  17            131,072
  18            262,144
  19            524,288
  20            1,048,576
  21            2,097,152
  22            4,194,304
  23            8,388,608


IP and subnet addressing (2 of 2)



• Network addresses by default are divided into classes:

  Class   Default subnet mask     Range     No. of networks   No. of hosts
  A       255.0.0.0 (/8)          1-127     128               16.7 million
  B       255.255.0.0 (/16)       128-191   16384             65534
  C       255.255.255.0 (/24)     192-223   2.1 million       254

• Network assignment is managed by the IANA (Internet
Assigned Numbers Authority) through ISPs.
  – Network addresses are generally either broken up and assigned to
physical networks (subnetting) or aggregated together (supernetting).
  – This is achieved by manipulating the subnet mask.
to fo

Figure 1-14. IP and subnet addressing (2 of 2) AN212.0

Notes:
IP addresses need to be assigned in such a fashion that they are unique across the whole
Internet. That is why there is a special organization that does this. This is the Internet
Assigned Number Authority, or IANA for short. They are responsible for assigning groups
of addresses (called classes) to organizations. They do not do this directly but have
contracted out that responsibility to the InterNIC (http://www.internic.net), who in turn
delegates this to local ISPs.

In addition to classes A to C, there are also classes D and E. Class D addresses are
reserved for multicasting. (Multicasting is a limited area type of broadcasting.) There is no
network or host portion in a multicast address. It is an integer number registered with the
InterNIC that identifies a group of machines. Class E is for experimental use only.

Class A and B addresses contain lots of hosts and therefore need to be broken down into
smaller more manageable chunks. This is achieved through a process known as
subnetting. On the other hand, class C addresses contain very few hosts, which can also
be subnetted into smaller chunks but very often need to be aggregated together to form
larger networks. This is achieved through a process known as supernetting.


Subnetting example

• Company bigbucks.com has acquired the class B network address of
129.33.0.0. They need to split the address range so that they can have
up to 128 physical networks and up to 510 hosts per network.

      IP address    10000001  00100001  0000000 0  00000000
                       129   .    33   .     0    .    0
      Subnet mask   11111111  11111111  1111111 0  00000000   /23
                       255   .   255   .    254   .    0
                    | Network identification | Assigned by this organization to the network (7 bits) | Host identification (9 bits) |

  The number of possible physical (sub)networks is: 2^7 = 128.
  The number of hosts per network is: (2^9)-2 = 510.

Figure 1-15. Subnetting example AN212.0

Notes:
The default subnet mask for a class B network is 255.255.0.0. This translates to one
network with ((2^16)-2) = 65534 hosts. Organizations with class A and B addresses
often have hundreds, if not thousands, of physical networks split across both local and
geographically dispersed locations. The only way to do this is to split the network address
into more manageable chunks. This is achieved by borrowing bits from the host ID and
using them for the network. Using 7 bits from the host ID allows for (2^7) = 128 physical
networks. On each of the 128 networks there can be ((2^9)-2) = 510 hosts. We have to
subtract two from the number of hosts because all 0’s are reserved for the network and all
1’s are reserved for the broadcast address.
Supernetting example

• Company losechange.com has acquired four class C network
addresses: 222.180.108.0 through to 222.180.111.0; however, they
would like to aggregate these networks together to form one global
network.

      IP address    11011110  10110100  011011 00  00000000
                       222   .   180   .    108   .    0
      Subnet mask   11111111  11111111  111111 00  00000000   /22
                       255   .   255   .    252   .    0
                    | Network identification | Host identification (10 bits) |

  One class C network. Network address = 222.180.108.0/22
  The number of hosts: (2^10)-2 = 1022

Figure 1-16. Supernetting example AN212.0

Notes:
Having four class C addresses equates to four physical networks each with up to 254
hosts. Each network would require a router to route packets between them. Supernetting is
the opposite to subnetting and borrows bits from the network portion of the IP address. In
the example, we have borrowed two bits, changing the subnet mask from 255.255.255.0 to
255.255.252.0. The result is that networks 222.180.109, 110, and 111 have become part of
the 222.180.108 network. The 222.180.108 network can have up to ((2^10)-2) = 1022 hosts.

Variable length subnet masking (1 of 2)



• Subnetting has one big disadvantage. It breaks down the network into
equally sized subnets.
• Variable length subnet masking (VLSM) was developed to allow the
network to be broken up into subnets of unequal size.
• Take the previous class C example:
  – 222.180.108/24 provides 254 hosts
• Let’s subdivide the network into six subnets:
  – Subnet 1 = 126 hosts
  – Subnet 2 = 64 hosts
  – Subnet 3 = 14 hosts
  – Subnet 4 = 14 hosts
  – Subnet 5 = 14 hosts
  – Subnet 6 = 14 hosts

Figure 1-17. Variable length subnet masking (1 of 2) AN212.0

Notes:
The main weakness of conventional subnetting is that the subnet ID represents only one
additional hierarchical level in how IP addresses are interpreted. The subnet ID is the same
length throughout the network, so it is not possible to define a different number of hosts in
the subnetworks. This is inefficient even in small networks and can result in the need to use
extra addressing blocks while wasting many of the addresses in each block.

The solution is an enhancement to the basic subnet addressing method called variable
length subnet masking (VLSM).

The idea is to subnet the network, and then subnet the subnets just the way you originally
subnetted the network. It is possible to apply this multiple-level splitting to only some of the
subnets, allowing you to selectively cut the IP address pie so that some of the slices are
bigger than others.

VLSM does an initial subnetting of the network into large subnets, and then further breaks
down one or more of the subnets as required. You add bits to the subnet mask for each of
the sub-subnets and sub-sub-subnets to reflect their smaller size.


Variable length subnet masking (2 of 2)



Original network: 222.180.108.0/24

First division: split the /24 network into two /25 subnetworks
  222.180.108.0/25 (subnet 1)
  222.180.108.128/25

Second division: split 222.180.108.128/25 into two /26 subnetworks
  222.180.108.128/26 (subnet 2)
  222.180.108.192/26

Third division: split 222.180.108.192/26 into four /28 subnetworks
  222.180.108.192/28 (subnet 3)
  222.180.108.208/28 (subnet 4)
  222.180.108.224/28 (subnet 5)
  222.180.108.240/28 (subnet 6)

Figure 1-18. Variable length subnet masking (2 of 2) AN212.0

Notes:
Using the example shown on the previous page, we can now see how everything fits using
VLSM. We start with our Class C network: 222.180.108.0/24. We then do three subnettings
as follows:

• The first step is to do an initial subnetting by using one bit for the subnet ID, leaving us
7 bits for the host ID. This gives us two subnets: 222.180.108.0/25 and
222.180.108.128/25. Each of these can have a maximum of 126 hosts. We set aside
the first of these for subnet S6 and its 100 hosts.

• Then we can take the second subnet, 222.180.108.128/25, and subnet it further into
two sub-subnets. We do this by taking one bit from the 7 bits left in the host ID. This
gives us the sub-subnets 222.180.108.128/26 and 222.180.108.192/26, each of which
can have 62 hosts.

• The final step is to take the second sub-subnet, 222.180.108.192/26, and subnet it
further into four sub-sub-subnets. We take 2 bits from the 6 that are left in the host ID.
This gives us four sub-sub-subnets that each can have a maximum of 14 hosts:
222.180.108.192/28, 222.180.108.208/28, 222.180.108.224/28 and
222.180.108.240/28.
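The subnetting, supernetting and VLSM arithmetic of Figures 1-13 to 1-18, as an added example that is not part of the course material. It works on the 32-bit integer form of the address with the bit operations the slides draw, and the VLSM allocator generalizes the three manual divisions above: it serves the largest request first so that every block lands on its own size boundary. The addresses come from the slides; the function names are my own.

```python
def parse_ip(dotted):
    """Dotted decimal -> 32-bit integer (129.33.151.7 -> 0x81219707)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def format_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/16 -> 255.255.0.0 as an integer: the top 'prefix' bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_info(dotted, prefix):
    """Network, broadcast, first and last host, and host count (prefix <= 30)."""
    mask = mask_from_prefix(prefix)
    network = parse_ip(dotted) & mask            # AND with the mask keeps the network ID
    broadcast = network | (~mask & 0xFFFFFFFF)    # host bits all ones
    return {
        "mask": format_ip(mask),
        "network": format_ip(network),
        "broadcast": format_ip(broadcast),
        "first_host": format_ip(network + 1),
        "last_host": format_ip(broadcast - 1),
        "hosts": (1 << (32 - prefix)) - 2,       # all-zeros and all-ones are reserved
        "cidr": "%s/%d" % (format_ip(network), prefix),
    }


def subnet(dotted, prefix, new_prefix):
    """Borrow (new_prefix - prefix) host bits: equal-sized subnets in CIDR form."""
    if new_prefix <= prefix:
        raise ValueError("new prefix must be longer than the original")
    network = parse_ip(dotted) & mask_from_prefix(prefix)
    block = 1 << (32 - new_prefix)               # addresses per subnet
    return ["%s/%d" % (format_ip(network + i * block), new_prefix)
            for i in range(1 << (new_prefix - prefix))]


def supernet(networks, prefix, new_prefix):
    """Give (prefix - new_prefix) network bits back to the host part so several
    networks form one block; every input must fall inside that block."""
    if new_prefix >= prefix:
        raise ValueError("new prefix must be shorter than the original")
    aggregate = parse_ip(networks[0]) & mask_from_prefix(new_prefix)
    for net in networks:
        if parse_ip(net) & mask_from_prefix(new_prefix) != aggregate:
            raise ValueError("%s is not inside the aggregate" % net)
    return "%s/%d" % (format_ip(aggregate), new_prefix)


def vlsm(dotted, prefix, host_counts):
    """Allocate subnets of unequal size inside one network, largest first."""
    start = parse_ip(dotted) & mask_from_prefix(prefix)
    end = start + (1 << (32 - prefix))
    cursor, plan = start, []
    for wanted in sorted(host_counts, reverse=True):
        host_bits = 2                            # a /30 is the smallest usable subnet
        while (1 << host_bits) - 2 < wanted:     # smallest block with enough usable hosts
            host_bits += 1
        size = 1 << host_bits
        cursor = (cursor + size - 1) // size * size   # align to the block size
        if cursor + size > end:
            raise ValueError("not enough address space for %d hosts" % wanted)
        plan.append("%s/%d" % (format_ip(cursor), 32 - host_bits))
        cursor += size
    return plan
```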

Modifications to IP addressing

• IP filtering and firewalls
  – Firewalls are implemented to increase the network security and control
access to private networks.
  – A list defines which IP addresses, protocols, and ports
are allowed or blocked.
• IP address translation
  – Network Address Translator (NAT) acts as an intermediary agent.
    • The (real) originating IP addresses of the private network are hidden from the
public network.
  – Multiple hosts appear to share the same IP address on the external network.
  – Only the outside interface of the NAT device needs to have a routable address.
    • Just as a company telephone number can have multiple specific extensions for
internal services.

Figure 1-19. Modifications to IP addressing AN212.0

Notes:

Firewall

Firewalls are implemented to increase network security.

Firewalls can be implemented in either hardware or software and control access to private networks based on the public IP of the client. Access control filter lists are defined by the network administrator and can allow or restrict traffic based upon protocol, IP address, and specific network applications (ports).

Network address translation (NAT)

Network address translation allows several computers to share one public IP address. In order to increase network security, the real originating IP addresses can be hidden from the external systems receiving the request. A NAT device, typically a router/firewall, hides the IP addresses of the private network behind its own public address. Only the outside interface of the NAT device needs to have an Internet-routable address.
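The filter list the notes describe is evaluated top to bottom, first match wins, with anything unmatched falling through to a default. The Python script below is an added example (not from the IBM course) of such an evaluator over a constructed rule list, plus the check an administrator wants whenever the list is edited: which rules are shadowed by an earlier, broader rule and therefore never apply. The addresses (a web server at 10.47.1.18 inside the 10.47.0.0/16 site network) are assumptions borrowed from the SMIT examples later in this unit; the rule fields and semantics are this example's own, not any particular firewall product's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    src: str                # source CIDR; "0.0.0.0/0" means any
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # destination port; None means any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# Constructed filter list for a small site: a public web server at 10.47.1.18,
# ssh to the 10.47.1.0/24 server LAN only from inside 10.47.0.0/16, and a final
# explicit block. Everything is an assumption for this example.
RULES = [
    Rule("allow", "0.0.0.0/0",    "10.47.1.18/32", "tcp", 80),
    Rule("allow", "0.0.0.0/0",    "10.47.1.18/32", "tcp", 443),
    Rule("allow", "10.47.0.0/16", "10.47.1.0/24",  "tcp", 22),
    Rule("block", "0.0.0.0/0",    "0.0.0.0/0",     "any", None),
]


def matches(rule, pkt):
    """True when the packet falls inside every field of the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate(rules, pkt, default="block"):
    """First matching rule wins. Traffic that matches nothing gets `default`;
    "block" is the usual choice, so only traffic that is listed passes."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def covers(a, b):
    """True when every packet matching rule b would already match rule a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule covers them.
    A shadowed allow is harmless; a shadowed block means an earlier allow already
    lets that traffic through, which is the mistake this check catches."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.47.1.18", "tcp", 443),
                Packet("198.51.100.7", "10.47.1.18", "tcp", 22),
                Packet("10.47.2.9", "10.47.1.18", "tcp", 22)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```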


IP routing

• IP routing is the process used by routers to forward IP datagrams.
• Inter-network routers use specific protocols in order to make forwarding decisions across IP connected networks.
• The following devices are capable of IP routing:
  – Routers, bridges, gateways, firewalls, and layer 3 or higher switches
  – Hosts with multiple network cards
• The routing process directs IP packets based on routing tables.
  – Small networks: Static routing with manually configured routing tables
  – Large networks: Dynamic routing protocols which permanently update routing tables
• Routing schemes differ in their delivery: unicast, broadcast, multicast, and anycast.


Figure 1-20. IP routing AN212.0

Notes:

Routing is the process of selecting paths in a network along which to send network traffic. The routing process forwards IP packets based on routing tables which contain a list of routes to network destinations. These routing tables are stored in the memory of the routing devices. Multiple or alternative paths can be defined towards the same destination. This is covered in more detail in the routing unit.

In small networks, static routing is used and routing tables are manually configured. Larger networks involve dynamic routing using routing protocols such as Open Shortest Path First (OSPF).

Routing schemes differ in their delivery semantics:
• Unicast delivers a message to a single specified node.
• Broadcast delivers a message to all nodes in the network.
• Multicast delivers a message to a group of nodes that have expressed interest in receiving the message.
• Anycast delivers a message to any one out of a group of nodes (typically the one nearest to the source).
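A routing table lookup picks the most specific (longest prefix) route that contains the destination, and a route whose gateway is not on a directly connected network can be installed but never used. The Python script below is an added example (not from the IBM course) of a static table, the longest-prefix-match lookup and that gateway reachability check; the table itself, the interface names and the gateway addresses are constructed for the example.

```python
import ipaddress

# Constructed routing table for a host with two interfaces. A gateway of None
# means the network is directly connected (the interface delivers the packet itself).
ROUTES = [
    ("0.0.0.0/0",        "10.47.0.1",     "en0"),   # default route via the site router
    ("10.47.0.0/16",     None,            "en0"),
    ("192.168.0.0/24",   None,            "en1"),
    ("192.168.0.128/25", "192.168.0.254", "en1"),   # more specific route via a second router
    ("127.0.0.0/8",      None,            "lo0"),
]


def build_table(routes):
    """Parse textual routes and sort most specific first, so that a linear
    scan is a longest-prefix match."""
    table = [(ipaddress.ip_network(net),
              None if gw is None else ipaddress.ip_address(gw),
              iface) for net, gw, iface in routes]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """(network, gateway, interface) of the longest matching prefix, or None."""
    dst = ipaddress.ip_address(destination)
    for net, gw, iface in table:
        if dst in net:
            return net, gw, iface
    return None


def next_hop(table, destination):
    """Where the packet is handed to on the link: the gateway for an indirect
    route, the destination itself when the network is directly connected."""
    route = lookup(table, destination)
    if route is None:
        raise LookupError(f"no route to host {destination}")
    net, gw, iface = route
    return (str(gw) if gw is not None else destination, iface)


def unreachable_gateways(table):
    """Gateways that lie on no directly connected network. The kernel accepts
    such a route, but traffic matching it has nowhere to go."""
    connected = [net for net, gw, _ in table if gw is None]
    return [(str(net), str(gw)) for net, gw, _ in table
            if gw is not None and not any(gw in c for c in connected)]


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("192.168.0.200", "192.168.0.5", "10.47.1.33", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
    print("unreachable gateways:", unreachable_gateways(table))
```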


The link layer

• The link layer provides:
  – Encapsulation of IP packets into frames, frame synchronization, Media Access Control (MAC) addressing, and VLAN switching (packet switching).
• Each link layer implementation has its own method of addressing, for example:
  – All Ethernet adapters have a unique identifier called the Media Access Control (MAC) address which corresponds to the physical address of the device.
  – Ethernet uses the Address Resolution Protocol (ARP) to resolve IP addresses to data link addresses.


Figure 1-21. The link layer AN212.0

Notes:

The link layer is the lowest layer in the Internet Protocol Suite.

It is the group of methods or protocols that only operate on a host's link. The link is the physical and logical network component used to interconnect hosts or nodes in the network.

A link protocol is a suite of methods and standards that operate only between adjacent network nodes of a local area network segment or a wide area network connection.

The core protocols specified in this layer are the Address Resolution Protocol (ARP) and its cousin, the Reverse Address Resolution Protocol (RARP).

The link layer also contains hardware specific interface methods such as Ethernet and other IEEE 802 encapsulation schemes such as VLAN tagging.

For example, the link layer includes the following functionalities: encapsulation of IP packets into frames, frame synchronization, Media Access Control (MAC) addressing, LAN switching (layer 2 switching), collision detection, IP address to/from physical address resolution, and so on.


Address Resolution Protocol

• Address Resolution Protocol (ARP) is the method for finding a hardware address when only the IP address is known.
  – ARP is part of the link layer and is used to determine the MAC address of a remote host.
  – ARP operates only on the local area network.
• ARP is invoked automatically by IP if the destination MAC address is unknown.
  – When the MAC address of a remote host is not listed in the ARP table, ARP sends a broadcast packet such as « Who is 9.143.22.166 ».
  – Only the destination host answers and sends back a packet containing its MAC address.
  – ARP tables on both source and destination hosts are updated.
• Inverse ARP and reverse ARP are protocols used to obtain the IP address from the MAC address.
• Gratuitous ARP is an ARP broadcast update message to the network.
  – Typically used in high availability when an application address is moved from adapter to adapter.


Figure 1-22. Address Resolution Protocol AN212.0

Notes:

Address Resolution Protocol (ARP) is the method for finding the MAC address of a host when only its IP address is known. ARP is responsible for converting unique IP addresses into unique physical machine addresses.

It can be used to resolve many different network layer protocol addresses to interface hardware addresses, not only IP to MAC address correspondence. ARP is a link layer protocol and only operates on the local area network or point to point link.

ARP uses the broadcast facility of networks to discover the hardware (physical) address. The operation is transparent to users and administrators.

When data is to be sent to the network, the destination MAC address is determined from the ARP table. If there is no destination MAC address in the ARP table, ARP on your system obtains the address by broadcasting a request. The address of the destination is stored into the ARP table. Entries in the ARP table are normally discarded if they have not been used for 20 minutes. This default timeout can be changed using the no command; the tunable parameter is arpt_killc.
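The sequence in the notes (table lookup, broadcast on a miss, entry refreshed on use, discarded after 20 idle minutes, overwritten by a gratuitous ARP during an address move) is small enough to model end to end. The Python class below is an added example (not part of the IBM course, and not how the AIX kernel implements its table) that does exactly that over a constructed LAN; it also keeps a log of entries whose MAC changed, which is a cheap consistency check for an administrator reviewing what a host has learned. The router address and timestamps are assumptions; the host 9.143.22.166 and the MAC 00:11:25:bf:90:18 are the values that appear elsewhere in this unit.

```python
ARPT_KILLC_DEFAULT_MIN = 20   # AIX default quoted in the notes (tunable via the no command)

# Constructed LAN: the hosts that would answer an ARP broadcast on this segment.
LAN = {
    "9.143.22.166": "00:11:25:bf:90:18",   # MAC taken from the lscfg example in Unit 2
    "9.143.22.1":   "00:00:5e:00:01:01",   # assumed router address for the example
}


class ArpCache:
    """Minimal model of a host's ARP table: lookup, broadcast on a miss,
    idle-timeout expiry, and a log of entries whose MAC changed."""

    def __init__(self, lan, timeout_min=ARPT_KILLC_DEFAULT_MIN):
        self.lan = lan
        self.timeout = timeout_min * 60
        self.entries = {}        # ip -> (mac, time of last use)
        self.requests_sent = 0   # how many "Who is <ip>?" broadcasts went out
        self.changes = []        # (ip, old_mac, new_mac) seen on replies

    def resolve(self, ip, now):
        """MAC for `ip`, from the table if present (refreshing its timer),
        otherwise by broadcasting a request. None means nobody answered."""
        self.expire(now)
        if ip in self.entries:
            mac, _ = self.entries[ip]
            self.entries[ip] = (mac, now)
            return mac
        self.requests_sent += 1
        mac = self.lan.get(ip)           # only the owner of the address replies
        if mac is not None:
            self.entries[ip] = (mac, now)
        return mac

    def learn(self, ip, mac, now):
        """Update the table from a reply or a gratuitous ARP. A different MAC for
        a known IP is legitimate after an HA address move, so it is recorded
        rather than rejected; reviewing this log is a simple sanity check."""
        old = self.entries.get(ip)
        if old is not None and old[0] != mac:
            self.changes.append((ip, old[0], mac))
        self.entries[ip] = (mac, now)

    def expire(self, now):
        """Drop entries idle for longer than the timeout; returns the IPs removed."""
        stale = [ip for ip, (_, used) in self.entries.items()
                 if now - used > self.timeout]
        for ip in stale:
            del self.entries[ip]
        return stale


if __name__ == "__main__":
    cache = ArpCache(LAN)
    print(cache.resolve("9.143.22.166", 0), "requests:", cache.requests_sent)
    print(cache.resolve("9.143.22.166", 600), "requests:", cache.requests_sent)
    print("expired:", cache.expire(600 + ARPT_KILLC_DEFAULT_MIN * 60 + 1))
```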


The physical layer: Ethernet

• The physical layer is used to send and receive data packets.
  – A data packet on the wire is referred to as a frame.
  – The data field contains the IP datagram.
  – The frame contains source and destination MAC addresses, IP addresses, and port numbers.
• Ethernet is a technology based on a set of physical components (adapters, connectors, cabling, and repeaters) and technical rules (number of hosts, distance, and speed).

Ethernet frame


Figure 1-23. The physical layer: Ethernet AN212.0

Notes:

Today, Ethernet is the de-facto standard of LAN technology, replacing older style Token Ring and FDDI networks. Ethernet forms part of both the data link layer (standardized as IEEE 802.3) and physical layer (RJ45/copper or long/short range, single/multi-mode Fiber cabling). Further details on Ethernet are provided in the next unit.


Network communication example

• Example communication between a web server located in UK and a workstation located in France:

Figure: Marie's workstation (France, on Ethernet) and the Web server www.lpar.co.uk (UK, on Ethernet, running httpd) communicate through the Paris router and the London router across a Wide Area Network (WAN). Layers shown at each node:
  – Application: HTTP client and HTTP server, joined by a virtual HTTP connection
  – Transport: TCP on both hosts, joined by a virtual connection
  – Internet: IP on the two hosts and on both routers
  – Link: link layer on the two hosts and on both routers
  – Physical connection: Ethernet on each LAN, the Internet between the routers


Figure 1-24. Network communication example AN212.0

Notes:

The figure shows an example of communication between a Web server located in the UK and a workstation running a Web browser located in France. The packets are routed through two gateways in London and Paris.

The diagram shows the operation of the Internet Protocol suite between two Internet hosts connected via two routers and the corresponding layers of the IP suite in use at each hop. All hosts use the Internet layer to route packets to the next hop solely based on the IP address, while only the end hosts need the upper layers to send or receive application data. At the transport layer and application layer the hosts can be said to have virtual connections between them.


Checkpoint

1. Which layers are defined in the TCP/IP Internet Protocol suite?

2. Which layer is required for frame transmission?

3. What is the role of the transport layer?

4. Which protocol of the link layer translates IP addresses to MAC addresses?

5. What is the purpose of VLSM?


Figure 1-25. Checkpoint AN212.0

Notes:

Write your answers here:


Exercise introduction

• In this lab exercise, you will:
  – Practice interpreting IP addresses.


Figure 1-26. Exercise introduction AN212.0

Notes:


Unit summary

Having completed this unit, you should be able to:
• Describe global network concepts
• Define network components
• Describe the following:
  – The main TCP/IP protocols
  – The TCP/IP layering model
  – IP addressing, subnetting, supernetting, and VLSM


Figure 1-27. Unit summary AN212.0

Notes:

Unit 2. Configuring TCP/IP

What this unit is about

This unit covers the configuration of TCP/IP.

What you should be able to do

After completing this unit, you should be able to:
• Configure TCP/IP
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration

How you will check your progress

• Checkpoint questions
• Lab exercises


Unit objectives

After completing this unit, you should be able to:
• Configure TCP/IP
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration


Figure 2-1. Unit objectives AN212.0

Notes:


TCP/IP start-up flow

Partition activation
  → Run time init: process /etc/inittab
  → /sbin/rc.boot calls cfgmgr: process /etc/rc.net
  → /etc/rc.tcpip: starts the TCP/IP subsystems (syslogd, snmpd, sendmail, portmap, inetd → /etc/inetd.conf)
  → /etc/rc.nfs
  → Login


Figure 2-2. TCP/IP start-up flow AN212.0

Notes:

TCP/IP startup is initiated from the inittab processing. /sbin/rc.boot calls cfgmgr during the second phase processing, which in turn initializes the network interfaces and sets up routing by processing the /etc/rc.net file. TCP/IP subsystems are started from the /etc/rc.tcpip script. This script can be edited directly to comment or uncomment subsystem startup. The inetd daemon is responsible for loading network programs on request, such as FTP, Telnet, and so on. Once the core TCP/IP subsystems have been initialized, further TCP/IP based applications, such as NFS, NIM, and HACMP, can be started.


/etc/rc.tcpip

• TCP/IP subsystems startup script
  – Defines a start function to detect if srcmstr or subsystem is running
• Enable or disable subsystem start at next system restart:
  – Comment or uncomment line that starts the subsystem
• Example section of file:

start /usr/sbin/snmpd "$src_running"
#start /usr/sbin/dhcpsd "$src_running"
#start /usr/sbin/dhcprd "$src_running"
start /usr/sbin/hostmibd "$src_running"

• smit otherserv
  – Can select a subsystem to start: NOW, Next System RESTART, or BOTH.
  – Executes undocumented chrctcp smit command.


Figure 2-3. /etc/rc.tcpip AN212.0

Notes:

The /etc/rc.tcpip file is a shell script that, when executed, uses SRC commands to initialize selected daemons. The rc.tcpip shell script is automatically executed with each system restart. It can also be executed at any time from the command line.

The script defines functions that are used to manage the starting and stopping of the subsystems. The most important is the start function. This function determines if any action is needed (the subsystem may already be running) and it identifies if the SRC facility is active (if not, it starts the daemon directly).

The main portion of the script is a series of start lines, one for each networking subsystem. Whether or not a line is commented out determines if that subsystem will be started by the script.

You can either use SMIT (otherserv fastpath) to modify the file, or you can directly edit the file. SMIT executes an undocumented SMIT command, chrctcp, to update the file.

Some of the chrctcp command flags are:

-a: uncomment the start line for the identified subsystem
-d: comment out the start line for the identified subsystem
-c <daemon>: identify which subsystem to affect
-S: start or stop the subsystem right now, depending on the use of the -a or -d flags.
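Whether a daemon starts at the next reboot comes down to whether its start line in /etc/rc.tcpip begins with a #, which is the edit chrctcp -a / -d -c <daemon> makes. The Python script below is an added example (not IBM's chrctcp and not part of the course) that performs the same edit on a constructed excerpt of the file, lists which subsystems are enabled, and diffs two versions so a change can be reviewed before a restart. The excerpt is modelled on the slide; the extra lines (syslogd, sendmail with arguments) are assumptions for the example, and the -S "start now" behaviour is deliberately not modelled.

```python
import re

# Constructed excerpt modelled on the /etc/rc.tcpip section shown on the slide
# (a real file carries many more start lines and per-daemon arguments).
RC_TCPIP_SAMPLE = """\
#!/bin/ksh
start /usr/sbin/syslogd "$src_running"
start /usr/sbin/snmpd "$src_running"
#start /usr/sbin/dhcpsd "$src_running"
#start /usr/sbin/dhcprd "$src_running"
start /usr/sbin/hostmibd "$src_running"
#start /usr/sbin/sendmail "$src_running" "-bd -q30m"
"""

# A start line, commented out or not; the daemon name is the last path component.
START_LINE = re.compile(
    r'^(?P<off>#?)start\s+(?P<path>\S+/(?P<daemon>[^/\s]+))\s+"\$src_running"')


def list_subsystems(text):
    """{daemon: True if it starts at boot, False if its line is commented out}."""
    found = {}
    for line in text.splitlines():
        m = START_LINE.match(line)
        if m:
            found[m.group("daemon")] = (m.group("off") == "")
    return found


def set_subsystem(text, daemon, enable):
    """Return the script text with the daemon's start line commented in
    (enable=True) or out (enable=False). Idempotent; raises KeyError for a
    daemon with no start line so that a typo cannot silently do nothing."""
    out, hit = [], False
    for line in text.splitlines():
        m = START_LINE.match(line)
        if m and m.group("daemon") == daemon:
            hit = True
            body = line[1:] if line.startswith("#") else line
            line = body if enable else "#" + body
        out.append(line)
    if not hit:
        raise KeyError(f"no start line for {daemon} in rc.tcpip")
    return "\n".join(out) + "\n"


def boot_time_changes(before, after):
    """Daemons whose boot-time start setting differs between two versions of
    the file; the list to look at when reviewing an edit before a restart."""
    b, a = list_subsystems(before), list_subsystems(after)
    return sorted(d for d in set(b) | set(a) if b.get(d) != a.get(d))


if __name__ == "__main__":
    print(list_subsystems(RC_TCPIP_SAMPLE))
    changed = set_subsystem(RC_TCPIP_SAMPLE, "snmpd", False)
    print("changed at boot:", boot_time_changes(RC_TCPIP_SAMPLE, changed))
```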


Ethernet adapters

• Many types supported on AIX
  – Traditional copper (TX)
  – Single-mode and multi-mode fiber (SX, LX, SR, LR)
• Each adapter (entX) has two interfaces (enX and etX)
  – enX interface uses the standard DIX Ethernet frame format
    • Originally designed by Digital, Intel, and Xerox
  – etX interface uses IEEE 802.3 frame format (the same as DIX except Type field is replaced by Length)

Interfaces en0 and et0 are the layer 3 logical devices; adapter card ent0 is the layer 1 and 2 physical device that carries the MAC address. IP addresses are assigned to the interfaces, in this case en0.

# lsdev -Cl ent0
ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter

# lscfg -v -l ent0 |grep Network
        Network Address.............001125BF9018

# lsdev -Cc if
en0 Available 01-08 Standard Ethernet Network Interface
et0 Defined   01-08 IEEE 802.3 Ethernet Network Interface


Figure 2-4. Ethernet adapters AN212.0

Notes:

Brief history of Ethernet

The original Ethernet is called Experimental Ethernet today. It was developed by Robert Metcalfe in 1972 (patented in 1978) and was based in part on the ALOHAnet protocol. The first Ethernet that was generally used was DIX Ethernet (known as Ethernet II) and was derived from Experimental Ethernet. Today, there are many different standards of Ethernet (under the umbrella of IEEE 802.3), and the technical community has accepted the term Ethernet for all of them. Currently under development is IEEE 802.3ba (40 Gb/s and 100 Gb/s Ethernet). For further information see http://www.ieee802.org/3

Ethernet adapter support on AIX

• TX 10/100/1000 Mb up to 100 m using traditional copper
• SX 1000 Mb up to 550 m using multi-mode fiber
• LX 1000 Mb up to 5 km using single-mode fiber (can also run on multi-mode fiber)
• SR (short range) 10 Gb up to 300 m using multi-mode fiber
• LR (long range) 10 Gb up to 25 km using single-mode fiber

In virtually all cases on AIX, you will configure the en (DIX) interface; et interfaces are rarely (if at all) used.

General note: Fiber versus Fibre. When talking about networks and fiber, it is important to know when to use the correct spelling. Fiber refers to the medium (wire), whereas fibre refers to the protocol, that is, Fibre Channel.


TCP/IP configuration

• Host with single adapter
  – Use smitty tcpip
• Host with multiple adapters
  – Use smitty tcpip for the first adapter
  – And smitty chinet for subsequent adapters
• TCP/IP configuration can also be performed from the command line
  – Method 1: AIX. Data is held in the ODM.
  – Method 2: BSD. Data must be stored in flat file configuration or is lost on reboot.


Figure 2-5. TCP/IP configuration AN212.0

Notes:


Minimum Configuration & Startup

• smit mktcpip

                       Minimum Configuration & Startup

                                                        [Entry Fields]
* HOSTNAME                                              [waldorf]
* Internet ADDRESS (dotted decimal)                     [10.47.1.18]
  Network MASK (dotted decimal)                         [255.255.0.0]
* Network INTERFACE                                     en0
  NAMESERVER
         Internet ADDRESS (dotted decimal)              [10.47.1.33]
         DOMAIN Name                                    [lpar.co.uk]
  Default Gateway
         Address (dotted decimal or symbolic name)      [10.47.0.1]
         Cost                                           [0]               #
         Do Active Dead Gateway Detection?              no                +
  Your CABLE Type                                       N/A               +
  START Now                                             no                +


Figure 2-6. Minimum Configuration & Startup AN212.0

Notes:

AIX provides a very quick and easy configuration SMIT panel for configuring TCP/IP on the system. The essential items you will require are:
• Hostname of the machine
• IP address (and network mask)
• Interface to be configured.

Desirable items are:
• Default gateway for the environment
• DNS parameters (nameserver and domain name).
• This information populates the /etc/resolv.conf file as follows:

nameserver 10.47.1.33
domain lpar.co.uk

Cable type is generally not required and can be left as N/A. Start now will refresh (or start) the TCP/IP subsystems (note: they should already be running).

Additional IP configuration

• In a multi-homed host, subsequent adapters should be configured with smit chinet.

                  Change / Show a Standard Ethernet Interface

                                                        [Entry Fields]
  Network Interface Name                                en1
  INTERNET ADDRESS (dotted decimal)                     [192.168.0.1]
  Network MASK (hexadecimal or dotted decimal)          [255.255.255.0]
  Current STATE                                         up                +
  Use Address Resolution Protocol (ARP)?                yes               +
  BROADCAST ADDRESS (dotted decimal)                    []
  Interface Specific Network Options
     ('NULL' will unset the option)
     rfc1323                                            []
     tcp_mssdflt                                        []
     tcp_nodelay                                        []
     tcp_recvspace                                      []
     tcp_sendspace                                      []
  Apply change to DATABASE only                         no                +


Figure 2-7. Additional IP configuration AN212.0

Notes:

If SMIT is being used to configure further interfaces, then the fastpath smit chinet should be used. All fields are optional but the following items are essential:
• IP address (and network mask)
• Interface to be configured
• State of the interface (Default is down, so do not forget to switch this to up. This is a very common configuration error.)

Interface specific network options include:
• rfc1323 - enable large packets for high performance
• tcp_mssdflt - maximum segment size
• tcp_nodelay - pacing message flow
• tcp_recvspace - socket buffer size for receiving data
• tcp_sendspace - socket buffer size for sending data
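The mktcpip and chinet panels accept values that are syntactically fine but do not work together: an address that is the subnet's broadcast address, a default gateway that is not on the subnet the mask defines, or an interface left in the default state of down. The Python function below is an added example (not IBM's mktcpip or chinet, and not part of the course) that checks those relationships before anything is committed to the ODM; the field names follow the two panels above, the messages and the check list are this example's own, and the gateway check only handles dotted-decimal values, so a symbolic gateway name (which mktcpip allows) is reported rather than resolved.

```python
import ipaddress


def check_ip_config(hostname, address, netmask, interface, gateway=None, state="down"):
    """Consistency checks on the values the mktcpip / chinet panels collect.
    Returns a list of problems (empty when the configuration is coherent).
    `state` defaults to "down" because that is the panel default the notes warn about."""
    problems = []
    if not hostname:
        problems.append("HOSTNAME is required")
    if not interface:
        problems.append("network INTERFACE is required")
    try:
        iface = ipaddress.ip_interface(f"{address}/{netmask}")
    except ValueError as exc:
        problems.append(f"invalid address/mask {address}/{netmask}: {exc}")
        return problems                     # nothing below makes sense without a subnet
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{address} is the network or broadcast address of {net}")
    if gateway is not None:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            problems.append(f"gateway {gateway} is not dotted decimal "
                            "(symbolic names are not checked here)")
        else:
            if gw == iface.ip:
                problems.append("default gateway is the host's own address")
            elif gw not in net:
                problems.append(f"default gateway {gateway} is not on {net}; "
                                "check the netmask or add a static route first")
    if state != "up":
        problems.append(f"interface {interface} state is '{state}'; set Current STATE to up")
    return problems


def resolv_conf(nameserver, domain):
    """The /etc/resolv.conf content the panel's NAMESERVER fields produce."""
    return f"nameserver {nameserver}\ndomain {domain}\n"


if __name__ == "__main__":
    # values from the mktcpip panel shown above
    print(check_ip_config("waldorf", "10.47.1.18", "255.255.0.0", "en0", "10.47.0.1", "up"))
    # chinet panel values with the state left at its default
    print(check_ip_config("waldorf", "192.168.0.1", "255.255.255.0", "en1"))
    print(resolv_conf("10.47.1.33", "lpar.co.uk"), end="")
```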


Command line TCP/IP configuration

• There are two ways to configure network resources:
  – AIX ODM (chdev or SMIT)
  – Directly, using BSD UNIX commands: hostname, ifconfig, route
• Setting the hostname
  – AIX: # chdev -l inet0 -a hostname=sys1
  – BSD: # hostname sys1
• Adding an IP address to an interface
  – AIX: # chdev -l en0 -a netaddr=192.168.0.1 -a netmask=255.255.255.0 -a state=up
  – BSD: # ifconfig en0 192.168.0.1 netmask 255.255.255.0 up
• If the direct method is used, place the commands at the end of:
  – /etc/rc.net
  or
  – /etc/rc.bsdnet (if inet0 bootup_option=yes)


Figure 2-8. Command line TCP/IP configuration AN212.0

Notes:

In addition to SMIT, TCP/IP configuration can be driven from the command line. There are two ways to handle this:
• The AIX way, in which configuration is stored in the AIX internal database (ODM). This way the configuration remains after shutdown/restart.
• The traditional BSD UNIX way. This way configuration does not survive restarts unless the commands are entered into the /etc/rc.net file.

The /etc/rc.net file is executed by cfgmgr during system boot. The /etc/rc.net file performs the AIX style configuration and (optionally) the traditional BSD UNIX configuration. If only traditional BSD style networking is required then the following command can be run:

# chdev -l inet0 -a bootup_option=yes

Doing this causes AIX to process the /etc/rc.bsdnet file instead of the rc.net file at boot time. Commands such as hostname, ifconfig, route, and so on should be appended to /etc/rc.bsdnet as appropriate.


Name resolution: Local host file

• Name resolution can be achieved through several mechanisms:
  – Local hosts file, DNS, NIS, and LDAP
• Local /etc/hosts file:

# This is a comment
# Format: IP <space or tab> name | [optional aliases]
127.0.0.1   loopback localhost
10.10.1.1   system1 nimserver
10.10.1.2   system2
10.10.1.3   system3

• Verifying name resolution:

# host system1
system1 is 10.10.1.3, Aliases: nimserver


Figure 2-9. Name resolution: Local host file AN212.0

Notes:

Systems use different methods for mapping host names to IP addresses. The method depends upon the environment in which a system is going to participate.
• Flat Network. This method provides name resolution through the file /etc/hosts and works well in small stable environments.
• Domain Name Server (DNS). DNS is a system that allows name and IP lookups in a tree like database structure. It was created due to growth of the Internet and designed for large networks.
• Network Information System (NIS) Server. This method provides a centralized server for administration of configuration and other files within a LAN environment.
• Lightweight Directory Access Protocol (LDAP) Server. LDAP is an application protocol for querying and modifying directory services running over TCP/IP. Tivoli Directory Server (TDS) is IBM's version of an LDAP server.

The /etc/hosts file

Host names (symbolic network interface names) and their IP addresses are associated with each other by entries in the /etc/hosts file. Entries should be included in /etc/hosts for (1) loopback, (2) the local machine, and (3) any other hosts known to the system. Typically, /etc/hosts is kept consistent among all machines. Aliases can be created in this file by entering them after the host name. Each alias is separated by a space. Aliases cannot exceed 255 characters, and each entry must be contained on one line.
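The format rules above (one entry per line, name then space-separated aliases, comments after #, the first matching line answering a lookup, aliases limited to 255 characters) are all a resolver needs. The Python script below is an added example (not from the IBM course and not the AIX resolver) that parses a hosts file modelled on the slide, answers a lookup in the shape of the host command's reply, and lints the file for the mistakes that make resolution surprising: one name on two addresses, over-long aliases, and a missing loopback entry. The trailing comment on the system3 line is an assumption added to exercise the parser.

```python
# Constructed /etc/hosts modelled on the slide's example.
HOSTS_SAMPLE = """\
# This is a comment
# Format: IP <space or tab> name | [optional aliases]
127.0.0.1   loopback localhost
10.10.1.1   system1 nimserver
10.10.1.2   system2
10.10.1.3   system3   # trailing comments are allowed too
"""

MAX_ALIAS_LEN = 255   # limit stated in the notes


def parse_hosts(text):
    """Return [(ip, name, [aliases])] for every data line; blank lines and
    anything after '#' are ignored, as the resolver does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def lookup(entries, name):
    """First entry whose name or alias matches, the way the resolver answers;
    None when the name is unknown."""
    for ip, host, aliases in entries:
        if name == host or name in aliases:
            return ip, host, aliases
    return None


def host_report(entries, name):
    """Same shape as the `host` command's reply shown on the slide."""
    found = lookup(entries, name)
    if found is None:
        return f"{name}: host not found"
    ip, host, aliases = found
    return f"{host} is {ip}" + (f", Aliases: {' '.join(aliases)}" if aliases else "")


def lint_hosts(entries):
    """Problems that make name resolution surprising: one name on several
    addresses (only the first line wins), over-long aliases, no loopback entry."""
    problems, seen = [], {}
    for ip, host, aliases in entries:
        for n in [host] + aliases:
            if n in seen and seen[n] != ip:
                problems.append(f"{n} maps to both {seen[n]} and {ip}")
            seen.setdefault(n, ip)
        for a in aliases:
            if len(a) > MAX_ALIAS_LEN:
                problems.append(f"alias on {ip} exceeds {MAX_ALIAS_LEN} characters")
    if not any(ip == "127.0.0.1" for ip, _, _ in entries):
        problems.append("no 127.0.0.1 loopback entry")
    return problems


if __name__ == "__main__":
    entries = parse_hosts(HOSTS_SAMPLE)
    print(host_report(entries, "nimserver"))
    print(lint_hosts(entries))
```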


Verifying network interfaces

• netstat

# netstat -in
Name  Mtu   Network     Address            ZoneID  Ipkts   Ierrs  Opkts   Oerrs  Coll
en0   1500  link#2      ea.48.f0.0.b0.3            3359653 0      238778  0      0
en0   1500  10.47       10.47.1.23                 3359653 0      238778  0      0
lo0   16896 link#1                                 1201    0      1214    0      0
lo0   16896 127         127.0.0.1                  1201    0      1214    0      0
lo0   16896 ::1                                0   1201    0      1214    0      0

• ifconfig

# ifconfig -a
en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.23 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1/0
         tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 2-10. Verifying network interfaces AN212.0

Notes:

The netstat -i command shows the state of all configured interfaces. The -n flag shows
network addresses as numbers. When this flag is not specified, the netstat command
interprets addresses where possible and displays them symbolically.

The ifconfig -a command displays information about all interfaces in the system. The key
flags are UP and RUNNING, which show that the interface is available and active.
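An added example, not part of the course material, that applies the two checks above to saved netstat -in and ifconfig -a output; the sample output is constructed (the en1 rows, its MAC address and its flag value are invented to show a failing interface).

```shell
#!/bin/sh
# Added example (not course material): two checks over saved "netstat -in"
# and "ifconfig -a" output. Both read the command output on stdin; the
# SAMPLE_* variables are constructed, not captured from a real system.

# Report interfaces with non-zero Ierrs, Oerrs or Coll counters, and
# interfaces that have a link-level (link#) row but no IPv4 address row.
# The last five columns are always Ipkts Ierrs Opkts Oerrs Coll, so they are
# addressed from the end of the line: the ZoneID column is blank on IPv4 rows.
netstat_check() {
    awk '
        $1 == "Name" || NF < 5 { next }             # header and short lines
        $3 ~ /^link#/ { link[$1] = 1 }
        $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { ipv4[$1] = 1 }
        $(NF-3) > 0 || $(NF-1) > 0 || $NF > 0 {
            if (!seen[$1]++)
                printf "%s: Ierrs=%s Oerrs=%s Coll=%s\n", $1, $(NF-3), $(NF-1), $NF
        }
        END {
            for (i in link) if (!(i in ipv4))
                printf "%s: no IPv4 address configured\n", i
        }'
}

# Report interfaces whose flag list lacks UP or RUNNING, the two flags the
# text names as the indicators that an interface is available and active.
ifconfig_check() {
    awk '
        /^[a-z]+[0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            flags = $0; sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            up = 0; running = 0
            for (i = 1; i <= n; i++) {
                if (f[i] == "UP") up = 1
                if (f[i] == "RUNNING") running = 1
            }
            if (!up) printf "%s: not UP\n", name
            if (!running) printf "%s: not RUNNING\n", name
        }'
}

# Constructed sample: en0 and lo0 copy the healthy output shown above; en1
# is invented as an interface with input/output errors and no IPv4 address.
SAMPLE_NETSTAT='Name  Mtu   Network     Address            ZoneID  Ipkts   Ierrs  Opkts   Oerrs  Coll
en0   1500  link#2      ea.48.f0.0.b0.3            3359653 0      238778  0      0
en0   1500  10.47       10.47.1.23                 3359653 0      238778  0      0
en1   1500  link#3      ea.48.f0.0.b0.4            120     17     95      3      0
lo0   16896 link#1                                 1201    0      1214    0      0
lo0   16896 127         127.0.0.1                  1201    0      1214    0      0
lo0   16896 ::1                            0       1201    0      1214    0      0'

# Constructed sample: en1 is invented as an interface that is configured but
# neither UP nor RUNNING (its flag value is made up for the example).
SAMPLE_IFCONFIG='en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.23 netmask 0xffff0000 broadcast 10.47.255.255
en1: flags=1e080822,480<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255'

printf '%s\n' "$SAMPLE_NETSTAT" | netstat_check
printf '%s\n' "$SAMPLE_IFCONFIG" | ifconfig_check
```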


Verifying adapter information and state

• entstat
  – Shows adapter statistics and link state
  – Applicable to both physical and virtual devices

# entstat -d ent3 | head
-------------------------------------------------------------
ETHERNET STATISTICS (ent3) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Hardware Address: 00:1a:64:a8:99:55
Elapsed Time: 0 days 0 hours 4 minutes 14 seconds

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 1                                    Packets: 10
Bytes: 60                                     Bytes: 1246

# entstat -d ent3 | egrep -i '(link|speed)'
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex

# entstat -d ent1 | grep -i PVID
PVID: 3   VIDs: None


Figure 2-11. Verifying adapter information and state AN212.0

Notes:

The entstat command displays the statistics gathered by the specified Ethernet device
driver. Full examples of the entstat command:

1. Physical adapter

# entstat -d ent3
-------------------------------------------------------------
ETHERNET STATISTICS (ent3) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Hardware Address: 00:1a:64:a8:99:55
Elapsed Time: 0 days 0 hours 18 minutes 17 seconds

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 1                                    Packets: 31
Bytes: 60                                     Bytes: 5382
Interrupts: 0                                 Interrupts: 30


Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 2
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0

Broadcast Packets: 1                          Broadcast Packets: 29
Multicast Packets: 0                          Multicast Packets: 0
No Carrier Sense: 0                           CRC Errors: 0
DMA Underrun: 0                               DMA Overrun: 0
Lost CTS Errors: 0                            Alignment Errors: 0
Max Collision Errors: 0                       No Resource Errors: 0
Late Collision Errors: 0                      Receive Collision Errors: 0
Deferred: 0                                   Packet Too Short Errors: 0
SQE Test: 0                                   Packet Too Long Errors: 0
Timeout Errors: 0                             Packets Discarded by Adapter: 0
Single Collision Count: 0                     Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0

General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        PrivateSegment LargeSend DataRateSet

2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902) Specific Statistics:
------------------------------------------------------------------------
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex
PCI Mode: PCI-X (100-133)
PCI Bus Width: 64-bit
Latency Timer: 144
Cache Line Size: 128
Jumbo Frames: Disabled
TCP Segmentation Offload: Enabled
TCP Segmentation Offload Packets Transmitted: 0

TCP Segmentation Offload Packet Errors: 0
Transmit and Receive Flow Control Status: Enabled
XON Flow Control Packets Transmitted: 0
XON Flow Control Packets Received: 0
XOFF Flow Control Packets Transmitted: 0
XOFF Flow Control Packets Received: 0
Transmit and Receive Flow Control Threshold (High): 45056
Transmit and Receive Flow Control Threshold (Low): 24576
Transmit and Receive Storage Allocation (TX/RX): 16/48

2. Virtual adapter

# entstat -d ent1
-------------------------------------------------------------
ETHERNET STATISTICS (ent1) :
Device Type: Virtual I/O Ethernet Adapter (l-lan)
Hardware Address: f6:c7:3d:dc:cc:85
Elapsed Time: 4 days 0 hours 37 minutes 10 seconds

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 246040                               Packets: 62178
Bytes: 11587532                               Bytes: 3870332
Interrupts: 0                                 Interrupts: 62178
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 0
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0

Broadcast Packets: 184086                     Broadcast Packets: 369
Multicast Packets: 3                          Multicast Packets: 0
No Carrier Sense: 0                           CRC Errors: 0
DMA Underrun: 0                               DMA Overrun: 0
Lost CTS Errors: 0                            Alignment Errors: 0
Max Collision Errors: 0                       No Resource Errors: 0
Late Collision Errors: 0                      Receive Collision Errors: 0
Deferred: 0                                   Packet Too Short Errors: 0
SQE Test: 0                                   Packet Too Long Errors: 0
Timeout Errors: 0                             Packets Discarded by Adapter: 0
Single Collision Count: 0                     Receiver Start Count: 0

Multiple Collision Count: 0
Current HW Transmit Queue Length: 0

General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 20000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        DataRateSet

Virtual I/O Ethernet Adapter (l-lan) Specific Statistics:
---------------------------------------------------------
RQ Length: 4481
No Copy Buffers: 0
Trunk Adapter: False
Filter MCast Mode: False
Filters: 255
  Enabled: 1   Queued: 0   Overflow: 0
LAN State: Operational

Hypervisor Send Failures: 0
  Receiver Failures: 0
  Send Errors: 0
Hypervisor Receive Failures: 0

Invalid VLAN ID Packets: 0

ILLAN Attributes: 0000000000003002 [0000000000003002]

PVID: 3   VIDs: None

Switch ID: ETHERNET0

Buffers        Reg  Alloc   Min   Max  MaxA LowReg
tiny           512    512   512  2048   512    511
small          512    512   512  2048   512    512
medium         128    128   128   256   128    128
large           24     24    24    64    24     24
huge            24     24    24    64    24     24


Verifying address resolution

• arp
# arp -a
  nimmaster (10.47.1.33) at 3a:6e:a6:2:67:9d [ethernet] stored in bucket 3
  ? (10.47.1.254) at 0:11:25:1:2f:1d [ethernet] stored in bucket 75
  hmc2.lpar.co.uk (10.47.1.134) at (incomplete)
  hmc3.lpar.co.uk (10.47.1.135) at 0:d:60:b:dc:59 [ethernet] stored in bucket 105
bucket:    0     contains:    0 entries
bucket:    1     contains:    0 entries
... [note: buckets 2-147 removed for clarity]
bucket:  148     contains:    0 entries
There are 3 entries in the arp table.

• The arp command can also be used to add (-s) and remove (-d) entries from the arp
table.


Figure 2-12. Verifying address resolution AN212.0

Notes:

Name, IP, and MAC address information used or discovered by the ARP protocol is stored
in a table. This table can be viewed using the arp -a command. On AIX, entries stay within
the arp table for 20 minutes. This time can be tuned by changing the arpt_killc attribute
of network options along with the number of buckets (arptab_nb) and size of each bucket
(arptab_bsiz). These ARP attributes can be viewed using the no -a | grep arp
command.

Example:
# no -a | grep arp
              arpqsize = 12
            arpt_killc = 20
           arptab_bsiz = 7
             arptab_nb = 149
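An added example, not part of the course material, that reads arp -a output and relates it to the tunables above: entries are counted per bucket and compared with arptab_bsiz, and incomplete entries are listed. The sample entries are constructed; bucket 3 is deliberately filled to the default size of 7.

```shell
#!/bin/sh
# Added example (not course material): summarise "arp -a" output against the
# tunables discussed above. Resolved entries are counted per bucket and
# compared with arptab_bsiz, so a bucket that is full (and must evict an entry
# before it can learn a new one) stands out; incomplete entries, where no
# reply to the ARP request has arrived, are listed as well.
# Reads arp -a output on stdin; $1 is the arptab_bsiz value (7 by default).
arp_summary() {
    awk -v bsiz="$1" '
        / at \(incomplete\)/ {
            incomplete++
            printf "incomplete: %s %s\n", $1, $2
            next
        }
        / stored in bucket / {
            resolved++
            b = $NF                          # the bucket number is the last field
            if (++count[b] == bsiz)
                printf "bucket %d is full (%d entries)\n", b, bsiz
        }
        END { printf "%d resolved, %d incomplete\n", resolved + 0, incomplete + 0 }'
}

# Constructed sample: the first four lines follow the slide output; the
# remaining hosts and MAC addresses are invented to fill bucket 3 up to the
# default arptab_bsiz of 7.
SAMPLE_ARP='nimmaster (10.47.1.33) at 3a:6e:a6:2:67:9d [ethernet] stored in bucket 3
? (10.47.1.254) at 0:11:25:1:2f:1d [ethernet] stored in bucket 75
hmc2.lpar.co.uk (10.47.1.134) at (incomplete)
hmc3.lpar.co.uk (10.47.1.135) at 0:d:60:b:dc:59 [ethernet] stored in bucket 105
host-a (10.47.1.40) at 2:0:0:0:0:a [ethernet] stored in bucket 3
host-b (10.47.1.41) at 2:0:0:0:0:b [ethernet] stored in bucket 3
host-c (10.47.1.42) at 2:0:0:0:0:c [ethernet] stored in bucket 3
host-d (10.47.1.43) at 2:0:0:0:0:d [ethernet] stored in bucket 3
host-e (10.47.1.44) at 2:0:0:0:0:e [ethernet] stored in bucket 3
host-f (10.47.1.45) at 2:0:0:0:0:f [ethernet] stored in bucket 3
bucket:    0     contains:    0 entries
There are 9 entries in the arp table.'

printf '%s\n' "$SAMPLE_ARP" | arp_summary 7
```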


Additional configuration: IP aliasing

• IP aliasing is a popular function which allows multiple IP addresses to be assigned to a
  single IP interface.
• This technology is popular with clustering technologies, such as PowerHA.

# netstat -in -I en1 | grep -v link
Name  Mtu   Network     Address            ZoneID  Ipkts  Ierrs  Opkts  Oerrs
en1   1500  192.168.0   192.168.0.1                0      0      6      0
# ifconfig en1 alias 172.31.0.1 255.255.0.0
# ifconfig en1 alias 10.47.33.33 255.255.0.0
# netstat -in -I en1 | grep -v link
Name  Mtu   Network     Address            ZoneID  Ipkts  Ierrs  Opkts  Oerrs
en1   1500  192.168.0   192.168.0.1                0      0      7      0
en1   1500  172.31      172.31.0.1                 0      0      7      0
en1   1500  10          10.47.33.33                0      0      8      0


Figure 2-13. Additional configuration: IP aliasing AN212.0

Notes:

IP aliasing is used widely in clustering technologies (such as PowerHA) and in WPARs. It is
very useful if the network is being redefined to use another IP subnet or network range.

Aliases can also be added using the smit fastpath, mkinet4al.


Testing for remote connectivity

# ping sys1
PING sys1: (192.108.14.2): 56 data bytes
64 bytes from 192.108.14.2: icmp_seq=0 ttl=255 time=0 ms
64 bytes from 192.108.14.2: icmp_seq=1 ttl=255 time=0 ms
^C
----seraph PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss

# traceroute sys1
trying to get source for sys1
source should be 10.47.1.31
traceroute to sys1 (192.108.14.2) from 10.47.1.31 (10.47.1.31), 30 hops max
outgoing MTU = 1500
 1  merovingian.lpar.co.uk (10.47.1.30)  1 ms  0 ms  0 ms
 2  7.7.7.1 (7.7.7.1)  0 ms  0 ms  0 ms
 3  sys1 (192.108.14.2)  0 ms  0 ms  0 ms

• Note: Sometimes the protocols used by ping (ICMP) and traceroute (UDP) are blocked by
  firewalls or IPSec filters.


Figure 2-14. Testing for remote connectivity AN212.0

Notes:

The ping command sends an ICMP echo_request to obtain an ICMP echo_reply from a host
or router. If the host is operational and on the network, it responds to the echo.

The default is to continuously send echo requests until an interrupt is received with Ctrl-c,
but there is an option (-c) to specify the number of packets sent. The ping command sends
one datagram per second and prints one line of output for every response received. It
calculates round trip times and packet loss statistics, and displays a brief summary upon
completion.

Be careful with options such as -f, which causes ICMP packets to flood the network. Ping
is useful to test basic connectivity between hosts, but it cannot tell us anything about where
the break in the path is. On the other hand, if ping cannot get a response, traceroute can
sometimes still give us information that helps to identify the outage.

The traceroute command is useful for displaying all the routers on the path between two
end hosts. It might turn out that the remote host is fine, but a router has failed along the
path. Traceroute works by increasing the time-to-live value of each successive batch of
packets sent. The first three packets sent have a time-to-live (TTL) value of one (implying
that they are not forwarded by the next router and make only a single hop). The next three
packets have a TTL value of 2, and so on. When a packet passes through a host, the host
normally decrements the TTL value by one and forwards the packet to the next host. When
a packet with a TTL of one reaches a host, the host discards the packet and sends an
ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these
returning packets to produce a list of hosts that the packets have traversed en route to the
destination. The three time stamp values returned for each host along the path are the
delay (aka latency) values, typically in milliseconds (ms), for each packet in the batch. If a
packet does not return within the expected timeout window, an asterisk is traditionally
printed. The report indicates that the first listed host is at one hop, the second listed host at
two hops, and so on. IP does not guarantee that all the packets take the same route. Also
note that if the host at hop number N does not reply, the output will list * for that attempt,


Viewing open sockets

• netstat
# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.daytime              *.*                    LISTEN
tcp        0      0  *.ftp                  *.*                    LISTEN
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp        0      0  *.telnet               *.*                    LISTEN
tcp4       0      0  *.smtp                 *.*                    LISTEN
tcp4       0      0  *.time                 *.*                    LISTEN
tcp        0      0  *.http                 *.*                    LISTEN
tcp4       0     10  waldorf.login          nimmaster.1023         ESTABLISHED
tcp4       0      0  waldorf.51460          nimmaster.ssh          ESTABLISHED
udp4       0      0  *.daytime              *.*
udp4       0      0  *.time                 *.*
udp        0      0  *.tftp                 *.*
udp4       0      0  *.ntp                  *.*
udp        0      0  *.snmp                 *.*
udp4       0      0  *.xdmcp                *.*
udp4       0      0  *.syslog               *.*


Figure 2-15. Viewing open sockets AN212.0

Notes:

A socket is a combination of IP address, port number, and protocol family, which uniquely
identifies a single network process. A socket is also referred to as a communication end
point. A pair of sockets uniquely identifies an end-to-end connection. Open sockets, both
established connections and listening ports, can be viewed with the netstat -a command.


Removing IP configuration

• Deconfiguring in the kernel only:
  # ifconfig <interface> down
  # ifconfig <interface> detach
• Preventing re-configuration at system restart:
  – Remove or comment out ifconfig statements added to rc.net or bsd.net
  – Remove any ODM definition:
    Method 1:
    # chdev -l <interface> -a state=detach
    Method 2:
    # rmdev -d -l <interface>
    # cfgmgr


Figure 2-16. Removing IP configuration AN212.0

Notes:

The effective interface configuration is in kernel memory. The ifconfig command can be
used to modify the interface definition in the kernel. Requesting a down state will stop the
use of that interface, but will leave the configuration parameters in place. Requesting a
detach state will detach the interface from the related adapter and will also remove the
configuration parameters for that interface.

If the interface configuration was made persistent by either coding an ifconfig command in
a startup script (such as /etc/rc.net or /etc/bsd.net) or configuring the interface parameters
in the ODM, it will be reconfigured at the next system restart. To prevent that, remove the
persistent definition. If using a startup script, either comment out or remove the ifconfig
command. If configured in the ODM, you can either use chdev to request a detach state
(this deletes the configuration details) or you can totally remove the ODM interface object
and then use cfgmgr to rediscover it.


Checkpoint (1 of 2)

1. True or False: An IP address is assigned to the physical adapter.

2. Which two commands will display the MAC address of an Ethernet adapter?

3. What is the difference between ent0, en0, and et0?


Figure 2-17. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:




Checkpoint (2 of 2)

4. How would you list established TCP socket connections?

5. True or False: Smitty tcpip should be used to configure all interfaces on the system.


Figure 2-18. Checkpoint (2 of 2) AN212.0

Notes:

Write your answers here:




Exercise introduction

• In this exercise, you will:
  – Configure TCP/IP


Figure 2-19. Exercise introduction AN212.0

Notes:


Unit summary

Having completed this unit, you should be able to:
• Configure TCP/IP
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration


Figure 2-20. Unit summary AN212.0

Notes:

Unit 3. inetd remote command services

What this unit is about

This unit describes the inetd daemon and selected remote command services provided by
the inetd daemon.

What you should be able to do

After completing this unit, you should be able to:
• Configure the inetd daemon
• Log in to remote hosts with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands

How you will check your progress

• Checkpoint questions
• Lab exercises


Unit objectives

After completing this unit, you should be able to:
• Configure the inetd daemon
• Log in to remote systems with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands


Figure 3-1. Unit objectives AN212.0

Notes:


The inetd daemon

• Known as the super server daemon
• Loads a network program based upon request
  – Saves CPU, memory, and system startup time
  – Examples: FTP, TFTP, login, Telnet, shell, exec, bootp, and time
  – To enable or disable a network program, comment or uncomment the appropriate line
    in /etc/inetd.conf and refresh the inetd daemon
  – Example: Disable FTP

    vi /etc/inetd.conf, locate and comment out the ftp line
    #ftp    stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
    telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
    shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd

    refresh -s inetd
    0513-095 The request for subsystem refresh was completed successfully.


Figure 3-2. The inetd daemon AN212.0

Notes:

The inetd daemon was developed in the early days of the Internet when computers were
slow and did not have a lot of memory but were used to provide a lot of services. If
computers of that day and age needed to run dozens of individual daemons to provide all
the different services, they would quickly run out of memory and CPU capacity, and their
startup time would be comparatively slow. Because of this, the inetd daemon was
developed.

The inetd daemon, sometimes also called the super daemon, is a relatively simple
program. It reads a file (/etc/inetd.conf) for the list of ports it needs to open. It opens
these TCP and UDP ports and then sits idle waiting for traffic to arrive on any of these
ports. When traffic arrives, it looks again at the /etc/inetd.conf file to see which
daemon should be started. It then starts the daemon and lets the daemon handle the
traffic.

Because of this mechanism, the memory and CPU usage is rather low for ports that do not
receive a lot of traffic. And, since we are still interested in saving memory and CPU time
today, the inetd daemon is still used for low-usage services.


There is a slight delay each time a daemon needs to be started. Because of this, the inetd
daemon is not supposed to be used for busy servers that receive a lot of connections in a
short period of time. HTTP, for instance, is best served with a dedicated web server
daemon running 24/7.

Some daemons, such as FTP, can be run both from the inetd daemon and as a standalone
daemon. You would make that decision based on the amount of traffic you expect.

The /etc/inetd.conf file controls the behavior of the inetd daemon. It consists of the
following seven columns:

- The first column identifies the service name inetd will support. This service name is
  translated into a port number via the /etc/services file.
- Columns two through four identify the socket type, protocol, and socket
  management technique. The protocols are TCP or UDP. Generally, the particular
  protocol requires specific values in the other two fields:
  • stream tcp nowait
  • dgram udp wait
  tcp6 and udp6 mean that the daemon is also able to handle IPv6 traffic.
- Column five is the user name under which the daemon should be started. The inetd
  daemon itself runs as root but can, if required, do a setuid() call before starting the
  daemon. The daemon then runs as a regular user and, if hacked, can do less
  damage to the system.
- Column six is the path and name of the program that implements the service. This is
  the daemon that is started by inetd.
- Column seven and onwards is the name of the program, plus all the options that are
  required when starting it.

Enabling and disabling inetd services is simply done by uncommenting or commenting out
the corresponding lines in the /etc/inetd.conf file, and then telling inetd to re-read the
file with the refresh -s inetd command.
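An added example, not part of the course material, that audits an /etc/inetd.conf fragment using the seven-column layout described above and performs the "comment out the line" step as a script rather than a vi session; the fragment is constructed (its ftp, telnet and shell lines follow the slide, the rest are typical entries).

```shell
#!/bin/sh
# Added example (not course material): audit an /etc/inetd.conf using the
# seven-column layout described above. audit_inetd lists every enabled
# service with its protocol, the user it starts as and its program, flags the
# clear-text ARPANET/BSD services covered in this unit (ftp, telnet, shell,
# login, exec) and any service that runs as root, and ends with a count.
# disable_service comments out a service the way the slide does by hand in vi;
# the result still has to be written to /etc/inetd.conf and followed by
# "refresh -s inetd" to take effect. Both read the file on stdin.
audit_inetd() {
    awk '
        BEGIN { n = split("ftp telnet shell login exec", c, " ")
                for (i = 1; i <= n; i++) cleartext[c[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }        # commented-out or incomplete lines
        {
            service = $1; proto = $3; user = $5; program = $6
            flags = ""
            if (service in cleartext) flags = flags " CLEARTEXT"
            if (user == "root")       flags = flags " ROOT"
            printf "%-8s %-5s %-6s %s%s\n", service, proto, user, program, flags
            enabled++
        }
        END { printf "%d service(s) enabled\n", enabled + 0 }'
}

disable_service() {
    awk -v svc="$1" '!/^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }'
}

# Constructed fragment of /etc/inetd.conf: the ftp, telnet and shell lines
# follow the slide; ntalk, daytime and time are added as typical entries.
SAMPLE_INETD='## constructed fragment, not a complete /etc/inetd.conf
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
ntalk   dgram   udp     wait    root    /usr/sbin/talkd        talkd
daytime stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal'

echo "== as configured =="
printf '%s\n' "$SAMPLE_INETD" | audit_inetd
echo "== after disabling telnet and shell =="
printf '%s\n' "$SAMPLE_INETD" | disable_service telnet | disable_service shell | audit_inetd
```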


Remote commands

• ARPANET inetd services
  – Remote login: telnet
  – Remote execute: rexec
  – Remote file transfer: ftp
  Auto execution (no password required): $HOME/.netrc
• BSD
  – Remote login: rlogin, rsh
  – Remote execute: rsh
  – Remote file transfer: rcp
  Auto execution (no password required): /etc/hosts.equiv, $HOME/.rhosts
• AIX (DSM)
  – Remote execute: dsh
    • Wrapper for rsh or ssh which allows commands/scripts to be executed on multiple
      hosts simultaneously


Figure 3-3. Remote commands AN212.0

Notes:

Remote login, execute, and file transfer were the first services that were implemented
when the Internet was born. They allowed users to use other systems over the network as
if they were local users. There were two competing organizations, however, both of whom
implemented these services differently.

TCP/IP under AIX uses two flavors of commands. ARPANET commands were designed for
large networks on the Internet consisting of multivendor operating systems. Berkeley
commands were developed by the University of California at Berkeley to work between
UNIX operating systems.

IBM produced various layers of cluster software that sit on top of AIX, one of which is
Distributed Systems Management (DSM). DSM filesets are distributed as part of the AIX
BOS. The dsh command is packaged as part of the DSM filesets and is a powerful utility
that is used to run commands and scripts on multiple hosts simultaneously.

© Copyright IBM Corp. 2010, 2013 Unit 3. inetd remote command services 3-5
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.

telnet
IBM Power Systems

LPAR: kyle  --telnet--> telnetd  LPAR: kenny

# telnet kenny
Trying...
Connected to kenny.lpar.co.uk.
Escape character is '^]'.
telnet (kenny.lpar.co.uk)

AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
Last unsuccessful login: Mon 10 Dec 15:13:58 2007 on /dev/vty0 from count.lpar.co.uk
Last login: Tue 28 Jul 10:59:04 2009 on /dev/pts/0 from nimmaster

kenny.lpar.co.uk:/ #
ec vo


Figure 3-4. telnet AN212.0

Notes:

The telnet command uses the TELNET protocol, which allows remote login to other hosts.
The server host must have the telnetd daemon available.

The syntax is telnet <hostname> [protocol].

There is no automatic login capability with this command on AIX.

The tn command performs the same function as the telnet command.

The default escape sequence to go into telnet subcommand mode on a session started
using the tn command is Ctrl-t.
pr


rexec
IBM Power Systems

LPAR: kyle  --rexec--> rexecd  LPAR: kenny

# rexec kenny date
Name (kenny.lpar.co.uk:root):
Password (kenny.lpar.co.uk:root):
Wed 5 Aug 17:55:04 2009

# cat $HOME/.netrc
machine kenny login root password ibmaix
machine kyle login root password ibmaix

# rexec kenny date                 (auto login; also applicable with the ftp command)
Wed 5 Aug 18:01:18 2009
ec vo


Figure 3-5. rexec AN212.0

Notes:

The rexec command executes a command on the specified server machine. The host
parameter specifies the name of the host where the command is to be executed. The
command parameter specifies the command, including any flags or parameters, to be
executed on the server host.

The rexec command provides an automatic login feature by checking for a
$HOME/.netrc file that contains the user name and password to use at the server host. If
such an entry is not found, rexec prompts for a valid user name and password for the
server host.

The rexec command does not recognize a macdef entry in the .netrc file. If a macdef
entry exists, the rexec command does not fail, but the user gets an error message about
unknown options.

rexec cannot handle commands that use a full screen, such as vi or graphical applications.
The rexec command does support interactive command processing.


The .netrc file

A $HOME/.netrc file in the local user's home directory permits automatic login and
can contain macros that automatically run when called. You can have multiple entries in
this file allowing you to execute on different hosts. You should have only one entry for
each foreign host.

.netrc must be a hidden file in the user's home directory and must be owned by the
user executing the command or by root. As the .netrc file can contain a password,
the permissions on .netrc must be set to 600 (read and write by owner only);
otherwise automatic login will fail.

The machine, login, and password lines may be typed horizontally or vertically in the file.


ftp
IBM Power Systems

LPAR: kyle  --ftp--> ftpd  LPAR: kenny

# ftp kenny
Connected to kenny.lpar.co.uk.
220 kenny.lpar.co.uk FTP server (Version 4.2 Thu Dec 4 10:21:27 CST 2008) ready.
331 Password required for root.
230-Last unsuccessful login: Mon 10 Dec 15:13:58 2007 on /dev/vty0 from count.lpar.co.uk
230-Last login: Wed 5 Aug 18:09:48 2009 on ftp from nimmaster
230 User root logged in.
ftp> put /unix /tmp/unix
200 PORT command successful.
150 Opening data connection for /tmp/unix.
226 Transfer complete.
24456220 bytes sent in 0.4098 seconds (5.828e+04 Kbytes/s)
local: /unix remote: /tmp/unix
ec vo


Figure 3-6. ftp AN212.0

Notes:

Overview

FTP syntax is the command ftp followed by a valid host name on your network.
The remote user name specified at the login prompt must exist and have a password
defined at the remote host.

Alternatively, the client can use $HOME/.netrc to:
• Log in automatically
• Define macros (a set of ftp commands which run as a procedure)

To gain a list of ftp subcommands, type help.

The .netrc file (extension for FTP)

Additionally, for FTP up to 16 macros containing, at most, 4096 characters for all macros
can be defined in one .netrc file. A special macdef named init is always executed upon
successful login to the specified server. All other macdefs must be called by their names
from the ftp> prompt by putting a $ in front of the macdef name.
It is required that macdefs be followed by a blank line, including the last macdef in the file.


Example: .netrc file

$ cat /home/team02/.netrc
machine sys2 login team02 password dalvm3
macdef budget
type binary
cd /weekly/update
put monthly
<Blank line - must be here!! >
macdef inventory
type ascii
get widget /wooden
<Blank line - must be here!! >
machine sys4 login team03 password p4ccf22
macdef init
put file1
get file2
quit
<Blank line - must be here!! >
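As an added example (this is not part of the course and not IBM code), the following POSIX shell script audits a .netrc file against the rules in the two sections above: it tokenizes the file so that horizontal and vertical layouts both parse, skips each macdef body up to its terminating blank line, and then applies the checks rexec and ftp make before honouring the file (mode 600, owner is the invoking user or root, a single entry per host) and lists every account whose password is stored in clear text. The function names are this example's own; the sample it writes to a temporary directory is the team02 file shown above, with the sys4 entry laid out vertically.

```shell
#!/bin/sh
# Added example: audit a $HOME/.netrc the way rexec/ftp treat it (not IBM code).
# Function names (netrc_entries, netrc_check, make_sample_netrc) are this example's own.

# Print one "machine login password-state" line per entry. Tokens are read across
# line boundaries so "machine X login Y" and the vertical layout both parse; a macdef
# body runs from the macro name to the next blank line and is skipped.
netrc_entries() {
    awk '
        function flush() {
            if (mach != "")
                print mach, (login != "" ? login : "-"), (pw != "" ? "password-set" : "no-password")
            mach = ""; login = ""; pw = ""
        }
        /^[ \t]*$/ { inmac = 0; next }              # a blank line terminates a macdef body
        inmac { next }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (want == "machine")  { flush(); mach = tok; want = ""; continue }
                if (want == "login")    { login = tok; want = ""; continue }
                if (want == "password") { pw = tok;    want = ""; continue }
                if (want == "macdef")   { inmac = 1;   want = ""; next }   # tok is the macro name
                if (tok == "machine" || tok == "login" || tok == "password" || tok == "macdef")
                    want = tok
                # any other token (for example an account value) is ignored
            }
        }
        END { flush() }
    ' "$1"
}

# File checks: mode 600, owner is the invoking user or root, one entry per host.
# Prints each finding; returns 0 when the file passes, 1 otherwise.
netrc_check() {
    f=$1; rc=0
    perms=$(ls -l "$f" | cut -c1-10)
    case $perms in
        -rw-------) ;;
        *) echo "$f: mode is $perms, expected -rw------- (600); automatic login will fail"; rc=1 ;;
    esac
    owner=$(ls -l "$f" | awk '{ print $3 }')
    if [ "$owner" != "$(id -un)" ] && [ "$owner" != root ]; then
        echo "$f: owned by $owner, must be owned by $(id -un) or root"; rc=1
    fi
    dups=$(netrc_entries "$f" | awk '{ print $1 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$f: more than one entry for host(s): $(echo $dups)"; rc=1
    fi
    # Every stored password is a clear-text credential on disk; list the accounts
    # that are exposed if the file is ever read by someone else.
    netrc_entries "$f" | awk -v f="$f" '$3 == "password-set" { print f ": clear-text password stored for " $2 "@" $1 }'
    return $rc
}

# Constructed sample: the team02 file from the course text, sys4 entered vertically,
# written with mode 644 so the audit has something to report.
make_sample_netrc() {
    d=$(mktemp -d) || return 1
    cat > "$d/.netrc" <<'EOF'
machine sys2 login team02 password dalvm3
macdef budget
type binary
cd /weekly/update
put monthly

macdef inventory
type ascii
get widget /wooden

machine
sys4
login team03
password p4ccf22
macdef init
put file1
get file2
quit

EOF
    chmod 644 "$d/.netrc"
    echo "$d/.netrc"
}

# Usage: sh netrc_audit.sh ~/.netrc   (exit status 0 only when every check passes)
if [ -n "$1" ]; then
    netrc_check "$1"
fi
```

The exit status is 0 only when every check passes, so the script can be called from a login-time or compliance script; the list of clear-text passwords is printed regardless, because that is the exposure the 600 rule exists to limit.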

The /etc/ftpusers file

User names listed in the /etc/ftpusers file on the server must also appear in the
server's /etc/passwd file.

/etc/ftpusers is a list of client users who do not have permission to ftp into the server's
system. The ftpd daemon on the server does not allow access to the user names listed
in this file.

/etc/ftpusers can be built with vi, through smit ftpusers or by using the ruser
command.
Anonymous ftp

Anonymous ftp is a way to allow client users to use ftp to log in to a server without having to
supply a password. Although the client is prompted for a password, no password needs to
be supplied. By convention the password is the name of the client host initiating this type of
FTP.

There is a script provided that builds the anonymous ftp directory tree structure. This script
is named /usr/samples/tcpip/anon.ftp. It creates the directory structure and
additionally creates the two anonymous FTP accounts called anonymous and ftp. Both
have an * in the password field on the server.

When users do an ftp to an anonymous ftp server and log in as ftp or anonymous, they will
find themselves in the /home/ftp directory. The server executes the chroot command in
the home directory of the FTP user account when the FTP user logs in. For greater
security, be sure to implement the following rules when you construct the FTP subtree.
• Make the /home/ftp home directory owned by root with permissions of 555.
• Make the /home/ftp/bin directory owned by the root user and unwritable by anyone
  else. The ls program must be present in this directory to support the list command. This
  program should have permissions of 111 and the directory permissions of 555.
• Make the /home/ftp/etc directory owned by the root user and unwritable by anyone.
• The /home/ftp/pub directory mode is 777 and owned by ftp. Users should then place files
  that are to be accessible through the anonymous account in this directory.


r* commands
IBM Power Systems

LPAR: kyle  --r*--> rlogind or rshd  LPAR: kenny

# rlogin kenny
root's Password:
#
<CTRL D>

# rlogin kenny -l alex          (note: is the same as # rsh kenny -l alex)
alex's Password:
$
<CTRL D>

# rsh kenny -l alex date
rshd: 0826-813 Permission is denied.

# rcp -r DNSbak alex@kenny:.
rshd: 0826-813 Permission is denied.
ec vo


Figure 3-7. r* commands AN212.0

Notes:

The r* commands

• The rlogin command performs a remote login on behalf of the user. If the user wants to
  log in using a user name other than the one he/she is currently logged in as, the -l
  option is used along with the new user name.
• The rsh command executes specified commands on the server host. If executed
  without a command argument, it acts as an rlogin and logs the user in. The -l option is
  also applicable to rsh. By default, if remote commands are to be executed,
  authentication must be configured. Otherwise, a "Permission is denied" error will occur.
• The rcp command is a subset of the rshd and is responsible for copying files remotely.


r* authentication files
IBM Power Systems

• /etc/hosts.equiv
  – Defines which client users are permitted to execute commands on the
    server without supplying a password
  – Not applicable to root
• $HOME/.rhosts
  – Defines a list of users who are not required to supply a login password
    when they execute rcp, rlogin, and rsh using a server user account
• Ideally, both files should be given 600 permissions.

# format for /etc/hosts.equiv / .rhosts
+                   # allow all users from all hosts
+ root              # allow any root user
kyle alex           # allow user alex from kyle
kyle -francois      # disallow user francois from kyle


Figure 3-8. r* authentication files AN212.0

Notes:

The /etc/hosts.equiv file, along with any local $HOME/.rhosts files, defines the
hosts (computers on a network) and user accounts that can invoke remote commands on a
local host without supplying a password. A user or host that is not required to supply a
password is considered trusted.

When a local host receives a remote command request, the appropriate local daemon first
checks the /etc/hosts.equiv file to determine if the request originates with a trusted
user or host. For example, if the local host receives a remote login request, the rlogind
daemon checks for the existence of a hosts.equiv file on the local host. If the file exists
but does not define the host or user, the system checks the appropriate $HOME/.rhosts
file. This file is similar to the /etc/hosts.equiv file, except that it is maintained for
individual users.

Both files, hosts.equiv and .rhosts, must have permissions denying write access to
group and other. If either group or other have write access to a file, that file will be ignored.

Do not give write permission to the /etc/hosts.equiv file to group and other.
Permissions of the /etc/hosts.equiv file should be set to 600 (read and write by owner
only).

If a remote command request is made by the root user, the /etc/hosts.equiv file is
ignored and only the /.rhosts file is read.

r* authentication files in action
IBM Power Systems

• .rhosts example:
alex@kenny $ id
uid=204(alex) gid=1(staff)
alex@kenny $ cat .rhosts
nimmaster zion

zion@nimmaster # rsh kenny -l alex date
Wed 5 Aug 20:18:16 2009

• hosts.equiv example:
root@kenny # cat /etc/hosts.equiv
+ alex

alex@nimmaster # rcp file* alex@kenny:.


Figure 3-9. r* authentication files in action AN212.0

Notes:

In the first example, a user named zion on the system named nimmaster tries to run the
date command on the system named kenny with the authority of the user alex (who is a
user defined on system kenny). The rshd daemon checks the .rhosts file in user alex's
home directory and finds that user zion from system nimmaster is allowed to run with the
authority of alex.

In the second example, user alex on system nimmaster is trying to copy a file from
nimmaster to the system named kenny, with the authority of alex on the target system.
The /etc/hosts.equiv file has an entry that states that if a client system has pre-authenticated
alex, to allow that user to run with alex's authority on this system also.
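To make the lookup order in the last three sections concrete, here is an added shell model (not IBM code and not rshd's implementation) of how a trust decision is reached from /etc/hosts.equiv and the target account's .rhosts, together with a small audit that flags wildcard entries. It implements the entry forms on the format visual (+, + user, host user, host -user) plus a bare host entry, which I assume means "the same user name from that host"; I also assume that a negative match in /etc/hosts.equiv is final, that root never consults /etc/hosts.equiv, and that a file with group or other write access is ignored, as the notes state. The sample files reproduce the two examples on the visual, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM code): a model of the hosts.equiv/.rhosts lookup described in
# the course notes, plus an audit for wildcard entries. Function names are this example's own.

# A trust file is consulted only if group and other have no write permission.
rfile_usable() {
    [ -f "$1" ] || return 1
    case $(ls -l "$1" | cut -c1-10) in
        ?????-??-?) return 0 ;;          # columns 6 and 9 are the group/other write bits
        *) return 1 ;;
    esac
}

# Print "allow", "deny", or nothing for one file.
# $1 file  $2 remote host  $3 remote user  $4 local account being used
rfile_match() {
    awk -v rh="$2" -v ru="$3" -v lu="$4" '
        /^[ \t]*$/ || /^#/ { next }
        {
            h = $1; u = (NF >= 2) ? $2 : ""
            if (h != "+" && h != rh) next                        # host field must match
            if (u == "")                { if (ru == lu) { print "allow"; exit }; next }   # bare host: same user name (assumption)
            if (substr(u, 1, 1) == "-") { if (substr(u, 2) == ru) { print "deny"; exit }; next }
            if (u == "+" || u == ru)    { print "allow"; exit }
        }
    ' "$1"
}

# Lookup order from the notes: /etc/hosts.equiv first (never for root), then the
# target account's .rhosts. A negative match in hosts.equiv is treated as final.
# $1 remote host  $2 remote user  $3 local account  $4 hosts.equiv path  $5 .rhosts path
rtrust() {
    rh=$1; ru=$2; lu=$3; equiv=$4; rhosts=$5
    if [ "$lu" != root ] && rfile_usable "$equiv"; then
        case $(rfile_match "$equiv" "$rh" "$ru" "$lu") in
            allow) echo "allow $ru@$rh as $lu ($equiv)"; return 0 ;;
            deny)  echo "deny $ru@$rh as $lu ($equiv)";  return 1 ;;
        esac
    fi
    if rfile_usable "$rhosts"; then
        case $(rfile_match "$rhosts" "$rh" "$ru" "$lu") in
            allow) echo "allow $ru@$rh as $lu ($rhosts)"; return 0 ;;
        esac
    fi
    echo "deny $ru@$rh as $lu (no trusted entry; password required)"
    return 1
}

# Audit: report entries that trust every host or every user.
rfile_wildcards() {
    awk -v f="$1" '
        /^[ \t]*$/ || /^#/ { next }
        $1 == "+" || $2 == "+" { print f ": line " NR ": \"" $0 "\" trusts every " ($1 == "+" ? "host" : "user") }
    ' "$1"
}

# Constructed files reproducing the two examples on the visual.
make_sample_rfiles() {
    d=$(mktemp -d) || return 1
    printf '+ alex\nkyle -francois\n' > "$d/hosts.equiv"     # as shown on root@kenny
    printf 'nimmaster zion\n' > "$d/alex.rhosts"             # alex's $HOME/.rhosts on kenny
    chmod 600 "$d/hosts.equiv" "$d/alex.rhosts"
    echo "$d"
}

# Usage: sh rtrust.sh <remote-host> <remote-user> <local-account> [/etc/hosts.equiv] [~account/.rhosts]
if [ $# -ge 3 ]; then
    rtrust "$1" "$2" "$3" "${4:-/etc/hosts.equiv}" "${5:-}"
fi
```

The wildcard audit is the part worth scheduling: a lone + in either file is what turns an IP-address check into no check at all, and the file-mode test shows why a .rhosts left group-writable silently stops working rather than failing loudly.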


dsh
IBM Power Systems

• Distributed shell, part of dsm.dsh fileset
• Allows multiple commands to be run simultaneously on a number of hosts
  – Using either rsh (default) or ssh as the mechanism
    • To use ssh: # export DSH_REMOTE_CMD=/usr/bin/ssh
  – Must be able to SSH without being prompted for a password (covered in the
    following SSH unit).

nimmaster # export DSH_GROUP_LIST=/aix/dshgroup
nimmaster:/aix # cat dshgroup
kenny
kyle
eric
nimmaster:/aix # dsh "printf '$(date)'; uname -a"
kenny.lpar.co.uk: rshd: 0826-813 Permission is denied.        (error on kenny: rsh permissions incorrect)
dsh: 2617-009 kenny.lpar.co.uk remote shell had exit code 1
eric.lpar.co.uk: Wed 5 Aug 20:35:43 2009AIX eric 1 6 00CF2E7F4C00
kyle.lpar.co.uk: Wed 5 Aug 20:35:43 2009AIX kyle 1 6 00CF2E7F4C00


Figure 3-10. dsh AN212.0

Notes:

Overview

The dsh command concurrently runs commands on multiple nodes and hardware devices.
The dsh command issues a remote shell command for each target specified and returns
the output from all targets, formatted so that command results from all nodes can be
managed. By default, /usr/bin/rsh is the model for syntax and security. This can be
changed to ssh or kerberized rsh by setting the environment variable
DSH_REMOTE_CMD. The dsh command is a DSM utility.

Target specification

A target is a node or hardware device where a remote command will be executed. Node
targets are specified using the -a, --all-nodes context_list, -n node_list, and -N
nodegroups flags or the DSH_NODE_LIST environment variable. The DSH_NODE_LIST
and DSH_DEVICE_LIST environment variables specify files listing target nodes and
devices. The file format is one target per line. Blank lines and comment lines beginning with
# are ignored.


Identifying groups of targets

For convenience, you can create one or more node group files, each containing a list of
targets. The node group file contains one hostname or TCP/IP address per line for each
node that is a group member. Blank lines and comment lines beginning with # are ignored.
There are several different ways to identify one or more of these group definitions to the
dsh command. One common way is to identify a list of these group definition files as the
value of the environment variable DSH_GROUP_LIST.

Mode

DSH can be used in non-interactive (shown in the visual) or interactive mode. Here is an
example of using DSH in interactive mode:

# dsh -N dshgroup
dsh> df -m /var
eric.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
eric.lpar.co.uk: /dev/hd9var 320.00 219.70 32% 5016 7% /var
kenny.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
kenny.lpar.co.uk: /dev/hd9var 320.00 219.30 32% 5027 7% /var
kyle.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
kyle.lpar.co.uk: /dev/hd9var 320.00 219.07 32% 5029 7% /var

dsh> ls -l /unix
kyle.lpar.co.uk: lrwxrwxrwx 1 root system 21 21 Jul 10:43 /unix -> /usr/lib/boot/unix_64
eric.lpar.co.uk: lrwxrwxrwx 1 root system 21 21 Jul 10:37 /unix -> /usr/lib/boot/unix_64
kenny.lpar.co.uk: lrwxrwxrwx 1 root system 21 21 Jul 10:42 /unix -> /usr/lib/boot/unix_64

DSH can also run scripts held locally on remote systems and run them as specific
users, specified by the -l flag, as follows:

# dsh -N mynodes -e ./listunix -l alex
kyle.lpar.co.uk: lrwxrwxrwx 1 root system 21 Jun 26 20:39 /unix -> /usr/lib/boot/unix_64
eric.lpar.co.uk: lrwxrwxrwx 1 root system 21 Jun 26 20:26 /unix -> /usr/lib/boot/unix_64
kenny.lpar.co.uk: lrwxrwxrwx 1 root system 21 Jun 26 20:33 /unix -> /usr/lib/boot/unix_64
Remote shell environment

The shell environment used on the remote target defaults to the shell defined for the
user ID used for remote command execution. The command syntax used for remote
command execution can be specified using the -S flag. If -S is not specified, the syntax
defaults to KSH syntax.

When commands are executed on the remote target, the path used is determined by the
DSH_PATH environment variable defined in the shell of the current user. If DSH_PATH is not
set, the path used is the remote shell default path. For example, to set the local path for the
remote targets, use: DSH_PATH=$PATH

The -E flag exports a local environment definition file to each remote target. Environment
variables specified in this file are defined in the remote shell environment before the
command_list is executed.
Command output

The dsh command waits until complete output is available from each remote shell process
and then displays that output before initiating new remote shell processes. This default
behavior is overridden by the -s flag.

The dsh command output consists of standard error and standard output from the remote
commands. The dsh standard output is the standard output from the remote shell
command. The dsh standard error is the standard error from the remote shell command.
Each line is prefixed with the host name of the node that produced the output. The host
name is followed by the : character and a command output line. A filter for displaying
identical outputs grouped by node is provided separately. See the dshbak command for
more information.

Output for each target can be copied to a file using the -F output_path flag. Standard
output for each target is written to the target.output file in the output_path directory,
and standard error for each target is written to the target.error file in the
output_path directory. The -F flag does not suppress output on the console.

A command can be run silently using the -Q flag; no output from each target's standard
output or standard error is displayed. If the -F flag is specified, output continues to be
written to output files.
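As an added example (not IBM code, and not the dsh or dshbak commands), here are two shell filters for the conventions just described: one reads a node group file with the blank-line and # rules above, the other reads "host: line" output and groups the nodes whose complete output is identical, which is what the notes describe dshbak as doing. The sample output is constructed from the visual (kenny's refused rsh, eric and kyle returning the same link), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM code, not dsh/dshbak): filters for dsh's target-file and
# "host: line" output conventions. Function names are this example's own.

# Print the targets named in the node group file $1 (blank and # lines ignored).
dsh_targets() {
    awk '/^[ \t]*$/ || /^[ \t]*#/ { next } { print $1 }' "$1"
}

# Group dsh output (stdin) by identical per-node output. Lines without a "host: "
# prefix, and dsh's own "dsh: ..." diagnostics, are passed through unchanged.
dsh_group() {
    awk '
        {
            i = index($0, ": ")
            if (i == 0 || substr($0, 1, i - 1) == "dsh") { print; next }
            host = substr($0, 1, i - 1)
            if (!(host in out)) { order[++n] = host; out[host] = "" }
            out[host] = out[host] substr($0, i + 2) "\n"
        }
        END {
            for (k = 1; k <= n; k++) {
                h = order[k]
                if (h in done) continue
                hosts = h
                for (j = k + 1; j <= n; j++)
                    if (!(order[j] in done) && out[order[j]] == out[h]) {
                        hosts = hosts ", " order[j]; done[order[j]] = 1
                    }
                done[h] = 1
                print "HOSTS -------- " hosts " --------"
                printf "%s", out[h]
            }
        }
    '
}

# Constructed dsh output modelled on the visual: kenny refused the rsh, eric and kyle
# returned the same symbolic link.
sample_dsh_output() {
    cat <<'EOF'
kenny.lpar.co.uk: rshd: 0826-813 Permission is denied.
dsh: 2617-009 kenny.lpar.co.uk remote shell had exit code 1
eric.lpar.co.uk: /unix -> /usr/lib/boot/unix_64
kyle.lpar.co.uk: /unix -> /usr/lib/boot/unix_64
EOF
}

# Usage: dsh -N dshgroup "ls -l /unix" > out.txt; sh dsh_group.sh out.txt
if [ -n "$1" ]; then
    dsh_group < "$1"
fi
```

Grouping by identical output is the quickest way to spot the odd node out across a fleet: in the sample, the refused host appears in a group of its own with the rshd message, while the two healthy nodes collapse into one block.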
Reporting

Output from the dsh command can be saved to a report on the local host. The --report
report_path flag enables report generation to the specified report_path directory.
Reporting is also enabled by defining the DSH_REPORT environment variable with the
report_path. The --report flag overrides the DSH_REPORT environment variable.

The --report-name flag defines a report name if reporting is enabled. The report name is
also the subdirectory of report_path that contains the report files. A numerical index is
appended to the subdirectory name to allow multiple reports with the same name. If the
--report-name flag is not used, the name defaults to Unspecified.

Summary HTML and XML report files are created, in addition to an XML results file.


Security
IBM Power Systems

• A number of inetd services are no longer considered secure:
  – Passwords sent as plain text (easily sniffed)
  – Authentication based on user name and IP address (easily forged)
• The securetcpip command runs tcbck -a, which disables the nontrusted commands and daemons:
  – rcp, rlogin, rlogind, rsh, rshd, tftp, and tftpd
  – Ability to specify a password in .netrc files
• The aixpert command sets the system security level and can disable insecure services
• telnet, ftp, rexec, rsh, rcp, and rlogin functions normally replaced with the SSH protocol
  – Some commands (rsh, rlogin, and others) can be kerberized using
    Kerberos Version 5 support


Figure 3-11. Security AN212.0

Notes:

A number of TCP/IP services could compromise the security of a system without careful
implementation. These include the Berkeley commands and tftp, which allow access
without passwords, and the ftp/exec commands, which can have passwords supplied by the
.netrc file. Also, the commands that do use passwords send these passwords in plain
text over the network, which makes them easy to sniff.

Because of these issues, these commands are normally disabled. You can do this
manually by commenting out the proper lines from the /etc/inetd.conf file, but you can also
use the securetcpip command. The securetcpip script is in the directory
/usr/lpp/bos.net/inst_root/etc.

The aixpert command can be used to set a wide variety of system security configuration
settings. The aixpert functionality is much more feature rich than using securetcpip.

If you have machines that require the tftp protocol service to boot from a server, the tftp
daemon can be initialized only by using the /etc/tftpaccess.ctl file. A sample can be
found in the /usr/samples/tcpip directory.
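The manual route described above, commenting out lines in /etc/inetd.conf, is easy to audit. As an added example (not IBM code and not securetcpip), this shell script lists which of the service entries for the nontrusted daemons on the visual (ftp, telnet, shell, login, exec, tftp) are still enabled and writes a hardened copy with them commented out and tagged. The sample inetd.conf is constructed in the AIX layout; the function names and the INSECURE_SERVICES list are this example's own choices.

```shell
#!/bin/sh
# Added example (not IBM code, not securetcpip): report enabled insecure inetd services
# and write a hardened copy of inetd.conf. An inetd.conf line is
# "service socket protocol wait/nowait user program args"; a leading # disables it.
# Function names and the service list are this example's own.

# inetd service names for the daemons on the visual: rshd (shell), rlogind (login),
# rexecd (exec), tftpd, telnetd and ftpd.
INSECURE_SERVICES="shell login exec tftp telnet ftp"

# Print the insecure services that are enabled (not commented out) in $1.
inetd_enabled_insecure() {
    awk -v list="$INSECURE_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 in bad) { print $1 }
    ' "$1"
}

# Copy $1 to $2, commenting out every enabled insecure service line and tagging it
# so a later reviewer can see why the line was disabled.
inetd_harden() {
    awk -v list="$INSECURE_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        !/^[ \t]*#/ && !/^[ \t]*$/ && ($1 in bad) { print "#" $0 "\t#  disabled: insecure service"; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample in the AIX /etc/inetd.conf layout; tftp is already commented out.
make_sample_inetd_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
## service socket protocol wait/nowait user server_path server_args
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd          rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind       rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd        rexecd
#tftp   dgram   udp6    SRC     nobody  /usr/sbin/tftpd         tftpd -n
ntalk   dgram   udp     wait    root    /usr/sbin/talkd         talkd
EOF
    echo "$f"
}

# Usage: sh inetd_audit.sh /etc/inetd.conf [hardened-copy]
if [ -n "$1" ]; then
    inetd_enabled_insecure "$1"
    if [ -n "$2" ]; then
        inetd_harden "$1" "$2"
    fi
fi
```

The script deliberately writes a copy rather than editing in place so the diff can be reviewed before it replaces /etc/inetd.conf; on AIX, after the real file changes, refresh -s inetd makes the daemon reread it.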

Some commands can be Kerberized. Kerberos is a network authentication service that
provides a means of verifying the identities of principals (users and hosts) on physically
insecure networks. Kerberos provides mutual authentication, data integrity, and privacy
under the realistic assumption that network traffic is vulnerable to capture, examination,
and substitution. Kerberos Version 5 is available on the AIX expansion pack and is badged
under the name Network Authentication Service.

If you disable these commands, you are probably going to want functional replacements for
them, which do solve the security issues. This is normally implemented with the SSH
protocol, which is covered in the next unit.


Checkpoint
IBM Power Systems

1. Name three commands that can be used for remote login.
2. Name two commands that can be used to transfer files.
3. Name two commands that can be used for remote execution.
4. Name three mechanisms you can deploy to harden system security.


Figure 3-12. Checkpoint AN212.0

Notes:


Exercise introduction
IBM Power Systems

• In this exercise, you will:
  – Use inetd based remote commands.


Figure 3-13. Exercise introduction AN212.0

Notes:


Unit summary
IBM Power Systems

Having completed this unit, you should be able to:
• Configure the inetd daemon
• Log in to remote systems with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands


Figure 3-14. Unit summary AN212.0

Notes:

Unit 4. OpenSSH

What this unit is about

This unit describes the OpenSSH protocol.

What you should be able to do

After completing this unit, you should be able to:
• Discuss problems with telnet, ftp, rlogin, rsh, rcp, rexec
• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy / SOCKS server

How you will check your progress

• Checkpoint questions
• Lab exercises

© Copyright IBM Corp. 2010, 2013 Unit 4. OpenSSH 4-1



Unit objectives
IBM Power Systems

After completing this unit, you should be able to:
• Discuss problems with telnet, ftp, rlogin, rsh, rcp, and rexec
• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy and SOCKS server


Figure 4-1. Unit objectives AN212.0

Notes:


telnet, ftp, r* problems
IBM Power Systems

• telnet, ftp, rexec, rsh, and rcp are traditional commands used for remote login,
  file transfer, and remote execution
• Authentication is usually based on password
  – Sent as plain text
  – Vulnerable to sniffing
  – Need to remember each password for each account
• Authentication can also be based on IP address
  – Uses /etc/hosts.equiv or $HOME/.rhosts file
  – Vulnerable to IP address spoofing
  – Dependent on name resolution


Figure 4-2. telnet, ftp, r* problems AN212.0

Notes:

Various problems are associated with the traditional methods of remote login, file transfer,
and remote execution. The most important problem is that passwords are passed around in
clear text, available for anybody to see with a sniffer. That person can then use your
password to authenticate as you and break into your account. This is made worse by the
fact that people usually have accounts on multiple servers and do not use a different
password for each account. If they do, they generally need to write down all these
passwords somewhere because it is too hard to remember them all. The second problem is
that authentication can be configured by a user to be based on IP address instead of
password using the .rhosts file and by the superuser using the /etc/hosts.equiv
file. This is vulnerable to IP spoofing and, if hostnames instead of IP addresses are used,
dependent on a DNS server which itself might be compromised.

© Copyright IBM Corp. 2010, 2013 Unit 4. OpenSSH 4-3



SSH protocol (1 of 2)

• First developed by Tatu Ylönen, a researcher at Helsinki University of Technology, Finland (1995)
• OpenSSH is the most popular SSH implementation
• Based on a client-server model
  – Server daemon:
    • sshd, configured through /etc/ssh/sshd_config
  – Client programs:
    • ssh: remote login, remote execution
    • scp: remote copy
    • sftp: remote file transfer
• OpenSSH defaults to SSH2 (version 2 of the protocol)


Figure 4-3. SSH protocol (1 of 2) AN212.0

Notes:

OpenSSH was created by the OpenBSD team as a free alternative to the original SSH software by Tatu Ylönen, which became proprietary. Tatu Ylönen was a researcher at Helsinki University of Technology, Finland.

A typical SSH implementation consists of three client programs:

- ssh, which is used for remote logins and remote command execution.
- scp, which is used for remote copy.
- sftp, which is used for remote file transfer.

In addition, the SSH server host runs a server program, or daemon, called sshd.

The SSH protocol (version 2) is defined in RFCs 4250-4256, 4335, 4344, and 4345. Extensions to the protocol are in RFCs 4419, 4432, 4462, 4716, 5656, and 6594.


SSH protocol (2 of 2)

• Uses encryption to protect data in transit
  – Support for various encryption algorithms
  – Sniffing attack no longer practical
• Uses public key algorithms to authenticate the server (host key)
  – If the client verifies the host key, man-in-the-middle attacks are detected
• Can use public key algorithms to also authenticate the user
  – Account passwords no longer needed for login


Figure 4-4. SSH protocol (2 of 2) AN212.0

Notes:

SSH uses strong encryption to protect the data in transit, which defeats sniffers. It uses public key cryptography to authenticate the server to the client: the server proves possession of its host key, and the client compares that key with the one it has on record. A man-in-the-middle attack therefore fails as long as the client has the genuine host key and refuses unknown or changed keys. Optionally, the user is authenticated with public key algorithms as well, instead of with a password. This spares the user the ordeal of having a different password for every account and removes reusable passwords from the wire altogether.


Using SSH on AIX



• Prerequisites (on the AIX Expansion Pack CD), packaged in LPP format:
  – openssh.base.client
  – openssh.base.server
  – openssh.license
  – openssh.man.en_US
• The OpenSSH daemon is started automatically through the System V init scripts in /etc/rc.d/rc2.d (not from inetd)
• Start and stop control via SRC (sshd defaults to port 22):

# stopsrc -s sshd
# startsrc -s sshd
# lssrc -s sshd
Subsystem         Group            PID          Status
 sshd             ssh              303258       active

Figure 4-5. Using SSH on AIX AN212.0

Notes:

The OpenSSH filesets are on the AIX Expansion Pack. The server daemon (sshd) is controlled with SRC commands (startsrc, stopsrc, lssrc); the SRC refresh operation is not supported, so a configuration change requires a stop and a start. Once installed, the SSH daemon is set to start at system boot time through the System V init scripts in /etc/rc.d/rc2.d.


sshd

• On startup:
  – Reads /etc/ssh/sshd_config
  – Loads the host keys:
    • /etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public)
    • /etc/ssh/ssh_host_dsa_key (private) and /etc/ssh/ssh_host_dsa_key.pub (public)
• Can be configured to listen on multiple ports
• Host authentication defaults to RSA
• On first connection, the client (by default) displays the fingerprint of the server's RSA host public key
  – The user must accept the key, and then enter the login password
  – On subsequent connections, the stored host key is compared with the key the server presents

Figure 4-6. sshd AN212.0

Notes:

The sshd daemon process runs on the server. It is usually not run out of inetd, because of the initialization work done at each start of the daemon; it is normally started once and listens for connections itself. Every sshd host (server) needs a host key pair. This is done at install time with the make host-key command. Two key pairs are created, one for RSA (Rivest-Shamir-Adleman) and one for DSA (Digital Signature Algorithm). They are stored in /etc/ssh/ssh_host_<rsa|dsa>_key (private key, readable by root only) and /etc/ssh/ssh_host_<rsa|dsa>_key.pub (public key).

New key pairs can be generated with the ssh-keygen command. Remember that replacing a host key makes every client that has the old key on record report a key mismatch on its next connection.

Note: A useful thing to know is that sshd can be started with the -d option. This prevents sshd from forking itself into the background and sends all debug output to stdout/stderr, which is very useful for debugging a faulty configuration file.


Client connection: ssh usage



• On the server, the fingerprint of the host public key can be viewed:

statler (server) /etc/ssh # ssh-keygen -l -f ssh_host_rsa_key.pub
2048 53:81:d6:9e:a7:71:eb:8c:f7:46:7a:b4:d5:68:75:5f

• Syntax: ssh [options] [user@]hostname [command]

waldorf (client) # ssh root@statler
The authenticity of host 'statler (10.47.1.19)' can't be established.
RSA key fingerprint is 53:81:d6:9e:a7:71:eb:8c:f7:46:7a:b4:d5:68:75:5f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'statler,10.47.1.19' (RSA) to the list of known hosts.
root@statler's password:
statler:/ # exit

waldorf:/ # ls -l $HOME/.ssh/known_hosts
-rw-r--r--   1 root     system          401 06 May 12:21 //.ssh/known_hosts

(The accepted public key is written to the known_hosts file.)

Figure 4-7. Client connection: ssh usage AN212.0

Notes:

On first connection, the client is shown the fingerprint of the server's host public key together with a warning that this host is unknown, and the user can accept or refuse it. Before accepting, the fingerprint should be compared with the one obtained from the server administrator (for example, from ssh-keygen -l run on the server, as shown in the visual); accepting an unverified key is exactly the moment a man-in-the-middle attack succeeds. Once accepted, the key is written to the $HOME/.ssh/known_hosts file. On subsequent connections, the key presented by the server is compared with the stored key and the user is warned if they do not match. When the StrictHostKeyChecking option is set to yes, either in $HOME/.ssh/config or in /etc/ssh/ssh_config, the client only connects to hosts whose public key is already stored in /etc/ssh/ssh_known_hosts or $HOME/.ssh/known_hosts, and refuses to connect when the key has changed. Combined with verified keys, this prevents man-in-the-middle attacks.
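The following script is an added example and is not part of the IBM course material. It pulls together the server-side tasks of the last two visuals: checking a changed sshd_config (including the Port directives used for listening on several ports) before the stop/start through SRC that the unsupported refresh operation forces on you, and printing the host key fingerprints that users must compare on their first connection. It assumes the AIX layout used in this unit (configuration in /etc/ssh, SRC subsystem sshd, daemon at /usr/sbin/sshd with the -t test option); only the configuration-parsing helpers can be exercised without a running system.

```sh
#!/bin/sh
# Added example (not from the IBM course): check sshd_config, restart sshd
# through SRC, and publish host key fingerprints for out-of-band verification.
# Assumptions: OpenSSH from the AIX Expansion Pack (config in /etc/ssh, SRC
# subsystem "sshd", daemon at /usr/sbin/sshd supporting "sshd -t").

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Ports sshd will listen on, one per line, taken from the Port directives
# (comments ignored, keyword case-insensitive). No Port line means 22.
# ListenAddress lines can carry their own port; they are not parsed here.
listen_ports() {  # $1 = path to sshd_config
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' $ports; else echo 22; fi
}

# Returns 0 if every configured port is a number in 1..65535, 1 otherwise.
ports_valid() {  # $1 = path to sshd_config
    for p in $(listen_ports "$1"); do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Let the daemon itself parse the file before touching the running service;
# a typo discovered only after stopsrc would leave the host without remote access.
check_config() {  # $1 = path to sshd_config
    ports_valid "$1" && /usr/sbin/sshd -t -f "$1"
}

# refresh -s sshd is not supported, so stop and start. Sessions already
# established are served by their own sshd child processes and normally survive.
restart_sshd() {
    check_config "$SSHD_CONFIG" || {
        echo "sshd_config invalid, not restarting" >&2
        return 1
    }
    stopsrc -s sshd && startsrc -s sshd && lssrc -s sshd
}

# Fingerprints users must see on their first connection. Hand these out
# through a channel other than the network the SSH connection is meant to protect.
host_key_fingerprints() {
    for pub in /etc/ssh/ssh_host_*_key.pub; do
        [ -f "$pub" ] && ssh-keygen -l -f "$pub"
    done
}
```

Typical use after editing the configuration is `restart_sshd`; if `sshd -t` reports an error, nothing is stopped. The fingerprint list is what you publish (on an intranet page, in the change ticket) so that a user who sees a different fingerprint on first connection knows not to type `yes`.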

Logging in without supplying a password (1 of 2)



• Public key authentication: the server challenges the client to prove possession of the private key that matches a registered public key
• Two key types: RSA or DSA (near identical procedure)
• From the client, generate a public/private key pair:

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):        <- left blank in this example
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
a9:80:85:62:9f:da:6f:e5:c7:99:a3:18:73:f6:c6:b5 root@waldorf.lpar.co.uk

Figure 4-8. Logging in without supplying a password (1 of 2) AN212.0

Notes:

Public key authentication requires each user to generate a key pair on the client host with the ssh-keygen command, which stores the private and public keys in $HOME/.ssh (id_rsa and id_rsa.pub). The private key can be protected with a passphrase so that anyone who gets hold of the file, including an administrator of the client machine, cannot use it. The user then transfers the public key to the server and adds it to $HOME/.ssh/authorized_keys there. After that, the user can log in without supplying the account password; the server instead verifies a signature made with the private key.

Logging in without supplying a password (2 of 2)



• Install the public key on the server side
  – Key file: $HOME/.ssh/authorized_keys (RSA and DSA keys alike)
  – $HOME/.ssh/authorized_keys2 is an older name that current OpenSSH still reads but treats as deprecated
  – The file must not be writable by group or others, or sshd ignores it (StrictModes)

waldorf:/ # MY_KEY=`cat /.ssh/id_rsa.pub`
waldorf:/ # ssh root@statler "echo $MY_KEY >> /.ssh/authorized_keys"

• The user can now log in without entering a password.
• Useful for automating tasks (for example, backups).
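As an added example (not part of the IBM course), the script below does the key installation that the visual shows with echo >> authorized_keys the way an administrator would want it done: idempotently, with the permissions sshd's StrictModes demands, and, for an automation key such as the backup case above, restricted so that a stolen key can only run one command from one source address. The authorized_keys options (from=, command=, no-port-forwarding, no-pty, ...) are OpenSSH's own; the key text, host names, paths and the forced command are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the IBM course): install a public key in
# authorized_keys idempotently, with correct permissions, optionally
# restricted for unattended use. OpenSSH authorized_keys options are used;
# key text, hosts, and the forced command below are made up for illustration.

# Build one authorized_keys line.  $1 = public key text (content of id_rsa.pub)
# $2 = source pattern for from= ("" for none), $3 = forced command ("" for none).
# A forced command also drops pty, port, X11 and agent forwarding, so the key
# is only good for that one job even if it leaks.
authorized_key_line() {
    opts=""
    [ -n "$2" ] && opts="from=\"$2\""
    if [ -n "$3" ]; then
        [ -n "$opts" ] && opts="$opts,"
        opts="${opts}command=\"$3\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
    fi
    if [ -n "$opts" ]; then printf '%s %s\n' "$opts" "$1"; else printf '%s\n' "$1"; fi
}

# Append the line to $1/.ssh/authorized_keys unless it is already there, and
# make ~/.ssh 700 and the file 600: with StrictModes (the default) sshd
# silently ignores an authorized_keys file that group or others can write.
install_authorized_key() {  # $1 = home directory of the target account, $2 = line
    (
        umask 077
        dir="$1/.ssh"; file="$dir/authorized_keys"
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        touch "$file" && chmod 600 "$file" || exit 1
        grep -qxF -- "$2" "$file" || printf '%s\n' "$2" >> "$file"
    )
}

# Number of keys (non-blank, non-comment lines) installed for an account.
installed_key_count() {  # $1 = home directory
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$f" | grep -cv '^[[:space:]]*$' || true
}

# Same job over the network, replacing the slide's plain
#   ssh root@statler "echo $MY_KEY >> /.ssh/authorized_keys"
# $1 = [user@]host (password login still works at this point), $2 = line.
remote_install_authorized_key() {
    case "$2" in *"'"*) echo "key line must not contain single quotes" >&2; return 1 ;; esac
    ssh "$1" "umask 077; mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && \
{ grep -qxF -- '$2' ~/.ssh/authorized_keys || printf '%s\n' '$2' >> ~/.ssh/authorized_keys; }"
}

# Example (client side):
#   KEY=$(cat "$HOME/.ssh/id_rsa.pub")
#   LINE=$(authorized_key_line "$KEY" "waldorf.lpar.co.uk" "/usr/local/bin/run_backup")
#   remote_install_authorized_key root@statler "$LINE"
```

Running the installation twice leaves one entry, which matters for scripts that re-run on every provisioning pass. For an interactive user you would pass empty restrictions; for the backup key, the forced command means that whoever obtains the unprotected private key from the client can only trigger the backup, not open a shell on statler.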

Figure 4-9. Logging in without supplying a password (2 of 2) AN212.0

Notes:

Protecting your private key



• Anyone who can use your private key (id_rsa) can log in to any system where you are authorized.
• It is important to protect your private key with a passphrase.
• The procedure is identical to logging in without supplying a password, except that a passphrase is entered when generating the public/private key pair.

waldorf:/ # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):        <- enter passphrase here
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
a9:80:85:62:9f:da:6f:e5:c7:99:a3:18:73:f6:c6:b5 root@waldorf.lpar.co.uk

Figure 4-10. Protecting your private key AN212.0

Notes:

If the key is protected with a passphrase, the passphrase must be entered whenever the key is used. The advantage of this scheme is that the user is no longer required to authenticate to a server with a password, but is authenticated with public key algorithms. This greatly simplifies account administration, both for the user and for the system administrator. The only drawback is that the user's private key has to be kept secret; that is why the key is normally protected with a passphrase, so that a copy of the file alone is not enough to impersonate the user. The passphrase can be changed later with ssh-keygen -p without generating a new key pair.

Logging in using a passphrase



waldorf:/ # ssh root@statler
Enter passphrase for key '/.ssh/id_rsa':
statler:/ #

• Disadvantage: Need to type the passphrase every time the key is used.
  – Solution: ssh-agent

waldorf:/ # ssh-agent $SHELL
waldorf:/ # ssh-add
Enter passphrase for //.ssh/id_rsa:
Identity added: //.ssh/id_rsa (//.ssh/id_rsa)
waldorf:/ # ssh root@statler
statler:/ #

Figure 4-11. Logging in using a passphrase AN212.0

Notes:

Passphrases are important because they protect the private key. As a consequence, however, users can no longer log in without typing something. This is solved by ssh-agent, a program that holds decrypted private keys for public key authentication (RSA, DSA) in memory. The idea is that ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as clients of the agent: ssh-agent $SHELL starts a subshell whose environment (SSH_AUTH_SOCK, SSH_AGENT_PID) tells ssh where to find the agent, and the agent exits when that shell exits. Private keys are loaded into the agent with the ssh-add command, which asks for their passphrases.

The ssh-add command without options or arguments asks for the passphrases of $HOME/.ssh/identity, $HOME/.ssh/id_rsa, and $HOME/.ssh/id_dsa, unlocks them, and hands them to the ssh-agent daemon. If your private key is stored in another file, specify that file as an argument. The -l option lists the keys currently held, -d deletes a key, and -D deletes all of them. Keys stay unlocked until they are deleted or the agent exits; -t lifetime sets a maximum lifetime in seconds for a key, which limits the exposure if a session is left unattended.
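The script below is an added example, not part of the IBM course. It shows the agent pattern described above applied to an unattended job rather than a login session: start a private agent, load the key once with a lifetime, run the job, and kill the agent on exit so the unlocked key does not outlive the work. The ssh-agent and ssh-add options used (-s, -k, -l, -t) are OpenSSH's; the key path and the job command are assumptions, and the fingerprint listing in the test is constructed from the values printed on the visuals.

```sh
#!/bin/sh
# Added example (not from the IBM course): run a command under a short-lived
# ssh-agent so the passphrase is typed once and the unlocked key goes away
# when the job ends. Assumes OpenSSH ssh-agent/ssh-add; paths are examples.

# Fingerprint column of "ssh-keygen -l -f key.pub" (second field).
fingerprint_of() {  # $1 = public key file
    ssh-keygen -l -f "$1" | awk '{ print $2 }'
}

# Pure text check: does an "ssh-add -l" listing ($1) contain fingerprint $2?
# ssh-add -l prints "<bits> <fingerprint> <file> (<type>)" per key.
listing_has_fp() {
    printf '%s\n' "$1" | awk -v fp="$2" '$2 == fp { found = 1 } END { exit !found }'
}

# Load a key into the running agent unless it is already there, so a job
# that is re-run does not prompt again. The lifetime (seconds) means an
# agent left behind by mistake does not hold the key forever.
ensure_key_loaded() {  # $1 = private key file, $2 = lifetime in seconds
    listing=$(ssh-add -l 2>/dev/null || true)
    if listing_has_fp "$listing" "$(fingerprint_of "$1.pub")"; then
        return 0
    fi
    ssh-add -t "$2" "$1"          # prompts for the passphrase once
}

# Start an agent, load the key, run the command, kill the agent on exit.
# ssh-agent -s prints shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID;
# ssh-agent -k uses SSH_AGENT_PID to stop that agent.
with_agent() {  # $1 = private key file, remaining arguments = command to run
    key="$1"; shift
    eval "$(ssh-agent -s)" >/dev/null
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    ensure_key_loaded "$key" 3600
    "$@"
}

# Example (the scp job from the next visual):
#   with_agent "$HOME/.ssh/id_rsa" scp -r /home/db2 statler:/home
```

Compared with ssh-agent $SHELL, this form never leaves an agent holding an unlocked key in an idle login shell; when the copy finishes the agent is gone. A key that must run with no human present at all still needs an empty passphrase and should then be restricted in authorized_keys on the server side.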


scp and sftp



• scp
  – Is a secure copy (remote file copy) program
  – Syntax: scp [options] sourcefile ... destinationfile
  – Filenames specified as: [[user@]host:]filename

waldorf:/ # scp -r /home/db2 statler:/home

• sftp
  – Is a file transfer program, similar to FTP
  – Two modes: interactive and non-interactive (batch)

waldorf:/ # cat batchfile
put /unix /tmp/unix_a
mget /home/db2/* /tmp/db2
waldorf:/ # sftp -b batchfile root@statler

Figure 4-12. scp and sftp AN212.0

Notes:

The scp command copies files to and from the remote system. It is even possible to do third-party copies, for example:

hostC # scp hostA:/tmp/fileA hostB:/tmp/fileB

In this form the data flows directly from hostA to hostB, so hostA must be able to authenticate to hostB on your behalf; newer OpenSSH releases offer scp -3 to route the copy through the local host instead.

The sftp command is a file transfer program, similar to FTP, which performs all operations over an encrypted SSH transport. Batch mode (-b) aborts when a transfer command fails and cannot prompt for input, so it must be combined with non-interactive authentication such as a public key held by ssh-agent.

Advanced SSH topics



• Port forwarding (tunneling)
  – Two flavors: local and remote
  – Useful for:
    • Using insecure protocols over insecure networks
    • Accessing machines and ports behind firewalls
• SSH proxy (dynamic port forwarding)
  – Useful for:
    • Configuring a SOCKS or secure web proxy
• X11 forwarding
  – Useful for:
    • Running X11 applications over a secure connection

Figure 4-13. Advanced SSH topics AN212.0

Notes:

SSH port forwarding (tunneling)



• The process of running an insecure protocol over SSH
• Examples: VNC, SSH access to firewalled clients

[Diagram: a home machine connects across the Internet to an office AIX host running both the SSH server and a VNC server; the VNC traffic, insecure by itself, is tunneled inside the SSH connection.]

Figure 4-14. SSH port forwarding (tunneling) AN212.0

Notes:

Port forwarding, or tunneling, is a way to carry otherwise insecure TCP traffic through an SSH connection. Only the segment between the ssh client and the sshd host is encrypted; anything beyond the sshd host travels as the application protocol sends it.

SSH local port forwarding syntax



• ssh -L listeningPort:destHost:destPort [user@]sshdHostname
  – Executed at the application client host
  – Application client connects to localhost:listeningPort

[Diagram: on the application client host, the app client connects to the listening port on localhost, which the ssh client carries through the tunnel to sshd (port 22) on the destination host; sshd connects to the destination port of the app server on its own localhost.]

Figure 4-15. SSH local port forwarding syntax AN212.0

Notes:

Setting up local port forwarding starts with executing the ssh client command at the host where you want to run the application client, specifying the sshd server host to which you want to connect.

What allows you to use the established ssh session to forward other application traffic is the -L option. It makes the ssh client listen on the specified listening port; whenever a connection arrives there, the remote sshd opens a connection to the application server at the specified destination host and destination port (the destination host name is resolved at the sshd end of the tunnel), and all traffic on the two connections is forwarded between them inside the ssh session. By default the listening port is bound to the loopback address only, so other machines cannot use the tunnel; a bind address can be prefixed to the specification (-L bindAddress:listeningPort:destHost:destPort) when that is really wanted.

To use the tunnel, the application client treats the listening port on the local host as the location of its application server.


SSH local port forwarding with VNC



[Diagram: (1) the home client machine opens an ssh session with local port forwarding to the office server (lpar.co.uk); (2) a web browser on the home machine connects to the listening port on localhost and reaches the VNC server through the tunnel.]

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 4-16. SSH local port forwarding with VNC AN212.0

Notes:

The example in the visual shows ssh local port forwarding being set up and used to tunnel a VNC session. The user wishes to run an X Window System and Motif based CDE graphical user interface and use VNC to operate that interface remotely. The host running CDE has the hostname nimmaster. The IP address of the interface we need to use on nimmaster has the DNS name lpar.co.uk.

First you need to know what port the server application will use. At some previous time, a nimmaster administrator executed the command vncserver :3 on that server. This opens two TCP ports, 5803 (VNC access over HTTP) and 5903 (VNC client access). The user plans to connect to the VNC server with a web browser over HTTP.

Next you need to select a listening port on the client machine, avoiding a port number that may be needed by other services. In this case we chose 1033.

Given this information, the ssh command that needs to be executed at the client side is

# ssh -L 1033:nimmaster:5803 root@lpar.co.uk

This command creates an interactive ssh session with lpar.co.uk and also defines a tunnel that we can use.

We need a different window on the local client machine to start the application client. In another local window, start a web browser and type in the URL:

http://localhost:1033

This connects to the listening port of the SSH tunnel. The SSH tunnel establishes a connection to the specified hostname and port number at the server end of the SSH session, and forwards traffic between the two connections.

In the visual, the ssh command also specified the option

-p 6000

which overrides the default sshd service port number of 22. This might be done if a firewall is blocking port 22 but allows port 6000. For this to work, there must be an instance of sshd running on the server that has been customized to use port 6000 instead of port 22.

The visual also shows a second port forwarding option,

-L 5903:nimmaster:5903

which illustrates that you can define multiple forwardings on one session. Here the second forwarding supports a VNC client in addition to the web browser.
SSH remote port forwarding example



• Syntax: ssh -R listeningPort:destHost:destPort [user@]sshdHostname
• Same tunnel defined, except initiated from the application server
  – The sshd used for the port forwarding is running on the application client system
• Example:

(1) Office server:/ # ssh -R 2222:localhost:6000 root@<IP of Home machine>
    Home machine:/ # ping -i 20 127.0.0.1

(2) Home machine:/ # ssh -p 2222 root@localhost
    root@localhost's password:
    Office server:/ #

Figure 4-17. SSH remote port forwarding example AN212.0

Notes:

Remote port forwarding is very similar to local port forwarding. The difference is that the tunnel is initiated from the application server side, with the sshd service running on the application client machine. The -R flag tells ssh that the listening port is at the sshd end of the tunnel rather than at the ssh client end. The meaning of the -R positional parameters is the same as for -L when viewed relative to the application client and application server. This is useful when firewall restrictions allow session initiation from inside the company but not from outside.

The example scenario again assumes that the sshd daemon on the office server has been customized to use port 6000 (instead of the default port 22) because the firewall allows port 6000. Port 2222 has been chosen as the listening port. The destination host can be given as localhost just as well as the actual hostname, since it is resolved at the application server end of the tunnel. Note that the listening port on the home machine is bound to its loopback address unless GatewayPorts is enabled in that machine's sshd_config.

The port forwarding session is started at the office server, which will eventually act as the application server. If we want to leave the port forwarding up for an extended period of time, waiting for an application client to use the tunnel, there is the danger of the session being terminated for inactivity. The port forwarding session is also an

interactive shell session which gives the user a prompt on the home system. By executing a periodic ping of the loopback address on that home system, the output of the ping is transmitted on the interactive session back to the office system, preventing termination due to inactivity. (The ssh client option ServerAliveInterval achieves the same with protocol-level keepalives and no shell output.)

A user at the home machine can now initiate another ssh session to the listening port on the home machine. This session is tunneled to the office server. The firewall sees only traffic on the port forwarding session that was initiated from inside, rather than a new session being initiated from outside.

Note that the port forwarding session uses the sshd on the machine with the listening port (the home machine), while the ssh session that is being forwarded through the tunnel uses the sshd on the office server.

While this technique can be useful, it bypasses firewall security restrictions. You should be aware of the security exposures and discuss these issues with the security officer in your company.

C rm
to fo
ec vo
oy si
u
cl
Ex
pr

4-20 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty

SSH port forwarding to a third host



• ssh -L listeningPort:destHost:destPort [user@]sshdHostname
  – Same syntax as the previous local port forwarding
  – The destination host is different from the sshd host

[Diagram: the app client on the application client host connects to the listening port on localhost; the ssh tunnel carries it to sshd on the sshd host, which opens a plain connection across the network to the destination port of the app server on a third, destination host.]

Figure 4-18. SSH port forwarding to a third host AN212.0

Notes:

The application client and server do not have to be located at the end points of the ssh tunnel. For example, in local port forwarding the destination host can be different from the sshd host. In this situation the connection from sshd to the application server is a network connection rather than an internal one through the loopback address, and that last hop is not protected by SSH: it is only as secure as the application protocol and the network between the sshd host and the destination host. This arrangement is useful if you wish to connect to a server that has no tunneling capability of its own, or if you want to use a single forwarding server to access multiple other servers.

SSH port forwarding to a third host example



• Example: obtaining SSH access to a remote AIX box through an SSH server behind a firewall

[Diagram: the client at home connects across the Internet to lpar.co.uk (SSH server running on port 6000) in the office; from there the forwarded connection reaches aixod01, an AIX host on the office network.]

client:/ # ssh -p 6000 -L 2222:aixod01:22 root@lpar.co.uk
client:/ # ssh -p 2222 root@localhost
root@localhost's password:
aixod01:/ #

Figure 4-19. SSH port forwarding to a third host example AN212.0

Notes:

The example in the visual shows forwarding to a third host. Server aixod01 is connected to a local private network and has no direct connectivity to the Internet. The command ssh -p 6000 -L 2222:aixod01:22 root@lpar.co.uk allows the client user (at home) to connect to the third machine (aixod01) through the SSH server running on lpar.co.uk. Because the forwarded protocol is SSH itself, the inner session authenticates aixod01 end to end with its own host key, so this hop is protected even though it leaves the first tunnel at lpar.co.uk. The client records that host key under the name [localhost]:2222; if the same local port is later used to reach a different machine, the client will report a changed host key. The HostKeyAlias option in ssh_config avoids this by naming the real target.
SSH dynamic port forwarding (web proxy) (1 of 2)



• Example:

[Diagram: from an untrusted network (hotel or coffee shop), the laptop opens an SSH proxy connection across the Internet to the office AIX host (SSH server); web, vnc, ftp and smtp traffic to office servers is carried inside that connection.]

• Syntax: ssh -ND [localIP:]localport [user@]hostname


to fo

Figure 4-20. SSH dynamic port forwarding (web proxy) (1 of 2) AN212.0

Notes:

SSH also supports dynamic port forwarding via SOCKS4 and SOCKS5. SOCKS (sockets secure) defines a standard mechanism for a client to connect to a service by way of a proxy server. The SOCKS client identifies the destination IP address and port of the destination service within the SOCKS request it sends to the SOCKS server. This means that the ssh setup does not need to define destination service information. The SOCKS client must have logic that understands how to work with a SOCKS server and a method for configuring it with the SOCKS server connection information.

Options:
• -D [bind_address:]port
  Specifies a local dynamic application-level port forwarding. This works by allocating a socket to listen on a port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
• -N: Do not execute a remote command. Useful when forwarding ports.
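The request the ssh -D listener receives from a SOCKS client, as an added example that is not part of the course material. It decodes the SOCKS5 request layout (RFC 1928) to show that the destination address and port travel inside the request itself, which is why the ssh command line names no destination. The functions build_socks5_connect and parse_socks5_request, the sample requests and the host name intranet.example.com are constructed for this example.

```python
"""
Added example (not from the IBM course material): decode the SOCKS5
CONNECT request a SOCKS client sends to the listener opened by "ssh -D".
The ssh command line carries no destination because the client names it
in the request (RFC 1928 layout). Sample requests are constructed here.
"""
import ipaddress
import struct

# RFC 1928 address-type codes
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


def parse_socks5_request(data: bytes) -> dict:
    """Parse a SOCKS5 request (sent after method negotiation):
    VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(var) DST.PORT(2).
    Returns command and destination; raises ValueError on malformed input."""
    if len(data) < 4:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != 0x05:
        raise ValueError(f"not a SOCKS5 request (VER={ver:#x})")
    if rsv != 0x00:
        raise ValueError("reserved byte must be zero")
    if cmd not in CMD_NAMES:
        raise ValueError(f"unknown command {cmd:#x}")
    pos = 4
    if atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        # Length-prefixed name: the SOCKS server (here sshd on the office
        # side) resolves it, so the name is not looked up from the
        # untrusted client network.
        length = data[pos]
        host = data[pos + 1:pos + 1 + length].decode("ascii")
        pos += 1 + length
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < pos + 2:
        raise ValueError("truncated destination port")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"command": CMD_NAMES[cmd], "atyp": atyp, "host": host, "port": port}


def build_socks5_connect(host: str, port: int) -> bytes:
    """Build the CONNECT request a client would send for host:port
    (IPv4 literal, IPv6 literal or domain name), for offline testing."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is None:
        name = host.encode("ascii")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([0x05, 0x01, 0x00]) + body + struct.pack("!H", port)


# Constructed sample: a browser pointed at the step-1 listener asks for an
# office web server by name (hypothetical host name).
SAMPLE_REQUEST = build_socks5_connect("intranet.example.com", 80)

if __name__ == "__main__":
    print(parse_socks5_request(SAMPLE_REQUEST))
```

Because the destination is part of each request, one -D listener serves any number of destinations; a defender auditing sshd's PermitOpen setting should remember that it applies to these dynamic destinations as well as to -L forwards.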


SSH dynamic port forwarding (web proxy) (2 of 2)

  [Figure: screen captures of step 1 (the ssh -ND command on the client) and step 2 (the client's system proxy configuration), as described in the notes]

Figure 4-21. SSH dynamic port forwarding (web proxy) (2 of 2) AN212.0

Notes:

In order to configure dynamic port forwarding, you must first set up the SSH connection as shown in the visual (step 1).

# ssh -p 6000 -ND 192.168.0.33:3333 root@lpar.co.uk

In this case, the IP address 192.168.0.33 is the address of the client. Port 3333 will be used by the client to forward all web traffic through the SSH tunnel.

Then (step 2), configure the SOCKS-capable client to use the SOCKS proxy function and give it the SOCKS proxy bind address and port. The client may or may not be on the SOCKS proxy system. The method of client configuration varies from one client to another. Some environments allow system-wide proxy settings. Client applications may use the system configuration or selectively override it to use a different proxy.

The example shown in the visual shows the system-level configuration of the AirPort interface to use a web proxy for HTTP on Mac OS X. On Windows 7 systems, you would go to Control Panel -> Network and Internet -> Internet Options -> Connections -> LAN Settings button.


X11 forwarding

• Example:

  [Figure: client workstation (examples: Mac OS X, Windows (cygwin)) -- insecure network -- AIX (SSH server, X11Forwarding=yes); the SSH connection carries the X11 traffic]

  On the SSH server (statler):
  # vi /etc/ssh/sshd_config
  X11Forwarding yes
  # stopsrc -s sshd
  # startsrc -s sshd

  On the client workstation:
  clientX:/ # ssh root@statler -X
  statler:/ # xcalc


Figure 4-22. X11 forwarding AN212.0

Notes:

SSH can be configured to allow forwarding of X11 graphical applications. First, the X11Forwarding option must be set to yes in the server configuration file. Secondly, the client must have X11-based client software. On UNIX-based platforms, Mac OS, and Linux, X11 is provided. However, on Windows systems a third-party X11 application is required, for example, cygwin or Hummingbird Exceed.

The -X option on the ssh command enables X11 forwarding.

X11 forwarding can introduce additional load on the network, which can impact performance.


Restricting forwarding (1 of 2)

• Network administrators typically do not like the idea of forwarding being enabled if SSH is allowed through the firewall.
  – It allows us as users to access any back-end application or port, effectively bypassing the firewall.
• System-wide restrictions can be set in the SSH server configuration file.
  – /etc/ssh/sshd_config
• To block all port forwarding:
  – AllowTcpForwarding no (default is yes)
• To block X11 forwarding:
  – X11Forwarding no (default is no)


Figure 4-23. Restricting forwarding (1 of 2) AN212.0

Notes:

Port forwarding enables holes to be punched in firewalls and provides access to applications and ports which were not intended by the network and system administrators.


Restricting forwarding (2 of 2)

• To block all forwarding but allow user morpheus to X11 forward and port forward to the remote machine trinity on port 22, edit the server configuration file as follows:

  # vi /etc/ssh/sshd_config
  ...
  << global settings >>
  ...
  X11Forwarding no
  AllowTcpForwarding no
  ...
  Match User morpheus
      PermitOpen trinity:22
      X11Forwarding yes
      AllowTcpForwarding yes
  ...


Figure 4-24. Restricting forwarding (2 of 2) AN212.0

Notes:
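An offline check of the configuration shown in the visual, as an added example that is not IBM's code: it parses the global settings and the Match User block of an sshd_config and reports the effective AllowTcpForwarding, X11Forwarding and PermitOpen values for a named user, so the restriction on the previous two pages can be verified before sshd is restarted. The configuration text, the function names and the simplified override rules in the comments are constructed for this example; Address and Host criteria on Match lines are not modelled.

```python
"""
Added example (not part of the IBM course material): read an sshd_config
with global forwarding restrictions and a Match User block, and report the
effective forwarding policy for a given user. Assumes the override rules
described in the comments; only User and Group Match criteria are handled.
"""
from collections import OrderedDict

# Constructed config text mirroring the visual (comment and blank lines added)
SAMPLE_SSHD_CONFIG = """
# global settings
Port 6000
X11Forwarding no
AllowTcpForwarding no

Match User morpheus
    PermitOpen trinity:22
    X11Forwarding yes
    AllowTcpForwarding yes
"""

FORWARDING_KEYS = ("allowtcpforwarding", "x11forwarding", "permitopen")
# Defaults stated in the course material for an unconfigured sshd
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no", "permitopen": "any"}


def parse_sshd_config(text):
    """Split sshd_config into (global_settings, [(criteria, settings), ...]).
    Keywords are case-insensitive; a Match line starts a conditional block
    that runs until the next Match line. Dicts are keyed by lowercased keyword."""
    global_settings = OrderedDict()
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # "User morpheus Group wheel" -> {"user": {"morpheus"}, "group": {"wheel"}}
            tokens = value.split()
            criteria = {tokens[i].lower(): set(tokens[i + 1].split(","))
                        for i in range(0, len(tokens) - 1, 2)}
            current = OrderedDict()
            blocks.append((criteria, current))
        else:
            current[key] = value
    return global_settings, blocks


def block_matches(criteria, user, group=None):
    """True when every criterion on the Match line is satisfied."""
    if "user" in criteria and user not in criteria["user"]:
        return False
    if "group" in criteria and group not in criteria["group"]:
        return False
    return True


def effective_forwarding(text, user, group=None):
    """Effective forwarding settings for user. A matching Match block
    overrides the global value; among several matching blocks the first
    one to set a keyword wins (sshd_config semantics)."""
    global_settings, blocks = parse_sshd_config(text)
    effective = dict(DEFAULTS)
    effective.update({k: v for k, v in global_settings.items() if k in FORWARDING_KEYS})
    overridden = set()
    for criteria, settings in blocks:
        if not block_matches(criteria, user, group):
            continue
        for key, value in settings.items():
            if key in FORWARDING_KEYS and key not in overridden:
                effective[key] = value
                overridden.add(key)
    return effective


def can_forward_to(text, user, host, port, group=None):
    """Would sshd let this user open a -L or -D forward to host:port?
    PermitOpen entries are matched literally (no port wildcards here)."""
    policy = effective_forwarding(text, user, group)
    if policy["allowtcpforwarding"].lower() == "no":
        return False
    permit = policy["permitopen"].lower()
    if permit == "any":
        return True
    if permit == "none":
        return False
    return f"{host}:{port}" in permit.split()


if __name__ == "__main__":
    for who in ("morpheus", "neo"):
        print(who, effective_forwarding(SAMPLE_SSHD_CONFIG, who),
              can_forward_to(SAMPLE_SSHD_CONFIG, who, "trinity", 22))
```

Running the check against the text in the visual confirms that morpheus may forward only to trinity:22 and that every other user inherits the global no/no settings; a user with no Match block keeps the PermitOpen default of any, which is harmless only because AllowTcpForwarding is off globally.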

Checkpoint (1 of 2)

1. Why are the traditional remote login, remote file transfer, and remote execution programs not safe?

2. How does the SSH protocol counter these weaknesses?

3. How is the SSH daemon managed?


Figure 4-25. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:



Checkpoint (2 of 2)

4. True or False: The SSH daemon can be configured to start on multiple ports.

5. What is the purpose of a passphrase?

6. How can TCP port forwarding be disabled on an SSH server?


Figure 4-26. Checkpoint (2 of 2) AN212.0

Notes:

Exercise introduction

• In this exercise, you will:
  – Configure an SSH server on AIX


Figure 4-27. Exercise introduction AN212.0

Notes:

Unit summary

Having completed this unit, you should be able to:
• Discuss problems with telnet, ftp, rlogin, rsh, rcp, and rexec
• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy and SOCKS server


Figure 4-28. Unit summary AN212.0

Notes:
Unit 5. VLAN theory

What this unit is about

This unit describes the IEEE 802.1Q VLAN protocol.

What you should be able to do

After completing this unit, you should be able to:
• Describe VLANs (Virtual LAN) and IEEE 802.1Q theory
• Understand how VLANs and IEEE 802.1Q are used within Power systems

How you will check your progress
• Checkpoint questions


Unit objectives

After completing this unit, you should be able to:
• Describe VLANs (virtual LAN) and IEEE 802.1Q theory
• Understand how VLANs and IEEE 802.1Q are used within Power systems

• Note: Implementing and configuring virtual Ethernet and Virtual I/O Servers (VIOS) is covered in detail in AN30


Figure 5-1. Unit objectives AN212.0

Notes:

Virtual LANs

• Virtual LANs (VLANs) divide physical networks into logical networks:
  – To form smaller, more manageable sub-networks.
  – To provide greater flexibility.
  – To aid performance and security through isolation.
  – Ports in a VLAN share broadcast traffic and belong to the same broadcast domain.
• The industry standard VLAN protocol is IEEE 802.1Q.

  [Figure: two broadcast domains, VLAN 1 and VLAN 2, each spanning Building 1 and Building 2 over a trunk]


Figure 5-2. Virtual LANs AN212.0

Notes:

Virtual LANs (VLANs)

VLANs are used to divide networks into smaller, more manageable chunks. This helps to reduce the size of the broadcast domain and also helps with security through isolation.

IEEE 802.1Q is the standard for VLANs. It aims to:
• Define an architecture to logically partition bridged LANs, and provide services to defined user groups independent of physical location.
• Allow interoperability between multivendor equipment.


IEEE 802.1Q VLAN tagging (1 of 2)

• VLANs are created by assigning a VLAN ID (VID) to switch ports.
• By default, all switch ports are assigned a VLAN ID, referred to as a PVID (port VLAN ID).
• When an untagged packet enters a port, it will be automatically tagged with the port's PVID.
• The packet can only travel to a destination port which belongs to the same VLAN group.
• Ports can belong to multiple VLAN groups.
• Packets can either leave the switch port tagged or untagged.


Figure 5-3. IEEE 802.1Q VLAN tagging (1 of 2) AN212.0

Notes:

802.1Q VLAN

In 802.1Q, the VLAN information is written into the Ethernet packet itself. Each packet carries a VLAN ID in a tag. This allows VLANs to be configured across multiple switches. Packets can leave the switch tagged or untagged depending on the setting for that port's VLAN membership properties. When using 802.1Q, four bytes are added to the Ethernet frame, 12 bits of which are used for the VLAN ID. Theoretically, there can be up to 4096 VLANs per network.
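How the four-byte tag and the PVID behaviour described on this page and the previous one look at the byte level, as an added example that is not from the course material: it inserts and parses the 802.1Q tag (TPID 0x8100 followed by a 3-bit priority, a 1-bit drop-eligible indicator and the 12-bit VID), and models a switch port that tags untagged frames with its PVID on ingress, drops tagged frames for VLANs it does not know, and sends frames tagged or untagged on egress. The sample frame and all function names are constructed for the example.

```python
"""
Added example (not from the IBM course material): build, parse and strip the
four-byte IEEE 802.1Q tag, and model what a switch port does with a frame on
ingress (untagged frames get the PVID) and egress (tagged or untagged member
of the VLAN, or dropped). All frames below are constructed for the example.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
MAX_VID = 4095               # 12-bit field: 4096 values, 0 and 4095 reserved


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return header fields; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src,
            "pcp": tci >> 13,            # 3-bit priority code point
            "dei": (tci >> 12) & 0x1,    # 1-bit drop eligible indicator
            "vid": tci & 0x0FFF,         # 12-bit VLAN identifier
            "ethertype": inner_type, "payload": frame[18:]}


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= MAX_VID - 1:   # 0 = priority-only tag, 4095 reserved
        raise ValueError("VID must be 1..4094")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already tagged")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag, giving back the untagged frame."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]


def port_ingress(frame, pvid, known_vlans):
    """A switch port receives a frame: untagged frames take the port's PVID;
    tagged frames keep their tag but are dropped (None) when the switch does
    not know the VLAN."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return add_tag(frame, pvid)
    return frame if info["vid"] in known_vlans else None


def port_egress(frame, tagged_vlans, untagged_vlans):
    """A frame leaves a port: forwarded tagged, untagged, or not at all when
    the port is not a member of the frame's VLAN."""
    vid = parse_frame(frame)["vid"]
    if vid in tagged_vlans:
        return frame
    if vid in untagged_vlans:
        return strip_tag(frame)
    return None


# Constructed sample: a host on an access port sends an untagged IPv4 frame
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")
SAMPLE_FRAME = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    inside = port_ingress(SAMPLE_FRAME, pvid=33, known_vlans={1, 33})
    print(parse_frame(inside))
    print(port_egress(inside, tagged_vlans={33}, untagged_vlans=set()).hex())
```

The same model covers the AIX side shown later in this unit: a VLAN adapter such as ent2 does the add_tag step in the operating system before the frame leaves the base adapter, and a trunk port that is not a member of that VID drops the frame exactly as port_ingress does here.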


IEEE 802.1Q VLAN tagging (2 of 2)

• Packets can also be tagged by the operating system (in this case from AIX).
  – This is useful if you want to create multiple networks from a single Ethernet adapter.

  [Figure: Network -- ent0 -- ent1 (VLAN 1, network A), ent2 (VLAN 2, network B), ent3 (VLAN 3, network C)]

• If a tagged packet enters a switch port, the tag will be unaffected by the default PVID setting.
  – Note: The switch must be aware of the VLAN, otherwise the packet is dropped.


Figure 5-4. IEEE 802.1Q VLAN tagging (2 of 2) AN212.0

Notes:

The AIX implementation supports the IEEE 802.1Q VLAN tagging standard with the capability to support multiple VLAN IDs running on Ethernet adapters. Each VLAN ID is associated with a separate Ethernet interface to the upper layers (for example, IP) and creates unique logical Ethernet adapter instances per VLAN, for example, ent1, ent2, and so on. For example, you might only have one physical Ethernet adapter on the system but want to create multiple networks.

Note: ent0 (as shown in the visual) can be either physical or virtual. If the adapter is virtual, the VLANs must be defined on the HMC as well as within AIX.


AIX VLAN tagging

• To assign a VLAN ID in AIX, a VLAN adapter must be created.
  – Go to smit addvlan, and select a base Ethernet adapter.

  Available Network Adapters

  Move cursor to desired item and press Enter. Use arrow keys to scroll.

    ent1 Available 09-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (1410890)
    ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter (14106902)

  Add A VLAN

                                          [Entry Fields]
    VLAN Base Adapter                     ent1
  * VLAN Tag ID                           [33]        +#
    VLAN Priority                         []          +#

  # lsdev -Cc adapter
  ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter (14106902)
  ent1 Available 09-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
  ent2 Available       VLAN

  Packets which get sent from adapter ent2 are sent tagged (33) out of ent1.


Figure 5-5. AIX VLAN tagging AN212.0

Notes:

Use the smit addvlan fast path to configure VLANs. Start by selecting a base adapter (which will be used to send the packets) and assign a VLAN tag. Optionally, you can also specify a priority. This is used by the VLAN driver to prioritize packets if multiple VLANs are created using the same base adapter. You can specify a value from 0-7, where 0 is the default priority, 1 is the highest, and then priorities are ranked in decreasing numerical order from 2 through 7.

After you have configured a VLAN, configure the IP interface (for example, en2) for standard Ethernet.


Power systems, VLANs, and virtual Ethernet

• IEEE 802.1Q protocol has been implemented in POWER5 (or later) systems to provide virtual Ethernet.
  – AIX can have up to 256 virtual adapters per LPAR.
  – Does not require a VIOS, unless a bridged connection to the outside world is required.

  [Figure: a VIOS (SEA bridge on physical Ethernet ent0) and AIX LPAR 1, 2 and 3, each with virtual Ethernet adapters ent0/ent1 (PVID=100, PVID=200, VID=200), attached to the Power Hypervisor virtual Ethernet switch; VLAN 100 frames leave the physical adapter untagged and VLAN 200 frames leave tagged]


Figure 5-6. Power systems, VLANs, and virtual Ethernet AN212.0

Notes:

Virtual Ethernet introduction

Virtual Ethernet adapters enable inter-partition communication without the need for physical network adapters assigned to each partition. Virtual Ethernet can be used in both shared and dedicated POWER5 or POWER6 processor partitions provided the partition is running AIX (Version 5.3 or later) or Linux. This technology enables IP-based communication between logical partitions on the same system using a VLAN Ethernet switch (POWER Hypervisor) in POWER5 (or later) servers.

Because the number of possible partitions on many systems is greater than the number of I/O slots, virtual Ethernet is a convenient and cost-saving option to enable partitions within a single system to communicate with one another through a virtual Ethernet LAN. The virtual Ethernet interfaces may be configured with both IPv4 and IPv6 protocols.

Note: Packets tagged by AIX or the VIOS with a PVID will leave the virtual switch port and physical adapter untagged and, inversely, packets tagged by AIX or the VIOS with a VID will leave the virtual switch port and physical adapter tagged.


VIOS and VLAN bridging availability

• VIOS is a single point of failure (SPOF).
• Production systems should:
  – Use Etherchannel and Gigabit Fast Failover (GFF) to eliminate the adapters as an SPOF.
  – Eliminate the VIOS and SEA bridge as a SPOF by deploying two VIO servers and using SEA failover.

  [Figure: switch1 and switch2 each connected to VIOS 1 (primary) and VIOS 2 (secondary). On each VIOS, physical adapters ent0, ent1 and ent2 form ent3 (Etherchannel); the SEA ent5 bridges ent3 to virtual Ethernet ent4; ent6 is the control channel on VLAN 99]


Figure 5-7. VIOS and VLAN bridging availability AN212.0

Notes:

In production environments, it is important to deploy dual VIO server and EtherChannel configurations to eliminate all single points of failure; in this case, the Ethernet adapters and the VIOS/SEA bridge. A control channel is a virtual Ethernet adapter which is configured on the HMC to act as a heartbeat path between the VIO servers. It must belong to a non-shared VLAN. If the channel fails, the secondary VIOS will take over.

VEth configuration example: Dual networks and dual VIOS

  [Figure: dual-network, dual-VIOS virtual Ethernet configuration, as described in the notes]


Figure 5-8. VEth configuration example: Dual networks and dual VIOS AN212.0

Notes:

Virtual I/O server virtual Ethernet configuration, dual networks, without VLAN tagging

• Ethernet adapters on each virtual I/O server
  ent0: Physical connection to user network
  ent1: Not used (bottom port of 2-port adapter)
  ent2: Physical connection to storage network
  ent3: Not used (bottom port of 2-port adapter)
  ent4: Physical connection to user network
  ent5: Not used (bottom port of 2-port adapter)
  ent6: Physical connection to storage network
  ent7: Not used (bottom port of 2-port adapter)
  ent8: 8023ad link aggregation device for ent0 and ent4 - user network


  ent9: 8023ad link aggregation device for ent2 and ent6 - storage network
  ent10: Virtual Ethernet adapter / VLAN ID: 1 / access external network
  ent11: Virtual Ethernet adapter / VLAN ID: 2 / access external network
  ent12: Virtual Ethernet adapter VLAN ID: 91 (control channel)
  ent13: Virtual Ethernet adapter VLAN ID: 92 (control channel)
  ent14: Shared Ethernet adapter (SEA) - bridges external user network with hypervisor at TCPIP layer 2
  ent15: Shared Ethernet adapter (SEA) - bridges external storage network with hypervisor at TCPIP layer 2
  ent16: Virtual Ethernet adapter - VIOS connection to VLAN 100 for TCP/IP config including SSH and DLPAR

• VIO server commands for this configuration

  Run these commands on both VIO servers:
  $ mkvdev -lnagg ent0,ent4 -attr mode=8023ad hash_mode=src_dst_port
  ent8 Available
  $ mkvdev -lnagg ent2,ent6 -attr mode=8023ad hash_mode=src_dst_port
  ent9 Available
  $ mkvdev -sea ent8 -vadapter ent10 -default ent10 -defaultid 1 -attr ha_mode=auto ctl_chan=ent12
  ent14 Available
  $ mkvdev -sea ent9 -vadapter ent11 -default ent11 -defaultid 2 -attr ha_mode=auto ctl_chan=ent13
  ent15 Available
  $ mktcpip -hostname VIOS_HOSTNAME -inetaddr X.X.X.X -interface en16 -netmask X.X.X.X -gateway X.X.X.X

• Cisco switch configuration example for the user Ethernet network

  interface Port-channel83
   description LACP channel - VIO server #1 - User network
   no ip address
   switchport
   switchport access vlan 100
   switchport mode access
   switchport nonegotiate
   storm-control broadcast level 10.00
   storm-control multicast level 10.00
   spanning-tree portfast
   spanning-tree bpduguard enable

  !
  interface GigabitEthernet7/46
   description LACP - VIO server #1 ethernet adapter #1
   no ip address
   switchport
   switchport access vlan 100
   switchport mode access
   switchport nonegotiate
   spanning-tree portfast
   spanning-tree bpduguard enable
   channel-protocol lacp
   channel-group 83 mode passive
  !
  interface GigabitEthernet8/46
   description LACP - VIO server #1 ethernet adapter #2
   no ip address
   switchport
   switchport access vlan 100
   switchport mode access
   switchport nonegotiate
   spanning-tree portfast
   spanning-tree bpduguard enable
   channel-protocol lacp
   channel-group 83 mode passive
  !

Notes:
The storage Ethernet network configuration uses different interface and port channel numbers and vlan 200 but is otherwise the same configuration.
Port security must be disabled to allow multiple MAC addresses (VIO client LPARs) on the VIO server Ethernet ports.

This configuration assumes that the native VLAN is 1 (because it is not displayed above). This is required because LACP packets must not be tagged on the switch.

Virtual I/O server virtual Ethernet configuration, dual networks, with IEEE 802.1Q VLAN tagging

• Ethernet adapters on each virtual I/O server
  ent0: Physical connection to user network
  ent1: Not used (bottom port of 2-port adapter)
  ent2: Physical connection to storage network
  ent3: Not used (bottom port of 2-port adapter)

  ent4: Physical connection to user network
  ent5: Not used (bottom port of 2-port adapter)
  ent6: Physical connection to storage network
  ent7: Not used (bottom port of 2-port adapter)
  ent8: 8023ad link aggregation device for ent0 and ent4 - user network
  ent9: 8023ad link aggregation device for ent2 and ent6 - storage network
  ent10: Virtual Ethernet adapter with 802.1Q enabled / VLAN ID: 1, 100 / access external network
  ent11: Virtual Ethernet adapter with 802.1Q enabled / VLAN ID: 2, 200 / access external network
  ent12: Virtual Ethernet adapter VLAN ID: 91 (control channel)
  ent13: Virtual Ethernet adapter VLAN ID: 92 (control channel)
  ent14: Shared Ethernet adapter (SEA) - bridges external user network with hypervisor at TCPIP layer 2
  ent15: Shared Ethernet adapter (SEA) - bridges external storage network with hypervisor at TCPIP layer 2
  ent16: VIO server VLAN with TAG ID: 100
  ent17: VIO server VLAN with TAG ID: 200
  ent18: Virtual Ethernet adapter - VIOS connection to VLAN 100 for TCP/IP config including SSH and DLPAR

• VIO server commands for this configuration

  Run the first six commands on both VIO servers:
  $ mkvdev -lnagg ent0,ent4 -attr mode=8023ad hash_mode=src_dst_port
  ent8 Available
  $ mkvdev -lnagg ent2,ent6 -attr mode=8023ad hash_mode=src_dst_port
  ent9 Available
  $ mkvdev -sea ent8 -vadapter ent10 -default ent10 -defaultid 1 -attr ha_mode=auto ctl_chan=ent12
  ent14 Available
  $ mkvdev -sea ent9 -vadapter ent11 -default ent11 -defaultid 2 -attr ha_mode=auto ctl_chan=ent13
  ent15 Available
  $ mkvdev -vlan ent14 -tagid 100
  ent16 Available
  $ mkvdev -vlan ent15 -tagid 200
  ent17 Available
  $ mktcpip -hostname VIOS_HOSTNAME -inetaddr X.X.X.X -interface en18 -netmask X.X.X.X -gateway X.X.X.X

• Cisco switch configuration example for the user Ethernet network

  interface Port-channel83
   description LACP channel - VIO server #1 - User network
   no ip address
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100
   switchport mode trunk
   switchport nonegotiate
   storm-control broadcast level 10.00
   storm-control multicast level 10.00
   spanning-tree portfast trunk
   spanning-tree bpduguard enable
  !
  interface GigabitEthernet7/46
   description LACP - VIO server #1 ethernet adapter #1
   no ip address
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100
   switchport mode trunk
   switchport nonegotiate
   spanning-tree portfast trunk
   spanning-tree bpduguard enable
   channel-protocol lacp
   channel-group 83 mode passive
  !
  interface GigabitEthernet8/46
   description LACP - VIO server #1 ethernet adapter #2
   no ip address
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 100
   switchport mode trunk
   switchport nonegotiate
   spanning-tree portfast trunk
   spanning-tree bpduguard enable
   channel-protocol lacp
   channel-group 83 mode passive
  !
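A consistency check for an LACP bundle like the one above, as an added example that is not part of the course material and not a Cisco tool: it parses the interface stanzas of an IOS-style configuration, verifies that every member of channel-group 83 carries exactly the same switchport settings as Port-channel83 (a member that differs, here one that lacks the allowed-vlan line, would admit VLANs the port-channel does not allow), and confirms that nonegotiate and BPDU guard are set on each port as the notes require. The function names are constructed; make_config builds a constructed copy of the trunk example, with the second member optionally missing its allowed-vlan line.

```python
"""
Added example (not from the IBM course material): a small consistency
check for the Cisco IOS configuration shown above. Members of an LACP
bundle should carry the same switchport settings as their Port-channel,
and the notes require nonegotiate and BPDU guard on every port. The
configuration text is constructed here, with one optional mismatch.
"""
import re

REQUIRED_ON_EVERY_PORT = ("switchport nonegotiate", "spanning-tree bpduguard enable")
SWITCHPORT_RE = re.compile(r"^switchport\b")


def parse_interfaces(config_text):
    """Return {interface_name: [stripped lines]} for every 'interface' stanza.
    A stanza ends at '!' or at the next 'interface' line."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def check_lacp_bundle(config_text, channel_id):
    """Findings (list of strings) for Port-channel<channel_id> and its members;
    an empty list means the bundle is consistent."""
    interfaces = parse_interfaces(config_text)
    pc_name = f"Port-channel{channel_id}"
    if pc_name not in interfaces:
        return [f"{pc_name}: not defined"]
    findings = []
    pc_switchport = {l for l in interfaces[pc_name] if SWITCHPORT_RE.match(l)}
    members = [name for name, lines in interfaces.items()
               if any(re.match(rf"^channel-group {channel_id}\b", l) for l in lines)]
    if not members:
        findings.append(f"{pc_name}: no member interfaces")
    for name in [pc_name] + members:
        for req in REQUIRED_ON_EVERY_PORT:
            if req not in interfaces[name]:
                findings.append(f"{name}: missing '{req}'")
    for name in members:
        member_switchport = {l for l in interfaces[name] if SWITCHPORT_RE.match(l)}
        for missing in sorted(pc_switchport - member_switchport):
            findings.append(f"{name}: switchport setting differs from {pc_name}: '{missing}'")
        for extra in sorted(member_switchport - pc_switchport):
            findings.append(f"{name}: setting not on {pc_name}: '{extra}'")
        if "channel-protocol lacp" not in interfaces[name]:
            findings.append(f"{name}: channel-protocol is not lacp")
    return findings


def _trunk_lines(allowed_vlan=True):
    lines = [" no ip address", " switchport", " switchport trunk encapsulation dot1q"]
    if allowed_vlan:
        lines.append(" switchport trunk allowed vlan 100")
    lines += [" switchport mode trunk", " switchport nonegotiate",
              " spanning-tree portfast trunk", " spanning-tree bpduguard enable"]
    return lines


def make_config(member2_allowed_vlan=True):
    """Constructed config in the shape of the trunk example above."""
    parts = ["interface Port-channel83",
             " description LACP channel - VIO server #1 - User network"]
    parts += _trunk_lines() + [" storm-control broadcast level 10.00",
                               " storm-control multicast level 10.00", "!"]
    members = (("GigabitEthernet7/46", 1, True), ("GigabitEthernet8/46", 2, member2_allowed_vlan))
    for name, n, ok in members:
        parts += [f"interface {name}", f" description LACP - VIO server #1 ethernet adapter #{n}",
                  *_trunk_lines(ok), " channel-protocol lacp", " channel-group 83 mode passive", "!"]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(check_lacp_bundle(make_config(), 83))
    print(check_lacp_bundle(make_config(member2_allowed_vlan=False), 83))
```

The check is deliberately strict about the switchport lines because a member port that allows more VLANs than its port-channel is the kind of drift that goes unnoticed until a VIO client in the wrong VLAN starts receiving traffic it should never see.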

Checkpoint

1. List some advantages of using VLANs.

2. True or False: IEEE 802.1Q trunk adapters can be created within the Power Hypervisor for use by AIX.

3. True or False: A virtual adapter can be created without belonging to a VLAN.

4. True or False: A control channel can belong to VLAN 1.

5. True or False: A virtual adapter on AIX can belong to multiple VLANs.


Figure 5-9. Checkpoint AN212.0

Notes:

Unit summary

Having completed this unit, you should be able to:
• Describe VLANs (virtual LAN) and IEEE 802.1Q theory
• Understand how VLANs and IEEE 802.1Q are used within Power systems

• Note: Implementing and configuring virtual Ethernet and Virtual I/O Servers (VIOS) is covered in detail in AN30.


Figure 5-10. Unit summary AN212.0

Notes:

Unit 6. Routing

What this unit is about

This unit describes routing and how it works in AIX.

What you should be able to do

After completing this unit, you should be able to:
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems

How you will check your progress
• Checkpoint questions


Unit objectives

After completing this unit, you should be able to:
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems



Figure 6-1. Unit objectives AN212.0

Routing

[Slide figure: a router holding a routing table, with Interface X attached to Network PP and Interface Y attached to Network QQ.]

• Routers
  – Are attached to two or more networks
  – Are configured to forward packets at the IP level
  – Determine the route of a packet by consulting a routing table
  – Route packets according to the destination network
• To enable forwarding: # no -o ipforwarding=1



Figure 6-2. Routing AN212.0

Notes:

A route defines a path for sending packets through the Internet to an address on another network. A route does not define the complete path, only the path from a host to a gateway (router) that can then forward packets on to either the destination or to another gateway. The term routing refers to the process of choosing a path over which to send packets, and router refers to any computer making such a choice. Routing is performed by the IP layer. IP routers are used to connect different networks. No daemons are necessary to make routing occur on a host. Message distance is usually expressed in the number of gateway hops or hop count (called the metric). The distance a message travels from originating host to destination host depends upon the number of gateway hops it must make. A host is zero hops from a network to which it is attached. It is one hop from a network that can be reached by going through only one gateway.

Routers route packets according to the destination network. The destination network then takes care of sending the packet to the destination host.

A host that is connected to multiple networks but does not forward packets between them is referred to as a multi-homed host. Hosts should not forward IP datagrams unless specifically configured as a router. Most BSD-derived implementations (including AIX) include a kernel variable called ipforwarding, which is used to control this behavior. The no command is used to view or change the value of ipforwarding:

# no -o ipforwarding
ipforwarding = 0

ipforwarding=0 means do not forward; ipforwarding=1 means do forward. To change it, run no -o ipforwarding=value, where value is 0 or 1. Leave it at 0 on any multi-homed host that is not meant to be a router: with forwarding enabled, every system on one of its networks can use the host as a relay into the others, bypassing whatever separation the network design intended.


Routing implementation

Routing table for sys17:

  Destination address   Deliver via gateway
  Host route            Direct route
  Network route         Direct route
  Host route            Indirect route
  Network route         Indirect route
  Default route         Indirect route



Figure 6-3. Routing implementation AN212.0

Notes:

A route does not define the complete path. It defines only the path segment from one host to a gateway that can forward packets to a destination, or from one gateway to another.

Routes are defined in the kernel routing table. Each routing table entry has two components, the destination address (where you want to end up) and the gateway address (where the packet gets sent on its way to its final destination). The routes are categorized according to various criteria.

What type of destination is specified is one way of categorizing the routes:

• A host route defines a route to a specific host through a gateway. The IP routing algorithm still sees a host address as a network; it is simply a perfect match (a 32-bit mask).
• A network route defines a route to any of the hosts on a specific network through a gateway.
• A default route defines a gateway to use when a host or network route to a destination is not otherwise defined.

What type of gateway is specified is another way of categorizing the routes:

• An indirect route defines a gateway which is not an interface on the router; the final destination is not in a locally attached network.
• A direct route defines a gateway which is an interface on the router; the destination is on a locally attached network.


IP routing algorithm

[Slide figure not reproduced; the decision steps are described in the notes.]

Figure 6-4. IP routing algorithm AN212.0

Notes:

Both hosts and gateways participate in IP routing. When an application program on a host attempts to communicate with another host, one or more IP datagrams are generated. The host must decide to which IP address the datagrams should go. This address might be a host on the same network or on another network.

Three types of routing table entries can be seen. They are:

• Direct: This occurs when both the source and destination hosts are on the same physical network. The packets can be sent directly from the source to the destination.
• Indirect: This occurs when the source and destination hosts are on different physical networks. The only way to reach the host is through one or more IP gateways. The address of the first of these gateways (the first hop) is the only information needed by the source host.
• Default: This is used if the destination IP network address is not found in the direct or indirect entries.

The IP routing mechanism only considers the IP network address part of the destination address, as selected by each entry's network mask. When several entries match, the most specific one wins: a host route (a full 32-bit match) is preferred over a network route, a network route with a longer mask over one with a shorter mask, and the default route is used only when nothing else matches.

Viewing the routing table

• netstat command

# netstat -rn
Routing tables
Destination      Gateway      Flags   Refs      Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default          10.47.0.1    UG        1  1994123  en0   -   -
10.47.0.0        10.47.1.33   UHSb      0        0  en0   -   -   =>
10.47/16         10.47.1.33   U         3  4981045  en0   -   -
10.47.1.33       127.0.0.1    UGHS      2   402161  lo0   -   -
10.47.255.255    10.47.1.33   UHSb      0        0  en0   -   -
127/8            127.0.0.1    U        15     6708  lo0   -   -

Route Tree for Protocol Family 24 (Internet v6):
::1              ::1          UH        1   387784  lo0   -   -



Figure 6-5. Viewing the routing table AN212.0

Notes:

The routing table format indicates:

• The destination address (host or network). If the destination is a network, the subnet mask is indicated by /XX, where XX is the number of bits in the network portion of the address.
• The gateway address of the next hop gateway.
• Flags:
  - U: Up
  - H: Route is to a host
  - G: Route is to a gateway
  - D: The route was created dynamically by a redirect
  - M: The route has been modified by a redirect
  - b: The route represents a broadcast address
  - S: Manually added
  (See the netstat man page for a complete list of flags.)
• Refs: The current number of active users for the route.
• Use: A count of the number of packets sent using that route.
• Exp: Displays the time remaining (in minutes) before the route expires (for example, ICMP redirect routes).
• Groups: Provides a list of group IDs associated with that route.

Protocol Family 2 is IPv4; Family 24 is IPv6. The IPv6 entry shown is the IPv6 loopback address.

The -r flag shows the routing tables; combined with -s (netstat -rs) it shows routing statistics instead.

The -n flag displays the network address as an IP address. When this flag is not used, the addresses are displayed symbolically, which means a reverse name lookup for every entry.

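As an added example (not code from the notebook or from IBM), the following Python parses the IPv4 section of a netstat -rn listing laid out like the one above, decodes the flags, and resolves a few destinations the way the IP routing algorithm of Figure 6-4 does: host route first, then the longest matching network route, then the default. The listing is a constructed string that matches the figure; the route dictionaries and the lookup function are this example's own.

```python
"""Parse the IPv4 part of an AIX 'netstat -rn' listing and resolve next hops.

Added example for this notebook (not IBM code). The routing table text
below is constructed to match the figure; the lookup order implements the
rule from the notes: host route, then longest matching network route,
then default.
"""
import ipaddress

# Constructed sample, laid out like the 'netstat -rn' output in the figure.
NETSTAT_RN = """\
Routing tables
Destination      Gateway      Flags   Refs      Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default          10.47.0.1    UG        1  1994123  en0   -   -
10.47.0.0        10.47.1.33   UHSb      0        0  en0   -   -   =>
10.47/16         10.47.1.33   U         3  4981045  en0   -   -
10.47.1.33       127.0.0.1    UGHS      2   402161  lo0   -   -
10.47.255.255    10.47.1.33   UHSb      0        0  en0   -   -
127/8            127.0.0.1    U        15     6708  lo0   -   -

Route Tree for Protocol Family 24 (Internet v6):
::1              ::1          UH        1   387784  lo0   -   -
"""

FLAG_MEANING = {
    "U": "up", "H": "host", "G": "gateway", "D": "created by redirect",
    "M": "modified by redirect", "b": "broadcast", "S": "static (manually added)",
}


def parse_destination(text):
    """Turn netstat's compact destination ('10.47/16', '127/8', 'default') into a network."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in text:
        prefix, bits = text.split("/")
        octets = (prefix.split(".") + ["0"] * 4)[:4]       # pad '10.47' to '10.47.0.0'
        return ipaddress.ip_network(".".join(octets) + "/" + bits)
    return ipaddress.ip_network(text + "/32")              # host route


def parse_routes(listing):
    """Return the IPv4 routes as dicts: network, gateway, flags, interface, direct?"""
    routes, in_ipv4 = [], False
    for line in listing.splitlines():
        if line.startswith("Route Tree for Protocol Family"):
            in_ipv4 = "Family 2 " in line                    # Family 24 is IPv6
            continue
        fields = line.split()
        if not in_ipv4 or len(fields) < 7:
            continue
        dest, gw, flags, _refs, _use, ifname = fields[:6]
        routes.append({
            "network": parse_destination(dest),
            "gateway": ipaddress.ip_address(gw),
            "flags": flags,
            "if": ifname,
            "direct": "G" not in flags,                      # gateway is a local interface
            "meaning": [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING],
        })
    return routes


def lookup(routes, destination):
    """Pick the route the kernel would use: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if "b" not in r["flags"] and dst in r["network"]]
    best = max(candidates, key=lambda r: r["network"].prefixlen)
    bits = best["network"].prefixlen
    kind = "host" if bits == 32 else "default" if bits == 0 else "network"
    return kind, ("direct" if best["direct"] else "indirect"), str(best["gateway"]), best["if"]


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for dest in ("10.47.3.9", "10.47.1.33", "192.0.2.5"):
        print(dest, "->", lookup(table, dest))
```

The lookup deliberately skips the entries flagged b (the network and broadcast addresses), which exist for the interface's own use and never carry a forwarded packet.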

Establishing routes

[Slide figure: implicit, static and dynamic routes all feed the routing table.]



Figure 6-6. Establishing routes AN212.0

Notes:

Implicit routes: The implicit method is performed when you configure an interface; bringing up the interface adds the direct route for that interface's network.

Static (explicit) routes: Static routes are added by the network administrator, with the route command or through SMIT.

Dynamic routes: Dynamic routes are created by ICMP redirect messages in a static routing environment and by dynamic routing protocols such as RIP and OSPF. A router sends an ICMP redirect when it notices a better first hop to a destination. ICMP redirects are generated only by routers and are intended for use only by hosts.

Static routing

• Manually updated
• Practical in small, stable networks
• Configured through SMIT (mkroute) or the route command
• No daemons involved

                              Add Static Route
                                                          [Entry Fields]
  Destination TYPE                                         net               +
* DESTINATION Address                                     [9.19.98]
    (dotted decimal or symbolic name)
* Default GATEWAY Address                                 [9.19.99.1]
    (dotted decimal or symbolic name)
  COST                                                    [0]                #
  Network MASK (hexadecimal or dotted decimal)            []
  Network Interface                                       []                 +
    (interface to associate route with)
  Enable Active Dead Gateway Detection?                    no                +
  Is this a Local (Interface) Route?                       no                +
  Policy (for Multipath Routing Only)                      Default (Global)  +
  Weight (for Weighted Multipath Routing Policy)          [1]                #
  Apply change to DATABASE only                            no                +



Figure 6-7. Static routing AN212.0

Notes:

With static routing, the routing table is maintained manually with the route command or through SMIT.

Route command

• Route syntax: route [add|delete|change] [destination] [gateway]
  – Add a default gateway
    # route add 0 9.19.99.20
  – Add a host or network route
    # route add 9.19.98.1 9.19.99.11
    # route add -net 9.19.98/24 9.19.99.11
  – Delete a host route
    # route delete 9.19.98.1 9.19.99.11
  – Empty or flush the routing table (removes the routes that are not associated with a network interface)
    # route -f



Figure 6-8. Route command AN212.0

Notes:

The route command allows you to make manual entries into the network routing tables. There are many additional options that can be specified at definition, some of which will be covered later. (See the route man page for further details.)

Entries made with the route command are good only until the next system reboot unless they are also recorded somewhere that is replayed at boot: routes added through SMIT are stored in the ODM (the route attributes of the inet0 device, visible with lsattr -El inet0) and are recreated automatically, while routes added with route on the command line have to be repeated in the /etc/rc.net file.

To delete a route, you must specify at minimum the destination and gateway of the existing route. If there are duplicate routes through the same gateway, you must specify additional attributes to make the request unique; for example, the interface being used to depart the local host.

Routes can also be manipulated via SMIT (smit route). SMIT supports adding and deleting routes. To modify a route, you need to delete and redefine the route.

Note that route -f purges only the routes that are not associated with a network interface, so the direct (interface) routes survive while the default route and every other gateway route are removed. On a system you are administering remotely through a gateway, that includes the route your own session depends on.


Dynamic routing

• With dynamic routing, the routers talk to each other to exchange routing information.
• This should automatically configure all routing tables properly.
• Implemented through ICMP redirects and formal routing protocols.

[Slide figure: router1 and router2 exchanging dynamic routing protocol messages.]

Figure 6-9. Dynamic routing AN212.0

Notes:

In larger networks, configuring all routing tables properly by hand becomes tedious or even impossible. In this case, you will want to use dynamic routing, which means that your routing tables are updated automatically.

There are essentially two ways in which this can happen:

• If a packet is routed to the wrong router, that router generates an ICMP redirect message, containing the IP address of the proper router to use, back to the originating host. If the host is configured to accept ICMP redirects, it can use these messages to update its routing table.
• In more complex networks, ICMP redirects are not enough, and you will need special routing protocols which routing daemons on all routers use to exchange routing information with each other.

We are going to look at both solutions quickly, but as dynamic routing is beyond the scope of this course, we are not going to do any exercises with them.

Dynamic routing protocols

• Dynamic routing protocols exchange routing tables between routers.
• This allows every router to find the best route to a certain network.
• Basic algorithms:
  – Vector distance (distance vector): Only communicate with your neighbor routers and let them forward your information, with one hop added, to their neighbors.
  – Link state: Communicate with all routers in your realm using IP multicasts.
• Protocols that implement these algorithms:
  – RIP, RIPv2, OSPF, BGP, and so on
• AIX daemons that implement these protocols:
  – routed (RIP only), gated (RIPv2, OSPF, BGP, and so on)
• Dynamic routing is normally done on dedicated routers, not on general purpose AIX machines.

Figure 6-10. Dynamic routing protocols AN212.0

Notes:

When your network is large and you have a sizable number of routers, creating each routing table by hand becomes tedious or simply impossible. Additionally, ICMP redirects will not lead to a stable or optimal situation, particularly if multiple routes exist between two systems. In these situations, dynamic routing protocols are used.

A dynamic routing protocol generally works as follows: Each router runs a routing daemon. This daemon communicates with other routers in the network and transfers its own routing table (which, initially, only includes its implicit routes) to other routers. Based on the information that each router receives, they can deduce an accurate picture of the whole network and calculate the best route to each destination in the network. This information is then fed into the routing table and used for routing the IP packets.

This might seem simple, but in reality it is horribly complex. A lot of academic research has been done in this area, and currently there are two algorithms being used:

In the vector distance (distance vector) algorithm, each router only communicates with its neighbors, using broadcasts or direct unicasts. Routers update their own routing table with the information received and transfer the whole routing table on to the next neighbor. That means each transfer from one router to another might include information about other routers as well. In general, vector distance algorithms have two disadvantages.

• Convergence is slow. This means that it takes a while (up to 45 minutes) before a change in the network has propagated over all routers.
• The only metric that is being used is the hop count. If a low-bandwidth route to a destination takes three hops, but there is an alternative, high-bandwidth route available that takes five hops, then a vector distance algorithm will always use the three-hop route.

When using link state algorithms, each router describes its own directly attached links and sends that description to every other router in the network using IP multicasts. Descriptions received from other routers are passed on unchanged (flooded); a router never re-advertises routes it has computed from someone else's information, which is what keeps every router's picture consistent.

With every router receiving the link descriptions of every other router directly, they can, with a little effort, construct a mental picture of the whole network. This is then used to calculate the shortest route to each and every final destination in the network.

The advantage of this is that since each router has complete knowledge of the network, routing does not have to be done based on hop count alone. In fact, five different metrics can be used.

• The normal metric (hop count)
• Minimize delay (lowest latency, preferred for interactive communication)
• Maximize throughput (highest bandwidth, preferred for bulk file transfers)
• Maximize reliability (minimize packet loss, preferred for network status messages)
• Minimize monetary cost (preferred for low-value or low-priority services)

The disadvantage of link state algorithms is that they are a huge task to configure and maintain. There are several courses, both from IBM and other vendors, that spend days just covering the concepts and implementation of one specific link state protocol.

Based on these algorithms, several protocols have been designed which implement them. These protocols can be used in different situations and include RIP (Routing Information Protocol), RIPv2, OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol).

On AIX you will find two daemons that implement these protocols: routed and gated. The routed daemon only implements RIP, while the gated daemon implements all current protocols including RIP, OSPF, and BGP. Keep in mind that a host running one of these daemons accepts whatever routes its neighbors advertise; RIPv1 in particular carries no authentication, so any system on the same LAN can inject a route. A host that only needs to learn its default gateway can run routed in quiet mode (routed -q), which listens without advertising, or can leave dynamic routing to the dedicated routers altogether.

ICMP redirects

1. sys5 sends an IP datagram with destination sys8 to its router, sys4.
2. sys4 forwards the IP datagram to sys6 (sys4e to sys6e), the router closer to sys8's network.
3. sys4 sends an ICMP redirect to sys5.
4. Future IP datagrams from sys5 to sys8 go to sys6 directly.

# no -a | grep -i directs
   ipignoreredirects = 0
     ipsendredirects = 1

Figure 6-11. ICMP redirects AN212.0

Notes:

When there is a better router for sending messages through than the one the IP datagram was originally sent to, an ICMP redirect message is generated, which updates the sending host's routing table. The process goes like this:

a. An IP datagram is sent from sys5 with a destination of sys8. sys5's routing table shows sys4 as the router.
b. sys4 checks its routing table and sees that there is a closer router to sys8's network, sys6, on the same network as sys5. It forwards the IP datagram to sys6, which delivers it to sys8.
c. sys4 also sends an ICMP redirect message to sys5, which updates its routing table with a host route to sys8 through sys6 (shown with the D flag in netstat -rn).
d. Future IP datagrams destined for sys8 go to the new router.

A redirect only makes sense when the sending host, the original router and the better router all share a network; a host is expected to act on a redirect only if it comes from the router it is currently using for that destination and the new gateway is on a directly attached network. Redirect-created routes expire after a time (see the Exp column of netstat -rn).

The ipsendredirects and ipignoreredirects network options are used to control how AIX handles ICMP redirects. These options can be set with the no command: ipsendredirects=1 lets the system send a redirect when it forwards a datagram back out the interface it arrived on, and ipignoreredirects=1 makes it discard any redirects it receives. Because a redirect is an unauthenticated ICMP message, any system on the same LAN can forge one and divert a host's traffic through itself; on hosts with a fixed, well-known gateway it is safer to set ipignoreredirects=1, and on a system that is not meant to advise other hosts, ipsendredirects=0.

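The host side of the exchange above, written as an added Python example (not IBM code and not the AIX kernel's logic): a model host that accepts a redirect only from the gateway it is currently using and only toward a gateway on an attached network, and that drops everything when the ipignoreredirects option is set. Addresses are sys4, sys5, sys6 and sys8 from the figure; the Host class, its table layout and the forged redirect from sys7 are this example's own.

```python
"""Host-side handling of an ICMP redirect, as an added example (not IBM code).

The host applies a redirect only under the checks RFC 1122 (section 3.2.2.2)
asks for: it must come from the gateway the host is currently using for the
destination, and the new gateway must be on a directly attached network.
Addresses are sys4 (135.9.19.4), sys5, sys6 (135.9.19.6) and sys8
(201.64.23.8) from the figure; 'ipignoreredirects' models the AIX network
option of that name; the resulting route carries netstat's D flag. This is
a model of the rules, not a claim about the AIX kernel's exact code.
"""
import ipaddress


class Host:
    def __init__(self, attached_networks, default_gateway, ipignoreredirects=0):
        self.attached = [ipaddress.ip_network(n) for n in attached_networks]
        self.ipignoreredirects = ipignoreredirects
        # Routing table entries: (network, gateway or None for a direct route, flags)
        self.routes = [(net, None, "U") for net in self.attached]
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"),
                            ipaddress.ip_address(default_gateway), "UG"))

    def next_hop(self, destination):
        """Most specific match wins; a direct route delivers to the destination itself."""
        dst = ipaddress.ip_address(destination)
        _net, gateway, _flags = max((r for r in self.routes if dst in r[0]),
                                    key=lambda r: r[0].prefixlen)
        return dst if gateway is None else gateway

    def on_redirect(self, sender, destination, new_gateway):
        """Handle an ICMP redirect (type 5) for 'destination' received from 'sender'."""
        sender = ipaddress.ip_address(sender)
        new_gateway = ipaddress.ip_address(new_gateway)
        if self.ipignoreredirects:
            return "ignored: ipignoreredirects=1"
        if sender != self.next_hop(destination):
            # Only the router we actually send through may redirect us.
            return "rejected: sender is not the current gateway for this destination"
        if not any(new_gateway in net for net in self.attached):
            return "rejected: new gateway is not on a directly attached network"
        host_route = ipaddress.ip_network(destination + "/32")
        self.routes = [r for r in self.routes if r[0] != host_route]
        self.routes.append((host_route, new_gateway, "UGHD"))   # D: created by redirect
        return "accepted"

    def route_flags(self, destination):
        host_route = ipaddress.ip_network(destination + "/32")
        return next((flags for net, _, flags in self.routes if net == host_route), None)


if __name__ == "__main__":
    sys5 = Host(["135.9.0.0/16"], default_gateway="135.9.19.4")
    print(sys5.next_hop("201.64.23.8"))                                    # sys4
    print(sys5.on_redirect("135.9.19.4", "201.64.23.8", "135.9.19.6"))     # accepted
    print(sys5.next_hop("201.64.23.8"), sys5.route_flags("201.64.23.8"))   # sys6, UGHD
    # A forged redirect from another host on the LAN does not change the table.
    print(sys5.on_redirect("135.9.19.7", "201.64.23.9", "135.9.19.7"))
```

The sender check is what limits the damage a forged redirect can do: an attacker must already be the host's gateway (or be able to spoof that gateway's address on the LAN) to get a redirect accepted, and ipignoreredirects=1 closes that path as well.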

Path MTU discovery

• The maximum transmission unit (MTU) is the largest size packet that can be transmitted on a particular network without fragmentation.
  – Different networks can have different MTU values.
• Path MTU is the smallest MTU of any network on the path between two hosts.
• The goal of path MTU discovery is to prevent IP packet fragmentation at the router.
  – Fragmenting packets at the router is inefficient.

  Net 1 (MTU 9000) -- R -- Net 2 (MTU 1500) -- R -- Net 3 (MTU 9000)
  PMTU for Net 3 set to 1500

Figure 6-12. Path MTU discovery AN212.0

Notes:

Maximum Transmission Unit (MTU): The MTU of a network is the largest packet size for that network. For example, the MTU for standard Ethernet is 1500 bytes but is often raised to 9000 bytes by enabling the jumbo frames attribute on the adapter (every device on the segment must support the larger frames). For locally connected destinations, the MTU attribute of the network interface is used by the IP protocol to determine the size of outgoing packets.

Path MTU: For remote destinations, AIX supports the path MTU discovery algorithm described in RFC 1191. The sender transmits datagrams with the Don't Fragment bit set; a router that would have to fragment one drops it instead and returns an ICMP Destination Unreachable (fragmentation needed) message carrying the MTU of its next hop, and the sender lowers the path MTU recorded for that route. If a PMTU value exists for a route, the IP protocol will size or fragment the packet to fit within the PMTU value before sending it. It is much more efficient to fragment the packet at the sender than to have packets be fragmented by routers along the path to the destination. Note that a firewall that drops the ICMP fragmentation-needed messages leaves the sender with a path MTU that is too large and with connections that hang on large transfers (a PMTU black hole).

Path MTU table and options


IBM Power Systems

• To display the PMTU table, use the pmtu command:


## pmtu
pmtu display
display

.I. n
dst
dst gw
gw If
If pmtu
pmtu refcnt
refcnt redisc_t
redisc_t exp
exp

.T ció
-------------------------------------------------------------------------
-------------------------------------------------------------------------
10.30.5.120
10.30.5.120 10.6.119.254
10.6.119.254 en0
en0 1500
1500 11 15
15 00
80.1.205.104
80.1.205.104 10.6.119.254
10.6.119.254 en0
en0 1500
1500 11 11
11 00

.
C
.F a
• To list or change PMTU options, use the no command:

C rm
## no
no –a
–a |grep
|grep pmtu
pmtu
pmtu_default_age
pmtu_default_age == 10
10
pmtu_expire
pmtu_expire == 10
10
pmtu_rediscover_interval
pmtu_rediscover_interval == 30
30
to fo
tcp_pmtu_discover = 1
tcp_pmtu_discover = 1
udp_pmtu_discover
udp_pmtu_discover == 11
ec vo

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 6-13. Path MTU table and options AN212.0

Notes:

The pmtu command is provided to manage and display the path MTU table. By default, the IPv4 PMTU entries are displayed. IPv6 PMTU entries can be displayed using the -inet6 flag. The reference count (refcnt) signifies the number of current TCP and UDP applications using this PMTU entry. The rediscover time (redisc_t entry) signifies the amount of time that has elapsed since the last path MTU discovery attempt.

As shown in the visual, there are five no options which control path MTU discovery.

• PMTU discovery is active if the options tcp_pmtu_discover and udp_pmtu_discover are set to 1 and inactive if they are set to 0.
• The PMTU is rediscovered after every pmtu_rediscover_interval minutes. The default value is 30 minutes.
• The PMTU entry expiry is controlled by the network option pmtu_expire. The default value is 10 minutes.
• Since routes can change dynamically, the path MTU value for a path might also change over time. Decreases in the path MTU value will result in packet fragmentation, so discovered path MTU values are periodically checked for decreases. By default, decreases are checked every 10 minutes, and this value can be changed by modifying the value of the pmtu_default_age option.

Exercise: Routing

[Slide figure, three networks joined by two routers:]

  Network 5.0.0.0, subnet mask 255.0.0.0:          sys1 5.10.10.1, sys2 5.10.10.2, sys3 5.10.10.3, sys4 5.10.10.4
  Network 135.9.0.0, subnet mask 255.255.0.0:      sys4e 135.9.19.4, sys5 135.9.19.5, sys6 135.9.19.6, sys7 135.9.19.7
  Network 201.64.23.0, subnet mask 255.255.255.0:  sys6e 201.64.23.6, sys8 201.64.23.8, sys9 201.64.23.9, sys10 201.64.23.10

  sys4 (5.10.10.4 and sys4e 135.9.19.4) routes between the first two networks; sys6 (135.9.19.6 and sys6e 201.64.23.6) routes between the last two.

Figure 6-14. Exercise: Routing AN212.0

Notes:

Take a few minutes and try to write out the routing table for each host you see in the picture so that each host can communicate with each other host. Your instructor has the answers.

Debugging routing problems

• Know your network!
• The -n option works for most IP-related commands.
  – Disables hostname lookups
• netstat -r (on Linux, also route) displays the routing table.
  – Read carefully!
• ping -R records the route traveled by a ping.
  – Only works when the route is intact
  – Limited to nine entries
• traceroute uses packets with incremental TTL to determine where a route breaks.
  – Useful in problem determination
  – Might not work if filters or firewalls are involved
• Remember that routing is needed in both directions!

Figure 6-15. Debugging routing problems AN212.0

Notes:
oy si

Debugging routing problems is one of the hardest tasks in debugging network problems.
The absolute first prerequisite is to know the network. You have to know what networks are
u

connected to other networks by which router and which IP addresses are used throughout
the network. It is extremely useful to draw maps of the network on a whiteboard or flipchart
cl

when debugging problems like this.


A useful option when debugging is -n. This option is used in most Linux commands related
Ex

to networking (route, netstat, ping, traceroute) and prevents the command from doing a
reverse DNS lookup (determining the host or network name for a given IP address). Apart
from showing you the IP addresses instead of hostnames, it also isolates any DNS
problems you might have.
pr

As seen before, the route and netstat -r commands both show the routing table. This is
extremely useful provided that you know how to interpret the table and that you read it very
carefully.
We have seen the ping command already. The -R flag tells ping to record the route that the
packet has traveled in the IP header and to show that route when the reply comes in.

6-20 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty There is one thing you need to know about this. The number of routers that can be
recorded in the IP header is limited to nine.
The traceroute command appears to work the same as ping -R, but that is not true. ping -R sends one packet the whole way and waits for the reply to come in. Only then is the route shown. This means that if one of the routers or the final destination has problems, no reply comes in and nothing can be shown. traceroute, in contrast, works differently. It sends a UDP packet to the destination using a destination port which is known to be not in use (the classic implementation starts at port 33434), but configures a time to live (TTL) of one. When this packet arrives at the first router, the router decreases the TTL by one, yielding zero, and discards the packet as per IP protocol requirements. It also returns an ICMP Time Exceeded message to the origin of the packet. traceroute duly records this, and then sends a UDP packet with a TTL of two. This packet is discarded at the second router, which returns ICMP Time Exceeded. This process goes on until the UDP packet arrives at the final destination, which sends back an ICMP Port Unreachable. Then traceroute knows that the destination has been reached and quits. The advantage of traceroute is that it will give you information even if the final destination or an intermediate router is having problems: a hop that forwards traffic but does not answer shows up as asterisks, and the hops beyond it are still listed.

One caveat applies to both tools: firewalls commonly drop packets carrying the record route option, and many routers rate-limit or suppress ICMP errors, so a missing entry does not by itself prove that a hop is broken.
Finally, remember that routing is needed in both directions. It is not enough if your ping
(ICMP echo request) arrives at the destination. For you to see anything, the ping reply
(ICMP echo reply) must also traverse back through the network.
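The difference between the two tools described above, as an added example that is not part of the course material: a small Python simulation of ping -R and traceroute over a constructed path. The routers, addresses, RR_MAX, MAX_TTL and the two failure modes (a black hole that forwards nothing, and a router that forwards but never sends ICMP) are all assumptions made for the illustration; no packets are sent.

```python
"""ping -R versus traceroute, simulated over a constructed path.

Added example; it is not course code and sends no packets. The routers,
addresses and failure modes are hypothetical. Two ways a hop can "have
problems" are modelled: a black hole that forwards nothing, and a router
that forwards normally but never sends ICMP errors (common where ICMP is
filtered or rate-limited). RR_MAX is the nine-address limit of the
record route option.
"""
from dataclasses import dataclass

RR_MAX = 9          # record route option: 40-byte option space, 4 bytes per address
MAX_TTL = 30        # traceroute stops probing after this many hops


@dataclass(frozen=True)
class Router:
    addr: str
    forwards: bool = True   # False: black hole, nothing gets past it
    replies: bool = True    # False: forwards, but sends no ICMP Time Exceeded


def send(path, dst, ttl, record):
    """Push one datagram along path towards dst.

    Returns ("time_exceeded", router) when a router drops it at TTL zero,
    ("delivered", dst) when it reaches the end host, or (None, None) when
    nothing will ever come back. record is filled like the record-route option.
    """
    for hop in path:
        if not hop.forwards:
            return None, None
        ttl -= 1                                # every router decrements TTL
        if ttl == 0:                            # ... and discards at zero
            return ("time_exceeded", hop.addr) if hop.replies else (None, None)
        if len(record) < RR_MAX:
            record.append(hop.addr)
    return "delivered", dst


def ping_record_route(src, path, dst):
    """ping -R: one echo request must go the whole way and back before
    anything is shown; a failure anywhere means no output at all."""
    record = []
    if send(path, dst, 255, record)[0] != "delivered":
        return None
    if len(record) < RR_MAX:
        record.append(dst)
    if send(list(reversed(path)), src, 255, record)[0] != "delivered":
        return None                              # the reply must route back as well
    if len(record) < RR_MAX:
        record.append(src)
    return record


def traceroute(path, dst, max_ttl=MAX_TTL):
    """UDP probes with TTL 1, 2, 3, ... to an unused port; each Time Exceeded
    names one hop and the destination's Port Unreachable ends the trace."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        icmp, sender = send(path, dst, ttl, [])
        if icmp == "time_exceeded":
            hops.append(sender)
        elif icmp == "delivered":               # unused UDP port -> Port Unreachable
            hops.append(sender)
            break
        else:
            hops.append("*")                    # no answer for this TTL; keep going
    return hops


if __name__ == "__main__":
    # Constructed three-router path; the middle router forwards but is ICMP-silent.
    path = [Router("10.0.1.1"), Router("10.0.2.1", replies=False), Router("10.0.3.1")]
    print(traceroute(path, "10.0.4.10"))
    print(ping_record_route("10.0.0.10", path, "10.0.4.10"))
```

Run it and compare the two results for the ICMP-silent router: traceroute prints an asterisk for that hop and carries on to the destination, while ping -R still returns the full record because the router is forwarding. Make the same router a black hole (forwards=False) and ping -R returns nothing at all, which is exactly the failure case the text describes; a path longer than nine routers shows the record filling up before the return leg is reached.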


Checkpoint

1. When a network interface is configured, a route is created in the route table. What is the term associated with the creation of this route?
   a. Dynamic
   b. Implicit
   c. Static (or explicit)

2. True or False: The route -f (or route flush) command deletes all routes.

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 6-16. Checkpoint AN212.0

Notes:


Unit summary

Having completed this unit, you should be able to:
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems


Figure 6-17. Unit summary AN212.0

Notes:


Unit 7. Network availability

What this unit is about

This unit describes how to increase the levels of network availability using multipath routing with dead gateway detection, gigabit fast failover (GFF) and EtherChannel technology.

What you should be able to do

After completing this unit, you should be able to:
• Understand and configure routing for availability and load balancing (multi-path routing with dead gateway detection)
• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and EtherChannel
• Combine both GFF and LA technologies to achieve the highest levels of availability

How you will check your progress
• Checkpoint questions
• Lab exercises


Unit objectives

After completing this unit, you should be able to:
• Understand and configure routing for availability and load balancing (multi-path routing with dead gateway detection)
• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and EtherChannel
• Combine both GFF and LA technologies to achieve the highest levels of availability


Figure 7-1. Unit objectives AN212.0

Notes:

Levels of network availability

Typical recovery time   Failing component   Technology that recovers it
3-15 mins               Site                PowerHA XD
3 mins                  Host / Node         PowerHA (application recovery)
3 mins                  Network             PowerHA (application recovery)
20-30 secs              Adapter             PowerHA (application recovery)
8 secs                  Routing             Multipath routing, DGD
250 ms - 2 secs         Switch / Adapter    Link aggregation, EtherChannel
3 ms                    Port                Gigabit fast failover (GFF)

Figure 7-2. Levels of network availability AN212.0

Notes:
Within Power Systems and AIX, PowerHA is the key to maintaining application availability. Failover recovery times largely depend on the infrastructure and the application configuration. The approximate downtime experienced with PowerHA depends on which network component failed:
• Physical Ethernet adapter (NIC): Typically 20-30 seconds (depending on the RSCT topology settings)
• Network: 3 minutes
• Node: 3 minutes
• Site: 3 to 15 minutes (could be greater, depending on the distance between sites and the storage technology deployed)

Multipath routing (MPR) can take advantage of duplicate adapters or duplicate routers, when it is one of those components that fails and not the entire server.


EtherChannel and GFF are networking technologies which reside at lower levels and have much faster recovery times than PowerHA or MPR. In fact, all three technologies can be combined to provide the maximum levels of availability.

A common cause of network interruptions is loose cabling or cable malfunction (especially with delicate fiber cables). GFF, a technology that can be used with IBM dual port adapters, can protect against this with only 3 ms recovery time. Link aggregation can further help protect against the loss of the physical adapter, the path to the switch, or the loss of a switch.


Route load balancing and availability overview

• AIX will allow you to add multiple routes to the same destination. This feature is known as MPR (multipath routing).

[Figure: host 10.47.1.18 with two default routers, Default Router1 10.47.0.1 and Default Router2 10.47.0.254. Example 1: Router1 is primary and Router2 is backup. Example 2: both routers are primary.]

Figure 7-3. Route load balancing and availability overview AN212.0

Notes:
Since AIX 5L, it has been possible to configure multiple routes to the same destination. This configuration is known as multipath routing (MPR). MPR allows us to load balance between gateways or prioritize paths (using the weight and cost options). MPR also allows us to do dead gateway detection (DGD), which lets the system dynamically raise the cost of a route if its router has failed.

The first example has one route that is preferred (due to performance, security, or other considerations). The less desirable route is only used for backup in case the preferred route fails. All traffic should use the primary route unless it is not available, in which case traffic should be routed over the backup route.

The second example has two routes of equal desirability. In this situation connections would be load-balanced between both routes in order to improve available bandwidth. If one of them fails, all traffic will be routed over the remaining path, thus providing availability, although at a reduced bandwidth.


MPR load balancing

• When a host has multiple paths to a destination, which path is taken?
  – Depends on the following routing metrics:
    • Cost
      – Set using the route command
    • MPR policy
      – Set using the no command
    • Weight
      – Set using the route command

[Figure: host 10.47.1.18 asking "Which path should I take?" between Default Router1 10.47.0.1 and Default Router2 10.47.0.254.]

Figure 7-4. MPR load balancing AN212.0

Notes:
When a host has multiple paths to the same destination, a decision must be made as to which path to take. The first metric checked is the cost (hopcount). The route with the lowest cost has the highest priority. If all costs are equal, the MPR policy is used to determine the path. The weight metric can be used to influence the outcome under certain MPR policies. The policies are described on the next page.


MPR policy codes

# no -o mpr_policy=<code>

• (code 1) Weighted round-robin:
  – Selects routes on a round-robin basis, but biases how often each is selected based on the weight.
• (code 2) Random:
  – Selects a route at random.
• (code 3) Weighted random:
  – Selects a route at random, but biases how often each is selected based on the weight.
• (code 4) Lowest utilization:
  – Selects the route with the minimum number of current connections going through it.
• (code 5) Hash-based:
  – Selects a route by hashing based on the destination IP address.

Figure 7-5. MPR policy codes AN212.0

Notes:
The mpr_policy option determines the policy that will be used. The default policy is weighted round-robin (WRR), which behaves just like plain round-robin when the weights are all 1. There are five MPR policies to choose from (as stated in the mpr_policy help display):
• Weighted round-robin (1): Round-robin across the multiple routes, biased by the user-configured weights assigned to them (through the route command). If no weights are configured, it behaves identically to plain round-robin.
• Random (2): Chooses a route at random.
• Weighted random (3): Chooses a route based on the user-configured weights and a randomization routine. The policy adds up the weights of all the routes and picks a random number between 0 and the total weight. The individual weights are then subtracted from this number, one route at a time, until it drops below zero; the route at which that happens is selected, so each route is picked in proportion to its weight.
• Lowest utilization (4): Chooses the route with the minimum number of current connections going through it.
• Hash-based (5): Chooses a route by hashing the destination IP address, so a given destination keeps using the same route for as long as the set of routes is unchanged.
To change the MPR policy, type: # no -o mpr_policy=<number>

Without -p the setting is lost at the next reboot; # no -p -o mpr_policy=<number> makes it persistent, as is done for passive_dgd later in this unit. Also keep in mind that policies 1 to 4 spread successive packets or connections over different gateways, which matters when a stateful firewall or intrusion detection system sits behind only one of them and would then see only half of each conversation.


MPR metrics

• Costs and weights can be set with the route command and viewed with netstat -C.
  – Cost (-hopcount option): The smaller the number, the higher the priority.
  – Weight (-weight option): The larger the number, the higher the priority.
  – Cost takes precedence; MPR policy and weight are only used when routes have equal cost.

# route add 1/8 18.1.1.254 -weight 2 -hopcount 1
# route add 1/8 18.1.1.1 -weight 3 -hopcount 5
# netstat -Cn
Routing tables
Destination   Gateway        Flags  Wt  Policy  If   Cost  Config_Cost

Route Tree for Protocol Family 2 (Internet):
default       10.6.119.254   UG     1   -       en0  0     0
1/8           18.1.1.254     UG     2   WRR     en5  1     1   =>
1/8           18.1.1.1       UG     3   -"-     en5  5     5

Figure 7-6. MPR metrics AN212.0

Notes:
Each route has a cost and a weight (Wt) field. You can also see the policy defined for the route.

Cost takes precedence, with the lowest cost route being selected. If there is more than one lowest cost route (equal costs), then the MPR policy determines the algorithm used to load balance between them. Some of the MPR policies (such as the default weighted round-robin policy) use the route weights as a factor.

The visual shows a netstat display of the routing table where two routes are defined with different gateways to the same destination, and having different weights and costs. Notice that the route report indicates that one route has an alternate path by displaying the => string next to the first of the two routes. In this particular example the costs differ (1 and 5), so the route via 18.1.1.254 is always used while it is up; the weights would only come into play if the costs were equal.
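The selection order described on this and the previous two pages (cost first, then the mpr_policy code, with weights feeding codes 1 and 3), as an added example in Python that is not course or AIX code. The Route and MultipathSelector names, the CRC32 hash and the way weighted round-robin is scheduled are assumptions; what the course actually shows is only that consecutive picks come in runs proportional to the weights, which is the 3:2 pattern of Test 2 later in this unit, and that a higher-cost route is never used while the cheaper one is up, which is Test 3.

```python
"""Multipath route selection as described on the MPR policy and metrics pages.

Added example; it is not course or AIX code. It implements the documented
decision order: the lowest Cost wins outright, and only among equal-cost
routes does mpr_policy (codes 1-5) choose, with Wt biasing codes 1 and 3.
The scheduling inside weighted round-robin is an assumption; the only
property the course shows is that consecutive picks come in runs whose
lengths match the weights (the 3:2 pattern of Test 2 later in this unit).
"""
import random
import zlib
from dataclasses import dataclass

WRR, RANDOM, WRAND, LOWEST_UTIL, HASH = 1, 2, 3, 4, 5   # no -o mpr_policy=<code>


@dataclass
class Route:
    dest: str
    gateway: str
    cost: int = 0           # -hopcount: smaller wins
    weight: int = 1         # -weight: larger is picked more often under codes 1 and 3
    connections: int = 0    # live connections through this route, used by code 4


class MultipathSelector:
    def __init__(self, routes, mpr_policy=WRR, rng=None):
        self.routes = list(routes)
        self.policy = mpr_policy
        self.rng = rng or random.Random(0)   # seeded so the demo is repeatable
        self._rr_index = -1                  # WRR state: current route ...
        self._rr_left = 0                    # ... and picks left on it this turn

    def candidates(self, dest):
        """Cost takes precedence: only the lowest-cost routes to dest are eligible."""
        matching = [r for r in self.routes if r.dest == dest]
        if not matching:
            raise LookupError("no route to %s" % dest)
        best = min(r.cost for r in matching)
        return [r for r in matching if r.cost == best]

    def select(self, dest, dst_ip=None):
        cands = self.candidates(dest)
        if len(cands) == 1:
            return cands[0]                  # nothing to balance
        if self.policy == WRR:
            return self._weighted_round_robin(cands)
        if self.policy == RANDOM:
            return self.rng.choice(cands)
        if self.policy == WRAND:
            return self._weighted_random(cands)
        if self.policy == LOWEST_UTIL:
            return min(cands, key=lambda r: r.connections)
        if self.policy == HASH:
            # same destination address -> same gateway, while the route set is unchanged
            return cands[zlib.crc32((dst_ip or dest).encode()) % len(cands)]
        raise ValueError("unknown mpr_policy %r" % self.policy)

    def _weighted_round_robin(self, cands):
        # Assumed scheduling: stay on a route for `weight` picks, then advance.
        if self._rr_left <= 0:
            self._rr_index = (self._rr_index + 1) % len(cands)
            self._rr_left = cands[self._rr_index].weight
        self._rr_left -= 1
        return cands[self._rr_index]

    def _weighted_random(self, cands):
        # The algorithm the course describes: draw in [0, total weight) and
        # subtract each route's weight until the draw goes negative.
        draw = self.rng.randrange(sum(r.weight for r in cands))
        for r in cands:
            draw -= r.weight
            if draw < 0:
                return r
        return cands[-1]   # not reachable, kept as a guard


def run_lengths(gateways):
    """Collapse a pick sequence into (gateway, consecutive picks) pairs."""
    runs = []
    for g in gateways:
        if runs and runs[-1][0] == g:
            runs[-1] = (g, runs[-1][1] + 1)
        else:
            runs.append((g, 1))
    return runs


def lpar2_test2():
    """lpar2 after Test 2: two equal-cost routes to 1/8 with weights 3 and 2."""
    sel = MultipathSelector([Route("1/8", "18.1.1.254", weight=3),
                             Route("1/8", "18.1.1.1", weight=2)])
    return run_lengths(sel.select("1/8").gateway for _ in range(10))


if __name__ == "__main__":
    print(lpar2_test2())
```

lpar2_test2() reproduces the run lengths of the echo replies in Test 2 (three via 18.1.1.254, two via 18.1.1.1, repeating). Swap the policy code and weights in the constructor to see the other behaviours: with mpr_policy=HASH the same destination always lands on the same gateway, and with unequal costs only one candidate survives, so the policy is never consulted.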


Availability: Dead gateway detection

• Two modes: Active and passive
• Passive dead gateway detection (DGD)
  – Requires the use of TCP and ARP to detect gateway loss.
  – Works on a best effort basis
  – Configured using the no command
    • To turn on: # no -p -o passive_dgd=1
    • dgd_packets_lost: Number of TCP packets lost before DGD removes the ARP entry
    • dgd_retry_time: After dgd_retry_time minutes, cost is restored to Config_Cost
• Active DGD
  – Set on a per route basis (-active_dgd)
  – Uses ping to detect gateway loss
  – Behavior configured globally through the no command
    • dgd_ping_time: How often to ping the gateway (in seconds)
    • dgd_packets_lost: The number of packets that must be lost before the cost is raised for all routes using this gateway

Figure 7-7. Availability: Dead gateway detection AN212.0

Notes:
Dead gateway detection overview

The dead gateway detection (DGD) feature in AIX implements a mechanism for hosts to detect a dysfunctional gateway, adjust the routing table accordingly, and reroute network traffic to an alternate backup route if one is available. DGD is generally most useful for hosts that use static rather than dynamic routing. There are two methods of DGD, active and passive.

Passive dead gateway detection

If the network option passive_dgd is 1, passive dead gateway detection is enabled for the entire system. If no response is received for dgd_packets_lost consecutive ARP requests to a gateway, that gateway is assumed to be down, and the distance metrics (also known as hopcount or cost) for all routes using that gateway are raised to the maximum possible value. After dgd_retry_time minutes have passed, the routes' costs are restored to their user-configured values. The host also takes action based on failing TCP connections. If dgd_packets_lost consecutive TCP packets are lost, the ARP entry for the gateway in use is deleted and the TCP connection tries the next-best route.


The next time the gateway is used, the above actions take place again if the gateway is actually down. The passive_dgd, dgd_packets_lost, and dgd_retry_time parameters can all be configured using the no command.

Passive dead gateway detection has low overhead and is recommended for use on any network that has redundant gateways. However, passive dead gateway detection is done on a best-effort basis only. Some protocols, such as UDP, do not provide any feedback to the host if a data transmission is failing. In this case no action can be taken by passive dead gateway detection.

Active dead gateway detection

Hosts can also be configured to use active dead gateway detection on a per-route basis with the -active_dgd flag of the route command. Active dead gateway detection pings all gateways used by routes for which it is enabled every dgd_ping_time seconds. If no response is received from a gateway, it is pinged more rapidly, up to dgd_packets_lost times. If still no response is received, the costs of all routes using that gateway are raised. The gateway continues to be pinged and, if a response is eventually received, the costs on the routes are restored to their user-configured values. The dgd_ping_time parameter can be configured using the no command.

Active dead gateway detection is most useful when a host must immediately discover when a gateway goes down. Since it queries each gateway for which it is enabled every few seconds, there is some network overhead associated with its use. Active dead gateway detection is recommended only for hosts that provide critical services on networks with a limited number of hosts. Note also that a gateway which filters or rate-limits ICMP echo requests will look dead to active DGD even though it is forwarding traffic normally, so make sure the gateways you probe actually answer pings from this host.
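Passive and active DGD as described above, as an added example in Python that is not AIX code. The class and method names are hypothetical, the defaults (dgd_packets_lost=3, dgd_retry_time=5, dgd_ping_time=5) are assumed and should be confirmed with no -a | grep dgd, MAX_COST stands in for "the maximum possible value", and the rule that an actively probed gateway recovers only on a ping reply rather than on the retry timer is my reading of the text.

```python
"""Dead gateway detection (DGD) as a host-side state machine.

Added example, not AIX code. It follows the passive and active behaviour
described in the course text; the tunable names are the no(1) options on
the slide, and the defaults used here (dgd_packets_lost=3,
dgd_retry_time=5 minutes, dgd_ping_time=5 seconds) are assumed, so confirm
them with `no -a | grep dgd`. MAX_COST stands in for "the maximum possible
value", and the rule that an actively probed gateway recovers only on a
ping reply (not on the retry timer) is an interpretation of the text.
"""
from dataclasses import dataclass

MAX_COST = 2**31 - 1   # assumed sentinel for "raised to the maximum"


@dataclass
class Route:
    dest: str
    gateway: str
    config_cost: int = 0        # Config_Cost: what the administrator set
    cost: int = 0               # Cost: what the kernel is using right now
    active_dgd: bool = False    # route added with -active_dgd


class DeadGatewayDetector:
    def __init__(self, routes, passive_dgd=1, dgd_packets_lost=3,
                 dgd_retry_time=5, dgd_ping_time=5):
        self.routes = list(routes)
        self.passive_dgd = passive_dgd
        self.packets_lost = dgd_packets_lost
        self.retry_secs = dgd_retry_time * 60       # no(1) takes minutes
        self.ping_secs = dgd_ping_time
        self.lost = {}          # gateway -> consecutive unanswered ARP requests / pings
        self.tcp_lost = {}      # gateway -> consecutive unacknowledged TCP packets
        self.raised_at = {}     # gateway -> time its route costs were raised
        self.arp = {r.gateway: "cached" for r in self.routes}   # stand-in ARP cache

    def _via(self, gw):
        return [r for r in self.routes if r.gateway == gw]

    def _raise(self, gw, now):
        for r in self._via(gw):
            r.cost = MAX_COST
        self.raised_at.setdefault(gw, now)

    def _restore(self, gw):
        for r in self._via(gw):
            r.cost = r.config_cost
        self.raised_at.pop(gw, None)
        self.lost[gw] = 0

    # ---- passive DGD: sends nothing itself, reacts to ARP and TCP feedback ----
    def arp_result(self, gw, answered, now):
        if not self.passive_dgd:
            return
        self.lost[gw] = 0 if answered else self.lost.get(gw, 0) + 1
        if self.lost[gw] >= self.packets_lost:
            self._raise(gw, now)

    def tcp_result(self, gw, acked):
        """Lost TCP packets drop the ARP entry so the connection re-resolves via
        the next-best route. UDP gives no feedback, so nothing happens for it."""
        if not self.passive_dgd:
            return
        self.tcp_lost[gw] = 0 if acked else self.tcp_lost.get(gw, 0) + 1
        if self.tcp_lost[gw] >= self.packets_lost:
            self.arp.pop(gw, None)

    def tick(self, now):
        """Passive recovery: after dgd_retry_time the costs return to Config_Cost."""
        for gw, t in list(self.raised_at.items()):
            probed = any(r.active_dgd for r in self._via(gw))
            if not probed and now - t >= self.retry_secs:
                self._restore(gw)

    # ---- active DGD: pings every dgd_ping_time on routes flagged -active_dgd ----
    def active_gateways(self):
        return sorted({r.gateway for r in self.routes if r.active_dgd})

    def ping_result(self, gw, answered, now):
        if answered:
            if gw in self.raised_at:
                self._restore(gw)            # a reply restores the costs at once
            self.lost[gw] = 0
            return
        self.lost[gw] = self.lost.get(gw, 0) + 1
        if self.lost[gw] >= self.packets_lost:
            self._raise(gw, now)

    def best_route(self, dest):
        """Cost takes precedence; ties would go to the MPR policy (not modelled here)."""
        return min((r for r in self.routes if r.dest == dest), key=lambda r: r.cost)
```

The two passive paths are deliberately separate, as in the text: unanswered ARP requests raise the cost of every route through the gateway, while lost TCP packets only evict the ARP entry so that one connection re-resolves. UDP traffic triggers neither, which is the gap the text warns about and a reason to consider active DGD for the few gateways that carry critical UDP services such as DNS, syslog or NTP.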

MPR scenario

[Figure: lpar1 (1.1.1.100) on the 1/8 network and lpar2 (18.1.1.100) on the 18/8 network, connected through router1 (1.1.1.1 / 18.1.1.1) and router2 (1.1.1.254 / 18.1.1.254).]

lpar1 # route add -net 18/8 1.1.1.1
lpar1 # route add -net 18/8 1.1.1.254

lpar2 # route add -net 1/8 18.1.1.1
lpar2 # route add -net 1/8 18.1.1.254

lpar1 # netstat -C | grep 18/8
18/8   1.1.1.254   UG   1   WRR   en5   0   0   =>
18/8   1.1.1.1     UG   1   -"-   en5   0   0

lpar2 # netstat -C | grep 1/8
1/8    18.1.1.254  UG   1   WRR   en5   0   0   =>
1/8    18.1.1.1    UG   1   -"-   en5   0   0

(The columns after Flags are weight, policy, interface, Cost and Config_Cost.)

Figure 7-8. MPR scenario AN212.0

Notes:
The following tests, based on this scenario, are used to demonstrate the effect of the multipathing metrics.

There are two networks (network 1 and network 18), each with a non-routing host. There are two routers available to route traffic between the two networks.

All the necessary routes are defined for the hosts to use either gateway. Initially they are defined with equal costs and equal weights.


Test 1: Weighted round-robin

• Both AIX LPARs have the default configuration
  – Weight = 1 | Cost = 0 | mpr_policy=1 (WRR)

Ping 1:
lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100

Ping 2:
lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100

Figure 7-9. Test 1: Weighted round-robin AN212.0

Notes:
The IP addresses recorded by the ICMP echo request and echo reply are the departing interfaces on each hop.

During the first ping, the outgoing path is always to router 1 (18.1.1.1). On the return, lpar2 alternates which router is sent the echo reply packet (1.1.1.1 or 1.1.1.254). During the second ping, router 2 is always chosen for the outgoing path, while the echo replies show the same alternating path (1.1.1.1 or 1.1.1.254) behavior as on the first ping.

The asymmetry is consistent with the BSD-style per-socket route cache: the ping process resolves its route once for the socket and keeps it for the whole run, whereas each echo reply that lpar2's kernel generates gets a fresh route lookup and therefore a fresh round-robin pick.


Test 2: Weights (1 of 3)

• The weights are changed on LPAR 2 as follows:

lpar2 # route set 1/8 18.1.1.1 -weight 2
lpar2 # route set 1/8 18.1.1.254 -weight 3
lpar2 # netstat -C | grep 1/8
1/8    18.1.1.254  UG   3   WRR   en5   0   0   =>
1/8    18.1.1.1    UG   2   -"-   en5   0   0

C
.F a
C rm
to fo
ec vo

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 7-10. Test 2: Weights (1 of 3) AN212.0

Notes:
For the second test case, we set the weights to be different for the two routes. The route using router 1 is given a weight of 2. The route using router 2 is given a weight of 3.

The route subcommand being used is set. This is useful for changing route characteristics without having to delete and redefine the route.


Test 2: Weights (2 of 3)

• First ping
lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100

Figure 7-11. Test 2: Weights (2 of 3) AN212.0

Notes:
We can now see the effect of the weight metric.

As before, all outgoing echo requests are bound to a single route (via router 2 in this case). The first echo reply used router 1 (1.1.1.1).

The second echo reply used router 2 (1.1.1.254), as did the next two packets, for a total of three consecutive echo replies using router 2.

The fifth echo reply used router 1, as did the next packet, for a total of two consecutive echo replies using router 1.

The seventh echo reply used router 2, as did the next two packets, for a total of three consecutive echo replies using router 2.

The tenth echo reply used router 1, as did the next packet, for a total of two consecutive echo replies using router 1.

You can see a clear pattern of alternating echo replies where the number of sequential echo replies using the same path reflects the weight ratio of 2 to 3.


Test 2: Weights (3 of 3)

• Second ping
lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100

Figure 7-12. Test 2: Weights (3 of 3) AN212.0

Notes:
The second ping produces exactly the same reply pattern; however, the output shows that router 1 is chosen on the outbound path this time.


Test 3: Cost (1 of 2)

• A cost of 1 is added to the 18/8 1.1.1.254 route on LPAR 1.
  – This now becomes the secondary route.

lpar1 # route delete 18/8 1.1.1.254
lpar1 # route add -net 18/8 1.1.1.254 -hopcount 1
lpar1 # netstat -C | grep 18/8
18/8   1.1.1.1     UG   1   WRR   en5   0   0   =>
18/8   1.1.1.254   UG   1   -     en5   1   1


Figure 7-13. Test 3: Cost (1 of 2) AN212.0

Notes:
For this test case, the route using router 2 for the outgoing first hop is modified to have a higher cost than the route using router 1. The route is deleted and re-added with -hopcount 1, and netstat -C now shows Cost and Config_Cost of 1 for it against 0 for the route via router 1.


Test 3: Cost (2 of 2)

• Note: All subsequent pings produce the same output.

lpar1 # ping -R 18.1.1.100
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=10 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
ec vo


Figure 7-14. Test 3: Cost (2 of 2) AN212.0

Notes:

Setting the cost to 1 for the route to router2 results in the route to router1 becoming the
highest priority. However, if router1 were to fail, the host would not use the alternative path.

This problem can be solved by using dead gateway detection.


Test 4: Active DGD (1 of 2)



• Active DGD is enabled on all routes:


lpar1 # route delete 18/8 1.1.1.1
lpar1 # route delete 18/8 1.1.1.254
lpar1 # route add -net 18/8 1.1.1.1 -active_dgd
lpar1 # route add -net 18/8 1.1.1.254 -hopcount 1 -active_dgd    #note: backup route
lpar1 # netstat -Cn | grep 18/8
18/8    1.1.1.1     UGA  1  WRR  en5   1    1  =>
18/8    1.1.1.254   UGA  1  -"-  en5   0    0

lpar2 # route delete 1/8 18.1.1.1
lpar2 # route delete 1/8 18.1.1.254
lpar2 # route add -net 1/8 18.1.1.1 -active_dgd
lpar2 # route add -net 1/8 18.1.1.254 -hopcount 1 -active_dgd    #note: backup route
lpar2 # netstat -Cn | grep 1/8
1/8     18.1.1.1    UGA  1  WRR  en5   1    1  =>
1/8     18.1.1.254  UGA  1  -"-  en5   0    0


Figure 7-15. Test 4: Active DGD (1 of 2) AN212.0

Notes:

In this test case, the alternate routes are both defined to use active dead gateway detection
(DGD). This causes AIX to periodically (every 5 seconds by default) send an echo request
to the gateway defined for that route, to determine its usability. If the gateway is not
accessible over that route, the effective cost of that route is changed to make it a high cost
route.

This would not be helpful if only the one host used it, since the other host could continue to
select the preferred (but inoperative) router with the lower defined cost. Thus the visual
shows that active DGD is also being enabled on the other host.

The flag value of A indicates that this route is using active DGD.


Test 4: Active DGD (2 of 2)



• Eight packets lost


lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=10 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=11 ttl=254 time=0 ms (same route)
(Router 1 disconnected from the network)
64 bytes from 18.1.1.100: icmp_seq=19 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=20 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=21 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=22 ttl=254 time=0 ms (same route)

The cost of the highest priority route is set to MAX to enable the secondary route.
lpar1 # netstat -C | grep 18/8
18/8    1.1.1.254   UG   1  -    en5   1    1  =>
18/8    1.1.1.1     UG   1  -    en5   MAX  0


Figure 7-16. Test 4: Active DGD (2 of 2) AN212.0

Notes:

The ping shows the outbound and inbound path to the destination via router1 (1.1.1.1).
Router1 is then disconnected from the network. The system (using active DGD) detects the
loss and increases the effective cost to MAX. This makes the backup route using router2
(1.1.1.254) the lowest cost route. This, in turn, results in the selection of the backup route
for the connection. The same occurs at the other host, which results in the selection of the
backup route for each echo reply.

Eight packets were discarded.

If this had been a UDP application, the application code would likely have retransmitted the
datagrams that lacked any replies from the application at the other end; nine retries would
likely have been within its retry limits.

If this had been a TCP connection, AIX network services would have handled the packet
transmission retry attempts and would have been successful after nine retries.
Whether this was TCP or UDP, active DGD reacts quickly enough to avoid any
application level outage.


Test 5: Passive DGD (1 of 2)



• Active DGD is removed from all routes and passive DGD is enabled:
lpar1 # route delete 18/8 1.1.1.1
lpar1 # route delete 18/8 1.1.1.254
lpar1 # route add -net 18/8 1.1.1.1
lpar1 # route add -net 18/8 1.1.1.254 -hopcount 1    #note: backup route
lpar1 # no -o passive_dgd=1
lpar1 # netstat -Cn | grep 18/8
18/8    1.1.1.1     UG   1  WRR  en5   1    1  =>
18/8    1.1.1.254   UG   1  -"-  en5   0    0

lpar2 # route delete 1/8 18.1.1.1
lpar2 # route delete 1/8 18.1.1.254
lpar2 # route add -net 1/8 18.1.1.1
lpar2 # route add -net 1/8 18.1.1.254 -hopcount 1    #note: backup route
lpar2 # no -o passive_dgd=1
lpar2 # netstat -Cn | grep 1/8
1/8     18.1.1.1    UG   1  WRR  en5   1    1  =>
1/8     18.1.1.254  UG   1  -"-  en5   0    0


Figure 7-17. Test 5: Passive DGD (1 of 2) AN212.0

Notes:

For this test case, one route is given a higher cost, forcing the selection of the other route.
Active DGD is not enabled on the routes. Instead, the no command is used to globally
enable passive DGD.

Passive DGD does not actively ping the router and thus has lower overhead. Instead, it
waits for other protocols to notify it of an outage. This involves either TCP connections over
that router reporting excessive retries, or ARP timing out the ARP entry for the router and
being unable to rediscover the MAC address for the router's IP address.

The test case shows that 26 packets were lost before passive DGD raised the effective
cost of the failed route. Passive DGD will show slower recovery from outages than
active DGD.
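The netstat -C listings on the preceding slides (the healthy table, and the table after DGD has raised a route's cost to MAX) are what an administrator or a monitoring job reads to find out which router is actually carrying traffic. The Python script below is an added example and is not part of the IBM course material: it parses rows of the format shown in Tests 3 to 5 (the two sample tables inside it are constructed, modelled on those slides), reports which gateways dead gateway detection has marked dead, which gateway currently wins for a destination, and whether every route carries the A flag that -active_dgd sets. Comparing two consecutive snapshots with failover_events() turns the otherwise silent cost change into something that can raise an alert.

```python
"""Read AIX 'netstat -C' route tables and report dead gateway detection state.

Added example for this section, not IBM course code.  The samples are
constructed to match the column layout the slides show:
Destination Gateway Flags Wt Policy If Cost Config_Cost [=>]
"""
import math
from dataclasses import dataclass

# Constructed sample: both routes usable, active DGD enabled (A flag set).
HEALTHY = """\
18/8    1.1.1.1     UGA  1  WRR  en5   0    0  =>
18/8    1.1.1.254   UGA  1  -"-  en5   1    1
"""

# Constructed sample: router1 declared dead, its effective cost raised to MAX.
AFTER_FAILURE = """\
18/8    1.1.1.254   UG   1  -    en5   1    1  =>
18/8    1.1.1.1     UG   1  -    en5   MAX  0
"""


@dataclass(frozen=True)
class Route:
    dest: str
    gateway: str
    flags: str
    weight: int
    policy: str
    iface: str
    cost: float          # math.inf stands for the MAX that netstat prints
    config_cost: int


def _cost(token):
    """netstat prints MAX once DGD has given up on the gateway."""
    return math.inf if token == "MAX" else int(token)


def parse_netstat_c(text):
    """Parse grep-filtered 'netstat -C' rows into Route records."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:            # header, blank or truncated line
            continue
        dest, gw, flags, wt, policy, ifc, cost, ccost = fields[:8]
        routes.append(Route(dest, gw, flags, int(wt), policy, ifc,
                            _cost(cost), int(ccost)))
    return routes


def dead_gateways(routes):
    """Gateways whose effective cost is MAX, i.e. DGD has marked them dead."""
    return [r.gateway for r in routes if math.isinf(r.cost)]


def preferred_gateways(routes, dest):
    """Lowest-cost usable gateway(s) for a destination.  More than one means
    the kernel spreads traffic across them (weighted round-robin)."""
    usable = [r for r in routes if r.dest == dest and not math.isinf(r.cost)]
    if not usable:
        return []
    best = min(r.cost for r in usable)
    return [r.gateway for r in usable if r.cost == best]


def active_dgd_enabled(routes):
    """True when every route carries the A flag that -active_dgd sets."""
    return bool(routes) and all("A" in r.flags for r in routes)


def failover_events(before, after):
    """Gateways usable in the first snapshot and dead in the second.  Polling
    netstat -C and feeding consecutive snapshots here is one way to notice a
    DGD failover that otherwise only shows up as a changed cost column."""
    dead_before = set(dead_gateways(before))
    return [gw for gw in dead_gateways(after) if gw not in dead_before]


if __name__ == "__main__":
    healthy = parse_netstat_c(HEALTHY)
    failed = parse_netstat_c(AFTER_FAILURE)
    print("preferred before:", preferred_gateways(healthy, "18/8"))
    print("preferred after: ", preferred_gateways(failed, "18/8"))
    print("failed over:     ", failover_events(healthy, failed))
```

On a live system the input would be the output of netstat -C piped through grep for the destination of interest, exactly as on the slides; the script deliberately ignores the header lines that grep would otherwise remove.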


Test 5: Passive DGD (2 of 2)



• Twenty-six packets lost


lpar1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
(Router 1 disconnected from the network)
64 bytes from 18.1.1.100: icmp_seq=31 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=32 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=33 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=34 ttl=254 time=0 ms (same route)

The cost of the highest priority route is set to MAX to enable the secondary route.
lpar1 # netstat -C | grep 18/8
18/8    1.1.1.254   UG   1  -    en5   1    1  =>
18/8    1.1.1.1     UG   1  -    en5   MAX  0


Figure 7-18. Test 5: Passive DGD (2 of 2) AN212.0

Notes:

Test 5 repeats test 4 using passive DGD. The time taken to detect the loss of the route is
significantly longer in this case: 26 packets were lost.


Gigabit fast failover: Overview



• Gigabit fast failover (GFF)
• Feature available on most multi-port cards
  – Not supported on the IVE adapters
• Averages 3 milliseconds downtime on loss of primary port (zero disruption)
• Can be combined with link aggregation and PowerHA for the highest levels of network availability
• No switch configuration required

[Diagram: host with ent0 (primary) cabled to switch1 and ent1 (backup) cabled to switch2]


Figure 7-19. Gigabit fast failover: Overview AN212.0

Notes:

The gigabit Ethernet fast failover device driver provides autonomous, self-healing adapter
ports to increase network availability and minimize interruptions in mission critical
environments. The millisecond failover time was designed as a migration path for dual-ring
FDDI users accustomed to continuous network availability and instantaneous port failover.
The new gigabit Ethernet failover feature is not instantaneous, but it averages an
impressive 0.003 second from the instant the link loss is detected to the instant the link is
recovered. Millisecond failover speeds are achieved with this failover feature because it is
implemented in the adapter device driver layer, and port parameters and resources can be
shared by the two adapters sharing a single PCI-X slot.

For the highest availability, connect the two ports to different Ethernet network switches as
shown in the visual. This failover feature requires no special support at the network switch
and can be used with EtherChannel and PowerHA.

At the time of this course revision, the adapters which supported GFF were:
• 2-port gigabit Ethernet-SX PCI-X (1410882)

• 2-port 10/100/1000 Base-TX PCI-X (14108902)
• 4-port 10/100/1000 Base-TX PCI-X (14101103)
• 4-port 10/100/1000 Base-TX PCI-express (14106803)
• 2-port Gb Ethernet-SX PCI-express (14103f03)
• 2-port 10/100/1000 Base-TX PCI-express (14104003)


GFF implementation

• Locate the dual port adapters

# lsdev -Cc adapter
ent0 Available 01-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent1 Available 01-09 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)

• Set the failover mode on the ports

# chdev -l ent0 -a failover=primary
# chdev -l ent1 -a failover=backup

• Can also be done through smit (fastpath: chgenet)

Change / Show Characteristics of an Ethernet Adapter
                                                  [Entry Fields]
  Ethernet Adapter                                ent0
  Description                                     2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
  Status                                          Available
  # Note: some fields removed for clarity.
  Enable failover mode                            primary                     +

• Configure the IP address on the primary port


Figure 7-20. GFF implementation AN212.0

Notes:

Start with unconfigured adapters cabled to separate, interconnected redundant switches
(to avoid a single point of failure at the switch) as shown. If ports have been configured
previously for TCP/IP, remove the interface definitions in the ODM database via fastpath
smitty inet.

1. Locate the dual port gigabit Ethernet adapter ports with the lsdev command.

2. Configure the primary port via the fastpath smitty Ethernet.
   Three failover modes are available. Configure this port as Primary and the backup
   port as Backup. (The default value, Disable, means this port is not a member of a
   failover configuration, so the two ports behave independently.)

3. Configure the backup port (fastpath smitty ethernet).

4. Configure the IP interface on top of the primary port using fastpath smitty chinet.
   If you try to configure an interface on the backup port, the system will reject that
   attempt.


GFF testing: Primary port failure



• Error log on loss of primary port


---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN


Figure 7-21. GFF testing: Primary port failure AN212.0

Notes:

On loss of the primary port, the IP address and adapter (ent6 in this case) remain up and
available, but the packets arrive and leave via the backup interface and port. Note that
the primary port can fail silently; unless additional features are deployed, such as error
notification, no one will notice!
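Because a GFF failover is silent at the IP layer, the error log is the place to catch it. The following Python script is an added example, not IBM course code: it parses errpt -a output using the three labels shown on this slide (the sample text inside it is constructed from the entries above, plus the recovery entry shown on the next slide) and lists the adapters that are currently running on their backup port. The rule it uses to track state, that a GOENT_FAILOVER_SUCC following a GOENT_LINK_DOWN means a move to the backup port and a further GOENT_FAILOVER_SUCC without a new GOENT_LINK_DOWN means a move back, is this example's own assumption, not something the course states.

```python
"""Turn the GFF entries in 'errpt -a' output into an alert that an adapter is
running on its backup port.

Added example for this section, not IBM course code.  The samples are
constructed from the error labels shown on these slides; errpt -a lists the
newest entry first.  The state rule is this example's assumption: a
GOENT_FAILOVER_SUCC that follows a GOENT_LINK_DOWN means traffic moved to the
backup port, and a later GOENT_FAILOVER_SUCC with no new GOENT_LINK_DOWN in
between means the primary port is back in use.
"""
import re
from dataclasses import dataclass
from datetime import datetime

SEPARATOR = re.compile(r"-{10,}")   # errpt -a separates entries with a dashed line

# Constructed sample: the three entries from the primary port failure slide.
ERRPT_FAILURE = """\
---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN
"""

# Constructed sample: the recovery entry from the next slide, newest, on top.
ERRPT_RECOVERED = """\
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:54:38 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
""" + ERRPT_FAILURE


@dataclass
class Entry:
    label: str
    when: datetime
    etype: str
    resource: str


def _parse_when(text):
    """'Thu Jul 16 14:46:24 CEDT 2009': drop the zone name, strptime cannot read it."""
    p = text.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")


def parse_errpt(text):
    """Parse 'errpt -a' output into Entry records, newest first as errpt prints them."""
    entries = []
    for block in SEPARATOR.split(text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:                           # 'Description' and its text carry no colon
                fields[key.strip()] = value.strip()
        if "LABEL" in fields and "Date/Time" in fields:
            entries.append(Entry(fields["LABEL"], _parse_when(fields["Date/Time"]),
                                 fields.get("Type", ""), fields.get("Resource Name", "")))
    return entries


def adapters_on_backup(entries):
    """Adapters whose primary port is down and whose traffic is on the backup
    port, mapped to the time of the failover."""
    on_backup, link_down = {}, set()
    for e in reversed(entries):                      # replay oldest to newest
        if e.label == "GOENT_LINK_DOWN":
            link_down.add(e.resource)
        elif e.label == "GOENT_FAILOVER_SUCC":
            if e.resource in link_down:
                link_down.discard(e.resource)
                on_backup[e.resource] = e.when       # moved to the backup port
            elif e.resource in on_backup:
                del on_backup[e.resource]            # failed back to the primary
    return on_backup


def alerts(text):
    """One alert line per adapter still on its backup port; empty when all is well."""
    return [f"{res}: primary port down since {when:%Y-%m-%d %H:%M:%S}, traffic on backup port"
            for res, when in adapters_on_backup(parse_errpt(text)).items()]


if __name__ == "__main__":
    print(alerts(ERRPT_FAILURE) or ["all adapters on primary port"])
    print(alerts(ERRPT_RECOVERED) or ["all adapters on primary port"])
```

Run periodically against errpt -a (or wired into an errnotify method), the alerts() output is the notification the note above says is otherwise missing; the GOENT_RCVRY_EXIT entry is parsed but does not change the state.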


GFF testing: Primary port recovery



• Error log on port recovery


---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:54:38 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE


Figure 7-22. GFF testing: Primary port recovery AN212.0

Notes:
Link aggregation and EtherChannel: Overview (1 of 2)

• Standard is IEEE 802.3ad (now IEEE 802.1AX)
• Cisco standard is EtherChannel
• Addresses two problems, bandwidth and redundancy
• Link failover time, 250 ms to 2 s
• Up to eight links in an aggregate / channel active
  – Plus 1 backup

[Diagram: three layouts. Aggregate: adapters ent0, ent1, ent2 (and so on) all cabled to switch1. Backup: ent0 to switch1, ent1 to switch2. Aggregate + backup: the aggregated adapters to switch1 plus a backup adapter to switch2.]


Figure 7-23. Link aggregation and EtherChannel: Overview (1 of 2) AN212.0

Notes:

Link aggregation is designed to overcome two problems with Ethernet connections:
bandwidth limitations and lack of redundancy.

The first problem is that a single Ethernet link does not scale. If bandwidth problems are
being experienced, the logical step has been to move up to the next generation, for
example 100 Mbit/s to 1000 Mbit/s or (more commonly today) 1000 Mbit/s to 10000 Mbit/s.
In the early 1990s, Kalpana (later acquired by Cisco Systems) invented EtherChannel.
Other network manufacturers developed similar solutions, but there was no interoperability
between vendors. In 2000, IEEE passed 802.3ad, which became the open standard
equivalent of EtherChannel. The 802.3ad standard has since been rebranded as 802.1AX.
It is based on the link aggregation control protocol (LACP). The LACP specification allows
the bundling of several physical ports together to form a single logical channel. LACP
allows a network device to negotiate an automatic bundling of links by sending LACP
packets to the host.

The second problem is having single points of failure within a typical port-cable-port
connection. If a link fails, link aggregation technology will automatically redistribute traffic
across the remaining links. If all active links within the primary channel fail, then traffic will
be redistributed to the backup link. Automatic recovery in an aggregate takes less than one
second and is transparent to network applications and the end user. This makes it very
resilient and desirable for mission critical applications. Automatic recovery to a backup
channel takes slightly longer, typically between 1 and 4 seconds.

Link aggregation and EtherChannel: Overview (2 of 2)

• If the switch supports IEEE 802.3ad (now 802.1AX) natively, no switch configuration is required to identify port groupings.
  – Dynamic negotiation occurs.
• If you are using vendor specific link aggregation (such as Cisco EtherChannel), then the switch must be configured appropriately.
  – Interoperability issues tend to be the cause of most problems.
• Drawbacks:
  – Traditionally, links contained in an aggregate must go to the same switch.
  – There are vendor specific implementations which allow active aggregate links to go into different switches.
    • For example: Cisco's Virtual Switching System (VSS) allows the creation of a Multichassis EtherChannel (MEC).
      – Cisco Catalyst 6500 chassis only.
    • Nortel Split Multi-Link Trunking (SMLT)
      – SMLT has been submitted to IETF to be made into a standard.


Figure 7-24. Link aggregation and EtherChannel: Overview (2 of 2) AN212.0

Notes:

Generally speaking, if the switch natively supports 802.3ad, link aggregation control
protocol data units (LACPDUs) are exchanged between the server machine and the switch.
LACP lets the switch know that the adapters configured in the aggregation should be
considered as one on the switch without further user intervention. Cisco switches do
support LACP, but not natively: the port on the switch must be configured to support
EtherChannel or LACP.

Currently, there is no open standard for distributing active links across multiple switches.
This can be achieved via vendor specific features such as Cisco's VSS and Nortel's SMLT.


Link aggregation: Key AIX configuration options



• Mode (supported hashing modes)
  – standard (default | src_port | dst_port | src_dst_port)
  – 8023ad (default | src_port | dst_port | src_dst_port)
  – round_robin (default)
• Interoperability:
  – If switch is configured for 802.3ad, use mode 8023ad in AIX
  – If switch is configured for EtherChannel, use either standard or round_robin in AIX
• Enable alternate address
  – The Link Aggregation adapter can be configured with a locally administered alternate MAC address.
  – Provides stable MAC address regardless of adapter membership
• Backup adapter
  – Backup link (different switch) in case the switch supporting the aggregated links fails.


Figure 7-25. Link aggregation: Key AIX configuration options AN212.0

Notes:

Modes:
u

• Standard: In this mode the EtherChannel uses an algorithm to choose which adapter it
will send the packets out on. The algorithm consists of taking a data value, dividing it by
cl

the number of adapters in the EtherChannel, and using the remainder (using the
modulus operator) to identify the outgoing link. The hash mode value determines which
data value is fed into this algorithm. (See the hash mode attribute for an explanation of
Ex

the different hash modes.) For example, if the hash mode is standard, it will use the
packet’s destination IP address. If this is 10.10.10.11 and there are two adapters in the
EtherChannel, (1 / 2) = 0 with remainder 1, then the second adapter is used. The
adapters are numbered starting from 0. The adapters are numbered in the order they
pr

are listed in the SMIT menu. This is the default operation mode.
• 8023ad: This options enables the use of the IEEE 802.3ad link aggregation control
protocol (LACP) for automatic link aggregation. Like EtherChannel, IEEE 802.3ad
requires support in the switch. Unlike EtherChannel, however, the switch does not need
to be configured manually to know which ports belong to the same aggregation. The

7-30 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty advantages of using IEEE 802.3ad link aggregation instead of EtherChannel are that it
creates the link aggregations in the switch automatically and that it allows you to use
switches that support the IEEE 802.3ad standard but do not support EtherChannel. In
IEEE 802.3ad, the link aggregation control protocol (LACP) automatically tells the
switch which ports should be aggregated. When an IEEE 802.3ad aggregation is
configured, link aggregation control protocol data units (LACPDUs) are exchanged
between the server machine and the switch. LACP will let the switch know that the

.I. n
adapters configured in the aggregation should be considered as one on the switch
without further user intervention.

.T ció
• Round-robin: In this mode the EtherChannel will rotate through the adapters, giving
each adapter one packet before repeating. The packets might be sent out in a slightly
different order than they were given to the EtherChannel, but it will make the best use of

.
its bandwidth. It is an invalid combination to select this mode with a hash mode other

C
.F a
than default. If you choose the round-robin mode, leave the hash mode value as
default.

C rm
Mode, hash mode, and outgoing traffic distribution (across adapter ports within the
EtherChannel):

• mode: Standard or 8023ad, hash_mode: default
  This is the traditional AIX behavior. The adapter selection algorithm uses the last byte of
  the destination IP address (for TCP/IP traffic) or MAC address (for ARP and other
  non-IP traffic). This mode is typically the best initial choice for a server with a large
  number of clients.

• mode: Standard or 8023ad, hash_mode: src_dst_port
  The outgoing adapter path is selected via an algorithm using the combined source and
  destination TCP or UDP port values (the average of the TCP/IP address suffix values in
  the Local and Foreign columns shown by the netstat -an command). Since each connection
  has a unique TCP or UDP port, the three port-based hash modes provide additional
  adapter distribution flexibility when there are several separate TCP or UDP connections
  between an IP address pair.

• mode: Standard or 8023ad, hash_mode: src_port
  The adapter selection algorithm uses the source TCP or UDP port value. In netstat -an
  command output, the port is the TCP/IP address suffix value in the Local column.

• mode: Standard or 8023ad, hash_mode: dst_port
  The outgoing adapter path is selected via an algorithm using the destination system port
  value. In netstat -an command output, the TCP/IP address suffix in the Foreign column
  is the TCP or UDP destination port value.

• mode: Round-robin, hash_mode: default
  Outgoing traffic is spread evenly across all the adapter ports in the EtherChannel. This
  mode is the typical choice for two hosts connected back-to-back (for example, without
  an intervening switch).
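As an added illustration (not part of the course material), the following shell script models the adapter-selection rules just listed: each hash mode reduces one packet field to a port index, which is assumed here to be a simple modulo over the number of ports because the course does not spell out the driver's arithmetic. It shows why the default hash mode spreads a many-client server well but pins a single IP address pair to one port, and it rejects the invalid combination of round_robin with a non-default hash_mode.

```shell
#!/bin/sh
# Added example, not from the IBM course material: a simplified model of how the
# mode and hash_mode settings decide which adapter port carries an outgoing
# packet. Assumption (not stated in the course): the selected field is reduced
# to a port index with a modulo over the number of adapter ports.

# pick_adapter MODE HASH_MODE NADAPTERS DST_IP SRC_PORT DST_PORT
# Prints the 0-based index of the adapter port chosen for one outgoing packet.
pick_adapter() {
    mode=$1; hash_mode=$2; n=$3; dst_ip=$4; sport=$5; dport=$6
    : "${RR_COUNTER:=0}"
    if [ "$mode" = round_robin ] && [ "$hash_mode" != default ]; then
        echo "round_robin is only valid with hash_mode default" >&2
        return 1
    fi
    case "$mode" in
        round_robin)
            # rotate through the ports, one packet each, ignoring the packet fields
            idx=$(( RR_COUNTER % n ))
            RR_COUNTER=$(( RR_COUNTER + 1 )) ;;
        standard|8023ad)
            case "$hash_mode" in
                default)      key=${dst_ip##*.} ;;              # last byte of destination IP
                src_port)     key=$sport ;;                     # source TCP/UDP port
                dst_port)     key=$dport ;;                     # destination TCP/UDP port
                src_dst_port) key=$(( (sport + dport) / 2 )) ;; # average of the two ports
                *) echo "unknown hash_mode: $hash_mode" >&2; return 1 ;;
            esac
            idx=$(( key % n )) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo "$idx"
}

# distribution MODE HASH_MODE NADAPTERS < flows
# Reads "dst_ip src_port dst_port" lines (one packet each) and prints how many
# packets land on each port, for example "adapter0=2 adapter1=2".
distribution() {
    RR_COUNTER=0
    while read -r dst_ip sport dport; do
        [ -z "$dst_ip" ] && continue
        pick_adapter "$1" "$2" "$3" "$dst_ip" "$sport" "$dport" || exit 1
    done | sort -n | uniq -c |
        awk '{ printf "%sadapter%s=%s", sep, $2, $1; sep = " " } END { print "" }'
}

# Constructed traffic samples: a server answering four clients on port 22, and
# one host opening four connections to 10.6.119.40:22 (one IP address pair).
one_server_many_clients() {
    printf '%s\n' "10.6.119.40 22 40001" "10.6.119.41 22 40002" \
                  "10.6.119.42 22 40003" "10.6.119.43 22 40004"
}
one_ip_pair_many_connections() {
    printf '%s\n' "10.6.119.40 40001 22" "10.6.119.40 40002 22" \
                  "10.6.119.40 40003 22" "10.6.119.40 40004 22"
}

echo "many clients, default:      $(one_server_many_clients | distribution standard default 2)"
echo "one IP pair, default:       $(one_ip_pair_many_connections | distribution standard default 2)"
echo "one IP pair, src_dst_port:  $(one_ip_pair_many_connections | distribution standard src_dst_port 2)"
echo "one IP pair, round_robin:   $(one_ip_pair_many_connections | distribution round_robin default 2)"
```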


Optional key fields:

• Enable alternate address: Setting this to yes will enable you to specify a MAC address
  that you want the EtherChannel to use. If you set this option to no, the EtherChannel will
  use the MAC address of the first adapter. If this adapter fails, then the MAC address of
  the EtherChannel will change. AIX will send a gratuitous ARP (GARP) packet out to the
  local network to inform client and networking devices of the change. GARP is not a
  perfect solution; therefore, the preferred method is to create a locally administered
  alternate MAC address for the EtherChannel.

• Backup adapter: Specifies the adapter to use as your EtherChannel backup.


Link aggregation: Example

  Add An EtherChannel / Link Aggregation

                                                     [Entry Fields]
    EtherChannel / Link Aggregation Adapters          ent6,ent8          +
    Enable Alternate Address                          yes                +
    Alternate Address                                 [0x02deadbeef01]   +
    Enable Gigabit Ethernet Jumbo Frames              no                 +
    Mode                                              round_robin        +
    Hash Mode                                         default            +
    Backup Adapter                                                       +
    Automatically Recover to Main Channel             yes                +
    Perform Lossless Failover After Ping Failure      yes                +
    Internet Address to Ping                          []
    Number of Retries                                 []                 +#
    Retry Timeout (sec)                               []                 +#

  # lsdev -Cl ent13
  ent13 Available EtherChannel / IEEE 802.3ad Link Aggregation

• The IP address is configured on the en13 interface.

Figure 7-26. Link aggregation: Example AN212.0

Notes:

The SMIT dialog panel shown in the visual may be accessed using the SMIT fastpath
etherchannel.

The new EtherChannel or LA adapter is being defined upon two existing Ethernet adapters:
ent6 and ent8. These must be cabled to switch ports where the switch is either configured
to explicitly define these links as being in a channel grouping, or which support a protocol
that will dynamically discover that they are both part of the same 802.3ad aggregate. The
base adapters must not have their own configured interfaces; if the base adapters'
interfaces are configured, the existing interfaces will be detached and all configuration
attributes will be lost.

The new aggregate adapter (ent13) will use a provided alternate address rather than using
the MAC of the first link in the channel. Load balancing will use a mode of round-robin. No
backup link is defined.


In this example, Cisco configuration was applied on the switch. The Cisco switch details
follow. The adapter ports were connected to switch ports 4/32 and 4/33 on VLAN 619.

  interface GigabitEthernet4/32
   description clp_2,600-752
   switchport access vlan 619
   switchport mode access
   channel-group 11 mode on
   spanning-tree bpduguard enable
  !
  interface GigabitEthernet4/33
   description clp_2,600-752
   switchport access vlan 619
   switchport mode access
   channel-group 11 mode on
   spanning-tree bpduguard enable
  !
  interface Port-channel11
   description Gi4/32-33
   switchport
   switchport access vlan 619
   switchport mode access

Note: If the host (which may be in an LPAR) cannot detect the physical loss of a link
(common in virtual LPARs), then an Internet address to ping must be supplied in order for
the host to switch back to the primary channel.

Link aggregation: Attributes and status

• Listing EtherChannel attributes

  # lsattr -El ent13
  adapter_names   ent6,ent8      EtherChannel Adapters                        True
  alt_addr        0x02deadbeef01 Alternate EtherChannel Address               True
  auto_recovery   yes            Enable automatic recovery after failover     True
  backup_adapter  NONE           Adapter used when whole channel fails        True
  hash_mode       default        Determines how outgoing adapter is chosen    True
  mode            round_robin    EtherChannel mode of operation               True
  netaddr         0              Address to ping                              True
  noloss_failover yes            Enable lossless failover after ping failure  True
  num_retries     3              Times to retry ping before failing           True
  retry_time      1              Wait time (in seconds) between pings         True
  use_alt_addr    no             Enable Alternate EtherChannel Address        True
  use_jumbo_frame no             Enable Gigabit Ethernet Jumbo Frames         True

• Viewing EtherChannel status
  – Active channel
  – Statistics for each component adapter

  # entstat -r -d ent13     ### reset stats ###
  # entstat -d ent13        ### display stats ###

Figure 7-27. Link aggregation: Attributes and status AN212.0

Notes:

Documentation

The attributes of the EtherChannel can be documented by using the lsattr command.
Most importantly, the adapter_names attribute displays the list of links in the aggregate,
and the backup_adapter is identified (if configured).

Status

For general viewing or problem determination purposes, you can use the entstat
command to verify the configuration of the link aggregation, view the current status
(which links are active), and understand how traffic is being distributed over the
component adapters.

Example entstat output:


# entstat -d ent13
-------------------------------------------------------------
ETHERNET STATISTICS (ent13) :
Device Type: EtherChannel
Hardware Address: 00:de:ad:be:ef:01
Elapsed Time: 0 days 3 hours 7 minutes 12 seconds

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 4906                                 Packets: 5920
Bytes: 49399256                               Bytes: 575598
Interrupts: 0                                 Interrupts: 5087
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 25
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0
                                              Elapsed Time: 0 days 0 hours 0 minutes 0 seconds
Broadcast Packets: 0                          Broadcast Packets: 248
Multicast Packets: 0                          Multicast Packets: 0
No Carrier Sense: 0                           CRC Errors: 0
DMA Underrun: 0                               DMA Overrun: 0
Lost CTS Errors: 0                            Alignment Errors: 0
Max Collision Errors: 0                       No Resource Errors: 0
Late Collision Errors: 0                      Receive Collision Errors: 0
Deferred: 0                                   Packet Too Short Errors: 0
SQE Test: 0                                   Packet Too Long Errors: 0
Timeout Errors: 0                             Packets Discarded by Adapter: 0
Single Collision Count: 0                     Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0

General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        PrivateSegment LargeSend DataRateSet

=============================================================
Statistics for every adapter in the EtherChannel:
-------------------------------------------------


Number of adapters: 2
Operating mode: Round-robin mode
-------------------------------------------------------------
ETHERNET STATISTICS (ent6) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Hardware Address: 00:de:ad:be:ef:01

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 2443                                 Packets: 73
Bytes: 24833262                               Bytes: 4380
Interrupts: 0                                 Interrupts: 72
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 13
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0

Broadcast Packets: 0                          Broadcast Packets: 73
Multicast Packets: 0                          Multicast Packets: 0
No Carrier Sense: 0                           CRC Errors: 0
DMA Underrun: 0                               DMA Overrun: 0
Lost CTS Errors: 0                            Alignment Errors: 0
Max Collision Errors: 0                       No Resource Errors: 0
Late Collision Errors: 0                      Receive Collision Errors: 0
Deferred: 0                                   Packet Too Short Errors: 0
SQE Test: 0                                   Packet Too Long Errors: 0
Timeout Errors: 0                             Packets Discarded by Adapter: 0
Single Collision Count: 0                     Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0

General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        PrivateSegment LargeSend DataRateSet

2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902) Specific Statistics:


------------------------------------------------------------------------
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex
PCI Mode: PCI-X (100-133)
PCI Bus Width: 64-bit
Latency Timer: 144
Cache Line Size: 128
Jumbo Frames: Disabled
TCP Segmentation Offload: Enabled
TCP Segmentation Offload Packets Transmitted: 930
TCP Segmentation Offload Packet Errors: 0
Transmit and Receive Flow Control Status: Enabled
XON Flow Control Packets Transmitted: 0
XON Flow Control Packets Received: 0
XOFF Flow Control Packets Transmitted: 0
XOFF Flow Control Packets Received: 0
Transmit and Receive Flow Control Threshold (High): 49152
Transmit and Receive Flow Control Threshold (Low): 24576
Transmit and Receive Storage Allocation (TX/RX): 8/56
-------------------------------------------------------------
ETHERNET STATISTICS (ent8) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Hardware Address: 00:de:ad:be:ef:01

Transmit Statistics:                          Receive Statistics:
--------------------                          -------------------
Packets: 2463                                 Packets: 5847
Bytes: 24565994                               Bytes: 571218
Interrupts: 0                                 Interrupts: 5015
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
Max Packets on S/W Transmit Queue: 12
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0

Broadcast Packets: 0                          Broadcast Packets: 175
Multicast Packets: 0                          Multicast Packets: 0
No Carrier Sense: 0                           CRC Errors: 0
DMA Underrun: 0                               DMA Overrun: 0


Lost CTS Errors: 0                            Alignment Errors: 0
Max Collision Errors: 0                       No Resource Errors: 0
Late Collision Errors: 0                      Receive Collision Errors: 0
Deferred: 0                                   Packet Too Short Errors: 0
SQE Test: 0                                   Packet Too Long Errors: 0
Timeout Errors: 0                             Packets Discarded by Adapter: 0
Single Collision Count: 0                     Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0

General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        PrivateSegment LargeSend DataRateSet

2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902) Specific Statistics:
------------------------------------------------------------------------
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex
PCI Mode: PCI-X (100-133)
PCI Bus Width: 64-bit
Latency Timer: 144
Cache Line Size: 128
Jumbo Frames: Disabled
TCP Segmentation Offload: Enabled
TCP Segmentation Offload Packets Transmitted: 908
TCP Segmentation Offload Packet Errors: 0
Transmit and Receive Flow Control Status: Enabled
XON Flow Control Packets Transmitted: 0
XON Flow Control Packets Received: 0
XOFF Flow Control Packets Transmitted: 0
XOFF Flow Control Packets Received: 0
Transmit and Receive Flow Control Threshold (High): 49152
Transmit and Receive Flow Control Threshold (Low): 24576
Transmit and Receive Storage Allocation (TX/RX): 8/56


Link aggregation: Link failure and recovery

ent6 port failure
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Fri Jul 17 10:53:43 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN

Note: There was no loss of packets.

# entstat -d ent13 |grep -i LINK
Link Status : UNKNOWN
Link Status : Up

ent6 port recovery
---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Fri Jul 17 10:55:58 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE

# entstat -d ent13 |grep -i LINK
Link Status : Up
Link Status : Up

Figure 7-28. Link aggregation: Link failure and recovery AN212.0

Notes:

The visual shows two events. The first is the loss of a link. The second is the recovery of a
link.

The GOENT_LINK_DOWN record reports which link (ent6) has gone down. Since this is
only one of the links being used by the EtherChannel, traffic continues over the remaining
link and there is no impact on the application traffic using the EtherChannel. An examination
of the entstat details for the EtherChannel adapter shows that while one link has an
UNKNOWN status, the other one has an Up status.

The GOENT_RCVRY_EXIT record reports that the link is back up (that link recovery has
completed). An examination of the entstat details for the EtherChannel would then show
both links with a link status of Up.
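An added example (not from the course material) that turns the two checks in the visual into a small script: it pairs each component adapter in entstat -d output with its Link Status line and reports any link that is not Up, and it picks the link-down and recovery records out of errpt -a style output. The samples are constructed to mirror the visual; against a live system the same functions are fed with entstat -d ent13 | failed_links or errpt -a | link_events.

```shell
#!/bin/sh
# Added example, not from the IBM course material: a link-health check built
# from the two sources the visual uses, "entstat -d <channel>" output and the
# error log records. The functions read command output from stdin, so they work
# on saved output, on the constructed samples below, or on live commands.

# link_status_report < entstat-output
# Prints "<adapter> <status>" for every component adapter, pairing each
# "ETHERNET STATISTICS (entN) :" header with the "Link Status" line under it.
link_status_report() {
    awk '
        /^ETHERNET STATISTICS \(/ { adapter = $3; gsub(/[():]/, "", adapter) }
        /Link Status/ {
            sub(/.*Link Status[ \t]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
            print adapter, $0
        }'
}

# failed_links < entstat-output
# Prints adapters whose Link Status is not "Up"; exit status 1 if any, else 0.
failed_links() {
    link_status_report |
        awk '$2 != "Up" { print $1; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# link_summary < entstat-output   prints "N of M links up"
link_summary() {
    link_status_report |
        awk '{ total++; if ($2 == "Up") up++ }
             END { printf "%d of %d links up\n", up, total }'
}

# link_events < errpt-a-output
# Prints "<time> <resource> <label>" for link and channel failover/recovery
# records (GOENT_LINK_DOWN, GOENT_RCVRY_EXIT, ECH_CHAN_FAIL, ECH_CHAN_RCVRY).
link_events() {
    awk '
        /^LABEL:/         { label = $2 }
        /^Date\/Time:/    { sub(/^Date\/Time:[ \t]*/, ""); when = $0 }
        /^Resource Name:/ {
            res = $3
            if (label ~ /^(GOENT_LINK_DOWN|GOENT_RCVRY_EXIT|ECH_CHAN_FAIL|ECH_CHAN_RCVRY)$/)
                print when " " res " " label
        }'
}

# Constructed excerpt of "entstat -d ent13" while ent6 is down, as in the visual.
sample_entstat_degraded() {
    cat <<'EOF'
ETHERNET STATISTICS (ent13) :
Device Type: EtherChannel
Number of adapters: 2
Operating mode: Round-robin mode
-------------------------------------------------------------
ETHERNET STATISTICS (ent6) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Link Status : UNKNOWN
-------------------------------------------------------------
ETHERNET STATISTICS (ent8) :
Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
Link Status : Up
EOF
}
# The same excerpt after the link has recovered.
sample_entstat_healthy() { sample_entstat_degraded | sed 's/UNKNOWN/Up/'; }

# Constructed excerpt of "errpt -a" covering the two events in the visual.
sample_errpt() {
    cat <<'EOF'
---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Fri Jul 17 10:55:58 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Fri Jul 17 10:53:43 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN
EOF
}

for sample in sample_entstat_healthy sample_entstat_degraded; do
    echo "$sample: $($sample | link_summary)"
    $sample | failed_links | sed 's/^/  not Up: /'
done
echo "events:"
sample_errpt | link_events | sed 's/^/  /'
```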


Link aggregation: Dynamic changes

• Dynamic changes (without interrupting traffic)
  – Add and remove adapters (allows you to replace a failing adapter without
    interrupting traffic)
  – Add or remove a backup adapter
  – Switch between standard mode, 802.3ad, and round robin
  – To manually force a failover, use SMIT chgethch or the ethchan_config command

• Example commands:

  # Add an adapter (ent4) to the main channel (ent3)
  /usr/lib/methods/ethchan_config -a ent3 ent4

  # Remove ent4 adapter from the EtherChannel (ent3)
  /usr/lib/methods/ethchan_config -d ent3 ent4

  # To force a manual failover to the backup channel
  /usr/lib/methods/ethchan_config -f ent3

Figure 7-29. Link aggregation: Dynamic changes AN212.0

Notes:

Dynamic adapter membership

The dynamic adapter membership feature (introduced in AIX 5L V5.2) allows you to
change most attributes of a link aggregation dynamically without interrupting traffic. This
includes the ability to change the adapter membership of the aggregate.

ethchan_config

The ethchan_config command (or SMIT) can be used to make these dynamic
changes to the link aggregation.
ethchan_config can also be used to force a failover from the primary channel to the
backup adapter, or a failback. This can be very useful for problem determination.
pr


Combining link aggregation and gigabit fast failover

• Achieving the highest levels of availability
  – Up to three links can fail without affecting availability
  – Can be used as an underlying technology when configuring PowerHA clusters
  – Applicable also to the Virtual I/O Server

[Diagram: the host's EtherChannel ent13 is built from four adapter ports (ent6, ent7, ent8,
ent9), each cabled to its own switch (switch1 to switch4). ent6 is the LA primary / GFF
primary port and ent7 the LA primary / GFF backup port; ent8 is the LA backup / GFF
primary port and ent9 the LA backup / GFF backup port.]

Figure 7-30. Combining link aggregation and gigabit fast failover AN212.0

Notes:

Combining GFF, LA, and PowerHA results in achieving the highest possible levels of
network availability. This particular scenario uses a network interface backup configuration
where the link aggregate has a single link and defines a backup link in case that aggregate
fails.

The base adapters for the Link Aggregate (LA) would be the GFF primary adapters: ent6
and ent8. Each of these is automatically backed up by the secondary port on that
adapter. If the primary adapter port (or its connection to the switch) fails, then the
secondary port will take over, transparently to the link aggregation. If the link aggregate
fails (both ent6 and ent7), then traffic continues over the backup channel link (the other
adapter).
pr

Link aggregation and gigabit fast failover configuration

  # chdev -l ent6 -a failover=primary
  # chdev -l ent7 -a failover=backup
  # chdev -l ent8 -a failover=primary
  # chdev -l ent9 -a failover=backup

  Add An EtherChannel / Link Aggregation

                                                     [Entry Fields]
    EtherChannel / Link Aggregation Adapters          ent6               +
    Enable Alternate Address                          yes                +
    Alternate Address                                 []                 +
    Enable Gigabit Ethernet Jumbo Frames              no                 +
    Mode                                              standard           +
    Hash Mode                                         default            +
    Backup Adapter                                    ent8               +
    Automatically Recover to Main Channel             yes                +
    Perform Lossless Failover After Ping Failure      yes                +
    Internet Address to Ping                          []
    Number of Retries                                 []                 +#
    Retry Timeout (sec)                               []                 +#

• The IP address is configured on the LA/EtherChannel interface.

Figure 7-31. Link aggregation and gigabit fast failover configuration AN212.0

Notes:

In this configuration there is no switch configuration required as the LA/EtherChannel is
operating in backup only mode.

LA and GFF: Primary adapter failure

  # ping 10.6.119.40
  64 bytes from 10.6.119.40: icmp_seq=0 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=1 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=2 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=3 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=4 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=5 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=6 ttl=64 time=0 ms
  64 bytes from 10.6.119.40: icmp_seq=7 ttl=64 time=0 ms

On Jul 16 15:07:33 switch ports for ent6 and ent7 were disconnected from the switch.
- 15:07:34 EtherChannel backup became active.
- Zero ICMP packets were lost.

Sample output from entstat shows the swap to the backup channel.

  Statistics for every adapter in the EtherChannel:
  -------------------------------------------------
  Number of adapters: 2
  Active channel: backup adapter
  Operating mode: Network interface backup mode

Figure 7-32. LA and GFF: Primary adapter failure AN212.0

Notes:

Error log on failure:

---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 15:08:52 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 15:07:46 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 15:07:40 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          ECH_CHAN_FAIL
Date/Time:      Thu Jul 16 15:07:34 CEDT 2009
Type:           PERM
Resource Name:  ent13
Description
ETHERCHANNEL FAILOVER
Detail Data
All primary Ether Channel adapters failed: switching over to backup adapter
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_FAIL
Date/Time:      Thu Jul 16 15:07:34 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 15:07:34 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN
---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Thu Jul 16 15:07:33 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 15:07:33 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 15:07:33 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN

Error log on recovery:

---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Tue Jul 21 14:04:29 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          ECH_CHAN_RCVRY
Date/Time:      Tue Jul 21 14:04:15 CEDT 2009
Type:           INFO
Resource Name:  ent13
Description
ETHERCHANNEL RECOVERY
---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Tue Jul 21 14:04:12 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Tue Jul 21 14:04:11 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE


Checkpoint (1 of 2)

1. Given the following output, which path will be taken to the 18/8 network?

   # netstat -C |grep 18/8
   18/8     1.1.1.1      UG   10   WRR   en5   0   0
   18/8     1.1.1.254    UG   20   -     en5   1   1

2. What will happen as a result of entering the following command?

   # /usr/lib/methods/ethchan_config -d ent10 ent8
   _____________________________________________________

3. True or False: EtherChannels can be configured without any switch configuration.

Figure 7-33. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:

Checkpoint (2 of 2)

4. Can active channels in an LA or EtherChannel configuration be connected to different
   switch backplanes?

5. True or False: Combining GFF, LA, and PowerHA results in achieving the highest levels
   of network availability.

Figure 7-34. Checkpoint (2 of 2) AN212.0

Notes:

Exercise introduction

• In this optional exercise, you will:
  – Configure MPR with DGD
  – Configure Ethernet fast failover and EtherChannel (optional)

• Note:
  – Due to the lab H/W configuration, you might not be able to complete all elements of
    the optional section.
  – This exercise might have to be completed in a phased approach.

Figure 7-35. Exercise introduction AN212.0

Notes:


Unit summary

Having completed this unit, you should be able to:

• Understand and configure routing for availability and load
balancing (multi-path routing with dead gateway detection)

• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and EtherChannel
• Combine both GFF and LA technologies to achieve the highest levels of availability


Figure 7-36. Unit summary AN212.0

Notes:

Unit 8. DNS and BIND

What this unit is about


This unit describes the concept of the Domain Name System and the
configuration of a domain environment.

What you should be able to do

After completing this unit, you should be able to:

• Describe domain name history, concepts, and terminology
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
- Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information

How you will check your progress


• Checkpoint solutions
• Lab exercises


Unit objectives
After completing this unit, you should be able to:

• Describe domain name history, concepts, and terminology
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
– Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information


Figure 8-1. Unit objectives AN212.0

Notes:


What is DNS?
• DNS is the Domain Name System.
• DNS is one of the fundamental building blocks of the Internet.
• DNS is a global, hierarchical, and distributed database.
• It translates names into addresses and vice versa.
– This process is known as name resolution.

Question: Who is www.bbc.co.uk ?
Answer: www.bbc.co.uk is canonical (meaning alias)
        Host = www.bbc.net.uk.
        IP = 212.58.251.195


Figure 8-2. What is DNS? AN212.0

Notes:
The Domain Name System, or DNS, is one of the Internet’s fundamental building blocks. It is a global, hierarchical, and distributed information database that is responsible for translating names into addresses and vice versa, routing mail to its proper destination, and many other services.


History of DNS

• In the 1970s the Internet (then ARPANET):
– Was a small friendly community of a few hundred hosts.
• Name resolution was managed by a single host file:
– Named hosts.txt.
– Maintained by Stanford Research Institute, Ca – Network Information Centre (NIC).
• As the Internet adopted TCP/IP standards in the 1980s, the growth exploded.
– A new mechanism was required to cope with large networks.
• Paul Mockapetris was responsible for designing the architecture of DNS.
– The first DNS RFCs were released in 1984.


Figure 8-3. History of DNS AN212.0

Notes:
Through the 1970s, the ARPANET was a small, friendly community of a few hundred hosts. A single file, HOSTS.TXT, contained all the information you needed to know about those hosts. It held a name-to-address mapping for every host connected to the ARPANET. The familiar UNIX host table, /etc/hosts, was compiled from HOSTS.TXT, mostly by deleting fields that UNIX did not use.

HOSTS.TXT was maintained by the Network Information Center (NIC). ARPANET administrators typically e-mailed their changes to the NIC and periodically FTPed the file to get the current HOSTS.TXT. Their changes were compiled into a new HOSTS.TXT once or twice a week. As the ARPANET grew, this scheme became unworkable. The size of HOSTS.TXT grew in proportion to the growth in the number of ARPANET hosts. Moreover, the traffic generated by the update process increased even faster, and when the ARPANET moved to the TCP/IP protocols, the population of the network exploded.

The ARPANET’s governing bodies chartered an investigation into a successor for HOSTS.TXT. Their goal was to create a system that solved the problems inherent in a unified host table system.

Paul Mockapetris, then of USC’s Information Sciences Institute, was responsible for
designing the architecture of the new system. In 1984, he released RFCs 882 and 883,
which describe the Domain Name System.


History of BIND

• BIND: Berkeley Internet Name Domain
• First implementation was written by a team of undergraduates for Berkeley 4.3 BSD UNIX and called BIND.
– BIND is now virtually the only major implementation of DNS today and is ported to all versions of UNIX.
• BIND is now maintained by Internet Software Consortium (ISC).
• Major versions:
– 9: Latest
– 8: Default version on AIX 5L and 6.1; development is suspended.
– 4: Deprecated


Figure 8-4. History of BIND AN212.0

Notes:
Following the RFCs, in 1984, a small group of students from Berkeley University wrote the first UNIX implementation for Berkeley’s 4.3 BSD operating system. In 1985, Kevin Dunlap of DEC significantly rewrote the DNS implementation and renamed it BIND (Berkeley Internet Name Domain). BIND is the de facto standard of DNS used today and is supported by Internet Software Consortium. The latest version is BIND 9 which is a complete rewrite of the previous versions.


Internet domain name structure



[Figure: the root domain is at the top. Below it are the TLDs (Top Level Domains): the gTLDs com, org, net and the ccTLDs nl, fr, uk. Under com is the ibm.com domain, a zone of authority, with subdomains nl, fr and uk; each domain will consist of several zones. Node sys1 in the uk.ibm.com domain has the FQDN (Fully Qualified Domain Name) sys1.uk.ibm.com.]


Figure 8-5. Internet domain name structure AN212.0

Notes:
The visual shows an example of a possible DNS structure. The root domain is on top with the gTLDs and the ccTLDs right below it. There is one subdomain, ibm.com, which has another subdomain, uk.ibm.com. A domain is a group of systems under the same administrative control. In the Domain Name System (DNS), this is called a zone of authority. In reality, a zone of authority specifies authoritative control of zone files for that domain. Note that when we are talking about fully qualified domain names (FQDN), the final dot should be included. A FQDN is normally made up by a short name, such as sys1, followed by the domain name, such as uk.ibm.com. So the FQDN of sys1 is sys1.uk.ibm.com.

gTLD - Generic Top Level Domain
ccTLD - Country code Top Level Domain


DNS lookups

[Figure: query and referral flow. sys1 asks its name server “Who is: www.bbc.co.uk ?” (a recursive query). The uk.ibm.com name server will be polite and issue iterative queries, first to the root (com, org, net, ie, au, uk), then to the uk, co.uk and bbc.co.uk name servers, following referrals until it can return an answer: 212.58.251.195.]


Figure 8-6. DNS lookups AN212.0

Notes:
The visual shows the result of the command host www.bbc.co.uk, executed on host sys1. In the example, ten DNS queries and responses are performed:

a. The first query is a so-called recursive query from sys1 for the IP address of www.bbc.co.uk to the DNS server of the uk.ibm.com domain. The IP address of this name server is known to sys1; it is configured in its /etc/resolv.conf file. A recursive query in this respect means, “I want the answer to this question.” This means that the answer that sys1 expects is the IP address of www.bbc.co.uk.
b. The second query is a so-called iterative query from the uk.ibm.com name server to one of the root name servers. Again, the query is for the IP address of www.bbc.co.uk. An iterative query, in contrast to a recursive query, means, “I want your help in answering this question.” This means that the uk.ibm.com name server is happy with any help that the other party can give. The third packet is a reply from the root name server, and identifies the name server of the uk top level domain.
c. The fourth packet is again an iterative query from the uk.ibm.com name server to the uk top level domain name server.

d. The fifth packet is a reply from the uk top level domain name server, and identifies the name server of the co.uk domain.
e. The sixth packet is again an iterative query from the uk.ibm.com name server to the co.uk name server.
f. The seventh packet is a reply from the co.uk name server, and identifies the name server of the bbc.co.uk domain.
g. The eighth packet is again an iterative query from the uk.ibm.com name server to the bbc.co.uk name server.
h. The bbc.co.uk name servers are authoritative for the bbc.co.uk domain. This means that they have the database which describes all nodes in the bbc.co.uk domain, including the www.bbc.co.uk node. So the answer that these name servers can reply (in packet number nine) is the IP address for the www.bbc.co.uk host.
i. The uk.ibm.com name server now knows the IP address of the www.bbc.co.uk host, and returns this to sys1 in the tenth packet. Apart from the procedure to look up a hostname, this also illustrates the benefit of having a combination of iterative and recursive queries. Having a combination of clients doing recursive queries and name servers doing iterative queries turns out to be the most efficient scheme.
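The ten-packet walk above, replayed in Python as an added example (not part of the course material): the delegation table ZONES is constructed to mirror the visual, the server names such as "root-ns" are placeholders, and the cache shows why the recursive server can answer the second client in two packets.

```python
"""Replay the lookup in the visual: sys1 sends one recursive query to its name
server, which issues iterative queries from the root down until it holds the
answer, and caches it for the next client.

Added example, not part of the course material. ZONES is a constructed
delegation table that mirrors the visual (root -> uk -> co.uk -> bbc.co.uk);
server names such as "root-ns" are placeholders.
"""

ZONES = {
    ".":          {"ns": "root-ns",  "delegates": ["uk."],        "a": {}},
    "uk.":        {"ns": "uk-ns",    "delegates": ["co.uk."],     "a": {}},
    "co.uk.":     {"ns": "co-uk-ns", "delegates": ["bbc.co.uk."], "a": {}},
    "bbc.co.uk.": {"ns": "bbc-ns",   "delegates": [],
                   "a": {"www.bbc.co.uk.": "212.58.251.195"}},
}


def fqdn(name):
    """Normalise to lower case with the final dot the notes insist on."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def iterative_query(zone, qname):
    """One iterative exchange with the server for `zone`. It answers only from
    its own authoritative data; otherwise it returns the best referral it has
    (the child zone enclosing qname), or NXDOMAIN when nothing applies."""
    data = ZONES[zone]
    if qname in data["a"]:
        return "answer", data["a"][qname]
    for child in data["delegates"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", None


def resolve(qname, cache=None):
    """Behave like the uk.ibm.com name server: accept a recursive query and
    walk the delegation chain with iterative queries. Returns
    (ip_or_None, packets, servers_asked); the packet count includes the
    client's query and the final reply, the way the notes count ten packets."""
    cache = {} if cache is None else cache
    qname = fqdn(qname)
    if qname in cache:            # a cached answer needs no iterative work
        return cache[qname], 2, []
    packets, zone, asked = 1, ".", []
    while True:
        packets += 2              # iterative query plus its reply
        asked.append(ZONES[zone]["ns"])
        kind, value = iterative_query(zone, qname)
        if kind == "referral":
            zone = value
            continue
        packets += 1              # recursive reply back to the client
        if kind == "answer":
            cache[qname] = value
        return value, packets, asked


if __name__ == "__main__":
    shared_cache = {}
    print(resolve("www.bbc.co.uk", shared_cache))   # 10 packets, four servers asked
    print(resolve("www.bbc.co.uk", shared_cache))   # 2 packets, answered from cache
```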

DNS reverse lookups



[Figure: reverse lookups are handled through a special lookup branch, in-addr.arpa, under the arpa TLD (shown next to com, org, net, ie). Below in-addr there is one level per octet, each ranging 0 ... 255, so 212.58.251.195 is found by following 212, then 58, then 251, then 195. sys1 asks “Who is: 212.58.251.195 ?” and the answer is www.bbc.co.uk.]


Figure 8-7. DNS reverse lookups AN212.0

Notes:
IP address to host name lookups would, if nothing else was arranged, require you to go to every DNS server on the Internet to see if the IP address was in its tables. Obviously this is completely impossible; however, we can do reverse DNS lookups. This is done by using an ingenious trick, which involves a special in-addr.arpa domain. The visual illustrates how this works.

Suppose someone wants to do a reverse DNS lookup for the IP address 212.58.251.195. The first step then is to convert this IP address to its corresponding DNS name, which is 195.251.58.212.in-addr.arpa. This might look strange at first, but remember that IP addresses become more specific when going from left to right and that host names become more specific when reading from right to left. To fit an IP address into a host name based scheme, we have to reverse the order.

Just as before, the name servers are then queried for this node. Only this time it is not the A record (IP address) we are looking for, but the PTR (FQDN) record.

In all but a few cases, the organization that manages the name-to-IP domain also manages the IP-to-name domain.

Note: It is extremely important that reverse DNS lookups are configured correctly. Almost all services on the Internet can (and about half of the services actually will) perform a reverse DNS lookup to retrieve the host name of a client. This host name is then used for authorization and logging. If the reverse DNS lookup fails, chances are that the client is simply not allowed to use the service or only after a long time-out.

The host/nslookup and dig commands allow you to check whether regular and reverse DNS lookups match.
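The octet reversal and the forward/reverse consistency check described above, as an added example (not course material): the A and PTR tables are constructed (the BBC entries follow the visual, the example.* names are made up) so it runs without a network, and it also covers IPv6 under ip6.arpa, which the visual does not show.

```python
"""Derive the reverse-lookup name for an address and check that forward and
reverse records agree, the check the notes suggest doing with host, nslookup
or dig.

Added example, not part of the course material. FORWARD and PTR are
constructed record tables (the BBC entries follow the visual; example.* names
are made up). IPv6 (ip6.arpa) goes beyond what the visual shows.
"""
import ipaddress


def reverse_name(ip):
    """Return the node to query for a PTR record. IPv4 octets are written in
    reverse order under in-addr.arpa; IPv6 uses every hex nibble, reversed,
    under ip6.arpa. Addresses get more specific left to right and names
    right to left, so the order has to be flipped."""
    addr = ipaddress.ip_address(ip)          # ValueError on a malformed address
    if addr.version == 4:
        labels = str(addr).split(".")
        suffix = "in-addr.arpa."
    else:
        labels = list(addr.exploded.replace(":", ""))
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


# Constructed zone data: forward (A/AAAA) records and reverse (PTR) records.
FORWARD = {
    "www.bbc.co.uk.":   "212.58.251.195",
    "sys1.uk.ibm.com.": "10.47.10.99",
    "orphan.example.":  "192.0.2.10",      # no PTR record exists for this one
    "spoof.example.":   "192.0.2.20",      # PTR points at a different host
    "v6.example.":      "2001:db8::1",
}
PTR = {
    "195.251.58.212.in-addr.arpa.": "www.bbc.co.uk.",
    "99.10.47.10.in-addr.arpa.":    "sys1.uk.ibm.com.",
    "20.2.0.192.in-addr.arpa.":     "other.example.",
    reverse_name("2001:db8::1"):    "v6.example.",
}


def check_host(name):
    """Forward-confirmed reverse check starting from a host name:
    'ok'       the PTR for its address maps back to the same name,
    'no-ptr'   the reverse lookup fails (the case behind the time-outs and
               denied access the note describes),
    'mismatch' the PTR names a different host."""
    ip = FORWARD[name]
    ptr = PTR.get(reverse_name(ip))
    if ptr is None:
        return "no-ptr"
    return "ok" if ptr == name else "mismatch"


def check_address(ip):
    """The same check started from an address, as a server logging a client
    would do it: PTR first, then confirm the name's forward record returns ip."""
    ptr = PTR.get(reverse_name(ip))
    if ptr is None:
        return "no-ptr"
    fwd = FORWARD.get(ptr)
    if fwd is None or ipaddress.ip_address(fwd) != ipaddress.ip_address(ip):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    print(reverse_name("212.58.251.195"))
    for host in FORWARD:
        print(host, check_host(host))
```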


Types of name servers (1 of 2)



• Authoritative name servers:
– Master (primary)
• Stores the master copy of the domain data in zones
– Slave (secondary)
• Act as backup servers
• Download domain data (zone files) typically from the primary master (or from another slave)
• A DNS server can be a master to one zone and a slave to another.


Figure 8-8. Types of name servers (1 of 2) AN212.0

Notes:
A primary master name server is a name server which is authoritative for a domain or multiple domains (most likely the domain itself and the associated reverse DNS domains). This is the server where the administrator makes changes to the DNS tables. The master name server can serve requests from clients and other name servers, both recursive and iterative. When it performs a lookup for another domain and it receives answers, it caches these answers for later reference.

A slave name server is also authoritative for a domain, but it retrieves this data in a so-called zone transfer from a master name server. It can also serve requests from clients and other name servers and cache data from other domains. Note: In more complex environments, slave name servers can also retrieve the data from other slave servers.


Types of name servers (2 of 2)



• Non-authoritative server
– Caching only (also referred to as recursive servers)
• Do not have any authoritative domain data
• Perform recursive lookups on behalf of clients and cache the answer (via hints file)
– Forwarders
• Perform recursive queries to other domain name servers
• Perform recursive lookups on behalf of clients and cache the answer (via forward statement)
• All types of servers can be configured to forward
– Used in parenting
– Forward-only server
• A server which can only forward queries to other domain name servers
• General note: All DNS servers cache responses.


Figure 8-9. Types of name servers (2 of 2) AN212.0

Notes:
A caching-only name server does not have its own data and is not authoritative for a domain. It just performs lookups for clients. All results obtained are cached, however, making it a useful thing to have in a small network which is connected to the outside world through a slow link.

Caching name servers are also used to take the burden off master and slave servers. In many configurations, administrators do not allow master and slave servers to cache for performance and security reasons.

Forwarders are similar to caching-only servers in that they ask other name servers for the answer, albeit by using a different mechanism. In many configurations a caching server will also forward.


Resource records

• Data (for instance, an IP address) is associated with a host using resource records (RRs).
– The RR identifies the sort of data that is stored.
• Common RRs for domains:
– SOA (Start of Authority): Information regarding the authoritative name server
– NS (Name Server): The name server of the domain
– MX (Mail Exchanger): The mail server of the domain
• Common RRs for hosts:
– A (Address): The IP address of a host
– PTR (Pointer): The host name of a host
– CNAME (Canonical Name): An alias name for a host
– HINFO (Host Info): Information about a host
– AAAA or A6 (for IPv6): The IPv6 address of a host


Figure 8-10. Resource records AN212.0

Notes:
The hierarchical structure as shown in the previous visual can be thought of as the key to the database. With an FQDN we can find the record for a specific host. The next thing we need to retrieve is the data that is stored about this host. This is done through a series of resource records.

Each resource record stores something about each host or domain. What is stored depends on the resource record type. There are several kinds of resource records. Some are typically only used for a host, and others are typically only used for a domain.


First steps: BIND on AIX



• Switch to version 9
– Stop BIND daemon (named)
• Named daemon stops and starts the DNS subsystem
– Re-link named and the dynamic update binary (nsupdate)
– Start named

# stopsrc -s named
# cd /usr/sbin
# ln -fs /usr/sbin/named9 /usr/sbin/named
# ln -fs /usr/sbin/nsupdate9 /usr/sbin/nsupdate
# startsrc -s named
# oslevel -s; named -v          Actual versions
6100-03-01-0921
BIND 9.4.1


Figure 8-11. First steps: BIND on AIX AN212.0

Notes:
The default version of BIND on AIX 5.3 and 6.1 is version 8. It is preferable to use BIND version 9.

The only version supported by AIX 7.1 is BIND version 9.

If you are not using AIX 7.1, the procedure for switching to using BIND 9 is covered in the visual.

If you are using AIX 7.1 and you wish to use Dynamic DNS (DDNS), you will still need to change the nsupdate command to link to nsupdate9 (it defaults to being a link to nsupdate8). The named file should already be linked to named9 (the only option).


Configuring a master name server



• Create named control file
– Master configuration file, /etc/named.conf
• Create name zone file
– Used for name to IP address translation
• Create IP zone files
– Used for reverse IP to name translation
• Create local IP zone file
– Used to resolve the loopback address
• Create hints file (optional)
– Used to identify the root DNS servers.
– Optional because BIND contains a list of root servers hardcoded at compilation time
• Create /etc/resolv.conf
• Start named daemon


Figure 8-12. Configuring a master name server AN212.0

Notes:
All zone files are created using a standard resource record format. These standards are explained as we look at each file. The named daemon must be started after all the files are created.


DNS example scenario



[Figure: under co.uk is the parent domain lpar.co.uk, served by snowwhite (primary nameserver, 10.47.1.33) and grumpy (slave nameserver, 10.47.100.2), both with recursion=no, and by doc and sleepy (10.47.110.90 and 91), caching-only nameservers for external queries and forwarders for internal ones, with recursion=yes. The sub-domain aix has its own primary (child) nameserver dopey (10.47.10.33). The network is 10.47/16.]


Figure 8-13. DNS example scenario AN212.0

Notes:
Domain characteristics:

• Parent domain: lpar.co.uk consisting of:
- Master name server: snowwhite 10.47.1.33
- Slave name server: grumpy 10.47.100.2
- Note: Master and slave servers have caching and external access disabled (recursion set to no). All external queries are handled by caching-only name servers doc and sleepy which resolve internal queries by forwarding to snowwhite and grumpy.
- Clients within the 10.47/16 network will point to name servers doc and sleepy.
• Sub (Child) domain: aix.lpar.co.uk consisting of:
- Master name server: dopey 10.47.10.33
- There is no slave server in the sub-domain.


DNS primary control file: /etc/named.conf (1 of 2)



//
// lpar.co.uk DNS primary nameserver

options {
        directory "/etc/named";
        notify yes;        // notify slaves on zone updates
        recursion no;      // stops all external queries (lookups)
};

// secure TSIG key for dynamic updates and server-server communication
key ddns-key {
        algorithm hmac-md5;
        secret "yyvt9Oeax2MWqxUi8xtbuw==";
};

// Use the secure TSIG key when communicating with slave server
server 10.47.100.2 {
        keys { ddns-key ; };
};


Figure 8-14. DNS primary control file: /etc/named.conf (1 of 2) AN212.0

Notes:
The /etc/named.conf file is read by the named daemon when it starts. It specifies the location of all data which the daemon uses.

The options statement specifies the global options for the domain. The directory entry tells the named daemon that all file names listed in this file are stored in the /etc/named directory.

The key statement defines the transaction signature (TSIG) keys, shared secrets (here an HMAC-MD5 secret) used for server to server communication. Key generation will be covered later in this unit.

The server statement defines which key to use in communication with the host specified (IP address).

// represents a comment.


DNS primary control file: /etc/named.conf (2 of 2)



zone "lpar.co.uk" {
        type master;
        file "named.lpar";
        allow-update { key ddns-key ; };     // Allow update only if the request was signed using "key" ddns-key
        allow-transfer { key ddns-key ; };   // Allow zone transfer if the request was signed accordingly
};

zone "47.10.in-addr.arpa" {
        type master;
        file "named.revip47";
        allow-update { key ddns-key ; };
        allow-transfer { key ddns-key ; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

Note: allow-update statements can be replaced by:
update-policy {
        grant ddns-key subdomain lpar.co.uk. ANY;
};
update-policy {
        grant ddns-key subdomain 47.10.in-addr.arpa. ANY;
};


Figure 8-15. DNS primary control file: /etc/named.conf (2 of 2) AN212.0

Notes:
The rest of the /etc/named.conf identifies the zones.

Zones:
- lpar.co.uk represents the name to IP zone file.
- 47.10.in-addr.arpa represents the reverse IP zone file.
- 0.0.127.in-addr.arpa represents the loopback zone file.

Notice in this example there is no hints (cache) file specified. This is generally not required because all recursive and iterative queries will be automatically sent to the Internet root domain servers.
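A check for the two controls the zone statements above rely on (allow-transfer and allow-update limited to the TSIG key), as an added example that is not part of the course material: NAMED_CONF is constructed from the slide's zones plus deliberately weak variants, and the scanner understands only the brace syntax used there (it assumes no brace characters inside quoted strings).

```python
"""Audit the zone statements of a named.conf for the two controls the slide
calls out: zone transfers (allow-transfer) and dynamic updates (allow-update
or update-policy) should only be honoured for requests signed with the TSIG key.

Added example, not part of the course material. NAMED_CONF is constructed from
the slide's zones plus deliberately weak variants; the scanner understands only
the brace syntax used there (no brace characters inside quoted strings).
"""
import re

NAMED_CONF = """
options { directory "/etc/named"; notify yes; recursion no; };
key ddns-key { algorithm hmac-md5; secret "yyvt9Oeax2MWqxUi8xtbuw=="; };

zone "lpar.co.uk" {
        type master;
        file "named.lpar";
        allow-update { key ddns-key ; };
        allow-transfer { key ddns-key ; };
};
zone "47.10.in-addr.arpa" {
        type master;
        file "named.revip47";
        allow-update { any; };             // constructed weak setting
        allow-transfer { any; };           // constructed weak setting
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";                // constructed: no allow-transfer at all
};
zone "aix.lpar.co.uk" {
        type master;
        file "named.aix";
        update-policy { grant ddns-key subdomain aix.lpar.co.uk. ANY; };
        allow-transfer { none; };
};
"""


def strip_comments(text):
    """Remove the comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def zone_blocks(text):
    """Yield (zone name, statement body) for every zone statement, finding the
    closing brace by depth so nested { } inside the body are handled."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def acl_tokens(body, option):
    """Tokens of an address-match list such as allow-transfer { key ddns-key ; },
    or None when the option is absent from this zone."""
    m = re.search(r"\b" + option + r"\s*\{([^}]*)\}", body)
    return re.findall(r"[^\s;]+", m.group(1)) if m else None


def audit_zones(conf):
    """Return [(zone, finding), ...] for master/slave zones whose transfers or
    updates are not limited to TSIG-signed requests."""
    findings = []
    for name, body in zone_blocks(strip_comments(conf)):
        m = re.search(r"\btype\s+(\w+)\s*;", body)
        if not m or m.group(1) not in ("master", "slave"):
            continue
        xfer = acl_tokens(body, "allow-transfer")
        if xfer is None:
            # BIND 9.4, the version on the slide, allows transfers to any host when unset
            findings.append((name, "allow-transfer not set: zone transfers open to any host"))
        elif "any" in xfer or not ("key" in xfer or xfer == ["none"]):
            findings.append((name, "allow-transfer not limited to a TSIG key"))
        upd = acl_tokens(body, "allow-update")
        if upd is not None and "key" not in upd:
            findings.append((name, "allow-update accepts unsigned dynamic updates"))
    return findings


if __name__ == "__main__":
    for zone, finding in audit_zones(NAMED_CONF):
        print(f"{zone}: {finding}")
```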

Name zone file (1 of 2)



$ORIGIN .                   ; start of the domain name space
$TTL 9999999                ; default TTL (16w 3d 17h 46m 39s)

lpar.co.uk   IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
                1328        ; serial no. of this zone file
                1d          ; refresh (1 day)
                1h          ; slave retry in case of problem
                4w          ; slave expiration time (4 weeks)
                1h          ; minimum caching time in case of failed lookups
                )
             NS snowwhite.lpar.co.uk.    ; primary
             NS grumpy.lpar.co.uk.       ; slave
             MX 0 snowwhite.lpar.co.uk.  ; mail server
$ORIGIN aix.lpar.co.uk.     ; sub child domain
dopey        A 10.47.10.23  ; glue (1. name and IP address of the sub domain master DNS server)

; host records ... Continued on next page


Figure 8-16. Name zone file (1 of 2) AN212.0

Notes:
The $ORIGIN directive (standardized in RFC 1035) defines the domain name that will be appended to any incomplete name defined in a resource record. An incomplete name is one that does not end in a dot (.). In traditional BIND documentation, it is more common to see the name zone file start like this:

$ORIGIN lpar.co.uk.
$TTL <value>
@ IN SOA ……. ( ………..
)

However in AIX, the named daemon will change the format of the $ORIGIN statements as shown in the visual when the dynamic update process is invoked.

The $TTL is the default time to live for all resource records. This is the maximum amount of time that other name servers are allowed to cache the answer.

The SOA record identifies:

• The domain, primary, and slave name servers (NS records).
• Serial number of the zone file. This value must increment when any resource record in the zone file is updated. A slave (secondary) DNS server will read the master DNS SOA record periodically, either on expiry of refresh (defined below) or when it receives a NOTIFY, and compares arithmetically its current value of the serial number with that received from the master DNS. If the serial number value from the master is arithmetically higher than that currently stored by the slave, then a zone transfer is initiated.
• Refresh. Indicates the time when the slave will try to refresh the zone from the master.
• Retry. Defines the time between retries if the slave fails to contact the master when refresh (above) has expired.
• Expiry. Indicates when the zone data is no longer authoritative. Used by slave servers only. BIND9 slaves stop responding to queries for the zone when this time has expired and no contact has been made with the master.
• Negative caching TTL. RFC 2308 (implemented by BIND 9) redefined this value to be the negative caching time. In previous BIND versions (4 and 8), this value was the global TTL. The negative caching TTL is the time a name error (NXDOMAIN) result might be cached by a resolver. Negative caching is useful because it reduces the response time for negative answers. It also reduces the number of messages that have to be sent between resolvers and name servers, thereby reducing overall network traffic. A large proportion of DNS traffic on the Internet could be eliminated if all resolvers implemented negative caching. With this in mind, negative caching should no longer be seen as an optional part of a DNS resolver.
• The mail servers (MX records).
oy si

The $ORIGIN following the SOA identifies the child domain (aix.lpar.co.uk). Two records
are required, known as glue records because they bind together the parent and child
u

domains. The first glue record is an A record and identifies the name and IP address of the
master DNS server in the sub domain. This record must be under the sub domain
cl

$ORIGIN. The second glue record identifies the NS record of the master DNS server and
must be under the $ORIGIN of the parent domain (shown in the next visual).
© Copyright IBM Corp. 2010, 2013 Unit 8. DNS and BIND 8-21

Name zone file (2 of 2)


IBM Power Systems

$ORIGIN lpar.co.uk.
aix         NS      dopey.aix       ; glue (2. NS record for sub domain)
snowwhite   A       10.47.1.33
www         CNAME   snowwhite
data        A       10.47.1.38
dino        A       10.47.1.30
ds4300A     A       10.47.100.98
ds4300B     A       10.47.100.99
ernie       A       10.47.1.18
fred        A       10.47.1.10
grumpy      A       10.47.100.2
grumpy-fsp  A       10.47.100.254
hmc1        A       10.47.1.133
hmc2        A       10.47.1.134
hmc3        A       10.47.1.135
kyle        A       10.47.1.22
localhost   CNAME   loopback
loopback    A       127.0.0.1


Figure 8-17. Name zone file (2 of 2) AN212.0

Notes:

The rest of the information identifies the authoritative data for the zone.

• NS = Nameserver
• A = Address
• CNAME = Alias
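The $ORIGIN expansion rule, the "arithmetically higher" serial comparison and the glue-record requirement described in the notes for Figures 8-16 and 8-17 can all be checked mechanically. The following is an added example, not IBM's code and not how named itself is implemented: a small Python parser for a zone written in the $ORIGIN layout of the visuals, a serial comparison that generalizes "arithmetically higher" to the 32-bit wrap-around serial arithmetic of RFC 1982 that BIND uses, and a check that every delegation whose name server lies inside the delegated sub domain carries a glue A record. The function names are my own, and the embedded sample zone is constructed from the visuals' data and abridged.

```python
"""Added example (not IBM's code): parse a zone in the $ORIGIN layout of
Figures 8-16 and 8-17, compare SOA serials the way a slave does, and check
delegation glue. The sample zone is constructed from the visuals and abridged."""
import re

def qualify(name, origin):
    """Append $ORIGIN to any name that does not end in a dot (RFC 1035 rule)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text):
    """Return (records, soa): records is a list of (owner, type, rdata) with all
    names fully qualified; soa is the SOA rdata list (the serial is soa[2])."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # ';' starts a comment
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")    # join the multi-line SOA
        buf.append(line)
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records, soa, origin, owner = [], None, ".", None
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue                                   # default TTL, not needed here
        if not line[0].isspace():                      # owner only on unindented lines
            owner, tokens = qualify(tokens[0], origin), tokens[1:]
        while tokens and (tokens[0] == "IN" or re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I)):
            tokens = tokens[1:]                        # skip optional class and TTL
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata[0] = qualify(rdata[0], origin)
        elif rtype == "MX":
            rdata[1] = qualify(rdata[1], origin)
        elif rtype == "SOA":
            rdata[0], rdata[1] = qualify(rdata[0], origin), qualify(rdata[1], origin)
            soa = rdata
        records.append((owner, rtype, rdata))
    return records, soa

def serial_newer(received, current):
    """'Arithmetically higher' as BIND implements it: RFC 1982 serial arithmetic
    on 32-bit values, so a serial that wrapped past 2^32-1 still counts as newer."""
    received, current = received % 2**32, current % 2**32
    return (received > current and received - current < 2**31) or \
           (received < current and current - received > 2**31)

def missing_glue(records):
    """A delegation NS whose name server lives inside the delegated sub domain
    needs an A record (glue) in this zone; return the delegations lacking one."""
    have_a = {owner for owner, rtype, _ in records if rtype == "A"}
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != apex:            # a delegation, not an apex NS
            target = rdata[0]
            if target.endswith("." + owner) and target not in have_a:
                problems.append((owner, target))
    return problems

# Constructed sample in the layout of Figures 8-16 and 8-17 (abridged)
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 9999999
lpar.co.uk. IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
        754     ; serial no. of this zone file
        1d 1h 4w 1h )
        NS      snowwhite.lpar.co.uk.   ; primary
        NS      grumpy.lpar.co.uk.      ; slave
        MX 0    snowwhite.lpar.co.uk.   ; mail server
$ORIGIN aix.lpar.co.uk.                 ; sub child domain
dopey   A       10.47.10.23             ; glue (1)
$ORIGIN lpar.co.uk.
aix     NS      dopey.aix               ; glue (2)
snowwhite A     10.47.1.33
www     CNAME   snowwhite
"""

if __name__ == "__main__":
    recs, soa = parse_zone(SAMPLE_ZONE)
    print("serial", soa[2], "glue problems:", missing_glue(recs))
    # Comment out the glue A record and the check reports the delegation
    print(missing_glue(parse_zone(SAMPLE_ZONE.replace("dopey   A", "; dopey A"))[0]))
```

Run it against a real zone file by passing the file contents to parse_zone; the glue check is the one to run before handing a parent zone to a slave, since a delegation without glue leaves the sub domain unreachable through the parent.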


IP zone file (1 of 2)

$ORIGIN .
$TTL 9999999    ; 16 weeks 3 days 17 hours 46 minutes 39 seconds
47.10.in-addr.arpa. IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
                754     ; serial no. of this zone file
                1d      ; refresh (1 hour)
                1h      ; slave retry in case of problem
                4w      ; slave expiration time (4 weeks)
                1h )    ; minimum caching time in case of failed lookups
        NS      snowwhite.lpar.co.uk.
        NS      grumpy.lpar.co.uk.
; PTR records ... Continued on next page


Figure 8-18. IP zone file (1 of 2) AN212.0

Notes:

Names in DNS are set up in a hierarchy. To resolve an address, the system traces the
hierarchy, contacting a server for each sub domain in the name. Since this structure is
based on name, there is no easy way to translate a host address back into its host name.

The in-addr.arpa domain was created to allow reverse translation. This domain uses
the address of a host to point to the name and data for that host.

Valid resource record types are: Start of authority (SOA), name server (NS), and domain
name pointer (PTR).
There should be one reverse hosts data file per network.
Note: Since all systems are on the same network (10.47/16), only 1 IP zone file is required.


IP zone file (2 of 2)

$ORIGIN 1.47.10.in-addr.arpa.
10      PTR     fred.lpar.co.uk.
100     PTR     vios1.lpar.co.uk.
101     PTR     vios2.lpar.co.uk.
12      PTR     neo.lpar.co.uk.
133     PTR     hmc1.lpar.co.uk.
134     PTR     hmc2.lpar.co.uk.
135     PTR     hmc3.lpar.co.uk.
14      PTR     trinity.lpar.co.uk.
33      PTR     zion.lpar.co.uk.
30      PTR     dino.lpar.co.uk.
31      PTR     sleepy.lpar.co.uk.
$ORIGIN 100.47.10.in-addr.arpa.
100     PTR     theswitch.lpar.co.uk.
22      PTR     grumpy.lpar.co.uk.
254     PTR     grumpy-fsp.lpar.co.uk.
98      PTR     ds4300A.lpar.co.uk.
99      PTR     ds4300B.lpar.co.uk.


Figure 8-19. IP zone file (2 of 2) AN212.0

Notes:

The $ORIGIN identifies the network. Only the final octet of the IP is required as a pointer to
the host name, which must be specified as a FQDN.
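An added example (not IBM's code; the function names are my own) that applies the rule in this note and goes slightly beyond it: it derives the $ORIGIN and the single-octet label for an address, rebuilds addresses from a PTR zone written in that style, renders a reverse zone from forward A data, and cross-checks the two directions. A mismatch between forward and reverse data is worth catching because services that authorize by reverse-resolved host name trust exactly this mapping. The record sets are constructed from Figures 8-17 and 8-19 and abridged.

```python
"""Added example (not IBM's code): reverse-zone naming as the IP zone file uses
it, plus a forward/reverse consistency check. Data is constructed from the
visuals and abridged; function names are my own."""
import ipaddress

def reverse_name(ip):
    """'10.47.1.10' -> '10.1.47.10.in-addr.arpa.' (octets reversed, written as a FQDN)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def split_reverse(ip):
    """($ORIGIN, label) as the IP zone file writes them: the network part in
    reverse order is the $ORIGIN and only the final octet is the record label."""
    label, _, origin = ipaddress.ip_address(ip).reverse_pointer.partition(".")
    return origin + ".", label

def render_ptr_zone(a_records):
    """Emit PTR records grouped under one $ORIGIN per /24, as in Figure 8-19."""
    by_origin = {}
    for fqdn, ip in sorted(a_records.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        origin, label = split_reverse(ip)
        by_origin.setdefault(origin, []).append(f"{label}\tPTR\t{fqdn}")
    lines = []
    for origin, entries in by_origin.items():
        lines.append(f"$ORIGIN {origin}")
        lines.extend(entries)
    return "\n".join(lines) + "\n"

def expand_ptr_zone(text):
    """Parse '$ORIGIN x' and 'label PTR fqdn' lines back into {ip: fqdn}."""
    result, origin = {}, None
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # ';' starts a comment
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
            continue
        label, rtype, fqdn = tokens[0], tokens[1], tokens[2]
        if rtype != "PTR":
            continue
        # label + $ORIGIN is the full reverse name; drop the suffix and un-reverse it
        rev = f"{label}.{origin}"
        if rev.endswith(".in-addr.arpa"):
            rev = rev[: -len(".in-addr.arpa")]
        result[".".join(reversed(rev.split(".")))] = fqdn
    return result

def check_consistency(a_records, ptr_records):
    """Report hosts with no PTR, PTRs that disagree with the A record, and PTRs
    that name a host which has no A record at all."""
    findings = []
    for fqdn, ip in a_records.items():
        if ip not in ptr_records:
            findings.append(f"no PTR for {fqdn} ({ip})")
        elif ptr_records[ip] != fqdn:
            findings.append(f"PTR for {ip} says {ptr_records[ip]} but A record is {fqdn}")
    for ip, fqdn in ptr_records.items():
        if fqdn not in a_records:
            findings.append(f"PTR {ip} -> {fqdn} has no matching A record")
    return findings

# Constructed from Figures 8-17 and 8-19 (abridged)
A_RECORDS = {
    "fred.lpar.co.uk.": "10.47.1.10",
    "kyle.lpar.co.uk.": "10.47.1.22",
    "dino.lpar.co.uk.": "10.47.1.30",
    "hmc1.lpar.co.uk.": "10.47.1.133",
    "ds4300A.lpar.co.uk.": "10.47.100.98",
}
PTR_ZONE = """\
$ORIGIN 1.47.10.in-addr.arpa.
10      PTR     fred.lpar.co.uk.
30      PTR     dino.lpar.co.uk.
133     PTR     hmc1.lpar.co.uk.
$ORIGIN 100.47.10.in-addr.arpa.
100     PTR     theswitch.lpar.co.uk.
98      PTR     ds4300A.lpar.co.uk.
"""

if __name__ == "__main__":
    print(render_ptr_zone(A_RECORDS))
    for finding in check_consistency(A_RECORDS, expand_ptr_zone(PTR_ZONE)):
        print(finding)
```

The round trip render_ptr_zone followed by expand_ptr_zone returns the original address-to-name map, which is a cheap regression check to run whenever the forward zone changes and the reverse zone is regenerated from it.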


IP loopback zone file



$TTL 86400      ; 1 day
; SOA.
0.0.127.in-addr.arpa. IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
                1       ; serial
                754     ; serial no. of this zone file
                1d      ; refresh (1 hour)
                1h      ; slave retry in case of problem
                4w      ; slave expiration time (4 weeks)
                1h )    ; minimum caching TTL
        IN NS   snowwhite.lpar.co.uk.
1       IN PTR  localhost.


Figure 8-20. IP loopback zone file AN212.0

Notes:

The local IP zone file contains the local loopback address for the network 127.0.0.1. Valid
resource record types are: Start of authority (SOA), name server (NS), and domain name
pointer (PTR).


Remaining master server configuration steps



• Create resolv.conf

# cat /etc/resolv.conf
domain lpar.co.uk
nameserver 0.0.0.0
search lpar.co.uk aix.lpar.co.uk

• Start the named subsystem, now.

# startsrc -s named

or

• Use SMIT to start it now and on system restarts

# smit named
Start using the named subsystem > BOTH


Figure 8-21. Remaining master server configuration steps AN212.0

Notes:

The existence of /etc/resolv.conf determines how a system resolves hostnames and
IP addresses within a domain network.

• domain identifies the domain to which the host belongs.
• nameserver identifies the IP addresses of the name servers to query. In this case, as
the host is the name server, 0.0.0.0 can be used.
• search identifies the domain suffix search order to query for the answer.

The final step is to start the named subsystem. This can be done using the startsrc
command, but you are likely to want this service to start persistently through reboots.
The recommended method to make the named service persistent is to use SMIT to start it
as a server network service. The fast path is named.
SMIT will execute an undocumented SMIT subcommand:
/usr/sbin/chrctcp -S -a named


Configuring a slave name server



• Create named control file
  – Master configuration file, /etc/named.conf
• Create local IP zone file (for the loopback address) *
• Create hints file (optional) *
• Create /etc/resolv.conf *
• Start named daemon *
• On start up, name and IP zone files will be downloaded from the master. This process is
known as zone transfer.
  – When the primary server zone files are changed, the server, by default, will inform
slaves of the incremental change. This process is known as notify.
  – Notify will lead to a zone transfer. Zone transfers are either:
    • Incremental (IXFR)
    • Full (AXFR)

* Same process as the master


Figure 8-22. Configuring a slave name server AN212.0

Notes:

The steps for creating a slave are similar to those for creating a master except there are no
zone files to create since they are downloaded from the master.


Slave control file: /etc/named.conf



// lpar.co.uk DNS slave nameserver
options {
        directory "/etc/named";
};

// secure TSIG key for server-server comms
key ddns-key {
        algorithm hmac-md5;
        secret "yyvt9Oeax2MWqxUi8xtbuw==";
};

// Use the secure TSIG key when communicating with the primary server
server 10.47.1.33 {
        keys { ddns-key; };
};


Figure 8-23. Slave control file: /etc/named.conf (1 of 2) AN212.0

Notes:

As per the master /etc/named.conf file.


DNS control file: /etc/named.conf



zone "lpar.co.uk" {
        type slave;
        masters { 10.47.1.33; };
        file "named.lpar.slave";
};

zone "47.10.in-addr.arpa" {
        type slave;
        masters { 10.47.1.33; };
        file "named.revip47.slave";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

• Local IP zone file is the same as the primary.


Figure 8-24. DNS control file: /etc/named.conf (2 of 2) AN212.0

Notes:

The differences are: type is set to slave, followed by the masters statement identifying the IP
address of the master server.


Caching-only / forwarder name server (1 of 2)



• Note: Hint files are always optional.
  – Queries are automatically sent to the Internet root servers
  – ftp://ftp.rs.internic.net/domain/named.root

// example caching-only DNS file (/etc/named.conf)
acl "education_net" { 10.47.0.0/16; };
options {
        directory "/etc/named";
        allow-query { "education_net"; };
        forwarders { 10.47.1.33; 10.47.100.2; };   // Forwarder: send recursive
                                                   // queries to snowwhite and grumpy
};

zone "." {
        type hint;                                 // Caching-only: send external
        file "named.hint";                         // queries to root servers
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};


Figure 8-25. Caching-only / forwarder name server (1 of 2) AN212.0

Notes:

The example shown in the visual shows a combination of both a caching-only and
forwarder name server. When the server receives a query, the following search is
performed:

• Is the data in the cache? If so, send back the response.
• Forward the query to the servers specified in the forwarders statement. In this example,
only internal authoritative responses will be returned.
• Finally, the query will be sent to a root name server and the iterative query process will
begin.

The hint zone identifies to the named daemon the authoritative servers further up the
hierarchy, usually the root name servers. When BIND is compiled, it contains a built-in list
of default root name servers. Therefore, the hint zone is optional, especially if
bos.net.tcp.server is updated on a regular basis. If not, every few months or so, the latest
root name server list should be pulled from ftp://ftp.rs.internic.net/domain/named.root and
placed in the hint file (see next visual).

Note: If a sub child domain is isolated, for example, has no valid route to the Internet, and
the hints zone contains the details of the parent DNS servers, queries sent to the parent
are iterative. In this case, this means that the parent will not return RR zone data that is not
authoritative. For this reason, sub domain servers use the forwarders option as shown in
the visual.

Caching-only / forwarder name server (2 of 2)



• Example: Typical hints file for any type of name server

; example named.hint file (/etc/named/named.hint)
.                       3600000 IN NS   A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 AAAA    2001:503:BA3E::2:30

; root servers B through L removed for clarity

.                       3600000 NS      M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.     3600000 A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 AAAA    2001:DC3::35
; End of File


Figure 8-26. Caching-only / forwarder name server (2 of 2) AN212.0

Notes:


Creating sub (child) domains (1 of 2)



• When parent domains become too large, the logical process is to break them up into
sub (child) domains.
  – For example:
    • Parent domain = lpar.co.uk
    • Sub domain 1 = aix.lpar.co.uk
    • Sub domain 2 = linux.lpar.co.uk
• Parent master servers require glue records to identify child sub domains
  – These are specified in the name and IP zone files

Named zone file on the lpar.co.uk primary server

$ORIGIN aix.lpar.co.uk.         ; sub domain
dopey   A       10.47.10.23     ; glue
$ORIGIN lpar.co.uk.
aix     NS      dopey.aix       ; glue


Figure 8-27. Creating sub (child) domains (1 of 2) AN212.0

Notes:

Creating a sub domain structure is identical to creating the parent master and slave DNS
servers. The additional effort required is in the creation of the glue records as shown in the
visual.


Creating sub (child) domains (2 of 2)



• Sub domain master server requires:
  – Parent domain servers to be specified as forwarders

Sub-domain /etc/named.conf file

options {
        forwarders { 10.47.1.33; 10.47.100.2; };
        ……
};


Figure 8-28. Creating sub (child) domains (2 of 2) AN212.0

Notes:

There are no glue records as such from the sub domain perspective. However, the sub
domain does need to know the IP addresses of the parent domain servers. This is handled
via the forwarders statement within the global options. Optionally, a hints file can be defined
which identifies the parent servers. However, note that queries sent to hints servers in this
way are non-recursive. This means that if the parent does not know the answer, the
process stops!


Adding static hosts to the domain



• Update name zone file
  – Add host entry A record
  – Add any optional records, for example CNAME (aliases)
  – Increase serial value in SOA record
• Update IP zone file
  – Add IP address entry PTR record for each interface
  – Increase serial value in SOA record
• Refresh named

Note: If zones have been protected they cannot be updated manually!

zone "lpar.co.uk" {
        allow-update { key ddns-key; };
};


Figure 8-29. Adding static hosts to the domain AN212.0

Notes:

To remove a host, update the above files by deleting the host instead of adding the host.
Remember to always refresh the named daemon.


Adding hosts dynamically



• Updating DNS files manually is a very tedious operation and one prone to error!
• Remember, DHCP servers need to dynamically update DNS zone files.
• Dynamic updates can be done:
  – With no security (not recommended)
  – Using ACLs (not recommended)
  – Using secure transaction signatures or TSIGs (recommended)
• Transaction signatures (TSIGs) are the preferred choice for server-to-server
communication, including:
  – Dynamic update
  – Zone transfer
  – Notify


Figure 8-30. Adding hosts dynamically AN212.0

Notes:

Updating DNS files manually is not only tedious but also error prone. All updates ideally
should be handled through the dynamic update function.

Networking and the explosive growth of the Internet have led to IP address assignment
becoming much more dynamic. Today, most clients get their addresses and network
specific information via DHCP.

In the dynamic update process, the DHCP server owns the IP address which it allocates to
the DHCP client and therefore is responsible for updating the DNS PTR reverse zone
record. In most situations, the DHCP client owns its host name and is responsible for
updating the DNS A zone record. However, the DHCP server or client can also update both
A and PTR records. This is known as dynamic DNS proxy behavior.

Secure updates to the DNS server are important. The recommended method is to use
transaction signatures (TSIGs).


Adding hosts dynamically using TSIG



• Generating a TSIG (symmetric) key

# dnssec-keygen -a hmac-md5 -b 128 -n HOST ddns-key
Kddns-key.+157+44683
# ls
Kddns-key.+157+58541.key  Kddns-key.+157+58541.private
# cat Kddns-key.+157+58541.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: yyvt9Oeax2MWqxUi8xtbuw==

Insert the key into the /etc/named.conf file

key ddns-key {
        algorithm hmac-md5;
        secret "yyvt9Oeax2MWqxUi8xtbuw==";
};


Figure 8-31. Adding hosts dynamically using TSIG AN212.0

Notes:

TSIG keys are generated using the dnssec-keygen command. The hmac-md5 secret is to
be extracted from the private key file and inserted into the /etc/named.conf as shown in
the visual.


Adding hosts dynamically



• Adding hosts
  – Binary: /usr/sbin/nsupdate

/usr/sbin/nsupdate -d -y ddns-key:yyvt9Oeax2MWqxUi8xtbuw== <<- EOF
update add 101.100.47.10.in-addr.arpa $TTL IN PTR dummy.lpar.co.uk.
EOF

/usr/sbin/nsupdate -d -y ddns-key:yyvt9Oeax2MWqxUi8xtbuw== <<- EOF
update add dummy.lpar.co.uk. $TTL IN A 10.47.100.101
EOF

• To remove hosts, substitute delete where add is shown.
• Dynamic updates are usually done through scripts.
  – The most common dynamic DNS update scripts are /usr/sbin/dhcpaction and
dhcpremove
    • These are wrapper scripts (around nsupdate) which DHCP uses to dynamically
update DNS.


Figure 8-32. Adding hosts dynamically AN212.0

Notes:

Dynamic updates are usually handled through scripts. The supplied binary to invoke a
dynamic update is nsupdate. When using BIND version 9 the nsupdate9 binary must be
used. To make sure nsupdate9 is invoked when nsupdate is used, type the following:

# ln -fs /usr/sbin/nsupdate9 /usr/sbin/nsupdate

The -d option makes nsupdate9 operate in debug mode. This provides tracing information
about the update requests that are made and the replies received from the name server.
The -y option reads the secret key in the format key-name:key. Alternatively, the -k option
can be used to accept the name of the private key file, for example:
Kddns-key.+157+58541.private

By default, the host will send the dynamic request to the name server specified in
/etc/resolv.conf. Alternatively, the name server can be directly specified to the
nsupdate command using the server directive.
AIX provides two dynamic DNS wrapper scripts to be used by both DHCP servers and
clients to dynamically update the DNS server. These are dhcpaction (for add) and
dhcpremove (for delete).
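To make concrete what the shared secret from dnssec-keygen (Figure 8-31) protects in the nsupdate transactions of Figure 8-32, here is an added example, not IBM's code and not the TSIG wire format of RFC 2845: it extracts the secret from a private-key file in the format shown, builds the add/delete batch for a host's A and PTR records, and computes and verifies an HMAC that binds the request to the key name, a signing time and BIND's default 300-second fudge window, returning the TSIG error names (BADSIG, BADTIME) a server would use. The key, names and addresses are the sample values from the visuals; the file text and the function names are constructed. The visual's algorithm is hmac-md5; the example defaults to hmac-sha256, which BIND also supports, and takes the algorithm as a parameter.

```python
"""Added example (not IBM's code, not the RFC 2845 wire format): what the TSIG
secret from Figure 8-31 contributes to the nsupdate transactions of Figure 8-32.
Key, names and addresses are the visuals' sample values; the rest is constructed."""
import base64
import hmac
import ipaddress
import time

KEY_NAME = "ddns-key"
FUDGE = 300                      # BIND's default TSIG fudge: allowed clock skew in seconds

# Contents of Kddns-key.+157+58541.private as shown in the visual (constructed text)
PRIVATE_KEY_FILE = """\
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: yyvt9Oeax2MWqxUi8xtbuw==
"""

def secret_from_private_key(text):
    """Extract the base64 secret that goes into the named.conf key statement."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line in private key file")

def update_batch(fqdn, ip, ttl=3600, action="add"):
    """nsupdate input for a host's A record and its PTR. Figure 8-32 sends them
    as two batches; this combines them. 'delete' removes the host again."""
    if action not in ("add", "delete"):
        raise ValueError(action)
    rev = ipaddress.ip_address(ip).reverse_pointer + "."
    return (f"update {action} {fqdn} {ttl} IN A {ip}\n"
            f"update {action} {rev} {ttl} IN PTR {fqdn}\n"
            "send\n")

def sign(message, secret_b64, algorithm="sha256", time_signed=None):
    """Return (mac_hex, time_signed). As in TSIG, the MAC covers the request
    together with the key name, signing time and fudge, so none can be altered.
    The visual's key uses hmac-md5; pass algorithm="md5" to model that."""
    key = base64.b64decode(secret_b64)
    time_signed = int(time.time()) if time_signed is None else time_signed
    covered = f"{message}|{KEY_NAME}|{time_signed}|{FUDGE}".encode()
    return hmac.new(key, covered, algorithm).hexdigest(), time_signed

def verify(message, mac_hex, time_signed, secret_b64, algorithm="sha256", now=None):
    """Server-side check. Outside the fudge window the request is refused as
    BADTIME (replay defence); a MAC mismatch, whether the message or the key is
    wrong, is BADSIG. compare_digest avoids leaking the MAC through timing."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > FUDGE:
        return False, "BADTIME"
    expected, _ = sign(message, secret_b64, algorithm, time_signed)
    if not hmac.compare_digest(expected, mac_hex):
        return False, "BADSIG"
    return True, "NOERROR"

if __name__ == "__main__":
    secret = secret_from_private_key(PRIVATE_KEY_FILE)
    batch = update_batch("dummy.lpar.co.uk.", "10.47.100.101")
    mac, ts = sign(batch, secret)
    print(verify(batch, mac, ts, secret))                                    # accepted
    print(verify(batch.replace("10.47.100.101", "10.47.100.102"), mac, ts, secret))  # BADSIG
```

Whoever can read the secret can sign updates, so the secret deserves the same handling as a password: the -y form shown in the visual puts it on the command line, where process listings can show it, while the -k form reads it from the K*.private file whose permissions can be restricted. The fudge window is why the clocks of the DHCP server, the clients and the name server need to agree to within a few minutes.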


Client set up

• Create /etc/resolv.conf

domain lpar.co.uk               # The domain the client belongs to (only 1 domain!)

# nameservers to query. Can specify up to 16 nameservers.
nameserver 10.47.110.90         # Hit the caching/forwarders. Server 1
nameserver 10.47.110.91         # Server 2

# query using the following suffix order
search lpar.co.uk aix.lpar.co.uk


Figure 8-33. Client set up AN212.0

Notes:

On the client, the /etc/resolv.conf contains the default domain name for the system
and the name servers it uses for name resolution. The domain name is the domain in which
this host resides. The client can list anywhere from one to a maximum of 16 name servers
in this file. Once an active name server is found, the search through this list stops.

The search directive specifies the domain suffix to search for the answer. For example,
using the /etc/resolv.conf file in the visual, if an # nslookup test command was
typed on the host, the host would attempt to search for the answer using test.lpar.co.uk
then test.aix.lpar.co.uk. The search process stops on the first successful query.


Client name resolution order



• The default search order on AIX is: DNS, NIS (auth), local
• To change the default order to local followed by bind:
  – Append to /etc/netsvc.conf
    • hosts = local, bind
  OR
  – Set environment variable NSORDER in /etc/environment
    • NSORDER=local,bind
• Change is effective at next login or process start
• NSORDER overrides /etc/netsvc.conf


Figure 8-34. Client name resolution order AN212.0

Notes:

The default name resolution order can be changed on AIX using either the
/etc/netsvc.conf file or the NSORDER environment variable. In certain environments, for
example, systems which are made highly available (using PowerHA), the system should
always resolve first using the local /etc/hosts file then DNS.

Possible values are:

• bind  Uses BIND/DNS services for resolving names
• local  Searches the local /etc/hosts file for resolving names
• nis  Uses NIS services for resolving names. NIS must be running if you specify this
option.
• nis+  Uses NIS plus services for resolving names. NIS plus must be running if you
specify this option.
• ldap  Uses LDAP services for resolving names
• ldap_nis  Uses LDAP NIS services for resolving names

8-40 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty • bind4 Uses BIND/DNS services for resolving only IPv4 addresses
• bind6 Uses BIND/DNS services for resolving only IPv6 addresses
• local4 Searches the local /etc/hosts file for resolving only IPv4 addresses
• local6 Searches the local /etc/hosts file for resolving only IPv6 addresses
• nis4 Uses NIS services for resolving only IPv4 addresses

.I. n
• nis6 Uses NIS services for resolving only IPv6 addresses
• nis+4 Uses NIS plus services for resolving only IPv4 addresses

.T ció
• nis+6 Uses NIS plus services for resolving only IPv6 addresses
• ldap4 Uses LDAP services for resolving only IPv4 addresses

.
• ldap6 Uses LDAP services for resolving only IPv6 addresses

C
.F a
• ldap_nis4 Uses NIS LDAP services for resolving only IPv4 addresses

C rm
• ldap_nis6 Uses NIS LDAP services for resolving only IPv6 addresses
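As an added example (not part of the course material), the following Python code applies the precedence rules described on this page: NSORDER overrides the hosts entry in /etc/netsvc.conf, and the slide's default order of DNS, NIS, then local applies when neither is set. The function names, the rule that the last hosts= line in the file wins, and the sample configuration text are assumptions made for this example.

```python
"""Compute the effective AIX name-resolution order from /etc/netsvc.conf and NSORDER.

Added example (not from the course material). It models the rules stated in
the unit: NSORDER, when set, overrides the hosts entry in /etc/netsvc.conf;
with neither set, the default order is DNS (bind), then NIS, then local.
Function names and the sample configuration text are constructed here.
"""
import re

# Keywords the unit lists as valid for the hosts= entry and for NSORDER.
VALID_SOURCES = {
    "bind", "local", "nis", "nis+", "ldap", "ldap_nis",
    "bind4", "bind6", "local4", "local6", "nis4", "nis6",
    "nis+4", "nis+6", "ldap4", "ldap6", "ldap_nis4", "ldap_nis6",
}

# Default search order on AIX as described on the slide: DNS, NIS, local.
DEFAULT_ORDER = ["bind", "nis", "local"]


def parse_sources(value):
    """Split a comma-separated source list and validate each keyword.

    Raises ValueError on an unknown keyword so that a typo such as
    "hosts = loacl, bind" is reported instead of silently dropping
    /etc/hosts from the order.
    """
    sources = [s.strip() for s in value.split(",") if s.strip()]
    unknown = [s for s in sources if s not in VALID_SOURCES]
    if unknown:
        raise ValueError("unknown name resolution source(s): %s" % ", ".join(unknown))
    return sources


def netsvc_hosts_order(netsvc_text):
    """Return the hosts= order from netsvc.conf text, or None if not present.

    Text after '#' is treated as a comment. This example assumes that the
    last hosts= line wins, which is what 'append to /etc/netsvc.conf' on
    the slide relies on.
    """
    order = None
    for line in netsvc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^hosts\s*=\s*(.+)$", line)
        if m:
            order = parse_sources(m.group(1))
    return order


def effective_order(netsvc_text, environ):
    """Apply the precedence rules: NSORDER > /etc/netsvc.conf > default."""
    nsorder = environ.get("NSORDER")
    if nsorder:
        return parse_sources(nsorder)
    from_file = netsvc_hosts_order(netsvc_text)
    if from_file is not None:
        return from_file
    return list(DEFAULT_ORDER)


if __name__ == "__main__":
    # Constructed /etc/netsvc.conf contents, as appended on the slide.
    sample_netsvc = "# local first, then DNS\nhosts = local, bind\n"
    print(effective_order(sample_netsvc, {}))                           # ['local', 'bind']
    print(effective_order(sample_netsvc, {"NSORDER": "local4,bind4"}))  # ['local4', 'bind4']
    print(effective_order("", {}))                                      # ['bind', 'nis', 'local']
```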

Client resolvers (1 of 2)

• host
  # host mach1
  mach1.aix.lpar.co.uk is 10.47.10.101
  # host 10.47.10.199
  mach1.aix.lpar.co.uk is 10.47.10.101

• nslookup
  – Two modes: interactive and non-interactive
  Non-interactive example:
  # nslookup www.bbc.co.uk
  Server:         127.0.0.1
  Address:        127.0.0.1#53

  Non-authoritative answer:
  www.bbc.co.uk   canonical name = www.bbc.net.uk.
  Name:   www.bbc.net.uk
  Address: 212.58.253.67

Figure 8-35. Client resolvers (1 of 2) AN212.0

Notes:

The host command returns the Internet address of a host machine when the host name
parameter is specified, and the name of the host when the address parameter is specified.
Depending on the configuration of the name resolution service, the host command might also
display any aliases associated with the host name parameter.

The nslookup command queries only domain name servers and responds similarly to the
host command when used non-interactively. An interactive session allows you to
repeatedly query information without leaving the nslookup program. The > prompt is the
interactive input symbol to continue; exit terminates the nslookup program. The nslookup
command has many options. Refer to the system documentation for further details.


Client resolvers (2 of 2)

• Domain information groper (DIG)

  # dig @10.47.1.33 alex.lpar.co.uk A

  ;; <<>> DiG 9.4.1 <<>> @10.47.1.33 alex.lpar.co.uk A
  ;; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 344
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

  ;; QUESTION SECTION:
  ;alex.lpar.co.uk.               IN      A

  ;; ANSWER SECTION:
  alex.lpar.co.uk.        9999999 IN      A       10.47.110.90

  ;; AUTHORITY SECTION:
  lpar.co.uk.             9999999 IN      NS      snowwhite.lpar.co.uk.
  lpar.co.uk.             9999999 IN      NS      grumpy.lpar.co.uk.

  ;; ADDITIONAL SECTION:
  grumpy.lpar.co.uk.      9999999 IN      A       10.47.100.2
  snowwhite.lpar.co.uk.   9999999 IN      A       10.47.1.33

  ;; Query time: 0 msec
  ;; SERVER: 10.47.1.33#53(10.47.1.33)
  ;; WHEN: Mon Apr 20 10:50:51 2009
  ;; MSG SIZE  rcvd: 126

Figure 8-36. Client resolvers (2 of 2) AN212.0

Notes:

The dig (domain information groper) command is a flexible tool for interrogating DNS name
servers. It performs DNS lookups and displays the answers that are returned from the
queried name server(s). Most DNS administrators use the dig command to troubleshoot
DNS problems because of its flexibility, ease of use, and clarity of output.

A typical invocation of dig looks like: dig @server name type

Where:
• server is the name or IP address of the name server to query. If no server argument is
given, dig consults /etc/resolv.conf and queries the name servers listed there.
• name is the name of the resource record to be looked up. If no name is given, then dig
will try a lookup of . (dot).
• type indicates what type of query is required -- ANY, A, MX, SOA and so forth. If no type
argument is supplied, dig performs a lookup for an A record.
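As an added example (not from the course or from BIND), this Python parser reads dig output in the format shown on the slide, returns the header flags, the section counts and the records of each section, and checks that every name server in the AUTHORITY section has a glue address in the ADDITIONAL section. The sample output is the slide's dig run re-typed as a constant; the function names are chosen here.

```python
"""Parse the text output of dig into its header flags and resource records.

Added example (not from the course or from BIND). The sample below is the
dig run shown on the slide, re-typed as a constant so the code runs offline.
"""
import re

SAMPLE_DIG_OUTPUT = """\
;; <<>> DiG 9.4.1 <<>> @10.47.1.33 alex.lpar.co.uk A
;; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 344
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alex.lpar.co.uk.               IN      A

;; ANSWER SECTION:
alex.lpar.co.uk.        9999999 IN      A       10.47.110.90

;; AUTHORITY SECTION:
lpar.co.uk.             9999999 IN      NS      snowwhite.lpar.co.uk.
lpar.co.uk.             9999999 IN      NS      grumpy.lpar.co.uk.

;; ADDITIONAL SECTION:
grumpy.lpar.co.uk.      9999999 IN      A       10.47.100.2
snowwhite.lpar.co.uk.   9999999 IN      A       10.47.1.33

;; Query time: 0 msec
;; SERVER: 10.47.1.33#53(10.47.1.33)
;; WHEN: Mon Apr 20 10:50:51 2009
;; MSG SIZE  rcvd: 126
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*); (.*)$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return a dict with status, id, flags, section counts and per-section records."""
    result = {"status": None, "id": None, "flags": set(), "counts": {}, "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            result["status"], result["id"] = m.group(2), int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group(1).split())
            for item in m.group(2).split(","):
                name, count = item.strip().split(":")
                result["counts"][name.strip()] = int(count)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        # Banner/comment lines and the QUESTION entry all begin with ';'.
        if line.startswith(";") or section is None:
            continue
        # Resource record line: name TTL class type rdata
        fields = line.split()
        name, ttl, rclass, rtype = fields[:4]
        result["sections"][section].append(
            {"name": name, "ttl": int(ttl), "class": rclass,
             "type": rtype, "rdata": " ".join(fields[4:])})
    return result


def is_authoritative(parsed):
    """True when the server set the aa flag, i.e. it answered from its own zone data."""
    return "aa" in parsed["flags"]


def missing_glue(parsed):
    """Return NS targets from AUTHORITY that have no A/AAAA record in ADDITIONAL.

    A delegation whose name servers lack glue is a common cause of resolution
    failures that dig makes visible and this check reports directly.
    """
    ns_names = {r["rdata"] for r in parsed["sections"].get("AUTHORITY", [])
                if r["type"] == "NS"}
    glued = {r["name"] for r in parsed["sections"].get("ADDITIONAL", [])
             if r["type"] in ("A", "AAAA")}
    return sorted(ns_names - glued)


if __name__ == "__main__":
    parsed = parse_dig(SAMPLE_DIG_OUTPUT)
    print(parsed["status"], sorted(parsed["flags"]), parsed["counts"])
    print("authoritative:", is_authoritative(parsed), "missing glue:", missing_glue(parsed))
```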


Client caching

• AIX 6.1 (and later) clients can use a new network caching
daemon (netcd) to cache lookup responses to improve
performance by reducing latency.
• Caches are held in memory (hashed tables).
  – Local based, for example /etc/hosts
  – Network based, for example DNS
• Start up and stop through standard SRC commands
  – netcd is not activated by default
  – Management through command netcdctrl
  – Configuration file: /etc/netcd.conf
  – No SMIT panels exist

Figure 8-37. Client caching AN212.0

Notes:

Today, most network-based applications require resolving an Internet host name to an IP
address and vice versa. Latency in this translation procedure directly affects the
performance of applications. AIX V6.1 introduced the network caching daemon (netcd) to
improve performance for resolver lookups.

The netcd daemon can be used to cache the resolver lookups. Translations for IPv4 and
IPv6 are supported. The communication between the resolver and the netcd daemon is
done with a UNIX socket (/dev/netcd).

Note: The netcd caching will not affect the resolver behavior in the order the resources are
queried. The NSORDER environment variable and the /etc/netsvc.conf file are
consulted by the resolver in the normal manner.

Caching
Caches are held as hashed tables to provide fast access. The netcd daemon will
maintain two types of caches based on whether the resource it uses is local or
network-based.

Local resources, such as /etc/hosts, are loaded into local caches at the start up of
the netcd daemon. Therefore, local caches contain all entries of the corresponding local
resource, and a resolver request to it will always result in a cached netcd reply. In
environments with large local resources, resolver lookups to the hashed cache entries
will result in faster response time compared to the traditional linear search of the local
resource. The netcd daemon will periodically check if the local resources have changed
and, if necessary, reload them. The netcd daemon will also cache resolver lookups to a
network resource such as DNS. In contrast to local caches, the network caches are
created with empty entries during the daemon startup. The netcd daemon will populate
the cache with the result of each query at run time. Negative answers from the resource
are cached as well. When an entry is inserted into the cache, a time-to-live (TTL) is
associated with it. For DNS queries, the TTL value returned by the DNS server is used
with the default settings. The netcd daemon will check periodically for expired entries
and remove them.

netcd AIX integration

The netcd daemon is delivered as part of the bos.net.tcp.client package. Three new
important files are introduced with netcd:
• /usr/sbin/netcd The netcd daemon itself.
• /usr/sbin/netcdctrl The command to manage netcd daemon caches.
Operations include dumping caches, flushing caches, changing the logging level
of netcd, and displaying statistics.
The netcd daemon is part of the TCP/IP system resource controller (SRC) group. You
can use the startsrc, stopsrc, and lssrc commands to control the daemon. The
refresh command is not supported.
The daemon is started in the /etc/rc.tcpip script during AIX startup. Note that the
daemon is not activated by default. To make the activation of this subsystem persistent
through reboots, uncomment the appropriate lines in /etc/rc.tcpip.
There is no SMIT panel available for managing netcd.


netcd example

# cp /usr/samples/tcpip/netcd.conf /etc/netcd.conf
Edit /etc/netcd.conf as appropriate
# startsrc -s netcd

After some time ... dump the cache file
# netcdctrl -t dns -e hosts -a /tmp/dnscache

Cache file dump:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> ELEM #1
Expiration date : Mon Apr 20 19:19:20 2009
Ulm or resolver name : dns
Query type : 10100002
Query length : 4
Answer (0: positive; otherwise : negative) : 0
Query key : 1237211734
String used in query : alex
Additional parameters in query:
query param1 : 2
query param2 : 0
Length of cached element : 37
################### hostent
Number of aliases = 0
Number of addresses = 1
Type = 2
Length = 4
Host name = alex.lpar.co.uk
Alias =
Address = 10.47.110.90
#################### end of hostent
>>>>>>>>>>>>>>>>>>>>>>>>>>>> END ELEM #1

Figure 8-38. netcd example AN212.0

Notes:

A netcd sample configuration file is installed in /usr/samples/tcpip/netcd.conf.
You can copy the file to the /etc/ directory and use it as a template for your configuration.

If the netcd daemon does not detect a configuration file during startup, it will use its default
values. The lssrc -ls netcd command provides you with an overview of the currently active
configuration:

# lssrc -ls netcd
Subsystem         Group            PID          Status
 netcd            netcd            421904       active
Debug                       Inactive
Configuration File          /etc/netcd.conf
Configured Cache            local hosts
Configured Cache            dns hosts

With the netcdctrl command, you can dump the cache contents to a file. The dump can be
either in binary or ASCII format.


Administering the named daemon

• Stop, start, and refresh operations can be done through
standard SRC commands.
• The remote name daemon control (rndc) program allows the
system administrator to control the operation of a name
server.
  – Operations include:
    • Reloading/refreshing zones
    • Stopping the server
    • Querying the status
    • Flushing the server's cache
    • Dumping the server's database

Figure 8-39. Administering the named daemon AN212.0

Notes:

BIND includes a utility called rndc that allows you to administer the named daemon, locally
or remotely, with command line statements. If you run the rndc command with no
command line options or arguments, it prints a short summary of the supported commands
and the available options and their arguments.

The rndc command communicates with the name server over a TCP connection (port
953), sending commands authenticated with digital signatures. In the current versions of
the rndc command and the named daemon, the only supported authentication algorithm is
HMAC-MD5, which uses a shared secret on each end of the connection. This provides
TSIG style authentication for the command request and the name server's response. All
commands sent over the channel must be signed by a key_id known to the server. The
rndc command reads a configuration file (/etc/rndc.conf) to determine how to contact
the name server and decide what algorithm and key it must use.


Remote name daemon control set up (1 of 2)

Generate the rndc.key file

# rndc-confgen -a        # Note: creates the /etc/rndc.key file
# cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Copy the key statement into the /etc/rndc.conf file
and add an options statement:

# cp /etc/rndc.key /etc/rndc.conf
# vi /etc/rndc.conf
. . .
Append to /etc/rndc.conf file
options {
        default-server localhost;
        default-key rndc-key;
};

Figure 8-40. Remote name daemon control set up (1 of 2) AN212.0

Notes:

To use the remote name daemon control (rndc) facility, you first need to generate a secret
key for secure communications between the rndc client and the named daemon. The
rndc-confgen command will generate an /etc/rndc.key file that contains a key statement with
the name rndc-key and the generated key. This key statement uses exactly the same
syntax as the key statements used in both the rndc.conf and named.conf
configuration files.

The key statement needs to be placed in the /etc/rndc.conf file. If you do not already have
an /etc/rndc.conf file, you create one with the contents of your rndc.key file.
The /etc/rndc.conf file will also need an options statement which identifies the address of
the default name server and the default key statement to use for that name server (the
client rndc command can override both the name server and the key to be used).


Remote name daemon control set up (2 of 2)

# cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Copy the key statement into the /etc/named.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Add controls statement in /etc/named.conf to permit remote control
controls {
        inet * allow { localhost; 10.47.0.0/16; } keys { rndc-key; };
};

# refresh -s named

Figure 8-41. Remote name daemon control set up (2 of 2) AN212.0

Notes:

The named daemon also needs to know the secret key being used by rndc. Insert the key
statement (from /etc/rndc.key) into the /etc/named.conf file.

If the named daemon is to be controlled remotely using rndc, a controls statement needs
to be inserted into the server configuration file (/etc/named.conf).

In the example controls statement, any host on the 10.47/16 network will be allowed to
control the named daemon remotely if the rndc client on that host uses a secret key that
matches what is defined for that network in the controls statement (what is defined in the
rndc-key key statement).
The named subsystem must either be stopped and started, or refreshed, in order for it to
read the changes to the /etc/named.conf file.
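The shared-secret authentication that both set-up slides rely on, as an added example (not from the course or from BIND): the code parses a key statement in the format of rndc.key, base64-decodes the secret, and signs and verifies a message with HMAC-MD5 the way a TSIG-style channel protects both the request and the response. The message layout is a simplified stand-in and does not reproduce the real rndc wire protocol; the function names are assumptions, and the secret is the sample value from the slide.

```python
"""Parse a BIND key statement and show the shared-secret HMAC check it enables.

Added example (not from the course or from BIND). The request bytes are a
simplified stand-in for a control message; the real rndc wire format is not
reproduced here. The key statement text is the slide's sample rndc.key.
"""
import base64
import hashlib
import hmac
import re

KEY_STATEMENT_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.DOTALL,
)

# Only HMAC-MD5 is supported by the rndc/named versions discussed in the unit.
SUPPORTED_ALGORITHMS = {"hmac-md5": hashlib.md5}

# Sample rndc.key contents exactly as shown on the slide.
SAMPLE_RNDC_KEY = '''key "rndc-key" {
        algorithm hmac-md5;
        secret "iNKnjkSg7+BMY68ODM6VtQ==";
};
'''


def parse_key_statement(text):
    """Return (key name, algorithm, raw secret bytes) from a key statement."""
    m = KEY_STATEMENT_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    alg = m.group("alg").lower()
    if alg not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % alg)
    return m.group("name"), alg, base64.b64decode(m.group("secret"))


def sign(secret, alg, message):
    """Compute the MAC over a message with the shared secret."""
    return hmac.new(secret, message, SUPPORTED_ALGORITHMS[alg]).digest()


def verify(secret, alg, message, mac):
    """Constant-time comparison so a forged MAC cannot be guessed byte by byte."""
    return hmac.compare_digest(sign(secret, alg, message), mac)


def demo():
    """Sign a request with the client's copy of the key and check it with the server's.

    Both rndc.conf and named.conf carry the same key statement, so each side
    derives the same secret; here both sides parse the same sample text.
    Returns (key name, request accepted, tampered request accepted).
    """
    name, alg, client_secret = parse_key_statement(SAMPLE_RNDC_KEY)
    _, _, server_secret = parse_key_statement(SAMPLE_RNDC_KEY)
    request = b"rndc-key:status"  # constructed stand-in for a control request
    mac = sign(client_secret, alg, request)
    accepted = verify(server_secret, alg, request, mac)
    # Replaying the MAC on a different command must fail on the server side.
    tampered = verify(server_secret, alg, b"rndc-key:stop", mac)
    return name, accepted, tampered


if __name__ == "__main__":
    print(demo())  # ('rndc-key', True, False)
```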


rndc examples

# rndc stats
# cat named.stats
+++ Statistics Dump +++ (1240223747)
success 998
referral 0
nxrrset 582
nxdomain 6395
recursion 22
failure 0
duplicate 0
dropped 0
--- Statistics Dump --- (1240223747)

# rndc dumpdb -cache
Note: File is dumped to: <dns-dir>/named_dump.db

# rndc stop
Note: save pending dynamic updates and stop the named daemon

Figure 8-42. rndc examples AN212.0

Notes:

The rndc command controls the operation of a name server. If you run the rndc command
with no command line options or arguments, it prints a short summary of the supported
commands and the available options and their arguments. The rndc command
communicates with the name server over a TCP connection, sending commands
authenticated with digital signatures.

Here is a list of rndc commands (from the BIND 9 Administrator Reference Manual):

• reload: Reload configuration file and zones.
• reload zone [class [view]]: Reload the given zone.
• refresh zone [class [view]]: Schedule zone maintenance for the given zone.
• reconfig: Reload the configuration file and load new zones, but do not reload existing
zone files even if they have changed. This is faster than a full reload when there is a
large number of zones because it avoids the need to examine the modification times of
the zone files.
• stats: Write server statistics to the statistics file.
• querylog: Toggle query logging. Query logging can also be enabled by explicitly
directing the queries category to a channel in the logging section of named.conf.
• dumpdb: Dump the server's caches to the dump file.
• stop: Stop the server, making sure any recent changes made through dynamic update
or IXFR are first saved to the master files of the updated zones.
• halt: Stop the server immediately. Recent changes made through dynamic update or
IXFR are not saved to the master files, but will be rolled forward from the journal files
when the server is restarted.
• trace: Increment the server's debugging level by one.
• trace level: Sets the server's debugging level to an explicit value.
• notrace: Sets the server's debugging level to 0.
• flush: Flushes the server's cache.
• status: Display status of the server.


Logging

• Logging options are defined in /etc/named.conf.
  – Using the logging statement
• All log output is divided into categories and redirected to one
of many channels.
  – Category: Output type
  – Channel: Output location, severity information
• There are four predefined channels.
  – default_syslog Send to syslog daemon
  – default_debug Write to file
  – default_stderr Writes to stderr
  – null Throw away
• Custom channels can be created.

Figure 8-43. Logging AN212.0

Notes:

The logging statement configures a wide variety of logging options for the name server. Its
channel phrase associates output methods, format options, and severity levels with
a name that can then be used with the category phrase to select how various classes of
messages are logged.

Only one logging statement is used to define as many channels and categories as are
required.


Logging: Channel statement syntax

• Syntax:
  – channel "<channel_name>" {
        ( file path_name
          [ versions ( number | unlimited ) ]
          [ size size_spec ]
        | syslog syslog_facility
        | stderr | null );
        [ severity ( critical | error | warning | notice |
                     info | debug [ level ] | dynamic ); ]
        [ print-category yes_or_no; ]
        [ print-severity yes_or_no; ]
        [ print-time yes_or_no; ]
    };

Figure 8-44. Logging: Channel statement syntax AN212.0

Notes:

All log output goes to one or more channels. You can make as many channels as you want.
Every channel definition must include a destination clause that says whether messages
selected for the channel go to a file, to a particular syslog facility, to the standard error
stream, or are discarded. Optionally, it can also limit the message severity level that will be
accepted by the channel (the default is info) and whether to include a named-generated
time stamp, the category name, and the severity level (the default is not to include any).


Logging: Category statement syntax

• Syntax:
  – category "<category_name>" { "channel1"; "channel2"; ... ; };
• Log output is broken down into 19 categories.
  Examples:
  – default
  – general
  – database
  – config
  – update
  – client
  – queries
  – notify

Figure 8-45. Logging: Category statement syntax AN212.0

Notes:

There are many categories, so you can send the logs you want to see wherever you want
without seeing logs you do not want. If you do not specify a list of channels for a category,
log messages in that category will be sent to the default category instead.


Logging example: Bringing it all together

logging {
        channel "debug" {
                file "dnsdebug.out" versions 3 size 20m;
                severity debug 3;       // very verbose
                print-time yes;
        };
        channel "syslog" {
                syslog daemon;
                severity info;
        };
        channel "dynamic_updates" {
                file "dynamic_updates";
                severity info;
        };
        category "default" { "debug"; };
        category "security" { "syslog"; };
        category "update" { "dynamic_updates"; };
};

Figure 8-46. Logging example: Bringing it all together AN212.0

Notes:

In this example we have three categories which are directed through three channels.
• Default The default category defines the logging options for those categories where no
specific configuration has been defined. This category is directed through channel
debug. Very verbose output will be written to three generations of the file
dnsdebug.out, each of which will be 20 MB in size.
• Security Approval and denial of requests. This category is directed through channel
syslog. General security information will be written to the syslog daemon.
• Update Dynamic updates. This category is directed through channel
dynamic_updates. General dynamic update information will be written to the file
dynamic_updates.
Severity Controls the logging level. Options can be critical, error, warning, notice, info,
debug (level 1, low, to 3, high), and dynamic.


Split DNS

• Split DNS is the process of separating internal and external DNS views
of your domain data (for security purposes).
• This can be achieved using internal and external name servers or using
a single DNS server using a new BIND 9 configuration option: views

[Diagram: internal network with internal nameservers serving the internal zones;
DMZ (demilitarized zone) holding the external zones; the Internet beyond it]

Figure 8-47. Split DNS AN212.0

Notes:

DNS servers are one of the top 10 most attacked services on the Internet. It is important for
security that the internal and external data is separated. In reality, external Internet-facing
DNS servers contain very few RRs, for example, WWW, FTP, and mail servers.

In previous versions of BIND, split DNS configurations had to be achieved using different
servers. BIND version 9 allows a single DNS server to split DNS data by creating views.


Split DNS example (1 of 2)

• /etc/named.conf, internal view

view "internal" {
        // All clients on the 10 and 192.168 networks are internal
        // and private.
        match-clients { 10.0.0.0/8; 192.168.0.0/16; };

        // Provide recursive service to internal clients only.
        recursion yes;

        // Internal zones ...
        zone "lpar.co.uk" {
                type master;
                file "named.lpar.internal";
                allow-update { key ddns-key ; };
                allow-transfer { key ddns-key ; };
        };
};

Figure 8-48. Split DNS example (1 of 2) AN212.0

Notes:

The view statement is a powerful new feature of BIND 9 that lets a name server answer a
DNS query differently depending on who is asking. It is particularly useful for implementing
split DNS setups without having to run multiple servers.

Each view statement defines a view of the DNS namespace that will be seen by a subset
of clients. A client matches a view if its source IP address matches the address_match_list
of the view's match-clients clause and its destination IP address matches the
address_match_list of the view's match-destinations clause. If not specified, both
match-clients and match-destinations default to matching all addresses. A view can also
be specified as match-recursive-only, which means that only recursive requests from
matching clients will match that view. The order of the view statements is significant. A
client request will be resolved in the context of the first view that it matches.
Zones defined within a view statement will only be accessible to clients that match the
view. By defining a zone of the same name in multiple views, different zone data can be
given to different clients, for example, internal and external clients in a split DNS setup.
The visual shows an example of an internal view.


Split DNS example (2 of 2)


IBM Power Systems

• /etc/named.conf, external view


view "external" {
    // Match all clients not matched by the previous view.
    match-clients { any; };

    // Refuse recursive service to external clients.
    recursion no;

    // Provide a restricted view of the lpar.co.uk zone
    // containing only publicly accessible hosts.
    // For example: www, ftp servers, mail (MX records)
    zone "lpar.co.uk" {
        type master;
        file "named.lpar.external";
    };
};


Figure 8-49. Split DNS example (2 of 2) AN212.0

Notes:
The visual shows an example of an external view. The keyword any allows this view to be used by any query that was not already matched by a previous view statement. This external view statement should therefore be placed after the internal view statement. The view restricts access to what is defined in the named.lpar.external zone file. It also rejects recursive queries.


Removing BIND version information (1 of 2)


• DNS is one of the most attacked services in the Internet.
• Each version of BIND will have a number of documented and undocumented weaknesses.
• Servers should be configured so the version information will not be disclosed.

# nslookup
> set class=chaos
> set type=txt
> version.bind
Server:         10.47.1.33
Address:        10.47.1.33#53

version.bind    text = "9.4.1"

The same result can be achieved with dig:

# dig @10.47.1.33 version.bind txt chaos


Figure 8-50. Removing BIND version information (1 of 2) AN212.0

Notes:
The visual illustrates how nslookup or dig can identify the version of BIND being used on a server. This can be used to narrow an attack based upon the known vulnerabilities of that version.


Removing BIND version information (2 of 2)


• Add the following line to /etc/named.conf in the options stanza.

options {
    ...
    version "Not disclosed";
    ...
};

# nslookup
> set class=chaos
> set type=txt
> version.bind
Server:         10.47.1.33
Address:        10.47.1.33#53

version.bind    text = "Not disclosed"


Figure 8-51. Removing BIND version information (2 of 2) AN212.0

Notes:
The options statement allows you to override the default version information with text of your own choosing. In the example shown, the version.bind field in the nslookup output shows the text: Not disclosed.
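As an added example (not part of the course material or of BIND), the following Python builds the same CHAOS-class TXT query for version.bind that nslookup and dig send, parses a reply, and reports whether the TXT answer still reads as a real release number or as the replacement text configured with the version option. The reply bytes are constructed inline by build_version_response, which stands in for the server so the check runs offline.

```python
import re
import struct

CLASS_CH = 3          # CHAOS class, the class of the version.bind pseudo-record
TYPE_TXT = 16
VERSION_NAME = ("version", "bind")
VERSION_PATTERN = re.compile(r"\b\d+\.\d+(\.\d+)?")   # looks like a release number


def encode_name(labels):
    """Encode labels in DNS wire format: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_version_query(txid=0x1234):
    """Wire-format equivalent of: dig version.bind txt chaos (RD=0, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(VERSION_NAME) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def build_version_response(txid, txt):
    """Constructed stand-in for the server's reply: one CH TXT answer whose owner name
    is a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)      # QR=1, AA=1
    question = encode_name(VERSION_NAME) + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(txt)]) + txt.encode("ascii")                # one <len><chars> string
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, offset):
    """Decode a possibly compressed name; return (labels, offset just past the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return labels, (end if jumped else offset)


def parse_version_txt(msg):
    """Return every TXT string carried in CH-class TXT answers of a reply."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                              # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                       # QTYPE + QCLASS
    strings = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0
            while pos < len(rdata):                       # TXT rdata: <len><chars>...
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
    return strings


def discloses_version(reply):
    """True when the server still answers with something that reads as a real
    BIND release number (9.4.1 in the visual) rather than the configured text."""
    return any(VERSION_PATTERN.search(s) for s in parse_version_txt(reply))
```

To audit one of your own servers, send build_version_query() over UDP to its port 53 and pass the datagram you get back to discloses_version.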


Checkpoint (1 of 2)
1. True or False: On the client, the /etc/resolv.conf contains the default domain name for the system and the name servers it uses for name resolution.

2. True or False: The named daemon can be started automatically with a command line entry in the inetd.conf file.

3. True or False: The named daemon must be running on every machine participating in the domain environment.


Figure 8-52. Checkpoint (1 of 2) AN212.0

Notes:
Write your answers here:




Checkpoint (2 of 2)
4. Name three DNS client resolvers.

5. What is the purpose of the netcd daemon?


Figure 8-53. Checkpoint (2 of 2) solutions AN212.0

Notes:

Exercise introduction
• In this exercise, you will:
  – Configure a DNS primary server
  – Configure a DNS slave server
  – Set up rndc
  – Add DNS records dynamically using TSIGs
  – Configure a domain client
  – Use the network caching daemon


Figure 8-54. Exercise introduction AN212.0

Notes:

Unit summary
Having completed this unit, you should be able to:
• Describe domain name history, concepts, and terminology
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
  – Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information


Figure 8-55. Unit summary AN212.0

Notes:
Unit 9. DHCP

What this unit is about


This unit describes the Dynamic Host Configuration Protocol (DHCP).

What you should be able to do

After completing this unit, you should be able to:
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX

How you will check your progress

• Checkpoint questions
• Lab exercises


Unit objectives
After completing this unit, you should be able to:
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX


Figure 9-1. Unit objectives AN212.0

Notes:

TCP/IP configuration introduction


• TCP/IP configuration can be either:
  – Static
    • Permanent configuration configured on the actual host. For example: smitty mktcpip
    • Typically used for server and network devices (routers, firewalls, switches, and so forth)
  – Dynamic
    • Temporary configuration
      – Based on a pre-determined fixed lease time
    • TCP/IP configuration handled through the DHCP (Dynamic Host Configuration Protocol)
    • Typically used for clients (for example, PCs running Windows, MAC OS, Linux)


Figure 9-2. TCP/IP configuration introduction AN212.0

Notes:
Every host in an IP network needs to be configured with several parameters, including the IP address, the subnet mask, the default router, the IP addresses of DNS servers, and so forth. There are basically two ways of supplying these parameters to the host.

When a site uses static configuration, all parameters are configured on the local system and stored on some sort of local medium. In most cases this is the local hard disk. With static configuration, every host on a network needs its own IP address, even when the system is off or not connected to the network at all. Think, for instance, about the situation where your company has a thousand mobile workers, each with their own laptop, who can hook up to any network in any of your ten buildings throughout the country. Since you never know when or where someone is logged in, you need to reserve 10,000 IP addresses, one thousand for each network, even if a network has only ten connections available. This is a tremendous waste of IP addresses and does not help the user, who will need to do some local configuration every time he connects to another network.

When a site uses dynamic addressing, no IP configuration is stored locally. Instead, when the system boots up it requests the local configuration from a server. When the system


shuts down, it notifies the server that the configuration is no longer needed and can be
reused. This limits the number of IP addresses that need to be reserved, since only the
systems that are actually in use on a network need an IP address for this network. It also
saves the user from doing a lot of local configuration.


Dynamic Host Configuration Protocol


• DHCP
  – Is an extension of BOOTP
  – A DHCP server dynamically assigns TCP/IP configuration to DHCP clients.
• TCP/IP supplied configuration can be
  – Dynamic IP addresses from a pool
  – Fixed IP addresses
  – Network options (subnet mask, DNS server, default routers, and so forth)
• A client should only receive TCP/IP information from one DHCP server.
• There are no DHCP backup servers.
  – Availability can be achieved using PowerHA.


Figure 9-3. Dynamic Host Configuration Protocol AN212.0

Notes:
BOOTP protocol

BOOTP is a network protocol used by network clients to obtain an IP address from a configuration server.

BOOTP is usually used during the bootstrap process when a computer is starting up. A BOOTP configuration server assigns an IP address to each client from a pool of addresses. BOOTP uses the User Datagram Protocol (UDP) as a transport on IPv4 networks only. BOOTP has been superseded by DHCP. However, it is still used in AIX today by NIM servers to provide clients with the location of their boot image from a known IP address. This is used for BOS installs and booting the system into maintenance mode over the network.

DHCP protocol

DHCP supports the following types of IP address allocation:
• Dynamic allocation - host is assigned an address from a pool of addresses for a limited time lease or until the host relinquishes it.


• Automatic allocation - host is assigned a permanent IP address from the range defined
by the administrator.
• Manual allocation - host is assigned a static address by the network administrator.
Typically, a DHCP client should only receive offers from a single DHCP server on the network. If there are multiple DHCP servers, a client will accept the first IP address offered. There is no backup concept with DHCP. DHCP availability can be achieved by using a PowerHA solution. A kind of poor man's availability can be achieved by having more than one DHCP server on a network, each allocating IP addresses in a different range within the same subnet.
DHCP is backwards compatible with BOOTP.


DHCP client-server interaction


Message sequence between client and server shown in the visual (time runs downward):
1. Start-up DHCP (client).
2. DHCPdiscover, broadcast to 255.255.255.255.
3. DHCPoffer, carrying a TCP/IP configuration (server).
4. DHCPrequest: accept or deny the offer.
5. DHCPack: acknowledgement, transaction completed. The client is now running with the TCP/IP configuration, in BOUND state.
6. T1 (50% of the lease time): the client renews the lease with a unicast DHCPrequest.
7. DHCPack (server).
8. Stop DHCP: DHCPrelease (client).
9. IP freed (server).


Figure 9-4. DHCP client-server interaction AN212.0

Notes:
The visual shows the exchange of packets that enable a client to obtain a lease on an IP address.

a. The client broadcasts a DHCPDISCOVER message on its local subnet to 255.255.255.255. This message is received by all DHCP servers and DHCP relays on the network. A DHCP relay relays the message as a unicast message to one or more DHCP servers. DHCP relay code is typically included in a router, saving you from having to put a DHCP server or other special system on each network.
b. All servers check their local configuration to see if they have any IP addresses for that network that can be used by this client. Each server that wants to offer a lease does this by sending a DHCPOFFER containing the IP address, other configuration parameters, and the maximum lease time for this IP address.
c. The client receives all offers, selects one (typically, but not necessarily, the one with the longest maximum lease time), and sends a DHCPREQUEST to that server to confirm the lease.


d. The server receives the DHCPREQUEST, stores the client's configuration details, and sends a DHCPACK message to the client.
e. After half of the lease period (usually called T1) the client contacts the server with a unicast DHCPREQUEST requesting a renewal of the lease. If the server is still available and willing, it sends a DHCPACK back to the client, confirming the renewal of the lease. The timers will now be reset, and the lease period countdown starts again. If the server does not react to the unicast DHCPREQUEST (not shown on the diagram for clarity), the client waits until T2, which is at about 0.875 of the lease period. It then does a broadcast DHCPREQUEST. This broadcast contains the ID of the DHCP server. If the client still has no confirmation from the server by the time the lease expires, it starts a DHCPDISCOVER sequence again to get another IP address from another server. Plus, since the lease has expired, it sends a DHCPRELEASE to the previous server. This DHCPRELEASE probably gets lost since the server has not been responding anyway.
f. If the DHCP subsystem on the client stops, the client will relinquish its lease for a graceful shutdown and will send the server a DHCPRELEASE message.

Servers do not commit the IP address for the client until they receive the DHCPREQUEST packet; therefore, it might happen that a server sends multiple DHCPOFFERs to multiple clients with the same IP address. The first client that actually claims the IP address (with a DHCPREQUEST) is confirmed with the DHCPACK, and the other clients are refused with a DHCPNACK message. The client, therefore, can only use an IP address after it has received the DHCPACK.
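As an added example (constructed here, not AIX dhcpsd code), the following Python models the server side of the exchange just described: an offer commits nothing, the first DHCPREQUEST for an address gets DHCPACK while a competing one gets DHCPNACK, T1 and T2 fall at 50% and 87.5% of the lease, a renewal resets the timers, and DHCPRELEASE or expiry frees the address. The client IDs and the 10.1.3.x pool are borrowed from the examples in this unit; DHCPNACK is spelled as in the notes.

```python
from dataclasses import dataclass, field

# Message names as used in the lesson (constructed simulation, not AIX dhcpsd code)
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = (
    "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK", "DHCPNACK", "DHCPRELEASE")


@dataclass
class Lease:
    ip: str
    client_id: str
    lease_time: int      # seconds
    start: int           # seconds on a simulated clock

    @property
    def t1(self):        # renewal timer: 50% of the lease
        return self.start + self.lease_time // 2

    @property
    def t2(self):        # rebinding timer: 87.5% of the lease
        return self.start + int(self.lease_time * 0.875)

    @property
    def expiry(self):
        return self.start + self.lease_time


@dataclass
class DhcpServer:
    pool: list                                   # addresses the server may hand out
    lease_time: int = 1800
    leases: dict = field(default_factory=dict)   # ip -> Lease, filled only on DHCPREQUEST

    def handle(self, msg, client_id, now, ip=None):
        """Process one client message; return (reply, ip) or None when nothing is sent."""
        if msg == DISCOVER:
            free = [a for a in self.pool if a not in self.leases]
            if not free:
                return None
            # Offer the first free address. Nothing is committed yet, so two clients
            # that discover at the same time can both be offered this address.
            return OFFER, free[0]
        if msg == REQUEST:
            lease = self.leases.get(ip)
            if lease is None and ip in self.pool:
                self.leases[ip] = Lease(ip, client_id, self.lease_time, now)   # commit
                return ACK, ip
            if lease is not None and lease.client_id == client_id:
                lease.start = now                    # renewal: timers restart from now
                return ACK, ip
            return NAK, ip                           # already claimed by another client
        if msg == RELEASE:
            lease = self.leases.get(ip)
            if lease is not None and lease.client_id == client_id:
                del self.leases[ip]                  # IP freed
            return None
        raise ValueError(f"unexpected message {msg}")

    def expire(self, now):
        """Reclaim leases whose expiry passed without a renewal (leaseExpireInterval sweep)."""
        for ip in [ip for ip, lease in self.leases.items() if now >= lease.expiry]:
            del self.leases[ip]


def two_clients_race(server, now=0):
    """The case from the notes: both clients are offered the same address, only the
    first DHCPREQUEST is acknowledged. Returns (same_offer, first_reply, second_reply)."""
    _, ip_a = server.handle(DISCOVER, "1-ea48f000e008", now)
    _, ip_b = server.handle(DISCOVER, "1-ea48f000e009", now)
    first = server.handle(REQUEST, "1-ea48f000e008", now, ip=ip_a)
    second = server.handle(REQUEST, "1-ea48f000e009", now, ip=ip_b)
    return ip_a == ip_b, first[0], second[0]
```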

DHCP relay function


• Routers by default will not forward 255.255.255.255 broadcasts.
• In order to have a client and server on different subnets the router must be configured as a DHCP relay.

Diagram: a Cisco router "configured" as a DHCP relay sits between the DHCP client and the AIX DHCP server. 1. Broadcast (client to router); 2. Forward (unicast) to the server; 3. Offer; 4. Forward offer (unicast) to the client.


Figure 9-5. DHCP relay function AN212.0

Notes:
By default, routers do not forward broadcasts. In internetworks, most of the time, a DHCP server is located on a different network than the majority of its clients.

For DHCP messages to be able to reach the server, configuration of DHCP server IP addresses is required. The router will intercept DHCP broadcast messages and forward them as unicasts to the DHCP server, hence, providing relay functionality.

DHCP relay agents provide extra security to the network by hiding the server's IP address from the clients. The client knows only the IP address of the relay agent.


Network options
• TCP/IP configuration options which a server can present to the client
• Complete list described in /etc/options.file
• Popular examples:

  Option number   Description
  1               subnet mask
  2               time offset
  3               router
  4               time server
  6               DNS server
  12              hostname
  15              DNS domain name
  33              static routes


Figure 9-6. Network options AN212.0

Notes:
This visual lists some of the more interesting options a DHCP server can send to a client. For a complete listing of available options within AIX, refer to /etc/options.file.

DHCP AIX implementation example


Diagram: three LANs, subnets 10.1.1.0, 10.1.2.0, and 10.1.3.0, connected by a Cisco router (10.1.1.1 and 10.1.2.1) and an AIX router (10.1.2.2 and 10.1.3.1). The AIX DHCP server is 10.1.1.2 on subnet 10.1.1.0. The DHCP clients are on subnet 10.1.3.0 and include AN21system (10.1.3.30) and a host with MAC address ea48f000E008 (10.1.3.40).

• Server to provide: IP address, subnet mask, default router, nameserver address, and domain name


Figure 9-7. DHCP AIX implementation example AN212.0

Notes:
The example in the visual shows a network made up of three LANs connected by two routers, one of which is an AIX system. Each LAN has a number of AIX hosts. The network administrator wants the hosts on each LAN to be configured with an IP address, subnet mask, default router, the address of a name server, and the domain name for the network.

The administrator has decided to run a DHCP server on LAN 10.1.1.0 and use a DHCP relay to forward requests from clients on the other two LANs. Both the AIX and the Cisco router are configured to pick up DHCP client requests originating in those networks and forward them to the server located on LAN 10.1.1.0.

All IP addresses for each subnet will be allocated dynamically from a pool except for two machines in the 10.1.3 subnet. One system, named AN21system, will have a permanent address assigned from the pool. The other system, with a MAC address of ea48f000E008, will be assigned a static address outside of the dynamic pool range.


DHCP AIX server configuration (1 of 2)


# /etc/dhcpsd.cnf   AIX Server DHCP configuration file
numLogFiles 4
logFileSize 100
logFileName /tmp/dhcpsd.log
logItem SYSERR
logItem OBJERR

leaseTimeDefault 30 minutes
leaseExpireInterval 3 minutes


Figure 9-8. DHCP AIX server configuration (1 of 2) AN212.0

Notes:
The first part of the server configuration file specifies the logging options as follows:
• numLogFiles: The number of log files desired.
• logFileSize: The size of log files in K bytes.
• logFileName: The name of the most recent log file.
• logItem: The following types of items can be logged:
  - SYSERR: System error at the interface to the platform.
  - OBJERR: Object error in between objects in the process.
  - PROTERR: Protocol error between client and server.
  - WARNING: Warning worthy of attention from the user.
  - EVENT: Event occurred to the process.
  - ACTION: Action taken by the process.
  - INFO: Information that might be useful.

  - ACNTING: Who was served when.
  - TRACE: Code flow for debugging.
The next lines specify the lease information:
• leaseTimeDefault: The default duration of leases issued by this server.
• leaseExpireInterval: Specifies how often addresses in the BOUND state are checked to see if they have expired.


DHCP AIX server configuration (2 of 2)


network 10.0.0.0 24
{
    option 1 255.255.255.0                 # Subnet mask
    option 6 10.1.1.3                      # Name server
    option 15 lpar.co.uk.                  # Domain

    subnet 10.1.1.0 10.1.1.10-10.1.1.254   # subnet: dynamic pool range
    {
        option 3 10.1.1.1                  # Default router
    }

    subnet 10.1.2.0 10.1.2.10-10.1.2.254   # subnet: dynamic pool range
    {
        option 3 10.1.2.1                  # Default router
    }

    subnet 10.1.3.0 10.1.3.10-10.1.3.30    # subnet: dynamic pool range
    {
        option 3 10.1.3.1                  # Default router
        client 1 ea48f000E008 10.1.3.30    # Allocate fixed IP from the pool to MAC address (ea48f000E008)
        client 0 an21system 10.1.3.40      # Allocate fixed IP from outside the pool to hostname (an21system)
    }
}


Figure 9-9. DHCP AIX server configuration (2 of 2) AN212.0

Notes:
• network: Specifies the dotted decimal notation address for a network administered by this server. Optionally, the address can be followed by the subnet mask or a range of addresses administered by this server. Options particular to the network can also be specified within curly braces following the network statement. (Note that the subnet mask can be specified either in the traditional notation, for example, 255.255.255.0, or as the number of bits in the mask, for example, 24. The latter method is used in the example.)
• subnet: Specifies a subnet administered by this server optionally followed by a range of addresses in this subnet which are to be administered. As with the network statement, options for the subnet can be specified within curly braces following the subnet statement.
• class: Specifies the ASCII string name of a class. A class can be used to designate particular types of systems, for example, a print server or a Windows client. When the DHCP client sends requests to the server, it might include its class name in order to cause the server to provide particular types of options. The class might be further

defined by the range of addresses that are given to clients which request the class. Options particular to the class can also be specified following the statement in curly braces.
• client: Specifies elements particular to a client. Elements which can be defined include id type (0 represents a hostname and 1 a MAC address), id value (hardware address for the RFC 1340 hardware ID types or a character string for id type 0), and address. Options particular to this client can also be specified as with network, subnet, and class. If manual allocation is used for a client, a specific address is entered for the client in this field. In our example, our administrator does not provide specific client address information, so the server allocates an address from its pool of available addresses.
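As an added example (not part of the course and not AIX dhcpsd code), the following Python parses the dhcpsd.cnf syntax shown in the visual and works out, for a request arriving from a given subnet, which address and which effective options the server would hand out: a matching client statement wins over the pool, addresses reserved by client statements are skipped for dynamic allocation, and subnet options override network and global ones. SAMPLE_CNF is a constructed copy of the example above (subnet 10.1.2.0 omitted for brevity); the network mask is not used for matching here.

```python
import ipaddress

# Constructed copy of the /etc/dhcpsd.cnf shown in the visual (sample input, not the live file)
SAMPLE_CNF = """\
leaseTimeDefault 30 minutes
network 10.0.0.0 24
{
    option 1 255.255.255.0            # Subnet mask
    option 6 10.1.1.3                 # Name server
    option 15 lpar.co.uk.             # Domain
    subnet 10.1.1.0 10.1.1.10-10.1.1.254
    {
        option 3 10.1.1.1             # Default router
    }
    subnet 10.1.3.0 10.1.3.10-10.1.3.30
    {
        option 3 10.1.3.1             # Default router
        client 1 ea48f000E008 10.1.3.30   # fixed IP inside the pool, keyed by MAC address
        client 0 an21system 10.1.3.40     # fixed IP outside the pool, keyed by hostname
    }
}
"""


def new_scope(kind, args):
    return {"kind": kind, "args": args, "options": {}, "clients": [], "children": []}


def parse_dhcpsd_cnf(text):
    """Build a scope tree (global > network > subnet) from the dhcpsd.cnf syntax used in
    the visual: '#' comments, braces on their own line, option/client/keyword lines."""
    root = new_scope("global", [])
    stack, pending = [root], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "{":
            stack.append(pending)            # enter the network/subnet opened just before
            continue
        if line == "}":
            stack.pop()
            continue
        words = line.split()
        scope = stack[-1]
        if words[0] in ("network", "subnet"):
            pending = new_scope(words[0], words[1:])
            scope["children"].append(pending)
        elif words[0] == "option":
            scope["options"][int(words[1])] = " ".join(words[2:])
        elif words[0] == "client":
            # client <idtype> <idvalue> <address>; idtype 0 = hostname, 1 = MAC address
            scope["clients"].append((int(words[1]), words[2].lower(), words[3]))
        else:
            scope["options"][words[0]] = " ".join(words[1:])     # e.g. leaseTimeDefault
    return root


def pool_range(subnet):
    """Expand the 'first-last' range of a subnet statement into individual addresses."""
    lo, hi = (ipaddress.IPv4Address(p) for p in subnet["args"][1].split("-"))
    return [str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)]


def resolve(root, client_subnet, id_type, id_value, in_use=()):
    """What a request arriving from client_subnet receives: (address, effective options).
    A matching client statement wins; otherwise the first free pool address is used,
    skipping addresses reserved by client statements and those already in use.
    Options are merged global -> network -> subnet, later scopes overriding earlier ones."""
    for network in root["children"]:
        for subnet in network["children"]:
            if subnet["args"][0] != client_subnet:
                continue
            options = {**root["options"], **network["options"], **subnet["options"]}
            for ctype, cvalue, address in subnet["clients"]:
                if (ctype, cvalue) == (id_type, id_value.lower()):
                    return address, options
            reserved = {address for _, _, address in subnet["clients"]}
            for address in pool_range(subnet):
                if address not in reserved and address not in in_use:
                    return address, options
            return None, options                 # pool exhausted
    return None, dict(root["options"])           # no subnet statement for that network
```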


DHCP client configuration


AIX:
# /etc/dhcpcd.ini   AIX client DHCP configuration file
numLogFiles 4
logFileSize 100
logFileName /tmp/dhcpcd.log
logItem SYSERR
logItem OBJERR
interface en0

Windows: (the visual shows the Windows Internet Protocol properties dialog)


Figure 9-10. DHCP client configuration AN212.0

Notes:
On AIX, the client configuration file must contain the interfaces which are required to be configured via DHCP. The logging statements are the same as on the server and are optional but useful for debugging purposes.

On Windows platforms, the client is set to use DHCP by selecting Control panel > Network connections, then selecting the network adapter and clicking Properties > Internet protocol > Properties, and then completing the dialog as shown in the visual above.


DHCP relay configuration


• AIX router

# /etc/dhcprd.cnf   AIX relay DHCP configuration file
numLogFiles 4
logFileSize 100
logFileName /tmp/dhcprelay.log
logItem SYSERR
server 10.1.1.2

• Cisco router DHCP server

# Example (subset) CISCO router DHCP relay configuration
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
 ip helper-address 10.1.1.2
 duplex auto
 speed auto
!


Figure 9-11. DHCP relay configuration AN212.0

Notes:
For DHCP messages to be able to reach the server, routers must be configured to intercept DHCP broadcast messages and forward them as unicasts to the DHCP server, hence, providing relay functionality.

On AIX, this is done via the server statement in the /etc/dhcprd.cnf file.

On Cisco routers, within the definition of the interface statement, the ip helper-address statement identifies the IP address of the DHCP server.


SRC DHCP control on AIX


• Server
  – Manual start: startsrc -s dhcpsd
  – Start now and at system restart: chrctcp -S -a dhcpsd
  – Manual stop: stopsrc -s dhcpsd
  – Stop now and at system restart: chrctcp -S -d dhcpsd

• Client
  – Manual start: startsrc -s dhcpcd
  – Start now and at system restart: chrctcp -S -a dhcpcd
  – Manual stop: stopsrc -s dhcpcd
  – Stop now and at system restart: chrctcp -S -d dhcpcd

• Relay
  – Manual start: startsrc -s dhcprd
  – Start now and at system restart: chrctcp -S -a dhcprd
  – Manual stop: stopsrc -s dhcprd
  – Stop now and at system restart: chrctcp -S -d dhcprd


Figure 9-12. SRC DHCP control on AIX AN212.0

Notes:

DHCP control on AIX is handled through SRC. Daemons can be started at boot time by
uncommenting the appropriate statements in the /etc/rc.tcpip file. This can be
managed through the chrctcp command.


Querying the server



# lssrc -ls dhcpsd
Log File: /tmp/dhcpsd.log
Log Level: 0x806
Client Expire Interval: 3600
Reserve Expire Interval: 900
Bad Addr Reclaim Interval: 4294967295
Database Save Interval: 3600

IP Address      Status   Duration Time Stamp   Client ID
--------------- -------- -------- ------------ --------------
10.1.1.41       Leased   1800     Jun  6 18:02 1-ea48f000e009
10.1.1.42       Free
10.1.1.43       Free
10.1.1.44       Released 1800     Jun  6 18:02 1-ea48f000e008
10.1.1.45       Free
10.1.1.46       Leased   1800     Jun  8 13:06 0-an21system
10.1.1.47       Free


Figure 9-13. Querying the server AN212.0

Notes:

In order to list the current status of IP assignment on the server, use the lssrc -ls dhcpsd
command. In addition to this, the dadmin command can also be used to query the server.
For example, dadmin -s will produce output similar to that shown on the visual.

Additionally, the server records the current IP assignment (held in an internal database) to
the file /etc/db_file.cr. The server also maintains a checkpoint file,
/etc/db_file.chkpt. If the server crashes or you have to shut down and cannot do a
normal closing of the database, the server can process the checkpoint and database files
to reconstruct a valid database.
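As an added example (not part of the course material), the following POSIX shell function summarizes the lease table that lssrc -ls dhcpsd prints: it counts addresses per status and flags any client ID that holds more than one lease, which is worth a look on a server whose pool is filling up. The sample output it runs on is constructed for the example in the format shown on the visual.

```shell
#!/bin/sh
# Added example: summarize the lease table from "lssrc -ls dhcpsd".
# Real use:  lssrc -ls dhcpsd | dhcp_lease_report

# dhcp_lease_report reads lssrc -ls dhcpsd output on stdin and prints
#   <Status> <count>                    one line per status seen
#   DUPLICATE <client id> <ip,ip,...>   for any client ID holding >1 lease
# The lease table is everything after the dashed separator line.
dhcp_lease_report() {
    awk '
        /^-+ +-+/ { in_table = 1; next }      # separator under the header
        in_table && NF >= 2 {
            status = $2
            count[status]++
            if (status == "Leased") {
                id = $NF                      # client ID is the last field
                held[id]++
                ips[id] = ips[id] (ips[id] ? "," : "") $1
            }
        }
        END {
            for (s in count) printf "%s %d\n", s, count[s]
            for (id in held)
                if (held[id] > 1) printf "DUPLICATE %s %s\n", id, ips[id]
        }' | sort
}

# Constructed sample in the format of the visual above; 10.1.1.45 has been
# given the same client ID as 10.1.1.41 to exercise the duplicate check.
SAMPLE_LSSRC='Log File: /tmp/dhcpsd.log
Log Level: 0x806
Client Expire Interval: 3600
Reserve Expire Interval: 900
Bad Addr Reclaim Interval: 4294967295
Database Save Interval: 3600

IP Address      Status   Duration Time Stamp   Client ID
--------------- -------- -------- ------------ --------------
10.1.1.41       Leased   1800     Jun  6 18:02 1-ea48f000e009
10.1.1.42       Free
10.1.1.43       Free
10.1.1.44       Released 1800     Jun  6 18:02 1-ea48f000e008
10.1.1.45       Leased   1800     Jun  8 13:07 1-ea48f000e009
10.1.1.46       Leased   1800     Jun  8 13:06 0-an21system
10.1.1.47       Free'

printf '%s\n' "$SAMPLE_LSSRC" | dhcp_lease_report
```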


Querying the client



# lssrc -ls dhcpcd
LogFileName: /tmp/dhcpcd.log
Logging: ENABLED
Tracing: NOT ACTIVE

Interface IP Address Duration Start      End
en0       10.1.1.46  1800     1244463676 1244465476

Subsystem Group PID    Status
dhcpcd    tcpip 397508 active


Figure 9-14. Querying the client AN212.0

Notes:

In order to list the current status of IP assignment on the client, use the lssrc -ls dhcpcd
command.


Dynamic DNS updates



• When DHCP servers provide IP configuration to clients, DNS
  servers need to be updated in order for the host name and IP
  to be resolvable.
  – Solution: Dynamic DNS updates

The preferred solution (diagram):
  1. IP information: DHCP server -> DHCP client
  2. Dynamic DNS update (add), PTR and A records: DHCP server -> DNS server
  1. Lease expiration: DHCP client -> DHCP server
  2. Dynamic DNS update (remove), PTR and A records: DHCP server -> DNS server


Figure 9-15. Dynamic DNS updates AN212.0

Notes:

Networking and the explosive growth of the Internet have led to IP address assignment
becoming much more dynamic. Most client hosts get their addresses and network-specific
information via DHCP. However, without name resolution, connections to hosts and
application use simply will not work. The solution is dynamic DNS (DDNS).

By default, in the dynamic DNS process, the DHCP server owns the IP address which it
allocates to the DHCP client and therefore is responsible for updating the DNS PTR
reverse zone record. Typically, the DHCP client owns its host name and is responsible for
updating the DNS A zone record. However, the DHCP server or client can also update both
A and PTR records. This is known as DDNS proxy behavior, and this is the preferred
solution. Why? Simply from a security perspective, DNS servers should accept dynamic
updates from as few hosts as possible, and generally this is limited to the DHCP server only.
Also, this avoids problems with Windows platforms because DHCP clients do not support
transaction signatures.


Dynamic DNS update example (1 of 2)



• Step 1: Add the host name to the client configuration file.

/etc/dhcpcd.ini (AIX client DHCP configuration file):

numLogFiles 4
logFileSize 100
logFileName /tmp/dhcpcd.log
logItem SYSERR
logItem OBJERR
interface en0
{
    option 12 "the_client_hostname"
}


Figure 9-16. Dynamic DNS update example (1 of 2) AN212.0

Notes:

The first step in configuring dynamic update is to assign a host name or IP label to the
interface. On AIX, this is done through the option 12 statement as shown.

If there are multiple interface stanzas specifying option 12, then the first option string is
used for the host name.


Dynamic DNS update example (2 of 2)



• Step 2: Append updateDNS and removeDNS lines to the end
  of the server configuration file.

/etc/dhcpsd.cnf (AIX server DHCP configuration file):

updateDNS "/usr/sbin/dhcpaction9 '%s' '%s' '%s' '%s' >> /tmp/updns.out 2>&1 "
removeDNS "/usr/sbin/dhcpremove9 '%s' >> /tmp/rmdns.out 2>&1 "

• updateDNS provides four positional parameters:
  – Host name, domain name, IP address, lease time
• removeDNS provides one parameter:
  – IP address
• AIX provides two scripts: dhcpaction8 and dhcpremove8
  – Copy scripts and modify to change each nsupdate8 to nsupdate9
  – Modify nsupdate9 invocations for TSIG if using security


Figure 9-17. Dynamic DNS update example (2 of 2) AN212.0

Notes:

The second step is to uncomment the updateDNS and removeDNS lines in the DHCP
server configuration file.

The format for the updateDNS directive is: updateDNS string, where string is the script to be
called followed by four %s's to indicate the placement of the provided positional
parameters. Those positional parameters are: host name, domain name, IP
address, lease time.

The format for the removeDNS directive is: removeDNS string, where string is the script to be
called followed by one %s to indicate the placement of the IP address.

By default, IBM provides two wrapper scripts around nsupdate8: dhcpaction8 (add) and
dhcpremove8 (delete). They are specifically designed to be used as the scripts in these
directives. For BIND9, the scripts need to be copied (with new names of dhcpaction9 and
dhcpremove9) and modified to use nsupdate9. If the name server requires secure
connections, the nsupdate invocations also need to provide the needed TSIG information.
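As an added example, not IBM's dhcpaction8/dhcpremove8 scripts nor code from the course, the following POSIX shell sketch shows what a dhcpaction9/dhcpremove9 replacement has to do: take the positional parameters dhcpsd passes (host name, domain, IP address, lease time; only the IP address for removal), validate the client-supplied host name before it reaches any command line, build the nsupdate batch for the A and PTR records, and sign it with a TSIG key. The key file path and the DDNS_SERVER variable are placeholders, and the nsupdate9 -k keyfile option is assumed to behave as BIND 9 nsupdate's.

```shell
#!/bin/sh
# Added example of a dhcpaction9/dhcpremove9-style wrapper (not IBM's scripts).
# dhcpsd runs it as:  dhcpaction9 '<host>' '<domain>' '<ip>' '<lease>'
#                     dhcpremove9 '<ip>'
set -f                                            # no globbing of client input
: "${NSUPDATE:=nsupdate9}"                        # BIND 9 nsupdate on AIX
: "${TSIG_KEYFILE:=/path/to/Kddns-key.private}"   # placeholder key file
# DDNS_SERVER may name the server to send updates to; empty = zone's SOA MNAME.

# Host name comes from the client (option 12), so accept one DNS label only:
# letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
valid_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Dotted-quad IPv4 with four numeric octets in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# 10.1.1.46 -> 46.1.1.10.in-addr.arpa
reverse_name() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# nsupdate batch for updateDNS: replace the A record, then the PTR record.
ddns_add_batch() {
    host=$1; domain=$2; ip=$3; ttl=$4
    fqdn="$host.$domain."
    rev=$(reverse_name "$ip") || return 1
    [ -n "$DDNS_SERVER" ] && printf 'server %s\n' "$DDNS_SERVER"
    printf 'update delete %s A\n' "$fqdn"
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
    printf 'update delete %s. PTR\n' "$rev"
    printf 'update add %s. %s PTR %s\n' "$rev" "$ttl" "$fqdn"
    printf 'send\n'
}

# nsupdate batch for removeDNS. dhcpsd passes only the IP address, so the
# caller must first resolve the PTR to learn the FQDN whose A record to drop.
ddns_remove_batch() {
    ip=$1; fqdn=$2
    rev=$(reverse_name "$ip") || return 1
    [ -n "$DDNS_SERVER" ] && printf 'server %s\n' "$DDNS_SERVER"
    printf 'update delete %s. PTR\n' "$rev"
    printf 'send\n'
    if [ -n "$fqdn" ]; then
        printf 'update delete %s A %s\n' "$fqdn" "$ip"
        printf 'send\n'
    fi
}

# Entry point for the updateDNS directive: validate, then send a TSIG-signed
# update. Rejected input is logged instead of being passed to nsupdate.
ddns_update() {
    valid_hostname "$1" || { echo "rejected host name: $1" >&2; return 1; }
    valid_ipv4 "$3"     || { echo "rejected address: $3" >&2; return 1; }
    ddns_add_batch "$1" "$2" "$3" "$4" | "$NSUPDATE" -k "$TSIG_KEYFILE"
}
```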


Checkpoint (1 of 2)

1. True or False: In AIX, all hosts should get their IP addresses
   through DHCP.

2. A (blank) forwards DHCP requests to another network.

3. Which file contains a list of all the DHCP network options?


Figure 9-18. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:


Checkpoint (2 of 2)

4. True or False: A DHCP server can only allocate dynamic
   addresses to a client.

5. Put the following DHCP messages in the correct order:
   • DHCPACK
   • DHCPREQUEST
   • DHCPRELEASE
   • DHCPDISCOVER
   • DHCPOFFER


Figure 9-19. Checkpoint (2 of 2) AN212.0

Notes:


Exercise introduction

• In this exercise, you will:
  – Configure a DHCP server and client


Figure 9-20. Exercise introduction AN212.0

Notes:


Unit summary

Having completed this unit, you should be able to:
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX


Figure 9-21. Unit summary AN212.0

Notes:


Unit 10. Network File System

What this unit is about

This unit describes how to configure and use NFS on AIX.

What you should be able to do

After completing this unit, you should be able to:
• Define NFS terminology and concepts including:
  - Identify the NFS daemons and their roles
  - Describe NFS client server interaction and authorization
    methods
• Configure and manage NFS, including:
  - Stop and start NFS
  - Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
  - Configure an NFSv4 domain and pseudo-root file system
  - Extend the pseudo-root file system using alias tree extensions
  - Configure NFSv4 features: Referrals, replication, and
    delegation
  - Configure NFSv3 and v4 side-by-side
• Identify NFSv4 security mechanisms

How you will check your progress

• Checkpoint questions
• Lab exercises


Unit objectives

After completing this unit, you should be able to:
• Define NFS terminology and concepts including:
  – Identify the NFS daemons and their roles
  – Describe NFS client server interaction and authorization methods
• Configure and manage NFS, including:
  – Stop and start NFS
  – Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
  – Configure an NFSv4 domain and pseudo-root file system
  – Extend the pseudo-root file system using alias tree extensions
  – Configure NFSv4 features: Referrals, replication, and delegation
  – Configure NFSv3 and v4 side-by-side
• Identify NFSv4 security mechanisms


Figure 10-1. Unit objectives AN212.0

Notes:

10.1. NFS versions 2 and 3


NFS versions 2 and 3



After completing this topic, you should be able to:
• Define NFS terminology and concepts
• Identify the NFS daemons and their roles
• Understand NFS client server interaction
• Describe NFS authorization methods
• Stop and start NFS
• Configure an NFS server
• Configure an NFS client
• Understand the role of the automounter
• Configure the automount subsystem


Figure 10-2. NFS versions 2 and 3 AN212.0

Notes:


Network File Systems



• File sharing between heterogeneous systems in a TCP/IP network
• Transparent access to remote files and directories
• Based on a client/server model using RPCs
• Filesets:
  – Server: bos.net.nfs.server
  – Client: bos.net.nfs.client

Diagram: nfs_server exports /data and /home; client1 and client2 mount them
as /data and /home.


Figure 10-3. Network File Systems AN212.0

Notes:

Overview

Network File System (NFS) is a facility for sharing files in a heterogeneous environment of
machines, operating systems, and networks. The NFS function is built into the kernel of the
operating system so it is transparent to applications and users. NFS is based on a
client/server model where the server stores files and provides clients with access.

In order to access such files, two things must happen. First, the remote system must make
the files available to other systems on the network. Second, these files must be mounted
on the local system to be able to access them. The mounting process makes the remote
files appear as if they are resident on the local system. The system that makes its files
available to others on the network is called a server, and the system that uses a remote file
is called a client.

NFS is implemented as a set of Remote Procedure Calls (RPC) by the client.

Remote Procedure Call (RPC): backbone of NFS


RPC is a library of procedures. The procedures allow the client process to direct the server
process to execute procedure calls as if the client process had executed the calls in its own
address space. Since the client and the server are two separate processes, they need not
exist on the same physical system. Because the server and client processes can reside on
two different systems which might have completely different architectures, RPC must
address the possibility that the two systems might not represent data in the same format.
So RPC uses data types defined by the eXternal Data Representation (XDR) protocol.


Connection, state, and locking: NFS v2 and 3



• Connection and state
  – NFS protocol is connectionless and stateless
  – Server does not remember anything about transactions
  – All of the information that the client needs is kept on the client
  – No system recovery procedures
• Locking
  – NFS supports advisory locking as requested by applications, for
    example, fcntl() and lockf() library routines
  – Uses a separate RPC protocol and two daemons, rpc.lockd and
    rpc.statd
    • Optional, but started by default
  – Implemented on both the client and server
  – File locking is stateful


Figure 10-4. Connection, state, and locking: NFS v2 and 3 AN212.0

Notes:

Connection and state

NFS uses a stateless protocol. Each remote procedure call contains all of the information
necessary to complete the call, and the server does not keep track of any past requests.
Clients must maintain all of this information. They are not notified if the server is down. This
avoids complex crash recovery. A packet is just sent again until the packet gets through.

Note: Both NFS v2 and v3 operate over the User Datagram Protocol (UDP) and the
Transmission Control Protocol (TCP). NFS V3 uses TCP by default. NFS v4 only uses
TCP.

Locking

The network lock manager is a facility that works in cooperation with the NFS to provide a
System V style of advisory file and record locking over the network.
The network lock manager (rpc.lockd) and the network status monitor (rpc.statd) are
network-service daemons. The rpc.statd daemon is a user level process while the rpc.lockd
daemon is implemented as a set of kernel threads (similar to the NFS server). Both
daemons are essential to the ability of the kernel to provide fundamental network services.
Note: Mandatory or enforced locks are not supported over NFS. Network Lock Manager is
specific to NFS Version 2 and Version 3.


Daemons and NFS client server interaction



Diagram: NFS client and server interaction
  Mount: client mount request -> call to server portmap -> returns mountd port #
         -> file system mount request to rpc.mountd -> checks permissions (/etc/xtab)
         -> OK or denied returned to the client kernel
  I/O:   client read/write requests -> biods -> server nfsd kernel threads
         (buffer cache) -> data back to the client
  Direct requests (mkdir, rmdir, fsstat ...): client NFS kernel extension -> server kernel


Figure 10-5. Daemons and NFS client server interaction AN212.0

Notes:

Mounting process

The mountd is a server daemon that answers a client’s request to mount a server’s
exported file system or directory. The mountd daemon finds out which file systems are
available by reading the /etc/xtab file. The mount process takes place as shown in the
visual.

a. Client mount makes call to server’s portmap daemon to find the port number
   assigned to the rpc.mountd daemon.
b. The portmap passes the port number to the client.
c. Client mount then contacts the server rpc.mountd daemon directly and passes the
   name of the desired directory.
d. The server rpc.mountd checks /etc/xtab (built by exportfs -a, a command which
   reads /etc/exports) to verify availability and permissions on the requested
   directory.
e. If all is verified, the server rpc.mountd gets a file handle (pointer to file system
   directory) for the exported directory and passes it back to the client’s kernel.


I/O Requests

When a thread in a client system attempts to read or write a file in an NFS-mounted
directory, the request is redirected from the usual I/O mechanism to one of the client’s biod
threads. The biod thread sends the request to the appropriate server, where it is assigned
to one of the server’s NFS threads (nfsd thread). While that request is being processed,
neither the biod nor the nfsd thread involved do any other work.
The nfsd and biod daemons are both multithreaded, which means there are multiple kernel
threads within a process. Also, the daemons are self-tuning in that they create or delete
threads as needed based on the amount of NFS activity.

The biod daemon

The biod daemon is the block input/output daemon and is required in order to perform
read-ahead and write-behind requests as well as directory reads and bringing data over in
chunks (NFS v3 defaults to 32k). The biod daemon threads improve NFS performance by
filling or emptying the buffer cache on behalf of the NFS client applications. When a user on
a client system wants to read from or write to a file on a server, the biod threads send the
requests to the server. Many operations, such as mkdir, rmdir, symlink, and fsstat are
sent directly to the server from the operating system’s NFS client kernel extension and do
not require the use of the biod daemon.
The maximum number of biod threads can be controlled by: # mount -o biods=n where
n is the number of threads specified. The default is four biod threads per mount point.

The nfsd daemon

The nfsd is a server daemon that handles client requests for file system operations. Each
nfsd handles one request at a time. The receipt of any one NFS protocol request from a
client requires the dedicated attention of an nfsd daemon until that request is satisfied, and
the results of the request processing are sent back to the client. The nfsd daemons are the
active agents providing NFS services. Threads are dynamically created and are limited by
the number specified in the startup file /etc/rc.nfs or nfso settings.

The portmap daemon

The portmap daemon converts RPC program numbers into Internet port numbers. When
an RPC server starts up, it registers with the portmap daemon. The server tells the daemon
which port number it is listening on and which RPC program numbers it serves. By this
process, the portmap daemon knows the location of every registered port used by RPC
servers on the host, and which programs are available on each of these ports. When
mounting, the mount request starts with an RPC call named GETPORT that calls the
portmap, which in turn informs the client of the port number that the called RPC server
listens to. After this, the port number is used as reference for further communication. This is
why the NFS daemons must be registered with the portmap daemon.
A client will only consult the portmap daemon once for each program the client tries to call.
The portmap daemon tells the client which port to send the call to. The client stores this
information for future reference. As standard RPC servers are normally started by the inetd
daemon, the portmap daemon must be started before the inetd daemon is invoked.


Authorization methods

• Standard UNIX authorization based on the UID and GID of the user
  – Ideally there should be a mechanism in place to ensure all users have the
    same credentials, for example, LDAP.
  – The client root user by default is mapped to user nobody.
• Extended file permissions: Access control lists (ACLs)
  – NFSv3 (and v4) supports AIX ACLs (type AIXC)
    • AIX client support only
  – NFSv4 supports NFSv4 ACLs (type NFS4)
    • Operating system independent (includes Windows)

Example: AIX ACL

attributes: SUID
base permissions:
    owner (frank): rw-
    group (system): r-x
    others : ---
extended permissions:
    enabled
    permit rw- u:dhs
    deny r-- u:chas, g:system
    specify r-- u:john, g:gateway, g:mail


Figure 10-6. Authorization methods AN212.0

Notes:

Choosing your user authorization method

When deciding which user authorization method to implement, think about your
requirements for controlling access to data. Do you have simple or complex data access
requirements?

Standard UNIX permissions enable you to control access to only three identities: the
owning user, the owning group, and everyone else. If that is not sufficient to meet your
access control requirements, then you should choose one of the ACL options. For
example, if you have data where you need one group to have write access, one or more
other groups to have read-only access, and everyone else to have no access at all, you will
not be able to accomplish this using standard UNIX permissions.

If standard UNIX permissions do not meet your requirements, you can then choose to use
AIX ACLs or NFS V4 ACLs. If you choose NFS V4 ACLs, then make sure that you choose
file system types on your server that support this. On AIX, NFS V4 ACLs are only
supported by JFS2 with Extended Attribute Format set to version 2 and GPFS.


You should not use AIX ACLs if you have non-AIX NFS clients that must be able to
manipulate ACLs for data on your NFS server. AIXC ACLs are only supported in AIX.
AIXC ACLs are supported on both NFS V3 and NFS V4 AIX clients. To be able to see and
modify AIXC ACLs from an NFS client, you must mount your file systems with the acl
option (noacl is the default).
For more information regarding ACLs, see the AIX Version 6.1 Security Guide.


NFS server configuration: Starting and stopping



• Server configuration

Start NFS (now and at system restart):

# /usr/sbin/mknfs -B
# lssrc -g nfs
Subsystem   Group  PID    Status
biod        nfs    209010 active
nfsd        nfs    249988 active
rpc.mountd  nfs    319652 active
rpc.statd   nfs    311458 active
rpc.lockd   nfs    323774 active
nfsrgyd     nfs           inoperative
gssd        nfs           inoperative

Stop NFS:

# /usr/sbin/rmnfs -N
# lssrc -g nfs
Subsystem   Group  Status
biod        nfs    inoperative
nfsd        nfs    inoperative
rpc.mountd  nfs    inoperative
rpc.statd   nfs    inoperative
rpc.lockd   nfs    inoperative
nfsrgyd     nfs    inoperative
gssd        nfs    inoperative

Start up:

# cat /etc/inittab
....
rctcpip:23456789:wait:/etc/rc.tcpip      Starts daemons
rcnfs:23456789:wait:/etc/rc.nfs          Exports filesystems
....


Figure 10-7. NFS server configuration: Starting and stopping AN212.0

Notes:

The mknfs command configures the system to run the NFS daemons. The mknfs
command accepts the following flags:
• -B: Adds an entry to the inittab file to execute the /etc/rc.nfs file on system restart
  and executes the /etc/rc.nfs file immediately to start the NFS daemons.
• -I: Adds an entry to the inittab file to execute the /etc/rc.nfs file on system restart.
• -N: Starts the /etc/rc.nfs file to start the NFS daemons immediately. When started
  this way, the daemons run until the next system restart.

When NFS is started the following daemons are invoked:
• The biod daemon runs on all NFS client systems. When a user on a client wants to read
  or write to a file on a server, the biod daemon sends this request to the server. The biod
  daemon is activated during system startup and runs continuously.
• The nfsd daemon runs on the server and handles client requests for file system
  operations.

© Copyright IBM Corp. 2010, 2013 Unit 10. Network File System 10-13
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

• The rpc.mountd daemon answers client requests to mount file systems. The mountd
daemon finds out which file systems are available by reading the /etc/xtab file. The
/etc/xtab file is created when file systems are exported on the server. This process
is covered in the next visual.
• The rpc.statd and rpc.lockd daemons work together to maintain stateful locking. NFS
implements an advisory locking mechanism, meaning if a program is ill-behaved and
does not pay any attention to the locking messages it receives, it can go ahead and
access the file. In the event of a server crash, the locking information will be recovered.
The status monitor maintains information on the location of connections as well as the
status in the /etc/sm directory, the /etc/sm.bak file, and the /etc/state file.
When restarted, the statd daemon queries these files and tries to reestablish the
connection it had prior to termination.

The rmnfs command changes the configuration of the system to stop running NFS
daemons. It accepts the same flags as mknfs.


C rm
to fo
ec vo
oy si
u
cl
Ex
pr

10-14 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty

NFS server configuration: Manual exporting


IBM Power Systems

• To export directories:

nfs_server # vi /etc/exports
/home
/usr/man -ro
/data -root=kenny:kyle,access=kenny:kyle:eric,rw=kenny:kyle

nfs_server # exportfs -va
Exported /usr/man
Exported /data
Exported /home

(/etc/xtab is the input to rpc.mountd)

Figure 10-8. NFS server configuration: Manual exporting AN212.0

Notes:

In order to configure an NFS server you have to first decide:

• What directories you want to export
• Which clients you want to have access to the directories and files
• The permissions (for example, read-write, read-only) clients will have when accessing
the files

In the example shown in the visual:

• /home is exported to the world with read-write permissions. For security reasons, the
client's root user does not have root privileges when accessing the files remotely. The
root user is mapped to the nobody user (UID 2).
• /usr/man directory is exported to the world with read-only permissions.
• /data directory is exported to systems kenny, kyle, and eric. Systems kenny and kyle
have read-write access, and their root users have root privileges when accessing the
files remotely. System eric has read-only access and the root user is mapped to user
nobody.

Only when the NFS subsystem is activated, using the mknfs command, can directories be
made available. When the /etc/exports file has been configured, the exportfs command
is used to make the directories available for client mounting. The exportfs -a command
exports all items listed in the /etc/exports file and automatically copies the entries to
the /etc/xtab file. /etc/xtab file entries are used by the system and always reflect
what is currently exported. This leaves the /etc/exports file available for updating at
any time. The /etc/xtab file must never be edited directly.


.I. n
.T ció
.
C
.F a
C rm
to fo
ec vo
oy si
u
cl
Ex
pr

10-16 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook

Uempty

NFS server configuration: SMIT configuration


• To export directories: smitty mknfsexp

                        Add a Directory to Exports List

[TOP]                                                    [Entry Fields]
* Pathname of directory to export                        [/data]                /
  Anonymous UID                                          [-2]
  Public filesystem?                                      no                    +
* Export directory now, system restart or both            both                  +
  Pathname of alternate exports file                     []
  Allow access by NFS versions                           []                     +
* Security method 1                                      [sys]                  +
* Mode to export directory                                read-mostly           +
  Hostname list. If exported read-mostly                 [kenny]
  Hosts & netgroups allowed client access                [kyle]
  Hosts allowed root access                              [eric]

Note:
– Version 4 specific fields have been removed
– There are five security stanzas. Each method can have different properties.

Figure 10-9. NFS server configuration: SMIT configuration AN212.0

Notes:

The operation shown in the visual populates the /etc/exports file and invokes the
exportfs command to make the file system available for mounting. Allowing access by
NFS versions is optional. If left blank the default is v3.

The resulting export file:

# cat /etc/exports
/exports -sec=sys,rw=kenny,access=kyle,root=eric

If not using SMIT, the command for updating /etc/exports (and optionally generating a new
/etc/xtab) is the mknfsexp command. See the man page for more details.

Note: The Public filesystem? field was added at AIX version 4.2.1 to support an
NFS (versions 2 and 3) extension called WebNFS. WebNFS provides for NFS over a Web
browser via a URL (for example, nfs://<server>/<nfs_public_dir>). This functionality is
rarely (if ever) used. AIX clients do not support the mounting of public exports and the
default option should always be left as no.
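The /etc/exports semantics described for the manual-exporting visual and for the SMIT panel above can be checked mechanically. The following Python is an added example, not code from the course or from AIX: it parses the sample entries (a constructed copy of the two files shown) and reports what a named client is granted; the client name "stan" and the audit wording are constructed here.

```python
"""Parse AIX-style /etc/exports entries and compute what a named client is granted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample combining the entries shown in the manual-exporting and SMIT visuals.
SAMPLE_EXPORTS = """\
/home
/usr/man -ro
/data -root=kenny:kyle,access=kenny:kyle:eric,rw=kenny:kyle
/exports -sec=sys,rw=kenny,access=kyle,root=eric
"""

EVERYONE = "(everyone)"  # the marker showmount -e prints for an unrestricted export


@dataclass
class Export:
    path: str
    access: Optional[List[str]] = None     # access=list: only these clients may mount
    rw_hosts: Optional[List[str]] = None   # rw=list: these clients rw, everyone else ro
    read_only: bool = False                # bare -ro
    root_hosts: List[str] = field(default_factory=list)  # root=list: uid 0 kept for these
    anon_uid: int = -2                     # anon=: uid remote root is mapped to (nobody)
    other: Dict[str, str] = field(default_factory=dict)  # sec=, vers=, ... kept verbatim


def _hosts(value: str) -> List[str]:
    return [h for h in value.split(":") if h]


def parse_exports(text: str) -> List[Export]:
    """One Export per non-comment line; options follow the path after a single '-'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        exp = Export(path=parts[0])
        if len(parts) == 2:
            if not parts[1].startswith("-"):
                raise ValueError(f"{exp.path}: options must start with '-'")
            for opt in parts[1][1:].split(","):
                key, _, val = opt.partition("=")
                if key == "ro" and not val:
                    exp.read_only = True
                elif key == "rw" and val:
                    exp.rw_hosts = _hosts(val)
                elif key == "access":
                    exp.access = _hosts(val)
                elif key == "root":
                    exp.root_hosts = _hosts(val)
                elif key == "anon":
                    exp.anon_uid = int(val)
                else:
                    exp.other[key] = val   # bare rw, sec=, vers=, ... not interpreted here
        exports.append(exp)
    return exports


def effective_access(exp: Export, client: str):
    """Return (can_mount, mode, uid the client's root becomes) for one client and one export."""
    if exp.access is not None and client not in exp.access:
        return (False, None, None)
    if exp.rw_hosts is not None:
        mode = "rw" if client in exp.rw_hosts else "ro"
    else:
        mode = "ro" if exp.read_only else "rw"
    root_uid = 0 if client in exp.root_hosts else exp.anon_uid
    return (True, mode, root_uid)


def showmount_view(exports: List[Export]) -> Dict[str, str]:
    """Reproduce the host column of 'showmount -e' for these exports."""
    return {e.path: EVERYONE if e.access is None else ",".join(e.access) for e in exports}


def audit(exports: List[Export]) -> List[str]:
    """Findings a reviewer would raise: world-writable exports and hosts keeping remote root."""
    findings = []
    for e in exports:
        if e.access is None and effective_access(e, "any-host")[1] == "rw":
            findings.append(f"{e.path}: read-write for every client (no access= list)")
        for h in e.root_hosts:
            findings.append(f"{e.path}: root on {h} is not mapped to uid {e.anon_uid}")
    return findings
```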

© Copyright IBM Corp. 2010, 2013 Unit 10. Network File System 10-17
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

Manual NFS client mounting


• The showmount command can be used to query the directories exported by the NFS
server.

nfs_client # showmount -e nfs_server
export list for nfs_server:
/usr/man (everyone)
/data    kenny,kyle,eric
/home    (everyone)

• Mounting an NFS server directory:

# mkdir /data_client_mnt
# mount nfs_server:/data /data_client_mnt

nfs_client # df /data
Filesystem          512-blocks     Free  %Used  Iused  %Iused  Mounted on
nfs_server:/data        278528   212920    24%   1317      6%  /data_client_mnt

• Predefined mounts can also be defined using smit mknfsmnt


Figure 10-10. Manual NFS client mounting AN212.0

Notes:

The showmount command is useful for viewing which directories are available for
mounting on a particular NFS server (v2 and v3 only). To mount an NFS directory, first
create a mount point directory, and then issue the mount command as shown in the visual.

Syntax: mount <NFS_server_name>:<server mount point> <client directory mount point>


Predefined NFS client mounting


– smit mknfsmnt

                        Add a File System for Mounting

                                                          [Entry Fields]
* Pathname of mount point                                 [/data_client_mnt]    /
* Pathname of remote directory                            [/data]
* Host where remote directory resides                     [nfs_server]
* Security method                                         [sys]                 +
* Mount now, add entry to /etc/filesystems or both?        Both                 +
* /etc/filesystems entry will mount the directory          no                   +
    on system restart.
* Mode for this NFS file system                            read-write           +
* Attempt mount in foreground or background                background           +
* Mount file system soft or hard                           hard

Note: Many options removed for clarity.

The resulting /etc/filesystems stanza:

/data_client_mnt:
        dev             = "/data"
        vfs             = nfs
        nodename        = nfs_server
        mount           = false
        options         = bg,hard,intr,sec=sys
        account         = false

Figure 10-11. Predefined NFS client mounting AN212.0

Notes:

Predefined mounts are NFS mounts which are defined in /etc/filesystems for ease of
use when manually mounting or to enable remote file systems to be mounted during
system start time.

Key options are:

• Security Method: Possible values are sys, dh, krb5, krb5i, and krb5p which correspond
to UNIX, DES, Kerberos 5, Kerberos 5 with integrity, and Kerberos 5 with privacy. The
default NFS security used in most implementations is standard UNIX (sys). The other
methods are used in special situations where authentication and encryption are
required. These methods are supported by a new version of NFS (NFS version 4). NFS
v4 is not the default version used in AIX and is a fairly complex topic. The next section
will cover some of the highlights of using NFSv4.
• Mode: Read-write or read-only.

• Attempt mount in: Values are background (default) or foreground. If the attempt to
mount the directory fails, the mount will be retried in the background. If foreground is
selected the mount request stays in the foreground even if the mount request fails.
• Mount type: Values are hard or soft. If the mount is soft, the system returns an error if
the server does not respond. If the mount is hard, the client continues trying until the
server responds. The hard mount is the default. When a hard mount is selected an
extra option (intr) is included in /etc/filesystems. The intr option allows signals to
interrupt an NFS call. This is useful for aborting an NFS mount process when the server
does not respond.
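The stanza format and the bg/fg, hard/soft and intr choices explained above can be read back from /etc/filesystems and checked. This Python is an added example, not part of the course or of AIX: it parses a constructed copy of the visual's stanza plus a second, deliberately contrasting stanza (/scratch_mnt, constructed) and reports the behaviour each one implies.

```python
"""Parse NFS stanzas from an AIX /etc/filesystems and report the mount behaviour they imply."""
from typing import Dict, List, Optional

# Constructed sample: the stanza from the visual plus a contrasting soft, foreground, boot-time mount.
SAMPLE_FILESYSTEMS = """\
* NFS stanza written by smit mknfsmnt (constructed copy of the visual)
/data_client_mnt:
        dev             = "/data"
        vfs             = nfs
        nodename        = nfs_server
        mount           = false
        options         = bg,hard,intr,sec=sys
        account         = false

/scratch_mnt:
        dev             = "/scratch"
        vfs             = nfs
        nodename        = nfs_server
        mount           = true
        options         = fg,soft,sec=sys
        account         = false

/:
        dev             = /dev/hd4
        vfs             = jfs
        log             = /dev/hd8
        mount           = automatic
"""


def parse_filesystems(text: str) -> Dict[str, Dict[str, str]]:
    """Return {mount_point: {attribute: value}}; '*' begins a comment in this file."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def describe_nfs_mount(mount_point: str, attrs: Dict[str, str]):
    """Translate one nfs stanza into the choices the SMIT panel offered; None for local file systems."""
    if attrs.get("vfs") != "nfs":
        return None
    opts = [o for o in attrs.get("options", "").split(",") if o]
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
    return {
        "mount_point": mount_point,
        "remote": f"{attrs['nodename']}:{attrs['dev']}",
        "at_boot": attrs.get("mount") == "true",
        "background": "bg" in opts,       # retry in the background if the first attempt fails
        "soft": "soft" in opts,           # soft: return an error when the server does not respond
        "interruptible": "intr" in opts,  # intr: signals may interrupt a hung NFS call
        "security": sec,
        "mode": "ro" if "ro" in opts else "rw",
    }


def lint_nfs_stanzas(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Behaviour a practitioner should confirm is intended before relying on a predefined mount."""
    findings = []
    for mount_point, attrs in stanzas.items():
        d = describe_nfs_mount(mount_point, attrs)
        if d is None:
            continue
        if d["soft"]:
            findings.append(f"{mount_point}: soft mount, applications get I/O errors when "
                            f"{attrs['nodename']} does not respond")
        elif not d["interruptible"]:
            findings.append(f"{mount_point}: hard mount without intr, a hung NFS call cannot be "
                            "interrupted by a signal")
        if d["at_boot"] and not d["background"]:
            findings.append(f"{mount_point}: mounted at boot in the foreground, a failed attempt "
                            "is not retried in the background")
    return findings
```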

Automount overview

• NFS extension (Autofs) used for automatic and transparent mounting and unmounting
of NFS file systems
– Quiescent NFS mounts are automatically unmounted, thereby reducing the number of
active mounts.
• Uses automount map files to find the mount directories and mount arguments
• Three types of map files:
– Direct (absolute paths)
– Indirect (relative paths)
– Master (pointer to direct and indirect map files)
• Is invoked from the client using the automount command
– Starts the automountd daemon
– If a master map file exists, the automountd is started at boot time.
– New NFS mounts can be added on the fly by adding them as appropriate to the map
files.

Figure 10-12. Automount overview AN212.0

Notes:

The autofs kernel extension monitors specified directory mount points and, when a file I/O
operation is requested to that mount point, requests automountd to mount the directory
within autofs. The automount command is used to propagate the automatic mount
information to the autofs kernel extension and start the automountd daemon. After a period
of inactivity (five minutes by default) for directories under its control, autofs will attempt to
unmount the quiescent NFS filesystem.

Using the automount, you neither have to keep the /etc/filesystems file up to date
with NFS stanzas nor do you have to keep file systems mounted that are not being used.


Map files

• Indirect
# cat /etc/auto_indirect
inventory      kenny:/books
subscription   kenny:/magazine
review         kenny:/article

• Direct
# cat /etc/auto_direct
/home          kenny:/home
/usr/games -ro kenny:/usr/games

• Master (the master map file name is fixed!)
# cat /etc/auto_master
/publishing    /etc/auto_indirect
/-             /etc/auto_direct

• To invoke:
# automount -v
This operation will start the automountd and process the master map file


© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 10-13. Map files AN212.0

Notes:

Indirect map files

The automount indirect local map will contain the name of the client subdirectory mount
point, any optional mount options, and the full path name of the server's exported directory.
The directories inventory, subscription, and review do not have to exist on the client. The
file name /etc/auto_indirect is arbitrary. Any name can be used, but it must be
created and stored in the /etc directory. For simple system administration, use the word
auto followed by a name that describes the contents of the map. Grouping automount
maps by a naming convention makes it easier to keep updated. Indirect map files are used
for mounting NFS exported directories to local mount points which cannot already exist. In
this example, the local mount points are created within the /publishing directory.
/publishing cannot already be an existing mount point.

Direct map files

Direct maps are useful for directories that are under higher level directories, such as
/home, that cannot be used as an automount indirect mount point.

The format of the file is identical to the indirect map file, but the client mount point must be
the full absolute name of a directory.

Master map file

AIX requires all map files to be referenced from within the file /etc/auto_master. This
filename is not optional. The syntax for the master map file is the local directory mount
point, followed by the map name and any optional mount options. /- for direct maps is a
way of saying no mount point needs to be referenced because it is implicitly stated
within the direct map file itself.

The automount command

The automount command is used as an administration tool for AutoFS. Popular flags
include:

• -v: Displays verbose status and warning messages to standard out.
• -i Interval: Specifies the amount of time, in seconds, that an inactive autofs mounted
directory exists. The default is 300 seconds.
• -t Duration: Specifies the amount of time, in seconds, that the auto unmount process
sleeps before it starts to work again. The minimum value is 21. The default value is 120.
The maximum value is 600.
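The three map types and the master file rules described above can be exercised offline. The following Python is an added example, not code from the course or from AIX's automountd: it holds constructed in-memory copies of the three map files from the visual, expands the master map, lists the autofs trigger mounts that exist before any data is touched, and resolves an accessed path to the NFS mount automountd would perform; the accessed file names in the checks are constructed.

```python
"""Resolve AutoFS maps as the visuals describe: /etc/auto_master -> direct/indirect maps -> mounts."""
import posixpath
from typing import Dict, List, Optional, Tuple

# Constructed in-memory copies of the three map files shown in the visual.
MAP_FILES = {
    "/etc/auto_master": """\
/publishing    /etc/auto_indirect
/-             /etc/auto_direct
""",
    "/etc/auto_indirect": """\
inventory      kenny:/books
subscription   kenny:/magazine
review         kenny:/article
""",
    "/etc/auto_direct": """\
/home          kenny:/home
/usr/games -ro kenny:/usr/games
""",
}


def _lines(text: str) -> List[List[str]]:
    """Split a map file into whitespace-separated fields, dropping comments and blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def _parse_map(text: str) -> List[Tuple[str, List[str], str]]:
    """Each entry is key, mount options (without the leading '-') and server:/path."""
    entries = []
    for fields in _lines(text):
        key, location = fields[0], fields[-1]
        if ":" not in location:
            raise ValueError(f"{key}: expected server:/path, got {location!r}")
        entries.append((key, [f.lstrip("-") for f in fields[1:-1]], location))
    return entries


def load_master(files: Dict[str, str]) -> List[dict]:
    """Expand the master map into every path automountd can serve, with its autofs trigger directory."""
    if "/etc/auto_master" not in files:
        raise FileNotFoundError("AIX only reads maps referenced from /etc/auto_master")
    served = []
    for fields in _lines(files["/etc/auto_master"]):
        mount_point, map_name = fields[0], fields[1]
        map_opts = [f.lstrip("-") for f in fields[2:]]
        for key, opts, location in _parse_map(files[map_name]):
            if mount_point == "/-":                   # direct map: keys are absolute paths
                if not key.startswith("/"):
                    raise ValueError(f"{map_name}: direct key {key!r} must be an absolute path")
                path, trigger = key, key
            else:                                     # indirect map: keys are relative
                if key.startswith("/"):
                    raise ValueError(f"{map_name}: indirect key {key!r} must be relative")
                path, trigger = posixpath.join(mount_point, key), mount_point
            served.append({"path": path, "trigger": trigger, "map": map_name,
                           "options": opts + map_opts, "location": location})
    return served


def startup_mounts(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """The autofs trigger mounts present after 'automount' runs and before any NFS data is touched."""
    seen: List[Tuple[str, str, str]] = []
    for entry in load_master(files):
        row = (entry["map"], entry["trigger"], "autofs")
        if row not in seen:
            seen.append(row)
    return seen


def resolve(files: Dict[str, str], accessed_path: str) -> Optional[Tuple[str, str, str, str]]:
    """What automountd mounts when a process touches accessed_path: (node, remote dir, mounted over, options)."""
    best = None
    for entry in load_master(files):
        p = entry["path"]
        if accessed_path == p or accessed_path.startswith(p + "/"):
            if best is None or len(p) > len(best["path"]):
                best = entry
    if best is None:
        return None
    node, remote = best["location"].split(":", 1)
    return (node, remote, best["path"], ",".join(best["options"]))


def check_indirect_triggers(files: Dict[str, str], existing_mount_points: List[str]) -> List[str]:
    """An indirect map's mount point cannot already be a mount point on the client."""
    clashes = set()
    for entry in load_master(files):
        if entry["trigger"] != entry["path"] and entry["trigger"] in existing_mount_points:
            clashes.add(entry["trigger"])
    return sorted(clashes)
```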
Automount in operation

• On boot / startup of the automount subsystem

# mount
  node       mounted            mounted over     vfs     date          options
  --------   ---------------    ---------------  ------  ------------  ---------------
             /dev/hd4           /                jfs     27 Jul 13:24  rw,log=/dev/hd8
             /dev/hd2           /usr             jfs     27 Jul 13:24  rw,log=/dev/hd8
             /dev/hd9var        /var             jfs     27 Jul 13:24  rw,log=/dev/hd8
             /dev/hd3           /tmp             jfs     27 Jul 13:24  rw,log=/dev/hd8
  Note: some AIX file systems removed for clarity
             /etc/auto_indirect /publishing      autofs  27 Jul 13:24  ignore
             /etc/auto_direct   /usr/games       autofs  27 Jul 13:24  ignore

• On access of NFS file system data

# mount
  node       mounted            mounted over              vfs     date          options
  --------   ---------------    ---------------           ------  ------------  ---------------
  Note: AIX file systems removed for clarity
             /etc/auto_indirect /publishing               autofs  27 Jul 13:24  ignore
             /etc/auto_direct   /usr/games                autofs  27 Jul 13:24  ignore
  kenny      /books             /publishing/inventory     nfs3    27 Jul 13:37
  kenny      /article           /publishing/review        nfs3    27 Jul 13:37
  kenny      /magazine          /publishing/subscription  nfs3    27 Jul 13:37
  kenny      /usr/games         /usr/games                nfs3    27 Jul 13:37  ro
  kenny      /home              /home                     nfs3    27 Jul 13:38


Figure 10-14. Automount in operation AN212.0

Notes:

On start up of AIX, if a master file map exists, the automountd daemon is started
automatically and processes the file. At this point, no NFS file systems have been
mounted. This can be seen in the first half of the visual. The second half of the visual
shows all the NFS file systems mounted as data has been accessed.


Topic summary

Having completed this topic, you should be able to:

• Define NFS terminology and concepts
• Identify the NFS daemons and their roles
• Understand NFS client server interaction
• Describe NFS authorization methods
• Stop and start NFS
• Configure an NFS server
• Configure an NFS client
• Understand the role of the automounter
• Configure the automount subsystem


© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 10-15. Topic summary AN212.0

Notes:

10.2. NFS version 4


NFS version 4

After completing this topic, you should be able to:

• Define the goals of NFSv4
• Describe the role of the new NFSv4 daemons
• Configure an NFSv4 domain and pseudo-root file system
• Extend the pseudo-root file system using alias tree extensions
• Describe and configure NFSv4 features:
– Referrals, replication, and delegation
• Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms


Figure 10-16. NFS version 4 AN212.0

Notes:
NFSv4 overview and design goals


• NFS version 4 support was included in AIX 5.3.
– You must explicitly declare an export for NFS V4 using the vers option.
• Potentially improved performance
– Less impact from WAN latencies
– Ability to use parallel NFS (pNFS)
• Increased security (RPCSEC-GSS)
• Integrated locking support
– NFS v4 protocol is stateful
– File locking is implemented and, by default, is the main protocol
– There are no rpc.statd and rpc.lockd daemons required
• Cross platform interoperability, including Microsoft Windows
• Backwards compatibility with NFSv3
• Movement toward an open standard, managed by the IETF, whereas previous versions
of NFS were proprietary.


Figure 10-17. NFSv4 overview and design goals AN212.0

Notes:

NFS V2 and NFS V3 History

NFS was first introduced by Sun Microsystems in the early 1980s.

NFS V1 was Sun's prototype version and was never released for public use.

NFS V2 was released in 1985 with the SunOS V2 operating system. Many UNIX vendors
licensed this version of NFS from Sun. NFS V2 suffered many undocumented and subtle
changes throughout its 10-year life. Some vendors allowed NFS V2 to read or write more
than 4 K bytes at a time. Others increased the number of groups provided as part of the
RPC authentication from 8 to 16. These minor changes created occasional
incompatibilities between different NFS implementations; however, the protocol continued
to provide an exceptional degree of compatibility between systems made by different
vendors.

The NFS V3 specification was developed during July 1992. Working code for NFS V3 was
introduced by some vendors in 1995 and was made widely available in 1996. Version 3

incorporated many performance improvements over Version 2 but did not significantly
change the way that NFS worked or the security model used by the network file system.

NFS V4 design motivations

Increasingly, businesses have needed to secure and protect data. Earlier versions of NFS
had weaknesses that kept them from meeting these needs. The following list is an example
of areas that NFS V2 and NFS V3 have failed to address:

• Strong authentication to prevent malicious users from masquerading as valid users of
the system
• Fine-grained access control to make sure only the right people have access to sensitive
data
• Encrypting data traffic to protect it from unauthorized disclosure as it travels over the
network
• Uniquely identifying users in a large organization
• Good system and file I/O performance, including access from remote locations
• Being able to access shared data from many different platforms
• The use of an open systems design

NFS V4 in AIX

NFS v4 is not the default version used in AIX. This course topic will cover some of the
highlights of using NFSv4 in AIX. For more detail than can be covered in this course, refer
to the following IBM Redbook (www.redbooks.ibm.com):
Implementing NFSv4 in the Enterprise: Planning and Migration Strategies.

New daemon processes



• nfsrgyd
– Mandatory daemon (on both server and client)
– Provides name translation services for NFS servers and clients
• gssd
– Optional daemon, depending on the NFS security method
– Kerberos 5 as an NFS security method is provided under a mechanism called
General Security Services (GSS).
– In AIX, GSS is provided by a library in the IBM Network Authentication Service
(NAS) fileset.

# lssrc -g nfs
Subsystem         Group            PID          Status
 biod             nfs              209010       active
 nfsd             nfs              249988       active
 rpc.mountd       nfs              319652       active
 rpc.statd        nfs              311458       active
 rpc.lockd        nfs              323774       active
 nfsrgyd          nfs              324433       active
 gssd             nfs                           inoperative


Figure 10-18. New daemon processes AN212.0

Notes:

The nfsrgyd daemon provides a name translation service for NFS servers and clients. This
daemon must be running in order to perform translations between NFS string attributes and
UNIX numeric identities.

Some NFS security methods, such as Kerberos 5, are provided under a more general
mechanism called General Security Services or GSS. In AIX, GSS services are provided
by a library in the IBM Network Authentication Service (NAS) fileset. NAS is shipped on the
expansion pack. The gssd daemon makes these GSS services available to the NFS server
kernel code. If the gssd daemon is not running, then efforts to access files via NFS using
GSS security methods such as Kerberos 5 will fail.

NFSv4 pseudo file system



NFS domain: lpar.co.uk            /nfsv4 pseudo-root (also referred to as "nfsroot")
                                    home: alex, francois
                                    projects: projA, projB, projC

nfs_server:/ # /usr/sbin/chnfsdom lpar.co.uk     Sets the NFS domain to "lpar.co.uk"
nfs_server:/ # chnfs -r /nfsv4 -B                and nfsroot to "nfsv4"
nfs_server:/ # nfsd -getnodes
#root:public
/nfsv4:/nfsv4
nfs_server:/ # cat /etc/exports
/nfsv4/home -vers=4,sec=sys,rw,root=nfs_client
/nfsv4/projects -vers=4,sec=sys,rw,root=nfs_client

Mount nfsroot:
nfs_client:/ # /usr/sbin/chnfsdom lpar.co.uk
nfs_client:/ # mount -o vers=4 nfs_server:/ /mnt
nfs_client:/ # ls /mnt
home projects


Figure 10-19. NFSv4 pseudo file system AN212.0

Notes:

NFSv4 pseudo file system

NFS V4 no longer has a separate mount protocol. Instead of exporting a number of distinct
exports, an NFS V4 client sees the NFS V4 server's exports as existing inside a single file
tree called the nfsv4 pseudo file system. The pseudo file system tree constructed by the
server creates a single logical view of all the different exported file systems.

Differences between NFSv3 and NFSv4 mounts

The benefit provided by NFSv4 under AIX becomes immediately apparent as soon as the
difference in mount strategies is understood. On NFSv3 clients, each exported file system
must be mounted individually, while only a single mount command is required when
NFSv4 is in use. The NFSv4 server creates a pseudo view for the NFSv4 clients, so all the
exported file systems are visible when a user changes directory to /mnt.

First steps

The first step in configuring NFSv4 is to set an NFS domain name. This is done using the
chnfsdom command. Although any domain name can be used, it is usually best practice

that the domain name matches the DNS or Kerberos domain/realm names. The next step
on the server is to set the location of the nfsroot directory. This step is optional because, by
default, it is set to the root /. However, for best practice, it should be relocated elsewhere
using the chnfs command.

AUTH_SYS method

By default, NFS uses the AUTH_SYS (sec=sys) method to authenticate user identities.
Under the AUTH_SYS security flavor, the user is authenticated at the client, usually via a
logon name and password. The NFS server trusts the user and group identities presented
by its clients.

Note: NFS V4 does not support file exporting. If you need to export a specific file, export it
as Version 2 or 3 (using the vers=2 or vers=3 options).

NFSv4 alias tree extension
IBM Power Systems

• Allows local file systems to be exported under aliased directories,
  typically the pseudo-root directory.

[Diagram: NFS domain lpar.co.uk. The separate local file systems fsA, fsB and 3rdparty/code
are exported under the pseudo-root /exports as fsA, fsB and code.]

nfs_server:/ # cat /etc/exports
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw,exname=/exports/fsB
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
nfs_server:/ # exportfs -va
nfs_client:/ # mount -o vers=4 nfs_server:/ /mnt
nfs_client:/ # ls /mnt
code  fsA  fsB

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.
US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 10-20. NFSv4 alias tree extension AN212.0

Notes:

The alias tree model adds more flexibility to NFSv4 exports. External name space
(exname) is not part of the NFS V4 RFC. This is an option specific to the AIX implementation.

The exname option extends the pseudo file system concept. The external name in your
/etc/exports file must begin with the nfsroot name.

Note:
• The pseudo-root FS setup described on the previous visual cannot coexist with the
  alias tree model. You must choose between the two models.
• Each of the exported directories shown above (/local/fsA, /local/fsB, and
  /local/3rdparty/code) is an individual file system. This is a mandatory
  requirement. For example:

  node       mounted       mounted over           vfs    date          options
  --------   -----------   --------------------   -----  ------------  -------------------
             /dev/fslv01   /local/fsA             jfs2   23 Jul 16:34  rw,log=/dev/loglv00
             /dev/fslv02   /local/fsB             jfs2   23 Jul 16:34  rw,log=/dev/loglv00
             /dev/fslv03   /local/3rdparty/code   jfs2   23 Jul 16:34  rw,log=/dev/loglv00

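As an added example (not part of the course material), a small sh/awk lint that applies the rules above to an /etc/exports file: every exname must begin with the nfsroot, every exported path must be a separate file system (checked against the mounted-over column of mount output), and vers=4 exports without exname must not be mixed with exname exports. The nfsroot value and the mount list are assumed inputs, and the sample entries are constructed from the visual.

```shell
#!/bin/sh
# Added example (not from the course): lint an AIX-style /etc/exports that uses
# the alias tree (exname) model. Assumptions: nfsroot is passed as $1, the
# mounted-over paths (column 2 of `mount`) as a space-separated list in $2, and
# the exports text arrives on stdin. All sample values below are constructed.

# Constructed sample mirroring the visual: three exname exports, each a
# separate jfs2 file system mounted over /local/...
SAMPLE_EXPORTS='/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw,exname=/exports/fsB
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code'

SAMPLE_MOUNTS='/local/fsA /local/fsB /local/3rdparty/code'

# lint_exports NFSROOT "MOUNTPOINT ..." < exports
# Prints one line per finding; prints nothing and returns 0 when clean.
lint_exports() {
    awk -v root="$1" -v mounts="$2" '
    BEGIN {
        n = split(mounts, m)
        for (i = 1; i <= n; i++) is_mount[m[i]] = 1
        prefix = (root == "/") ? "/" : root "/"   # exname must start with nfsroot
        problems = 0
    }
    /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
    {
        path = $1
        opts = (NF >= 2) ? $2 : ""
        sub(/^-/, "", opts)                     # "-vers=4,rw,..." -> "vers=4,rw,..."
        exname = ""; vers4 = 0
        nopt = split(opts, o, ",")
        for (i = 1; i <= nopt; i++) {
            if (o[i] ~ /^exname=/) exname = substr(o[i], 8)
            if (o[i] ~ /^vers=/ && o[i] ~ /4/) vers4 = 1
        }
        if (exname != "") {
            has_exname++
            if (index(exname, prefix) != 1) {
                print path ": exname " exname " does not begin with nfsroot " root
                problems++
            }
        } else if (vers4) {
            plain[path] = 1                     # v4 export relying on the pseudo-root model
        }
        if (!(path in is_mount)) {
            print path ": not a separate file system (no mount entry)"
            problems++
        }
    }
    END {
        # the two models cannot coexist: flag plain v4 exports once exname is in use
        if (has_exname)
            for (p in plain) {
                print p ": vers=4 export without exname mixes the pseudo-root and alias tree models"
                problems++
            }
        exit (problems > 0)
    }'
}
```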
NFSv4 referrals (1 of 2)

• Referrals
  – Allow us to build a distributed namespace
  – Mask the real NFS servers from the clients

[Diagram: NFS clients mount a master NFS server; referrals on the master point to the
NFS servers that actually hold the data.]

Figure 10-21. NFSv4 referrals (1 of 2) AN212.0

Notes:

The NFSv4 protocol provides referral and replication functions that enable the distribution
of data across multiple servers in a way that is transparent to the users of that data. A
referral is a special NFSv4 object, created in the namespace of a server, to which location
information is attached. This server redirects, or refers, operations to the server specified in
the location information. In other words, the referral server does not actually contain the file
system but automatically redirects the client to another server that does. This is a very
powerful capability because it hides from the end user where the actual data is located. In
addition, the administrator can redirect clients from one server to another simply by
changing the referral statement in the exports file on the server.

Note: Circular referrals (for example, server A referring a path to server B, whose export
of the same path refers back to server A) can be created. They must be avoided.

NFSv4 referrals (2 of 2)

publications:/ # cat /etc/exports
/local/docs -vers=4,sec=sys,rw

data:/ # cat /etc/exports
/local/data -vers=4,sec=sys,rw

master_nfs_server:/ # cat /etc/exports
/local/docs -vers=4,refer=/local/docs@publications
/local/data -vers=4,refer=/local/data@data

nfs_client:/ # mount -o vers=4 master_nfs_server:/ /mnt
nfs_client:/ # ls /mnt
local

Figure 10-22. NFSv4 referrals (2 of 2) AN212.0

Notes:

The visual above demonstrates the referral feature. The client gains access to two NFS
directories, /mnt/local/docs and /mnt/local/data, by mounting the nfsroot
directory on the master server. The directories themselves reside on the publications and
data servers respectively; the master server holds only the referrals.

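As an added example (not part of the course material), a sh/awk check that follows the refer= chains across the exports files of several servers and reports whether each chain resolves, loops back on itself (the circular case the previous notes warn about) or ends at a server that does not export the path. The combined input format, with each server's name prefixed to its exports lines, is an assumption made here; only the single-host form refer=path@host shown on the visual is parsed, and the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the course): follow refer= chains across several
# servers' /etc/exports files and flag circular or dangling referrals.
# Assumption: the input is built by prefixing each server's exports lines with
# that server's name, i.e. "<server> <path> -<options>". Samples are constructed.

# Constructed sample reproducing the visual: the master refers to two servers
# that hold the data locally.
SAMPLE_REFERRALS='publications /local/docs -vers=4,sec=sys,rw
data /local/data -vers=4,sec=sys,rw
master_nfs_server /local/docs -vers=4,refer=/local/docs@publications
master_nfs_server /local/data -vers=4,refer=/local/data@data'

# Constructed sample of the circular case the notes warn about.
CIRCULAR_REFERRALS='nfs_a /local/docs -vers=4,refer=/local/docs@nfs_b
nfs_b /local/docs -vers=4,refer=/local/docs@nfs_a'

# check_referrals < combined-exports
# Prints "resolves|circular|dangling: <chain>" per referral; returns 1 on any
# circular or dangling chain.
check_referrals() {
    awk '
    /^[ \t]*#/ || NF < 2 { next }
    {
        key = $1 ":" $2                         # server:path of this export
        exported[key] = 1
        opts = (NF >= 3) ? $3 : ""
        sub(/^-/, "", opts)
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^refer=/) {
                t = substr(o[i], 7)             # e.g. "/local/docs@publications"
                at = index(t, "@")
                if (at > 0) refer[key] = substr(t, at + 1) ":" substr(t, 1, at - 1)
            }
    }
    END {
        rc = 0
        for (k in refer) {
            cur = k; chain = k; status = "resolves"
            seen[k, cur] = 1
            while (cur in refer) {
                nxt = refer[cur]
                chain = chain " -> " nxt
                if ((k, nxt) in seen) { status = "circular"; break }
                seen[k, nxt] = 1
                cur = nxt
            }
            # the chain must end at a server that really exports the path
            if (status == "resolves" && !(cur in exported)) status = "dangling"
            if (status != "resolves") rc = 1
            print status ": " chain
        }
        exit rc
    }'
}
```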
NFSv4 replication (1 of 2)

• Replication
  – Ideal for read-only file systems
  – Client can continue to access data if an NFS server fails
  – The actual replication of data is not performed by NFS!

[Diagram: an NFS client mounts /data over the network from NFS server Replica1; NFS
server Replica2 holds a second copy of /data.]

  – Enabling replication on the server:

nfs_lpar1:/ # chnfs -R on -B
nfs_lpar1:/ # nfsd -getreplicas
replicas=on

Figure 10-23. NFSv4 replication (1 of 2) AN212.0

Notes:

Replication is a means of specifying locations where copies of data can be found. It allows
copies of data to be placed on multiple NFSv4 servers and informs NFSv4 clients where
the replicas can be located. There are two primary reasons for replicating data:

• Replicating data improves availability in the case of failure.
• Replication enables load balancing by having different clients refer to multiple servers.

NFSv4 replication (2 of 2)

nfs_lpar1:/ # cat /etc/exports
/exports -vers=4,sec=sys,ro,replicas=/exports@nfs_lpar1:/exports@nfs_lpar2

nfs_lpar2:/ # cat /etc/exports
/exports -vers=4,sec=sys,ro,replicas=/exports@nfs_lpar2:/exports@nfs_lpar1

nfs_client # mount -o vers=4 nfs_lpar1:/ /mnt
nfs_client # nfs4cl showfs /mnt/exports |grep -v options
Server      Remote Path      fsid             Local Path
--------    ---------------  ---------------  ---------------
nfs_lpar1   /exports         0:42949672973    /mnt/exports
Current Server: nfs_lpar1:/exports
Replica Server: nfs_lpar2:/exports

nfs_client # nfs4cl setfsoptions /mnt/exports prefer=nfs_lpar2
nfs_client # nfs4cl showfs /mnt/exports |grep -v options
Server      Remote Path      fsid             Local Path
--------    ---------------  ---------------  ---------------
nfs_lpar2   /exports         0:42949672973    /mnt/exports
Current Server: nfs_lpar2:/exports
Replica Server: nfs_lpar1:/exports

Figure 10-24. NFSv4 replication (2 of 2) AN212.0

Notes:

Client-side support for multiple locations

When the client is no longer able to access replicated data on its current server, it attempts
to access the data from the next most favored server. The client creates a preference list
when it mounts a file system from the server, using the order specified in the server's
/etc/exports entry for that file system. This order can be overridden by the client using
the nfs4cl command as shown in the visual.

Important: The NFSv4 replication protocol does not provide automatic data
synchronization among replica sites.

Synchronizing replicas

Read-write and read-only exports in a replicated environment pose a major challenge in
respect to data synchronization. A method of synchronizing data between sites and
replicas is required. Several methods are available for achieving this:
• Using the cpio command, in conjunction with the rsh or ssh commands
• Using the rdist command
• Building a clustered General Parallel File System (GPFS) environment

For small environments, building replicas with the cpio command in conjunction with the
rsh or ssh commands is probably the easiest method to implement. This method also
preserves the NFSv4 ACLs that might be present on directories or files. Prefer ssh over rsh
for the transport: rsh relies on host-based trust and sends the archive stream in the clear.
A clustered environment using the IBM General Parallel File System (GPFS) provides the
most complete solution.

cpio example:

nfs_lpar1 # rsh nfs_lpar2 "find /exports -print | cpio -oacvU " | cpio -icvUud

After the command completes, the /exports file system on nfs_lpar1 is a copy of the
/exports file system on nfs_lpar2.


NFSv4 delegation

• Delegation is an optional protocol mechanism that can reduce
  overhead for client caching of NFS accessed files.
• Read delegation (what AIX supports) ensures the file is not
  modified, eliminating the need to periodically check for
  changes.
  – Both client and server delegation are on by default (1):

master_nfs_server:/ # nfso -a |grep delegation
                 client_delegation = 1
                 server_delegation = 1

  – Can also be set on a per file system basis (if turned off at a global
    level):

master_nfs_server:/ # cat /etc/exports
/exports -deleg=yes,vers=4,sec=sys,rw

Figure 10-25. NFSv4 delegation AN212.0

Notes:

Client-side caching and delegation

Most NFS client implementations cache both data and attributes to improve performance
and reduce network traffic. With caching, some amount of server interaction is still required
to maintain the required semantics of the NFS protocol. Clients must check with servers at
file OPEN time to validate and flush cached information as appropriate. In addition, the
client periodically polls the server while files are in use. Depending on the application
environment, the network traffic associated with client cache maintenance can be modest.
In less reliable or slower networks, this traffic can represent a performance restriction.

NFS V4 provides an optional protocol mechanism called delegation that can improve the
caching of NFS. With delegations, the open time network traffic can be avoided as well as
the periodic checks to servers. The reduction in network traffic can help increase the
performance and scale of an NFS environment.

When a file is opened, the server can provide the client a read delegation for the file. If the
client is granted a read delegation, it is assured that no other client has the ability to write to
the file for the duration of the delegation. If the client is granted a write delegation, the client
is assured that no other client has read or write access to the file. The AIX server only
grants read delegations. The AIX server only supports delegation with the 64-bit AIX
kernel. The AIX client supports both read and write delegations.

In order for the server to grant a delegation to the client, the client must first provide a
callback address to the server. When a delegation is recalled, the server will send the recall
request to this address. By default, the client will indicate the IP address that is being used
for normal communication with the server. For clients with multiple network interfaces, a
specific address can be specified in the /etc/nfs/nfs4_callback.conf file. The
format of the entries in this file is:

server-host client-ip-address

Server-host is the name or address of an NFSv4 server and client-ip-address is the client
address to be used when providing the server callback information.

Delegations can be recalled by the server. If another client requests access to the file in
such a way that the access conflicts with the granted delegation, the server is able to notify
the initial client and recall the delegation. This requires that a callback path exists between
the server and client. If this callback path does not exist, then delegations cannot be
granted. If a file delegation has been granted, access from other NFSv4 clients, NFS
versions 2 and 3 clients, and local accesses to the file at the file server can cause the
delegation to be recalled. If GPFS is being NFSv4 exported, an access at a GPFS node in
the network might cause the delegation to be recalled.

The essence of a delegation is that it allows the client to locally service operations such as
open, close, lock, locku, read, and write without immediate interaction with the server.

Server and client delegation is enabled by default. Server delegation can be disabled with
the nfso -o server_delegation=0 command. Administrators can use the exportfs
command option:

-o deleg={yes | no}

to disable or enable the granting of delegations on a per-file system basis, which will
override the nfso setting. The deleg option can also be specified in the /etc/exports file
entry for an exported file system.

Client delegation can be disabled with the nfso -o client_delegation=0 command. Client
delegation must be set before any mounts take place on the client.

If the administrator is exporting a file system where many clients will be writing to many
common files, the administrator might want to disable delegations for that file system.

If the client cannot be contacted (for example, if the network or client is experiencing an
outage), other clients might be delayed in accessing the data.

Using NFSv3 and NFSv4 side by side

• NFSv3 example:

nfs_lpar1:/ # cat /etc/exports
/exports -rw
/data -ro

  – Can be changed to support both v3 and v4 clients:

nfs_lpar1:/ # cat /etc/exports
/exports -vers=3:4,rw,sec=sys,krb5
/data -vers=3:4,ro,sec=sys,krb5
nfs_lpar1:/ # exportfs -va

  – Data can be mounted by using either NFSv3 or v4

Figure 10-26. Using NFSv3 and NFSv4 side by side AN212.0

Notes:

Despite the addition of new NFSv4 functionality in AIX, many customer sites require the
ability to provide both NFSv3 and NFSv4 services concurrently. This can be necessary in
order to support existing systems or other operating systems that presently do not offer
NFSv4 implementations. Coexistence of both versions is not difficult to achieve, and a
hybrid environment can be maintained indefinitely if necessary.


NFSv4 security overview

• RPCSEC_GSS mechanisms:
  – Kerberos Version 5
  – SPKM (Simple Public-Key Mechanism)
  – LIPKEY (Low Infrastructure Public Key Mechanism using SPKM)
• Currently, AIX only provides support for Kerberos v5 security.
  – krb5: Authentication only
  – krb5i: Authentication and integrity
  – krb5p: Authentication, integrity, and privacy

nfs_lpar1:/ # cat /etc/exports
/data -vers=4,rw,sec=krb5p,krb5i,krb5

[Diagram: an AIX NFS server and an AIX NFS client, both Kerberos clients in Kerberos
domain lpar.co.uk, exchange NFS traffic with optional integrity checking and encryption.
Each authenticates against a Kerberos server (KDC with an LDAP back end) in Kerberos
domain lpar.co.uk and NFS domain lpar.co.uk. For further details, including configuration,
refer to the Redbook Securing NFS in AIX.]

Figure 10-27. NFSv4 security overview AN212.0

Notes:

NFSv4 security

NFS has always relied on client-side authentication to provide security. This has generally
not been a problem because NFS has largely been used within private networks. One of
the objectives of the Version 4 protocol is to enable increased use of NFS on wide area
networks. The basic NFS security mechanisms are extended in NFS V4 through the
mandated support of RPCSEC_GSS. RPCSEC_GSS is implemented at the RPC layer.
It is capable of supporting the following security mechanisms:

• Kerberos Version 5 (IETF RFC-1964)
  Kerberos is a network authentication service that provides a means of verifying the
  identities of principals (users and hosts) on physically insecure networks. Kerberos
  provides mutual authentication, data integrity, and privacy under the realistic
  assumption that network traffic is vulnerable to capture, examination, and substitution.
  Kerberos is a symmetric key mechanism that is more suited for an intranet-based
  solution. The Kerberos authentication method is the third-party authentication model;
  the trusted third party or intermediary used in the Kerberos protocol is the Key
  Distribution Center (KDC). The KDC issues all of the Kerberos tickets to the clients. In
  the Kerberos protocol, a database is maintained that keeps a record of every principal.
  The record contains the name, private key, expiration date of the principal, and some
  administrative information about each principal. This Kerberos database is maintained
  on the master KDC and can be replicated to one or more replica KDCs.
  Other existing distributed file systems, such as DFS (Distributed File System) and AFS
  (Andrew File System), also use the Kerberos mechanism for their security.
• SPKM (IETF RFC-2025)
  SPKM is a GSS-API mechanism based on public key technology, unlike Kerberos,
  which is based on symmetric key technology. SPKM provides authentication, key
  establishment, data integrity, and data confidentiality in an on-line distributed
  application environment using a public key infrastructure. SPKM data formats and
  procedures are designed to be as similar to those of the Kerberos mechanism as is
  practical, for easy implementation in those environments where Kerberos has already
  been implemented. For applications that need to have a GSS-API mechanism based on
  a public key infrastructure, SPKM is the answer.
• LIPKEY (Low Infrastructure Public Key Mechanism using SPKM, IETF RFC-2847)
  GSS-API mechanisms, such as Kerberos Version 5 [IETF RFC-1964] and SPKM [IETF
  RFC-2025], require a great deal of infrastructure. LIPKEY is a low infrastructure-based
  GSS-API security mechanism that maps to a typical Transport Layer Security (TLS)
  deployment scenario. It consists of a client with no public key certificate accessing a
  server with a public key certificate. The LIPKEY mechanism can be used when the
  initiator (client) does not possess a public key certificate, and instead uses user name
  and password for authentication.
  Typically, most LIPKEY implementations use the native password database
  residing on the server's operating system for client authentication. Some LIPKEY
  implementations might provide a plug-in architecture that lets administrators use
  different authentication databases for verification of the username and password
  supplied by the client.

Because of their asymmetric nature, these security mechanisms based on public key
technology are more suitable for Internet-based solutions. The long-term plan for NFS
Version 4 is to make it available on the Internet, separate from its usage in
intranet-based solutions. For it to succeed, SPKM and LIPKEY in particular (because
of its low infrastructure requirement) will play a vital role.

NFS Version 4 is slowly emerging as the next generation distributed file system. For further
details on integrating NFSv4 with Kerberos v5 on AIX, refer to the Redbook Securing NFS
in AIX, SG24-7204-00.

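As an added example (not part of the course material), an sh/awk audit of the sec= flavours in /etc/exports that flags entries relying on AUTH_SYS, where the server merely trusts the client-asserted identities, and entries that only offer krb5 without integrity or privacy. Accepting both the colon form sec=a:b and the comma-separated form used on the visual, defaulting to sys when sec= is absent and to read-write when ro is absent are assumptions noted in the comments; the sample exports are constructed.

```shell
#!/bin/sh
# Added example (not from the course): report the security flavours each
# /etc/exports entry allows and flag entries whose identities are only trusted
# from the client (sec=sys). Assumptions: flavour lists are accepted both as
# sec=a:b and in the comma-separated form used on the visual; an entry without
# sec= defaults to sys; any ro form is treated as read-only, otherwise the
# entry is read-write. Sample entries are constructed.

SAMPLE_EXPORTS='/data -vers=4,rw,sec=krb5p,krb5i,krb5
/exports -vers=3:4,rw,sec=sys,krb5
/scratch -vers=4,ro
/home -vers=4,rw,sec=krb5p'

# audit_export_security < exports
# Prints "<path> flavours=<list> <verdict>" per entry; returns 1 when any entry
# grants write access under sec=sys.
audit_export_security() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
        path = $1
        opts = (NF >= 2) ? $2 : ""
        sub(/^-/, "", opts)
        flav = ""; rw = 1
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            tok = o[i]
            if (tok ~ /^ro(=|$)/) rw = 0        # any ro form treated as read-only
            if (tok ~ /^sec=/) tok = substr(tok, 5)
            m = split(tok, f, ":")              # colon form sec=krb5i:krb5p
            for (j = 1; j <= m; j++)
                if (f[j] ~ /^(sys|krb5|krb5i|krb5p)$/)
                    flav = flav (flav == "" ? "" : ",") f[j]
        }
        if (flav == "") flav = "sys"            # assumed default when sec= is absent
        if (flav ~ /(^|,)sys(,|$)/) {
            if (rw) verdict = "WEAK: client-asserted uid/gid with write access"
            else verdict = "warn: client-asserted uid/gid (read-only)"
        } else if (flav ~ /(^|,)krb5(,|$)/) {
            verdict = "warn: krb5 alone gives authentication but no integrity or privacy"
        } else {
            verdict = "ok"
        }
        if (verdict ~ /^WEAK/) weak++
        print path " flavours=" flav " " verdict
    }
    END { exit (weak > 0) }'
}
```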
Topic summary

Having completed this topic, you should be able to:
• Define the goals of NFSv4
• Describe the role of the new NFSv4 daemons
• Configure an NFSv4 domain and pseudo-root file system
• Extend the pseudo-root file system using alias tree extensions
• Describe and configure NFSv4 features:
  – Referrals, replication, and delegation
• Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms

Figure 10-28. Topic summary AN212.0

Notes:

Checkpoint (1 of 2)

1. What server daemon handles client requests for file system
   operations?
2. What file needs to be created and which command needs to be
   executed on an NFS server in order to make files, directories, and file
   systems available for mounting from clients?
3. What file contains the startup script for NFS?
4. True or False: AutoFS is a server-side service that allows for automatic
   and transparent mounting and unmounting of NFS file systems.

Figure 10-29. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:


Checkpoint (2 of 2)

5. List three design goals of NFSv4.
6. Why is this configuration incorrect?

   nfs_server:/ # cat /etc/exports
   /local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
   /local/fsB -vers=4,sec=sys,rw
   /local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
   nfs_server:/ # exportfs -a
   exportfs: /local/fsB: There are too many levels of symbolic links to translate a path name.

7. True or False: The NFS domain name must equal the DNS domain
   name.

Figure 10-30. Checkpoint (2 of 2) AN212.0

Notes:

Write your answers here:


Exercise introduction

• In this exercise, you will:
  – Configure NFS v3 and v4 on AIX

Figure 10-31. Exercise introduction AN212.0

Notes:

Unit summary

Having completed this unit, you should be able to:
• Define NFS terminology and concepts, including:
  – Identify the NFS daemons and their roles
  – Describe NFS client-server interaction and authorization methods
• Configure and manage NFS, including:
  – Stop and start NFS
  – Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
  – Configure an NFSv4 domain and pseudo-root file system
  – Extend the pseudo-root file system using alias tree extensions
  – Configure NFSv4 features: referrals, replication, and delegation
  – Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms

Figure 10-32. Unit summary AN212.0

Notes:

Unit 11. Problem determination

What this unit is about

This unit describes debugging tips, problem areas of hardware and
software, and diagnostic commands and tools available for
understanding problem areas in networking.

What you should be able to do

After completing this unit, you should be able to:
• Perform TCP/IP troubleshooting on AIX
• Solve common TCP/IP problems
  - Connectivity
  - Duplicate IP addresses
  - Problems with network services
  - Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Inspect IP data using tcpdump and iptrace
• Analyze the output of an iptrace

How you will check your progress
• Checkpoint solutions
• Lab exercises


Unit objectives

After completing this unit, you should be able to:
• Perform TCP/IP troubleshooting on AIX
• Solve common TCP/IP problems
  – Connectivity
  – Duplicate IP addresses
  – Problems with network services
  – Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Inspect IP data using tcpdump and iptrace
• Analyze the output of an iptrace

Figure 11-1. Unit objectives AN212.0

Notes:

Overview of troubleshooting commands

[Diagram: commands grouped under Problem determination, Tuning, Documentation and
Monitoring: netstat, ping, arp, tcpdump, traceroute, entstat, iptrace, no, ifconfig, lsattr,
lscfg, lsdev, chdev, nmon, topas, errlog.]

Figure 11-2. Overview of troubleshooting commands AN212.0

Notes:

Most of these commands should be familiar to you by now. The ping command is probably
the most useful because it allows us to determine whether a particular host is responding. If
a host does not respond or there is a long delay in communication, the traceroute
command will trace the number of hops through gateways and record the round-trip time of
each successful hop. This is particularly useful in large networks where there are many
networks between the source and destination hosts.

The commands iptrace, tcpdump, and no are possibly commands you have not used or
seen before. We shall cover these later in the unit.


General TCP/IP problems


• Cannot reach the destination
• Duplicate IP addresses
• Bottlenecks and errors through the TCP/IP stack
• Network services not running or incorrectly configured
• Performance

• Actions:
  – Approach problems methodically
    • Start at a high level (for example, ping) before digging deeper (for example, iptrace)
  – Monitor the system and network workloads
  – Tune network options
  – Perform packet analysis


Figure 11-3. General TCP/IP problems AN212.0

Notes:
Common TCP/IP problems usually fall into the following categories:

• Failure to reach the destination system
• Duplicate IP address problems in the subnet
• Bottlenecks and errors in the TCP/IP stack
• Network services not running or incorrectly configured
• Performance

Be methodical in solving the problem. Work through the layers from bottom to top: hardware, then networking, then application. Identify what works and what specifically does not. Many times the problem can be identified when you examine your assumptions. What has changed? What used to work, or still works now? Eliminate variables one by one.

As a system administrator you should closely monitor the system over time, using commands such as nmon, netpmon, and netstat, and work closely with the network team in order to understand the network infrastructure topology and the monitoring and performance of the network.


Cannot reach the destination


• Actions:
  – Attempt to ping or ping -R or traceroute to the destination.
  – Check cables and link status (entstat) and switch port settings.
  – Test to ensure the local IP stack is up by pinging the loopback.
  – Check to ensure the adapter is available.
    • Command? _______________________
  – Check interface settings. Look for flags up and running.
    • Command? _______________________
  – Check to see if the correct path is taken. View the routing table.
    • Command? _______________________
  – Check name resolution.
    • Commands? ___________ ______________ _______________
  – Check the arp table.
    • Command? _______________________


Figure 11-4. Cannot reach the destination AN212.0

Notes:
Make a note of the commands above. If you have access to an AIX console, type these commands as you go and review the output with the class and your instructor.
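The interface and routing checks from the list above, written as an added worked example rather than course material: shell functions that read ifconfig -a and netstat -rn output and answer two of the checklist's questions, whether an interface is UP and RUNNING, and which route and interface a destination would actually use. The command output below is a constructed sample in the AIX layout with invented addresses; because the functions take the output as text, the same checks can be run against output saved from another host.

```shell
#!/bin/sh
# Constructed samples in the layout of "ifconfig -a" and "netstat -rn" on AIX
# (addresses, flags and counters are invented for this example).
IFCONFIG_SAMPLE='
en0: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 192.168.10.5 netmask 0xffffff00 broadcast 192.168.10.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
en1: flags=1e084862,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.1.1.5 netmask 0xffffff00 broadcast 10.1.1.255
lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,LARGESEND,CHAIN>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
'
NETSTAT_RN_SAMPLE='
Routing tables
Destination        Gateway           Flags   Refs     Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default            192.168.10.1      UG        5    12345 en0      -      -
10.1.1.0           10.1.1.5          UHSb      0        0 en1      -      -   =>
10.1.1/24          10.1.1.5          U         1       40 en1      -      -
10.1.1.255         10.1.1.5          UHSb      0        3 en1      -      -
127/8              127.0.0.1         U         3      100 lo0      -      -
192.168.10.0       192.168.10.5      UHSb      0        0 en0      -      -   =>
192.168.10/24      192.168.10.5      U         2      500 en0      -      -
192.168.10.255     192.168.10.5      UHSb      0        9 en0      -      -
'

# iface_flags TEXT IFACE: the <...> flag list of IFACE from ifconfig -a output
iface_flags() {
    printf '%s\n' "$1" | awk -v want="$2:" '
        $1 == want { s = $2; sub(/^.*</, "", s); sub(/>.*$/, "", s); print s; exit }'
}

# iface_up_running TEXT IFACE: true only if both UP and RUNNING are set
iface_up_running() {
    flags=",$(iface_flags "$1" "$2"),"
    case "$flags" in *,UP,*) ;; *) return 1 ;; esac
    case "$flags" in *,RUNNING,*) return 0 ;; *) return 1 ;; esac
}

# route_lookup TEXT DEST: longest-prefix match of DEST against netstat -rn output.
# Handles the shortened destinations AIX prints (127/8, 192.168.10/24),
# host routes (no prefix length, treated as /32) and the default route.
route_lookup() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        function ip2n(s,   p, n, i) {        # dotted quad, possibly shortened, to an integer
            n = split(s, p, ".")
            for (i = n + 1; i <= 4; i++) p[i] = 0
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN { d = ip2n(dest); bestlen = -1 }
        $1 == "default" || $1 ~ /^[0-9]+(\.[0-9]+)*(\/[0-9]+)?$/ {
            if ($1 == "default") { net = 0; len = 0 }
            else if (split($1, a, "/") == 2) { net = ip2n(a[1]); len = a[2] + 0 }
            else { net = ip2n($1); len = 32 }
            blk = 2 ^ (32 - len)              # prefix compare without bit operators
            if (int(d / blk) == int(net / blk) && len > bestlen) {
                bestlen = len; bdst = $1; bgw = $2; bflags = $3; bif = $6
            }
        }
        END {
            if (bestlen < 0) { print "no route"; exit }
            if (bflags ~ /G/) print bdst " via " bgw " dev " bif
            else print bdst " dev " bif " (on-link)"
        }'
}

# Demonstration on the samples
iface_up_running "$IFCONFIG_SAMPLE" en0 && echo "en0 is UP and RUNNING"
iface_up_running "$IFCONFIG_SAMPLE" en1 || echo "en1 is not UP and RUNNING"
route_lookup "$NETSTAT_RN_SAMPLE" 10.20.30.40      # default via 192.168.10.1 dev en0
route_lookup "$NETSTAT_RN_SAMPLE" 192.168.10.77    # 192.168.10/24 dev en0 (on-link)
```

On a live AIX host, pass the real command output, for example iface_up_running "$(ifconfig -a)" en0 and route_lookup "$(netstat -rn)" 10.20.30.40. A result of "default via ..." for a destination you expected to be on the local subnet points at a netmask or routing-table problem rather than at the remote host.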


Duplicate IP address
• Actions:
  – Connect to one of the hosts with the duplicate IP address.
  – Check the error log on the host.
  – Locate the MAC address of the other host/adapter.
    • Log in to the network switch and locate and disable the port of one of the systems with the duplicate address.
  – In AIX, remove one of the duplicate IP addresses.

# errpt -A
---------------------------------------------------------------------------
LABEL:          AIXIF_ARP_DUP_ADDR
Date/Time:      Mon 28 Sep 10:55:18 2009
Type:           PERM
Resource Name:  SYSXAIXIF
Description
DUPLICATE IP ADDRESS DETECTED IN THE NET
Detail Data
DUPLICATE IP ADDRESS
0404 0404
MAC ADDRESS
EA48 F000 7004        <-- MAC address of the other host/adapter


Figure 11-5. Duplicate IP address AN212.0

Notes:
Duplicate IP addresses will cause connectivity problems in the network. Depending on the switch model and type, errors will be logged on the network switch as well as in the error log of each of the AIX hosts with the duplicate address. There are many ways in which these types of problems can be resolved. One method is to connect to one of the hosts and check the error log to confirm that there is a duplicate IP problem. The error log reports the MAC address of the other host with the duplicate address. The MAC address table on the switch then indicates to which physical ports the two hosts are connected, and one of the ports can be disabled from the switch. The exact command depends on the switch vendor and management tooling; on Cisco IOS, for example, a port is administratively disabled with the shutdown command in interface configuration mode. Alternatively, you can change the IP parameters of the host to which you are currently connected, flush the ARP table, ARP again for the duplicate IP address, and then connect to the other host and decide whether to alter, remove, or keep the address.
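An added example, not part of the course: decoding the errpt entry shown on the slide with shell and awk, so that the MAC address comes out in the colon form that switch MAC-address-table lookups expect. The two Detail Data fields are assumed here to be the duplicate IP address and the other station's MAC address, both written as hexadecimal words (the slide's 0404 0404 would then be 4.4.4.4); the entry text is a copy of the slide, not live output.

```shell
#!/bin/sh
# errpt -A entry for AIXIF_ARP_DUP_ADDR as shown on the slide. Assumption: both
# Detail Data values are hexadecimal (IP address, then MAC address).
ERRPT_SAMPLE='
---------------------------------------------------------------------------
LABEL:          AIXIF_ARP_DUP_ADDR
Date/Time:      Mon 28 Sep 10:55:18 2009
Type:           PERM
Resource Name:  SYSXAIXIF
Description
DUPLICATE IP ADDRESS DETECTED IN THE NET
Detail Data
DUPLICATE IP ADDRESS
0404 0404
MAC ADDRESS
EA48 F000 7004
'

# hex_words_to_bytes "0404 0404": the hex words as space-separated decimal bytes
hex_words_to_bytes() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'a-f' 'A-F' | awk '{
        for (i = 1; i + 1 <= length($0); i += 2) {
            b = 0
            for (j = 0; j < 2; j++)
                b = b * 16 + index("0123456789ABCDEF", substr($0, i + j, 1)) - 1
            printf "%s%d", (i > 1 ? " " : ""), b
        }
        print ""
    }'
}

# dup_addr_entries TEXT: one line "DATE|IPHEX|MACHEX" per AIXIF_ARP_DUP_ADDR entry
dup_addr_entries() {
    printf '%s\n' "$1" | awk '
        /^LABEL:/                { lbl = $2; dt = ""; want = "" }
        /^Date\/Time:/           { dt = $0; sub(/^Date\/Time: */, "", dt) }
        /^DUPLICATE IP ADDRESS$/ { want = "ip"; next }
        /^MAC ADDRESS$/          { want = "mac"; next }
        want == "ip"             { ip = $0; want = "" }
        want == "mac"            { mac = $0; want = ""
                                   if (lbl == "AIXIF_ARP_DUP_ADDR") print dt "|" ip "|" mac }'
}

# dup_addr_report TEXT: "DATE  a.b.c.d  aa:bb:cc:dd:ee:ff" per entry
dup_addr_report() {
    dup_addr_entries "$1" | while IFS='|' read -r dt ip mac; do
        ipd=$(hex_words_to_bytes "$ip" | tr ' ' '.')
        macd=$(hex_words_to_bytes "$mac" | awk '{
            for (i = 1; i <= NF; i++) printf "%s%02x", (i > 1 ? ":" : ""), $i
            print "" }')
        printf '%s  %s  %s\n' "$dt" "$ipd" "$macd"
    done
}

dup_addr_report "$ERRPT_SAMPLE"     # Mon 28 Sep 10:55:18 2009  4.4.4.4  ea:48:f0:00:70:04
```

On a live host, dup_addr_report "$(errpt -A -J AIXIF_ARP_DUP_ADDR)" lists every duplicate-address event recorded in the error log, which is the list to take to the network team when searching the switch's MAC address table.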


Flow through the TCP/IP stack


Layer         Send side                     Receive side               Analysis
Application   Write buffer                  Read buffer                Memory (svmon, nmon, netstat)
Transport     Socket send buffer            Socket receive buffer      TCP/UDP statistics
              tcp_sendspace                 tcp_recvspace              # netstat -p tcp
              udp_sendspace                 udp_recvspace              # netstat -p udp
Internet      MTU compliance/enforcement    IP input queue             IP statistics
              MTU size                      ipqmaxlen                  # netstat -p ip
Link          Transmit queue                Receive queue              Adapter statistics
              tx_que_sz                     rxdesc_que_sz              # entstat <entX>
                                                                       # netstat -v
Physical      Network (specific network s/w)


Figure 11-6. Flow through the TCP/IP stack AN212.0

Notes:
Overview

Data is written from the application to a write buffer in system memory. Data to be transferred across the network is then queued to a socket send buffer (either TCP or UDP, depending on what the application requested). The port number of the sending application is included here along with the port number of the receiving application, which was requested by the sending application. TCP segments the data stream (according to the maximum segment size, which is derived from the MTU), adds its control information, and passes it to IP. IP adds its information, including the source and destination IP addresses, applies MTU compliance (fragmenting if necessary, normally on UDP traffic), checks the ARP table, and puts the data in the transmit queue of the network interface. The data is then taken from the transmit queue and put on the physical network medium (copper or fiber) after the appropriate link-layer control information is added.

The destination machine receives the message from the transport medium and puts it in the receive queue. Once the network interface has completed its checks, it passes the data to the IP input queue, where IP reassembles the datagram if it was fragmented on the sending side. When complete, the data stream is copied to the socket receive buffer and the application is notified. The data is then put in the application read buffer. The socket buffers and the IP input queue use system memory, a potentially limited resource. The transmit and receive queues use memory on the adapters. There are many places along the way where a message can be delayed or lost. That is why it is a good idea to use this layered approach to isolating a problem, starting from what every other layer depends on: the hardware layer.

Memory

If memory fills up on a system, performance problems will occur. There are many tools in AIX to monitor memory usage (for example, svmon and topas_nmon). The topas_nmon utility is particularly useful as it allows us to monitor system statistics over time.

The netstat command with the -m flag shows network memory statistics. The kernel allocates memory from the network memory buffer pool, commonly called the mbuf pool, to be used as buffers by the networking subsystem. Watch out for positive values in the failed column. You should not see a large number of failed calls. There might be a few, which trigger the system to allocate more buffers as the buffer pool size increases. There is a predefined set of buffers of each size that the system starts with after each reboot, and the number of buffers increases as necessary, up to a limit. To zero the network memory statistics, type: # netstat -Zm

For further details regarding memory performance, refer to the AIX performance courses AN51 and AN52.
Transport layer – TCP (netstat -p tcp)

Statistics of interest are packets sent, data packets, data packets retransmitted, packets received, completely duplicate packets, and retransmit timeouts.

For the TCP statistics, compare the number of packets sent to the number of data packets retransmitted. If the number of packets retransmitted is over 10-15% of the total packets sent, TCP is timing out, indicating that network traffic might be too high for acknowledgments (ACKs) to return before a timeout. A bottleneck on the receiving node or general network problems can also cause TCP retransmissions. TCP retransmissions increase network traffic, further adding to any network performance problems.

Also, compare the number of packets received with the number of completely duplicate packets. If TCP on a sending node times out before an ACK is received from the receiving node, it retransmits the packet. Duplicate packets occur when the receiving node eventually receives both the original and the retransmitted packets. If the number of duplicate packets exceeds 10-15%, the problem might again be too much network traffic or a bottleneck at the receiving node. Duplicate packets increase network traffic.

The retransmit timeouts counter is incremented when TCP sends a packet but does not receive an ACK in time and resends it; it is incremented again for each subsequent retransmission of the same data. These repeated retransmissions drive CPU utilization higher, and if the receiving node still does not acknowledge the packet, the connection is eventually dropped.

Transport layer – UDP (netstat -p udp)


Statistics of interest are:
• Bad checksums: could happen due to a hardware card or cable failure.
• Dropped due to no socket: the number of received UDP datagrams whose destination socket port was not open. As a result, an ICMP destination unreachable (port unreachable) message is sent; if the received datagrams were broadcast datagrams, no ICMP errors are generated. If this value is high, investigate how the application is handling sockets.
• Socket buffer overflows: could be due to insufficient UDP socket send and receive space, too few nfsd daemons, or too small network options (nfs_socketsize, udp_recvspace, and sb_max values).

If the netstat -p udp command indicates socket overflows, then you might need to increase the number of nfsd daemons on the server. First, check the affected system for CPU or I/O saturation, and verify the recommended settings for the other communication layers by using the no -a command. If the system is saturated, you must either reduce its load or increase its resources.
IP layer (netstat -p ip)

Statistics of interest are:
• Total packets received: the number of IP datagrams received.
• Bad header checksum or fragments dropped: if the output shows bad header checksums or fragments dropped due to dup or out of space, this indicates either a network that is corrupting packets or device driver receive queues that are not large enough.
• Fragments received: the number of fragments received.
• Dropped after timeout: if the number of fragments dropped after timeout is other than zero, the time-to-live counter of the IP fragments expired, because of a busy network, before all fragments of the datagram arrived. To avoid this, use the no command to increase the value of the ipfragttl network parameter. Another reason could be a lack of mbufs. On older AIX levels the remedy was to raise the thewall network option; the no -L listing later in this unit shows thewall as a static (S) parameter on AIX 7.1, where it is sized by the system and cannot be raised by hand.
• Packets sent from this host: the number of IP datagrams that were created and sent out from this system. This counter does not include forwarded datagrams (pass-through traffic).
• Fragments created: the number of fragments created on this system when IP datagrams were sent out.

When viewing IP statistics, look at the ratio of packets received to fragments received. As a guideline for small MTU networks, if 10 percent or more of the packets are being fragmented, you should investigate further to determine the cause. A large number of fragments indicates that protocols above the IP layer on remote hosts are passing data to IP with data sizes larger than the MTU for the interface. Gateways and routers in the network path might also have a much smaller MTU size than the other nodes in the network. The same logic can be applied to packets sent and fragments created.

Fragmentation results in additional CPU overhead, so it is important to determine its cause. Be aware that some applications, by their very nature, cause fragmentation to occur: any application that hands IP a datagram larger than the interface MTU, for example a large UDP write, produces fragments. However, if you know the application is sending data in pieces that should fit the MTU and fragmentation is still occurring, determine the cause. It is likely that the MTU size in use on the path is not the MTU size configured on the systems.

Network Interface layer (entstat -d)

The entstat command displays statistics gathered by the specified Ethernet device driver. If no flags are specified, only the generic device statistics are displayed. This command is also invoked when the netstat command is run with the -v flag; netstat does not pass any entstat flags.

Statistics of interest are:
• No mbuf errors: the number of times that mbufs were not available to the device driver. This usually occurs during receive operations, when the driver must obtain mbuf buffers to process inbound packets. If the mbuf pool for the requested size is empty, the packet is discarded. The netstat -m command can be used to confirm this.
• Transmit errors: the number of output errors encountered on this device. This is a counter for unsuccessful transmissions due to hardware or network errors.
• Packets dropped: the number of packets accepted by the device driver for transmission which were not (for any reason) given to the device.
• S/W transmit queue overflow: the number of outgoing packets which have overflowed the software transmit queue. For physical adapters, try increasing the software transmit queue size of the adapter using smitty chgenet. Note: all interfaces on the adapter must be down in order for this attribute to be changed.
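An added example (not part of the course) that applies the rules of thumb from the TCP, UDP and IP sections above to netstat -p output: retransmissions as a share of packets sent, completely duplicate packets as a share of packets received, fragments as a share of datagrams, plus the UDP overflow, checksum and fragment-timeout counters that should be zero. The counters are read per protocol section, so the tcp "packets sent" line is not confused with the ip "packets sent from this host" line. The netstat text is a constructed sample in the AIX layout with invented counter values.

```shell
#!/bin/sh
# Constructed sample in the layout of "netstat -p tcp", "netstat -p udp" and
# "netstat -p ip" on AIX; the counter values are invented for this example.
NETSTAT_SAMPLE='
tcp:
        12000 packets sent
                10000 data packets (9876543 bytes)
                1400 data packets (1234567 bytes) retransmitted
                500 ack-only packets (100 delayed)
        20000 packets received
                15000 acks (for 9876543 bytes)
                10 duplicate acks
                400 completely duplicate packets (12345 bytes)
                37 retransmit timeouts
udp:
        5000 datagrams received
        0 bad checksums
        12 dropped due to no socket
        3 socket buffer overflows
ip:
        100000 total packets received
        0 bad header checksums
        15000 fragments received
        0 fragments dropped (dup or out of space)
        2 fragments dropped after timeout
        90000 packets sent from this host
        800 fragments created
'

# counter TEXT SECTION PATTERN: the number on the first line of SECTION
# (tcp, udp or ip) whose text contains PATTERN; empty when not found.
counter() {
    printf '%s\n' "$1" | awk -v sec="$2" -v pat="$3" '
        NF == 1 && $1 ~ /:$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == sec && index($0, pat) { print $1; exit }'
}

# pct NUM DEN: NUM as a percentage of DEN, one decimal (0.0 when DEN is 0)
pct() {
    awk -v n="$1" -v d="$2" 'BEGIN { printf "%.1f\n", (d > 0) ? 100 * n / d : 0 }'
}

# verdict PCT LIMIT: the unit's rule of thumb, LIMIT percent or more is a warning
verdict() {
    if awk -v p="$1" -v l="$2" 'BEGIN { exit !(p >= l) }'; then
        echo "WARN: at or above ${2}%"
    else
        echo "ok"
    fi
}

# stack_check TEXT: one finding per line, transport layer first, then IP
stack_check() {
    sent=$(counter "$1" tcp "packets sent")
    retx=$(counter "$1" tcp "retransmitted")
    recv=$(counter "$1" tcp "packets received")
    dups=$(counter "$1" tcp "completely duplicate packets")
    rtos=$(counter "$1" tcp "retransmit timeouts")
    ovfl=$(counter "$1" udp "socket buffer overflows")
    badck=$(counter "$1" udp "bad checksums")
    ipin=$(counter "$1" ip "total packets received")
    fin=$(counter "$1" ip "fragments received")
    ipout=$(counter "$1" ip "packets sent from this host")
    fout=$(counter "$1" ip "fragments created")
    ftmo=$(counter "$1" ip "dropped after timeout")

    p=$(pct "${retx:-0}" "${sent:-0}")
    echo "TCP retransmitted: ${p}% of packets sent ($(verdict "$p" 10))"
    p=$(pct "${dups:-0}" "${recv:-0}")
    echo "TCP completely duplicate: ${p}% of packets received ($(verdict "$p" 10))"
    echo "TCP retransmit timeouts: ${rtos:-0}"
    [ "${ovfl:-0}" -eq 0 ] && echo "UDP socket buffer overflows: 0 (ok)" \
        || echo "UDP socket buffer overflows: $ovfl (WARN: check udp_recvspace, sb_max, nfsd count)"
    [ "${badck:-0}" -eq 0 ] && echo "UDP bad checksums: 0 (ok)" \
        || echo "UDP bad checksums: $badck (WARN: suspect adapter or cabling)"
    p=$(pct "${fin:-0}" "${ipin:-0}")
    echo "IP fragments received: ${p}% of packets received ($(verdict "$p" 10))"
    p=$(pct "${fout:-0}" "${ipout:-0}")
    echo "IP fragments created: ${p}% of packets sent ($(verdict "$p" 10))"
    [ "${ftmo:-0}" -eq 0 ] && echo "IP fragments dropped after timeout: 0 (ok)" \
        || echo "IP fragments dropped after timeout: $ftmo (WARN: consider raising ipfragttl)"
}

stack_check "$NETSTAT_SAMPLE"
```

On a live host the input is simply the concatenated output, stack_check "$(netstat -p tcp; netstat -p udp; netstat -p ip)". Because netstat counters accumulate since boot, run netstat -Zs first and sample again after a known interval when you want the ratios for a specific period rather than for the whole uptime.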


Network services
• Actions:
  – Check daemons are running OK (lssrc -s subsystem, or lssrc -a for all)
  – Check processes and threads (# ps -A; ps -A -o THREAD)
  – Check active sockets (netstat -a)
  – Check application-specific configuration and debug files
    • Examples:
      – inetd (/etc/inetd.conf)
      – DHCP server (/etc/dhcpsd.conf)
  – Activate tracing or debugging tools
    • For example: traceson -s clinfoES
  – Use the tcpdump and iptrace commands to analyze incoming and outgoing packets


Figure 11-7. Network services AN212.0

Notes:
For network service problems, first check that the service is running and that the associated processes and threads are listed in the process table. Second, check that the configuration of the service is correct. If everything seems well but problems remain, you might need to turn on tracing and analyze incoming and outgoing packets using the tcpdump or iptrace commands.


Network performance: Factors


• Many factors can affect network performance
  – System workload
  – Network load
  – Throughput
  – Latency
  – Packet loss
  – Retransmission

nmon view: Network statistics

topas_nmon  c=CPU  Host=aixod04  Refresh=2 secs  13:59.51
Network
I/F Name  Recv=KB/s  Trans=KB/s  packin  packout  insize  outsize  Peak->Recv  TransKB
   en0          0.2         0.3     3.5      1.0    48.3    338.0         0.2      0.6
   en1          0.1         0.4     2.5      2.5    60.8    149.2         0.4      0.4
   en2          0.1         0.3     1.0      1.0    71.0    271.0         0.1      0.3
   lo0          0.0         0.0     0.0      0.0     0.0      0.0         0.5      0.5
 Total          0.0         0.0   in Mbytes/second                      Overflow=0
I/F Name    MTU  ierror  oerror  collision  Mbits/s  Description
   en0     1500       0       0          0     2047  Standard Ethernet Network Interface
   en1     1500       0       0          0     2047  Standard Ethernet Network Interface
   en2     1500       0       0          0     2047  Standard Ethernet Network Interface
   lo0    16896       0       0          0        0  Loopback Network Interface


Figure 11-8. Network performance: Factors AN212.0

Notes:
There are many factors which can affect network performance. As a general rule, it is important to deploy tools which can monitor the system, the system workloads, and the physical network infrastructure. The latter usually requires specific network management software provided by vendors such as Cisco and Nortel.

As data is broken into component parts (known as frames, packets, or segments) for transmission, several factors can affect their delivery.

• System workload: the current load on the physical system.
• Network load: the current load on the physical network.
• Throughput: the amount of traffic a network can carry, usually measured in bits per second (kilobits or megabits per second). It is important to appreciate the difference between throughput and latency. Throughput is analogous to the combination of speed and the number of lanes on a highway. Latency is analogous to the total trip time, which increases with the distance that you travel regardless of the throughput.
• Latency: the round-trip time for a packet to be delivered between source and destination hosts across the intervening networks.
• Packet loss: in some cases, intermediate devices in a network lose packets. This might be due to errors, to overloading of the intermediate network, or to intentional discarding of traffic in order to enforce a particular service level.
• Retransmission: when packets are lost, a reliable transport such as TCP retransmits them. This incurs two delays: first, the delay from re-sending the data, and second, the delay from waiting until the data has been received in the correct order before passing it up the protocol stack.

These factors and others, such as the performance of the network signaling on the end nodes, compression, encryption, concurrency, and so on, all affect the effective performance of a network. In some cases the network might not work at all; in others it might be slow or unusable. Because applications run over these networks, application performance suffers. Various intelligent solutions are available to ensure that traffic over the network is effectively managed to optimize performance for all users. This usually takes the form of traffic shaping by means of quality of service (QoS) rules.

Network performance: Actions


• Actions:
  – Measure network throughput and latency:

# ftp remote_node
Connected to remote_node
ftp> put "|dd if=/dev/zero bs=1M count=1024" /dev/null
226 Transfer complete.
1073741824 bytes sent in 11.02 seconds (9.517e+04 Kbytes/s)

    1 GB was transferred over a Gbit network in 11 seconds. That is 93 MB per second throughput.

# ping -c 100 remote_node | grep round-trip
round-trip min/avg/max = 3/7/22 ms

    Average latency: 7 ms

  – Deploy tools to measure system workloads and the workload of the physical network infrastructure.
  – Check for bottlenecks and errors through the TCP/IP stack.
  – Tune network options.
  – Liaise with the network team.


Figure 11-9. Network performance: Actions AN212.0

Notes:
When analyzing performance problems, it is important to obtain a benchmark of what is achievable under normal conditions, when performance seems satisfactory. When concerned with degraded performance, comparing current measurements to that baseline can tell you whether network throughput or response times are a cause of the current degradation. Comparing against the baseline is also important for normal monitoring of the system, to spot trends in performance degradation which in time might result in performance goals not being met.

There are many standard tools in AIX which can be used to report on system and network activity (topas, nmon, netpmon, and spray, to name just a few). It is also important that you understand the current set of network options and tunables in AIX and set them accordingly for your environment. Some experimentation might be necessary in order to obtain the optimum settings. When tuning the network or when dealing with network-related problems, you should always work closely with the network team, as they will have a thorough understanding of the underlying infrastructure.


Tuning network parameters


• TCP/IP parameters can be tuned to control the behavior of certain network functions.
  – For example, socket buffers, routing, ARP, system security, and many more
  – Can improve performance, and can just as easily degrade it!
• System-wide network tunables are viewed and changed via the no command
  – List:   # no -L   or   # no -a
  – Change: # no -o option=NewValue        Example: # no -p -o rfc1323=1
• Interface-specific options (ISNO) can be set through the chdev and ifconfig commands
  – # chdev -l Name -a Attribute=value      Example: # chdev -l en0 -a rfc1323=0
  – # ifconfig interface parameter value    Example: # ifconfig en0 rfc1323 1


Figure 11-10. Tuning network parameters AN212.0

Notes:
Tuning network parameters

The no command is used to configure network tuning parameters. It sets or displays the current or next-boot values of those parameters. A change made with -o alone takes effect immediately and is lost at the next reboot; with -p it is applied immediately and also saved for the next boot, and with -r it is deferred until the next reboot. Saved parameters are stored in the /etc/tunables directory in two files: lastboot (the settings used during the current boot) and nextboot (the parameters to be used during the next boot).

Warning: Be careful when using the no command. If used incorrectly, it can cause undesirable behavior in certain network functions and inadvertently affect performance!

For further information, access the AIX Information Center and look up Network option tunable parameters and the no command.


Interface-specific network options


Interface-specific network options (ISNO) allow IP network interfaces to be custom tuned for the best performance. The following parameters have been added for each supported network interface and are only effective for TCP (and not UDP) connections:
• rfc1323
• tcp_nodelay
• tcp_sendspace
• tcp_recvspace
• tcp_mssdflt
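An added example, not from the course: a pre-check to run before a no change. It reads no -L output (the sample rows below are copied from the listing that follows in this unit), expands the K/M/G and -1/+1 notation the MIN and MAX columns use, refuses a static (S) tunable, rejects an out-of-range value, and says whether the change is dynamic, applies to new connections only, or needs no -r and a reboot. The TYPE letters and their meanings are those documented for the no command.

```shell
#!/bin/sh
# Sample rows in the layout of "no -L" (copied from the listing in this unit):
# NAME CUR DEF BOOT MIN MAX UNIT TYPE, with dependencies indented underneath.
NO_L_SAMPLE='
NAME                      CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
sb_max                    1M     1M     1M     4K     8E-1   byte              D
--------------------------------------------------------------------------------
somaxconn                 1K     1K     1K     0      32K-1  numeric           C
--------------------------------------------------------------------------------
thewall                   768K   768K   768K   0      64M    kbyte             S
--------------------------------------------------------------------------------
rfc1323                   0      0      0      0      1      boolean           C
--------------------------------------------------------------------------------
rto_limit                 7      7      7      1      64     roundtriptime     R
     rto_high
     rto_low
--------------------------------------------------------------------------------
tcp_ephemeral_high        64K-1  64K-1  64K-1  32K+1  64K-1  numeric           D
'

# no_size VALUE: expand the K/M/G/T/P/E suffix and the "-1"/"+1" tail that
# no -L prints (64K-1 -> 65535, 32K+1 -> 32769) to a plain number; NaN otherwise.
no_size() {
    awk -v v="$1" 'BEGIN {
        mult["K"] = 2^10; mult["M"] = 2^20; mult["G"] = 2^30
        mult["T"] = 2^40; mult["P"] = 2^50; mult["E"] = 2^60
        if (match(v, /^[0-9]+/) == 0) { print "NaN"; exit }
        n = substr(v, 1, RLENGTH) + 0; rest = substr(v, RLENGTH + 1)
        if (rest != "" && (substr(rest, 1, 1) in mult)) {
            n = n * mult[substr(rest, 1, 1)]; rest = substr(rest, 2)
        }
        if (rest == "-1") n -= 1
        else if (rest == "+1") n += 1
        else if (rest != "") { print "NaN"; exit }
        printf "%.0f\n", n
    }'
}

# no_type_desc TYPE: what the TYPE column of no -L means for a change
no_type_desc() {
    case "$1" in
        D) echo "dynamic: takes effect immediately" ;;
        C) echo "connect: applies to new socket connections only" ;;
        R) echo "reboot: needs no -r and a reboot" ;;
        B) echo "bosboot: needs no -r, bosboot and a reboot" ;;
        M) echo "mount: applies to future mounts" ;;
        I) echo "incremental: can only be increased" ;;
        S) echo "static: cannot be changed" ;;
        *) echo "unknown type $1" ;;
    esac
}

# no_precheck LISTING NAME VALUE: look NAME up in LISTING (no -L output) and
# return 0 only when VALUE is within MIN..MAX and the tunable is not static.
no_precheck() {
    row=$(printf '%s\n' "$1" | awk -v n="$2" 'NF == 8 && $1 == n { print $5, $6, $8; exit }')
    [ -n "$row" ] || { echo "$2: not a known tunable"; return 1; }
    set -- "$2" "$3" $row        # $1 name, $2 value, $3 MIN, $4 MAX, $5 TYPE
    if [ "$5" = "S" ]; then
        echo "$1: $(no_type_desc S)"; return 1
    fi
    want=$(no_size "$2"); lo=$(no_size "$3"); hi=$(no_size "$4")
    case "$want" in NaN) echo "$1: value $2 is not a number"; return 1 ;; esac
    if awk -v w="$want" -v l="$lo" -v h="$hi" 'BEGIN { exit !(w >= l && w <= h) }'; then
        echo "$1=$2 ($want) is within $3..$4; $(no_type_desc "$5")"; return 0
    fi
    echo "$1=$2 ($want) is outside $3..$4"; return 1
}

# Demonstration on the sample rows
no_precheck "$NO_L_SAMPLE" sb_max 2M            # allowed, dynamic
no_precheck "$NO_L_SAMPLE" thewall 1M   || :    # refused, static
no_precheck "$NO_L_SAMPLE" somaxconn 64K || :   # refused, above MAX 32K-1
no_precheck "$NO_L_SAMPLE" rto_limit 10         # allowed, but needs no -r and a reboot
```

Run it as no_precheck "$(no -L)" sb_max 2M before the actual no -p -o sb_max=2M; a tunable reported as "reboot" must be changed with no -r -o instead, and nothing can be done about one reported as static.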

Example: Listing network options.


# oslevel -s
7100-02-01-1245
# no -L
General Network Parameters
--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE

.I. n
DEPENDENCIES
--------------------------------------------------------------------------------
bsd_loglevel 3 3 3 0 7 numeric D

.T ció
--------------------------------------------------------------------------------
fasttimo 200 200 200 50 200 millisecond D
--------------------------------------------------------------------------------

.
init_high_wat 0 0 0 0 10 %_of_thewall D
--------------------------------------------------------------------------------

C
nbc_limit 192K 192K 192K 0 8E-1 kbyte D

.F a
thewall
--------------------------------------------------------------------------------

C rm
nbc_max_cache 128K 128K 128K 1 192M byte D
nbc_min_cache
nbc_limit
--------------------------------------------------------------------------------
nbc_min_cache 1 1 1 1 128K byte D
to fo
nbc_max_cache
--------------------------------------------------------------------------------
nbc_ofile_hashsz 12841 12841 12841 1 999999 segment D
--------------------------------------------------------------------------------
nbc_pseg 0 0 0 0 2G-1 segment D
ec vo

--------------------------------------------------------------------------------
nbc_pseg_limit 384K 384K 384K 0 768K kbyte D
--------------------------------------------------------------------------------
ndd_event_name {all} {all} {all} 0 128 string D
--------------------------------------------------------------------------------
oy si

ndd_event_tracing 0 0 0 0 64K-1 numeric D


--------------------------------------------------------------------------------
net_buf_size {all} {all} {all} 0 128 string D
u

--------------------------------------------------------------------------------
net_buf_type {all} {all} {all} 0 128 string D
cl

--------------------------------------------------------------------------------
net_malloc_frag_mask {0} {0} {0} 0 128 string D
--------------------------------------------------------------------------------
Ex

netm_page_promote 1 1 1 0 1 numeric D
--------------------------------------------------------------------------------
sb_max 1M 1M 1M 4K 8E-1 byte D
--------------------------------------------------------------------------------
send_file_duration 300 300 300 0 4G-1 second D
--------------------------------------------------------------------------------
pr

sockthresh 85 85 85 0 100 %_of_thewall D


--------------------------------------------------------------------------------
sodebug 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
sodebug_env 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
somaxconn 1K 1K 1K 0 32K-1 numeric C

© Copyright IBM Corp. 2010, 2013 Unit 11. Problem determination 11-17
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

--------------------------------------------------------------------------------
tcp_inpcb_hashtab_siz 24499 24499 24499 1 999999 numeric R
--------------------------------------------------------------------------------
tcptr_enable 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
thewall 768K 768K 768K 0 64M kbyte S
--------------------------------------------------------------------------------
udp_inpcb_hashtab_siz 24499 24499 24499 1 83000 numeric R
--------------------------------------------------------------------------------

.I. n
use_sndbufpool 1 1 1 0 1 boolean R
--------------------------------------------------------------------------------

.T ció
TCP Network Tunable Parameters
--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE

DEPENDENCIES

--------------------------------------------------------------------------------

clean_partial_conns 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------

delayack 0 0 0 0 3 boolean D
--------------------------------------------------------------------------------
delayackports {} {} {} 0 10 ports_list D
--------------------------------------------------------------------------------
hstcp 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
limited_ss 0 0 0 0 100 numeric D
--------------------------------------------------------------------------------
rfc1323 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
rfc2414 1 1 1 0 1 boolean C
--------------------------------------------------------------------------------
rto_high 64 64 64 2 8E-1 roundtriptime R
rto_low
--------------------------------------------------------------------------------
rto_length 13 13 13 1 64 roundtriptime R
--------------------------------------------------------------------------------
rto_limit 7 7 7 1 64 roundtriptime R
rto_high
rto_low
--------------------------------------------------------------------------------
rto_low 1 1 1 1 63 roundtriptime R
rto_high
--------------------------------------------------------------------------------
sack 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
tcp_bad_port_limit 0 0 0 0 8E-1 numeric D
--------------------------------------------------------------------------------
tcp_cwnd_modified 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
tcp_ecn 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
tcp_ephemeral_high 64K-1 64K-1 64K-1 32K+1 64K-1 numeric D
tcp_ephemeral_low
--------------------------------------------------------------------------------
tcp_ephemeral_low 32K 32K 32K 1K 65534 numeric D
tcp_ephemeral_high


--------------------------------------------------------------------------------
tcp_fastlo 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
tcp_fastlo_crosswpar 0 0 0 0 1 boolean C
--------------------------------------------------------------------------------
tcp_finwait2 1200 1200 1200 0 32K-1 halfsecond D
--------------------------------------------------------------------------------
tcp_icmpsecure 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------

tcp_init_window 0 0 0 0 32K-1 byte C
--------------------------------------------------------------------------------

tcp_keepcnt 8 8 8 0 32K-1 numeric D
--------------------------------------------------------------------------------
tcp_keepidle 14400 14400 14400 1 32K-1 halfsecond C
--------------------------------------------------------------------------------

tcp_keepinit 150 150 150 1 32K-1 halfsecond D

--------------------------------------------------------------------------------

tcp_keepintvl 150 150 150 1 32K-1 halfsecond C
--------------------------------------------------------------------------------

tcp_limited_transmit 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------
tcp_low_rto 0 0 0 0 3000 numeric D
timer_wheel_tick
--------------------------------------------------------------------------------
tcp_maxburst 0 0 0 0 32K-1 numeric D
--------------------------------------------------------------------------------
tcp_mssdflt 1460 1460 1460 1 64K-1 byte C
--------------------------------------------------------------------------------
tcp_nagle_limit 64K-1 64K-1 64K-1 0 64K-1 byte D
--------------------------------------------------------------------------------
tcp_nagleoverride 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
tcp_ndebug 100 100 100 0 32K-1 numeric D
--------------------------------------------------------------------------------
tcp_newreno 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------
tcp_nodelayack 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
tcp_recvspace 16K 16K 16K 4K 8E-1 byte C
sb_max
--------------------------------------------------------------------------------
tcp_sendspace 16K 16K 16K 4K 8E-1 byte C
sb_max
--------------------------------------------------------------------------------
tcp_tcpsecure 0 0 0 0 7 numeric D
--------------------------------------------------------------------------------
tcp_timewait 1 1 1 1 5 15_second D
--------------------------------------------------------------------------------
tcp_ttl 60 60 60 1 255 0.6_second C


--------------------------------------------------------------------------------
tcprexmtthresh 3 3 3 1 32K-1 numeric D
--------------------------------------------------------------------------------
timer_wheel_tick 0 0 0 0 100 numeric R
--------------------------------------------------------------------------------

UDP Network Tunable Parameters


--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE
DEPENDENCIES
--------------------------------------------------------------------------------
udp_bad_port_limit 0 0 0 0 8E-1 numeric D
--------------------------------------------------------------------------------
udp_ephemeral_high 64K-1 64K-1 64K-1 32K+1 64K-1 numeric D
udp_ephemeral_low
--------------------------------------------------------------------------------

udp_ephemeral_low 32K 32K 32K 1K 65534 numeric D
udp_ephemeral_high

--------------------------------------------------------------------------------
udp_recvspace 42080 42080 42080 4K 8E-1 byte C
sb_max
--------------------------------------------------------------------------------

udp_sendspace 9K 9K 9K 4K 8E-1 byte C

sb_max

--------------------------------------------------------------------------------
udp_ttl 30 30 30 1 255 second C

--------------------------------------------------------------------------------
udpcksum 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------

IP Network Tunable Parameters


--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE
DEPENDENCIES
--------------------------------------------------------------------------------
directed_broadcast 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ie5_old_multicast_mapping 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ip6_defttl 64 64 64 1 255 numeric D
--------------------------------------------------------------------------------
ip6_prune 1 1 1 1 8E-1 second D


--------------------------------------------------------------------------------
ip6forwarding 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ip6srcrouteforward 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------
ip_ifdelete_notify 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ip_nfrag 200 200 200 1 32K-1 byte D
--------------------------------------------------------------------------------
ipforwarding 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ipfragttl 2 2 2 1 255 halfsecond D
--------------------------------------------------------------------------------
ipignoreredirects 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ipqmaxlen 100 100 100 100 2G-1 numeric R
--------------------------------------------------------------------------------
ipsendredirects 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------
ipsrcrouteforward 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------


ipsrcrouterecv 0 0 0 0 1 boolean D


--------------------------------------------------------------------------------
ipsrcroutesend 1 1 1 0 1 boolean D
--------------------------------------------------------------------------------
lo_perf 1 1 1 0 1 boolean R
--------------------------------------------------------------------------------
maxnip6q 20 20 20 1 32K-1 numeric D
--------------------------------------------------------------------------------
multi_homed 1 1 1 0 3 boolean D

--------------------------------------------------------------------------------
ndogthreads 0 0 0 0 1K numeric D

--------------------------------------------------------------------------------
nonlocsrcroute 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
subnetsarelocal 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------

tn_filter 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------

ARP/NDP Network Tunable Parameters
--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE
DEPENDENCIES
--------------------------------------------------------------------------------
arpqsize 1K 1K 1K 1 32K-1 numeric D
tcp_pmtu_discover
udp_pmtu_discover
--------------------------------------------------------------------------------
arpt_killc 20 20 20 0 255 minute D
--------------------------------------------------------------------------------
arptab_bsiz 7 7 7 1 32K-1 bucket_size R
--------------------------------------------------------------------------------
arptab_nb 149 149 149 1 32K-1 buckets R
--------------------------------------------------------------------------------
dgd_packets_lost 3 3 3 1 32K-1 numeric D


--------------------------------------------------------------------------------
dgd_ping_time 5 5 5 1 8E-1 second D
--------------------------------------------------------------------------------
dgd_retry_time 5 5 5 1 32K-1 numeric D
--------------------------------------------------------------------------------
ndp_mmaxtries 3 3 3 0 8E-1 numeric D


--------------------------------------------------------------------------------
ndp_umaxtries 3 3 3 0 8E-1 numeric D
--------------------------------------------------------------------------------
ndpqsize 50 50 50 1 32K-1 numeric D
--------------------------------------------------------------------------------
ndpt_down 3 3 3 1 8E-1 halfsecond D
--------------------------------------------------------------------------------
ndpt_keep 120 120 120 1 8E-1 halfsecond D


--------------------------------------------------------------------------------
ndpt_probe 5 5 5 1 4G-1 halfsecond D
--------------------------------------------------------------------------------
ndpt_reachable 30 30 30 1 4G-1 halfsecond D
--------------------------------------------------------------------------------
ndpt_retrans 1 1 1 1 4G-1 halfsecond D
--------------------------------------------------------------------------------


passive_dgd 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
rfc1122addrchk 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------

Stream Header Tunable Parameters


--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE
DEPENDENCIES

--------------------------------------------------------------------------------
lowthresh 90 90 90 0 100 %_of_thewall D

--------------------------------------------------------------------------------
medthresh 95 95 95 0 100 %_of_thewall D
--------------------------------------------------------------------------------
nstrpush 8 8 8 8 32K-1 numeric S

--------------------------------------------------------------------------------

psebufcalls 20 20 20 20 8E-1 numeric I

--------------------------------------------------------------------------------
psecache 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------
psetimers 20 20 20 20 8E-1 numeric I
--------------------------------------------------------------------------------
strctlsz 1K 1K 1K 0 32K-1 byte D
--------------------------------------------------------------------------------
strmsgsz 0 0 0 0 32K-1 byte D
--------------------------------------------------------------------------------
strthresh 85 85 85 0 100 %_of_thewall D
--------------------------------------------------------------------------------
strturncnt 15 15 15 1 8E-1 numeric D
--------------------------------------------------------------------------------

Other Network Tunable Parameters


--------------------------------------------------------------------------------
NAME CUR DEF BOOT MIN MAX UNIT TYPE
DEPENDENCIES
--------------------------------------------------------------------------------
bcastping 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
dgd_flush_cached_route 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
icmp6_errmsg_rate 10 10 10 1 255 msg/second D


--------------------------------------------------------------------------------
icmpaddressmask 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
ifsize 256 256 256 8 1K numeric R
--------------------------------------------------------------------------------
igmpv2_deliver 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
llsleep_timeout 3 3 3 1 2G-1 second D


--------------------------------------------------------------------------------
main_if6 0 0 0 0 32K-1 numeric D
--------------------------------------------------------------------------------
main_site6 0 0 0 0 1 boolean D
--------------------------------------------------------------------------------
maxttl 255 255 255 1 255 second D
--------------------------------------------------------------------------------


mpr_policy 1 1 1 1 6 numeric D


--------------------------------------------------------------------------------
pmtu_default_age 10 10 10 0 32K-1 minute D
--------------------------------------------------------------------------------
pmtu_expire 10 10 10 0 32K-1 minute D
--------------------------------------------------------------------------------
pmtu_rediscover_interval 30 30 30 0 32K-1 minute D
--------------------------------------------------------------------------------
route_expire 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------
routerevalidate 0 0 0 0 1 boolean D

--------------------------------------------------------------------------------
rtentry_lock_complex 1 1 1 0 1 boolean R
--------------------------------------------------------------------------------
site6_index 0 0 0 0 32K-1 numeric D

--------------------------------------------------------------------------------

tcp_pmtu_discover 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------
udp_pmtu_discover 1 1 1 0 1 boolean D

--------------------------------------------------------------------------------

n/a means parameter not supported by the current platform or kernel

Parameter types:
S = Static: cannot be changed
D = Dynamic: can be freely changed
B = Bosboot: can only be changed using bosboot and reboot
R = Reboot: can only be changed during reboot
C = Connect: changes are only effective for future socket connections


M = Mount: changes are only effective for future mountings
I = Incremental: can only be incremented

Value conventions:
K = Kilo: 2^10 G = Giga: 2^30 P = Peta: 2^50


M = Mega: 2^20 T = Tera: 2^40 E = Exa: 2^60
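Several of the IP tunables in the listing above are security settings rather than performance settings: ipforwarding, the three ipsrcroute* tunables and nonlocsrcroute (source routing), directed_broadcast and bcastping (broadcast amplification), ipsendredirects and ipignoreredirects (ICMP redirects), icmpaddressmask, clean_partial_conns (SYN flood cleanup) and tcp_tcpsecure (RST/SYN/data injection checks). The following script is an added example, not part of the IBM course material: it compares "no -a" output with a hardening baseline and prints the "no -p -o" commands that would correct each deviation. The baseline values are this example's own choices and must be reviewed per host (a router legitimately runs with ipforwarding=1); the sample "no -a" output is constructed from the DEF column of the listing, not captured from a real machine.

```shell
# Added example: audit system-wide "no" tunables against a hardening baseline.
# Baseline (this example's assumption, not an IBM recommendation):
#   no IP forwarding; do not forward, accept or send source-routed packets;
#   no directed broadcasts or broadcast ping replies; ignore and do not send
#   ICMP redirects; no address-mask replies; clean up half-open connections;
#   tcp_tcpsecure=7 (all three injection protections); socket debug off.
BASELINE="ipforwarding=0 ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 \
nonlocsrcroute=0 directed_broadcast=0 bcastping=0 icmpaddressmask=0 \
ipignoreredirects=1 ipsendredirects=0 clean_partial_conns=1 tcp_tcpsecure=7 sodebug=0"

# Constructed sample of "no -a" output (values taken from the DEF column of
# the tunable listing, not captured from a real host).
SAMPLE="               bcastping = 0
     clean_partial_conns = 0
      directed_broadcast = 0
         icmpaddressmask = 0
            ipforwarding = 0
       ipignoreredirects = 0
         ipsendredirects = 1
       ipsrcrouteforward = 1
          ipsrcrouterecv = 0
          ipsrcroutesend = 1
          nonlocsrcroute = 0
                 sodebug = 0
           tcp_tcpsecure = 0"

# audit_no "<no -a output>": one line per deviation, "name current expected".
# A baseline tunable that does not appear in the output is reported as "missing".
audit_no() {
    printf '%s\n' "$1" | awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # "no -a" prints "name = value"; ignore anything else
        NF == 3 && $2 == "=" && ($1 in want) {
            seen[$1] = 1
            if ($3 != want[$1]) print $1, $3, want[$1]
        }
        END {
            for (k in want) if (!(k in seen)) print k, "missing", want[k]
        }' | sort
}

# remediation "<no -a output>": the "no -p -o" command for each deviation.
# Print and review these before running them; -p makes the change persistent.
remediation() {
    audit_no "$1" | awk '$2 != "missing" { printf "no -p -o %s=%s\n", $1, $3 }'
}

# deviation_count "<no -a output>": number of deviations, for scripting.
deviation_count() {
    audit_no "$1" | wc -l | tr -d ' '
}

# On a real host:  audit_no "$(no -a)"   and   remediation "$(no -a)"
```

Run against the constructed sample, audit_no reports six deviations (clean_partial_conns, ipignoreredirects, ipsendredirects, ipsrcrouteforward, ipsrcroutesend and tcp_tcpsecure), which matches the security-relevant defaults in the listing: AIX ships with source-route forwarding, source-route sending and ICMP redirect generation enabled.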


Changing ISNO parameters


IBM Power Systems

# no -a |grep use_isno
use_isno = "1"

# cat /etc/tunables/lastboot
...
tcp_recvspace = 131072
tcp_sendspace = 16384
rfc1323 = 0
...
(Defaults)

Change / Show a Standard Ethernet Interface

  Network Interface Name                              en4
  INTERNET ADDRESS (dotted decimal)                   [3.18.8.71]
  Network MASK (hexadecimal or dotted decimal)        []
  Current STATE                                       up        +
  Use Address Resolution Protocol (ARP)?              yes       +
  BROADCAST ADDRESS (dotted decimal)                  []
  Interface Specific Network Options
    ('NULL' will unset the option)
    rfc1323                                           [1]
    tcp_mssdflt                                       []
    tcp_nodelay                                       []
    tcp_recvspace                                     [262144]
    tcp_sendspace                                     [262144]

# ifconfig en4
en4: flags=5e080863,c0<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),PSEG,LARGESEND,CHAIN>
        inet 3.18.8.71 netmask 0xff000000 broadcast 3.255.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
ec vo

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 11-11. Changing ISNO parameters AN212.0

Notes:

RFC1323:

The rfc1323 tunable enables the TCP window scaling option (RFC 1323). Window scaling is a negotiated TCP option, so it must be enabled on both endpoints of the TCP connection to take effect. By default, the TCP window size is limited to 65536 bytes (64 K) but can be set higher if the rfc1323 value is set to 1. If you are setting the tcp_recvspace value to greater than 65536, set the rfc1323 value to 1 on each side of the connection. If you do not set the rfc1323 value on both sides of the connection, the effective value for the tcp_recvspace tunable will be 65536. This option adds 12 more bytes to the TCP protocol header, which deducts from the user payload data, so on small MTU adapters this option might slightly hurt performance.
TCP maximum segment size tuning

The maximum size packets that TCP sends can have a major impact on bandwidth, because it is more efficient to send the largest possible packet size on the network.

TCP controls this maximum size, known as maximum segment size (MSS), for each TCP connection. For direct-attached networks, TCP computes the MSS by using the MTU size of the network interface, and then subtracting the protocol headers to come up with the size of data in the TCP packet. For example, Ethernet with an MTU of 1500 would result in an MSS of 1460 after subtracting 20 bytes for the IPv4 header and 20 bytes for the TCP header.

The TCP protocol includes a mechanism for both ends of a connection to advertise the MSS to be used over the connection when the connection is created. Each end uses the Options field in the TCP header to advertise a proposed MSS. The MSS that is chosen is the smaller of the values provided by the two ends. If one endpoint does not provide its MSS, then 536 bytes is assumed, which is bad for performance.

The problem is that each TCP endpoint only knows the MTU of the network it is attached to. It does not know the MTU size of other networks that might be between the two endpoints. So TCP only knows the correct MSS if both endpoints are on the same network. Therefore, TCP handles the advertising of MSS differently depending on the network configuration. It wants to avoid sending packets that might require IP fragmentation over smaller MTU networks.

The value of MSS advertised by the TCP software during connection setup depends on whether the other end is a local system on the same physical network (that is, the systems have the same network number) or whether it is on a different (remote) network.

The tcp_mssdflt option is the TCP MSS size, which represents the TCP data size. There is no need to adjust for other protocol options because TCP handles this adjustment if other options, like the rfc1323 option, are used.

In an environment with a larger-than-default MTU, this method has the advantage in that the MSS does not need to be set on a per-network basis. The disadvantages are as follows:

• Increasing the default can lead to IP router fragmentation if the destination is on a network that is truly remote and the MTUs of the intervening networks are not known.
• The tcp_mssdflt option must be set to the same value on the destination host.

Note: The tcp_mssdflt option is only used when path MTU discovery is disabled (tcp_pmtu_discover set to 0) or path MTU discovery fails.
TCP nodelay

In AIX, the TCP_NODELAY socket option is disabled by default, which might cause large delays for request/response workloads that might only send a few bytes and then wait for a response. TCP implements delayed acknowledgments because it expects to piggyback a TCP acknowledgment on a response packet. The delay is normally 200 ms.

Most TCP implementations implement the Nagle algorithm, where a TCP connection can only have one outstanding small segment that has not yet been acknowledged. This causes TCP to delay sending any more packets until it receives an acknowledgment or until it can bundle up more data and send a full size segment.

Applications that use request/response workloads should use the setsockopt() call to enable the TCP_NODELAY option. For example, the telnet and rlogin utilities, Network File System (NFS), and Web servers already use the TCP_NODELAY option to disable Nagle. Some applications do not do this, which might result in poor performance depending on the network MTU size and the size of the sends (writes) to the socket.

Setting the tcp_nodelay ISNO value to 1 causes TCP to not delay, which disables Nagle for every connection on that interface, and to send a packet for each application send or write.
The tcp_sendspace tunable

The tcp_sendspace tunable specifies how much data the sending application can buffer in the kernel before the application is blocked on a send call. You should set the tcp_sendspace tunable value at least as large as the tcp_recvspace value, and, for higher speed adapters, the tcp_sendspace value should be at least twice the size of the tcp_recvspace value.

The tcp_recvspace tunable

The tcp_recvspace tunable specifies how many bytes of data the receiving system can buffer in the kernel on the receiving socket's queue.

The tcp_recvspace tunable is also used by the TCP protocol to set the TCP window size, which TCP uses to limit how many bytes of data it will send to the receiver to ensure that the receiver has enough space to buffer the data. The tcp_recvspace tunable is a key parameter for TCP performance because TCP must be able to transmit multiple packets into the network to ensure the network pipeline is full. If TCP cannot keep enough packets in the pipeline, then performance suffers.

A common guideline for the tcp_recvspace tunable is to set it to a value that is at least 10 times the MTU size. You can determine the tcp_recvspace tunable value by dividing the bandwidth-delay product value by 8. Bandwidth-delay is computed with the following formula:

bandwidth-delay product = capacity (bits) = bandwidth (bits/second) x round-trip time (seconds)

Dividing the capacity value by 8 converts bits to bytes and provides a good estimate of the TCP window size needed to keep the network pipeline full. The longer the round trip delay and the faster the network speed, the larger the bandwidth-delay product value, and thus the larger the TCP window.

An example of this is a 100 Mbit network with a round trip time of 0.2 milliseconds. You can calculate the bandwidth-delay product value with the formula above.

bandwidth-delay product = 100000000 x 0.0002 = 20000 bits; 20000/8 = 2500 bytes

Thus, in this example, the TCP window size needs to be at least 2500 bytes. On 100 Mbit and gigabit Ethernet on a single LAN, you might want to set the tcp_recvspace and tcp_sendspace tunable values to at least 2 or 3 times the computed bandwidth-delay product value for best performance. Neither value can exceed sb_max (listed as a dependency in the tunable listing), and a window larger than 65536 bytes only takes effect with rfc1323 set to 1 on both ends.
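The sizing rules above (bandwidth-delay product, 2 to 3 times that for a LAN, tcp_sendspace at least twice tcp_recvspace on fast adapters, the sb_max ceiling and the 64 K window-scaling threshold) fit in a short helper. The following is an added example, not part of the IBM course material. Its assumptions: 3x the bandwidth-delay product for the receive window, 2x the receive window for the send buffer, a floor at the 16 K default, and a ceiling at the sb_max value you pass in; the chdev attribute names are the ISNO attributes shown in the SMIT panel above.

```shell
# Added example: plan tcp_recvspace/tcp_sendspace from bandwidth and RTT.
# tcp_window_plan MBIT RTT_MS SB_MAX
# prints: "bdp_bytes recvspace sendspace rfc1323"
tcp_window_plan() {
    awk -v mbit="$1" -v rtt_ms="$2" -v sb_max="$3" 'BEGIN {
        # capacity (bits) = bandwidth (bits/s) x RTT (s); Mbit/s x ms = 10^3 bits
        bdp_bits  = mbit * rtt_ms * 1000
        bdp_bytes = int(bdp_bits / 8 + 0.5)     # bits to bytes, nearest byte
        recv = bdp_bytes * 3                     # 2-3x BDP on a single LAN (assumed 3x)
        if (recv < 16384) recv = 16384           # the 16K default already suffices
        if (recv > sb_max) recv = sb_max         # tcp_recvspace cannot exceed sb_max
        send = recv * 2                          # high-speed adapters: 2x recvspace
        if (send > sb_max) send = sb_max         # tcp_sendspace cannot exceed sb_max
        rfc1323 = (recv > 65535) ? 1 : 0         # window above 64K-1 needs scaling
        printf "%d %d %d %d\n", bdp_bytes, recv, send, rfc1323
    }'
}

# tcp_window_isno IFACE MBIT RTT_MS SB_MAX
# prints the chdev command that applies the plan as ISNO attributes on IFACE
# (rfc1323 must also be enabled on the peer for the larger window to count).
tcp_window_isno() {
    set -- "$1" $(tcp_window_plan "$2" "$3" "$4")
    # $1 iface, $2 bdp_bytes, $3 recvspace, $4 sendspace, $5 rfc1323
    printf 'chdev -l %s -a tcp_recvspace=%s -a tcp_sendspace=%s -a rfc1323=%s\n' \
        "$1" "$3" "$4" "$5"
}

# Example from the notes: 100 Mbit, 0.2 ms RTT, sb_max 1M
#   tcp_window_plan 100 0.2 1048576     -> 2500 16384 32768 0
#   tcp_window_isno en4 1000 0.2 1048576
```

For the 100 Mbit case the computed 2500-byte window is far below the 16 K default, so the defaults stand and no window scaling is needed; at gigabit speed with the same RTT the 3x figure is 75000 bytes, which crosses the 64 K boundary and therefore requires rfc1323 on both ends; at 10 Gbit with a 1 ms RTT the plan hits the sb_max ceiling, which is the signal to raise sb_max first.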
General

ISNO parameters set for an individual interface take precedence over the system wide values set with the no command. The feature is enabled (the default) or disabled for the whole system with the no command use_isno option. It is a restricted tunable (not intended to be changed unless told to do so by AIX Support), and thus should be left enabled.

Example:
# no -p -o use_isno=0
Modification to restricted tunable use_isno, confirmation required yes/no: yes
Warning: a restricted tunable has been modified
Setting use_isno to 0
Setting use_isno to 0 in nextboot file

Most ISNO settings on an interface are set automatically by the method invoked when a high bandwidth network adapter is defined to the kernel. The ISNO setting is made directly to the kernel definitions (as displayed by the ifconfig command) and is not automatically applied to the ODM. The SMIT display of the ODM defined interface attributes will not show these automatic ISNO settings.


Recommended settings for AIX 6.1 and AIX 7.1:



Changing MTU parameters


IBM Power Systems

# lsattr -El en4 |grep mtu
mtu     1500  Maximum IP Packet Size for This Device      True
remmtu  576   Maximum IP Packet Size for REMOTE Networks  True

Change / Show Characteristics of an Ethernet Adapter

                                                    [Entry Fields]
  Ethernet Adapter                                  ent0
  Description                                       2-Port 10/100/1000 Base-TX PCI-X Adapter
  Status                                            Available
  Software transmit queue size                      [8192]     +#
  Rcv descriptor queue size                         [1024]     +#
  TX descriptor queue size                          [512]      +#
  Transmit jumbo frames                             yes        +      (callout: Set MTU to 9000)
  Apply change to DATABASE only                     no         +
  Enable failover mode                              disable    +
  (Note: some items removed for clarity.)

# chdev -l en4 -a mtu=<value>
# ifconfig en4 mtu <value>
(Custom settings)

Figure 11-12. Changing MTU parameters AN212.0

Notes:

The maximum transmission unit (MTU) and maximum segment size (MSS) settings are important factors in tuning AIX for throughput.

For best throughput for systems on the same type of network, it is advisable to use a large MTU. In multi-network environments, if data travels from a network with a large MTU to a smaller MTU, the IP layer has to fragment the packet into smaller packets to facilitate transmission on a smaller MTU network. This costs the receiving system CPU time to reassemble the fragmented packets. When the data travels to a remote network, TCP in AIX has traditionally defaulted to a conservative maximum segment size (MSS) of 512 bytes (remmtu = 576 bytes); the tunable listing earlier in this unit shows tcp_mssdflt at 1460 on current releases. The conservative value is based on a requirement that all IP routers support an MTU of at least 576 bytes.

Do not increase the MTU on only one station in a LAN. All stations on a LAN should have the same effective MTU value.

Note: Jumbo frames can be enabled on gigabit Ethernet and 10 gigabit Ethernet adapters. Doing so raises the MTU to 9000 bytes. Because there is less overhead per packet, jumbo frames typically provide better performance, lower CPU consumption, or both. Consider using jumbo frames especially if you have a network dedicated to backup tasks. Jumbo frames should only be considered if all equipment between your clients and servers supports jumbo frames, including routers and switches.

Packet analysis: tcpdump


IBM Power Systems

• Useful problem determination (PD) tool: dumps the headers of packets on a network interface
• Supports filtering of packets
  – Otherwise prints a lot of information
• Default is to send a one-line summary of each captured packet to standard output
• Can send output to a file using the -w flag
  – Use the -r flag to read the output file
  – Can also send to stdout and to a file using the -l flag (line-buffered output)
• Example: # tcpdump -l | tee /tmp/data_dump
ec vo


Figure 11-13. Packet analysis: tcpdump AN212.0

Notes:

The tcpdump command prints out the headers of packets on a network interface that
match a Boolean filter expression. By default it captures only the first 96 bytes of each
packet (the "capture size" it reports when it starts), which is enough for the Ethernet, IP,
and TCP or UDP headers but usually not for the payload; use iptrace when the payload
matters. Capturing packets requires root authority.

For further details see the man page.


tcpdump examples (1 of 2)
• Window 1: DNS server

nimmaster:/ # tcpdump -i en0 port 53 and host statler
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type 1, capture size 96 bytes
12:25:01.686703 IP statler.lpar.co.uk.39953 > nimmaster.lpar.co.uk.domain: 23909+ A? www.bbc.co.uk. (31)
12:25:01.705845 IP nimmaster.lpar.co.uk.domain > statler.lpar.co.uk.39953: 23909 2/2/2 CNAME[|domain]

• Window 2: DNS client

statler.lpar.co.uk:/ # echo "\n$(date)\n" && host www.bbc.co.uk

Tue 22 Sep 12:25:01 2009

www.bbc.net.uk is 212.58.253.67, Aliases: www.bbc.co.uk
to fo
ec vo


Figure 11-14. tcpdump examples (1 of 2) AN212.0

Notes:

The visual shows the packet header transactions between a DNS client and server when the
client issues a lookup request: the query for www.bbc.co.uk (ID 23909, the "+" meaning
recursion desired, 31 bytes) goes from an ephemeral client port to port 53 on nimmaster, and
the reply with the same ID comes back about 19 ms later carrying 2 answer, 2 authority, and
2 additional records, the first of which is a CNAME. The "[|domain]" marker means the 96-byte
capture was too short to decode the rest of the reply.

tcpdump examples (2 of 2)
• To print all packets arriving at or departing from lpar1:
  – # tcpdump host lpar1

• To print all FTP traffic through Internet gateway R123:
  – # tcpdump 'gateway R123 and (port ftp or ftp-data)'

• To print all ICMP packets that are not echo requests or replies
  (for instance, not ping packets):
  – # tcpdump 'icmp[icmptype] != icmp-echo and \
     icmp[icmptype] != icmp-echoreply'
to fo
ec vo


Figure 11-15. tcpdump examples (2 of 2) AN212.0

Notes:

Packet analysis: iptrace


• tcpdump is fine if you only require packet header or high-level packet transaction flow
  information.
• If you wish to view the entire packet including the payload (data), then iptrace must be used.
• As with tcpdump, flags can be used to filter the traffic
  – Based on source and destination host, interface, protocol, and port number
• Example of use:
  – /usr/sbin/iptrace [flags] logfile
  – iptrace can also be managed through SRC
• The ipreport command must be used to view the output.
to fo
ec vo


Figure 11-16. Packet analysis: iptrace AN212.0

Notes:

The iptrace daemon records Internet packets received from configured interfaces.
Command flags provide a filter so that the daemon traces only packets meeting specific
criteria. By default, packets are traced only between the local host on which the iptrace
daemon is invoked and the remote host; the -e flag puts the interface into promiscuous
mode so that traffic between other hosts on the segment is recorded as well.

The ipreport command must be used to view the output of an iptrace. The output can be
transferred and viewed in a product called Wireshark (see Windows interoperability unit).

Because the trace file contains complete packets, including any cleartext payload such as
passwords, protect it like a credential store and delete it once the problem is solved.

For further details see the man page.

iptrace: Sample packet output


Packet Number 5
ETH:  ====( 150 bytes transmitted on interface en0 )==== 13:19:33.360833294
ETH:    [ ea:48:f0:00:30:02 -> 3a:6e:a6:02:67:9d ] type 800 (IP)              <- Layer 2
IP:     < SRC = 10.47.1.19 > (statler.lpar.co.uk)
IP:     < DST = 10.47.1.33 > (nimmaster)                                      <- Layer 3
IP:     ip_v=4, ip_hl=20, ip_tos=16, ip_len=136, ip_id=4542, ip_off=0 DF
IP:     ip_ttl=60, ip_sum=1611, ip_p = 6 (TCP)
TCP:    <source port=21(ftp), destination port=42408 >                        <- Layer 4
TCP:    th_seq=49635133, th_ack=2486030143
TCP:    th_off=8, flags<PUSH | ACK>
TCP:    th_win=65522, th_sum=0, th_urp=0
TCP:    nop
TCP:    nop
TCP:    timestamps TSVal: 0x4b2476c5 TSEcho: 0x4ae40b2a
TCP: 00000000     32323020 73746174 6c65722e 6c706172     |220 statler.lpar|
TCP: 00000010     2e636f2e 756b2046 54502073 65727665     |.co.uk FTP serve|
TCP: 00000020     72202856 65727369 6f6e2034 2e322057     |r (Version 4.2 W|
TCP: 00000030     6564204f 63742031 2030393a 34303a30     |ed Oct 1 09:40:0|
TCP: 00000040     35204344 54203230 30382920 72656164     |5 CDT 2008) read|   <- data
TCP: 00000050     792e0d0a                                |y...            |
ec vo


Figure 11-17. iptrace: Sample packet output AN212.0

Notes:

When looking at a sample packet (captured using iptrace), we can see the following
information:

• Layer 2: Ethernet frame with source and destination MAC addresses and the EtherType
  (800 = IP)
• Layer 3: IP header with source and destination IP addresses, total length (136), identification,
  the DF (don't fragment) flag, TTL, header checksum, and the protocol number (6 = TCP)
• Layer 4: TCP header with source and destination port numbers (21 = ftp), sequence and
  acknowledgement numbers, flags, window, and options, followed by the payload or data,
  shown both as hex and as ASCII: here the FTP server's 220 greeting banner, readable in clear
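As an added example (not from the course material), the decoder below reads the same three layers from raw bytes that ipreport prints for the packet above. The frame is constructed in code to match the sample (same MACs, addresses, ports 21 to 42408, PUSH|ACK, NOP/NOP/timestamp options, and the 84-byte FTP banner); it is not a capture from the course lab. The IP header checksum is recomputed so a corrupted header is noticed rather than decoded blindly.

```python
"""Added example (not from the AIX course): build and decode an Ethernet II /
IPv4 / TCP frame shaped like the iptrace sample packet. The frame is constructed
here, not captured; field values are taken from the sample output."""
import socket
import struct


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload,
                seq=49635133, ack=2486030143, ttl=60, tos=16, ip_id=4542):
    """Assemble Ethernet II + IPv4 (DF set) + TCP (PUSH|ACK, NOP/NOP/timestamp options)."""
    tcp_opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, 0x4B2476C5, 0x4AE40B2A)
    data_offset = (20 + len(tcp_opts)) // 4          # 8 32-bit words, as th_off=8 above
    flags = 0x08 | 0x10                              # PUSH | ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, 65522, 0, 0) + tcp_opts + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ip_id, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp


def decode_frame(frame):
    """Return the fields ipreport shows for layers 2, 3 and 4, plus the payload."""
    out = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])          # Layer 2
    out["eth"] = {"src": ":".join("%02x" % b for b in src),
                  "dst": ":".join("%02x" % b for b in dst), "type": ethertype}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]                                                     # Layer 3
    ver_ihl, tos, ip_len, ip_id, frag, ttl, proto, csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {"ip_v": ver_ihl >> 4, "ip_hl": ihl, "ip_tos": tos, "ip_len": ip_len,
                 "ip_id": ip_id, "DF": bool(frag & 0x4000), "MF": bool(frag & 0x2000),
                 "ip_off": frag & 0x1FFF, "ip_ttl": ttl, "ip_p": proto,
                 "src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
                 "checksum_ok": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum}
    if proto != 6:
        return out
    tcp = ip[ihl:ip_len]                                                # Layer 4
    sport, dport, seq, ack, off_res, flags, win, tsum, urp = struct.unpack("!HHIIBBHHH", tcp[:20])
    th_off = off_res >> 4
    names = [n for bit, n in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                              (0x08, "PUSH"), (0x10, "ACK"), (0x20, "URG")) if flags & bit]
    out["tcp"] = {"sport": sport, "dport": dport, "th_seq": seq, "th_ack": ack,
                  "th_off": th_off, "flags": names, "th_win": win, "th_urp": urp,
                  "options": tcp[20:th_off * 4]}
    out["payload"] = tcp[th_off * 4:]
    return out


if __name__ == "__main__":
    banner = b"220 statler.lpar.co.uk FTP server (Version 4.2 Wed Oct 1 09:40:05 CDT 2008) ready.\r\n"
    frame = build_frame("ea:48:f0:00:30:02", "3a:6e:a6:02:67:9d",
                        "10.47.1.19", "10.47.1.33", 21, 42408, banner)
    for layer, fields in decode_frame(frame).items():
        print(layer, fields)
```

The constructed frame comes out at 150 bytes with ip_len=136, matching the sample, because 20 IP + 32 TCP (20 plus 12 bytes of options) + 84 bytes of banner is exactly what the hex dump shows.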



iptrace examples (1 of 2)
• Capturing the root password by sniffing FTP data

Window 1: on the FTP server (statler), start a trace of all traffic on port 21:

statler.lpar.co.uk:/ # iptrace -a -p 21 /tmp/iptrace
[262184]

Window 2: the FTP client (nimmaster) logs in as root:

nimmaster:/ # ftp statler
Connected to statler.lpar.co.uk.
220 statler.lpar.co.uk FTP server (Version 4.2 Wed Oct 1 09:40:05 CDT 2008) ready.
Name (statler:root):
331 Password required for root.
Password:
230-Last unsuccessful login: Thu 7 May 09:56:26 2009 on ssh from waldorf.lpar.co.uk
230-Last login: Tue 22 Sep 12:01:13 2009 on /dev/pts/0 from nimmaster
230 User root logged in.
ftp> bye
221 Goodbye.

Window 1: stop the trace and search the report for the PASS command:

statler.lpar.co.uk:/ # kill 262184
statler.lpar.co.uk:/ # iptrace: unload success!
statler.lpar.co.uk:/ # ipreport -n -s /tmp/iptrace | grep "|PASS"
TCP: 00000000     50415353 2069626d 6169780d 0a          |PASS ibmaix..   |
ec vo


Figure 11-18. iptrace examples (1 of 2) AN212.0

Notes:

The example in the visual shows how the root password can be captured using the iptrace and
ipreport commands. FTP (like telnet, rlogin, and rsh) sends the user name and password in
cleartext, so anyone who can run iptrace on either end, or sniff the segment in between, can
read them. Use ssh, scp, or sftp for administrative access instead, and do not allow root to
log in over FTP at all.
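The grep above finds one PASS line by hand. The following added example (not part of the course material) does the same job systematically: it parses the "TCP: offset hex-words |ascii|" payload lines that ipreport -n -s prints, reassembles each packet's payload across multiple dump lines, and reports every cleartext FTP USER and PASS. SAMPLE_REPORT is constructed here in the ipreport layout (the banner and PASS packets copy the hex shown on the slides; the USER and 331 packets are made up to complete the exchange); it is not a real trace.

```python
"""Added example (not from the AIX course): parse ipreport TCP payload dumps and
flag cleartext FTP credentials. SAMPLE_REPORT is constructed, not captured."""
import re

PACKET_HDR = re.compile(r"^Packet Number (\d+)")
# "TCP: <offset> <hex words ...> |<ascii>|"; the ASCII column after '|' is ignored.
HEX_LINE = re.compile(r"^TCP:\s+([0-9a-f]{8})\s+((?:[0-9a-f]{2,8}\s+)+)\|")

SAMPLE_REPORT = """\
Packet Number 2
ETH:  ====( 150 bytes transmitted on interface en0 )==== 13:19:33.360833294
IP:     < SRC = 10.47.1.19 > (statler.lpar.co.uk)
IP:     < DST = 10.47.1.33 > (nimmaster)
TCP:    <source port=21(ftp), destination port=42408 >
TCP:    th_off=8, flags<PUSH | ACK>
TCP: 00000000     32323020 73746174 6c65722e 6c706172     |220 statler.lpar|
TCP: 00000010     2e636f2e 756b2046 54502073 65727665     |.co.uk FTP serve|
TCP: 00000020     72202856 65727369 6f6e2034 2e322057     |r (Version 4.2 W|
TCP: 00000030     6564204f 63742031 2030393a 34303a30     |ed Oct 1 09:40:0|
TCP: 00000040     35204344 54203230 30382920 72656164     |5 CDT 2008) read|
TCP: 00000050     792e0d0a                                |y...            |
Packet Number 3
TCP:    <source port=42408, destination port=21(ftp) >
TCP: 00000000     55534552 20726f6f 740d0a                |USER root..     |
Packet Number 4
TCP:    <source port=21(ftp), destination port=42408 >
TCP: 00000000     33333120 50617373 776f7264 20726571     |331 Password req|
TCP: 00000010     75697265 6420666f 7220726f 6f742e0d     |uired for root..|
TCP: 00000020     0a                                      |.               |
Packet Number 5
TCP:    <source port=42408, destination port=21(ftp) >
TCP: 00000000     50415353 2069626d 6169780d 0a          |PASS ibmaix..   |
"""


def payloads(report_lines):
    """Yield (packet_number, payload_bytes) for every packet that has a TCP hex dump."""
    number, chunks = None, []
    for line in report_lines:
        m = PACKET_HDR.match(line)
        if m:
            if chunks:
                yield number, b"".join(chunks)
            number, chunks = int(m.group(1)), []
            continue
        m = HEX_LINE.match(line)
        if m:
            chunks.append(bytes.fromhex(m.group(2)))   # fromhex ignores the spaces
    if chunks:
        yield number, b"".join(chunks)


def find_credentials(report_lines):
    """Return [(packet_number, "USER" or "PASS", value)] for cleartext FTP logins."""
    found = []
    for number, data in payloads(report_lines):
        cmd = data[:4].upper()                         # FTP commands are case-insensitive
        if cmd in (b"USER", b"PASS") and data[4:5] == b" ":
            value = data[5:].split(b"\r\n", 1)[0]
            found.append((number, cmd.decode(), value.decode("ascii", "replace")))
    return found


if __name__ == "__main__":
    for number, cmd, value in find_credentials(SAMPLE_REPORT.splitlines()):
        print("packet %d: %s %s" % (number, cmd, value))
```

To run it against a real report, replace SAMPLE_REPORT.splitlines() with the lines of `ipreport -n -s /tmp/iptrace`; the same parser recovers any other cleartext payload (telnet keystrokes, HTTP Basic headers) once you change the command prefixes it looks for.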
u

iptrace examples (2 of 2)
• To record packets coming in and going out from a specific remote host (lpar1):
  – # iptrace -i en0 -s lpar1 -b /tmp/iptrace_capt

• To record all packets (promiscuous mode) on all network adapters, suppressing ARP
  packets:
  – # iptrace -a -e /tmp/iptrace_prom_capt

• To record all ICMP and UDP protocol traffic:
  – # iptrace -P icmp,udp /tmp/iptrace.proto

• To record all traffic on ports 22 and 25 (no space after the comma, or the shell passes
  25 to iptrace as the log file name):
  – # iptrace -p 22,25 /tmp/iptrace.port
ec vo


Figure 11-19. iptrace examples (2 of 2) AN212.0

Notes:

Checkpoint (1 of 2)
1. A system cannot communicate with the rest of the network.
   Using the example below, what is the problem?

# ifconfig en0
en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1

.
2. What is the difference between throughput and latency?
to fo
ec vo


Figure 11-20. Checkpoint (1 of 2) AN212.0

Notes:

Write your answers here:



Checkpoint (2 of 2)
3. A client daemon (clinfoES) contacts a server every 30 seconds on port 6174 to obtain
   the status of an HA cluster. What command can you use to analyze the client-server
   interaction?

4. Which command can you use to check the physical link status of an Ethernet adapter?

5. How can you easily check bandwidth performance on a network?
to fo
ec vo


Figure 11-21. Checkpoint (2 of 2) AN212.0

Notes:

Write your answers here:



Exercise introduction
• In this exercise, you will:
  – Perform TCP/IP troubleshooting
ec vo


Figure 11-22. Exercise introduction AN212.0

Notes:

Unit summary
Having completed this unit, you should be able to:
• Perform TCP/IP troubleshooting on AIX
• Solve common TCP/IP problems
  – Connectivity
  – Duplicate IP addresses
  – Problems with network services
  – Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Inspect IP data using tcpdump and iptrace
• Analyze the output of an iptrace
ec vo


Figure 11-23. Unit summary AN212.0

Notes:
Unit 12. Time services

What this unit is about

This unit introduces the time server.

What you should be able to do

After completing this unit, you should be able to:
• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon

How you will check your progress
• Checkpoint questions
• Lab exercises

Unit objectives
After completing this unit, you should be able to:
• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon


Figure 12-1. Unit objectives AN212.0

Notes:

Network Time Protocol


• NTP: Network Time Protocol
• RFC 1305
• Synchronizes time between systems
• μsec precision

[Figure: a Time Server distributing time to several client systems]
ec vo


Figure 12-2. The Network Time Protocol AN212.0

Notes:

The Network Time Protocol (NTP) is an Internet standard protocol (version 3 is specified in
RFC 1305) which synchronizes time between systems on a TCP/IP network. Depending on
circumstances, the precision is in the microsecond range (one millionth of a second) on a
local network; across the Internet, accuracy within tens of milliseconds is more typical.

Sources of time
• Directly connected atomic clock
  – Highest precision but very expensive
• Radio time receiver
  – Fairly expensive
  – Precise
• Global positioning system (GPS) satellite receiver
  – Cheap
  – Reception problem: does not work indoors
• Another NTP server
  – Adds incremental error
• Internal system clock
  – Useful if no other sources are available
ec vo


Figure 12-3. Sources of time AN212.0

Notes:

Keeping accurate track of the correct time has been a problem for many centuries. As it
turns out, the rotation speed of the earth is not constant enough to rely on, so people have
used stellar observations, moon phases, and even witchcraft to track the current time.

More recently, atomic clocks have been introduced which measure time by counting the
natural resonance frequency of the caesium-133 atom (9,192,631,770 Hz, which is how the
SI second is defined). These systems are off by less than a second in a million years. For an
example of such a clock see http://www.boulder.nist.gov/timefreq/cesium/fountain.htm.

Obviously, it would be ridiculous as an individual to go out and buy such an atomic clock
and connect it to your AIX system. That is why various state-sponsored organizations with
an atomic clock have connected radio transmitters to their clock and broadcast the correct
time to anyone interested. By connecting a (still fairly expensive) receiver to your computer,
you can synchronize your computer to the atomic clock of that organization. This method is
very precise, since the source of the signal is well known and the distance, and therefore
the propagation delay, can be easily measured.
Another, more recent method is using the signal from global positioning system (GPS)
satellites to measure the correct time. Each GPS satellite has its own atomic clock on board
which it uses to send the correct time and its current position to earth. By tracking four or
more satellites and measuring the differences in received time, you can work out the exact
time and the exact position of the receiver. Most GPS receivers can be connected to a
computer using the serial or USB port and thus can become a source of correct time. One
disadvantage of GPS is that the signals do not pass through buildings, so you have to
place your receiver near a window or buy an extra antenna.

Once you have a system set to the correct time, you can use the NTP protocol to transfer
this time to other clients. Note, however, that each communication link, because of
variations in latency and bandwidth, adds a little error. This is normally countered by using
multiple servers, so that a single server with a wrong or drifting clock is outvoted by the
others. Various public NTP servers on the Internet exist which can be used.

As a last resort, if no other means are available, you can connect your NTP server to the
local clock of your system. This is useful if you are on an isolated network and do not want
to invest in radio or GPS receivers but keeping time synchronized between the systems is
nevertheless necessary.

Stratum
• The stratum number identifies how far you are from the time source.
• The maximum stratum is 15.

[Figure: sender -> receiver (Stratum 0) -> time server (Stratum 1) -> two time servers
(Stratum 2) -> three time clients (Stratum 3)]
ec vo


Figure 12-4. Stratum AN212.0

Notes:

The stratum number is the number of hops you are away from the reference clock. For the
purpose of NTP, stratum 0 (zero) is defined as the receiver (radio, GPS) itself. Stratum 1 is
the server which connects to this receiver directly, stratum 2 retrieves the time from the
stratum 1 server, and so forth. A server advertises its stratum in every packet it sends, and
a client sets its own stratum to one more than that of the server it synchronizes to.

In NTP, the maximum usable stratum number is 15. A server whose packets carry stratum 0
(unspecified) or a value above 15 (unsynchronized) must not be used as a time source.

NTP communications methods


• Unicast
• Broadcast using the local broadcast address
• Multicast using IANA reserved address 224.0.1.1

.
C
.F a
C rm
to fo
ec vo


Figure 12-5. NTP communications methods AN212.0

Notes:

All NTP communications are done over UDP port 123. There are three ways a client can
obtain the time from the server.

• The first method is by sending a unicast request to the server. In this case, the server is
  passive. It waits for clients to contact it and answers each request with a single reply.
• The second method is by listening to a broadcast from the server. In this case, the
  server is active. It periodically broadcasts time information to the local network. The
  broadcast address being used is the local broadcast address (the host part of the IP
  address is all ones). Broadcasts do not cross routers, so every subnet needs its own
  broadcasting server.
• The third method is by listening to a multicast from the server. In this case, the server is
  again active. It periodically multicasts time information to the IANA assigned multicast
  address 224.0.1.1. If all routers are configured correctly, this ensures that the
  information is only sent to the clients who are really interested in time information. And
  since multicasts can traverse routers, you only need one or a few time servers in your
  network instead of one for every subnet.

Note that a broadcast or multicast client accepts time from whichever server speaks on the
segment, whereas a unicast client talks only to the servers it has been configured with, so
unicast is the safer choice where you do not control every host on the network.
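The following is an added example, not part of the course material, showing what the unicast exchange above and the stratum rules look like on the wire: the 48-byte RFC 1305 packet, the four timestamps, and the offset and delay arithmetic a client performs. The server reply used for the checks is constructed in code, not captured; query_server() does a real UDP exchange on port 123 but is only invoked when you run the file with a host name on the command line. The sanity checks in check_reply() (mode, echoed originate timestamp, stratum range, leap indicator) are the minimum a client should apply before it trusts a reply.

```python
"""Added example (not from the AIX course): NTP (RFC 1305) packet format,
unicast client/server exchange, and clock offset computation. The server reply
used in the tests is constructed, not captured."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800     # seconds between 1900-01-01 and 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
MAX_STRATUM = 15                   # 0 is "unspecified"; above 15 is unsynchronized


def to_ntp(unix_seconds):
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum=0, transmit=0, receive=0, originate=0, version=3):
    """48-byte header: LI(2) VN(3) mode(3); stratum; poll; precision; root delay;
    root dispersion; reference id; reference, originate, receive, transmit timestamps."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       0, originate, receive, transmit)


def parse_packet(data):
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = struct.unpack("!BBbbIIIQQQQ", data[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll": f[2], "precision": f[3], "reference": f[7],
            "originate": f[8], "receive": f[9], "transmit": f[10]}


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 1305: t1 client send, t2 server receive, t3 server send, t4 client receive
    (NTP timestamps). Returns (offset, round-trip delay) in seconds."""
    a, b, c, d = (from_ntp(x) for x in (t1, t2, t3, t4))
    return ((b - a) + (c - d)) / 2, (d - a) - (c - b)


def check_reply(request, reply):
    """Checks a client should make before trusting a reply; returns the parsed reply."""
    req, rep = parse_packet(request), parse_packet(reply)
    if rep["mode"] != MODE_SERVER:
        raise ValueError("reply is not a server packet (mode %d)" % rep["mode"])
    if rep["originate"] != req["transmit"]:
        raise ValueError("originate timestamp does not echo our transmit timestamp")
    if rep["stratum"] == 0 or rep["stratum"] > MAX_STRATUM:
        raise ValueError("server is unsynchronized (stratum %d)" % rep["stratum"])
    if rep["leap"] == 3:
        raise ValueError("server reports clock not synchronized (LI=3)")
    return rep


def query_server(host, timeout=2.0):
    """Unicast exchange: send a mode-3 request, validate the mode-4 reply,
    return (offset, delay, stratum)."""
    t1 = to_ntp(time.time())
    request = build_packet(MODE_CLIENT, transmit=t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
    t4 = to_ntp(time.time())
    rep = check_reply(request, reply)
    offset, delay = clock_offset_and_delay(t1, rep["receive"], rep["transmit"], t4)
    return offset, delay, rep["stratum"]


if __name__ == "__main__" and len(sys.argv) > 1:
    print("offset %+.6f s, delay %.6f s, stratum %d" % query_server(sys.argv[1]))
```

The originate-timestamp check is what makes an unsolicited or spoofed reply useless to an attacker who cannot see the request: the value is chosen by the client and must be echoed back exactly.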


NTP overview
• ntpdate: Retrieves time from an NTP server and sets the internal clock (only once)
  – Run before starting xntpd
• xntpd: Synchronizes time with another NTP server (continuously)
  – Can act as server and client
  – Configuration file /etc/ntp.conf
• ntpq: Queries a time server
• ntptrace: Determines where an NTP server gets its time
  – Can follow the chain of servers
  – Identify the master time source
• xntpdc: Queries and controls the xntpd daemon
  – Documentation under man pages
  – Subcommands with online help
ec vo


Figure 12-6. NTP overview AN212.0

Notes:

The NTP package implements an NTP time server. The package contains a number of
binary programs, sample configuration files, and on-line documentation. The two most
important programs are ntpdate and xntpd.

ntpdate is usually started by hand (although some people run it out of cron). It connects to
a time server, retrieves the correct time, sets the local clock to the correct time, and exits.
This provides a lightweight method of setting the time on your system, but after ntpdate is
done, the system essentially runs free again. Do not run nt pdate while xntpd is active: both
adjust the same clock, and ntpdate normally refuses to run when the daemon already holds
UDP port 123.

xntpd is the NTP daemon which slaves itself to another time source, continuously
monitoring the other source and adjusting the local time. It can also function as an NTP
server, providing time for other clients. It is configured with the file /etc/ntp.conf.
Important to note is that xntpd will not correct a time difference between itself and the time
server that exceeds its sanity limit (about 1000 seconds); it logs the error and exits instead.
It is therefore common to run ntpdate before starting xntpd.

/etc/ntp.conf configuration file


• /etc/ntp.conf configures the xntpd daemon
• xntpd start-up through:
  – /etc/rc.tcpip
  – Command line (SRC subsystem)
• Most common directives in /etc/ntp.conf:
  – server <ip address>: Connect to a server with a lower stratum
  – peer <ip address>: Synchronize with a peer of equal stratum
  – fudge <ip address> <options>: Change parameters of a server or peer
    (for example, stratum)
  – broadcast <ip address>: Broadcast time to <ip address> (can also be 224.0.1.1)
  – broadcastclient: Listen on the local broadcast address
  – multicastclient: Listen on multicast address 224.0.1.1
  – driftfile <filename>: File where the local clock drift is stored
ec vo


Figure 12-7. /etc/ntp.conf configuration file AN212.0

Notes:

The xntpd subsystem can be started from the command line using:
# startsrc -s xntpd

If you want it to also start at each system restart, it needs to be uncommented in the
/etc/rc.tcpip script. SMIT provides a convenient way to both start it now and update rc.tcpip:
# smit xntpd

The /etc/ntp.conf file configures the xntpd daemon. It usually consists of a few lines
only. The following directives are common:

• server <ip address> identifies the server to connect to for the correct time. The
  xntpd daemon also automatically retrieves the stratum number of that server and sets
  its own stratum number one higher.
• Multiple server statements can be used. If one of the statements has the prefer
  keyword, then this server has preference over other servers.

• peer <ip address> identifies a peer server to connect to for the correct time. A peer
  server always has the same stratum. If the times on two peers are not the same, the
  average is taken.1
• fudge <ip address> <options> changes the parameters of an earlier defined
  server or peer. For example, normally a server or peer will automatically transfer its
  stratum number to the client, but with the fudge option you can change that stratum
  number to something else.
• broadcast <ip address> configures this NTP server to broadcast the time to the
  specified broadcast address (this should be the local broadcast address) or to the
  multicast address 224.0.1.1.
• broadcastclient configures this NTP client to listen to NTP broadcasts on the local
  broadcast address.
• multicastclient configures this NTP client to listen to NTP multicasts on the
  multicast address 224.0.1.1.
• driftfile is the name of the file where the drift of the local clock is stored. This drift is
  automatically determined by measuring the adjustments needed to the local clock over
  a period of time. In case the NTP server cannot be contacted, the xntpd daemon will
  nevertheless keep applying the same adjustments (taken from the driftfile) to reach a
  high degree of precision.

1 Actually, the algorithm is a little more ingenious than this, but the times will slowly converge.
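As an added example (not from the course material), here is a complete /etc/ntp.conf assembled from the directives above for an internal server that takes time from two upstream servers, keeps its own clock only as a fallback, and serves one LAN. The host names and addresses are assumptions; /etc/ntp.drift is the path the stock AIX configuration uses. The restrict lines are not covered by the text: they are the access-control directive of xntpd, added here because a server without them answers xntpdc/ntpq queries and accepts runtime configuration requests from any host that can reach port 123. The commented-out line shows the weak form beside the corrected one.

```conf
# Added example /etc/ntp.conf (not from the course). Names and addresses are assumed.
driftfile /etc/ntp.drift

# Upstream sources: two servers so a single bad clock can be outvoted; prefer one.
server ntp1.example.com prefer
server ntp2.example.com

# Local clock as last resort only. Fudge it to a high stratum so that it is never
# chosen while a real server is reachable (the driver's default would be stratum 3).
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Serve this LAN by broadcast as well as by unicast.
broadcast 192.168.1.255

# Weak setting: no restrict lines at all (anyone can query status and send
# xntpdc runtime configuration requests).
# restrict default
#
# Hardened: by default answer nothing but time; let the LAN query time, never
# modify; give the local host full access for xntpdc/ntpq administration.
restrict default ignore
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
```

After editing the file, restart the daemon with `stopsrc -s xntpd; startsrc -s xntpd` and confirm with `ntpq -p` that the upstream servers, not the fudged local clock, are selected.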


Receiver pseudo IP addresses


• All supported non-NTP sources of time have a pseudo IP address 127.127.t.u where:
  – t is the clock type
  – u indicates the connection (values 0 through 3)
• Clock types can be found at:
  http://doc.ntp.org/4.1.2/refclock.html
• The connection number maps to the port by creating a symbolic link:
  # ln -s /dev/tty# /dev/wwvb<u>
• Examples:
  – server 127.127.1.0: Local system clock (undisciplined)
  – server 127.127.20.0: GPS receiver conforming to the NMEA protocol on tty0
• These are only for local reference clocks
  – The pseudo IP address is not used to communicate over the network.
ec vo


Figure 12-8. Receiver pseudo IP addresses AN212.0

Notes:

If you want to receive time from a radio or GPS receiver, there is nothing magical you need
to do. xntpd has built-in support for most receivers. This support is activated by using the
server keyword in the /etc/ntp.conf file with a pseudo IP address of the form 127.127.t.u.
Such an IP address would normally not be used (technically, it is one of the 16 million
reserved loopback addresses) and is therefore used within xntpd to address the receiver.
The value t identifies the clock type, and the value u defines the connection, such as the
serial port to use. To relate the u value to the actual serial port being used, you need to
create a symbolic link between the reference clock special device filename of /dev/wwvb#
(where # is the u value) and the tty special device filename (such as /dev/tty0).

The following two examples are useful:
• Server 127.127.1.0 identifies the (first) local system clock. By connecting to this clock,
  you get a free-running NTP server which can be used on an isolated network. The
  stratum number obtained when connecting to this address is three instead of one, but
  you can change this with the fudge keyword.
• Server 127.127.20.0 identifies a GPS receiver which conforms to the NMEA protocol on
  tty0. (tty1 would be 127.127.20.1.) Most GPS receivers support this.

Timed daemon
• Alternative to NTP/xntpd if the NTP protocol is not implemented in your network
• Makes sure clocks are synchronized with each other, but not necessarily absolutely
  correct
• Supports automatic discovery of time servers

[Figure: a Timed Master Server with two Timed Submaster Servers below it]
ec vo

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp

Figure 12-9. Timed daemon AN212.0

Notes:

If you do not have a good time source for the NTP protocol, or no Internet connection to
use public NTP servers, you might benefit from using the timed daemon instead of xntpd.
The timed daemon synchronizes one machine's clock with those of other machines on the
local area network that are also running the timed daemon. The timed daemon slows the
clocks of some machines and speeds up the clocks of other machines to create an average
network time. It is important to realize that this average network time is not synchronized to
any clock outside the network so, after a while, it will be off anyway. For some protocols,
such as Kerberos and DHCP, it is only important that there is no difference between the
different systems, not that the time is absolutely correct. In those situations, the timed
daemon can help.

When the timed daemon is started without the -M flag, the machine locates the nearest
master time server (through a broadcast) and asks for the network time. The machine then
uses the date command to set the machine's clock to the network time. The machine
accepts synchronization messages sent periodically by the master time server and calls
the adjtime subroutine to perform the needed corrections on the machine's clock.

The timedc command controls the operation of the timed daemon. The timedc command
can measure the difference between clocks on various machines on a network, find the
location of the master time server, enable or disable tracing of messages received by the
timed daemon, and debug.


timed command
Change/Show Restart Characteristics of timed Subsystem

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                          [Entry Fields]
* TRACE timed messages received                            no                  +
* Include this host in the ELECTION of MASTER timeserver   no                  +
  VALID NETWORK to check for timeserver                    []
  IGNORE this NETWORK when checking for timeserver         []

Figure 12-10. timed command AN212.0

Notes:

/usr/sbin/timed [ -c ] [ -M ] [ -t ] [ [ -n Network ] ... | [ -i Network ] ... ]

Flags
-c Specifies that the master-timed daemon should ignore the time values it gets from the
other slave-timed daemons when calculating the average network time. This flag
changes the network time to be the same as the system clock on the master-timed
daemon.
-i Network Specifies a network to be excluded from clock synchronization. The Network
variable can be either a network address or a network name. If a network name is specified
for the Network variable, the network name must be defined in the /etc/networks file.
Specify one network address or network name with each -i flag. Do not use this flag with
the -n flag.
-M Specifies the machine as a master or submaster time server on its local area networks.
If a master time server is not currently available on a network, the machine becomes the
master time server for that network. If a master time server already exists on a network, the
machine becomes a submaster time server on that network. However, the machine can
become the master time server if the current master time server becomes inoperative. The
timed daemon creates the /var/adm/timed.masterlog file when the timed daemon is
started with the -M flag.
-n Network Specifies a network to include in clock synchronization. The Network
variable can be either a network address or a network name. If a network name is specified
for the Network variable, the network name must be defined in the /etc/networks file.
Specify one network address or network name with each -n flag. Do not use this flag with
the -i flag.
-t Allows the timed daemon to trace the messages it receives and store them in the
/var/adm/timed.log file. You can also use the timedc command to activate tracing.
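The following Python model is an added example, not IBM code and not the algorithm of the real daemon. It illustrates two points from the notes above: the network time timed converges on is an average of the participating clocks, so the hosts end up agreeing with each other while keeping a shared error against true time that nothing inside the network can correct; and with the -c flag the master ignores the slaves, so the network time becomes the master's own clock. The model assumes a plain arithmetic mean of the measured offsets (the real daemon's outlier handling is not modelled) and uses constructed clock readings.

```python
"""Simplified model of timed's average network time (added example, not IBM code).

Assumption: the network time is the arithmetic mean of all participating
clocks; with ignore_slaves=True (modelling 'timed -c') it is the master's clock.
Offsets are seconds relative to true time; positive means the clock runs ahead.
"""
from typing import Dict

# Constructed clock readings for the example (error against true time, seconds).
SAMPLE_OFFSETS: Dict[str, float] = {
    "master": 2.0,
    "node1": -4.0,
    "node2": 5.0,
    "node3": -1.0,
}


def network_time(offsets: Dict[str, float], master: str, ignore_slaves: bool = False) -> float:
    """Offset (from true time) of the network time the master settles on."""
    if master not in offsets:
        raise KeyError(f"unknown master {master}")
    if ignore_slaves:                       # 'timed -c': master's clock is the network time
        return offsets[master]
    return sum(offsets.values()) / len(offsets)


def corrections(offsets: Dict[str, float], master: str, ignore_slaves: bool = False) -> Dict[str, float]:
    """Per-host adjustment the master sends; each host applies its own with adjtime."""
    target = network_time(offsets, master, ignore_slaves)
    return {host: target - off for host, off in offsets.items()}


def apply(offsets: Dict[str, float], corr: Dict[str, float]) -> Dict[str, float]:
    """Clock state after every host has applied its correction."""
    return {host: offsets[host] + corr[host] for host in offsets}


def max_skew(offsets: Dict[str, float]) -> float:
    """Largest difference between any two clocks: what Kerberos or DHCP care about."""
    return max(offsets.values()) - min(offsets.values())


def residual_error(offsets: Dict[str, float]) -> float:
    """Mean distance of the group from true time: what timed cannot fix without NTP."""
    return abs(sum(offsets.values())) / len(offsets)


if __name__ == "__main__":
    for mode in (False, True):
        after = apply(SAMPLE_OFFSETS, corrections(SAMPLE_OFFSETS, "master", mode))
        print(f"ignore_slaves={mode}: skew {max_skew(after):.1f}s, "
              f"error vs true time {residual_error(after):.1f}s")
```

The skew between hosts goes to zero in both modes; the residual error stays at the group average (or at the master's own error with -c), which is exactly why the notes say the network time "will be off anyway".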


timedc command
• Purpose
  – Returns information about the timed daemon
• Syntax
  – timedc [ Subcommand [ Parameter ... ] ]
• Example
  – timedc msite

Figure 12-11. timedc command AN212.0

Notes:

Variables - The timedc command recognizes the following subcommands:

• ? [ Parameter ... ] Displays a short description of each variable specified in the
parameter list. The ? subcommand only works in interactive mode. If you give no
variable, the ? subcommand shows a list of subcommands recognized by the timedc
command.
• clockdiff Host ... Computes the differences between the clock of the host machine and
the clocks of the machines given as variables.
• election Host ... Requests that the timed daemon on the specified hosts reset its
election timers and ensure that a timed master server is available. Up to 4 hours can be
specified. If a master timed server is no longer available, then the timed daemon on the
specified hosts will request to become the new timed master server. The specified hosts
must be running the timed daemon in submaster mode with the -M flag.
• help [ Parameter ... ] Displays a short description of each subcommand specified in the
parameter list. If you give no variables, the help subcommand shows a list of
subcommands recognized by the timedc command.
• msite Finds the location of the master site.
• quit Exits the timedc command.
• trace { on | off } Enables or disables tracing of incoming messages to the timed
daemon. The messages are held in the /var/adm/timed.log file.


setclock command
• Purpose
  – Sets the time and date for a host on a network
• Syntax
  – /usr/sbin/setclock [ TimeServer ]
• If the TimeServer argument is missing, setclock uses the timeserver hostname, if defined.

Figure 12-12. setclock command AN212.0

Notes:

The /usr/sbin/setclock command gets the time from a network time server and, if run
by a user with root user authority, sets the local time and date accordingly.

The setclock command takes the first response from the time server, converts the
calendar clock reading found there, and displays the local date and time. If the setclock
command is run by the root user, it calls the standard workstation entry points to set the
system date and time.

If no time server responds or if the network is not operational, the setclock command
displays a message to that effect and leaves the current date and time settings of the
system unchanged.

Parameter - TimeServer - The host name or address of a network host that services time
requests. The setclock command sends an Internet time service request to a time server
host. If the time server name is omitted, the setclock command sends the request to the
default time server. The default time server is the IP address related to the hostname
timeserver (resolved through either DNS or /etc/hosts).
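The following Python program is an added example, not the AIX setclock source. The notes say setclock sends an "Internet time service request"; this example assumes that means the TCP TIME protocol (RFC 868), in which the server answers a connection with a single 32-bit big-endian count of seconds since 1 January 1900 UTC. The server side here is a constructed stand-in listening on the loopback interface, so the exchange runs without a real time server. Because the reply is not authenticated, the client also refuses to accept a reading that would move the local clock by more than a bounded amount, a check setclock itself does not describe.

```python
"""RFC 868 TIME exchange of the kind setclock performs (added example, not IBM code).

Assumption: the "Internet time service" is the TIME protocol, TCP port 37,
reply = 4 bytes, seconds since 1900-01-01 00:00 UTC. The server below is a
one-shot loopback stand-in constructed for this example.
"""
import socket
import struct
import threading
import time
from typing import Callable

# Seconds between the TIME epoch (1900) and the Unix epoch (1970).
EPOCH_1900_TO_1970 = 2208988800


def encode_time(unix_seconds: int) -> bytes:
    """Pack a Unix timestamp as the 4-byte TIME value (wraps at 2^32 like the protocol)."""
    return struct.pack("!I", (unix_seconds + EPOCH_1900_TO_1970) & 0xFFFFFFFF)


def decode_time(payload: bytes) -> int:
    """Unpack a 4-byte TIME value to a Unix timestamp; anything else is a protocol error."""
    if len(payload) != 4:
        raise ValueError("TIME reply must be exactly 4 bytes")
    (seconds_1900,) = struct.unpack("!I", payload)
    return seconds_1900 - EPOCH_1900_TO_1970


def serve_once(clock: Callable[[], int]) -> int:
    """Start a one-shot loopback TIME server in a thread; return the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port instead of the privileged 37
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(encode_time(clock()))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def fetch_time(host: str, port: int, timeout: float = 5.0) -> int:
    """Client side: connect, read the 4-byte reply, return a Unix timestamp."""
    payload = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(payload) < 4:
            chunk = s.recv(4 - len(payload))
            if not chunk:               # peer closed early: decode_time will reject it
                break
            payload += chunk
    return decode_time(payload)


def check_step(local_now: int, server_time: int, max_step: int = 3600) -> bool:
    """Refuse a reading that would move the local clock by more than max_step seconds."""
    return abs(server_time - local_now) <= max_step


if __name__ == "__main__":
    port = serve_once(lambda: int(time.time()))
    reading = fetch_time("127.0.0.1", port)
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(reading))
    print(f"server says {reading} ({stamp} UTC); safe to apply: "
          f"{check_step(int(time.time()), reading)}")
```

The 1900-based counter is the reason a 4-byte reply can only be read correctly until 2036; check_step is the kind of plausibility bound worth adding in front of any unauthenticated time source before it is allowed to set the system clock.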


Checkpoint
1. What is the name of the subsystem that provides NTP time services on AIX and what
configuration file does it use?

2. True or False: When configuring NTP services, the server directive can specify a serial
port attached clock source or a server in a lower stratum.

3. How does the setclock command know what server to query?

Figure 12-13. Checkpoint AN212.0

Notes:

Exercise introduction
• In this exercise, you will:
  – Configure and use the NTP time service on AIX

Figure 12-14. Exercise introduction AN212.0

Notes:

Uempty

Unit summary
Having completed this unit, you should be able to:

• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon

Figure 12-15. Unit summary AN212.0

Notes:

Appendix A. IPv6

What this unit is about


This unit describes the IPv6 protocol and the way it is implemented on
a Linux system.

What you should be able to do

After completing this unit, you should be able to:

• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6

How you will check your progress

• Checkpoint questions


Unit objectives
After completing this unit, you should be able to:

• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6

Figure A-1. Unit objectives AN212.0

Notes:

IP version 6
• Successor to (current) IP version 4
  – IPv5 (Stream Protocol, RFC 1819) never made it
• Major improvements over IPv4:
  – Hugely expanded address space
  – Performance improvements
  – Functionality enhancements
  – Security enhancements
• Most modern routers, operating systems, and applications support IPv6 today.
• An IPv6 backbone has existed on the Internet for a number of years.
  – Accessible via a tunnel over IPv4
• On July 20, 2004, ICANN added the root DNS zones for IPv6 to the root DNS servers.

Figure A-2. IP version 6 AN212.0

Notes:

IP Version 6 is deemed to be the successor to the current IP Version 4 protocol. There has
been a proposal for IP Version 5 (the stream protocol, see RFC 1819), but this protocol has
never made it.

IPv6 has a large number of improvements over IPv4.

• The address space (the number of potential addresses) has been increased
tremendously. This is the most obvious change as you go from IPv4 to IPv6, and
is also the most important reason for the switch. We are going to cover this in the
next visual.
• There have been several performance enhancements. One example of this is
the fact that the IPv6 header no longer contains a checksum. In IPv4, this
checksum was present, and needed to be checked and recalculated at every
hop (router), because the checksum also covered the hop counter (TTL) which
changes at every hop.


Another performance improvement is the addition of a flow label. Traditionally, IP is a
stateless protocol, which means that a router needs to inspect all parameters of each IP
packet, and make a routing decision again for every packet.
A sender of a series of IPv6 packets can add a flow label to each of these packets. This
identifies each individual IP packet as belonging to the same stream and needing the
exact same treatment (routing decision) as the first packet of the stream. This can
increase router performance since a simple lookup in, for instance, a hash table is far
faster than having to make a full routing decision.
Yet another performance improvement is the fact that the IPv6 header no longer
supports options. Because of this, the header size is now fixed, which allows for yet
more performance optimizations in router code.
• There are several functionality enhancements. Most of these are in the form of
additional headers which can be inserted between the main IPv6 header and the
higher-layer protocol header (for example, TCP or UDP).
• Security has now been incorporated in the protocol in the form of IPSec. This
means that encryption and authentication can be done at a really low level in the
protocol stack, which makes it easier to obtain good security in applications.
Most modern operating systems, routers, and other devices have supported IPv6 for a
number of years now. Also, IPv6 support has been available on the Internet for a number of
years. The final bits were put in place on July 20th, 2004, when the ICANN added the
resource records and zone files for IPv6 to the root name servers.
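The following Python program is an added example, not course code, that makes the two performance points above concrete at the byte level. An IPv4 router that decrements the TTL has to verify and recompute the header checksum on every packet; an IPv6 router decrements the hop limit in a fixed 40-byte header that carries no checksum, and the 20-bit flow label can key a cache lookup instead of a full routing decision. The IPv4 header bytes are the standard worked example of the one's-complement checksum; the IPv6 header, the flow-cache contents and the outbound interface names are constructed for the example.

```python
"""Per-hop header work in IPv4 versus IPv6 (added example, not IBM code).

Packet bytes are constructed for this example; no packets are sent.
"""
import ipaddress
import struct
from typing import Dict, Tuple


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words with the checksum field taken as zero."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack(f"!{len(h) // 2}H", h))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_forward(header: bytes) -> bytes:
    """What an IPv4 router must do to the header: verify, TTL-1, recompute the checksum."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if ipv4_checksum(header) != struct.unpack("!H", header[10:12])[0]:
        raise ValueError("bad header checksum, drop")
    ttl = header[8] - 1
    if ttl == 0:
        raise ValueError("TTL expired, drop")
    out = bytearray(header)
    out[8] = ttl
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))   # the per-hop extra work
    return bytes(out)


IPV6_HEADER_LEN = 40


def build_ipv6_header(src: bytes, dst: bytes, label: int, payload_len: int,
                      next_header: int = 6, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, 20-bit flow label."""
    first_word = (6 << 28) | (label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def ipv6_forward(header: bytes) -> bytes:
    """What an IPv6 router must do to the header: hop limit-1, nothing else changes."""
    if len(header) < IPV6_HEADER_LEN or header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    hop = header[7] - 1
    if hop == 0:
        raise ValueError("hop limit expired, drop")
    out = bytearray(header)
    out[7] = hop
    return bytes(out)


def flow_label(header: bytes) -> int:
    """The 20-bit flow label from the first 32-bit word of an IPv6 header."""
    return struct.unpack("!I", header[:4])[0] & 0xFFFFF


def flow_cache_lookup(cache: Dict[Tuple[bytes, int], str], header: bytes) -> str:
    """(source, flow label) keyed lookup standing in for the hash table the notes mention."""
    return cache.get((header[8:24], flow_label(header)), "full routing decision")


# Standard worked IPv4 header (TTL 64, checksum 0xb861) and a constructed IPv6 header.
SAMPLE_IPV4 = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
SRC6 = ipaddress.IPv6Address("3ffe:ffff::1").packed
DST6 = ipaddress.IPv6Address("3ffe:ffff:100:f101::9566").packed
SAMPLE_IPV6 = build_ipv6_header(SRC6, DST6, label=0x12345, payload_len=20)

if __name__ == "__main__":
    v4 = ipv4_forward(SAMPLE_IPV4)
    print(f"IPv4: TTL {SAMPLE_IPV4[8]} -> {v4[8]}, checksum {SAMPLE_IPV4[10:12].hex()} -> {v4[10:12].hex()}")
    v6 = ipv6_forward(SAMPLE_IPV6)
    print(f"IPv6: hop limit {SAMPLE_IPV6[7]} -> {v6[7]}, flow label {flow_label(v6):#x}, "
          f"bytes changed: {sum(a != b for a, b in zip(SAMPLE_IPV6, v6))}")
```

The contrast is visible in the two forward functions: the IPv4 path touches the checksum twice per hop, while the IPv6 path changes exactly one byte, and the flow label gives a router a cheap key for packets that need the same treatment.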

IPv6 addresses
• 128 bits (versus 32 bits for IPv4)
  – This makes for potentially
    340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
    (340 undecillion* and then some)
• Notation using hexadecimal, with colons after each 16 bits:
  3ffe:ffff:0100:f101:0000:0000:0000:9566
• May remove leading zeros within a block and one consecutive series of blocks of
  zeros: 3ffe:ffff:100:f101::9566
• Netmasks work just like IPv4, but only the CIDR notation is used:
  3ffe:ffff:100:f101::9566/64

* 10^36 ... a really BIG number!

Figure A-3. IPv6 addresses AN212.0

Notes:

The most obvious change in IPv6 is the increase in IP address length. IPv4 has an address
length of 32 bits, which gives 2^32 addresses (a little over four billion). IPv6, in contrast, has
an address length of 128 bits which gives 2^128 addresses (a little over 340 undecillion). And
because IPv6 uses Classless Inter Domain Routing (CIDR) from the start, and a more
granular way of distributing IP addresses over providers, the portion of the address space
that can actually be used is also larger than IPv4. So IPv6 should provide us with enough
addresses for many years to come. That is probably a good thing because we might just be
able to switch the whole of the current Internet over from IPv4 to IPv6, but it will be almost
impossible to switch to yet another version of IP after that.
Because IPv6 addresses are so incredibly large, the notation of these addresses has
changed. We no longer use decimal addresses but use hexadecimal instead: 8 groups of
16 bits each, written in hexadecimal and separated by colons. To make things a little
shorter, you can leave out the leading zeros in a block and replace a single series of blocks
of zeros with ::.
Netmasks work just like in IPv4, but only the CIDR slash notation is used.


Another useful difference is that in IPv6, each interface can explicitly have multiple IP
addresses. This was not possible according to the IPv4 standard, and that is why, in IPv4,
we sometimes need to do IP aliasing. That is no longer needed in IPv6.
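The following Python program is an added example, not course code, that implements the two shortening rules just described (drop leading zeros inside a block, fold one run of zero blocks into ::) and the reverse expansion, then cross-checks the result against the standard library's ipaddress module. The choices it makes where the notes are silent are its own assumptions: the longest zero run is folded, the first one on a tie, and a single zero block is written as 0 rather than ::, which matches what ipaddress does.

```python
"""Expand and compress IPv6 addresses by the rules in the notes (added example, not IBM code).

Assumptions beyond the notes: fold the longest run of zero blocks (first run on a
tie) and never fold a single zero block. A CIDR prefix is split off and kept.
"""
import ipaddress
from typing import List, Tuple


def split_prefix(text: str) -> Tuple[str, int]:
    """Separate '3ffe:ffff::1/64' into ('3ffe:ffff::1', 64); 128 when no prefix is given."""
    addr, _, plen = text.partition("/")
    prefix = int(plen) if plen else 128
    if not 0 <= prefix <= 128:
        raise ValueError(f"bad prefix length {prefix}")
    return addr, prefix


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit blocks of an address written in either form."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(b, 16) for b in head.split(":") if b]
        right = [int(b, 16) for b in tail.split(":") if b]
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = left + [0] * missing + right
    else:
        blocks = [int(b, 16) for b in addr.split(":")]
    if len(blocks) != 8 or any(not 0 <= b <= 0xFFFF for b in blocks):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return blocks


def full_form(addr: str) -> str:
    """Eight zero-padded blocks, e.g. 3ffe:ffff:0100:f101:0000:0000:0000:9566."""
    return ":".join(f"{b:04x}" for b in expand(addr))


def compress(addr: str) -> str:
    """Shortest form: strip leading zeros and fold the longest zero run into '::'."""
    blocks = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                          # scan runs of zero blocks
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexblocks = [f"{b:x}" for b in blocks]   # leading zeros dropped per block
    if best_len < 2:                         # a lone zero block stays '0'
        return ":".join(hexblocks)
    left = ":".join(hexblocks[:best_start])
    right = ":".join(hexblocks[best_start + best_len:])
    return f"{left}::{right}"


def netmask_bits(prefix: int) -> str:
    """Binary netmask for a CIDR prefix length; IPv6 has no dotted-mask form."""
    if not 0 <= prefix <= 128:
        raise ValueError(f"bad prefix length {prefix}")
    return "1" * prefix + "0" * (128 - prefix)


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our shortest form equals the ipaddress module's."""
    return compress(addr) == str(ipaddress.IPv6Address(full_form(addr)))


if __name__ == "__main__":
    for text in ("3ffe:ffff:0100:f101:0000:0000:0000:9566/64", "::1", "2001:db8:0:0:1:0:0:1"):
        addr, plen = split_prefix(text)
        print(f"{text:45} full {full_form(addr)}  short {compress(addr)}/{plen}  "
              f"stdlib agrees: {matches_stdlib(addr)}")
```

The scan in compress is the whole rule: one pass to find the longest zero run, then the blocks either side of it are printed without padding. netmask_bits shows why a dotted netmask is not used: at 128 bits the prefix length is the only sensible way to write it.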


IPv6 address ranges


• ::/128: Unspecified address
  – Used if an address is unknown, for the default route, or as any address when binding
    to an interface.
• ::1/128: Loopback address
• fe80::/64: Prefix used for link-local addresses
  – Automatically assigned to an interface
  – Cannot be routed
  – The host part is typically based on the MAC address
• fec0::/64 - feff::/64: Prefix used for site-local addresses
  – Used for intranets, like RFC 1918 addresses
• 2xxx::/64 and 3xxx::/64: Prefix used for globally assigned unicast addresses
• ffxx::/64: Used for various multicast addresses

Figure A-4. IPv6 address ranges AN212.0

Notes:

Just as with IPv4, the IPv6 address range has been divided up into a number of ranges,
each with their own purpose.(1) Here are the most important addresses and address ranges:

• ::/128 (the all-zeros address) is the so-called unspecified address, just as
0.0.0.0 in IPv4. It is used if an address is unknown, to identify the default route,
or as an any address when binding to an interface.
• ::1/128 (127 zeros followed by a 1) is the loopback address. In IPv6, only one
loopback address is assigned. IPv4 had the whole 127.0.0.0/255.0.0.0 network
(16 million addresses) reserved for loopback.
• fe80::/64 is the address range which is used for so-called link-local
addresses. Link-local addresses are addresses that only operate on a single link
(LAN). They are not routable. On local area networks, the host part of the IP
address (the last 64 bits) is based on the 48-bit MAC address of the adapter.
This host part is calculated using the IEEE EUI-64 method. We will cover that in
the next visual.

(1) Actually, most of the address space has not been divided up yet and is left open for future applications.


There are more addresses reserved for link-local addresses (fe80::/64 through
febf::/64), but only fe80::/64 is in use today.
• fec0::/64 through feff::/64 is reserved for site-local addresses. This
means that you can use these addresses on intranets, just like 10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16 on IPv4. Site-local addresses are not
routable on the Internet, so they also provide you with a measure of security.
• All addresses 2xxx::/64 and 3xxx::/64 are currently reserved as globally
routable Internet addresses and are given out by ISPs to customers. If you hook
up to the global IPv6 Internet, you will need an address range which is a subset
of this range.
There are two exceptions to this. 2001:0db8::/32 and 3ffe:ffff::/32 are
ranges that are set apart for documentation and examples. They should not be routable
on the Internet. The idea is that people who blindly copy configuration files and
examples will not by accident use IP addresses assigned to somebody else.
• Finally, all addresses ffxx::/64 are used for various multicast address ranges.
Several multicast scopes exist (node, link, site, organization, and global), each
with their own address range.
Note that, within IPv6, there is no such thing as a broadcast anymore. The broadcast of
IPv4 has been replaced with a link-local multicast.
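The following Python program is an added example, not course code, that classifies addresses into the ranges listed above exactly as the notes give them, including the two documentation prefixes that should never end up in a real configuration, and reads the multicast scope out of the second byte. The scope numbers (1 node, 2 link, 5 site, 8 organization, e global) come from the IPv6 addressing architecture rather than from the notes, and the audit function and its sample address list are constructed for the example.

```python
"""Classify IPv6 addresses into the ranges the notes list (added example, not IBM code).

Uses the standard ipaddress module. The multicast scope nibble values are an
assumption taken from the IPv6 addressing architecture, not from the notes.
"""
import ipaddress
from typing import List, Tuple

# (label, network), most specific first so the documentation ranges win over
# the global unicast block that contains them.
RANGES: List[Tuple[str, ipaddress.IPv6Network]] = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("documentation (2001:db8::/32)", ipaddress.IPv6Network("2001:db8::/32")),
    ("documentation (3ffe:ffff::/32)", ipaddress.IPv6Network("3ffe:ffff::/32")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),     # fe80::/64 .. febf::/64
    ("site-local", ipaddress.IPv6Network("fec0::/10")),     # fec0::/64 .. feff::/64
    ("global unicast", ipaddress.IPv6Network("2000::/3")),  # 2xxx:: and 3xxx::
    ("multicast", ipaddress.IPv6Network("ff00::/8")),       # ffxx::
]

# Low nibble of the second byte of a multicast address (assumption, see docstring).
MULTICAST_SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}


def classify(addr: str) -> str:
    """Label for the first range that contains addr; anything else is still unassigned."""
    ip = ipaddress.IPv6Address(addr)
    for label, net in RANGES:
        if ip in net:
            return label
    return "unassigned / reserved"


def multicast_scope(addr: str) -> str:
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    nibble = packed[1] & 0x0F
    return MULTICAST_SCOPES.get(nibble, f"scope {nibble:x}")


def is_internet_routable(addr: str) -> bool:
    """Only plain global unicast is expected to be routed on the public IPv6 Internet."""
    return classify(addr) == "global unicast"


def audit(addrs: List[str]) -> List[str]:
    """Flag addresses copied from documentation, which will never be routable."""
    findings = []
    for a in addrs:
        label = classify(a)
        if label.startswith("documentation"):
            findings.append(f"{a}: {label}, copied from an example")
    return findings


# Constructed sample list for the example.
SAMPLE_ADDRESSES = ["::", "::1", "fe80::1", "fec0:1::2", "3ffe:ffff::2", "2a00::1", "ff02::1", "ff05::2"]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        extra = f" ({multicast_scope(a)} scope)" if classify(a) == "multicast" else ""
        print(f"{a:12} {classify(a)}{extra}")
    for f in audit(SAMPLE_ADDRESSES):
        print("finding:", f)
```

The ordering of RANGES is the only subtle part: 3ffe:ffff::/32 lies inside 2000::/3, so the documentation entries must be tested before the global unicast entry or the audit would never fire.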

Assigning IPv6 addresses in AIX


• Run autoconf6 -A to assign link-local and loopback addresses and enable IPv6.
• Uncomment the autoconf6 line in /etc/rc.tcpip to enable IPv6 on next reboot.
• To configure IPv6 addresses on an adapter:
  – ifconfig en0 inet6 fec0:1::2/64 up
  – ifconfig en0 inet6 3ffe:ffff::2/64 alias
• To change the ODM:
  – chdev -l en0 -a netaddr6=fec0:1::2 -a prefixlen=64 -a state=up
  – chdev -l en0 -a alias6=3ffe:ffff::2 -a prefixlen=64 -a state=up
• To assign the default route:
  – route add -inet6 default 3ffe:ffff::1
• To put the default route in the ODM:
  – chdev -l inet0 -a rout6=net,,,,,'default','3ffe:ffff::1'
• Or use smitty configtcp6

Figure A-5. Assigning an IPv6 address in Linux AN212.0

Notes:

To start using IPv6, the first thing you need to do is run the autoconf6 -A command. This
configures all interfaces with the appropriate link-local address. It also configures the
loopback interface with the correct IPv6 loopback address and enables IPv6. If you only
want to run IPv6 on the en0 interface, use the command autoconf6 -i en0 instead.

To make sure IPv6 is enabled at system boot, uncomment the autoconf6 line in
/etc/rc.tcpip, and add -A or -i <interface> as appropriate. The line will then look like
this:
start autoconf6 "" -A
You can now add IPv6 addresses to interfaces. The first address is added with the
following command: ifconfig en0 inet6 <address>/<prefixlen> up. Note that this will
overwrite any link-local addresses that autoconf6 configured though. For any additional
addresses, use alias instead of up.
To set the default router, use the route add -inet6 default <address> command.


Make sure that all your changes make it into the ODM as well by executing the appropriate
chdev command or from SMIT with the configtcp6 fastpath.


Dynamic IPv6 addresses in AIX


• ndpd-host: Neighbor discovery protocol - host daemon
  – Runs on an IPv6 host
  – Takes over all IPv6 interfaces and configures them with a link-local address
  – Upon reception of a router advertisement message, configures all interfaces
    with appropriate site-local and global addresses plus any routing table entries
  – startsrc -s ndpd-host
• ndpd-router
  – Runs on an IPv6 router
  – Takes over all IPv6 interfaces and configures them with a link-local address
  – Configures site-local and global addresses on all interfaces based on
    information in /etc/gateway6
  – Advertises the site-local and global addresses to all hosts
  – startsrc -s ndpd-router
• View status of discovered neighbors with ndp -a

Figure A-6. Dynamic IPv6 addresses in AIX AN212.0

Notes:

Just as with IPv4, it is also possible to dynamically assign IPv6 addresses to hosts. In fact,
it is easier to do this with IPv6 than with IPv4 due to the vastly increased address space.
After all, with so many addresses available we can (and do) simply incorporate the MAC
address into the IP address, with an appropriate prefix, without worrying that we might run
out of addresses. It is also usually not necessary to worry about lease times and such.
In fact, the only thing a host needs to know to configure the appropriate IPv6 address is the
site-local or global prefix. These prefixes are normally advertised by IPv6 routers through
the neighbor discovery protocol.
Under AIX, the NDP is implemented in two daemons, one running on a non-routing host,
and another running on routers.

The ndpd-host daemon runs on non-routing hosts. It takes over the interfaces and initially
configures them with link-local addresses only. If it receives a router advertisement
message containing site-local or global address prefixes, it will automatically configure the
appropriate site-local or global addresses on the interfaces as well and will add any routing
table entries that are appropriate.


The ndpd-router daemon runs on an AIX router. It is configured with appropriate site-local
and global address prefixes, plus a series of options, in the /etc/gateway6 file. It will
then advertise its routes on all locally connected networks. The hosts on these networks
can use these advertisement messages to configure their own site-local and global
addresses.
As IPv6 routing is normally done on dedicated equipment and not on AIX, we will not cover
the configuration of the ndpd-router daemon in this course.

To view the cache of the ndpd-host daemon, use the ndp program. The -a option shows
the full cache.
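The following Python program is an added example, not the AIX ndpd-host daemon, and it serves two passages: the IEEE EUI-64 host part mentioned under the link-local range (the MAC address split into its two halves with ff:fe inserted and the universal/local bit flipped), and the router advertisement that supplies the site-local or global prefix a host combines with that host part. It builds a constructed ICMPv6 Router Advertisement carrying one Prefix Information option, parses it back the way a host would, and derives the addresses an ndpd-host-style client would configure. The sample MAC address and prefixes are constructed; the ICMPv6 checksum is left at zero because the bytes never leave the program.

```python
"""Router advertisement parsing and EUI-64 address derivation (added example, not IBM code).

The RA bytes are constructed here (ICMPv6 checksum left zero); nothing is sent
or received. Message layout follows the Neighbor Discovery RA format.
"""
import ipaddress
import struct
from typing import List, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
PREFIX_FLAG_AUTONOMOUS = 0x40          # 'A' flag: prefix may be used for autoconfiguration

# Each entry: (prefix bytes, prefix length, valid lifetime, autonomous flag)
PrefixInfo = Tuple[bytes, int, int, bool]


def eui64_from_mac(mac: str) -> bytes:
    """48-bit MAC -> modified EUI-64 interface identifier (8 bytes)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    first = octets[0] ^ 0x02            # flip the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def address_from_prefix(prefix: bytes, iid: bytes) -> str:
    """Join the first 64 bits of a prefix with an 8-byte interface identifier."""
    return str(ipaddress.IPv6Address(prefix[:8] + iid))


def build_router_advertisement(prefix: str, plen: int = 64, valid: int = 86400,
                               router_lifetime: int = 1800) -> bytes:
    """Constructed RA: 16-byte ICMPv6 RA header followed by one Prefix Information option."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen,
                         0x80 | PREFIX_FLAG_AUTONOMOUS, valid, valid, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed


def parse_router_advertisement(msg: bytes) -> Tuple[int, List[PrefixInfo]]:
    """Return (router lifetime, prefix information options) or reject a malformed message."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERTISEMENT or msg[1] != 0:
        raise ValueError("not a router advertisement")
    router_lifetime = struct.unpack("!H", msg[6:8])[0]
    prefixes: List[PrefixInfo] = []
    pos = 16
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0 or pos + olen > len(msg):      # zero-length options must be dropped
            raise ValueError("malformed option length")
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen, flags = msg[pos + 2], msg[pos + 3]
            valid = struct.unpack("!I", msg[pos + 4:pos + 8])[0]
            prefixes.append((msg[pos + 16:pos + 32], plen, valid,
                             bool(flags & PREFIX_FLAG_AUTONOMOUS)))
        pos += olen                                  # unknown options are skipped
    return router_lifetime, prefixes


def slaac_addresses(mac: str, ra: bytes) -> List[str]:
    """Link-local address first, then one address per usable autonomous /64 prefix."""
    iid = eui64_from_mac(mac)
    addrs = [address_from_prefix(ipaddress.IPv6Address("fe80::").packed, iid)]
    _, prefixes = parse_router_advertisement(ra)
    for prefix, plen, valid, autonomous in prefixes:
        if autonomous and plen == 64 and valid > 0:
            addrs.append(address_from_prefix(prefix, iid))
    return addrs


# Constructed inputs for the example.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_RA = build_router_advertisement("3ffe:ffff::")

if __name__ == "__main__":
    lifetime, prefixes = parse_router_advertisement(SAMPLE_RA)
    print(f"router lifetime {lifetime}s, {len(prefixes)} prefix option(s)")
    for a in slaac_addresses(SAMPLE_MAC, SAMPLE_RA):
        print("configure", a)
```

The MAC-derived interface identifier is the same in every address the host configures, which is what makes the link-local and global addresses above share their last 64 bits; a router advertisement is accepted without any authentication, so the prefix a host ends up with is whatever the last advertisement on the link said.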


Connecting to the worldwide IPv6 network


• Most ISPs do not offer IPv6 connectivity by default (yet).
• To connect to the WW IPv6 network anyway, you need to set up an IPv6-over-IPv4
  tunnel to an ISP offering IPv6 services.
• This can be done using various standard and non-standard methods, depending on
  provider and operating system in use.
• Examples:
  – http://www.6bone.net
  – http://www.freenet6.net
• When signing up, you typically get a full /48 network (64000 networks of 2^64 hosts each)

Figure A-7. Connecting to the worldwide IPv6 network AN212.0

Notes:

Once we have configured our own internal IPv6 network, we will want to connect it to the
worldwide IPv6 network. This is a step which is slightly more complicated than with IPv4,
since most ISPs do not offer IPv6 connectivity by default (yet). If your ISP offers it at all,
then it is usually a premium service.

All is not lost, however, if your regular ISP does not offer IPv6 connectivity. There are
several standard and non-standard methods of creating tunnels to an IPv6 capable ISP
over a regular IPv4 network. What method to choose is dependent on the IPv6 ISP you use
and the operating system in use.
When you sign up for IPv6 connectivity, you will typically receive your own /48 network
(64000 networks of 2^64 hosts each) for free. This whole address range (2^80 addresses) is
fully routable on the whole Internet. This is a vast improvement over IPv4, where you have
to make a serious business case if you want to receive more than a handful of routable IP
addresses for your environment.


IPv6 addresses in DNS


• Modern name servers (including BIND 9) support IPv6
• Forward lookups:
  – Use the AAAA resource record type to assign an IPv6 address to a host name
• Reverse lookups:
  – Use the ip6.arpa reverse lookup zone (current standard)
  – Use the ip6.int reverse lookup zone (for backwards compatibility)
  – Both can refer to the same zone file

Figure A-8. IPv6 addresses in DNS AN212.0

Notes:
With IPv6 addresses being four times as large as IPv4 addresses, we will definitely want
these addresses to be incorporated in our DNS tables. Fortunately, this is possible
because all modern name servers (including BIND 9) support IPv6.

This support extends to two things:

• Listening on IPv6-enabled interfaces and handling DNS traffic to and from IPv6 hosts.
BIND 9 also supports ACLs based on IPv6 addresses, and so forth. (Remember to include
your IPv6 prefixes in allow-transfer, allow-recursion and similar lists; a list that only
names IPv4 prefixes refuses clients arriving over IPv6.)
• Support for IPv6-specific resource record types.

Here, we are going to discuss the second item: the changes that need to be made to our
zone data to incorporate IPv6 addresses in our tables. There are two issues to discuss:
forward and reverse lookups.

For forward lookups (host name to IP address), a new resource record type has been
introduced, the AAAA record. This AAAA record can be incorporated in the regular forward
lookup zone.

A-14 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
V8.2

For reverse lookups (IP address to host name), two new domains have been introduced.
Initially, the proposal was to use the ip6.int domain, and some older implementations still
use it. Later, a new proposal was accepted to use the ip6.arpa domain (RFC 3596). This is
the current standard, which you must support; ip6.int was formally deprecated in 2005
(RFC 4159) and its public delegation has since been removed. If you still have clients or
tools that query ip6.int, it is reasonable to keep supporting it for a transition period.
Fortunately, if you configure things smartly, the amount of administration involved in
supporting both is minimal, since they can use the same zone file.

We will look at the contents of the files in the next visual.



DNS example files


# cat named.conf
...
zone "example.com" {                               // unchanged
    type master; file "named.example.com";
};
zone "0.0.10.in-addr.arpa" {                       // unchanged
    type master; file "named.10.0.0";
};
zone "0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa" {
    type master; file "named.3ffe:ffff::";
};
zone "0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.int" {
    type master; file "named.3ffe:ffff::";         // same file as the ip6.arpa zone
};
...

# cat named.example.com
...
sysX    IN A       10.0.0.100
sysX    IN AAAA    3ffe:ffff::1
...

# cat named.3ffe:ffff::
...
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN PTR    sysX.example.com.
...
ec vo


Figure A-9. DNS example files AN212.0

Notes:
The visual shows the three files in your DNS setup that need to be changed or added in
order to support IPv6.

For forward lookups, the change is minimal; you just need to add an AAAA record for a
host in your forward lookup zone. Note that the address in an AAAA record must be a
complete IPv6 address: 3ffe:ffff::1 is valid, whereas 3ffe:ffff:1 (without the double colon)
is not, and BIND will refuse to load a zone that contains it.

For reverse lookups, the change is more complex. Just as with IPv4, a trick is used to
incorporate an IP address in the DNS structure. Let's review how IPv4 did things. The
IPv4 address 9.19.98.1 becomes the FQDN 1.98.19.9.in-addr.arpa. 98.19.9.in-addr.arpa
becomes the zone identifier, and 1 is the node within that zone. This node then gets a PTR
record to the host name.

IPv6 does things the same way, except in the ip6.arpa zone. The major complication is that
IPv6 addresses are incredibly large, and we want to be more granular to support CIDR
better, so the address is split into hexadecimal nibbles (4 bits each) rather than bytes. So
the IPv6 address 3ffe:ffff::1 (which, when written in full, is
3ffe:ffff:0000:0000:0000:0000:0000:0001) becomes the FQDN
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa: all 32 nibbles,
written in reverse order. Again, the zone identifier is
0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa (the 16 nibbles of the /64 prefix 3ffe:ffff:0:0::/64)
and the host is 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 (the remaining 16 nibbles, the interface
identifier).

By referring both the 0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa zone and the
0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.int zone to the same zone file, we avoid a duplication of
effort. This works because the owner names in the file are relative (no trailing dot) and
therefore take their origin from whichever zone statement loaded the file; a file that
contains fully qualified owner names or an explicit $ORIGIN can serve only one of the two
zones.

The 3ffe::/16 prefix used in these examples belonged to the experimental 6bone network,
which was retired in 2006 (RFC 3701). Do not use it in production; use 2001:db8::/32
(RFC 3849) when you need an address range for documentation or testing.

Not listed in the visual, but important nevertheless, are the two files that link the host name
localhost to the IPv6 address ::1 (an AAAA record for localhost in the forward zone, and a
PTR record for 1 followed by 31 zero nibbles under ip6.arpa). These files are generally
already included in your distribution; otherwise it is a nice challenge to create them
yourself based on the information in this unit.
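The nibble reversal above is easy to get wrong by hand (one zero too many or too few gives a record that silently never matches). The following Python script is an added example, not part of the IBM course material: it computes the reverse name and splits it into zone and owner label for any prefix length on a nibble boundary, so the /64 from the visual, a /48 allocation and the localhost address ::1 all go through the same code, and it cross-checks the result against the Python standard library. The 2001:db8:: addresses are the RFC 3849 documentation range and the host names are made up.

```python
"""Generate the forward and reverse DNS records for an IPv6 host.

Added example; this is not code from the IBM course material.  It applies
the nibble-reversal rule from the notes to any prefix length that falls
on a 4-bit boundary.  2001:db8:: addresses are the RFC 3849 documentation
range; host names are invented.
"""
import ipaddress

NIBBLES = 32                      # 128 bits / 4 bits per hex digit


def nibble_labels(addr):
    """The 32 hex nibbles of addr, least significant nibble first.

    ipaddress does the parsing, so a malformed address such as the
    '3ffe:ffff:1' typo raises ValueError instead of yielding a record
    that quietly never matches.
    """
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return list(reversed(hexdigits))          # len(...) == NIBBLES


def reverse_name(addr, suffix="ip6.arpa"):
    """Full reverse-lookup FQDN for addr under ip6.arpa (or ip6.int)."""
    return ".".join(nibble_labels(addr)) + "." + suffix


def split_zone(addr, prefix_len, suffix="ip6.arpa"):
    """(reverse zone name, owner label relative to that zone) for addr.

    ip6.arpa delegates on nibble boundaries, so prefix_len must be a
    multiple of 4: a /48 is 12 labels, a /64 (as in the visual) is 16.
    """
    if prefix_len % 4 or not 0 < prefix_len < 128:
        raise ValueError("prefix length must be a multiple of 4 below 128")
    labels = nibble_labels(addr)
    host_labels = NIBBLES - prefix_len // 4   # nibbles that belong to the host
    zone = ".".join(labels[host_labels:]) + "." + suffix
    owner = ".".join(labels[:host_labels])
    return zone, owner


def zone_records(fqdn, addr, prefix_len):
    """AAAA line (owner relative to the forward zone) and PTR line (owner
    relative to the reverse zone) for one host.  The same PTR line serves
    the ip6.arpa and ip6.int zones, which is why named.conf can point both
    zone statements at one file."""
    ip = ipaddress.IPv6Address(addr)
    host = fqdn.rstrip(".").split(".")[0]
    zone, owner = split_zone(addr, prefix_len)
    return {
        "aaaa": f"{host}\tIN AAAA\t{ip.compressed}",
        "reverse_zone": zone,
        "ptr": f"{owner}\tIN PTR\t{fqdn.rstrip('.')}.",
    }


def check_against_stdlib(addr):
    """Cross-check: the standard library computes the ip6.arpa name too."""
    return reverse_name(addr) == ipaddress.IPv6Address(addr).reverse_pointer


if __name__ == "__main__":
    for name, addr, plen in (("sysX.example.com", "3ffe:ffff::1", 64),
                             ("www.example.net", "2001:db8:1234:5678::a", 48)):
        recs = zone_records(name, addr, plen)
        print(f"zone {recs['reverse_zone']}\n  {recs['aaaa']}\n  {recs['ptr']}")
    print("localhost reverse name:", reverse_name("::1"))
```

Run it and compare the first block of output with the named.3ffe:ffff:: file in the visual; feed it the real addresses of your hosts to produce the PTR lines for a /48 you received from your ISP (zone name with 12 labels, owner with 20).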

.
C
.F a
C rm
to fo
ec vo
oy si
u
cl
Ex
pr


IPv6 application support


• Test and debug programs with IPv6 support:

– ping (use the -o interface option for link-local addresses, which are valid on one
link only)
– netstat
– traceroute
– host (use the -t AAAA option to display IPv6 addresses)
– dig

• All AIX libraries are IPv6-ready.

• IPv6 support in applications depends on the developer.

– Check the manual page and other documentation.
– Verify it: check with netstat whether the daemon listens on an IPv6 socket, and
test a connection over IPv6.


Figure A-10. IPv6 application support AN212.0

Notes:
Now that our IPv6 infrastructure has been configured, we can start running our applications
on top of it.

The first set of applications we might want to discuss are troubleshooting applications like
ping, netstat, traceroute, host, and dig. All of these have been extended to include IPv6
support, although with some of them you need to add specific options.

Furthermore, all relevant AIX libraries have been updated to include IPv6 support
(getaddrinfo(), getnameinfo(), the AF_INET6 socket family, and so on).

The last set of applications to discuss is generic user applications and daemons. Support
for IPv6 in these applications varies wildly. Some support IPv6 fully, and in some cases the
developer has never heard of IPv6 at all. There is no generic way of finding out whether an
application supports IPv6; you need to read the manual page and other documentation for
that, and then verify it: check with netstat whether the daemon is listening on an IPv6
socket, and try to connect to it over IPv6. The reverse problem exists as well: a daemon
that listens on both address families is reachable over IPv6 even if your firewall rules only
mention IPv4 addresses, so every filter that restricts an IPv4 service needs an IPv6
counterpart. If the application you need does not support IPv6, you can get in touch with
the developer or write the code yourself. The usual cause is code that calls gethostbyname()
and hard-codes AF_INET and struct sockaddr_in; porting it means switching to
getaddrinfo(), which returns addresses of both families, and to the family-independent
struct sockaddr_storage.
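The check described above, as an added example that is not part of the IBM course material: a small echo daemon written the way the notes recommend (getaddrinfo() rather than gethostbyname(), no hard-coded AF_INET) plays the role of the application under test, and a probe connects to it over each address family and reports which ones actually answer. Port and addresses are loopback values chosen at run time; nothing leaves the machine.

```python
"""Verify that a service really answers over IPv6 (and IPv4).

Added example; not code from the IBM course material.  The echo daemon
stands in for the application under test and resolves its bind addresses
with getaddrinfo(), so it comes up on every address family the host
offers.  Port and addresses are local loopback values chosen at run time.
"""
import socket
import threading

FAMILY_NAME = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def _echo_loop(listener):
    """Accept connections forever and echo whatever each one sends."""
    while True:
        conn, _peer = listener.accept()
        with conn:
            conn.sendall(conn.recv(1024))


def free_port():
    """Ask the kernel for a port that is currently free on the IPv4 loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def serve_echo(addresses, port):
    """Start the echo daemon on every address in `addresses` this host can
    bind.  Returns the set of family names it listens on.  An address the
    host lacks (for example ::1 where IPv6 is disabled) is skipped, which
    is exactly the condition a dual-stack daemon has to tolerate."""
    families = set()
    for addr in addresses:
        try:
            family, socktype, proto, _, sockaddr = socket.getaddrinfo(
                addr, port, type=socket.SOCK_STREAM)[0]
            s = socket.socket(family, socktype, proto)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(sockaddr)
            s.listen(5)
        except OSError:
            continue
        threading.Thread(target=_echo_loop, args=(s,), daemon=True).start()
        families.add(FAMILY_NAME.get(family, str(family)))
    return families


def probe(host, port, timeout=2.0):
    """For each address family `host` resolves to, report whether a TCP
    connection to `port` succeeds and the service echoes a line back.

    This is the step after reading the manual page: the documentation may
    claim IPv6 support and netstat may show a tcp6 listener, but only a
    completed exchange proves the service works over IPv6."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return {}
    result = {}
    for family, socktype, proto, _, sockaddr in infos:
        name = FAMILY_NAME.get(family, str(family))
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                s.sendall(b"ipv6-check\n")
                result[name] = s.recv(1024) == b"ipv6-check\n"
        except OSError:
            result[name] = False
    return result


def reachability(port, targets=("127.0.0.1", "::1")):
    """Probe several literal addresses and merge the per-family verdicts."""
    verdict = {}
    for target in targets:
        verdict.update(probe(target, port))
    return verdict


if __name__ == "__main__":
    port = free_port()
    print("echo daemon listening on:", sorted(serve_echo(["127.0.0.1", "::1"], port)))
    print("reachable over:", reachability(port))
```

To test a real daemon instead of the built-in one, skip serve_echo() and call probe() with the host name and port of the service; a host name that has both A and AAAA records yields one verdict per family, which is the quickest way to spot a service that is reachable over IPv6 although only its IPv4 address was ever put behind a firewall rule.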


Checkpoint
1. How many addresses are available in IPv4?

2. How many in IPv6?

3. What is the difference between a link-local and a site-local address?

4. A system has a network adapter with MAC address 00:0C:76:92:BD:64. What will be its
link-local IPv6 address?

5. And what will be the reverse-lookup DNS name for that address?

6. How do you know if an application is ready for IPv6?



Figure A-11. Checkpoint AN212.0

Notes:
Write your answers down here:




Unit summary
Having completed this unit, you should be able to:

• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6


Figure A-12. Unit Summary AN212.0

Notes:

Appendix B. AIX and Windows interoperability

What this unit is about

Today, Microsoft Windows is the most popular desktop environment. This unit will explore
tools and methods to help you administer a Power Systems environment from a Windows
based PC workstation.

What you should be able to do

After completing this unit, you should be able to:

• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows

How you will check your progress

• Checkpoint questions
• Lab exercises


Unit objectives
After completing this unit, you should be able to:

• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows


Figure B-1. Unit objectives AN212.0

Notes:

Accessing a Power system


[Figure: a Power system running VIOS #1, VIOS #2 and LPAR #1, #2 and #3 on the POWER
Hypervisor; the partitions are attached to LAN A, LAN B and LAN C, and the HMC is attached
to the system over a private LAN]


Figure B-2. Accessing a Power system AN212.0

Notes:
The network configuration can be more complex than just a single LAN. You might have to
consider network components such as firewalls or other devices that make remote access
complex.

In the example shown in the visual, logical partitions #2 and #3 are connected to a
secured network. The RMC ports (TCP and UDP 657) must be opened on the firewall between
those partitions and the HMC, in both directions, for operations such as DLPAR to work.

The system administrator can ask the network administrator to open the ports corresponding
to the tools that will be installed for remote access, such as ports 5800, 5801, ... (HTTP
access) and 5900, 5901, ... (viewer access) for VNC software. Prefer opening only the SSH
port (22) and tunnelling such tools through it: VNC's own authentication and transport are
weak, and every additional open port is another service to patch and monitor.

Partition / HMC access over the network


• Power systems are usually installed in a data center machine room connected to the
network.

• Typically, most users work remotely and connect to:

– The Power Hypervisor interface (ASMI) and the HMC GUI using a Web browser via
HTTPS
– The HMC command line interface using SSH
– The AIX partition CLI using a protocol such as Telnet or SSH (prefer SSH; Telnet
sends passwords and the whole session in clear text)
– The AIX partition graphical interface using an X Window System based application

• Additionally, day-to-day activities might involve:

– Transferring files to the partitions using FTP, SCP, or SFTP
– Accessing AIX file system data on your workstation

Figure B-3. Partition / HMC access over the network AN212.0

Notes:
As an AIX administrator, you must be able to access the Power systems environment from
your local workstation over the network.

Your workstation is usually Windows or Linux based, so you can install additional tools to
be able to access the command line interface or the graphical interface, or to transfer
files, to perform day-to-day administration tasks.

For example, if you are using a Windows based workstation, you are not able to connect by
default to the HMC CLI: remote connection to the HMC CLI is only possible using SSH, which
is not included in the default Windows installation.

In addition, Windows does not include an X server, so to display X Window System
applications running on AIX you will need to install an X server package (often called an
X emulator) or a graphical desktop sharing system.

Many tools are available (freeware or licensed) depending on your needs, such as
usability, bandwidth consumption, and maintenance.


Remote connection to an AIX CLI


• The Windows command line (DOS prompt) includes Telnet

– Which in most cases is not practical

• Security implications (Telnet sends everything, including passwords, in clear text)
and usability (for example, copy and paste facilities)

– There is no default support for SSH

• The workaround is to use the terminal emulation tool PuTTY

• PuTTY:

– Is free open source software
– Is a small lightweight self-contained executable (does not require installation)
– Is a full-featured SSH client (SSH-2; the obsolete SSH-1 protocol should stay
disabled)
– Additionally provides Telnet, rlogin, serial, and raw connectivity options

Figure B-4. Remote connection to an AIX CLI AN212.0

Notes:
If your local workstation is Windows based, you should install an SSH based command line
tool. PuTTY is a terminal emulator application which acts as a client for the SSH, Telnet,
rlogin, and raw TCP protocols.

The main functions of PuTTY are:

• Control over the SSH cipher selection and protocol version (keep the default of SSH-2
only)
• Command line SCP and SFTP clients (pscp and psftp)
• Control over port forwarding with SSH (local, remote, or dynamic port forwarding),
including built-in handling of X11 forwarding
• SSH tunnelling
• Emulation of most xterm and VT102 control sequences
• IPv6 support
• Public key authentication support (keys are generated and managed with PuTTYgen and
Pageant)
• Support for local serial port connections

On the first connection to a host, PuTTY shows the host key fingerprint and asks whether to
cache it. Compare it with the fingerprint obtained out of band (for example from the system
console) before accepting; otherwise the warning PuTTY gives on later connections when the
key changes is meaningless.

You can configure options to control the key sequences. For example, you can configure the
backspace key as Control-H instead of typing the stty erase ^? command on AIX.


PuTTY Connection Manager


• Manages multiple PuTTY instances


Figure B-5. PuTTY Connection Manager AN212.0

Notes:
The visual shows an example of PuTTY Connection Manager. PuTTY Connection Manager is a
tabbed version of PuTTY. It is a free add-on which aims to provide a solution for managing
multiple PuTTY instances.

PuTTY Session Manager is a tool that allows system administrators to organize their
PuTTY sessions into folders and assign hot keys to their favorite sessions.

UNIX and Korn shell for Windows


• Several UNIX and shell emulation tools are available for the Windows operating system.

• These tools can be used to:

– Provide remote access
– Write shell scripts without having access to an AIX partition
– Provide a UNIX test environment on a Windows OS workstation

• The most common UNIX and shell emulation tools are:

– UWIN, a UNIX and Korn shell emulation from AT&T
– Cygwin, a UNIX-like environment and command line interface for Microsoft Windows


Figure B-6. UNIX and Korn shell for Windows AN212.0

Notes:
UWIN

The UWIN package allows UNIX applications to be built and run on Windows. UWIN contains
libraries that emulate a UNIX environment. The Korn shell runs in a console window just
like the MS-DOS command shell. Once ksh is running, all of the UNIX utilities can be
executed. In addition, ksh can execute native Windows applications. The UWIN console
provides an emulation of the VT100 terminal, so programs that use the curses library
should work fine. All the environment variables of Windows that have been initialized when
ksh is started can be accessed from ksh. Some variables, such as PATH, which are understood
by both Windows and UNIX utilities but which use different formats, are converted to UNIX
format when executing UNIX utilities and converted back when executing Windows utilities.

UWIN is available at http://www.research.att.com/sw/license/ast-open.html


CYGWIN

CYGWIN is a UNIX-like environment and command line interface for Microsoft Windows.
CYGWIN provides native integration of Windows-based applications, data, and other system
resources with applications, software tools, and data of the UNIX-like environment. Thus,
it is possible to launch Windows applications from the CYGWIN environment, as well as to
use CYGWIN tools and applications within the Windows operating context. CYGWIN consists of
an extensive collection of software tools and applications that provide a UNIX-like look
and feel.

CYGWIN is free software released under the GNU General Public License.

Many UNIX programs have been ported to CYGWIN, including the X Window System, KDE, GNOME,
Apache, and TeX. CYGWIN permits installing inetd, syslogd, sshd, Apache, and other daemons
as standard Windows services, allowing Microsoft Windows systems to emulate UNIX and Linux
servers. If you do install such daemons on your workstation, remember that it then becomes
a server reachable from the network and must be patched, firewalled and monitored like one.

A CYGWIN-specific version of the UNIX mount command allows Windows paths to be mounted as
file systems in the UNIX file space. File systems can be mounted as binary (by default) or
as text-based, which enables automatic conversion between LF and CRLF line endings.

Extensions to CYGWIN are available, such as a port of the X Window System called CYGWIN/X.

Examples of UNIX emulation tools


[Figure: screenshots of the UWIN console (top left) and a Cygwin terminal (bottom right),
both running on Windows]


Figure B-7. Examples of UNIX emulation tools AN212.0

Notes:
The top left side of the visual shows an example of the UWIN interface. UNIX commands can
be executed directly in the Windows x86 environment.

The screen shot at the bottom right of the visual is a Cygwin environment running on
Windows.

Microsoft Windows Services for UNIX


• Free software package produced by Microsoft

– Windows NT / XP: Microsoft Windows Services for UNIX (SFU)
– Windows Vista / 7: Subsystem for UNIX-based Applications (SUA)

• Provides a UNIX environment on Windows operating systems

• Contains:

– Over 350 UNIX utilities such as vi, ksh, csh, ls, cat, awk, grep, kill, and so forth
– GCC 3.3 compiler
– NFS server and client
– X11 tools and libraries
– Tools for making NFS mount points appear as Windows shares and vice versa
– Some Windows/UNIX authentication information synchronization tools

• SFU does not contain certain features and functions, such as bash, OpenSSH, sudo, and
emacs.


Figure B-8. Microsoft Windows Services for UNIX AN212.0

Notes:
Windows Services for UNIX 3.5 provides a full range of supported and fully integrated
cross-platform network services for enterprise customers to use in integrating Windows
into their existing UNIX-based environments.

Microsoft Windows Services for UNIX is not an emulation of a UNIX kernel, but rather an
implementation of a user-mode subsystem running directly on top of the Windows kernel.

Microsoft Windows Services for UNIX is dedicated to technical collaborative work. It
provides interoperability components that leverage existing UNIX network resources and
expertise within organizations. It also provides manageability components that enable
organizations to simplify network administration and account management across both
platforms.


Remote graphical access to an AIX partition


• Two choices:

– Install an X Window System server on your local Microsoft Windows workstation.
Examples:

• Cygwin/X
• Xming
• Hummingbird Exceed

– Use a graphical desktop application to remotely access the AIX partition and relay
the graphical screen back to the desktop:

• Virtual Network Computing (VNC)
• Citrix Presentation Server for UNIX


Figure B-9. Remote graphical access to an AIX partition AN212.0

Notes:
If you need graphical access to the AIX partition (for example, to access the GUI for the
AIX installation, run WebSM, or use a Web browser), there are two solutions: install X
server software, or a graphical desktop sharing tool such as VNC, on your local PC.

With a local X server, the X applications running on AIX must be told where to display
(the DISPLAY environment variable), and the X server must accept their connections. The
simplest and safest way to get both is SSH X11 forwarding (ssh -X, which PuTTY also
supports): the tunnel sets DISPLAY for you and no xhost command is needed. If you instead
connect directly, you must export DISPLAY manually on AIX and run the xhost command on the
workstation that runs the X server (not on AIX) to allow that AIX host; avoid xhost +,
which lets any host on the network connect to your display and read your keystrokes.


Example of remote graphical access using Cygwin/X

• Cygwin/X allows X applications to be displayed directly on the normal Windows desktop
(rootless mode) rather than into an enclosing root window.

1. Log in to the remote machine.
Example: ssh -X root@remotehost

2. Execute X commands: xcalc, xclock, ...

Applications will be displayed on the local X Window System server (in this case
Cygwin/X).

Note: ssh -X is functionally equivalent to:


Figure B-10. Example of remote graphical access using Cygwin/X AN212.0

Notes:
In the visual, Cygwin/X is running rootless on Microsoft Windows XP. The screen shows X
applications (xeyes, xclock, xterm) sharing the screen with native Windows applications
(Date and Time, Calculator).

Two cautions about the example command line. First, with OpenSSH the -X option forwards
X11 with the X SECURITY extension restrictions applied to the remote clients, whereas -Y
(trusted forwarding) does not; use -X unless an application fails under the restrictions,
because a trusted X client on a compromised AIX host can read every other window on your
desktop. Second, log in with your own unprivileged account and switch to root on the
partition rather than allowing root to log in over SSH directly.

For a complete list of Cygwin/X features, see: http://x.cygwin.com/features.html



Virtual Network Computing


• Virtual Network Computing (VNC) is a free graphical desktop sharing system which uses
the RFB protocol to remotely control another computer.

• It is popular on both UNIX and Windows systems.

[Figure: a VNC viewer on the workstation (for example UltraVNC, RealVNC or TightVNC)
exchanging VNC traffic with a VNC server on AIX; the traffic can also be tunnelled over an
SSH connection for improved security]


Figure B-11. Virtual Network Computing AN212.0

Notes:
Virtual Network Computing (VNC) is a graphical desktop sharing system which uses the
RFB (remote framebuffer) protocol to remotely connect to another host or server. It
transmits the keyboard and mouse events from one host to another, relaying the graphical
screen updates back in the other direction, over a network.

VNC is platform-independent. A VNC viewer on any operating system connects to a VNC
server running, in this case, on AIX. Multiple clients can connect to the VNC server at the
same time. Popular uses for this technology include remote technical support and
accessing files on one's work computer from one's home computer or vice versa.

Note what the protocol does not give you: classic VNC authentication is a challenge-response
on a password of at most 8 characters, and the RFB session itself (keystrokes, including
any passwords typed into the remote desktop, and screen contents) is not encrypted. On
anything but a trusted LAN, carry VNC inside an SSH tunnel, as shown later in this unit.

VNC was originally developed at the Olivetti Research Laboratory in Cambridge, United
Kingdom. The original VNC source code and many modern derivatives are open source under
the GNU General Public License.


VNC configuration
• In order to set up a VNC server on AIX, install vnc and zlib (compression library) from
the AIX Toolbox.

• Start a VNC session by typing:

– vncserver :<display number>

# vncserver :33

New 'X' desktop is neo:33

Starting applications specified in //.vnc/xstartup
Log file is //.vnc/neo:33.log

Note: The TCP/IP port opened is actually 5933. The "59" is implied and is not required
to connect.

– To access the AIX desktop VNC session from:

• UNIX, type: # vncviewer <hostname|IP address>:<display number>
• A PC VNC client (viewer)
• A Web browser over HTTP: http://neo:5833


Figure B-12. VNC configuration AN212.0

Notes:
To run VNC on AIX, install the following filesets from the AIX Toolbox CD. No further
configuration is required, apart from choosing the VNC password (vncserver prompts for one
the first time it runs and stores it in the .vnc directory of the user's home).

# lslpp -l | egrep -i "(vnc|zlib)"
  freeware.vnc.rte      3.3.3.2  COMMITTED  Virtual Network Computing
  freeware.zlib.rte     1.1.3.2  COMMITTED  Data compression library

When a VNC session is started, two TCP/IP ports are opened, 59<number> and 58<number>,
that is, 5900 and 5800 plus the display number. The 59 port must be used for the VNC
viewer application; the 59 prefix is generally not required (that is, it is implied and
hard coded into the viewer application, which accepts host:display). The 58 port serves
the Java viewer over HTTP; to connect in this way, the full port number (including 58)
must be supplied. Keep in mind that the Xvnc process is also a full X server and may in
addition listen on TCP port 6000 plus the display number for X clients. Check with netstat
which of these ports are listening on all interfaces, and unless the network between you
and the partition is trusted, reach them only through an SSH tunnel (see the next visual).


VNC over SSH


********************************
**  AIX Version 6.1 TL04 SP00  **
********************************
nimmaster:/ # aavnc list
389288   root   2440   Xvnc :3


Figure B-13. VNC over SSH AN212.0

Notes:
Tunnelling VNC over SSH not only improves security but also performance over slow
WANs, especially when used in conjunction with SSH compression. The recipe is the local
port forwarding covered in the PuTTY visual: forward a port on your workstation
(conventionally 5900 plus the display number) to port 59<display> on the AIX host's
loopback interface, then point the VNC viewer at localhost. The VNC password exchange and
the whole RFB session then travel inside the SSH connection, and the only port that has to
be reachable across the firewall is SSH. To make sure nobody bypasses the tunnel, start
Xvnc so that it listens on the loopback interface only (if your Xvnc version supports it)
or filter ports 58xx, 59xx and 60xx on the partition.
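Three things from the VNC configuration and VNC over SSH visuals made concrete, as an added example that is not part of the IBM course material: the display-number to port mapping, the local port-forwarding command (OpenSSH syntax; PuTTY and plink take the same -L argument), and a check over netstat output that tells whether an Xvnc session is reachable from the network or only through the tunnel. The netstat sample is constructed in AIX netstat -an format; host neo comes from the visual, user admin is made up.

```python
"""Helpers for the VNC-over-SSH setup described in this unit.

Added example; not code from the IBM course material.  The netstat
sample is constructed in AIX 'netstat -an' format; host 'neo' is the
one from the visual, user 'admin' is invented.
"""
import re

RFB_BASE, HTTP_BASE, X11_BASE = 5900, 5800, 6000   # viewer, Java/HTTP, X11


def vnc_ports(display):
    """TCP ports an Xvnc session on :display uses.  The X11 port applies
    when Xvnc, being an X server, also accepts X clients over TCP."""
    if not 0 <= display < 100:
        raise ValueError("display number must be between 0 and 99")
    return {"rfb": RFB_BASE + display,
            "http": HTTP_BASE + display,
            "x11": X11_BASE + display}


def ssh_tunnel_command(user, host, display, local_port=None):
    """argv for an SSH local forward that carries the RFB session.

    The remote side of the forward is 127.0.0.1 on the AIX host, so the
    VNC port never has to be reachable from outside; -C compresses (the
    WAN speed-up the notes mention) and -N opens no remote shell.  Point
    the viewer at localhost:<display> afterwards.
    """
    rfb = vnc_ports(display)["rfb"]
    local_port = local_port or rfb
    return ["ssh", "-C", "-N", "-L", f"{local_port}:127.0.0.1:{rfb}",
            f"{user}@{host}"]


# AIX 'netstat -an' line, e.g.  'tcp4  0  0  *.5933  *.*  LISTEN'.
# A loopback-only listener shows 127.0.0.1.5933 (or ::1.5933) instead of *.
_LISTEN = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+?)\.(\d+)\s+\S+\s+LISTEN$")

WILDCARDS = {"*", "0.0.0.0", "::"}


def exposed_vnc_listeners(netstat_output):
    """Sorted (display, kind, local address) tuples for VNC-related TCP
    listeners bound to a wildcard address, i.e. reachable without the SSH
    tunnel.  Loopback-bound sessions and unrelated ports are ignored."""
    exposed = []
    for line in netstat_output.splitlines():
        m = _LISTEN.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        for kind, base in (("rfb", RFB_BASE), ("http", HTTP_BASE), ("x11", X11_BASE)):
            if base <= port < base + 100 and addr in WILDCARDS:
                exposed.append((port - base, kind, addr))
    return sorted(exposed)


# Constructed sample: display :33 started with a plain 'vncserver :33',
# display :3 started so that it listens on the loopback interface only.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.5833                 *.*                    LISTEN
tcp4       0      0  *.5933                 *.*                    LISTEN
tcp4       0      0  *.6033                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.5903         *.*                    LISTEN
tcp4       0      0  10.0.0.100.22          10.0.0.7.51514         ESTABLISHED
"""

if __name__ == "__main__":
    print(" ".join(ssh_tunnel_command("admin", "neo", 33)))
    for display, kind, addr in exposed_vnc_listeners(SAMPLE_NETSTAT):
        print(f"display :{display} {kind} port bound to {addr}: reachable without the tunnel")
```

On a real partition, pipe the output of netstat -an into exposed_vnc_listeners(); an empty result means every VNC session is only reachable locally, so the SSH tunnel is the sole way in, which is the state the notes above recommend.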

Graphical tools for file transfer


• The ftp command is available from the MS-DOS CLI

• This is not convenient for the transfer of:

– A large number of files
– Files spread across multiple directories
– A mix of binary and text files

• Solution: a Windows based graphical FTP client.

• Examples include:

– FileZilla (also supports FTP over TLS, SFTP, and compression)
– WinSCP (SCP and SFTP only)

• Plain FTP sends the user name, password, and data in clear text; since SSH is already
needed for the HMC and the partitions, prefer SFTP or SCP.

Figure B-14. Graphical tools for file transfer AN212.0

Notes:
Graphical file transfer tools allow users to navigate folders, view and alter file directory
contents (on both the local and remote machines) using an explorer-style tree interface,
drag and drop files between machines, and enable secure communication (optional).

Many graphical FTP applications are available on the Internet for free, such as FileZilla,
WinSCP, LeechFTP, Total Commander, and so forth. The choice of tool comes down to
preference. FileZilla is a powerful FTP client for Windows. It is easy to use and includes
support for many features while still being fast and reliable. The main features of FileZilla
include the following:

• Ability to resume uploads/downloads (if the server supports it)
• Custom commands
• Site manager with folders
• Keep-alive system
• Timeout detection

• Firewall support
• SSL secured connections
• SFTP support
• Upload/download queue
• Drag and drop a file or directory from the source pane to the destination pane
• Multi-language support
• GSS authentication and encryption using Kerberos


Sharing AIX file systems with Windows (Samba)


• Server Message Block (SMB) is an application protocol used to provide shared access to
  files, printers, and miscellaneous communications between Windows clients and other
  TCP/IP hosts on a network.
• SMB servers make their file systems and other resources available to clients on the
  network.
• Samba is a free software implementation of the SMB protocol and runs on most UNIX
  systems.
• Samba sets up network shares for chosen AIX directories. They appear to Microsoft
  Windows users as normal network drives accessible via the file explorer.

Figure B-15. Sharing AIX file systems with Windows (Samba) AN212.0

Notes:

SMB servers make their file systems and other resources available to clients on the
network. Client computers might want access to the shared file systems and printers on the
server.

SMB works through a client-server mechanism. The main section of the SMB protocol
specifically deals with access to file systems so that clients can make requests to a file
server.

SMB is managed through a protocol suite which is currently known as the Common
Internet File System, or CIFS.

SMB also provides an authenticated inter-process communication mechanism.

The SMB protocol interacts with the Microsoft Windows platform. Samba is a free
implementation of a compatible SMB client and server for use with non-Microsoft operating
systems.


Samba installation and configuration


• Install the Samba filesets from the AIX expansion disk
• Configure the directories to share (/usr/lib/smb.conf)
• Start Samba daemons:
  – smbd provides file and printer sharing services, authentication, and authorization.
  – nmbd provides a NetBIOS-to-IP-address name resolution service.
  – Logs are stored in /var:
    • /var/log.smbd and /var/log.nmbd
• Samba also includes a Web administration tool called Samba Web Administration Tool
  (SWAT) which allows you to configure Samba remotely using a Web browser.

Figure B-16. Samba installation and configuration AN212.0

Notes:

Samba is software that can be run on platforms other than Microsoft Windows, for
example, AIX, Linux, IBM System 390, OpenVMS, and many others. Samba uses the
TCP/IP protocol that is installed on the host server. When correctly configured, it allows that
host to interact with a Microsoft Windows client or server as if it were a Windows file and
print server.

Samba is a software package that gives network administrators flexibility and freedom in
terms of setup, configuration, and choice of systems.

You can find information at http://www.samba.org. Currently, with AIX 6.1, you will find
Samba version 3.0.24.0 on the expansion disk or, alternatively, an older version 2.2.7.4 is
available on the Linux Toolbox CD.

Samba installation and configuration example:

Install the Samba server.
# installp -acXYd . samba*


Edit the configuration file.
# vi /usr/lib/smb.conf

Add a stanza for the share directory at the end of the smb.conf file.
[test]
path = /tmp/test
writable = yes
valid users = root, alex

Define the AIX users who can access the Samba share.
Existing users:
# smbpasswd -a root
New users:
# mkuser alex
# pdbedit -a alex

Start Samba daemons.
# smbd
# nmbd

Configuring SWAT
Add the following line to /etc/inetd.conf:
swat stream tcp nowait root /usr/sbin/swat swat

Add the following line to /etc/services:
swat 910/tcp

Refresh inetd as follows:
# refresh -s inetd

Connect using a browser to the following URL: http://samba_server.my.domain.:910
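The [test] stanza above restricts a writable share to named AIX users. Once several stanzas accumulate in smb.conf, an administrator wants a quick way to spot shares that are writable but carry no "valid users" list. The following script is an added example written for these notes; it is not part of the course or of the Samba project. It uses only POSIX sh and awk, so it runs on AIX as well as Linux, and it works on a constructed sample file (the path in SMB_CONF and the share names [scratch] and [docs] are assumptions for the example; point SMB_CONF at /usr/lib/smb.conf on a real server).

```shell
#!/bin/sh
# Added example (not course material): audit an smb.conf-style file and
# list the shares that are writable but carry no "valid users" restriction.
# Only POSIX sh and awk are used, so it runs unchanged on AIX or Linux.
# The file path and the extra share names below are constructed for this example.

SMB_CONF="${SMB_CONF:-${TMPDIR:-/tmp}/smb.conf.sample}"

# Write a constructed configuration modelled on the [test] stanza above.
write_sample_smb_conf() {
    cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP

[test]
   path = /tmp/test
   writable = yes
   valid users = root, alex

[scratch]
   path = /tmp/scratch
   writable = yes

[docs]
   path = /usr/share/doc
   read only = yes
EOF
}

# Print one line per share: "<name> <writable> <restricted>"
#   writable   = yes when "writable = yes" / "writeable = yes" / "read only = no"
#   restricted = yes when a "valid users" line is present
# The [global] section is not a share and is skipped.
summarize_shares() {
    awk '
        /^[[:space:]]*\[/ {
            if (name != "" && name != "global") print name, w, r
            name = $0
            sub(/^[[:space:]]*\[/, "", name)
            sub(/\].*$/, "", name)
            w = "no"; r = "no"
            next
        }
        {
            line = tolower($0)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            if (line ~ /^(writable|writeable)[[:space:]]*=[[:space:]]*yes/) w = "yes"
            if (line ~ /^read only[[:space:]]*=[[:space:]]*no/)            w = "yes"
            if (line ~ /^valid users[[:space:]]*=/)                         r = "yes"
        }
        END { if (name != "" && name != "global") print name, w, r }
    ' "$1"
}

# Names of the shares that any user Samba admits could write to.
unrestricted_writable_shares() {
    summarize_shares "$1" | awk '$2 == "yes" && $3 == "no" { print $1 }'
}

write_sample_smb_conf
echo "Writable shares without a valid users list:"
unrestricted_writable_shares "$SMB_CONF"
```

Run against the sample, the script reports only scratch: test is writable but restricted to root and alex, and docs is read-only. The check looks at the share stanza alone; "valid users" set in [global] or restrictions applied through file permissions on the exported directory are outside what it sees.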



Sharing AIX file systems with Windows (SSHFS)


• SSH file system (SSHFS) is a client extension to SSH which enables UNIX file systems to
  be mounted and mapped locally.
• It is an alternative to NFS/SMB protocols and SCP/SFTP based clients.
• SSHFS is popular on Linux and Mac based systems.
  – Based on Filesystem in Userspace (FUSE)
  – Free Windows client is available from Dokan (http://dokan-dev.net)


Figure B-17. Sharing AIX file systems with Windows (SSHFS) AN212.0

Notes:

The main advantage of SSHFS is that a UNIX file system can be mounted securely without
the requirement to load additional software or open additional ports in the firewall. Most
UNIX servers today have SSH enabled; therefore, SSHFS can be used without work being
performed on the server. It is worth noting, however, that SSHFS does not perform as well
as alternatives, such as Samba, but works very well on networks with adequate throughput
and low latency.

As of today, there are popular SSHFS clients for Linux, Mac OS, and Windows, but FUSE
and SSHFS have not yet been ported to AIX. FUSE is the underlying technology to SSHFS
and makes it possible to implement a fully functional filesystem in a user space program.

There are two popular SSHFS clients for Windows, Dokan (freeware) available from
http://dokan-dev.net and ExpanDrive (licensed) available from
http://www.expandrive.com/windows.


Graphical traceroute

• Graphical network diagnostic tools can be used to:
  – Monitor latency, bottlenecks, and lost packets and list other enhanced statistics
  – Gather long term historical monitoring data
• Many graphical tools to monitor network performance are available. PingPlotter is a good
  example (free version also available).


Figure B-18. Graphical traceroute AN212.0

Notes:

You might encounter a network performance problem when connecting to the remote host.
You can use the DOS commands such as ping, route print, tracert, or PathPing to collect
network metrics and route information.

Many free tools are available to monitor and investigate network problems. PingPlotter is
given as an example of one such free tool.

PingPlotter is an enhanced graphical traceroute program that can test your connection
repeatedly, helping you analyze network problems. The visual shows a traceroute between
a Windows client connected to a standard fibre optic DSL connection and an AIX web
server 50 miles (80 km) away.

Other software is also available, such as LoriotPro, PRTG Network Monitor, and so forth.


Graphical packet capture


• AIX natively includes iptrace and tcpdump commands.
  – Disadvantage: Not very user friendly (command line interface only).
• Wireshark is a good example of a live graphical packet capture tool available for
  Windows, Mac OS, UNIX.
• Wireshark can import and display packet captures from AIX iptrace and tcpdump output.

(Screen capture: FTP packet capture between 2 AIX hosts)


Figure B-19. Graphical packet capture AN212.0

Notes:

Wireshark is a popular open source tool which is used to capture and analyze network
traffic. Wireshark interactively examines packet data from a live network and can read
previously captured packet data stored in various formats. There is no compiled version
available for AIX. However, Wireshark can import and display the results from both AIX
iptrace and tcpdump outputs.

The data shown in the Wireshark screen above is the result of an ftp between two AIX
nodes. The output was transferred to Wireshark running on Windows.

The three panes that make up the main window are:
• The packet list pane displays a summary of each packet captured. By clicking on
  packets in this pane, you control what is displayed in the other two panes.
• The packet details pane displays the packet selected in the packet list pane in more
  detail.
• The packet bytes pane displays the data from the packet selected in the packet list
  pane, and highlights the field selected in the packet details pane.


Checkpoint

1. What is the most convenient tool to access the AIX command line interface from your
   local Windows OS based workstation?
2. List two UNIX emulation tools that can be installed on a Windows OS based workstation.
3. Which popular desktop sharing tool can you use to access the AIX GUI from a Windows
   OS based workstation?
4. Which software could you install to share the AIX files and access them from a Windows
   OS file explorer on your PC?

Figure B-20. Checkpoint AN212.0

Notes:

Write your answers here:



Exercise introduction

• In this lab exercise, you will:
  – Install Samba software on your AIX partition
  – Configure Samba to share an AIX directory to your Windows OS workstation


Figure B-21. Exercise introduction AN212.0

Notes:

Unit summary

Having completed this unit, you should be able to:
• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows


Figure B-22. Unit summary AN212.0

Notes:

Appendix C. Checkpoint solutions

Unit 1, "Network concepts"

Solutions for Figure 1-25, "Checkpoint," on page 1-32

Checkpoint solutions

1. Which layers are defined in the TCP/IP Internet Protocol suite?
   The answers are application, transport, IP, data link, and physical.

2. Which layer is required for frame transmission?
   The answer is data link layer.

3. What is the role of the transport layer?
   The answer is to encapsulate application data into suitable units for transfer to the
   destination host.

4. Which protocol of the link layer translates IP addresses to MAC addresses?
   The answer is ARP.

5. What is the purpose of VLSM?
   The answer is to divide a network allocation into subnets of unequal sizes.

Unit 2, "Configuring TCP/IP"

Solutions for Figure 2-17, "Checkpoint (1 of 2)," on page 2-25

Checkpoint solutions (1 of 2)


1. True or False: An IP address is assigned to the physical adapter.
   The answer is false.

2. Which two commands will display the MAC address of an Ethernet adapter?
   The answer is:
   # netstat -i
   # lscfg -v -l <adapter>

3. What is the difference between ent0, en0, and et0?
   The answers are:
   ent0 is the physical H/W adapter (layer 1 + 2 device).
   en0 represents an interface associated with ent0. The notation en0 is used for standard
   (DIX) Ethernet. Most TCP/IP today uses DIX framing.
   et0 also represents an interface associated with adapter ent0. The notation et0 is used
   for the official standard of Ethernet, IEEE 802.3.

Solutions for Figure 2-18, "Checkpoint (2 of 2)," on page 2-26

Checkpoint solutions (2 of 2)

4. How would you list established TCP socket connections?
   The answer is # netstat -a | grep -i est.

5. True or False: Smitty tcpip should be used to configure all interfaces on the system.
   The answer is false.

C rm
to fo
ec vo

© Copyright IBM Corporation 2010, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp
oy si
u
cl
Ex
pr

© Copyright IBM Corp. 2010, 2013 Appendix C. Checkpoint solutions C-3


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

Unit 3, "inetd remote command services"

Solutions for Figure 3-12, "Checkpoint," on page 3-20

Checkpoint solutions


1. Name three commands that can be used for remote login.
   The answers are rsh, rlogin, and telnet.

2. Name two commands that can be used to transfer files.
   The answers are rcp and ftp.

3. Name two commands that can be used for remote execution.
   The answers are rexec and rsh.

4. Name three mechanisms you can deploy to harden system security.
   The answers are SSH, securetcpip, and aixpert.



Unit 4, "OpenSSH"

Solutions for Figure 4-25, "Checkpoint (1 of 2)," on page 4-28

Checkpoint solutions (1 of 2)


1. Why are the traditional remote login, remote file transfer, and remote execution programs
   not safe?
   The answer is they send passwords over the network as plain text and can be configured
   to authenticate based on IP address, host name, or user name, which makes them
   vulnerable to IP spoofing or DNS hacks.

2. How does the SSH protocol counter these weaknesses?
   The answer is it authenticates the host and, if necessary, the user based on public-key
   authentication. Furthermore, all communication, including the user's password if required,
   is sent across an encrypted connection.

3. How is the SSH daemon managed?
   The answer is through the System Resource Controller (SRC).

Solutions for Figure 4-26, "Checkpoint (2 of 2)," on page 4-29

Checkpoint solutions (2 of 2)

4. True or False: The SSH daemon can be configured to start on multiple ports.
   The answer is true.

5. What is the purpose of a passphrase?
   The answer is to protect the user's private key.

6. How can TCP port forwarding be disabled on an SSH server?
   The answer is by setting AllowTcpForwarding no in the server configuration file
   /etc/ssh/sshd_config.
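Questions 4 and 6 both come down to reading sshd_config correctly: several Port lines are all honoured, while for a keyword such as AllowTcpForwarding sshd uses the first value it meets, so a "no" added below an earlier "yes" changes nothing. The script below is an added example for these notes, not course material and not part of OpenSSH. It reads a constructed sample (the file paths, the second port 2222 and the PermitRootLogin line are assumptions for the example) and reports the listening ports and the effective forwarding setting; Match blocks, which can override the global value, are not considered.

```shell
#!/bin/sh
# Added example (not course material): read the settings behind checkpoint
# questions 4 and 6 from an sshd_config file. sshd takes the FIRST value it
# finds for a keyword, so a "no" placed after an earlier "yes" would not win.
# Match blocks are not handled. The sample files are constructed; set
# SSHD_CONF=/etc/ssh/sshd_config to check a real host.

SSHD_CONF="${SSHD_CONF:-${TMPDIR:-/tmp}/sshd_config.sample}"
SSHD_CONF_DEFAULT="${TMPDIR:-/tmp}/sshd_config.default.sample"

# Constructed configuration: two listening ports, forwarding disabled.
write_sample_sshd_config() {
    cat > "$SSHD_CONF" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
Port 2222
PermitRootLogin no
#AllowTcpForwarding yes
AllowTcpForwarding no
EOF
}

# Constructed configuration that says nothing about forwarding at all.
write_default_sshd_config() {
    cat > "$SSHD_CONF_DEFAULT" <<'EOF'
Port 22
EOF
}

# Strip comment and blank lines; keyword matching below is case-insensitive.
active_directives() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print }' "$1"
}

# Effective AllowTcpForwarding value: first occurrence wins, and the
# OpenSSH default when the keyword is absent is "yes".
effective_tcp_forwarding() {
    active_directives "$1" | awk '
        tolower($1) == "allowtcpforwarding" && !found { print tolower($2); found = 1 }
        END { if (!found) print "yes" }'
}

# Every Port directive: several are allowed, and sshd listens on all of them.
listen_ports() {
    active_directives "$1" | awk 'tolower($1) == "port" { print $2 }'
}

write_sample_sshd_config
write_default_sshd_config
echo "ports: $(listen_ports "$SSHD_CONF" | tr '\n' ' ')"
echo "AllowTcpForwarding: $(effective_tcp_forwarding "$SSHD_CONF")"
echo "AllowTcpForwarding (directive absent): $(effective_tcp_forwarding "$SSHD_CONF_DEFAULT")"
```

The second sample shows why an audit must treat a missing directive as "yes" rather than as "not configured": forwarding is on unless the file says otherwise. After changing the file, the setting takes effect only once sshd re-reads it, which on AIX is done through the SRC as question 3 describes.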

Unit 5, "VLAN theory"

Solutions for Figure 5-9, "Checkpoint," on page 5-14

Checkpoint solutions


1. List some advantages of using VLANs.
   The answers are performance, security, ease of management and flexibility, cost (using a
   network switched with VLANs is cheaper than creating a routed network).

2. True or False: IEEE 802.1Q trunk adapters can be created within the Power Hypervisor for
   use by AIX.
   The answer is true.

3. True or False: A virtual adapter can be created without belonging to a VLAN.
   The answer is false.

4. True or False: A control channel can belong to VLAN 1.
   The answer is false.

5. True or False: A virtual adapter on AIX can belong to multiple VLANs.
   The answer is true.

Unit 6, "Routing"

Solutions for Figure 6-16, "Checkpoint," on page 6-22

Checkpoint solutions


1. When a network interface is configured, a route is created in the route table. What is the
   term associated with the creation of this route?
   a. Dynamic
   b. Implicit
   c. Static (or explicit)
   The answer is implicit.

2. True or False: The route -f (or route flush) command deletes all routes.
   The answer is false.

Unit 7, "Network availability"

Solutions for Figure 7-33, "Checkpoint (1 of 2)," on page 7-47

Checkpoint solutions (1 of 2)


1. Given the following output, which path will be taken to the 18/8 network?
   # netstat -C | grep 18/8
   18/8    1.1.1.1     UG    10    WRR    en5    0    0
   18/8    1.1.1.254   UG    20    --     en5    1    1
   The answer is the route with 1.1.1.1 as the gateway.

2. What will happen as a result of entering the following command?
   # /usr/lib/methods/ethchan_config -d ent10 ent8
   The answer is adapter ent8 will be removed from the EtherChannel ent10.

3. True or False: EtherChannels can be configured without any switch configuration.
   The answer is false.

Solutions for Figure 7-34, "Checkpoint (2 of 2)," on page 7-48

Checkpoint solutions (2 of 2)

4. Can active channels in an LA or EtherChannel configuration be connected to different
   switch backplanes?
   The answer is typically no, unless vendor specific technology is deployed.

5. True or False: Combining GFF, LA, and PowerHA results in achieving the highest levels of
   network availability.
   The answer is true.
to fo

Unit 8, "DNS and BIND"

Solutions for Figure 8-52, "Checkpoint (1 of 2)," on page 8-61

Checkpoint solutions (1 of 2)


1. True or False: On the client, the /etc/resolv.conf contains the default domain name for the
   system and the name servers it uses for name resolution.
   The answer is true.

2. True or False: The named daemon can be started automatically with a command line entry
   in the inetd.conf file.
   The answer is false.

3. True or False: The named daemon must be running on every machine participating in the
   domain environment.
   The answer is false.

Solutions for Figure 8-53, "Checkpoint (2 of 2) solutions," on page 8-62

Checkpoint solutions (2 of 2)

4. Name three DNS client resolvers.
   The answers are host, nslookup, and dig.

5. What is the purpose of the netcd daemon?
   The answer is to cache name lookup responses in order to improve performance by
   reducing latency.
to fo

Unit 9, "DHCP"

Solutions for Figure 9-18, "Checkpoint (1 of 2)," on page 9-24

Checkpoint solutions (1 of 2)


1. True or False: In AIX, all hosts should get their IP addresses through DHCP.
   The answer is false.

2. A DHCP relay forwards DHCP requests to another network.
   The answer is DHCP relay.

3. Which file contains a list of all the DHCP network options?
   The answer is the /etc/options.file.



Solutions for Figure 9-19, "Checkpoint (2 of 2)," on page 9-25

Checkpoint solutions (2 of 2)

4. True or False: A DHCP server can only allocate dynamic addresses to a client.
   The answer is false.

5. Put the following DHCP messages in the correct order:
   The correct order of the messages is:
   • Client: DHCPDISCOVER
   • Server: DHCPOFFER
   • Client: DHCPREQUEST
   • Server: DHCPACK
   • Client: DHCPRELEASE

Unit 10, "Network File System"

Solutions for Figure 10-29, "Checkpoint (1 of 2)," on page 10-46

Checkpoint solutions (1 of 2)


1. What server daemon handles client requests for file system operations?
   The answer is nfsd.

2. What file needs to be created and which command needs to be executed on an NFS server
   in order to make files, directories, and file systems available for mounting from clients?
   The answer is /etc/exports and exportfs.

3. What file contains the startup script for NFS?
   The answer is /etc/rc.nfs.

4. True or False: AutoFS is a server-side service that allows for automatic and transparent
   mounting and unmounting of NFS file systems.
   The answer is false. It is a client-side service.

Solutions for Figure 10-30, "Checkpoint (2 of 2)," on page 10-47

Checkpoint solutions (2 of 2)

5. List three design goals of NFSv4.
   The answers are improved performance, increased security, and cross-platform
   interoperability.

6. Why is this configuration incorrect?
   The answer is you cannot mix traditional exports with alias extensions.
   nfs_server:/ # cat /etc/exports
   /local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
   /local/fsB -vers=4,sec=sys,rw
   /local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
   nfs_server:/ # exportfs -a
   exportfs: /local/fsB: There are too many levels of symbolic links to translate a path name.

7. True or False: The NFS domain name must equal the DNS domain name.
   The answer is false.
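The exportfs error in question 6 is easy to run into when a new share is appended to a file whose other entries already use exname= aliases. The script below is an added example for these notes, not course material and not part of AIX; it applies the rule the answer states (do not mix the two styles in one /etc/exports) to a constructed copy of the failing file and to a constructed corrected version in which every entry carries an alias. The file paths and the /exports/fsB alias are assumptions for the example; the entries themselves are taken from the listing above.

```shell
#!/bin/sh
# Added example (not course material): find the mix of classic exports and
# exname= aliases that makes exportfs fail in checkpoint question 6 above.
# The sample files are constructed from that listing; the rule applied is
# the one the answer states: do not mix the two styles in one /etc/exports.

EXPORTS_BAD="${TMPDIR:-/tmp}/exports.mixed.sample"
EXPORTS_OK="${TMPDIR:-/tmp}/exports.alias.sample"

write_sample_exports() {
    cat > "$EXPORTS_BAD" <<'EOF'
# constructed copy of the failing configuration
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
EOF
    cat > "$EXPORTS_OK" <<'EOF'
# constructed corrected configuration: every entry carries an exname alias
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw,exname=/exports/fsB
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
EOF
}

# Print "<path> alias" or "<path> classic" for every non-comment entry.
classify_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            kind = "classic"
            for (i = 2; i <= NF; i++)
                if ($i ~ /(^|,)exname=/) kind = "alias"
            print $1, kind
        }' "$1"
}

# Return 0 (printing nothing) when all entries use the same style.
# Otherwise print the classic entries that break the alias namespace and
# return 1, so the check can gate a script before it runs "exportfs -a".
check_export_mix() {
    classes=$(classify_exports "$1")
    n_alias=$(printf '%s\n' "$classes" | awk '$2 == "alias" { n++ } END { print n + 0 }')
    n_classic=$(printf '%s\n' "$classes" | awk '$2 == "classic" { n++ } END { print n + 0 }')
    if [ "$n_alias" -gt 0 ] && [ "$n_classic" -gt 0 ]; then
        printf '%s\n' "$classes" | awk '$2 == "classic" { print $1 }'
        return 1
    fi
    return 0
}

write_sample_exports
check_export_mix "$EXPORTS_BAD" || echo "mixed styles: fix the entries above before exportfs -a"
check_export_mix "$EXPORTS_OK" && echo "alias-only file: consistent"
```

On the failing sample the check names /local/fsB, the same entry exportfs complains about; on the corrected file it prints nothing and returns 0. Because the exit status carries the result, the function can be dropped into the NFS startup path before exportfs -a rather than read by eye.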



Unit 11, "Problem determination"

Solutions for Figure 11-20, "Checkpoint (1 of 2)," on page 11-38

Checkpoint solutions (1 of 2)


1. A system cannot communicate with the rest of the network. Using the example below,
   what is the problem?
   The answer is the interface en0 is down.
   # ifconfig en0
   en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
           inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
            tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1

2. What is the difference between throughput and latency?
   The answer is latency is measured from the time a packet leaves the client to the time the
   acknowledgment arrives back from the serving entity. The unit of latency is time.
   Throughput, on the other hand, is the amount of data that is transferred over a period of
   time.
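The clue in question 1 is what is missing from the flags list: there is no UP among them. The script below is an added example for these notes, not course material; it pulls the flag names out of ifconfig output and reports every interface that lacks UP, which is the first thing to check before looking at cabling, adapters or routes. The input is a constructed sample: en0 is copied from the listing in question 1, en1 is a made-up interface with the UP flag (its hex flags value and 192.0.2.10 address are illustrative only, and the script reads the flag names, not the hex).

```shell
#!/bin/sh
# Added example (not course material): decide from ifconfig output whether
# an interface is administratively up, which is the check behind checkpoint
# question 1 above. The sample is constructed: en0 is copied from the
# listing in the question, en1 is a made-up interface with the UP flag set
# (its hex flags value is illustrative only; the flag names are what count).

IFCONFIG_SAMPLE='en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
en1: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1'

# Print "<iface> up|down" for every interface header line. A header starts
# in column 1 with the interface name and a colon; the flag names sit
# between "<" and ">" and are comma separated.
interface_states() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z][A-Za-z0-9]*: flags=/ {
            name = $1; sub(/:$/, "", name)
            flags = $0; sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            n = split(flags, f, ",")
            state = "down"
            for (i = 1; i <= n; i++) if (f[i] == "UP") state = "up"
            print name, state
        }'
}

# Only the interfaces with no UP flag: the ones to bring up (ifconfig <if> up)
# or to investigate further before anything above layer 2 is looked at.
down_interfaces() {
    interface_states "$1" | awk '$2 == "down" { print $1 }'
}

# On a live AIX system feed the script with: interface_states "$(ifconfig -a)"
echo "Interfaces that are down:"
down_interfaces "$IFCONFIG_SAMPLE"
```

The split on commas keeps CHECKSUM_OFFLOAD(ACTIVE) as a single token, and the continuation lines (inet, tcp_sendspace) are ignored because they do not start in column 1, so the same function works on the multi-interface output of ifconfig -a.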

Solutions for Figure 11-21, "Checkpoint (2 of 2)," on page 11-39

Checkpoint solutions (2 of 2)

3. A client daemon (clinfoES) contacts a server every 30 seconds to obtain the status of an
   HA cluster. What command can you use to analyze the client server interaction?
   The answer is iptrace or tcpdump.
4. Which command can you use to check the physical link status of an Ethernet adapter?
   The answer is entstat.

5. How can you easily check bandwidth performance on a network?
   The answer is using ftp and dd commands.
Unit 12, "Time services"

Solutions for Figure 12-13, "Checkpoint," on page 12-19

Checkpoint solutions

IBM Power Systems

1. What is the name of the subsystem that provides NTP time
services on AIX and what configuration file does it use?
The answers are xntpd and /etc/ntp.conf.

2. True or False: When configuring NTP services, the server
directive can specify a serial port attached clock source or a
server in a lower stratum.
The answer is true.

3. How does the setclock command know what server to
query?
The answer is the setclock command uses the IP address
obtained by resolving the timeserver host name.

Appendix A, "IPv6"

Solutions for Figure A-11, "Checkpoint," on page A-19

Checkpoint solutions

IBM Power Systems

1. How many addresses are available in IPv4?
The answer is 2^32 (a little over 4 billion).

2. How many in IPv6?
The answer is 2^128 (a little over 340 undecillion).

3. What is the difference between a link-local and a site-local address?
The answer is a link-local address is only used within a physical network and
cannot be routed. A site-local address is used across multiple networks within
a site, but is not routable on the Internet.

4. A system has a network adapter with MAC address 00:0C:76:92:BD:64. What
will be its link-local IPv6 address?
The answer is fe80::20c:76ff:f392:bd64/64.

5. And what will be the reverse-lookup DNS name for that address?
The answer is
4.6.d.b.2.9.3.f.f.f.6.7.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.

6. How do you know if an application is ready for IPv6?
The answer is read the documentation or just try it out.
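The EUI-64 construction behind questions 4 and 5, as an added Python example that is not part of the course material (function names are my own): it forms the link-local address from a MAC by inserting the fixed bytes ff:fe between the OUI and the device half and flipping the universal/local bit, writes the ip6.arpa name from the 32 reversed nibbles, and goes beyond the question by recovering the MAC from any EUI-64 interface identifier, returning None for addresses (privacy or manually assigned ones) that carry no ff:fe marker.

```python
"""Modified EUI-64 interface identifiers and ip6.arpa reverse names.

Added example for the IPv6 checkpoint; not part of the course material.
Follows RFC 4291 (EUI-64) and RFC 3596 (ip6.arpa); function names are my own.
"""
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def parse_mac(mac: str) -> bytes:
    """Accept 00:0C:76:92:BD:64, 00-0c-76-92-bd-64 or 000c.7692.bd64; return 6 raw bytes."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_link_local(mac: str) -> str:
    """Derive the fe80::/64 address an RFC 4291 host forms from a 48-bit MAC.

    Steps: split the MAC into its OUI (first three octets) and device half,
    insert the fixed bytes ff:fe between them, flip the universal/local bit
    (0x02) of the first octet, and use the result as the low 64 bits of fe80::/64.
    """
    octets = parse_mac(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit: 00 -> 02 for a vendor-assigned MAC
    addr = ipaddress.IPv6Address(LINK_LOCAL_PREFIX.network_address.packed[:8] + bytes(iid))
    return f"{addr.compressed}/64"  # -> fe80::20c:76ff:fe92:bd64/64 for the checkpoint MAC


def reverse_name(addr: str) -> str:
    """Build the ip6.arpa name: all 32 nibbles of the expanded address, least significant first."""
    nibbles = ipaddress.IPv6Address(addr.split("/")[0]).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def iid_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from any address whose interface identifier is a modified EUI-64.

    Returns None when the identifier lacks the ff:fe marker, which is what you see
    for RFC 4941 privacy addresses or manually assigned ones; those cannot be tied
    back to a hardware address.
    """
    ip = ipaddress.IPv6Address(addr.split("/")[0])
    iid = bytearray(ip.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local flip
    return ":".join(f"{b:02X}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:0C:76:92:BD:64"  # the MAC from checkpoint question 4
    link_local = mac_to_link_local(mac)
    print(link_local)
    print(reverse_name(link_local))
    print(iid_to_mac(link_local))  # -> 00:0C:76:92:BD:64
    print(iid_to_mac("fe80::1"))   # -> None, no ff:fe marker
```

Because the ff:fe pair is fixed by the standard, the third group of an EUI-64 interface identifier always ends in ff and the fourth always begins with fe, which is a quick sanity check on any hand-derived address.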
Appendix B, "AIX and Windows interoperability"

Solutions for Figure B-20, "Checkpoint," on page B-24

Checkpoint solutions

IBM Power Systems

1. What is the most convenient tool to access the AIX command line interface
from your local Windows OS based workstation?
The answer is the PuTTY tool makes it easy to log in via Telnet or SSH
and access LPARs and the HMC CLI.

2. List two UNIX emulation tools that can be installed on a Windows OS based
workstation.
The answer is UWIN and Cygwin are popular UNIX emulation tools to run on
your Windows OS based PC.

3. Which popular desktop sharing tool can you use to access the AIX GUI from
a Windows OS based workstation?
The answer is VNC is a widespread tool to share a graphical user interface
remotely.

4. Which software could you install to share the AIX files and access them from
a Windows OS file explorer on your PC?
The answer is Samba allows you to share AIX files as a Windows network
drive.

Glossary

A

Acknowledgement A response sent by a receiver to indicate successful reception of information. Acknowledgements may be implemented at any level including the physical level (using voltage on one or more wires to coordinate transfer), at the link level (to indicate successful transmission across a single hardware link), or at higher levels (for example, to allow an application program at the final destination to respond to an application program at the source).

Address Mask A bit mask used to select bits from an Internet address for subnet addressing. The mask is 32 bits long and selects the network portion of the Internet address and one or more bits of the local portion.

Address Resolution Conversion of an Internet address into a corresponding physical address. Depending on the underlying network, resolution may require broadcasting on a local network. See ARP.

ANSI (American National Standards Institute) A group that defines U.S. standards for the information processing industry. ANSI participates in defining network protocol standards.

Archie A server that builds an index of file and directory names that are located on public anonymous FTP servers on the Internet.

ARP (Address Resolution Protocol) The Internet protocol used to dynamically bind a high level Internet Address to a low level physical hardware address. ARP is only across a single physical network and is limited to networks that support hardware broadcast.

ARPA (Advanced Projects Research Agency) Former name of DARPA, the government agency that funded the ARPANET and, later, the DARPA Internet. The group within ARPA with responsibility for the ARPANET was IPTO (Information Processing Techniques Office), later ISTO (Information Systems Technology Office). Located at 1400 Wilson Blvd, Arlington, VA.

ARPANET A pioneering long haul network funded by ARPA (later DARPA) and built by BBN. It served from 1969 through 1990 as the basis for early networking research as well as a central backbone during development of the Internet. The ARPANET consisted of individual packet switch nodes interconnected by leased lines. Also see PSN, Internet.

Authority Zone A part of the domain name hierarchy for which a single name server is the authority.

Autonomous System Internet terminology for a collection of gateways (routers), that fall under one administrative entity and cooperate using a common Interior Gateway Protocol (IGP).

B

Baseband Characteristic of any network technology like Ethernet that uses a single carrier frequency and requires all stations attached to the network to participate in every transmission. See broadband.

Baud Literally, the number of times per second the signal can change on a transmission line. Commonly, the transmission line uses only two signal states (for example, two voltages), making the baud rate equal to the number of bits per second that can be transferred. The underlying transmission technique may use some of the bandwidth, so it may not be the case that users experience data transfers at the line's specified bit rate. For example, because asynchronous lines require 10 bit-times to send an 8-bit character, a 9600 bps asynchronous transmission line can only send 960 characters per second.

BBN (Bolt, Beranek, and Newman, Incorporated) The Cambridge, MA company responsible for development, operation, and monitoring of the ARPANET and, later, Internet core gateway system. CSNET Coordination and Information Center (CIC), and NSFnet Network Service Center (NNSC). BBN works on DARPA research contracts and has contributed much to the Internet.

Best-effort Delivery Characteristic of network technologies that do not provide reliability at link levels. Best-effort delivery systems work well with the Internet because the Internet protocols assume that the underlying network provides unreliable connectionless delivery. The combination of Internet protocols IP and UDP provides best-effort delivery service to application programs.

Big endian A format for storage or transmission of binary data in which the most-significant byte (bit) comes first. The TCP/IP standard network byte order is big endian. Also see little endian.

BISYNC (Binary SYNchronous Communication) An early, low level protocol developed by IBM and used to transmit data across a synchronous communication link. Unlike most modern link level protocols, BISYNC is byte-oriented, meaning that it uses special characters to mark the beginning and end of frames. BISYNC is often called BSC, especially in commercial products.

BITNET (Because It's Time NETwork) A low-cost, low-speed network started at City University of New York, that eventually connected to over 200 universities before it was merged with CSNET to produce CREN. BITNET attached to EARN in Europe. The technology consists of (mostly IBM) mainframe computers interconnected by 9600 bps leased lines. The fundamental paradigm is remote job entry: one machine sends a set of card images which the receiver treats as a remote job to be executed. When the job runs, it produces a new set of card images and sends them on to the next site, where they are treated as a remote job. BITNET
provides services like electronic mail by building a remote job that invokes the mailer router program. At each node, the mailer examines the message, chooses a route, and encapsulates the message in a new job that it sends over the chosen route.

bps (bits per second) A measure of the rate of data transmission.

Bridge A computer that connects two or more networks and forwards packets among them. Usually, bridges operate at the physical network level. For example, an Ethernet bridge connects two physical Ethernet cables and forwards from one cable to the other exactly those packets that are not local. Bridges differ from repeaters because bridges store and forward complete packets while repeaters forward electrical signals. They differ from IP gateways or IP routers because they use physical addresses instead of IP addresses.

Broadband Characteristic of any network technology that multiplexes multiple, independent network carriers onto a single cable (usually using frequency division multiplexing). For example, a single 100 mbps broadband cable can be divided into ten 10 mbps carriers, with each treated as an independent Ethernet. The advantage of broadband is less cable; the disadvantage is higher cost for equipment at connections. See baseband. An analog signalling technique used in IEEE Token Bus LANs. Analog techniques allow a single medium to be used for several information signals at once just as, for example, in cable TV systems.

Broadcast A packet delivery system that delivers a copy of a given packet to all hosts that attach to it is said to broadcast the packet. Broadcast may be implemented with hardware (for example, as in Ethernet) or with software (for example, as in Cypress).

BSC (Binary Synchronous Communication) See BISYNC.

Bus A linear topology for a local area network wiring scheme.

C

CCITT (Consultative Committee on International Telephony and Telegraphy) An international organization that sets standards for interconnection of telephone equipment. It defined the standards for X.25 network protocols (Note: in Europe, PTTs offer both voice telephone services and X.25 network services).

Channel A path for electrical transmission. Baseband systems provide a single channel on a physical medium. Broadband systems provide multiple channels (by use of frequency division) on a physical medium.

Checksum A small, integer value computed from a sequence of octets by treating them as integers and computing the sum. A checksum is used to detect errors that result when the sequence of octets is transmitted from one machine to another. Typically, protocol software computes a checksum and appends it to a packet when transmitting. Upon reception, the protocol software verifies the contents of the packet by recomputing the checksum and comparing to the value sent. Many Internet protocols use a 16-bit checksum computed with one's complement arithmetic with all integer fields in the packet stored in network byte order.

Client-server The model of interaction in a distributed system in which a program at one site sends a request to a program at another site and awaits a response. The requesting program is called a client; the program satisfying the request is called the server. It is usually easier to build client software than server software.

CMOT (CMip/cmis Over Tcp) The use of ISO CMIP/CMIS network management protocols to manage gateways in a TCP/IP Internet. CMOT is a co-recommended standard with SNMP. Also see MIB and SNMP.

Connection The path between two protocol modules that provides reliable stream delivery service. In a TCP/IP Internet, a connection extends from a TCP module on one machine to a TCP module on the other.

Connectionless Service Characteristic of the packet delivery service offered by most hardware and by the Internet Protocol (IP). The connectionless service treats each packet or datagram as a separate entity that contains the source and destination address. Usually, connectionless services can drop packets or deliver them out of sequence.

Core Gateway One of a set of gateways operated by the Internet Network Operations Center (INOC) at BBN. Gateways in the core system exchange routing updates periodically to ensure that their routing tables remain consistent. The core forms a central part of Internet routing in that all groups must advertise paths to their networks to core gateways using the Exterior Gateway Protocol.

CREN (Consortium for Research and Education Network) The name of the organization that resulted when BITNET and CSNET merged.

CSMA (Carrier Sense Multiple Access) A characteristic of network hardware that operates by allowing multiple stations to contend for access to a transmission medium by listening to see if it is idle.

CSMA/CD (Carrier Sense Multiple Access with Collision Detection) A characteristic of network hardware that uses CSMA access combined with a mechanism that allows the hardware to detect when two stations simultaneously attempt transmission. Ethernet is an example of a well-known network based on CSMA/CD technology. The technique used by Ethernet stations to control access to their shared communication channel. They listen before transmitting (and refrain from using the channel if it's already in use), and listen during transmission (to determine whether their own signal is being corrupted by somebody else's). If such a collision is detected, the station will stop its transmission and attempt it again sometime later.

CSNET (Computer Science NETwork) A network that offered mail delivery service using dialup telephone, as well as Internet connectivity using
X25NET and Cypress. CSNET offered other services like a registry of members and an Internet domain name server for member institutions that could not run their own. Initially funded by the National Science Foundation, CSNET became self-sufficient before it merged with BITNET to form CREN.

D

DARPA (Defense Advanced Projects Research Agency) Formerly called ARPA. The government agency that funded research and experimentation with the ARPANET and, later, the DARPA Internet. The group within DARPA responsible for the ARPANET is ISTO (Information Systems Techniques Office), formerly IPTO (Information Processing Techniques Office). Located at 1400 Wilson Blvd, Arlington, VA.

Datagram See IP datagram.

DCA (Defense Communication Agency) The government agency responsible for installation of Defense Data Network (for example, ARPANET and MILNET) lines and PSNs. DCA writes contracts for operation of the DDN and pays for network services.

DCE (Data Communications Equipment) Term X.25 protocol standards apply to switching equipment that forms a packet switched network to distinguish it from the computers or terminals that connect to the network. Also see DTE.

DDCMP (Digital Data Communication Message Protocol) The link-level protocol Digital Equipment Corporation uses in their network products. DDCMP operates over serial lines, delimits frames by a special character, and includes checksums at the link level. It is relevant to the Internet because the original NSFNET used DDCMP over its backbone lines.

DDN (Defense Data Network) Used loosely to refer to the MILNET, ARPANET, and the TCP/IP protocols they use. More literally, it is the MILNET and associated parts of the connected Internet that connect military installations.

Demultiplex To separate from a common input into several outputs. Demultiplexing occurs at many levels. Hardware demultiplexes signals from a transmission line based on time or carrier frequency to allow multiple, simultaneous transmissions across a single physical cable. Internet protocol software demultiplexes incoming datagrams, sending each to the appropriate high-level protocol module or application program.

Directed broadcast address An IP address that specifies all hosts on a specific network. A single copy of a directed broadcast is routed to the specified network where it is broadcast to all machines on that network.

DNS (Domain Naming System) The online distributed database system used to map human-readable machine names into IP addresses. DNS servers throughout the connected Internet implement a hierarchical namespace that allows sites freedom in assigning machine names and addresses. DNS also supports separate mappings between mail destinations and IP addresses.

Domain In the Internet, a part of the DNS naming hierarchy. Syntactically, a domain name consists of a sequence of names (labels) separated by periods (dots).

Dotted Decimal Notation The syntactic representation for a 32-bit integer that consists of four 8-bit numbers written in base 10 with periods (dots) separating them. Many Internet application programs accept dotted decimal notation in place of destination machine names.

DTE (Data Terminal Equipment) Term X.25 protocol standards apply to computers and/or terminals to distinguish them from the packet switching network to which they connect. Also see DCE.

E

EARN (European Academic Research Network) A network using BITNET technology to connect universities and research labs in Europe. EARN interconnects with BITNET in the U.S. and allows electronic mail transfer as well as remote job entry.

EGP (Exterior Gateway Protocol) The protocol used by a gateway in one autonomous system to advertise the Internet addresses of networks in that autonomous system to a gateway in another autonomous system. Every autonomous system must use EGP to advertise network reachability to the core gateway system.

EIA (Electronics Industry Association) A standards organization for the electronics industry. Known for RS232C and RS422 standards that specify the electrical characteristics of interconnections between terminals and computers or between two computers.

Email A convenient, fast, and inexpensive method of sending and receiving messages across a network to any Internet user.

Encapsulation The technique used by layered protocols in which a lower-level protocol accepts a message from a higher-level protocol and places it in the data portion of the low-level frame. Encapsulation often means that packets traveling across a physical network have a sequence of headers in which the first header comes from the physical network frame, the next from the Internet Protocol, the next from the transport protocol, and so on.

Epoch Date A point in history chosen as the date from which time is measured. The Internet uses January 1, 1900, Universal Time (formerly called Greenwich Mean Time) as its epoch date. Throughout the Internet, when programs exchange date or time of day they express time as the number of seconds past the epoch date.

Ethernet A popular local area network technology invented at the Xerox Corporation Palo Alto Research Center. An Ethernet itself is a passive coaxial cable; the interconnections contain all active components. Ethernet is a best-effort delivery
system that uses CSMA/CD technology. Xerox Corporation, Digital Equipment Corporation, and Intel Corporation developed and published the standard for 10 Mbps Ethernet. Originally, the coaxial cable specified for Ethernet was a 1/2 inch diameter heavily shielded cable. However, many office environments now use a lighter coaxial cable sometimes called thinnet or cheapernet. It is also possible to run Ethernet over shielded twisted pair cable. A baseband, CSMA/CD local area network which allows up to 1,024 stations to send frames to one another with digital signalling rates of 10 million bits per second.

F

FDDI (Fiber Distribution Data Interface) An emerging standard for a network technology based on fiber optics that has been established by the American National Standards Institute (ANSI). FDDI specifies a 100 mbps data rate using 1300 nanometer light wavelength and limits networks to approximately 200 km in length, with repeaters every 2 km or less. The access control mechanism uses token-ring technology.

File Server A process running on a computer that provides access to files on that computer to programs running on remote machines. The term is often loosely applied to computers that run file server programs.

finger A command that shows user information on either a local system or other systems within a network.

Flat Namespace Characteristic of any naming in which object names are selected from a single set of strings (for example, street names in a typical city). Flat naming contrasts with hierarchical naming in which names are divided into subsections that correspond to the hierarchy of authority that administers them (for example, telephone numbers that are divided into area code, exchange, and subscriber).

Flow Control Control of the rate at which hosts or gateways inject packets into a network or Internet, usually to avoid congestion. Flow control mechanisms can be implemented at various levels. Simplistic schemes like ICMP source quench simply ask the sender to cease transmission until congestion ends. More complex schemes vary the transmission rate continuously.

Fragment One of the pieces that results when an Internet gateway divides an IP datagram into smaller pieces for transmission across a network that cannot handle the original datagram size. Fragments use the same format as datagrams; fields in the IP header declare whether a datagram is a fragment, and if so, the offset of the fragment in the original datagram. IP software at the receiving end must reassemble fragments into complete datagrams.

Frame Literally, a packet as it is transmitted across a serial line. The term derives from character oriented protocols that added special start-of-frame and end-of-frame characters when transmitting packets. We use the term throughout this book to refer to the objects that physical networks transmit, even if the network does not use traditional framing. (X.25 networks use the term to specifically refer to the format of data transferred between a host and a packet switch.)

FTP (File Transfer Protocol) The Internet standard, high level protocol for transferring files from one machine to another. Usually implemented as application level programs, FTP uses the TELNET and TCP protocols. The server side requires a client to supply a login identifier and password before it will honor requests.

Fuzzball Term applied to both a piece of gateway software and the Digital Equipment Corporation LSI-11 computer on which it runs. NSFnet uses fuzzballs as packet switches on its backbone network.

FYI (For Your Information) A subset of the RFCs that are not technical standards or descriptions of protocols. FYIs convey general information about topics related to TCP/IP or the connected Internet.

G

gated (GATEway Daemon) A program that runs under 4.3 BSD UNIX on a gateway to allow the gateway to collect information from within one autonomous system using RIP, HELLO, or other interior gateway protocols, and to advertise routes to another autonomous system using the exterior gateway protocol, EGP.

Gateway A special purpose, dedicated computer that attaches to two or more networks and routes packets from one to the other. In particular, an IP gateway routes IP datagrams among the networks to which it connects. Gateways route packets to other gateways until they can be delivered to the final destination directly across one physical network. The term is loosely applied to any machine that transfers information from one network to another, as in mail gateway. Although the original literature used the term gateway, vendors often called them IP routers. A device, or pair of devices, which interconnect two or more networks or subnetworks enabling the passage of data from one (sub)network to another. A gateway contains an IP module, a routing protocol module and (for each connected subnetwork) a Subnetwork Protocol module (SNP). The routing protocol is used to coordinate with other gateways.

GGP (Gateway to Gateway Protocol) The protocol core gateways use to exchange routing information, GGP implements a distributed shortest path routing computation. Under normal circumstances, all GGP participants will reach a steady state in which the routing information at all gateways agrees. GGP is now obsolete.

Gopher An Internet navigation tool that allows you to search the Internet by selecting resources from a menu on a public Gopher server.

H

Hardware Address The low-level addresses used by physical networks. Each type of network hardware has its own addressing scheme. For example, Ethernet uses 48-bit hardware addresses assigned by the vendor, while proNET-10 uses small integer hardware addresses assigned when a connection to the network is installed.

HELLO The protocol used by a group of cooperative, trusting packet switches to allow them to discover minimal delay routes. It is important to the Internet primarily because fuzzballs on the NSFnet backbone use it.

Hierarchical Routing Routing that is based on a hierarchical addressing scheme. Most Internet routing is based on a 2-level hierarchy in which an Internet address is divided into a network portion and a host portion. Gateways use only the network portion until the datagram reaches a gateway that can deliver it directly. Subnetting introduces additional levels of hierarchical routing.

Hop Count A measure of distance between two points in the Internet. A hop count of n means that n gateways separate the source and destination.

Host Any computer system that connects to a network, particularly a source or destination of messages on a communications network.

I

IAB (Internet Architecture Board) A group who set policy and standards for TCP/IP and the connected Internet. The IAB was reorganized in 1989, with technical people moved to research and engineering subgroups. See IRTF and IETF.

ICMP (Internet Control Message Protocol) An integral part of the Internet Protocol (IP) that handles error and control messages. Specifically, gateways and hosts use ICMP to send reports of problems about datagrams back to the original source that sent the datagram. ICMP also includes an echo request/reply used to test whether a destination is reachable and responding.

IGP (Interior Gateway Protocol) The generic term applied to any protocol used to propagate network reachability and routing information within an autonomous system. Although there is no single standard IGP, RIP is among the most popular.

inetd Provides Internet service management for a network. It invokes other daemons, such as telnet and ftp, only when they are needed.

INOC (Internet Network Operations Center) A subgroup of the NOC at BBN that monitors and controls the Internet core gateway system. The INOC measures traffic flow, tests reachability, monitors routing tables, and controls downloading of the new gateway software.

Internet Physically, a collection of packet switching networks interconnected by gateways along with protocols that allow them to function logically as a single, large, virtual network. When written in upper case, Internet refers specifically to the connected Internet and the TCP/IP protocols it uses.

Internet The collection of networks and gateways, including the MILNET, and NSFNET, that use the TCP/IP protocol suite and function as a single, cooperative virtual network. The Internet provides universal connectivity and three levels of network services: unreliable, connectionless packet delivery; reliable, full duplex stream delivery; and application level services like electronic mail that build on the first two. The Internet reaches many universities, government research labs, and military installations and over a dozen countries.

Internet Address See IP address.

InterNIC A group responsible for providing users with information about TCP/IP and the connected Internet. The InterNIC registers new users and domains, assigns network numbers, and distributes RFCs and other documents related to TCP/IP.

IP (Internet Protocol) The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet and provides the basis for the Internet connectionless, best-effort packet delivery service. IP includes ICMP control and error message protocol as an integral part. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two most fundamental protocols.

IP Address The 32-bit address assigned to hosts that want to participate in the Internet using TCP/IP. Internet addresses are the abstraction of physical hardware addresses just as the Internet is an abstraction of physical networks. Actually assigned to the interconnection of a host to a physical network, an Internet address consists of a network portion and a host portion. The partition makes routing efficient.

IP Datagram The basic unit of information passed across the Internet. An IP datagram is to the Internet as a hardware packet is to a physical network. It contains a source and destination address along with data.

ISO (International Standards Organization) An international body that drafts, discusses, proposes, and specifies standards for network protocols. ISO is best known for its 7-layer reference model that describes the conceptual organization of protocols and its slowly emerging suite of protocols for Open System Interconnection. The OSI protocols most like the TCP/IP protocol suite are known as TP-4/IP.

ISO Reference Model The International Standards Organization Reference Model for Open Systems Interconnection — A standard approach to network design which introduces modularity by dividing the complex set of functions into more manageable, self-contained, functional layers, as follows:

1. Physical Layer — the level at which protocols provide the mechanical and electrical means by which devices are physically connected and data is transmitted.

© Copyright IBM Corp. 2010, 2013 Glossary X-5


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

2. Data Link Layer — the level at which information is moved reliably across the physical link.

3. Network Layer — the level at which connections between systems are established, maintained and terminated; concerned with switching and routing information.

4. Transport Layer — the level at which end-to-end data integrity and quality of service are ensured.

5. Session Layer — the level which standardizes the tasks of setting up a session and terminating it; coordinates interaction between end-application processes.

6. Presentation Layer — the level at which the character set and data code are specified — as well as the way data is displayed on a screen or printer.

7. Application Layer — concerned with the higher level functions which provide support to the application of system activities.

K

kbps (Kilo Bits Per Second) A measure of the rate of data transmission. Also see mbps and baud.

L

LAN (Local Area Network) Any physical network technology that operates at high speed (usually tens of megabits per second through several gigabits per second) over short distances (up to a few thousand meters). Examples include Ethernet and proNET-10. See MAN and WAN. A network connecting various electronic devices in a localized geographical area such as a single office building or a campus.

Level 2 A reference to link level communication (for example, frame formats) or link level connections derived from the ISO 7-layer reference model. For long haul networks, level 2 refers to the communication between a host computer and a network packet switch (for example, HDLC/LAPB). For local area networks, level 2 refers to physical frame format and addressing. Thus, a level 2 address is a physical frame address (for example, an Ethernet address).

Level 3 A reference to transport level communication derived from the ISO 7-layer reference model. For TCP/IP Internets, level 3 refers to IP and the IP datagram format. Thus, a level 3 address is an IP address.

Little Endian A format for storage or transmission of binary data in which the least significant byte (bit) comes first. See big endian.

M

Mail Bridge Used loosely to refer to any mail gateway. Technically, a mail bridge screens mail passing between two networks to ensure that it meets administrative constraints. In particular, mail bridges between the ARPANET and MILNET do not permit arbitrary mail flow.

Mail Exploder Part of an electronic mail system that accepts a piece of mail and a list of addresses as input and sends a copy of the message to each address on the list. Most electronic mail systems incorporate a mail exploder to allow users to define mailing lists locally.

Mail Gateway A machine that connects to two or more electronic mail systems (especially dissimilar mail systems on two different networks) and transfers mail messages among them. Mail gateways usually capture an entire mail message, reformat it according to the rules of the destination mail system, and then forward the message. See mail bridge.

MAN (Metropolitan Area Network) Any of several new physical network technologies that operate at high speeds (usually hundreds of megabits per second) over distances sufficient for a metropolitan area. See LAN and WAN.

mbps (Millions of Bits Per Second) A measure of the rate of data transmission.

MIB (Management Information Base) The set of variables (database) that a gateway running CMOT or SNMP maintains. Managers can fetch or store into these variables. MIB-II refers to an extended management database that contains variables not shared by both CMOT and SNMP. See also CMOT and SNMP.

MILNET (MILitary NETwork) Originally part of the ARPANET, MILNET was partitioned in 1984 to make it possible for military installations to have reliable network service while the ARPANET continued to be used for research. MILNET uses exactly the same hardware and protocol technology as ARPANET. Under normal circumstances, MILNET is part of the connected Internet.

MTU (Maximum Transfer Unit) The largest amount of data that can be transferred across a given physical network. For local area networks like the Ethernet, the MTU is determined by the network standard. For long haul networks that use serial lines to interconnect packet switches, the MTU is determined by software.

Multi-homed Host An Internet host with connections to two or more physical networks. Multi-homed hosts can function as gateways if their routing tables are assigned correct values for routes.

Multicast A technique that allows copies of a single packet to be passed to a selected subset of all possible destinations. Some hardware (for example, Ethernet) supports multicast by allowing a network interface to belong to one or more multicast groups. Broadcast is a special form of multicast in which the subset of machines to receive a copy of a packet consists of the entire set. IP supports an Internet multicast facility.


N

Name Resolution The process of mapping a name into a corresponding address. The domain name system provides a mechanism for naming computers in which programs use remote name servers to resolve machine names into IP addresses for those machines.

NetBIOS (Network Basic Input Output System) NetBIOS is the standard interface to networks on IBM PC and compatible personal computers. In a TCP/IP Internet, NetBIOS refers to a set of guidelines that describes how to map NetBIOS operations into equivalent TCP/IP operations. For example, one of the NetBIOS naming operations maps into domain name system interactions.

Network Byte Order The TCP/IP standard for transmission of integers that specifies that the most significant byte appears first (big endian). Sending machines are required to translate from the local integer representation to network byte order, and receiving machines are required to translate from network byte order to the local machine representation.

NFS (Network File System) A protocol developed by SUN Microsystems that uses IP to allow a set of cooperating computers to access each other's file systems as if they were local. The key advantage of NFS over conventional file transfer protocols is that NFS hides the differences between local and remote files by placing them in the same name space. NFS was designed for UNIX systems, but has been implemented for many systems including personal computers like the IBM PC and Apple Macintosh.

NIS A distributed database system which allows the sharing of system information. Examples of system information that can be shared include the /etc/passwd, /etc/group, /etc/hosts files.

NOC (Network Operations Center) The organization at BBN that monitors and controls several networks that form part of the Internet, including the ARPANET, MILNET, and at least one X.25 based network.

NREN (National Education and Research Network) The planned successor to the connected Internet that provides high-speed access to scientific and educational institutions.

NSF (National Science Foundation) A government agency that has funded the development of a cross country backbone network as well as regional networks designed to connect scientists to the connected Internet. NSF has also funded individual researchers working in the network area as well as large projects spanning multiple institutions like CSNET.

NSFNET (National Science Foundation NETwork) Loosely used to describe collectively the cross country backbone, mid-level networks, and supercomputer consortia networks that have all been started with NSF seed funds. In a narrow sense, NSFNET refers only to the backbone network.

O

OSF (Open Software Foundation) A consortium of hardware manufacturers who attempt to set common standards for open systems, including operating systems and networks. Emerging OSF standards include the OSF/1 operating system, Distributed Computing Environment (DCE) and Distributed Management Environment (DME).

OSI (Open Systems Interconnect) A reference to protocols, specifically ISO standards, for the interconnection of cooperative computer systems.

OSPF Open Shortest Path First. It is an interior gateway protocol based on a link state protocol model and is currently a "Proposed Standard" for Internet routing in autonomous systems.

P

Packet The unit of data sent across a packet switching network. The term is used loosely. While some TCP/IP literature uses it to refer specifically to data sent across a physical network, other literature views an entire Internet as a packet switching network and describes IP datagrams as packets.

PAD (Packet Assembler Disassembler) A term used with X.25 networks that refers to a terminal multiplexer device that forms a connection between terminals and hosts across an X.25 network. A PAD accepts characters from a conventional terminal and sends them across an X.25 network; it accepts packets from an X.25 network, extracts characters, and displays them on a terminal.

ping (Packet InterNet Groper) The name of a program used in the Internet to test reachability of destinations by sending them an ICMP echo request and waiting for a reply. The term has survived the original program and is now used like a verb as in, "please ping host A to see if it is alive."

Port See protocol port.

Protocol A formal description of message formats and the rules two or more machines must follow to exchange those messages. Protocols can describe low level details of machine to machine interfaces (for example, the order in which the bits from a byte are set across a wire), or high-level exchanges between application programs (for example, the way in which two programs transfer a file across an Internet). Most protocols include both intuitive descriptions of the expected interactions as well as more formal specifications using finite state machine models.

Protocol Port The abstraction that transport protocols use to distinguish among multiple destinations within a given host computer. TCP/IP protocols identify ports using small positive integers. Usually, the operating system allows an application program to specify which port it wants to use. Some ports are reserved for standard services (for example, electronic mail).

PSN (Packet Switch Node) The name of an ARPANET packet switch; PSNs were formerly called IMPs. PSNs were implemented with BBN C30 or
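The Network Byte Order and IP Datagram entries above describe the rule in words: every multi-byte field on the wire is big endian, and each end converts to and from its local representation. The following is an added example, not code from the course notes, that shows the rule applied to a constructed 20-byte IPv4 header: the header is packed and parsed with network byte order, the RFC 791 header checksum is computed over the 16-bit words, and one function shows what a receiver would see if it forgot the conversion on a little-endian machine. The sample addresses, identification value and payload length are constructed for the example.

```python
import struct

# IPv4 fixed header (RFC 791, no options). The leading "!" makes struct use
# network byte order for every multi-byte field, whatever the host's order is.
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the header taken as 16-bit words in network byte order. Over a header whose
    checksum field is already correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, ttl, protocol, payload_len, ident=0x1C46):
    """Build a 20-byte header with a valid checksum; src/dst are 4-tuples of ints."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000,   # v4, IHL 5, DF flag set
              ttl, protocol, 0, bytes(src), bytes(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))   # checksum over zeroed field
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed header, converting each field from network byte order."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, data[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def total_length_read_as_little_endian(data: bytes) -> int:
    """What a receiver sees if it skips the conversion and reads the 16-bit
    total length field in little-endian host order: the bytes swap."""
    return struct.unpack("<H", data[2:4])[0]


# Constructed sample: header for a 40-byte UDP payload (protocol 17), TTL 64,
# with source and destination taken from the documentation address ranges.
SAMPLE_HEADER = build_ipv4_header((192, 0, 2, 10), (198, 51, 100, 7),
                                  ttl=64, protocol=17, payload_len=40)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
    print("total length misread as little endian:",
          total_length_read_as_little_endian(SAMPLE_HEADER))
```

The total length 60 is on the wire as the bytes 00 3C; read in the wrong order it becomes 0x3C00, or 15360, which is why receivers that skip the conversion mis-size packets. The checksum check in `parse_ipv4_header` is the receiver-side validation the Segment and UDP entries refer to: a header whose bytes have been altered in transit no longer sums to zero.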


BBN C300 mini-computers and execute packet switch software under control of the Network Operation Center at BBN. Each PSN connected to at least two other PSNs as well as from 1 to 16 host computers.

R

RARP (Reverse Address Resolution Protocol) The Internet protocol a diskless machine uses at startup to find its Internet address. The machine broadcasts a request that contains its physical hardware address and a server responds by sending the machine its Internet address. RARP takes its name and the message format from another Internet address resolution protocol, ARP.

rcp Part of the Berkeley set of network commands. Transfers files between a local and a remote host or between two remote hosts.

Regional Net The original term applied to NSFNET mid-level networks.

Repeater A hardware device that copies electrical signals from one Ethernet to another. Typically, sites that have repeaters use them to connect a physical Ethernet cable on each floor of a building to a backbone cable. The chief disadvantage of a repeater compared to a bridge is that it transfers electrical noise as well as packets. At most, two repeaters can appear between any two machines connected to an Ethernet.

rexec Part of the Arpanet set of network commands. It executes commands one at a time on a remote host.

RFC (Request For Comments) The name of a series of notes that contain surveys, measurements, ideas, techniques, and observations, as well as proposed and accepted TCP/IP protocol standards. RFCs are edited but not refereed. They are available on-line from the Network Information Centre.

RIP (Routing Information Protocol) The protocol used by Berkeley 4.3 BSD UNIX systems to exchange routing information among a (small) set of computers. Usually, the participating machines all attach to a single local area network. Implemented by the UNIX program routed, RIP derives from an earlier protocol of the same name developed at Xerox.

RJE (Remote Job Entry) The service offered by many networks that allows one to submit a (batch) job from a remote site. Although the Internet has a protocol for RJE service, it is not very popular because many machines on the Internet support timesharing instead of batch job processing.

rlogin (Remote LOGIN) The service offered by Berkeley 4.3 BSD UNIX systems that allows users of one machine to connect to other UNIX systems across an Internet and interact as if their terminals connected to the machines directly. Although rlogin offers essentially the same service as TELNET, it is superior because the software passes information about the user's environment (for example, terminal type) to the remote machine.

Route In general, a route is the path that network traffic takes from its source to its destination. In a TCP/IP Internet, each IP datagram is routed separately; the route a datagram follows may include many gateways and many physical networks.

routed (Route Daemon) A program that runs under 4.3BSD UNIX to propagate routes among machines on a local area network. It uses the RIP protocol. Pronounced "route-d."

Router Generically, any machine responsible for making decisions about which of several paths network traffic follows. At the lowest level, a physical network bridge is a router because it chooses whether to pass packets from one physical wire to another. Within a long-haul network, each individual packet switch is a router because it chooses routes for individual packets. In a TCP/IP Internet, each IP gateway is a router because it uses IP destination addresses to choose routes.

RS232 A standard by EIA that specifies the electrical characteristics of slow speed interconnections between terminals and computers or between two computers. The specification limits speeds to 20 Kbps and distance to 500 feet, but many manufacturers support speeds of 38.4 Kbps and/or longer distances. Although the standard commonly used is RS232C, most people refer to it as RS232.

rsh Part of the Berkeley set of network commands. It executes the specified command at the remote host or logs into the remote host.

S

SDLC (Synchronous Data Link Control) A predecessor of HDLC defined by IBM Corporation and used in their SNA network products.

Segment The unit of transfer sent from TCP on one machine to TCP on another. Each segment contains part of a stream of bytes being sent between the machines as well as additional fields that identify the current position in the stream and contain a checksum to ensure validity of received data.

Sliding Window Characteristic of those protocols that, when sending a stream of bytes, allow the sender to transmit up to n packets before an acknowledgement arrives. After the sender receives an acknowledgement for the first outstanding packet, it slides the packet window along the stream and sends another. Values for n are usually on the order of 10.

SLIP Serial Line Interface Protocol is an inexpensive TCP/IP point-to-point connection with each connection considered a unique network.

SLIPLOGIN An inexpensive TCP/IP password-protected point-to-point serial connection that is activated upon a call-in or dial-in process.

SMTP (Simple Mail Transfer Protocol) The TCP/IP standard protocol for transferring electronic mail messages from one machine to another. SMTP specifies how two mail systems interact and the
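The Sliding Window entry above states the rule (up to n packets outstanding, the window slides when the oldest is acknowledged) but a short trace makes it concrete. The following is an added example, not code from the course notes: a simulated sender with a window of 3 over six packets, cumulative acknowledgements, and a timeout path that retransmits everything still outstanding, which is the retransmission the TP-4/IP entry refers to. The packet numbers and acknowledgement sequence are constructed for the example.

```python
class SlidingWindowSender:
    """Sender side of a sliding-window protocol (constructed model, not an
    implementation of TCP): at most `window` packets may be outstanding."""

    def __init__(self, packets, window):
        self.packets = list(packets)
        self.window = window
        self.base = 0            # oldest unacknowledged packet number
        self.next_seq = 0        # next packet not yet transmitted
        self.events = []         # trace of ("send" | "retransmit", [numbers])

    def outstanding(self):
        """Packets transmitted but not yet acknowledged."""
        return list(range(self.base, self.next_seq))

    def send_ready(self):
        """Transmit every packet the window allows; return their numbers."""
        sent = []
        while (self.next_seq < len(self.packets)
               and self.next_seq - self.base < self.window):
            sent.append(self.next_seq)
            self.next_seq += 1
        if sent:
            self.events.append(("send", sent))
        return sent

    def receive_ack(self, acked):
        """Cumulative acknowledgement: everything up to and including `acked`
        has arrived, so the window slides past it and is refilled."""
        if self.base <= acked < self.next_seq:
            self.base = acked + 1
        return self.send_ready()

    def timeout(self):
        """No acknowledgement arrived in time: retransmit all outstanding packets."""
        sent = self.outstanding()
        if sent:
            self.events.append(("retransmit", sent))
        return sent

    def done(self):
        return self.base == len(self.packets)


def run_example():
    """Six packets, window of 3; returns the list of packets sent at each step
    and whether the whole stream was acknowledged at the end."""
    s = SlidingWindowSender(packets=range(6), window=3)
    trace = [s.send_ready()]          # window fills: packets 0, 1, 2
    trace.append(s.receive_ack(0))    # ack 0 frees one slot: packet 3
    trace.append(s.timeout())         # acks lost: retransmit 1, 2, 3
    trace.append(s.receive_ack(3))    # cumulative ack up to 3: packets 4, 5
    trace.append(s.receive_ack(5))    # everything acknowledged: nothing to send
    return trace, s.done()


if __name__ == "__main__":
    for step in run_example()[0]:
        print(step)
```

The window size bounds how much data a sender can have in flight, so it also bounds how much a receiver must buffer; a receiver that advertises a window larger than it can actually hold is the usual source of lost segments and retransmissions on congested links.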


format of control messages they exchange to transfer mail.

SNA (System Network Architecture) The name applied to an architecture and a class of network products offered by IBM Corporation. SNA does not interoperate with TCP/IP.

SNMP (Simple Network Management Protocol) A standard protocol used to monitor IP gateways and the networks to which they attach. SNMP defines a set of variables that the gateway must keep and specifies that all operations on the gateway are a side effect of fetching or storing to the data variables. Also see CMOT and MIB.

Socket The abstraction provided by Berkeley 4.3 BSD UNIX that allows a process to access the Internet. A process opens a socket, specifies the service desired (for example, reliable stream delivery), binds the socket to a specific destination, and then sends or receives data.

Source Route A route that is determined by the source. TCP/IP implements source routing by using an option field in an IP datagram. The source fills in a sequence of machines that the datagram must visit along its trip to the destination. Each gateway along the path honors source routing by following the list of machines to visit instead of following the usual route to the destination.

Subnet Address An extension of the IP addressing scheme that allows a site to use a single IP network address for multiple physical networks. Outside of the site using subnet addressing, routing continues as usual by dividing the destination address into a network portion and local portion. Gateways and hosts inside a site using subnet addressing interpret the local portion of the address by dividing it into a physical network portion and host portion.

T

Talk A command that provides for the ability to carry on a conversation with another user either on the same system or different systems across a network.

TCP (Transmission Control Protocol) The TCP/IP standard transport level protocol that provides the reliable, full duplex, stream service on which many application protocols depend. TCP allows a process on one machine to send a stream of data to a process on another. It is connection-oriented in the sense that before transmitting data, participants must establish a connection. Software implementing TCP usually resides in the operating system and uses the IP protocol to transmit information across the underlying Internet. It is possible to terminate (shut down) one direction of flow across a TCP connection, leaving a one-way (simplex) connection. The entire protocol suite is often referred to as TCP/IP because TCP and IP are the two most fundamental protocols.

TELNET The TCP/IP standard protocol for remote terminal connection service. TELNET allows a user at one site to interact with a remote timesharing system at another site as if the user's terminal connected directly to the remote machine. That is, the user invokes a TELNET application program that connects to a remote machine, prompts for a login id and password, and then passes keystrokes from the user's terminal to the remote machine and displays output from the remote machine on the user's terminal.

TFTP (Trivial File Transfer Protocol) The TCP/IP standard protocol for file transfer with minimal capability and minimal overhead. TFTP depends only on the unreliable, connectionless datagram delivery service (UDP), so it can be used on machines like diskless workstations that keep such software in ROM and use it to bootstrap themselves.

Token Bus A type of network technology in which permission to transmit is specifically passed from one station to another as a means for governing shared access to the channel.

Token Ring When used in the generic sense, a type of network technology that controls media access by passing a distinguished packet, called a token, from machine to machine. A computer can only transmit a packet when holding the token. When used in a specific sense, it refers to the token ring network hardware produced by IBM.

Topology A description of how stations on a network connect to a cable. Examples of specific topologies include: Bus, Ring, Star and Tree. Two kinds of topology include:

1. Physical topology — The configuration of network nodes and links. Description of the physical geometric arrangement of the links and nodes that make up a network, as determined by their physical connections.

2. Logical topology — Description of the possible connections between network nodes, indicating which pairs of nodes are able to communicate, whether or not they have a direct physical connection.

TP-4/IP A term often given to the ISO protocol suite that closely resembles TCP/IP. Both TCP and ISO TP-4 protocols provide reliable stream delivery service using basically the same techniques of positive acknowledgement and retransmission.

Trailer Protocol A nonconventional method of encapsulating IP datagrams for transmission across a local area network (for example, Ethernet). Trailer protocols place the header at the end of the packet, so the operating system can arrange to have the network hardware deposit incoming datagrams with the data area starting on a page boundary. The technique saves on the overhead of copying datagrams once they arrive.

Transceiver A device that connects a host interface to a local area network (for example, Ethernet). Ethernet transceivers contain analog electronics that apply signals to the cable and sense collisions.

TTL (Time To Live) A technique used in best-effort delivery systems to avoid endlessly looping packets. For example, each IP datagram is assigned an integer time to live when it is created. IP gateways decrement the time to live field when they process a
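The Subnet Address entry above describes two views of the same address: outside the site, a gateway splits it into network and local portions and needs only one route for the whole site; inside, gateways split the local portion again into a physical-network part and a host part and need one route per physical network. The following is an added example, not code from the course notes, that performs both splits and shows the two routing tables with longest-prefix lookup. The site network (172.16.0.0/16), the subnet mask, the interface names and the route entries are constructed for the example.

```python
import ipaddress

# Constructed site: one IP network address (a /16) whose 16-bit local portion is
# divided internally into an 8-bit physical-network part and an 8-bit host part.
SITE_NETWORK = ipaddress.ip_network("172.16.0.0/16")
SUBNET_MASK = "255.255.255.0"

# Routing table as seen outside the site: a single entry covers every subnet.
OUTSIDE_ROUTES = {
    "172.16.0.0/16": "gateway-to-site",
    "0.0.0.0/0": "default-gateway",
}

# Routing table of a gateway inside the site: one entry per physical network it
# attaches to, a fallback for the rest of the site, and an exit route.
INSIDE_ROUTES = {
    "172.16.5.0/24": "en0",
    "172.16.7.0/24": "en1",
    "172.16.0.0/16": "site-core-router",
    "0.0.0.0/0": "site-exit-gateway",
}


def split_address(addr, site=SITE_NETWORK, subnet_mask=SUBNET_MASK):
    """Return the outside view (network, local) and the inside view
    (subnet number, host number) of one IPv4 address."""
    ip_int = int(ipaddress.ip_address(addr))
    net_mask = int(site.netmask)
    sub_mask = int(ipaddress.ip_address(subnet_mask))
    if sub_mask & net_mask != net_mask:
        raise ValueError("subnet mask must extend the network mask")
    host_bits = 32 - bin(sub_mask).count("1")
    return {
        "network": str(ipaddress.ip_address(ip_int & net_mask)),
        "local": ip_int & ~net_mask & 0xFFFFFFFF,
        "subnet": (ip_int & sub_mask & ~net_mask & 0xFFFFFFFF) >> host_bits,
        "host": ip_int & ~sub_mask & 0xFFFFFFFF,
    }


def lookup_route(addr, routes):
    """Longest-prefix match: the most specific entry containing `addr` wins."""
    ip = ipaddress.ip_address(addr)
    best_net, best_hop = None, None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


if __name__ == "__main__":
    print(split_address("172.16.5.9"))
    print("outside:", lookup_route("172.16.5.9", OUTSIDE_ROUTES))
    print("inside: ", lookup_route("172.16.5.9", INSIDE_ROUTES))
```

Because the subnet structure is invisible outside the site, a host that is moved between subnets keeps the same outside route but needs a different inside route, which is why inside gateways must carry the per-subnet entries and why a wrong subnet mask on one host breaks only that host's view of the local portion.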


datagram and discard the datagram if the time to live counter reaches zero.

U

UDP (User Datagram Protocol) The Internet standard protocol that allows an application program on one machine to send a datagram to an application program on another machine. UDP uses the Internet Protocol to deliver datagrams. Conceptually, the important difference between UDP and IP is that UDP messages include a protocol port number, allowing the sender to distinguish among multiple destinations (application programs) on the remote machine. In practice, UDP also includes a checksum over the data being sent.

Universal Time The international standard time reference that was formerly called Greenwich Mean Time. It is also called Coordinated Universal Time.

UUCP (UNIX-to-UNIX Copy Program) An application program developed in the mid 1970s for version 7 UNIX that allows one UNIX timesharing system to copy files to or from another UNIX timesharing system over a single (usually dialup) link. Because UUCP is the basis for electronic mail transfer in UNIX, the term is often used loosely to refer to UNIX mail transfer.

V

Veronica A server that builds a database of Gopher menus from all the Gopher servers, referred to as Gopherspace.

Virtual Circuit A network service enabling two end points to communicate as though via a physical circuit; a logical transmission path.

W

WAIS Wide Area Information Servers know about hundreds of databases that contain information on general topics.

WAN (Wide Area Network) Any physical network technology that spans large geographical distances. Also called long-haul networks, WANs usually operate at slower speeds and have significantly higher delays than networks that operate over shorter distances. See LAN and MAN.

Well-known Port Any of a set of protocol port numbers preassigned for specific uses by transport level protocols (that is, TCP and UDP). Servers follow the well-known port assignments so clients can locate them. Examples of well-known port numbers include ports assigned to echo servers, time servers, remote login (TELNET) servers, and file transfer (FTP) servers.

World Wide Web (WWW) An Internet navigation tool that allows a user to browse a world-wide set of services and documents using hypertext. It is based on hypertext documents whose structure links pages of hypertext to other documents on other sites. The Web consists of the masses of linked servers all over the world.

X

X.25 The CCITT standard protocol for transport level network service. Originally designed to connect terminals to computers, X.25 provides a reliable, stream transmission service that can support remote login. The X25NET service offered by CSNET demonstrates that it is possible to run TCP/IP protocols, IP in particular, over an X.25 network. X.25 is most popular in Europe.

X25NET (X.25 NETwork) A service offered by CSNET that passed IP traffic between a subscriber site and the Internet using X.25.

X.400 The CCITT protocol for electronic mail that is expected to become widely accepted. The current version is X.400(88) because it was defined in 1988. Work is underway to make TCP/IP mail systems interoperate with X.400.

XDR (eXternal Data Representation) The standard for a machine independent data structure representation developed by SUN Microsystems. To use XDR, a sender translates from the local machine representation to the standard external representation and a receiver translates from the external representation to the local machine representation.

XNS (Xerox Network Standard) The term used collectively to refer to the suite of Internet protocols developed by researchers at Xerox Corporation. Although similar in spirit to the TCP/IP protocols, XNS uses different packet formats and terminology.

Xstation A high-function LAN-attached terminal whose function is limited to the functions of an X Window server.

X-Window System A software system developed at MIT for presenting and managing output on bit-mapped displays. Each window consists of a rectangular region of the display that contains textual or graphical output. X allows application programs on a variety of computers to display output in separate windows on a single display. X uses a program called a window manager to allow the user to create, move, overlap, and destroy windows.

Z

Zone of Authority Term used in the domain name system to refer to the group of names for which a given name server is an authority. Each zone must be supplied by two name servers that have no common point of failure.


Bibliography

Manuals:
SG24-7204-00 Securing NFS in AIX
SG24-6657-00 Implementing NFSv4 in the Enterprise

Technical Education Courses:
AU07 ERC 10 AIX 6 Network Administration I
AU09 ERC 8 AIX 5L TCP/IP II: Problem Determination

Web URLs:
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.doc/doc/base/aixparent.htm&tocNode=int_8
IBM's AIX 6.1 Information centre
to fo
ec vo
oy si
u
cl
Ex
pr

© Copyright IBM Corp. 2010, 2013 Bibliography X-11


Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Student Notebook

.I. n
.T ció
.
C
.F a
C rm
to fo
ec vo
oy si
u
cl
Ex
pr

X-12 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2

Ex backpg
Back page

cl
pr u
oy si
ec vo
to fo
C rm
.F a
.T ció
.I. n
C
.
Ex
cl
pr u
oy si
ec vo
to fo
C rm
.F a
.T ció
.I. n
C
.
CONTACT

Telephone
91 761 21 78
Get in touch with our team and we will answer any question or query you may have.

Email
formacion@arrowecs.es
Send us an email and we will attend to you right away.

Online
@Arrow_Edu_ES
Or you can contact us through our Twitter profile.

Visit us
Arrow ECS Education Services
Avenida de Europa 21,
Parque Empresarial La Moraleja
28108 Alcobendas, Madrid

EDUCATION SERVICES