Student Manual
CONSEJERÍA DE EMPLEO,
TURISMO Y CULTURA
EDUCATION
SERVICES
V8.2
Student Notebook
TCP/IP for AIX Administrators
Course code AN21 ERC 2.0
Trademarks
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United
States, or other countries, or both:
AFS™ AIX 5L™ AIX 6™
AIX® DB2® GPFS™
HACMP™ Notes® POWER Hypervisor™
Power Systems™ Power® PowerHA®
PowerVM® POWER6® System i®
System p® System x® System z®
Tivoli® 400®
Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the
United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other product and service names might be trademarks of IBM or other companies.
The information contained in this document has not been submitted to any formal IBM test and is distributed on an “as is” basis without
any warranty either express or implied. The use of this information or the implementation of any of these techniques is a customer
responsibility and depends on the customer’s ability to evaluate and integrate them into the customer’s operational environment. While
each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will
result elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.
Contents
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Agenda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Unit 1. Network concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
The global picture of Internet network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Example of an enterprise network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Computer networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
How data is transmitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Data encapsulation through the protocol stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
The transport layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Transmission Control Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
User Datagram Protocol (UDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
The Internet layer: Internet Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
IP addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
IP and subnet addressing (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
IP and subnet addressing (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Subnetting example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
IP routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
The link layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
Address Resolution Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
/etc/rc.tcpip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4
Ethernet adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
Minimum Configuration & Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Additional IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Command line TCP/IP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-25
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-26
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-27
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-28
Unit 3. inetd remote command services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2
The inetd daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3
Remote commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-5
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-6
rexec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-7
ftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-9
r* commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-11
r* authentication files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-12
r* authentication files in action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-14
dsh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-15
Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-20
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-21
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-22
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Unit 5. VLAN theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
IEEE 802.1Q VLAN tagging (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4
IEEE 802.1Q VLAN tagging (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5
AIX VLAN tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6
Power systems, VLANs, and virtual Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
VIOS and VLAN bridging availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8
VEth configuration example: Dual networks and dual VIOS . . . . . . . . . . . . . . . . . . 5-9
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3
Routing implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5
IP routing algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7
Viewing the routing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-8
Test 3: Cost (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-17
Test 4: Active DGD (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-18
Test 4: Active DGD (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-19
Test 5: Passive DGD (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-20
Test 5: Passive DGD (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-21
Gigabit fast failover: Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-22
GFF implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-24
GFF testing: Primary port failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-25
GFF testing: Primary port recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-26
Link aggregation and EtherChannel: Overview (1 of 2) . . . . . . . . . . . . . . . . . . . . .7-27
Link aggregation and EtherChannel: Overview (2 of 2) . . . . . . . . . . . . . . . . . . . . .7-29
Link aggregation: Key AIX configuration options . . . . . . . . . . . . . . . . . . . . . . . . . .7-30
Link aggregation: Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-33
Link aggregation: Attributes and status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-35
Link aggregation: Link failure and recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-40
Link aggregation: Dynamic changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-41
Combining link aggregation and gigabit fast failover . . . . . . . . . . . . . . . . . . . . . . .7-42
DNS control file: /etc/named.conf (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-29
Caching-only / forwarder name server (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30
Caching-only / forwarder name server (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32
Creating sub (child) domains (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-33
Creating sub (child) domains (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34
Adding static hosts to the domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35
Adding hosts dynamically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36
Adding hosts dynamically using TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-37
Adding hosts dynamically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38
Client set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39
Client name resolution order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40
Client resolvers (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-42
Client resolvers (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43
Client caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44
netcd example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-46
Administering the named daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-47
Remote name daemon control set up (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-48
Dynamic DNS updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-21
Dynamic DNS update example (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-22
Dynamic DNS update example (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-23
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-24
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-25
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-26
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-27
Unit 10. Network File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-1
Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-2
10.1. NFS versions 2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-3
NFS versions 2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-4
Network File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-5
Connection, state, and locking: NFS v2 and 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-7
Daemons and NFS client server interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-9
Authorization methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10-11
NFS server configuration: Starting and stopping . . . . . . . . . . . . . . . . . . . . . . . . .10-13
viii TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
Cannot reach the destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5
Duplicate IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6
Flow through the TCP/IP stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7
Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11
Network performance: Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12
Network performance: Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14
Tuning network parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15
Changing ISNO parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-24
Changing MTU parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29
Packet analysis: tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31
tcpdump examples (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-32
tcpdump examples (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-33
Packet analysis: iptrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-34
iptrace: Sample packet output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-35
iptrace examples (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-36
iptrace examples (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37
Checkpoint (1 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38
Checkpoint (2 of 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-39
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-40
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-41
UNIX and Korn shell for Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-7
Examples of UNIX emulation tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-9
Microsoft Windows Services for UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-10
Remote graphical access to an AIX partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-11
Example of remote graphical access using Cygwin/X . . . . . . . . . . . . . . . . . . . . . B-12
Virtual Network Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-13
VNC configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-14
VNC over SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-15
Graphical tools for file transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-16
Sharing AIX file systems with Windows (Samba) . . . . . . . . . . . . . . . . . . . . . . . . . B-18
Samba installation and configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-19
Sharing AIX file systems with Windows (SSHFS) . . . . . . . . . . . . . . . . . . . . . . . . B-21
Graphical traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-22
Graphical packet capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-23
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-24
Exercise introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-25
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-26
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X-1
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X-11
Trademarks
The reader should recognize that the following terms, which appear in the content of this
training document, are official trademarks of IBM or other companies:
IBM® is a registered trademark of International Business Machines Corporation.
The following are trademarks of International Business Machines Corporation in the United
States, or other countries, or both:
AFS™ AIX 5L™ AIX 6™
AIX® DB2® GPFS™
HACMP™ Notes® POWER Hypervisor™
Power Systems™ Power® PowerHA®
PowerVM® POWER6® System i®
System p® System x® System z®
Tivoli® 400®
Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the
United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other product and service names might be trademarks of IBM or other companies.
Duration: 4 days
Purpose
This course teaches implementing, using, and troubleshooting TCP/IP on an AIX system. This includes defining multiple interfaces, VLAN aware adapters, multiple routes, aggregated adapters, gigabit fast failover, and controlling ports used for network services. It continues with configuring AIX to participate as client or server in several standard network services; for example: remote command and file transfer services (both traditional and secured), configuring SSH forwarding, DNS (including dynamic updates), time services, DHCP, and NFS (V3 and V4).
This course provides essential networking skills which are important in mastering advanced courses involving provisioning over the network, performance, virtualization, high availability, and clustering. This course is designed specifically for AIX version 7 but is also applicable to previous versions.
Audience
Network administrators or other personnel responsible for the
Prerequisites
using the AIX command line, vi, and SMIT. These skills can be acquired by taking the following courses:
- AN10 AIX Basics
- AN12 Power Systems for AIX II: AIX Implementation and Administration
Objectives
After completing this course, you should be able to:
• Describe the fundamental concepts of TCP/IP, protocols, and addressing
• Configure TCP/IP on AIX
• Configure and use telnet, ftp, rexec, rlogin, rsh, rcp, and dsh
• Configure and use the open secure shell (OpenSSH)
• Connect multiple TCP/IP networks using static and dynamic routing
• Understand the theory of VLANs and how IEEE 802.1Q protocol is used in Power systems
• Configure routing, multipath routing and dead gateway detection (DGD)
• Understand and configure gigabit fast failover and link aggregation or EtherChannel
• Describe Domain Name System (DNS) function
• Configure DNS on AIX
• Describe Dynamic Host Configuration Protocol (DHCP) function
• Configure DHCP on AIX
• Describe Network File System (NFS) function
• Configure NFS versions 3 and 4 on AIX
• Configure the NFS automounter on AIX
• Perform basic troubleshooting of network problems
• IP version 6
• Interoperability with Microsoft Windows platforms
Agenda
Day 1
Welcome
Unit 1: Network concepts
Exercise 1: TCP/IP concepts
Unit 2: Configuring TCP/IP
Exercise 2: Configuring TCP/IP
Unit 3: inetd remote command services
Exercise 3: The inetd daemon and remote command inetd services
Day 2
Unit 4: OpenSSH
Exercise 4: OpenSSH
Unit 5: VLAN theory
Exercise 5: Configuring VLANs
Unit 6: Routing
Exercise 6: Routing
Unit 7: Network availability
Day 3
Unit 9: DHCP
Exercise 9: Configuring a DHCP and dynamic DNS
Day 4
It describes global network concepts, hardware and software components, the layered TCP/IP model, TCP/IP protocols, and IP addressing and defines important terminology associated with TCP/IP.
What you should be able to do
After completing this unit, you should be able to:
• Describe global network concepts
• Define network components
• Describe the following:
- The main TCP/IP protocols
- The TCP/IP layering model
- IP addressing, subnetting, supernetting, and VLSM
• Lab exercises
Unit objectives
• Define network components
• Describe the following:
– The main TCP/IP protocols
– The TCP/IP layering model
– IP addressing, subnetting, supernetting, and VLSM
• Managed using Web browsers, electronic mail, online chat, telephony, file transfer, file sharing, data streaming, and collaborative applications
• Consists of millions of private and public networks
• Linked by copper wires, fiber-optic cables, wireless connections, and other technologies
• Results in a huge amount of online information and shared resources
• Is a super fast highway
Notes:
In the 1970s, the sharing of expensive computing resources, such as mainframes, was causing a bottleneck in the development of new computer science technology, so
For example, the Europe to USA network traffic could increase up to hundreds of gigabits per second depending on the hour of the day.
The responsibility for the architectural design of the Internet software systems has been delegated to the Internet Engineering Task Force (IETF). The IETF conducts standard-setting work groups, open to any individual, about the various aspects of Internet architecture. Resulting discussions and final standards are published in Requests for Comments (RFCs) and are freely available on the IETF web site.
The most prominent component of the Internet model is the Internet Protocol (IP), which provides addressing systems for computers on the Internet and facilitates the internetworking of networks.
Similar to the way commercial Internet providers connect via Internet exchange points, research networks tend to interconnect into large subnetworks.
• Provides Internet access and related services
• Uses a vast array of network hardware
(Figure: enterprise network diagram. Labels: Internet, Finance, Marketing, Building 1, Building 2, Trunk)
Notes:
An enterprise network is both local and wide area in scope. It integrates all the systems within an organization, whether they are Windows computers, Apple Macintosh, UNIX
Computer networking
Layer               Protocol examples                                  Network device examples
Application Layer   HTTP, Telnet, SSH, FTP, SMTP, POP, DHCP, DNS,      Layer 7 switch
                    BOOTP, SNMP, NTP, LDAP
Transport Layer     TCP, UDP                                           Firewall
Internet Layer      IPv4, IPv6, ICMP, IPSec                            Router, Layer 3 switch
Link Layer          ARP, NDP, CDP                                      Switch, Bridge, NIC
Notes:
The TCP/IP protocol suite consists of many different protocols, which are described in many thousands of RFCs. Most of these protocols and RFCs are either application specific (such as RFC 959, which describes the FTP protocol) or describe how data should be transferred over a specific architecture (such as RFC 894, which describes IP over Ethernet). For now, it is important to understand the working and interdependency of only a few core protocols. Since these protocols are built on top of each other, where one protocol uses another protocol to get things done, the interdependency is just as important as understanding each protocol independently.
From top to bottom we find the following protocols:
• Applications use either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP) to transmit their data. Both TCP and UDP deliver the data to the right process and make use of IP to arrange delivery to the right host. The difference between UDP and TCP is that TCP implements a mechanism of acknowledgments, whereby reliability can be guaranteed. UDP does not have such a mechanism, making UDP less reliable.
• The Internet layer is responsible for end-to-end (source to destination) packet delivery including routing through intermediate hosts. Internet control message protocol (ICMP) messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. The IPsec protocol is responsible for securing Internet protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
• The network interface is the protocol layer which transfers data between hosts. In order to do this a physical medium, such as copper or fiber, is required. Hence, the network interface and physical layers are closely related.
Common network devices
• Repeater. A repeater is an electronic device that receives a signal and retransmits it at a higher level and a higher power so that the signal can cover longer distances without degradation. Because repeaters work with the actual physical signal and do not attempt to interpret the data being transmitted, they operate on the Physical layer, which is the first layer of the OSI model.
• Network Interface Card (NIC). A NIC is a LAN adapter which is designed to allow computers to communicate over a computer network. It is both a layer 1 (physical layer) and layer 2 (data link layer) device because it provides physical access to a networking medium and provides a low-level addressing system through the use of MAC addresses.
• Bridge. A bridge is a hardware device for linking two networks that work with the same protocol. Unlike a repeater, which works at the physical level, a bridge works at the logical level (on layer 2), which means it can filter frames so that it only lets past data whose destination address corresponds to a machine located on the other side of the bridge.
• Switch. A network switch is a device that connects network segments. The term commonly refers to a network bridge that processes and routes data at the Data link layer (layer 2) of the OSI model.
- Layer 3. Switches that additionally process data at the network layer (layer 3 and application layer of the OSI model), can redirect data based on advanced application data contained in the data packets, for example, an awareness of the type of the file being sent by FTP. For this reason, a layer 7 switch can be used for load balancing by routing the incoming data flow to servers which have a lower load or are responding more quickly.
• Before the final frame is built, the data is passed through the following protocol layers:
– The application layer: data
– The transport layer: package and multiplex data for multiple applications
– The Internet layer: addresses
– The link layer: post to the transmission media
– The physical layer: network
Notes:
The Internet Protocol Suite (commonly known as TCP/IP) is the set of communications
protocols used for the Internet and other similar networks. It is named from two of the most
important protocols in it: the Transmission Control Protocol (TCP) and the Internet Protocol
(IP).
Each layer is a group of methods and protocols which provides a service and adds the
corresponding transmission data to the packet.
TCP/IP layering resembles a logistics workflow: processes and tasks are executed at each
layer of the suite. Each layer and its function is described in the following slides.
The link layer is the lowest layer in the Internet Protocol Suite.
The physical layer consists of the basic hardware transmission technologies of a network.
It is a fundamental layer underlying the logical data structures of the higher level functions.
The physical layer defines the means of transmitting raw bits rather than logical data
packets over a physical link connecting network nodes.
1-8 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
• Each layer adds the corresponding transmission data to the packet to
complete the frame.
Figure: data encapsulation through the layers
– Application layer: Data
– Transport layer: TCP/UDP header + Data (segment)
– Internet layer: IP header + Data (datagram)
– Link layer: Frame header + Data + Frame footer (frame)
Notes:
• Layer 4: Transport layer. The TCP segment carries the source and destination port
numbers and the payload or data.
• Layer 2: Link layer. The frame starts with a preamble. The preamble alerts and
synchronizes the network interface card (NIC) to the incoming data. The frame footer
contains the frame check sequence. This provides a cyclic redundancy check (CRC) on
all data held in the frame. CRC is an error detection mechanism generated by the NICs.
The source NIC generates a 32 bit CRC figure from the address, type, and data fields.
The destination NIC does the same calculation. If the destination NIC calculates the
same figure for the CRC as the source, the frame was received error-free. Note that the
CRC only detects accidental corruption: anyone able to alter a frame in transit can
recompute a matching CRC, so it provides no protection against tampering.
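As an added example (not part of the course material), the following Python builds an Ethernet II frame, appends the 32-bit frame check sequence described above and verifies it the way a receiving NIC does. The CRC is implemented from the IEEE 802.3 polynomial rather than taken from a library so the mechanism is visible. The MAC addresses, EtherType and payload are constructed for illustration.

```python
"""Build an Ethernet II frame, append the frame check sequence (FCS) and
verify it on receipt, as the NIC does. Added example; all data is constructed."""
import struct

# CRC-32 as used by IEEE 802.3: reflected polynomial 0xEDB88320,
# initial value 0xFFFFFFFF, final XOR 0xFFFFFFFF, built as a 256-entry table.
_CRC_TABLE = []
for byte in range(256):
    crc = byte
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    _CRC_TABLE.append(crc)


def crc32_802(data: bytes) -> int:
    """Compute the 32-bit CRC over the address, type and data fields."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def mac(addr: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(addr.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst MAC, src MAC, 2-byte type, payload padded to the
    46-byte minimum, then the FCS (least significant byte first on the wire)."""
    if len(payload) < 46:
        payload = payload + b"\x00" * (46 - len(payload))
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", crc32_802(body))


def check_frame(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over everything but the trailing FCS
    and compare. Only accidental corruption is detected; whoever can modify
    the frame can also recompute a valid FCS."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == crc32_802(body)


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate a transmission error."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # constructed sample: an IPv4 (0x0800) frame between two made-up MACs
    f = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800,
                    b"IP datagram goes here")
    print(len(f), check_frame(f), check_frame(corrupt(f, 20)))
```

The one-bit corruption at offset 20 lands in the padded payload, so the receiver's recomputed CRC no longer matches and the frame would be discarded by the NIC before the IP layer ever sees it.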
• Essentially, two transport models exist:
– Transmission Control Protocol (TCP)
– User Datagram Protocol (UDP)
• A port identifies the application on the host.
– Server side ports are well known and fixed in the range 0 to 1023.
• Stored in /etc/services
• For example, ftp uses port 21 and is registered for both TCP and UDP:
# grep "^ftp .*]$" /etc/services
ftp             21/tcp          # File Transfer [Control]
ftp             21/udp          # File Transfer [Control]
Notes:
The transport layer provides transparent transfer of data between end systems using the
services of the network (IP) layer. The transport layer multiplexes data from different
application processes. Both transport protocols use ports. Ports are essentially
ways to address multiple entities in the same location. For example, the first line of a postal
address is a kind of port and distinguishes between different occupants of the same house.
Computer applications each listen for information on their own ports, which is why you
can use more than one network-based application at the same time.
Essentially, two transport models exist:
• TCP is used for many protocols, including Web browsing and email.
• UDP is used for multicasting and broadcasting, since acknowledgements and
retransmissions from a large number of hosts are not practical.
Each application is officially assigned a port number. A server process listens on its
assigned port for incoming packets; replies are sent back to the source port of the request.
Processes can bind to multiple ports, and well known ports are in the range 0 to 1023. On
AIX, as on other UNIX systems, binding to a port below 1024 requires root privileges.
– Provides reliability, flow control, and error recovery
• Every byte transmitted must be acknowledged (acknowledgements are cumulative)
• Receiver indicates to the sender the number of bytes it can receive without
buffer overflow (the window)
• Missing segments are retransmitted
– Full duplex
Figure: in the kernel, the transport layer splits the application data into TCP segments of
at most MSS bytes, each carrying its own TCP header.
Notes:
TCP offers a connection-oriented interface to IP, which means that, if applications use TCP,
reliable, in-order data transfer is provided. If IP packets are lost, duplicated, or arrive out of
order, the TCP protocol will take all necessary actions to correct this and deliver the data to
the application in exactly the same way it was sent.
This makes TCP the suitable protocol for all applications that require unicast (one-to-one)
reliable communications. Examples of these applications include Web servers, telnet, and
ftp. Among other things, TCP takes care of:
• Connection setup: check whether the other party is alive and able and willing to receive
data on a certain port.
• Out-of-sequence arrival of packets.
• Duplicate arrival of packets.
This reliability is aimed at network errors, not at an attacker: the TCP checksum and
sequence numbers are not authentication, so anyone on the path can inject or alter
segments unless a higher layer (such as TLS or IPsec) protects the data.
The MSS is only negotiated at the start of the connection and remains in force for the life of
the connection. The purpose of this negotiation is to avoid fragmentation at the IP layer. At
the same time, we want to use the largest segment size possible. Since there is overhead
for each TCP segment, the largest segment size possible should be used, as long as there
is no IP fragmentation.
– Does not assure datagram delivery or duplication protection
– No reliability, error recovery, or flow control
– Typically provides higher throughput and shorter latency
Figure: in the kernel, the transport layer prepends a UDP header to the application data to
form one datagram. IP must fit the datagram to the link MTU; a datagram larger than the
MTU is split into fragments (fragment 1 carries the UDP header and the first part of the
data, fragment 2 only data), and each fragment is sent in its own link layer frame with a
frame checksum.
MTU: maximum transmission unit
Notes:
The UDP protocol is nothing more than a simple interface to IP with the addition of the
ports concept. As with IP, UDP does not guarantee packet delivery or duplication
protection.
At first glance, this seems senseless. Which application is going to accept the loss of its
data? However, there are a few applications that benefit from this:
• Applications that use broadcasts or multicasts. If you talk to ten, twenty, a hundred, or
more systems at once (for example, when doing Internet radio broadcasts), you
probably cannot or will not want to handle the complexities of every system reporting
back to you which packet they did or did not receive, or of resending all the packets that
were lost. In such situations, if a packet is lost, nothing is done because nothing can
reasonably be done about it.
• Another reason for using UDP when streaming radio or video is that time goes on. If a
packet is lost and you want to resend it, you have to interrupt the stream momentarily
and can only continue when the packet has been resent. This might take a few
seconds, and during that time the user is staring at a blank screen. It is more likely that
the user, in case of a lost packet, will accept a little static on his or her screen for a few
milliseconds.
• The third reason why an application might want to use UDP is the low overhead of UDP.
This is really important where performance is critical, and the chance of data loss is low
and can be handled.
If the data being transmitted is greater than the size of the maximum transmission unit,
then it is fragmented into smaller chunks. Fragmentation degrades network performance
as the packets have to be reassembled on the other side. It also complicates filtering:
only the first fragment carries the UDP header with the port numbers, so a packet filter
that matches on ports cannot classify the remaining fragments without reassembling them.
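The MSS and fragmentation arithmetic from the TCP and UDP notes above, as an added example that is not part of the course: given a link MTU it derives the TCP MSS, splits a byte stream into segments, and fragments a UDP datagram the way IP does, recording which fragment still carries the transport header. An Ethernet MTU of 1500 and option-free 20-byte IP and TCP headers are the assumptions.

```python
"""MSS derivation, TCP segmentation and IPv4 fragmentation of a UDP datagram.
Added example with constructed sizes (MTU 1500, headers without options)."""
from dataclasses import dataclass
from typing import List

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options
UDP_HDR = 8   # UDP header is always 8 bytes


def tcp_mss(mtu: int) -> int:
    """MSS a host advertises so that a full segment fits the link MTU
    without IP fragmentation: MTU minus the IP and TCP headers."""
    return mtu - IP_HDR - TCP_HDR


def tcp_segments(data_len: int, mss: int) -> List[int]:
    """Split a byte stream into segment payload sizes of at most MSS bytes."""
    return [min(mss, data_len - off) for off in range(0, data_len, mss)]


@dataclass
class Fragment:
    offset: int          # fragment offset field, in 8-byte units
    length: int          # payload bytes carried by this fragment
    more: bool           # MF (more fragments) flag
    has_l4_header: bool  # only the first fragment carries the UDP/TCP header


def ip_fragments(payload_len: int, mtu: int) -> List[Fragment]:
    """Fragment one IP payload (for UDP: header + data) for a link MTU.
    Every fragment but the last must carry a multiple of 8 payload bytes,
    because the offset field counts in 8-byte units."""
    max_payload = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        length = min(max_payload, payload_len - off)
        more = off + length < payload_len
        frags.append(Fragment(off // 8, length, more, has_l4_header=(off == 0)))
        off += length
    return frags


def udp_fragments(data_len: int, mtu: int) -> List[Fragment]:
    """Fragments produced for a UDP datagram carrying data_len bytes of data."""
    return ip_fragments(UDP_HDR + data_len, mtu)


if __name__ == "__main__":
    print(tcp_mss(1500))                       # 1460
    print(tcp_segments(4000, tcp_mss(1500)))   # [1460, 1460, 1080]
    for frag in udp_fragments(2992, 1500):     # 3000-byte datagram -> 3 fragments
        print(frag)
```

For the 3000-byte datagram (8-byte header plus 2992 bytes of data) only the fragment at offset 0 has has_l4_header set; the fragments at offsets 185 and 370 contain nothing a stateless port filter can match on, which is why such filters either reassemble or drop non-initial fragments.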
Sockets
• A pair of sockets defines a unique application network
connection.
– Can be listed using the netstat -a command
# netstat -a | grep ftp
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  nimmaster.41395    grumpy.ftp         ESTABLISHED
udp        0      0  *.tftp             *.*
Notes:
A socket is the software structure created by the application process which consists of a
combination of a port number, transport layer protocol (TCP or UDP), and an IP address.
A server creates a separate socket for each client. These sockets share the same local
socket address and have different remote socket addresses. For example, port 80 of an
HTTP server can serve multiple HTTP clients; the server creates a socket for each client.
A communicating local and remote socket are called a socket pair, and this defines a
unique application network connection.
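An added example, not from the course: the script below parses lines in /etc/services format and netstat -a output (both constructed here in the format the slide shows, with extra ssh and http entries assumed for illustration) to produce an inventory of sockets that accept unsolicited traffic. That inventory is the first step in reviewing what a host exposes to the network; established connections such as the ftp session above are deliberately left out.

```python
"""Inventory listening sockets from netstat -a output, labelling ports through
/etc/services. Added example; both samples are constructed, not captured."""
from typing import Dict, List, NamedTuple, Tuple

SERVICES_SAMPLE = """\
# constructed excerpt in /etc/services format
ftp     21/tcp          # File Transfer [Control]
ftp     21/udp          # File Transfer [Control]
ssh     22/tcp          # SSH Remote Login Protocol
tftp    69/udp          # Trivial File Transfer
http    80/tcp  www     # World Wide Web HTTP
"""

NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp        0      0  nimmaster.41395        grumpy.ftp             ESTABLISHED
tcp4       0      0  *.http                 *.*                    LISTEN
udp4       0      0  *.tftp                 *.*
"""


def parse_services(text: str) -> Tuple[Dict[Tuple[str, str], int], Dict[Tuple[int, str], str]]:
    """Return (name_or_alias, proto) -> port and (port, proto) -> name maps."""
    by_name, by_port = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port_str, proto = fields[1].split("/")
        port = int(port_str)
        by_port.setdefault((port, proto), fields[0])
        for alias in [fields[0]] + fields[2:]:
            by_name[(alias, proto)] = port
    return by_name, by_port


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    service: str
    all_interfaces: bool   # bound to *, so reachable on every interface


def split_addr(addr: str) -> Tuple[str, str]:
    """netstat prints host.port; the port (name or number) follows the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def listening_sockets(netstat_text: str,
                      by_name: Dict[Tuple[str, str], int],
                      by_port: Dict[Tuple[int, str], str]) -> List[Listener]:
    """Sockets that accept unsolicited traffic: TCP sockets in LISTEN state and
    every UDP socket (UDP has no connection state). Other lines are skipped."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        if port.isdigit():
            port_num = int(port)
            name = by_port.get((port_num, proto), "unknown")
        else:
            name = port
            port_num = by_name.get((port, proto), -1)
        found.append(Listener(proto, host, port_num, name, host == "*"))
    return found


if __name__ == "__main__":
    names, ports = parse_services(SERVICES_SAMPLE)
    for sock in listening_sockets(NETSTAT_SAMPLE, names, ports):
        print(sock)
```

On a real system the same logic runs over the actual /etc/services file and the output of netstat -a; any listener bound to * that is not on the host's approved service list is a candidate for disabling in /etc/rc.tcpip or /etc/inetd.conf.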
• The IP layer provides the following functions:
– Transmission of outgoing packets to the data link layer for delivery to the
destination host or gateway, and of incoming packets to the transport layer
– Error detection and diagnostics
• The Internet layer is not responsible for reliable transmission.
– Reliability of service is provided by higher level protocols, such as the
Transmission Control Protocol (TCP) in the transport layer
Notes:
The IP protocol is the packet delivery protocol of the TCP/IP protocol suite. It is comparable
to the Postal Service in that it delivers the packet independent of the physical infrastructure.
IP uses a best-effort approach. It tries to deliver the data to the destination, but in order to
be efficient it does not make any guarantees as to if and when the data will arrive. It might
well be that different packets that make up a connection will take a different route and will
arrive in the wrong order, duplicated, or not at all. It is up to the higher layer protocol to
correct this or not.
The routing of IP packets is based on a so-called "IP address" which can be compared to a
zip code. At every hop, this IP address is read, a routing table is consulted, and the packet
is sent to the next hop, where again a routing table is consulted. These routing tables are
important, since a wrong routing table somewhere will mean that packets are not sent to
the destination via the shortest route but will either take a detour or not arrive at all. In fact,
incorrect routing tables might actually cause a packet to circle through a network
indefinitely (or rather until its time-to-live (TTL) hop count reaches zero and it is discarded).
Routing has its own unit later in this course. The IP protocol offers the following additional
features as well:
• If a packet is too large for a link that it has to pass through, then the packet can be
fragmented into multiple, smaller packets that are sent individually to the destination.
At the destination, the fragments are reassembled.
• Each IP packet can have a priority indication which identifies the type of service that is
needed: low latency, high bandwidth, low cost, or maximum reliability. Unfortunately,
this priority mechanism is not often implemented. All packets often use the same
path to a destination, regardless of their requested type of service, and are transmitted
on a first-come, first-served basis.
• The IP protocol offers a broadcast capability, using a specially formed IP address. This
allows you to send an IP packet to all systems on the local network (LAN).
IP addressing
• An IP address is a numerical, logical address that identifies a device's connection
to a network.
• IP version 4 uses four byte addresses which are presented in
dotted decimal notation (for example: 80.1.205.104).
• Each packet has both a source and a destination IP address.
– Destination IP address used to forward packets to their correct
destination
– Source address provided to support acknowledgements and replies
Notes:
An Internet Protocol (IP) address is a numerical identification and logical address that is
assigned to devices participating in a computer network utilizing the Internet Protocol.
IP addresses are stored as binary numbers. They are usually displayed in human-readable
notation, for example: 80.1.205.104.
• The subnet mask separates the network identification from the host identification:
IP address   10000001 00100001 10010111 00000111   129.33.151.7
Subnet mask  11111111 11111111 00000000 00000000   255.255.0.0 (/16)
             |- network identification -| |-- host identification --|
– The subnet mask = 255.255.0.0
– The network address = 129.33.0.0
– The broadcast address = 129.33.255.255
– The first host on the network = 129.33.0.1
– The last host on the network = 129.33.255.254
• The alternative CIDR notation specifies the number of network bits:
– The network address = 129.33.0.0/16
Notes:
In order to be able to deliver the IP packet to the correct destination host, every host needs
an IP address. These IP addresses are 32-bit values and have to be unique. In most cases,
the IP address is not written in its binary form but in the so-called decimal dot notation,
where the 32 bits are grouped into four groups of eight bits each, and each group of eight
bits is written as a decimal number. The subnet mask separates the address of the
network (network ID) from the host identification (host ID). Each bit with a 1 value in
the mask's 32 bit string identifies that the corresponding bit position in the IP address is
part of the network ID. A value of 255 in a dotted decimal octet indicates that the entire
matching octet in the IP address is part of the network ID.
Several addresses and address ranges are reserved for special purposes. The most
important ones are listed here:
• The IP address 127.0.0.1 (in fact, the whole 127.0.0.0/8 network) is reserved for the
loopback address. Hosts use the loopback address to send messages to themselves;
traffic to it never leaves the host. A daemon that only needs local clients should bind to
it rather than to all interfaces.
• Any IP address with the host part all zeros, such as 129.33.0.0, is reserved as an
identification for the network itself. It is not a valid IP address to be assigned to a host.
• Any IP address with the host part all ones, such as 129.33.255.255, is reserved as
the local broadcast address. Data sent to this address is delivered to all systems on the
local network.
It is valuable to know how many bits are needed in the host portion of the mask to support
a given number of hosts in the subnet. To assist with this, following is a table of the decimal
values for powers of 2.
Power of 2    Decimal value
    0                     1
    1                     2
    2                     4
    3                     8
    4                    16
    5                    32
    6                    64
    7                   128
    8                   256
    9                   512
   10                 1,024
   11                 2,048
   12                 4,096
   13                 8,192
   14                16,384
   15                32,768
   16                65,536
   17               131,072
   18               262,144
   19               524,288
   20             1,048,576
   21             2,097,152
   22             4,194,304
   23             8,388,608
• The original (classful) address classes:
Class   Default mask          First octet   Networks       Hosts per network
A       255.0.0.0 (/8)        1-127         128            16.7 million
B       255.255.0.0 (/16)     128-191       16384          65534
C       255.255.255.0 (/24)   192-223       2.1 million    254
• Network assignment is managed by the IANA (Internet
Assigned Numbers Authority) through the regional registries and ISPs.
– Network addresses are generally either broken up and assigned to
physical networks (subnetting) or aggregated together (supernetting).
– This is achieved by manipulating the subnet mask.
Notes:
IP addresses need to be assigned in such a fashion that they are unique across the whole
Internet. That is why there is a special organization that does this. This is the Internet
Assigned Numbers Authority, or IANA for short. They are responsible for assigning groups
of addresses (called classes) to organizations. They do not do this directly but delegate
the assignment through the regional registries and ISPs.
In addition to classes A to C, there are also classes D and E. Class D addresses are
reserved for multicasting. (Multicasting is a limited area type of broadcasting.) There is no
network or host portion in a multicast address. It is an integer number registered with the
InterNIC that identifies a group of machines. Class E is for experimental use only.
Class A and B addresses contain lots of hosts and therefore need to be broken down into
smaller more manageable chunks. This is achieved through a process known as
subnetting. On the other hand, class C addresses contain very few hosts, which can also
be subnetted into smaller chunks but very often need to be aggregated together to form
larger networks. This is achieved through a process known as supernetting. Since the
introduction of classless inter-domain routing (CIDR), routers and address registries work
with prefix lengths rather than classes; the classes remain useful mainly as a way of
explaining the default masks.
Subnetting example
• Borrowing 7 bits from the host identification of the class B network 129.33.0.0:
Network address  10000001 00100001 0000000 0 00000000   129.33.0.0
Subnet mask      11111111 11111111 1111111 0 00000000   255.255.254.0 (/23)
                 network identification | subnet bits (assigned by this organization to the network) | host identification
Notes:
The default subnet mask for a class B network is 255.255.0.0. This translates to one
network with (2^16)-2 = 65534 hosts. Organizations with class A and B addresses
often have hundreds, if not thousands, of physical networks split across both local and
geographically dispersed locations. The only way to do this is to split the network address
into more manageable chunks. This is achieved by borrowing bits from the host ID and
using them for the network. Using 7 bits from the host ID allows for 2^7 = 128 physical
networks. On each of the 128 networks there can be (2^9)-2 = 510 hosts. We have to
subtract two from the number of hosts because all 0's are reserved for the network and all
1's for the broadcast address.
Supernetting example
• Aggregating four contiguous class C networks into one larger network.
Network address  11011110 10110100 011011 00 00000000   222.180.108.0
Subnet mask      11111111 11111111 111111 00 00000000   255.255.252.0 (/22)
                 |------ network identification -----| |-- host identification --|
Notes:
Having four class C addresses equates to four physical networks, each with up to 254
hosts. Each network would require a router to route packets between them. Supernetting is
the opposite of subnetting and borrows bits from the network portion of the IP address. In
the example, we have borrowed two bits, changing the subnet mask from 255.255.255.0 to
255.255.252.0. The result is that networks 222.180.109.0, 222.180.110.0, and 222.180.111.0
have become part of the 222.180.108.0 network. The 222.180.108.0/22 network can have
up to (2^10)-2 = 1022 hosts.
• Subnetting has one big disadvantage. It breaks down the network into
equally sized subnets.
• Variable length subnet masking (VLSM) was developed to allow the
network to be broken up into subnets of unequal size.
• Take the previous class C example:
– 222.180.108.0/24 provides 254 hosts
• Let's subdivide the network into six subnets:
– Subnet 1 = 126 hosts (/25)
– Subnet 2 = 62 hosts (/26)
– Subnet 3 = 14 hosts (/28)
– Subnet 4 = 14 hosts (/28)
– Subnet 5 = 14 hosts (/28)
– Subnet 6 = 14 hosts (/28)
Notes:
The main weakness of conventional subnetting is that the subnet ID represents only one
additional hierarchical level in how IP addresses are interpreted. The subnet ID is the same
length throughout the network, so it is not possible to define a different number of hosts in
the subnetworks. This is inefficient even in small networks and can result in the need to use
extra addressing blocks while wasting many of the addresses in each block.
The solution is an enhancement to the basic subnet addressing method called variable
length subnet masking (VLSM). It allows subnets of different sizes, so you can selectively
cut the IP address pie so that some of the slices are bigger than others.
VLSM does an initial subnetting of the network into large subnets, and then further breaks
down one or more of the subnets as required. You add bits to the subnet mask for each of
the sub-subnets and sub-sub-subnets to reflect their smaller size.
First division: split 222.180.108.0/24 into two /25 subnetworks
222.180.108.0/25 (subnet 1)
222.180.108.128/25
Second division: split 222.180.108.128/25 into two /26 subnetworks
222.180.108.128/26 (subnet 2)
222.180.108.192/26
Third division: split 222.180.108.192/26 into four /28 subnetworks
222.180.108.192/28 (subnet 3)
222.180.108.208/28 (subnet 4)
222.180.108.224/28 (subnet 5)
222.180.108.240/28 (subnet 6)
Notes:
Using the example shown on the previous page, we can now see how everything fits using
VLSM. We start with our class C network: 222.180.108.0/24. We then do three subnettings
as follows:
• The first step is to do an initial subnetting by using one bit for the subnet ID, leaving us
7 bits for the host ID. This gives us two subnets: 222.180.108.0/25 and
222.180.108.128/25. Each of these can have a maximum of 126 hosts. We set aside
222.180.108.0/25 as subnet 1.
• The second step splits 222.180.108.128/25 with one more bit, giving
222.180.108.128/26 (subnet 2, 62 hosts) and 222.180.108.192/26.
• The third step splits 222.180.108.192/26 with two more bits into four /28 subnets of 14
hosts each (subnets 3 to 6).
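The following Python, added here as a worked example rather than course material, carries out the mask arithmetic of the subnetting, supernetting and VLSM slides above with plain bit operations instead of the ipaddress module, so the mechanics the slides describe are visible. It reproduces the 129.33.151.7/16 figures, the /23 and /22 host counts, and derives the six VLSM subnets from the host counts alone. It also rejects a mask whose 1 bits are not contiguous, a mistake the slides' binary notation makes easy to spot but a configuration tool may not.

```python
"""Subnet, supernet and VLSM arithmetic with explicit bit operations.
Added example; the addresses are those used on the slides."""
import math
from typing import Dict, List, Tuple


def ip_to_int(dotted: str) -> int:
    """'129.33.151.7' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/16 -> 0xFFFF0000: the top `prefix` bits are network bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted: str) -> int:
    """255.255.254.0 -> 23; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask_dotted)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError("mask bits are not contiguous")
    return prefix


def subnet_info(addr: str, prefix: int) -> Dict[str, object]:
    """Mask, network, broadcast, first/last usable host and host count."""
    mask = prefix_to_mask(prefix)
    net = ip_to_int(addr) & mask              # host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)        # host bits set
    hosts = max(2 ** (32 - prefix) - 2, 0)    # minus network and broadcast
    return {
        "mask": int_to_ip(mask),
        "network": f"{int_to_ip(net)}/{prefix}",
        "broadcast": int_to_ip(bcast),
        "first_host": int_to_ip(net + 1) if hosts else None,
        "last_host": int_to_ip(bcast - 1) if hosts else None,
        "hosts": hosts,
    }


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix that still leaves room for `hosts` usable addresses
    plus the all-zeros network and all-ones broadcast addresses."""
    return 32 - math.ceil(math.log2(hosts + 2))


def vlsm_plan(network: str, prefix: int, host_counts: List[int]) -> List[Tuple[str, int]]:
    """Allocate one subnet per requested host count inside network/prefix.
    Largest requests go first so each block starts on its natural boundary;
    raises ValueError if the requests do not fit."""
    base = ip_to_int(network) & prefix_to_mask(prefix)
    end = base + 2 ** (32 - prefix)
    cursor, plan = base, []
    for hosts in sorted(host_counts, reverse=True):
        p = prefix_for_hosts(hosts)
        size = 2 ** (32 - p)
        cursor = (cursor + size - 1) // size * size   # align to the block size
        if cursor + size > end:
            raise ValueError(f"no room for a subnet of {hosts} hosts")
        plan.append((f"{int_to_ip(cursor)}/{p}", size - 2))
        cursor += size
    return plan


if __name__ == "__main__":
    print(subnet_info("129.33.151.7", 16))
    print(subnet_info("222.180.108.0", 22)["hosts"])        # 1022
    for block, usable in vlsm_plan("222.180.108.0", 24, [126, 62, 14, 14, 14, 14]):
        print(block, usable)
```

Asking vlsm_plan for a 64-host subnet instead of 62 yields a /25, not a /26: 64 hosts plus the network and broadcast addresses need 66 addresses, which do not fit in a 64-address block. That is the arithmetic behind the 62-host figure for subnet 2.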
Modifications to IP addressing
• Firewall
– A list defines which IP addresses, protocols, and ports
are allowed or blocked.
• IP address translation
– Network Address Translator (NAT) acts as an intermediary agent.
• The (real) originating IP addresses of the private network are hidden from the
public network.
– Multiple hosts appear to share the same IP address on the external network.
– Only the outside interface of the NAT device needs to have a routable address.
• Just as a company telephone number can have multiple specific extensions for
internal services.
Notes:
Firewall
A firewall controls access to private networks based on the public IP address of the
client. Access control filter lists are defined by the network administrator and can allow
or restrict traffic based upon IP addresses, protocols, and ports.
NAT
In order to increase network security, the real originating IP addresses can be hidden
from the external systems receiving the request. A NAT device, typically a
router/firewall, hides the addresses of the private network behind its own. Only the
outside interface of the NAT device needs to have an Internet-routable address. NAT is
not a substitute for filtering: it hides internal addresses but does not by itself decide
which traffic is allowed.
IP routing
• IP routing is the process of making packet forwarding
decisions across IP connected networks.
• The following devices are capable of IP routing:
– Routers, gateways, firewalls, and layer 3 or higher switches
– Hosts with multiple network cards
• The routing process directs IP packets based on routing tables.
– Small networks: static routing with manually configured routing tables
– Large networks: dynamic routing protocols which permanently update routing
tables
• Routing schemes differ in their delivery: unicast, broadcast, multicast,
and anycast.
Notes:
Routing is the process of selecting paths in a network along which to send network traffic.
The routing process forwards IP packets based on routing tables which contain a list of
routes to network destinations. These routing tables are stored in the memory of the routing
devices. Multiple or alternative paths can be defined towards the same destination. Small
networks typically use static routing with manually configured tables, while large
networks involve dynamic routing using routing protocols such as Open Shortest Path First
(OSPF).
Routing schemes differ in their delivery semantics: unicast (one destination), broadcast
(all hosts on the local network), multicast (a group of hosts), and anycast (the nearest of
several hosts sharing an address).
• The link layer handles Media Access Control (MAC) addressing and VLAN
switching (packet switching).
• Each link layer implementation has its own method of
addressing, for example:
– All Ethernet adapters have a unique identifier called the Media Access
Control (MAC) address which corresponds to the physical address of
the device.
– Ethernet uses the Address Resolution Protocol (ARP) to resolve IP
addresses to data link addresses.
Notes:
The link layer is the lowest layer in the Internet Protocol Suite.
It is the group of methods or protocols that only operate on a host's link. The link is the
physical and logical network component used to interconnect hosts or nodes in the
network.
A link protocol is a suite of methods and standards that operate only between adjacent
network nodes of a local area network segment or a wide area network connection.
The core protocols specified in this layer are the Address Resolution Protocol (ARP) and its
cousin, the Reverse Address Resolution Protocol (RARP).
The link layer also contains hardware specific interface methods such as Ethernet.
• ARP (Address Resolution Protocol) finds the MAC address that belongs to the IP address
of a remote host.
– ARP operates only on the local area network.
• ARP is invoked automatically by IP if the destination MAC address is
unknown.
– When the MAC address of a remote host is not listed in the ARP table, ARP
sends a broadcast packet such as "Who is 9.143.22.166?".
– Only the destination host answers and sends back a packet containing its
MAC address.
– ARP tables on both source and destination hosts are updated.
• Inverse ARP and reverse ARP are protocols used to obtain the IP
address from the MAC address.
• Gratuitous ARP is an ARP broadcast update message to the network.
– Typically used in high availability when an application address is moved from
adapter to adapter.
Notes:
Address Resolution Protocol (ARP) is the method for finding the MAC address of a host
when only its IP address is known. ARP is responsible for converting unique IP addresses
to MAC addresses.
It can be used to resolve many different network layer protocol addresses to interface
hardware addresses, not only IP to MAC address correspondence. ARP is a link layer
protocol and only operates on the local area network or point to point link.
ARP uses the broadcast facility of networks to discover the hardware (physical) address.
The operation is transparent to users and administrators.
When data is to be sent to the network, the destination MAC address is determined from
the ARP table. If there is no destination MAC address in the ARP table, ARP on your
system obtains the address by broadcasting a request. The address of the destination is
stored into the ARP table. Entries in the ARP table are normally discarded if they have not
been used for 20 minutes. This default timeout can be changed using the no command; the
tunable parameter is arpt_killc.
ARP has no authentication: any host on the LAN can answer a request, or send an
unsolicited reply, for an IP address it does not own, and the receiving host will update its
ARP table. This is the basis of ARP spoofing (cache poisoning), so a sudden change of the
MAC address associated with an IP address is worth investigating unless a known address
move (such as a high availability takeover) explains it.
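Added example (not from the course): the Python below encodes and decodes ARP packets for the exchange described above, recognizes a gratuitous ARP, and flags the cache poisoning that ARP's lack of authentication permits by watching for an IP address whose MAC changes across replies. 9.143.22.166 is the address from the slide; every MAC address and the other IP addresses are constructed.

```python
"""ARP over Ethernet (RFC 826): build, parse, classify and watch for spoofing.
Added example; all frames below are constructed, not captured."""
import struct
from typing import Dict, List, NamedTuple, Optional

ETH_P_ARP = 0x0806
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Arp(NamedTuple):
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet header + 28-byte ARP body. A request is broadcast
    ("Who is target_ip?"); a reply is sent unicast to the requester."""
    eth_dst = BROADCAST if op == OP_REQUEST else target_mac
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IPV4, 6, 4, op)
    body += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + body


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Return the ARP fields, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        return None
    f = frame[22:42]
    return Arp(op, _fmt_mac(f[0:6]), ".".join(map(str, f[6:10])),
               _fmt_mac(f[10:16]), ".".join(map(str, f[16:20])))


def is_gratuitous(a: Arp) -> bool:
    """Gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return a.sender_ip == a.target_ip


def detect_poisoning(packets: List[Arp]) -> List[str]:
    """Maintain an ARP table from observed replies and report every IP whose
    MAC changes. Legitimate after a planned address move; otherwise the
    classic sign of spoofing, since any host may answer for any IP."""
    table: Dict[str, str] = {}
    alerts = []
    for a in packets:
        if a.op != OP_REPLY:
            continue
        known = table.get(a.sender_ip)
        if known and known != a.sender_mac:
            alerts.append(f"{a.sender_ip} moved from {known} to {a.sender_mac}")
        table[a.sender_ip] = a.sender_mac
    return alerts


if __name__ == "__main__":
    req = build_arp(OP_REQUEST, "00:11:22:33:44:55", "9.143.22.10",
                    "00:00:00:00:00:00", "9.143.22.166")
    rep = build_arp(OP_REPLY, "aa:bb:cc:dd:ee:ff", "9.143.22.166",
                    "00:11:22:33:44:55", "9.143.22.10")
    forged = build_arp(OP_REPLY, "de:ad:be:ef:00:01", "9.143.22.166",
                       "00:11:22:33:44:55", "9.143.22.10")
    print(detect_poisoning([parse_arp(req), parse_arp(rep), parse_arp(forged)]))
```

The forged reply is indistinguishable on the wire from the genuine one except for its sender MAC; nothing in the protocol lets the requester tell which is authentic, which is why the detector can only report the change and leave the judgement to the administrator.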
Ethernet frame
• The Ethernet frame carries the IP datagram:
– The data field contains the IP datagram.
– The frame contains source and destination MAC addresses; the IP
addresses and port numbers are inside the IP datagram it carries.
• Ethernet is a technology based on a set of physical
components (adapters, connectors, cabling, and repeaters)
and technical rules (number of hosts, distance, and speed).
Figure: Ethernet frame
Notes:
Today, Ethernet is the de-facto standard of LAN technology, replacing older style Token
Ring and FDDI networks. Ethernet forms part of both the data link layer (standardized as
IEEE 802.3) and physical layer (RJ45/copper or long/short range, single/multi-mode fiber
cabling). Further details on Ethernet are provided in the next unit.
Figure: Marie's workstation (Web browser, HTTP client) in Paris talks to a Web server
(httpd, HTTP server) in London through the Paris router and the London router. The
application layer (HTTP) and transport layer (TCP) exist only on the two hosts and form a
virtual connection between them; the Internet layer (IP) is present on the hosts and on both
routers.
Notes:
The figure shows an example of communication between a Web server located in the UK
and a workstation running a Web browser located in France. The packets are routed
through two routers.
The diagram shows the operation of the Internet Protocol suite between two Internet hosts
connected via two routers and the corresponding layers of the IP suite in use at each hop.
All hosts use the Internet layer to route packets to the next hop solely based on the IP
address, while only the end hosts need the upper layers to send or receive application
data. At the transport layer and application layer the hosts can be said to have virtual
connections between them.
Checkpoint
2. Which layer is required for frame transmission?
3. What is the role of the transport layer?
4. Which protocol of the link layer translates IP addresses to
MAC addresses?
5. What is the purpose of VLSM?
Notes:
Exercise introduction
addresses.
Notes:
Unit summary
• Define network components
• Describe the following:
– The main TCP/IP protocols
– The TCP/IP layering model
– IP addressing, subnetting, supernetting, and VLSM
Notes:
What you should be able to do
After completing this unit, you should be able to:
• Configure TCP/IP
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration
How you will check your progress
• Checkpoint questions
• Lab exercises
Unit objectives
• Configure TCP/IP
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration
Notes:
Partition activation
.I. n
Run time init Process /etc/inittab
.T ció
/sbin/rc.boot calls cfgmgr Process /etc/rc.net
.
C
.F a
/etc/rc.tcpip Starts TCP/IP subsystems
syslogd
C rm
/etc/rc.nfs snmpd
sendmail
portmap
Login
…
to fo
Inetd Æ /etc/inetd.conf
ec vo
Notes:
oy si
TCP/IP startup is initiated from the inittab processing. /sbin/rc.boot calls cfgmgr
during the second phase processing, which will in turn initialize the network interfaces and
set up routing by processing the /etc/rc.net file. TCP/IP subsystems are started from the
/etc/rc.tcpip script. This script can be edited directly to comment or uncomment
subsystem startup. The inetd daemon is responsible for loading network programs on
request, such as FTP, Telnet, and so on. Once the core TCP/IP subsystems have
been initialized, further TCP/IP based applications, such as NFS, NIM, and HACMP, can be
started.
/etc/rc.tcpip
• Enable or disable subsystem start at next system restart:
  – Comment or uncomment the line that starts the subsystem
• Example section of file:
    start /usr/sbin/snmpd "$src_running"
    #start /usr/sbin/dhcpsd "$src_running"
    #start /usr/sbin/dhcprd "$src_running"
    start /usr/sbin/hostmibd "$src_running"
• smit otherserv
  – Can select a subsystem to start: NOW, Next System RESTART, or BOTH.
  – Executes the undocumented chrctcp SMIT command.
Notes:
The /etc/rc.tcpip file is a shell script that, when executed, uses SRC commands to initialize
selected daemons. The rc.tcpip shell script is automatically executed with each system
restart. It can also be executed at any time from the command line.
The script defines functions that are used to manage the starting and stopping of the
subsystems. The most important is the start function. This function determines if any action
is needed (the subsystem may already be running) and it identifies if the SRC facility is
script.
You can either use SMIT (otherserv fastpath) to modify the file, or you can directly edit the
file. SMIT executes an undocumented SMIT command, chrctcp, to update the file.
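As an added example (not part of the course text, and not IBM's own rc.tcpip), the following POSIX shell functions audit an rc.tcpip-style script the way the Notes above describe it: a subsystem is enabled when its start line is active and disabled when that line is commented out. The sample excerpt is constructed from the slide; the syslogd, sendmail and inetd lines and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit which subsystems an /etc/rc.tcpip-style script
# starts at the next restart. Not part of the course or of AIX.
# Live use:  rc_tcpip_enabled /etc/rc.tcpip

# Constructed sample modelled on the slide excerpt; the syslogd, sendmail
# and inetd lines are assumed here for illustration.
SAMPLE_RC_TCPIP='start /usr/sbin/syslogd "$src_running"
start /usr/sbin/snmpd "$src_running"
#start /usr/sbin/dhcpsd "$src_running"
#start /usr/sbin/dhcprd "$src_running"
start /usr/sbin/hostmibd "$src_running"
#start /usr/lib/sendmail "$src_running" "-bd -q30m"
start /usr/sbin/inetd "$src_running"'

# Print the daemon name from every active "start <path> ..." line.
# A line whose first non-blank character is '#' is commented out, so
# that subsystem will not be started at the next restart.
rc_tcpip_enabled() {
    awk '
        /^[ \t]*#/    { next }
        $1 == "start" { n = split($2, p, "/"); print p[n] }
    ' "$1"
}

# Print the daemon name from every commented-out start line.
rc_tcpip_disabled() {
    awk '
        /^[ \t]*#[ \t]*start[ \t]/ {
            sub(/^[ \t]*#[ \t]*/, "")       # strip the comment marker
            n = split($2, p, "/"); print p[n]
        }
    ' "$1"
}

# Answer "yes" or "no" for one daemon, e.g. rc_tcpip_is_enabled FILE snmpd
rc_tcpip_is_enabled() {
    if rc_tcpip_enabled "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# Stand-alone demonstration against the constructed sample.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_RC_TCPIP" > "$sample"
echo "started at next restart:"; rc_tcpip_enabled "$sample"
echo "commented out:";           rc_tcpip_disabled "$sample"
echo "snmpd enabled? $(rc_tcpip_is_enabled "$sample" snmpd)"
rm -f "$sample"
```

Comparing the enabled list against what a host is supposed to run is a quick way to spot a daemon (dhcpsd, snmpd, sendmail) that was left switched on by hand-editing the file.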
Ethernet adapters
• Each adapter (entX) has two interfaces (enX and etX)
  – enX interface uses the standard DIX Ethernet frame format
    • Originally designed by Digital, Intel, and Xerox
  – etX interface uses IEEE 802.3 frame format (the same as DIX except the Type field is
    replaced by Length)

  Interfaces en0 and et0: Layer 3 logical devices
  Adapter card ent0: Layer 1 and 2 physical device (MAC address)
  IP addresses are assigned to the interfaces, in this case en0.

  # lsdev -Cl ent0
  ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter
  # lscfg -v -l ent0 | grep Network
        Network Address.............001125BF9018
  # lsdev -Cc if
  en0 Available 01-08 Standard Ethernet Network Interface
  et0 Defined   01-08 IEEE 802.3 Ethernet Network Interface
Notes:
The original Ethernet is called Experimental Ethernet today. It was developed by Robert
Metcalfe in 1972 (patented in 1978) and was based in part on the ALOHAnet protocol. The
first Ethernet that was generally used was DIX Ethernet (known as Ethernet II) and was
derived from Experimental Ethernet. Today, there are many different standards of Ethernet
(under the umbrella of IEEE 802.3), and the technical community has accepted the term
Ethernet for all of them. Currently under development is IEEE 802.3ba (40 Gb/s and 100
Gb/s Ethernet). For further information see http://www.ieee802.org/3
Ethernet adapter support on AIX
In virtually all cases on AIX, you will configure the en (DIX) interface; et interfaces are rarely
(if at all) used.
General note: Fiber versus Fibre. When talking about networks and fiber, it is important to
know when to use the correct spelling. Fiber refers to the medium (wire), whereas fibre
refers to the protocol, that is, Fibre Channel.
TCP/IP configuration
• Host with multiple adapters
  – Use smitty tcpip for the first adapter
  – And smitty chinet for subsequent adapters
• TCP/IP configuration can also be performed from the command line
  – Method 1: AIX. Data is held in the ODM.
  – Method 2: BSD. Data must be stored in flat file configuration or is lost on reboot.
Notes:
• smit mktcpip

                     Minimum Configuration & Startup
                                                      [Entry Fields]
* HOSTNAME                                            [waldorf]
* Internet ADDRESS (dotted decimal)                   [10.47.1.18]
  Network MASK (dotted decimal)                       [255.255.0.0]
* Network INTERFACE                                   en0
  NAMESERVER
     Internet ADDRESS (dotted decimal)                [10.47.1.33]
     DOMAIN Name                                      [lpar.co.uk]
  Default Gateway
     Address (dotted decimal or symbolic name)        [10.47.0.1]
     Cost                                             [0]              #
     Do Active Dead Gateway Detection?                no               +
  Your CABLE Type                                     N/A              +
  START Now                                           no               +
Notes:
AIX provides a very quick and easy configuration SMIT panel for configuring TCP/IP on the
system. The essential items you will require are:
nameserver 10.47.1.33
domain lpar.co.uk
Cable type is generally not required and can be left as N/A. Start now will refresh (or start)
the TCP/IP subsystems (note: they should already be running).
Additional IP configuration
• smit chinet

                Change / Show a Standard Ethernet Interface
                                                      [Entry Fields]
  Network Interface Name                              en1
  INTERNET ADDRESS (dotted decimal)                   [192.168.0.1]
  Network MASK (hexadecimal or dotted decimal)        [255.255.255.0]
  Current STATE                                       up               +
  Use Address Resolution Protocol (ARP)?              yes              +
  BROADCAST ADDRESS (dotted decimal)                  []
  Interface Specific Network Options
     ('NULL' will unset the option)
     rfc1323                                          []
     tcp_mssdflt                                      []
     tcp_nodelay                                      []
     tcp_recvspace                                    []
     tcp_sendspace                                    []
  Apply change to DATABASE only                       no               +
Notes:
If SMIT is being used to configure further interfaces, then the fastpath smit chinet
should be used. All fields are optional but the following items are essential:
• Interface to be configured
• State of the interface (Default is down, so do not forget to switch this to up. This is a
  very common configuration error.)
  – Directly, using BSD UNIX commands: hostname, ifconfig, route
• Setting the hostname
  – AIX: # chdev -l inet0 -a hostname=sys1
  – BSD: # hostname sys1
• Adding an IP address to an interface
  – AIX: # chdev -l en0 -a netaddr=192.168.0.1 -a \
              netmask=255.255.255.0 -a state=up
  – BSD: # ifconfig en0 192.168.0.1 255.255.255.0 up
• If the direct method is used, place the commands at the end of:
  – /etc/rc.net
  or
  – /etc/bsdnet (if inet0 bootup_option=yes)
Notes:
In addition to SMIT, TCP/IP configuration can be driven from the command line. There are
two ways to handle this:
• The AIX way, in which configuration is stored in the AIX internal database (ODM). This
• Local /etc/hosts file:
    # This is a comment
    # Format: IP <space or tab> name | [optional aliases]
    127.0.0.1    loopback localhost
    10.10.1.1    system1 nimserver
    10.10.1.2    system2
    10.10.1.3    system3
Notes:
Systems use different methods for mapping host names to IP addresses. The method
depends upon the environment in which a system is going to participate.
• Flat Network. This method provides name resolution through the file /etc/hosts and
tree like database structure. It was created due to growth of the Internet and designed
for large networks.
• Network Information System (NIS) Server. This method provides a centralized server
for administration of configuration and other files within a LAN environment.
line.
• netstat
  # netstat -in
  Name  Mtu   Network   Address          ZoneID  Ipkts    Ierrs  Opkts   Oerrs  Coll
  en0   1500  link#2    ea.48.f0.0.b0.3          3359653  0      238778  0      0
  en0   1500  10.47     10.47.1.23               3359653  0      238778  0      0
  lo0   16896 link#1                             1201     0      1214    0      0
  lo0   16896 127       127.0.0.1                1201     0      1214    0      0
  lo0   16896 ::1                        0       1201     0      1214    0      0
• ifconfig
  # ifconfig -a
  en0: flags=1e080863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
          inet 10.47.1.23 netmask 0xffff0000 broadcast 10.47.255.255
           tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
  lo0: flags=e08084b<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
          inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
          inet6 ::1/0
           tcp_sendspace 131072 tcp_recvspace 131072 rfc1323 1
Notes:
The netstat -i command shows the state of all configured interfaces. The -n flag shows
network addresses as numbers. When this flag is not specified, the netstat command
The ifconfig -a command is used to display information about all interfaces in the
system. The key flags are UP and RUNNING, which show that the interface is available and
active.
• entstat
  – Shows adapter statistics and link state
  – Applicable to both physical and virtual devices
  # entstat -d ent3 | head
  -------------------------------------------------------------
  ETHERNET STATISTICS (ent3) :
  Device Type: 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
  Hardware Address: 00:1a:64:a8:99:55
  Elapsed Time: 0 days 0 hours 4 minutes 14 seconds

  Transmit Statistics:                          Receive Statistics:
  --------------------                          -------------------
  Packets: 1                                    Packets: 10
  Bytes: 60                                     Bytes: 1246
  # entstat -d ent3 | egrep -i '(link|speed)'
  Link Status : Up
  Media Speed Selected: Auto negotiation
  Media Speed Running: 1000 Mbps Full Duplex
  # entstat -d ent1 | grep -i PVID
  PVID: 3 VIDs: None
Notes:
The entstat command displays the statistics gathered by the specified Ethernet device
driver. Full examples of the entstat command:
1. Physical adapter
# entstat -d ent3
-------------------------------------------------------------
Broadcast Packets: 1                    Broadcast Packets: 29
Multicast Packets: 0                    Multicast Packets: 0
No Carrier Sense: 0                     CRC Errors: 0
DMA Underrun: 0                         DMA Overrun: 0
Lost CTS Errors: 0                      Alignment Errors: 0
Max Collision Errors: 0                 No Resource Errors: 0
Late Collision Errors: 0                Receive Collision Errors: 0
Deferred: 0                             Packet Too Short Errors: 0
SQE Test: 0                             Packet Too Long Errors: 0
Timeout Errors: 0                       Packets Discarded by Adapter: 0
Single Collision Count: 0               Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0
General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex
PCI Mode: PCI-X (100-133)
Transmit and Receive Flow Control Threshold (Low): 24576
Transmit and Receive Storage Allocation (TX/RX): 16/48
2. Virtual adapter
# entstat -d ent1
-------------------------------------------------------------
ETHERNET STATISTICS (ent1) :
Device Type: Virtual I/O Ethernet Adapter (l-lan)
Hardware Address: f6:c7:3d:dc:cc:85
Elapsed Time: 4 days 0 hours 37 minutes 10 seconds
Bad Packets: 0
Max Packets on S/W Transmit Queue: 0
S/W Transmit Queue Overflow: 0
General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 20000
Driver Flags: Up Broadcast Running
        Simplex 64BitSupport ChecksumOffload
        DataRateSet
Virtual I/O Ethernet Adapter (l-lan) Specific Statistics:
---------------------------------------------------------
RQ Length: 4481
No Copy Buffers: 0
Trunk Adapter: False
Filter MCast Mode: False
Filters: 255
  Enabled: 1  Queued: 0  Overflow: 0
LAN State: Operational
Send Errors: 0
Hypervisor Receive Failures: 0
• arp
  # arp -a
  nimmaster (10.47.1.33) at 3a:6e:a6:2:67:9d [ethernet] stored in bucket 3
  ? (10.47.1.254) at 0:11:25:1:2f:1d [ethernet] stored in bucket 75
  hmc2.lpar.co.uk (10.47.1.134) at (incomplete)
  hmc3.lpar.co.uk (10.47.1.135) at 0:d:60:b:dc:59 [ethernet] stored in bucket 105
  bucket: 0 contains: 0 entries
  bucket: 1 contains: 0 entries
  … [note: buckets 2-147 removed for clarity]
  bucket: 148 contains: 0 entries
  There are 3 entries in the arp table.
• The arp command can also be used to add (-s) and remove (-d) entries from the arp table.
Notes:
Name, IP, and MAC address information used or discovered by the ARP protocol is stored
in a table. This table can be viewed using the arp -a command. On AIX, entries stay within
the arp table for 20 minutes. This time can be tuned by changing the arpt_killc attribute
of network options along with the number of buckets (arptab_nb) and size of each bucket
(arptab_bsiz). These ARP attributes can be viewed using the no -a | grep arp
command.
Example:
# no -a |grep arp
   arpqsize = 12
   arpt_killc = 20
   arptab_bsiz = 7
   arptab_nb = 149
PowerHA.
  # netstat -in -I en1 | grep -v link
  Name  Mtu   Network    Address       ZoneID  Ipkts  Ierrs  Opkts  Oerrs
  en1   1500  192.168.0  192.168.0.1           0      0      6      0
  # ifconfig en1 alias 172.31.0.1 255.255.0.0
  # ifconfig en1 alias 10.47.33.33 255.255.0.0
  # netstat -in -I en1 | grep -v link
  Name  Mtu   Network    Address       ZoneID  Ipkts  Ierrs  Opkts  Oerrs
  en1   1500  192.168.0  192.168.0.1           0      0      7      0
  en1   1500  172.31     172.31.0.1            0      0      7      0
  en1   1500  10         10.47.33.33           0      0      8      0
Notes:
  # ping sys1
  PING sys1: (192.108.14.2): 56 data bytes
  64 bytes from 192.108.14.2: icmp_seq=0 ttl=255 time=0 ms
  64 bytes from 192.108.14.2: icmp_seq=1 ttl=255 time=0 ms
  ^C
  ----seraph PING Statistics----
  2 packets transmitted, 2 packets received, 0% packet loss
  # traceroute sys1
  trying to get source for sys1
  source should be 10.47.1.31
  traceroute to sys1 (192.108.14.2) from 10.47.1.31 (10.47.1.31), 30 hops max
  outgoing MTU = 1500
   1  merovingian.lpar.co.uk (10.47.1.30)  1 ms  0 ms  0 ms
   2  7.7.7.1 (7.7.7.1)  0 ms  0 ms  0 ms
   3  sys1 (192.108.14.2)  0 ms  0 ms  0 ms
Notes:
The ping command sends an ICMP echo_request to obtain an ICMP echo_response from
a host or router. If the host is operational and on the network, it responds to the echo.
The default is to continuously send echo requests until an interrupt is received with Ctrl-c,
but there is an option (-c) to specify the number of packets sent. The ping command sends
one datagram per second and prints one line of output for every response received. It
calculates round trip times and packet loss statistics, and displays a brief summary upon
completion.
Be careful of some options like -f. This will cause ICMP packets to flood the network. Ping
is useful to test basic connectivity between hosts, but it cannot tell us anything about where
the break is in the path. On the other hand, if ping cannot get a response, traceroute can
sometimes still give us information that helps to identify the outage.
The traceroute command is useful for displaying all the routers between end to end host
connectivity. It might turn out that the remote host is fine, but a router has failed along the
path. Traceroute works by increasing the time-to-live value of each successive batch of
packets sent. The first three packets sent have a time-to-live (TTL) value of one (implying
that they are not forwarded by the next router and make only a single hop). The next three
packets have a TTL value of 2, and so on. When a packet passes through a host, the host
normally decrements the TTL value by one and forwards the packet to the next host. When
a packet with a TTL of one reaches a host, the host discards the packet and sends an
ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these
returning packets to produce a list of hosts that the packets have traversed en route to the
destination. The three time stamp values returned for each host along the path are the
delay (aka latency) values typically in milliseconds (ms) for each packet in the batch. If a
packet does not return within the expected timeout window, an asterisk is traditionally
printed. The report indicates that the first listed host is at one hop, the second listed host at
two hops, and so on. IP does not guarantee that all the packets take the same route. Also
note that if the host at hop number N does not reply, the output will list * for that attempt,
• netstat
  # netstat -a
  Active Internet connections (including servers)
  Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
  tcp4       0      0  *.daytime          *.*                LISTEN
  tcp        0      0  *.ftp              *.*                LISTEN
  tcp4       0      0  *.ssh              *.*                LISTEN
  tcp        0      0  *.telnet           *.*                LISTEN
  tcp4       0      0  *.smtp             *.*                LISTEN
  tcp4       0      0  *.time             *.*                LISTEN
  tcp        0      0  *.http             *.*                LISTEN
  tcp4       0     10  waldorf.login      nimmaster.1023     ESTABLISHED
  tcp4       0      0  waldorf.51460      nimmaster.ssh      ESTABLISHED
  udp4       0      0  *.daytime          *.*
  udp4       0      0  *.time             *.*
  udp        0      0  *.tftp             *.*
  udp4       0      0  *.ntp              *.*
  udp        0      0  *.snmp             *.*
  udp4       0      0  *.xdmcp            *.*
  udp4       0      0  *.syslog           *.*
Notes:
A socket is a combination of IP address, port number, and protocol family, which uniquely
identifies a single network process. A socket is also referred to as a communication end
point. A pair of sockets uniquely identifies the end to end connection. Socket
communication can be viewed with the netstat -a command. Open ports/sockets can be
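As an added example (not part of the course, and not an IBM tool), the following POSIX shell functions turn the netstat -a listing above into an inventory of listening sockets and pick out the legacy services that exchange logins or data in clear text. The sample output is constructed from the slide; the review list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: list and classify the listening sockets in "netstat -a"
# output. Not part of the course; the sample below is constructed from
# the slide, and the service list and function names are my own.
# Live use:  netstat -a | listeners

# Constructed excerpt of "netstat -a" output in the AIX layout.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp4       0      0  *.daytime          *.*                LISTEN
tcp        0      0  *.ftp              *.*                LISTEN
tcp4       0      0  *.ssh              *.*                LISTEN
tcp        0      0  *.telnet           *.*                LISTEN
tcp4       0      0  *.smtp             *.*                LISTEN
tcp        0      0  *.http             *.*                LISTEN
tcp4       0     10  waldorf.login      nimmaster.1023     ESTABLISHED
tcp4       0      0  waldorf.51460      nimmaster.ssh      ESTABLISHED
udp4       0      0  *.daytime          *.*
udp        0      0  *.tftp             *.*
udp4       0      0  *.ntp              *.*
udp        0      0  *.syslog           *.*'

# Legacy services that carry logins or data in clear text; an inventory
# that still shows them listening is worth a review (assumed list).
REVIEW_SERVICES="ftp telnet tftp login shell exec"

# Read netstat output on stdin; print "proto service" for every TCP
# socket in LISTEN state and every bound UDP socket. The service is the
# last dot-separated token of the local address (e.g. "*.ssh" -> ssh).
listeners() {
    awk '
        function port(addr,   n, p) { n = split(addr, p, "."); return p[n] }
        $1 ~ /^tcp/ && $NF == "LISTEN" { print $1, port($4) }
        $1 ~ /^udp/ && $5 == "*.*"     { print $1, port($4) }
    '
}

# Filter the listener list down to the services in REVIEW_SERVICES.
review_listeners() {
    listeners | awk -v list="$REVIEW_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) flag[a[i]] = 1 }
        ($2 in flag) { print }
    '
}

# Stand-alone demonstration against the constructed sample.
echo "listening sockets:"
printf '%s\n' "$SAMPLE_NETSTAT" | listeners
echo "legacy clear-text services still listening:"
printf '%s\n' "$SAMPLE_NETSTAT" | review_listeners
```

UDP sockets have no state column, so a bound *.port line with a *.* foreign address is treated as a listener; established TCP sessions such as waldorf.login are deliberately left out of the inventory.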
Removing IP configuration
  # ifconfig <interface> detach
• Preventing re-configuration at system restart:
  – Remove or comment out ifconfig statements added to rc.net or bsd.net
  – Remove any ODM definition:
    Method 1:
    # chdev -l <interface> -a state=detach
    Method 2:
    # rmdev -d -l <interface>
    # cfgmgr
Notes:
The effective interface configuration is in kernel memory. The ifconfig command can be
used to modify the interface definition in the kernel. Requesting a down state will stop the
use of that interface, but will leave the configuration parameters in place. Requesting a
detach state will detach the interface from the related adapter and will also remove the
(this deletes the configuration details) or you can totally remove the ODM interface object
and then use cfgmgr to rediscover it.
Checkpoint (1 of 2)
2. Which two commands will display the MAC address of an Ethernet adapter?
3. What is the difference between ent0, en0, and et0?
Notes:
Checkpoint (2 of 2)
5. True or False: Smitty tcpip should be used to configure all interfaces on the system.
Notes:
Exercise introduction
Notes:
Unit summary
• Test and review the TCP/IP configuration
• Add IP aliases
• Remove IP configuration
Notes:
What you should be able to do
After completing this unit, you should be able to:
• Configure the inetd daemon
• Log in to remote hosts with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands
How you will check your progress
• Checkpoint questions
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Unit 3. inetd remote command services 3-1
Unit objectives
• Configure the inetd daemon
• Log in to remote systems with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands
Notes:
  – Saves CPU, memory, and system startup time
  – Examples: FTP, TFTP, login, Telnet, shell, exec, bootp, and time
  – To enable or disable a network program, comment or uncomment the
    appropriate line in /etc/inetd.conf and refresh the inetd daemon
  – Example: Disable FTP
    vi /etc/inetd.conf, locate and comment out ftp line
    #ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
    telnet   stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a
    shell    stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
    refresh -s inetd
    0513-095 The request for subsystem refresh was completed successfully.
Notes:
The inetd daemon was developed in the early days of the Internet when computers were
slow and did not have a lot of memory but were used to provide a lot of services.
If computers of that day and age needed to run dozens of individual daemons to provide all
the different services, they would quickly run out of memory and CPU capacity, and their
startup time would be comparatively slow. Because of this, the inetd daemon was
developed.
The inetd daemon, sometimes also called the super daemon, is a relatively simple
program. It reads a file (/etc/inetd.conf) for the list of ports it needs to open. It opens
these TCP and UDP ports and then sits idle waiting for traffic to arrive on any of these
ports. When traffic arrives, it looks again at the /etc/inetd.conf file to see which
daemon should be started. It then starts the daemon and lets the daemon handle the
traffic.
Because of this mechanism, the memory and CPU usage is rather low for ports that do not
receive a lot of traffic. And, since we are still interested in saving memory and CPU time
today, the inetd daemon is still used for low-usage services.
There is a slight delay each time a daemon needs to be started. Because of this, the inetd
daemon is not supposed to be used for busy servers that receive a lot of connections in a
short period of time. HTTP, for instance, is best served with a dedicated web server
daemon running 24/7.
Some daemons, such as FTP, can be run both from the inetd daemon and as a standalone
daemon. You would make that decision based on the amount of traffic you expect.
The /etc/inetd.conf file controls the behavior of the inetd daemon. It consists of the
following seven columns:
- The first column identifies the service name inetd will support. This service name is
  translated into a port number via the /etc/services file.
- Columns two through four identify the socket type, protocol, and socket
  management technique. The protocols are TCP or UDP. Generally the particular
  protocol requires specific values in the other two fields:
  • stream tcp nowait
  • dgram udp wait
  tcp6 and udp6 mean that the daemon is also able to handle IPv6 traffic.
- Column five is the username under which the daemon should start. The inetd daemon
  itself runs as root but can, if required, do a setuid() call before starting the
  daemon. The daemon then runs as a regular user and, if hacked, can do less
  damage to the system.
- Column six is the path and name of the program that implements the service. This is
  the daemon that is started by inetd.
- Column seven and on is the name of the program, plus all the options that are
command.
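As an added example (not part of the course, and not IBM's inetd), the following POSIX shell functions parse an /etc/inetd.conf-style file into the columns described above and report which services are active, which are commented out, and which user each active service runs as. The sample file is constructed from the slide; the tftp, exec and daytime lines and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: parse an /etc/inetd.conf-style file into the seven columns
# described above and report which services inetd will serve, and as which
# user. Not part of the course; the sample is constructed from the slide
# (tftp, exec and daytime lines assumed), function names are my own.
# Live use:  inetd_enabled /etc/inetd.conf

# Constructed sample. Columns: service, socket type, protocol, wait/nowait,
# user, server path, server arguments. "internal" services (assumed line)
# are handled by inetd itself and have no server program.
SAMPLE_INETD_CONF='## Constructed sample of /etc/inetd.conf
#ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
telnet   stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a
shell    stream  tcp6    nowait  root    /usr/sbin/rshd     rshd
#exec    stream  tcp6    nowait  root    /usr/sbin/rexecd   rexecd
tftp     dgram   udp6    SRC     nobody  /usr/sbin/tftpd    tftpd -n
daytime  stream  tcp     nowait  root    internal'

# Print "service protocol user server" for every active (uncommented) entry.
inetd_enabled() {
    awk '
        /^[ \t]*#/ { next }                      # comment or disabled entry
        NF >= 6    { print $1, $3, $5, $6 }
    ' "$1"
}

# Print the service name of every entry that is present but commented out.
# Only lines that still look like an entry (socket type in column 2) count,
# so ordinary comments are not reported.
inetd_disabled() {
    awk '
        /^[ \t]*#/ {
            sub(/^[ \t]*#[ \t]*/, "")
            if ($2 == "stream" || $2 == "dgram") print $1
        }
    ' "$1"
}

# Print the user (column five) an active service runs as, or nothing.
inetd_runs_as() {
    awk -v svc="$2" '!/^[ \t]*#/ && $1 == svc { print $5; exit }' "$1"
}

# Print the active services that run as root: the ones where a compromised
# daemon has the most reach, as the Notes above explain.
inetd_root_services() {
    inetd_enabled "$1" | awk '$3 == "root" { print $1 }'
}

# Stand-alone demonstration against the constructed sample.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$conf"
echo "enabled (service protocol user server):"; inetd_enabled "$conf"
echo "commented out:"; inetd_disabled "$conf"
echo "running as root:"; inetd_root_services "$conf"
rm -f "$conf"
```

Running inetd_root_services against the live file after a refresh -s inetd is a cheap way to confirm that a service you meant to disable is really gone and that the ones left running as root are the ones you expect.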
Remote commands
  – Remote execute: rexec            Auto execution (no password required):
  – Remote file transfer: ftp        $HOME/.netrc
• BSD
  – Remote login: rlogin, rsh        Auto execution (no password required):
  – Remote execute: rsh              /etc/hosts.equiv
  – Remote file transfer: rcp        $HOME/.rhosts
• AIX (DSM)
  – Remote execute: dsh
    • Wrapper for rsh or ssh which allows commands/scripts to be executed on
      multiple hosts simultaneously
Notes:
Remote login, execute, and file transfer were the first services that were implemented
when the Internet was born. They allowed users to use other systems over the network as
if they were local users. There were two competing organizations, however, both of whom
implemented these services differently.
TCP/IP under AIX uses two flavors of commands. ARPANET commands were designed for
large networks on the Internet consisting of multivendor operating systems. Berkeley
Distributed Systems Management (DSM). DSM filesets are distributed as part of the AIX
BOS. The dsh command is packaged as part of the DSM filesets and is a powerful utility
that is used to run commands and scripts on multiple hosts simultaneously.
telnet

  LPAR: kyle (telnet)  -->  LPAR: kenny (telnetd)

# telnet kenny
Trying...
Connected to kenny.lpar.co.uk.
Escape character is '^]'.
telnet (kenny.lpar.co.uk)

AIX Version 6
Copyright IBM Corporation, 1982, 2009.
login: root
root's Password:
Last unsuccessful login: Mon 10 Dec 15:13:58 2007 on /dev/vty0 from count.lpar.co.uk
Last login: Tue 28 Jul 10:59:04 2009 on /dev/pts/0 from nimmaster
kenny.lpar.co.uk:/ #

Notes:
The telnet command uses the TELNET protocol which allows remote login to other hosts.
The server host must have the telnetd available.
The default escape sequence to go into telnet sub command mode on a session started
using the tn command is Ctrl-t.
rexec

  LPAR: kyle (rexec)  -->  LPAR: kenny (rexecd)

# rexec kenny date
Name (kenny.lpar.co.uk:root):
Password (kenny.lpar.co.uk:root):
Wed 5 Aug 17:55:04 2009

# cat $HOME/.netrc
machine kenny login root password ibmaix
machine kyle login root password ibmaix
# rexec kenny date
Wed 5 Aug 18:01:18 2009

(Auto login through $HOME/.netrc; also applicable with the ftp command.)

Notes:
The rexec command executes a command on the specified server machine. The host
parameter specifies the name of the host where the command is to be executed. The
such an entry is not found, rexec prompts for a valid user name and password for the
server host.
The rexec command does not recognize a macdef entry in the .netrc file. If a macdef
entry exists, the rexec command does not fail, but the user gets an error message about
unknown options.
rexec cannot handle commands that use a full screen such as vi or graphical applications.
The rexec command does support interactive command processing.
The permissions on .netrc must be set to 600 (read and write by owner only);
otherwise automatic login will fail.
The machine, login, and password lines may be typed horizontally or vertically in the file.
ftp

  LPAR: kyle (ftp)  -->  LPAR: kenny (ftpd)

# ftp kenny
Connected to kenny.lpar.co.uk.
220 kenny.lpar.co.uk FTP server (Version 4.2 Thu Dec 4 10:21:27 CST 2008) ready.
331 Password required for root.
230-Last unsuccessful login: Mon 10 Dec 15:13:58 2007 on /dev/vty0 from count.lpar.co.uk
230-Last login: Wed 5 Aug 18:09:48 2009 on ftp from nimmaster
230 User root logged in.
ftp> put /unix /tmp/unix
200 PORT command successful.
150 Opening data connection for /tmp/unix.
226 Transfer complete.
24456220 bytes sent in 0.4098 seconds (5.828e+04 Kbytes/s)
local: /unix remote: /tmp/unix

Notes:
Overview
FTP syntax is the command ftp followed by a valid host name on your network.
The remote user name specified at the login prompt must exist and have a password.
Additionally for FTP up to 16 macros containing, at most, 4096 characters for all macros
can be defined in one .netrc file. A special macdef named init is always executed upon
successful login to the specified server. All other macdefs must be called by their names
from the ftp> prompt by putting a $ in front of the macdef name.
It is required that macdefs be followed by a blank line including the last macdef in the file.
macdef inventory
type ascii
get widget /wooden
<Blank line - must be here!! >
machine sys4 login team03 password p4ccf22
macdef init
put file1
get file2
quit
<Blank line - must be here!! >
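A small audit function for the .netrc rules above: entries laid out horizontally or vertically, macdef blocks that must end with a blank line, rexec's rejection of macdef, and the required mode of 600. This is an added example, not part of the course material; netrc_audit and netrc_demo are names chosen here, and the demo file with its host names and passwords is constructed.

```shell
#!/bin/sh
# Added example (not from the course): audit a .netrc file.
# netrc_audit FILE prints one line per finding:
#   MODE-OK / MODE-BAD       file must be mode 600 or automatic login fails
#   MACHINE host login=..    one per "machine" entry (password shown as set/none)
#   MACDEF name lines=N      one per macro, counted up to its blank-line terminator
#   WARN ...                 unknown token, unterminated macdef, macdef present (rexec)
netrc_audit() {
    file=$1
    perm=$(ls -ld "$file" | cut -c1-10)
    if [ "$perm" = "-rw-------" ]; then
        echo "MODE-OK $perm"
    else
        echo "MODE-BAD $perm (must be 600 or automatic login fails)"
    fi
    awk '
    function flush() {
        if (machine != "")
            printf "MACHINE %s login=%s password=%s\n", machine, login, (password == "" ? "none" : "set")
        machine = ""; login = ""; password = ""
    }
    # inside a macdef body: every line belongs to the macro until a blank line
    inmac {
        if ($0 ~ /^[ \t]*$/) { printf "MACDEF %s lines=%d\n", macname, maclines; inmac = 0 } else { maclines++ }
        next
    }
    {
        # keyword/value pairs may be split across lines, so carry the pending keyword
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (pending != "") {
                if (pending == "machine") { flush(); machine = tok }
                else if (pending == "login") { login = tok }
                else if (pending == "password") { password = tok }
                else { macname = tok; maclines = 0; inmac = 1; nmac++; pending = ""; next }
                pending = ""
            } else if (tok == "machine" || tok == "login" || tok == "password" || tok == "macdef") {
                pending = tok
            } else {
                printf "WARN unknown token %s at line %d\n", tok, NR
            }
        }
    }
    END {
        flush()
        if (inmac) printf "WARN macdef %s not terminated by a blank line\n", macname
        if (nmac) print "WARN macdef present: rexec reports unknown options for this file"
    }' "$file"
}

# Build a constructed sample (one horizontal entry, one vertical entry, one
# macdef) with the wrong mode, audit it, and clean up.
netrc_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'machine kenny login root password secret1' \
        'machine kyle' \
        'login alex' \
        'password secret2' \
        'macdef init' \
        'put file1' \
        'quit' \
        '' > "$dir/netrc"
    chmod 644 "$dir/netrc"
    netrc_audit "$dir/netrc"
    rm -rf "$dir"
}

netrc_demo
```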
C rm
The /etc/ftpusers file
User names listed in the /etc/ftpusers file on the server must also appear in the
server's /etc/passwd file.
/etc/ftpusers is a list of client users who do not have permission to ftp into the server's
system. The ftpd daemon on the server does not allow access to the user names listed
in this file.
/etc/ftpusers can be built with vi, through smit ftpusers or by using the ruser
command.

Anonymous ftp
Anonymous ftp is a way to allow client users to use ftp to log in to a server without having to
supply a password. Although the client is prompted for a password, no password needs to
be supplied. By convention the password is the name of the client host initiating this type of
FTP.
There is a script provided that builds the anonymous ftp directory tree structure. This script
is named /usr/samples/tcpip/anon.ftp. It creates the directory structure and
additionally creates the two anonymous FTP accounts called anonymous and ftp. Both
have an * in the password field on the server.
When users do an ftp to an anonymous ftp server and log in as ftp or anonymous they will
find themselves in the /home/ftp directory. The server executes the chroot command in
the home directory of the FTP user account when the FTP user logs in. For greater
security, be sure to implement the following rules when you construct the FTP subtree.
• Make the /home/ftp home directory owned by root with permissions of 555.
• Make /home/ftp/bin directory owned by the root user and unwritable by anyone
else. The ls program must be present in this directory to support the list command. This
program should have permissions of 111 and the directory with permissions of 555.
• Make /home/ftp/etc directory owned by the root user and unwritable by anyone.
• /home/ftp/pub directory mode is 777 and owned by ftp. Users should then place files
that are to be accessible through the anonymous account in this directory.
r* commands

  LPAR: kyle (r*)  -->  LPAR: kenny (rlogind or rshd)

# rlogin kenny
root's Password:
#
<CTRL D>
# rlogin kenny -l alex        (note: is the same as # rsh kenny -l alex)
alex's Password:
$
<CTRL D>
# rsh kenny -l alex date
rshd: 0826-813 Permission is denied.
# rcp -r DNSbak alex@kenny:.
rshd: 0826-813 Permission is denied.

Notes:
The r* commands
• The rlogin command performs a remote login on behalf of the user. If the user wants to
log in using a user name other than the one he/she is currently logged in as, the -l
without a command argument, it acts as an rlogin and logs the user in. The –l option is
also applicable to rsh. By default, if remote commands are to be executed,
authentication must be configured. Otherwise, a “Permission is denied” error will occur.
• The rcp command is a subset of the rshd and is responsible for copying files remotely.
r* authentication files

• /etc/hosts.equiv
  – Defines which client users are permitted to execute commands on the
    server without supplying a password
  – Not applicable to root
• $HOME/.rhosts
  – Defines a list of users who are not required to supply a login password
    when they execute rcp, rlogin, and rsh using a server user account
• Ideally, both files should be given 600 permissions.

# format for /etc/hosts.equiv / .rhosts
+                   # allow all users from all hosts
+ root              # allow any root user
kyle alex           # allow user alex from kyle
kyle -francois      # disallow user francois from kyle

Notes:
The /etc/hosts.equiv file, along with any local $HOME/.rhosts files, defines the
hosts (computers on a network) and user accounts that can invoke remote commands on a
local host without supplying a password. A user or host that is not required to supply a
password is considered trusted.
When a local host receives a remote command request, the appropriate local daemon first
checks the /etc/hosts.equiv file to determine if the request originates with a trusted
user or host. For example, if the local host receives a remote login request, the rlogind
daemon checks for the existence of a hosts.equiv file on the local host. If the file exists
but does not define the host or user, the system checks the appropriate $HOME/.rhosts
file. This file is similar to the /etc/hosts.equiv file, except that it is maintained for
individual users.
Both files, hosts.equiv and .rhosts, must have permissions denying write access to
group and other. If either group or other have write access to a file, that file will be ignored.
Do not give write permission to the /etc/hosts.equiv file to group and other.
Permissions of the /etc/hosts.equiv file should be set to 600 (read and write by owner
only).
If a remote command request is made by the root user, the /etc/hosts.equiv file is
ignored and only the /.rhosts file is read.
• .rhosts example:

alex@kenny $ id
uid=204(alex) gid=1(staff)
alex@kenny $ cat .rhosts
nimmaster zion

zion@nimmaster # rsh kenny -l alex date
Wed 5 Aug 20:18:16 2009

• hosts.equiv example:

root@kenny # cat /etc/hosts.equiv
+ alex

alex@nimmaster # rcp file* alex@kenny:.

Notes:
In the first example, a user named zion on the system named nimmaster tries to run the
date command on the system named kenny with the authority of the user alex (who is a
user defined on system kenny). The rshd daemon checks the .rhosts file in user alex's
home directory and finds that user zion from system nimmaster is allowed to run with the
authority of alex.
In the second example, user alex on system nimmaster is trying to copy a file from
nimmaster to the system named kenny, with the authority of alex on the target system.
The /etc/hosts.equiv file has an entry that states that if a client system has pre-authenticated
alex, to allow that user to run with alex's authority on this system also.
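The lookup rules described above (hosts.equiv first, then the account's .rhosts; root skips hosts.equiv; a file writable by group or other is ignored) can be replayed with the small evaluator below, fed with the two examples from the visual. This is an added example, not part of the course material or of rshd itself; r_scan, r_trusted and r_demo are names chosen here, and it assumes that lines beginning with # are comments, that a -user entry ends the scan of that file only, and, following the "+ alex" example, that a "host user" entry in hosts.equiv admits the client user only to the same-named local account.

```shell
#!/bin/sh
# Added example (not from the course, not rshd): decide whether client_user on
# client_host may act as local_user without a password, using the unit's rules.

# r_scan FILE CLIENT_HOST CLIENT_USER LOCAL_USER equiv|rhosts  -> prints trusted|no
r_scan() {
    file=$1 chost=$2 cuser=$3 luser=$4 mode=$5
    [ -f "$file" ] || { echo no; return; }
    # A file that group or other can write is ignored (positions 6 and 9 of ls -l).
    case "$(ls -ld "$file" | cut -c1-10)" in
        ?????w*|????????w?) echo no; return ;;
    esac
    awk -v chost="$chost" -v cuser="$cuser" -v luser="$luser" -v mode="$mode" '
    BEGIN { v = "no" }
    /^[ \t]*#/ || NF == 0 { next }           # assumption: # starts a comment
    {
        h = $1; u = (NF >= 2) ? $2 : ""
        if (h != "+" && h != chost) next     # + matches any client host
        if (u == "") {                       # host only: same user name on both sides
            if (cuser == luser) { v = "trusted"; exit }
        } else if (substr(u, 1, 1) == "-") { # -user: explicit deny ends this file
            if (substr(u, 2) == cuser) exit
        } else if (u == cuser && (mode == "rhosts" || luser == cuser)) {
            v = "trusted"; exit              # .rhosts grants its owner, hosts.equiv the same-named account
        }
    }
    END { print v }' "$file"
}

# r_trusted HOSTS_EQUIV RHOSTS CLIENT_HOST CLIENT_USER LOCAL_USER  -> prints trusted|denied
r_trusted() {
    if [ "$5" != root ] && [ "$(r_scan "$1" "$3" "$4" "$5" equiv)" = trusted ]; then
        echo trusted; return
    fi
    if [ "$(r_scan "$2" "$3" "$4" "$5" rhosts)" = trusted ]; then
        echo trusted; return
    fi
    echo denied
}

# Replay the visual's two examples, plus an explicit deny and an ignored
# world-writable file. All files are constructed in a temporary directory.
r_demo() {
    dir=$(mktemp -d) || return 1
    printf '+ alex\nkyle -francois\n' > "$dir/hosts.equiv"
    printf 'nimmaster zion\n' > "$dir/rhosts.alex"        # alex's $HOME/.rhosts
    : > "$dir/rhosts.francois"                            # francois has no entries
    printf 'kyle\n' > "$dir/rhosts.root"                  # root's /.rhosts
    chmod 600 "$dir/hosts.equiv" "$dir/rhosts.alex" "$dir/rhosts.francois"
    chmod 666 "$dir/rhosts.root"                          # writable by other: ignored
    r1=$(r_trusted "$dir/hosts.equiv" "$dir/rhosts.alex" nimmaster zion alex)
    r2=$(r_trusted "$dir/hosts.equiv" "$dir/rhosts.alex" nimmaster alex alex)
    r3=$(r_trusted "$dir/hosts.equiv" "$dir/rhosts.francois" kyle francois francois)
    r4=$(r_trusted "$dir/hosts.equiv" "$dir/rhosts.root" kyle root root)
    rm -rf "$dir"
    echo "$r1 $r2 $r3 $r4"   # trusted trusted denied denied
}

r_demo
```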
dsh

  number of hosts
  – Using either rsh (default) or ssh as the mechanism
    • To use ssh: # export DSH_REMOTE_CMD=/usr/bin/ssh
  – Must be able to SSH without being prompted for a password (covered in the
    following SSH unit).

nimmaster # export DSH_GROUP_LIST=/aix/dshgroup
nimmaster:/aix # cat dshgroup
kenny
kyle
eric
nimmaster:/aix # dsh "printf '$(date)'; uname -a"
kenny.lpar.co.uk: rshd: 0826-813 Permission is denied.
dsh: 2617-009 kenny.lpar.co.uk remote shell had exit code 1
eric.lpar.co.uk: Wed 5 Aug 20:35:43 2009AIX eric 1 6 00CF2E7F4C00
kyle.lpar.co.uk: Wed 5 Aug 20:35:43 2009AIX kyle 1 6 00CF2E7F4C00

(Error on kenny: rsh permissions incorrect.)

Notes:
Overview
The dsh command concurrently runs commands on multiple nodes and hardware devices.
The dsh command issues a remote shell command for each target specified and returns
the output from all targets, formatted so that command results from all nodes can be
managed. By default, /usr/bin/rsh is the model for syntax and security. This can be
changed to ssh or kerberized rsh by setting the environment variable

targets are specified using the -a, --all-nodes context_list, -n node_list, and -N
nodegroups flags or the dsh_node_list environment variable. The dsh_node_list
and dsh_device_list environment variables specify files listing target nodes and
devices. The file format is one target per line. Blank lines and comment lines beginning with
# are ignored.
Mode
DSH can be used in non-interactive (shown in the visual) or interactive mode. Here is an
example of using DSH in interactive mode:
# dsh -N dshgroup
dsh> df -m /var
eric.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
eric.lpar.co.uk: /dev/hd9var 320.00 219.70 32% 5016 7% /var
kenny.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
kenny.lpar.co.uk: /dev/hd9var 320.00 219.30 32% 5027 7% /var
kyle.lpar.co.uk: Filesystem MB blocks Free %Used Iused %Iused Mounted on
kyle.lpar.co.uk: /dev/hd9var 320.00 219.07 32% 5029 7% /var
dsh> ls -l /unix
kyle.lpar.co.uk: lrwxrwxrwx 1 root system 21 21 Jul 10:43 /unix -> /usr/lib/boot/unix_64
eric.lpar.co.uk: lrwxrwxrwx 1 root system 21 21 Jul 10:37
DSH can also run scripts held locally on remote systems and run them as specific

command execution can be specified using the -S flag. If -S is not specified, the syntax
defaults to KSH syntax.
When commands are executed on the remote target, the path used is determined by the
dsh_path environment variable defined in the shell of the current user. If dsh_path is not
set, the path used is the remote shell default path. For example, to set the local path for the
remote targets, use: dsh_path=$path
The -E flag exports a local environment definition file to each remote target. Environment
variables specified in this file are defined in the remote shell environment before the
command_list is executed.
Command output
The dsh command waits until complete output is available from each remote shell process
and then displays that output before initiating new remote shell processes. This default
behavior is overridden by the -s flag.
The dsh command output consists of standard error and standard output from the remote
commands. The dsh standard output is the standard output from the remote shell
command. The dsh standard error is the standard error from the remote shell command.
Each line is prefixed with the host name of the node that produced the output. The host
name is followed by the : character and a command output line. A filter for displaying
identical outputs grouped by node is provided separately. See the dshbak command for
more information.
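The host-name prefix described above makes dsh output easy to post-process; the filter below collapses it dshbak-style, grouping hosts whose complete output is identical. This is an added example, not the dshbak command itself; dsh_group and dsh_demo are names chosen here and the sample output they consume is constructed.

```shell
#!/bin/sh
# Added example (not from the course, not dshbak): collapse dsh output, which
# prefixes every line with "host: ", into groups of hosts with identical output.
dsh_group() {
    awk '
    {
        i = index($0, ": ")
        if (i == 0) next                              # not a host-prefixed line
        host = substr($0, 1, i - 1); line = substr($0, i + 2)
        if (!(host in seen)) { seen[host] = 1; order[++nh] = host }
        out[host] = out[host] line "\n"               # keep the lines of each host in order
    }
    END {
        # the first host to produce a given output names the group; later ones join it
        for (k = 1; k <= nh; k++) {
            h = order[k]; o = out[h]
            if (o in grp) grp[o] = grp[o] "," h
            else { grp[o] = h; gorder[++ng] = o }
        }
        for (k = 1; k <= ng; k++) printf "HOSTS: %s\n%s", grp[gorder[k]], gorder[k]
    }'
}

# Constructed dsh output: kenny failed (as in the visual), eric and kyle
# returned identical two-line output.
dsh_demo() {
    printf '%s\n' \
        'kenny.lpar.co.uk: rshd: 0826-813 Permission is denied.' \
        'eric.lpar.co.uk: 6100-03' \
        'kyle.lpar.co.uk: 6100-03' \
        'eric.lpar.co.uk: bos.rte 6.1.3.0' \
        'kyle.lpar.co.uk: bos.rte 6.1.3.0' | dsh_group
}

dsh_demo
```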
Output for each target can be copied to a file using the -F output_path flag. Standard
output for each target is written to the target.output file in the output_path directory,
and standard error for each target is written to the target.error file in the
output_path directory. The -F flag does not suppress output on the console.
A command can be run silently using the -Q flag; no output from each target's standard
Reporting
Output from the dsh command can be saved to a report on the local host. The --report
report_path flag enables report generation to the specified report_path directory.
Reporting is also enabled by defining the dsh_report environment variable with the
Security

  – Authentication based on user name and IP address (easily forged)
• The securetcpip command runs tcbck -a, which disables the nontrusted
  commands and daemons:
  – rcp, rlogin, rlogind, rsh, rshd, tftp, and tftpd
  – Ability to specify a password in .netrc files
• The aixpert command sets the system security level and can disable
  insecure services
• telnet, ftp, rexec, rsh, rcp, and rlogin functions normally replaced with
  the SSH protocol
  – Some commands (rsh, rlogin, and others) can be kerberized using
    Kerberos Version 5 support

Notes:
A number of TCP/IP services could compromise the security of a system without careful
implementation. These include the Berkeley commands and tftp which allow access
without passwords and the ftp/exec commands which can have passwords supplied by the
.netrc file. Also, the commands that do use passwords send these passwords in plain
manually by commenting out the proper lines from the /etc/inetd.conf file, but you can also
use the securetcpip command. The securetcpip script is in the directory
/usr/lpp/bos.net/inst_root/etc.
The aixpert command can be used to set a wide variety of system security configuration
settings. The aixpert functionality is much more feature rich than using securetcpip.
If you have machines that require tftp protocol service to boot from a server, the tftp
daemon can be initialized only by using the /etc/tftpaccess.ctl file. A sample can be
found in /usr/samples/tcpip directory.
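Commenting out the inetd.conf lines that start the nontrusted daemons, which is what securetcpip does to that file, can be reproduced on a copy with the function below; it keys on column six (the daemon's path) as described at the start of this unit. This is an added example, not the securetcpip script; inetd_disable and inetd_demo are names chosen here, the sample inetd.conf is constructed in a temporary directory, and the real /etc/inetd.conf is not touched.

```shell
#!/bin/sh
# Added example (not from the course, not securetcpip): print a copy of an
# inetd.conf in which every active line whose daemon (column six) is one of the
# listed programs has been commented out. Comment, blank and short lines are
# passed through unchanged.
inetd_disable() {
    conf=$1; shift
    awk -v list="$*" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^[ \t]*#/ || NF < 6 { print; next }
    {
        path = $6; sub(/.*\//, "", path)        # basename of the daemon path
        if (path in bad) print "#" $0; else print
    }' "$conf"
}

# Constructed sample (not a real AIX /etc/inetd.conf) and the securetcpip-style
# list of daemons to disable.
inetd_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/inetd.conf" <<'EOF'
## constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
#tftp   dgram   udp6    SRC     nobody  /usr/sbin/tftpd     tftpd -n
daytime stream  tcp     nowait  root    internal
EOF
    inetd_disable "$dir/inetd.conf" rshd rlogind tftpd
    rm -rf "$dir"
}

inetd_demo
```

On a real system the output would be reviewed and then installed with refresh -s inetd, which the unit covers elsewhere.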
Some commands can be Kerberized. Kerberos is a network authentication service that
provides a means of verifying the identities of principals (users and hosts) on physically
insecure networks. Kerberos provides mutual authentication, data integrity, and privacy
under the realistic assumption that network traffic is vulnerable to capture, examination,
and substitution. Kerberos Version 5 is available on the AIX expansion pack and is badged
under the name Network Authentication Service.
If you disable these commands, you are probably going to want functional replacements for
them, which do solve the security issues. This is normally implemented with the SSH
protocol, which is covered in the next unit.
Checkpoint

2. Name two commands that can be used to transfer files.
3. Name two commands that can be used for remote execution.
4. Name three mechanisms you can deploy to harden system security.
Exercise introduction
commands.
Unit summary

• Configure the inetd daemon
• Log in to remote systems with telnet, rsh, and rlogin
• Transfer files between systems with ftp and rcp
• Execute commands on remote systems with rexec and rsh
• Execute commands concurrently on multiple hosts using dsh
• Discuss the security of these TCP/IP commands
What you should be able to do

After completing this unit, you should be able to:
• Discuss problems with telnet, ftp, rlogin, rsh, rcp, rexec
• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy / SOCKS server
• Checkpoint questions
• Lab exercises
Unit objectives

• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy and SOCKS server
execution
• Authentication is usually based on password
  – Sent as plain text
  – Vulnerable to sniffing
  – Need to remember each password for each account
• Authentication can also be based on IP address
  – Uses /etc/hosts.equiv or $HOME/.rhosts file
  – Vulnerable to IP address spoofing
  – Dependent on name resolution

Notes:
Various problems are associated with the traditional methods of remote login, file transfer,
and remote execution. The most important problem is that passwords are passed around in
clear text, available for anybody to see with a sniffer. That person can then use your
password to authenticate as you and break into your account. This is made worse by the
fact that people usually have accounts on multiple servers and do not use a different
password for each account. If they do, they generally need to write down all these
passwords somewhere because it is too hard to remember them all. The second problem is
that authentication can be configured by a user to be based on IP address instead of
password using the .rhosts file and by the superuser using the /etc/hosts.equiv
file. This is vulnerable to IP spoofing and, if hostnames instead of IP addresses are used,
SSH protocol (1 of 2)

• OpenSSH is the most popular ssh implementation.
• Based on a client server model.
  – Server daemon:
    • sshd: configuration file /etc/ssh/sshd_config
  – Client programs:
    • ssh: remote login, remote execution
    • scp: remote copy
    • sftp: remote transfer
• OpenSSH defaults to SSH2 (version 2 of the protocol).

Notes:
OpenSSH was created by the OpenBSD team as an alternative to the original SSH
software by Tatu Ylönen, which is now proprietary software. Tatu Ylönen was a researcher
The original SSH protocol RFCs were #4250-4256, 4335, 4344, and 4345
Modifications to the SSH protocol are in the RFCs: 4419, 4432, 4462, 4716, 5656, and
6594
SSH protocol (2 of 2)

  – Sniffing attack no longer practical
• Uses public key algorithms to authenticate server
  – If using public key authentication, can prevent man-in-the-middle attacks
• Can use public key algorithms to also authenticate user
  – Account passwords no longer needed

Notes:
SSH uses strong encryption to encrypt the data in transit and to authenticate the client, the
server and, optionally, the user as well. This protects against sniffers. Use of public key
authentication can prevent man-in-the-middle attacks and can also spare the user from the
ordeal of having multiple passwords for all his accounts. A user is no longer authenticated

  – openssh.base.server
  – openssh.license             Packaged in LPP format
  – openssh.man.en_US
• OpenSSH daemon automatically started through System V init scripts in
  /etc/rc.d/rc2.d (not inetd)
• Start and stop control via SRC

# stopsrc -s sshd
# startsrc -s sshd
# lssrc -s sshd
Subsystem         Group            PID          Status
 sshd             ssh              303258       active

(sshd defaults to port 22.)

Notes:
The OpenSSH filesets are contained on the AIX expansion pack. The server daemon
(sshd) is controlled via SRC commands. The SRC refresh operation is not supported.
Once installed, the SSH daemon is set to start by default at system boot time. This is done
sshd

• On startup:
  – Reads: /etc/ssh/sshd_config
  – Loads host keys:
    • /etc/ssh/ssh_host_rsa_key.pub
    • /etc/ssh/ssh_host_rsa_key
    • /etc/ssh/ssh_host_dsa_key.pub
    • /etc/ssh/ssh_host_dsa_key
• Can be configured to listen on multiple ports
• Host authentication defaults to RSA
• On first connection, the client (by default) will be provided with the
  RSA key fingerprint (server's public key)
  – User must accept the key, and then enter the login password
  – Upon subsequent connections, keypairs verified

Notes:
The sshd daemon process runs on the server. It is usually not run out of inetd because it
needs to generate an RSA key each time it starts, and this takes some time. Every sshd
host (server) needs to generate a host key pair. This is done at install time with the make
host-key command. Two key pairs are created; one for RSA (Rivest-Shamir-Adleman) and
(public key).
New key pairs can be generated using the ssh-keygen command.
Note: A useful thing to know is that sshd can be started with the -d option. This prevents
sshd from forking itself into the background and sends all debug output to
stdout/stderr. This is very useful for debugging a faulty configuration file.

2048 53:81:d6:9e:a7:71:eb:8c:f7:46:7a:b4:d5:68:75:5f
• Syntax: ssh [options] [user@]hostname [command]

waldorf (client) # ssh root@statler
The authenticity of host 'statler (10.47.1.19)' can't be established.
RSA key fingerprint is 53:81:d6:9e:a7:71:eb:8c:f7:46:7a:b4:d5:68:75:5f.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'statler,10.47.1.19' (RSA) to the list of known hosts.
root@statler's password:
statler:/ # exit
waldorf:/ # ls -l $HOME/.ssh/known_hosts
-rw-r--r--   1 root     system          401 06 May 12:21 //.ssh/known_hosts

(The server's public key is written to the known_hosts file.)

Notes:
On first connection, the client will be presented with the public key (RSA key fingerprint) of
the server. The client then gets a warning that this host is unknown and is able to accept or
not. This public key must be accepted by the client user. Once accepted, it is written into
the $HOME/.ssh/known_hosts file. Upon subsequent connections, the keypairs are
verified and the user is warned if the keys do not match. When the StrictHostKeyChecking
option is set either in $HOME/.ssh/config or in /etc/ssh/ssh_config, the user can

• From the client, generate a public/private key pair

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):          <- Passphrase must be blank
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
a9:80:85:62:9f:da:6f:e5:c7:99:a3:18:73:f6:c6:b5 root@waldorf.lpar.co.uk

Notes:
keys in $HOME/.ssh. The usage of this key can be protected with a passphrase so the
system administrator cannot borrow them. The user then transfers the public key to the
server and adds it to $HOME/.ssh/authorized_keys. After that, the user can log in
without needing to supply a password to authenticate itself.
Ex
pr
.I. n
– DSA key file: $HOME/.ssh/authorized_keys2

  waldorf:/ # MY_KEY=`cat /.ssh/id_rsa.pub`
  waldorf:/ # ssh root@statler "echo $MY_KEY >> /.ssh/authorized_keys"

• User can now log in without entering password.
• Useful for automating tasks (for example, backups).
• Anyone who can use your private key (id_rsa) can log in to any system
  where you are authorized.
• It is important to password-protect your private key by using a
  passphrase.
• This procedure is identical to logging in without supplying a password,
  except a passphrase is entered when generating the public/private key
  pair.

  waldorf:/ # ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (//.ssh/id_rsa):
  Enter passphrase (empty for no passphrase):        <-- Enter passphrase here
  Enter same passphrase again:
  Your identification has been saved in //.ssh/id_rsa.
  Your public key has been saved in //.ssh/id_rsa.pub.
  The key fingerprint is:
  a9:80:85:62:9f:da:6f:e5:c7:99:a3:18:73:f6:c6:b5 root@waldorf.lpar.co.uk
Notes:

If the key is protected with a passphrase, the passphrase must be entered at login. The
advantage of this scheme is that a user is no longer required to authenticate to a server
using a password, but is authenticated based on public key algorithms. This greatly
simplifies account administration, both for the user and the system administrator. The only
drawback is that the user's private key has to be kept secret. That is why this key is usually
protected with a passphrase.
  waldorf:/ # ssh root@statler
  Enter passphrase for key '/.ssh/id_rsa':
  statler:/ #

• Disadvantage: Need to type passphrase every time the key is used.
  – Solution: ssh-agent

  waldorf:/ # ssh-agent $SHELL
  waldorf:/ # ssh-add
  Enter passphrase for //.ssh/id_rsa:
  Identity added: //.ssh/id_rsa (//.ssh/id_rsa)
  waldorf:/ # ssh root@statler
  statler:/ #
Notes:

Passphrases are important as they protect the identity of the private key. However, as a
consequence, users can no longer log in without entering a password. This can be solved
by using the ssh-agent. The ssh-agent is a program which holds private keys used for
public key authentication (RSA, DSA) in memory. The idea is that ssh-agent is started at
the beginning of an X session or a login session, and all other windows or programs are
started as clients of the ssh-agent program. Private keys/passphrases are loaded into the
another file, you can specify this file too. The -l option to ssh-add shows all currently
retained keys, and the -d option deletes keys.
• scp
  – Is a secure copy (remote file copy) program
  – Syntax: scp [options] [sourcefile] ... [destinationfile]
  – Filenames specified as: [[user@]host:]filename

  waldorf:/ # scp -r /home/db2 statler:/home

• sftp
  – Is a file transfer program, similar to FTP
  – Two modes, interactive and non-interactive

  waldorf:/ # cat batchfile
  put /unix /tmp/unix_a
  mget /home/db2/* /tmp/db2
  waldorf:/ # sftp -b batchfile root@statler
Notes:

The scp command lets you copy files to and from the remote system. It is even possible to
do third-party copies as follows:

  hostC # scp hostA:/tmp/fileA hostB:/tmp/fileB

The sftp command is a file transfer program, similar to FTP, which performs all operations
over an encrypted SSH transport.
  – Useful for:
    • Using insecure protocols over insecure networks
    • Accessing machines/ports behind firewalls
• SSH proxy (dynamic port forwarding)
  – Useful for:
    • Configuring a SOCKS or secure Web proxy
• X11 forwarding
  – Useful for:
    • Running X11 applications over a secure connection
[Figure: Home and Office. VNC traffic crosses the Internet to an AIX host (SSH / VNC
server); VNC (insecure) is tunneled over the SSH connection.]
Notes:

Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through
SSH Secure Shell.
• ssh -L listeningPort:destHost:destPort \
      [user@]sshdHostname
  – Executed at the application client host
  – Application client connects to localhost:listeningPort

[Figure: Application client host (ssh, listening port on localhost) --- tunnel --->
Destination (and sshd) host (sshd, port 22).]
Notes:

Setting up local port forwarding starts with executing the ssh client command at the host
where you want to run the application client and specifying the sshd server host to which
What allows you to use the established ssh session to forward other application traffic is
the -L option. This specifies that the ssh client detects connections to the specified
listening port number and causes the remote sshd to establish a connection with the
application server at the specified destination host and destination port. (The name of the
destination host is resolved at the destination end of the tunnel.) Then all traffic on these
two connections is forwarded between them by the ssh session.

In order to use the established ssh tunnel, the application client needs to treat the specified
listening port on the local host as the location of its application server.
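As an added illustration (not part of the course), the relay below does on one host, in the clear, the forwarding job that ssh -L listeningPort:destHost:destPort performs across the ssh session: it listens on a local port, and for every accepted connection opens a connection to the destination and copies bytes in both directions until either side closes. It provides none of SSH's encryption or authentication; it exists only to make the -L semantics concrete (the same relay, with the roles of the two ends swapped, is what -R does). The echo server standing in for the application server, the loopback addresses and the payload are constructed for the example.

```python
# Added example, not course code: a plain TCP relay with the semantics of
# "ssh -L listeningPort:destHost:destPort" (listen locally, connect onward,
# copy bytes both ways). No encryption or authentication is involved.
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, dest_host, dest_port):
    """Open the destination side of the tunnel and relay in both directions."""
    try:
        remote = socket.create_connection((dest_host, dest_port), timeout=5)
    except OSError:
        client.close()            # destination unreachable: drop the client connection
        return
    back = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    back.start()
    _pump(client, remote)
    back.join()
    client.close()
    remote.close()


def start_forwarder(listen_port, dest_host, dest_port, bind="127.0.0.1"):
    """Listen on bind:listen_port (loopback only by default, like ssh -L without
    GatewayPorts) and hand each accepted connection to _bridge.
    Returns (listening socket, actual port); listen_port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, listen_port))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return            # listening socket closed: stop accepting
            threading.Thread(target=_bridge, args=(conn, dest_host, dest_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the application server (a VNC or web server in
    the course example): echoes whatever it receives. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run the application server and the forwarder on loopback, send payload to
    the listening port and return what came back through the tunnel."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder(0, "127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

demo() is the application client of the notes: it talks only to the listening port on localhost and never learns where the application server is, which is exactly the property that lets a browser use http://localhost:1033 in the next example.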
[Figure: Home client machine (2) connects across the Internet to the Office server
(1, lpar.co.uk).]
Notes:

The example in the visual shows ssh local port forwarding being set up and used to tunnel a
VNC session. The user wishes to run an X Window and Motif based CDE graphical user
interface and use VNC to allow that graphics interface to be used remotely. The host
running CDE has a hostname of nimmaster. It also happens that the IP address of the
nimmaster administrator executed the command vncserver :3 at that server. This opens
up two TCP ports, 5803 (for VNC access over HTTP) and 5903 (for VNC client access).
The user plans to use a web browser with the http protocol to connect to the VNC server.

Next you need to select a listening port on the client machine, avoiding a port number
that may be needed for other services. In this case we chose 1033.

Given this information, the ssh command that needs to be executed at the client side is

  # ssh -L 1033:nimmaster:5803 root@lpar.co.uk

This command creates an interactive ssh session with lpar.co.uk and also defines a tunnel
that we can use.

We will need to use a different window on the local client machine to start the application
client. In another local window you can now start a web browser and type in a URL of:

  http://localhost:1033

This will connect to the listening port of the SSH tunnel. The SSH tunnel will establish a
connection to the specified hostname and port number at the server end of the SSH
session, and forward traffic between the two connections.

In the visual, the ssh command also specified the option:

  -p 6000

which overrides the default sshd service port number of 22. This might be done if a firewall
is blocking port 22 but allows port 6000. To have this work, there must be an instance of
sshd running on the server that has also been customized to use port 6000 instead of port
22.

This visual also shows a second port forwarding option of

  -L 5903:nimmaster:5903

which illustrates that you can define multiple forwarding ports. In this situation the second
forwarding port is defined to support a VNC client in addition to a web browser.
• Same tunnel defined, except initiated from the application server
  – sshd server for the port forwarding is running on the app client system
• Example:

  Office server:/ # ssh -R 2222:localhost:6000 root@<IP of Home machine>
  Home machine:/ # ping -i 20 127.0.0.1                                   (1)
  Home machine:/ # ssh -p 2222 root@localhost                             (2)
  root@localhost's password:
  Office server:/ #
Notes:

Remote port forwarding is very similar to local port forwarding. The difference is that the
tunnel is initiated on the server side with the sshd service running on the application client
machine. The -R flag lets ssh know that the listening port will now be at the sshd end of the
tunnel rather than the ssh client end of the tunnel. The meaning of the -R positional
parameters is the same as the -L parameters if viewed relative to the application client
and application server. This is useful when the firewall restrictions allow session initiation
as the actual hostname, since that is resolved at the application server end of the tunnel.

The ssh port forwarding session is initiated at the office server that will eventually act as the
application server. If we want to leave the port forwarding up for an extended period of time,
waiting for an application client to use the tunnel, then there is the danger of having the port
forwarding session terminated for inactivity. The port forwarding session is also an
interactive shell session which gives the user a prompt from the home system. By
executing a periodic ping of the loopback address on that home system, the STDOUT of
the ping is transmitted on the interactive session back to the office system, thus preventing
termination due to inactivity.

A user at the home server can now initiate another ssh session to the listening port on the
home server. This session is tunneled to the office server. The firewall sees this as
traffic on the ssh port forwarding session that was initiated from inside rather than a new
session being initiated from outside.

Note that the port forwarding session uses the sshd on the server with the listening port
(home server), while the ssh session that is being forwarded through the tunnel is using the
sshd on the office server.

While this technique can be useful, it is bypassing firewall security restrictions. You should
be aware of the security exposures and discuss these issues with the security officer in
your company.
• ssh -L listeningPort:destHost:destPort \
      [user@]sshdHostname
  – same syntax as previous local port forwarding
  – destination host is different from the sshd host

[Figure: Application client host (listening port) --- ssh tunnel ---> sshd host (sshd)
---> Destination host.]
Notes:

The application client and server do not have to be located at the end points of the ssh
tunnel. For example, in local port forwarding, the destination host can be different from the
sshd host. In this situation, the connection from the sshd to the destination host is a remote
connection rather than an internal connection (effectively through the local loopback
address). This can be useful if you wish to connect to a server that does not have its own
tunneling capability or if you just want to use a single forwarding server to access multiple
other servers.
[Figure: Home client crosses the Internet to the Office host lpar.co.uk (AIX, SSH server
running on port 6000), which reaches aixod01 on the office network.]

  client:/ # ssh -p 6000 -L 2222:aixod01:22 root@lpar.co.uk
  client:/ # ssh -p 2222 root@localhost
  root@localhost's password:
  aixod01:/ #
Notes:

The example in the visual shows forwarding to a third host. Server aixod01 is connected to
a local private network and has no direct connectivity to the Internet. The command

  # ssh -p 6000 -L 2222:aixod01:22 root@lpar.co.uk

allows the client user (at home) to connect to the third machine (aixod01) through the SSH
server running on lpar.co.uk.
• Example:

[Figure: SSH proxy connection from the client across a dangerous, untrusted network and
the Internet to an AIX host (SSH server), from which vnc, web server, ftp and smtp
services are reached.]
Notes:

SSH also supports dynamic port forwarding via SOCKS4 and SOCKS5. SOCKS (sockets
secure) defines a standard mechanism for a client to connect to a service by way of a proxy
server. The socks client identifies the destination IP address and port of the destination
service within the socks packet to send to the socks server. This means that the ssh setup
does not need to define destination service information. The socks client must have logic
that understands how to work with a socks server and a method for configuring it with the
Notes:

In order to configure dynamic port forwarding, you must first set up the SSH connection as
shown in the visual (step 1).

In this case, the IP address 192.168.0.33 is the address of the client. The port 3333 will be
used by the client to forward all Web traffic through the SSH tunnel.

Then (step 2), configure the socks-capable client to use the SOCKS proxy function and to
know the socks proxy bind address and port. The client may or may not be on the socks
proxy system. The method of client configuration varies from one client to another. Some
environments allow system-wide proxy settings. Client applications may use the system
X11 forwarding
IBM Power Systems

• Example:

[Figure: client workstation (examples: Mac OS X, Windows (cygwin)) makes an SSH
connection across an insecure network to an AIX host (SSH server) configured with
X11forwarding=yes.]

  On the server:
  # vi /etc/ssh/sshd_config
  X11Forwarding yes
  # stopsrc -s sshd
  # startsrc -s sshd

  On the client:
  clientX:/ # ssh root@statler -X
  statler:/ # xcalc
Notes:
oy si
SSH can be configured to allow forwarding of X11 graphical applications. First, the
X11Forwarding option must be set to yes in the server configuration file. Secondly, the
u
client must have an X11 based client. On UNIX based platforms, MAC OS, and Linux, X11
is provided. However, on Windows systems a third party X11 client application is required,
cl
X11 forwarding can introduce additional load on the network which can impact
performance.
pr
Restricting forwarding (1 of 2)

  – It allows us as users to access any back-end application or port, effectively
    bypassing the firewall.
• System wide restrictions can be set in the SSH server configuration
  file.
  – /etc/ssh/sshd_config
• To block all port forwarding:
  – AllowTcpForwarding no (default is yes)
• To block X11 forwarding:
  – X11Forwarding no (default is no)
Notes:
oy si
4-26 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook
Uempty
Restricting forwarding (2 of 2)

  # vi /etc/sshd_config
  ...
  << global settings >>
  ...
  X11Forwarding no
  AllowTcpForwarding no
  ...
  Match User morpheus
      PermitOpen trinity:22
      X11Forwarding yes
      AllowTcpForwarding yes
  ...
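The following is an added example, not course material, that models how sshd resolves the forwarding options on the slide for a given user, so the effect of the global "no" settings and the "Match User morpheus" exception can be checked without a running server. It understands only "Match User" criteria and the keywords shown on these two slides; SAMPLE_CONFIG is constructed from the slide. On a real system, sshd -T -C user=morpheus prints the effective configuration sshd would apply.

```python
# Added example, not course code: resolve sshd_config forwarding options with
# Match blocks for one user. Simplified model of OpenSSH's rules, not its parser.
import fnmatch

# OpenSSH defaults quoted on the previous slide; PermitOpen defaults to "any".
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no", "permitopen": ["any"]}

# Sample configuration, constructed from the slide above.
SAMPLE_CONFIG = """\
# ... << global settings >> ...
X11Forwarding no
AllowTcpForwarding no

Match User morpheus
    PermitOpen trinity:22
    X11Forwarding yes
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return (global_opts, blocks); blocks is a list of (criteria, opts).
    Keywords are case-insensitive. Within one section the first value of a
    keyword wins, except PermitOpen, whose destinations accumulate."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            words = value.split()                    # e.g. "User morpheus,neo"
            criteria = {words[i].lower(): words[i + 1].split(",")
                        for i in range(0, len(words) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        target = global_opts if current is None else current
        if key == "permitopen":
            target.setdefault(key, []).extend(value.split())
        else:
            target.setdefault(key, value)
    return global_opts, blocks


def effective_options(text, user):
    """Defaults, overridden by global settings, overridden by the first matching
    Match block that sets each keyword (sshd's first-obtained-value rule)."""
    global_opts, blocks = parse_sshd_config(text)
    opts = dict(DEFAULTS)
    opts.update(global_opts)
    from_match = {}
    for criteria, block_opts in blocks:
        patterns = criteria.get("user", [])
        if any(fnmatch.fnmatchcase(user, pattern) for pattern in patterns):
            for key, value in block_opts.items():
                from_match.setdefault(key, value)
    opts.update(from_match)
    return opts


def may_forward(text, user, host, port):
    """Would sshd let this user open a TCP forward to host:port?"""
    opts = effective_options(text, user)
    if opts["allowtcpforwarding"].lower() == "no":
        return False
    permits = [p.lower() for p in opts["permitopen"]]
    if "none" in permits:
        return False
    if "any" in permits:
        return True
    wanted = "%s:%s" % (host.lower(), port)
    return any(p == wanted or p == "%s:*" % host.lower() for p in permits)


if __name__ == "__main__":
    for user in ("morpheus", "neo"):
        print(user, effective_options(SAMPLE_CONFIG, user),
              "trinity:22 ->", may_forward(SAMPLE_CONFIG, user, "trinity", 22))
```

With SAMPLE_CONFIG, morpheus may forward to trinity:22 only, while any other user gets the global AllowTcpForwarding no and X11Forwarding no.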
Checkpoint (1 of 2)

2. How does the SSH protocol counter these weaknesses?

3. How is the SSH daemon managed?
Checkpoint (2 of 2)

5. What is the purpose of a passphrase?

6. How can TCP port forwarding be disabled on an SSH
   server?
Exercise introduction
Unit summary

• Describe the SSH protocol
• Manage the sshd subsystem on AIX
• Use ssh, scp, and ftp commands
• Log in using SSH protocol based commands without a
  password
• Protect the private key and login using a passphrase
• Configure port and X11 forwarding
• Use sshd as a web proxy and SOCKS server
What you should be able to do

After completing this unit, you should be able to:
• Describe VLANs (Virtual LAN) and IEEE 802.1Q theory
• Understand how VLANs and IEEE 802.1Q are used within Power
  systems

How you will check your progress
• Checkpoint questions
Unit objectives

• Describe VLANs (virtual LAN) and IEEE 802.1Q theory
• Understand how VLANs and IEEE 802.1Q are used within
  Power systems
• Note: Implementing and configuring virtual Ethernet and
  Virtual I/O Servers (VIOS) is covered in detail in AN30
Virtual LANs

  – To provide greater flexibility.
  – To aid performance and security through isolation.
  – Ports in a VLAN share broadcast traffic and belong to the same broadcast
    domain.
• The industry standard VLAN protocol is IEEE 802.1Q.

[Figure: Building 1 and Building 2 joined by a trunk; VLAN 1 and VLAN 2 each form
their own broadcast domain across both buildings.]

Notes:

VLANs are used to divide networks into smaller, more manageable chunks. This helps to
reduce the size of the broadcast domain and also helps with security through isolation.
• When an untagged packet enters a port it will be automatically tagged
  with the port's PVID.
• The packet can only travel to a destination port which belongs to the
  same VLAN group.
• Ports can belong to multiple VLAN groups.
• Packets can either leave the switch port tagged or untagged.

Notes:

802.1Q VLAN

In 802.1Q, the VLAN information is written into the Ethernet packet itself. Each packet
carries a VLAN ID called a tag. This allows VLANs to be configured across multiple
switches. Packets can leave the switch tagged or untagged depending on the setting for
that port's VLAN membership properties. When using 802.1Q, four bytes are added to the
Ethernet frame, 12 bits of which are used for the VLAN ID. Theoretically, there can be up to
• Packets can also be tagged by the operating system (in this case
  from AIX).
  – This is useful if you want to create multiple networks from a single Ethernet
    adapter.

[Figure: Network --- ent0 ---> ent1 (VLAN 1, network A), ent2 (VLAN 2, network B),
ent3 (VLAN 3, network C).]

• If a tagged packet enters a switch port, the tag will be unaffected by
  the default PVID setting.
  – Note: The switch must be aware of the VLAN, otherwise the packet is dropped.

Notes:

The AIX implementation supports the IEEE 802.1Q VLAN tagging standard with the
capability to support multiple VLAN IDs running on Ethernet adapters. Each VLAN ID is
associated with a separate Ethernet interface to the upper layers (for example, IP) and
creates unique logical Ethernet adapter instances per VLAN, for example, ent1, ent2, and
so on. For example, you might only have one physical Ethernet adapter on the system but
want to create multiple networks.

Note: ent0 (as shown in the visual) can either be physical or virtual. If the adapter is virtual,
the VLANs must be defined on the HMC as well as within AIX.
  Available Network Adapters

  Move cursor to desired item and press Enter. Use arrow keys to scroll.

    ent1 Available 09-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (1410890)
    ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter (14106902)

  Add A VLAN
                                                  [Entry Fields]
    VLAN Base Adapter                              ent1
  * VLAN Tag ID                                    [33]             +#
    VLAN Priority                                  []               +#

  # lsdev -Cc adapter
  ent0 Available 01-08 10/100/1000 Base-TX PCI-X Adapter (14106902)
  ent1 Available 09-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
  ent2 Available       VLAN

  (Packets which get sent from adapter ent2 are sent tagged (33) out of ent1.)
Notes:
oy si
Use smit addvlan fast path to configure VLANs. Start by selecting a base adapter
(which will be used to send the packets) and assign a VLAN tag. Optionally, you can also
u
specify a priority. This is used by the VLAN driver to prioritize packets if multiple VLANs are
created using the same base adapter. You can specify a value from 0-7, where 0 is the
cl
default priority, 1 is the highest, and then priorities are ranked in decreasing numerical
order from 2 through 7.
Ex
After you have configured a VLAN, configure the IP interface (for example, en2) for
standard Ethernet.
pr
  – AIX can have up to 256 virtual adapters per LPAR.
  – Does not require a VIOS, unless a bridged connection to the outside world is
    required.

[Figure: Physical Ethernet carries VLAN 100 frames untagged and VLAN 200 frames
tagged to the VIOS (ent0, SEA bridge). The Power Hypervisor virtual Ethernet switch
connects the VIOS virtual Ethernet (PVID=100, VID=200) to the virtual Ethernet adapters
of AIX LPAR 1, AIX LPAR 2 and AIX LPAR 3, whose ent0/ent1 adapters use PVID=100,
PVID=200 and VID=200.]
Notes:
oy si
Virtual Ethernet adapters enable inter-partition communication without the need for
physical network adapters assigned to each partition. It can be used in both shared and
cl
dedicated POWER5 or POWER6 processor partitions provided the partition is running AIX
(Version 5.3 or later) or Linux. This technology enables IP-based communication between
logical partitions on the same system using a VLAN Ethernet switch (POWER Hypervisor)
Ex
within a single system to communicate with one another through a virtual Ethernet LAN.
The virtual Ethernet interfaces may be configured with both IPv4 and IPv6 protocols.
Note: Packets tagged by AIX or the VIOS with a PVID will leave the virtual switch port and
physical adapter untagged and, inversely, packets tagged by AIX or the VIOS with a VID
will leave the virtual switch port and physical adapter tagged.
  as an SPOF.
  – Eliminate the VIOS and SEA bridge as a SPOF by deploying two VIO servers
    and using SEA failover.

[Figure: switch1 and switch2 feed VIOS 1 (primary) and VIOS 2 (secondary). On each
VIOS: ent0, ent1, ent2 aggregated into ent3 (Etherchannel), SEA ent5, virtual Ethernet
ent4, and control channel ent6 on VLAN 99 between the two VIO servers.]
Notes:
oy si
and the VIOS/SEA bridge. A control channel is a virtual Ethernet adapter which is
configured on the HMC to act as a heart-beating path between the VIO servers. It must
cl
belong to a non-shared VLAN. If the channel fails, the secondary VIOS will take over.
Ex
pr
VEth configuration example: Dual networks and
dual VIOS

Figure 5-8. VEth configuration example: Dual networks and dual VIOS AN212.0

Notes:

Virtual I/O server virtual Ethernet configuration, dual networks, without VLAN
tagging

ent9: 8023ad link aggregation device for ent2 and ent6 - storage network
ent10: Virtual Ethernet adapter / VLAN ID: 1 / access external network
ent11: Virtual Ethernet adapter / VLAN ID: 2 / access external network
ent12: Virtual Ethernet adapter VLAN ID: 91 (control channel)
ent13: Virtual Ethernet adapter VLAN ID: 92 (control channel)
ent14: Shared Ethernet adapter (SEA) - bridges external user network with
hypervisor at TCPIP layer 2
ent15: Shared Ethernet adapter (SEA) - bridges external storage network with
hypervisor at TCPIP layer 2
ent16: Virtual Ethernet adapter - VIOS connection to VLAN 100 for TCP/IP config
including SSH and DLPAR

• VIO server commands for this configuration

Run these commands on both VIO servers:

  $ mkvdev -lnagg ent0,ent4 -attr mode=8023ad hash_mode=src_dst_port
  ent8 Available
  $ mkvdev -lnagg ent2,ent6 -attr mode=8023ad hash_mode=src_dst_port
  ent9 Available
  $ mkvdev -sea ent8 -vadapter ent10 -default ent10 -defaultid 1 -attr
  ha_mode=auto ctl_chan=ent12
  ent14 Available

interface Port-channel83
!
interface GigabitEthernet7/46
 description LACP - VIO server #1 ethernet adapter #1
 no ip address
 switchport
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 channel-protocol lacp
 channel-group 83 mode passive
!
interface GigabitEthernet8/46
 description LACP - VIO server #1 ethernet adapter #2
 no ip address
 switchport
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 channel-protocol lacp
 channel-group 83 mode passive
!
Notes:

The storage Ethernet network configuration uses different interface and port channel
numbers and vlan 200 but is otherwise the same configuration.

Port security must be disabled to allow multiple MAC addresses (VIO client LPARs) on the
This is required because LACP packets must not be tagged on the switch.

Virtual I/O server virtual Ethernet configuration, dual networks, with IEEE 802.1Q
VLAN tagging

• Ethernet adapters on each virtual I/O server
ent9: 8023ad link aggregation device for ent2 and ent6 - storage network
ent10: Virtual Ethernet adapter with 802.1Q enabled / VLAN ID: 1, 100 / access
external network
ent11: Virtual Ethernet adapter with 802.1Q enabled / VLAN ID: 2, 200 / access
external network
ent12: Virtual Ethernet adapter VLAN ID: 91 (control channel)
ent13: Virtual Ethernet adapter VLAN ID: 92 (control channel)
ent14: Shared Ethernet adapter (SEA) - bridges external user network with
hypervisor at TCPIP layer 2
ent15: Shared Ethernet adapter (SEA) - bridges external storage network with
hypervisor at TCPIP layer 2
ent16: VIO server VLAN with TAG ID: 100
ent17: VIO server VLAN with TAG ID: 200
ent18: Virtual Ethernet adapter - VIOS connection to VLAN 100 for TCP/IP config
including SSH and DLPAR

• VIO server commands for this configuration

  ent8 Available
  $ mkvdev -lnagg ent2,ent6 -attr mode=8023ad hash_mode=src_dst_port
  ent9 Available
  $ mkvdev -sea ent8 -vadapter ent10 -default ent10 -defaultid 1 -attr
  ha_mode=auto ctl_chan=ent12
  ent14 Available
  $ mkvdev -sea ent9 -vadapter ent11 -default ent11 -defaultid 2 -attr
  ha_mode=auto ctl_chan=ent13
  ent15 Available
• Cisco switch configuration example for the user Ethernet network
interface Port-channel83
 description LACP channel - VIO server #1 - User network
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
 switchport nonegotiate
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
interface GigabitEthernet7/46
 description LACP - VIO server #1 ethernet adapter #1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet8/46
 switchport
 switchport trunk encapsulation dot1q
 channel-protocol lacp
 channel-group 83 mode passive
!
Checkpoint

2. True or False: IEEE 802.1Q trunk adapters can be created within the
   Power Hypervisor for use by AIX.

3. True or False: A virtual adapter can be created without belonging to a
   VLAN.

4. True or False: A control channel can belong to VLAN 1.

5. True or False: A virtual adapter on AIX can belong to multiple VLANs.
Unit summary
• Understand how VLANs and IEEE 802.1Q are used within Power systems
• Note: Implementing and configuring virtual Ethernet and Virtual I/O Servers (VIOS) is covered in detail in AN30.
Notes:
What you should be able to do
After completing this unit, you should be able to:
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems
How you will check your progress
• Checkpoint questions
Unit objectives
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems
Notes:
Routing
Figure: a router holding a routing table, with Interface X and Interface Y attached to different networks
• Routers
– Attached to two or more networks
– Configured to forward packets at the IP level
– Determine the route of a packet by consulting a routing table
– Route packets according to the destination network
• To enable forwarding: # no –o ipforwarding=1
Notes:
A route defines a path for sending packets through the Internet to an address on another network. A route does not define the complete path, only the path from a host to a gateway (router) that can then forward packets on to either the destination or to another gateway.
The term routing refers to the process of choosing a path over which to send packets, and router refers to any computer making such a choice. Routing is performed by the IP layer. IP routers are used to connect different networks. No daemons are necessary to make routing occur on a host. Message distance is usually expressed in the number of gateway hops or hop count (called the metric). The distance a message travels from originating host to destination host depends upon the number of gateway hops it must make. A host is zero hops from a network on which it is attached. It is one hop from a network that can be
Routing implementation
Routing table for sys17:
Destination address    Deliver via gateway
Host route             Direct route
Network route          Direct route
Host route             Indirect route
Network route          Indirect route
Default route          Indirect route
Notes:
A route does not define the complete path. It defines only the path segment from one host to a gateway that can forward packets to a destination, or from one gateway to another. Routes are defined in the kernel routing table. Each routing table entry has two components, the destination address (where you want to end up) and the gateway address (where the packet gets sent on its way to its final destination). The routes are categorized according to various criteria.
• A network route defines a route to any of the hosts on a specific network through a gateway.
• A default route defines a gateway to use when a host or network route to a destination is not otherwise defined.
IP routing algorithm
Notes:
Both hosts and gateways participate in IP routing. When an application program on a host attempts to communicate with another host, one or more IP datagrams are generated. The host must decide to which IP address the datagrams should go. This address might be to a host on the same network or to another network.
• Direct: This occurs when both the source and destination hosts are on the same physical network. The packets can be sent directly from the source to the destination.
• Indirect: This occurs when the source and destination hosts are on different physical networks. The only way to reach the host is through one or more IP gateways. The address of the first of these gateways (the first hop) is the only information needed by the source host.
• Default: This is to be used if the destination IP network address is not found in the direct or indirect entries.
The IP routing mechanism only considers the IP network address part of the destination address.
• netstat command
# netstat –rn
Routing tables
Destination        Gateway           Flags   Refs     Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default            10.47.0.1         UG        1 1994123  en0   -   -
10.47.0.0          10.47.1.33        UHSb      0       0  en0   -   -   =>
10.47/16           10.47.1.33        U         3 4981045  en0   -   -
10.47.1.33         127.0.0.1         UGHS      2  402161  lo0   -   -
10.47.255.255      10.47.1.33        UHSb      0       0  en0   -   -
127/8              127.0.0.1         U        15    6708  lo0   -   -

Route Tree for Protocol Family 24 (Internet v6):
::1                ::1               UH        1  387784  lo0   -   -
Notes:
• The destination address (host or network). If the destination is a network, the subnet mask is indicated by /XX, where XX is the number of bits in the network portion of the address.
• The gateway address of the next hop gateway.
• Flags:
- U: Up
- H: Route is to a host
- G: Route is to a gateway
- D: The route was created dynamically by a redirect
- M: The route has been modified by a redirect
- b: The route represents a broadcast address
• Groups: Provides a list of group IDs associated with that route.
Protocol Family 2 is IPv4; Family 24 is IPv6. The IPv6 entry shown is the IPv6 loopback address.
The -r flag shows routing statistics.
The -n flag displays the network address as an IP address. When this flag is not used, the addresses are displayed symbolically.
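The following is an added example, not part of the course material and not AIX code: it parses a netstat -rn listing of the shape shown above (the sample is constructed for the example, with one extra host route carrying the D flag) and then makes the direct / indirect / default decision described under "IP routing algorithm" with the same longest-match rule the kernel applies. Only the flag letters the notes list are decoded; the redirect_routes helper is the check an administrator would run to find table entries that were installed by ICMP redirects rather than by configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample laid out like the 'netstat -rn' display in the notes.  The
# 192.168.7.4 entry (flags UGHD) is a host route installed by an ICMP redirect.
SAMPLE_NETSTAT_RN = """\
Routing tables
Destination        Gateway           Flags   Refs     Use  If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
default            10.47.0.1         UG        1 1994123  en0   -   -
10.47.0.0          10.47.1.33        UHSb      0       0  en0   -   -   =>
10.47/16           10.47.1.33        U         3 4981045  en0   -   -
10.47.1.33         127.0.0.1         UGHS      2  402161  lo0   -   -
10.47.255.255      10.47.1.33        UHSb      0       0  en0   -   -
127/8              127.0.0.1         U        15    6708  lo0   -   -
192.168.7.4        10.47.0.9         UGHD      0      12  en0   -   -

Route Tree for Protocol Family 24 (Internet v6):
::1                ::1               UH        1  387784  lo0   -   -
"""

# Flag letters as documented in the notes; anything else is reported as unknown.
FLAG_MEANING = {
    "U": "up", "H": "route is to a host", "G": "route is to a gateway",
    "D": "created dynamically by a redirect", "M": "modified by a redirect",
    "b": "broadcast address",
}

@dataclass
class Route:
    dest: ipaddress.IPv4Network   # 'default' is stored as 0.0.0.0/0
    gateway: ipaddress.IPv4Address
    flags: str
    iface: str

def parse_dest(text):
    """AIX abbreviates network destinations: '10.47/16' is 10.47.0.0/16 and '127/8' is
    127.0.0.0/8.  A plain address without a prefix is a host route (/32)."""
    if text == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in text:
        addr, plen = text.split("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)
    return ipaddress.IPv4Network(text + "/32")

def parse_netstat_rn(output):
    """Return the IPv4 routes of a 'netstat -rn' listing; the IPv6 tree is skipped."""
    routes, in_ipv4 = [], False
    for line in output.splitlines():
        if line.startswith("Route Tree for Protocol Family"):
            in_ipv4 = "Family 2 " in line        # Family 2 is IPv4, Family 24 is IPv6
            continue
        cols = line.split()
        if not in_ipv4 or len(cols) < 6 or "U" not in cols[2]:
            continue                             # header, blank, or not a route line
        routes.append(Route(parse_dest(cols[0]), ipaddress.IPv4Address(cols[1]),
                            cols[2], cols[5]))
    return routes

def decode_flags(flags):
    return [FLAG_MEANING.get(f, "unknown flag " + f) for f in flags]

def lookup(routes, destination):
    """The routing decision from the notes: the most specific matching entry wins, so a
    host or network route beats the default route.  Returns (kind, next_hop, interface)
    with kind one of 'direct', 'indirect', 'default'; broadcast entries never carry traffic."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.dest and "b" not in r.flags]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.dest.prefixlen)
    if best.dest.prefixlen == 0:
        kind = "default"
    elif "G" in best.flags:
        kind = "indirect"
    else:
        kind = "direct"
    next_hop = best.gateway if "G" in best.flags else dst
    return kind, str(next_hop), best.iface

def redirect_routes(routes):
    """Entries carrying D or M were put there by ICMP redirects, not by an administrator;
    when comparing the live table with the intended configuration, review these first."""
    return [r for r in routes if "D" in r.flags or "M" in r.flags]
```

Run lookup(parse_netstat_rn(SAMPLE_NETSTAT_RN), "10.47.5.7") to see a direct delivery over en0, and lookup with 8.8.8.8 to see the default gateway 10.47.0.1 chosen because no more specific entry matches.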
Establishing routes
Figure: a routing table populated by implicit, static, and dynamic routes
Notes:
Implicit routes: The implicit method is performed when you configure an interface.
routing environment and dynamic routing protocols such as OSPF. ICMP sends redirect messages when a better route to a host is noted. ICMP redirects are only generated by
Static routing
• Manually updated
• Practical in small, stable networks
• Configured through SMIT (mkroute) or route command
• No daemons involved

                           Add Static Route
                                                       [Entry Fields]
  Destination TYPE                                      net                   +
* DESTINATION Address                                  [9.19.98]
       (dotted decimal or symbolic name)
* Default GATEWAY Address                              [9.19.99.1]
       (dotted decimal or symbolic name)
  COST                                                 [0]                    #
  Network MASK (hexadecimal or dotted decimal)         []
  Network Interface                                    []                     +
       (interface to associate route with)
  Enable Active Dead Gateway Detection?                 no                    +
  Is this a Local (Interface) Route?                    no                    +
  Policy (for Multipath Routing Only)                   Default (Global)      +
  Weight (for Weighted Multipath Routing Policy)       [1]                    #
  Apply change to DATABASE only                         no                    +
Notes:
With static routing, the routing table is maintained manually with the route command or through SMIT.
Route command
– Add a default gateway
# route add 0 9.19.99.20
– Add a host or network route
# route add 9.19.98.1 9.19.99.11
# route add –net 9.19.98/24 9.19.99.11
– Delete a host route
# route delete 9.19.98.1 9.19.99.11
Notes:
The route command allows you to make manual entries into the network routing tables. There are many additional options that can be specified at definition, some of which will be covered later. (See the route man page for further details.)
These entries are good only until the next system reboot unless they are entered into the /etc/rc.net file.
To delete a route, you must specify at minimum the destination and gateway of the existing route. If there are duplicate routes through the same gateway, you must specify additional attributes to make the request unique; for example, specifying the interface being used to depart the local host.
Routes can also be manipulated via SMIT (smit route). SMIT supports adding and deleting routes. To modify a route, you need to delete and redefine the route.
Dynamic routing
• This should automatically configure all routing tables properly.
• Implemented through ICMP redirects and formal routing protocols.
Figure: router1 and router2 exchanging routing information through dynamic routing protocols
Notes:
In larger networks, configuring all routing tables properly by hand will become tedious or even impossible. In this case, you will want to use dynamic routing. This means that your
message containing the IP address of the proper router to use back to the originating host. If the host is configured to accept ICMP redirects, it can use these messages to update its routing table.
• In more complex networks, ICMP redirects are not enough, and you will need special routing protocols which routing daemons on all routers use to exchange routing information with each other.
We are going to look at both solutions quickly, but as dynamic routing is beyond the scope of this course, we are not going to do any exercises with them.
• This allows every router to find the best route to a certain network.
• Basic algorithms:
– Vector distance: Only communicate with your neighbor routers and let them forward your information, with one hop added, to their neighbors.
– Link state: Communicate with all routers in your realm using IP multicasts.
• Protocols that implement these algorithms:
– RIP, RIPv2, OSPF, BGP, and so on
Notes:
When your network is large and you have a sizable number of routers, creating each routing table by hand becomes tedious or simply impossible. Additionally, ICMP redirects will not lead to a stable or optimal situation, particularly if multiple routes exist between two systems. In these situations, dynamic routing protocols are used.
A dynamic routing protocol generally works as follows: Each router runs a routing daemon. This daemon communicates with other routers in the network and transfers its own routing table (which, initially, only includes its implicit routes) to other routers. Based on the information that each router receives, they can deduce an accurate picture of the whole network and calculate the best route to each destination in the network. This information is then fed into the routing table and used for routing the IP packets.
This might seem simple, but in reality it is horribly complex. A lot of academic research has been done in this area, and currently there are two algorithms being used:
In the vector distance algorithm, each router only communicates with its neighbors, using broadcasts or direct unicasts. Routers update their own routing table with the information
received and transfer the whole routing table on to the next neighbor. That means each transfer from one router to another might include information about other routers as well.
In general, vector distance algorithms have two disadvantages.
• Convergence is slow. This means that it takes a while (up to 45 minutes) before a change in the network has propagated over all routers.
• The only metric that is being used is the hop count. If a low-bandwidth route to a destination takes three hops, but there is an alternative, high-bandwidth route available that takes five hops, then a vector distance algorithm will always use the three hop route.
When using link state algorithms, each router multicasts its own table of implicit routes to every other router in the network using IP multicasts. They do not transfer information obtained from others.
With every router receiving all implicit routes of every router directly, they can, with a little effort, construct a mental picture of the whole network. This is then used to calculate the shortest route to each and every final destination in the network.
The advantage of this is that since each router has complete knowledge of the network, routing does not have to be done based on hopcount alone. In fact, five different metrics can be used.
• The normal metric (hopcount)
• Minimize delay (lowest latency, preferred for interactive communication)
The disadvantage of link state algorithms is that they are a huge task to configure and maintain. There are several courses, both from IBM and other vendors, that spend days just covering the concepts and implementation of one specific link state protocol.
Based on these algorithms, several protocols have been designed which implement them. These protocols can be used in different situations and include RIP (Route Information Protocol), RIPv2, OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol).
On AIX you will find two daemons that implement these protocols: routed and gated. The routed daemon only implements RIP, while the gated daemon implements all current protocols including RIP, OSPF, and BGP.
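The two algorithm families above, as an added example (not course code and not what routed or gated actually run): a tiny vector distance exchange where each router learns only from what its neighbours advertise, next to a link state computation where every router has the full map and can run the shortest-path calculation with either the hopcount metric or the delay metric. The topology is constructed to reproduce the three-hop slow route versus five-hop fast route situation described in the notes; router names and delay values are assumptions.

```python
import heapq

# Constructed topology: (router, router, one-way delay in ms).  A-X-Y-B is three hops
# over slow links; A-P-Q-R-S-B is five hops over fast links.
LINKS = [("A", "X", 50), ("X", "Y", 50), ("Y", "B", 50),
         ("A", "P", 2), ("P", "Q", 2), ("Q", "R", 2), ("R", "S", 2), ("S", "B", 2)]

def adjacency(links):
    adj = {}
    for a, b, delay in links:
        adj.setdefault(a, {})[b] = delay
        adj.setdefault(b, {})[a] = delay
    return adj

def distance_vector(links):
    """Vector distance: a router knows nothing but its neighbours' advertised tables.
    Each round it takes every (destination, hops) a neighbour advertises, adds one hop,
    and keeps it if it is better.  Returns {router: {destination: (hops, next_hop)}}
    once a full round changes nothing (convergence)."""
    adj = adjacency(links)
    table = {r: {r: (0, None)} for r in adj}
    while True:
        changed = False
        for r in adj:
            for n in adj[r]:
                for dest, (hops, _) in list(table[n].items()):
                    if dest not in table[r] or hops + 1 < table[r][dest][0]:
                        table[r][dest] = (hops + 1, n)
                        changed = True
        if not changed:
            return table

def dv_path(table, src, dst):
    """Follow the next-hop pointers of the converged distance-vector tables."""
    path, cur = [src], src
    while cur != dst:
        cur = table[cur][dst][1]
        path.append(cur)
    return path

def link_state(links, src, dst, metric="delay"):
    """Link state: every router holds the full map, so it can run Dijkstra with whichever
    metric is wanted: 'hops' (the normal metric) or 'delay' (minimize latency).
    Returns (path, total metric)."""
    adj = adjacency(links)
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                    # stale heap entry
        for v, delay in adj[u].items():
            nd = d + (delay if metric == "delay" else 1)
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    path, cur = [dst], dst
    while cur != src:
        cur = prev[cur]
        path.append(cur)
    return path[::-1], dist[dst]
```

dv_path(distance_vector(LINKS), "A", "B") gives the three-hop route through X and Y because hop count is the only thing the neighbours ever advertised; link_state(LINKS, "A", "B", "delay") picks the five fast hops, and link_state(LINKS, "A", "B", "hops") shows that with the plain hopcount metric the two approaches agree.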
ICMP redirects
Figure: (1) sys5 sends an IP datagram with destination sys8 to sys4; (2) sys4 forwards the IP datagram on toward sys8 via sys6; (3) sys4 sends an ICMP redirect to sys5; (4) future IP datagrams from sys5 go via sys6 (sys4e and sys6e are the routers' other interfaces)
# no -a |grep -i directs
ipignoreredirects = 0
ipsendredirects = 1
Notes:
When there is a better choice of a router for sending messages through than the one the IP datagram was originally sent to, an ICMP redirect error message is generated which updates the sending host's routing tables. The process goes like this:
a. An IP datagram is sent from sys5 with a destination of sys8. sys5's routing table shows sys4 as the router.
b. sys4 checks its routing table and sees there is a closer router to sys8's network. It sends on the IP datagram to sys8.
c. Then sys4 sends an ICMP redirect message to sys5 which updates its routing table.
d. Future IP datagrams destined for sys8 go to the new router.
The ipsendredirects and ipignoreredirects network options are used to control how AIX handles ICMP redirects. These options can be set with the no command.
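The exchange in steps a through d, as an added example (a constructed model, not AIX code): sys5, sys4, sys6 and sys8 use the addresses from the routing exercise diagram later in this unit; sys5's default route via sys4 and sys4's route to the 201.64.23.0/24 network via sys6 are assumptions for the example. The router side honours ipsendredirects, the host side honours ipignoreredirects, so the same scenario can be run with redirects accepted and with them ignored.

```python
import ipaddress

class Node:
    """A host or router: interfaces, a routing table, and the two 'no' options that
    govern ICMP redirects.  Constructed model for illustration only."""

    def __init__(self, name, interfaces, routes, ipsendredirects=1, ipignoreredirects=0):
        self.name = name
        # interfaces: [(address, network)]; a router has one per attached network
        self.interfaces = [(ipaddress.IPv4Address(a), ipaddress.IPv4Network(n))
                           for a, n in interfaces]
        # routes: {network: gateway}; gateway None means a direct (interface) route
        self.routes = {ipaddress.IPv4Network(n): (ipaddress.IPv4Address(g) if g else None)
                       for n, g in routes.items()}
        self.ipsendredirects = ipsendredirects
        self.ipignoreredirects = ipignoreredirects
        self.learned = []      # host routes installed by redirects (netstat shows UGHD)

    def next_hop(self, dst):
        """Longest-prefix match; a direct route delivers to dst itself, else to the gateway."""
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None
        gw = self.routes[max(matches, key=lambda n: n.prefixlen)]
        return dst if gw is None else gw

    def network_of(self, addr):
        return next((net for _, net in self.interfaces if addr in net), None)

    def receive_redirect(self, dst, gw, log):
        """Host side of the exchange: with ipignoreredirects=1 the message is discarded."""
        if self.ipignoreredirects:
            log.append(f"{self.name}: ICMP redirect for {dst} ignored (ipignoreredirects=1)")
            return
        self.routes[ipaddress.IPv4Network(f"{dst}/32")] = gw
        self.learned.append((str(dst), str(gw)))
        log.append(f"{self.name}: host route {dst} via {gw} installed")

def deliver(nodes, sender, dst, log, max_hops=8):
    """Forward one datagram hop by hop.  A router whose next hop lies on the same network
    the sender is on tells the sender so with an ICMP redirect (if ipsendredirects=1)
    and forwards the datagram anyway.  Returns the names of the nodes traversed."""
    by_addr = {a: node for node in nodes for a, _ in node.interfaces}
    dst, src = ipaddress.IPv4Address(dst), sender.interfaces[0][0]
    current, hop, path = sender, sender.next_hop(dst), [sender.name]
    for _ in range(max_hops):
        nxt = by_addr.get(hop)
        if nxt is None:
            log.append(f"{current.name}: no route to {dst}")
            return path
        path.append(nxt.name)
        if hop == dst:
            log.append(f"{nxt.name}: datagram from {src} delivered")
            return path
        onward = nxt.next_hop(dst)
        if (nxt.ipsendredirects and current is sender and onward is not None
                and nxt.network_of(onward) == nxt.network_of(src)):
            log.append(f"{nxt.name}: ICMP redirect to {src}: use {onward} for {dst}")
            sender.receive_redirect(dst, onward, log)
        current, hop = nxt, onward
    return path

def build(ignore_redirects):
    """Topology with the exercise diagram's addresses; the routes are assumptions."""
    sys5 = Node("sys5", [("135.9.19.5", "135.9.0.0/16")],
                {"135.9.0.0/16": None, "0.0.0.0/0": "135.9.19.4"},
                ipignoreredirects=ignore_redirects)
    sys4 = Node("sys4", [("135.9.19.4", "135.9.0.0/16"), ("5.10.10.4", "5.0.0.0/8")],
                {"135.9.0.0/16": None, "5.0.0.0/8": None, "201.64.23.0/24": "135.9.19.6"})
    sys6 = Node("sys6", [("135.9.19.6", "135.9.0.0/16"), ("201.64.23.6", "201.64.23.0/24")],
                {"135.9.0.0/16": None, "201.64.23.0/24": None})
    sys8 = Node("sys8", [("201.64.23.8", "201.64.23.0/24")], {"201.64.23.0/24": None})
    return [sys5, sys4, sys6, sys8], sys5

def run(ignore_redirects):
    """Send two datagrams sys5 -> sys8; returns both paths, what sys5 learned, and the log."""
    nodes, sys5 = build(ignore_redirects)
    log = []
    first = deliver(nodes, sys5, "201.64.23.8", log)
    second = deliver(nodes, sys5, "201.64.23.8", log)
    return first, second, sys5.learned, log
```

With ipignoreredirects=0 the first datagram travels sys5, sys4, sys6, sys8 and the second goes straight to sys6; with ipignoreredirects=1 both take the long way and the table stays as configured. Because a redirect is an unauthenticated message that rewrites a host's routing table, a host with a deliberately static configuration usually runs with redirects ignored, and the D and M flags in netstat -rn are how you spot entries that arrived this way.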
• The maximum transmission unit (MTU) is the largest size packet that can be transmitted on a particular network, without fragmentation.
– Different networks can have different MTU values.
• Path MTU is the smallest MTU of any network path between two hosts.
• The goal of path MTU discovery is to prevent IP packet fragmentation at the router.
– Fragmenting packets at the router is inefficient.
Figure: Net 1 (MTU 9000) - R - Net 2 (MTU 1500) - R - Net 3 (MTU 9000); PMTU for Net 3 set to 1500
Notes:
Maximum Transmission Unit (MTU): The MTU of a network is the largest packet size for that network. For example, the MTU for standard Ethernet is 1500 bytes but is often set to 9000 bytes by enabling the jumbo frames attribute. For locally connected destinations, the MTU attribute of the network interface is used by the IP protocol to determine the size of outgoing packets.
Path MTU: For remote destinations, AIX supports a path MTU discovery algorithm as described in RFC 1911. If a PMTU value exists for a route, the IP protocol will fragment the packet to fit within the PMTU value before sending it. It is much more efficient to fragment the packet at the sender than to have packets be fragmented by routers along the path to the destination.
dst               gw               If    pmtu   refcnt   redisc_t   exp
-------------------------------------------------------------------------
10.30.5.120       10.6.119.254     en0   1500   1        15         0
80.1.205.104      10.6.119.254     en0   1500   1        11         0
• To list or change PMTU options, use the no command:
# no –a |grep pmtu
pmtu_default_age = 10
pmtu_expire = 10
pmtu_rediscover_interval = 30
tcp_pmtu_discover = 1
udp_pmtu_discover = 1
Notes:
The pmtu command is provided to manage and display the path MTU table. By default, the IPv4 pmtu entries are displayed. IPv6 pmtu entries can be displayed using the -inet6 flag. The reference count (refcnt) signifies the number of current TCP and UDP applications using this PMTU entry. The rediscover time (redisc_t entry) signifies the amount of time
value is 10 minutes.
• Since routes can change dynamically, the path MTU value for a path might also change over time. Decreases in the path MTU value will result in packet fragmentation, so discovered path MTU values are periodically checked for decreases. By default, decreases are checked every 10 minutes, and this value can be changed by modifying the value of the pmtu_default_age option.
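Path MTU and fragmentation, as an added example (constructed model, not the AIX IP stack): the path MTU is the smallest MTU along the path, and IPv4 fragments carry their payload in 8-byte units because the fragment offset field counts in eighths. Walking a 9000-byte datagram through the Net 1 / Net 2 / Net 3 figure shows where fragmentation happens with and without a PMTU entry for the route; the datagram size and the 20-byte header are assumptions.

```python
IP_HEADER = 20   # IPv4 header without options

def path_mtu(mtus):
    """Path MTU is the smallest MTU of any network on the path."""
    return min(mtus)

def fragment(total_length, mtu, ip_header=IP_HEADER):
    """Split one IPv4 datagram into fragments that fit the MTU.  Every fragment but the
    last carries a payload that is a multiple of 8 bytes (offsets are in 8-byte units).
    Returns (offset_in_8byte_units, payload_length, more_fragments) per fragment."""
    payload = total_length - ip_header
    if total_length <= mtu:
        return [(0, payload, False)]
    chunk = (mtu - ip_header) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append((off // 8, n, off + n < payload))
        off += n
    return frags

def traverse(total_length, mtus, pmtu_known):
    """Send one datagram across the listed networks.  With a PMTU entry the sender
    fragments once, to the path MTU; without one, the router in front of the small-MTU
    network has to do it.  Fragments are only reassembled at the destination, so they are
    carried through the remaining networks unchanged.  Returns (events, sizes on arrival)."""
    datagrams = [total_length]
    events = []
    if pmtu_known:
        datagrams = [IP_HEADER + n for _, n, _ in fragment(total_length, path_mtu(mtus))]
        events.append(("sender", len(datagrams)))
    for i, mtu in enumerate(mtus, start=1):
        out = []
        for size in datagrams:
            if size > mtu:
                out.extend(IP_HEADER + n for _, n, _ in fragment(size, mtu))
            else:
                out.append(size)
        if len(out) != len(datagrams):
            events.append((f"router before net{i}", len(out)))
        datagrams = out
    return events, datagrams
```

traverse(9000, [9000, 1500, 9000], pmtu_known=True) reports the seven fragments being built by the sender and nothing happening at the routers; with pmtu_known=False the same seven fragments are built by the router in front of Net 2, which is the work the notes describe as inefficient.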
Exercise: Routing
Figure: three networks joined by the routers sys4 (sys4e) and sys6 (sys6e)
  Network 5.0.0.0, subnet mask = 255.0.0.0: sys1 5.10.10.1, sys2 5.10.10.2, sys3 5.10.10.3, sys4e 5.10.10.4
  Network 135.9.0.0, subnet mask = 255.255.0.0: sys5 135.9.19.5, sys4 135.9.19.4, sys6 135.9.19.6, sys7 135.9.19.7
  Network 201.64.23.0, subnet mask = 255.255.255.0: sys8 201.64.23.8, sys9 201.64.23.9, sys6e 201.64.23.6, sys10 201.64.23.10
Notes:
Take a few minutes and try to write out the routing table for each host you see in the picture so that each host can communicate with each other host. Your instructor has the answers.
– Disables hostname lookups
• route, netstat -r displays the routing table.
– Read carefully!
• ping -R records the route traveled by a ping.
– Only works when the route is intact
– Limited to nine entries
• traceroute uses packets with incremental TTL to determine where a route breaks.
– Useful in problem determination
– Might not work if filters or firewalls are involved
• Remember that routing is needed in both directions!
Notes:
Debugging routing problems is one of the hardest tasks in debugging network problems. The absolute first prerequisite is to know the network. You have to know what networks are connected to other networks by which router and which IP addresses are used throughout the network. It is extremely useful to draw maps of the network on a whiteboard or flipchart
to networking (route, netstat, ping, traceroute) and prevents the command from doing a reverse DNS lookup (determining the host or network name for a given IP address). Apart from showing you the IP addresses instead of hostnames, it also isolates any DNS problems you might have.
As seen before, the route and netstat -r commands both show the routing table. This is extremely useful provided that you know how to interpret the table and that you read it very carefully.
We have seen the ping command already. The -R flag tells ping to record the route that the packet has traveled in the IP header and to show that route when the reply comes in.
There is one thing you need to know about this. The number of routers that can be recorded in the IP header is limited to nine.
The traceroute command appears to work the same as ping -R, but that is not true. ping -R sends one packet the whole way and waits for the reply to come in. Only then is the route shown. This means that if one of the routers or the final destination has problems, no reply comes in and nothing can be shown. traceroute, in contrast, works differently. It sends a UDP packet to the destination using a destination port which is known to be not in use, but configures a time to live (TTL) of one. When this packet arrives at the first router, the router decreases the TTL with one, yielding zero, and discards the packet as per IP protocol requirements. It also returns an ICMP Time Exceeded message to the origin of the packet. traceroute duly records this, and then sends a UDP packet with a TTL of two. This packet is discarded at the second router, which returns ICMP Time Exceeded. This process goes on until the UDP packet arrives at the final destination, which sends back an ICMP Port Unreachable. Then traceroute knows that the destination has been reached and quits. The advantage of traceroute is that it will give you information even if the final destination or an intermediate router is having problems.
Finally, remember that routing is needed in both directions. It is not enough if your ping (ICMP echo request) arrives at the destination. For you to see anything, the ping reply (ICMP echo reply) must also traverse back through the network.
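The ping -R versus traceroute behaviour described above, as an added example (a constructed simulation, not the AIX commands): a path of routers where one can be marked down, probes that decrement the TTL at each router, ICMP Time Exceeded from the router that hits zero and ICMP Port Unreachable from the destination, and the nine-address limit of the record route option. Router names and the choice to stop after three silent probes are assumptions made for the example.

```python
# Constructed path: (router name, is_up).  The destination host is handled separately.
ROUTERS_R3_DOWN = [("r1", True), ("r2", True), ("r3", False)]
DEST = "dest"

def send_probe(routers, ttl, dest_up=True):
    """One traceroute probe: a UDP datagram to an unused port with the given TTL.
    Each router subtracts one; the router that reaches zero discards the datagram and
    answers ICMP Time Exceeded.  The destination answers ICMP Port Unreachable.
    A dead router (or dead destination) swallows the probe and nothing comes back."""
    for name, up in routers:
        if not up:
            return None
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", name)
    return ("port-unreachable", DEST) if dest_up else None

def traceroute(routers, dest_up=True, max_ttl=30, give_up_after=3):
    """Raise the TTL one at a time and record who answered ('*' for silence).  A real
    traceroute keeps probing up to max_ttl; giving up after a few silent hops is a
    simplification for the example.  Hops before a failure are still reported."""
    hops, silent = [], 0
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(routers, ttl, dest_up)
        if reply is None:
            hops.append("*")
            silent += 1
            if silent >= give_up_after:
                break
            continue
        silent = 0
        kind, who = reply
        hops.append(who)
        if kind == "port-unreachable":
            break
    return hops

def ping_record_route(routers, dest_up=True, reply_route_ok=True, slots=9):
    """ping -R: one echo request carries the IP record route option, which has room for
    nine addresses.  The route is only visible if the echo reply makes it back, so a dead
    hop, a dead destination, or a broken return route means nothing is shown at all."""
    recorded = []
    for name, up in routers:
        if not up:
            return None
        if len(recorded) < slots:
            recorded.append(name)
    if not dest_up or not reply_route_ok:
        return None
    return recorded
```

traceroute(ROUTERS_R3_DOWN) still tells you that r1 and r2 are reachable before the silence starts, whereas ping_record_route(ROUTERS_R3_DOWN) returns nothing, which is exactly the difference the notes make.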
Checkpoint
creation of this route?
a. Dynamic
b. Implicit
c. Static (or explicit)
2. True or False: The route -f (or route flush) command deletes all routes.
Notes:
Unit summary
• Describe the concept of routing
• Explain the IP routing algorithm
• List the types of routes in the route table
• Configure static routes
• Discuss dynamic routing
• Discuss troubleshooting routing problems
Notes:
What you should be able to do
After completing this unit, you should be able to:
• Understand and configure routing for availability and load balancing (multi-path routing with dead gateway detection)
• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and EtherChannel
• Combine both GFF and LA technologies to achieve the highest levels of availability
How you will check your progress
• Checkpoint questions
• Lab exercises
Unit objectives
• Understand and configure routing for availability and load balancing (multi-path routing with dead gateway detection)
• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and EtherChannel
• Combine both GFF and LA technologies to achieve the highest levels of availability
Notes:
Recovery time   Failure level      Technology
3 mins          Host / Node        PowerHA (application recovery)
3 mins          Network            PowerHA (application recovery)
20-30 secs      Adapter            PowerHA (application recovery)
8 secs          Routing            Multipath Routing, DGD
250ms-2secs     Switch / Adapter   Link aggregation, EtherChannel
3 ms            Port               Gigabit fast failover (GFF)
Notes:
Within Power systems and AIX, PowerHA is the key to maintaining application availability. Failover recovery times largely depend on the infrastructure and the application
• Physical Ethernet adapter (NIC): Typically 20-30 seconds (depending on the RSCT topology settings)
• Network: 3 minutes
• Node: 3 minutes
• Site: 3 to 15 minutes (could be greater, depending on the distance between sites and
EtherChannel and GFF are networking technologies which reside at lower levels and have much faster recovery times than PowerHA or MPR. In fact, all three technologies can be combined together to provide the maximum levels of availability.
A common form of network interruptions is loose cabling or cable malfunctions (especially delicate fiber cables). GFF, a technology that can be used with IBM dual port adapters, can protect against this with only 3 ms recovery time. Link aggregation can further help protect against the loss of the physical adapter, the path to the switch, or the loss of a switch.
Figure 1: Host 10.47.1.18 with Default Router1 10.47.0.1 as primary and Default Router2 10.47.0.254 as backup
Figure 2: Host 10.47.1.18 with Default Router1 10.47.0.1 and Default Router2 10.47.0.254 both primary
Notes:
Since AIX5L, it has been possible to configure multiple routes to the same destination. This configuration is known as multipath routing (MPR). MPR allows us to load balance between gateways or prioritize paths (using the weight and cost options). MPR also allows us to do dead gateway detection (DGD). This allows the system to dynamically change the weight
considerations). The less desirable route is only used for backup in case the preferred route fails. All traffic should use the primary route unless it is not available, in which case traffic should be routed over the backup route.
The second example has two routes of equal desirability. In this situation connections would be load-balanced between both routes in order to improve available bandwidth. If one of them fails, all traffic will be routed over the remaining path, thus providing availability though at a reduced bandwidth.
– Depends on the following routing metrics:
• Cost
– Set using the route command
• MPR policy
– Set using the no command
• Weight
– Set using the route command
Figure: Host 10.47.1.18 asking "Which path should I take?" between Default Router1 10.47.0.1 and Default Router2 10.47.0.254
Notes:
When a host has multiple paths to the same destination a decision must be made as to which path to take. The first metric which is checked is the cost (hopcount). The route with the lowest cost is the highest priority. If all costs are equal the MPR policy is used to determine the path. The weight metric can be used to influence the outcome in certain
# no –o mpr_policy=<code>
• (code 1) Weighted round-robin:
– Selects routes on a round-robin basis, but biases how often each is selected based on the weight.
• (code 2) Random:
– Selects a route at random.
• (code 3) Weighted random:
– Selects a route at random, but biases how often each is selected based on the weight.
• (code 4) Lowest utilization:
– Selects a route with the minimum number of current connections going through it.
• (code 5) Hash-based:
– Selects a route by hashing based on the destination IP address.
Notes:
The mpr_policy determines the policy that will be used. The default policy is weighted round robin (WRR) which behaves just like round-robin when the weights are all 1. There are five MPR policies to choose from (as stated in the mpr_policy help display):
• Weighted round-robin (1): Based on user-configured weights assigned to the multiple routes (through the route command) where round-robin is applied. If no weights are configured, it behaves identical to plain round-robin.
number is zero. This picks a route in the range of the total number of routes available.
• Lowest utilization (4): Chooses a route with the minimum number of current connections going through it.
• Hash-based (5): Hash-based algorithm chooses a route by hashing based on the destination IP address.
To change the MPR policy type: # no –o mpr_policy=<number>
MPR metrics
IBM Power Systems
• Costs and weights can be set with route command and viewed with
netstat -C.
– Cost (-hopcount option): The smaller the number, the higher the priority.
– Weight (-weight option): The larger the number, the higher the priority.
– Cost takes precedence; MPR policy and weight only used when routes have
equal cost.
# route add 1/8 18.1.1.254 -weight 2 -hopcount 1
# route add 1/8 18.1.1.1 -weight 3 -hopcount 5
# netstat -Cn
Routing tables
Destination      Gateway           Flags   Wt  Policy  If   Cost  Config_Cost
Route Tree for Protocol Family 2 (Internet):
default          10.6.119.254      UG      1   -       en0  0     0
1/8              18.1.1.254        UG      2   WRR     en5  1     1     =>
1/8              18.1.1.1          UG      3   -"-     en5  5     5
Notes:
Each route has a cost and a weight (Wt) field. You can also see the policy defined for the
route.
Cost takes precedence, with the lowest cost route being selected. If there is more than one
lowest cost route (equal costs), then the MPR policy determines the algorithm to load
balance between them. Some of the MPR policies (such as the default Weighted
Round-Robin policy) use the route weights as a factor.
The visual shows a netstat display of the routing table where two routes are defined with
different gateways to the same destination, and having different weights and costs. Notice
that the route report indicates that one route is an alternate path by displaying the => string.
7-8 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
V8.2
Student Notebook
– Works on a best effort basis
– Configured using the no command
• To turn on: # no -p -o passive_dgd=1
• dgd_packets_lost: Number of TCP packets lost before DGD removes ARP
entry
• dgd_retry_time: After dgd_retry_time minutes, cost is restored to
Config_Cost
• Active DGD
– Set on a per route basis (-active_dgd)
– Use ping to detect gateway loss
– Behavior configured globally through the no command
• dgd_ping_time: How often to ping the gateway (in seconds)
• dgd_packets_lost: The number of packets that must be lost before the cost
is raised for all routes using this gateway
Notes:
The dead gateway detection (DGD) feature in AIX implements a mechanism for hosts
to detect a dysfunctional gateway, adjust its routing table accordingly, and reroute
network traffic to an alternate backup route if available. DGD is generally most useful for
hosts that use static rather than dynamic routing. There are two methods of DGD, active
and passive.
requests to a gateway, that gateway is assumed to be down, and the distance metrics
(also known as hopcount or cost) for all routes using that gateway are raised to the
maximum possible value. After dgd_retry_time minutes have passed, the route's costs
are restored to their user-configured values. The host also takes action based on failing
TCP connections. If consecutive dgd_packets_lost TCP packets are lost, the ARP
entry for the gateway in use is deleted and the TCP connection tries the next-best route.
The next time the gateway is used, the above actions take place if the gateway is
actually down. The passive_dgd, dgd_packets_lost, and dgd_retry_time
parameters can all be configured using the no command.
Passive dead gateway detection has low overhead and is recommended for use on any
network that has redundant gateways. However, passive dead gateway detection is
done on a best-effort basis only. Some protocols, such as UDP, do not provide any
feedback to the host if a data transmission is failing. In this case no action can be taken
by passive dead gateway detection.
Active dead gateway detection
Hosts can also be configured to use active dead gateway detection on a per-route basis
with the -active_dgd flag of the route command. Active dead gateway detection pings
all gateways used by routes for which it is enabled every dgd_ping_time seconds. If no
response is received from a gateway, it is pinged more rapidly up to dgd_packets_lost
times. If still no response is received, the costs of all routes using that gateway are
raised. The gateway continues to be pinged and, if a response is eventually received,
the costs on the routes are restored to their user-configured values. The
dgd_ping_time parameter can be configured using the no command.
Active dead gateway detection is most useful when a host must immediately discover
when a gateway goes down. Since it queries each gateway for which it is enabled every
few seconds, there is some network overhead associated with its use. Active dead
gateway detection is recommended only for hosts that provide critical services on
networks with a limited number of hosts.
MPR scenario
IBM Power Systems
lpar 1 # route add -net 18/8 1.1.1.1
lpar 1 # route add -net 18/8 1.1.1.254
lpar 2 # route add -net 1/8 18.1.1.1
lpar 2 # route add -net 1/8 18.1.1.254
(diagram: lpar1 at 1.1.1.100 on the 1/8 network and lpar2 at 18.1.1.100 on the 18/8 network, joined by router1 with 1.1.1.1 / 18.1.1.1 and router2 with 1.1.1.254 / 18.1.1.254; the netstat columns are labelled weight, policy and cost)
lpar 1 # netstat -C |grep 18/8
18/8             1.1.1.254         UG      1   WRR     en5  0     0     =>
18/8             1.1.1.1           UG      1   -"-     en5  0     0
lpar 2 # netstat -C |grep 1/8
1/8              18.1.1.254        UG      1   WRR     en5  0     0     =>
1/8              18.1.1.1          UG      1   -"-     en5  0     0
Notes:
The following tests based on this scenario are used to demonstrate the effect of
multi-pathing metrics.
There are two networks (network 1 and network 18) each with a non-routing host. There
are two routers that are available to route traffic between the two networks.
All the necessary routes are defined for the hosts to use either gateway. Initially they are
• First ping
lpar 1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
• Second ping
lpar 1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
Notes:
The IP addresses recorded by the ICMP echo request and echo reply are the departing
interfaces on each hop.
During the first ping, the outgoing path is always to router 1 (18.1.1.1). On the return, lpar2
alternates which router is sent the echo reply packet (1.1.1.1 or 1.1.1.254). During the
second ping, router 2 is always chosen for the outgoing path route, while the echo replies
show the same alternating path (1.1.1.1 or 1.1.1.254) behavior as on the first ping.
Test 2: Weights (1 of 3)
IBM Power Systems
lpar 2 # route set 1/8 18.1.1.254 -weight 3
lpar 2 # netstat -C |grep 1/8
1/8              18.1.1.254        UG      3   WRR     en5  0     0     =>
1/8              18.1.1.1          UG      2   -"-     en5  0     0
Notes:
For the second test case, we will set the weights to be different for the two routes. The
route using router 1 is given a weight of 2. The route using router 2 is given a weight of 3.
The route subcommand being used here is set. This is useful
for changing route characteristics without having to delete and redefine the route.
Test 2: Weights (2 of 3)
IBM Power Systems
• First ping
lpar 1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.1
        1.1.1.100
Notes:
As before, all outgoing echo requests are bound to a single route (via router 2 in this case).
The first echo reply used router 1 (1.1.1.1).
The second echo reply used router 2 (1.1.1.254), as did the next 2 packets - for a total of 3
consecutive echo replies using router 2.
The fifth echo reply used router 1, as did the next packet - for a total of 2 consecutive echo
replies using router 1.
The seventh echo reply used router 2, as did the next 2 packets - for a total of 3
Test 2: Weights (3 of 3)
IBM Power Systems
• Second ping
lpar 1 # ping -R 18.1.1.100
PING 18.1.1.100: (18.1.1.100): 56 data bytes
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
Notes:
The second ping produces exactly the same results; however, the output shows router 1 is
chosen on the outbound path.
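The weighted round-robin distribution seen in the Test 2 echo replies can be modelled with a short script. The following is an added example written for these notes, not code from the course or from AIX. It assumes that WRR sends <weight> consecutive packets over each equal-cost route before moving to the next one, which is the pattern observed above (2 replies via router 1, then 3 via router 2, repeating); the gateway addresses and weights are the Test 2 values from lpar2's routing table. The script only models the selection, it does not read or change a routing table.

```shell
#!/bin/sh
# Added example (not from the course): model of AIX weighted round-robin (WRR)
# multipath selection. Assumption: each equal-cost route carries <weight>
# consecutive packets before the next route is taken, the pattern seen in the
# Test 2 echo replies. Routes are "gateway:weight" pairs (constructed input,
# values taken from the lpar2 table in Test 2: router 1 weight 2, router 2 weight 3).
ROUTES="18.1.1.1:2 18.1.1.254:3"

# wrr_sequence N -> prints the gateway chosen for each of N packets, one per line
wrr_sequence() {
    n=$1
    awk -v n="$n" -v routes="$ROUTES" '
    BEGIN {
        cnt = split(routes, r, " ")
        for (i = 1; i <= cnt; i++) {
            split(r[i], f, ":"); gw[i] = f[1]; wt[i] = f[2]
        }
        i = 1; used = 0                 # current route and packets sent on it
        for (p = 0; p < n; p++) {
            print gw[i]
            used++
            # after <weight> packets move to the next route, wrapping round
            if (used >= wt[i]) { used = 0; i = (i % cnt) + 1 }
        }
    }'
}

# wrr_share N GATEWAY -> how many of the first N packets go via GATEWAY
wrr_share() {
    wrr_sequence "$1" | grep -cxF "$2"
}

# Usage: with weights 2:3, 10 packets split 4 via router 1 and 6 via router 2
wrr_sequence 10
wrr_share 10 18.1.1.254
```

Changing the weights in ROUTES (or adding a third gateway) shows how the share of traffic follows the configured weights; on the real host the equivalent change is made with route set ... -weight and checked with netstat -C, and the policy itself with no -o mpr_policy=1.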
Test 3: Cost (1 of 2)
IBM Power Systems
lpar 1 # route delete 18/8 1.1.1.254
lpar 1 # route add -net 18/8 1.1.1.254 -hopcount 1
lpar 1 # netstat -C |grep 18/8
18/8             1.1.1.1           UG      1   WRR     en5  0     0     =>
18/8             1.1.1.254         UG      1   -       en5  1     1
Notes:
For this test case, the route using router 2 for the outgoing first hop is modified to have a
higher cost than the route using router 1.
Test 3: Cost (2 of 2)
IBM Power Systems
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=10 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
Notes:
Setting the cost to 1 for the route to router2 results in the route to router1 becoming the
highest priority. However, if router1 were to fail, the host will not use the alternative path.
lpar 1 # route delete 18/8 1.1.1.254
lpar 1 # route add -net 18/8 1.1.1.1 -active_dgd
lpar 1 # route add -net 18/8 1.1.1.254 -hopcount 1 -active_dgd    #note: backup route
lpar 1 # netstat -Cn |grep 18/8
18/8             1.1.1.1           UGA     1   WRR     en5  1     1     =>
18/8             1.1.1.254         UGA     1   -"-     en5  0     0
lpar 2 # route delete 1/8 18.1.1.1
lpar 2 # route delete 1/8 18.1.1.254
lpar 2 # route add -net 1/8 18.1.1.1 -active_dgd
lpar 2 # route add -net 1/8 18.1.1.254 -hopcount 1 -active_dgd    #note: backup route
lpar 2 # netstat -Cn |grep 18/8
1/8              18.1.1.1          UGA     1   WRR     en5  1     1     =>
1/8              18.1.1.254        UGA     1   -"-     en5  0     0
Notes:
In this test case, the alternate routes are both defined to use active dead gateway detection
(DGD). This will cause AIX to periodically (every 5 seconds by default) send an echo request
to the gateway defined for that route, to determine its usability. If the gateway is not accessible
over that route, the effective cost of that route is changed to make it a high cost route.
This would not be helpful if only the one host used it, since the other host could continue to
select the preferred (but inoperative) router with the lower defined cost. Thus the visual
shows that active DGD is also being enabled on the other host.
The flag value of A indicates that this route is using active DGD.
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=6 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=7 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=8 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=9 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=10 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=11 ttl=254 time=0 ms (same route)
(Router 1 disconnected from network)
64 bytes from 18.1.1.100: icmp_seq=19 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=20 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=21 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=22 ttl=254 time=0 ms (same route)
The cost of the highest priority route is set to MAX to enable the secondary route.
lpar 1 # netstat -C |grep 18/8
18/8             1.1.1.254         UG      1   -       en5  1     1     =>
18/8             1.1.1.1           UG      1   -       en5  MAX   0
Notes:
The ping shows the outbound and inbound path to destination via router1 (1.1.1.1).
Router1 is disconnected from the network. The system (using active DGD) detects the loss
and increases the effective cost to MAX. This makes the backup route using router2
(1.1.1.254) the lowest cost route. This, in turn, results in the selection of the backup route
for the connection. The same occurs at the other host, which results in the selection of the
backup route for each echo reply.
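The MPR metrics notes state that cost takes precedence, and the DGD tests show a dead gateway's route at Cost MAX while Config_Cost keeps the user-configured value. The following is an added example, not code from the course or from AIX: a POSIX shell script that reads a netstat -Cn listing, reports routes whose effective Cost differs from Config_Cost (routes that DGD has demoted) and picks the lowest-cost gateway for a destination. The routing table is a constructed sample in the column layout shown on the slides; the column positions and the literal MAX string are assumptions taken from that layout. On a live AIX host the listing would come from netstat -Cn.

```shell
#!/bin/sh
# Added example (not from the course): inspect a netstat -C listing for routes
# that dead gateway detection has demoted (Cost differs from Config_Cost) and
# work out which gateway the host will actually use. Assumption: the column
# layout "Destination Gateway Flags Wt Policy If Cost Config_Cost" shown on
# the slides, with the literal MAX marking a demoted route.

# Constructed sample: the lpar1 table after router 1 (1.1.1.1) was disconnected.
SAMPLE='Routing tables
Destination      Gateway           Flags   Wt  Policy  If   Cost  Config_Cost
Route Tree for Protocol Family 2 (Internet):
default          10.6.119.254      UG      1   -       en0  0     0
18/8             1.1.1.254         UG      1   -       en5  1     1     =>
18/8             1.1.1.1           UG      1   -       en5  MAX   0'

# dgd_demoted TABLE -> "dest gateway cost config_cost" for every route whose
# effective cost no longer matches the configured one (DGD raised it).
dgd_demoted() {
    printf '%s\n' "$1" | awk '
        # data rows have at least 8 fields and a Flags field starting with U (up)
        NF >= 8 && $3 ~ /^U/ && $7 != $8 { print $1, $2, $7, $8 }'
}

# preferred_gateway TABLE DEST -> gateway(s) of the lowest-cost route(s) to DEST.
# MAX is treated as larger than any numeric cost, so a demoted gateway is only
# chosen when no healthy route to DEST remains. Equal-cost gateways are all
# listed, since the MPR policy (not cost) decides between them.
preferred_gateway() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        NF >= 8 && $3 ~ /^U/ && $1 == dest {
            c = ($7 == "MAX") ? 1e9 : $7 + 0
            if (best == "" || c < best) { best = c; gws = $2 }
            else if (c == best)        { gws = gws " " $2 }
        }
        END { print gws }'
}

# Usage
dgd_demoted "$SAMPLE"              # 18/8 1.1.1.1 MAX 0
preferred_gateway "$SAMPLE" 18/8   # 1.1.1.254
```

Run periodically (or from a monitoring agent), a non-empty result from dgd_demoted is the signal that a gateway has been declared dead; without such a check the switch to the backup route is silent, which is exactly what makes these tests hard to observe on a production host.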
• Active DGD is removed from all routes and passive DGD is enabled:
lpar 1 # route delete 18/8 1.1.1.1
lpar 1 # route delete 18/8 1.1.1.254
lpar 1 # route add -net 18/8 1.1.1.1
lpar 1 # route add -net 18/8 1.1.1.254 -hopcount 1    #note: backup route
lpar 1 # no -o passive_dgd=1
lpar 1 # netstat -Cn |grep 18/8
18/8             1.1.1.1           UG      1   WRR     en5  1     1     =>
18/8             1.1.1.254         UG      1   -"-     en5  0     0
lpar 2 # route delete 1/8 18.1.1.1
lpar 2 # route delete 1/8 18.1.1.254
lpar 2 # route add -net 1/8 18.1.1.1
lpar 2 # route add -net 1/8 18.1.1.254 -hopcount 1    #note: backup route
lpar 2 # no -o passive_dgd=1
lpar 2 # netstat -Cn |grep 18/8
1/8              18.1.1.1          UG      1   WRR     en5  1     1     =>
1/8              18.1.1.254        UG      1   -"-     en5  0     0
Notes:
For this test case, one route is given a higher cost forcing the selection of the other route.
Active DGD is not enabled on the routes. Instead the no command is used to globally
Passive DGD does not actively ping the router and thus has lower overhead. Instead it
waits for other protocols to notify it of an outage. This involves either TCP connections over
that router reporting excessive retries, or ARP timing out the ARP entry for the router and
active DGD.
64 bytes from 18.1.1.100: icmp_seq=0 ttl=254 time=0 ms
RR:     18.1.1.1
        18.1.1.100
        1.1.1.1
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=1 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=2 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=3 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=4 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=5 ttl=254 time=0 ms (same route)
(Router 1 disconnected from network)
64 bytes from 18.1.1.100: icmp_seq=31 ttl=254 time=0 ms
RR:     18.1.1.254
        18.1.1.100
        1.1.1.254
        1.1.1.100
64 bytes from 18.1.1.100: icmp_seq=32 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=33 ttl=254 time=0 ms (same route)
64 bytes from 18.1.1.100: icmp_seq=34 ttl=254 time=0 ms (same route)
The cost of the highest priority route is set to MAX to enable the secondary route.
lpar 1 # netstat -C |grep 18/8
18/8             1.1.1.254         UG      1   -       en5  1     1     =>
18/8             1.1.1.1           UG      1   -       en5  MAX   0
Notes:
Test five demonstrates a repeat of test four using passive DGD. The delay in detecting the loss
of the route is significantly longer in this case: 26 packets were lost.
– Not supported on the IVE adapters
• Averages 3 milliseconds downtime on loss of primary port (zero
disruption)
• Can be combined with link aggregation and PowerHA for the highest
levels of network availability
• No switch configuration required
(diagram: host with primary port ent0 connected to switch1 and backup port ent1 connected to switch2)
Notes:
The gigabit Ethernet fast failover device driver provides autonomous self healing adapter
ports to increase network availability and minimize interruptions in mission critical
environments. The millisecond failover time was designed as a migration path for dual ring
FDDI users accustomed to continuous network availability and instantaneous port failover.
The new gigabit Ethernet failover feature is not instantaneous, but it averages an
impressive 0.003 second from the instant the link loss is detected to the instant the link is
recovered. Millisecond failover speeds are achieved with this failover feature because it is
implemented in the adapter device driver layer and port parameters and resources can be
shared by the two adapters sharing a single PCI-X slot.
For the highest availability, connect the two ports to different Ethernet network switches as
shown in the visual. This failover feature requires no special support at the network switch
and can be used with EtherChannel and PowerHA.
At the time of this course revision, the adapters which supported GFF were:
• 2-port gigabit Ethernet-SX PCI-X (1410882)
GFF implementation
IBM Power Systems
ent1    Available  01-09  2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
• Set the failover mode on the ports
# chdev -l ent0 -a failover=primary
# chdev -l ent1 -a failover=backup
• Can be also done through smit (fastpath: chgenet)
                Change / Show Characteristics of an Ethernet Adapter
                                                        [Entry Fields]
  Ethernet Adapter                                      ent0
  Description                                           2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
  Status                                                Available
  # Note: some fields removed for clarity.
  Enable failover mode                                  primary        +
Notes:
previously for TCP/IP, remove the interface definitions in the ODM database via fastpath
smitty inet.
1. Locate the dual port gigabit Ethernet adapter ports with the lsdev command.
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN
Notes:
On loss of the primary port, the IP address and adapter (ent6 in this case) remain up and
available, but the packets will arrive and leave via the backup interface and port. Note that
the primary port can fail silently, and unless additional features are deployed, such as error
notification, no one will notice!
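Since the notes point out that a primary-port failure can go unnoticed, a small check over the error log is worth having. The following is an added example, not code from the course or from AIX: a POSIX shell script that scans errpt -a style records for the GOENT_* labels shown above and reports which adapters have logged a link-down or failover event. The log text is a constructed sample built from the three records on the slide; on a live system the records would come from errpt -a, and the record layout (LABEL:, Date/Time:, Resource Name:) is assumed to be the one shown in that output.

```shell
#!/bin/sh
# Added example (not from the course): surface gigabit fast-failover (GFF)
# events from errpt -a output so a silent primary-port failure is noticed.
# Assumption: the record layout shown on the slide (LABEL:, Date/Time:,
# Resource Name: lines separated by dashed rules).

# Constructed sample: the three records from the slide, as errpt -a prints them.
SAMPLE='---------------------------------------------------------------------------
LABEL:          GOENT_RCVRY_EXIT
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           INFO
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL:          GOENT_LINK_DOWN
Date/Time:      Thu Jul 16 14:46:24 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET DOWN'

# gff_events LOG -> one line per GOENT_* record: "<resource> <label> <date/time>"
gff_events() {
    printf '%s\n' "$1" | awk '
        /^LABEL:/         { label = $2 }
        /^Date\/Time:/    { sub(/^Date\/Time:[ \t]*/, ""); when = $0 }
        /^Resource Name:/ {
            # Resource Name: is the last header field we need; emit the record
            if (label ~ /^GOENT_/) print $3, label, when
            label = ""
        }'
}

# gff_count LOG LABEL -> number of records carrying LABEL
gff_count() {
    gff_events "$1" | awk -v l="$2" '$2 == l' | wc -l | tr -d ' '
}

# gff_affected LOG -> adapters that logged a link-down or successful failover,
# i.e. the ones now running on their backup port according to the notes above
gff_affected() {
    gff_events "$1" | awk '
        $2 == "GOENT_LINK_DOWN" || $2 == "GOENT_FAILOVER_SUCC" { print $1 }' | sort -u
}

# Usage
gff_events "$SAMPLE"
gff_affected "$SAMPLE"     # ent6
```

Feeding errpt -a into gff_affected from a cron job and mailing a non-empty result is the "error notification" the notes mention; the adapter and its IP address stay up, so nothing else on the host will raise the alarm.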
---------------------------------------------------------------------------
LABEL:          GOENT_FAILOVER_SUCC
Date/Time:      Thu Jul 16 14:54:38 CEDT 2009
Type:           TEMP
Resource Name:  ent6
Description
ETHERNET NETWORK RECOVERY MODE
Link aggregation and EtherChannel: Overview
(1 of 2)
IBM Power Systems
• Link failover time, 250 ms to 2 secs
• Up to eight links in an aggregate / channel active
– Plus 1 backup
(diagram: three link aggregation layouts over switch1 and switch2 using ports ent0 to ent3)
Notes:
The first problem is that Ethernet does not scale. If bandwidth problems are being
experienced, the logical step was to move up to the next generation, for example 100
Mbit/s to 1000 Mbit/s or (more commonly today) 1000 Mbit/s to 10000 Mbit/s. In the early
1990s, Kalpana invented EtherChannel (later acquired by Cisco Systems). Other network
several physical ports together to form a single logical channel. LACP allows a network
device to negotiate an automatic bundling of links by sending LACP packets to the host.
The second problem is having single points of failure within a typical port-cable-port
connection. If a link fails, link aggregation technology will automatically redistribute traffic
across the remaining links. If all active links within the primary channel fail, then traffic will
be redistributed to the backup link. Automatic recovery in an aggregate takes less than one
second and is transparent to network applications and the end user. This makes it very
resilient and desirable for mission critical applications. Automatic recovery to a backup
channel takes slightly longer, typically between 1 and 4 seconds.
Link aggregation and EtherChannel: Overview (2 of 2)
• If you are using vendor specific link aggregation (such as Cisco
EtherChannel), then the switch must be configured appropriately.
– Interoperability issues tend to be the cause of most problems.
• Drawbacks:
– Traditionally, links contained in an aggregate must go to the same switch.
– There are vendor specific implementations which allow active aggregate links
to go into different switches.
• For example: Cisco's Virtual Switching System (VSS) allows the creation of a
Multichassis EtherChannel (MEC).
– Cisco Catalyst 6500 chassis only.
• Nortel Split Multi-Link Trunking (SMLT)
– SMLT has been submitted to IETF to be made into a standard.
Notes:
Generally speaking, if the switch natively supports 802.3ad, link aggregation control
protocol data units (LACPDUs) are exchanged between the server machine and the switch.
LACP will let the switch know that the adapters configured in the aggregation should be
considered as one on the switch without further user intervention. Cisco switches do
support LACP but not natively. The port on the switch must be configured to support
EtherChannel or LACP.
Currently, there is no open standard for distributing active links across multiple switches.
This can be achieved via vendor specific features such as Cisco’s VSS and Nortel’s SMLT.
– round_robin (default)
• Interoperability:
– If switch is configured for 802.3ad, use mode 8023ad in AIX
– If switch is configured for EtherChannel, use either standard or round_robin in
AIX
• Enable alternate address
– The Link Aggregation adapter can be configured with a locally administered
alternate MAC address.
– Provides stable MAC address regardless of adapter membership
• Backup adapter
– Backup link (different switch) in case the switch supporting the aggregated
links fails.
Notes:
Modes:
• Standard: In this mode the EtherChannel uses an algorithm to choose which adapter it
will send the packets out on. The algorithm consists of taking a data value, dividing it by
the number of adapters in the EtherChannel, and using the remainder (using the
modulus operator) to identify the outgoing link. The hash mode value determines which
data value is fed into this algorithm. (See the hash mode attribute for an explanation of
the different hash modes.) For example, if the hash mode is standard, it will use the
packet’s destination IP address. If this is 10.10.10.11 and there are two adapters in the
EtherChannel, (1 / 2) = 0 with remainder 1, then the second adapter is used. The
adapters are numbered starting from 0. The adapters are numbered in the order they
are listed in the SMIT menu. This is the default operation mode.
• 8023ad: This option enables the use of the IEEE 802.3ad link aggregation control
protocol (LACP) for automatic link aggregation. Like EtherChannel, IEEE 802.3ad
requires support in the switch. Unlike EtherChannel, however, the switch does not need
to be configured manually to know which ports belong to the same aggregation. The
advantages of using IEEE 802.3ad link aggregation instead of EtherChannel are that it
creates the link aggregations in the switch automatically and that it allows you to use
switches that support the IEEE 802.3ad standard but do not support EtherChannel. In
IEEE 802.3ad, the link aggregation control protocol (LACP) automatically tells the
switch which ports should be aggregated. When an IEEE 802.3ad aggregation is
configured, link aggregation control protocol data units (LACPDUs) are exchanged
between the server machine and the switch. LACP will let the switch know that the
adapters configured in the aggregation should be considered as one on the switch
without further user intervention.
• Round-robin: In this mode the EtherChannel will rotate through the adapters, giving
each adapter one packet before repeating. The packets might be sent out in a slightly
different order than they were given to the EtherChannel, but it will make the best use of
its bandwidth. It is an invalid combination to select this mode with a hash mode other
than default. If you choose the round-robin mode, leave the hash mode value as
default.
Mode, hash mode, and outgoing traffic distribution (across adapter ports within the
EtherChannel):
• mode: Standard or 8023ad; hash_mode: default
This is the traditional AIX behavior. The adapter selection algorithm uses the last byte of
the destination IP address (for TCP/IP traffic) or MAC address (for ARP and other
non-IP traffic). This mode is typically the best initial choice for a server with a large
number of clients.
Local and Foreign columns shown by netstat -an command. Since each connection
has a unique TCP or UDP port, the three port-based hash modes provide additional
adapter distribution flexibility when there are several separate TCP or UDP connections
command output, the port is the TCP/IP address suffix value in the Local column.
• mode: Standard or 8023ad; hash_mode: dst_port
The outgoing adapter path is selected via algorithm using the destination system port
value. In netstat -an command output, the TCP/IP address suffix in the Foreign column
alternate MAC address for the EtherChannel.
• Backup adapter: Specifies the adapter to use as your EtherChannel backup.
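The selection rule described in these notes (a data value divided by the number of adapters, remainder used as the adapter index, adapters numbered from 0), as an added shell example that is not part of the course material. pick_adapter applies it for the default hash mode (last byte of the destination IP address) and for the src_port and dst_port hash modes (Local-column and Foreign-column port, respectively, as shown by netstat -an), and distribution counts how many links a list of connections would actually use. Endpoints use the netstat -an form a.b.c.d.port; the connection list is constructed, and the two port modes are modelled here as the bare port number modulo the adapter count.

```shell
#!/bin/sh
# Added example, not from the IBM course material: simulate which link an
# EtherChannel in standard/8023ad mode selects for a packet.
#   default  : last byte of the destination (Foreign) IP address
#   src_port : local (source) TCP/UDP port
#   dst_port : foreign (destination) TCP/UDP port
# Endpoints are written as in netstat -an: a.b.c.d.port, e.g. 10.10.10.11.80.

# Last octet of the IP part of an endpoint, and the port suffix.
last_byte() { echo "$1" | awk -F. '{print $4}'; }
port_of()   { echo "$1" | awk -F. '{print $NF}'; }

# pick_adapter MODE LOCAL FOREIGN NUM_ADAPTERS -> prints the adapter index (0-based)
pick_adapter() {
    mode=$1; local_ep=$2; foreign_ep=$3; n=$4
    case $mode in
        default)  val=$(last_byte "$foreign_ep") ;;
        src_port) val=$(port_of "$local_ep") ;;
        dst_port) val=$(port_of "$foreign_ep") ;;
        *) echo "unknown hash mode: $mode" >&2; return 1 ;;
    esac
    echo $(( val % n ))
}

# distribution MODE NUM_ADAPTERS, with "LOCAL FOREIGN" lines on stdin:
# prints how many distinct adapters the connections are spread over.
distribution() {
    mode=$1; n=$2
    while read -r l f; do
        [ -z "$l" ] && continue
        pick_adapter "$mode" "$l" "$f" "$n"
    done | sort -u | wc -l | tr -d ' '
}

# Constructed sample: one server (10.1.1.5) with several connections from a
# single client address 10.10.10.11, the case where the default hash mode
# sends every connection down the same link.
SAMPLE='10.1.1.5.22 10.10.10.11.51234
10.1.1.5.22 10.10.10.11.51235
10.1.1.5.80 10.10.10.11.51236
10.1.1.5.80 10.10.10.11.51237'

# Worked example from the notes: destination 10.10.10.11, two adapters,
# 11 % 2 = 1, so the second adapter (index 1) is used.
pick_adapter default 10.1.1.5.22 10.10.10.11.51234 2
printf '%s\n' "$SAMPLE" | distribution default 2    # all on one adapter
printf '%s\n' "$SAMPLE" | distribution dst_port 2   # spread over both
```

The default mode is the right first choice for a server with many clients, as the notes say; the sample shows the opposite situation, where all traffic arrives from one address (for example behind a NAT gateway) and only a port-based hash mode uses both links.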
Add An EtherChannel / Link Aggregation
                                                  [Entry Fields]
  EtherChannel / Link Aggregation Adapters        ent6,ent8         +
  Enable Alternate Address                        yes               +
  Alternate Address                               [0x02deadbeef01]  +
  Enable Gigabit Ethernet Jumbo Frames            no                +
  Mode                                            round_robin       +
  Hash Mode                                       default           +
  Backup Adapter                                                    +
  Automatically Recover to Main Channel           yes               +
  Perform Lossless Failover After Ping Failure    yes               +
  Internet Address to Ping                        []
  Number of Retries                               []                +#
  Retry Timeout (sec)                             []                +#

# lsdev -Cl ent13
ent13 Available EtherChannel / IEEE 802.3ad Link Aggregation
Notes:
The SMIT dialogue panel, which is shown in the visual, may be accessed using the menu
provided by the fastpath etherchannel.
The new EtherChannel or LA adapter is being defined upon two existing Ethernet adapters:
ent6 and ent8. These must be cabled to switch ports where the switch is either configured
to explicitly define these links as being in a channel grouping, or which support a protocol
that will dynamically discover that they are both part of the same 802.3ad aggregate. The
base adapters must not have their own configured interfaces; if the base adapters’
interfaces are configured, the existing interfaces will be detached and all configuration
attributes will be lost.
The new aggregate adapter (ent13) will use a provided alternate address rather than using
the MAC of the first link in the channel. Load balancing will use a mode of round-robin. No
backup link is defined.
In this example, Cisco configuration was applied on the switch. The Cisco switch details
follow:
The adapter ports were connected to switch ports 4/32 and 4/33 on a VLAN 619.
interface GigabitEthernet4/32
 description clp_2,600-752
 switchport access vlan 619
 switchport mode access
 channel-group 11 mode on
 spanning-tree bpduguard enable
!
interface GigabitEthernet4/33
 description clp_2,600-752
 switchport access vlan 619
 switchport mode access
 channel-group 11 mode on
 spanning-tree bpduguard enable
!
interface Port-channel11
 description Gi4/32-33
 switchport
 switchport access vlan 619
Note: If the host (may be in an LPAR) cannot detect the physical loss of a link (common in
virtual LPARs), then an Internet address to ping must be supplied in order for the host to
switch back to the primary channel.
adapter_names   ent6,ent8      EtherChannel Adapters                          True
alt_addr        0x02deadbeef01 Alternate EtherChannel Address                 True
auto_recovery   yes            Enable automatic recovery after failover       True
backup_adapter  NONE           Adapter used when whole channel fails          True
hash_mode       default        Determines how outgoing adapter is chosen      True
mode            round_robin    EtherChannel mode of operation                 True
netaddr         0              Address to ping                                True
noloss_failover yes            Enable lossless failover after ping failure    True
num_retries     3              Times to retry ping before failing             True
retry_time      1              Wait time (in seconds) between pings           True
use_alt_addr    no             Enable Alternate EtherChannel Address          True
use_jumbo_frame no             Enable Gigabit Ethernet Jumbo Frames           True
• Viewing EtherChannel status
# entstat -r -d ent13      ### reset stats ###
# entstat -d ent13         ### display stats ###
– Active channel
– Statistics for each component adapter
Notes:
Documentation
The attributes of the EtherChannel can be documented by using the lsattr command.
Most importantly, the adapter_names attribute displays the list of links in the aggregate
For general viewing or problem determination purposes, you can use the entstat
command to verify the configuration of the link aggregation, view the current status
(which links are active), and understand how traffic is being distributed over the
component adapters.
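The two verifications these notes describe, the lsattr attributes and the entstat status, as an added shell example that is not part of the course material. check_mode compares the AIX mode from lsattr -El output against the switch-side configuration it requires, using the interoperability rule from the slide (8023ad needs an LACP port channel; standard and round_robin need a statically configured EtherChannel such as the Cisco "channel-group ... mode on" shown earlier). check_channel reads entstat -d output and warns when the channel is running on its backup adapter or a link is not Up, the condition that otherwise goes unnoticed. The sample outputs are constructed to match ent13 on this page; the healthy line "Active channel: primary channel" is an assumption, since only the backup form appears on this page.

```shell
#!/bin/sh
# Added example, not from the IBM course material: audit an EtherChannel from
# `lsattr -El entN` and `entstat -d entN` output.

# Switch-side configuration required by an AIX EtherChannel mode.
required_switch_mode() {
    case $1 in
        8023ad)                echo lacp ;;
        standard|round_robin)  echo static ;;
        *)                     echo unknown ;;
    esac
}

# attr NAME, lsattr output on stdin -> value column of that attribute
attr() { awk -v a="$1" '$1 == a {print $2}'; }

# check_mode SWITCH_MODE (lacp|static), lsattr output on stdin.
# Returns 0 when the AIX mode matches the switch, 1 otherwise.
check_mode() {
    want=$1
    mode=$(attr mode)
    need=$(required_switch_mode "$mode")
    if [ "$need" = "$want" ]; then
        echo "ok: mode=$mode matches switch ($want)"; return 0
    fi
    echo "MISMATCH: mode=$mode needs switch $need, switch is $want"; return 1
}

# check_channel, entstat -d output on stdin.
# Returns 0 when the primary channel is active and every link is Up,
# 1 when traffic is flowing over the backup adapter,
# 2 when a link is not Up while still on the primary channel.
check_channel() {
    awk '
        /^Active channel:/ { active = $3 }
        /^Link Status/     { n++; if ($NF != "Up") down++ }
        END {
            if (active == "backup") { print "WARN: running on backup adapter"; exit 1 }
            if (down > 0)           { print "WARN: " down " of " n " links not Up"; exit 2 }
            print "ok: primary channel active, " n " links Up"
        }'
}

# ---- constructed sample data (modelled on ent13 above) --------------------
LSATTR_ENT13='adapter_names   ent6,ent8      EtherChannel Adapters                          True
backup_adapter  NONE           Adapter used when whole channel fails          True
hash_mode       default        Determines how outgoing adapter is chosen      True
mode            round_robin    EtherChannel mode of operation                 True'

ENTSTAT_OK='Number of adapters: 2
Active channel: primary channel
Link Status : Up
Link Status : Up'

ENTSTAT_ONE_DOWN='Number of adapters: 2
Active channel: primary channel
Link Status : UNKNOWN
Link Status : Up'

ENTSTAT_BACKUP='Number of adapters: 2
Active channel: backup adapter
Operating mode: Network interface backup mode'

printf '%s\n' "$LSATTR_ENT13" | check_mode static             # ok
printf '%s\n' "$LSATTR_ENT13" | check_mode lacp || true       # mismatch
printf '%s\n' "$ENTSTAT_OK" | check_channel                   # ok
printf '%s\n' "$ENTSTAT_ONE_DOWN" | check_channel || true     # one link down
printf '%s\n' "$ENTSTAT_BACKUP" | check_channel || true       # on backup
```

On a live system the two functions are fed by `lsattr -El ent13 | check_mode static` and `entstat -d ent13 | check_channel`; the non-zero return codes are what a cron job or monitoring agent would act on, covering the silent failure the earlier notes warn about.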
Interrupts: 0                               Interrupts: 5087
Transmit Errors: 0                          Receive Errors: 0
Packets Dropped: 0                          Packets Dropped: 0
Bad Packets: 0
Max Packets on S/W Transmit Queue: 25
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0
Elapsed Time: 0 days 0 hours 0 minutes 0 seconds
Broadcast Packets: 0                        Broadcast Packets: 248
Multicast Packets: 0                        Multicast Packets: 0
No Carrier Sense: 0                         CRC Errors: 0
DMA Underrun: 0                             DMA Overrun: 0
Lost CTS Errors: 0                          Alignment Errors: 0
Max Collision Errors: 0                     No Resource Errors: 0
Late Collision Errors: 0                    Receive Collision Errors: 0
-------------------
No mbuf Errors: 0
Transmit Statistics:                        Receive Statistics:
--------------------                        -------------------
Packets: 2443                               Packets: 73
Bytes: 24833262                             Bytes: 4380
Interrupts: 0                               Interrupts: 72
Transmit Errors: 0                          Receive Errors: 0
Packets Dropped: 0                          Packets Dropped: 0
Bad Packets: 0
Max Packets on S/W Transmit Queue: 13
S/W Transmit Queue Overflow: 0
Current S/W+H/W Transmit Queue Length: 0
Broadcast Packets: 0                        Broadcast Packets: 73
Multicast Packets: 0                        Multicast Packets: 0
No Carrier Sense: 0                         CRC Errors: 0
DMA Underrun: 0                             DMA Overrun: 0
General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
------------------------------------------------------------------------
Link Status : Up
Media Speed Selected: Auto negotiation
Media Speed Running: 1000 Mbps Full Duplex
PCI Mode: PCI-X (100-133)
PCI Bus Width: 64-bit
Latency Timer: 144
Cache Line Size: 128
Jumbo Frames: Disabled
TCP Segmentation Offload: Enabled
TCP Segmentation Offload Packets Transmitted: 930
TCP Segmentation Offload Packet Errors: 0
Transmit and Receive Flow Control Status: Enabled
XON Flow Control Packets Transmitted: 0
XON Flow Control Packets Received: 0
XOFF Flow Control Packets Transmitted: 0
XOFF Flow Control Packets Received: 0
Transmit and Receive Flow Control Threshold (High): 49152
Transmit and Receive Flow Control Threshold (Low): 24576
Transmit and Receive Storage Allocation (TX/RX): 8/56
-------------------------------------------------------------
Single Collision Count: 0                   Receiver Start Count: 0
Multiple Collision Count: 0
Current HW Transmit Queue Length: 0
General Statistics:
-------------------
No mbuf Errors: 0
Adapter Reset Count: 0
Adapter Data Rate: 2000
Driver Flags: Up Broadcast Running
Simplex 64BitSupport ChecksumOffload
PrivateSegment LargeSend DataRateSet
2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902) Specific Statistics:
------------------------------------------------------------------------
Link Status : Up
Media Speed Selected: Auto negotiation
ent6 port failure
---------------------------------------------------------------------------
LABEL: GOENT_LINK_DOWN
Date/Time: Fri Jul 17 10:53:43 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET DOWN
Note: There was no loss of packets.
# entstat -d ent13 |grep -i LINK
Link Status : UNKNOWN
Link Status : Up
ent6 Port recovery
---------------------------------------------------------------------------
LABEL: GOENT_RCVRY_EXIT
Date/Time: Fri Jul 17 10:55:58 CEDT 2009
Type: INFO
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
# entstat -d ent13 |grep -i LINK
Link Status : Up
Link Status : Up
Notes:
The visual shows two events. The first is the loss of a link. The second is the recovery of a
link.
The GOENT_LINK_DOWN record reports which link (ent6) has gone down. Since this is
only one of the links used by the EtherChannel, traffic continues over the remaining link
and there is no impact on the application traffic using the EtherChannel. An examination of
the entstat details for the EtherChannel adapter shows that while one link has an
– Add or remove a backup adapter
– Switch between standard mode, 802.3ad, and round robin
– To manually force a failover, use SMIT chgethch or the ethchan_config
command
• Example commands:
# Add an adapter (ent4) to the main channel (ent3)
/usr/lib/methods/ethchan_config -a ent3 ent4
# Remove ent4 adapter from the EtherChannel (ent3)
/usr/lib/methods/ethchan_config -d ent3 ent4
# To force a manual failover to the backup channel
/usr/lib/methods/ethchan_config -f ent3
Notes:
The dynamic adapter membership feature (introduced in AIX 5L V5.2) allows you to
change most attributes of a link aggregation dynamically without interrupting traffic. This
includes the ability to change the adapter membership for the aggregate.
ethchan_config
The ethchan_config command (or SMIT) can be used to make these dynamic
changes to the link aggregation.
ethchan_config can also be used to force a failover from the primary channel to the
backup adapter or a failback. This can be very useful for problem determination.
– Can be used as an underlying technology when configuring PowerHA
clusters
– Applicable also to the Virtual I/O Server
[Diagram: LA primary links using GFF primary ports, connected across switch1, switch2, switch3 and switch4]
Figure 7-30. Combining link aggregation and gigabit fast failover AN212.0
Notes:
Combining GFF, LA, and PowerHA results in achieving the highest possible levels of
network availability. This particular scenario uses a network interface backup scenario where
the link aggregate has a single link and defines a backup link in case that aggregate fails.
The base adapters for the Link Aggregate (LA) would be the GFF primary adapters: ent6
and ent8. Each of these is automatically backed up by the secondary port on that
adapter. If the primary adapter port (or its connection to the switch) fails, then the
secondary port will take over, transparent to the link aggregation. If the link aggregate fails
(both ent6 and ent7), then traffic continues over the backup channel link (the other
adapter).
Link aggregation and gigabit fast failover configuration
# chdev -l ent6 -a failover=primary
# chdev -l ent7 -a failover=backup
# chdev -l ent8 -a failover=primary
# chdev -l ent9 -a failover=backup
Add An EtherChannel / Link Aggregation
                                                  [Entry Fields]
  EtherChannel / Link Aggregation Adapters        ent6              +
  Enable Alternate Address                        yes               +
  Alternate Address                               []                +
  Enable Gigabit Ethernet Jumbo Frames            no                +
  Mode                                            standard          +
  Hash Mode                                       default           +
  Backup Adapter                                  ent8              +
  Automatically Recover to Main Channel           yes               +
  Perform Lossless Failover After Ping Failure    yes               +
  Internet Address to Ping                        []
  Number of Retries                               []                +#
  Retry Timeout (sec)                             []                +#
Figure 7-31. Link aggregation and gigabit fast failover configuration AN212.0
Notes:
# ping 10.6.119.40
64 bytes from 10.6.119.40: icmp_seq=0 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=1 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=2 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=3 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=4 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=5 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=6 ttl=64 time=0 ms
64 bytes from 10.6.119.40: icmp_seq=7 ttl=64 time=0 ms
On Jul 16 15:07:33 switch ports for ent6 and ent7 were disconnected from the switch.
- 15:07:34 EtherChannel backup became active.
- Zero ICMP packets were lost.
Sample output from entstat shows the swap to the backup channel.
Statistics for every adapter in the EtherChannel:
-------------------------------------------------
Number of adapters: 2
Active channel: backup adapter
Operating mode: Network interface backup mode
Notes:
---------------------------------------------------------------------------
LABEL: GOENT_FAILOVER_SUCC
Date/Time: Thu Jul 16 15:07:46 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL: ECH_CHAN_FAIL
Date/Time: Thu Jul 16 15:07:34 CEDT 2009
Type: PERM
Resource Name: ent13
Description
ETHERCHANNEL FAILOVER
Detail Data
All primary Ether Channel adapters failed: switching over to backup adapter
---------------------------------------------------------------------------
LABEL: GOENT_FAILOVER_FAIL
Date/Time: Thu Jul 16 15:07:34 CEDT 2009
Type: TEMP
---------------------------------------------------------------------------
LABEL: GOENT_LINK_DOWN
ETHERNET DOWN
---------------------------------------------------------------------------
LABEL: GOENT_RCVRY_EXIT
Date/Time: Thu Jul 16 15:07:33 CEDT 2009
Type: INFO
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL: GOENT_FAILOVER_SUCC
Date/Time: Thu Jul 16 15:07:33 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL: GOENT_LINK_DOWN
Date/Time: Thu Jul 16 15:07:33 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET DOWN
Errorlog on recovery:
---------------------------------------------------------------------------
LABEL: GOENT_FAILOVER_SUCC
Date/Time: Tue Jul 21 14:04:29 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
---------------------------------------------------------------------------
LABEL: ECH_CHAN_RCVRY
Date/Time: Tue Jul 21 14:04:15 CEDT 2009
Type: INFO
Resource Name: ent13
Description
ETHERCHANNEL RECOVERY
---------------------------------------------------------------------------
LABEL: GOENT_RCVRY_EXIT
Date/Time: Tue Jul 21 14:04:12 CEDT 2009
Type: INFO
---------------------------------------------------------------------------
LABEL: GOENT_FAILOVER_SUCC
Date/Time: Tue Jul 21 14:04:11 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET NETWORK RECOVERY MODE
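Reading the failover and recovery error logs above by hand works for one test; an added shell example, not part of the course material, does the same from errpt -a output so the state of the channel can be checked routinely. errpt lists the newest record first, so the first ECH_CHAN_FAIL or ECH_CHAN_RCVRY record seen for a resource is its current state; a channel whose latest event is ECH_CHAN_FAIL is still on its backup adapter, the silent condition the earlier notes warn about. The two error logs below are constructed from the record layout on this page (labels, types and timestamps taken from it); on a real system the input is `errpt -a`.

```shell
#!/bin/sh
# Added example, not from the IBM course material: summarise EtherChannel
# failover state from `errpt -a` output (newest record first).

# Records are separated by a line of dashes. Emit one
# "LABEL|Date/Time|Resource" line per record.
flatten_errpt() {
    awk '
        /^-+$/ { if (label != "") print label "|" when "|" res
                 label = when = res = ""; next }
        /^LABEL:/         { label = $2 }
        /^Date\/Time:/    { sub(/^Date\/Time: */, ""); when = $0 }
        /^Resource Name:/ { res = $3 }
        END { if (label != "") print label "|" when "|" res }'
}

# channel_state RESOURCE, errpt -a output on stdin.
# Prints "backup" (failed over, no later recovery), "primary" (recovered)
# or "unknown" (no channel events for that resource).
channel_state() {
    flatten_errpt | awk -F'|' -v r="$1" '
        $3 == r && $1 == "ECH_CHAN_FAIL"  { print "backup";  found = 1; exit }
        $3 == r && $1 == "ECH_CHAN_RCVRY" { print "primary"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# link_down_count ADAPTER, errpt -a output on stdin:
# number of GOENT_LINK_DOWN records logged against that adapter.
link_down_count() {
    flatten_errpt | awk -F'|' -v r="$1" \
        '$3 == r && $1 == "GOENT_LINK_DOWN" { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the failover log shown above.
ERRPT_FAILOVER='---------------------------------------------------------------------------
LABEL: ECH_CHAN_FAIL
Date/Time: Thu Jul 16 15:07:34 CEDT 2009
Type: PERM
Resource Name: ent13
Description
ETHERCHANNEL FAILOVER
---------------------------------------------------------------------------
LABEL: GOENT_LINK_DOWN
Date/Time: Thu Jul 16 15:07:33 CEDT 2009
Type: TEMP
Resource Name: ent6
Description
ETHERNET DOWN'

# The same log after the Jul 21 recovery record has been added on top.
ERRPT_RECOVERED='---------------------------------------------------------------------------
LABEL: ECH_CHAN_RCVRY
Date/Time: Tue Jul 21 14:04:15 CEDT 2009
Type: INFO
Resource Name: ent13
Description
ETHERCHANNEL RECOVERY
'"$ERRPT_FAILOVER"

printf '%s\n' "$ERRPT_FAILOVER"  | channel_state ent13     # backup
printf '%s\n' "$ERRPT_RECOVERED" | channel_state ent13     # primary
printf '%s\n' "$ERRPT_FAILOVER"  | link_down_count ent6    # 1
```

Because ECH_CHAN_FAIL is logged as a PERM error and ECH_CHAN_RCVRY as INFO, a check that only pages on PERM entries would see the failover but never the recovery; pairing the two per resource, as channel_state does, is what tells you whether the channel is still degraded.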
Checkpoint (1 of 2)
1. Given the following output, which path will be taken to the 18/8
network?
# netstat -C |grep 18/8
18/8   1.1.1.1    UG  10  WRR  en5  0  0
18/8   1.1.1.254  UG  20  -    en5  1  1
2. What will happen as a result of entering the following command?
# /usr/lib/methods/ethchan_config -d ent10 ent8
_____________________________________________________
Checkpoint (2 of 2)
5. True or False: Combining GFF, LA, and PowerHA results in
achieving the highest levels of network availability.
Exercise introduction
– Configure MPR with DGD
– Configure Ethernet fast failover and EtherChannel (optional)
• Note:
– Due to the lab H/W configuration, you might not be able to
complete all elements of the optional section.
– This exercise might have to be completed in a phased approach.
Unit summary
• Understand and configure routing for availability and load
balancing (multi-path routing with dead gateway detection)
• Understand and configure gigabit fast failover (GFF)
• Understand and configure link aggregation (LA) and
EtherChannel
• Combine both GFF and LA technologies to achieve the
highest levels of availability
What you should be able to do
After completing this unit, you should be able to:
• Describe domain name history, concepts, and terminology
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
– Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information
• Checkpoint solutions
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Unit 8. DNS and BIND 8-1
Unit objectives
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
– Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information
What is DNS?
• DNS is a global, hierarchical, and distributed database.
• It translates names into addresses and vice versa.
– This process is known as name resolution.
Question: Who is www.bbc.co.uk ?
Answer: www.bbc.co.uk is an alias (a CNAME record)
Host = www.bbc.net.uk.
IP = 212.58.251.195
Notes:
The Domain Name System, or DNS, is one of the Internet’s fundamental building blocks. It
is a global, hierarchical, and distributed information database that is responsible for
translating names into addresses and vice versa, routing mail to its proper destination, and
many other services.
History of DNS
• Name resolution was managed by a single host file:
– Named hosts.txt.
– Maintained by Stanford Research Institute, CA – Network Information
Centre (NIC).
• As the Internet adopted TCP/IP standards in the 1980s, the
growth exploded.
– A new mechanism was required to cope with large networks.
• Paul Mockapetris was responsible for designing the
architecture of DNS.
– The first DNS RFCs were released in 1984.
Notes:
Through the 1970s, the ARPANET was a small, friendly community of a few hundred hosts.
A single file, HOSTS.TXT, contained all the information you needed to know about those
hosts. It held a name-to-address mapping for every host connected to the ARPANET. The
familiar UNIX host table, /etc/hosts, was compiled from HOSTS.TXT, mostly by deleting
administrators typically e-mailed their changes to the NIC and periodically FTPed the file to
get the current HOSTS.TXT. Their changes were compiled into a new HOSTS.TXT once or
twice a week. As the ARPANET grew, this scheme became unworkable. The size of
HOSTS.TXT grew in proportion to the growth in the number of ARPANET hosts. Moreover,
the traffic generated by the update process increased even faster, and when the ARPANET
moved to the TCP/IP protocols, the population of the network exploded.
The ARPANET’s governing bodies chartered an investigation into a successor for
HOSTS.TXT. Their goal was to create a system that solved the problems inherent in a
unified host table system.
Paul Mockapetris, then of USC’s Information Sciences Institute, was responsible for
designing the architecture of the new system. In 1984, he released RFCs 882 and 883,
which describe the Domain Name System.
History of BIND
• First implementation was written by a team of undergraduates for Berkeley 4.3 BSD UNIX and called BIND.
– BIND is now virtually the only major implementation of DNS today and is ported to all versions of UNIX.
• BIND is now maintained by Internet Software Consortium (ISC).
• Major versions:
– 9: Latest
– 8: Default version on AIX 5L and 6.1; development is suspended.
– 4: Deprecated
Notes:
Following the RFCs, in 1984, a small group of students from Berkeley University wrote the
first UNIX implementation for Berkeley’s 4.3 BSD operating system. In 1985, Kevin Dunlap
of DEC significantly rewrote the DNS implementation and renamed it BIND (Berkeley
Internet Name Domain). BIND is the de facto standard of DNS used today and is supported
by Internet Software Consortium. The latest version is BIND 9, which is a complete rewrite
of the previous versions.
[Figure: example DNS structure. The root domain is at the top; the gTLDs (com, org, net) and the ccTLDs (nl, fr, uk) sit directly below it. The ibm.com domain is a zone of authority; beneath it are nl, fr and uk, with a further zone of authority marked there, since each domain will consist of several zones. The node sys1 in uk.ibm.com has the FQDN (Fully Qualified Domain Name) sys1.uk.ibm.com.]
Notes:
The visual shows an example of a possible DNS structure. The root domain is on top with
the gTLDs and the ccTLDs right below it. There is one subdomain, ibm.com, which has
authority. In reality, a zone of authority specifies authoritative control of zone files for that
domain. Note that when we are talking about fully qualified domain names (FQDN), the
final dot should be included. An FQDN is normally made up of a short name, such as sys1,
followed by the domain name, such as uk.ibm.com. So the FQDN of sys1 is
sys1.uk.ibm.com.
DNS lookups
[Figure: lookup of www.bbc.co.uk from sys1. sys1 sends a recursive query ("Who is www.bbc.co.uk?") to its name server. That UK name server will be polite and issue iterative queries, following the referrals it receives from the root (com, org, net, ie, au, uk) to uk, to co.uk and to the bbc.co.uk name server, until it can return the answer 212.58.251.195.]
Notes:
The visual shows the result of the command host www.bbc.co.uk, executed on host sys1.
In the example, ten DNS queries and responses are performed:
a. The first query is a so-called recursive query from sys1 for the IP address of
www.bbc.co.uk to the DNS server of the uk.ibm.com domain. The IP address of this
name server is known to sys1; it is configured in its /etc/resolv.conf file. A
recursive query in this respect means, “I want the answer to this question.” This
means that the answer that sys1 expects is the IP address of www.bbc.co.uk.
b. The second query is a so-called iterative query from the name server of UK to one of
the root name servers. Again, the query is for the IP address of www.bbc.co.uk. An
d. The fifth packet is a reply from the UK name server, and identifies the name server
of the co.uk domain.
e. The sixth packet is again an iterative query from the UK name server to the co.uk
name server.
f. The seventh packet is a reply from the co.uk name server, and identifies the name
server of the bbc.co.uk domain.
g. The eighth packet is again an iterative query from the UK name server to the
bbc.co.uk name server.
h. The bbc.co.uk name servers are authoritative for the bbc.co.uk domain. This means
that they have the database which describes all nodes in the bbc.co.uk domain,
including the www.bbc.co.uk node. So the answer that these name servers can reply
(in packet number nine) is the IP address for the www.bbc.co.uk host.
i. The UK name server now knows the IP address of the www.bbc.co.uk host, and
returns this to sys1 in the tenth packet. Apart from the procedure to look up a
hostname, this also illustrates the benefit of having a combination of iterative and
recursive queries. Having a combination of clients doing recursive queries and
name servers doing iterative queries turns out to be the most efficient scheme.
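The ten-packet exchange described above can be modelled in a few lines. The following Python is an added example and not part of the course material: it keeps a constructed delegation tree (root, uk, co.uk, bbc.co.uk; the server names are made up) in a dictionary, lets a local name server walk the referrals iteratively on behalf of a client's recursive query, and logs every query and reply so the packet count can be checked. Nothing is sent on the network.

```python
"""Model of the recursive/iterative lookup of www.bbc.co.uk shown in the visual.

Added example, not part of the course material. The delegation data below
is constructed to mirror the visual (the server names are made up); nothing
is sent on the network.
"""
from __future__ import annotations

# Constructed authoritative data: for each zone, the child zones it delegates
# (child zone -> name of the child's name server) and the answers it holds.
ZONES: dict[str, dict] = {
    ".":          {"delegations": {"uk.": "ns.nic.uk."}, "answers": {}},
    "uk.":        {"delegations": {"co.uk.": "ns.co.uk."}, "answers": {}},
    "co.uk.":     {"delegations": {"bbc.co.uk.": "ns.bbc.co.uk."}, "answers": {}},
    "bbc.co.uk.": {"delegations": {}, "answers": {"www.bbc.co.uk.": "212.58.251.195"}},
}


def authoritative_reply(zone: str, qname: str) -> tuple[str, str]:
    """Reply of an authoritative server for `zone` to an iterative (non-recursive) query.

    Returns ("answer", address) when the zone holds the record, ("referral", child)
    when it only knows a delegation covering qname, else ("nxdomain", "").
    """
    data = ZONES[zone]
    if qname in data["answers"]:
        return "answer", data["answers"][qname]
    for child in data["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", ""


def resolve_iteratively(qname: str) -> tuple[str | None, list[str]]:
    """What the uk.ibm.com name server does: start at the root and follow referrals.

    Returns the address (None if the name does not exist) and a packet log in
    which every query and every reply is one entry.
    """
    log: list[str] = []
    zone = "."
    while True:
        log.append(f"iterative query to {zone} server: {qname}?")
        kind, value = authoritative_reply(zone, qname)
        if kind == "answer":
            log.append(f"reply from {zone} server: {qname} is {value}")
            return value, log
        if kind == "nxdomain":
            log.append(f"reply from {zone} server: no such name")
            return None, log
        ns = ZONES[zone]["delegations"][value]
        log.append(f"reply from {zone} server: referral, ask {ns} for {value}")
        zone = value  # the referral names the next server to query


def recursive_lookup(client: str, qname: str) -> tuple[str | None, list[str]]:
    """The whole exchange: a recursive query from the client to its configured
    name server, which resolves iteratively and returns only the final answer."""
    log = [f"recursive query from {client} to its name server: {qname}?"]
    address, inner = resolve_iteratively(qname)
    log.extend(inner)
    log.append(f"reply to {client}: {address if address else 'no such name'}")
    return address, log


if __name__ == "__main__":
    address, packets = recursive_lookup("sys1", "www.bbc.co.uk.")
    for number, packet in enumerate(packets, 1):
        print(f"{number:2d}. {packet}")
```

Running it prints the ten packets in the order the notes describe: one recursive query, three query/referral pairs, one query/answer pair, and the final reply to sys1. Only the local name server ever talks to the root; the client sends one packet and receives one.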
[Figure: reverse lookups are handled through a special lookup branch of the name tree, in-addr.arpa. Below the root (com, org, net, ie, arpa) the arpa domain holds in-addr, and under it each octet of the address (0 to 255) forms one level: 212, then 58, then 251, then 195. The answer returned for that leaf is www.bbc.co.uk.]
Notes:
IP address to host name lookups would, if nothing else was arranged, require you to go to
every DNS server on the Internet to see if the IP address was in its tables. Obviously this is
completely impossible; however, we can do reverse DNS lookups. This is done by using an
ingenious trick, which involves a special in-addr.arpa domain. The visual illustrates

The first step then is to convert this IP address to its corresponding DNS name, which is
195.251.58.212.in-addr.arpa. This might look strange at first, but remember that IP
addresses become more specific when going from left to right and that host names become
more specific when reading from right to left. To fit an IP address in a host name based
Note: It is extremely important that reverse DNS lookups are configured correctly. Almost
all services on the Internet can (and about half of the services actually will) perform a
reverse DNS lookup to retrieve the host name of a client. This host name is then used for
authorization and logging. If the reverse DNS lookup fails, chances are that the client is
simply not allowed to use the service, or only after a long timeout.
The host, nslookup and dig commands allow you to check whether regular and reverse
DNS lookups match.
• Stores the master copy of the domain data in zones
– Slave (secondary)
• Act as backup servers
• Download domain data (zone files) typically from the primary master (or from another slave)
• A DNS server can be a master to one zone and a slave to another.
Notes:
A primary master name server is a name server which is authoritative for a domain or
multiple domains (most likely the domain itself and the associated reverse DNS domains).
This is the server where the administrator makes changes to the DNS tables. The master
name server can serve requests from clients and other name servers, both recursive and
iterative. When it performs a lookup for another domain and it receives answers, it caches
these answers for later reference.
A slave name server is also authoritative for a domain, but it retrieves this data in a
so-called zone transfer from a master name server. It can also serve requests from clients
and other name servers and cache data from other domains. Note: In more complex
environments, slave name servers can also retrieve the data from other slave servers.
• Non-authoritative server
– Caching only (also referred to as recursive servers)
• Do not have any authoritative domain data
• Perform recursive lookups on behalf of clients and cache the answer (via hints file)
– Forwarders
• Perform recursive queries to other domain name servers
• Perform recursive lookups on behalf of clients and cache the answer (via forward statement)
• All types of servers can be configured to forward
– Used in parenting
– Forward-only server
• A server which can only forward queries to other domain name servers
• General note: All DNS servers cache responses.
Notes:
A caching-only name server does not have its own data and is not authoritative for a
domain. It just performs lookups for clients. All results obtained are cached, however,
making it a useful thing to have in a small network which is connected to the outside world
through a slow link.
Caching name servers are also used to take the burden off master and slave servers. In
many configurations, administrators do not allow master and slave servers to cache for

also forward.
Resource records
– The RR identifies the sort of data that is stored.
• Common RRs for domains:
– SOA (Start of Authority): Information regarding the authoritative name server
– NS (Name Server): The name server of the domain
– MX (Mail Exchanger): The mail server of the domain
• Common RRs for hosts:
– A (Address): The IP address of a host
– PTR (Pointer): The host name of a host
– CNAME (Canonical Name): An alias name for a host
– HINFO (Host Info): Information about a host
– AAAA or A6 (for IPv6): The IPv6 address of a host
Notes:
The hierarchical structure as shown in the previous visual can be thought of as the key to
the database. With an FQDN we can find the record for a specific host. The next thing we
need to retrieve is the data that is stored about this host. This is done through a series of
resource records.
Each resource record stores something about each host or domain. What is stored
depends on the resource record type. There are several kinds of resource records. Some
are typically only used for a host, and others are typically only used for a domain.
• Switch to version 9
– Stop the BIND daemon (named)
• The named daemon stops and starts the DNS subsystem
– Re-link named and the dynamic update binary (nsupdate)
– Start named

# stopsrc -s named
# cd /usr/sbin
# ln -fs /usr/sbin/named9 /usr/sbin/named
# ln -fs /usr/sbin/nsupdate9 /usr/sbin/nsupdate
# startsrc -s named
# oslevel -s; named -v          (shows the actual versions)
6100-03-01-0921
BIND 9.4.1
Notes:
The default version of BIND on AIX 5.3 and 6.1 is version 8. It is preferable to use BIND
version 9.
If you are not using AIX 7.1, the procedure for switching to using BIND 9 is covered in the
visual.
If you are using AIX 7.1 and you wish to use Dynamic DNS (DDNS), you will still need to
change the nsupdate command to link to nsupdate9 (it defaults to being a link to
nsupdate8). The named file should already be linked to named9 (the only option).
• Create name zone file
– Used for name to IP address translation
• Create IP zone files
– Used for reverse IP to name translation
• Create local IP zone file
– Used to resolve the loopback address
• Create hints file (optional)
– Used to identify the root DNS servers.
– Optional because BIND contains a list of root servers hardcoded at compilation time
• Create /etc/resolv.conf
• Start named daemon
Notes:
All zone files are created using a standard resource record format. These standards are
explained as we look at each file. The named daemon must be started after all the files are
created.
[Figure: the example network. The parent domain lpar.co.uk (under co.uk, under uk) has the primary name server snowwhite (10.47.1.33) and the slave name server grumpy (10.47.100.2), both with recursion=no. The caching-only name servers doc and sleepy (recursion=yes) handle external queries and act as forwarders for internal ones (10.47.110.90 and 91). The sub-domain aix.lpar.co.uk has the primary (child) name server dopey (10.47.10.33). Everything is on the network 10.47/16.]
Notes:
Domain characteristics:
- Note: Master and slave servers have caching and external access disabled
(recursion set to no). All external queries are handled by caching-only name servers
doc and sleepy, which resolve internal queries by forwarding to snowwhite and
grumpy.
- Clients within the 10.47/16 network will point to name servers doc and sleepy.
• Sub (Child) domain: aix.lpar.co.uk consisting of:
- Master name server: dopey 10.47.10.33
- There is no slave server in the sub-domain.
// lpar.co.uk DNS primary nameserver
options {
        directory "/etc/named";
        notify yes;             // notify slaves on zone updates
        recursion no;           // stops all external queries / lookups
};
// secure TSIG key for dynamic updates and server-server communication
key ddns-key {
        algorithm hmac-md5;
        secret "yyvt9Oeax2MWqxUi8xtbuw==";
};
// Use the secure TSIG key when communicating with slave server
server 10.47.100.2 {
        keys { ddns-key ; };
};
Notes:
The /etc/named.conf file is read by the named daemon when it starts. It specifies the
location of all data which the daemon uses.
The options statement specifies the global options for the domain. The directory entry
tells the named daemon that all file names listed in this file are stored in the /etc/named
directory.
The key statement defines the transaction signature (TSIG) keys to be used
for server to server communication. Key generation will be covered later in this unit.
The server statement defines which key to use in communication with the host specified
(IP address).
// represents a comment.
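TSIG keys such as ddns-key above are shared secrets: the algorithm named in the key statement (hmac-md5 here) is an HMAC, so both ends hold the same key and the receiver recomputes the MAC to check the request. The Python below is an added example, not course code, that models this over a plain byte string; a real TSIG MAC covers the DNS message together with the TSIG record's own fields, which is left out here. It reuses the example secret from the named.conf above, and the two sample "messages" are constructed.

```python
"""Shared-secret transaction signatures, as a simplified model of the TSIG key statement.

Added example, not course code. It signs an arbitrary byte string rather than
a real DNS message (TSIG proper covers the message plus the TSIG record's own
fields), and it reuses the example secret from the course's named.conf.
"""
import base64
import hashlib
import hmac

KEY_NAME = "ddns-key"
ALGORITHM = "hmac-md5"
SECRET_B64 = "yyvt9Oeax2MWqxUi8xtbuw=="   # the example value from named.conf above

DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}


def sign(message: bytes, secret_b64: str = SECRET_B64, algorithm: str = ALGORITHM) -> bytes:
    """MAC a sender attaches: HMAC over the message with the shared key.
    The base64 secret in the key statement decodes to the raw key bytes."""
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message, DIGESTS[algorithm]).digest()


def verify(message: bytes, mac: bytes, secret_b64: str = SECRET_B64, algorithm: str = ALGORITHM) -> bool:
    """The receiver (master or slave) recomputes the MAC with its own copy of the
    same key and compares in constant time; any change to message or key fails."""
    return hmac.compare_digest(sign(message, secret_b64, algorithm), mac)


# Constructed sample "messages": a zone transfer request and a dynamic update.
AXFR_REQUEST = b"AXFR lpar.co.uk. from 10.47.100.2"
UPDATE = b"UPDATE add newhost.lpar.co.uk. A 10.47.1.50"


def demo() -> dict[str, bool]:
    """Which requests a receiver holding ddns-key accepts."""
    mac = sign(AXFR_REQUEST)
    other_key = base64.b64encode(b"\x00" * 16).decode()   # a different (constructed) key
    return {
        "valid": verify(AXFR_REQUEST, mac),
        "tampered": verify(AXFR_REQUEST.replace(b"100.2", b"100.9"), mac),
        "wrong-key": verify(AXFR_REQUEST, mac, other_key),
        "mac-reused-on-other-message": verify(UPDATE, mac),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28} {'accepted' if accepted else 'rejected'}")
```

Because the same key both signs and verifies, the secret has to be present, and protected, on every server listed in a server or allow-update statement; that is why the same key block appears again in the slave's named.conf later in this unit.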
zone "lpar.co.uk" {
        type master;
        file "named.lpar";
        allow-update { key ddns-key ; };     // allow update only if the request was signed using key ddns-key
        allow-transfer { key ddns-key ; };   // allow zone transfer if the request was signed accordingly
};
zone "47.10.in-addr.arpa" {
        type master;
        file "named.revip47";
        allow-update { key ddns-key ; };
        allow-transfer { key ddns-key ; };
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
Note: allow-update statements can be replaced by:
update-policy {
        grant ddns-key subdomain lpar.co.uk. ANY;
};
update-policy {
        grant ddns-key subdomain 47.10.in-addr.arpa. ANY;
};
Notes:
Zones:
- lpar.co.uk represents the name to IP zone file.
$ORIGIN .               ; start of the domain name space
$TTL 9999999            ; default TTL (16w 3d 17h 46m 39s)
lpar.co.uk IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
        1328            ; serial no. of this zone file
        1d              ; refresh (1 day)
        1h              ; slave retry in case of problem
        4w              ; slave expiration time (4 weeks)
        1h              ; minimum caching time in case of failed lookups
        )
        NS snowwhite.lpar.co.uk.        ; primary
        NS grumpy.lpar.co.uk.           ; slave
        MX 0 snowwhite.lpar.co.uk.      ; mail server
$ORIGIN aix.lpar.co.uk.                 ; sub child domain
dopey   A 10.47.10.23                   ; glue (1. name and IP address of the sub domain master DNS server)
; host records ... Continued on next page
Notes:
The $ORIGIN directive (standardized in RFC 1035) defines the domain name that will be
appended to any incomplete name defined in a resource record. An incomplete name is
one that does not end in a dot (.). In traditional BIND documentation, it is more common to
see the name zone file start like this:
$ORIGIN lpar.co.uk.
$TTL <value>
@ IN SOA ……. ( ………..
)
However in AIX, the named daemon will change the format of the $ORIGIN statements as
shown in the visual when the dynamic update process is invoked.
The $TTL is the default time to live for all resource records. This is the maximum amount of
time that other name servers are allowed to cache the answer.
arithmetically higher than that currently stored by the slave, then a zone transfer is
initiated.
• Refresh. Indicates the time when the slave will try to refresh the zone from the master.
• Retry. Defines the time between retries if the slave fails to contact the master when
refresh (above) has expired.
• Expiry. Indicates when the zone data is no longer authoritative. Used by slave servers
only. BIND9 slaves stop responding to queries for the zone when this time has expired
and no contact has been made with the master.
• Negative caching TTL. RFC 2308 (implemented by BIND 9) redefined this value to be
the negative caching time. In previous BIND versions (4 and 8), this value was the
global TTL. The negative caching TTL is the time a name error (NXDOMAIN) result
might be cached by a resolver. Negative caching is useful because it reduces the
response time for negative answers. It also reduces the number of messages that have
to be sent between resolvers and name servers, thereby reducing overall network traffic.
A large proportion of DNS traffic on the Internet could be eliminated if all resolvers
implemented negative caching. With this in mind, negative caching should no longer be
seen as an optional part of a DNS resolver.
• The mail servers (MX records).
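How a slave acts on these fields, as an added Python example (not course code). The serial comparison is RFC 1982 serial number arithmetic, which is what "arithmetically higher" means for a 32-bit serial that can wrap around; the timer function classifies a zone as fresh, due for refresh, waiting for retry, or expired from the refresh, retry and expire values in seconds (the example's 1d, 1h and 4w are 86400, 3600 and 2419200). The function names and the sample serials are assumptions made for the example.

```python
"""Slave-side decisions driven by the SOA fields described above.

Added example, not course code: serial comparison in RFC 1982 serial number
arithmetic and a classification of the zone by the refresh/retry/expire timers.
"""
from __future__ import annotations

SERIAL_MASK = (1 << 32) - 1
SERIAL_HALF = 1 << 31


def serial_newer(candidate: int, current: int) -> bool:
    """True when `candidate` is greater than `current` in 32-bit serial arithmetic.

    Greater means: fewer than 2**31 steps ahead, modulo 2**32, so a serial that
    wrapped past 4294967295 still counts as newer. Equal serials are not newer,
    and a distance of exactly 2**31 is undefined by RFC 1982 and treated as not newer.
    """
    diff = (candidate - current) & SERIAL_MASK
    return 0 < diff < SERIAL_HALF


def slave_should_transfer(master_serial: int, slave_serial: int | None) -> bool:
    """A slave with no copy yet, or whose copy has an older serial, starts a zone transfer."""
    return slave_serial is None or serial_newer(master_serial, slave_serial)


def slave_zone_state(since_last_success: int, since_last_attempt: int,
                     master_reachable: bool, refresh: int, retry: int, expire: int) -> str:
    """Classify a slave's zone from the SOA timers (all values in seconds).

    "serve"   : fresh, keep answering, nothing to do yet
    "refresh" : refresh interval passed, ask the master for its serial
    "wait"    : master unreachable, still serving, retry interval not yet passed
    "retry"   : master unreachable and retry interval passed, contact it again
    "expired" : no contact for `expire` seconds, a BIND 9 slave stops answering
    """
    if since_last_success >= expire:
        return "expired"
    if since_last_success < refresh:
        return "serve"
    if master_reachable:
        return "refresh"
    return "retry" if since_last_attempt >= retry else "wait"


if __name__ == "__main__":
    # The course's values: refresh 1d, retry 1h, expire 4w, serial 1328.
    print(slave_should_transfer(1329, 1328), serial_newer(0, SERIAL_MASK))
    print(slave_zone_state(2 * 86400, 600, False, 86400, 3600, 4 * 604800))
```

The practical consequence of the arithmetic is the usual operator mistake: lowering a serial (for instance after restoring an old zone file) makes the master look older than the slaves, so no transfer happens until the serial is raised past theirs again.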
The $ORIGIN following the SOA identifies the child domain (aix.lpar.co.uk). Two records
are required, known as glue records because they bind together the parent and child
domains. The first glue record is an A record and identifies the name and IP address of the
master DNS server in the sub domain. This record must be under the sub domain
$ORIGIN. The second glue record identifies the NS record of the master DNS server and
must be under the $ORIGIN of the parent domain (shown in the next visual).
$ORIGIN lpar.co.uk.
aix             NS      dopey.aix       ; glue (2. NS record for sub domain)
snowwhite       A       10.47.1.33
www             CNAME   snowwhite
data            A       10.47.1.38
dino            A       10.47.1.30
ds4300A         A       10.47.100.98
ds4300B         A       10.47.100.99
ernie           A       10.47.1.18
fred            A       10.47.1.10
grumpy          A       10.47.100.2
grumpy-fsp      A       10.47.100.254
hmc1            A       10.47.1.133
hmc2            A       10.47.1.134
hmc3            A       10.47.1.135
kyle            A       10.47.1.22
localhost       CNAME   loopback
loopback        A       127.0.0.1
Notes:
The rest of the information identifies the authoritative data for the zone.
• NS = Nameserver
• A = Address
• CNAME = Alias
IP zone file (1 of 2)
$ORIGIN .
$TTL 9999999            ; 16 weeks 3 days 17 hours 46 minutes 39 seconds
47.10.in-addr.arpa. IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
        754             ; serial no. of this zone file
        1d              ; refresh (1 day)
        1h              ; slave retry in case of problem
        4w              ; slave expiration time (4 weeks)
        1h              ; minimum caching time in case of failed lookups
        )
        NS snowwhite.lpar.co.uk.
        NS grumpy.lpar.co.uk.
; PTR records ... Continued on next page
Notes:
Names in DNS are set up in a hierarchy. To resolve an address, the system traces the
hierarchy, contacting a server for each sub domain in the name. Since this structure is
based on name, there is no easy way to translate a host address back into its host name.
The in-addr.arpa domain was created to allow reverse translation. This domain
uses the address of a host to point to the name and data for that host.
Valid resource record types are: Start of authority (SOA), name server (NS), and domain
name pointer (PTR).
There should be one reverse hosts data file per network.
Note: Since all systems are on the same network (10.47/16), only one IP zone file is required.
IP zone file (2 of 2)
$ORIGIN 1.47.10.in-addr.arpa.
10      PTR     fred.lpar.co.uk.
100     PTR     vios1.lpar.co.uk.
101     PTR     vios2.lpar.co.uk.
12      PTR     neo.lpar.co.uk.
133     PTR     hmc1.lpar.co.uk.
134     PTR     hmc2.lpar.co.uk.
135     PTR     hmc3.lpar.co.uk.
14      PTR     trinity.lpar.co.uk.
33      PTR     zion.lpar.co.uk.
30      PTR     dino.lpar.co.uk.
31      PTR     sleepy.lpar.co.uk.
$ORIGIN 100.47.10.in-addr.arpa.
100     PTR     theswitch.lpar.co.uk.
22      PTR     grumpy.lpar.co.uk.
254     PTR     grumpy-fsp.lpar.co.uk.
98      PTR     ds4300A.lpar.co.uk.
99      PTR     ds4300B.lpar.co.uk.
Notes:
The $ORIGIN identifies the network. Only the final octet of the IP is required as a pointer to
the host name, which must be specified as an FQDN.
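A parser for the zone file conventions used in these files, as an added Python example (not the course's code, and not how named itself parses them): it applies $ORIGIN to relative names and to "@", as the $ORIGIN note two pages back describes, takes the default from $TTL, skips the parenthesised SOA body, and then cross-checks every A record of a name zone against the PTR records of an IP zone, which is the forward/reverse consistency stressed earlier in the unit. NAME_ZONE and IP_ZONE are constructed samples shaped like named.lpar and named.revip47 (example.test names, 192.0.2.x addresses), with one host missing a PTR and one whose PTR names a different host so that the report shows both failures.

```python
"""Zone file parser ($ORIGIN, $TTL, relative names) and an A-versus-PTR cross-check.

Added example, not course code. NAME_ZONE and IP_ZONE are constructed samples
shaped like the course's named.lpar and named.revip47; they are not those files.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Record:
    name: str    # owner, always absolute (ends with '.')
    ttl: int
    rtype: str
    rdata: str   # absolute name for name-valued types, otherwise the raw last field

NAME_TYPES = {"NS", "CNAME", "PTR", "MX"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(value: str) -> int:
    """'9999999' -> seconds as given; '1d', '4w' and so on -> converted to seconds."""
    return int(value) if value.isdigit() else int(value[:-1]) * UNITS[value[-1].lower()]


def absolutize(name: str, origin: str) -> str:
    """Apply $ORIGIN: '@' is the origin itself; a name without a trailing dot gets it appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text: str, origin: str = ".") -> list[Record]:
    """Parse lines of the form [owner] [ttl] [IN] type rdata ; comment.

    A line starting with whitespace reuses the previous owner. The SOA record
    is recognised only so that its parenthesised field list can be skipped.
    """
    records: list[Record] = []
    default_ttl, last_owner, in_soa = 0, origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if in_soa:                                    # inside "( serial refresh ... )"
            in_soa = ")" not in line
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        owner = last_owner if raw[0].isspace() else absolutize(fields.pop(0), origin)
        last_owner = owner
        ttl = parse_ttl(fields.pop(0)) if fields[0][0].isdigit() else default_ttl
        if fields[0] == "IN":
            fields.pop(0)
        rtype = fields.pop(0)
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        rdata = absolutize(fields[-1], origin) if rtype in NAME_TYPES else fields[-1]
        records.append(Record(owner, ttl, rtype, rdata))
    return records


def reverse_name_v4(address: str) -> str:
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa."


def check_a_against_ptr(forward: list[Record], reverse: list[Record]) -> dict[str, str]:
    """For each A record: 'ok', 'no-ptr', or 'mismatch:<name the PTR actually gives>'."""
    ptrs = {r.name: r.rdata for r in reverse if r.rtype == "PTR"}
    report: dict[str, str] = {}
    for r in (r for r in forward if r.rtype == "A"):
        target = ptrs.get(reverse_name_v4(r.rdata))
        report[r.name] = "no-ptr" if target is None else ("ok" if target == r.name else f"mismatch:{target}")
    return report


NAME_ZONE = """\
$ORIGIN .                       ; constructed sample, shaped like named.lpar
$TTL 1d
example.test IN SOA ns1.example.test. root.ns1.example.test. (
        1328 1d 1h 4w 1h )      ; serial refresh retry expire negative-caching TTL
        NS      ns1.example.test.
$ORIGIN sub.example.test.       ; child domain
child   A       192.0.2.33      ; glue (1. address of the child master)
$ORIGIN example.test.
sub     NS      child.sub       ; glue (2. NS record for the child)
ns1     A       192.0.2.1
www     CNAME   ns1
data    A       192.0.2.38      ; no PTR in the reverse zone below
fred    A       192.0.2.10      ; the PTR below names a different host
"""

IP_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.   ; constructed sample, shaped like named.revip47
$TTL 1d
1       PTR     ns1.example.test.
10      PTR     zion.example.test.
33      PTR     child.sub.example.test.
"""

if __name__ == "__main__":
    for name, status in check_a_against_ptr(parse_zone(NAME_ZONE), parse_zone(IP_ZONE)).items():
        print(f"{name:26} {status}")
```

Run against a real pair of zone files (read the text from disk instead of the two constants) this gives the same answer as walking every host with host or dig, but offline and before the zones are loaded.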
$TTL 86400              ; 1 day
; SOA.
0.0.127.in-addr.arpa. IN SOA snowwhite.lpar.co.uk. root.snowwhite.lpar.co.uk. (
        1               ; serial no. of this zone file
        1d              ; refresh (1 day)
        1h              ; slave retry in case of problem
        4w              ; slave expiration time (4 weeks)
        1h              ; minimum caching TTL
        )
        IN NS snowwhite.lpar.co.uk.
1       IN PTR localhost.
Notes:
The local IP zone file contains the local loopback address for the network 127.0.0.1. Valid
resource record types are: Start of authority (SOA), name server (NS), and domain name
pointer (PTR).
• Create resolv.conf
# cat /etc/resolv.conf
domain lpar.co.uk
nameserver 0.0.0.0
search lpar.co.uk aix.lpar.co.uk
• Start the named subsystem, now.
# startsrc -s named
or
• Use SMIT to start it now and on system restarts
# smit named
Start using the named subsystem > BOTH
Notes:
• The nameserver entry identifies the IP addresses of name servers to query. In this case, as
the host is the nameserver, 0.0.0.0 can be used.
• The search entry identifies the domain suffix search order to query for the answer.
The final step is to start the named subsystem. This can be done using the startsrc
command, but you are likely to want this service to start persistently through reboots.
The recommended method to make the named service persistent is to use SMIT to start it
as a server network service. The fast path is named.
SMIT will execute an undocumented SMIT subcommand:
/usr/sbin/chrctcp -S -a named
• Create local IP zone file (for the loopback address) *
• Create hints file (optional) *
• Create /etc/resolv.conf *
• Start named daemon *
• On start up, name and IP zone files will be downloaded from the master. This process is known as zone transfer.
– When the primary server zone files are changed, the server, by default, will inform slaves of the incremental change. This process is known as notify.
– Notify will lead to a zone transfer. Zone transfers are either:
• Incremental (IXFR)
• Full (AXFR)
* Same process as the master
Notes:
The steps for creating a slave are similar to those for creating a master except there are no
zone files to create, since they are downloaded from the master.
// lpar.co.uk DNS slave nameserver
options {
        directory "/etc/named";
};
// secure TSIG key for server-server comms
key ddns-key {
        algorithm hmac-md5;
        secret "yyvt9Oeax2MWqxUi8xtbuw==";
};
// Use the secure TSIG key when communicating with the primary server
server 10.47.1.33 {
        keys { ddns-key ; };
};
zone "lpar.co.uk" {
        type slave;
        masters { 10.47.1.33 ; };
        file "named.lpar.slave";
};
zone "47.10.in-addr.arpa" {
        type slave;
        masters { 10.47.1.33 ; };
        file "named.revip47.slave";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
Notes:
The differences are: type is set to slave, followed by the masters statement identifying the IP
address of the master server.
– ftp://ftp.rs.internic.net/domain/named.root
// example caching-only DNS file (/etc/named.conf)
acl "education_net" { 10.47.0.0/16; };
options {
        directory "/etc/named";
        allow-query { "education_net"; };
        forwarders { 10.47.1.33; 10.47.100.2; };   // Forwarder: send recursive queries to snowwhite and grumpy
};
zone "." {
        type hint;
        file "named.hint";                         // Caching-only: send external queries to root servers
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
Notes:
The example shown in the visual shows a combination of both a caching-only and
forwarder name server. When the server receives a query, the following search is
performed:

hierarchy, usually the root name servers. When BIND is compiled, it contains a built-in list
of default root name servers. Therefore, the hint zone is optional, especially if
bos.net.tcp.server is updated on a regular basis. If not, every few months or so, the latest
root name server list should be pulled from ftp://ftp.rs.internic.net/domain/named.root and
placed in the hint file (see next visual).
Note: If a sub child domain is isolated, for example, has no valid route to the Internet and
the hints zone contains the details of the parent DNS servers, queries sent to the parent
are iterative. In this case, this means that the parent will not return RR zone data that is not
authoritative. For this reason, sub domain servers use the forwarders option as shown in
the visual.
© Copyright IBM Corp. 2010, 2013 Unit 8. DNS and BIND 8-31
;; example named.hint file (/etc/named/named.hint)
.                       3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.     3600000      AAAA  2001:503:BA3E::2:30
;; root servers B through L removed for clarity
.                       3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.     3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.     3600000      AAAA  2001:DC3::35
;; End of File
– For example:
  • Parent domain = lpar.co.uk
  • Sub domain 1 = aix.lpar.co.uk
  • Sub domain 2 = linux.lpar.co.uk
• Parent master servers require glue records to identify child sub domains
  – These are specified in the name and IP zone files

$ORIGIN aix.lpar.co.uk.              ;; sub domain
dopey       A    10.47.10.23         ;; glue
$ORIGIN lpar.co.uk.
aix         NS   dopey.aix           ;; delegation; the A record above is its glue
Notes:
Creating a sub domain structure is identical to creating the parent master and slave DNS servers. The additional effort required is in the creation of the delegation (NS) records in the parent zone and the glue records, as shown in the visual. Glue is only needed when the name server for the sub domain has a name inside the sub domain itself (dopey.aix.lpar.co.uk here): without the A record in the parent zone, a resolver following the delegation would have to resolve dopey.aix.lpar.co.uk, which requires the very delegation it is trying to follow.
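The following Python script, added here as an example and not taken from the course, parses the subset of master-file syntax used in the two visuals above ($ORIGIN, relative and absolute names, optional TTL and class, ; comments) and then checks that every delegation whose name server lies inside the delegated zone has an address record to serve as glue. The same check applied to a hint file, where every listed root server needs an address, covers the named.hint visual as well. The sample inputs are constructed from the visuals; the linux delegation without glue and the BAD_HINTS file are deliberate mistakes added to show a failing check.

```python
"""Parse the master-file subset used in the visuals and check delegation glue.

Added example, not course code.  Sample inputs are constructed from the visuals.
"""
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata); TTL and class are dropped
CLASSES = {"IN", "CH", "HS"}


def absolute(name: str, origin: str) -> str:
    """Turn a master-file name into a lower-case FQDN with trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower() if origin != "." else (name + ".").lower()


def parse_zone(text: str, origin: str = ".") -> List[Record]:
    """Handle $ORIGIN, ';' comments, optional TTL/class and a blank owner column."""
    if not origin.endswith("."):
        origin += "."
    records: List[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and friends do not matter for this check
        if line[0] in " \t":
            owner = last_owner  # leading blank: reuse the previous owner name
        else:
            owner = absolute(tokens.pop(0), origin)
            last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)  # skip optional TTL and class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = absolute(rdata, origin)  # name-valued rdata is relative to $ORIGIN too
        records.append((owner, rtype, rdata))
    return records


def missing_glue(records: List[Record]) -> List[str]:
    """Name servers that need an address record in this file but have none.

    Glue is needed when the NS target lies inside the zone the NS record
    delegates (or anywhere, for a hints file whose owner is the root): a
    resolver cannot look the name up without first following the very
    delegation it is trying to resolve.
    """
    has_address = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = []
    for owner, rtype, target in records:
        if rtype != "NS":
            continue
        in_bailiwick = owner == "." or target == owner or target.endswith("." + owner)
        if in_bailiwick and target not in has_address:
            missing.append(target)
    return missing


# Constructed from the named.hint visual (servers B through L omitted).
HINTS = """\
.                     3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.   3600000      AAAA  2001:503:BA3E::2:30
.                     3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.   3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.   3600000      AAAA  2001:DC3::35
"""

# Constructed mistake: a hint entry with no address for the listed server.
BAD_HINTS = ".   3600000  IN  NS  M.ROOT-SERVERS.NET.\n"

# Constructed from the sub domain visual, plus a delegation that forgot its glue.
PARENT_ZONE = """\
$ORIGIN aix.lpar.co.uk.
dopey    A    10.47.10.23      ; glue for the delegated sub domain
$ORIGIN lpar.co.uk.
aix      NS   dopey.aix        ; delegation
linux    NS   sneezy.linux     ; delegation with NO glue (constructed mistake)
"""

if __name__ == "__main__":
    print("hints missing glue:", missing_glue(parse_zone(HINTS)))
    print("parent zone missing glue:", missing_glue(parse_zone(PARENT_ZONE, "lpar.co.uk")))
```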
Sub-domain /etc/named.conf file
options {
    forwarders { 10.47.1.33; 10.47.100.2; };
    ...
};
Notes:

There are no glue records as such from the sub domain perspective. However, the sub domain does need to know the IP addresses of the parent domain servers. This is handled via the forwarders statement within the global options. Optionally, a hints file can be defined which identifies the parent servers. However, note that queries sent to hint servers in this way are non-recursive. This means that if the parent does not know the answer, the process stops.
– Add any optional records, for example CNAME (aliases)
– Increase serial value in SOA record
• Update IP zone file
  – Add IP address entry PTR record for each interface
  – Increase serial value in SOA record
• Refresh named

Note: If zones have been protected they cannot be updated manually!

zone "lpar.co.uk" {
    allow-update { key ddns-key; };
};
Notes:

To remove a host, update the above files by deleting the host instead of adding the host. Remember to always refresh the named daemon.

A zone that accepts dynamic updates (allow-update) keeps its changes in a journal file (the zone file name with .jnl appended) and rewrites the zone file itself; editing that zone file by hand while named is running leaves the file and the journal inconsistent. To edit such a zone manually, run rndc freeze for the zone, edit the file, increase the serial, and then run rndc thaw.
• Remember, DHCP servers need to dynamically update DNS zone files.
• Dynamic updates can be done:
  – With no security (not recommended)
  – Using ACLs (not recommended)
  – Using secure transaction signatures or TSIGs (recommended)
• Transaction signatures (TSIGs) are the preferred choice for server-to-server communication, including:
  – Dynamic update
  – Zone transfer
  – Notify
Notes:

Updating DNS files manually is not only tedious but also error prone. All updates ideally should be handled through the dynamic update function.

Networking and the explosive growth of the Internet have led to IP address assignment becoming much more dynamic. Today, most clients get their addresses and network specific information via DHCP.

In the dynamic update process, the DHCP server owns the IP address which it allocates to the DHCP client and therefore is responsible for updating the DNS PTR reverse zone record. In most situations, the DHCP client owns its host name and is responsible for updating the DNS A zone record. However, the DHCP server or client can also update both

Address-based ACLs (for example allow-update { 10.47.0.0/16; }) are not recommended because updates normally travel over UDP and the source address is trivially spoofed; anyone who can forge a packet from the trusted range can add or delete records. A TSIG key authenticates the update itself with a shared secret, so only holders of the key can change the zone.
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-key
Kddns-key.+157+58541
# ls
Kddns-key.+157+58541.key  Kddns-key.+157+58541.private
# cat Kddns-key.+157+58541.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: yyvt9Oeax2MWqxUi8xtbuw==

Insert the key into the /etc/named.conf file

key ddns-key {
    algorithm hmac-md5;
    secret "yyvt9Oeax2MWqxUi8xtbuw==";
};
Notes:

TSIG keys are generated using the dnssec-keygen command (here a 128-bit HMAC-MD5 host key named ddns-key). The hmac-md5 secret is to be extracted from the private key file and inserted into /etc/named.conf as shown in the visual. The same secret must also be given to every client that will send updates, so treat it as a password: keep the K*.private file and any named.conf that contains it readable only by root and the user named runs as, and prefer a stronger algorithm such as hmac-sha256 where both ends support it, since HMAC-MD5 is retained only for compatibility.
• Adding hosts
  – Binary: /usr/sbin/nsupdate

/usr/sbin/nsupdate -d -y ddns-key:yyvt9Oeax2MWqxUi8xtbuw== <<- EOF
update add 101.100.47.10.in-addr.arpa $TTL IN PTR dummy.lpar.co.uk.
EOF

/usr/sbin/nsupdate -d -y ddns-key:yyvt9Oeax2MWqxUi8xtbuw== <<- EOF
update add dummy.lpar.co.uk. $TTL IN A 10.47.100.101
EOF

• To remove hosts, substitute delete where add is shown.
• Dynamic updates are usually done through scripts.
  – The most common dynamic DNS update scripts are /usr/sbin/dhcpaction and dhcpremove
  – These are wrapper scripts (around nsupdate) which DHCP uses to dynamically update DNS.
Notes:

Dynamic updates are usually handled through scripts. The supplied binary to invoke a dynamic update is nsupdate. When using BIND version 9 the nsupdate9 binary must be used. To make sure nsupdate9 is invoked when nsupdate is used, type the following:

The -y option reads the secret key in the format key-name:key. Alternatively, the -k option can be used to accept the name of the private key file, for example:
Kddns-key.+157+58541.private

Prefer -k over -y on a multi-user system: a secret passed with -y appears on the command line and is visible to every user in the output of ps for as long as nsupdate runs. The -d (debug) flag prints the update message and the server's reply, which is the quickest way to see a BADKEY, BADSIG or BADTIME TSIG error.

By default, the host will send the dynamic request to the name server specified in /etc/resolv.conf. Alternatively, the name server can be directly specified to the nsupdate command using the server directive.

AIX provides two dynamic DNS wrapper scripts to be used by both DHCP servers and clients to dynamically update the DNS server. These are dhcpaction (for add) and dhcpremove (for delete).
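To make concrete what nsupdate -y does on the wire for the key and the A record shown in the two previous visuals, here is an added Python example (not code from the course or from BIND) that builds the DNS UPDATE message, signs it with a TSIG resource record as RFC 2845 specifies for HMAC-MD5, and then performs the server-side verification: strip the TSIG, recompute the MAC over the original message plus the TSIG variables, compare it in constant time, and reject the update if the time signed falls outside the fudge window. The key name and secret are the ones from the visual; the message ID and timestamp are fixed constants so the output is reproducible. Name compression and response-MAC chaining are omitted, and the TSIG record is located by searching for the key name, which is a simplification of a full message parser.

```python
"""Build, sign (TSIG/HMAC-MD5) and verify a DNS UPDATE message.

Added example, not course or BIND code.  Mirrors what
  nsupdate -y ddns-key:yyvt9Oeax2MWqxUi8xtbuw==
does for "update add dummy.lpar.co.uk. 3600 IN A 10.47.100.101".
"""
import base64
import hashlib
import hmac
import struct

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
HMAC_MD5_ALG = "hmac-md5.sig-alg.reg.int."

# Key from the visual; message id and timestamp are fixed so output is reproducible.
KEY_NAME = "ddns-key"
SECRET_B64 = "yyvt9Oeax2MWqxUi8xtbuw=="
MSG_ID = 0x1234
TIME_SIGNED = 1240223747


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, terminated by a 0 byte."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def header_counts(message: bytes) -> tuple:
    """(id, opcode, zocount, prcount, upcount, adcount) from the 12-byte header."""
    mid, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", message[:12])
    return mid, (flags >> 11) & 0xF, zo, pr, up, ad


def build_update(zone: str, owner: str, ttl: int, ipv4: str, msg_id: int) -> bytes:
    """UPDATE request: ZOCOUNT=1 (zone SOA), UPCOUNT=1 (the A record to add)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    update_rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr


def tsig_variables(key_name: str, time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """RFC 2845 3.4.2: key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(HMAC_MD5_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)


def sign(message: bytes, key_name: str, secret_b64: str, time_signed: int, fudge: int = 300) -> bytes:
    """Append the TSIG RR; the MAC covers the unsigned message plus the TSIG variables."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, message + tsig_variables(key_name, time_signed, fudge), hashlib.md5).digest()
    rdata = (encode_name(HMAC_MD5_ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + message[:2]                       # original message id
             + struct.pack("!HH", 0, 0))         # error, other len
    tsig_rr = encode_name(key_name.lower()) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1   # TSIG counts in the additional section
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify(signed: bytes, key_name: str, secret_b64: str, now: int) -> bool:
    """Server side: strip TSIG, recompute MAC, constant-time compare, enforce the fudge window."""
    key = base64.b64decode(secret_b64)
    marker = encode_name(key_name.lower()) + struct.pack("!HH", TYPE_TSIG, CLASS_ANY)
    pos = signed.rfind(marker)  # simplification: a real parser walks every section
    if pos < 0:
        return False
    rdata = signed[pos + len(marker) + 6:]  # skip TTL (4) and RDLENGTH (2)
    alg = encode_name(HMAC_MD5_ALG)
    if not rdata.startswith(alg):
        return False
    t_hi, t_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[len(alg):len(alg) + 10])
    time_signed = (t_hi << 32) | t_lo
    mac = rdata[len(alg) + 10:len(alg) + 10 + mac_len]
    tail = len(alg) + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", rdata[tail:tail + 6])
    other = rdata[tail + 6:tail + 6 + other_len]
    # Reconstruct the message as it was when signed: original id, ARCOUNT - 1, no TSIG.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:pos]
    expected = hmac.new(key, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.md5).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge


if __name__ == "__main__":
    msg = build_update("lpar.co.uk.", "dummy.lpar.co.uk.", 3600, "10.47.100.101", MSG_ID)
    signed = sign(msg, KEY_NAME, SECRET_B64, TIME_SIGNED)
    print(len(msg), "unsigned bytes,", len(signed), "signed bytes")
    print("verify:", verify(signed, KEY_NAME, SECRET_B64, TIME_SIGNED + 10))
```

The fudge window (300 seconds by default) is why clocks on the DHCP server and the name server must agree: a correct key with a skewed clock produces BADTIME, not BADSIG.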
Client set up
• Create /etc/resolv.conf

domain lpar.co.uk            # The domain the client belongs to (only 1 domain!)
                             # nameservers to query. Can specify up to 16 nameservers.
nameserver 10.47.110.90      # Hit the caching/forwarders. Server 1
nameserver 10.47.110.91      # Server 2
                             # query using the following suffix order
search lpar.co.uk aix.lpar.co.uk
Notes:

On the client, the /etc/resolv.conf file contains the default domain name for the system and the name servers it uses for name resolution. The domain name is the domain in which this host resides. The client can list anywhere from one to a maximum of 16 name servers in this file. The servers are tried in the order listed; once an active name server is found, the search through this list stops.

The search directive specifies the domain suffixes to append when looking for the answer. For example, using the /etc/resolv.conf file in the visual, if # nslookup test were typed on the host, the host would attempt to resolve test.lpar.co.uk and then test.aix.lpar.co.uk. The search process stops on the first successful query. Note that domain and search both set the default domain, so when both appear the last one read takes effect. The search list should contain only suffixes under your own control, because every short name typed on the client is sent to each of those domains in turn.
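As an added Python example (not from the course), the following parses the /etc/resolv.conf shown in the visual and lists, in order, the names a BIND-derived resolver will try for a given input. It applies the rules from the notes: suffixes from the search list are tried in order, a name ending in a dot is absolute and tried as-is, domain and search override each other with the last one winning, and the 16-server limit is enforced. The ndots handling (a name that already contains at least one dot is tried as-is before the suffixes) is the standard BIND resolver default, assumed here to apply to the AIX resolver; the nslookup test walk-through in the notes is the case it reproduces.

```python
"""Parse /etc/resolv.conf and list the names the resolver will try, in order.

Added example, not course code.  RESOLV_CONF is constructed from the visual.
"""
from typing import Dict, List

MAXNS = 16  # the course states AIX accepts up to 16 nameserver entries

RESOLV_CONF = """\
domain lpar.co.uk            # The domain the client belongs to
nameserver 10.47.110.90      # Server 1
nameserver 10.47.110.91      # Server 2
search lpar.co.uk aix.lpar.co.uk
"""


def parse_resolv_conf(text: str) -> Dict[str, object]:
    """Return nameservers (capped at MAXNS), the effective search list and ndots."""
    cfg: Dict[str, object] = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            if len(cfg["nameservers"]) < MAXNS:     # entries beyond the limit are ignored
                cfg["nameservers"].append(args[0])
        elif key in ("domain", "search") and args:
            # domain and search are alternatives: whichever is read last wins.
            cfg["search"] = [args[0]] if key == "domain" else list(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg


def candidates(name: str, cfg: Dict[str, object]) -> List[str]:
    """Lookup order for `name`: absolute names as-is, otherwise suffixes then the bare name."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in cfg["search"]]
    bare = name + "."
    # Standard BIND resolver rule (assumed for AIX): a name with at least ndots
    # dots is tried as-is first; a short name goes through the search list first.
    if name.count(".") >= cfg["ndots"]:
        return [bare] + suffixed
    return suffixed + [bare]


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for query in ("test", "www.bbc.co.uk", "alex.lpar.co.uk."):
        print(query, "->", candidates(query, conf))
```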
• The default search order on AIX is: DNS, NIS (auth), local
• To change the default order to local followed by bind:
  – Append to /etc/netsvc.conf
    • hosts = local, bind
  OR
  – Set environment variable NSORDER in /etc/environment
    • NSORDER=local,bind
• Change is effective at next login or process start
• NSORDER overrides /etc/netsvc.conf
Notes:

The default name resolution order can be changed on AIX using either the /etc/netsvc.conf file or the NSORDER environment variable. In certain environments, for example systems which are made highly available (using PowerHA), the system should always resolve first using the local /etc/hosts file and then DNS, so that cluster nodes can still find each other when the name servers are unreachable.

• nis+ Uses NIS plus services for resolving names. NIS plus must be running if you specify this option.
• ldap Uses LDAP services for resolving names
• ldap_nis Uses LDAP NIS services for resolving names
• bind4 Uses BIND/DNS services for resolving only IPv4 addresses
• bind6 Uses BIND/DNS services for resolving only IPv6 addresses
• local4 Searches the local /etc/hosts file for resolving only IPv4 addresses
• local6 Searches the local /etc/hosts file for resolving only IPv6 addresses
• nis4 Uses NIS services for resolving only IPv4 addresses
• nis6 Uses NIS services for resolving only IPv6 addresses
• nis+4 Uses NIS plus services for resolving only IPv4 addresses
• nis+6 Uses NIS plus services for resolving only IPv6 addresses
• ldap4 Uses LDAP services for resolving only IPv4 addresses
• ldap6 Uses LDAP services for resolving only IPv6 addresses
• ldap_nis4 Uses NIS LDAP services for resolving only IPv4 addresses
• ldap_nis6 Uses NIS LDAP services for resolving only IPv6 addresses
Client resolvers (1 of 2)
• host

# host mach1
mach1.aix.lpar.co.uk is 10.47.10.101
# host 10.47.10.101
mach1.aix.lpar.co.uk is 10.47.10.101

• nslookup
  – Two modes: interactive and non-interactive

Non-interactive example:

# nslookup www.bbc.co.uk
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.bbc.co.uk   canonical name = www.bbc.net.uk.
Name:   www.bbc.net.uk
Address: 212.58.253.67
Notes:

The host command returns the Internet address of a host machine when the host name parameter is specified and the name of the host when the address parameter is specified. Depending on the configuration of the name resolution service, the host command might also display any aliases associated with the host name parameter.

The nslookup command queries only domain name servers and responds similarly to the host command when used non-interactively. An interactive session allows you to repeatedly query information without leaving the nslookup program. The > prompt is the interactive input symbol to continue; exit terminates the nslookup program. The nslookup command has many options. Refer to the system documentation for further details.
Client resolvers (2 of 2)
# dig @10.47.1.33 alex.lpar.co.uk A

; <<>> DiG 9.4.1 <<>> @10.47.1.33 alex.lpar.co.uk A
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 344
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;alex.lpar.co.uk.                IN      A

;; ANSWER SECTION:
alex.lpar.co.uk.        9999999 IN      A       10.47.110.90

;; AUTHORITY SECTION:
lpar.co.uk.             9999999 IN      NS      snowwhite.lpar.co.uk.
lpar.co.uk.             9999999 IN      NS      grumpy.lpar.co.uk.

;; ADDITIONAL SECTION:
grumpy.lpar.co.uk.      9999999 IN      A       10.47.100.2
snowwhite.lpar.co.uk.   9999999 IN      A       10.47.1.33

;; Query time: 0 msec
;; SERVER: 10.47.1.33#53(10.47.1.33)
;; WHEN: Mon Apr 20 10:50:51 2009
;; MSG SIZE  rcvd: 126
Notes:

The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s). Most DNS administrators use the dig command to troubleshoot DNS problems because of its flexibility, ease of use, and clarity of output. The general form used in the visual is dig @server name type. In the output, the aa flag confirms that 10.47.1.33 (snowwhite) answered as an authority for lpar.co.uk rather than from cache, and ra shows that the server also offers recursion.

Where:
• server is the name or IP address of the name server to query. If no server argument is given, dig consults /etc/resolv.conf and queries the name servers listed there.
• name is the name of the resource record to be looked up. If no name is given, then dig
Client caching
• AIX 6.1 (and later) clients can use a new network caching daemon (netcd) to cache lookup responses to improve performance by reducing latency.
• Caches are held in memory (hashed tables).
  – Local based, for example /etc/hosts
  – Network based, for example DNS
• Start up and stop through standard SRC commands
  – netcd is not activated by default
  – Management through command netcdctrl
  – Configuration file: /etc/netcd.conf
  – No SMIT panels exist
Notes:

performance of applications. AIX V6.1 introduced the network caching daemon (netcd) to improve performance for resolver lookups.

The netcd daemon can be used to cache the resolver lookups. Translations for IPv4 and IPv6 are supported. The communication between the resolver and the netcd daemon is
Local resources, such as /etc/hosts, are loaded into local caches at the start up of the netcd daemon. Therefore, local caches contain all entries of the corresponding local resource, and a resolver request to it will always result in a cached netcd reply. In environments with large local resources, resolver lookups to the hashed cache entries will result in faster response time compared to the traditional linear search of the local resource. The netcd daemon will periodically check if the local resources have changed and, if necessary, reload them. The netcd daemon will also cache resolver lookups to a network resource such as DNS. In contrast to local caches, the network caches are created with empty entries during the daemon startup. The netcd daemon will populate the cache with the result of each query at run time. Negative answers from the resource are cached as well. When an entry is inserted into the cache, a time-to-live (TTL) is associated with it. For DNS queries, the TTL value returned by the DNS server is used with the default settings. The netcd daemon will check periodically for expired entries and remove them.

Remember that a change made in DNS is not visible to a client running netcd until the cached entry expires; after correcting a wrong or stale record, flush the relevant cache with netcdctrl rather than waiting for the TTL.
netcd AIX integration
The netcd daemon is delivered as part of the bos.net.tcp.client package. Three new important files are introduced with netcd:
• /usr/sbin/netcd The netcd daemon itself.
• /usr/sbin/netcdctrl The command to manage netcd daemon caches. Operations include dumping caches, flushing caches, changing the logging level of netcd, and displaying statistics.
• /etc/netcd.conf The configuration file (a sample is supplied as /usr/samples/tcpip/netcd.conf).

The netcd daemon is part of the TCP/IP system resource controller (SRC) group. You can use the startsrc, stopsrc, and lssrc commands to control the daemon. The refresh command is not supported.

The daemon is started in the /etc/rc.tcpip script during AIX startup. Note that the daemon is not activated by default. To make the activation of this subsystem persistent through reboots, uncomment the appropriate lines in /etc/rc.tcpip.

There is no SMIT panel available for managing netcd.
netcd example
# cp /usr/samples/tcpip/netcd.conf /etc/netcd.conf
Edit /etc/netcd.conf as appropriate
# startsrc -s netcd

After some time ... dump the cache file:

# netcdctrl -t dns -e hosts -a /tmp/dnscache

>>>>>>>>>>>>>>>>>>>>>>>>>>>> ELEM #1
Expiration date : Mon Apr 20 19:19:20 2009
Ulm or resolver name : dns
Query type : 10100002
Query length : 4
Answer (0: positive; otherwise : negative) : 0
Query key : 1237211734
String used in query : alex
Additional parameters in query:
query param1 : 2
query param2 : 0
Length of cached element : 37
################### hostent
Number of aliases = 0
Number of addresses = 1
Type = 2
Length = 4
Host name = alex.lpar.co.uk
Alias =
Address = 10.47.110.90
#################### end of hostent
>>>>>>>>>>>>>>>>>>>>>>>>>>>> END ELEM #1
Notes:

If the netcd daemon does not detect a configuration file during startup, it will use its default values. The lssrc -ls netcd command provides you with an overview of the currently active configuration:
# lssrc -ls netcd
• The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server.
  – Operations include:
    • Reloading/refreshing zones
    • Stopping the server
    • Querying the status
    • Flushing the server's cache
    • Dumping the server's database
Notes:

BIND includes a utility called rndc that allows you to administer the named daemon, locally or remotely, with command line statements. If you run the rndc command with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.

The rndc command communicates with the name server over a TCP connection (port 953), sending commands authenticated with a keyed hash (HMAC) rather than with public-key digital signatures. In the versions of the rndc command and the named daemon covered here, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server. The
# rndc-confgen -a
# cat /etc/rndc.key
key "rndc-key" {
    algorithm hmac-md5;
    secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Copy the key statement into the /etc/rndc.conf file and add an options statement:

# cp /etc/rndc.key /etc/rndc.conf
# vi /etc/rndc.conf
...
Append to the /etc/rndc.conf file:
options {
    default-server localhost;
    default-key rndc-key;
};
Notes:

To use the remote name daemon control (rndc) facility, you first need to generate a secret key for secure communications between the rndc client and the named daemon. The rndc-confgen -a command will generate a /etc/rndc.key file that contains a key statement with the name rndc-key and the generated key. This key statement uses exactly the same syntax as the key statements used in both the rndc.conf and named.conf configuration files.

The key statement needs to be placed in the /etc/rndc.conf file. If you do not already have an /etc/rndc.conf file, create one with the contents of your rndc.key file.

The /etc/rndc.conf file will also need an options statement which identifies the address of the default name server and the default key statement to use for that name server (the rndc client command can override both the name server and the key to be used).
# cat /etc/rndc.key
key "rndc-key" {
    algorithm hmac-md5;
    secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Copy the key statement into the /etc/named.conf file:

key "rndc-key" {
    algorithm hmac-md5;
    secret "iNKnjkSg7+BMY68ODM6VtQ==";
};

Add a controls statement in /etc/named.conf to permit remote control:

controls {
    inet * allow { localhost; 10.47.0.0/16; } keys { rndc-key; };
};

# refresh -s named
Notes:

The named daemon also needs to know the secret key being used by rndc. Insert the key statement (from /etc/rndc.key) into the /etc/named.conf file.

If the named daemon is to be controlled remotely using rndc, a controls statement needs

control the named daemon remotely if the rndc client on that host uses a secret key that matches what is defined for that network in the controls statement (what is defined in the rndc-key key statement).

Two cautions for the controls statement. inet * listens for control connections on every interface, so the allow list is the only thing keeping the rest of the network from connecting; if rndc is only ever run on the server itself, use inet 127.0.0.1 instead. The allow list and the keys list are both enforced: a connection must come from an allowed address and carry commands signed with a listed key. Anyone who can read rndc.key or the key statement in named.conf can stop the server or flush its cache, so keep both files mode 0600 and owned by root.

The named subsystem must either be stopped and started, or refreshed, in order for it to
rndc examples
# rndc stats
# cat named.stats
+++ Statistics Dump +++ (1240223747)
success 998
referral 0
nxrrset 582
nxdomain 6395
recursion 22
failure 0
duplicate 0
dropped 0
--- Statistics Dump --- (1240223747)

# rndc dumpdb -cache
Note: File is dumped to: <dns-dir>/named_dump.db

# rndc stop
Note: save pending dynamic updates and stop the named daemon
Notes:

The rndc command controls the operation of a name server. If you run the rndc command with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. The rndc command communicates with the name server over a TCP connection, sending commands

• reconfig: Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full reload when there is a large number of zones because it avoids the need to examine the modification times of the zone files.
• stats: Write server statistics to the statistics file.
• querylog: Toggle query logging. Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of named.conf.
• dumpdb: Dump the server's caches to the dump file.
• stop: Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones.
• halt: Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted.
• trace: Increment the server's debugging level by one.
• trace level: Set the server's debugging level to an explicit value.
• notrace: Set the server's debugging level to 0.
• flush: Flush the server's cache.
• status: Display the status of the server.
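The counters written by rndc stats are a cheap detection signal, so here is an added Python example (my own, not part of the course) that parses the named.stats format shown in the visual, computes the share of answers that were NXDOMAIN, and compares consecutive dumps so that the rate since the last dump can be judged rather than the lifetime total. The first dump is the one from the visual; the second and third, taken at hourly intervals, are constructed, the third with a burst of NXDOMAIN answers. A persistently high or suddenly rising NXDOMAIN share usually means misconfigured clients or stale search lists, but it is also what a host generating algorithmically produced or tunnelled lookups looks like from the server side, and is worth correlating with query logging.

```python
"""Parse rndc stats output (named.stats) and flag NXDOMAIN-heavy intervals.

Added example, not course code.  The first dump is from the visual; the other
two are constructed to show a quiet hour followed by an NXDOMAIN burst.
"""
import re
from typing import Dict, List, Tuple

Dump = Dict[str, int]

STATS_FILE = """\
+++ Statistics Dump +++ (1240223747)
success 998
referral 0
nxrrset 582
nxdomain 6395
recursion 22
failure 0
duplicate 0
dropped 0
--- Statistics Dump --- (1240223747)
+++ Statistics Dump +++ (1240227347)
success 1998
referral 0
nxrrset 600
nxdomain 6400
recursion 40
failure 0
duplicate 0
dropped 0
--- Statistics Dump --- (1240227347)
+++ Statistics Dump +++ (1240230947)
success 2100
referral 0
nxrrset 610
nxdomain 14400
recursion 45
failure 0
duplicate 0
dropped 0
--- Statistics Dump --- (1240230947)
"""

ANSWER_COUNTERS = ("success", "referral", "nxrrset", "nxdomain")


def parse_stats(text: str) -> List[Dump]:
    """Each '+++ ... ---' block becomes a dict of counters plus its timestamp."""
    dumps: List[Dump] = []
    current = None
    for line in text.splitlines():
        start = re.match(r"\+\+\+ Statistics Dump \+\+\+ \((\d+)\)", line)
        if start:
            current = {"timestamp": int(start.group(1))}
        elif line.startswith("--- Statistics Dump ---"):
            if current is not None:
                dumps.append(current)
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            if value.strip().isdigit():
                current[name] = int(value)
    return dumps


def nxdomain_ratio(d: Dump) -> float:
    """Share of answered queries that came back NXDOMAIN."""
    answered = sum(d.get(k, 0) for k in ANSWER_COUNTERS)
    return d.get("nxdomain", 0) / answered if answered else 0.0


def delta(older: Dump, newer: Dump) -> Dump:
    """Counter increments between two dumps (named.stats counters are cumulative)."""
    diff = {k: newer.get(k, 0) - older.get(k, 0) for k in newer if k != "timestamp"}
    diff["timestamp"] = newer["timestamp"]
    return diff


def assess(dumps: List[Dump], threshold: float = 0.5) -> List[Tuple[int, float]]:
    """(timestamp, ratio) for each interval whose NXDOMAIN share exceeds the threshold."""
    flagged = []
    for older, newer in zip(dumps, dumps[1:]):
        ratio = nxdomain_ratio(delta(older, newer))
        if ratio > threshold:
            flagged.append((newer["timestamp"], round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    dumps = parse_stats(STATS_FILE)
    for d in dumps:
        print(d["timestamp"], "lifetime NXDOMAIN share:", round(nxdomain_ratio(d), 3))
    print("intervals to investigate:", assess(dumps))
```

The lifetime share of the first dump is already above 80 percent, which on its own says little without knowing the history; the interval view separates a quiet hour (under 1 percent) from the burst that follows it.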
Logging
• All log output is divided into categories and redirected to one of many channels.
  – Category: Output type
  – Channel: Output location, severity information
• There are four predefined channels.
  – default_syslog Send to syslog daemon
  – default_debug Write to file
  – default_stderr Write to stderr
  – null Throw away
• Custom channels can be created.
Notes:

The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options, and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.

Only one logging statement is used to define as many channels and categories as are required.
• Syntax:
  – channel "<channel_name>" {
        ( file path_name
          [ versions ( number | unlimited ) ]
          [ size size_spec ]
        | syslog syslog_facility
        | stderr | null );
        [ severity ( critical | error | warning | notice |
                     info | debug [ level ] | dynamic ); ]
        [ print-category yes_or_no; ]
        [ print-severity yes_or_no; ]
        [ print-time yes_or_no; ]
    };
Notes:

All log output goes to one or more channels. You can make as many channels as you want. Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. Optionally, it can also limit the message severity level that will be accepted by the channel (the default is info) and whether to include a named-generated time stamp, the category name, and the severity level (the default is not to include any).
• Syntax:
  – category "<category_name>" { "channel1"; "channel2"; ... };
• Log output is broken down into 19 categories. Examples:
  – default
  – general
  – database
  – config
  – update
  – client
  – queries
  – notify
Notes:

There are many categories, so you can send the logs you want to see wherever you want without seeing logs you do not want. If you do not specify a list of channels for a category, log messages in that category will be sent to the channels of the default category instead.
logging {
    channel "debug" {
        file "dnsdebug.out" versions 3 size 20m;
        severity debug 3;                // very verbose
        print-time yes;
    };
    channel "syslog" {
        syslog daemon;
        severity info;
    };
    channel "dynamic_updates" {
        file "dynamic_updates";
        severity info;
    };
    category "default" { "debug"; };
    category "security" { "syslog"; };
    category "update" { "dynamic_updates"; };
};
ec vo
Notes:
In this example we have three categories which are directed through three channels.
• default: defines the logging options for those categories where no specific
  configuration has been defined. This category is directed through channel debug. Very
  verbose output is written to three generations of the file dnsdebug.out, each of which
  is at most 20 MB in size. A relative file name is taken from the directory given by the
  options directory statement.
• security: approval and denial of requests. This category is directed through channel
  syslog, so general security information is written to the syslog daemon facility.
• update: dynamic updates. This category is directed through channel dynamic_updates, so
  general dynamic update information is written to the file dynamic_updates.
Severity controls the logging level. Options are critical, error, warning, notice, info,
debug (optionally followed by a level, 1 = low to 3 = high), and dynamic (follow the
server's current debug level as set with rndc trace). Every channel name in a category's
list must end with a semicolon; check the file with named-checkconf after editing.
Leave severity debug 3 on the default category for troubleshooting only: at that level
named logs almost everything it does, and three 20 MB files wrap quickly on a busy server.
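Detection logic over the lines the security category above sends to the syslog channel, as an added Python example that is not part of the course material: the six log lines are constructed in the form named uses with print-time yes and are not captured from a real server. It counts refused queries, transfers and updates per client and flags the hosts whose pattern looks like a probe for an open resolver or for a zone transfer.

```python
import re
from collections import Counter

# Constructed sample: what named writes to the "syslog" channel for the
# "security" category with print-time yes (not captured from a real server).
SAMPLE_LOG = """\
06-Jun-2013 18:02:11.123 client 203.0.113.7#4321: zone transfer 'lpar.co.uk/IN' denied
06-Jun-2013 18:02:12.004 client 203.0.113.7#4322: query (cache) 'example.com/A/IN' denied
06-Jun-2013 18:02:12.771 client 203.0.113.7#4323: query (cache) 'example.org/A/IN' denied
06-Jun-2013 18:03:40.210 client 10.47.1.50#55001: update 'lpar.co.uk/IN' denied
06-Jun-2013 18:03:41.990 client 10.47.1.50#55002: zone transfer 'lpar.co.uk/IN' denied
06-Jun-2013 18:04:02.001 client 10.0.0.5#1234: received notify for zone 'lpar.co.uk'
"""

# "client <addr>#<port>: <what> '<name>' denied"; any "security: info:" prefix
# that print-category/print-severity would add is simply not part of the match.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?P<what>zone transfer|query \(cache\)|update) '(?P<name>[^']+)' denied"
)

def parse_denials(log_text):
    """Return (client_ip, kind, name) for every refused request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("what"), m.group("name")))
    return hits

def summarize(log_text):
    """Per-client Counter of denial kinds."""
    per_client = {}
    for ip, kind, _name in parse_denials(log_text):
        per_client.setdefault(ip, Counter())[kind] += 1
    return per_client

def flag_clients(log_text, threshold=2):
    """Clients refused recursion or a zone transfer `threshold` or more times:
    the trace an external host leaves when probing for an open resolver or AXFR."""
    return sorted(
        ip for ip, c in summarize(log_text).items()
        if c["query (cache)"] + c["zone transfer"] >= threshold
    )

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Pipe the real syslog file into summarize() instead of SAMPLE_LOG; the update denials from 10.47.1.50 are the ones to chase first, since an internal host trying unsigned updates against a zone that only accepts the ddns-key is either misconfigured or hostile.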
Split DNS
IBM Power Systems
• Split DNS is the process of separating internal and external DNS views
  of your domain data (for security purposes).
• This can be achieved using internal and external name servers or using
  a single DNS server using a new BIND 9 configuration option: views
[Figure: the internal network with its internal name servers and internal zones;
 a DMZ (demilitarized zone) holding the Internet-facing name servers and the
 external zones; and the Internet beyond.]
Notes:
DNS servers are among the most attacked services on the Internet, so it is important for
security that the internal and external data are separated. In practice, external,
Internet-facing DNS servers contain very few RRs, for example those for the WWW, FTP and
mail servers.
In previous versions of BIND, split DNS configurations had to be achieved using different
servers. BIND version 9 allows a single DNS server to split DNS data by creating views.
view "internal" {                       // view header is not on the slide; name assumed
    // All clients on the 10 and 192.168 networks are internal
    // and private.
    match-clients { 10.0.0.0/8; 192.168.0.0/16; };
    // Provide recursive service to internal clients only.
    recursion yes;
    // Internal zones ...
    zone "lpar.co.uk" {
        type master;
        file "named.lpar.internal";
        allow-update   { key ddns-key; };
        allow-transfer { key ddns-key; };
    };
};
Notes:
The view statement is a powerful new feature of BIND 9 that lets a name server answer a
DNS query differently depending on who is asking. It is particularly useful for implementing
split DNS.
Each view statement defines a view of the DNS namespace that will be seen by a subset
of clients. A client matches a view if its source IP address matches the address_match_list
of the view's match-clients clause and its destination IP address matches the
address_match_list of the view's match-destinations clause (which defaults to any). A
client request is resolved in the context of the first view that it matches, so the order
of the view statements in named.conf matters.
Zones defined within a view statement will only be accessible to clients that match the
view. By defining a zone of the same name in multiple views, different zone data can be
given to different clients, for example, internal and external clients in a split DNS setup.
Once any view statement is present, every zone statement (including the root hints zone)
must be placed inside a view.
The visual shows an example of an internal view.
view "external" {                       // view header is not on the slide; name assumed
    // Match all clients not matched by the previous view.
    match-clients { any; };
    // Refuse recursive service to external clients.
    recursion no;
    // Provide a restricted view of the lpar.co.uk zone
    // containing only publicly accessible hosts.
    // For example: www, ftp servers, mail (MX records)
    zone "lpar.co.uk" {
        type master;
        file "named.lpar.external";
    };
};
Notes:
The visual shows an example of an external view. The keyword any allows this view to
be used by any query which was not already matched to previous view statements. This
external view statement must therefore be placed after the internal view statement. The view
restricts access to what is defined in the named.lpar.external zone file. It also rejects
recursive queries.
Note that this zone carries no allow-transfer clause, so it inherits the server-wide
setting; unless that is restricted, any Internet host can pull the whole public zone with
AXFR. Add allow-transfer { none; } (or a list of the secondary servers) to the external
zone as well.
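The selection rule described in the notes for both views (the first view whose match-clients list matches the client wins, so a catch-all any view placed first hides every view after it), as an added Python example that is not part of the course material or of BIND. The view names "internal" and "external", the helper functions and the sample client addresses are the example's own; the zone-file names are the ones on the slides. BIND's real address_match_list grammar is larger (ACL names, TSIG keys) than the subset modelled here.

```python
import ipaddress

# The two views from the slides, in named.conf order. Names are assumed.
VIEWS = [
    {"name": "internal",
     "match_clients": ["10.0.0.0/8", "192.168.0.0/16"],
     "recursion": True,
     "zones": {"lpar.co.uk": "named.lpar.internal"}},
    {"name": "external",
     "match_clients": ["any"],
     "recursion": False,
     "zones": {"lpar.co.uk": "named.lpar.external"}},
]

def matches(addr_list, client_ip):
    """Simplified address_match_list: prefixes, 'any', 'none', and a leading
    '!' for negation; the first element that matches decides (as in BIND)."""
    ip = ipaddress.ip_address(client_ip)
    for element in addr_list:
        negate = element.startswith("!")
        elem = element[1:] if negate else element
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False

def select_view(views, client_ip):
    """First view whose match-clients matches the source address, else None
    (named answers REFUSED when no view matches)."""
    for view in views:
        if matches(view["match_clients"], client_ip):
            return view
    return None

def answer_for(views, client_ip, qname):
    """(view name, action) for a query: authoritative answer from the view's
    zone file, recursion on the client's behalf, or REFUSED."""
    view = select_view(views, client_ip)
    if view is None:
        return (None, "REFUSED (no matching view)")
    for zone, zonefile in view["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            return (view["name"], "authoritative answer from " + zonefile)
    if view["recursion"]:
        return (view["name"], "recursive lookup on behalf of the client")
    return (view["name"], "REFUSED (not authoritative, recursion off)")

def shadowed_views(views):
    """Configuration check: every view listed after a catch-all 'any' view
    can never be selected, whatever its own match-clients says."""
    for i, view in enumerate(views):
        if "any" in view["match_clients"]:
            return [v["name"] for v in views[i + 1:]]
    return []

if __name__ == "__main__":
    for ip in ("10.47.1.33", "192.168.5.9", "203.0.113.7"):
        print(ip, answer_for(VIEWS, ip, "www.lpar.co.uk"))
        print(ip, answer_for(VIEWS, ip, "www.example.com"))
    print("shadowed if the external view came first:", shadowed_views(VIEWS[::-1]))
```

Running shadowed_views() over the reversed list is the check to keep in mind when editing named.conf: with "external" first, internal clients would get the public zone and no recursion, and nothing in the log would say why.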
undocumented weaknesses.
• Servers should be configured so the version information will
  not be disclosed.

  # nslookup
  > set class=chaos
  > set type=txt
  > version.bind
  Server:         10.47.1.33
  Address:        10.47.1.33#53

  version.bind    text = "9.4.1"

  The same result can be achieved with dig:
  # dig @10.47.1.33 version.bind txt chaos
Notes:
The visual illustrates how nslookup or dig can identify the version of BIND being used on a
server. An attacker can use this to narrow an attack to the known vulnerabilities of
that version. Hiding the banner raises the cost of that reconnaissance but does not remove
the vulnerabilities: tools such as fpdns still fingerprint the implementation from its
behaviour, so the real control is keeping named patched.
options {
    ...
    version "Not disclosed";
    ...
};

# nslookup
> set class=chaos
> set type=txt
> version.bind
Server:         10.47.1.33
Address:        10.47.1.33#53

version.bind    text = "Not disclosed"
Notes:
The options statement allows you to override the default version information with text of
your own choosing. In the shown example, the version field in the nslookup results now
shows the configured string instead of the real version. Setting version none makes named
refuse the query altogether. The companion CHAOS names hostname.bind and id.server are
controlled by the hostname and server-id options and should be treated the same way.
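The query on both slides, built by hand and checked, as an added Python example that is not part of the course and does not use BIND's code: it assembles the same version.bind TXT CH question that nslookup and dig send, parses a reply, and classifies it as a leak of a real version number, a masked banner, or a refusal. The two replies it decodes are constructed in the block, not captured from a server; query_server() is the only part that touches the network and is not exercised here.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3          # CHAOS: the class version.bind lives in

def encode_name(name):
    """'version.bind' -> b'\\x07version\\x04bind\\x00' (uncompressed wire name)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_version_query(txid=0x1234):
    """Header (QR=0, RD=0, one question) + question version.bind TXT CH:
    the packet `set class=chaos` / `set type=txt` / `version.bind` makes nslookup send."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def _skip_name(msg, off):
    """Advance past a name; a compression pointer (top two bits set) is 2 bytes and ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def parse_txt_answers(msg):
    """TXT strings from the answer section; [] when RCODE is non-zero (REFUSED etc.)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            rd, p = msg[off:off + rdlen], 0
            while p < len(rd):                     # each TXT string is <len><bytes>
                n = rd[p]
                texts.append(rd[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
        off += rdlen
    return texts

def looks_like_version(text):
    """A real BIND banner starts with a dotted number such as 9.4.1 or 9.16.1-Ubuntu."""
    parts = text.split("-")[0].split(".")
    return len(parts) >= 2 and all(p.isdigit() for p in parts)

def assess(response):
    """'leak:<banner>' for a real version, 'masked:<text>' for an override, 'silent' otherwise."""
    texts = parse_txt_answers(response)
    if not texts:
        return "silent"
    if any(looks_like_version(t) for t in texts):
        return "leak:" + texts[0]
    return "masked:" + texts[0]

# ---- constructed replies for the two slides (not captured from a server) ----
def build_txt_response(query, text):
    """Echo the question, answer with one CH TXT record pointing back at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)      # QR=1, AA=1, RCODE=0
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer

def build_refused_response(query):
    """What `version none` (or a view that refuses CH) returns: RCODE 5, no answer."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + query[12:]

def query_server(server, timeout=2.0):
    """Send the real query over UDP/53 and classify the reply (not run in this example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return assess(data)

if __name__ == "__main__":
    q = build_version_query()
    print(assess(build_txt_response(q, "9.4.1")))           # leak:9.4.1
    print(assess(build_txt_response(q, "Not disclosed")))   # masked:Not disclosed
    print(assess(build_refused_response(q)))                # silent
```

query_server("10.47.1.33") against the server on the slides would return "leak:9.4.1" before the options change and "masked:Not disclosed" after it; running it across a server inventory is a quick way to find the resolvers that still answer with a real banner.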
Checkpoint (1 of 2)
IBM Power Systems
1. ... name servers it uses for name resolution.
2. True or False: The named daemon can be started
   automatically with a command line entry in the
   inetd.conf file.
3. True or False: The named daemon must be running on
   every machine participating in the domain environment.
Checkpoint (2 of 2)
IBM Power Systems
5. What is the purpose of the netcd daemon?
Exercise introduction
IBM Power Systems
– Configure a DNS slave server
– Set up rndc
– Add DNS records dynamically using TSIGs
– Configure a domain client
– Use the network caching daemon
Unit summary
IBM Power Systems
• List the types of name servers
• Identify files used with DNS
• Configure a DNS domain
  – Primary, slave servers, clients, sub domains, and split DNS
• Use commands to query domain name servers
• Set up and use the rndc and netcd daemons
• Configure dynamic updates using TSIGs
• Remove BIND version information
What you should be able to do
After completing this unit, you should be able to:
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX
How you will check your progress
• Checkpoint questions
• Lab exercises

Unit objectives
IBM Power Systems
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX
– Static
  • Permanent configuration configured on the actual host. For example: smitty
    mktcpip
  • Typically used for servers and network devices (routers, firewalls, switches,
    and so forth)
– Dynamic
  • Temporary configuration
    – Based on a pre-determined fixed lease time
  • TCP/IP configuration handled through DHCP (Dynamic Host
    Configuration Protocol)
  • Typically used for clients (for example, PCs running Windows, Mac OS,
    Linux)
Notes:
Every host in an IP network needs to be configured with several parameters, including the
IP address, the subnet mask, the default router, the IP addresses of DNS servers, and so
forth. There are basically two ways of supplying these parameters to the host.
When a site uses static configuration, all parameters are configured on the local system
and stored on some sort of local medium. In most cases this is the local hard disk. With
static configuration, every host on a network needs its own IP address, even when the
system is off or not connected to the network at all. Think, for instance, about the situation
where your company has a thousand mobile workers, each with their own laptop, who can
hook up to any network in any of your ten buildings throughout the country. Since you never
know when or where someone is logged in, you need to reserve 10,000 IP addresses, one
thousand for each network, even if a network has only ten connections available. This is a
tremendous waste of IP addresses, and it does not help the user, who has to do some local
configuration every time he connects to another network.
When a site uses dynamic addressing, no IP configuration is stored locally. Instead, when
the system boots up it requests the local configuration from a server. When the system
shuts down, it notifies the server that the configuration is no longer needed and can be
reused. This limits the number of IP addresses that need to be reserved, since only the
systems that are actually in use on a network need an IP address for this network. It also
saves the user from doing a lot of local configuration.
• DHCP
  – Is an extension of BOOTP
  – A DHCP server dynamically assigns TCP/IP configuration to DHCP
    clients.
• TCP/IP supplied configuration can be
  – Dynamic IP addresses from a pool
  – Fixed IP addresses
  – Network options (subnet mask, DNS server, default routers, and so
    forth)
• A client should only receive TCP/IP information from one
  DHCP server.
• There are no DHCP backup servers.
  – Availability can be achieved using PowerHA.
Notes:
BOOTP protocol
BOOTP is usually used during the bootstrap process when a computer is starting up. A
BOOTP configuration server assigns an IP address to each client from a pool of addresses.
BOOTP uses the User Datagram Protocol (UDP) as a transport on IPv4 networks only.
BOOTP has been superseded by DHCP. However, it is still used in AIX today by NIM
servers to provide clients with the location of their boot image from a known IP address.
This is used for BOS installs and booting the system into maintenance mode over the
network.
DHCP protocol
DHCP supports the following types of IP address allocation:
• Dynamic allocation - host is assigned an address from a pool of addresses for a limited
  time lease or until the host relinquishes it.
• Automatic allocation - host is assigned a permanent IP address from the range defined
  by the administrator.
• Manual allocation - host is assigned a static address by the network administrator.
Typically, a DHCP client should only receive offers from a single DHCP server on the
network. If there are multiple DHCP servers, a client will accept the first IP address offered.
That rule is also why an unauthorised DHCP server on the same segment is dangerous: if it
answers first, it can hand clients a malicious default router or DNS server. Switch-side DHCP
snooping, which only accepts DHCPOFFER and DHCPACK messages from trusted ports, is the
usual countermeasure.
There is no backup concept with DHCP. DHCP availability can be achieved by using a
PowerHA solution. A kind of poor man's availability can be achieved by having more than
one DHCP server on a network which will allocate IP addresses in different ranges within
the same subnet.
DHCP is backwards compatible with BOOTP.
Client                                              Server
1  Start-up DHCP
2  DHCPDISCOVER (broadcast to 255.255.255.255)  -->
3                                               <-- DHCPOFFER (TCP/IP configuration)
4  DHCPREQUEST (accept or deny)                 -->
5                                               <-- DHCPACK (acknowledgement; transaction completed)
   Client is now running with its TCP/IP configuration: BOUND state.
6  T1 (50% of the lease time): renew the lease,
   DHCPREQUEST (unicast)                        -->
7                                               <-- DHCPACK
8  Stop DHCP: DHCPRELEASE                       -->  9  IP freed
                                                                          Time
Notes:
The visual shows the exchange of packets that enable a client to obtain a lease on an IP
address.
a. ... 255.255.255.255. This message is received by all DHCP servers and DHCP relays on
   the network. A DHCP relay relays the message as a unicast message to one or
   more DHCP servers. DHCP relay code is typically included in a router, saving you
   from having to put a DHCP server or other special system on each network.
b. All servers check their local configuration to see if they have any IP addresses for
   that network that can be used by this client. Each server that wants to offer a lease
d. The server receives the DHCPREQUEST, stores the client's configuration details,
   and sends a DHCPACK message to the client.
e. After half of the lease period (usually called T1) the client contacts the server with a
   unicast DHCPREQUEST requesting a renewal of the lease. If the server is still
   available and willing, it sends a DHCPACK back to the client, confirming the renewal
   of the lease. The timers are then reset, and the lease period countdown starts
   again. If the server does not react to the unicast DHCPREQUEST (not shown on the
   diagram for clarity), the client waits until T2, which is at 0.875 of the lease
   period. It then sends a broadcast DHCPREQUEST. This broadcast carries the client's
   current address but deliberately no server identifier, so any server that knows the
   lease can extend it. If the client still has no confirmation from a server by the time
   the lease expires, it must stop using the address immediately and start a
   DHCPDISCOVER sequence again to get another IP address, possibly from another server.
f. If the DHCP subsystem on the client stops, the client relinquishes its lease for a
   graceful shutdown and sends the server a DHCPRELEASE message.
Servers do not commit the IP address for the client until they receive the DHCPREQUEST
packet; therefore, it might happen that a server sends multiple DHCPOFFERs to multiple
clients with the same IP address. The first client that actually claims the IP address (with a
DHCPREQUEST) is confirmed with the DHCPACK, and the other clients are refused with a
DHCPNAK message. The client, therefore, can only use an IP address after it has
received the DHCPACK.
• In order to have a client and server on different subnets the
  router must be configured as a DHCP relay.
[Figure: DHCP client --(1. broadcast)--> Cisco router "configured" as a DHCP relay
 --(2. forward as unicast)--> AIX DHCP server]
Notes:
By default, routers do not forward broadcasts. In internetworks, most of the time, a DHCP
server is located on a different network than the majority of its clients.
For DHCP messages to be able to reach the server, the router must be configured with the
IP addresses of the DHCP servers. The router then intercepts DHCP broadcast messages and
forwards them as unicasts to the DHCP server, filling in its own interface address in the
giaddr field so the server knows which subnet to allocate from, hence providing relay
functionality.
A relay is a reachability mechanism, not a security control. It does not hide the server from
its clients: the DHCPOFFER and DHCPACK carry the server identifier option, and the client
unicasts its T1 renewal directly to that address. Treat the relay configuration as a way of
choosing which servers clients can reach, and protect the server itself with the usual host
and network controls.
Network options
IBM Power Systems
• Complete list described in /etc/options.file
• Popular examples:

  Option number   Description
  1               subnet mask
  2               time offset
  3               router
  4               time server
  6               DNS server
  12              hostname
  15              DNS domain name
  33              static routes
Notes:
This visual lists some of the more interesting options a DHCP server can send to a client.
For a complete listing of available options within AIX, refer to /etc/options.file.
Options 3 (router), 6 (DNS server) and 33 (static routes) deserve particular attention:
clients accept them without any authentication, so a rogue or compromised DHCP server
can redirect all of a client's traffic or name resolution through a host it controls.
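The exchange in the visual above and the options table, as an added Python example that is not part of the course: it encodes the DHCPDISCOVER a client broadcasts, decodes a DHCPOFFER (constructed here for the 10.1.3.0 subnet of the course network, with the relay's address in giaddr), pulls out options 1, 3, 6, 12 and 15 together with the lease, message-type and server-identifier options the exchange depends on, and computes the T1/T2 timers. Nothing is sent on the wire; the MAC address, transaction ID and option values are the example's own, chosen to match the slides.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                   # RFC 2131 magic cookie before the options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"          # the 236-byte fixed BOOTP header

def build_discover(mac, xid, hostname=None):
    """Step 2 of the exchange: the client's broadcast DHCPDISCOVER. The broadcast
    flag (0x8000) asks the server to broadcast its reply, because the client has no
    address yet at which to receive a unicast."""
    hw = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack(FIXED, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])                      # option 53: message type DISCOVER
    opts += bytes([55, 5, 1, 3, 6, 12, 15])       # option 55: the options the client wants
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname.encode()
    return fixed + MAGIC + opts + b"\xff"         # option 255: end

def parse_options(raw):
    """Walk the code/length/value options; PAD (0) has no length, END (255) stops."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_reply(msg):
    """Steps 3 and 5: what the client takes from a DHCPOFFER or DHCPACK."""
    (op, _htype, _hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", msg[:28])
    if op != BOOTREPLY or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP reply")
    o = parse_options(msg[240:])
    ip = socket.inet_ntoa
    addrs = lambda code: [ip(o[code][k:k + 4]) for k in range(0, len(o.get(code, b"")), 4)]
    return {
        "type": MSG_TYPES.get(o.get(53, b"\0")[0], "unknown"),
        "xid": xid,
        "your_ip": ip(yiaddr),
        "relay_ip": ip(giaddr),                  # giaddr: filled in by a DHCP relay, else 0.0.0.0
        "server_id": ip(o[54]) if 54 in o else None,  # option 54: where the T1 renewal is unicast
        "subnet_mask": ip(o[1]) if 1 in o else None,   # option 1
        "routers": addrs(3),                     # option 3
        "dns": addrs(6),                         # option 6
        "hostname": o[12].decode() if 12 in o else None,              # option 12
        "domain": o[15].decode().rstrip("\0") if 15 in o else None,   # option 15
        "lease": struct.unpack("!I", o[51])[0] if 51 in o else None,  # option 51, seconds
    }

def renewal_timers(lease_seconds):
    """Step 6: T1 (unicast renew) at 0.5 and T2 (broadcast rebind) at 0.875 of the lease."""
    return {"T1": int(lease_seconds * 0.5), "T2": int(lease_seconds * 0.875)}

def build_offer(xid, your_ip, server_ip, relay_ip="0.0.0.0"):
    """Constructed DHCPOFFER for the course's 10.1.3.0 subnet (not captured traffic)."""
    a = socket.inet_aton
    fixed = struct.pack(FIXED, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        a("0.0.0.0"), a(your_ip), a(server_ip), a(relay_ip),
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 2])                                   # DHCPOFFER
    opts += bytes([54, 4]) + a(server_ip)                      # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", 1800)           # leaseTimeDefault 30 minutes
    opts += bytes([1, 4]) + a("255.255.255.0")
    opts += bytes([3, 4]) + a("10.1.3.1")
    opts += bytes([6, 4]) + a("10.1.1.3")
    opts += bytes([15, len(b"lpar.co.uk")]) + b"lpar.co.uk"
    return fixed + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    xid = 0x3903F326
    discover = build_discover("ea:48:f0:00:e0:08", xid, "an21system")
    offer = decode_reply(build_offer(xid, "10.1.3.40", "10.1.1.2", relay_ip="10.1.3.1"))
    print(len(discover), "byte DISCOVER;", offer, renewal_timers(offer["lease"]))
```

The decoded server_id is the address the client will unicast to at T1, which is why a relay in the path does not keep the server's address from the client. To receive real traffic, bind a UDP socket to port 68 and pass each datagram to decode_reply(); the xid field is how the client matches replies to its own DISCOVER.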
[Figure: three LANs joined by two routers.
 Subnet 10.1.1.0: the AIX DHCP server (10.1.1.2) and the Cisco router (10.1.1.1).
 Subnet 10.1.2.0: the Cisco router (10.1.2.1) and the AIX router (10.1.2.2).
 Subnet 10.1.3.0: the AIX router (10.1.3.1) and the DHCP clients, among them AN21system
 (10.1.3.30) and a host with MAC address ea48f000E008 (10.1.3.40).]
• Server to provide: IP address, subnet mask, default router,
  nameserver address, and domain name
Notes:
The example in the visual shows a network made up of three LANs connected by two
routers, one of which is an AIX system. Each LAN has a number of AIX hosts. The network
administrator wants the hosts on each LAN to be configured with an IP address, subnet
mask, default router, the address of a name server, and the domain name for the network.
The administrator has decided to run a DHCP server on LAN 10.1.1.0 and use a DHCP
relay to forward requests from clients on the other two LANs. Both the AIX and the Cisco
router are configured to pick up DHCP client requests originating in those networks and
forward them to the server located on LAN 10.1.1.0.
All IP addresses for each subnet will be allocated dynamically from a pool except for two
machines in the 10.1.3 subnet. One system, named AN21system, will have a permanent
address assigned from the pool. The other system, with a MAC address of ea48f000E008,
will be assigned a static address outside of the dynamic pool range.
# /etc/dhcpsd.cnf   AIX server DHCP configuration file
numLogFiles          4
logFileSize          100
logFileName          /tmp/dhcpsd.log
logItem              SYSERR
logItem              OBJERR
leaseTimeDefault     30 minutes
leaseExpireInterval  3 minutes
Notes:
The first part of the server configuration file specifies the logging options as follows:
numLogFiles (how many rotated log files to keep), logFileSize (the size at which a log
file is rotated), logFileName (where to write) and one logItem line per class of event to
record. Writing the log into a world-writable directory such as /tmp lets any local user
pre-create or replace the file; a directory owned by root is the safer choice.
network 10.0.0.0 24
{
    option 1  255.255.255.0                 # Subnet mask
    option 6  10.1.1.3                      # Name server
    option 15 lpar.co.uk                    # Domain
    subnet 10.1.1.0 10.1.1.10-10.1.1.254    # subnet: dynamic pool range
    {
        option 3 10.1.1.1                   # Default router
    }
    subnet 10.1.2.0 10.1.2.10-10.1.2.254    # subnet: dynamic pool range
    {
        option 3 10.1.2.1                   # Default router
    }
    subnet 10.1.3.0 10.1.3.10-10.1.3.30     # subnet: dynamic pool range
    {
        option 3 10.1.3.1                   # Default router
        client 1 ea48f000E008 10.1.3.30     # Allocate fixed IP from the pool to MAC address (ea48f000E008)
        client 0 an21system 10.1.3.40       # Allocate fixed IP from outside the pool to hostname (an21system)
    }
}
Notes:
• network: Specifies the dotted decimal notation address for a network administered by
  this server. Optionally, the address can be followed by the subnet mask or a range of
  addresses administered by this server. Options particular to the network can also be
  specified within curly braces following the network statement. (Note that the subnet
  mask can be specified either in the traditional notation, for example, 255.255.255.0, or
  as the number of bits in the mask, for example, 24. The latter method is used in the
  example.)
• subnet: Specifies a subnet administered by this server, optionally followed by a range of
  addresses in this subnet which are to be administered. As with the network statement,
  options for the subnet can be specified within curly braces following the subnet
  statement.
• class: Specifies the ASCII string name of a class. A class can be used to designate
  particular types of systems, for example, a print server or a Windows client. When the
  DHCP client sends requests to the server, it might include its class name in order to
  cause the server to provide particular types of options. The class might be further
  defined by the range of addresses that are given to clients which request the class.
  Options particular to the class can also be specified following the statement in curly
  braces.
• client: Specifies elements particular to a client. Elements which can be defined include
  id type (0 represents a hostname and 1 a MAC address), id value (hardware address
  for the RFC 1340 hardware ID types or a character string for id type 0), and address.
  Options particular to this client can also be specified as with network, subnet, and
  class. If manual allocation is used for a client, a specific address is entered for the client
  in this field, as the two client statements in the 10.1.3.0 subnet do. Neither identifier
  is authenticated: a MAC address or host name is whatever the client chooses to send, so
  a fixed assignment is a convenience, not proof that the address belongs to a particular
  machine.
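A check a practitioner would run over the stanzas just described, as an added Python example that is not part of the course or of AIX: it parses the network, subnet, option and client lines of the dhcpsd.cnf above (reproduced inline from the slide as constructed input), reports for each fixed client address whether it lies inside the subnet's dynamic pool, outside it, or outside the subnet altogether, and validates the identifier syntax for id types 0 and 1. Only the subset of the dhcpsd.cnf grammar the slide uses is handled; class stanzas and the other keywords are not parsed.

```python
import ipaddress
import re

# Reproduced from the slide above (constructed input, comments trimmed).
SAMPLE_CNF = """\
network 10.0.0.0 24
{
    option 1  255.255.255.0            # Subnet mask
    option 6  10.1.1.3                 # Name server
    option 15 lpar.co.uk               # Domain
    subnet 10.1.1.0 10.1.1.10-10.1.1.254
    {
        option 3 10.1.1.1
    }
    subnet 10.1.2.0 10.1.2.10-10.1.2.254
    {
        option 3 10.1.2.1
    }
    subnet 10.1.3.0 10.1.3.10-10.1.3.30
    {
        option 3 10.1.3.1
        client 1 ea48f000E008 10.1.3.30
        client 0 an21system 10.1.3.40
    }
}
"""

def _prefixlen(mask_word):
    """'24' or '255.255.255.0' -> 24 (both forms are allowed after network)."""
    if "." in mask_word:
        return ipaddress.ip_network(f"0.0.0.0/{mask_word}").prefixlen
    return int(mask_word)

def parse_dhcpsd(text):
    """Subset parser: network / subnet <net> <lo>-<hi> / option / client lines.
    Returns one dict per subnet; subnet options are merged over network options."""
    subnets, network_opts, current, bits = [], {}, None, 24
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "}":                   # end of a subnet (or of the network) block
            current = None
            continue
        if not line or line == "{":
            continue
        words = line.split()
        kw = words[0]
        if kw == "network":
            bits = _prefixlen(words[2]) if len(words) > 2 else 24
            current = None
        elif kw == "subnet":
            pool = None
            if len(words) > 2 and "-" in words[2]:
                lo, hi = words[2].split("-", 1)
                pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            current = {"network": ipaddress.ip_network(f"{words[1]}/{bits}"),
                       "pool": pool, "options": dict(network_opts), "clients": []}
            subnets.append(current)
        elif kw == "option":
            target = current["options"] if current is not None else network_opts
            target[int(words[1])] = words[2]
        elif kw == "client" and current is not None:
            current["clients"].append({"id_type": int(words[1]), "id": words[2],
                                       "address": ipaddress.ip_address(words[3])})
    return subnets

def check_clients(subnets):
    """(id_type, id, address, placement) for every fixed client address."""
    findings = []
    for sn in subnets:
        for c in sn["clients"]:
            addr = c["address"]
            if addr not in sn["network"]:
                where = "OUTSIDE SUBNET"             # can never be used on that LAN
            elif sn["pool"] and sn["pool"][0] <= addr <= sn["pool"][1]:
                where = "in pool"
            else:
                where = "outside pool"
            findings.append((c["id_type"], c["id"], str(addr), where))
    return findings

def validate_client_ids(subnets):
    """id type 1 must be 12 hex digits (a MAC address), id type 0 a DNS label."""
    bad = []
    for sn in subnets:
        for c in sn["clients"]:
            ok = (re.fullmatch(r"[0-9A-Fa-f]{12}", c["id"]) if c["id_type"] == 1
                  else re.fullmatch(r"[A-Za-z0-9-]{1,63}", c["id"]))
            if not ok:
                bad.append(c["id"])
    return bad

if __name__ == "__main__":
    subs = parse_dhcpsd(SAMPLE_CNF)
    for finding in check_clients(subs):
        print(finding)
    print("bad ids:", validate_client_ids(subs))
```

Run against the real /etc/dhcpsd.cnf before restarting dhcpsd; an "OUTSIDE SUBNET" finding means the client statement was pasted into the wrong subnet block, and a malformed MAC in an id type 1 line will simply never match the host it was meant for.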
AIX:
  # /etc/dhcpcd.ini   AIX client DHCP configuration file
  numLogFiles   4
  logFileSize   100
  logFileName   /tmp/dhcpcd.log
  logItem       SYSERR
  logItem       OBJERR
  interface     en0
Windows:
  [Figure: the Windows Internet Protocol (TCP/IP) Properties dialog]
Notes:
On AIX, the client configuration file must contain the interfaces which are required to be
configured via DHCP. The logging statements are the same as on the server.
On Windows platforms, the client is set to use DHCP by selecting Control Panel >
Network Connections, then selecting the network adapter and clicking Properties >
Internet Protocol > Properties, and then choosing the settings shown in the visual above.
• AIX router
  # /etc/dhcprd.cnf   AIX relay DHCP configuration file
  numLogFiles   4
  logFileSize   100
  logFileName   /tmp/dhcprelay.log
  logItem       SYSERR
  server        10.1.1.2

• Cisco router DHCP relay
  # Example (subset) CISCO router DHCP relay configuration
  interface Ethernet1
   ip address 10.1.2.1 255.255.255.0
   ip helper-address 10.1.1.2
   duplex auto
   speed auto
  !
Notes:
For DHCP messages to be able to reach the server, routers must be configured to intercept
DHCP broadcast messages and forward them as unicasts to the DHCP server, hence
providing relay functionality.
On AIX, this is done via the server statement in the /etc/dhcprd.cnf file.
On Cisco routers, within the definition of the interface statement, the IP helper address
names the DHCP server to forward to. Note that ip helper-address forwards more than DHCP:
by default it also relays broadcasts for TFTP, DNS, time, TACACS and the NetBIOS name and
datagram services (UDP 69, 53, 37, 49, 137 and 138), so switch off the ones you do not need
with no ip forward-protocol udp <port>.
• Server
  – Manual start: startsrc -s dhcpsd
  – Start now and at system restart: chrctcp -S -a dhcpsd
  – Manual stop: stopsrc -s dhcpsd
  – Stop now and at system restart: chrctcp -S -d dhcpsd
• Client
  – Manual start: startsrc -s dhcpcd
  – Start now and at system restart: chrctcp -S -a dhcpcd
  – Manual stop: stopsrc -s dhcpcd
  – Stop now and at system restart: chrctcp -S -d dhcpcd
• Relay
  – Manual start: startsrc -s dhcprd
  – Start now and at system restart: chrctcp -S -a dhcprd
  – Manual stop: stopsrc -s dhcprd
  – Stop now and at system restart: chrctcp -S -d dhcprd
Notes:
DHCP control on AIX is handled through SRC. Daemons can be started at boot time by
uncommenting the appropriate statements in the /etc/rc.tcpip file. This can be done with
chrctcp -S -a <daemon>, as shown in the visual, which also starts the daemon immediately.
# lssrc -ls dhcpsd
Log File:                   /tmp/dhcpsd.log
Log Level:                  0x806
Client Expire Interval:     3600
Reserve Expire Interval:    900
Bad Addr Reclaim Interval:  4294967295
Database Save Interval:     3600

IP Address       Status    Duration  Time Stamp    Client ID
---------------  --------  --------  ------------  --------------
10.1.1.41        Leased    1800      Jun 6 18:02   1-ea48f000e009
10.1.1.42        Free
10.1.1.43        Free
10.1.1.44        Released  1800      Jun 6 18:02   1-ea48f000e008
10.1.1.45        Free
10.1.1.46        Leased    1800      Jun 8 13:06   0-an21system
10.1.1.47        Free
Notes:
In order to list the current status of IP assignment on the server, use the lssrc -ls dhcpsd
command. In addition to this, the dadmin command can also be used to query the server.
For example, dadmin -s produces output similar to that shown on the visual.
Additionally, the server records the current IP assignment (held in an internal database) in
the file /etc/db_file.cr. The server also maintains a checkpoint file,
/etc/db_file.chkpt. If the server crashes or you have to shut down and cannot do a
normal closing of the database, the server can process the checkpoint and database files
to reconstruct a valid database.
The Client ID column shows the id type followed by the identifier (1-<MAC address> or
0-<hostname>), the same convention the client statement in dhcpsd.cnf uses.
# lssrc -ls dhcpcd
LogFileName:  /tmp/dhcpcd.log
Logging:      ENABLED
Tracing:      NOT ACTIVE

Interface  IP Address  Duration  Start       End
en0        10.1.1.46   1800      1244463676  1244465476

Subsystem  Group  PID     Status
dhcpcd     tcpip  397508  active
Notes:
In order to list the current status of IP assignment on the client, use the lssrc -ls dhcpcd
command. Start and End are seconds since the epoch; End minus Start equals the Duration
(1800 seconds, the 30 minute leaseTimeDefault from the server configuration), and the
client attempts its unicast renewal halfway through, at Start + 900.
... to be resolvable.
  – Solution: Dynamic DNS updates
The preferred solution
[Figure: left, lease assignment: (1) the DHCP server hands IP information to the DHCP
 client, then (2) sends a dynamic DNS update to the DNS server adding the PTR and A
 records. Right, lease expiration: (1) the DHCP client's lease expires on the DHCP server,
 which (2) sends a dynamic DNS update to the DNS server removing the PTR and A records.]
Notes:
Networking and the explosive growth of the Internet have led to IP address assignment
becoming much more dynamic. Most client hosts get their addresses and network-specific
information via DHCP. However, without name resolution, connections to hosts and
applications simply will not work. The solution is dynamic DNS (DDNS).
By default, in the dynamic DNS process, the DHCP server owns the IP address which it
allocates to the DHCP client and therefore is responsible for updating the PTR record in
the reverse zone. Typically, the DHCP client owns its host name and is responsible for
updating the A record in the forward zone. However, the DHCP server (or the client) can
also update both the A and the PTR records. This is known as DDNS proxy behavior, and
it is the preferred solution. Why? Simply from a security perspective, DNS servers should
accept dynamic updates from as few hosts as possible, and generally this is limited to the
DHCP server only, authenticated with a TSIG key (the allow-update { key ddns-key; } in
the internal view shown earlier). This also avoids problems with Windows platforms, whose
DHCP clients do not support transaction signatures.
numLogFiles   4
logFileSize   100
logFileName   /tmp/dhcpcd.log
logItem       SYSERR
logItem       OBJERR
interface en0
{
    option 12 "the_client_hostname"
}
Notes:
The first step in configuring dynamic update is to assign a host name or IP label to the
interface. On AIX, this is done through the option 12 statement as shown.
If there are multiple interface stanzas specifying option 12, then the first option string is
# /etc/dhcpsd.cnf   AIX server DHCP configuration file
updateDNS "/usr/sbin/dhcpaction9 '%s' '%s' '%s' '%s' >> /tmp/updns.out 2>&1 "
removeDNS "/usr/sbin/dhcpremove9 '%s' >> /tmp/rmdns.out 2>&1 "

• updateDNS provides four positional parameters:
  – Host name, domain name, IP address, lease time
• removeDNS provides one parameter:
  – IP address
• AIX provides two scripts: dhcpaction8 and dhcpremove8
  – Copy scripts and modify to change each nsupdate8 to nsupdate9
  – Modify nsupdate9 invocations for TSIG if using security
Notes:
The second step is to uncomment the updateDNS and removeDNS lines in the DHCP server configuration file.
The format of the updateDNS directive is: updateDNS string, where string is the script to be called followed by four %s's to indicate the placement of the provided positional parameters. Those positional parameters are: host name, domain name, IP address, lease time.
The format of the removeDNS directive is: removeDNS string, where string is the script to be called followed by one %s to indicate the placement of the IP address.
By default, IBM provides two wrapper scripts around nsupdate8: dhcpaction8 (add) and dhcpremove8 (delete). They are specifically designed to be used as the scripts in these directives. For BIND 9, the scripts need to be copied (under the new names dhcpaction9 and dhcpremove9) and modified to use nsupdate9. If the name server requires authenticated updates, the nsupdate invocations also need to provide the needed TSIG information.
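As an added example (not IBM's dhcpaction8/dhcpremove8 scripts and not course material), the following shell functions generate the nsupdate input that a TSIG-aware replacement for those wrappers would feed to nsupdate. They take the same positional parameters that updateDNS and removeDNS pass: host name, domain name, IP address and lease time for the add, and the IP address alone for the remove. The name server name, the assumption of /24 reverse zones, the use of the lease time as the record TTL and the key file path are all assumptions. The TSIG secret is deliberately kept out of the script: nsupdate -y puts the key on the command line where any local user can read it with ps, so the real invocation should use -k with a key file readable only by the DHCP server's account.

```shell
#!/bin/sh
# Added example (not from the course): build nsupdate input for DDNS updates
# driven by the AIX DHCP server's updateDNS/removeDNS hooks.
# Assumptions: name server name, /24 reverse zones, lease time used as TTL,
# TSIG key file path. Nothing here contacts a server; pipe the output into
# nsupdate -k on a real system.

DDNS_SERVER="ns1.example.com"          # assumption
TSIG_KEYFILE="/etc/dhcp/ddns.key"      # assumption; mode 0600, owned by the dhcpsd user

# reverse_name IP -> PTR owner name, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa.
reverse_name() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# reverse_zone IP -> the /24 reverse zone, e.g. 2.0.192.in-addr.arpa.
# (assumes the reverse zone is delegated on a /24 boundary)
reverse_zone() {
    ptr=$(reverse_name "$1")
    printf '%s\n' "${ptr#*.}"
}

# ddns_add HOSTNAME DOMAIN IP LEASE
# Same four positional parameters as updateDNS. Deletes any stale A and PTR
# before adding, so a reissued lease cannot leave two answers behind.
ddns_add() {
    fqdn="$1.$2."
    ip=$3
    ttl=$4
    ptr=$(reverse_name "$ip")
    cat <<EOF
server $DDNS_SERVER
zone $2.
update delete $fqdn A
update add $fqdn $ttl A $ip
send
zone $(reverse_zone "$ip")
update delete $ptr PTR
update add $ptr $ttl PTR $fqdn
send
EOF
}

# ddns_remove IP
# Same single parameter as removeDNS. The server owns the address, so it can
# always retract the PTR; removing the A record would first require resolving
# the PTR to learn the name, which is left out here.
ddns_remove() {
    ptr=$(reverse_name "$1")
    cat <<EOF
server $DDNS_SERVER
zone $(reverse_zone "$1")
update delete $ptr PTR
send
EOF
}

# How the hooks would call it on a real server (key stays in the file, not in ps):
#   ddns_add    "$1" "$2" "$3" "$4" | nsupdate -k "$TSIG_KEYFILE"
#   ddns_remove "$1"                | nsupdate -k "$TSIG_KEYFILE"

# Stand-alone demonstration with constructed sample values:
ddns_add client1 example.com 192.0.2.10 3600
ddns_remove 192.0.2.10
```

The two `send` commands in the add stream matter: the A and PTR records live in different zones, and nsupdate sends one zone's updates per `send`, so a single batch would be rejected by the server.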
Checkpoint (1 of 2)
IBM Power Systems
2. A (blank) forwards DHCP requests to another network.
3. Which file contains a list of all the DHCP network options?
Checkpoint (2 of 2)
IBM Power Systems
5. Put the following DHCP messages in the correct order:
• DHCPACK
• DHCPREQUEST
• DHCPRELEASE
• DHCPDISCOVER
• DHCPOFFER
Exercise introduction
IBM Power Systems
Unit summary
IBM Power Systems
• Discuss the DHCP functions and features
• Configure a DHCP network on AIX
What you should be able to do
After completing this unit, you should be able to:
• Define NFS terminology and concepts including:
  - Identify the NFS daemons and their roles
  - Describe NFS client server interaction and authorization methods
• Configure and manage NFS, including:
  - Stop and start NFS
  - Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Unit 10. Network File System 10-1
Unit objectives
IBM Power Systems
• Define NFS terminology and concepts, including:
  – Identify the NFS daemons and their roles
  – Describe NFS client server interaction and authorization methods
• Configure and manage NFS, including:
  – Stop and start NFS
  – Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
  – Configure an NFSv4 domain and pseudo-root file system
  – Extend the pseudo-root file system using alias tree extensions
  – Configure NFSv4 features: referrals, replication, and delegation
  – Configure NFSv3 and v4 side-by-side
• Identify NFSv4 security mechanisms
• Identify the NFS daemons and their roles
• Understand NFS client server interaction
• Describe NFS authorization methods
• Stop and start NFS
• Configure an NFS server
• Configure an NFS client
• Understand the role of the automounter
• Configure the automount subsystem
• Based on a client/server model using RPCs
• Filesets:
  – Server: bos.net.nfs.server
  – Client: bos.net.nfs.client

Figure: nfs_server exports /data and /home; client1 and client2 mount them.
Notes:
Overview
Network File System (NFS) is a facility for sharing files in a heterogeneous environment of machines, operating systems, and networks. The NFS function is built into the kernel of the
In order to access such files, two things must happen. First, the remote system must make the files available to other systems on the network. Second, these files must be mounted on the local system to be able to access them. The mounting process makes the remote files appear as if they are resident on the local system. The system that makes its files available to others on the network is called a server, and the system that uses a remote file is called a client.
NFS is implemented as a set of Remote Procedure Calls (RPC) issued by the client.
Remote Procedure Call (RPC) -- backbone of NFS
RPC is a library of procedures. The procedures allow the client process to direct the server
process to execute procedure calls as if the client process had executed the calls in its own
address space. Since the client and the server are two separate processes, they need not
exist on the same physical system. Because the server and client processes can reside on
two different systems which might have completely different architectures, RPC must
address the possibility that the two systems might not represent data in the same format.
So RPC uses data types defined by the eXternal Data Representation (XDR) protocol.
• Stateless
  – Server does not remember anything about transactions
  – All of the information that the client needs is kept on the client
  – No system recovery procedures
• Locking
  – NFS supports advisory locking as requested by applications, for example, fcntl() and lockf() library routines
  – Uses a separate RPC protocol and two daemons, rpc.lockd and rpc.statd
    • Optional, but started by default
  – Implemented on both the client and server
  – File locking is stateful
Notes:
NFS uses a stateless protocol. Each remote procedure call contains all of the information necessary to complete the call, and the server does not keep track of any past requests. Clients must maintain all of this information. They are not notified if the server is down. This avoids complex crash recovery: a request is simply sent again until it gets through.
Note: Both NFS v2 and v3 operate over the User Datagram Protocol (UDP) and the Transmission Control Protocol (TCP). NFS v3 uses TCP by default. NFS v4 only uses TCP.
Locking
The network lock manager is a facility that works in cooperation with NFS to provide a System V style of advisory file and record locking over the network.
The network lock manager (rpc.lockd) and the network status monitor (rpc.statd) are network-service daemons. The rpc.statd daemon is a user level process while the rpc.lockd daemon is implemented as a set of kernel threads (similar to the NFS server). Both daemons are essential to the ability of the kernel to provide fundamental network services.
Note: Mandatory or enforced locks are not supported over NFS. Network Lock Manager is
specific to NFS Version 2 and Version 3.
Figure: NFS mount and I/O flow between client and server. The client's mount request first calls the server's portmap, which returns the rpc.mountd port number; the file system mount request then goes to rpc.mountd, which checks permissions against /etc/xtab and answers OK or denied. Subsequent read/write requests pass from the client kernel's biod threads to the server's nfsd kernel threads, which serve data from the buffer cache.
Notes:
Mounting process
The mountd is a server daemon that answers a client's request to mount a server's exported file system or directory. The mountd daemon finds out which file systems are available by reading the /etc/xtab file. The mount process takes place as shown in the visual.
a. Client mount makes a call to the server's portmap daemon to find the port number assigned to the rpc.mountd daemon.
b. The portmap passes the port number to the client.
c. Client mount then contacts the server rpc.mountd daemon directly and passes the
I/O Requests
When a thread in a client system attempts to read or write a file in an NFS-mounted directory, the request is redirected from the usual I/O mechanism to one of the client's biod threads. The biod thread sends the request to the appropriate server, where it is assigned to one of the server's NFS threads (nfsd thread). While that request is being processed, neither the biod nor the nfsd thread involved does any other work.
The nfsd and biod daemons are both multithreaded, which means there are multiple kernel threads within a process. Also, the daemons are self-tuning in that they create or delete threads as needed based on the amount of NFS activity.
The biod daemon
The biod daemon is the block input/output daemon and is required in order to perform read-ahead and write-behind requests as well as directory reads and bringing data over in chunks (NFS v3 defaults to 32 KB). The biod daemon threads improve NFS performance by filling or emptying the buffer cache on behalf of the NFS client applications. When a user on a client system wants to read from or write to a file on a server, the biod threads send the requests to the server. Many operations, such as mkdir, rmdir, symlink, and fsstat, are sent directly to the server from the operating system's NFS client kernel extension and do not require the use of the biod daemon.
The maximum number of biod threads can be controlled by: # mount -o biods=n where n is the number of threads specified. The default is four biod threads per mount point.
The nfsd daemon
The nfsd is a server daemon that handles client requests for file system operations. Each nfsd handles one request at a time. The receipt of any one NFS protocol request from a client requires the dedicated attention of an nfsd daemon until that request is satisfied, and the results of the request processing are sent back to the client. The nfsd daemons are the active agents providing NFS services. Threads are dynamically created and are limited by the number specified in the startup file /etc/rc.nfs or nfso settings.
The portmap daemon
The portmap daemon converts RPC program numbers into Internet port numbers. When an RPC server starts up, it registers with the portmap daemon. The server tells the daemon which port number it is listening on and which RPC program numbers it serves. By this process, the portmap daemon knows the location of every registered port used by RPC servers on the host, and which programs are available on each of these ports. When mounting, the mount request starts with an RPC call named GETPORT that calls the portmap, which in turn informs the client of the port number that the called RPC server listens to. After this, the port number is used as the reference for further communication. This is why the NFS daemons must be registered with the portmap daemon.
A client will only consult the portmap daemon once for each program the client tries to call. The portmap daemon tells the client which port to send the call to. The client stores this information for future reference. As standard RPC servers are normally started by the inetd daemon, the portmap daemon must be started before the inetd daemon is invoked.
Authorization methods
IBM Power Systems
• Standard UNIX authorization based on the UID and GID of the user
  – Ideally there should be a mechanism in place to ensure all users have the same credentials, for example, LDAP.
  – The client root user by default is mapped to user nobody.
• Extended file permissions: Access control lists (ACLs)
  – NFSv3 (and v4) supports AIX ACLs (type AIXC)
    • AIX client support only
  – NFSv4 supports NFSv4 ACLs (type NFS4)
    • Operating system independent (includes Windows)

Example: AIX ACL

    attributes: SUID
    base permissions:
        owner (frank):  rw-
        group (system): r-x
        others:         ---
    extended permissions:
        enabled
        permit   rw-   u:dhs
        deny     r--   u:chas, g:system
        specify  r--   u:john, g:gateway, g:mail
Notes:
When deciding which user authorization method to implement, think about your requirements for controlling access to data. Do you have simple or complex data access requirements?
Standard UNIX permissions enable you to control access to only three identities: the owning user, the owning group, and everyone else. If that is not sufficient to meet your access control requirements, then you should choose one of the ACL options. For example, if you have data where you need one group to have write access, one or more other groups to have read-only access, and everyone else to have no access at all, you will
You should not use AIX ACLs if you have non-AIX NFS clients that must be able to
manipulate ACLs for data on your NFS server. AIXC ACLs are only supported in AIX.
AIXC ACLs are supported on both NFS V3 and NFS V4 AIX clients. To be able to see and
modify AIXC ACLs from an NFS client, you must mount your file systems with the acl
option (noacl is the default).
For more information regarding ACLs, see the AIX Version 6.1 Security Guide.
• Server configuration
  Start NFS (now and system restart):  /usr/sbin/mknfs -B
  Stop NFS:                            /usr/sbin/rmnfs -N

  After start:
    # lssrc -g nfs
    Subsystem         Group            PID          Status
     biod             nfs              209010       active
     nfsd             nfs              249988       active
     rpc.mountd       nfs              319652       active
     rpc.statd        nfs              311458       active
     rpc.lockd        nfs              323774       active
     nfsrgyd          nfs                           inoperative
     gssd             nfs                           inoperative

  After stop:
    # lssrc -g nfs
    Subsystem         Group            PID          Status
     biod             nfs                           inoperative
     nfsd             nfs                           inoperative
     rpc.mountd       nfs                           inoperative
     rpc.statd        nfs                           inoperative
     rpc.lockd        nfs                           inoperative
     nfsrgyd          nfs                           inoperative
     gssd             nfs                           inoperative

• Start up
    # cat /etc/inittab
    ....
    rctcpip:23456789:wait:/etc/rc.tcpip     Starts daemons
    rcnfs:23456789:wait:/etc/rc.nfs         Exports filesystems
    ....
Notes:
The mknfs command configures the system to run the NFS daemons. The mknfs command accepts the following flags:
• -B: Adds an entry to the inittab file to execute the /etc/rc.nfs file on system restart and executes the /etc/rc.nfs file immediately to start the NFS daemons.
• -I: Adds an entry to the inittab file to execute the /etc/rc.nfs file on system restart.
• -N: Starts the /etc/rc.nfs file to start the NFS daemons immediately. When started this way, the daemons run until the next system restart.
When NFS is started the following daemons are invoked:
• The biod daemon runs on all NFS client systems. When a user on a client wants to read or write to a file on a server, the biod daemon sends this request to the server. The biod daemon is activated during system startup and runs continuously.
• The nfsd daemon runs on the server and handles client requests for file system operations.
• The rpc.mountd daemon answers client requests to mount file systems. The mountd daemon finds out which file systems are available by reading the /etc/xtab file. The /etc/xtab file is created when file systems are exported on the server. This process is covered in the next visual.
• The rpc.statd and rpc.lockd daemons work together to maintain stateful locking. NFS implements an advisory locking mechanism, meaning if a program is ill-behaved and does not pay any attention to the locking messages it receives, it can go ahead and access the file. In the event of a server crash, the locking information will be recovered. The status monitor maintains information on the location of connections as well as the status in the /etc/sm directory, the /etc/sm.bak file, and the /etc/state file. When restarted, the statd daemon queries these files and tries to reestablish the connection it had prior to termination.
The rmnfs command changes the configuration of the system to stop running NFS daemons. It accepts the same flags as mknfs.
• To export directories:

    nfs_server # vi /etc/exports
    /home
    /usr/man -ro
    /data -root=kenny:kyle,access=kenny:kyle:eric,rw=kenny:kyle

    nfs_server # exportfs -va
    Exported /usr/man
    Exported /data
    Exported /home

  exportfs writes the exported entries to /etc/xtab, which is the input read by rpc.mountd.
Notes:
• The permissions (for example, read-write, read-only) clients will have when accessing the files
Only when the NFS subsystem is activated, using the mknfs command, can directories be made available. When the /etc/exports file has been configured, the exportfs command is used to make the directories available for client mounting. The exportfs -a command exports all items listed in the /etc/exports file and automatically copies the entries to the /etc/xtab file. /etc/xtab file entries are used by the system and always reflect what is currently exported. This leaves the /etc/exports file available for updating at any time. The /etc/xtab file must never be edited directly.
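The access decisions described in the authorization notes above (which hosts may mount, which may write, and whether a client's root is squashed to nobody or kept by root=) are all encoded in /etc/exports, so they can be audited from the file. The following shell function is an added example, not an IBM tool or course material: it reads an /etc/exports in the format shown in the visual and prints each export's effective write list, mount list and root list, flagging exports that any host can mount read-write and exports that keep root for some clients. The sample file is constructed inline from the three entries in the visual; the option names it understands (ro, rw=, access=, root=) are the ones shown on this page, and anything else is ignored.

```shell
#!/bin/sh
# Added example (not from the course): audit an AIX-style /etc/exports for
# who can mount, who can write, and which clients keep root.
# Only the options used on this page are interpreted: ro, rw=, access=, root=.

# Constructed sample, copied from the visual; on a real server pass /etc/exports.
sample_exports() {
    cat <<'EOF'
# comment lines and blank lines are skipped

/home
/usr/man -ro
/data -root=kenny:kyle,access=kenny:kyle:eric,rw=kenny:kyle
EOF
}

# audit_exports FILE   ("-" reads standard input)
# One line per export: path, write=<who>, mount=<who>, root=<who>, then flags.
#   write: all-clients (default rw), nobody (ro), or the rw= host list
#   mount: everyone (no access= list) or the access= host list
#   root:  none (client root squashed to nobody) or the root= host list
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }
    {
        path = $1; write = "all-clients"; mount = "everyone"; root = "none"
        if (NF > 1) {
            opts = $2; sub(/^-/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "ro")            { write = "nobody" }
                else if (o[i] ~ /^rw=/)      { write = substr(o[i], 4) }
                else if (o[i] ~ /^access=/)  { mount = substr(o[i], 8) }
                else if (o[i] ~ /^root=/)    { root  = substr(o[i], 6) }
            }
        }
        flags = ""
        if (mount == "everyone" && write == "all-clients") flags = flags " WARN:any-host-may-mount-rw"
        if (root != "none")                                 flags = flags " NOTE:root-kept-for:" root
        printf "%s write=%s mount=%s root=%s%s\n", path, write, mount, root, flags
    }' "$1"
}

# Convenience wrapper over the constructed sample.
audit_sample_exports() {
    sample_exports | audit_exports -
}

audit_sample_exports
```

Run against the real file with `audit_exports /etc/exports`; an export that is flagged on both counts (any host may mount read-write and root is kept) is the one to fix first, since a client's root user then acts as root on the server's files.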
    [TOP]                                                   [Entry Fields]
    * Pathname of directory to export                      [/data]            /
      Anonymous UID                                        [-2]
      Public filesystem?                                    no                +
    * Export directory now, system restart or both          both              +
      Pathname of alternate exports file                   []
      Allow access by NFS versions                         []                 +
    * Security method 1                                    [sys]              +
    * Mode to export directory                              read-mostly       +
      Hostname list. If exported read-mostly               [kenny]
      Hosts & netgroups allowed client access              [kyle]
      Hosts allowed root access                            [eric]

Note:
  – Version 4 specific fields have been removed
  – There are five security stanzas. Each method can have different properties.
Notes:
The operation shown in the visual populates the /etc/exports file and invokes the exportfs command to make the file system available for mounting. Allowing access by
    /exports -sec=sys,rw=kenny,access=kyle,root=eric
If not using SMIT, the command for updating /etc/exports (and optionally generating a new /etc/xtab) is the mknfsexp command. See the man page for more details.
Note: The option Public filesystems? field was added at AIX version 4.2.1 to support an
NFS (versions 2 and 3) extension called WebNFS. WebNFS provides for NFS over a Web
browser via a URL (for example, nfs://<server>/<nfs_public_dir>). This functionality is
rarely (if ever) used. AIX clients do not support the mounting of public exports and the
default option should always be left as no.
    nfs_client # showmount -e nfs_server
    export list for nfs_server:
    /usr/man (everyone)
    /data    kenny,kyle,eric
    /home    (everyone)

• Mounting an NFS server directory:

    nfs_client # mkdir /data_client_mnt
    nfs_client # mount nfs_server:/data /data_client_mnt
    nfs_client # df /data_client_mnt
    Filesystem         512-blocks    Free %Used  Iused %Iused Mounted on
    nfs_server:/data       278528  212920   24%   1317     6% /data_client_mnt

• Predefined mounts can also be defined using smit mknfsmnt
Notes:
The showmount command is useful for viewing which directories are available for mounting on a particular NFS server (v2 and v3 only). Because it simply queries rpc.mountd, any host that can reach the server can list the exports and their host access lists in the same way, so treat that information as visible to the network. To mount an NFS directory, first create a mount point directory, and then issue the mount command as shown in the visual.
– smit mknfsmnt

    Add a File System for Mounting
                                                                 [Entry Fields]
    * Pathname of mount point                                    [/data_client_mnt]  /
    * Pathname of remote directory                               [/data]
    * Host where remote directory resides                        [nfs_server]
    * Security method                                            [sys]               +
    * Mount now, add entry to /etc/filesystems or both?           Both               +
    * /etc/filesystems entry will mount the directory             no                 +
      on system restart.
    * Mode for this NFS file system                               read-write         +
    * Attempt mount in foreground or background                   background         +
    * Mount file system soft or hard                              hard               +

    Note: Many options removed for clarity.

    Resulting /etc/filesystems stanza:
    /data_client_mnt:
            dev       = "/data"
            vfs       = nfs
            nodename  = nfs_server
            mount     = false
            options   = bg,hard,intr,sec=sys
            account   = false
Notes:
Predefined mounts are NFS mounts which are defined in /etc/filesystems for ease of use when manually mounting or to enable remote file systems to be mounted during
to UNIX, DES, Kerberos 5, Kerberos 5 with integrity, and Kerberos 5 with privacy. The default NFS security used in most implementations is standard UNIX (sys). The other methods are used in special situations where authentication and encryption are required. These methods are supported by a new version of NFS (NFS version 4). NFS v4 is not the default version used in AIX and is a fairly complex topic. The next section will cover some of the highlights of using NFSv4.
• Mode: Read-write or read-only.
• Attempt mount in: Values are background (default) or foreground. If the attempt to
mount the directory fails, the mount will be retried in the background. If foreground is
selected the mount request stays in the foreground even if the mount request fails.
• Mount type: Values are hard or soft. If the mount is soft, the system returns an error if
the server does not respond. If the mount is hard, the client continues trying until the
server responds. The hard mount is the default. When a hard mount is selected an
extra option (intr) is included in /etc/filesystems. The intr option allows signals to
interrupt an NFS call. This is useful for aborting an NFS mount process when the server
does not respond.
Automount overview
IBM Power Systems
the number of active mounts.
• Uses automount map files to find the mount directories and mount arguments
• Three types of map files:
  – Direct (absolute paths)
  – Indirect (relative paths)
  – Master (pointer to direct and indirect map files)
• Is invoked from the client using the automount command
  – Starts the automountd daemon
  – If a master map file exists, automountd is started at boot time.
  – New NFS mounts can be added on the fly by adding them as appropriate to the map files.
Notes:
The autofs kernel extension monitors specified directory mount points and, when a file I/O operation is requested to that mount point, requests automountd to mount the directory within autofs. The automount command is used to propagate the automatic mount information to the autofs kernel extension and start the automountd daemon. After a period of inactivity (five minutes by default) for directories under its control, autofs will attempt to unmount the quiescent NFS file system.
Using the automount, you neither have to keep the /etc/filesystems file up to date with NFS stanzas nor do you have to keep file systems mounted that are not being used.
Map files
IBM Power Systems
• Indirect

    # cat /etc/auto_indirect
    inventory     kenny:/books
    subscription  kenny:/magazine
    review        kenny:/article

• Direct

    # cat /etc/auto_direct
    /home       kenny:/home
    /usr/games  -ro kenny:/usr/games

• Master (the master map file name is fixed!)

    # cat /etc/auto_master
    /publishing   /etc/auto_indirect
    /-            /etc/auto_direct

• To invoke:

    # automount -v

  This operation will start the automountd and process the master map file.
Notes:
The automount indirect local map will contain the name of the client subdirectory mount point, any optional mount options, and the full path name of the server's exported directory. The directories inventory, subscription, and review do not have to exist on the client. The file name /etc/auto_indirect is arbitrary. Any name can be used, but it must be created and stored in the /etc directory. For simple system administration, use the word auto followed by a name that describes the contents of the map. Grouping automount maps by a naming convention makes it easier to keep them updated. Indirect map files are used for mounting NFS exported directories to local mount points which must not already exist. In this example, the local mount points are created within the /publishing directory.
Direct map file
The format of the direct map file is identical to the indirect map file, but the client mount point must be the full absolute name of a directory.
Master map file
AIX requires all map files to be referenced from within the file /etc/auto_master. This file name is not optional. The syntax for the master map file is the local directory mount point, followed by the map name and any optional mount options. /- for direct maps is a way of saying that no mount point needs to be referenced, because it is stated within the direct map file itself.
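To see how the master map and the two map types combine, the following shell functions (an added example, not part of the course or of AIX) compute the mount points that automount would create from a master map and its direct and indirect maps, without starting automountd. resolve_map applies the rule in the text: an indirect map's keys are joined under the master entry's directory, while keys of a map referenced as /- are already absolute paths. The sample maps are constructed inline from the visual and written to a temporary directory so that the master map can reference them by path; on a live client, point resolve_master at /etc/auto_master.

```shell
#!/bin/sh
# Added example (not from the course): list the mount points an AIX master map
# and its direct/indirect maps describe, using the /- rule from the text.
# Nothing is mounted; the maps are only parsed.

# resolve_map MOUNTDIR  (map entries on stdin)
# MOUNTDIR "/-" marks a direct map whose keys are absolute paths; otherwise the
# key is a subdirectory created under MOUNTDIR. Prints: mountpoint location options
resolve_map() {
    awk -v mountdir="$1" '
    /^[ \t]*(#|$)/ { next }
    {
        key = $1; opts = "-"; loc = $2
        if ($2 ~ /^-/) { opts = $2; loc = $3 }      # optional mount options precede the location
        mp = (mountdir == "/-") ? key : mountdir "/" key
        printf "%s %s %s\n", mp, loc, opts
    }'
}

# resolve_master MASTERFILE
# Each master entry is: mountdir mapfile [options]; resolve every referenced map.
resolve_master() {
    while read -r mountdir mapfile _; do
        case $mountdir in ''|'#'*) continue ;; esac
        resolve_map "$mountdir" < "$mapfile"
    done < "$1"
}

# Constructed sample maps, copied from the visual, written under a temp directory
# so the master map can reference them by path (the same layout /etc would have).
resolve_sample_maps() {
    dir=${TMPDIR:-/tmp}/auto_demo.$$
    mkdir -p "$dir"
    cat > "$dir/auto_indirect" <<'EOF'
inventory     kenny:/books
subscription  kenny:/magazine
review        kenny:/article
EOF
    cat > "$dir/auto_direct" <<'EOF'
/home       kenny:/home
/usr/games  -ro kenny:/usr/games
EOF
    cat > "$dir/auto_master" <<EOF
/publishing  $dir/auto_indirect
/-           $dir/auto_direct
EOF
    resolve_master "$dir/auto_master"
    rm -rf "$dir"
}

resolve_sample_maps
```

The output lists /publishing/inventory, /publishing/subscription and /publishing/review from the indirect map and /home and /usr/games (with -ro) from the direct map, matching the mount table shown in the next visual once the directories are accessed.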
.T ció
The automount command
The automount command is used as an administration tool for AutoFS. Popular flags include:
• -v: Displays verbose status and warning messages on standard output.
• -i Interval: Specifies the amount of time, in seconds, that an inactive autofs-mounted directory remains mounted. The default is 300 seconds.
• -t Duration: Specifies the amount of time, in seconds, that the auto-unmount process sleeps before it starts to work again. The minimum value is 21. The default value is 120. The maximum value is 600.
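The following shell script is an added example, not part of the course material: it dry-runs a set of AutoFS maps, resolving the master map and the indirect and direct maps it names into the mount table automountd would manage, and flags entries that break the key rules above (direct keys must be absolute, indirect keys must be relative). The map contents, the server name kenny and its exported paths are constructed to match the mount output shown on the following visual.

```shell
#!/bin/sh
# Added example (not from the course): dry-run an AutoFS map set.
# Reads a master map plus the indirect/direct maps it references and prints
# the mount points automountd would manage. Map contents are constructed;
# server "kenny" and the exported paths are assumptions matching the visual.

AUTO_MASTER='# mount point   map file             options
/publishing     /etc/auto_indirect   -rw
/-              /etc/auto_direct'

AUTO_INDIRECT='inventory     -rw   kenny:/books
subscription  -rw   kenny:/magazine
review        -rw   kenny:/article'

AUTO_DIRECT='/usr/games    -ro   kenny:/usr/games
/home         -rw   kenny:/home
games               kenny:/games'   # deliberately wrong: relative key in a direct map

# map_contents MAPFILE: print the constructed contents of that map
# (a real run would read the file from /etc instead).
map_contents() {
  case "$1" in
    /etc/auto_indirect) printf '%s\n' "$AUTO_INDIRECT" ;;
    /etc/auto_direct)   printf '%s\n' "$AUTO_DIRECT" ;;
    *) return 1 ;;
  esac
}

# resolve_maps: one line per entry, "<local mount point> <server:path> <options>".
# Rule violations go to stderr and the entry is skipped.
resolve_maps() {
  printf '%s\n' "$AUTO_MASTER" | while read -r mp map mopts; do
    case "$mp" in ''|\#*) continue ;; esac
    map_contents "$map" | while read -r key f2 f3; do
      case "$key" in ''|\#*) continue ;; esac
      # the options field is optional: "key [-opts] server:path";
      # without it, fall back to the master map options, or "-" if none
      case "$f2" in -*) opts=$f2; target=$f3 ;; *) opts=${mopts:--}; target=$f2 ;; esac
      if [ "$mp" = "/-" ]; then
        # direct map: the key itself is the absolute mount point
        case "$key" in
          /*) point=$key ;;
          *)  echo "error: $map: direct key '$key' must be an absolute path" >&2; continue ;;
        esac
      else
        # indirect map: the key is a subdirectory created under the master mount point
        case "$key" in
          /*) echo "error: $map: indirect key '$key' must be relative to $mp" >&2; continue ;;
          *)  point=$mp/$key ;;
        esac
      fi
      printf '%s %s %s\n' "$point" "$target" "$opts"
    done
  done
}

# mount_point_of SERVER:PATH: local mount point that an export resolves to
mount_point_of() {
  resolve_maps 2>/dev/null | awk -v t="$1" '$2 == t { print $1; exit }'
}

resolve_maps 2>/dev/null | sort
```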
Automount in operation
• Before any NFS data is accessed:

  node     mounted            mounted over             vfs    date         options
-------- ------------------ ------------------------ ------ ------------ ---------------
         /dev/hd4           /                        jfs    27 Jul 13:24 rw,log=/dev/hd8
         /dev/hd2           /usr                     jfs    27 Jul 13:24 rw,log=/dev/hd8
         /dev/hd9var        /var                     jfs    27 Jul 13:24 rw,log=/dev/hd8
         /dev/hd3           /tmp                     jfs    27 Jul 13:24 rw,log=/dev/hd8
  Note: some AIX file systems removed for clarity
         /etc/auto_indirect /publishing              autofs 27 Jul 13:24 ignore
         /etc/auto_direct   /usr/games               autofs 27 Jul 13:24 ignore

• On access of NFS file system data:

# mount
  node     mounted            mounted over             vfs    date         options
-------- ------------------ ------------------------ ------ ------------ ---------------
  Note: AIX file systems removed for clarity
         /etc/auto_indirect /publishing              autofs 27 Jul 13:24 ignore
         /etc/auto_direct   /usr/games               autofs 27 Jul 13:24 ignore
kenny    /books             /publishing/inventory    nfs3   27 Jul 13:37
kenny    /article           /publishing/review       nfs3   27 Jul 13:37
kenny    /magazine          /publishing/subscription nfs3   27 Jul 13:37
kenny    /usr/games         /usr/games               nfs3   27 Jul 13:37 ro
kenny    /home              /home                    nfs3   27 Jul 13:38
Notes:
On start up of AIX, if a master map file exists, the automountd daemon is started automatically and processes the file. At this point, no NFS file systems have been mounted. This can be seen in the first half of the visual. The second half of the visual shows all the NFS file systems mounted as data has been accessed.
Topic summary
• Identify the NFS daemons and their roles
• Understand NFS client server interaction
• Describe NFS authorization methods
• Stop and start NFS
• Configure an NFS server
• Configure an NFS client
• Understand the role of the automounter
• Configure the automount subsystem
NFS version 4
• Describe the role of the new NFSv4 daemons
• Configure an NFSv4 domain and pseudo-root file system
• Extend the pseudo-root file system using alias tree extensions
• Describe and configure NFSv4 features:
– Referrals, replication, and delegation
• Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms
• Potentially improved performance
– Less impact from WAN latencies
– Ability to use parallel NFS (pNFS)
• Increased security (RPCSEC-GSS)
• Integrated locking support
– NFS v4 protocol is stateful
– File locking is implemented and, by default, is the main protocol
– There are no rpc.statd and rpc.lockd daemons required
• Cross platform interoperability, including Microsoft Windows
• Backwards compatibility with NFSv3
• Movement toward an open standard, managed by the IETF, whereas previous versions of NFS were proprietary.
Notes:
NFS V2 was released in 1985 with the SunOS V2 operating system. Many UNIX vendors licensed this version of NFS from Sun. NFS V2 suffered many undocumented and subtle changes throughout its 10-year life. Some vendors allowed NFS V2 to read or write more than 4 K bytes at a time. Others increased the number of groups provided as part of the RPC authentication from 8 to 16. These minor changes created occasional incompatibilities between different NFS implementations; however, the protocol continued

incorporated many performance improvements over Version 2 but did not significantly change the way that NFS worked or the security model used by the network file system.
NFS V4 design motivations
Increasingly, businesses have needed to secure and protect data. Earlier versions of NFS
had weaknesses that kept them from meeting these needs. The following list is an example
of areas that NFS V2 and NFS V3 have failed to address:
• Strong authentication to prevent malicious users from masquerading as valid users of the system
• Fine-grained access control to make sure only the right people have access to sensitive data
• Encrypting data traffic to protect it from unauthorized disclosure as it travels over the network
• Uniquely identifying users in a large organization
• Good system and file I/O performance, including access from remote locations
• Being able to access shared data from many different platforms
• The use of an open systems design
NFS V4 in AIX
NFS v4 is not the default version used in AIX. This course topic will cover some of the
highlights of using NFSv4 in AIX. For more detail than can be covered in this course, refer
• nfsrgyd
– Mandatory daemon (on both server and client)
– Provides name translation services for NFS servers and clients
• gssd
– Optional daemon, depending on the NFS security method
– Kerberos 5, as an NFS security method, is provided under a mechanism called General Security Services (GSS).
– In AIX, GSS is provided by a library in the IBM Network Authentication Service (NAS) fileset.
# lssrc -g nfs
Subsystem         Group            PID          Status
 biod             nfs              209010       active
 nfsd             nfs              249988       active
 rpc.mountd       nfs              319652       active
 rpc.statd        nfs              311458       active
 rpc.lockd        nfs              323774       active
 nfsrgyd          nfs              324433       active
 gssd             nfs                           inoperative
Notes:
The nfsrgyd daemon provides a name translation service for NFS servers and clients. This daemon must be running in order to perform translations between NFS string attributes and

Some NFS security methods, such as Kerberos 5, are provided under a more general mechanism called General Security Services or GSS. In AIX, GSS services are provided by a library in the IBM Network Authentication Service (NAS) fileset. NAS is shipped on the expansion pack. The gssd daemon makes these GSS services available to the NFS server kernel code. If the gssd daemon is not running, then efforts to access files via NFS using GSS security methods such as Kerberos 5 will fail.
[Figure: the nfsroot tree as seen by clients, showing the directories alex, francois, projA, projB and projC]

nfs_server:/ # /usr/sbin/chnfsdom lpar.co.uk      (sets the NFS domain to "lpar.co.uk")
nfs_server:/ # chnfs -r /nfsv4 -B                 (sets nfsroot to "nfsv4")
nfs_server:/ # nfsd -getnodes
#root:public
/nfsv4:/nfsv4
nfs_server:/ # cat /etc/exports
/nfsv4/home -vers=4,sec=sys,rw,root=nfs_client
/nfsv4/projects -vers=4,sec=sys,rw,root=nfs_client

Mount nfsroot:
nfs_client:/ # /usr/sbin/chnfsdom lpar.co.uk
nfs_client:/ # mount -o vers=4 nfs_server:/ /mnt
nfs_client:/ # ls /mnt
home      projects
Notes:
NFS V4 no longer has a separate mount protocol. Instead of exporting a number of distinct exports, an NFS V4 client sees the NFS V4 server's exports as existing inside a single file tree called the nfsv4 pseudo file system. The pseudo file system tree constructed by the server creates a single logical view of all the different exported file systems.
NFSv4 is in use. The NFSv4 server creates a pseudo view for the NFSv4 clients, so all the exported file systems are visible when a user changes directory to /mnt.
First steps
The first step in configuring NFSv4 is to set an NFS domain name. This is done using the chnfsdom command. Although any domain name can be used, it is usually best practice that the domain name matches the DNS or Kerberos domain/realm names. The next step on the server is to set the location of the nfsroot directory. This step is optional because, by default, it is set to the root /. However, for best practice, it should be relocated elsewhere using the chnfs command.
AUTH_SYS method
By default, NFS uses the AUTH_SYS (sec=sys) method to authenticate user identities. Under the AUTH_SYS security flavor, the user is authenticated at the client, usually via a logon name and password. The NFS server trusts the user and group identities presented by its clients.
Note: NFS V4 does not support file exporting. If you need to export a specific file, export it as Version 2 or 3 (using the vers=2 or vers=3 options).
[Figure: NFS domain lpar.co.uk. The separate local file systems /local/fsA, /local/fsB and /local/3rdparty/code appear under the pseudo-root /exports as fsA, fsB and code.]

nfs_server:/ # cat /etc/exports
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw,exname=/exports/fsB
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
nfs_server:/ # exportfs -va

nfs_client:/ # mount -o vers=4 nfs_server:/ /mnt
nfs_client:/ # ls /mnt
code      fsA       fsB
Notes:
The alias tree model adds more flexibility to NFSv4 exports. External name space (exname) is not part of the NFS V4 RFC. This is an option specific to the AIX implementation. The exname option extends the pseudo file system concept. The external name in your /etc/exports file must begin with the nfsroot name.
Note:
• The described pseudo-root FS setup (on the previous visual) cannot coexist with the alias tree model. You must choose between the two models.
• Each of the exported directories shown above (/local/fsA, /local/fsB, and /local/3rdparty/code) is an individual file system. This is a mandatory requirement. For example:
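The following lint is an added example, not course or AIX code: it checks an /etc/exports file against the NFSv4 rules from the pseudo-root and alias tree visuals (every vers=4 entry must sit inside nfsroot or carry an exname= alias that starts with nfsroot, and the two models must not be mixed) and reports entries that still allow sec=sys, since under AUTH_SYS the server simply trusts the identities its clients present. Both exports files and the nfsroot /exports are constructed; the sec= parser accepts the colon-separated flavor list as well as the comma-separated form used in the visuals.

```shell
#!/bin/sh
# Added example (not from the course): lint /etc/exports for the NFSv4
# nfsroot/exname rules and for exports that allow the AUTH_SYS flavor.
# The two exports files below are constructed for this example.

GOOD_EXPORTS='/local/fsA -vers=4,sec=krb5p,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=krb5p,rw,exname=/exports/fsB
/local/3rdparty/code -vers=4,sec=krb5i:krb5p,ro,exname=/exports/code'

# same layout as the checkpoint question: /local/fsB has no exname alias
BAD_EXPORTS='/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code'

# lint_exports NFSROOT < exports-file
# Prints one finding per line; prints nothing when the file is clean.
lint_exports() {
  awk -v root="$1" '
    BEGIN { prefix = (root == "/") ? "/" : root "/" }
    NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
    {
      path = $1; opts = $2; sub(/^-/, "", opts)
      vers = ""; exname = ""; sec = ""; insec = 0
      n = split(opts, tok, ",")
      for (i = 1; i <= n; i++) {
        t = tok[i]
        # sec= carries a flavor list: accept "sec=a:b" and also "sec=a,b"
        # (bare flavor names directly after a sec= token)
        if (t ~ /^sec=/) { sec = sec (sec == "" ? "" : ":") substr(t, 5); insec = 1; continue }
        if (insec && t ~ /^(sys|none|dh|krb5|krb5i|krb5p)$/) { sec = sec ":" t; continue }
        insec = 0
        if (t ~ /^vers=/) vers = substr(t, 6)
        else if (t ~ /^exname=/) exname = substr(t, 8)
      }
      if (vers !~ /(^|:)4($|:)/) next           # v2/v3-only exports are not bound to nfsroot
      if (exname != "") {
        alias++                                 # alias-tree model
        if (index(exname, prefix) != 1)
          printf "%s: exname %s is outside nfsroot %s\n", path, exname, root
      } else {
        pseudo++                                # pseudo-root model
        if (path != root && index(path, prefix) != 1)
          printf "%s: not inside nfsroot %s and has no exname= alias\n", path, root
      }
      if (sec == "") sec = "sys"                # AUTH_SYS is the default flavor
      if (sec ~ /(^|:)sys($|:)/)
        printf "%s: allows sec=sys (server trusts client-supplied identities)\n", path
    }
    END {
      if (alias && pseudo)
        print "mixed models: pseudo-root entries and exname alias-tree entries cannot coexist"
    }'
}

# count_findings NFSROOT EXPORTS_TEXT: number of findings for the given text
count_findings() {
  printf '%s\n' "$2" | lint_exports "$1" | awk 'END { print NR + 0 }'
}

printf '%s\n' "$BAD_EXPORTS" | lint_exports /exports
```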
NFSv4 referrals (1 of 2)
• Referrals
– Allow us to build a distributed namespace
– Mask the real NFS servers from the clients
[Figure: nfs clients mount the master nfs server, whose referrals point them to the nfs servers that hold the data]
Notes:
The NFSv4 protocol provides referral and replication functions that enable the distribution of data across multiple servers in a way that is transparent to the users of that data. A referral is a special NFSv4 object, created in the namespace of a server, to which location information is attached. This server redirects, or refers, operations to the server specified in the location information. In other words, the referral server does not actually contain the file system but automatically redirects the client to another server that does. This is a very powerful capability because it hides from the end user where the actual data is located. In addition, the administrator can redirect clients from one server to another simply by changing the referral statement in the exports file on the server.
Note: Circular referrals can be created. This must be avoided.
NFSv4 referrals (2 of 2)
publications:/ # cat /etc/exports
/local/docs -vers=4,sec=sys,rw

data:/ # cat /etc/exports
/local/data -vers=4,sec=sys,rw

master_nfs_server:/ # cat /etc/exports
/local/docs -vers=4,refer=/local/docs@publications
/local/data -vers=4,refer=/local/data@data

nfs_client:/ # mount -o vers=4 master_nfs_server:/ /mnt
nfs_client:/ # ls /mnt
local
Notes:
The visual above demonstrates the referral feature. The client gains access to two NFS directories, /mnt/local/docs and /mnt/local/data, by mounting the nfsroot directory on the master server. The two directories reside on the publications and data servers respectively.
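As an added example (not part of the course), the script below follows refer= chains across several servers' exports to find which server actually holds a path, and reports the circular referrals that the previous page says must be avoided. The referral table is constructed: the master_nfs_server, publications and data entries match the visual, and a fourth entry that refers back to the master is included deliberately to show a loop being caught.

```shell
#!/bin/sh
# Added example (not from the course): resolve NFSv4 refer= chains and
# detect circular referrals. The table below is constructed; the last line
# is a deliberately bad entry that points back at the master server.

# one line per NFSv4 export: "<server> <path> <target>", where target is
# "path@server" for a refer= entry or "-" when the data is local to server
REFERRALS='master_nfs_server /local/docs /local/docs@publications
master_nfs_server /local/data /local/data@data
publications      /local/docs -
data              /local/data /local/data@master_nfs_server'

# resolve_referral SERVER PATH
# Prints "server:path" of the server that holds the data, "cycle: a -> b -> a"
# when the chain loops, or "dangling: server:path" when a hop has no export.
resolve_referral() {
  printf '%s\n' "$REFERRALS" | awk -v s="$1" -v p="$2" '
    NF == 3 { target[$1 ":" $2] = $3 }
    END {
      node = s ":" p; trail = ""
      while (1) {
        if (node in seen) { printf "cycle: %s -> %s\n", trail, node; exit }
        seen[node] = 1
        trail = (trail == "" ? node : (trail " -> " node))
        if (!(node in target)) { printf "dangling: %s\n", node; exit }
        if (target[node] == "-") { print node; exit }
        split(target[node], t, "@")          # "path@server" -> next hop
        node = t[2] ":" t[1]
      }
    }'
}

# check_all_referrals: run every refer= entry through the resolver and
# print the ones that do not end at a real export (cycles, dangling hops)
check_all_referrals() {
  printf '%s\n' "$REFERRALS" | while read -r srv path tgt; do
    [ "$tgt" = "-" ] && continue
    r=$(resolve_referral "$srv" "$path")
    case "$r" in
      cycle:*|dangling:*) printf '%s:%s -> %s\n' "$srv" "$path" "$r" ;;
    esac
  done
}

check_all_referrals
```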
NFSv4 replication (1 of 2)
• Replication
– Ideal for read-only file systems
– Client can continue to access data if an NFS server fails
– The actual replication of data is not performed by NFS!
[Figure: an nfs client mounts /data over the network from nfs server Replica1 or nfs server Replica2]

nfs_lpar1:/ # chnfs -R on -B
nfs_lpar1:/ # nfsd -getreplicas
replicas=on
Notes:
Replication is a means of specifying locations where copies of data can be found. It allows copies of data to be placed on multiple NFSv4 servers and informs NFSv4 clients where the replicas can be located. There are two primary reasons for replicating data:
NFSv4 replication (2 of 2)
nfs_lpar1:/ # cat /etc/exports
/exports -vers=4,sec=sys,ro,replicas=/exports@nfs_lpar1:/exports@nfs_lpar2

nfs_lpar2:/ # cat /etc/exports
/exports -vers=4,sec=sys,ro,replicas=/exports@nfs_lpar2:/exports@nfs_lpar1

nfs_client # mount -o vers=4 nfs_lpar1:/ /mnt
nfs_client # nfs4cl showfs /mnt/exports |grep -v options
Server      Remote Path      fsid             Local Path
--------    ---------------  ---------------  ---------------
nfs_lpar1   /exports         0:42949672973    /mnt/exports
Current Server: nfs_lpar1:/exports
Replica Server: nfs_lpar2:/exports
nfs_client # nfs4cl setfsoptions /mnt/exports prefer=nfs_lpar2
nfs_client # nfs4cl showfs /mnt/exports |grep -v options
Server      Remote Path      fsid             Local Path
--------    ---------------  ---------------  ---------------
nfs_lpar2   /exports         0:42949672973    /mnt/exports
Current Server: nfs_lpar2:/exports
Replica Server: nfs_lpar1:/exports
Notes:
When the client is no longer able to access replicated data on its current server, it attempts to access the data from the next most favored server. The client creates a preference list when it mounts a file system from the server, using the order specified in the server's /etc/exports entry for that file system. This order can be overridden by the client using the nfs4cl command as shown in the visual.
Important: The NFSv4 replication protocol does not provide automatic data synchronization among replica sites.
Synchronizing replicas
nfs_lpar1 # rsh nfs_lpar2 "find /exports -print | cpio -oacvU " | cpio -icvUud
After the command completes, the /exports file system on nfs_lpar1 is a copy of the /exports file system on nfs_lpar2.
NFSv4 delegation
• Read delegation (what AIX supports) ensures the file is not modified, eliminating the need to periodically check for changes.
– Both client and server delegation are on by default (1):
master_nfs_server:/ # nfso -a |grep delegation
client_delegation = 1
server_delegation = 1
– Can also be set on a per file system basis (if turned off at a global level):
master_nfs_server:/ # cat /etc/exports
/exports -deleg=yes,vers=4,sec=sys,rw
Notes:
Most NFS client implementations cache both data and attributes to improve performance and reduce network traffic. With caching, some amount of server interaction is still required to maintain the required semantics of the NFS protocol. Clients must check with servers at file OPEN time to validate and flush cached information as appropriate. In addition, the client periodically polls the server while files are in use. Depending on the application environment, the network traffic associated with client cache maintenance can be modest. In less reliable or slower networks, this traffic can represent a performance restriction.
NFS V4 provides an optional protocol mechanism called delegation that can improve the caching of NFS. With delegations, the open-time network traffic can be avoided as well as the periodic checks to servers. The reduction in network traffic can help increase the performance and scale of an NFS environment.
When a file is opened, the server can provide the client a read delegation for the file. If the client is granted a read delegation, it is assured that no other client has the ability to write to the file for the duration of the delegation. If the client is granted a write delegation, the client is assured that no other client has read or write access to the file. The AIX server only grants read delegations. The AIX server only supports delegation with the 64-bit AIX kernel. The AIX client supports both read and write delegations.
In order for the server to grant a delegation to the client, the client must first provide a callback address to the server. When a delegation is recalled, the server will send the recall request to this address. By default, the client will indicate the IP address that is being used for normal communication with the server. For clients with multiple network interfaces, a specific address can be specified in the /etc/nfs/nfs4_callback.conf file. The format of the entries in this file is:
server-host client-ip-address
Server-host is the name or address of an NFSv4 server and client-ip-address is the client address to be used when providing the server callback information.
Delegations can be recalled by the server. If another client requests access to the file in such a way that the access conflicts with the granted delegation, the server is able to notify the initial client and recall the delegation. This requires that a callback path exists between the server and client. If this callback path does not exist, then delegations cannot be granted. If a file delegation has been granted, access from other NFSv4 clients, NFS version 2 and 3 clients, and local accesses to the file at the file server can cause the delegation to be recalled. If GPFS is being NFSv4 exported, an access at a GPFS node in the network might cause the delegation to be recalled.
The essence of a delegation is that it allows the client to locally service operations such as open, close, lock, locku, read, and write without immediate interaction with the server.
Server and client delegation is enabled by default. Server delegation can be disabled with
to disable or enable the granting of delegations on a per-file system basis, which will override the nfso setting. The deleg option can also be specified in the /etc/exports file
delegation must be set before any mounts take place on the client.
If the administrator is exporting a file system where many clients will be writing to many common files, the administrator might want to disable delegations for that file system.
If the client cannot be contacted (for example, if the network or client is experiencing an outage) other clients might be delayed in accessing the data.
• NFSv3 example:
nfs_lpar1:/ # cat /etc/exports
/exports -rw
/data -ro
– Can be changed to support both v3 and v4 clients:
nfs_lpar1:/ # cat /etc/exports
/exports -vers=3:4,rw,sec=sys,krb5
/data -vers=3:4,ro,sec=sys,krb5
nfs_lpar1:/ # exportfs -va
Notes:
Despite the addition of new NFSv4 functionality in AIX, many customer sites require the ability to provide both NFSv3 and NFSv4 services concurrently. This can be necessary in order to support existing systems or other operating systems that presently do not offer NFSv4 implementations. Coexistence of both versions is not difficult to achieve, and a
• RPCSEC_GSS mechanisms:
– Kerberos Version 5
– SPKM (Simple Public-Key Mechanism)
– LIPKEY (Low Infrastructure Public Key Mechanism using SPKM)
• Currently, AIX only provides support for Kerberos v5 security.
– krb5: Authentication only
– krb5i: Authentication and integrity
– krb5p: Authentication, integrity, and privacy
nfs_lpar1:/ # cat /etc/exports
/data -vers=4,rw,sec=krb5p,krb5i,krb5
[Figure: an AIX NFS server and an AIX NFS client, each a Kerberos client in Kerberos domain lpar.co.uk, exchange nfs traffic with authentication and, optionally, integrity checking and encryption. Caption fragment: "For further details, including configuration," (remainder not recovered)]
Notes:
NFSv4 Security
NFS has always relied on client-side authentication to provide security. This has generally not been a problem because NFS has largely been used within private networks. One of the objectives of the Version 4 protocol is to enable increased use of NFS over wide area networks. The basic NFS security mechanisms are extended in NFS V4 through the mandated support of RPCSEC_GSS. RPCSEC_GSS is implemented at the RPC layer.
Distribution Center (KDC). The KDC issues all of the Kerberos tickets to the clients. In the Kerberos protocol, a database is maintained that keeps a record of every principal. The record contains the name, private key, expiration date of the principal, and some administrative information about each principal. This Kerberos database is maintained on the master KDC and can be replicated to one or more replica KDCs.
Other existing distributed file systems, such as DFS (Distributed File System) and AFS (Andrew File System), also use the Kerberos mechanism for their security.
• SPKM (IETF RFC 2025)
SPKM is a GSS-API mechanism based on public key technology, unlike Kerberos, which is based on symmetric key technology. SPKM provides authentication, key establishment, data integrity, and data confidentiality in an on-line distributed application environment using a public key infrastructure. SPKM data formats and procedures are designed to be as similar to those of the Kerberos mechanism as is practical, for easy implementation in those environments where Kerberos has already been implemented. For applications that need to have a GSS-API mechanism based on a public key infrastructure, SPKM is the answer.
• LIPKEY (Low Infrastructure Public Key Mechanism using SPKM, IETF RFC 2847)
GSS-API mechanisms, such as Kerberos Version 5 [IETF RFC 1964] and SPKM [IETF RFC 2025], require a great deal of infrastructure. LIPKEY is a low-infrastructure GSS-API security mechanism that maps to a typical Transport Layer Security (TLS) deployment scenario. It consists of a client with no public key certificate accessing a server with a public key certificate. The LIPKEY mechanism can be used when the initiator (client) does not possess a public key certificate, and instead uses a user name and password for authentication.
Typically, most LIPKEY implementations use the native password database residing on the server's operating system for client authentication. Some LIPKEY implementations might provide a plug-in architecture that lets administrators use different authentication databases for verification of the username and password supplied by the client.
Because of their asymmetric nature, these security mechanisms based on public key technology are more suitable for Internet-based solutions. The long-term plan for NFS Version 4 is to make it available on the Internet, separate from its usage in
details on integrating NFSv4 with Kerberos v5 on AIX, refer to the Redbook Securing NFS in AIX, SG24-7204-00.
Topic summary
• Define the goals of NFSv4
• Describe the role of the new NFSv4 daemons
• Configure an NFSv4 domain and pseudo-root file system
• Extend the pseudo-root file system using alias tree extensions
• Describe and configure NFSv4 features:
– Referrals, replication, and delegation
• Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms
Checkpoint (1 of 2)
2. What file needs to be created and which command needs to be executed on an NFS server in order to make files, directories, and file systems available for mounting from clients?
3. What file contains the startup script for NFS?
4. True or False: AutoFS is a server-side service that allows for automatic and transparent mounting and unmounting of NFS file systems.
Checkpoint (2 of 2)
6. Why is this configuration incorrect?
nfs_server:/ # cat /etc/exports
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
nfs_server:/ # exportfs -a
exportfs: /local/fsB: There are too many levels of symbolic links to translate a path name.
7. True or False: The NFS domain name must equal the DNS domain name.
Exercise introduction
Unit summary
– Identify the NFS daemons and their roles
– Describe NFS client server interaction and authorization methods
• Configure and manage NFS, including:
– Stop and start NFS
– Configure an NFS server and an NFS client
• Configure and use the automount subsystem
• Describe the goals of NFSv4 and the roles of its daemons
• Configure NFSv4, including:
– Configure an NFSv4 domain and pseudo-root file system
– Extend the pseudo-root file system using alias tree extensions
– Configure NFSv4 features: Referrals, replication, and delegation
– Configure NFSv3 and v4 side by side
• Identify NFSv4 security mechanisms
understanding problem areas in networking.
What you should be able to do
After completing this unit, you should be able to:
• Perform TCP/IP troubleshooting on AIX
• Solve common TCP/IP problems
- Connectivity
- Duplicate IP addresses
- Problems with network services
- Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Checkpoint solutions
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Unit 11. Problem determination 11-1
Unit objectives
• Solve common TCP/IP problems
– Connectivity
– Duplicate IP addresses
– Problems with network services
– Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Inspect IP data using tcpdump and iptrace
• Analyze the output of an iptrace
Problem determination
(Figure: problem determination tools)
Commands: netstat, ping, arp, tcpdump, traceroute, entstat, iptrace, no, ifconfig, lsattr, lscfg, lsdev, chdev
Monitoring: nmon, topas, errlog
Also: Tuning, Documentation
Notes:
Most of these commands should be familiar to you by now. The ping command is probably the most useful because it allows us to determine whether a particular host is responding. If a host does not respond or there is a long delay in communication, the traceroute command will trace the number of hops through gateways and record the round-trip time of each successful hop. This is particularly useful in large networks where there are many networks between the source and destination hosts.
The commands iptrace, tcpdump, and no are possibly commands you have not used or seen before. We shall cover these later in the unit.
• Bottlenecks and errors through the TCP/IP stack
• Network services not running or incorrectly configured
• Performance
• Actions:
– Approach problems methodically
• Start at a high level (for example, ping) before digging deeper (for
example, iptrace)
– Monitor the system and network workloads
– Tune network options
– Perform packet analysis
Notes:
Be methodical in solving the problem. Work through the protocols from bottom to top,
hardware to networking to application. Identify what works and what specifically will not.
Many times the problem can be identified when you examine your assumptions. What has
changed? What used to work or works now? Eliminate variables one by one.
As a system administrator you should closely monitor the system over time, using
commands such as: nmon, netpmon, and netstat and work closely with the network team
in order to understand the network infrastructure topology and the monitoring and
performance of the network.
• Actions:
– Attempt to ping, ping -R, or traceroute to the destination.
– Check cables and link status (entstat) and switch port settings.
– Test to ensure the local IP stack is up by pinging the loopback.
– Check to ensure the adapter is available.
• Command? _______________________
– Check interface settings. Look for flags up and running.
• Command? _______________________
– Check to see if the correct path is taken. View the routing table.
• Command? _______________________
– Check name resolution.
• Commands? ___________ ______________ _______________
– Check the arp table.
• Command? _______________________
Notes:
Make a note of the commands above. If you have access to an AIX console, type these commands as you go and review the output with the class and your instructor.
Duplicate IP address
• Actions:
– Connect to one of the hosts with the duplicate IP address.
– Check the error log on the host.
– Locate the MAC address of the other host/adapter.
• Log in to the network switch and locate and disable the port of one of the systems
with the duplicate address.
– In AIX, remove one of the duplicate IP addresses.
# errpt -A
---------------------------------------------------------------------------
LABEL:          AIXIF_ARP_DUP_ADDR
Date/Time:      Mon 28 Sep 10:55:18 2009
Type:           PERM
Resource Name:  SYSXAIXIF
Description
DUPLICATE IP ADDRESS DETECTED IN THE NET
Detail Data
DUPLICATE IP ADDRESS
0404 0404
MAC ADDRESS
EA48 F000 7004            <- MAC address of the other host/adapter
Notes:
Duplicate IP addresses will cause connectivity problems in the network. Depending on the switch model and type, errors will be logged to the network switch as well as to the error log of each of the AIX hosts with the duplicate address. There are many ways in which these types of problems can be resolved. One such method might involve connecting to one of the hosts and checking the error log to confirm there is a duplicate IP problem. The error log will report the MAC address of the other host with the duplicate address. The MAC address table on the switch should indicate to which physical network ports the two hosts are connected. One of the ports could be disabled from the switch. On Cisco hardware, this can be done using the following command: ssh <admin_user>@<switch name> netpro <switch name> <port number> -cmd set disable. Alternatively, you can change the IP parameters for the host to which you are currently connected, empty the ARP table, re-arp for the duplicate IP address, and then connect to the other host and decide whether to alter, remove, or keep the address.
Treat the event as a possible ARP spoofing attempt as well as a misconfiguration: from the host's point of view a second station answering ARP for its address looks exactly the same in either case, so confirm that the reported MAC address belongs to a known system before deciding which port to disable, and be suspicious if the MAC address changes between occurrences.
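As an added example (not from the course material), the following script decodes AIXIF_ARP_DUP_ADDR records from errpt -A output into the duplicate IP address and the offending MAC address, and checks that MAC against an adapter inventory, because the same event is also what an ARP spoofing attempt looks like from the victim host. SAMPLE_ERRPT is a constructed sample in the format of the listing above (the second record is invented to show the unknown-MAC case), and KNOWN_ADAPTERS is an assumed inventory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format of the errpt -A listing above; the second
# record is invented to show an address claimed by a MAC nobody knows.
SAMPLE_ERRPT = """\
---------------------------------------------------------------------------
LABEL:          AIXIF_ARP_DUP_ADDR
Date/Time:      Mon 28 Sep 10:55:18 2009
Type:           PERM
Resource Name:  SYSXAIXIF
Description
DUPLICATE IP ADDRESS DETECTED IN THE NET
Detail Data
DUPLICATE IP ADDRESS
0404 0404
MAC ADDRESS
EA48 F000 7004
---------------------------------------------------------------------------
LABEL:          AIXIF_ARP_DUP_ADDR
Date/Time:      Mon 28 Sep 11:02:41 2009
Type:           PERM
Resource Name:  SYSXAIXIF
Description
DUPLICATE IP ADDRESS DETECTED IN THE NET
Detail Data
DUPLICATE IP ADDRESS
0A01 0105
MAC ADDRESS
0011 2233 4455
"""

# Assumed adapter inventory (MAC -> host); in practice this comes from your CMDB.
KNOWN_ADAPTERS: Dict[str, str] = {"ea:48:f0:00:70:04": "aixod05"}


@dataclass
class DupAddrEvent:
    when: str
    ip: str
    mac: str


def _hex_bytes(words: str) -> bytes:
    """errpt prints detail data as hex words: '0404 0404' -> four bytes."""
    return bytes.fromhex(words.replace(" ", ""))


def parse_dup_addr_events(errpt_text: str) -> List[DupAddrEvent]:
    """One DupAddrEvent per AIXIF_ARP_DUP_ADDR record in errpt -A output."""
    events: List[DupAddrEvent] = []
    for record in re.split(r"^-{10,}\s*$", errpt_text, flags=re.M):
        if "AIXIF_ARP_DUP_ADDR" not in record:
            continue
        when = re.search(r"^Date/Time:\s*(.+?)\s*$", record, re.M).group(1)
        # The Description line also begins with DUPLICATE IP ADDRESS, so the
        # hex words must sit on the line right after the bare detail label.
        ip_hex = re.search(r"^DUPLICATE IP ADDRESS\n\s*([0-9A-Fa-f ]+?)\s*$", record, re.M)
        mac_hex = re.search(r"^MAC ADDRESS\n\s*([0-9A-Fa-f ]+?)\s*$", record, re.M)
        if not (ip_hex and mac_hex):
            continue
        ip = ".".join(str(b) for b in _hex_bytes(ip_hex.group(1)))
        mac = ":".join(f"{b:02x}" for b in _hex_bytes(mac_hex.group(1)))
        events.append(DupAddrEvent(when, ip, mac))
    return events


def triage(events: List[DupAddrEvent], known_adapters: Dict[str, str] = KNOWN_ADAPTERS) -> List[str]:
    """A known MAC points at a misconfigured peer; an unknown MAC gets the same
    handling as an ARP spoofing attempt until the switch port says otherwise."""
    report: List[str] = []
    for ev in events:
        owner = known_adapters.get(ev.mac)
        if owner:
            report.append(f"{ev.when}: {ev.ip} also claimed by {owner} ({ev.mac}): check its configuration")
        else:
            report.append(f"{ev.when}: {ev.ip} also claimed by UNKNOWN MAC {ev.mac}: "
                          "locate the switch port before trusting traffic from it")
    return report


if __name__ == "__main__":
    for line in triage(parse_dup_addr_events(SAMPLE_ERRPT)):
        print(line)
```

On a real host the text would come from `errpt -A -J AIXIF_ARP_DUP_ADDR` rather than the sample; the detail-data decoding is the same.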
(Figure: data path through the TCP/IP stack, with the buffers, tunables and statistics command at each layer)
Layer        Buffers and queues                           Tunables                        Statistics
Application  Write buffer, read buffer (system memory)                                    svmon, nmon, netstat
Transport    Socket send buffer, socket receive buffer    tcp_sendspace, tcp_recvspace    # netstat -p tcp
                                                          udp_sendspace, udp_recvspace    # netstat -p udp
Internet     IP input queue; MTU compliance/enforcement   ipqmaxlen, MTU size             # netstat -p ip
Link         Transmit queue, receive queue                tx_que_sz, rxdesc_que_sz        # entstat <entX>, # netstat -v
Physical     Network (specific network software)
Notes:
Overview
Data is written from the application to a write buffer in system memory. Data to be transferred across the network is then queued to a socket send buffer (either TCP or UDP depending on what the application requested). The port number of the sending application is included here along with the port number of the receiving application, which was requested by the sending application. TCP segments the data stream (according to the MSS, which is derived from the MTU), adds its control information, and passes it to IP. IP adds its information, including the correct IP source and destination addresses, applies MTU compliance (fragmenting if necessary, normally on UDP traffic), checks the ARP table, and puts the data in the transmit queue of the network interface. It is then taken from the transmit queue and put on the physical network medium (copper or fiber) after the appropriate network interface control information is added.
The destination machine receives the message from the transport medium and puts it in the receive queue. Once the network interface has completed its checks, it passes the data to the IP input queue, where IP puts the data stream back together if it had to be fragmented at the sending side. When complete, the data stream is copied to the socket receive buffer and the application is notified. The data is then put in the application read buffer. The buffers and the IP input queue use system memory, a potentially limited resource. The transmit and receive queues use memory on the adapters. There are many places along the way where a message can be delayed or lost. That is why it is a good idea to use this layered approach to isolating a problem, starting from what every other layer depends on: the hardware layer.
Memory
If memory fills up on a system, performance problems will occur. There are many tools in
AIX to monitor memory usage (for example, svmon and topas-nmon). The topas-nmon
utility is particularly useful as it allows us to monitor system statistics over time.
The netstat command with the -m flag shows network memory statistics. The kernel allocates memory from the network memory buffer pool, commonly called the mbuf pool, to be used as buffers by the networking subsystem. Watch out for positive values in the failed column. You should not see a large number of failed calls. There might be a few, which trigger the system to allocate more buffers as the buffer pool size increases. There is a predefined set of buffers of each size that the system starts with after each reboot, and the number of buffers increases as necessary, up to a limit. To zero the network memory statistics type: # netstat -Zm
For further details regarding memory performance, refer to the AIX performance courses:
AN51 and AN52.
Transport layer – TCP (netstat -p tcp)
Statistics of interest are packets sent, data packets, data packets retransmitted, packets received, completely duplicate packets, and retransmit timeouts.
For the TCP statistics, compare the number of packets sent to the number of data packets retransmitted. If the number of packets retransmitted is over 10-15% of the total packets sent, TCP is timing out, indicating that network traffic might be too high for acknowledgments (ACKs) to return before a time out. A bottleneck on the receiving node or general network problems can also cause TCP retransmissions. Also compare the number of packets received with the number of completely duplicate packets. If TCP on a sending node times out before an ACK is received from the receiving node, it retransmits the packet. Duplicate packets occur when the receiving node eventually receives all the retransmitted packets. If the number of duplicate packets exceeds 10-15%, the problem might again be too much network traffic or a bottleneck at
were broadcast datagrams, ICMP errors are not generated. If this value is high,
investigate how the application is handling sockets.
• Socket buffer overflows Socket buffer overflows could be due to insufficient transmit
and receive UDP sockets, too few nfsd daemons, or too small network options
(nfs_socketsize, udp_recvspace, and sb_max values).
If the netstat -p udp command indicates socket overflows, then you might need to increase the number of nfsd daemons on the server. First, check the affected system for CPU or I/O saturation, and verify the recommended setting for the other communication layers by using the no -a command. If the system is saturated, you must either reduce its load or increase its resources.
IP layer (netstat -p ip)
Statistics of interest are:
• Total packets received Number of total IP datagrams received.
• Bad header checksum or fragments dropped If the output shows bad header
checksum or fragments dropped due to dup or out of space, this indicates either a
network that is corrupting packets or device driver receive queues that are not large
enough.
fragments of the datagram arrived. To avoid this, use the no command to increase the
value of the ipfragttl network parameter. Another reason could be a lack of mbufs;
from this system. This counter does not include the forwarded datagrams (passthrough
traffic).
• Fragments created Number of fragments created in this system when IP datagrams
network path might also have a much smaller MTU size than the other nodes in the
network. The same logic can be applied to packets sent and fragments created.
• Fragmentation results in additional CPU overhead so it is important to determine its
cause. Be aware that some applications, by their very nature, can cause fragmentation
to occur. For example, an application that sends small amounts of data can cause
fragments to occur. However, if you know the application is sending large amounts of
data and fragmentation is still occurring, determine the cause. It is likely that the MTU
size used is not the MTU size configured on the systems.
Network Interface layer (entstat -d)
The entstat command displays statistics gathered by the specified Ethernet device driver. If no flags are specified, only the device generic statistics are displayed. This command is also invoked when the netstat command is run with the -v flag. The netstat command does not issue any entstat command flags.
Statistics of interest are:
• No mbuf errors The number of times that mbufs were not available to the device driver. This usually occurs during receive operations when the driver must obtain mbuf buffers to process inbound packets. If the mbuf pool for the requested size is empty, the packet will be discarded. The netstat -m command can be used to confirm this.
• Transmit errors The number of output errors encountered on this device. This is a counter for unsuccessful transmissions due to hardware or network errors.
• Packets dropped The number of packets accepted by the device driver for transmission which were not (for any reason) given to the device.
• S/W transmit queue overflow The number of outgoing packets which have overflowed the software transmit queue. For physical adapters try increasing the software transmit queue size of the adapter using smitty chgenet. Note: All interfaces must be down in order for this parameter to be changed.
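Below is an added example, not part of the course material, that applies the thresholds from the TCP, UDP and IP notes above to netstat -p output: it parses the counters into a dictionary keyed by the counter description, computes the retransmission and duplicate percentages, and reports any UDP socket buffer overflows, bad IP header checksums and dropped fragments. SAMPLE_NETSTAT is a constructed sample laid out like the AIX output with invented numbers; the exact counter wording can differ between AIX levels, so check the keys against a real netstat -p tcp before relying on the script.

```python
import re
from typing import Dict, List

# Constructed sample laid out like AIX `netstat -p tcp`, `-p udp` and `-p ip`
# output concatenated; the numbers are invented to trip several thresholds.
SAMPLE_NETSTAT = """\
tcp:
        100000 packets sent
                80000 data packets (104857600 bytes)
                12500 data packets (16384000 bytes) retransmitted
                7500 ack-only packets (120 delayed)
        200000 packets received
                79000 acks (for 104800000 bytes)
                1000 completely duplicate packets (1280000 bytes)
        210 retransmit timeouts
udp:
        50231 datagrams received
        12 socket buffer overflows
        50219 delivered
        48120 datagrams output
ip:
        251000 total packets received
        3 bad header checksums
        120 fragments received
        4 fragments dropped (dup or out of space)
        2 fragments dropped after timeout
        60 packets reassembled ok
        320 fragments created
"""

_PROTO = re.compile(r"^(\w+):\s*$")
_COUNTER = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")


def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Return {protocol: {description: count}}.

    Parenthesised groups containing digits, such as "(16384000 bytes)", are
    stripped so "data packets (N bytes) retransmitted" keys as
    "data packets retransmitted"; groups without digits are kept as is."""
    stats: Dict[str, Dict[str, int]] = {}
    proto = None
    for line in text.splitlines():
        m = _PROTO.match(line)
        if m:
            proto = m.group(1)
            stats[proto] = {}
            continue
        m = _COUNTER.match(line)
        if m and proto is not None:
            desc = re.sub(r"\([^)]*\d[^)]*\)", "", m.group(2))
            stats[proto][" ".join(desc.split())] = int(m.group(1))
    return stats


def pct(part: int, whole: int) -> float:
    return 100.0 * part / whole if whole else 0.0


def findings(stats: Dict[str, Dict[str, int]], limit_pct: float = 10.0) -> List[str]:
    """Apply the thresholds from the notes; one line per threshold that trips."""
    out: List[str] = []
    tcp, udp, ip = stats.get("tcp", {}), stats.get("udp", {}), stats.get("ip", {})

    retrans = pct(tcp.get("data packets retransmitted", 0), tcp.get("packets sent", 0))
    if retrans > limit_pct:
        out.append(f"tcp: {retrans:.1f}% of packets sent were retransmitted "
                   f"({tcp.get('retransmit timeouts', 0)} retransmit timeouts): "
                   "ACKs are not returning in time, check the receiver and the path")
    dups = pct(tcp.get("completely duplicate packets", 0), tcp.get("packets received", 0))
    if dups > limit_pct:
        out.append(f"tcp: {dups:.1f}% of packets received were completely duplicate")

    if udp.get("socket buffer overflows", 0):
        out.append(f"udp: {udp['socket buffer overflows']} socket buffer overflows: "
                   "check udp_recvspace and sb_max (no -a) and, for NFS, the nfsd count")

    if ip.get("bad header checksums", 0):
        out.append(f"ip: {ip['bad header checksums']} bad header checksums: "
                   "packets corrupted in the network or receive queues too small")
    if ip.get("fragments dropped (dup or out of space)", 0):
        out.append(f"ip: {ip['fragments dropped (dup or out of space)']} fragments dropped "
                   "(dup or out of space): receive queues or mbufs too small")
    if ip.get("fragments dropped after timeout", 0):
        out.append(f"ip: {ip['fragments dropped after timeout']} fragments dropped after "
                   "timeout: not all fragments arrived in time, consider raising ipfragttl")
    return out


if __name__ == "__main__":
    # On AIX: text = subprocess.run(["netstat", "-p", "tcp"], capture_output=True, text=True).stdout
    for line in findings(parse_counters(SAMPLE_NETSTAT)):
        print(line)
```

Run it from cron against a baseline capture as well as on demand: the percentages matter more as a trend than as a single reading, and a sudden jump in bad header checksums on one host is worth a look even below any threshold.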
Network services
• Actions:
– Check daemons are running OK (lssrc -s)
– Check processes and threads (# ps -A; ps -A -o THREAD)
– Check active sockets (netstat -a)
– Check application specific configuration and debug files
• Examples:
– inetd (/etc/inetd.conf)
– DHCP server (/etc/dhcpsd.conf)
– Activate tracing or debugging tools
• For example: traceson -s clinfoES
– Use tcpdump and iptrace commands to analyze incoming and
outgoing packets
Notes:
For network service problems, first check that the service is running and that the associated processes and threads are listed in the process table. Second, check that the configuration of the service is correct. If everything seems well but problems remain, you might need to turn on tracing and analyze incoming and outgoing packets using the tcpdump and iptrace commands.
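An added example (not from the course) for the "check active sockets" step above: it reads netstat -an output, keeps only the listening sockets, and compares them with the listeners the host is supposed to have, so that both an unexpected listener (a stray or unauthorised service) and a missing one (a daemon that lssrc shows stopped or misconfigured) stand out. SAMPLE_NETSTAT_AN is a constructed sample in the AIX netstat layout, and EXPECTED_LISTENERS is an assumed allowlist for the host.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of AIX `netstat -an`; the addresses and the
# stray listener on port 8888 are invented.
SAMPLE_NETSTAT_AN = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.111                  *.*                    LISTEN
tcp4       0      0  *.2049                 *.*                    LISTEN
tcp4       0      0  10.1.1.5.22            10.1.1.9.51234         ESTABLISHED
tcp4       0      0  *.8888                 *.*                    LISTEN
udp4       0      0  *.111                  *.*
udp4       0      0  *.2049                 *.*
udp4       0      0  127.0.0.1.514          *.*
Active UNIX domain sockets
SADR/PCB   Type   Recv-Q Send-Q Inode     Conn      Refs     Nextref  Addr
f1000e0000 stream      0      0 0         0         0        0        /dev/SRC
"""

Listener = Tuple[str, str, int]           # (protocol, local address, port)

# Assumed allowlist for this host; build yours from the services lssrc should show.
EXPECTED_LISTENERS: Dict[Listener, str] = {
    ("tcp", "*", 22): "sshd",
    ("tcp", "*", 111): "portmap",
    ("udp", "*", 111): "portmap",
    ("tcp", "*", 2049): "nfsd",
    ("udp", "*", 2049): "nfsd",
}


def split_addr(field: str) -> Tuple[str, int]:
    """AIX joins address and port with a dot: '10.1.1.5.22' -> ('10.1.1.5', 22)."""
    host, _, port = field.rpartition(".")
    return host, int(port)


def listeners(netstat_text: str) -> Set[Listener]:
    """Listening sockets: TCP rows in state LISTEN, UDP rows with no peer (*.*)."""
    found: Set[Listener] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue
        proto = cols[0][:3]
        local, foreign = cols[3], cols[4]
        state = cols[5] if len(cols) > 5 else ""
        if (proto == "tcp" and state == "LISTEN") or (proto == "udp" and foreign == "*.*"):
            host, port = split_addr(local)
            found.add((proto, host, port))
    return found


def audit(found: Set[Listener],
          expected: Dict[Listener, str] = EXPECTED_LISTENERS) -> Tuple[List[Listener], List[Listener]]:
    """(listeners not on the allowlist, allowlisted services that are not listening)."""
    unexpected = sorted(lst for lst in found if lst not in expected)
    missing = sorted(lst for lst in expected if lst not in found)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(listeners(SAMPLE_NETSTAT_AN))
    for proto, host, port in unexpected:
        print(f"unexpected listener {proto} {host}.{port}: identify the process before trusting it")
    for proto, host, port in missing:
        print(f"missing listener {proto} {host}.{port}: {EXPECTED_LISTENERS[(proto, host, port)]} not listening")
```

The loopback-only syslog socket in the sample is reported as unexpected on purpose: a listener bound to 127.0.0.1 is still a listener, and the allowlist should name it explicitly rather than the script assuming loopback is harmless.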
– Network load
– Throughput
– Latency
– Packet loss
– Retransmission
nmon view: Network statistics
topas_nmon  c=CPU  Host=aixod04  Refresh=2 secs  13:59.51
 Network
 I/F Name  Recv=KB/s  Trans=KB/s  packin  packout  insize  outsize  Peak->Recv  TransKB
 en0         0.2        0.3        3.5     1.0     48.3    338.0      0.2        0.6
 en1         0.1        0.4        2.5     2.5     60.8    149.2      0.4        0.4
 en2         0.1        0.3        1.0     1.0     71.0    271.0      0.1        0.3
 lo0         0.0        0.0        0.0     0.0      0.0      0.0      0.5        0.5
 Total       0.0        0.0   in Mbytes/second                                 Overflow=0
 I/F Name  MTU    ierror  oerror  collision  Mbits/s  Description
 en0       1500     0       0        0        2047    Standard Ethernet Network Interface
 en1       1500     0       0        0        2047    Standard Ethernet Network Interface
 en2       1500     0       0        0        2047    Standard Ethernet Network Interface
 lo0       16896    0       0        0           0    Loopback Network Interface
Notes:
There are many factors which can affect network performance. As a general rule it is important to deploy tools which can monitor the system, the system workloads, and the physical network infrastructure. The latter usually requires specific network management software provided by vendors such as Cisco and Nortel.
As data is broken into component parts (known as frames, packets, or segments) for transmission, several factors can affect their delivery.
• Latency The round trip time for a packet to be delivered between source and destination hosts, across the intervening networks.
• Packet loss In some cases, intermediate devices in a network will lose packets. This might be due to errors, to overloading of the intermediate network, or to intentional discarding of traffic in order to enforce a particular service level.
• Retransmission When packets are lost in a reliable network, they are retransmitted. This incurs two delays. First, the delay from re-sending the data, and second, the delay resulting from waiting until the data is received in the correct order before forwarding it up the protocol stack.
These factors and others, such as the performance of the network signaling on the end nodes, compression, encryption, concurrency, and so on, all affect the effective performance of a network. In some cases, the network might not work at all. In others, it might be slow or unusable. Because applications run over these networks, application performance suffers. Various intelligent solutions are available to ensure that traffic over the network is effectively managed to optimize performance for all users. This usually takes the form of traffic shaping by means of deploying quality of service (QoS) rules.
• Actions:
– Measure network throughput and latency:
# ftp remote_node
Connected to remote_node
ftp> put "|dd if=/dev/zero bs=1M count=1024" /dev/null
226 Transfer complete.
1073741824 bytes sent in 11.02 seconds (9.517e+04 Kbytes/s)
(1 GB was transferred over a Gbit network in 11 seconds; that is 93 MB per second throughput.)

# ping -c 100 remote_node | grep round-trip
round-trip min/avg/max = 3/7/22 ms
(Average latency: 7 ms.)
– Deploy tools to measure systems workloads and the workload of the
physical network infrastructure.
– Check for bottlenecks and errors through the TCP/IP stack.
– Tune network options.
– Liaise with the network team.
Notes:
Comparing against a baseline is also important in normal monitoring of the system, to spot trends in performance degradation before the performance goals for your environment are no longer met. Some experimentation might be necessary in order to obtain the optimum settings. When tuning the network or when dealing with network related problems, you should always work closely with the network team, as they will have a thorough understanding of the underlying infrastructure.
– For example, socket buffers, routing, arp, system security, and many
more
– Can improve performance and inadvertently affect performance!
• System wide network tunables are viewed and changed via the no
command
– List: # no -L or # no -a
– Change: # no -o option=NewValue Example: # no -p -o rfc1323=1
• Interface specific options (ISNO) can be set through the chdev and ifconfig commands
– # chdev -l Name -a Attribute=value Example: # chdev -l en0 -a rfc1323=0
– # ifconfig interface parameter Example: # ifconfig en0 rfc1323 1
Notes:
The no command is used to configure network tuning parameters. The no command sets or displays current or next boot values for network tuning parameters. This command can either make permanent changes (-p) or defer changes until the next reboot (-r); with -o alone, only the running value changes, and that change is lost at the next reboot. Parameters are stored in the /etc/tunables directory. There are two files, lastboot (settings used during the current boot) and nextboot (parameters to be used during the next boot).
Warning: Be careful when using the no command. If used incorrectly, the no command can cause undesirable behavior in certain network functions and inadvertently affect performance!
For further information, access the AIX Information Center and look up Network option tunable parameters and the no command.
• tcp_sendspace
• tcp_recvspace
• tcp_mssdflt
NAME                   CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
bsd_loglevel           3      3      3      0      7      numeric        D
--------------------------------------------------------------------------------
fasttimo               200    200    200    50     200    millisecond    D
--------------------------------------------------------------------------------
init_high_wat          0      0      0      0      10     %_of_thewall   D
--------------------------------------------------------------------------------
nbc_limit              192K   192K   192K   0      8E-1   kbyte          D
     thewall
--------------------------------------------------------------------------------
nbc_max_cache          128K   128K   128K   1      192M   byte           D
     nbc_min_cache
     nbc_limit
--------------------------------------------------------------------------------
nbc_min_cache          1      1      1      1      128K   byte           D
     nbc_max_cache
--------------------------------------------------------------------------------
nbc_ofile_hashsz       12841  12841  12841  1      999999 segment        D
--------------------------------------------------------------------------------
nbc_pseg               0      0      0      0      2G-1   segment        D
--------------------------------------------------------------------------------
nbc_pseg_limit         384K   384K   384K   0      768K   kbyte          D
--------------------------------------------------------------------------------
ndd_event_name         {all}  {all}  {all}  0      128    string         D
--------------------------------------------------------------------------------
net_buf_type           {all}  {all}  {all}  0      128    string         D
--------------------------------------------------------------------------------
net_malloc_frag_mask   {0}    {0}    {0}    0      128    string         D
--------------------------------------------------------------------------------
netm_page_promote      1      1      1      0      1      numeric        D
--------------------------------------------------------------------------------
sb_max                 1M     1M     1M     4K     8E-1   byte           D
--------------------------------------------------------------------------------
send_file_duration     300    300    300    0      4G-1   second         D
--------------------------------------------------------------------------------
tcp_inpcb_hashtab_siz  24499  24499  24499  1      999999 numeric        R
--------------------------------------------------------------------------------
tcptr_enable           0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
thewall                768K   768K   768K   0      64M    kbyte          S
--------------------------------------------------------------------------------
udp_inpcb_hashtab_siz  24499  24499  24499  1      83000  numeric        R
--------------------------------------------------------------------------------
use_sndbufpool         1      1      1      0      1      boolean        R
--------------------------------------------------------------------------------

TCP Network Tunable Parameters
--------------------------------------------------------------------------------
NAME                   CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
clean_partial_conns    0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
delayack               0      0      0      0      3      boolean        D
--------------------------------------------------------------------------------
delayackports          {}     {}     {}     0      10     ports_list     D
--------------------------------------------------------------------------------
hstcp                  0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
limited_ss             0      0      0      0      100    numeric        D
--------------------------------------------------------------------------------
rfc1323                0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
rfc2414                1      1      1      0      1      boolean        C
--------------------------------------------------------------------------------
rto_high               64     64     64     2      8E-1   roundtriptime  R
     rto_low
--------------------------------------------------------------------------------
rto_length             13     13     13     1      64     roundtriptime  R
--------------------------------------------------------------------------------
rto_limit              7      7      7      1      64     roundtriptime  R
     rto_high
     rto_low
--------------------------------------------------------------------------------
rto_low                1      1      1      1      63     roundtriptime  R
     rto_high
--------------------------------------------------------------------------------
sack                   0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
tcp_bad_port_limit     0      0      0      0      8E-1   numeric        D
--------------------------------------------------------------------------------
tcp_cwnd_modified      0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
tcp_ecn                0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
tcp_ephemeral_high     64K-1  64K-1  64K-1  32K+1  64K-1  numeric        D
     tcp_ephemeral_low
--------------------------------------------------------------------------------
tcp_ephemeral_low      32K    32K    32K    1K     65534  numeric        D
     tcp_ephemeral_high
--------------------------------------------------------------------------------
tcp_fastlo             0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
tcp_fastlo_crosswpar   0      0      0      0      1      boolean        C
--------------------------------------------------------------------------------
tcp_finwait2           1200   1200   1200   0      32K-1  halfsecond     D
--------------------------------------------------------------------------------
tcp_icmpsecure         0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
tcp_init_window        0      0      0      0      32K-1  byte           C
--------------------------------------------------------------------------------
tcp_keepcnt            8      8      8      0      32K-1  numeric        D
--------------------------------------------------------------------------------
tcp_keepidle           14400  14400  14400  1      32K-1  halfsecond     C
--------------------------------------------------------------------------------
tcp_keepinit           150    150    150    1      32K-1  halfsecond     D
--------------------------------------------------------------------------------
tcp_keepintvl          150    150    150    1      32K-1  halfsecond     C
--------------------------------------------------------------------------------
tcp_limited_transmit   1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
tcp_low_rto            0      0      0      0      3000   numeric        D
     timer_wheel_tick
--------------------------------------------------------------------------------
tcp_maxburst           0      0      0      0      32K-1  numeric        D
--------------------------------------------------------------------------------
tcp_mssdflt            1460   1460   1460   1      64K-1  byte           C
--------------------------------------------------------------------------------
tcp_nagle_limit        64K-1  64K-1  64K-1  0      64K-1  byte           D
--------------------------------------------------------------------------------
tcp_nagleoverride      0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
tcp_ndebug             100    100    100    0      32K-1  numeric        D
--------------------------------------------------------------------------------
tcp_newreno            1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
tcp_nodelayack         0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
tcp_recvspace          16K    16K    16K    4K     8E-1   byte           C
     sb_max
--------------------------------------------------------------------------------
tcp_sendspace          16K    16K    16K    4K     8E-1   byte           C
     sb_max
--------------------------------------------------------------------------------
tcp_tcpsecure          0      0      0      0      7      numeric        D
--------------------------------------------------------------------------------
tcp_timewait           1      1      1      1      5      15_second      D
--------------------------------------------------------------------------------
pr
--------------------------------------------------------------------------------
NAME                      CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
udp_bad_port_limit        0      0      0      0      8E-1   numeric        D
--------------------------------------------------------------------------------
udp_ephemeral_high        64K-1  64K-1  64K-1  32K+1  64K-1  numeric        D
     udp_ephemeral_low
--------------------------------------------------------------------------------
udp_ephemeral_low         32K    32K    32K    1K     65534  numeric        D
     udp_ephemeral_high
--------------------------------------------------------------------------------
udp_recvspace             42080  42080  42080  4K     8E-1   byte           C
     sb_max
--------------------------------------------------------------------------------
udp_sendspace             9K     9K     9K     4K     8E-1   byte           C
     sb_max
--------------------------------------------------------------------------------
udp_ttl                   30     30     30     1      255    second         C
--------------------------------------------------------------------------------
udpcksum                  1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
ie5_old_multicast_mapping 0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
ip6_defttl                64     64     64     1      255    numeric        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
ip6srcrouteforward        1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
ip_ifdelete_notify        0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
ip_nfrag                  200    200    200    1      32K-1  byte           D
--------------------------------------------------------------------------------
ipforwarding              0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
ipfragttl                 2      2      2      1      255    halfsecond     D
--------------------------------------------------------------------------------
ipignoreredirects         0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
ipqmaxlen                 100    100    100    100    2G-1   numeric        R
--------------------------------------------------------------------------------
ipsendredirects           1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
ipsrcrouteforward         1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
ndogthreads               0      0      0      0      1K     numeric        D
--------------------------------------------------------------------------------
nonlocsrcroute            0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
subnetsarelocal           1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
tn_filter                 1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------

ARP/NDP Network Tunable Parameters
--------------------------------------------------------------------------------
NAME                      CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
arpqsize                  1K     1K     1K     1      32K-1  numeric        D
     tcp_pmtu_discover
     udp_pmtu_discover
--------------------------------------------------------------------------------
arpt_killc                20     20     20     0      255    minute         D
--------------------------------------------------------------------------------
arptab_bsiz               7      7      7      1      32K-1  bucket_size    R
--------------------------------------------------------------------------------
arptab_nb                 149    149    149    1      32K-1  buckets        R
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
dgd_retry_time            5      5      5      1      32K-1  numeric        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
ndpqsize                  50     50     50     1      32K-1  numeric        D
--------------------------------------------------------------------------------
ndpt_down                 3      3      3      1      8E-1   halfsecond     D
--------------------------------------------------------------------------------
passive_dgd               0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
rfc1122addrchk            0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
lowthresh                 90     90     90     0      100    %_of_thewall   D
--------------------------------------------------------------------------------
medthresh                 95     95     95     0      100    %_of_thewall   D
--------------------------------------------------------------------------------
nstrpush                  8      8      8      8      32K-1  numeric        S
--------------------------------------------------------------------------------
psebufcalls               20     20     20     20     8E-1   numeric        I
--------------------------------------------------------------------------------
psecache                  1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
psetimers                 20     20     20     20     8E-1   numeric        I
--------------------------------------------------------------------------------
strctlsz                  1K     1K     1K     0      32K-1  byte           D
--------------------------------------------------------------------------------
strmsgsz                  0      0      0      0      32K-1  byte           D
--------------------------------------------------------------------------------
strthresh                 85     85     85     0      100    %_of_thewall   D
--------------------------------------------------------------------------------
strturncnt                15     15     15     1      8E-1   numeric        D
--------------------------------------------------------------------------------
     DEPENDENCIES
--------------------------------------------------------------------------------
bcastping                 0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
dgd_flush_cached_route    0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
ifsize                    256    256    256    8      1K     numeric        R
--------------------------------------------------------------------------------
igmpv2_deliver            0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
routerevalidate           0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
rtentry_lock_complex      1      1      1      0      1      boolean        R
--------------------------------------------------------------------------------
site6_index               0      0      0      0      32K-1  numeric        D
--------------------------------------------------------------------------------
tcp_pmtu_discover         1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
udp_pmtu_discover         1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------

Parameter types:
S = Static: cannot be changed
D = Dynamic: can be freely changed
B = Bosboot: can only be changed using bosboot and reboot
R = Reboot: can only be changed during reboot

Value conventions:
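The listing above has the layout printed by no -L (NAME CUR DEF BOOT MIN MAX UNIT TYPE, with dependency names on their own lines). As an added example, not part of the IBM course material, the following Python parses that layout, including the K/G/E value abbreviations and the dependency lines, and compares the security-relevant tunables with a hardening baseline, using the TYPE column to decide whether a change applies immediately or only at the next boot. The BASELINE values are an illustrative choice for a host that does not route (an assumption, not an AIX default or an IBM recommendation), and SAMPLE_NO_L is constructed from the default values in the tables.

```python
"""Parse the `no -L` tunable table (NAME CUR DEF BOOT MIN MAX UNIT TYPE) and check
security-relevant network tunables against a hardening baseline.  Added example,
not IBM course code; BASELINE is an illustrative non-router choice (an assumption,
not an AIX default) and SAMPLE_NO_L is constructed from the course's defaults."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# `no -L` abbreviates limits: K/M/G/T/P/E are powers of 1024 and an optional
# +n/-n offset follows, so "64K-1" is 65535 and "8E-1" is 2**63 - 1.
_VALUE_RE = re.compile(r"^(\d+)([KMGTPE])?([+-]\d+)?$")
_SCALE = {None: 1, "K": 2**10, "M": 2**20, "G": 2**30,
          "T": 2**40, "P": 2**50, "E": 2**60}

def parse_value(text: str) -> Optional[int]:
    """Convert a `no -L` value such as "32K+1" to an int; None if not numeric."""
    m = _VALUE_RE.match(text)
    if not m:
        return None
    base, suffix, offset = m.groups()
    return int(base) * _SCALE[suffix] + (int(offset) if offset else 0)

@dataclass
class Tunable:
    name: str
    cur: Optional[int]
    default: Optional[int]
    boot: Optional[int]
    minimum: Optional[int]
    maximum: Optional[int]
    unit: str
    ptype: str          # D dynamic, R reboot, B bosboot, S static (course legend)
    dependencies: List[str] = field(default_factory=list)

def parse_no_L(output: str) -> Dict[str, Tunable]:
    """A row is an unindented line with eight columns; the names it depends on
    follow on their own indented lines.  Separators and headers are skipped."""
    tunables: Dict[str, Tunable] = {}
    current: Optional[Tunable] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("NAME ") or line == "DEPENDENCIES":
            continue
        cols = line.split()
        if len(cols) >= 8 and not raw[0].isspace():
            current = Tunable(cols[0], *(parse_value(c) for c in cols[1:6]), cols[6], cols[7])
            tunables[current.name] = current
        elif current is not None and len(cols) == 1:
            current.dependencies.append(cols[0])
    return tunables

# Illustrative hardening baseline for a non-routing host (assumption):
# tunable -> (expected CUR value, why it matters).
BASELINE = {
    "ipforwarding":       (0, "do not forward packets between interfaces"),
    "ipsrcrouteforward":  (0, "do not forward IPv4 source-routed packets"),
    "ip6srcrouteforward": (0, "do not forward IPv6 source-routed packets"),
    "nonlocsrcroute":     (0, "drop strictly source-routed packets for non-local hosts"),
    "ipsendredirects":    (0, "do not emit ICMP redirects"),
    "ipignoreredirects":  (1, "ignore ICMP redirects that would rewrite the route table"),
    "bcastping":          (0, "do not answer ICMP echo sent to a broadcast address"),
    "tcp_tcpsecure":      (7, "enable all TCP anti-spoofing protections (RST, SYN, data)"),
    "tcp_icmpsecure":     (1, "protect TCP connections from forged ICMP errors"),
}

Finding = namedtuple("Finding", "name current expected reason ptype")

def check_baseline(tunables: Dict[str, Tunable], baseline=BASELINE) -> List[Finding]:
    """One Finding per baseline tunable present in the output whose CUR deviates."""
    findings = []
    for name, (expected, reason) in baseline.items():
        t = tunables.get(name)
        if t is not None and t.cur != expected:
            findings.append(Finding(name, t.cur, expected, reason, t.ptype))
    return findings

def remediation(f: Finding) -> str:
    """R/B (reboot, bosboot) tunables only take a next-boot value (no -r); the
    others can be changed now and persisted (no -p), per the course's legend."""
    flag = "-r" if f.ptype in ("R", "B") else "-p"
    return f"no {flag} -o {f.name}={f.expected}   # {f.reason}"

# Constructed excerpt in `no -L` layout, using the course's default values.
SAMPLE_NO_L = """\
--------------------------------------------------------------------------------
NAME                      CUR    DEF    BOOT   MIN    MAX    UNIT           TYPE
     DEPENDENCIES
--------------------------------------------------------------------------------
tcp_ephemeral_high        64K-1  64K-1  64K-1  32K+1  64K-1  numeric        D
     tcp_ephemeral_low
--------------------------------------------------------------------------------
tcp_tcpsecure             0      0      0      0      7      numeric        D
--------------------------------------------------------------------------------
ipignoreredirects         0      0      0      0      1      boolean        D
--------------------------------------------------------------------------------
ipqmaxlen                 100    100    100    100    2G-1   numeric        R
--------------------------------------------------------------------------------
ipsrcrouteforward         1      1      1      0      1      boolean        D
--------------------------------------------------------------------------------
"""
```

Running check_baseline(parse_no_L(SAMPLE_NO_L)) on the constructed excerpt reports tcp_tcpsecure, ipignoreredirects and ipsrcrouteforward as deviations, each with a no -p remediation line because all three are Dynamic.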
Defaults

# no -a
tcp_recvspace = 131072
tcp_sendspace = 16384
rfc1323 = 0
...

# cat /etc/tunables/lastboot | grep use_isno
use_isno = "1"

Change / Show a Standard Ethernet Interface

  Network Interface Name                            en4
  INTERNET ADDRESS (dotted decimal)                 [3.18.8.71]
  Network MASK (hexadecimal or dotted decimal)      []
  Current STATE                                     up               +
  Use Address Resolution Protocol (ARP)?            yes              +
  BROADCAST ADDRESS (dotted decimal)                []
  Interface Specific Network Options
  ('NULL' will unset the option)
    rfc1323                                         [1]
    tcp_mssdflt                                     []
    tcp_nodelay                                     []
    tcp_recvspace                                   [262144]
    tcp_sendspace                                   [262144]

# ifconfig en4
en4: flags=5e080863,c0<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),PSEG,LARGESEND,CHAIN>
        inet 3.18.8.71 netmask 0xff000000 broadcast 3.255.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
Notes:

RFC1323:
The rfc1323 tunable enables the TCP window scaling option. The TCP window scaling option is a TCP negotiated option, so it must be enabled on both endpoints of the TCP connection to take effect. By default, the TCP window size is limited to 65536 bytes (64 K) but can be set higher if the rfc1323 value is set to 1. If you are setting the tcp_recvspace value to greater than 65536, set the rfc1323 value to 1 on each side of the connection. If you do not set the rfc1323 value on both sides of the connection, the effective value for the tcp_recvspace tunable will be 65536. This option adds 12 more bytes to the TCP protocol header, which deducts from the user payload data, so on small MTU adapters this option might slightly hurt performance.
TCP controls this maximum size, known as maximum segment size (MSS), for each TCP connection. For direct-attached networks, TCP computes the MSS by using the MTU size of the network interface, and then subtracting the protocol headers to come up with the size of data in the TCP packet. For example, Ethernet with an MTU of 1500 would result in an MSS of 1460 after subtracting 20 bytes for the IPv4 header and 20 bytes for the TCP header.

The TCP protocol includes a mechanism for both ends of a connection to advertise the MSS to be used over the connection when the connection is created. Each end uses the Options field in the TCP header to advertise a proposed MSS. The MSS that is chosen is the smaller of the values provided by the two ends. If one endpoint does not provide its MSS, then 536 bytes is assumed, which is bad for performance.

The problem is that each TCP endpoint only knows the MTU of the network it is attached to. It does not know the MTU size of other networks that might be between the two endpoints. So TCP only knows the correct MSS if both endpoints are on the same network. Therefore, TCP handles the advertising of MSS differently depending on the network configuration. It wants to avoid sending packets that might require IP fragmentation over smaller MTU networks.

The value of MSS advertised by the TCP software during connection setup depends on whether the other end is a local system on the same physical network (that is, the systems have the same network number) or whether it is on a different (remote) network.

The tcp_mssdflt option is the TCP MSS size, which represents the TCP data size. There is no need to adjust for other protocol options because TCP handles this adjustment if other options, like the rfc1323 option, are used.

In an environment with a larger-than-default MTU, this method has the advantage that the MSS does not need to be set on a per-network basis. The disadvantages are as follows:
• The tcp_mssdflt option must be set to the same value on the destination host.

Note: You can only use the tcp_mssdflt option if the tcp_pmtu_discover option is set to 0.

In AIX, the TCP_NODELAY socket option is disabled by default, which might cause large delays for request/response workloads that might only send a few bytes and then wait for a response. TCP implements delayed acknowledgments because it expects to piggyback a TCP acknowledgment on a response packet. The delay is normally 200 ms.

Most TCP implementations implement the Nagle algorithm, where a TCP connection can only have one outstanding small segment that has not yet been acknowledged. This causes TCP to delay sending any more packets until it receives an acknowledgment or until it can bundle up more data and send a full size segment.

Applications that use request/response workloads should use the setsockopt() call to enable the TCP_NODELAY option. For example, the telnet and rlogin utilities, Network File System (NFS), and Web servers already use the TCP_NODELAY option to disable Nagle. Some applications do not do this, which might result in poor performance depending on the network MTU size and the size of the sends (writes) to the socket.

Setting the tcp_nodelay value to 1 causes TCP to not delay, which disables Nagle, and to send each packet for each application send or write.
The tcp_sendspace tunable

The tcp_sendspace tunable specifies how much data the sending application can buffer in the kernel before the application is blocked on a send call. You should set the tcp_sendspace tunable value at least as large as the tcp_recvspace value, and, for higher speed adapters, the tcp_sendspace value should be at least twice the size of the tcp_recvspace value.

The tcp_recvspace tunable

The tcp_recvspace tunable specifies how many bytes of data the receiving system can buffer in the kernel on the receiving sockets queue.

The tcp_recvspace tunable is also used by the TCP protocol to set the TCP window size, which TCP uses to limit how many bytes of data it will send to the receiver to ensure that the receiver has enough space to buffer the data. The tcp_recvspace tunable is a key parameter for TCP performance because TCP must be able to transmit multiple packets into the network to ensure the network pipeline is full. If TCP cannot keep enough packets in the pipeline, then performance suffers.

A common guideline for the tcp_recvspace tunable is to set it to a value that is at least 10 times less than the MTU size. You can determine the tcp_recvspace tunable value by dividing the bandwidth-delay product value by 8. Bandwidth-delay is computed with the following formula:

Dividing the capacity value by 8 provides a good estimate of the TCP window size needed to keep the network pipeline full. The longer the round trip delay and the faster the network speed, the larger the bandwidth-delay product value, and thus the larger the TCP window. An example of this is a 100 Mbit network with a round trip time of 0.2 milliseconds. You can calculate the bandwidth-delay product value with the formula above.
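The window-sizing reasoning above (bandwidth times round-trip time, divided by 8; the 65536-byte cap when rfc1323 is not set on both ends; tcp_sendspace at least twice tcp_recvspace on higher speed adapters) carried through in Python as an added example, not code from the course. It assumes MSS = MTU - 40 for IPv4 as the text computes, takes 1 Gbit/s as the "higher speed adapter" threshold because the text gives none, and the interface name and the ifconfig/chdev ISNO command strings in isno_commands are the example's own, not the course's.

```python
"""Size TCP socket buffers from the bandwidth-delay product, following the
course's rules: capacity (bits) = bandwidth x round-trip time; window (bytes)
= capacity / 8; a window above 65536 bytes needs rfc1323 on BOTH ends (else the
effective window is 65536); tcp_sendspace >= 2 x tcp_recvspace on higher-speed
adapters.  Added example, not IBM course code.  Assumptions: MSS = MTU - 20
(IPv4) - 20 (TCP) as in the text, and >= 1 Gbit/s counts as "higher speed"."""
from dataclasses import dataclass
from typing import List

WINDOW_LIMIT_WITHOUT_RFC1323 = 65536   # bytes, stated in the course notes
HIGH_SPEED_BPS = 1_000_000_000         # assumption: the course gives no cutoff

def bandwidth_delay_product_bits(bandwidth_bps: float, rtt_seconds: float) -> float:
    """Bits that fit in the pipe: link speed times round-trip time."""
    return bandwidth_bps * rtt_seconds

def window_bytes(bandwidth_bps: float, rtt_seconds: float) -> int:
    """TCP window needed to keep the pipeline full: capacity / 8."""
    return int(round(bandwidth_delay_product_bits(bandwidth_bps, rtt_seconds) / 8))

def mss_from_mtu(mtu: int) -> int:
    """Ethernet MTU 1500 -> MSS 1460 after the IPv4 and TCP headers."""
    return mtu - 20 - 20

def effective_window(tcp_recvspace: int, rfc1323_local: bool, rfc1323_remote: bool) -> int:
    """Window scaling is negotiated, so one side without rfc1323 caps the window."""
    if rfc1323_local and rfc1323_remote:
        return tcp_recvspace
    return min(tcp_recvspace, WINDOW_LIMIT_WITHOUT_RFC1323)

@dataclass
class Recommendation:
    tcp_recvspace: int
    tcp_sendspace: int
    rfc1323: int                 # 1 when the window cannot fit without scaling
    segments_in_flight: float    # full-size segments the window covers

def recommend(bandwidth_bps: float, rtt_seconds: float, mtu: int = 1500) -> Recommendation:
    """Apply the course's sizing rules to one link speed / round-trip time pair."""
    recv = window_bytes(bandwidth_bps, rtt_seconds)
    send = 2 * recv if bandwidth_bps >= HIGH_SPEED_BPS else recv
    return Recommendation(recv, send, int(recv > WINDOW_LIMIT_WITHOUT_RFC1323),
                          recv / mss_from_mtu(mtu))

def isno_commands(ifname: str, rec: Recommendation) -> List[str]:
    """ISNO values set on the live interface (ifconfig, what the course's ifconfig
    output displays) and in the ODM (chdev) so that SMIT shows them and they
    survive a reboot.  The interface name is the caller's (hypothetical here)."""
    opts = {"tcp_recvspace": rec.tcp_recvspace, "tcp_sendspace": rec.tcp_sendspace,
            "rfc1323": rec.rfc1323}
    live = "ifconfig %s %s" % (ifname, " ".join(f"{k} {v}" for k, v in opts.items()))
    odm = "chdev -l %s %s" % (ifname, " ".join(f"-a {k}={v}" for k, v in opts.items()))
    return [live, odm]

if __name__ == "__main__":
    # The course's worked case: 100 Mbit/s with a 0.2 ms round trip -> 2500-byte
    # window, well under 65536, so rfc1323 is not needed for it.
    print(recommend(100e6, 0.2e-3))
    # 10 Gbit/s with a 1 ms round trip -> 1.25 MB window: rfc1323 required.
    print(recommend(10e9, 1e-3))
    print("\n".join(isno_commands("en4", recommend(10e9, 1e-3))))
```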
whole system with the no command use_isno option. It is a restricted tunable (not intended to be changed unless told to do so by AIX Support), and thus should be left enabled.

Example:
# no -p -o use_isno=0
Modification to restricted tunable use_isno, confirmation required yes/no: yes
Warning: a restricted tunable has been modified
Setting use_isno to 0
Setting use_isno to 0 in nextboot file

Most ISNO settings on an interface are set automatically by the method invoked when a high bandwidth network adapter is defined to the kernel. These ISNO settings are made directly to the kernel definitions (as displayed by the ifconfig command) and are not automatically applied to the ODM. The SMIT display of the ODM-defined interface attributes will not show these automatic ISNO settings.
# lsattr -El en4 | grep mtu
mtu     1500   Maximum IP Packet Size for This Device      True
remmtu  576    Maximum IP Packet Size for REMOTE Networks  True

Change / Show Characteristics of an Ethernet Adapter

                                                   [Entry Fields]
  Ethernet Adapter                                 ent0
  Description                                      2-Port 10/100/1000 Base-TX PCI-X Adapter
  Status                                           Available
  Software transmit queue size                     [8192]           +#
  Rcv descriptor queue size                        [1024]           +#
  TX descriptor queue size                         [512]            +#
  Transmit jumbo frames                            yes              +     <- Set MTU to 9000
  Apply change to DATABASE only                    no               +
  Enable failover mode                             disable          +
  (Note: some items removed for clarity.)

# chdev -l en4 -a mtu=<value>
# ifconfig en4 mtu <value>

Custom settings
Notes:
The maximum transmission unit (MTU) and maximum segment size (MSS) settings are important factors in tuning AIX for throughput.

For best throughput for systems on the same type of network, it is advisable to use a large MTU. In multi-network environments, if data travels from a network with a large MTU to a smaller MTU, the IP layer has to fragment the packet into smaller packets to facilitate transmission on the smaller MTU network. This costs the receiving system CPU time to reassemble the fragmented packets. When the data travels to a remote network, TCP in AIX defaults to a maximum segment size (MSS) of 512 bytes (remmtu = 576 bytes). This conservative value is based on a requirement that all IP routers support an MTU of at least 576 bytes.

Do not increase the MTU on only one station in a LAN. All stations on a LAN should have the same effective MTU value.

Note: Jumbo frames can be enabled on gigabit Ethernet and 10 gigabit Ethernet adapters. Doing so raises the MTU to 9000 bytes. Because there is less overhead per packet, jumbo frames typically provide better throughput, lower CPU consumption, or both. Consider using jumbo frames especially if you have a network dedicated to backup tasks. Jumbo frames should only be considered if all equipment between most of your clients and servers supports jumbo frames, including routers and switches.
• Supports filtering of packets
  – Otherwise prints a lot of information
• Default is to send a one line summary of each captured packet to standard output
• Can send output to a file using the -w flag
  – Use the -r flag to read the output file
  – Can also send to stdout and to a file using the -l flag
• Example: # tcpdump -l | tee /tmp/data_dump
Notes:

The tcpdump command prints out the headers of packets on a network interface that match a Boolean expression.
tcpdump examples (1 of 2)
IBM Power Systems
decode
listening on en0, link-type 1, capture size 96 bytes
12:25:01.686703 IP statler.lpar.co.uk.39953 > nimmaster.lpar.co.uk.domain: 23909+ A (QM) www.bbc.co.uk. (31)
12:25:01.705845 IP nimmaster.lpar.co.uk.domain > statler.lpar.co.uk.39953: 23909 2/2/2 CNAME[|domain]

• Window 2: DNS client
statler.lpar.co.uk:/ # echo "\n$(date)\n" && host www.bbc.co.uk
Tue 22 Sep 12:25:01 2009
www.bbc.net.uk is 212.58.253.67, Aliases: www.bbc.co.uk
Notes:
The visual shows the packet header transactions between a DNS client and server when a
client issues a lookup request.
tcpdump examples (2 of 2)
• To print all FTP traffic through Internet gateway R123:
  – # tcpdump 'gateway R123 and (port ftp or ftp-data)'
• To print all ICMP packets that are not echo requests or replies (for instance, not ping packets):
  – # tcpdump 'icmp[icmptype] != icmp-echo and \
      icmp[icmptype] != icmp-echoreply'
Notes:
• If you wish to view the entire packet including the payload (data) then iptrace must be used.
• As with tcpdump, flags can be used to filter the traffic.
  – Based on source and destination host, interface, protocol, and port number
• Example of use:
  – /usr/sbin/iptrace [flags] logfile
  – iptrace can also be managed through SRC
• The ipreport command must be used to view the output.
Notes:
The iptrace daemon records Internet packets received from configured interfaces. Command flags provide a filter so that the daemon traces only packets meeting specific criteria. Packets are traced only between the local host on which the iptrace daemon is invoked and the remote host.

The ipreport command must be used to view the output of an iptrace. The output can be transferred and viewed in a product called Wireshark (see the Windows interoperability unit).
Packet Number 5
ETH: ====( 150 bytes transmitted on interface en0 )==== 13:19:33.360833294        Layer 2
ETH:    [ ea:48:f0:00:30:02 -> 3a:6e:a6:02:67:9d ]  type 800  (IP)
IP:     < SRC =    10.47.1.19 >  (statler.lpar.co.uk)
IP:     < DST =    10.47.1.33 >  (nimmaster)                                        Layer 3
IP:     ip_v=4, ip_hl=20, ip_tos=16, ip_len=136, ip_id=4542, ip_off=0 DF
IP:     ip_ttl=60, ip_sum=1611, ip_p = 6 (TCP)
TCP:    <source port=21(ftp), destination port=42408 >                              Layer 4
TCP:    th_seq=49635133, th_ack=2486030143
TCP:    th_off=8, flags<PUSH | ACK>
TCP:    th_win=65522, th_sum=0, th_urp=0
TCP:    nop
TCP:    nop
TCP:    timestamps TSVal: 0x4b2476c5 TSEcho: 0x4ae40b2a
TCP: 00000000     32323020 73746174 6c65722e 6c706172     |220 statler.lpar|
TCP: 00000010     2e636f2e 756b2046 54502073 65727665     |.co.uk FTP serve|
TCP: 00000020     72202856 65727369 6f6e2034 2e322057     |r (Version 4.2 W|
TCP: 00000030     6564204f 63742031 2030393a 34303a30     |ed Oct 1 09:40:0|
TCP: 00000040     35204344 54203230 30382920 72656164     |5 CDT 2008) read|      data
TCP: 00000050     792e0d0a                                |y...            |
Notes:
When looking at a sample packet (captured using iptrace), we can see the following
information:
iptrace examples (1 of 2)
[262184]
statler.lpar.co.uk:/ # kill 262184
statler.lpar.co.uk:/ # iptrace: unload success!

nimmaster:/ # ftp statler
Connected to statler.lpar.co.uk.
220 statler.lpar.co.uk FTP server (Version 4.2 Wed Oct 1 09:40:05 CDT 2008) ready.
Name (statler:root):
331 Password required for root.
Password:
230-Last unsuccessful login: Thu 7 May 09:56:26 2009 on ssh from waldorf.lpar.co.uk
230-Last login: Tue 22 Sep 12:01:13 2009 on /dev/pts/0 from nimmaster
230 User root logged in.
ftp> bye
221 Goodbye.

statler.lpar.co.uk:/ # ipreport -n -s /tmp/iptrace | grep "|PASS"
TCP: 00000000     50415353 2069626d 6169780d 0a                |PASS ibmaix..   |
Notes:
The example in the visual shows how the root password can be captured using iptrace and
ipreport commands.
iptrace examples (2 of 2)
  – # iptrace -i en0 -s lpar1 -b /tmp/iptrace_capt
• To record all packets (promiscuous mode) on all network adapters, suppressing ARP packets:
  – # iptrace -a -e /tmp/iptrace_prom_capt
• Record all ICMP and UDP protocol traffic:
  – # iptrace -P icmp,udp /tmp/iptrace.proto
• Record all traffic on ports 22 and 25:
  – # iptrace -p 22,25 /tmp/iptrace.port
Notes:
Checkpoint (1 of 2)
# ifconfig en0
en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
2. What is the difference between throughput and latency?
Notes:
Checkpoint (2 of 2)
4. Which command can you use to check the physical link status of an Ethernet adapter?
5. How can you easily check bandwidth performance on a network?
Exercise introduction
V8.2
Student Notebook
Uempty
Unit summary
• Solve common TCP/IP problems
– Connectivity
– Duplicate IP addresses
– Problems with network services
– Identify errors which can occur through the IP stack
• Understand factors which affect network performance
• Tune key network parameters
• Inspect IP data using tcpdump and iptrace
• Analyze the output of an iptrace
What you should be able to do
After completing this unit, you should be able to:
• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon
How you will check your progress
• Checkpoint questions
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Unit 12. Time services 12-1
Unit objectives
• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon
• Synchronizes time between systems
• μsec precision
(Diagram: Time Server)
Notes:
The Network Time Protocol (NTP) is an Internet standard protocol which synchronizes time
between systems on a TCP/IP network. Depending on circumstances, the precision is in
Sources of time
• Radio time receiver
– Fairly expensive
– Precise
• Global positioning system (GPS) satellite receiver
– Cheap
– Reception problem: does not work indoors
• Another NTP server
– Adds incremental error
• Internal system clock
– Useful if no other sources are available
Notes:
Keeping accurate track of the correct time has been a problem for many centuries. As it
turns out, the rotation speed of the earth is not constant enough to rely on, so people have
used stellar observations, moon phases, and even witchcraft to track the current time.
Recently, atomic clocks have been introduced which measure time by measuring the
natural resonance frequency of a single Cesium-atom (9,192,631,770 Hz). These systems
are off by less than a second in a million years. For an example of such a clock see
http://www.boulder.nist.gov/timefreq/cesium/fountain.htm.
Obviously, it would be ridiculous as an individual to go out and buy such an atomic clock
and connect it to your AIX system. That is why various state-sponsored organizations with
an atomic clock have connected radio transmitters to their clock and broadcast the correct
time to anyone interested. By connecting a (still fairly expensive) receiver to your computer,
you can synchronize your computer to the atomic clock of that organization. This method is
very precise, since the source of the signal is well known and the distance can be easily
measured.
Another, more recent method is using the signal from global positioning system (GPS)
satellites to measure the correct time. Each GPS satellite has its own atomic clock on board
which it uses to send the correct time and its current position to earth. By tracking four or
more satellites and measuring the differences in received time, you can work out the exact
time and the exact position of the receiver. Most GPS receivers can be connected to a
computer using the serial or USB port and thus can become a source of correct time. One
disadvantage of GPS is that the signals do not pass through buildings, so you have to
place your receiver near a window or buy an extra antenna.
Once you have a system set to the correct time, you can use the NTP protocol to transfer
this time to other clients. Note, however, that each communication link, because of
variations in latency and bandwidth, adds a little error. This is normally countered by using
multiple servers. Various public NTP servers on the Internet exist which can be used.
As a last resort, if no other means are available, you can connect your NTP server to the
local clock of your system. This is useful if you are on an isolated network and do not want
to invest in radio or GPS receivers but keeping time synchronized between the systems is
nevertheless necessary.
Stratum
• The stratum number identifies how far you are from the time source.
• The maximum stratum is 15.
(Diagram: sender; receiver, Stratum 0; time server, Stratum 1)
Notes:
The stratum number is the number of hops you are away from the correct time. For the
purpose of NTP, stratum 0 (zero) is defined as the receiver (radio, GPS) itself. Stratum 1 is
the server which connects to this receiver directly, stratum 2 retrieves the time from the
stratum 1 server, and so forth.
• Unicast
• Broadcast using local broadcast address
• Multicast using IANA reserved address 224.0.1.1
Notes:
All NTP communications are done using port 123. There are three ways a client can obtain
the time from the server.
• The first method is by starting a unicast connection to the server. In this case, the server
server is active. It periodically broadcasts time information to the local network. The
broadcast address being used is the local broadcast address (the host part of the IP
address is all ones).
• The third method is by listening to a multicast from the server. In this case, the server is
again active. It periodically broadcasts time information to the IANA assigned multicast
address 224.0.1.1. If all routers are configured correctly, this ensures that the
information is only sent to the clients who are really interested in time information. And
since multicasts can traverse routers, you have effectively ensured that you only need
one or a few time servers in your network instead of needing one for every subnet.
NTP overview
• ntpdate: Retrieves time from NTP server and sets internal clock (only once)
– Run before starting xntpd
• xntpd: Synchronizes time with another NTP server (continuously)
– Can act as server and client
– Configuration file /etc/ntp.conf
• ntpq: Queries a time server
• ntptrace: Determines where NTP server gets its time
– Can follow the chain of servers
– Identify master time source
• xntpdc: Queries and controls the xntpd daemon
– Documentation under man pages
– Subcommands with online help
Notes:
The NTP package implements an NTP time server. The package contains a number of
binary programs, sample configuration files, and on-line documentation. The two most
ntpdate is usually started by hand (although some people run it out of cron). It connects to
a time server, retrieves the correct time, sets the local clock to the correct time, and exits.
This provides a lightweight method of setting the time on your system, but after ntpdate is
server, providing time for other clients. It is configured with the file /etc/ntp.conf.
Important to note is that ntpd will not start if the time difference between itself and the time
server to be used is large. It is therefore common to run ntpdate before starting ntpd.
– /etc/rc.tcpip
– Command line (SRC subsystem)
• Most common directives in /etc/ntp.conf:
– server <ip address>: Connect to server with lower stratum
– peer <ip address>: Synchronize with peer of equal stratum
– fudge <ip address> <options>: Change parameters of a server or peer (for example, stratum)
– broadcast <ip address>: Broadcast time to <ip address> (can also be 224.0.1.1)
– broadcastclient: Listen to local broadcast address
– multicastclient: Listen to multicast address 224.0.1.1
– driftfile <filename>: File where local clock drift is stored
Notes:
The xntpd subsystem can be started from the command line using:
# startsrc -s xntpd
If you want it to also start at each system restart, it needs to be uncommented in the
/etc/rc.tcpip script. SMIT provides a convenient way to both start it now and update rc.tcpip:
# smit xntpd
The /etc/ntp.conf file configures the xntpd daemon. It usually consists of a few lines only.
The following directives are common:
• server <ip address> identifies the server to connect to for the correct time. The
xntpd daemon also automatically retrieves the stratum number of that server and sets
its own stratum number one higher.
• Multiple server statements can be used. If one of the statements has the prefer
keyword, then this server has preference over other servers.
• peer <ip address> identifies a peer server to connect to for the correct time. A peer
server always has the same stratum. If the times on two peers are not the same, the
average is taken.1
• fudge <ip address> <options> changes the parameters of an earlier defined
server or peer. For example, normally a server or peer will automatically transfer its
stratum number to the client, but with the fudge option you can change that stratum
number to something else.
• broadcast <ip address> configures this NTP server to broadcast the time to the
specified broadcast address (this should be the local broadcast address) or to the
multicast address 224.0.1.1.
• broadcastclient configures this NTP client to listen to NTP broadcasts on the local
broadcast address.
• multicastclient configures this NTP client to listen to NTP multicasts on the
multicast address 224.0.1.1.
• driftfile is the name of the file where the drift of the local clock is stored. This drift is
automatically determined by measuring the adjustments needed to the local clock over
a period of time. In case the NTP server cannot be contacted, the ntpd daemon will
nevertheless keep applying the same adjustments (taken from the driftfile) to reach a
high degree of precision.
1 Actually, the algorithm is a little more ingenious than this, but the times will slowly converge
– t is the clock type
– u indicates the connection (values 0 through 3)
• Clock types can be found at:
http://doc.ntp.org/4.1.2/refclock.html
• The connection number maps to the port by creating a link:
# ln -sf /dev/tty# /dev/wwvb<u>
• Examples:
– server 127.127.1.0: Local system clock (undisciplined)
– server 127.127.20.0: GPS receiver conforming to NMEA protocol on tty0
• These are only for local reference clocks
– The pseudo IP address is not used to communicate over the network.
Notes:
If you want to receive time from a radio or GPS receiver, there is nothing magical you need
to do. xntpd has built-in support for most receivers. This support is activated by using the
server keyword in the /etc/ntp.conf file with a pseudo IP address of the form 127.127.t.u.
Such an IP address would normally not be used (technically, it is one of the 16 million
reserved loopback addresses) and is therefore used within ntpd to address the receiver.
The value t identifies the clock type, and the value u defines the connection, such as the
serial port to use. To relate the u value to the actual serial port being used, you need to
create a symbolic link between the reference clock special device filename of /dev/wwvb#
(where # is the u value) and the tty special device filename (such as /dev/tty0).
The following two examples are useful:
• Server 127.127.1.0 identifies the (first) local PC clock. By connecting to this clock, you
get a free running NTP server which can be used on an isolated network. The stratum
number obtained when connecting to this address is three instead of one, but you can
change this with the fudge keyword.
• Server 127.127.20.0 identifies a GPS receiver which conforms to the NMEA protocol on
tty0. (tty1 would be 127.127.20.1.) Most GPS receivers support this.
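The directive list on the previous pages (server with prefer, peer, fudge, broadcast, broadcastclient, multicastclient, driftfile) and the 127.127.t.u reference clock addresses described here can be checked with a small parser. This is an added example, not course or xntpd code: the sample /etc/ntp.conf is constructed, CLOCK_TYPES is an assumed lookup for the two clock types the course names, and the stratum-3 default for 127.127.1.0 is the value stated in the notes above.

```python
"""Decode the /etc/ntp.conf directives covered above, including the
127.127.t.u pseudo addresses used for reference clocks.
Added example, not IBM course code: SAMPLE_CONF is constructed and
CLOCK_TYPES is an assumed lookup for the two clock types the course names."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL_CLOCK_STRATUM = 3            # what 127.127.1.0 reports unless fudged
CLOCK_TYPES = {1: "local clock (undisciplined)", 20: "NMEA GPS receiver"}


@dataclass
class TimeSource:
    kind: str                          # "server" or "peer"
    address: str
    prefer: bool = False
    fudged_stratum: Optional[int] = None
    clock_type: Optional[int] = None   # set only for 127.127.t.u addresses
    unit: Optional[int] = None

    @property
    def device_link(self) -> Optional[str]:
        # unit u is tied to a serial port by linking /dev/ttyN -> /dev/wwvb<u>
        return None if self.unit is None else f"/dev/wwvb{self.unit}"

    def effective_stratum(self) -> Optional[int]:
        """Stratum the client will see, where the config alone determines it.
        A network server's stratum is learned over the wire, hence None."""
        if self.fudged_stratum is not None:
            return self.fudged_stratum
        return LOCAL_CLOCK_STRATUM if self.clock_type == 1 else None


@dataclass
class NtpConfig:
    sources: List[TimeSource] = field(default_factory=list)
    broadcast_to: List[str] = field(default_factory=list)
    broadcastclient: bool = False
    multicastclient: bool = False
    driftfile: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def decode_refclock(address: str) -> Optional[tuple]:
    """Return (t, u) for a 127.127.t.u pseudo address, else None."""
    octets = address.split(".")
    if len(octets) != 4 or octets[:2] != ["127", "127"]:
        return None
    t, u = int(octets[2]), int(octets[3])
    if not 0 <= u <= 3:
        raise ValueError(f"reference clock unit must be 0..3, got {u}")
    return t, u


def parse_ntp_conf(text: str) -> NtpConfig:
    cfg = NtpConfig()
    by_addr: Dict[str, TimeSource] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("server", "peer"):
            src = TimeSource(directive, args[0], prefer="prefer" in args[1:])
            ref = decode_refclock(src.address)
            if ref:
                src.clock_type, src.unit = ref
            cfg.sources.append(src)
            by_addr[src.address] = src
        elif directive == "fudge":
            # fudge only alters a server or peer defined on an earlier line
            target = by_addr.get(args[0])
            if target is None:
                cfg.warnings.append(f"fudge {args[0]}: no earlier server/peer")
            elif "stratum" in args:
                target.fudged_stratum = int(args[args.index("stratum") + 1])
        elif directive == "broadcast":
            cfg.broadcast_to.append(args[0])
        elif directive == "broadcastclient":
            cfg.broadcastclient = True
        elif directive == "multicastclient":
            cfg.multicastclient = True
        elif directive == "driftfile":
            cfg.driftfile = args[0]
        else:
            cfg.warnings.append(f"unknown directive: {directive}")
    return cfg


# Constructed sample for an isolated network: GPS first, local clock fallback.
SAMPLE_CONF = """\
driftfile /etc/ntp.drift
server 127.127.20.0 prefer   # NMEA GPS on the tty linked to /dev/wwvb0
server 127.127.1.0           # free-running local clock as a fallback
fudge 127.127.1.0 stratum 10
peer 10.47.1.20
broadcast 10.47.255.255
"""
```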
Timed daemon
• Makes sure clocks are synchronized with each other, but not necessarily absolutely correct
• Supports automatic discovery of time servers
(Diagram: a Timed Master Server above two Timed Submaster Servers)
Notes:
If you do not have a good time source for the NTP protocol, or no Internet connection to
use public NTP servers, you might benefit from using the timed daemon instead of xntpd.
The timed daemon synchronizes one machine’s clock with those of other machines on the
local area network that are also running the timed daemon. The timed daemon slows the
clocks of some machines and speeds up the clocks on other machines to create an average
network time. It is important to realize that this average network time is not synchronized to
any clock outside the network so, after a while, it will be off anyway. For some protocols,
such as Kerberos and DHCP, it is only important that there is no difference between the
different systems, not that the time is absolutely correct. In those situations, the timed
daemon can help.
When the timed daemon is started without the -M flag, the machine locates the nearest
master time server (through a broadcast) and asks for the network time. The machine then
uses the date command to set the machine’s clock to the network time. The machine
accepts synchronization messages sent periodically by the master time server and calls
the adjtime subroutine to perform the needed corrections on the machine’s clock.
The timedc command controls the operation of the timed daemon. The timedc command
can measure the difference between clocks on various machines on a network, find the
location of the master time server, enable or disable tracing of messages received by the
timed daemon, and debug.
timed command
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Include this host in the ELECTION of MASTER timeserver no +
VALID NETWORK to check for timeserver [ ]
IGNORE this NETWORK when checking for timeserver [ ]
Notes:
Flags
-c Specifies that the master-timed daemon should ignore the time values it gets from the
other slave-timed daemons when calculating the average network time. This flag
changes the network time to be the same as the system clock on the master-timed
daemon.
-i Network Specifies a network to be excluded from clock synchronization. The network
variable can be either a network address or a network name. If a network name is specified
for the network variable, the network name must be defined in the /etc/networks file.
Specify one network address or network name with each -i flag. Do not use this flag with
the -n flag.
-M Specifies the machine as a master or submaster time server on its local area networks.
If a master time server is not currently available on a network, the machine becomes the
master time server for that network. If a master time server already exists on a network, the
machine becomes a submaster time server on that network. However, the machine can
become the master time server if the current master time server becomes inoperative. The
timed daemon creates the /var/adm/timed.masterlog file when the timed daemon is
started with the -M flag.
-n Network Specifies a network to include in clock synchronization. The network
variable can be either a network address or a network name. If a network name is specified
for the network variable, the network name must be defined in the /etc/networks file.
Specify one network address or network name with each -n flag. Do not use this flag with the
-i flag.
-t Allows the timed daemon to trace the messages it receives and store them in the
/var/adm/timed.log file. You can also use the timedc command to activate tracing.
timedc command
• Purpose
– Returns information about the timed daemon
• Syntax
– timedc [ Subcommand [ Parameter ... ] ]
• Example
– timedc msite
Notes:
• clockdiff Host ... Computes the differences between the clock of the host machine and
the clocks of the machines given as variables.
• election Host ... Requests that the timed daemon on the specified hosts reset its
election timers and ensure that a timed master server is available. Up to 4 hours can be
specified. If a master timed server is no longer available, then the timed daemon on the
specified hosts will request to become the new timed master server. The specified hosts
must be running the timed daemon in submaster mode with the -M flag.
• help [ Parameter ... ] Displays a short description of each subcommand specified in the
parameter list. If you give no variables, the help subcommand shows a list of
subcommands recognized by the timedc command.
• msite Finds the location of the master site.
• quit Exits the timedc command.
• trace { on | off} Enables or disables tracing of incoming messages to the timed
daemon. The messages are held in the /var/adm/timed.log file.
setclock command
• Purpose
– Sets the time and date for a host on a network
• Syntax
– /usr/sbin/setclock [ TimeServer ]
• If the timeserver argument is missing, setclock uses the timeserver hostname, if defined.
Notes:
The /usr/sbin/setclock command gets the time from a network time server and, if run
by a user with root user authority, sets the local time and date accordingly.
The setclock command takes the first response from the time server, converts the
calendar clock reading found there, and displays the local date and time. If the setclock
command is run by the root user, it calls the standard workstation entry points to set the
system date and time.
If no time server responds or if the network is not operational, the setclock command
displays a message to that effect and leaves the current date and time settings of the
system unchanged.
Parameter - TimeServer - The host name or address of a network host that services time
requests. The setclock command sends an Internet time service request to a time server
host. If the time server name is omitted, the setclock command sends the request to the
default time server. The default time server is the IP address related to the hostname
timeserver (resolved through either DNS or /etc/hosts).
Checkpoint
2. True or False: When configuring NTP services, the server directive can specify a serial port attached clock source or a server in a lower stratum.
3. How does the setclock command know what server to query?
Exercise introduction
service on AIX
Unit summary
• Describe the Network Time Protocol
• Configure the xntpd daemon
• Configure the timed daemon
What you should be able to do
After completing this unit, you should be able to:
• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6
• Checkpoint questions
Unit objectives
• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6
IP version 6
• Major improvements over IPv4:
– Hugely expanded address space
– Performance improvements
– Functionality enhancements
– Security enhancements
• Most modern routers, operating systems, and applications support IPv6 today.
• An IPv6 backbone has existed on the Internet for a number of years.
– Accessible via a tunnel over IPv4
• On July 20, 2004, ICANN added the root DNS zones for IPv6 to the root DNS servers.
Notes:
IP Version 6 is deemed to be the successor to the current IP Version 4 protocol. There has
been a proposal for IP Version 5 (the stream protocol, see RFC 1819), but this protocol has
tremendously. This is the most obvious change as you go from IPv4 to IPv6, and
is also the most important reason for the switch. We are going to cover this in the
next visual.
• There have been several performance enhancements. One example of this is
the fact that the IPv6 header no longer contains a checksum. In IPv4, this
checksum was present, and needed to be checked and recalculated at every
hop (router), because the checksum also covered the hop counter (TTL) which
changes at every hop.
faster than having to make a full routing decision.
Yet another performance improvement is the fact that the IPv6 header no longer
supports options. Because of this, the header size is now fixed, which allows for yet
more performance optimizations in router code.
• There are several functionality enhancements. Most of these are in the form of
additional headers which can be inserted between the main IPv6 header and the
higher-layer protocol header (for example, TCP or UDP).
• Security has now been incorporated in the protocol in the form of IPSec. This
means that encryption and authentication can be done at a really low level in the
protocol stack which makes it easier to obtain good security in applications.
Most modern operating systems, routers, and other devices have supported IPv6 for a
number of years now. Also, IPv6 support has been available on the Internet for a number of
years. The final bits were put in place on July 20th, 2004, when the ICANN added the
resource records and zone files for IPv6 to the root name servers.
IPv6 addresses
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
(340 undecillion* and then some)
• Notation using hexadecimal using colons after each 16 bits:
3ffe:ffff:0100:f101:0000:0000:0000:9566
• May remove leading zeros within a block and one consecutive series of blocks of zeros: 3ffe:ffff:100:f101::9566
• Netmasks work just like IPv4, but only the CIDR notation is used: 3ffe:ffff:100:f101::9566/64
* 10^36 ... a really BIG number!
Notes:
The most obvious change in IPv6 is the increase in IP address length. IPv4 has an address
length of 32 bits, which gives 2^32 addresses (a little over four billion). IPv6, in contrast, has
an address length of 128 bits which gives 2^128 addresses (a little over 340 undecillion). And
because IPv6 uses Classless Inter Domain Routing (CIDR) from the start, and a more
granular way of distributing IP addresses over providers, the portion of the address space
that can actually be used is also larger than IPv4. So IPv6 should provide us with enough
addresses for many years to come. That is probably a good thing because we might just be
able to switch the whole of the current Internet over from IPv4 to IPv6, but it will be almost
impossible to switch to yet another version of IP after that.
Because IPv6 addresses are so incredibly large, the notation of these addresses has
changed. We no longer use decimal addresses but use hexadecimal instead: 8 groups of
16 bits each, written in hexadecimal and separated by colons. To make things a little
shorter, you can leave out the leading zeros in a block and replace a single series of blocks
of zeros with ::.
Netmasks work just like in IPv4, but only the CIDR slash notation is used.
Another useful difference is that in IPv6, each interface can explicitly have multiple IP
addresses. This was not possible according to the IPv4 standard, and that is why, in IPv4,
we sometimes need to do IP aliasing. That is no longer needed in IPv6.
• ::1/128: Loopback address
• fe80::/64: Prefix used for link-local addresses
– Automatically assigned to an interface
– Cannot be routed
– The host part is typically based on the MAC address
• fec0::/64 - feff::/64: Prefix used for site-local addresses
– Used for intranets like RFC 1918 addresses
• 2xxx::/64 and 3xxx::/64: Prefix used for globally assigned unicast addresses
• ffxx::/64: Used for various multicast addresses
Notes:
Just as with IPv4, the IPv6 address range has been divided up into a number of ranges,
each with their own purpose.1 Here are the most important addresses and address ranges:
• ::1/128 (127 zeros followed by a 1) is the loopback address. In IPv6, only one
loopback address is assigned. IPv4 had the whole 127.0.0.0/255.0.0.0 network
(16 million addresses) reserved for loopback.
• fe80::/64 is the address range which is used for so-called link-local
addresses. Link-local addresses are addresses that only operate on a single link
(LAN). They are not routable. On local area networks, the host part of the IP
address (the last 64 bits) is based on the 48-bit MAC address of the adapter.
This host part is calculated using the IEEE EUI-64 method. We will cover that in
the next visual.
There are more addresses reserved for link-local addresses (fe80::/64 through
febf::/64), but only fe80::/64 is in use today.
1 Actually, most of the address space has not been divided up yet and is left open for future applications.
• fec0::/64 through feff::/64 is reserved for site-local addresses. This
means that you can use these addresses on intranets, just like 10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16 on IPv4. Site-local addresses are not
routable on the Internet, so they also provide you with a measure of security.
• All addresses 2xxx::/64 and 3xxx::/64 are currently reserved as globally
routable, Internet addresses and are given out by ISPs to customers. If you hook
.T ció
up to the global IPv6 Internet, you will need an address range which is a subset
of this range.
There are two exceptions to this. 2001:0db8::/32 and 3ffe:ffff::/32 are ranges that are set apart for documentation and examples. They should not be routable on the Internet. The idea is that people who blindly copy configuration files and examples will not by accident use IP addresses assigned to somebody else.
• Finally, all addresses ffxx::/64 are used for various multicast address ranges.
Several multicast scopes exist (node, link, site, organization, and global), each
with their own address range.
Note that, within IPv6, there is no such thing as a broadcast anymore. The broadcast of IPv4 has since been replaced with a link-local multicast.
A-8 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
next reboot.
• To configure IPv6 addresses on an adapter:
– ifconfig en0 inet6 fec0:1::2/64 up
– ifconfig en0 inet6 3ffe:ffff::2/64 alias
• To change the ODM:
– chdev -l en0 -a netaddr6=fec0:1::2 -a prefixlen=64 -a state=up
– chdev -l en0 -a alias6=3ffe:ffff::2 -a prefixlen=64 -a state=up
• To assign the default route:
– route add -inet6 default 3ffe:ffff::1
• To put the default route in the ODM:
– chdev -l inet0 -a rout6=net,,,,,'default','3ffe:ffff::1'
• Or use smitty configtcp6
Notes:
To start using IPv6, the first thing you need to do is run the autoconf6 -A command. This configures all interfaces with the appropriate link-local address. It also configures the loopback interface with the correct IPv6 loopback address and enables IPv6. If you only want to run IPv6 on the en0 interface, use the command autoconf6 -i en0 instead.
To make sure IPv6 is enabled at system boot, uncomment the autoconf6 line in /etc/rc.tcpip, and add -A or -i <interface> as appropriate. The line will then look like this:
start autoconf6 "" -A
You can now add IPv6 addresses to interfaces. The first address is added with the following command: ifconfig en0 inet6 <address>/<prefixlen> up. Note that this will overwrite any link-local addresses that autoconf6 configured though. For any additional addresses, use alias instead of up.
To set the default router, use the route add -inet6 default <address> command.
Make sure that all your changes make it into the ODM as well by executing the appropriate
chdev command or from SMIT with the configtcp6 fastpath.
– Takes over all IPv6 addresses and configures them with a link-local address
– Upon reception of a router advertisement message, configures all interfaces with appropriate site-local and global addresses plus any routing table entries
– startsrc -s ndpd-host
• ndpd-router
– Runs on an IPv6 router
– Takes over all IPv6 addresses and configures them with a link-local address
– Configures site-local and global addresses on all interfaces based on
information in /etc/gateway6
– Advertises the site-local and global addresses to all hosts
– startsrc -s ndpd-router
• View status of discovered neighbors with ndp -a
Notes:
Just as with IPv4, it is also possible to dynamically assign IPv6 addresses to hosts. In fact, it is easier to do this with IPv6 than with IPv4 due to the vastly increased address space. After all, with so many addresses available we can (and do) simply incorporate the MAC address into the IP address, with an appropriate prefix, without worrying that we might run out of addresses. It is also usually not necessary to worry about lease times and such.
In fact, the only thing a host needs to know to configure the appropriate IPv6 address is the site-local or global prefix. These prefixes are normally advertised by IPv6 routers through the neighbor discovery protocol.
Under AIX, the NDP is implemented in two daemons, one running on a non-routing host,
The ndpd-router daemon runs on an AIX router. It is configured with appropriate site-local
and global address prefixes, plus a series of options, in the /etc/gateway6 file. It will
then advertise its routes on all locally connected networks. The hosts on these networks
can use these advertisement messages to configure their own site-local and global
addresses.
As IPv6 routing is normally done on dedicated equipment and not on AIX, we will not cover
the configuration of the ndpd-router daemon in this course.
To view the cache of the ndpd-host daemon, use the ndp program. The -a option shows the full cache.
set up an IPv6-over-IPv4 tunnel to an ISP offering IPv6 services.
• This can be done using various standard and non-standard
methods, depending on provider and operating system in use.
• Examples:
– http://www.6bone.net
– http://www.freenet6.net
• When signing up, you typically get a full /48 network (64000 networks of 2^64 hosts each)
Notes:
Once we have configured our own internal IPv6 network, we will want to connect it to the worldwide IPv6 network. This is a step which is slightly more complicated than with IPv4, since most ISPs do not offer IPv6 connectivity by default (yet). If your ISP offers it at all, then it is usually a premium service.
All is not lost, however, if your regular ISP does not offer IPv6 connectivity. There are several standard and non-standard methods of creating tunnels to an IPv6 capable ISP over a regular IPv4 network. What method to choose is dependent on the IPv6 ISP you use and the operating system in use.
When you sign up for IPv6 connectivity, you will typically receive your own /48 network (64000 networks of 2^64 hosts each) for free. This whole address range (2^80 addresses) is fully routable on the whole Internet. This is a vast improvement over IPv4, where you have to make a serious business case if you want to receive more than a handful of routable IP addresses for your environment.
– Use AAAA resource record type to assign an IPv6 address to a host name
• Reverse lookups:
– Use ip6.arpa reverse lookup zone (current standard)
– Use ip6.int reverse lookup zone (for backwards compatibility)
– Both can refer to the same zone file
Notes:
With IPv6 addresses being four times as large as IPv4 addresses, we will definitely want
these addresses to be incorporated in our DNS tables. Fortunately, this is possible
hosts. Also, BIND 9 supports ACLs based on IPv6 addresses and so forth.
• Support for IPv6-specific resource record types.
Here, we are going to discuss the second item: the changes that need to be made to our zone data to incorporate IPv6 addresses in our tables. There are two issues to discuss:
For reverse lookups (IP address to hostname), two new domains have been introduced.
Initially, the proposal was to use the ip6.int domain. Some implementations actually use
this domain. Later, a new proposal was accepted to use the ip6.arpa domain. This is the
current standard which you should support at least. For backwards compatibility, it is a
good idea to also support the ip6.int domain for the next few years. Fortunately, if you
configure things smartly, the amount of administration involved in supporting both is
minimal since they can use the same zone file.
We will look at the contents of the files in the next visual.
# cat named.conf
// Unchanged
zone "example.com" {
    type master; file "named.example.com";
};
zone "0.0.10.in-addr.arpa" {
    type master; file "named.10.0.0";
};
zone "0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa" {
    type master; file "named.3ffe:ffff::";
};
zone "0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.int" {
    type master; file "named.3ffe:ffff::";
};

# cat named.example.com
sysX IN A 10.0.0.100
sysX IN AAAA 3ffe:ffff::1

# cat named.3ffe:ffff::
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR sysX.example.com.
Notes:
The visual shows the three files in your DNS setup that need to be changed and added in
order to support IPv6.
For forward lookups, the change is minimal; you just need to add an AAAA record for a
to incorporate an IP address in the DNS structure. Let’s review how IPv4 did things. The
IPv4 address 9.19.98.1 becomes the FQDN 1.98.19.9.in-addr.arpa. 98.19.9.in-addr.arpa
becomes the zone identifier, and 1 is the node within that zone. This node then gets a PTR
record to the hostname.
IPv6 does things the same way, except in the ip6.arpa zone. The major complication is that IPv6 addresses are incredibly large, and we will want to do things at a finer granularity to support CIDR better. So the IPv6 address 3ffe:ffff::1 (which, when written in full, is 3ffe:ffff:0000:0000:0000:0000:0000:0001) becomes the FQDN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.f.f.f.e.f.f.3.ip6.arpa. Again, the zone
distribution, otherwise it is a nice challenge to create them yourself based on the information in this unit.
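The two address constructions this unit describes, the EUI-64 link-local address derived from a MAC and the nibble-reversed ip6.arpa name, as an added Python example that is not part of the course material. It uses only the standard ipaddress module; the MAC address is a constructed sample, and the zone split for 3ffe:ffff::/64 reproduces the zone and PTR owner names of the named.conf visual.

```python
"""
Added example (not from the IBM course): build the addresses and DNS
names that the IPv6 appendix describes, using only the standard library.

  - link_local_from_mac(): link-local address for an adapter, derived with
    the modified EUI-64 method of RFC 4291 (insert ff:fe in the middle of
    the 48-bit MAC and invert the universal/local bit).
  - reverse_name(): ip6.arpa (or ip6.int) name of an IPv6 address, that is
    the 32 hex digits of the full address, least significant first.
  - split_reverse_name(): zone name and owner name inside that zone for a
    given prefix length, as laid out in the named.conf visual.
"""
import ipaddress


def link_local_from_mac(mac: str) -> str:
    """Return the fe80::/64 link-local address derived from a 48-bit MAC.

    Modified EUI-64 (RFC 4291, Appendix A): split the MAC into two 24-bit
    halves, insert ff:fe between them, and flip bit 0x02 of the first byte.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # universal/local bit
    # fe80:: prefix in the high 64 bits, the interface identifier in the low 64
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(eui64)))


def reverse_name(addr: str, domain: str = "ip6.arpa") -> str:
    """Return the reverse-lookup FQDN of an IPv6 address.

    Each of the 32 hex digits of the fully written-out address becomes one
    label, in reverse order, under ip6.arpa (or ip6.int for old resolvers).
    """
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + domain


def split_reverse_name(prefix: str, addr: str, domain: str = "ip6.arpa"):
    """Split the reverse name of addr into (owner name, zone name).

    The zone covers the first prefixlen bits; for 3ffe:ffff::/64 and the
    host 3ffe:ffff::1 this gives the PTR owner and the zone name used in
    the visual. The prefix length must be a multiple of 4 (one nibble).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 bits")
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    labels = reverse_name(addr, domain).split(".")
    n_zone = net.prefixlen // 4  # nibbles that belong to the zone name
    owner = ".".join(labels[: 32 - n_zone])
    zone = ".".join(labels[32 - n_zone:])
    return owner, zone


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    print(link_local_from_mac("00:11:22:33:44:55"))
    print(reverse_name("3ffe:ffff::1"))
    print(split_reverse_name("3ffe:ffff::/64", "3ffe:ffff::1"))
```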
– netstat
– traceroute
– host (use option -t AAAA to display IPv6 addresses)
– dig
• All AIX libraries are IPv6-ready.
• IPv6 support in applications depends on the developer.
– Check manual page and other documentation.
Notes:
Now that our IPv6 infrastructure has been configured, we can start running our applications
on top of it.
The first set of applications we might want to discuss are troubleshooting applications like ping, netstat, traceroute, host, and dig. All of these have been extended to include IPv6 support, although with some of these you need to add specific options.
Furthermore, all relevant AIX libraries have been updated to include IPv6 support.
The last set of applications to discuss is generic user applications and daemons. Support for IPv6 in these applications varies wildly. Some support IPv6 fully, and in some cases the developer has never heard of IPv6 at all. There is no generic way of finding out whether an application supports IPv6. You need to read the manual page and other documentation for that. If the application you need does not support IPv6, you can get in touch with the developer or write the code yourself.
Checkpoint
2. How many in IPv6?
3. What is the difference between a link-local and a site-local address?
4. A system has a network adapter with MAC address 00:0C:76:92:BD:64. What will be its link-local IPv6 address?
5. And what will be the reverse-lookup DNS name for that address?
Notes:
Unit summary
• Describe the main differences between IPv4 and IPv6
• Describe the IPv6 address notation
• List the most important classes of IPv6 addresses
• Configure IPv6 on an AIX system
• Configure DNS for IPv6
• Discuss connectivity to the worldwide IPv6 network
• Discuss application requirements for IPv6
Notes:
Power systems environment from a Windows based PC workstation.
What you should be able to do
After completing this unit, you should be able to:
• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows
How you will check your progress
• Checkpoint questions
• Lab exercises
© Copyright IBM Corp. 2010, 2013 Appendix B. AIX and Windows interoperability B-1
Unit objectives
• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows
Notes:
[Figure: LAN A, LAN B, and LAN C connected to VIOS #1, VIOS #2, LPAR #1, LPAR #2, and LPAR #3 on the POWER Hypervisor; the HMC is attached over a private LAN]
Notes:
The network configuration can be more complex than just a single LAN. You might have to consider network components such as firewalls or other devices that make remote access complex.
In the example shown in the visual, the logical partitions #2 and #3 are connected to a
secured network. RMC ports must be authorized on the firewall to get access to the HMC in
order to perform certain operations like DLPAR.
The system administrator can ask the network administrator to open ports corresponding to
the tools that will be installed for remote access, such as ports 5800, 5801, … 5900, 5901
… for VNC software.
• Typically, most users work remotely and connect to:
– The Power Hypervisor interface (ASMI) and the HMC GUI using a Web browser via https
– The HMC command line interface using SSH
– The AIX partition CLI using a protocol such as Telnet or SSH
– The AIX partition graphical interface using an Xwindows based appliance
• Additionally, day-to-day activities might involve:
– Transferring files to the partitions using FTP, SCP, or SFTP
– Accessing AIX file system data on your workstation
Notes:
As an AIX administrator, you must be able to access the Power systems environment from
your local workstation over the network.
Your workstation is usually Windows or Linux based, so you can install additional tools to be able to access the command line interface or graphical interface, or transfer files, to perform day-to-day administration tasks.
For example, if you are using a Windows based workstation, you are not able to connect by default to the HMC CLI. A remote connection to the HMC CLI can only be made using SSH, which is not included in the default Windows installation.
In addition, Windows is not able to connect to a UNIX X Windows server, so you will need
• Security implications and usability (for example, copy and paste facilities)
– There is no default support for SSH
• The workaround is to use the terminal emulation tool, PuTTY
• PuTTY:
– Is free open source software
– Is a small lightweight self-contained executable (does not require installation)
– Supports all SSH client functionality
– Additionally provides Telnet, rlogin, serial, and raw connectivity options
Notes:
If your local workstation is Windows based, you should install an SSH based command line tool. PuTTY is a terminal emulator application which acts as a client for the SSH, Telnet,
• Control over port forwarding with SSH (local, remote, or dynamic port forwarding),
including built in handling of X11 forwarding.
• SSH tunneling
• Emulates most xterm, VT102 control sequences
• IPv6 support
• Public key authentication support
• Support for local serial port connections
You can configure options to control the key sequences. For example, you can configure the backspace key as Control^H instead of typing the "stty erase ^?" AIX command.
Notes:
PuTTY Session Manager is a tool that allows system administrators to organize their
PuTTY sessions into folders and assign hot keys to their favorite sessions.
• These tools can be used to:
– Provide remote access
– Write shell scripts without having access to an AIX partition
– Provide a Unix test environment on a Windows OS workstation
• Most common UNIX and shell emulation tools are:
– UWIN, a UNIX and Korn shell emulation from AT&T
– Cygwin, a UNIX-like environment and command line interface for
Microsoft Windows
Notes:
UWIN
The UWIN package allows UNIX applications to be built and run on Windows.
UWIN contains libraries that emulate a UNIX environment. The Korn shell runs in a console
window just like the MS-DOS command shell. Once ksh is running, all of the UNIX utilities
can be executed. In addition, ksh can execute native Windows applications. The UWIN
console provides an emulation of the VT100 terminal so that programs that use the curses
library should work fine. All the environment variables of Windows that have been initialized
when ksh has been started can be accessed from ksh. Some variables, such as PATH,
which are understood by both Windows and UNIX utilities, but which use different formats,
are converted to UNIX formats when executing UNIX utilities, and converted back when
executing Windows utilities.
UWIN is available at http://www.research.att.com/sw/license/ast-open.html
CYGWIN
CYGWIN is a UNIX-like environment and command line interface for Microsoft Windows.
CYGWIN provides native integration of Windows-based applications, data, and other
system resources with applications, software tools, and data of the UNIX-like environment.
Thus, it is possible to launch Windows applications from the CYGWIN environment, as well
as to use CYGWIN tools and applications within the Windows operating context.
CYGWIN consists of an extensive collection of software tools and applications that provide
a UNIX-like look and feel.
CYGWIN is free software released under the GNU General Public License.
Many UNIX programs have been ported to CYGWIN, including the X Window System,
KDE, GNOME, Apache, and TeX. CYGWIN permits installing inetd, syslogd, sshd, Apache,
and other daemons as standard Windows services, allowing Microsoft Windows systems to
emulate UNIX and Linux servers.
A CYGWIN-specific version of the UNIX mount command allows Windows paths to be
mounted as file systems in the UNIX file space. File systems can be mounted as binary (by
default) or as text-based, which enables automatic conversion between LF and CRLF
endings.
Extensions to CYGWIN are available, such as a port of the X Windows system called
CYGWIN/X.
[Figure: screen shots of Uwin (top left) and Cygwin (bottom right)]
Notes:
The top left side of the visual shows an example of the UWIN interface. UNIX commands
can be executed directly in the Windows and x86 environment.
The screen shot at bottom right of the visual is a Cygwin environment running on Windows.
– Windows Vista / 7: Subsystem for UNIX-based applications (SUA)
• Provides a UNIX environment on Windows operating systems
• Contains:
– Over 350 UNIX utilities such as vi, ksh, csh, ls, cat, awk, grep, kill, and so forth
– GCC 3.3 compiler
– NFS server and client
– X11 tools and libraries
– Tools for making NFS mount points appear as Windows shares and vice-versa
– Some Windows/UNIX authentication information synchronization tools
• SFU does not contain certain features and functions, such as bash, OpenSSH, sudo, and emacs.
Notes:
Windows Services for UNIX 3.5 provides a full range of supported and fully integrated
cross-platform network services for enterprise customers to use in integrating Windows
Microsoft Windows Services for UNIX is not an emulation of a UNIX kernel, but rather an
implementation of a user-mode subsystem running directly on top of the Windows kernel.
platforms.
• Two choices:
– Install an X-Windows system on your local Microsoft Windows workstation.
– Examples:
• Cygwin/X
• Xming
• Hummingbird Exceed
– Use a graphical desktop application to remotely access the AIX partition and relay the graphical screen back to the desktop.
• Virtual Network Computing (VNC)
• Citrix Presentation Server for UNIX
Notes:
If you need to get graphical access to the AIX partition (for example, accessing the GUI for
the AIX installation, running webSM, or using a Web browser), then there are two solutions.
Install XWindows software or a graphical desktop sharing tool such as VNC on your local
PC.
For both solutions, you might have to execute the xhost command on AIX to allow
connections of remote X servers and export the display to your local Xterm session using
window.
1. Log in to the remote machine.
Example: ssh -X root@remotehost
2. Execute X commands:
xcalc, xclock ….
Applications will be started on the local X Windows server (in this case Cygwin/X).
Note: ssh -X is functionally equivalent to:
Notes:
In the visual, Cygwin/X is running rootless on Microsoft Windows XP. The screen shows X
applications (xeyes, xclock, xterm) sharing the screen with native Windows applications
• It is popular in both UNIX and Windows systems.
[Figure: a VNC viewer (for example UltraVNC, realVNC, tightVNC) exchanging VNC traffic with a VNC server on AIX; the traffic can also be tunnelled over an SSH connection for improved security]
Notes:
Virtual Network Computing (VNC) is a graphical desktop sharing system which uses the RFB (remote framebuffer) protocol to remotely connect to another host or server. It transmits the keyboard and mouse events from one host to another, relaying the graphical screen updates back in the other direction, over a network.
same time. Popular uses for this technology include remote technical support and
accessing files on one’s work computer from one’s home computer or vice versa.
VNC was originally developed at the Olivetti Research Laboratory in Cambridge, United Kingdom. The original VNC source code and many modern derivatives are open source under the GNU General Public License.
VNC configuration
• In order to set up a VNC server on AIX, install vnc and zlib (compression library) from the AIX toolbox.
• Start a VNC session by typing:
– vncserver :<port number>
Note: The TCP/IP port started is actually 5933. The "59" is implied and is not required to connect.
# vncserver :33
New 'X' desktop is neo:33
Starting applications specified in //.vnc/xstartup
Log file is //.vnc/neo:33.log
– To access the AIX desktop VNC session from
• UNIX, type: # vncviewer <hostname|IP address>:<port number>
• PC VNC client (viewer)
• Also, access can be obtained through a Web browser over HTTP: http://neo:5833
Notes:
To run VNC on AIX, install the following filesets from the AIX toolbox CD. No further
configuration is required.
When a VNC session is started, two TCP/IP ports are opened, 59<number> and
58<number>. The 59 port must be used for the VNC Viewer application. The 59 prefix is
generally not required (that is, it is implied and hard coded into the viewer application). The
58 port is used to access VNC over HTTP. To connect in this way, the full port number
********************************
** AIX Version 6.1 TL04 SP00 **
********************************
nimmaster:/ # aavnc list
389288 root 2440 Xvnc :3
Notes:
Tunnelling VNC over SSH not only improves security but also performance over slow
WANs, especially when used in conjunction with SSH compression.
– A large number of files
– Files spread across multiple directories
– A mix of binary and text files
• Solution: Windows based graphical FTP client.
• Examples include:
– FileZilla (also supports secure FTP and compression)
– WinSCP (SCP and SFTP only)
Notes:
Graphical file transfer tools allow users to navigate folders, view and alter file directory contents (on both the local and remote machines) using an explorer-style tree interface, drag and drop files between machines, and enable secure communication (optional).
Many graphical FTP applications are available on the Internet for free, such as FileZilla, WinSCP3, Leechftp, Total Commander, and so forth. The choice of tool comes down to preference. FileZilla is a powerful FTP client for Windows. It is easy to use and includes support for many features while still being fast and reliable. The main features of FileZilla include the following:
• Ability to resume uploads/downloads (if the server supports it)
• Custom commands
• Site manager with folders
• Keep alive system
• Timeout detection
• Multi-language support
• GSS authentication and encryption using Kerberos
miscellaneous communications between Windows clients and other TCP/IP hosts on a network.
• SMB servers make their file systems and other resources available to clients on the network.
• Samba is a free software implementation of the SMB
protocol and runs on most UNIX systems.
• Samba sets up network shares for chosen AIX directories. They appear to Microsoft Windows users as normal network drives accessible via the file explorer.
Figure B-15. Sharing AIX file systems with Windows (Samba) AN212.0
Notes:
SMB servers make their file systems and other resources available to clients on the network. Client computers might want access to the shared file systems and printers on the server.
SMB works through a client-server mechanism. The main section of the SMB protocol
specifically deals with access to file systems so that clients can make requests to a file
server.
SMB is managed through a protocol suite which is currently known as the Common
Internet File System, or CIFS.
SMB also provides an authenticated inter-process communication mechanism.
The SMB protocol interacts with the Microsoft Windows platform. Samba is a free
implementation of a compatible SMB client and server for use with non-Microsoft operating
systems.
• Start Samba daemons:
– smbd provides file and printer sharing services, authentication, and authorization.
– nmbd provides a NetBIOS-to-IP-address name resolution service.
– Logs are stored in /var:
• log.smbd and /var/log.nmbd
• Samba also includes a Web administration tool called Samba Web Administration Tool (SWAT) which allows you to configure Samba remotely using a Web browser.
Notes:
Samba is software that can be run on platforms other than Microsoft Windows, for example, AIX, Linux, IBM System 390, OpenVMS, and many others. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.
Samba is a software package that gives network administrators flexibility and freedom in
valid users = root, alex
Define the AIX users who can access the Samba share.
Existing Users:
# smbpasswd -a root
New users:
# mkuser alex
# pdbedit -a alex
Start Samba daemons.
# smbd
# nmbd
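The share definition above is a small INI-style file, so the weak settings it can carry (root in valid users, no host restriction, clear-text SMB passwords, an unauthenticated writable share) can be checked mechanically before smbd is started. The following audit script is an added example, not course material and not part of Samba: the share name, user names, subnet and both smb.conf texts are constructed for illustration, while the option names are real smb.conf parameters.

```python
"""Audit an smb.conf for settings that weaken a Samba share.

Added example, not part of the course or of Samba itself. The share name,
user names, subnet and both configuration texts below are constructed for
illustration; the option names are real smb.conf parameters.
"""
import configparser

# Constructed: the share roughly as the course builds it, with root allowed
# over SMB, no host restriction and an unauthenticated writable share.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   encrypt passwords = no

[aixshare]
   path = /export/aixshare
   valid users = root, alex
   writable = yes
   guest ok = yes
"""

# Constructed hardened variant: a non-root account only, encrypted SMB
# password exchange, and access limited to one subnet plus localhost.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   encrypt passwords = yes
   hosts allow = 10.47.0.0/255.255.0.0 127.0.0.1
   hosts deny = ALL

[aixshare]
   path = /export/aixshare
   valid users = alex
   writable = yes
   guest ok = no
"""


def load_smb_conf(text):
    """smb.conf is INI-like (sections in brackets, 'name = value' lines,
    '#' or ';' comments), so configparser handles it once interpolation is
    off and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def _split_list(value):
    """Samba list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def _is_writable(cp, share):
    """'writable'/'writeable' are synonyms and the inverse of 'read only',
    whose default is yes."""
    if cp.has_option(share, "writable") or cp.has_option(share, "writeable"):
        return (cp.getboolean(share, "writable", fallback=False)
                or cp.getboolean(share, "writeable", fallback=False))
    return not cp.getboolean(share, "read only", fallback=True)


def audit_smb_conf(text):
    """Return a list of (section, finding) pairs for weak settings."""
    cp = load_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        g = cp["global"]
        if g.get("security", "user").strip().lower() == "share":
            findings.append(("global", "security = share disables per-user authentication"))
        if not cp.getboolean("global", "encrypt passwords", fallback=True):
            findings.append(("global", "encrypt passwords = no lets clients send SMB passwords in clear text"))
        if "hosts allow" not in g:
            findings.append(("global", "no hosts allow; shares are reachable from any source address"))
    for share in cp.sections():
        if share == "global":
            continue
        if "root" in _split_list(cp.get(share, "valid users", fallback="")):
            findings.append((share, "root in valid users exposes the root SMB password to network guessing"))
        if cp.getboolean(share, "guest ok", fallback=False) and _is_writable(cp, share):
            findings.append((share, "guest ok = yes on a writable share allows unauthenticated writes"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {len(audit_smb_conf(conf))} finding(s)")
        for section, finding in audit_smb_conf(conf):
            print(f"  [{section}] {finding}")
```

Run it against /etc/smb.conf (or whatever path your Samba build uses) by reading the file into a string and passing it to audit_smb_conf; an empty result for the hardened text and four findings for the weak one is the expected outcome. The check is deliberately limited to settings whose meaning is fixed in smb.conf(5); it does not replace testparm, which validates the syntax Samba will actually load.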
Configuring SWAT
Add the following line to /etc/inetd.conf:
• It is an alternative to the NFS/SMB protocols and to SCP/SFTP based clients.
• SSHFS is popular on Linux and Mac based systems.
– Based on Filesystem in Userspace (FUSE)
– A free Windows client is available from Dokan (http://dokan-dev.net)
Figure B-17. Sharing AIX file systems with Windows (SSHFS) AN212.0
Notes:
The main advantage of SSHFS is that a UNIX file system can be mounted securely without the requirement to load additional software on the server or open additional ports in the firewall. Most UNIX servers today have SSH enabled; therefore, SSHFS can be used without work being performed on the server. Because the transport is an ordinary SSH session, the security of the mount depends on the client verifying the server's host key: a client that accepts unknown host keys automatically can be redirected to an impostor. It is worth noting, however, that SSHFS does not perform as well as alternatives, such as Samba, but it works very well on networks with adequate throughput and low latency.
As of today, there are popular SSHFS clients for Linux, Mac OS, and Windows, but FUSE and SSHFS have not yet been ported to AIX. FUSE is the underlying technology of SSHFS and makes it possible to implement a fully functional file system in a user space program.
There are two popular SSHFS clients for Windows: Dokan (freeware), available from http://dokan-dev.net, and ExpanDrive (licensed), available from http://www.expandrive.com/windows.
Graphical traceroute
IBM Power Systems
– Gather long term historical monitoring data
• Many graphical tools to monitor network performance are available. PingPlotter is a good example (a free version is also available).
Notes:
You might encounter a network performance problem when connecting to the remote host. You can use Windows command-line tools such as ping, route print, tracert, or PathPing to collect [...]
Many free tools are available to monitor and investigate network problems. PingPlotter is given as an example of one such free tool.
PingPlotter is an enhanced graphical traceroute program that can test your connection repeatedly, helping you analyze network problems. The visual shows a traceroute between a Windows client connected to a standard fibre optic DSL connection and an AIX web server 50 miles (80 km) away.
Other software is also available, such as LoriotPro, PRTG Network Monitor, and so forth.
[...] for Windows, Mac OS, UNIX.
• Wireshark can import and display packet captures from AIX iptrace and tcpdump output.
[Figure: FTP packet capture between 2 AIX hosts]
Notes:
Wireshark is a popular open source tool which is used to capture and analyze network traffic. Wireshark interactively examines packet data from a live network and can read previously captured packet data stored in various formats. There is no compiled version available for AIX. However, Wireshark can import and display the results from both AIX [...]
[...] packets in this pane, you control what is displayed in the other two panes.
• The packet details pane displays the packet selected in the packet list pane in more detail.
• The packet bytes pane displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
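The figure above shows an FTP session between two AIX hosts as Wireshark renders it; the reason such a capture is worth looking at is that the FTP USER and PASS commands travel as readable text, which is exactly what the Unit 4 checkpoint calls unsafe. The script below is an added example (not from the course, Wireshark or tcpdump): it builds a small capture in the classic libpcap format that tcpdump -w writes and Wireshark opens, then parses it back down to the TCP payload and pulls the credentials out. The hosts, ports, user name and password are constructed for illustration; the same parser runs unchanged on a real capture file.

```python
"""Build a small tcpdump-style capture and pull clear-text FTP credentials from it.

Added example, not from the course or from Wireshark/tcpdump. The hosts, ports,
credentials and packet contents are constructed for illustration. The capture
is written in the classic libpcap format that `tcpdump -w` produces and that
Wireshark opens, so the same parser works on a real capture.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_segment(src, dst, sport, dport, payload, seq=1, ack=1, flags=0x18):
    """Ethernet + IPv4 + TCP frame with no options. Checksums are left zero:
    they are not validated here and Wireshark only warns about them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, _ipv4(src), _ipv4(dst)) + tcp
    eth = (bytes.fromhex("020c76000001") + bytes.fromhex("020c76000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip


def write_pcap(frames):
    """Serialize frames as a libpcap file: global header, then one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (src_ip, dst_ip, sport, dport, tcp_payload) for every TCP packet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "IHHiIII", pcap[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IPPROTO_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


def find_ftp_credentials(pcap):
    """Return [(client, server, user, password)] seen on FTP control channels.
    USER and PASS are tracked per (client, server) pair so a PASS is tied to
    the most recent USER on that connection."""
    pending, found = {}, []
    for src, dst, sport, dport, payload in iter_packets(pcap):
        if dport != FTP_PORT:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[(src, dst)] = arg
            elif cmd.upper() == "PASS":
                found.append((src, dst, pending.get((src, dst), "?"), arg))
    return found


# Constructed capture: an FTP login between two AIX hosts, as in the figure.
CAPTURE = write_pcap([
    tcp_segment("10.47.1.19", "10.47.1.20", 40001, FTP_PORT, b"USER alex\r\n"),
    tcp_segment("10.47.1.20", "10.47.1.19", FTP_PORT, 40001, b"331 Password required for alex.\r\n"),
    tcp_segment("10.47.1.19", "10.47.1.20", 40001, FTP_PORT, b"PASS s3cret\r\n"),
])

if __name__ == "__main__":
    for client, server, user, password in find_ftp_credentials(CAPTURE):
        print(f"{client} -> {server}: user={user} password={password}")
```

Writing CAPTURE to a file and opening it in Wireshark shows the same three packets, and Follow TCP Stream displays the password just as find_ftp_credentials recovers it. Running the extractor over a capture taken on a production segment is a quick way to demonstrate why the course's later units move file transfer to SSH.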
Checkpoint
[...] workstation?
2. List two UNIX emulation tools that can be installed on a Windows OS based workstation.
3. Which popular desktop sharing tool can you use to access the AIX GUI from a Windows OS based workstation?
4. Which software could you install to share the AIX files and access them from a Windows OS file explorer on your PC?
Exercise introduction
[...] AIX partition
– Configure Samba to share an AIX directory to your Windows OS workstation
Unit summary
• List methods and tools for remote HMC/AIX partition access
• Download and install tools for graphical access
• Perform file transfer between a Windows client and an AIX partition
• Mount an AIX file system on a Windows client
• Use graphical network diagnostic tools on Windows
Checkpoint solutions
The answers are application, transport, IP, data link, and physical.
2. Which layer is required for frame transmission?
The answer is the data link layer.
[...] addresses?
The answer is ARP.
Checkpoint solutions (1 of 2)
The answer is false.
2. Which two commands will display the MAC address of an Ethernet adapter?
The answer is:
# netstat -i
# lscfg -v -l <adapter>
[...] used for standard (DIX) Ethernet. Most TCP/IP today uses DIX framing. et0 also represents an interface associated with adapter ent0. The notation et0 is used for the official standard of Ethernet, IEEE 802.3.
Checkpoint solutions (2 of 2)
The answer is # netstat -a | grep -i est.
5. True or False: smitty tcpip should be used to configure all interfaces on the system.
The answer is false.
Checkpoint solutions
The answers are rsh, rlogin, and telnet.
2. Name two commands that can be used to transfer files.
The answers are rcp and ftp.
3. Name two commands that can be used for remote execution.
The answers are rexec and rsh.
4. Name three mechanisms you can deploy to harden system security.
Unit 4, "OpenSSH"
Checkpoint solutions (1 of 2)
1. Why are the traditional remote login, remote file transfer, and remote execution programs not safe?
The answer is they send passwords over the network as plain text and can be configured to authenticate based on IP address, host name, or user name, which makes them vulnerable to IP spoofing or DNS attacks.
2. How does the SSH protocol counter these weaknesses?
The answer is it authenticates the host and, if necessary, the user based on public-key authentication. Furthermore, all communication, including the user's password if required, is sent across an encrypted connection.
Checkpoint solutions (2 of 2)
[...] on multiple ports.
The answer is true.
5. What is the purpose of a passphrase?
The answer is to protect the user's private key.
6. How can TCP port forwarding be disabled on an SSH server?
The answer is by setting AllowTcpForwarding no in the server configuration file /etc/ssh/sshd_config. Note that this only stops sshd itself from relaying connections; a user who still has shell access can run a forwarder of their own, so the setting is effective only when combined with denying shell access.
Checkpoint solutions
The answers are performance, security, ease of management and flexibility, and cost (a switched network with VLANs is cheaper than building a routed network).
2. True or False: IEEE 802.1Q trunk adapters can be created within the Power Hypervisor for use by AIX.
The answer is true.
Unit 6, "Routing"
Checkpoint solutions
[...] the route table. What is the term associated with the creation of this route?
a. Dynamic
b. Implicit
c. Static (or explicit)
The answer is implicit.
2. True or False: The route -f (or route flush) command deletes all routes.
The answer is false.
Checkpoint solutions (1 of 2)
1. Given the following output, which path will be taken to the 18/8 network?
# netstat -C | grep 18/8
18/8    1.1.1.1      UG   10   WRR   en5   0   0
18/8    1.1.1.254    UG   20   --    en5   1   1
The answer is the route with 1.1.1.1 as the gateway.
2. What will happen as a result of entering the following command?
# /usr/lib/methods/ethchan_config -d ent10 ent8
The answer is adapter ent8 will be removed from the EtherChannel ent10.
[...] switch configuration.
The answer is false.
Checkpoint solutions (2 of 2)
[...] connected to different switch backplanes?
The answer is typically no, unless vendor-specific technology is deployed.
5. True or False: Combining GFF, LA, and PowerHA results in achieving the highest levels of network availability.
The answer is true.
Checkpoint solutions (1 of 2)
[...] default domain name for the system and the name servers it uses for name resolution.
The answer is true.
2. True or False: The named daemon can be started automatically with a command line entry in the inetd.conf file.
The answer is false.
3. True or False: The named daemon must be running on every machine [...]
Checkpoint solutions (2 of 2)
The answers are host, nslookup, and dig.
5. What is the purpose of the netcd daemon?
The answer is to cache name lookup responses in order to improve performance by reducing latency.
Unit 9, "DHCP"
Checkpoint solutions (1 of 2)
[...] through DHCP.
The answer is false.
2. A DHCP relay forwards DHCP requests to another network.
The answer is DHCP relay.
3. Which file contains a list of all the DHCP network options?
Checkpoint solutions (2 of 2)
[...] addresses to a client.
The answer is false.
5. Put the following DHCP messages in the correct order:
The correct order of the messages is:
• Client: DHCPDISCOVER
• Server: DHCPOFFER
• Client: DHCPREQUEST
• Server: DHCPACK
• Client: DHCPRELEASE
Checkpoint solutions (1 of 2)
[...] operations?
The answer is nfsd.
2. What file needs to be created and which command needs to be executed on an NFS server in order to make files, directories, and file systems available for mounting from clients?
The answer is /etc/exports and exportfs.
3. What file contains the startup script for NFS?
The answer is /etc/rc.nfs.
Checkpoint solutions (2 of 2)
The answers are improved performance, increased security, and cross-platform interoperability.
6. Why is this configuration incorrect?
The answer is you cannot mix traditional exports with alias (exname) extensions.
nfs_server:/ # cat /etc/exports
/local/fsA -vers=4,sec=sys,rw,exname=/exports/fsA
/local/fsB -vers=4,sec=sys,rw
/local/3rdparty/code -vers=4,sec=sys,rw,exname=/exports/code
nfs_server:/ # exportfs -a
exportfs: /local/fsB: There are too many levels of symbolic links to translate a path name.
7. True or False: The NFS domain name must equal the DNS domain name.
Checkpoint solutions (1 of 2)
1. A system cannot communicate with the rest of the network. Using the example below, what is the problem?
The answer is the interface en0 is down (the UP flag is missing from the flags list).
# ifconfig en0
en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
2. What is the difference between throughput and latency?
The answer is latency is measured from the time a packet leaves the client to the time the acknowledgment arrives back from the serving entity. The unit of latency is time. Throughput, on the other hand, is the amount of data that is transferred over a period of time.
Checkpoint solutions (2 of 2)
[...] obtain the status of a HA cluster. What command can you use to analyze the client-server interaction?
The answer is iptrace or tcpdump.
# ifconfig en0
en0: flags=1e080863,480<BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.47.1.19 netmask 0xffff0000 broadcast 10.47.255.255
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
4. Which command can you use to check the physical link status of an Ethernet adapter?
The answer is entstat.
5. How can you easily check bandwidth performance on a network?
The answer is using the ftp and dd commands.
Checkpoint solutions
[...] services on AIX and what configuration file does it use?
The answers are xntpd and /etc/ntp.conf.
2. True or False: When configuring NTP services, the server directive can specify a serial port attached clock source or a server in a lower stratum.
The answer is true.
3. How does the setclock command know what server to query?
Appendix A, "IPv6"
Checkpoint solutions
1. How many addresses are available in IPv4?
The answer is 2^32 (a little over 4 billion).
2. How many in IPv6?
The answer is 2^128 (a little over 340 undecillion).
3. What is the difference between a link-local and a site-local address?
The answer is a link-local address is only used within a physical network and cannot be routed. A site-local address is used across multiple networks within a site, but is not routable on the Internet.
4. A system has a network adapter with MAC address 00:0C:76:92:BD:64. What will be its link-local IPv6 address?
The answer is fe80::20c:76ff:fe92:bd64/64 (modified EUI-64: insert ff:fe between the vendor and device halves of the MAC, and flip the universal/local bit of the first octet, so 00 becomes 02).
5. And what will be the reverse-lookup DNS name for that address?
The answer is 4.6.d.b.2.9.e.f.f.f.6.7.c.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
6. How do you know if an application is ready for IPv6?
The answer is read the documentation or just try it out.
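Questions 4 and 5 above are two halves of one computation, and it is easy to get a nibble wrong by hand. The script below is an added example, not course material: it derives the EUI-64 link-local address from any 48-bit MAC and builds the ip6.arpa name from it, so the answers can be checked for the MAC in question 4 or for any adapter on a real system (lscfg -vl on AIX prints the MAC).

```python
"""Derive an EUI-64 link-local IPv6 address and its ip6.arpa name from a MAC.

Added example, not course material: it generalizes checkpoint questions 4
and 5 so any 48-bit MAC can be checked the same way. The MAC address in the
usage line is the one from question 4.
"""
import ipaddress


def mac_to_eui64_link_local(mac):
    """Build fe80::/64 + modified EUI-64 interface identifier (RFC 4291,
    Appendix A): split the MAC in two, insert ff:fe in the middle, and flip
    the 0x02 bit of the first octet (the universal/local bit)."""
    octets = bytes(int(o, 16) for o in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))


def reverse_name(addr):
    """ip6.arpa PTR name: all 32 nibbles of the address, least significant
    nibble first, each as its own label, with a trailing dot (FQDN)."""
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    addr = mac_to_eui64_link_local("00:0C:76:92:BD:64")
    print(f"{addr}/64")
    print(reverse_name(addr))
```

The EUI-64 identifier embeds the adapter's MAC in every link-local address, which is why the reverse name above reveals the hardware vendor prefix; that is the expected behaviour of the scheme the question describes, not a flaw in the derivation.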
Checkpoint solutions
1. What is the most convenient tool to access the AIX command line interface from your local Windows OS based workstation?
The answer is PuTTY, which makes it easy to log in via Telnet or SSH and access LPARs and the HMC CLI (prefer SSH; as noted in Unit 4, Telnet sends the password in clear text).
2. List two UNIX emulation tools that can be installed on a Windows OS based workstation.
The answer is UWIN and Cygwin, popular UNIX emulation tools that run on your Windows OS based PC.
3. Which popular desktop sharing tool can you use to access the AIX GUI from a Windows OS based workstation?
The answer is VNC, a widespread tool for sharing a graphical user interface remotely.
4. Which software could you install to share the AIX files and access them from a Windows OS file explorer on your PC?
The answer is Samba, which allows you to share AIX files as a Windows network drive.
Glossary

A

Acknowledgement
A response sent by a receiver to indicate successful reception of information. Acknowledgements may be implemented at any level including the physical level (using voltage on one or more wires to coordinate transfer), at the link level (to indicate successful transmission across a single hardware link), or at higher levels (for example, to allow an application program at the final destination to respond to an application program at the source).

Address Mask
A bit mask used to select bits from an Internet address for subnet addressing. The mask is 32 bits long and selects the network portion of the Internet address and one or more bits of the local portion.

Address Resolution
Conversion of an Internet address into a corresponding physical address. Depending on the underlying network, resolution may require broadcasting on a local network. See ARP.

ANSI (American National Standards Institute)
A group that defines U.S. standards for the information processing industry. ANSI participates in defining network protocol standards.

Archie
A server that builds an index of file and directory names that are located on public anonymous FTP servers on the Internet.

ARP (Address Resolution Protocol)
The Internet protocol used to dynamically bind a high level Internet Address to a low level physical hardware address. ARP is only across a single physical network and is limited to networks that support hardware broadcast.

ARPA
[...] Technology Office). Located at 1400 Wilson Blvd, Arlington, VA.

ARPANET
A pioneering long haul network funded by ARPA (later DARPA) and built by BBN. It served from 1969 through 1990 as the basis for early networking research as well as a central backbone during development of the Internet. The ARPANET consisted of individual packet switch nodes interconnected by leased lines. Also see PSN, Internet.

B

Baseband
Characteristic of any network technology like Ethernet that uses a single carrier frequency and requires all stations attached to the network to participate in every transmission. See broadband.

Baud
Literally, the number of times per second the signal can change on a transmission line. Commonly, the transmission line uses only two signal states (for example, two voltages), making the baud rate equal to the number of bits per second that can be transferred. The underlying transmission technique may use some of the bandwidth, so it may not be the case that users experience data transfers at the line's specified bit rate. For example, because asynchronous lines require 10 bit-times to send an 8-bit character, a 9600 bps asynchronous transmission line can only send 960 characters per second.

BBN (Bolt, Beranek, and Newman, Incorporated)
The Cambridge, MA company responsible for development, operation, and monitoring of the ARPANET and, later, Internet core gateway system, CSNET Coordination and Information Center (CIC), and NSFnet Network Service Center (NNSC). BBN works on DARPA research contracts and has contributed much to the Internet.

Best-effort Delivery
Characteristic of network technologies that do not provide reliability at link levels. Best-effort delivery systems work well with the Internet because the Internet protocols assume that the underlying network provides unreliable connectionless delivery. The combination of Internet protocols IP and UDP provides best-effort delivery service to application programs.

BISYNC
[...] used to transmit data across a synchronous communication link. Unlike most modern link level protocols, BISYNC is byte-oriented, meaning that it uses special characters to mark the beginning and end of frames. BISYNC is often called BSC, especially in commercial products.

BITNET (Because It's Time NETwork)
A low-cost, low-speed network started at City University of New York, that eventually connected to over 200 universities before it was merged with CSNET to [...] provides services like electronic mail by building a remote job that invokes the mailer router program. At each node, the mailer examines the message, chooses a route, and encapsulates the message in a new job that it sends over the chosen route.

bps (bits per second)
A measure of the rate of data transmission.

Bridge
A computer that connects two or more networks and forwards packets among them. Usually, bridges operate at the physical network level. For example, an Ethernet bridge connects two physical Ethernet cables and forwards from one cable to the other exactly those packets that are not local. Bridges differ from repeaters because bridges store and forward complete packets while repeaters forward electrical signals. They differ from IP gateways or IP routers because they use physical addresses instead of IP addresses.

Broadband
Characteristic of any network technology that multiplexes multiple, independent network carriers onto a single cable (usually using frequency division multiplexing). For example, a single 100 mbps broadband cable can be divided into ten 10 mbps carriers, with each treated as an independent Ethernet. The advantage of broadband is less cable; the disadvantage is higher cost for equipment at connections. See baseband. Also, an analog signalling technique used in IEEE Token Bus LANs. Analog techniques allow a single medium to be used for several information signals at once just as, for example, in cable TV systems.

Broadcast
A packet delivery system that delivers a copy of a given packet to all hosts that attach to it is said to broadcast the packet. Broadcast may be [...]

C

Checksum
A small, integer value computed from a sequence of octets by treating them as integers and computing the sum. A checksum is used to detect errors that result when the sequence of octets is transmitted from one machine to another. Typically, protocol software computes a checksum and appends it to a packet when transmitting. Upon reception, the protocol software verifies the contents of the packet by recomputing the checksum and comparing to the value sent. Many Internet protocols use a 16-bit checksum computed with one's complement arithmetic with all integer fields in the packet stored in network byte order.

Client-server
The model of interaction in a distributed system in which a program at one site sends a request to a program at another site and awaits a response. The requesting program is called a client; the program satisfying the request is called the server. It is usually easier to build client software than server software.

CMOT (CMIP/CMIS Over TCP)
The use of ISO CMIP/CMIS network management protocols to manage gateways in a TCP/IP Internet. CMOT is a co-recommended standard with SNMP. Also see MIB and SNMP.

Connection
The path between two protocol modules that provides reliable stream delivery service. In a TCP/IP Internet, a connection extends from a TCP module on one machine to a TCP module on the other.

Connectionless Service
Characteristic of the packet delivery service offered by most hardware and by the Internet Protocol (IP). The connectionless service treats each packet or datagram as a separate entity that contains the source and destination address. Usually, connectionless services can drop packets or deliver them out of sequence.

Core Gateway
One of a set of gateways operated by the Internet Network Operations Center (INOC) at BBN. Gateways in the core system exchange [...]

[...] already in use), and listen during transmission (to determine whether their own signal is being corrupted by somebody else's). If such a collision is detected, the station will stop its transmission and attempt it again sometime later.

CSNET (Computer Science NETwork)
A network that offered mail delivery service using dialup telephone, as well as Internet connectivity using X25NET and Cypress. CSNET offered other services like a registry of members and an Internet domain name server for member institutions that could not run their own. Initially funded by the National Science Foundation, CSNET became self-sufficient before it merged with BITNET to form CREN.

D

DARPA (Defense Advanced Research Projects Agency)
Formerly called ARPA. The government agency that funded research and experimentation with the ARPANET and, later, the DARPA Internet. The group within DARPA responsible for the ARPANET is ISTO (Information Systems Techniques Office), formerly IPTO (Information Processing Techniques Office). Located at 1400 Wilson Blvd, Arlington, VA.

Datagram
See IP datagram.

DCA (Defense Communication Agency)
The government agency responsible for installation of Defense Data Network (for example, ARPANET and MILNET) lines and PSNs. DCA writes contracts for operation of the DDN and pays for network services.

DCE (Data Communications Equipment)
Term X.25 protocol standards apply to switching equipment that forms a packet switched network to distinguish it from the computers or terminals that connect to the network. Also see DTE.

DDCMP (Digital Data Communication Message Protocol)
The link-level protocol Digital Equipment Corporation uses in their network products. DDCMP operates over serial lines, delimits frames by a [...]

[...] levels. Hardware demultiplexes signals from a transmission line based on time or carrier frequency to allow multiple, simultaneous transmissions across a single physical cable. Internet protocol software demultiplexes incoming datagrams, sending each to the appropriate high-level protocol module or application program.

Directed broadcast address
An IP address that specifies all hosts on a specific network. A single copy of a directed broadcast is routed to the [...]

DNS
[...] addresses. DNS also supports separate mappings between mail destinations and IP addresses.

Domain
In the Internet, a part of the DNS naming hierarchy. Syntactically, a domain name consists of a sequence of names (labels) separated by periods (dots).

Dotted Decimal Notation
The syntactic representation for a 32-bit integer that consists of four 8-bit numbers written in base 10 with periods (dots) separating them. Many Internet application programs accept dotted decimal notation in place of destination machine names.

DTE (Data Terminal Equipment)
Term X.25 protocol standards apply to computers and/or terminals to distinguish them from the packet switching network to which they connect. Also see DCE.

E

EARN (European Academic Research Network)
A network using BITNET technology to connect universities and research labs in Europe. EARN interconnects with BITNET in the U.S. and allows electronic mail transfer as well as remote job entry.

EGP (Exterior Gateway Protocol)
The protocol used by a gateway in one autonomous system to advertise the Internet addresses of networks in that autonomous system to a gateway in another autonomous system. Every autonomous system must use EGP to advertise network reachability to the core gateway system.

EIA (Electronics Industry Association)
A [...]

Encapsulation
[...] Encapsulation often means that packets traveling across a physical network have a sequence of headers in which the first header comes from the physical network frame, the next from the Internet Protocol, the next from the transport protocol, and so on.

Epoch Date
A point in history chosen as the date from which time is measured. The Internet uses January 1, 1900, Universal Time (formerly called [...]

Ethernet
[...] system that uses CSMA/CD technology. Xerox Corporation, Digital Equipment Corporation, and Intel Corporation developed and published the standard for 10 Mbps Ethernet. Originally, the coaxial cable specified for Ethernet was a 1/2 inch diameter heavily shielded cable. However, many office environments now use a lighter coaxial cable sometimes called thinnet or cheapernet. It is also possible to run Ethernet over shielded twisted pair cable. A baseband, CSMA/CD local area network which allows up to 1,024 stations to send frames to one another with digital signalling rates of 10 million bits per second.

F

FDDI (Fiber Distributed Data Interface)
An emerging standard for a network technology based on fiber optics that has been established by the American National Standards Institute (ANSI). FDDI specifies a 100 mbps data rate using 1300 nanometer light wavelength and limits networks to approximately 200 km in length, with repeaters every 2 km or less. The access control mechanism uses token-ring technology.

File Server
A process running on a computer that provides access to files on that computer to programs running on remote machines. The term is often loosely applied to computers that run file server programs.

finger
A command that shows user information on either a local system or other systems within a network.

Flat Namespace
Characteristic of any naming in [...] administers them (for example, telephone numbers that are divided into area code, exchange, and subscriber).

Flow Control
Control of the rate at which hosts or gateways inject packets into a network or Internet, usually to avoid congestion. Flow control mechanisms can be implemented at various levels.

[...] header declare whether a datagram is a fragment, and if so, the offset of the fragment in the original datagram. IP software at the receiving end must reassemble fragments into complete datagrams.

Frame
Literally, a packet as it is transmitted across a serial line. The term derives from character oriented protocols that added special start-of-frame [...] refer to the objects that physical networks transmit, even if the network does not use traditional framing. (X.25 networks use the term to specifically refer to the format of data transferred between a host and a packet switch.)

FTP (File Transfer Protocol)
The Internet standard, high level protocol for transferring files from one machine to another. Usually implemented as application level programs, FTP uses the TELNET and TCP protocols. The server side requires a client to supply a login identifier and password before it will honor requests.

Fuzzball
Term applied to both a piece of gateway software and the Digital Equipment Corporation LSI-11 computer on which it runs. NSFnet uses fuzzballs as packet switches on its backbone network.

FYI (For Your Information)
A subset of the RFCs that are not technical standards or descriptions of protocols. FYIs convey general information about topics related to TCP/IP or the connected Internet.

G

gated (GATEway Daemon)
A program that runs under 4.3 BSD UNIX on a gateway to allow the gateway to collect information from within one autonomous system using RIP, HELLO, or other interior gateway protocols, and to advertise routes to another autonomous system using the exterior gateway protocol, EGP.

Gateway
A special purpose, dedicated computer that attaches to two or more networks and routes [...] that transfers information from one network to another, as in mail gateway. Although the original literature used the term gateway, vendors often called them IP routers. A device, or pair of devices, which interconnect two or more networks or subnetworks enabling the [...]

GGP
[...] routing information at all gateways agrees. GGP is now obsolete.

Gopher
An Internet navigation tool that allows you to search the Internet by selecting resources from a menu on a public Gopher server.
and end-of-frame characters when transmitting
packets. We use the term throughout this book to
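The entry on IP fragments above (its headword is cut off on this page) says that header fields mark whether a datagram is a fragment and where it sits in the original, and that the receiver must reassemble. The following added example, written for this edit and not taken from the course or from AIX, shows both ends in Python: splitting a payload into fragments that fit a link's MTU, and a receiver that reassembles fragments arriving in any order while refusing overlapping ones. The overlap check is the part a practitioner wants, because overlapping fragments have been used to slip past packet filters and to crash IP stacks. The MTU, identifier and payload used are constructed sample input.

```python
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535          # largest IP datagram the 16-bit total length field allows

# One fragment as the IP header describes it: identification, fragment offset
# (in 8-byte units), the "more fragments" flag, and the data carried.
Fragment = Tuple[int, int, bool, bytes]


def fragment(payload: bytes, mtu: int, ident: int, header_len: int = 20) -> List[Fragment]:
    """Split a datagram payload for a link whose MTU cannot carry it whole.

    Every fragment except the last carries a multiple of 8 bytes, because the
    offset field counts in 8-byte units.  mtu, ident and payload are the
    caller's constructed sample input.
    """
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags: List[Fragment] = []
    for pos in range(0, len(payload), chunk):
        data = payload[pos:pos + chunk]
        more = pos + len(data) < len(payload)
        frags.append((ident, pos // 8, more, data))
    return frags


class Reassembler:
    """Receiver-side reassembly, one buffer per identification value.

    Fragments may arrive in any order.  A fragment that overlaps one already
    held, or that would extend past MAX_DATAGRAM or past the declared end,
    aborts that datagram.  This is a strict policy (exact duplicates are
    refused too) chosen to defeat overlap tricks against filters and stacks.
    """

    def __init__(self) -> None:
        self.buffers: Dict[int, Dict] = {}

    def add(self, ident: int, offset8: int, more: bool, data: bytes) -> Optional[bytes]:
        """Store one fragment; return the whole datagram once every piece is present."""
        start, end = offset8 * 8, offset8 * 8 + len(data)
        if end > MAX_DATAGRAM:
            raise ValueError("fragment extends beyond maximum datagram size")
        if more and len(data) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        buf = self.buffers.setdefault(ident, {"pieces": {}, "total": None})
        for s, d in buf["pieces"].items():
            if start < s + len(d) and s < end:
                del self.buffers[ident]          # discard everything held for this datagram
                raise ValueError("overlapping fragment")
        if not more:
            if buf["total"] is not None and buf["total"] != end:
                del self.buffers[ident]
                raise ValueError("conflicting final fragment")
            buf["total"] = end
        if buf["total"] is not None and end > buf["total"]:
            del self.buffers[ident]
            raise ValueError("fragment beyond declared end of datagram")
        buf["pieces"][start] = data
        if buf["total"] is None or not self._contiguous(buf):
            return None                           # still waiting for pieces
        datagram = b"".join(buf["pieces"][s] for s in sorted(buf["pieces"]))
        del self.buffers[ident]
        return datagram

    @staticmethod
    def _contiguous(buf: Dict) -> bool:
        """True when the held pieces cover [0, total) with no gaps."""
        pos = 0
        for s in sorted(buf["pieces"]):
            if s != pos:
                return False
            pos += len(buf["pieces"][s])
        return pos == buf["total"]
```

A real stack also times out incomplete buffers; that is omitted here so the example stays focused on the offset arithmetic and the overlap check.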
X-4 TCP/IP for AIX Administrators © Copyright IBM Corp. 2010, 2013
Course materials may not be reproduced in whole or in part
without the prior written permission of IBM.
to discover minimal delay routes. It is important to the Internet primarily because fuzzballs on the NSFnet backbone use it.

Hierarchical Routing Routing that is based on a hierarchical addressing scheme. Most Internet routing is based on a 2-level hierarchy in which an Internet address is divided into a network portion and a host portion. Gateways use only the network portion until the datagram reaches a gateway that can deliver it directly. Subnetting introduces additional levels of hierarchical routing.

Hop Count A measure of distance between two points in the Internet. A hop count of n means that n gateways separate the source and destination.

Host Any computer system that connects to a network, particularly a source or destination of messages on a communications network.

I

IAB (Internet Architecture Board) A group who set policy and standards for TCP/IP and the connected Internet. The IAB was reorganized in 1989, with technical people moved to research and engineering subgroups. See IRTF and IETF.

ICMP (Internet Control Message Protocol) An integral part of the Internet Protocol (IP) that handles error and control messages. Specifically, gateways and hosts use ICMP to send reports of problems about datagrams back to the original source that sent the datagram. ICMP also includes an echo

applied to any protocol used to propagate network reachability and routing information within an autonomous system. Although there is no single standard IGP, RIP is among the most popular.

inetd Provides Internet service management for a network. It invokes other daemons, such as telnet and ftp, only when they are needed.

INOC (Internet Network Operations Center) A subgroup of the NOC at BBN that monitors and

first two. The Internet reaches many universities, government research labs, and military installations and over a dozen countries.

Internet Address See IP address.

InterNIC A group responsible for providing users with information about TCP/IP and the connected Internet. The InterNIC registers new users and domains, assigns network numbers, and distributes RFCs and other documents related to TCP/IP.

IP (Internet Protocol) The Internet standard protocol that defines the Internet datagram as the unit of information passed across the Internet and provides the basis for the Internet connectionless, best-effort packet delivery service. IP includes ICMP control and error message protocol as an integral part. The Internet protocol suite is often referred to as TCP/IP because IP is one of the two most fundamental protocols.

IP Address The 32-bit address assigned to hosts that want to participate in the Internet using TCP/IP. Internet addresses are the abstraction of physical hardware addresses just as the Internet is an abstraction of physical networks. Actually assigned to the interconnection of a host to a physical network, an Internet address consists of a network portion and a host portion. The partition makes routing efficient.

IP Datagram The basic unit of information passed across the Internet. An IP datagram is to the Internet as a hardware packet is to a physical network. It contains a source and destination address along with data.

is best known for its 7-layer reference model that describes the conceptual organization of protocols and its slowly emerging suite of protocols for Open System Interconnection. The OSI protocols most like the TCP/IP protocol suite are known as TP-4/IP.

ISO Reference Model The International Standards Organization Reference Model for Open Systems Interconnection — A standard approach to network design which introduces modularity by dividing the complex set of functions into more manageable,
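The Hierarchical Routing and IP Address entries above describe the network/host partition that gateways route on, and the Subnet Address entry later in this glossary explains how a site extends that hierarchy internally while the outside world still sees one network number. The following added example, written for this edit and not code from the course or from AIX, makes that concrete in Python: splitting an address under a mask, writing it in network byte order as it appears in a datagram header, and a longest-prefix route lookup run against two constructed tables, one for a router outside the site and one for a host on one of the site's subnets. All addresses, tables and interface names (en0, en1) are constructed sample data.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple


def split_address(addr: str, mask: str) -> Tuple[str, str]:
    """Divide a dotted-quad address into its network and host portions under mask."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & ~m & 0xFFFFFFFF)
    return str(network), str(host)


def to_network_order(addr: str) -> bytes:
    """Four bytes, most significant first, as the address appears in an IP header."""
    return struct.pack("!I", int(ipaddress.IPv4Address(addr)))


def from_network_order(raw: bytes) -> str:
    """Inverse of to_network_order; '!' makes struct use big-endian whatever the host CPU is."""
    return str(ipaddress.IPv4Address(struct.unpack("!I", raw)[0]))


# A routing table entry: destination network, gateway (None = deliver directly), interface.
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


def next_hop(dest: str, table: List[Route]) -> Tuple[Optional[str], str]:
    """Longest-prefix match: the most specific network containing dest wins.

    Returns (gateway, interface); a gateway of None means the destination is
    on a directly attached network and the datagram is delivered without one.
    """
    d = ipaddress.IPv4Address(dest)
    best: Optional[Route] = None
    for net, gateway, ifname in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


# Constructed sample tables.  The site owns 192.0.2.0/24 and subnets it into
# /26 pieces internally; a router outside the site never sees the subnets.
OUTSIDE_ROUTER: List[Route] = [
    (ipaddress.IPv4Network("192.0.2.0/24"), "198.51.100.2", "en1"),   # whole site via its border gateway
    (ipaddress.IPv4Network("0.0.0.0/0"), "198.51.100.1", "en1"),      # default route
]

# A host inside the site on subnet 192.0.2.64/26 (mask 255.255.255.192).
INSIDE_HOST: List[Route] = [
    (ipaddress.IPv4Network("192.0.2.64/26"), None, "en0"),             # own subnet: direct delivery
    (ipaddress.IPv4Network("192.0.2.128/26"), "192.0.2.126", "en0"),  # sister subnet via internal router
    (ipaddress.IPv4Network("0.0.0.0/0"), "192.0.2.65", "en0"),        # everything else via border gateway
]
```

The same destination, 192.0.2.130, resolves to "send to the site's border gateway" on the outside router and to "send to the internal subnet router" on the inside host, which is exactly the two-level view the Subnet Address entry describes.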
2. Data Link Layer — the level at which information is moved reliably across the physical link.

3. Network Layer — the level at which connections between systems are established, maintained and terminated; concerned with switching and routing information.

4. Transport Layer — the level at which end-to-end data integrity and quality of service are ensured.

5. Session Layer — the level which standardizes the tasks of setting up a session and terminating it; coordinates interaction between end-application processes.

6. Presentation Layer — the level at which the character set and data code are specified — as well as the way data is displayed on a screen or printer.

7. Application Layer — concerned with the higher level functions which provide support to the application of system activities.

K

kbps (Kilo Bits Per Second) A measure of the rate of data transmission. Also see mbps and baud.

L

LAN (Local Area Network) Any physical network technology that operates at high speed (usually tens of megabits per second through several gigabits per second) over short distances (up to a few thousand meters). Examples include Ethernet and proNET-10. See MAN and WAN. A network connecting various electronic devices in a localized geographical area

derived from the ISO 7-layer reference model. For long haul networks, level 2 refers to the communication between a host computer and a network packet switch (for example, HDLC/LAPB). For local area networks, level 2 refers to physical frame format and addressing. Thus, a level 2 address is a physical frame address (for example,

passing between two networks to ensure that it meets administrative constraints. In particular, mail bridges between the ARPANET and MILNET do not permit arbitrary mail flow.

Mail Exploder Part of an electronic mail system that accepts a piece of mail and a list of addresses as input and sends a copy of the message to each address on the list. Most electronic mail systems incorporate a mail exploder to allow users to define mailing lists locally.

Mail Gateway A machine that connects to two or more electronic mail systems (especially dissimilar mail systems on two different networks) and transfers mail messages among them. Mail gateways usually capture an entire mail message, reformat it according to the rules of the destination mail system, and then forward the message. See mail bridge.

MAN (Metropolitan Area Network) Any of several new physical network technologies that operate at high speeds (usually hundreds of megabits per second) over distances sufficient for a metropolitan area. See LAN and WAN.

mbps (Millions of Bits Per Second) A measure of the rate of data transmission.

MIB (Management Information Base) The set of variables (database) that a gateway running CMOT or SNMP maintains. Managers can fetch or store into these variables. MIB-II refers to an extended management database that contains variables not shared by both CMOT and SNMP. See also CMOT and SNMP.

MILNET (MILitary NETwork) Originally part of the ARPANET, MILNET was partitioned in 1984 to make it possible for military installations to have reliable network service while the ARPANET continued to be used for research. MILNET uses exactly the same hardware and protocol technology as ARPANET. Under normal circumstances, MILNET is part of the

physical network. For local area networks like the Ethernet, the MTU is determined by the network standard. For long haul networks that use serial lines to interconnect packet switches, the MTU is determined by software.

Multi-homed Host An Internet host with
N

Name Resolution The process of mapping a name into a corresponding address. The domain name system provides a mechanism for naming computers in which programs use remote name servers to resolve machine names into IP addresses for those machines.

NetBIOS (Network Basic Input Output System) NetBIOS is the standard interface to networks on IBM PC and compatible personal computers. In a TCP/IP Internet, NetBIOS refers to a set of guidelines that describes how to map NetBIOS operations into equivalent TCP/IP operations. For example, one of the NetBIOS naming operations maps into domain name system interactions.

Network Byte Order The TCP/IP standard for transmission of integers that specifies that the most significant byte appears first (big endian). Sending machines are required to translate from the local integer representation to network byte order, and receiving machines are required to translate from network byte order to the local machine representation.

NFS (Network File System) A protocol developed by SUN Microsystems that uses IP to allow a set of cooperating computers to access each other's file systems as if they were local. The key advantage of NFS over conventional file transfer protocols is that NFS hides the differences between local and remote files by placing them in the same name space. NFS was designed for UNIX systems, but has been implemented for many systems including personal computers like the IBM PC and Apple Macintosh.

NIS A distributed database system which allows the sharing of system information. Examples of system information that can be shared include the /etc/passwd, /etc/group, /etc/hosts files.

NOC (Network Operations Center) The

Internet that provides high-speed access to scientific and educational institutions.

NSF (National Science Foundation) A government agency that has funded the development of a cross country backbone network as well as regional networks designed to connect scientists to the connected Internet. NSF has also funded individual researchers working in the network area as well as large projects spanning multiple institutions like CSNET.

NSFNET (National Science Foundation NETwork) Loosely used to describe collectively the cross country backbone, mid-level networks, and supercomputer consortia networks that have all been started with NSF seed funds. In a narrow sense, NSFNET refers only to the backbone network.

O

OSF (Open Software Foundation) A consortium of hardware manufacturers who attempt to set common standards for open systems, including operating systems and networks. Emerging OSF standards include the OSF/1 operating system, Distributed Computing Environment (DCE) and Distributed Management Environment (DME).

OSI (Open Systems Interconnect) A reference to protocols, specifically ISO standards, for the interconnection of cooperative computer systems.

OSPF Open Shortest Path First. It is an interior gateway protocol based on a link state protocol model and is currently a "Proposed Standard" for Internet routing in autonomous systems.

P

Packet The unit of data sent across a packet switching network. The term is used loosely. While some TCP/IP literature uses it to refer specifically to data sent across a physical network, other literature views an entire Internet as a packet switching network and describes IP datagrams as packets.

PAD (Packet Assembler Disassembler) A term used with X.25 networks that refers to a terminal multiplexer device that forms a connection between terminals and hosts across an X.25 network. A PAD accepts characters from a conventional terminal and sends them across an X.25 network; it accepts packets from an X.25 network, extracts characters, and displays them on a terminal.

ping (Packet InterNet Groper) The name of a program used in the Internet to test reachability of destinations by sending them an ICMP echo request and waiting for a reply. The term has survived the original program and is now used like a verb as in, "please ping host A to see if it is alive."

are sent across a wire), or high-level exchanges between application programs (for example, the way in which two programs transfer a file across an Internet). Most protocols include both intuitive descriptions of the expected interactions as well as more formal specifications using finite state machine models.

Protocol Port The abstraction that transport protocols use to distinguish among multiple destinations within a given host computer. TCP/IP protocols identify ports using small positive integers. Usually, the operating system allows an application program to specify which port it wants to use. Some ports are reserved for standard services (for example, electronic mail).
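The ping entry above describes sending an ICMP echo request and waiting for the reply; the ICMP entry earlier says echo is part of ICMP, and the Segment and UDP entries mention the checksum that protects received data. The following added example, written for this edit and not taken from the course or from the AIX ping command, builds an echo request with the Internet checksum (the same RFC 1071 algorithm IP, ICMP, UDP and TCP use), and validates a reply before trusting it: checksum, type, identifier and sequence must all match, so a corrupted or unrelated message is never reported as "alive". A raw-socket ping() is included for completeness; it needs root and a real network, while everything else runs offline on constructed messages. The identifier, sequence and payload values are constructed.

```python
import os
import socket
import struct
import time
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def internet_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071) shared by IP, ICMP, UDP and TCP.

    16-bit words are summed in network byte order, carries are folded back in,
    and the one's complement of the result is returned.
    """
    if len(data) % 2:                      # an odd trailing byte is padded with zero
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                     # fold carries until the sum fits 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type, code, checksum, identifier, sequence, then data."""
    ident, seq = ident & 0xFFFF, seq & 0xFFFF
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_echo_reply(request: bytes) -> bytes:
    """What the destination returns: same identifier, sequence and data, type 0."""
    _, code, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, code, 0, ident, seq)
    csum = internet_checksum(header + request[8:])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, code, csum, ident, seq) + request[8:]


def parse_echo_reply(message: bytes, ident: int, seq: int) -> Optional[bytes]:
    """Return the echoed data if message is an intact reply to (ident, seq), else None.

    Summing a message together with its own checksum field yields 0 when it is
    intact, so a corrupted reply, or one carrying another sender's identifier
    and sequence, is discarded instead of being counted as a response.
    """
    if len(message) < 8 or internet_checksum(message) != 0:
        return None
    kind, code, _, rid, rseq = struct.unpack("!BBHHH", message[:8])
    if kind != ICMP_ECHO_REPLY or code != 0 or rid != (ident & 0xFFFF) or rseq != (seq & 0xFFFF):
        return None
    return message[8:]


def ping(host: str, timeout: float = 1.0) -> Optional[float]:
    """Send one echo request over a raw socket (requires root); return the RTT in seconds or None."""
    ident, seq = os.getpid(), 1
    request = build_echo_request(ident, seq, b"ping-example")
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        sent = time.monotonic()
        sock.sendto(request, (host, 0))
        try:
            while True:
                datagram, _ = sock.recvfrom(1500)
                ihl = (datagram[0] & 0x0F) * 4        # the raw socket hands back the IP header too
                if parse_echo_reply(datagram[ihl:], ident, seq) is not None:
                    return time.monotonic() - sent
        except socket.timeout:
            return None
```

Note that the checksum only detects accidental corruption; it is not a cryptographic integrity check, and nothing in ICMP authenticates who answered.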
PSN (Packet Switch Node) The name of an ARPANET packet switch; PSNs were formerly called IMPs. PSNs were implemented with BBN C30 or BBN C300 mini-computers and execute packet switch software under control of the Network Operation Center at BBN. Each PSN connected to at least two other PSNs as well as from 1 to 16 host computers.

R

RARP (Reverse Address Resolution Protocol) The Internet protocol a diskless machine uses at startup to find its Internet address. The machine broadcasts a request that contains its physical hardware address and a server responds by sending the machine its Internet address. RARP takes its name and the message format from another Internet address resolution protocol, ARP.

rcp Part of the Berkeley set of network commands. Transfers files between a local and a remote host or between two remote hosts.

Regional Net The original term applied to NSFNET mid-level networks.

Repeater A hardware device that copies electrical signals from one Ethernet to another. Typically, sites that have repeaters use them to connect a physical Ethernet cable on each floor of a building to a backbone cable. The chief disadvantage of a repeater compared to a bridge is that it transfers electrical noise as well as packets. At most, two repeaters can appear between any two machines connected to an Ethernet.

rexec Part of the Arpanet set of network commands. It executes commands one at a time on a remote host.

available on-line from the Network Information Centre.

RIP (Routing Information Protocol) The protocol used by Berkeley 4.3 BSD UNIX systems to exchange routing information among a (small) set of computers. Usually, the participating machines all attach to a single local area network. Implemented by the UNIX program routed, RIP derives from an earlier protocol of the same name developed at Xerox.

rlogin (Remote LOGIN) The service offered by Berkeley 4.3 BSD UNIX systems that allows users of one machine to connect to other UNIX systems across an Internet and interact as if their terminals connected to the machines directly. Although rlogin offers essentially the same service as TELNET, it is superior because the software passes information about the user's environment (for example, terminal type) to the remote machine.

Route In general, a route is the path that network traffic takes from its source to its destination. In a TCP/IP Internet, each IP datagram is routed separately; the route a datagram follows may include many gateways and many physical networks.

routed (Route Daemon) A program that runs under 4.3BSD UNIX to propagate routes among machines on a local area network. It uses the RIP protocol. Pronounced "route-d."

Router Generically, any machine responsible for making decisions about which of several paths network traffic follows. At the lowest level, a physical network bridge is a router because it chooses whether to pass packets from one physical wire to another. Within a long-haul network, each individual packet switch is a router because it chooses routes for individual packets. In a TCP/IP Internet, each IP gateway is a router because it uses IP destination addresses to choose routes.

RS232 A standard by EIA that specifies the electrical characteristics of slow speed interconnections between terminals and computers or between two computers. The specification limits speeds to 20 Kbps and distance to 500 feet, but many manufacturers support speeds of 38.4 Kbps and/or longer distances. Although the standard commonly used is RS232C, most people refer to it as RS232.

rsh Part of the Berkeley set of network commands. It executes the specified command at the remote host or logs into the remote host.

Segment The unit of transfer sent from TCP on one machine to TCP on another. Each segment contains part of a stream of bytes being sent between the machines as well as additional fields that identify the current position in the stream and contain a checksum to ensure validity of received data.

Sliding Window Characteristic of those protocols that, when sending a stream of bytes, allow the sender to transmit up to n packets before an acknowledgement arrives. After the sender receives an acknowledgement for the first outstanding

connection considered a unique network.

SLIPLOGIN An inexpensive, password-protected TCP/IP point-to-point serial connection that is activated upon a call-in or dial-in process.

SMTP (Simple Mail Transfer Protocol) The TCP/IP standard protocol for transferring electronic mail messages from one machine to another. SMTP specifies how two mail systems interact and the
format of control messages they exchange to transfer mail.

SNA (System Network Architecture) The name applied to an architecture and a class of network products offered by IBM Corporation. SNA does not interoperate with TCP/IP.

SNMP (Simple Network Management Protocol) A standard protocol used to monitor IP gateways and the networks to which they attach. SNMP defines a set of variables that the gateway must keep and specifies that all operations on the gateway are a side effect of fetching or storing to the data variables. Also see CMOT and MIB.

Socket The abstraction provided by Berkeley 4.3 BSD UNIX that allows a process to access the Internet. A process opens a socket, specifies the service desired (for example, reliable stream delivery), binds the socket to a specific destination, and then sends or receives data.

Source Route A route that is determined by the source. TCP/IP implements source routing by using an option field in an IP datagram. The source fills in a sequence of machines that the datagram must visit along its trip to the destination. Each gateway along the path honors source routing by following the list of machines to visit instead of following the usual route to the destination.

Subnet Address An extension of the IP addressing scheme that allows a site to use a single IP network address for multiple physical networks. Outside of the site using subnet addressing, routing continues as usual by dividing the destination address into a network portion and local portion. Gateways and

TCP (Transmission Control Protocol) The TCP/IP standard transport level protocol that provides the reliable, full duplex, stream service on which many application protocols depend. TCP allows a process on one machine to send a stream of data to a process on another. It is connection-oriented in the sense that before transmitting data, participants

The entire protocol suite is often referred to as TCP/IP because TCP and IP are the two most fundamental protocols.

TELNET The TCP/IP standard protocol for remote terminal connection service. TELNET allows a user at one site to interact with a remote timesharing system at another site as if the user's terminal connected directly to the remote machine. That is, the user invokes a TELNET application program that connects to a remote machine, prompts for a login id and password, and then passes keystrokes from the user's terminal to the remote machine and displays output from the remote machine on the user's terminal. Those keystrokes, password included, are not encrypted in transit.

TFTP (Trivial File Transfer Protocol) The TCP/IP standard protocol for file transfer with minimal capability and minimal overhead. TFTP depends only on the unreliable, connectionless datagram delivery service (UDP), so it can be used on machines like diskless workstations that keep such software in ROM and use it to bootstrap themselves. TFTP has no login step, so a server must restrict which files it will serve.

Token Bus A type of network technology in which permission to transmit is specifically passed from one station to another as a means for governing shared access to the channel.

Token Ring When used in the generic sense, a type of network technology that controls media access by passing a distinguished packet, called a token, from machine to machine. A computer can only transmit a packet when holding the token. When used in a specific sense, it refers to the token ring network hardware produced by IBM.

Topology A description of how stations on a network connect to a cable. Examples of specific topologies include: Bus, Ring, Star and Tree. Two kinds of topology include:

1. Physical topology — The configuration of network nodes and links. Description of the physical geometric arrangement of the links and nodes that make up a network, as determined by their physical connections.

TP-4 protocols provide reliable stream delivery service using basically the same techniques of positive acknowledgement and retransmission.

Trailer Protocol A nonconventional method of encapsulating IP datagrams for transmission across a local area network (for example, Ethernet). Trailer

Transceiver A device that connects a host interface to a local area network (for example, Ethernet). Ethernet transceivers contain analog electronics that apply signals to the cable and sense collisions.

TTL (Time To Live) A technique used in best-effort delivery systems to avoid endlessly looping packets. For example, each IP datagram is assigned an integer time to live when it is created. IP gateways decrement the time to live field when they process a
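The Source Route entry above explains that each gateway honors the list of machines carried in the IP option, and the TTL entry says gateways decrement the time to live as they process a datagram. The following added example, written for this edit and not code from the course or from AIX, parses the IPv4 option list, extracts a loose or strict source route, and implements the input check a gateway or host should apply: drop source-routed datagrams unless explicitly allowed (the option lets a sender steer traffic past address-based filtering and reach hosts that trust a spoofed source), drop when the TTL is exhausted, and otherwise decrement the TTL and recompute the header checksum that covers it. The sample headers are constructed. On AIX the corresponding kernel settings are the no tunables ipsrcrouterecv, ipsrcrouteforward and ipsrcroutesend (0 refuses source-routed datagrams); that pairing comes from the editor's knowledge of AIX, not from this page.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137     # loose / strict source route option types (RFC 791)


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words (header lengths are always even)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)      # two folds suffice for at most 30 words
    return (~total) & 0xFFFF


def parse_ipv4_options(header: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, body) for every option in an IPv4 header, validating lengths against IHL."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL does not match the bytes present")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        found.append((kind, opts[i + 2:i + opts[i + 1]]))
        i += opts[i + 1]
    return found


def source_route(header: bytes) -> Optional[Tuple[str, int, List[str]]]:
    """(kind, pointer, hop list) when the datagram carries LSRR or SSRR, else None."""
    for kind, body in parse_ipv4_options(header):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if not body or (len(body) - 1) % 4:
                raise ValueError("malformed source route option")
            hops = [str(ipaddress.IPv4Address(body[j:j + 4])) for j in range(1, len(body), 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", body[0], hops)
    return None


def forward_decision(header: bytes, allow_source_route: bool = False) -> Tuple[str, object]:
    """Gateway input check: ("drop", reason) or ("forward", header with TTL decremented)."""
    try:
        route = source_route(header)
    except ValueError as err:
        return ("drop", f"malformed options: {err}")
    if route is not None and not allow_source_route:
        return ("drop", f"{route[0]} via {route[2]}")
    if header[8] <= 1:                                # TTL byte; it would reach zero here
        return ("drop", "ttl exceeded")
    out = bytearray(header)
    out[8] -= 1
    out[10:12] = b"\x00\x00"                          # the checksum covers the TTL, so recompute it
    out[10:12] = struct.pack("!H", ipv4_header_checksum(bytes(out)))
    return ("forward", bytes(out))


def lsrr_option(hops: List[str], strict: bool = False) -> bytes:
    """Option bytes: type, length, pointer (4 = first address), then the route."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6, options: bytes = b"") -> bytes:
    """Constructed sample header with no payload; options are padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
```

The option walker deliberately validates every length against the IHL before trusting it: a header that claims more option bytes than are present, or an option whose length runs past the header, is treated as a reason to drop, not as something to be parsed leniently.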
Conceptually, the important difference between UDP and IP is that UDP messages include a protocol port number, allowing the sender to distinguish among multiple destinations (application programs) on the remote machine. In practice, UDP also includes a checksum over the data being sent.

Universal Time The international standard time reference that was formerly called Greenwich Mean Time. It is also called Coordinated Universal Time.

UUCP (UNIX-to-UNIX Copy Program) An application program developed in the mid 1970s for version 7 UNIX that allows one UNIX timesharing system to copy files to or from another UNIX timesharing system over a single (usually dialup) link. Because UUCP is the basis for electronic mail transfer in UNIX, the term is often used loosely to refer to UNIX mail transfer.

V

Veronica A server that builds a database of Gopher menus from all the Gopher servers referred to as Gopherspace.

Well-known Port Any of a set of protocol port numbers preassigned for specific uses by transport level protocols (that is, TCP and UDP). Servers follow the well-known port assignments so clients can locate them. Examples of well-known port numbers include ports assigned to echo servers,

CSNET that passed IP traffic between a subscriber site and the Internet using X.25.

X.400 The CCITT protocol for electronic mail that is expected to become widely accepted. The current version is X.400(88) because it was defined in 1988. Work is underway to make TCP/IP mail systems interoperate with X.400.

XDR (eXternal Data Representation) The standard for a machine independent data structure representation developed by SUN Microsystems. To use XDR, a sender translates from the local machine representation to the standard external representation and a receiver translates from the external representation to the local machine representation.

XNS (Xerox Network Standard) The term used collectively to refer to the suite of Internet protocols developed by researchers at Xerox Corporation. Although similar in spirit to the TCP/IP protocols, XNS uses different packet formats and terminology.

Xstation A high-function LAN-attached terminal whose function is limited to the functions of an X Window server.

be supplied by two name servers that have no common point of failure.
Bibliography

Manuals:
SG24-7204-00 Securing NFS in AIX
SG24-6657-00 Implementing NFSv4 in the Enterprise

Technical Education Courses:
AU07 ERC 10 AIX 6 Network Administration I
AU09 ERC 8 AIX 5L TCP/IP II: Problem Determination

Web URLs:
http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.doc/doc/base/aixparent.htm&tocNode=int_8
IBM's AIX 6.1 Information centre
CONTACT

Telephone
91 761 21 78
Get in touch with our team and we will answer any question or query you may have.

Email
formacion@arrowecs.es
Send us an email and we will attend to you right away.

Online
@Arrow_Edu_ES
You can also contact us through our Twitter profile.

Visit us
Arrow ECS Education Services
Avenida de Europa 21,
Parque Empresarial La Moraleja
28108 Alcobendas, Madrid

EDUCATION SERVICES