Sun Microsystems, Inc. UBRM05-104 500 Eldorado Blvd. Broomfield, CO 80021 U.S.A. Revision A.1 Student Guide Network Administration for the Solaris™ 10 Operating System SA-300-S10

SCNA for Solaris10 (TCP-IP) Cx310-203


March 9, 2005 2:48 pm


Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Sun, Sun Microsystems, the Sun logo, Solaris, Java, JumpStart, OpenBoot, Sun BluePrints, Sun Fire, and Sun StorEdge are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

Federal Acquisitions: Commercial Software – Government Users Subject to Standard License Terms and Conditions

Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile, or chemical biological weaponry end uses.

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED.

Export Commodity Classification Number (ECCN) assigned: 12 December 2001



Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1

Table of Contents

About This Course
  Course Goals
  Course Map
  Topics Not Covered
  How Prepared Are You?
  Introductions
  How to Use Course Materials
  Conventions
    Icons
    Typographical Conventions
    Additional Conventions

Introducing the TCP/IP Model
  Objectives
  Introducing Network Model Fundamentals
    Network Protocols
    Network Model Concepts
  Introducing the Layers of the TCP/IP Model
    Network Interface Layer
    Internet Layer
    Transport Layer
    Application Layer
  Describing Basic Peer-to-Peer Communication, Encapsulation, and Decapsulation
    Peer-to-Peer Communication
    Encapsulation and Decapsulation
  TCP/IP Protocols
  Exercise: Reviewing the TCP/IP Model
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions


Introducing LANs and Their Components
  Objectives
  Introducing Network Topologies
    Bus Topologies
    Star Topologies
    Ring Topologies
    VLAN Topologies
  Introducing LAN Media
    IEEE Identifiers
    IEEE 802.3 Types
  Introducing Network Devices
    Repeaters
    Hubs
    Bridges
    Switches
  Exercise: Reviewing LANs and Their Components
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions

Describing Ethernet Interfaces
  Objectives
  Introducing Ethernet Concepts
    Major Ethernet Elements
    CSMA/CD Access Method
    Full-Duplex and Half-Duplex Mode
    Ethernet Statistics
  Introducing Ethernet Frames
    Ethernet Addresses
    Setting a Local Ethernet Address
    Ethernet-II Frame Analysis
    Maximum Transmission Units
    Ethernet Frame Errors
  Using Network Utilities
    Using the snoop Utility
    Using the netstat Command
    Using the ndd Command
  Exercise: Reviewing Ethernet Interfaces
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions


Describing ARP and RARP
  Objectives
  Introducing ARP
    Purpose of ARP
    Operation of ARP
  Introducing RARP
    Purpose of RARP
    Operation of RARP
  Exercise: Reviewing ARPs and RARPs
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions

Configuring IP
  Objectives
  Introducing the Internet Layer Protocols
    Purpose of IP
    Purpose of ICMP
  Introducing the IP Datagram
    IP Datagram Header Fields
    IP Datagram Payload
  Introducing IP Address Types
    Unicast Addresses
    Broadcast Addresses
    Multicast Addresses
  Introducing Subnetting and VLSM
    Subnetting
    Netmasks
    Configuring the Netmask
    The /etc/inet/netmasks File
    VLSM
  Introducing the Interface Configuration Files
    The /etc/hostname.interface File
    The /etc/inet/hosts File
    The /etc/nodename File
  Administering Logical Interfaces
    Introducing Logical Interfaces
    Configuring Logical Interfaces
    Unconfiguring Logical Interfaces
  Exercise: Reviewing IP
    Preparation
    Task Summary
    Tasks
  Exercise Summary
  Exercise Solutions


Configuring IP Network Multipathing
  Objectives
  Increasing Network Availability
    Limitations of Network Interfaces
  Configuring IP Network Multipathing
    Introducing IPMP
    Probe-based IPMP Configuration
    Configuring Probe-based IPMP by Using Configuration Files
    Configuring Probe-based IPMP on the Command Line
    Link-based IPMP Configuration
    Configuring Link-based IPMP by Using Configuration Files
    Configuring a Singleton IPMP Group
    Viewing IPMP Operation
    Troubleshooting an IPMP Configuration
  Exercise: Configuring IPMP
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions

Configuring Routing
  Objectives
  Identifying the Fundamentals of Routing
    Purpose of Routing
    Types of Routes
  Introducing the Routing Table
    Static Routes
    Dynamic Routes
  Introducing Routing Protocol Types
    Autonomous Systems
    Interior Gateway Protocols
    Exterior Gateway Protocols
  Working With the Routing Table
    Displaying the Routing Table
    Introducing Routing Table Information
    Searching the Routing Table
    Associating Names and Network Numbers
  Configuring Static Routes
    Configuring Static Direct Routes
    Configuring the /etc/defaultrouter File
    Configuring the /etc/gateways File
    Configuring Static Routes on the Command Line
  Configuring Dynamic Routing


    RIP Version 1
    RIP Version 2
    The in.routed Daemon
    The RDISC Protocol
    ICMP Redirects
  Introducing CIDR
    Purpose of CIDR
    Operation of CIDR
  Configuring Routing at Boot Time
    Initializing a Router
    Configuring a Router Without Rebooting
    Initializing a Multihomed Host
    Initializing a Non-Router
  Troubleshooting Routing
    Troubleshooting the Router Configuration
    Troubleshooting Network Names
  Exercise: Reviewing Routing Configuration
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions

Configuring IPv6
  Objectives
  Introducing IPv6
    The Need for IPv6
    Features of IPv6
  Introducing IPv6 Addressing
    Address Types
    IPv6 Address Representation
    Format Prefixes
  Introducing IPv6 Autoconfiguration
    Stateful Autoconfiguration
    Stateless Autoconfiguration
    Interface Identifier Calculation
    Duplicate Address Detection
  Introducing Unicast Address Types
    Link-Local Addresses
    Site-Local Addresses
    Aggregatable Global-Unicast Addresses
    Prefix Notation
    Embedded IPv4 Addresses
    Unspecified Address Types
    Loopback Address Types
  Introducing Multicast Address Types


    Purpose of Multicast Addresses
    Scope Bits
    ICMPv6 Group Membership
  Enabling IPv6
    The in.ndpd Daemon on a Non-Router
    Configuring IPv6 on Non-Routers
    Troubleshooting a Non-Router Configuration
    The in.ndpd Daemon on the Router
    IPv6 Routing Information Protocol
    Configuring an IPv6 Router
    Configuring an IPv6 6to4 Router
    Configuring a 6to4 Boundary Router
    Troubleshooting a Router Configuration
  Managing IPv6
    Displaying the State of IPv6 Interfaces
    Modifying the Configuration of an IPv6 Interface
    Configuring Logical Interfaces
    Troubleshooting IPv6 Interfaces
    Displaying the IPv6 Routing Table
  Exercise 1: Configuring IPv6
    Preparation
    Task 1 – Configuring IPv6 on the Local Subnet
    Task 2 – Configuring 6to4 Routing
    Task 3 – Configuring IPv6 Across the Whole Network
  Exercise Summary
  Exercise 1 Solutions
    Task 1 – Configuring IPv6 on the Local Subnet
    Task 2 – Configuring 6to4 Routing
    Task 3 – Configuring IPv6 Across the Whole Network
  Configuring IPv6 Multipathing
    Configuring IPMP Manually
    Configuring IPMP at Boot Time
    Configure a Singleton IPMP Group in IPv6
  Exercise 2: Configuring IPv6 Multipathing
    Preparation
    Tasks
  Exercise Summary
  Exercise 2 Solutions
    Task Solutions


Describing the Transport Layer
  Objectives
  Introducing Transport Layer Fundamentals
    Protocol Characteristics
    Transport Protocols in TCP/IP
  Introducing UDP
    Purpose of UDP
    UDP Datagram Header
  Introducing TCP
    TCP Segment Header
    Virtual Circuit Connection
    Full-Duplex Connection
    Unstructured Stream Orientation
    Buffered Transfer
  Introducing TCP Flow Control
    Receiver-Side Window Advertisements
    Sender-Side Congestion Window
    TCP Large Window
  Exercise: Describing the Transport Layer
    Preparation
    Tasks
  Exercise Summary
  Exercise Solutions

Configuring DNS
  Objectives
  Introducing DNS Basics
    BIND
    Top-Level Domains
    Zones of Authority
    Server Types
    Answer Types
    Name-Resolution Process
    Resource Records
  Configuring a DNS Server
    Gathering Information
    Editing the BIND Configuration File
    Editing the named.root File
    Editing the Forward Domain File
    Editing the Reverse Domain File
    Editing the Reverse Loopback Domain File
    Configuring Dynamic Updates
    Configuring Security
    Configuring Secondary DNS Servers
    Checking Configuration and Database Files
    Configuring DNS Clients

Page 12: SCNA for Solaris10 (TCP-IP) Cx310-203

xiv Network Administration for the Solaris™ 10 Operating SystemCopyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1

Troubleshooting the DNS Server by Using BasicUtilities.......................................................................................... 10-33

Implementing named Logging............................................. 10-33Examining the/var/adm/messages File........................... 10-35Using the dig Utility ........................................................... 10-36Dumping a Snapshot of the DNS Database by

Using the rndc Utility ...................................................... 10-39Forcing the named Daemon to Reread the

Configuration and Changed Zone Files ......................... 10-44Managing a DNS Server by Using the rndc

Utility .................................................................................. 10-45 Exercise: Configuring DNS.......................................................... 10-50

Preparation............................................................................. 10-50Task Summary....................................................................... 10-51Tasks ....................................................................................... 10-51

Exercise Summary.......................................................................... 10-57Exercise Solutions .......................................................................... 10-58

Task Solutions........................................................................ 10-58

Configuring DHCP
  Objectives
  Introducing the Fundamentals of DHCP
    Purpose of DHCP
    DHCP Client Functions
    DHCP Server Functions
  Configuring a DHCP Server
    Configuring DHCP by Using Different Methods
    Performing Initial DHCP Server Configuration by Using the dhcpmgr Utility
    Adding Addresses by Using the dhcpmgr Utility
    Using the dhcpconfig Command
    Introducing DHCP Network Files
    Using the pntadm Command
    Introducing the dhcptab Table
  Configuring and Managing DHCP Clients
    Configuring a DHCP Client
  Troubleshooting a DHCP Server
  Troubleshooting DHCP Clients
  Exercise: Configuring a DHCP Server and Client
    Preparation
    Task Summary
    Task 1 – Configuring the DHCP Server
    Task 2 – Configuring the DHCP Client
    Task 3 – Using the snoop Utility to View DHCP Client-Server Interaction
  Exercise Summary
  Exercise Solutions
    Task 1 – Configuring the DHCP Server
    Task 2 – Configuring the DHCP Client
    Task 3 – Using the snoop Utility to View DHCP Client-Server Interaction

Configuring NTP
  Objectives
  Identifying NTP Basics
    How Computers Keep Time
    Uses of NTP
    NTP Terms
  Configuring an NTP Server
    Using an Undisciplined Local Clock
    Using External NTP Reference Servers
    Managing Daemons
    Determining NTP Peers
  Configuring an NTP Client
    Establishing Basic Configuration
    Starting the NTP Client Daemon
    Stopping the NTP Client Daemon
  Troubleshooting NTP
    Viewing Messages
    Using the snoop Utility
  Exercise: Configuring NTP
    Preparation
    Task Summary
    Tasks
  Exercise Summary
  Exercise Solutions
    Task Solutions

Configuring the Solaris™ IP Filter Firewall
  Objectives
  Identifying Firewall Basics
  Configuring the Behavior of the Solaris IP Filter Firewall
    Enabling Packet Filtering With the Solaris IP Filter Firewall
    Configuring the Solaris IP Filter Firewall Actions
    Configuring Packet Direction
    Configuring Filter Rules
    Configuring Specific Matching
    Changing and Updating the Solaris IP Filter Firewall Configuration
    Viewing the Solaris IP Filter Firewall Configuration
    Configuring Logging in the Solaris IP Filter Firewall
  Exercise: Configuring the Solaris IP Filter Firewall
    Preparation
    Task Summary
    Task 1 – Configuring Firewall Rules
    Task 2 – Disabling Services
  Exercise Summary
  Exercise Solutions
    Task 1 Solutions
    Task 2 Solutions

Bibliography
  Sun Microsystems Publications
  Books
  Online References
  RFCs

Glossary/Acronyms

Index


Preface

About This Course

Course Goals

Upon completion of this course, you should be able to:

● Configure the Network Interface layer

● Configure the network (Internet and Transport layers)

● Configure and manage network applications


Course Map

The course map enables you to see what you have accomplished and where you are going in reference to the instructional goals.

Configuring the Network Interface Layer

● Introducing the TCP/IP Model

● Introducing LANs and Their Components

● Describing Ethernet Interfaces

● Describing ARP and RARP

Configuring the Network

● Configuring IP

● Configuring IP Network Multipathing

● Configuring Routing

● Configuring IPv6

● Describing the Transport Layer

Configuring and Managing Network Applications

● Configuring the Solaris™ IP Filter Firewall

● Configuring DNS

● Configuring DHCP

● Configuring NTP


Topics Not Covered

This course does not cover the following topics. Many of these topics are covered in other courses offered by Sun Educational Services:

● Solaris™ Operating System (Solaris OS) system administration – Covered in SA-200-S10: Intermediate System Administration for the Solaris™ 10 Operating System and SA-202-S10: Advanced System Administration for the Solaris™ 10 Operating System

● Server storage administration – Covered in ES-222: Solaris™ Volume Manager Administration and ES-310: Volume Manager With Sun StorEdge™

● Network Information Services Plus (NIS+) – Covered in SA-385: NIS+ Administration

● Solaris OS tuning – Covered in SA-400: Solaris™ Systems Performance Management

● Network Troubleshooting – Covered in IN-425: TCP/IP Network Troubleshooting in the Solaris™ OS

Refer to the Sun Educational Services catalog for specific information and registration.


How Prepared Are You?

To be sure you are prepared to take this course, can you answer yes to the following questions?

● Can you perform basic host operations, such as startup and shutdown, to initialize certain network configuration changes?

● Can you manipulate startup and shutdown scripts to configure networks?

● Can you set up user accounts when configuring network services for system users?

● Can you locate and install network software packages required to set up various network services?


Introductions

Now that you have been introduced to the course, introduce yourself to the other students and the instructor, addressing the following items:

● Name

● Company affiliation

● Title, function, and job responsibility

● Experience related to topics presented in this course

● Reasons for enrolling in this course

● Expectations for this course


How to Use Course Materials

To enable you to succeed in this course, these course materials employ a learning module that is composed of the following components:

● Objectives – You should be able to accomplish the objectives after completing a portion of instructional content. Objectives support goals and can support other higher-level objectives.

● Lecture – The instructor will present information specific to the objective of the module. This information will help you learn the knowledge and skills necessary to succeed with the activities.

● Activities – The activities take on various forms, such as an exercise, self-check, discussion, and demonstration. Activities are used to facilitate mastery of an objective.

● Visual aids – The instructor might use several visual aids to convey a concept, such as a process, in a visual form. Visual aids commonly contain graphics, animation, and video.

Note – Many system administration tasks for the Solaris OS can be accomplished in more than one way. The methods presented in the courseware reflect recommended practices used by Sun Educational Services.


Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Icons

Discussion – Indicates a small-group or class discussion on the current topic is recommended at this time.

Note – Indicates additional information that can help students but is not crucial to their understanding of the concept being described. Students should be able to understand the concept or complete the task without this information. Examples of notational information include keyword shortcuts and minor system adjustments.

Caution – Indicates that there is a risk of personal injury from a nonelectrical hazard, or risk of irreversible damage to data, software, or the operating system. A caution indicates that the possibility of a hazard (as opposed to certainty) might happen, depending on the action of the user.


Typographical Conventions

Courier is used for the names of commands, files, directories, user names, host names, programming code, and on-screen computer output; for example:

Use the ls -al command to list all files.

host1# cd /home

Courier bold is used for characters and numbers that you type; for example:

To list the files in this directory, type the following:

# ls

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:

To delete a file, use the rm filename command.

Courier italic bold is used to represent variables whose values are to be entered by the student as part of an activity; for example:

Type chmod a+rwx filename to grant read, write, and execute rights for filename.

Palatino italics is used for book titles, new words or terms, or words that you want to emphasize; for example:

Read Chapter 6 in the User’s Guide.

These are called class options.


Additional Conventions

Java™ programming language examples use the following additional conventions:

● Method names are not followed with parentheses unless a formal or actual parameter list is shown; for example:

“The doIt method...” refers to any method called doIt.

“The doIt() method...” refers to a method called doIt that takes no arguments.

● Line breaks occur only where there are separations (commas), conjunctions (operators), or white space in the code. Broken code is indented four spaces under the starting code.

● If a command used in the Solaris OS is different from a command used in the Microsoft Windows platform, both commands are shown; for example:

If working in the Solaris OS

$ cd $SERVER_ROOT/bin

If working in Microsoft Windows

C:\> cd %SERVER_ROOT%\bin


Module 1

Introducing the TCP/IP Model

Objectives

This module describes the fundamentals of the Transmission Control Protocol/Internet Protocol (TCP/IP) model, including network protocols and concepts. This module also describes the layers of the TCP/IP model, including the Network Interface, Internet, Transport, and Application layers. In addition, this module describes basic peer-to-peer communication and some common TCP/IP protocols.

Upon completion of this module, you should be able to:

● Describe network model fundamentals

● Describe the layers of the TCP/IP model

● Describe basic peer-to-peer communication and related protocols

● Identify TCP/IP protocols

The course map in Figure 1-1 shows how this module fits into the current instructional goal.

Figure 1-1 Course Map

[Figure: Configuring the Network Interface Layer – Introducing the TCP/IP Model, Introducing LANs and Their Components, Describing Ethernet Interfaces, Describing ARP and RARP]


Introducing Network Model Fundamentals

The fundamentals required to understand computer networking are the network model, the functions of the layers, and the protocols that govern data transfer between two or more systems.

Network Protocols

Computer networks use protocols to communicate. Protocols define the procedures to be followed by the systems involved in the communication process. A data communication protocol is a set of rules that must be followed for two electronic devices to communicate with each other. These rules describe:

● Syntax – Data format and coding

● Semantics – Control information and error handling

● Timing – Speed matching and sequencing

Functions of Protocols

A protocol defines how systems can communicate and facilitates communication between software, firmware, and other devices in data transfer.

Each protocol provides a function essential for data communication. Each software module that implements a protocol can be developed and updated independently of other modules, as long as the interface between the modules remains constant.

Many protocols provide and support data communication. Many protocols are used so that communication can be broken into smaller, manageable processes. They form a communication architecture, also known as a protocol stack. The TCP/IP model is a protocol stack used by the Solaris OS for data communication.


The features of a protocol stack are:

● Each layer has a specific purpose and exists on both the source and destination hosts.

● Each layer communicates with its peer layer on another host in a given process of communication.

● Each layer on a host acts independently of other layers on the same machine but is synchronous with the same layer on other hosts.

Network Model Concepts

A networking model refers to a common structure that enables communication between two or more systems.

Networking models consist of layers. You can think of layers as a series of steps or functions that must be sequentially completed for communication to occur between two systems.

The following mapping helps you to understand the network model:

● Model = structure

● Layer = functions

● Protocol = rules

Advantages of Using a Layered Model

Some of the advantages of a layered model are that it:

● Separates the complexity of networking into many functions or layers

● Enables you to introduce changes or new features in one layer without having to change the other layers

● Provides a standard to follow, enabling inter-operability between software and hardware vendors

● Simplifies troubleshooting


Introducing the Layers of the TCP/IP Model

Table 1-1 shows the four layers of the TCP/IP model. The TCP/IP model is a four-layered structure resting on a common hardware platform. The TCP/IP model was developed by the United States Department of Defense (DOD) in the 1970s. It has standards that are defined and described in Request for Comment (RFC) documents.

RFCs are a frame of reference for describing the protocol architecture and functions specific to the TCP/IP protocol stack. For a complete listing of RFCs, visit http://www.ietf.org/rfc.html .

Table 1-1 TCP/IP Network Model

| TCP/IP Layer | Description |
|---|---|
| Application | ● Consists of user-accessed application programs and network services ● Defines how cooperating networks represent data |
| Transport | ● Manages the transfer of data by using acknowledged and unacknowledged transport protocols ● Manages the connections between cooperating applications |
| Internet | ● Manages data addressing and delivery between networks ● Fragments data for the Network Interface layer |
| Network Interface | ● Manages the delivery of data across the physical network ● Provides error detection and packet framing |


Network Interface Layer

Figure 1-2 shows the position of the Network Interface layer in the TCP/IP network model. The primary functions of this layer are:

● Managing the delivery of data across the physical network

● Detecting errors

● Framing packets

Figure 1-2 TCP/IP Network Interface Layer

The Network Interface layer services the Internet layer by providing communication between nodes on the same network. This layer defines how bits are assembled into manageable units of data. A packet data unit (PDU) is a structured series of bits with a well-defined beginning and a well-defined end. Figure 1-3 shows a specific type of PDU known as an Ethernet frame, where the bits are divided into fields containing information labels, such as preamble, destination and source hardware address, frame length or type, data, and cyclic redundancy check (CRC).

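Figure 1-3 Structure of a Frame

[Figures 1-2 and 1-3: the TCP/IP layer stack (Application, Transport, Internet, and Network Interface layers above the Hardware layer), with the packet data unit at the Network Interface layer, and an Ethernet frame with the fields Preamble, Destination Address, Source Address, Type, Data, and CRC]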


Examples of Network Interface layer protocols are:

● Institute of Electrical and Electronics Engineers (IEEE) 802.3 – Ethernet standards

● IEEE 802.4 – Token bus standards

● IEEE 802.5 – Token ring standards

● IEEE 802.11 – Wireless network standards

Internet Layer

The Internet layer attempts to ensure that messages reach their destination system using the most efficient route. Figure 1-4 shows the position of the Internet layer in the TCP/IP network model. The primary functions of the Internet layer are:

● Routing data between networks

● Fragmenting and reassembly of data

Figure 1-4 TCP/IP Internet Layer

[Figure: the TCP/IP layer stack (Application, Transport, Internet, and Network Interface layers above the Hardware layer), with the datagram at the Internet layer]


Using routing information, the Internet layer determines the next directly accessible node in the path to a packet’s destination. This node is either the destination itself if the destination is on the local network, or the next gateway node in the route if the destination is on another network. The Internet layer uses the Internet Protocol (IP) and Internet Control Message Protocol (ICMP). IP is responsible for fragmenting and routing data, and ICMP assists routing and performs error detection and other network management tasks. IP encapsulates data in datagrams, which in turn are encapsulated inside Network Interface layer PDUs.

Transport Layer

The Transport layer manages the transfer of application data between communicating hosts. It also controls the flow of data and defines the transport quality of the data transmission. Figure 1-5 shows the position of the Transport layer in the TCP/IP network model.

Figure 1-5 TCP/IP Transport Layer

The mechanisms used by the Transport layer to determine whether data has been correctly delivered are:

● Acknowledgement responses

● Sequencing

● Flow control

[Figure 1-5: the TCP/IP layer stack (Application, Transport, Internet, and Network Interface layers above the Hardware layer), with the segment or datagram at the Transport layer]


The Transport layer facilitates end-to-end data transfer. It supports multiple operations simultaneously. Two Transport layer protocols are found in the Solaris OS TCP/IP stack: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP uses packets called segments, and UDP uses packets called datagrams. Both TCP segments and UDP datagrams are encapsulated in Internet layer datagrams for transmission to the next node.

The Transport layer facilitates two types of communication:

● Connection-oriented (TCP) – A connection must be established at the Transport layer of both systems before the application can transmit any data.

● Connectionless (UDP) – Systems do not need to establish a connection with the recipient prior to data exchange.

TCP is a more reliable form of data exchange than UDP.

Application Layer

The top layer of the TCP/IP stack is the Application layer. Figure 1-6 shows the position of the Application layer in the TCP/IP network model.

Figure 1-6 TCP/IP Application Layer

[Figure: the TCP/IP layer stack (Application, Transport, Internet, and Network Interface layers above the Hardware layer), labeled Layer 1 through Layer 4, with the stream or message at the Application layer]


The Application layer includes all of the protocols that use Transport layer protocols to deliver data to the Internet layer. There are many application protocols, and new protocols are frequently included in the Solaris OS TCP/IP stack.

Some common TCP/IP applications or protocols include:

● Telnet Protocol

● File Transfer Protocol (FTP)

● Simple Network Management Protocol (SNMP)

● Simple Mail Transfer Protocol (SMTP)

● Dynamic Host Configuration Protocol (DHCP)

● Domain Name System (DNS)

● Network Information Service (NIS)

● Network File System (NFS)

● Secure shell (SSH)

The Application layer handles the details of the particular application. The primary functions of this layer are:

● Formatting data – Data is formatted based on a computer’s architecture. For example, alphanumeric characters are represented by using American Standard Code for Information Interchange (ASCII) on a UNIX® host, and Extended Binary Coded Decimal Interchange Code (EBCDIC) on an IBM mainframe computer. Protocols operating at this layer of the model encapsulate packets into streams or messages.

● Presenting data – If end users specify how they want their data presented to them, the Application layer makes sure that it reaches the end users in this format. A common syntax ensures compatibility between various end-user applications and machines. The Application layer also provides translations between locally represented data and data used for transfer between end systems.

● Transporting data – The Application layer stipulates a transfer syntax, which represents a coding agreement for the data to be formatted and transferred. Remote procedure call (RPC) libraries enable high-level language programs to make procedure calls to other machines on a network. Application layer protocols, such as NIS and NFS, use RPC for session management between clients and servers.


Describing Basic Peer-to-Peer Communication, Encapsulation, and Decapsulation

In the TCP/IP model, adjacent layers in the model interact with each other, and the corresponding layers at either end are also considered to interact with each other.

Peer-to-Peer Communication

Peer-to-peer communication occurs when one layer on a system communicates with a corresponding layer on another system. Figure 1-7 illustrates the peer-to-peer communications between the layers at either end of a network interaction. For example, the Application layer on the source system interacts with the Application layer on the destination system.

Figure 1-7 Peer-to-Peer Communication

[Figure: a source system (Application X) and a destination system (Application Y), each with an Application layer, Transport layer, Internet layer, Network Interface layer, and Hardware layer, joined by a communication path over the physical transmission medium. Encapsulation runs down the source stack and decapsulation runs up the destination stack. Data units by layer: message or stream, segment or datagram, datagram, frame, signal. PDU labels: User Data, A-PDU, TH, T-PDU, IH, I-PDU, NH, NT.]

TH = Transport Header, IH = Internet Header, NH = Network Header, NT = Network Trailer


Encapsulation and Decapsulation

Data passed down through each layer on the sender is encapsulated. During encapsulation:

● Header information is added at each layer before the data is passed down to the next layer. The header information helps the destination system to direct the data to the appropriate protocol.

● At the final layer, trailer information is also added.

Figure 1-7 on page 1-10 shows data encapsulation occurring on the source system.

Data arriving at a destination system is decapsulated. During decapsulation:

● Data travels up through the layers.

● Headers and trailers are removed at each layer before the data is passed up to the next layer.

Figure 1-7 on page 1-10 shows data decapsulation occurring on the destination system.
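The following Python sketch is an added example, not part of the original guide. It carries the encapsulation and decapsulation steps through concrete headers, assuming UDP for TH, IPv4 for IH, and an Ethernet header plus CRC-32 frame check sequence for NH and NT; the addresses, ports, and payload are constructed sample values.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # NH field naming the Internet layer protocol
IPPROTO_UDP = 17          # IH field naming the Transport layer protocol
MIN_ETH_PAYLOAD = 46      # Ethernet pads shorter payloads up to this size


class DecapError(ValueError):
    """Raised when a layer rejects the data instead of passing it up."""


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(user_data, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Wrap user data (A-PDU) in TH, IH, NH and NT; return the frame."""
    # Transport layer: TH + A-PDU = T-PDU. A UDP checksum of 0 means unused.
    t_pdu = struct.pack("!HHHH", sport, dport, 8 + len(user_data), 0) + user_data
    # Internet layer: IH + T-PDU = I-PDU. The checksum is filled in afterwards.
    ih = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(t_pdu), 0, 0,
                     64, IPPROTO_UDP, 0, src_ip, dst_ip)
    ih = ih[:10] + struct.pack("!H", inet_checksum(ih)) + ih[12:]
    i_pdu = (ih + t_pdu).ljust(MIN_ETH_PAYLOAD, b"\x00")
    # Network Interface layer: NH in front, NT (CRC-32 trailer) behind.
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + i_pdu
    return body + struct.pack("<I", zlib.crc32(body))


def decapsulate(frame):
    """Strip NT, NH, IH and TH in turn; return (destination port, user data)."""
    # Network Interface layer: verify and remove the trailer, then the header.
    if len(frame) < 14 + 4:
        raise DecapError("frame too short")
    body, nt = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != nt:
        raise DecapError("bad frame check sequence")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise DecapError("no Internet layer handler for this EtherType")
    i_pdu = body[14:]
    # Internet layer: validate the header before trusting its length fields.
    if len(i_pdu) < 20:
        raise DecapError("truncated IP header")
    ihl = (i_pdu[0] & 0x0F) * 4
    if i_pdu[0] >> 4 != 4 or ihl < 20 or len(i_pdu) < ihl:
        raise DecapError("malformed IP header")
    if inet_checksum(i_pdu[:ihl]) != 0:
        raise DecapError("bad IP header checksum")
    total_len = struct.unpack("!H", i_pdu[2:4])[0]
    if total_len < ihl or total_len > len(i_pdu):
        raise DecapError("IP total length does not fit the frame")
    if i_pdu[9] != IPPROTO_UDP:
        raise DecapError("no Transport layer handler for this protocol")
    t_pdu = i_pdu[ihl:total_len]          # also drops Ethernet padding
    # Transport layer: remove TH and hand the A-PDU to the application port.
    if len(t_pdu) < 8:
        raise DecapError("truncated UDP header")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", t_pdu[:8])
    if udp_len < 8 or udp_len > len(t_pdu):
        raise DecapError("UDP length does not fit the datagram")
    return dport, t_pdu[8:udp_len]


if __name__ == "__main__":
    # Constructed sample values (documentation addresses, local MACs).
    frame = encapsulate(b"hello", 40000, 7,
                        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),
                        bytes.fromhex("020000000001"),
                        bytes.fromhex("020000000002"))
    print(len(frame), "byte frame ->", decapsulate(frame))
```

The EtherType and IP protocol fields are the header information that directs the data to the appropriate protocol at each step up the stack, and each length field is checked against the bytes actually received before it is used.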


TCP/IP Protocols

The following tables describe briefly the common TCP/IP protocols.

Table 1-2 shows a list of Network Interface layer protocols, their corresponding RFCs, and a short description of each protocol.

Table 1-2 Some TCP/IP Network Interface Layer Protocol Descriptions

RFC | Protocol | Description
1055 | SLIP | Serial Line Internet Protocol compresses IP datagrams on serial lines.
1661 | PPP | Point-to-Point Protocol transmits datagrams over serial, point-to-point links.


Table 1-3 shows a list of Internet layer protocols, their corresponding RFCs, and a short description of each protocol.

Table 1-3 Some TCP/IP Internet Layer Protocol Descriptions

RFC | Protocol | Description
826 | ARP | Address Resolution Protocol defines the method used to map a 32-bit IP address to a 48-bit Ethernet address.
903 | RARP | Reverse Address Resolution Protocol defines the method used to map a 48-bit Ethernet address to a 32-bit IP address.
791, 950, 919, 922 | IP | Internet Protocol determines the path that a datagram must take, based on the destination host’s IP address.
792 | ICMP | Internet Control Message Protocol communicates error messages and other controls within IP datagrams.
2401, 2406, 2402, 2407, 2408 | IPSec-related RFCs | Internet Protocol Security Architecture; Encapsulating Security Payload (ESP); IP authentication header; Internet IP security domain of interpretation for the Internet Security Association and Key Management Protocol (ISAKMP)

Table 1-4 shows a list of Transport layer protocols, their corresponding RFCs, and a short description of each protocol.

Table 1-4 Some TCP/IP Transport Layer Protocol Descriptions

RFC | Protocol | Description
793 | TCP | Transmission Control Protocol is a connection-oriented protocol that provides the full-duplex, stream service on which many application protocols depend.
768 | UDP | User Datagram Protocol is a connectionless protocol that provides non-acknowledged datagrams delivered over reliable networks.


Table 1-5 shows a list of some Application layer protocols, their corresponding RFCs, and a short description of each protocol.

Table 1-5 Some TCP/IP Application Layer Protocol Descriptions

RFC | Protocol | Description
1034, 1035 | DNS | Domain Name System is a text-based, distributed database for domain names, host names, and IP addresses. Domain names index a hierarchical tree of names and ultimately identify hosts and domains.
959 | FTP | File Transfer Protocol is used to transfer files between systems.
854, 855 | Telnet | Telnet Protocol enables terminals and terminal-oriented processes to communicate on a network by using TCP/IP.
1258, 1280 | Remote login | The rlogin command enables users to log in to remote hosts.
2131 | DHCP | Dynamic Host Configuration Protocol is responsible for automatically assigning IP addresses in an organization’s network.
2821 | SMTP | Simple Mail Transfer Protocol transfers electronic mail (email) messages from one machine to another.
1157 | SNMP | Simple Network Management Protocol enables system administrators to monitor and control network devices.
1939 | POP3 | Post Office Protocol, version 3, enables users to access their email box across a wide area network (WAN) or local area network (LAN) from a POP3 server.
2060 | IMAP4 | Internet Message Access Protocol, version 4, enables users to access their email box across the network from an IMAP4 server. IMAP4 is suited to mobile users because the mail remains on the server. IMAP4 is server-centric, whereas POP3 is client-centric.
1945, 2068 (HTTP); None (HTTPS) | HTTP, HTTPS | Hypertext Transfer Protocol and Secure Hypertext Transfer Protocol are used on the World Wide Web to transfer text, pictures, audio, and other multimedia information that is accessible through a web browser.
None | SSH | Secure shell is based on a number of drafts. SSH logs in securely to a system across a network.


Exercise: Reviewing the TCP/IP Model

In this exercise, you review the TCP/IP model.

Preparation

There is no preparation for this exercise.

Tasks

Perform the following steps:

1. List the layers of the TCP/IP network model by their name and function.

Name:_______________________________________________________

Function: ____________________________________________________

Name:_______________________________________________________

Function: ____________________________________________________

Name:_______________________________________________________

Function: ____________________________________________________

Name:_______________________________________________________

Function: ____________________________________________________

2. In your own words, define the term peer-to-peer.

_____________________________________________________________

_____________________________________________________________

3. In your own words, define the term protocol.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________


4. Which protocols are part of the TCP/IP suite?

a. ARP

b. IP

c. TCIP

d. ICMP

5. Which statements describe data encapsulation?

a. Data travels up through layers at the destination system’s end.

b. Data travels down through layers at the source system’s end.

c. Headers and trailers are removed before the data is passed up to the next layer.

d. Headers and trailers are added before the data is passed down to the next layer.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. List the layers of the TCP/IP network model by their name and function.

Name: Application

Function: Consists of user-accessed application programs and network services. This layer is also responsible for defining the way in which cooperating networks represent data.

Name: Transport

Function: Manages the transfer of data using connection-oriented and connectionless transport protocols.

Name: Internet

Function: Manages data addressing and delivery between networks, as well as fragmenting data for the Network Interface layer.

Name: Network Interface

Function: Manages the delivery of data across the physical network. This layer provides error detection and packet framing.

2. In your own words, define the term peer-to-peer.

Peer-to-peer communication is the ability of a specific layer to communicate with a corresponding layer on another host.

3. In your own words, define the term protocol.

A protocol is a set of rules governing the exchange of data between two entities. These rules describe:

● Syntax – Data format and coding

● Semantics – Control information and error handling

● Timing – Speed matching and sequencing


4. Which protocols are part of the TCP/IP suite?

a. ARP

b. IP

d. ICMP

5. Which statements describe data encapsulation?

b. Data travels down through layers at the source system’s end.

d. Headers and trailers are added before the data is passed down to the next layer.


Module 2

Introducing LANs and Their Components

Objectives

This module describes LANs and their components. This module also introduces LAN media, including IEEE LAN media identifiers and Ethernet media. In addition, this module introduces network devices, including shared hubs, bridges, and switches.

Upon completion of this module, you should be able to:

● Describe network topologies

● Describe LAN media

● Describe network devices

The course map in Figure 2-1 shows how this module fits into the current instructional goal.

Figure 2-1 Course Map

[Figure: Configuring the Network Interface Layer: Introducing the TCP/IP Model; Introducing LANs and Their Components; Describing Ethernet Interfaces; Describing ARP and RARP]


Introducing Network Topologies

The topology of a network relates to the way nodes on the network are physically wired together. Many different network topologies are commonly implemented in today’s network environments. Topology is one of the most important considerations when you design a network. Consider the size of the network, the type of business, any failover requirements, and the amount of network traffic you expect when you make decisions about which topology to use.

Bus Topologies

The bus configuration was the typical LAN topology for the original Ethernet network specification. A typical bus configuration has coaxial cables running through an area. Systems are attached at points along the cable to enable communication with each other. The bandwidth of the cable is shared between all the systems connected to the cable. Figure 2-2 shows an example of a bus configuration.

Figure 2-2 Bus Configuration


Star Topologies

The LAN topology in a star configuration uses a central location, or hub, from which a number of signal-carrying cables extend to each individual device on a branch. Star configurations are well suited to many of today’s LAN network methodologies.

An intelligent hub controls:

● Which messages are transferred between which ports

● What devices are connected to each port or segment

Note – A non-intelligent hub does not make any decisions about which ports to send data. This essentially makes star configurations behave exactly like bus configurations from the point of view of the nodes. A benefit of the star configuration is that a fault on the cable to a node affects only that node.

Depending upon the LAN methodology, there is a limit to the number of segments that can be linked together. Figure 2-3 shows an example of the star configuration.

Figure 2-3 Star Configuration


Ring Topologies

In a ring configuration, the output of one node connects to the input of the next node. Each node in the ring is between two other nodes. In a ring network, if one node stops functioning the ring can be broken, which affects communication on the network.

With the invention of the intelligent central hub, a ring configuration can be implemented with the reliability of a star configuration. The reliability is a result of the intelligent hub’s ability to bypass a non-functioning node in the ring. Figure 2-4 shows a star-wired ring configuration.

Figure 2-4 Ring Configuration


VLAN Topologies

Virtual local area network (VLAN) topologies are becoming increasingly popular. A VLAN topology is implemented with a central device that supports VLAN technology. All systems are physically connected to the same device; however, the device is configured with multiple logical networks (the VLANs) that have one or more ports on the switch assigned to them. For example, on an 8-port switch, ports 1, 2, 5, and 6 can be assigned to network A, while ports 3, 4, 7, and 8 can be assigned to network B. The traffic on network A is separated from the traffic on network B, and traffic does not pass between the two networks. Ports can be assigned to different VLANs based on port number, the hardware or software address of the systems, or the protocols used by the systems.

Using VLANs reduces the size of broadcast domains. You can move computer systems between VLANs without any hardware configuration. Although the term VLAN is in common use, every vendor provides their own VLAN implementation and enhancements. This makes the task of defining the term VLAN difficult.

Figure 2-5 shows an example of a network with all systems on the same broadcast domain.
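The following Python model is an added example, not part of the original guide and not any vendor's implementation. It simulates the 8-port switch described above with port-based VLAN assignment and a separate address table per VLAN, so that broadcasts and unknown-destination frames are flooded only to ports in the sender's VLAN; the class name, method names, and MAC addresses are assumptions made for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Simplified learning switch with port-based VLAN membership."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN name
        self.mac_table = {}                # (VLAN, MAC address) -> port

    def broadcast_domains(self):
        """Return each VLAN with the sorted list of ports assigned to it."""
        domains = {}
        for port, vlan in self.port_vlan.items():
            domains.setdefault(vlan, []).append(port)
        return {vlan: sorted(ports) for vlan, ports in domains.items()}

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the sorted ports it is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learn where the sender lives, but only within its own VLAN.
        self.mac_table[(vlan, src_mac)] = in_port
        members = sorted(p for p, v in self.port_vlan.items()
                         if v == vlan and p != in_port)
        if dst_mac == BROADCAST:
            return members                 # broadcast stays inside the VLAN
        out_port = self.mac_table.get((vlan, dst_mac))
        if out_port is None:
            return members                 # unknown unicast: flood VLAN only
        return [] if out_port == in_port else [out_port]


def example_switch():
    """The assignment from the text: ports 1, 2, 5, 6 -> A; 3, 4, 7, 8 -> B."""
    assignment = {1: "A", 2: "A", 5: "A", 6: "A",
                  3: "B", 4: "B", 7: "B", 8: "B"}
    return VlanSwitch(assignment)


if __name__ == "__main__":
    # Constructed sample hosts: one on port 1 (network A), one on port 3 (B).
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    switch = example_switch()
    print("domains:", switch.broadcast_domains())
    print("broadcast from port 1 ->", switch.receive(1, host_a, BROADCAST))
    print("broadcast from port 3 ->", switch.receive(3, host_b, BROADCAST))
    # Host B is known to the switch, but only in VLAN B's table, so a frame
    # from network A addressed to it never leaves network A.
    print("A to B unicast        ->", switch.receive(1, host_a, host_b))
```

Assigning all eight ports to one VLAN in the same model reproduces the single broadcast domain of Figure 2-5: a broadcast from port 1 then reaches the other seven ports.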

Figure 2-5 VLAN With All Systems on the Same Domain

All systems on the same broadcast domain


Figure 2-6 shows how a single switch can be configured into three VLANs so that there are three separate, smaller broadcast domains.

Figure 2-6 VLAN Configurations

Smaller Broadcast Domains


Figure 2-7 shows, through shading, how the three VLANs are configured by using software on the switch to which all systems are connected.

Figure 2-7 Three VLANs Defined

Three VLANs defined (by color)


Introducing LAN Media

Many types of LAN methodologies include the media’s specifications as part of the LAN’s name (identifier).

IEEE Identifiers

For the various types of LANs, the IEEE identifier indicates the types of media used. These identifiers include three pieces of information:

● The first piece of information, 10, 100, or 1000, represents a media speed of 10 megabits per second (Mbps), 100 Mbps, or 1000 Mbps, respectively.

● The second piece of information, BASE, stands for baseband, which is a type of signalling. Baseband signalling uses the entire bandwidth of the cable for one signal. Two systems cannot transmit signals at the same time.

● The third piece of information indicates the segment type or the approximate segment length. For thick coaxial cable, 5 indicates the 500-meter maximum length allowed for individual segments. For thin coaxial cable, 2 indicates 200 meters, which is rounded up from the 185-meter maximum length for individual thin coaxial segments. The designation T indicates that the segment type is twisted-pair, and the designation F stands for fiber-optic cable.

An example identifier is 100BASE-T, which means that the transmission speed is 100 megabits per second, baseband signaling is used, and the media is twisted pair. Figure 2-8 shows how baseband segments are designated.

Figure 2-8 IEEE Media Identifier

[Figure: 10BASE-5: speed = 10 Mbps, type of signal = baseband, segment length = 500 meters. 10BASE-T: type of media = twisted pair.]


The thick coaxial cable media segment was the first media segment to be defined in the Ethernet specifications. The thin coaxial cable media segment was defined next, followed by the twisted-pair and fiber-optic media segments. The twisted-pair segment type is widely used today for making network connections to the desktop.

IEEE 802.3 Types

Many different types of LAN media have been used, from half-inch thick coaxial cable to optical fibre measured in microns. Consider the physical distance, the security, the cost of the media, the cost to install the media, and the media that is supported by current technology when you make decisions about which LAN media to use.

10BASE-T Media Type

The 10BASE-T media type uses twisted-pair cables. The specifications for this media type were published in 1990. This is one of the most widely used media types for connections to the desktop.

The 10BASE-T media type uses two pairs of wires: one pair receives data signals, and the other pair transmits data signals. The two wires in each pair must be twisted together for the entire length of the segment. This is a standard technique that improves the signal-carrying characteristics of a wire pair. Multiple twisted-pair segments communicate using a multiport hub or switch. You can implement 10BASE-T over Category 3 (two to three twists per foot) or Category 5 (two to three twists per inch) twisted-pair cable.

100BASE-TX Media Type

The 100BASE-TX media type is based on specifications published in the American National Standards Institute (ANSI) Twisted-Pair – Physical Media Standard (TP-PMD). The 100BASE-TX media type carries 100 Mbps signals over two pairs of wire. Because the ANSI TP-PMD specification provides for the use of either unshielded twisted-pair or shielded twisted-pair cable, 100BASE-TX uses both. You can only implement 100BASE-TX over Category 5 cable.


100BASE-T4 Media Type

The 100BASE-T4 media type operates over four pairs of wires. The signaling system makes it possible to provide fast Ethernet signals (100 megaHertz (MHz)) over any existing standard voice-grade Category 3 or 4 unshielded twisted-pair cable that might be installed. One pair of wires transmits data (TX), one pair receives data (RX), and two pairs are bidirectional (BI) data pairs.

The 100BASE-T4 specifications recommend using Category 5 patch cables, jumpers, and connecting hardware whenever possible because these higher-quality components and cables improve the reception of signals on the link.

100BASE-FX Media Type

The 100BASE-FX (fast fiber-optic) media system uses pulses of light instead of electrical currents to send signals. The use of fiber provides superior electrical isolation for equipment at each end of the fiber link. While LAN equipment used in metallic media segments has protection circuits designed for typical indoor electrical hazards, fiber-optic media is nonconductive. This complete electrical isolation provides immunity from much larger electrical hazards, such as lightning strikes, and from the flow of current that can result from having different levels of electrical ground currents that can be found in separate buildings. Complete electrical isolation is essential when using LAN segments to link separate buildings.

An advantage of the 100BASE-FX fiber-optic link segment is that it can span long distances. Fiber also provides more security because the optical signal does not cause induction.

1000BASE-X Media Type

In 1998, the IEEE Standards Board approved the gigabit Ethernet standard for 1000 Mbps over multimode fiber (MMF) and single-mode fiber. Gigabit Ethernet is an extension of the successful 10-Mbps and 100-Mbps 802.3 standards. Gigabit Ethernet provides a raw bandwidth of 1000 Mbps and maintains full compatibility with the installed base of over 100 million Ethernet nodes. Gigabit Ethernet includes both full-duplex and half-duplex operating modes.

The 1000BASE-X standard refers to two implementations of fiber-optic segment types: 1000BASE-SX and 1000BASE-LX.


1000BASE-SX Media Type

The 1000BASE-SX media system is the shortest wavelength specification because it uses short wavelength lasers to transmit data over fiber-optic cable. Sun’s implementation of the 1000BASE-SX system specification supports the following distances:

● 300 meters over 62.5-micron MMF cable

● 550 meters over 50-micron MMF cable

1000BASE-LX Media Type

The 1000BASE-LX media system is the longest wavelength specification because it uses longwave lasers to transmit data over fiber-optic cable. Sun’s implementation of the 1000BASE-SX system specification supports the following distances:

● 550 meters over 62.5-micron and 50-micron MMF cable

● 3000 meters over 9-micron single-mode fiber cable

1000BASE-CX Media Type

The 1000BASE-CX media system is the shortest-haul copper specification because it uses high-quality shielded copper jumper cables to connect devices. The 1000BASE-CX system uses connecting equipment in small areas, such as wiring closets. Sun’s implementation of the 1000BASE-CX system specification supports 25 meters over twin-axial cable.

1000BASE-T Media Type

In 1999, the IEEE Standards Board approved the standard for the 1000BASE-T media system, for data transmissions of 1000 Mbps. This standard is for gigabit Ethernet over four pairs of Category 5 unshielded twisted-pair (UTP) cable.

The 1000BASE-T system uses the previously defined standards 100BASE-TX, 100BASE-T2, and 100BASE-T4 for its signal methodology. Sun’s implementation of the 1000BASE-T system specification supports distances up to 100 meters over four pairs of Cat-5 UTP (using a complex encoding scheme).


Introducing Network Devices

Networks consist of many different devices and device types. Devices that are found on LANs range from printers to sophisticated switching devices.

Repeaters

Repeaters are devices that amplify and regenerate the data signal, bit by bit, to extend the distance of the transmission. A repeater does not read or interpret the data.

Hubs

Shared hubs are the central devices of a star topology network. The hubs connect all the hosts in a twisted-pair Ethernet installation. Hubs are typically used in small LANs in which network performance is not critical. Collisions commonly occur on a network implementing hubs because the collision domain consists of all systems connected to the hub.

Bridges

A bridge is a network-layer device that reads and interprets addresses for filtering or forwarding packets. Bridges connect two or more network segments. Collisions commonly occur on a bridged network because the collision domains often consist of more than one system.

Switches

Switches are multiport devices that control the logical dynamic connection and disconnection between any two cable segments. Switches are high-bandwidth devices because multiple data paths can be established and used simultaneously.

Switches reduce the number of collisions on a network by replacing a single shared data path with multiple dedicated data paths.


Figure 2-9 shows how you can use an Ethernet switch to interconnect shared hubs. Interconnecting the hubs increases intranet transfer rates greatly and makes connections more economical. Because connecting multiple subnets to an intranet using a switch requires no protocol changes, the cost of a speed increase is minimized.

Figure 2-9 Ethernet Switches

[Figure: an Ethernet switch connected to several hubs; link labels are 10BASE-T and 100BASE-T.]


Exercise: Reviewing LANs and Their Components

In this exercise, you test your knowledge about common LAN terminology.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Tasks

To test your knowledge about common LAN terminology, answer the following questions:

1. Match the terms to their definition.

_____ Star topology a. This topology uses a central device, from which signal-carrying cables are connected to each individual device on a branch. Additionally, each individual device can be configured to be in its own broadcast domain.

_____ VLAN topology b. The cabling standard for 100-Mbps, unshielded, twisted-pair media.

_____ 100BASE-TX c. The central device through which all hosts connect in a single broadcast domain in a twisted-pair, Ethernet installation.

_____ Category 5 d. This topology uses a central device, from which signal-carrying cables extend to each individual device on this branch.

_____ Switch e. The IEEE standard for 100-Mbps, twisted-pair media.

_____ Shared hub f. The multiport device that provides for the logical dynamic connection and disconnection between any two cable segments without operator intervention.


2. Which are topologies found in LANs?

a. Ring

b. Star

c. Bus

d. Wing

3. Which specifications support a media speed of 100 Mbps?

a. 10BASE-5

b. 10BASE-2

c. 100BASE-FX

d. 10BASE-T

e. 100BASE-T4

f. 100BASE-TX


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. Match the terms to their definition.

d Star topology a. This topology uses a central device, from which signal-carrying cables are connected to each individual device on a branch. Additionally, each individual device can be configured to be in its own broadcast domain.

a VLAN topology b. The cabling standard for 100-Mbps, unshielded, twisted-pair media.

e 100BASE-TX c. The central device through which all hosts connect in a single broadcast domain in a twisted-pair, Ethernet installation.

b Category 5 d. This topology uses a central device, from which signal-carrying cables extend to each individual device on this branch.

f Switch e. The IEEE standard for 100-Mbps, twisted-pair media.

c Shared hub f. The multiport device that provides for the logical dynamic connection and disconnection between any two cable segments without operator intervention.


2. Which are topologies found in LANs?

a. Ring

b. Star

c. Bus

3. Which specifications support a media speed of 100 Mbps?

c. 100BASE-FX

e. 100BASE-T4

f. 100BASE-TX


Module 3

Describing Ethernet Interfaces

Objectives

This module describes Ethernet’s Carrier Sense Multiple Access/Collision Detect (CSMA/CD) access method. This module also describes the Ethernet frame, including addresses, frame fields, encapsulation, maximum transmission units (MTUs), and errors. In addition, this module describes network utilities that assist in configuring and troubleshooting the system’s network interfaces.

Upon completion of this module, you should be able to:

● Describe Ethernet concepts

● Describe Ethernet frames

● Use network utilities

The course map in Figure 3-1 shows how this module fits into the current instructional goal.

Figure 3-1 Course Map (Configuring the Network Interface Layer: Introducing the TCP/IP Model, Introducing LANs and Their Components, Describing Ethernet Interfaces, Describing ARP and RARP)

Introducing Ethernet Concepts

Ethernet was designed as a packet-switching LAN over broadcast technology. Devices connect to the network and compete for access to a shared communications channel. The IEEE 802.3 standard for Ethernet was defined in 1985. Ethernet standards are implemented at the Network Interface layer of the TCP/IP protocol model.

Major Ethernet Elements

The three major elements of Ethernet networks are:

● Ethernet packets, called frames – These are units of data sent across the network.

● The Ethernet access method, CSMA/CD – This method controls packet transmission and information flow across the Ethernet hardware.

● Hardware cables, connectors, and circuitry – These transfer data to and from systems across the network.

CSMA/CD Access Method

Non-switched Ethernet uses a broadcast delivery mechanism in which each frame that is transmitted is heard by every station. CSMA/CD is an arbitrary access method that provides a method to detect and recover from simultaneous transmissions. Each interface monitors the network for a carrier signal (Carrier Sense). During a gap between transmissions, each interface has an equal chance to transmit data (Multiple Access). If two interfaces try to transmit data at the same time, the transceiver circuitry detects a transmit collision (Collision Detection). Both interfaces must wait a short period of time before they attempt to resend data. The wait period is determined by using an exponential back-off algorithm.

Figure 3-2 shows how CSMA/CD accesses the network. The figure represents the CSMA/CD developed for the original Ethernet topology. Ethernet originally consisted of a single-wire, bidirectional backbone. The theory of operation is still the same today, but Ethernet topologies use more advanced components that permit a higher transmission rate.

Figure 3-2 Structure of CSMA/CD (flowchart with the stages Carrier Sense, Multiple Access, and Collision Detect. Boxes: The host has a message. Is there traffic on the network? The host sends a message. Was there a collision? Send the jam signal. Wait. Back off exponentially. Success.)

Full-Duplex and Half-Duplex Mode

Full-duplex network mode is when a system can send and receive data simultaneously on a bidirectional network.

Half-duplex network mode is when a system can either send or receive data on a bidirectional network. The system cannot send and receive data simultaneously.

Full-duplex networking is more efficient than half-duplex networking.

Ethernet Statistics

The netstat command provides statistics on network-related information, such as the collision rate. In a shared-media topology, collisions occur frequently. The more transmitting nodes there are on a network, the greater the likelihood that collisions occur because of an increase in network traffic. The collision rate increases exponentially until there is almost no throughput of data.

To display the current usage of the Ethernet interfaces, execute the netstat command with the -i option, for example:

# netstat -i
Name  Mtu  Net/Dest  Address    Ipkts  Ierrs  Opkts  Oerrs  Collis  Queue
lo0   8232 loopback  localhost  52559  0      52559  0      0       0
hme0  1500 sys11     sys11      18973  0      30292  0      0       0
#

Collision Rates

Collisions occur when two or more systems attempt to transmit data on the network at the same time. Collision rates indicate the number of collisions that occur on a network. Use collision rates to diagnose network performance problems that are caused by collisions on a network.

To compute the collision rate, multiply 100 by the number of collisions, and divide the product by the total number of output packets.

For example, assume that the netstat command reports 12 collisions and 1302 output packets. Calculate the collision rate as follows:

100 * 12 / 1302 = 1.0 percent collision rate

In general:

● Collision rates higher than 5 percent on a 10-Mbps Ethernet network, and 10 percent on a 100-Mbps Ethernet network, are the first indication of network overload.

● Faulty network cabling frequently causes collisions through electrical problems. Technical experts use special electronic equipment to detect the elements that cause a collision and to provide a solution.

● Switches minimize collisions by limiting the collision domain to one system.

Input and Output Errors

If the netstat command reports large numbers (approximately 20–25 percent) of input or output errors on the network system, you can attribute the problem to one of the following reasons:

● Duplicate IP addresses used on the same network

● A faulty cable

● A faulty port on a concentrator, hub, switch, or router

● A faulty interface
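
The collision-rate formula and the error guidance above can be applied to every interface in one pass. The following script is an added example, not part of the original guide: the netstat_rates function name and the sample counters are constructed, and it assumes that the 20–25 percent error figure is measured as Ierrs/Ipkts and Oerrs/Opkts.

```shell
#!/bin/sh
# Added example: collision and error rates per interface from `netstat -i`.
# On Solaris 10, /usr/bin/awk is the old awk; put /usr/xpg4/bin first in PATH
# (or change awk to nawk) so that -v and user-defined functions work.

# Constructed sample in the column layout shown above (counters are made up).
SAMPLE_NETSTAT='Name  Mtu  Net/Dest  Address    Ipkts  Ierrs  Opkts  Oerrs  Collis  Queue
lo0   8232 loopback  localhost  52559  0      52559  0      0       0
hme0  1500 sys11     sys11      18973  0      30292  0      0       0
hme1  1500 sys21     sys21      4000   900    3000   0      400     0
qfe0  1500 sys31     sys31      0      0      0      0      0       0
qfe1  1500 sys41     sys41      5000   10     2000   0      150     0'

# netstat_rates [COLLISION_LIMIT_PERCENT]
# Reads `netstat -i` output on stdin and prints one line per interface:
#   name collision% input-error% output-error% status
# The limit defaults to 5 (10-Mbps guidance); pass 10 for a 100-Mbps network.
netstat_rates() {
    awk -v climit="${1:-5}" '
        # 100 * part / total, or 0 when no packets were counted, so an idle
        # interface does not cause a division by zero.
        function pct(part, total) {
            return (total > 0) ? 100 * part / total : 0
        }
        $1 == "Name"       { next }   # header row (IPv4 or IPv6 table)
        NF < 10            { next }   # blank lines and rows without Queue
        $1 ~ /^lo[0-9]+$/  { next }   # loopback has no collisions
        {
            coll = pct($9, $7)        # Collis / Opkts, as in the text
            ierr = pct($6, $5)        # Ierrs / Ipkts (assumed ratio)
            oerr = pct($8, $7)        # Oerrs / Opkts (assumed ratio)
            status = "ok"
            if (coll > climit) status = "collisions-high"
            if (ierr >= 20 || oerr >= 20)
                status = (status == "ok") ? "errors-high" : (status "+errors-high")
            printf "%s %.1f %.1f %.1f %s\n", $1, coll, ierr, oerr, status
        }'
}

# Run against the constructed sample with the 10-Mbps limit.
printf '%s\n' "$SAMPLE_NETSTAT" | netstat_rates 5
```

On a live system, pipe the command output into the function instead: netstat -i | netstat_rates 10.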

Introducing Ethernet Frames

An Ethernet frame is a single unit of data transported across the LAN. It is a series of bits with a well-defined beginning and a well-defined end. The Ethernet specification describes how bits are encoded on the cable and how devices on the network detect the beginning and the end of a transmission.

Ethernet Addresses

An Ethernet address is the device’s unique hardware address. An Ethernet address is sometimes referred to as a media access control (MAC) address. An Ethernet address is 48 bits long and is displayed as 12 hexadecimal digits (six groups of two digits) separated by colons. An example of an Ethernet address is 08:00:20:1e:56:7d.

● The IEEE administers unique Ethernet addresses. IEEE designates the first three octets as vendor-specific. Sun has various Ethernet prefixes, which include 08:00:20, 00:00:be, and 00:03:ba. Sun assigns the last three octets to the products it manufactures to ensure that each node on an Ethernet network has a unique Ethernet address.

The list of vendor-specific Ethernet addresses can be found at:

http://standards.ieee.org/regauth/oui/oui.txt

● The IEEE specification enables the vendor to decide whether to use the host-based addressing approach or the port-based addressing approach. By default, Sun uses host-based addressing on its network interface cards (NICs).

The network interface drivers in Sun systems obtain the Ethernet address for the Ethernet interface from a system’s hardware. For example, desktop systems use the address in the nonvolatile random access memory (NVRAM) chip, while some large server systems obtain their address from a special board installed in the system. By default, all interface addresses on a system use just one Ethernet address, either the NVRAM or the special board, even though each Ethernet interface controller has a built-in Ethernet address.

For systems configured to have more than one interface on the same physical subnet, you need a unique Ethernet address that is different from the primary host-based assigned Ethernet address.

Types of Ethernet Addresses

There are three types of Ethernet addresses: unicast, broadcast, and multicast.

Unicast Addresses

Unicast addresses are used for one-to-one communication. The system uses a unicast address to send a message to another system on the local Ethernet network. You can use a system’s unique Ethernet address as a unicast address.

Broadcast Addresses

A device uses a broadcast address to send messages to all systems on the local Ethernet network. The Ethernet broadcast address is represented in the form of all 1s in binary format and as ff:ff:ff:ff:ff:ff in hexadecimal format. When the Network Interface layer receives an Ethernet frame with a destination address of all 1s, it passes the address to the next layer for processing.

Multicast Addresses

A system uses a multicast address to send a message to a subset of systems on the local Ethernet. In Ethernet multicast addressing, the value of the first three octets determines if the address is multicast. The last three octets determine the specific multicast’s group identity.

Setting a Local Ethernet Address

In today’s network environments, many systems have multiple interfaces, often on the same subnet or collision domain. Because an Ethernet address targets systems, each interface on the same network or subnet on a multi-interface system must have a unique Ethernet address. Sun network adapters have local Ethernet addresses encoded in their programmable read-only memories (PROMs).

To view the current, host-based Ethernet address, execute the banner command at the ok prompt:

ok banner
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.19, 128 MB (50 ns) memory installed, Serial #12153379.
Ethernet address 8:0:20:b9:72:23, Host ID: 80b97223.
ok

To display the Ethernet address assigned to each interface, execute the ifconfig -a command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#

Set the local-mac-address? variable in the system’s electrically erasable programmable read-only memory (EEPROM) to true to enable the use of port-based Ethernet addresses.

To view the current value of the local-mac-address? variable in the EEPROM, execute the following command:

# eeprom local-mac-address?
local-mac-address?=false
#

You can set the local-mac-address? variable to true by using the eeprom command. This enables network drivers to use their own port-based addresses after a reboot and not the system-default, host-based addresses. To make this change, type the following command:

# eeprom local-mac-address?=true
#

You can also use the ifconfig ether command to configure port-based addressing. This might be necessary if the interface card cannot supply its own unique Ethernet address. You can change the interface Ethernet address of 8:0:20:b9:72:23 from an Ethernet address assigned globally to an address of 0a:0:20:f0:ac:61 assigned locally by changing the seventh bit to 1, and assigning a local unique number to the last three bytes.

To change the Ethernet address, type the following command:

# ifconfig hme0 ether a:0:20:f0:ac:61
#

To verify a change in the Ethernet address, type the following command:

# ifconfig hme0
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether a:0:20:f0:ac:61
#

This change of Ethernet address is effective until you reboot the system. To make the change persistent across reboots, modify the /etc/hostname.interface file.
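
The addressing rules in this section (a host-based address shared by every interface unless local-mac-address? is true, and the locally administered bit set before ifconfig ether is used) can be checked from ifconfig -a output. The following script is an added example, not part of the original guide: the function names and the qfe0 and qfe1 sample interfaces are constructed, and the multicast test uses the IEEE group bit, the low-order bit of the first octet.

```shell
#!/bin/sh
# Added example: audit the Ethernet addresses reported by `ifconfig -a`.
# On Solaris 10, use nawk or /usr/xpg4/bin/awk in place of the old /usr/bin/awk.

# Constructed sample: hme0 and qfe0 share the host-based address, qfe1 was
# given a locally administered address with `ifconfig qfe1 ether ...`.
SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.30.1 netmask ffffff00 broadcast 192.168.30.255
        ether a:0:20:f0:ac:61'

# mac_normalize ADDR: print ADDR as six zero-padded lowercase octets.
# Solaris prints 8:0:20:b9:72:23 for 08:00:20:b9:72:23. Returns 1 if invalid.
mac_normalize() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                o = tolower($i)
                if (o !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            print out
        }'
}

# mac_classify ADDR: print
#   "<normalized> <unicast|multicast|broadcast> <global|local|->"
mac_classify() {
    m=$(mac_normalize "$1") || return 1
    if [ "$m" = "ff:ff:ff:ff:ff:ff" ]; then
        echo "$m broadcast -"
        return 0
    fi
    first=$((0x${m%%:*}))
    # Bit 0x01 of the first octet marks a group (multicast) address.
    if [ $((first & 1)) -ne 0 ]; then cast=multicast; else cast=unicast; fi
    # Bit 0x02 marks a locally administered address: the change from 08 to
    # 0a that the text makes before running `ifconfig hme0 ether`.
    if [ $((first & 2)) -ne 0 ]; then admin=local; else admin=global; fi
    echo "$m $cast $admin"
}

# audit_ifconfig: read `ifconfig -a` output on stdin and print, for every
# interface with an ether line, "<if> <mac> <cast> <admin> <unique|shared>".
# "shared" means another interface on this host reports the same address,
# which matters when both interfaces are on the same subnet.
audit_ifconfig() {
    pairs=$(awk '
        $2 ~ /^flags=/  { ifname = $1; sub(/:$/, "", ifname) }
        $1 == "ether"   { print ifname, $2 }')
    printf '%s\n' "$pairs" | while read -r ifname raw; do
        [ -n "$ifname" ] || continue
        info=$(mac_classify "$raw") || { echo "$ifname $raw invalid"; continue; }
        m=${info%% *}
        # Count how many interfaces carry this normalized address.
        count=$(printf '%s\n' "$pairs" | while read -r skip other; do
                    mac_normalize "$other" || true
                done | grep -c "^$m\$" || true)
        if [ "$count" -gt 1 ]; then dup=shared; else dup=unique; fi
        echo "$ifname $info $dup"
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | audit_ifconfig
```

The ether line is displayed only to the superuser, so run ifconfig -a | audit_ifconfig as root on a live system.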

Ethernet-II Frame Analysis

The Ethernet-II frame is a single unit of data transported through the LAN. It is a series of bits with a definite beginning and a definite end. The Ethernet specification describes how bits are encoded on the network and how hosts on the network detect the beginning and the end of a transmission. Figure 3-3 shows the Ethernet-II frame format.

Figure 3-3 Ethernet-II Frame

Field      Size                     Octet Location
Preamble   64 Bits
D addr     48 Bits                  1-6
S addr     48 Bits                  7-12
Type       16 Bits                  13-14
Data       (Maximum 1500 Bytes)     15-1514 (Maximum)
CRC        32 Bits                  Last 4 Octets

Note – There are two common Ethernet frame formats: the Ethernet-II format and the logical link control (802.3) format. The primary difference between these formats is that in the Ethernet-II format, the fourth field is a type field, while in the 802.3 format, the fourth field is a frame length field. In the TCP/IP environments, typically the Ethernet-II frame format is used.

The information in each frame is necessary to receive and transmit data. Table 3-1 shows a description of each frame field.

Table 3-1 Ethernet-II Frames

Field      Description
Preamble   The 64-bit Ethernet preamble field is used for synchronization and is composed of 1s and 0s. Interface synchronization helps the receiving network interfaces determine where the Ethernet frame begins.
D addr     The Ethernet address of the destination host.
S addr     The Ethernet address of the source host.
Type       The type of data encapsulated in the Ethernet frame, such as IP, ARP, RARP, and IP version 6 (IPv6).
Data       The data payload, which consists of header information and data from the higher-level protocols.
CRC        The cyclic redundancy check (CRC) used for error detection. The value is calculated based on frame contents by both the sending and the receiving hosts. If the two values are not equivalent, the frame is discarded.

Maximum Transmission Units

The maximum transmission unit (MTU) is the largest amount of data that can be transferred across a physical network. The MTU is hardware specific. For a physical Ethernet interface, the MTU is 1500 bytes, while the MTU is 8232 bytes for a loopback interface. The loopback interface is a pseudo device that communicates, or loops back, to the host itself.

Note – The Sun GigaSwift Ethernet adapters hardware implements jumbo frames, which support MTUs of up to 9194 bytes.

Figure 3-4 shows how application data is broken down according to the maximum frame size across the LAN.

Figure 3-4 Transportation of Data Across an Ethernet Network (layers shown: Application Layer, Application Data; Transport Layer, Transport Datagram; Internet Layer, Internet Datagram; Network Interface Layer, 1500-byte Payload; Hardware Layer)

Ethernet Frame Errors

Ethernet frames can be significantly damaged when they traverse a network. When a host receives a frame, the Ethernet interface performs integrity checking to verify Ethernet frame validity. Table 3-2 shows some of these error conditions.

Table 3-2 Error Conditions

Error     Definition
Runts     Packets that are less than 64 bytes, including the header, are too short and are discarded. Runts are usually caused by collisions. These can be formed by poor wiring and electrical interference.
Jabbers   Frames that are greater than 1518 bytes, including the header, are too long and are discarded. These indicate that a device has electrical problems.
Long      A frame that is between 1518 bytes and 6000 bytes in length, including the header, is too long. These are often caused by faulty hardware or software on the sending system.
Giant     A frame that is more than 6000 bytes long, including the header, is too long. These are often caused by faulty hardware or software on the sending system.
Bad CRC   If the received packet fails the CRC, the packet is corrupted and discarded. This is also known as a frame check sequence (FCS) error.
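
The type-versus-length distinction from the Ethernet-II note and the size limits in Table 3-2 can be applied to captured frames. The following script is an added example, not part of the original guide: the function names and sample frames are constructed, it assumes that capture sizes exclude the 4-byte CRC, and it uses the IEEE rule that a fourth-field value of 1536 (0x0600) or more is a type while 1500 or less is a length.

```shell
#!/bin/sh
# Added example: decode an Ethernet header and classify the frame size.

# Constructed sample, one frame per line: "CAPLEN HEX". CAPLEN is the
# captured size in bytes without the CRC; HEX is the frame from the
# destination address on (only the 14 header octets are needed here).
SAMPLE_FRAMES='60 ffffffffffff 08002090b5c7 0806
98 080020b97223 08002090b5c7 0800
60 0180c2000000 08002090b5c7 0026
42 ffffffffffff 08002090b5c7 0806
1600 080020b97223 08002090b5c7 0800'

# ether_decode HEX: print destination, source, and the meaning of the
# fourth field. Spaces and colons in HEX are ignored. Returns 1 when HEX
# is not hexadecimal or is shorter than the 14-octet header.
ether_decode() {
    hex=$(printf '%s' "$1" | tr -d ' :\n' | tr 'A-F' 'a-f')
    case $hex in *[!0-9a-f]*) return 1 ;; esac
    [ ${#hex} -ge 28 ] || return 1
    dst=$(printf '%s' "$hex" | cut -c1-12 | sed 's/../&:/g; s/:$//')
    src=$(printf '%s' "$hex" | cut -c13-24 | sed 's/../&:/g; s/:$//')
    field=$(printf '%s' "$hex" | cut -c25-28)
    value=$((0x$field))
    if [ "$value" -ge 1536 ]; then
        # Ethernet-II: the field names the encapsulated protocol (Table 3-1).
        case $field in
            0800) name=IP ;;
            0806) name=ARP ;;
            8035) name=RARP ;;
            86dd) name=IPv6 ;;
            *)    name=unknown ;;
        esac
        echo "dst=$dst src=$src format=Ethernet-II type=0x$field($name)"
    elif [ "$value" -le 1500 ]; then
        # 802.3: the field is the length of the data that follows.
        echo "dst=$dst src=$src format=802.3 length=$value"
    else
        echo "dst=$dst src=$src format=invalid field=0x$field"
    fi
}

# frame_size_class LEN: LEN is the frame length in bytes including the
# header and the CRC. Table 3-2 treats everything above 1518 bytes as a
# jabber and splits it into "long" and "giant" at 6000 bytes.
frame_size_class() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    if   [ "$1" -lt 64 ];   then echo runt
    elif [ "$1" -le 1518 ]; then echo ok
    elif [ "$1" -le 6000 ]; then echo long
    else                         echo giant
    fi
}

# check_frames: read "CAPLEN HEX" lines on stdin and print
# "<size class> <decoded header>" for each. Four bytes are added to
# CAPLEN for the CRC (assumption: the capture tool does not count it).
check_frames() {
    while read -r caplen hex; do
        [ -n "$caplen" ] || continue
        case $caplen in
            *[!0-9]*) class=badlen ;;
            *) class=$(frame_size_class "$(expr "$caplen" + 4)") || class=badlen ;;
        esac
        decoded=$(ether_decode "$hex") || decoded=undecodable
        echo "$class $decoded"
    done
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_FRAMES" | check_frames
```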

Using Network Utilities

The Solaris 10 OS includes many different utilities to help you configure and troubleshoot the system’s network interfaces.

Using the snoop Utility

The superuser can run the snoop utility to capture network packets and to display the packet contents on the screen. Alternatively, you can capture packets to a file as they are received, decreasing packet loss under high-traffic conditions. You can use the snoop utility to display the contents of the file. The snoop utility displays packet data in one of three forms:

● Summary – This is the output mode when the -v or -V options are not used on the command line.

Only data that pertains to the highest-level protocol header is displayed. For example, an NFS packet only displays NFS information. The underlying RPC, UDP, IP, and Ethernet frame header information are not displayed.

To examine only broadcast frames on the hme0 interface in summary mode, type the following:

# snoop -d hme0 broadcast
Using device /dev/hme (promiscuous mode)
192.168.1.12 -> (broadcast) ARP C Who is 192.168.1.3, sys13 ?
       sys12 -> (broadcast) ARP C Who is 192.168.1.2, sys12 ?
       sys12 -> (broadcast) ARP C Who is 192.168.1.1, sys11 ?
#

● Verbose – To invoke the verbose option, use the -v option on the command line.

Multiple lines of output display for every protocol header in the network packet.

To examine only broadcast packets on the hme0 interface in the verbose mode, type the following:

# snoop -v -d hme0 broadcast
Using device /dev/hme (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 8 arrived at 13:18:44.01
ETHER: Packet size = 60 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 8:0:20:90:b5:c7, Sun
ETHER: Ethertype = 0806 (ARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 1 (ARP Request)
ARP: Sender's hardware address = 8:0:20:90:b5:c7
ARP: Sender's protocol address = 192.168.1.2, sys12
ARP: Target hardware address = ?
ARP: Target protocol address = 192.168.1.1, sys11
ARP:

● Verbose summary – A single line of output is displayed for every protocol or application contained within the packet.

You can examine packets by using both verbose summary mode and by filtering the packets by IP address.

The snoop utility only displays output when there is network traffic and the traffic matches the filter criteria.

For example, to examine packets by using verbose summary mode and by filtering the packets by IP address on the hme0 interface, perform the following command:

# snoop -d hme0 -V 192.168.1.2
Using the /dev/hme device (promiscuous mode)
...
sys12 -> sys11 ETHER Type=0800 (IP), size = 98 bytes
sys12 -> sys11 IP D=192.168.1.1 S=192.168.1.2 LEN=84, ID=48009, TOS=0x0, TTL=255
sys12 -> sys11 ICMP Echo request (ID: 345 Sequence number: 0)
...
sys11 -> sys12 ETHER Type=0800 (IP), size = 98 bytes
sys11 -> sys12 IP D=192.168.1.2 S=192.168.1.1 LEN=84, ID=45375, TOS=0x0, TTL=255
sys11 -> sys12 ICMP Echo reply (ID: 345 Sequence number: 0)
#

To capture this information to a file, type the following command:

# snoop -d hme0 -o /tmp/snooper 192.168.1.2
Using device /dev/hme (promiscuous mode)
2 <Control>-C
#

To capture broadcast traffic on the hme0 interface and store it in the /tmp/snooper file, type the following command:

# snoop -d hme0 -o /tmp/snooper broadcast
#

While the snoop utility is capturing information, a record counter displays the number of recorded packets. You finish the capture by typing a Control+C key sequence. The information in the file that is captured by the snoop utility is in a data-compressed format, and can only be read by executing the snoop -i command.

# file /tmp/snooper
/tmp/snooper: snoop capture file - version 2
#

To read this format, type the following command:

# snoop -i /tmp/snooper -V
...
 1 0.00000 sys12 -> sys11 ETHER Type=0800 (IP), size = 98 bytes
 1 0.00000 sys12 -> sys11 IP D=192.168.1.1 S=192.168.1.2 LEN=84, ID=48010, TOS=0x0, TTL=255
 1 0.00000 sys12 -> sys11 ICMP Echo request (ID: 346 Sequence number: 0)
...
 2 0.00010 sys11 -> sys12 ETHER Type=0800 (IP), size = 98 bytes
 2 0.00010 sys11 -> sys12 IP D=192.168.1.2 S=192.168.1.1 LEN=84, ID=45376, TOS=0x0, TTL=255
 2 0.00010 sys11 -> sys12 ICMP Echo reply (ID: 346 Sequence number: 0)
#

To filter out specific protocols or portions of the network trace, pipe the output from the snoop -i command through the egrep command.

For example, the egrep -iv 'nfs|ack|contin|ftp|ip' command ignores case (-i) and prints all lines except (-v) lines that contain the patterns nfs, ack, contin, ftp, and ip.

# snoop -i /tmp/snooper -V | egrep -iv 'nfs|ack|contin|ftp|ip'
...
 1 0.00000 sys12 -> sys11 ICMP Echo request (ID: 346 Sequence number: 0)
...
 2 0.00010 sys11 -> sys12 ICMP Echo reply (ID: 346 Sequence number: 0)
#

Using the netstat Command

The netstat command includes many options and is useful as a network troubleshooting tool.

To display the current usage of the Ethernet interfaces, use the netstat command with the -i option:

# netstat -i
Name  Mtu  Net/Dest  Address    Ipkts  Ierrs  Opkts  Oerrs  Collis  Queue
lo0   8232 loopback  localhost  83505  0      83505  0      0       0
hme0  1500 sys11     sys11      21775  0      53541  0      0       0
#

Table 3-3 shows the descriptions of the output fields from the netstat command.

Table 3-3 The netstat Output Field Descriptions

Field      Description
Name       The name of the device (interface).
Mtu        The MTU in bytes.
Net/Dest   The network number. The number can be resolved to a name in the /etc/inet/networks file.
Address    The IP address for that interface. The address can be resolved to a name in the /etc/inet/hosts file.
Ipkts      Input packets.
Ierrs      Input errors.
Opkts      Output packets.
Oerrs      Output errors.
Collis     The number of collisions on this interface.
Queue      The number of packets that are waiting for transmission.

To display protocol-related statistics, use the netstat command with the -s option:

# netstat -s
<truncated output>
RAWIP   rawipInDatagrams = 298   rawipInErrors = 0
...
UDP     udpInDatagrams = 45966   udpInErrors = 0
...
TCP     tcpRtoAlgorithm = 4   tcpRtoMin = 400
...
IPv4    ipForwarding = 1   ipDefaultTTL = 255
...
IPv6    ipv6Forwarding = 2   ipv6DefaultHopLimit = 255
...
ICMPv4  icmpInMsgs = 3719   icmpInErrors = 0
...
ICMPv6  icmp6InMsgs = 0   icmp6InErrors = 0
...
IGMP: 123079 messages received
...
#

Using the ndd Command

You use the ndd command to examine and set many parameters associated with networking.

To list the parameters for the hme driver, perform the command:

# ndd /dev/hme \?
?                    (read only)
transceiver_inuse    (read only)
link_status          (read only)
link_speed           (read only)
link_mode            (read only)
ipg1                 (read and write)
...
...
...
instance             (read and write)
lance_mode           (read and write)
ipg0                 (read and write)
#

The \ character prevents the shell from interpreting ? as a special character. Using the ? parameter lists all parameters for the driver and indicates whether the parameter is read-only or read and write. You can read the current parameter value or status information for the parameters that are marked with at least a read; however, you may only change a value if it is marked as read and write.

You can adjust most parameters accessible through the ndd command without rebooting the system.

The following example shows how to use the ndd command to examine the value of the link_speed parameter for the hme0 interface. Because multiple hme interfaces might exist, use the ndd command to set the instance parameter first. The instance parameter determines which hme interface is addressed by subsequent ndd commands.

To set the instance to 0, use the following command:

# ndd -set /dev/hme instance 0
#

To view the current link speed of the hme0 interface, type the command:

# ndd /dev/hme link_speed
1
#

The output of 1 indicates that the hme0 interface is currently running at 100 Mbps, and a value of 0 indicates that the hme0 interface is running at 10 Mbps. The ndd parameters are also available for other network devices and protocols. For example, to see which parameters are available for other drivers, type the commands:

# ndd /dev/arp \?
# ndd /dev/ip \?
# ndd /dev/icmp \?
# ndd /dev/tcp \?

Sun Microsystems does not currently provide extensive ndd parameter documentation, except for network card configuration.

There are several trade-offs involved in setting driver parameters. Because the Solaris 10 OS is preconfigured, changing most driver parameters requires you to change the Solaris 10 OS configuration. The default settings are suitable for most situations. Sun Microsystems does not encourage making parameter changes, because adjusting parameters can affect normal system operation. Sun might also change the names of parameters in future versions of the Solaris OS.

You can set device driver parameters in two ways: by using the ndd command or by creating a Service Management Facility (SMF) service.

● Use the ndd command to set parameters that are valid until you reboot the system. A good way to test parameter settings is by using the ndd command on the command line.

● You can also create an SMF service.

Note – Information about setting ndd parameters in system startup scripts can be found in Chapter 4 of the Solaris Tunable Parameters Reference Manual located at the Uniform Resource Locator (URL) http://docs.sun.com.

Exercise: Reviewing Ethernet Interfaces

In this exercise, you review many Ethernet concepts.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Tasks

Perform the following steps:

1. Match the terms to their definition.

_____ MTU
_____ Unicast
_____ Preamble
_____ Encapsulation
_____ Packet
_____ Frame
_____ Type field

a. A general term that describes the unit of data sent across a packet-switching network

b. The process of passing data from layer to layer in the protocol stack and adding header information to the data at each layer

c. The field in the Ethernet frame that describes the type of data being carried in the frame

d. An address format that reaches a specific host

e. The field in an Ethernet frame used for synchronization purposes

f. The maximum number of bytes that are contained in the payload section in a Network Interface layer frame

g. The unit of data sent from the Ethernet interface to the Hardware layer

2. Open a terminal window, and type the command:

# man snoop

Look at the various modes and options for capturing and viewing frames available to you.

a. Which snoop option displays the size of the entire Ethernet frame in bytes on the summary line?

________________________________________________________

b. Which snoop option captures packets to a file instead of to standard output?

________________________________________________________

c. Which snoop option displays the most verbose output?

________________________________________________________

d. Which snoop option displays frames arriving on a non-primary interface?

________________________________________________________

3. Open another terminal window, and execute the netstat command to determine the name of your Ethernet interface. What are the names of the Ethernet interfaces on your system, and what are their purposes?

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

4. In one terminal window, execute the snoop utility on the default interface to capture only broadcast frames. Let this command run for the next step.

5. Using another terminal window, log in to another host on your subnet, and type the rup command.

a. Does the rup command send broadcast frames?

________________________________________________________

b. Do you see the replies to the rup command? Why?

________________________________________________________

Now you use different options of the snoop utility to provide different amounts of output.

6. Stop the snoop utility that is currently running, and restart the snoop utility in verbose mode. Capture only broadcast frames.

Write the command that you use:

_____________________________________________________________

7. In the terminal window logged in to the remote host, execute the rup command again. Observe the format of the output from the snoop utility running in verbose mode.

8. Stop the snoop utility, and execute the snoop utility in verbose summary mode, capturing only broadcast frames.

Write the command that you use:

_____________________________________________________________

9. In the terminal window that is logged in to the remote host, execute the rup command again. How do the two formats differ?

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

10. Log off of the remote host, and quit all instances of the snoop utility that you are running.

Note – While you might not understand everything that you see in this section of the exercise, you should at least become familiar with the command syntax, options, and output format of the ndd command. The results of the exercise vary, depending on the type of network interface in the system.


In this part of the exercise, you manipulate a specific interface on your system.

11. Use the appropriate argument with the ndd command to make sure that any instance information retrieved is for the primary network interface.

Write the command that you use:

_____________________________________________________________

12. Use the ndd command to determine the value of the link_status parameter of the primary network interface on your system. A status of 0 indicates that the interface is down. A status of 1 indicates that the interface is up.

Write the command that you use:

_____________________________________________________________

13. What command do you use to make the ndd command set your system's link_status parameter to 0?

_____________________________________________________________

14. Use the ndd command to determine the read and write attributes of ndd parameters for your interface driver. For example, if your system's interface is an hme0 interface, use /dev/hme as the parameter.

Write the command that you use:

_____________________________________________________________

Do you expect your command from Step 13 to work if you entered it at the command line as the root user? Why?

________________________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss the experiences, issues, or discoveries that you had during the lab exercises.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. Match the terms to their definition.

Answers:

f MTU
d Unicast
e Preamble
b Encapsulation
a Packet
g Frame
c Type field

Definitions:

a. A general term that describes the unit of data sent across a packet-switching network
b. The process of passing data from layer to layer in the protocol stack and adding header information to the data at each layer
c. The field in the Ethernet frame that describes the type of data being carried in the frame
d. An address format that reaches a specific host
e. The field in an Ethernet frame used for synchronization purposes
f. The maximum number of bytes that are contained in the payload section in a Network Interface layer frame
g. The unit of data sent from the Ethernet interface to the Hardware layer

2. Open a terminal window, and type the command:

# man snoop

Look at the various modes and options for capturing and viewing frames available to you.

a. Which snoop option displays the size of the entire Ethernet frame in bytes on the summary line?

-S

b. Which snoop option captures packets to a file instead of to standard output?

-o filename


c. Which snoop option displays the most verbose output?

-v

d. Which snoop option displays frames arriving on a non-primary interface?

-d interface name

3. Open another terminal window, and execute the netstat command to determine the name of your Ethernet interface. What are the names of the Ethernet interfaces on your system, and what are their purposes?

# netstat -i

The hme0 interface, the qfe0 interface, or perhaps the eri0 interface, depending on your system. The purpose of the network interface is to provide access to the LAN.

4. In one terminal window, execute the snoop utility on the default interface to capture only broadcast frames. Let this command run for the next step.

# snoop broadcast

5. Using another terminal window, log in to another host on your subnet, and type the rup command.

a. Does the rup command send broadcast frames?

Yes, you will observe the rup utility sending remote status (RSTAT) requests.

b. Do you see the replies to the rup command? Why?

No status replies are seen because the replies are sent to the host by using a unicast address.

Now you use different options of the snoop utility to provide different amounts of output.

6. Stop the snoop utility that is currently running, and restart the snoop utility in the verbose mode. Capture only the broadcast frames.

# snoop -v broadcast

7. In the terminal window logged in to the remote host, execute the rup command again. Observe the format of the output from the snoop utility running in the verbose mode.

8. Stop the snoop utility, and execute the snoop utility in verbose summary mode, capturing only broadcast frames.

# snoop -V broadcast


9. In the terminal window that is logged in to the remote host, execute the rup command again. How do the two formats differ?

The -v option executes the verbose mode. It prints packet headers in great detail. This display consumes many lines per packet and should be used only on selected packets.

The -V option executes the summary verbose mode. This is halfway between the summary mode and verbose mode in degree of verbosity. It displays a single summary line for each protocol layer in the packet instead of displaying multiple lines from each layer of encapsulation.

10. Log off of the remote host, and quit all instances of the snoop utility that you are running.

Note – While you might not understand everything that you see in this section of the exercise, you should at least become familiar with the command syntax, options, and output format of the ndd command. The results of the exercise vary, depending on the type of network interface in the system.

In this part of the exercise, you manipulate a specific interface on your system.

11. Use the appropriate argument of the ndd command to make sure that any instance information retrieved is for the primary network interface.

# ndd -set /dev/hme instance 0

12. Use the ndd command to determine the value of the link_status parameter of the primary network interface on your system. A status of 0 indicates that the interface is down. A status of 1 indicates that the interface is up.

# ndd /dev/hme link_status


13. What command do you use to make the ndd command set your system's link_status parameter to 0?

# ndd -set /dev/hme link_status 0

14. Use the ndd command to determine the read and write attributes of ndd parameters for your interface driver. For example, if your system's interface is an hme0 interface, use /dev/hme as the parameter.

# ndd /dev/device_of_interest \?

Do you expect your command from Step 13 to work if you entered it at the command line as the root user? Why?

The command would fail because the link_status parameter is read only.


Module 4

Describing ARP and RARP

Objectives

This module describes the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP). Additionally, this module describes the ARP table, the in.rarpd RARP daemon, and the /etc/inet/hosts and /etc/ethers databases.

Upon completion of this module, you should be able to:

● Describe ARP

● Describe RARP

The course map in Figure 4-1 shows how this module fits into the current instructional goal.

Figure 4-1 Course Map

[Course map: under the goal "Configuring the Network Interface Layer", the modules are Introducing the TCP/IP Model, Introducing LANs and Their Components, Describing Ethernet Interfaces, and Describing ARP and RARP.]


Introducing ARP

ARP is the method used to map a 32-bit IP address to a 48-bit Ethernet address.

Purpose of ARP

The ARP function occurs between the Internet and Network Interface layers of the TCP/IP model. Figure 4-2 shows the location of the ARP function in the model.

Figure 4-2 ARP in the TCP/IP Model

[Figure: the TCP/IP layers (Application Layer, Transport Layer, Internet Layer, Network Interface Layer, Hardware Layer), with ARP marked in the model.]

Data is encapsulated into an Ethernet frame before it is transmitted. An Ethernet frame includes a destination Ethernet address. Figure 4-3 shows the Ethernet frame.

Figure 4-3 Ethernet Frame

[Figure: Ethernet frame fields: Destination Ethernet Address, Source Ethernet Address, Type, Data, Cyclic Redundancy Check.]

When two systems need to communicate, they need each other's Ethernet addresses. ARP supplies the destination Ethernet address information if the sending system does not already know the destination address.


Operation of ARP

If the final destination (receiving system) of the message being sent is on the same LAN as the sending system, only one address resolution is required. If the final destination is on a different network, an address resolution might be required on each network that the message traverses on the path to its final destination.

Figure 4-4 shows a simplification of the address resolution process.

Figure 4-4 Address Resolution Process

[Figure: sys11 (192.168.1.1), sys12 (192.168.1.2), and sys13 (192.168.1.3) on one network, with the messages "Who is 192.168.1.3?" and "192.168.1.3 is 8:00:20:c0:78:73" labelled 1 and 2.]

For example, assume that the sys11 system must communicate with the sys13 system:

1. The sys11 system sends an ARP request to the local network by using the Ethernet broadcast address (ff:ff:ff:ff:ff:ff). The ARP request includes the IP address of the sys13 system.

2. The broadcast is seen by the sys12 and sys13 systems.

3. The sys12 and sys13 systems recognize that the ARP request contains the IP address and the Ethernet address of the sys11 system, and add this information to their ARP tables if it is not already present. This type of entry is known as an unsolicited entry because the information was not explicitly requested.


4. The sys13 system identifies its own IP address in the ARP request and sends an ARP reply to the sys11 system. The ARP reply includes the Ethernet address of the sys13 system, and it is sent using the unicast Ethernet address of the sys11 system (8:0:20:b9:72:23).

5. The sys11 system receives the ARP reply and stores the information about sys13 in its ARP table. This type of entry is a solicited entry because the sys11 system requested the information.

ARP Table

ARP responses are stored in the ARP table so that the information is available if it is required again in the near future. The ARP table, held in memory, stores IP addresses and Ethernet addresses. This table is read each time a destination Ethernet address is required to prepare an Ethernet frame for transmission. If an Ethernet address does not appear in the ARP table, an ARP request is sent to the local network. Other hosts that see the ARP request also update their ARP table with the IP and Ethernet addresses of the requesting host.

Use the ndd /dev/ip ip_ire_arp_interval command to display the length of time that solicited ARP entries are cached. The default value is 1200000. This value is stored in milliseconds and translates to 20 minutes.

Use the ndd /dev/arp arp_cleanup_interval command to display the length of time that unsolicited ARP entries are cached. The default value is 300000. This value is stored in milliseconds and translates to 5 minutes.

Solicited entries are those for which a host specifically requested an Ethernet address, whereas unsolicited entries result from storing information learned about a host that was performing an ARP request on the local network.


ARP Table Management

The arp command displays and controls the ARP table entries that map IP addresses to Ethernet addresses. Complete entries map an IP address to an Ethernet address. Incomplete entries contain an IP address only.

For example, to examine all entries in the ARP table, type the command:

# arp -a
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sys13                255.255.255.255       08:00:20:c0:78:73
hme0   sys11                255.255.255.255 SP    08:00:20:b9:72:23
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
#

The fields displayed in the output from the arp -a command are shown in Table 4-1.

Table 4-1 ARP Fields

Field – Description

Device – The network device (network interface) for this entry. This is the interface connected to the network on which this system resides.

IP Address – The IP address or host name of the system to which this entry applies.

Mask – The host mask value applied. This indicates whether the entry refers to a host or the multicast address range.

Flags – The status of the ARP entry:

● S is a static entry. Static entries do not time out.

● P is a published entry. A system can be configured to publish (advertise) an ARP entry on behalf of systems that cannot respond to ARP requests.

● M is a mapped entry. This is used for the 224.0.0.0 multicast entry only.

● U is an unresolved or incomplete entry.

Phys Addr – The physical address for the entry, also known as the MAC or the Ethernet address.


To examine a specific ARP table entry, type the command:

# arp hostname

where hostname is the name of the host or its decimal-dot notated IP address. For example:

# arp sys13
sys13 (192.168.1.3) at 8:0:20:c0:78:73
#

Information about any flags is also displayed. For example:

# arp sys11
sys11 (192.168.1.1) at 8:0:20:b9:72:23 permanent published
#

The keyword permanent relates to the S flag. The keyword published refers to the P flag.

To add a static (until reboot) ARP table entry, type the command:

# arp -s hostname ethernet_address

The preceding command overrides the default time-to-live (TTL) value for ARP table entries by creating a static entry. For example, to add a host's Ethernet address manually to the ARP table, type the command:

# arp -s 192.168.1.99 1:2:3:4:5:6

Use the arp and grep commands to search for the new table entry:

# arp -a | grep 99
hme0   192.168.1.99         255.255.255.255 S     01:02:03:04:05:06
#

Populate an ARP table manually in situations in which the destination device cannot respond to ARP requests, such as a system that is reached through a modem connection.

Use a published ARP entry when you want a host to answer an ARP request on behalf of another host. This is a useful option for heterogeneous environments and for some SLIP or PPP configurations in which some hosts cannot respond to ARP requests for themselves.

To add a published ARP table entry, execute the command:

# arp -s hostname ethernet_address pub


To add ARP table entries from a file, execute the command:

# arp -f filename

Entries in the file can be in the following form:

hostname ethernet_address [pub]

To delete an ARP table entry, execute the command:

# arp -d hostname

where hostname is the name of the host or its decimal-dot notated IP address.

For example, to remove the static entry that was added, type the command:

# arp -d 192.168.1.99
192.168.1.99 (192.168.1.99) deleted
#
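The following added example (not from the original guide) parses arp -a output in the Solaris layout shown in this module and lists the entries an administrator would want to review: static entries, which do not time out, published entries, and incomplete entries. The sample listing is constructed, the layout of the unresolved (U) row is an assumption, and the function names are illustrative.

```python
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")
FLAG_MEANINGS = {"S": "static", "P": "published", "M": "mapped", "U": "unresolved"}

# Constructed sample in the format of the arp -a listings in this module,
# with the static 192.168.1.99 entry and an assumed unresolved (U) entry.
SAMPLE_ARP_A = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sys13                255.255.255.255       08:00:20:c0:78:73
hme0   sys11                255.255.255.255 SP    08:00:20:b9:72:23
hme0   192.168.1.99         255.255.255.255 S     01:02:03:04:05:06
hme0   192.168.1.50         255.255.255.255 U
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
"""


def normalize_mac(text):
    """Return an Ethernet address as six two-digit lowercase hex octets."""
    return ":".join("%02x" % int(part, 16) for part in text.split(":"))


def parse_arp_table(text):
    """Parse arp -a output into a list of entry dictionaries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, the title, the column header and the dashed rule.
        if (len(fields) < 3 or fields[0] in ("Net", "Device")
                or fields[0].startswith("-")):
            continue
        device, address, mask, rest = fields[0], fields[1], fields[2], fields[3:]
        # The Flags column may be empty and an incomplete entry has no
        # address, so decide by the shape of the last field, not by count.
        mac = None
        if rest and MAC_RE.match(rest[-1]):
            mac = normalize_mac(rest.pop())
        flags = rest.pop() if rest else ""
        if rest or set(flags) - set(FLAG_MEANINGS):
            raise ValueError("unrecognized arp -a line: %r" % line)
        entries.append({"device": device, "address": address, "mask": mask,
                        "flags": flags, "mac": mac})
    return entries


def review_entries(entries, own=(), approved_static=()):
    """Return (address, finding) pairs for entries that deserve a look.

    own: names or addresses of this host's interfaces, which carry static,
    published entries by default. approved_static: static entries that the
    administrator added on purpose.
    """
    findings = []
    for entry in entries:
        flags, address = entry["flags"], entry["address"]
        if "M" in flags or address in own:
            continue  # multicast mapping and the host's own entries
        if "U" in flags or entry["mac"] is None:
            findings.append((address, "incomplete: no Ethernet address"))
        if "P" in flags:
            findings.append((address, "published: this host answers ARP for it"))
        if "S" in flags and address not in approved_static:
            findings.append((address, "static entry not in approved list"))
    return findings


if __name__ == "__main__":
    for address, finding in review_entries(parse_arp_table(SAMPLE_ARP_A),
                                           own={"sys11"}):
        print(address, "-", finding)
```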

To view the network traffic generated by an ARP request, use the snoop utility:

# snoop -v -d hme0 arp

In a second window, use the ping utility to contact another system on the network that is not listed currently in the system's ARP table:

# ping sys12
sys12 is alive
#

Observe the output from the snoop utility:

Using device /dev/hme (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 13:47:30.00038
ETHER: Packet size = 42 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 8:0:20:b9:72:23, Sun
ETHER: Ethertype = 0806 (ARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1


ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 1 (ARP Request)
ARP: Sender's hardware address = 8:0:20:b9:72:23
ARP: Sender's protocol address = 192.168.1.1, sys11
ARP: Target hardware address = ?
ARP: Target protocol address = 192.168.1.2, sys12
ARP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 2 arrived at 13:47:30.00038
ETHER: Packet size = 60 bytes
ETHER: Destination = 8:0:20:b9:72:23, Sun
ETHER: Source = 8:0:20:90:b5:c7, Sun
ETHER: Ethertype = 0806 (ARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 2 (ARP Reply)
ARP: Sender's hardware address = 8:0:20:90:b5:c7
ARP: Sender's protocol address = 192.168.1.2, sys12
ARP: Target hardware address = 8:0:20:b9:72:23
ARP: Target protocol address = 192.168.1.1, sys11
ARP:

<Control>-C
#


Introducing RARP

RARP is the method used to map a 48-bit Ethernet address to a 32-bit IP address.

Purpose of RARP

RARP is one of the protocols that a system can use when it needs to determine its IP address.

Diskless clients and JumpStart™ software clients depend upon another host or server from which to retrieve a network boot file. Each network boot file has a name that is based on the IP address of each client. To request the correct network boot file, each client uses RARP to obtain its IP address at boot time.

Operation of RARP

A system sends a RARP request to the Ethernet broadcast address when the system is booting and does not have any way to determine what its IP address will be without requesting the information over the network. Any system on the subnet running the RARP server daemon (in.rarpd), and that also has appropriately configured files or network naming service information, responds with the booting system's IP address.

RARP operations include a request and a reply. The RARP request is reported as a REVARP request by the snoop utility. For example:

# snoop -v -d hme0 rarp
Using device /dev/hme (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:52:11.00053
ETHER: Packet size = 64 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 8:0:20:90:b5:c7, Sun
ETHER: Ethertype = 8035 (RARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)


ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 3 (REVARP Request)
ARP: Sender's hardware address = 8:0:20:90:b5:c7
ARP: Sender's protocol address = 0.0.0.0, OLD-BROADCAST
ARP: Target hardware address = 8:0:20:90:b5:c7
ARP: Target protocol address = ?
ARP:

<Control>-C
#

The RARP reply is reported as a REVARP reply by the snoop utility. For example:

# snoop -v -d hme0 rarp
Using device /dev/hme (promiscuous mode)
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 12:52:19.00053
ETHER: Packet size = 42 bytes
ETHER: Destination = 8:0:20:90:b5:c7, Sun
ETHER: Source = 8:0:20:b9:72:23, Sun
ETHER: Ethertype = 8035 (RARP)
ETHER:
ARP: ----- ARP/RARP Frame -----
ARP:
ARP: Hardware type = 1
ARP: Protocol type = 0800 (IP)
ARP: Length of hardware address = 6 bytes
ARP: Length of protocol address = 4 bytes
ARP: Opcode 4 (REVARP Reply)
ARP: Sender's hardware address = 8:0:20:b9:72:23
ARP: Sender's protocol address = 192.168.1.1, sys11
ARP: Target hardware address = 8:0:20:90:b5:c7
ARP: Target protocol address = 192.168.1.2, sys12
ARP:

<Control>-C
#
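The ARP and RARP frames in the snoop traces of this module share one layout. The following added example (not part of the original guide) rebuilds the four traced frames as constructed byte strings, decodes them into the fields that snoop -v reports, and notes where a frame departs from the behaviour described in the text. The function names are illustrative, and sending an unknown address as zeros is an assumption.

```python
import struct

ETHERTYPES = {0x0806: "ARP", 0x8035: "RARP"}
OPCODES = {1: "ARP Request", 2: "ARP Reply",
           3: "REVARP Request", 4: "REVARP Reply"}
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    """Convert a snoop-style address such as 8:0:20:b9:72:23 to 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("bad Ethernet address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def mac_text(raw):
    """Format raw bytes the way snoop prints them (no leading zeros)."""
    return ":".join("%x" % b for b in raw)


def ip_bytes(text):
    """Convert a dotted-decimal IPv4 address to 4 raw bytes."""
    return bytes(int(p) for p in text.split("."))


def build_frame(dst, src, ethertype, opcode, sha, spa, tha, tpa, size=42):
    """Build a sample frame: 14-byte Ethernet header, 28-byte body, padding."""
    frame = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    frame += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return frame + b"\x00" * max(0, size - len(frame))


def check_frame(fields, ethertype, opcode):
    """Compare a decoded frame with the behaviour the guide describes."""
    notes = []
    if (ethertype == 0x0806) != (opcode in (1, 2)):
        notes.append("opcode does not belong to this Ethertype")
    if opcode in (1, 3) and not fields["broadcast"]:
        notes.append("request was not sent to the broadcast address")
    if opcode in (2, 4) and fields["broadcast"]:
        notes.append("reply was broadcast instead of unicast")
    if fields["source"] != fields["sender_mac"]:
        notes.append("Ethernet source differs from sender hardware address")
    return notes


def decode_frame(frame):
    """Decode an ARP or RARP frame into the fields that snoop -v reports."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP: %d bytes" % len(frame))
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in ETHERTYPES:
        raise ValueError("not ARP or RARP: Ethertype %04x" % ethertype)
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 address resolution message")
    if opcode not in OPCODES:
        raise ValueError("unknown opcode %d" % opcode)
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    fields = {
        "size": len(frame),  # includes any padding after the 42 bytes
        "ethertype": ETHERTYPES[ethertype],
        "opcode": OPCODES[opcode],
        "broadcast": dst == BROADCAST,
        "source": mac_text(src),
        "sender_mac": mac_text(sha),
        "sender_ip": ".".join(map(str, spa)),
        # The field being asked for holds no answer yet; snoop prints "?".
        "target_mac": "?" if opcode == 1 else mac_text(tha),
        "target_ip": "?" if opcode == 3 else ".".join(map(str, tpa)),
    }
    fields["notes"] = check_frame(fields, ethertype, opcode)
    return fields


# Constructed sample frames modelled on the snoop traces in this module.
SYS11, SYS12 = "8:0:20:b9:72:23", "8:0:20:90:b5:c7"
ANYONE, UNKNOWN = "ff:ff:ff:ff:ff:ff", "0:0:0:0:0:0"  # UNKNOWN: assumption
ARP_REQUEST = build_frame(ANYONE, SYS11, 0x0806, 1,
                          SYS11, "192.168.1.1", UNKNOWN, "192.168.1.2")
ARP_REPLY = build_frame(SYS11, SYS12, 0x0806, 2,
                        SYS12, "192.168.1.2", SYS11, "192.168.1.1", size=60)
RARP_REQUEST = build_frame(ANYONE, SYS12, 0x8035, 3,
                           SYS12, "0.0.0.0", SYS12, "0.0.0.0", size=64)
RARP_REPLY = build_frame(SYS12, SYS11, 0x8035, 4,
                         SYS11, "192.168.1.1", SYS12, "192.168.1.2")

if __name__ == "__main__":
    for frame in (ARP_REQUEST, ARP_REPLY, RARP_REQUEST, RARP_REPLY):
        print(decode_frame(frame))
```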

By default, the OpenBoot™ PROM is configured to use RARP as the network boot strategy. To force a system to perform a RARP boot, type the command:

ok boot net:rarp


The in.rarpd RARP Daemon

The in.rarpd RARP daemon must be running (as the root user) on systems that provide RARP responses to requests. The svc:/network/rarp SMF service enables the in.rarpd RARP daemon.

Note – Before the Solaris 10 OS, the in.rarpd RARP daemon was started by the /etc/rc3.d/S16boot.server start script if either the /tftpboot directory or the /rplboot directory existed. Before the Solaris 9 OS, the in.rarpd RARP daemon was started by the /etc/rc3.d/S15nfs.server start script.

The /etc/ethers and the /etc/inet/hosts Databases

The /etc/ethers and the /etc/inet/hosts files (or the corresponding network-naming service databases) support the Ethernet address-to-IP address relationship, which is needed to respond to RARP requests.

The /etc/ethers file contains the Ethernet address and corresponding host name for a system. View the /etc/ethers file with any text viewer, for example:

# cat /etc/ethers
8:0:20:c0:78:73 sys13
8:0:20:90:b5:c7 sys12
#

Note – Usually, the /etc/ethers file is created on boot servers only.

The in.rarpd daemon queries the /etc/ethers file (or corresponding network-naming service database) for the host name of the system that is performing the RARP request. The host name is resolved to an IP address by using the /etc/inet/hosts file (or corresponding network-naming service database) on the server. The resulting IP address is returned to the system that made the RARP request. Whether the boot server uses the local /etc/ethers and /etc/inet/hosts files or the corresponding naming service database is specified in the /etc/nsswitch.conf file.
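The two-step lookup described above, as an added example that is not part of the original guide or of in.rarpd itself: an Ethernet address is matched in /etc/ethers-format text, and the resulting host name is resolved through /etc/inet/hosts-format text. The file contents are constructed samples (the sys14 entry and the hosts lines are assumptions), and the function names are illustrative.

```python
# Constructed sample data: the first two ethers entries come from the
# listing in this module; sys14 and the hosts file are assumptions.
SAMPLE_ETHERS = """\
8:0:20:c0:78:73 sys13
8:0:20:90:b5:c7 sys12
8:0:20:aa:bb:cc sys14   # no matching hosts entry
"""

SAMPLE_HOSTS = """\
127.0.0.1    localhost
192.168.1.1  sys11 loghost
192.168.1.2  sys12
192.168.1.3  sys13
"""


def normalize_mac(text):
    """Return an Ethernet address as six two-digit lowercase hex octets."""
    parts = text.strip().split(":")
    if len(parts) != 6:
        raise ValueError("bad Ethernet address: %r" % text)
    return ":".join("%02x" % int(part, 16) for part in parts)


def data_lines(text):
    """Yield the fields of each line, ignoring # comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields


def parse_ethers(text):
    """Map normalized Ethernet address -> host name (first entry wins)."""
    table = {}
    for fields in data_lines(text):
        if len(fields) < 2:
            raise ValueError("ethers line needs an address and a name")
        table.setdefault(normalize_mac(fields[0]), fields[1])
    return table


def parse_hosts(text):
    """Map each host name and alias -> IP address (first entry wins)."""
    table = {}
    for fields in data_lines(text):
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table


def rarp_lookup(mac, ethers, hosts):
    """Return the IP address for a requesting Ethernet address, or None.

    None means that this server has no answer: either the address is not
    in the ethers data or its host name is not in the hosts data.
    """
    name = ethers.get(normalize_mac(mac))
    if name is None:
        return None
    return hosts.get(name)


def unresolvable_clients(ethers, hosts):
    """List (address, name) pairs in ethers whose name has no hosts entry."""
    return sorted((mac, name) for mac, name in ethers.items()
                  if name not in hosts)


if __name__ == "__main__":
    ethers, hosts = parse_ethers(SAMPLE_ETHERS), parse_hosts(SAMPLE_HOSTS)
    for mac in ("8:0:20:90:b5:c7", "8:0:20:aa:bb:cc", "8:0:20:1:2:3"):
        print(mac, "->", rarp_lookup(mac, ethers, hosts))
    print("cannot be answered:", unresolvable_clients(ethers, hosts))
```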


Exercise: Reviewing ARPs and RARPs

In this exercise, you become more familiar with the ARP table and the arp command. You force systems to perform ARP requests, and you view the ARP transactions with the snoop utility.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Be sure to write, in the space provided, any commands that you use during the exercise so that you can use this exercise as a reference after you have completed this course.

Work with other students to make sure that you all can see the expected results in the next part of this exercise.


Tasks

Perform the following steps:

1. In a terminal window, display the current contents of the ARP table on your host.

_____________________________________________________________

Explain why the table contents contain the entries reported by the arp command.

_____________________________________________________________

_____________________________________________________________

To communicate with another host, the system must first learn the Ethernet address of that host.

2. Issue the ping command to a host in your local network that is not currently in your ARP table.

_____________________________________________________________

3. Examine the ARP table again. Observe the new ARP entry for the host with which your system just communicated.

_____________________________________________________________

4. Use the arp command to delete all host entries except for the multicast entry (224.0.0.x) and your host's own entries.

_____________________________________________________________

5. In another window, start the snoop utility in verbose summary mode to filter out all but the broadcast frames.

_____________________________________________________________

6. Open a terminal on your local host, and check the contents of your ARP table for another host in your subnet that is not currently listed.

____________________________________________________________

7. Use the ping command to communicate with a host that is not in your system's ARP table.

____________________________________________________________

8. Examine the output from the snoop utility.

Why did you receive this result?

____________________________________________________________

____________________________________________________________


9. Stop the snoop utility.

____________________________________________________________

10. Start the snoop utility in verbose summary mode to filter out all but the ARP frames.

____________________________________________________________

11. Delete the ARP table entry for the host that you previously used.

____________________________________________________________

12. Use the ping command, and attempt to contact the host again.

____________________________________________________________

13. Examine the output from the snoop utility.

a. Did you see the ARP request?

_______________________________________________________

b. Why?

_______________________________________________________

c. Did you see the ARP response?

_______________________________________________________

d. Why?

_______________________________________________________

_______________________________________________________

_______________________________________________________

14. Use the ping command, and attempt to contact the host again.

____________________________________________________________

15. Examine the output from the snoop utility.

a. Did you see the ARP request?

_______________________________________________________

b. Why?

_______________________________________________________

_______________________________________________________

_______________________________________________________

16. Quit the snoop utility.

____________________________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. In a terminal window, display the current contents of the ARP table on your host.

# arp -a
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sys13                255.255.255.255       08:00:20:c0:78:73
hme0   sys11                255.255.255.255 SP    08:00:20:b9:72:23
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
#

Explain why the table contents contain the entries reported by the arp command.

If the system has previously contacted another system on the LAN, an entry is present. Locally configured interfaces have their own static, published entries and multicast entries by default. Unsolicited entries generated by ARP requests from other hosts might also be present.

To communicate with another host, the system must first learn the Ethernet address of that host.

2. Issue the ping command to a host in your local network that is not currently in your ARP table.

# ping sys12
sys12 is alive
#

3. Examine the ARP table again. Observe the new ARP entry for the host with which your system just communicated.

# arp -a
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sys13                255.255.255.255       08:00:20:c0:78:73
hme0   sys12                255.255.255.255       08:00:20:90:b5:c7
hme0   sys11                255.255.255.255 SP    08:00:20:b9:72:23
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
#


4. Use the arp command to delete all host entries except for the multicast entry (224.0.0.x) and your host's own entries.

# arp -d sys12
sys12 (192.168.1.2) deleted
# arp -d sys13
sys13 (192.168.1.3) deleted
#

5. In another window, start the snoop utility in verbose summary mode to filter out all but the broadcast frames.

# snoop -V broadcast
Using device /dev/hme (promiscuous mode)

6. Open a terminal on your local host, and check the contents of your ARP table for another host in your subnet that is not currently listed.

# arp -a
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   sys11                255.255.255.255 SP    08:00:20:b9:72:23
hme0   224.0.0.0            240.0.0.0       SM    01:00:5e:00:00:00
#

7. Use the ping command to communicate with a host that is not in your system's ARP table.

# ping sys12
sys12 is alive
#

8. Examine the output from the snoop utility.

Why did you receive this result?

The following is observed in the terminal running the snoop utility:

________________________________
sys11 -> (broadcast) ETHER Type=0806 (ARP), size = 42 bytes
sys11 -> (broadcast) ARP C Who is 192.168.1.2, sys12 ?

An address resolution was required because the host did not have the destination host address information in its ARP table.

The snoop utility is filtering on broadcasts, resulting in the broadcast requests that are observed in the snoop utility's output. Recall that ARP replies are unicasts, which explains why the ARP reply and the ICMP traffic were not observed.


9. Stop the snoop utility.

Press the Control+C key sequence to stop the snoop utility.

Control-C #

10. Start the snoop utility in verbose summary mode to filter out all but the ARP frames.

# snoop -V arp
Using device /dev/hme (promiscuous mode)

11. Delete the ARP table entry for the host that you previously used.

# arp -d sys12
sys12 (192.168.1.2) deleted
#

12. Use the ping command, and attempt to contact the host again.

# ping sys12
sys12 is alive
#

13. Examine the output from the snoop utility.

________________________________
sys11 -> (broadcast) ETHER Type=0806 (ARP), size = 42 bytes
sys11 -> (broadcast) ARP C Who is 192.168.1.2, sys12 ?
________________________________
sys13 -> sys11 ETHER Type=0806 (ARP), size = 60 bytes
sys13 -> sys11 ARP R 192.168.1.2, sys12 is 8:0:20:90:b5:c7

a. Did you see the ARP request?

Yes.

b. Why?

The snoop utility is filtering out all but the ARP packets.

c. Did you see the ARP response?

Yes.

d. Why?

The snoop utility is filtering out all but ARP packets. The ARP responses are unicast but are still ARP packets.

14. Use the ping command, and attempt to contact the host again.

# ping sys12
sys12 is alive
#


15. Examine the output from the snoop utility.

No output is seen from the snoop utility.

a. Did you see the ARP request?

No.

b. Why?

The system resolved the destination Ethernet address by using its local ARP table; therefore, an ARP request was unnecessary. The snoop utility filters out all but ARP packets, which explains why you did not see any ARP traffic resulting from the ping command.

16. Quit the snoop utility.

Press the Control+C key sequence.

Control-C #


Module 5

Configuring IP

Objectives

This module describes the features of IP, including the purpose of IP, the IP datagram, and IP address types. This module also describes subnetting and the variable length subnet mask (VLSM). Additionally, this module explains the purpose of interface configuration files and describes how to configure logical interfaces.

Upon completion of this module, you should be able to:

● Describe the Internet layer protocols

● Describe the IP datagram

● Describe the IP address types

● Describe subnetting and VLSMs

● Describe the interface configuration files

● Administer logical interfaces


The course map in Figure 5-1 shows how this module fits into the current instructional goal.

Figure 5-1 Course Map (Configuring the Network: Configuring IP, Configuring IP Network Multipathing, Configuring Routing, Configuring IPv6, Describing the Transport Layer)


Introducing the Internet Layer Protocols

IP is implemented at the Internet layer and is documented in RFC 791.

Purpose of IP

IP is provided by a loadable kernel module and has two main functions. IP provides:

● Connectionless delivery of datagrams on the network

● Fragmentation and reassembly of data to accommodate data links that implement different sizes of MTUs

A companion protocol for IP, ICMP, enables systems to send control or error messages to other systems. These messages provide a communication mechanism between the IP layer on one system and the IP layer on another system. Message types that are sent include echo request, echo reply, destination unreachable, router advertisement, redirect, router solicitation, and time exceeded.

Application data must fit in the data portion of an Ethernet frame. The upper limit on the amount of data in the Ethernet frame is defined by the MTU of the Network Interface layer. If the amount of application data is larger than the MTU, the data is broken into smaller units, called fragments, for transmission. Internet Protocol version 4 (IPv4) specifies that fragmentation occur at each router, based on the MTU of the interface through which the IP datagrams must pass.

To view the MTU of an interface, type the ifconfig -a command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#


Purpose of ICMP

ICMP enables IP on one system to send control and error messages to IP on other systems. This communication can include a control message, such as a routing redirect, or an error message, such as Network is unreachable. Network administrators and system utilities, such as the traceroute command, use this error messaging feature as a diagnostic tool.

ICMP Message Types

Some common ICMP message types include:

● Echo request and reply

● Destination unreachable

● Router advertisement

● Router solicitation

● Redirect

● Time exceeded

Note – To obtain supported ICMP message type information, view the /usr/include/netinet/ip_icmp.h file.

ICMP messages are defined in RFC 792. The ICMP header appears after the IP header and varies depending on the type of ICMP message. For example, Figure 5-2 shows an ICMP header when the destination is unreachable.

Figure 5-2 ICMP Destination Unreachable Header Template Format (bits 0 - 31; fields: Type, Code, Checksum, Unused)


Figure 5-3 shows an ICMP header for a redirect message.

Figure 5-3 ICMP Redirect Message Header Template Format (bits 0 - 31; fields: Type, Code, Checksum, Gateway Internet Address)

Figure 5-4 shows an ICMP header for an echo request or echo reply message.

Figure 5-4 ICMP Echo Request or Echo Reply Message Header Template Format (bits 0 - 31; fields: Type, Code, Checksum, Identifier, Sequence Number)


Introducing the IP Datagram

IP datagrams are the basic units of information that are passed across a TCP/IP network. The datagram header contains information, such as the source IP address and the destination IP address. The header also contains information about which protocol will receive data from IP. These protocols are UDP, TCP, and ICMP. The TTL field determines how many routers or hosts can process a datagram before the datagram must be discarded.

IP Datagram Header Fields

Figure 5-5 shows the IPv4 datagram header fields.

Figure 5-5 IPv4 Datagram Header Fields (Version, Header Length, Type of Service, Datagram Length, Datagram Identifier, Flags, Fragment Offset, Time to Live, Protocol, Checksum, Source IP Address, Destination IP Address, IP Options and Padding If Required)


The fields in the datagram header are described in Table 5-1.

Refer to RFC 791 for detailed information about the header fields.

Table 5-1 IP Datagram Header Fields

Field                    Description
Version                  The version of the protocol, for example 4 (IPv4).
Header length            The length of a datagram header. This value must be at least 20 bytes.
Type of service          The specified quality of service.
Datagram length          The length of the entire datagram, measured in bytes.
Datagram identifier      The value assigned by the sender to make reassembly of fragments possible for the receiving system.
Flags                    Information related to fragmentation. These flags define whether the datagram can be fragmented and whether the datagram is part of a message that was fragmented.
Fragment offset          The location of the fragment in the overall set of application data.
Time to live             The maximum number of routers through which the datagram can pass.
Protocol                 The Transport layer protocol to which the data in this datagram is delivered.
Checksum                 The header checksum used to verify that the header is not damaged.
Source IP address        The source system’s IPv4 address.
Destination IP address   The destination system’s IPv4 address.
IP options and padding   Optional information and padding, if required.


IP Datagram Payload

The IP datagram payload can contain any one of the following: a UDP datagram, a TCP segment, an ICMP message, or an Internet Group Management Protocol (IGMP) message.
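The following added example (not part of the student guide) decodes the IPv4 header fields of Table 5-1 and the three ICMP header layouts of Figures 5-2 through 5-4, and verifies both checksums. The sample datagram is constructed in the code; the function names are illustrative assumptions.

```python
import socket
import struct

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 9: "router advertisement",
              10: "router solicitation", 11: "time exceeded"}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte part of the IPv4 header (fields of Table 5-1)."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, length, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 datagram")
    if header_len < 20 or header_len > len(packet) or length < header_len:
        raise ValueError("inconsistent header or datagram length")
    return {
        "header_length": header_len,
        "type_of_service": tos,
        "datagram_length": length,
        "identifier": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,                              # 1 = ICMP, 6 = TCP, 17 = UDP
        # A valid header sums to zero when its own checksum field is included.
        "checksum_ok": inet_checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": packet[header_len:length],
    }


def parse_icmp(message: bytes) -> dict:
    """Decode the 8-byte ICMP header; bytes 4-7 depend on the message type."""
    if len(message) < 8:
        raise ValueError("shorter than the 8-byte ICMP header")
    mtype, code, _cksum = struct.unpack("!BBH", message[:4])
    out = {"type": mtype, "name": ICMP_NAMES.get(mtype, "other"), "code": code,
           "checksum_ok": inet_checksum(message) == 0}
    rest = message[4:8]
    if mtype == 3:                      # Figure 5-2: unused word
        out["unused"] = struct.unpack("!I", rest)[0]
    elif mtype == 5:                    # Figure 5-3: gateway internet address
        out["gateway"] = socket.inet_ntoa(rest)
    elif mtype in (0, 8):               # Figure 5-4: identifier, sequence number
        out["identifier"], out["sequence"] = struct.unpack("!HH", rest)
    return out


def build_sample_echo(src: str = "192.168.1.1", dst: str = "192.168.1.2") -> bytes:
    """Constructed sample: an ICMP echo request inside an IPv4 datagram."""
    data = b"constructed sample"
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF,
                         0x4000, 255, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + icmp


if __name__ == "__main__":
    ip = parse_ipv4(build_sample_echo())
    print({k: v for k, v in ip.items() if k != "payload"})
    print(parse_icmp(ip["payload"]))
```

The checksum results make header damage visible: changing any single header byte of the sample makes `checksum_ok` false.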


Introducing IP Address Types

IPv4 addresses are 32 bits in length. They are normally represented as four dot-separated, 8-bit fields, or octets, each represented by a decimal number between 0–255 (for example, 129.150.182.31).

Each IPv4 address identifies a network and a unique interface on that network.

Unicast Addresses

Unicast addresses identify a single interface on a network. Unicast addresses are used when a system needs to communicate with another system. There are three classes of unicast addresses: Class A, Class B, and Class C. The value of the high-order bits (first three bits) determines which portion of the IPv4 address is the network number and which portion is the host number. This addressing scheme is called classful IPv4 addressing.

Class A Addresses

Class A addresses are for very large networks and provide 16,777,214 host addresses. Figure 5-6 shows the beginning of the address in binary format.

Figure 5-6 Class A Unicast Addresses (leading bit 0; first octet 1 - 127; example: 10.102.2.113)

If the first bit is 0, that bit and the next seven bits define the network number, and the remaining 24 bits define the host number. This makes possible up to 128 Class A networks.

The Internet Assigned Numbers Authority (IANA) has reserved the Class A network 10.0.0.0–10.255.255.255 for private networks. These addresses are not routed in the Internet. Refer to RFC 1918 for additional details. In addition, the 127.0.0.0 address range cannot be used because 127.0.0.1 is reserved for the loopback interface.


Class B Addresses

Class B addresses are for large networks and provide 65,534 host addresses. Figure 5-7 shows the beginning of the address in binary format.

Figure 5-7 Class B Unicast Addresses (leading bits 10; first octet 128 - 191; second octet 0 - 255; example: 129.150.254.2)

If the first two bits are 10, those two bits and the next 14 bits define the network number, and the remaining 16 bits define the host number. This makes possible 16,384 Class B networks. The IANA has reserved the Class B networks 172.16.0.0–172.31.255.255 for private networks. These addresses are not routed in the Internet. Refer to RFC 1918 for additional details.

Class C Addresses

Class C addresses are for small-sized and medium-sized networks and provide 254 host addresses. Figure 5-8 shows the beginning of the address in binary format.

Figure 5-8 Class C Unicast Addresses (leading bits 110; first octet 192 - 223; second and third octets 0 - 255; example: 192.9.227.13)

If the first three bits are 110, those three and the next 21 bits define the network number, and the remaining eight bits define the host number. This makes possible up to 2,097,152 Class C networks. The IANA has reserved the Class C networks 192.168.0.0–192.168.255.255 for private networks. These addresses are not routed in the Internet. Refer to RFC 1918 for additional details.


Broadcast Addresses

A broadcast address is the address that reaches all systems on a particular network. A broadcast means that data is sent to all of the hosts on the LAN. In the Solaris 10 OS, the default broadcast address is an address that has a host number of all ones when represented in binary. An example of a broadcast address is 192.168.1.255. You use the ifconfig command to configure an interface’s broadcast address.

Multicast Addresses

Multicasting is a very efficient way to send large amounts of data to many systems at the same time. A multicast address identifies interfaces that belong to a specific multicast group. Packets that are sent to a multicast address are received by all interfaces that are associated with the multicast address. Figure 5-9 shows the beginning of a multicast address in binary format.

Figure 5-9 Multicasting (leading bits 1110; first octet 224 - 239; remaining octets 0 - 255; example: 224.0.1.8)

If the first four bits are 1110, which makes the first field an integer value between 224 and 239, the address is a multicast address. The remaining 28 bits comprise a group identification number for a specific multicast group. An IPv4 multicast address is a destination address for one or more hosts, while a Class A, B, or C address is an address for an individual host. The IPv4 multicast address maps to an Ethernet multicast address so that the network interface listens for multicast traffic. The low-order 23 bits of the IPv4 multicast address are placed into the low-order 23 bits of the Ethernet multicast address. Therefore, an IPv4 multicast address of 224.0.0.1 maps to 01:00:5e:00:00:01.
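The following added example (not part of the student guide) classifies an IPv4 address by its high-order bits as described above and performs the 23-bit multicast-to-Ethernet mapping. Because only 23 of the 28 group bits are copied, different multicast groups can share one Ethernet address, which the last lines show. Function names are illustrative assumptions.

```python
import ipaddress

# RFC 1918 private ranges named in the Class A, B, and C descriptions.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def multicast_mac(address: str) -> str:
    """Place the low-order 23 bits of the group address into 01:00:5e:00:00:00."""
    value = int(ipaddress.IPv4Address(address))
    if value >> 28 != 0b1110:
        raise ValueError("not an IPv4 multicast address")
    mac = 0x01005E000000 | (value & 0x7FFFFF)
    return ":".join("%02x" % b for b in mac.to_bytes(6, "big"))


def classify(address: str) -> dict:
    """Apply the classful rules: the leading bits select the network/host split."""
    ip = ipaddress.IPv4Address(address)
    value = int(ip)
    first = value >> 24
    if first >> 7 == 0b0:
        kind, net_bits = "A", 8
    elif first >> 6 == 0b10:
        kind, net_bits = "B", 16
    elif first >> 5 == 0b110:
        kind, net_bits = "C", 24
    elif first >> 4 == 0b1110:
        return {"class": "multicast",
                "group_id": value & 0x0FFFFFFF,      # remaining 28 bits
                "ethernet": multicast_mac(address)}
    else:
        return {"class": "reserved"}
    mask = (0xFFFFFFFF << (32 - net_bits)) & 0xFFFFFFFF
    return {
        "class": kind,
        "netmask": str(ipaddress.IPv4Address(mask)),
        "network": str(ipaddress.IPv4Address(value & mask)),
        "host": value & ~mask & 0xFFFFFFFF,
        "private": any(ip in net for net in PRIVATE_RANGES),
        "loopback": first == 127,
    }


if __name__ == "__main__":
    for sample in ("10.102.2.113", "129.150.254.2", "192.9.227.13",
                   "172.16.5.4", "224.0.1.8"):
        print(sample, classify(sample))
    # 224.0.0.1 and 225.128.0.1 differ only in bits that are not copied,
    # so both groups are received on the same Ethernet multicast address.
    print(multicast_mac("224.0.0.1"), multicast_mac("225.128.0.1"))
```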


Introducing Subnetting and VLSM

The Internet is composed of many routers that interconnect different networks. Each router interface must be on a unique network and must have a unique address. Assigning different IP addresses to different networks is required because of the IP addressing scheme required by routers. Subnetting and VLSMs are two ways of dividing an assigned network address into multiple, smaller networks for use within an organization. These smaller networks are referred to as subnetworks, or subnets.

Subnetting

You can divide a network into subnets to do the following:

● Isolate network traffic within local subnets, therefore reducing contention for network bandwidth

● Secure or limit access to a subnet

● Enable localization of specific network protocols to a subnet

● Permit the association of a subnet with a specific geography or a department

● Enable administrative work to be broken into logical units

Figure 5-10 shows the basic idea of subnetting, which is to divide the standard host number field into two parts: the subnet number and the host number on that subnet.

Figure 5-10 Subnetting (two-level hierarchy: Network Number, Host Number; three-level hierarchy: Network Number, Subnet Number, Host Number)


Netmasks

An IP address contains both the network on which the Solaris OS is located and the host number on the network assigned to that system. In a subnet environment, you need to be able to determine how much of the IP address represents the network and how much of the IP address represents the host number. The netmask is the mechanism by which this is determined.

Each IP address has a netmask associated with it. A netmask is 32 bits in length. Each bit in the netmask is used to state whether the corresponding bit in the IP address forms part of the network number or the host number. The bit values are associated with either the network number or the host number as follows:

1 The corresponding bit in the IP address is part of the network number.

0 The corresponding bit in the IP address is part of the host number.

Netmasks are written by using the same decimal dot-separated notation that is used for IP addresses. For example, a netmask which has the first sixteen bits set to 1 and the last sixteen bits set to 0 is written:

255.255.0.0

A netmask which has the first twenty bits set to 1 and the last twelve bits set to 0 is written:

255.255.240.0

There are standard netmasks for the three classes of unicast address. The netmask for a Class A network is 255.0.0.0. The netmask for a Class B network is 255.255.0.0. The netmask for a Class C network is 255.255.255.0.


For example, consider the Class B network 172.16.0.0. The default netmask for this network is 255.255.0.0, and the broadcast address is 172.16.255.255. This gives a single network of 65,534 hosts. By using a different netmask, it is possible to divide this single network into more, smaller networks.

If you choose to divide this single network into, for example, eight smaller networks, you can do so by changing the netmask. To do this, you first need to know what power of 2 the number 8 is. (Netmasks always create a total number of networks that is a power of 2.) The power of 2 value determines how many extra 1s are required in the netmask.

Because the number 8 is the number 2 to the power 3, to create 8 separate networks you need three additional 1s in the netmask. The default netmask value (in binary) is:

11111111 11111111 00000000 00000000

The additional 1s are placed in the netmask next to the existing 1s to give:

11111111 11111111 11100000 00000000

Written in decimal format, this is 255.255.224.0 .

This netmask creates eight new, smaller networks, each with 8190 hosts. The network numbers and broadcast addresses of the eight new networks are listed in Table 5-2.

Table 5-2 Netmask Network Addresses

Network Number   Broadcast Address
172.16.0.0       172.16.31.255
172.16.32.0      172.16.63.255
172.16.64.0      172.16.95.255
172.16.96.0      172.16.127.255
172.16.128.0     172.16.159.255
172.16.160.0     172.16.191.255
172.16.192.0     172.16.223.255
172.16.224.0     172.16.255.255


Contiguous Netmasks

Each bit in a netmask is independent of any other bit. It is possible to have netmasks in which the 1s and 0s are interleaved, but this is not recommended. RFC 950 recommends the use of contiguous subnet masks only. A contiguous subnet mask is one that uses only contiguous, high-order bits (that is, the netmask consists of a sequence of 1s followed by a sequence of 0s). For example:

11111111 11111111 11111111 11110000

Noncontiguous Netmasks

Although RFC 950 recommends the use of contiguous subnet masks only, nothing prevents the use of noncontiguous subnet masks. For example:

11111111 11111111 11111111 01001010

Using noncontiguous subnet masks makes administration of the network more difficult and should be avoided if at all possible.
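The following added example (not part of the student guide) carries out the netmask arithmetic of this section: it derives the new netmask and the rows of Table 5-2 from the number of networks wanted, computes the all-ones broadcast address for an address and netmask, and checks whether a netmask is contiguous. Function names are illustrative assumptions.

```python
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_is_contiguous(mask: str) -> bool:
    """True when the netmask is a run of 1s followed by a run of 0s."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    # A contiguous mask inverts to 2**n - 1, which shares no bit with 2**n.
    return inverted & (inverted + 1) == 0


def broadcast_for(address: str, mask: str) -> str:
    """Network number with every host bit set to 1."""
    m = to_int(mask)
    return to_dotted((to_int(address) & m) | (~m & 0xFFFFFFFF))


def split_network(network: str, default_mask: str, count: int):
    """Divide a network into `count` equal subnets.

    Returns (new_netmask, hosts_per_subnet, [(network_number, broadcast), ...]).
    """
    if count < 1 or count & (count - 1):
        raise ValueError("a netmask always creates a power-of-2 number of networks")
    if not mask_is_contiguous(default_mask):
        raise ValueError("default netmask must be contiguous")
    extra_ones = count.bit_length() - 1            # 8 networks -> 3 extra 1s
    old_mask = to_int(default_mask)
    new_prefix = bin(old_mask).count("1") + extra_ones
    if new_prefix > 30:
        raise ValueError("no usable host addresses would remain")
    new_mask = (0xFFFFFFFF << (32 - new_prefix)) & 0xFFFFFFFF
    size = 1 << (32 - new_prefix)
    base = to_int(network) & old_mask
    rows = [(to_dotted(base + i * size), to_dotted(base + (i + 1) * size - 1))
            for i in range(count)]
    return to_dotted(new_mask), size - 2, rows


if __name__ == "__main__":
    mask, hosts, rows = split_network("172.16.0.0", "255.255.0.0", 8)
    print("netmask", mask, "hosts per network", hosts)
    for number, broadcast in rows:
        print("%-15s %s" % (number, broadcast))
    print(mask_is_contiguous("255.255.255.240"))   # 11110000 in the last octet
    print(mask_is_contiguous("255.255.255.74"))    # 01001010 in the last octet
    print(broadcast_for("172.16.130.7", mask))
```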


Configuring the Netmask

A netmask is configured on each network interface when an IP address is assigned. The default behavior is to apply the appropriate class of netmask depending upon the address, but it is possible to specify a netmask other than the default.

When configuring an interface on the command line by using the ifconfig command, use the netmask argument to set the netmask for an interface. The netmask argument is followed by the netmask value, specified as:

● Dot-separated decimals

● A single, hexadecimal value preceded by 0x

● A + (plus) sign

● A name listed in the /etc/inet/networks file or equivalent naming service database

For example:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
# ifconfig hme0 down
# ifconfig hme0 netmask 255.255.240.0
# ifconfig hme0 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask fffff000 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#


The broadcast address for an interface is related to the netmask. If the netmask is changed, the broadcast address must also be changed to reflect the new network. The simplest way to do this is to use the broadcast + argument to the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask fffff000 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
# ifconfig hme0 down
# ifconfig hme0 broadcast +
# ifconfig hme0 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask fffff000 broadcast 192.168.15.255
        ether 8:0:20:b9:72:23
#

The /etc/inet/netmasks File

The svc:/network/physical SMF service configures the network interfaces at system boot. This method uses the ifconfig command to configure the network interfaces. When configuring network interfaces, the ifconfig command can be supplied with a netmask as an argument, or it can determine which netmask to use based upon system information.

Note – Before the Solaris 10 OS, the network interfaces were configured at boot time during the execution of the /etc/rcS.d/S30network.sh script in the Solaris 9 OS, while in earlier releases they were configured as part of the S30rootusr.sh script.


Netmasks for particular networks can be defined in the /etc/inet/netmasks file. The /etc/netmasks file is linked symbolically to the /etc/inet/netmasks file. The /etc/inet/netmasks file enables the permanent assignment of a netmask. The ifconfig command consults the /etc/inet/netmasks file (or equivalent naming-service database) if no netmask is specified as an argument. For every network that is subnetted, an individual line is entered into this file. Each entry in the /etc/inet/netmasks file contains the netmask definition of a network number.


For example:

# cat /etc/inet/netmasks
#
# The netmasks file associates Internet Protocol (IP) address
# masks with IP network numbers.
#
#       network-number  netmask
#
# The term network-number refers to a number obtained from the Internet Network
# Information Center.
#
# Both the network-number and the netmasks are specified in
# "decimal dot" notation, e.g:
#
#       128.32.0.0 255.255.255.0
#
192.168.1.0     255.255.255.0
#

The netmask value in the netmasks file can be specified when configuring the network interface by using the + (plus) argument with the netmask argument:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask fffff000 broadcast 192.168.15.255
        ether 8:0:20:b9:72:23
# ifconfig hme0 down
# ifconfig hme0 netmask + broadcast +
# ifconfig hme0 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#


VLSM

RFC 950 specifies how an IP network could use subnet masks. When an IP network is assigned more than one subnet mask, it is considered a network with VLSMs because the extended-network numbers have different lengths at each subnet level.

Two of the main advantages of assigning more than one subnet mask to a given IP network number are:

● Multiple subnet masks permit more efficient use of an organization’s assigned IP address space.

● Multiple subnet masks permit route aggregation, which can significantly reduce the amount of routing information at the backbone level within an organization’s routing domain.

An example of VLSM entries in the /etc/inet/netmasks file is:

12.0.0.0        255.255.0.0
12.3.0.0        255.255.255.0
12.3.254.0      255.255.255.224

Note – VLSM subnet masks’ syntax has been recognized since the Solaris 2.6 OS.

Figure 5-11 shows these additional subnet and host addresses.

Figure 5-11 Subnet Mask Addresses (12.0.0.0 with a 16-bit subnet mask: 12.1.0.0, 12.2.0.0, 12.3.0.0, ..., 12.252.0.0, 12.253.0.0, 12.254.0.0; 12.3.0.0 with a 24-bit subnet mask: 12.3.1.0, 12.3.2.0, 12.3.3.0, ..., 12.3.252.0, 12.3.253.0, 12.3.254.0; 12.3.254.0 with a 27-bit subnet mask: 12.3.254.0, 12.3.254.32, 12.3.254.64, ..., 12.3.254.192, 12.3.254.224)


One of the major problems with supporting only a single subnet mask across a given network number is that once the mask is selected, it locks the organization into a fixed number of fixed-sized subnets. For example, a Class B subnet that is masked with 255.255.252.0 yields additional subnet and host addresses.

Figure 5-12 shows the breakdown of the number of networks and the number of hosts as a result of a fixed subnet mask being applied to the address.

Figure 5-12 Breakdown of Hosts and Subnets (netmask 11111111 11111111 11111100 00000000: 64 subnets, 1024 - 2 hosts per subnet)
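The following added example (not part of the student guide) contrasts the fixed-mask breakdown of Figure 5-12 with a variable-length allocation inside the 12.3.254.0 block used above. The subnet names and host counts are constructed for illustration, and the largest-first allocation strategy is one common approach, not a procedure taken from the guide.

```python
import ipaddress


def fixed_mask_plan(block: str, mask: str):
    """Number of subnets and usable hosts per subnet for one fixed netmask."""
    net = ipaddress.IPv4Network(block)
    new_prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    if new_prefix < net.prefixlen:
        raise ValueError("netmask is shorter than the block's own prefix")
    return 1 << (new_prefix - net.prefixlen), (1 << (32 - new_prefix)) - 2


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose subnet still offers `hosts` usable addresses."""
    host_bits = 2
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate_vlsm(block: str, requirements: dict):
    """Give each named subnet its own mask length.

    Subnets are placed largest first, so every subnet starts on a boundary
    of its own size. Returns [(name, network_number, netmask, usable_hosts)].
    """
    net = ipaddress.IPv4Network(block)
    cursor = int(net.network_address)
    last = int(net.broadcast_address)
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if prefix < net.prefixlen or cursor + size - 1 > last:
            raise ValueError("block %s has no room left for %r" % (block, name))
        subnet = ipaddress.IPv4Network((cursor, prefix))
        plan.append((name, str(subnet.network_address), str(subnet.netmask),
                     size - 2))
        cursor += size
    return plan


if __name__ == "__main__":
    # Figure 5-12: a Class B network masked with 255.255.252.0.
    print(fixed_mask_plan("172.16.0.0/16", "255.255.252.0"))
    # A single 27-bit mask gives 8 subnets of 30 hosts: too small for "lab".
    print(fixed_mask_plan("12.3.254.0/24", "255.255.255.224"))
    # Constructed requirements (hosts per subnet); names are hypothetical.
    needs = {"lab": 100, "office": 50, "dmz": 20, "link": 2}
    for row in allocate_vlsm("12.3.254.0/24", needs):
        print("%-7s %-13s %-16s %d hosts" % row)
```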


Introducing the Interface Configuration Files

System administrators often configure system interfaces from the command line so that the changes are made immediately without having to reboot the system. This configuration must be performed manually each time the system is restarted for any reason because changes made at the command line are not stored in configuration files.

Configuration files enable systems to automatically configure interfaces during the boot process.

The /etc/hostname.interface File

The svc:/network/physical SMF service reads the /etc/hostname.interface file. The service assigns an IPv4 address on the local system for each IPv4 interface. At least one /etc/hostname.interface file must exist on the local system for each interface to be configured. Additional interfaces can be configured by creating additional hostname.interface files manually. These files must contain at least one entry: the host name or the IPv4 address that is associated with the network interface. For example, if the hme0 interface is the primary network interface for a system called sys11, the file is called /etc/hostname.hme0 and it contains at least one line, which is the name of the system, sys11.

Note – In the Solaris 9 OS, the /etc/rcS.d/S30network.sh startup script reads the /etc/hostname.interface file. In earlier releases of Solaris, the S30rootusr.sh script reads the /etc/hostname.interface file.

The /etc/inet/hosts File

The /etc/inet/hosts file contains the IPv4 addresses and the host names of the interfaces on your system. The /etc/hosts file is linked symbolically to the /etc/inet/hosts file. This file is referenced when the /etc/nsswitch.conf file has the files keyword for host resolution. This file is also referenced at system startup when the interfaces are being configured.


An example of an /etc/inet/hosts file is:

# more /etc/inet/hosts
#
# Internet host table
#
127.0.0.1       localhost
192.168.1.1     sys11   loghost
#

In this example, the IPv4 address 127.0.0.1 is the loopback address, the reserved network address that supports interprocess communication by permitting the local system to send packets to itself. Every system on a TCP/IP network must use the IP address 127.0.0.1 for the local host.

The /etc/nodename File

The /etc/nodename file contains one entry: the host name of the local system. For example, on system sys11, the /etc/nodename file contains the entry sys11. This file establishes the canonical name for the system for applications.

If a system requires a host name change, the following files must be edited to reflect the new host name:

● The /etc/inet/hosts file

● The /etc/nodename file

● The /etc/hostname.interface file

Note – Versions of the Solaris OS before Solaris 10 OS required the /etc/net/*/hosts files to be edited when changing a system’s host name. Editing these files is not required in the Solaris 10 OS.


Administering Logical Interfaces

Logical interfaces are also referred to as virtual interfaces. You can configure a single, physical network interface to have many different IP addresses, including IP addresses that are in different IP classes. Logical interfaces do not have to exist on the same subnet as the primary interface. This is one way in which a single system can appear to be multiple systems.

To view the number of logical addresses that can be configured, type the command:

    # ndd /dev/ip ip_addrs_per_if
    256
    #

This represents the physical interface and a further 255 logical interfaces. The ndd command can be used to change this value up to a maximum of 8192.

Introducing Logical Interfaces

Each logical interface is assigned a unique IP address and a unique host name. Example scenarios in which logical interfaces might be applied include:

● Systems that use high-availability failover

● Web servers that require multiple web site URLs

● Servers that run several applications which must appear as separate systems

Some advantages of logical interfaces are:

● Lower cost – You do not need to purchase additional Ethernet cards.

● Easier to back up and administer – Backup and maintenance can be done on one host instead of on several hosts.


Some disadvantages of logical interfaces are:

● Heavy network load – Having many logical addresses tied to a specific Ethernet interface can cause a network performance bottleneck.

● Slower system start – Each logical interface must be configured on system boot, which can be a lengthy process when a large number of interfaces are configured.

Physical network interfaces have names of the form:

driver-name physical-unit-number

For example:

    hme0
    qfe3

Logical interfaces have names of the form:

driver-name physical-unit-number:logical-unit-number

For example:

    hme0:1
    qfe3:1

Figure 5-13 shows how a system with one interface can appear as two different systems.

Figure 5-13 System Interfaces

Web Server With One IP Address:
hme0 192.168.1.1 www.sys11.com

Web Server Configured With Multiple IP Addresses on a Single Ethernet Interface:
hme0 192.168.1.1 www.sys11.com
hme0:1 192.168.1.99 www.sys99.com


Configuring Logical Interfaces

After a physical interface is plumbed (it has STREAMS set up for IP and is open), and is configured as up by the ifconfig command, you can configure logical interfaces that are associated with the physical interface by using separate plumb or addif options to the ifconfig command.

To view the current configuration of the interfaces on the system before adding a logical interface, use the ifconfig command:

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    #

To configure logical network interface 1 on the hme0 physical interface, use the ifconfig command. In this example, the logical interface is assigned an IP address of 192.169.1.1:

    # ifconfig hme0:1 plumb 192.169.1.1 up
    #

To view the changes made to the interface, use the ifconfig command:

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.169.1.1 netmask ffffff00 broadcast 192.169.1.255
    #

The hme0:1 interface is now configured. It has a default netmask of ffffff00 (255.255.255.0), and it has a broadcast address of 192.169.1.255. You can assign different values for the netmask and broadcast address if you choose to. Notice that the index number is unique for each physical interface, while logical interfaces use the physical interface’s index number.


The addif Option

It can be tedious to increment the logical interface number each time you add logical interfaces. The ifconfig command includes the addif option, which causes the command to use the next available logical interface.

For example, to add the next logical interface with an IP address of 192.168.55.1, use the following command:

    # ifconfig hme0 addif 192.168.55.1 up
    Created new logical interface hme0:2
    #

The same results can be achieved by editing the /etc/hostname.hme0 file so that its contents are similar to the following:

    # cat /etc/hostname.hme0
    sys11 up
    addif 192.168.55.1 up

Then reboot the system to configure the logical interface.

    # init 6
    #

To view the changes made to the interface, use the ifconfig command:

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.55.1 netmask ffffff00 broadcast 192.168.55.255
    #

The hme0:1 interface is added and is functional.


Unconfiguring Logical Interfaces

To unconfigure a logical interface, use the ifconfig command with the down and unplumb options. Use the down option before the unplumb option to make sure that the interface is shut down in the correct order and that no data is lost. For example, to unconfigure the hme0:1 interface, type the following:

    # ifconfig hme0:1 down unplumb
    #

To verify that the interface is removed, use the ifconfig command:

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    #

The hme0:1 interface is no longer available.

When you know the logical interface’s IP address, but you do not know to which logical interface the address is assigned, use the ifconfig command with the removeif option. For example:

    # ifconfig hme0 removeif 192.168.55.1
    #

Caution – If you are logged in remotely and are using this interface for your connection, you will lose your connectivity to the system.
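The following is an added example, not part of the course material: a shell function that lists the logical interfaces found in ifconfig -a output and marks each one whose address lies outside the physical interface's network, the case in which one system appears as several. The names logical_audit and sample_logical are made up here, the hme0:2 entry in the sample is constructed, and the parser assumes the Solaris ifconfig output layout shown in this section.

```shell
#!/bin/sh
# Added example: inventory of logical interfaces from Solaris "ifconfig -a"
# output read on stdin. Prints "<interface> <address> <verdict>" per logical
# interface, where the verdict compares the address with the network of the
# physical interface it is attached to.
logical_audit() {
    awk '
    # Decimal value of octet i (1-4) of a hex netmask such as ffffff00.
    function maskoctet(h, i,    d, hi, lo) {
        d = "0123456789abcdef"; h = tolower(h)
        hi = index(d, substr(h, 2 * i - 1, 1)) - 1
        lo = index(d, substr(h, 2 * i, 1)) - 1
        return hi * 16 + lo
    }
    # Network part of dotted address a under hex mask h. The per-octet AND is
    # done with modulo arithmetic, which is exact for contiguous netmasks.
    function network(a, h,    o, i, s, sep) {
        split(a, o, ".")
        for (i = 1; i <= 4; i++) {
            s = s sep (o[i] - o[i] % (256 - maskoctet(h, i)))
            sep = "."
        }
        return s
    }
    # Stanza header, e.g. "hme0:1: flags=1000843<UP,...> mtu 1500 index 2"
    /^[a-z][a-z0-9]*(:[0-9]+)?: flags=/ { name = $1; sub(/:$/, "", name); next }
    # Address line, e.g. "inet 192.169.1.1 netmask ffffff00 broadcast ..."
    $1 == "inet" {
        phys = name; sub(/:.*/, "", phys)
        if (name == phys) { addr[phys] = $2; mask[phys] = $4; next }
        if (!(phys in addr)) { print name, $2, "no-physical-address"; next }
        same = network($2, mask[phys]) == network(addr[phys], mask[phys])
        print name, $2, (same ? "same-subnet" : "off-subnet")
    }'
}

# Sample input: the hme0 and hme0:1 stanzas as shown in this section, plus a
# constructed hme0:2 stanza on the same subnet as hme0.
sample_logical() {
    cat <<'EOF'
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.169.1.1 netmask ffffff00 broadcast 192.169.1.255
hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.99 netmask ffffff00 broadcast 192.168.1.255
EOF
}

# On a live system: ifconfig -a | logical_audit
sample_logical | logical_audit
```

Saving this listing before and after a change gives a record of which logical addresses were added or removed.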


Exercise: Reviewing IP

In this exercise, you define logical interfaces in two ways: by explicitly naming the logical interface and by using a command to automatically add the next available logical interface.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Task Summary

In this exercise, you accomplish the following:

● Use the ifconfig command to define and configure a hme0:1 interface on a different network to the hme0 interface.

● Define the RFC 1918-compliant address by replacing the 192.168 part of your system’s address with 172.18/24. The /24 means that the first 24 bits of the address represent the network address, and the remaining 8 bits represent the host portion of the address.

● Configure the interface to use a Class C broadcast address. For example, if your hme0 interface has an address of 192.168.1.2, configure the hme0:1 interface to have an IP address of 172.18.1.2, a netmask of 255.255.255.0, and a broadcast address of 172.18.1.255.


Tasks

Complete the following steps:

1. Use the ifconfig command to view the system’s interface configuration before making any changes, so that you can easily restore your system to its original state if needed.

Write the command that you use:
_____________________________________________________________

2. Use the ifconfig command to configure the hme0:1 interface with the appropriate IP address and a netmask of 255.255.255.0. For example, if your IP address begins with 192.168, then change it so that it begins with 172.18. Use the appropriate command to cause the interface to function properly.

Write the command that you use:
_____________________________________________________________

3. View the configuration of the interfaces on the system. Notice that the index for the new logical interface is the same as the physical interface and that no Ethernet address is listed under the new logical interface.

Write the command that you use:
_____________________________________________________________

4. Use the ifconfig command with the appropriate option to configure the next available logical interface with an IP address that is incremented by 1 in the second octet. For example, if you used 172.18.1.2 in the previous step, use 172.19.1.2 for this interface. Configure a netmask of 255.255.255.0 and a broadcast address of 172.19.1.255. Be sure to use the appropriate command to cause the interface to function properly.

Write the command that you use:
_____________________________________________________________

5. View the configuration of the interfaces on the system. Notice that the next sequential logical interface was defined (hme0:2 in this example). Also notice that the index for the new logical interface is the same as the physical interface and that no Ethernet address is listed under the new logical interface.

Write the command that you use:
_____________________________________________________________


6. Use the removeif option of the ifconfig command to remove the first logical interface that you defined.

Write the command that you use:
_____________________________________________________________

7. View the configuration of the interfaces on the system. Notice that the first logical interface is removed.

Write the command that you use:
_____________________________________________________________

8. Use the appropriate command to specifically remove the second logical interface that you defined.

Write the command that you use:
_____________________________________________________________

9. View the configuration of the interfaces on the system.

Write the command that you use:
_____________________________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. Use the ifconfig command to view the system’s interface configuration before making any changes, so that you can easily restore your system to its original state if needed.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    #

2. Use the ifconfig command to configure the hme0:1 interface with the appropriate IP address and a netmask of 255.255.255.0. For example, if your IP address begins with 192.168, then change it so that it begins with 172.18. Use the appropriate command to cause the interface to function properly.

    # ifconfig hme0:1 plumb 172.18.1.2 netmask 255.255.255.0 broadcast 172.18.1.255 up
    #

3. View the configuration of the interfaces on the system. Notice that the index for the new logical interface is the same as the physical interface and that no Ethernet address is listed under the new logical interface.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 172.18.1.2 netmask ffffff00 broadcast 172.18.1.255
    #


4. Use the ifconfig command with the appropriate option to configure the next available logical interface with an IP address that is incremented by 1 in the second octet. For example, if you used 172.18.1.2 in the previous step, use 172.19.1.2 for this interface. Configure a netmask of 255.255.255.0 and a broadcast address of 172.19.1.255. Be sure to use the appropriate command to cause the interface to function properly.

    # ifconfig hme0 addif 172.19.1.2 netmask 255.255.255.0 broadcast 172.19.1.255 up
    Created new logical interface hme0:2
    #

5. View the configuration of the interfaces on the system. Notice that the next sequential logical interface was defined (hme0:2 in this example). Also notice that the index for the new logical interface is the same as the physical interface and that no Ethernet address is listed under the new logical interface.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 172.18.1.2 netmask ffffff00 broadcast 172.18.1.255
    hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 172.19.1.2 netmask ffffff00 broadcast 172.19.1.255
    #

6. Use the removeif option of the ifconfig command to remove the first logical interface that you defined.

    # ifconfig hme0 removeif 172.18.1.2
    #

7. View the configuration of the interfaces on the system. Notice that the first logical interface is removed.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 172.19.1.2 netmask ffffff00 broadcast 172.19.1.255
    #


8. Use the appropriate command to specifically remove the second logical interface that you defined.

    # ifconfig hme0:2 down unplumb
    #

9. View the configuration of the interfaces on the system.

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    #


Module 6

Configuring IP Network Multipathing

Objectives

This module describes how to configure IP Network Multipathing (IPMP). This module also describes the limitations of network interfaces, IPMP requirements, configuration of IPMP on the command line and at system boot, and troubleshooting.

Upon completion of this module, you should be able to:

● Describe IP multipathing

● Implement IP multipathing

The course map in Figure 6-1 shows how this module fits into the current instructional goal.

Figure 6-1 Course Map

Configuring the Network: Configuring IP, Configuring IP Network Multipathing, Configuring Routing, Configuring IPv6, Describing the Transport Layer


Increasing Network Availability

In today’s computing environments, the availability of network connectivity is important. The Solaris 10 OS includes the IPMP feature, which provides enhanced availability of network connections.

Limitations of Network Interfaces

Network interfaces are exposed to failure because they connect to network cables and hardware components in the form of switches or hubs. Failure of any of these interfaces results in network failure, even if the NIC that is in place does not fail.

IPMP enables multiple interfaces with different IP addresses on the same subnet to be grouped together. If any one of these interfaces fails, current network connections through that interface will be migrated to another interface in the group automatically to maintain network connectivity.

Figure 6-2 shows how a system can have multiple interfaces on the same LAN.

Figure 6-2 IPMP Configuration

Labels in the figure: Server, Client, qfe0, qfe1, qfe2, qfe3


Configuring IP Network Multipathing

IPMP is a product that is included with the Solaris 10 OS and provides enhanced network availability.

Introducing IPMP

IPMP enables the Solaris 10 OS to recover from network path failures. IPMP also provides increased throughput by spreading the outbound load across interfaces when multiple network adapters are connected to the same IP network, such as to the same Ethernet switch.

If a failure occurs in the network link and an alternate adapter is configured, the IP address fails over. The network access changes automatically from the failed adapter to the new adapter, providing uninterrupted access to the network.

IPMP has the following features:

● It eliminates a single network adapter as a single point of failure in these cases:

    ● Network adapter failure

    ● Network link failure

● It enables interfaces to fail over within approximately 10 seconds when using the default configuration.

● It can be configured by adjusting the parameters in the /etc/default/mpathd file.

● It can be configured for use with both IPv4 and IPv6.

● It enables interfaces to be configured as standby interfaces. These types of interfaces are only used for failover and are not used for outbound load spreading, unless they are explicitly chosen by an application.

Probe-based IPMP Configurations Compared With Link-based IPMP Configurations

There are two methods for configuring IPMP: probe-based and link-based. Probe-based IPMP utilizes test addresses to monitor the health of interfaces. Link-based IPMP does not utilize test addresses. Instead, the interface kernel driver performs this function.


Probe-based IPMP Configuration

Probe-based failure detection for IPMP uses test addresses to detect failures, and notify the networking subsystem.

Probe-based IPMP Requirements

The following items are required to configure probe-based IPMP on a system:

● The Solaris 8 10/00 OS, as a minimum, must be installed.

● Unique MAC addresses must be configured on each network interface.

The default configuration for most Sun network adapters has all network interfaces on a system using the same MAC (Ethernet) address. IPMP requires that all interfaces in an IPMP group be connected to the same IP link. Switched networks use MAC addresses when making decisions about where to send packets. Therefore, you must change the system’s default configuration for MAC addresses to avoid a MAC address conflict.

● Multiple network adapter interfaces must be connected on each subnet.

You can configure IPMP with a single network interface to take advantage of network failure detection. To use the full benefit of IPMP, make sure that two or more network interfaces are connected to the same subnet.

● An IPMP group name must be assigned to interfaces.

Interfaces that are to be deployed as part of an IPMP configuration must belong to an IPMP group. Each IPMP group has an IPMP group name. The in.mpathd daemon uses the IPMP group names. Use a meaningful name that does not include spaces when you choose a group name. The IPMP group name is local to the system and is not used across the network.


● A test address is assigned to an interface.

The in.mpathd daemon uses test addresses, which must be routable addresses, to monitor the status of each individual interface. The test addresses are used to detect failure and recovery of an interface. These addresses are deprecated at configuration time to make sure that they cannot be used as source addresses by other applications.

● Additional hosts or devices must exist on the same subnet.

The test interfaces are used to send ICMP echo requests to targets on the local link, either by addressing a default router on the local link or by using the all hosts multicast group (224.0.0.1), to test that the network link is functioning.

Interface Failure Detection and Repair

Network interfaces on which IPMP is configured are monitored by the in.mpathd daemon. The in.mpathd daemon can detect both the failure and the repair of an interface by:

● Sending ICMP echo requests and receiving ICMP echo replies through the interface

● Monitoring the internal IFF_RUNNING flag on the interface

An interface has failed if either of these two detection methods indicates a failure. An interface is considered repaired only if both methods report that the interface is operational and can send and receive packets through the interface.

To detect the failure or repair of interfaces that belong to the IPMP group, the in.mpathd daemon sends ICMP echo requests from the test addresses on the IPMP interfaces to targets connected to the local network. The in.mpathd daemon determines which targets to probe dynamically. If five consecutive probes do not receive replies, the interface is considered failed. Adjust the failure detection time by editing the FAILURE_DETECTION_TIME variable from the default value of 10,000 milliseconds (10 seconds) in the /etc/default/mpathd file.

When responses to the ICMP echo requests are not received and a specific time period has elapsed, the physical interface is considered failed. The IP address that is associated with the failed address is moved to a new logical interface associated with another physical interface in the same IPMP group. Communications that were taking place continue to function as though the original interface is still working properly.


ICMP echo requests are still attempted through the failed NIC to detect if a physical interface is repaired.

If all the NICs or targets appear to fail at the same time, this is a group failure, and no failover is performed. The in.mpathd daemon flushes all of the current targets and attempts to discover new targets. You cannot configure the targets because the in.mpathd daemon determines dynamically which targets to probe. Default routers connected to the link are chosen as targets for probing. If no routers exist on the link, arbitrary hosts on the link are chosen by sending a multicast packet to the all hosts multicast address. When you configure IPMP, be sure to have at least one additional system on the network that can act as a target.

You can configure IPMP by changing configuration files and rebooting, or you can work at the command line to avoid rebooting the system.

Configuring Probe-based IPMP by Using Configuration Files

This example shows IPMP configuration on an existing configured hme0 interface and on an existing but unconfigured qfe1 interface on the sys11 (192.168.1.1) system. The multipath group is called mpgrp-one.

Note – To maximize the resistance of your configuration to failure, the IPMP group should consist of interfaces that each reside on a different interface card. This approach minimizes the number of common components in a configuration.

The test addresses are:

● The 192.168.1.51 address for the hme0 interface

● The 192.168.1.71 address for the qfe1 interface

The data address for the hme0 interface remains as 192.168.1.1, and the data address for the qfe1 interface is 192.168.1.21.


To configure probe-based IPMP, complete the following steps, which are described in greater detail in the next sections.

1. Verify the Solaris OS release.

2. Configure unique MAC addresses.

3. Define IP addresses.

4. Configure the interfaces.

5. Reboot the system.

6. View the interface configuration.

You must know the state of the system if you need to restore it. Before making any changes to the system, view the system’s interface configuration by executing the command:

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
            ether 8:0:20:b9:72:23
    #

Verify the Solaris OS Release

The /etc/release file contains information about the installed version of the Solaris OS.

The following system meets the minimum requirements:

    # cat /etc/release
            Solaris 8 10/00 s28s_u2wos_11b SPARC
            Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
            Assembled 31 August 2000
    #

The following system exceeds the minimum requirements:

    # cat /etc/release
            Solaris 10 3/05 s10_74L2a SPARC
            Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
            Use is subject to license terms.
            Assembled 22 January 2005
    #


Configure Unique MAC Addresses

To determine if unique MAC addresses are permitted, use the eeprom command to view the contents of the system’s EEPROM:

    # eeprom "local-mac-address?"
    local-mac-address?=false
    #

The preceding output indicates that the system is still in its default mode and uses the same MAC address for every interface. This is indicated by the setting of the local-mac-address? variable to false. Use the eeprom command to change the local-mac-address? variable to true:

    # eeprom "local-mac-address?=true"
    #

Verify that the local-mac-address? variable is set to true:

    # eeprom "local-mac-address?"
    local-mac-address?=true
    #

Note – Depending on the combination of your system’s firmware and hardware architecture, you must either plumb an interface or reboot the system to enable unique MAC address assignment after changing the local-mac-address? variable.

Define the IP Addresses

Add the data and test IP addresses to the /etc/inet/hosts file for the sake of clarity. After editing the /etc/inet/hosts file, use the cat command to view the new information:

    # cat /etc/inet/hosts
    #
    # Internet host table
    127.0.0.1 localhost
    192.168.1.1 sys11 loghost # Data address for hme0
    # Modifications made for IPMP
    192.168.1.21 sys11-data-qfe1 # Data address for qfe1
    192.168.1.51 sys11-test-hme0 # Test address for hme0
    192.168.1.71 sys11-test-qfe1 # Test address for qfe1
    #


Configure the Interfaces

Multipath information is placed in the /etc/hostname.hme0 and /etc/hostname.qfe1 files. Modify the /etc/hostname.hme0 file to contain contents similar to the following:

    # cat /etc/hostname.hme0
    sys11 netmask + broadcast + group mpgrp-one up \
    addif sys11-test-hme0 deprecated netmask + broadcast + -failover up
    #

Table 6-1 describes the entries in the /etc/hostname.hme0 file:

Table 6-1 Interface Configuration Entries

| Entry | Purpose |
|---|---|
| sys11 | Assigns the address associated with the sys11 name. |
| netmask + | Looks up the netmask in the netmasks database. |
| broadcast + | Assigns the broadcast address. The + (plus) indicates that the broadcast address should be calculated automatically from the IP address and netmask. |
| group mpgrp-one | Assigns mpgrp-one as the name for the IPMP group of which this interface is a member. |
| up | Marks the interface as up. |
| addif sys11-test-hme0 | Creates the next unused logical interface, and assigns it the IP address associated with the sys11-test-hme0 name. |
| deprecated | Marks the address as a deprecated address. Addresses that are marked as deprecated are not used as source addresses for outgoing packets unless either there are no other addresses available on this interface or the application is bound to this address explicitly. The output from the ifconfig -a command shows DEPRECATED as one of the flags associated with this interface. |
| -failover | Marks the address as a non-failover address. Addresses that are marked in this way do not fail over when the network interface fails. The output from the ifconfig -a command shows NOFAILOVER as one of the flags associated with this interface. |


Create the /etc/hostname.qfe1 file with contents similar to the following:

    # cat /etc/hostname.qfe1
    sys11-data-qfe1 netmask + broadcast + group mpgrp-one up \
    addif sys11-test-qfe1 deprecated netmask + broadcast + -failover up
    #

Cable the Interfaces

You should ensure that all of the interfaces that are part of the IPMP configuration have cables connecting them to the same IP link.

Note – In versions of the Solaris OS before the Solaris 10 OS, at this point in the procedure, you had to disable the automatic configuration of the system as a router. For example, if your host does not act as a router currently, rebooting it with two interfaces configured causes it to be configured as a router after the reboot. For a system that runs IPMP and is connected to a single IP link, this is undesirable. To prevent this, type the command touch /etc/notrouter.

Reboot the System

Reboot the system to enable IPMP:

# init 6


View the Interface Configuration

To view the configuration of the interfaces when the system is booted, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
#

Observe the additional information that is reported by the preceding ifconfig command for the hme0:1 interface:

hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255

This information includes the following:

● The interface’s index number is 2, the same as the physical interface.

● The hme0:1 interface’s MAC address is not shown because logical interfaces use the same MAC address as the physical interface.

● The DEPRECATED and NOFAILOVER flags indicate that the interface is not to be used by any application (other than the in.mpathd daemon), and the interface must not be failed if a communication failure occurs.

● The RUNNING flag is also monitored by the in.mpathd daemon to ensure that communications are functioning as expected.

The system remains available to users if either of the interfaces fails or becomes unusable for any reason.


Configuring Probe-based IPMP on the Command Line

A system can be configured for IPMP without being rebooted if the system’s EEPROM is already configured to support unique MAC addresses. The following steps demonstrate use of the ifconfig command to configure IPMP on the command line. Although not shown in this section, you can also use the ifconfig command to change and delete IPMP group memberships.

This example shows configuring IPMP on an existing configured hme0 interface and on an existing, but unconfigured, qfe1 interface, where the IPMP group is called mpgrp-one.

This configuration is on the sys11 (192.168.1.1) system, where the test address is:

● The 192.168.1.51 address for the hme0 interface

● The 192.168.1.71 address for the qfe1 interface

The data address for the hme0 interface remains 192.168.1.1, and the data address for the qfe1 interface is 192.168.1.21.

To configure IPMP, complete the following steps, which are described in greater detail in the next sections.

1. Verify the Solaris OS release.

2. Configure unique MAC addresses.

3. Configure IP addresses.

4. Configure the hme0 interface as part of an IPMP group.

5. Configure a test address for the hme0 interface.

6. Configure the qfe1 interface as part of the same IPMP group.

7. Configure a test address for the qfe1 interface.

8. View the interface configuration.


You must know what state the system is in if you need to restore it. Before making any changes to the system, view the system’s interface configuration by typing the command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#

Verify the Solaris OS Release

The /etc/release file contains information about the installed version of the Solaris OS.

The following system meets the minimum requirements:

# cat /etc/release
        Solaris 8 10/00 s28s_u2wos_11b SPARC
        Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
        Assembled 31 August 2000
#

The following system exceeds the minimum requirements:

# cat /etc/release
        Solaris 10 3/05 s10_74L2a SPARC
        Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
        Use is subject to license terms.
        Assembled 22 January 2005
#

Configure Unique MAC Addresses

To determine if unique MAC addresses are permitted, use the eeprom command to view the contents of the EEPROM:

# eeprom "local-mac-address?"
local-mac-address?=false
#


The preceding output indicates that the system is still in its default mode and uses the same MAC address for each interface. This is indicated by the setting of the local-mac-address? variable to false. Use the eeprom command to change the EEPROM’s local-mac-address? variable to true. Type the command:

# eeprom "local-mac-address?=true"
#

Note – Depending on the combination of your system’s firmware and hardware architecture, you will have to either plumb the interface or reboot the system to enable unique MAC address assignment after changing the local-mac-address? variable.

Verify that the local-mac-address? variable is set to true:

# eeprom "local-mac-address?"
local-mac-address?=true
#

Configure the IP Addresses

You can add the data and test IP addresses to the /etc/inet/hosts file for the sake of clarity. After editing the /etc/inet/hosts file, use the cat command to view the new information:

# cat /etc/inet/hosts
#
# Internet host table
#
127.0.0.1       localhost
192.168.1.1     sys11 loghost       # Data address for hme0
# Modifications made for IPMP
192.168.1.21    sys11-data-qfe1     # Data address for qfe1
192.168.1.51    sys11-test-hme0     # Test address for hme0
192.168.1.71    sys11-test-qfe1     # Test address for qfe1
#


Configure the hme0 Interface as Part of a Multipath Group

To configure the hme0 interface as part of an IPMP group, specify the name of the group, mpgrp-one, of which the hme0 interface will be a member:

# ifconfig hme0 group mpgrp-one

To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
#

Configure a Test Address for the hme0 Interface

Next, you configure a test address for the hme0 interface. You can assign an alias name to this address by using the /etc/inet/hosts file. Do not use this address for any purpose other than using it for the in.mpathd daemon. When you define the address, mark it so that the in.mpathd daemon recognizes it as a test address that must not fail over (-failover) and must not be used by the system for any application data transmission (deprecated). Type the command:

# ifconfig hme0 addif 192.168.1.51 deprecated netmask + \
broadcast + -failover up
Created new logical interface hme0:1
Setting netmask of hme0:1 to 255.255.255.0
#

To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
#


Configure the qfe1 Interface as Part of the IPMP Group

Now, you configure the qfe1 interface and make it part of the same IPMP group as the hme0 interface. Type the commands:

# ifconfig qfe1 plumb sys11-data-qfe1 netmask + broadcast +
Setting netmask of qfe1 to 255.255.255.0
# ifconfig qfe1 group mpgrp-one up

To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
#

Observe the additional information that is reported by the preceding output of the ifconfig command, for the qfe1 interface:

qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21

This information includes the following:

● The interface index number is incremented to 3 because a unique index number is assigned to each non-logical interface as it is configured. Since lo0 is 1 and hme0 is 2, qfe1 is assigned 3.

● The qfe1 interface’s MAC address is different from the hme0 interface’s MAC address, which is caused by changing the local-mac-address? variable in the system’s EEPROM.


Configure a Test Address for the qfe1 Interface

Now, you configure a test address for the qfe1 interface. You can alias this address to a name by using the /etc/inet/hosts file. Do not use this address for any purpose other than using it for the in.mpathd daemon. When you define the address, mark it so that the in.mpathd daemon recognizes it as a test address that must not fail over (-failover) and must not be used by the system for any application data transmission (deprecated).

Type the command:

# ifconfig qfe1 addif 192.168.1.71 deprecated netmask + \
broadcast + -failover up
Created new logical interface qfe1:1
Setting netmask of qfe1:1 to 255.255.255.0
#

To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
#

The interface’s index number is 3, which is the same as the physical interface that supports this logical interface. Notice that the qfe1:1 interface MAC address is not shown because logical interfaces use the same MAC address as the physical interface that supports the logical interface.


Start the in.mpathd Daemon to Monitor the Interfaces

The starting of the in.mpathd daemon is controlled by the TRACK_INTERFACES_ONLY_WITH_GROUPS parameter in the /etc/default/mpathd file. The contents of this file are:

# cat /etc/default/mpathd
#
#pragma ident "@(#)mpathd.dfl 1.2 00/07/17 SMI"
#
# Time taken by mpathd to detect a NIC failure in ms. The minimum time
# that can be specified is 100 ms.
#
FAILURE_DETECTION_TIME=10000
#
# Failback is enabled by default. To disable failback turn off this option
#
FAILBACK=yes
#
# By default only interfaces configured as part of multipathing groups
# are tracked. Turn off this option to track all network interfaces
# on the system
#
TRACK_INTERFACES_ONLY_WITH_GROUPS=yes
#

If the TRACK_INTERFACES_ONLY_WITH_GROUPS variable is set to yes, the ifconfig command’s group option starts the in.mpathd daemon automatically. That is, as soon as you use the ifconfig command with the group option in the command, the in.mpathd daemon starts.

If the TRACK_INTERFACES_ONLY_WITH_GROUPS variable is set to no, the in.mpathd daemon will track all interfaces, including those that are not part of an IPMP group.

The in.mpathd daemon is started by the svc:network/net-init SMF service:

# grep in[.]mpathd /lib/svc/method/net-init
/usr/bin/pgrep -x -u 0 in.mpathd >/dev/null 2>&1 || /usr/lib/inet/in.mpathd -a

Note – Before the Solaris 10 OS, the in.mpathd daemon was started during the execution of the /etc/rc2.d/S69inet start script.


If necessary, the in.mpathd daemon can be started from the command line by running the command as the root user:

# /sbin/in.mpathd
#

View the Interface Configuration

Now that IPMP is completely configured, to view the configuration of the interfaces, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
#

The system remains available to users if either of the network interfaces fails or becomes unusable for any reason.


Link-based IPMP Configuration

Link-based failure detection for IPMP uses the network interface kernel driver to detect failures and notify the networking subsystem.

Link-based IPMP Requirements

The following items are required to configure link-based IPMP on a system:

● Solaris 9 12/02 OS, at a minimum, must be installed.

● Network interfaces must use any of the following drivers:

● hme

● eri

● ce

● ge

● bge

● qfe

● dmfe

● Unique MAC addresses must be configured on each of the interfaces.

● An IPMP group name must be assigned to interfaces.


Configuring Link-based IPMP by Using Configuration Files

This example shows IPMP configuration on an existing, configured hme0 interface and on an existing, but unconfigured, hme1 interface on the sys11 (192.168.1.1) system. The multipath group is called ipmp-group0.

The data address for the hme0 interface remains 192.168.1.1, and the data address for the hme1 interface is 192.168.1.21.

To configure link-based IPMP, complete the following steps, which are described in greater detail in the next sections.

1. Verify the Solaris OS release.

2. Configure unique MAC addresses.

3. Define IP addresses.

4. Configure the interfaces.

5. Reboot the system.

6. View the interface configuration.

You must know the state of the system if you need to restore it. Before making any changes to the system, view the system’s interface configuration by executing the command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#


Verify the Solaris OS Release

The /etc/release file contains information about the installed version of the Solaris OS.

The following system meets the minimum requirements:

# cat /etc/release
        Solaris 8 10/00 s28s_u2wos_11b SPARC
        Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
        Assembled 31 August 2000
#

The following system exceeds the minimum requirements:

# cat /etc/release
        Solaris 10 3/05 s10_74L2a SPARC
        Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
        Use is subject to license terms.
        Assembled 22 January 2005
#

Configure Unique MAC Addresses

To determine if unique MAC addresses are permitted, use the eeprom command to view the contents of the system’s EEPROM:

# eeprom "local-mac-address?"
local-mac-address?=false
#

The preceding output indicates that the system is still in its default mode and uses the same MAC address for every interface. This is indicated by the setting of the local-mac-address? variable to false. Use the eeprom command to change the local-mac-address? variable to true:

# eeprom "local-mac-address?=true"
#

Verify that the local-mac-address? variable is set to true:

# eeprom "local-mac-address?"
local-mac-address?=true


Define the IP Addresses

Add the IP addresses to the /etc/inet/hosts file for the sake of clarity. After editing the /etc/inet/hosts file, use the cat command to view the new information:

# cat /etc/inet/hosts
#
# Internet host table
127.0.0.1       localhost
192.168.1.1     sys11 loghost       # Data address for hme0
# Modifications made for IPMP
192.168.1.21    sys11-hme1          # Data address for hme1
#

Configure the Interfaces

Network interfaces are configured in the /etc/hostname.hme0 and /etc/hostname.hme1 files. Modify the /etc/hostname.hme0 file to contain contents similar to the following:

# cat /etc/hostname.hme0
sys11 netmask + broadcast + group ipmp_group0 up
#

Create the /etc/hostname.hme1 file to contain contents similar to the following:

# cat /etc/hostname.hme1
sys11-hme1 netmask + broadcast + group ipmp_group0 up
#

Cable the Interfaces

You should ensure that all of the interfaces that are part of the IPMP configuration have cables connecting them to the same IP link.

Reboot the System

Reboot the system to enable IPMP:

# init 6


View the Link-based IPMP Configuration

To view the configuration of the interfaces when the system is booted, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname ipmp_group0
        ether 8:0:20:b9:72:23
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname ipmp_group0
        ether 8:0:20:ac:9b:21
#

To verify that the IPMP daemon is running, use the following command:

# pgrep -fl mpathd
119 /usr/lib/inet/in.mpathd -a

Messages to the console (and to /var/adm/messages) from in.mpathd indicate that the system is configured for link-based IPMP, rather than for probe-based IPMP.

Dec 16 12:40:33 sys11 in.mpathd[119]: [ID 975029 daemon.error] No test address configured on interface hme1; disabling probe-based failure detection on it
Dec 16 12:40:33 sys11 in.mpathd[119]: [ID 975029 daemon.error] No test address configured on interface hme0; disabling probe-based failure detection on it


Verify Link-based IPMP Operation

To verify the system’s IPMP configuration, the if_mpadm command can be used. You can use this command to take a network interface offline (detach it), which forces a failover. Messages are sent to the console and to /var/adm/messages that indicate any failovers or failbacks which occur.

Take the hme0 interface offline to force a failover:

# if_mpadm -d hme0

The message on the console indicates that the failover was successful:

Dec 16 13:24:31 sys11 in.mpathd[119]: Successfully failed over from NIC hme0 to NIC hme1

To view the current status of the network interfaces, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 2
        inet 0.0.0.0 netmask 0
        groupname ipmp_group0
        ether 8:0:20:b9:72:23
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname ipmp_group0
        ether 8:0:20:ac:9b:21
hme1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255

Notice that the IP address of the hme0 interface is 0.0.0.0, and a new logical interface hme1:1 is created on the remaining physical interface hme1. The new logical interface has the IP address (192.168.1.1) that was assigned to the physical hme0 interface before it failed.

Reattach the hme0 interface to force a failback:

# if_mpadm -r hme0

The message on the console indicates that the failback was successful:

Dec 16 13:41:47 sys11 in.mpathd[119]: Successfully failed back to NIC hme0


To view the current status of the network interfaces, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname ipmp_group0
        ether 8:0:20:b9:72:23
hme1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname ipmp_group0
        ether 8:0:20:ac:9b:21
#

The hme0 interface is reassigned its original IP address, and the hme1:1 logical interface is removed automatically.
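The in.mpathd console messages shown in this section can also be summarised per interface from /var/adm/messages. The following shell function is an added example, not part of the original guide; the function names, the output labels and the embedded sample lines are constructed for illustration, using only the message formats shown above.

```shell
#!/bin/sh
# Added example: summarise in.mpathd syslog messages read on stdin.

# Constructed sample lines in the message formats shown in this module.
sample_messages() {
cat <<'EOF'
Dec 16 12:40:33 sys11 in.mpathd[119]: [ID 975029 daemon.error] No test address configured on interface hme1; disabling probe-based failure detection on it
Dec 16 12:40:33 sys11 in.mpathd[119]: [ID 975029 daemon.error] No test address configured on interface hme0; disabling probe-based failure detection on it
Dec 16 12:41:02 sys11 inetd[200]: unrelated line that must be ignored
Dec 16 13:24:31 sys11 in.mpathd[119]: Successfully failed over from NIC hme0 to NIC hme1
EOF
}

# Print one line per interface named in an in.mpathd message:
#   <interface> failover=<state> probe=<state>
# failover: "failed-over-to:<nic>", "failed-back", or "-" if nothing was logged
# probe:    "disabled", "enabled", or "-" if nothing was logged
# Later messages override earlier ones, so the result is the last known state.
mpathd_summary() {
    awk '
    # Remember each interface once, in order of first appearance.
    function note(nic) { if (!(nic in seen)) { seen[nic] = 1; order[++n] = nic } }

    /in\.mpathd\[[0-9]+\]:/ {
        msg = $0
        sub(/^.*in\.mpathd\[[0-9]+\]: */, "", msg)   # drop the syslog prefix
        sub(/^\[ID [0-9]+ [a-z.]+\] */, "", msg)     # drop an optional [ID ...] field
        split(msg, w, " ")
        if (msg ~ /^Successfully failed over from NIC /) {
            # Successfully failed over from NIC <w6> to NIC <w9>
            note(w[6]); note(w[9])
            state[w[6]] = "failed-over-to:" w[9]
        } else if (msg ~ /^Successfully failed back to NIC /) {
            # Successfully failed back to NIC <w6>
            note(w[6])
            state[w[6]] = "failed-back"
        } else if (msg ~ /^No test address configured on interface /) {
            nic = w[7]; sub(/;$/, "", nic); note(nic)
            probe[nic] = "disabled"
        } else if (msg ~ /^Test address now configured on interface /) {
            nic = w[7]; sub(/;$/, "", nic); note(nic)
            probe[nic] = "enabled"
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            nic = order[k]
            s = (nic in state) ? state[nic] : "-"
            p = (nic in probe) ? probe[nic] : "-"
            print nic, "failover=" s, "probe=" p
        }
    }'
}

sample_messages | mpathd_summary
```

On a live system the same function can be fed with the real log, for example mpathd_summary < /var/adm/messages.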

Configuring a Singleton IPMP Group

It is possible to configure an IPMP group that contains only one interface. This enables you to monitor the status of the interface by using IPMP and to receive notifications about the interface’s status, although it is not possible to fail the interface over onto another network interface.

With only a single interface in the group, the data address can never move on to a different interface, and so is always associated with the interface being monitored. In this configuration, it is not necessary to configure a separate test address because the system can use the data address for testing purposes.


Configure a Single IPMP Group on the Command Line

To create a singleton IPMP group, assign a multipath group name to the interface:

# ifconfig hme0 group singleton
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname singleton
        ether 8:0:20:b9:72:23
#

Note – Do not use the deprecated option because this prevents applications from using the interface’s only IP address as a source address.

If the single interface will be included in an IPMP group with multiple interfaces, also set the NOFAILOVER flag on the interface by using the -failover option.

Configure a Single IPMP Group at System Boot

To create a singleton IPMP group at system boot, ensure that the interface configuration file contains the group option and the IPMP group name:

# cat /etc/hostname.hme0
sys11 group singleton up
#

Note – Use IPMP only on a single interface if multiple default routers exist on the local network. This enables multiple targets to be probed when checking the availability of the network.


Viewing IPMP Operation

To verify the system’s failover configuration, or to change the operational status of IPMP interfaces, use the if_mpadm command. You can use this command to take an interface offline (detach) by forcing a fail over and verifying that an alternate interface takes over as expected. If configuration errors occur, they appear at this stage. Also, use the if_mpadm command to reattach a detached interface.

For example, to detach the hme0 interface, type the command:

# if_mpadm -d hme0
Aug 4 14:00:38 sys11 in.mpathd[535]: Successfully failed over from NIC hme0 to NIC qfe1
#

The message indicates that the failover was successful.

Note – This message appears in the console window and is not seen if you are using an xterm or dtterm window.

To view the status of the interfaces, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=89000842<BROADCAST,RUNNING,MULTICAST,IPv4,NOFAILOVER,OFFLINE> mtu 0 index 2
        inet 0.0.0.0 netmask 0
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=89040842<BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,OFFLINE> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
qfe1:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
#


The detached interface is assigned an IP address of 0.0.0.0, and a new logical interface, qfe1:2, is created automatically on the functional qfe1 physical interface. The new logical interface has the IP address that was assigned to the physical hme0 interface while it was working.

To reattach an offline interface, type the command:

# if_mpadm -r hme0
Aug 4 14:02:09 sys11 in.mpathd[535]: Successfully failed back to NIC hme0
#

Note – This message appears in the console window and is not seen if you are using an xterm or dtterm window.

The message indicates that the fail back was successful. To view the status of the interfaces, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
#

The hme0 interface is reassigned its original IP address, and the qfe1:2 logical interface is removed automatically.


Troubleshooting an IPMP Configuration

Incorrectly configured network interfaces might not properly fail over when connectivity to an interface fails for any reason. It is important to thoroughly test your network interface after you configure IPMP.

Carefully read messages in the /var/adm/messages file or in the console window to take the proper troubleshooting steps when you configure and test the IPMP. For example:

# Aug 4 13:54:51 sys11 in.mpathd[535]: No test address configured on interface hme0; disabling probe-based failure detection on it

The message indicates that the in.mpathd daemon with a process identifier (ID) of 535 senses that IPMP is not properly configured. To investigate further, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
#

The output indicates that the configuration process is not complete. Recall that IPMP requires a test address on a logical interface for each physical interface. To configure a test interface, use the ifconfig command:

# ifconfig hme0 addif 192.168.1.51 deprecated netmask + \
> broadcast + -failover up
Created new logical interface hme0:1
Setting netmask of hme0:1 to 255.255.255.0
#

After defining a test interface with the ifconfig command, the following message appears:

# Aug 4 13:55:37 sys11 in.mpathd[355]: Test address now configured on interface hme0; enabling probe-based failure detection on it


The in.mpathd daemon reports that it can now perform failure detection. Be aware that more than one interface is required to provide effective failover. To view the interface configuration, use the ifconfig command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
#

Both the physical and logical interfaces are configured properly.
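
The manual check in this walk-through (does every interface in an IPMP group carry a test address, and does the group have a second interface to fail over to) can be scripted. The following Python sketch is an added example, not part of the original course material; the function names are hypothetical and the sample ifconfig text is constructed from the interface names and addresses used above.

```python
import re
from collections import defaultdict

# Constructed sample: `ifconfig -a` text in the Solaris 10 layout, reusing the
# interface names and addresses from the walk-through above.
FULL = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:b9:72:23
hme0:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp-one
        ether 8:0:20:ac:9b:21
qfe1:1: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
        inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255
"""
_LINES = FULL.splitlines(keepends=True)
NO_TEST_ADDR = "".join(_LINES[:6])   # hme0 is grouped but has no test address
ONE_NIC_ONLY = "".join(_LINES[:8])   # hme0 plus its hme0:1 test address

# "name: flags=<hex><FLAG,FLAG,...>" starts every interface entry.
HEADER = re.compile(r"^(\S+?): flags=[0-9a-fA-F]+<([^>]*)>")


def parse_ifconfig(text):
    """Return one dict per interface entry: name, nic, flags, inet, group."""
    entries = []
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            name = match.group(1)
            entries.append({
                "name": name,
                "nic": name.split(":")[0],   # hme0:1 belongs to NIC hme0
                "flags": {f.strip() for f in match.group(2).split(",")},
                "inet": None,
                "group": None,
            })
        elif entries and line[:1].isspace():
            # Indented continuation line: pick up the address and group name.
            words = line.split()
            for keyword, field in (("inet", "inet"), ("groupname", "group")):
                if keyword in words[:-1]:
                    entries[-1][field] = words[words.index(keyword) + 1]
    return entries


def check_ipmp(text):
    """Return a list of findings; an empty list means the layout looks sound."""
    members = defaultdict(list)      # group name -> physical NICs in the group
    test_addrs = defaultdict(list)   # NIC -> [(entry name, address, deprecated?)]
    for entry in parse_ifconfig(text):
        if entry["group"] and entry["nic"] not in members[entry["group"]]:
            members[entry["group"]].append(entry["nic"])
        if "NOFAILOVER" in entry["flags"] and entry["inet"]:
            test_addrs[entry["nic"]].append(
                (entry["name"], entry["inet"], "DEPRECATED" in entry["flags"]))

    findings = []
    for group, nics in sorted(members.items()):
        if len(nics) < 2:
            findings.append(
                f"{group}: only {nics[0]} in group, nothing to fail over to")
        for nic in nics:
            if not test_addrs[nic]:
                findings.append(
                    f"{group}/{nic}: no test address, "
                    "probe-based failure detection is off")
            for name, addr, deprecated in test_addrs[nic]:
                if not deprecated:
                    findings.append(
                        f"{group}/{nic}: test address {addr} on {name} "
                        "is not deprecated")
    return findings


if __name__ == "__main__":
    for label, text in (("no test address", NO_TEST_ADDR),
                        ("one NIC only", ONE_NIC_ONLY),
                        ("two NICs", FULL)):
        print(label, "->", check_ipmp(text) or "OK")
```

On a live system the same function can be fed the captured output of ifconfig -a instead of the embedded samples.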


Exercise: Configuring IPMP

In this exercise, you configure IPMP on your system.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

At least two interfaces of the same type (for example, Ethernet) are required for this exercise. Verify that your system meets the minimum requirements and has enough network cabling before you continue. Work with another student if your system does not have enough interfaces.

Caution – Remove any interfaces that you configured that are not part of previous exercises before starting this exercise.

You need the following information when you configure IPMP in this exercise:

● The IPMP group name – This name is required for each physical interface that will be part of the IPMP group.

● A data IP address for each physical interface – Users and applications use this address when accessing the system.

● A logical interface for each physical interface – The in.mpathd daemon uses this interface to monitor the status of the physical interface.

● A second physical interface – This interface must be connected with a network cable.

● An IP address for each logical interface – This is the test address.


Write the names and addresses that you will use:

● The IPMP group name is unique to your system.

Write the IPMP group name:

_____________________________________________________________

● The new physical interface uses an IP address of your system’s IP address plus 20; for example, the new interface has an address of 192.168.1.21.

Write the new physical interface’s IP address:

_____________________________________________________________

● The test IP address for each logical interface is the physical interface’s IP address plus 50. For example, the physical interface address of 192.168.1.1 uses a test address of 192.168.1.51, and the physical interface IP address of 192.168.1.21 uses a test address of 192.168.1.71.

Write the first logical interface’s IP address:

_____________________________________________________________

Write the second logical interface’s IP address:

_____________________________________________________________

The following is an example of a complete list of the information that you need when you configure multipathing in the exercise.

● Assume that the IPMP group name is mpgrp-one.

● Assuming that the existing IP address is 192.168.1.1, the new physical interface’s IP address is 192.168.1.21.

● The first logical interface’s IP address is 192.168.1.51.

● The second logical interface’s IP address is 192.168.1.71.


Tasks

Complete the following steps:

1. Open a console window to see any messages that might be sent to the console but perform the other steps in a different (non-console) window.

2. Verify that your system has a supported version of the Solaris OS.

Write the command that you use:

_____________________________________________________________

3. Can the system that displayed the preceding output be configured to support IPMP? Why or why not?

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

4. View and document your system’s current interface information with the ifconfig command, so that you can compare the output after you configure IPMP.

Write the command that you use:

_____________________________________________________________

5. Document the existing interface information. Ignore the loopback interface that has an index of 1.

Write the interface type for index 2:

_____________________________________________________________

6. Configure your system to use unique MAC addresses.

Write the command that you use:

_____________________________________________________________

7. Reboot your system to enable unique MAC address assignment.

8. Edit your /etc/inet/hosts file, and add entries for the interfaces. Use comments to help limit confusion.

Write the command that you use:

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________


9. Determine if the IPMP daemon is running on your system.

● Write the command that you use:

________________________________________________________

● Is the daemon running? Why or why not?

________________________________________________________

________________________________________________________

________________________________________________________

10. Configure IPMP on your system without rebooting, as follows:

a. Assign the system’s existing interface to an IPMP group.

Write the command that you use:

________________________________________________________

b. Determine if the IPMP daemon is running on your system.

Write the command that you use:

________________________________________________________

c. Is the daemon running? Why or why not?

________________________________________________________

________________________________________________________

________________________________________________________

11. Configure a test interface for the physical interface that you just assigned to an IPMP group. Be sure to set the appropriate netmask and broadcast addresses. Deprecate the interface, and configure failover appropriately. Then, configure the interface so that it is up.

Write the command that you use:

_____________________________________________________________

_____________________________________________________________


12. Verify that the new physical interface is connected to the network before proceeding with the following steps:

a. Configure and plumb the second physical interface. Specify the appropriate IP address and addresses for broadcast and netmask. Do not assign it membership in the IPMP group yet or bring the interface up.

________________________________________________________

b. Assign the newly plumbed interface to the appropriate IPMP group and bring the interface up.

________________________________________________________

13. Configure a test interface for the physical interface that you just configured. Be sure to configure the netmask and broadcast addresses. Deprecate the interface, and configure failover appropriately. Then, configure the interface so that it is up.

Write the command that you use:

_____________________________________________________________

14. Work with another teammate for this step. Have your teammate:

a. Connect to one of your system’s physical IP addresses over the network by using the telnet command.

b. Open an edit session by using an editor of your teammate’s choice in the telnet session.

c. Start typing. While your teammate is typing, either unplug the network cable to the interface or use the if_mpadm command to detach one of your system’s IPMP interfaces.

Write the command you need if you used the if_mpadm command:

________________________________________________________

Notice that your teammate’s work is frozen for a moment and then continues, even though the interface to which your teammate is connected is disabled.

d. Repair the interface by reconnecting the network cable or by using the if_mpadm command.

Write the command that you need if you used the if_mpadm command:

________________________________________________________


15. Configure your system so that the interfaces are configured automatically for IPMP at boot time. Be sure to make copies of your system’s original configuration files because you will need to restore your system’s configuration later in this exercise.

Document your configuration steps here:

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

16. Reboot your system to test the IPMP configuration.

Write the command that you use:

_____________________________________________________________

Pay careful attention to the system’s console while it is booting. Look for any error messages relating to interfaces and address assignments.

17. Work with another teammate for this step. Have your teammate:

a. Connect to one of your system’s physical IP addresses over the network by using the telnet command.

b. Open an edit session by using an editor of your teammate’s choice in the telnet session.

c. Start typing. While your teammate is typing, either unplug the network cable to the interface or use the if_mpadm command to detach one of your system’s IPMP interfaces.

Write the command you need if you used the if_mpadm command:

________________________________________________________

Notice that your teammate’s work is frozen for a moment and then continues, even though the interface to which your teammate is connected is disabled.

d. Repair the interface by reconnecting the network cable or by using the if_mpadm command.

Write the command that you need if you used the if_mpadm command:

________________________________________________________


18. To prepare your system for future exercises, complete the following steps and remove the IPMP configuration:

a. Restore the first hostname.interface file that you saved earlier and delete the second interface file.

b. Reboot your system.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. Open a console window to see any messages that might be sent to the console but perform the other steps in a different (non-console) window.

# dtterm -C &

2. Verify that your system has a supported version of the Solaris OS.

# cat /etc/release
Solaris 10 3/05 s10_74L2a SPARC
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 22 January 2005
#

3. Can the system that displayed the preceding output be configured to support IPMP? Why or why not?

Yes. This system can be configured with IPMP because it has a version of the operating environment that is at a minimum the Solaris 8 10/00 OS.

4. View and document your system’s current interface information with the ifconfig command, so that you can compare the output after you configure IPMP.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
#

5. Document the existing interface information. Ignore the loopback interface that has an index of 1.

Write the interface type for index 2:

hme0

6. Configure your system to use unique MAC addresses.

Use the eeprom command.

# eeprom local-mac-address?=true
#


7. Reboot your system to enable unique MAC address assignment.

# init 6

8. Edit your /etc/inet/hosts file, and add entries for the interfaces. Use comments to help limit confusion.

The following is an example of the /etc/inet/hosts file:

# cat /etc/inet/hosts
#
# Internet host table
#
127.0.0.1 localhost
192.168.1.1 sys11 loghost # Existing phys hme0 interface
# entries added for IPMP example
192.168.1.51 sys11-hme0-ipmp-test # IPMP logical test addr for hme0
192.168.1.21 sys11-local-qfe1 # IPMP phys interface for qfe1
192.168.1.71 sys11-qfe1-ipmp-test # IPMP logical test addr for qfe1
#

9. Determine if the IPMP daemon is running on your system.

● Write the command that you use:

# pgrep -lf in.mpathd
#

● Is the daemon running? Why or why not?

No, the in.mpathd daemon should not be running because no interfaces were defined as part of an IPMP group.

10. Configure multipathing on your system without rebooting, as follows:

a. Assign the system’s existing interface to an IPMP group.

Write the command that you use:

# ifconfig hme0 group mpgrp-one
#

b. Determine if the IPMP daemon is running on your system.

# pgrep -lf in.mpathd
603 /usr/lib/inet/in.mpathd
#

c. Is the daemon running? Why or why not?

Yes, the in.mpathd daemon should be running because you just assigned an IPMP group name to an interface. Recall that the group option of the ifconfig command starts the in.mpathd daemon automatically.


11. Configure a test interface for the physical interface that you just assigned to an IPMP group. Be sure to set the appropriate netmask and broadcast addresses. Deprecate the interface, and configure failover appropriately. Then, configure the interface so that it is up.

# ifconfig hme0 addif 192.168.1.51 deprecated netmask + \
broadcast + -failover up
Created new logical interface hme0:1
#

12. Verify that the new physical interface is connected to the network before proceeding with the following steps:

a. Configure and plumb the second physical interface. Specify the appropriate IP address and addresses for broadcast and netmask. Do not assign it membership in the IPMP group yet or bring the interface up.

# ifconfig qfe1 plumb 192.168.1.21 netmask 0xffffff00 broadcast +

b. Assign the newly plumbed interface to the appropriate IPMP group and bring the interface up.

# ifconfig qfe1 group mpgrp-one up

Console message:

in.mpathd[603]: No test address configured on interface qfe1; disabling probe-based failure detection on it

13. Configure a test interface for the physical interface that you just configured. Be sure to configure the netmask and broadcast addresses. Deprecate the interface, and configure failover appropriately. Then, configure the interface so that it is up.

Write the command that you use:

# ifconfig qfe1 addif 192.168.1.71 deprecated netmask 0xffffff00 \
broadcast + -failover up
Created new logical interface qfe1:1
#

Console message:

in.mpathd[603]: Test address now configured on interface qfe1; enabling probe-based failure detection on it


14. Work with another teammate for this step. Have your teammate:

a. Connect to one of your system’s physical IP addresses over the network by using the telnet command.

b. Open an edit session by using an editor of your teammate’s choice in the telnet session.

c. Start typing. While your teammate is typing, either unplug the network cable to the interface or use the if_mpadm command to detach one of your system’s IPMP interfaces.

# if_mpadm -d qfe1
#

Console message:

in.mpathd[603]: Successfully failed over from NIC qfe1 to NIC hme0

Notice that your teammate’s work is frozen for a moment and then continues, even though the interface to which your teammate is connected is disabled.

d. Repair the interface by reconnecting the network cable or by using the if_mpadm command.

# if_mpadm -r qfe1
#

Console message:

in.mpathd[603]: Successfully failed back to NIC qfe1

15. Configure your system so that the interfaces are automatically configured for IPMP at boot time. Be sure to make copies of your system’s original configuration files because you will need to restore your system’s configuration later in this exercise.

a. Copy your system’s interface files for future use:

# cp /etc/hostname.hme0 /etc/_hostname.hme0

b. Edit the /etc/hostname.hme0 file so that it has contents similar to the following:

sys11 netmask 0xffffff00 broadcast + group mpgrp-one up
addif 192.168.1.51 deprecated netmask 0xffffff00 broadcast + -failover up

c. Create a /etc/hostname.qfe1 file so that it has contents similar to the following:

sys11-local-qfe1 netmask 0xffffff00 broadcast + group mpgrp-one up
addif 192.168.1.71 deprecated netmask 0xffffff00 broadcast + -failover up


16. Reboot your system to test the IPMP configuration.

Write the command that you use:

# init 6
#

Pay careful attention to the system’s console while it is booting. Look for any error messages relating to interfaces and address assignments.

17. Work with another teammate for this step. Have your teammate:

a. Connect to one of your system’s physical IP addresses over the network by using the telnet command.

b. Open an edit session by using an editor of your teammate’s choice in the telnet session.

c. Start typing. While your teammate is typing, either unplug the network cable to the interface or use the if_mpadm command to detach one of your system’s IPMP interfaces.

# if_mpadm -d qfe1
#

Console message:

in.mpathd[159]: Successfully failed over from NIC qfe1 to NIC hme0

Notice that your teammate’s work is frozen for a moment and then continues, even though the interface to which your teammate is connected is disabled.

d. Repair the interface by reconnecting the network cable or by using the if_mpadm command.

# if_mpadm -r qfe1
#

Console message:

in.mpathd[159]: Successfully failed back to NIC qfe1


18. To prepare your system for future exercises, complete the following steps and remove the IPMP configuration:

a. Restore the first hostname.interface file that you saved earlier and delete the second interface file.

# cp /etc/_hostname.hme0 /etc/hostname.hme0
# rm /etc/hostname.qfe1

b. Reboot your system.

# init 6


Module 7

Configuring Routing

Objectives

This module describes how to configure routing, routing schemes, routing types, and troubleshooting.

Upon completion of this module, you should be able to:

● Identify the fundamentals of routing

● Describe routing table population

● Describe routing protocol types

● Describe the routing table

● Configure static routing

● Configure dynamic routing

● Describe classless inter-domain routing (CIDR)

● Configure routing at system boot

● Troubleshoot routing


The course map in Figure 7-1 shows how this module fits into the current instructional goal.

Figure 7-1 Course Map (Configuring the Network: Configuring IP, Configuring IP Network Multipathing, Configuring Routing, Configuring IPv6, Describing the Transport Layer)


Identifying the Fundamentals of Routing

Routers are devices that forward IP datagrams between networks. The process of forwarding IP datagrams to their destinations is called forwarding. The process of sharing information about networks and routes to networks is called routing. Routers and routing eliminate the concept of one single, large, and very busy worldwide network.

Purpose of Routing

Routing is one of the important functions of the Internet layer in the TCP/IP network model. This function is primarily supported by IP. An IP router connects two or more networks and forwards IP datagrams between them. An IP router can forward IP datagrams based on the information in the IP header and information obtained from its routing table. Figure 7-2 shows the layer in the TCP/IP network model in which routing takes place.

Figure 7-2 TCP/IP Network Model (TCP/IP layers: Application Layer, Transport Layer, Internet Layer, Network Interface Layer; Hardware Layer)


Types of Routes

Routes can be divided into two types: direct routes and indirect routes.

A direct route is a route in which the destination system is on the same local network as the source system. The source system can send the IP datagram to the destination system without any involvement from another system. This activity could be thought of as direct delivery of a datagram because no routers are required to complete the transaction.

An indirect route is a route in which the destination system is not on the same local network as the source system. The IP datagram is sent through one or more routers or gateways on its way to the destination. Because the delivery of the datagram is not direct and other systems are involved in the delivery, this is called an indirect route.

Note – A router connects two networks running the same protocol stack. A gateway connects two networks running different protocol stacks.


Figure 7-3 shows an example of direct and indirect routes. The sys11 system has a direct route to the sys13 system and an indirect route to the sys24 system through the sys21 router.

Figure 7-3 Direct and Indirect Routes (systems sys11, sys12, sys13, instructor, sys21, and sys24; networks 192.168.1.0, 192.168.30.0, and 192.168.4.0)


Introducing the Routing Table

The Solaris OS kernel uses a random access memory-based (RAM-based) table, called the routing table, to store information needed to deliver IP datagrams to their destinations. This table is populated with either static or dynamic entries.

Static Routes

Static routes are permanent entries in the routing table. Static routes can be removed through manual intervention only. The most common static entries are the direct routes that a system creates to its local networks.

The ifconfig command updates the routing table with static entries for networks that are directly connected to the local network interfaces when an interface is configured as up. Therefore, even in single-user mode, a system can route directly to its local network or networks because the interfaces are initialized by the ifconfig command.

Static routes can also be added to your system’s routing table manually by using the /etc/defaultrouter file or by using entries placed in the /etc/gateways file. The /etc/defaultrouter file defines one or more static default routes for a system. A default route defines the router to use for all destinations that do not have an explicit routing table entry. The /etc/gateways file is used to define static indirect routes to networks and hosts.


Dynamic Routes

Dynamic routes are added to or removed from the routing table by processes, such as the in.routed daemon. When the routing table is updated with information about other reachable networks, the router can forward or deliver datagrams to these networks.

The svc:/network/initial SMF service enables routing. Routing in the Solaris 10 OS is implemented by the in.routed daemon. The in.routed daemon implements three routing protocols:

● Routing Information Protocol version 1 (RIPv1)

● Routing Information Protocol version 2 (RIPv2)

● ICMP Router Discovery Protocol

Routers advertise the networks that they know about. Other hosts and routers listen to these periodic announcements and update their routing table with the most current and correct information. Only those entries calculated to be the best paths to a network destination remain in the routing table.


Introducing Routing Protocol Types

A single routing protocol cannot efficiently handle all situations because networks can be connected in many different ways. As a result, different protocols were developed to manage routing in different areas of the Internet.

Autonomous Systems

An autonomous system (AS), as shown in Figure 7-4, is a collection of networks and routers under a single administrative control. This broad definition was incorporated into the Internet in an attempt to reduce excessively large routing tables.

Figure 7-4 Autonomous Systems

An autonomous system number is a unique 16-bit address that is assigned by the Internet Corporation for Assigned Names and Numbers (ICANN). The Internet can be considered to be a set of autonomous systems that are connected together.


Interior Gateway Protocols

Routing within an AS is managed by an Interior Gateway Protocol (IGP). IGPs manage the sharing of routing information between networks in the AS, and are also responsible for sharing information about any external routes that the gateways (the routers which connect the AS to the rest of the Internet) might be advertising to the networks in the AS.

Figure 7-5 shows how IGPs are used in networks.

Figure 7-5 Use of IGPs in Networks

Many routing protocols are designed to pass routing information within an autonomous system. Two popular protocols are RIP and the Open Shortest Path First (OSPF) Protocol.

RIP is a distance-vector protocol that exchanges route information between IP routers. Distance-vector algorithms obtain their name from the fact that they compute the least-cost path by using information that is exchanged with other routers that describes reachable networks with their distances, in the form of hop counts. There are two versions of RIP: RIPv1 and RIPv2.
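
As an added illustration (not part of the original course material and not the in.routed code), the following Python sketch applies the distance-vector update rule described above to hop-count advertisements. The neighbor name routerB and the function names are hypothetical, the scenario is constructed on the networks of Figure 7-3, and the metric of 16 for an unreachable network comes from the RIP specification rather than from this page.

```python
INFINITY = 16   # RIP's "unreachable" metric (RFC 2453); not stated on this page


def apply_advertisement(table, neighbor, advertised, link_cost=1):
    """Merge one neighbor's advertisement into this router's table.

    table:      {network: (hops, next_hop)}; next_hop None = directly connected
    advertised: {network: hops} as announced by `neighbor`
    Returns the sorted list of networks whose entry changed.
    """
    changed = []
    for network, hops in advertised.items():
        # Distance through the neighbor = its distance plus the hop to reach it.
        metric = min(hops + link_cost, INFINITY)
        current = table.get(network)
        if current is None:
            if metric >= INFINITY:
                continue                      # never install an unreachable route
            table[network] = (metric, neighbor)
        elif current[1] == neighbor:
            if current[0] == metric:
                continue
            # Our path already runs through this neighbor, so its news
            # replaces ours even when the distance got worse.
            table[network] = (metric, neighbor)
        elif metric < current[0]:
            table[network] = (metric, neighbor)   # strictly shorter path wins
        else:
            continue
        changed.append(network)
    return sorted(changed)


def demo():
    """Replay four advertisements against sys11's table (constructed data)."""
    # sys11 is attached to 192.168.1.0 and 192.168.30.0; sys21 routes to
    # 192.168.4.0. "routerB" is a hypothetical router offering a longer path.
    sys11 = {"192.168.1.0": (1, None), "192.168.30.0": (1, None)}
    log = [
        # sys21 announces its two attached networks: one is new to sys11.
        apply_advertisement(sys11, "sys21",
                            {"192.168.30.0": 1, "192.168.4.0": 1}),
        # routerB's path is longer, so nothing changes.
        apply_advertisement(sys11, "routerB", {"192.168.4.0": 3}),
        # sys21 loses 192.168.4.0 and says so with metric 16.
        apply_advertisement(sys11, "sys21", {"192.168.4.0": INFINITY}),
        # routerB's next periodic announcement now wins.
        apply_advertisement(sys11, "routerB", {"192.168.4.0": 3}),
    ]
    return sys11, log


if __name__ == "__main__":
    final_table, changes = demo()
    for step, nets in enumerate(changes, 1):
        print("advertisement", step, "changed", nets)
    print(final_table)
```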


OSPF is a link-state protocol. OSPF maintains a map of the network topology instead of computing route paths that are based on distance vectors in the way that RIP computes the route paths.

OSPF provides a view of the entire network and provides the shortest path choices on routes. The map on each OSPF router is updated regularly.

Exterior Gateway Protocols

An Exterior Gateway Protocol (EGP) is a routing protocol used to forward packets between autonomous systems.

EGPs are used between organizations or sites, for example in a large WAN, such as the Internet or a large corporation’s intranet.

Figure 7-6 shows the role of EGPs in Internet routing.

Figure 7-6 Role of EGPs in Internet Routing

EGP and the Border Gateway Protocol (BGP) are the two principal protocols that exchange routing information among autonomous systems.


EGP was developed in the early 1980s. The concept of an autonomous system developed out of the research and development of EGP.

BGP was developed in the mid 1990s to replace EGP. BGP replaces the distance-vector algorithm of EGP with a path-vector algorithm. The path vector that is implemented by BGP causes the routing information to include a complete path (all autonomous system numbers) from the source to the destination. This eliminates the possibility of looping problems that might arise from complex network topologies, such as the Internet. A loop is detected by BGP when the path it receives has an autonomous system listed twice. If this occurs, BGP generates an error condition.


Working With the Routing Table

A system’s routing table is used to store routing information for the system. The routing table is referenced when a path to another computer is required. The routing table is often interrogated when you troubleshoot connectivity issues.

Displaying the Routing Table

To display the contents of a system’s routing table without interpreting the names of the systems, use the netstat command with the -r and -n options. The -r option causes the routing table to be displayed. The -n option causes the IP addresses to be displayed instead of resolving them to names. For example:

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U         1     51 hme0
192.168.30.0         192.168.30.31        U         1     54 qfe0
224.0.0.0            192.168.1.1          U         1      0 hme0
127.0.0.1            127.0.0.1            UH       37    132 lo0
#


Introducing Routing Table Information

Table 7-1 describes the output from the netstat -rn command.

Table 7-1 Routing Table Entries

Field        Description

Destination  The destination network or host address. This entry can also contain the keyword default to represent a default route.

Gateway      The system that delivers or forwards the datagram.

Flags        The status of this route. This field uses the following flags:

             ● U – The interface is up.

             ● H – Host route. The destination is a system, not a network.

             ● G – The delivery system is another system (an indirect route).

             ● D – The entry was added dynamically by an ICMP redirect.

Ref          The current number of routes that share the same network interface (Ethernet) address.

Use          The number of datagrams that have used this route. For the localhost entry, it is a snapshot of the number of datagrams that are received.

Interface    The local interface used to reach the destination.


Searching the Routing Table

Figure 7-7 shows the kernel routing algorithm.

Figure 7-7 The Kernel Routing Algorithm (flowchart: extract the destination IP address and compute the network number; test in turn for a host-specific route, a matching network number, and a default entry in the route table; on a match, encapsulate the datagram with the destination Ethernet address of the associated router and deliver the frame through the connected interface; otherwise generate a routing error message through ICMP)


The kernel routing algorithm searches for routing table entries in the following order when determining where to send a datagram:

1. The kernel routing algorithm checks to see if the IP address is on a local network.

The kernel extracts the destination IP address from the IP datagram and computes the destination network number. The destination network number is then compared with the network numbers of all of the local interfaces (interfaces that are physically attached to the system) for a match. If the destination network number matches that of a local interface network number, the kernel encapsulates the IP datagram inside an Ethernet frame and sends it through the matching local interface for delivery.

2. The kernel routing algorithm checks the routing table for a route to a matching host IP address on a non-local network.

The kernel searches the routing table entries for a matching host IP address. If an entry that matches the host IP address is found, the kernel encapsulates the IP datagram inside an Ethernet frame and sends the frame to the router that is associated with that destination.

3. The kernel routing algorithm checks the routing table for a route to a matching network number.

The kernel searches the routing table for a matching network number. If a matching number is found, the kernel sets the destination Ethernet address to that of the corresponding router and delivers the frame to that router. The router that receives the frame repeats the execution of the route algorithm, but leaves the destination IP address unchanged.

4. The kernel routing algorithm checks for a default route in the routing table.

The kernel searches the routing table for a default entry, which signifies that a default route is configured. If a default route is found, the kernel encapsulates the datagram, sets the destination Ethernet address to that of the default router, leaves the destination IP address unchanged, and delivers the datagram through the interface that is local to the default router.

5. If there is no route to the destination, the kernel routing algorithm generates an ICMP error message. The kernel cannot forward the datagram. The error message states either No route to host or Network is unreachable.
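The five-step search order above, as an added Python example (not code from the student guide or from the Solaris kernel). The interface networks follow the netstat -rn listings in this module; the host route, the gateway addresses, and the default router are constructed values, and choosing the longest prefix among several matching network routes is an assumption that goes beyond the text.

```python
import ipaddress

# Constructed sample table. Interface networks follow the netstat -rn
# listings in this module; the host route, gateways and default router
# are illustrative values.
LOCAL_INTERFACES = {"hme0": "192.168.1.0/24", "qfe0": "192.168.30.0/24"}
HOST_ROUTES = {"192.168.4.24": "192.168.30.32"}
NET_ROUTES = {"192.168.3.0/24": "192.168.30.33"}
DEFAULT_ROUTER = "192.168.1.254"


def interface_for(gateway, local):
    """Return the local interface whose network contains the gateway."""
    gw = ipaddress.ip_address(gateway)
    for ifname, cidr in local.items():
        if gw in ipaddress.ip_network(cidr):
            return ifname
    return None


def select_route(dst, local=LOCAL_INTERFACES, hosts=HOST_ROUTES,
                 nets=NET_ROUTES, default=DEFAULT_ROUTER):
    """Return (matched_step, next_hop, interface) for a destination address."""
    addr = ipaddress.ip_address(dst)

    # Step 1: the destination network is directly attached, deliver locally.
    for ifname, cidr in local.items():
        if addr in ipaddress.ip_network(cidr):
            return ("local", str(addr), ifname)

    # Step 2: a host-specific route wins over any network or default route.
    gateway = hosts.get(str(addr))
    if gateway is not None:
        return ("host", gateway, interface_for(gateway, local))

    # Step 3: a network route. Longest prefix first (assumption, see lead-in).
    parsed = [(ipaddress.ip_network(cidr), gw) for cidr, gw in nets.items()]
    for net, gateway in sorted(parsed, key=lambda p: p[0].prefixlen,
                               reverse=True):
        if addr in net:
            return ("net", gateway, interface_for(gateway, local))

    # Step 4: the default route, if one is configured.
    if default is not None:
        return ("default", default, interface_for(default, local))

    # Step 5: no route; the kernel reports an ICMP error instead of forwarding.
    return ("unreachable", None, None)


if __name__ == "__main__":
    for target in ("192.168.30.7", "192.168.4.24", "192.168.3.9", "10.1.1.1"):
        print(target, "->", select_route(target))
    # A host route for an address inside 192.168.3.0/24 overrides the
    # network route for that one destination only.
    override = {"192.168.3.9": "192.168.1.77"}
    print("with host route:", select_route("192.168.3.9", hosts=override))
```

Because step 2 runs before steps 3 and 4, a single host route changes the next hop for that destination even when a correct network route exists, which is why unexpected host routes deserve attention when you review a routing table.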


Associating Names and Network Numbers

The netstat -rn command displays the routing table without resolving any of the IP addresses in the routing table to names. If the netstat -r command is used instead, the netstat command attempts to resolve IP addresses to names, and displays the names instead of the numbers.

IP addresses and host names are associated by using the /etc/inet/hosts file. An equivalent file for associating network names and numbers also exists: the /etc/inet/networks file. The /etc/networks file is a symbolic link to the /etc/inet/networks file.

The fields in the /etc/inet/networks file are organized by network name, network number, and nicknames. For example:

# cat /etc/inet/networks
#ident  "@(#)networks   1.4     92/07/14 SMI"   /* SVr4.0 1.1   */
#
# The networks file associates Internet Protocol (IP) network numbers
# with network names.  The format of this file is:
#
#       network-name    network-number  nicnames . . .
#

#
# The loopback network is used only for intra-machine communication
#
loopback        127

#
# Internet networks
#
arpanet         10              arpa    # Historical

one             192.168.1       one
two             192.168.2       two
three           192.168.3       three
thirty          192.168.30      thirty
#

When the /etc/inet/networks file is modified, you can use the defined network name in a command instead of a network address.


To view how defined networks are displayed in the output from the netstat command, use the netstat command with the -r option:

# netstat -r

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
one                  sys11                U         1     53 hme0
two                  sys11ext             UG        1      0
three                sys11ext             UG        1      0
thirty               sys11ext             U         1     56 qfe0
224.0.0.0            sys11                U         1      0 hme0
localhost            localhost            UH        3    132 lo0
#

Observe that the destination networks are now displayed by name instead of by network number, and the loopback address is replaced by its entry from the /etc/inet/hosts file.


Configuring Static Routes

You can configure a route that does not change or time-out. This type of route is called a static route. Static routes are not removed from the routing table by the system.

Configuring Static Direct Routes

Static direct routes are routes to local networks which do not expire from the routing table. A static direct route is added to a network when a network interface is configured as up by the ifconfig command.

The ifconfig command builds the direct route entries initially when the network interface is configured during system startup. To view the static direct routes configured by the ifconfig command, use the netstat -rn command:

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U         1     53 hme0
......
192.168.30.0         192.168.30.31        U         1     77 qfe0
224.0.0.0            192.168.1.1          U         1      0 hme0
127.0.0.1            127.0.0.1            UH        3    132 lo0
#

The 127.0.0.1 entry in the routing table is a loopback route to the local host that is created when the lo0 pseudo interface is configured.


Configuring the /etc/defaultrouter File

Default routes are routing table entries that define the default routers to use if no specific host or network routes are available. Default route entries can be either static entries or dynamic entries. The /etc/defaultrouter file is used to define static default routes. Default routes mean that you do not need to define every reachable network because datagrams that are addressed to non-local destinations use a default router in the absence of an explicit route.

You can define default routers by creating entries in the /etc/defaultrouter file, which lists the host names or IP addresses of the default routers. You must use host names that exist in the system’s /etc/inet/hosts file because no name-resolution services are available at the time that this file is read at system boot. A system that is configured with an /etc/defaultrouter file does not execute the in.routed daemon.

Some advantages of default routing are:

● The /etc/defaultrouter file prevents unneeded routing processes from starting.

● The default entries result in a smaller routing table, which reduces the processing time spent on each IP datagram.

● Multiple default routers can be identified, which eliminates single points of failure within a network.

● Systems that use default route entries do not depend on actual routing protocols.

Some disadvantages of default routing are:

● The default entries created by the /etc/defaultrouter file are always present, even when the default router is not available. The system does not learn about other possible routes.

● All systems must have a local /etc/defaultrouter file configured properly because this file cannot be administered by a name service. This can be an administrative problem on large, evolving networks.


Configuring the /etc/gateways File

The /etc/gateways file, if it exists, is read by the in.routed daemon when the daemon starts. The in.routed daemon uses the contents of the /etc/gateways file to add additional static routes to the routing table. Static route entries in the /etc/gateways file use the format:

net|host destination gateway gateway metric hops [passive|active|extern]

For example:

# cat /etc/gateways
net 192.168.3.0 gateway sys31ext metric 1
#

Note – It is a better practice to use IP addresses rather than the host names because it might not be possible to resolve host names.

The /etc/gateways file also supports the use of directives to control the behavior of the system. For example, you can disable the RIP protocols (RIPv1 and RIPv2) by placing the following directive in the /etc/gateways file:

no_rip

Use the no_ripv1_in directive when you want your system to ignore RIPv1 information received on a specific interface. For example, to ignore RIPv1 information received on the qfe3 interface, use the following directive in the /etc/gateways file:

no_ripv1_in if=qfe3

You can disable the RDISC protocol by placing the following directive in the /etc/gateways file:

no_rdisc

Refer to the gateways man page for more information on the /etc/gateways file.


Configuring Static Routes on the Command Line

The route command enables manual manipulation of the routing table. The route command can be used to add, remove, and change routing table entries. The route command uses sub-commands to perform its tasks.

To add routes to the routing table, you use the route add command. Its basic format is:

route add destination gateway

The destination can be a host, a network, or a default route. For example, to add a static route to the 192.168.3.0 network with the sys31ext system as the gateway, type the command:

# route add net 192.168.3.0 sys31ext
add net 192.168.3.0: gateway sys31ext
#

To add a static route to the sys24 host with the sys21ext system as the gateway, type the command:

# route add host sys24 sys21ext
add host sys24: gateway sys21ext
#

To add a default route with the instructor system as its gateway, type the command:

# route add default instructor
add default: gateway instructor
#

To delete a route, you use the route delete command. Its basic format is:

route delete destination gateway

For example, to delete the route to the host sys24 using the gateway sys21ext, type the command:

# route delete sys24 sys21ext
delete host sys24: gateway sys21ext
#


To retrieve information about a specific route, use the route get command. For example, to retrieve information about the default route, type the following command:

# route get default
   route to: default
destination: default
       mask: default
    gateway: instructor
  interface: hme0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
#

To change the routing table, use the route change command. For example, to change the default route from instructor to sys41, type a command similar to the following:

# route change default sys41
change net default: gateway sys41
#

To continuously report any changes to the routing table, route look-up misses, or suspected network partitionings, use the route monitor command. For example, with the route monitor command running, deleting a route produces output similar to the following:

# route monitor
got message of size 124
RTM_DELETE: Delete Route: len 124, pid: 633, seq 1, errno 0,
flags:<UP,GATEWAY,DONE,STATIC>
locks:  inits:
sockaddrs: <DST,GATEWAY,NETMASK>
 192.168.3.0 sys11ext 255.255.255.0

To flush (remove) the routing table of all gateway entries, use the route flush command. For example:

# route flush
192.168.9            sys13                done
two                  sys13                done
two                  sys11ext             done
default              172.20.4.248         done
#


To cause the routing table to flush before the remaining options are evaluated, use the flush option in combination with other options. For example, to flush the routing table of gateways and to add a route to the 192.168.2.0 network, type a command similar to the following:

# route -f add net 192.168.2.0 sys21ext
add net 192.168.2.0: gateway sys21ext
#

To add a route manually to the multicast address range of 224–239, type the command:

# route add 224.0/4 `uname -n`

Note – You can find the command syntax in the /lib/svc/method/net-svc SMF method file.

To define a route that uses a specific netmask to support a network, use the -netmask option with the route command. For example, to add a route to the 192.168.3.0 network that uses a netmask of 255.255.255.224, type the command:

# route add net 192.168.3.0 sys31ext -netmask 255.255.255.224
add net 192.168.3.0: gateway sys31ext
#

To achieve the same results in a more concise way, specify the length of the subnet mask after the destination. For example, enter:

192.168.3.0/27

The 255.255.255.224 netmask for the 192.168.3.0 network is 11111111.11111111.11111111.11100000 in binary format. There are 27 ones (1s) in the binary netmask, hence the /27 after the network address. A command similar to the following is identical to the command in the preceding example:

# route add net 192.168.3.0/27 sys31ext
add net 192.168.3.0/27: gateway sys31ext
#


Note – The in.routed process does not detect any routing table changes that are performed by other programs on the machine, for example, routes that are added, deleted, or flushed as a result of the route command. Therefore, do not perform these types of changes while the in.routed process is running. Instead, shut down the in.routed process, make the required changes, and then restart the in.routed process. This ensures that the in.routed process learns of any changes.

Network names can also be used to define routes. To add a route to the two network, defined in the /etc/inet/networks file, type a command similar to the following:

# route add net two 192.168.30.31
add net two: gateway 192.168.30.31
#

Note – Use of the metric argument in the route command is no longer supported.


Configuring Dynamic Routing

RIP is a routing protocol that is used commonly on computer systems to provide dynamic routing. RIPv1 and RIPv2 are bundled with the Solaris 10 OS. RIP is an Application layer protocol.

RIP Version 1

RIP version 1 is a distance-vector protocol that exchanges route information between IP routers. RIP version 1 does not support VLSM or CIDR.

Distance-Vector Protocols

Distance-vector algorithms compute the least-cost path of a route by using information that is exchanged with other routers. This information describes how far away (in distance) reachable networks are from the sending or receiving system. This distance is measured by a metric known as a hop. The total number of hops is called the hop count. The efficiency of a route is determined by its distance from the source to the destination. RIP maintains only the best route to a destination. When multiple paths to a destination exist, only the first path with the lowest hop count is maintained. Figure 7-8 shows the least hop count between a source host and a destination host.

Figure 7-8 Least Hop Count (diagram: between the source host and the destination host, the router path with Metric = 1 is propagated to route tables and the path with Metric = 2 is discarded)

RIP specifies a number of features that make its operation more stable in the face of rapid network topology changes. These stability features include a hop-count limit, hold-down states, split horizons, triggered updates, and route poisoning.


Hop-Count Limits

RIP permits a maximum hop count of 15. A destination greater than 15 hops away is tagged as unreachable. The maximum hop count of RIP greatly restricts its use in large networks but prevents a problem called count to infinity from causing endless network routing loops.

This upper limit of 15 does not cause problems since RIP is an IGP and is used within autonomous systems only.

Hold-Down States

Hold-down states prevent regular update messages from inappropriately reinstating a route that has gone bad. When a route goes down, neighboring routers detect this condition. These routers then calculate new routes and send route update messages to inform their neighbors of the route change. This activity begins a wave of route updates that filter through the network. These updates do not instantly arrive at every network device. It is possible that a device that has yet to be informed of a network failure can send a regular update message (indicating that a route that has just gone down is still available) to a device that has just been notified of the network failure. In this case, the latter device now contains (and potentially advertises) incorrect route information.

Hold-down states tell routers to hold down any changes that can affect recently removed routes for a specified period of time. The hold-down period is usually calculated to be just greater than the period of time that is necessary to update the entire network with a route change.

Split Horizons

Split horizons derive from the fact that it is never useful to send information about a route back in the direction from which it came. The split-horizon rule prohibits this from happening. This helps prevent two-node routing loops.

Triggered Updates

Triggered updates propagate changing route information quickly throughout the network. As the router becomes aware that new routes are available or that existing routes are not available, it advertises this information immediately rather than waiting until the next 30-second (default) advertisement interval occurs.


Route Poisoning

When a router learns that a destination is no longer available, it issues a triggered update for that destination. This update includes a hop-count advertisement of 16. All other hosts and routers consider the destination as unreachable, and the hosts and routers remove the route entry. This is to ensure that other systems do not attempt to use the bad route.
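How the hop-count limit, route poisoning, and split horizon interact, as an added Python simulation (a simplified model written for this page, not in.routed code). It assumes a constructed topology R1 - R2 - R3 in which network X sits behind R3 and the R2-R3 link has just failed, uses synchronous update rounds, and does not model hold-down timers or triggered updates.

```python
INFINITY = 16           # hop count that RIP treats as unreachable
LINKS = [("R1", "R2")]  # the only link left after R2 lost its link to R3


def initial_tables():
    """Per-router (metric, next hop) for network X right after the failure.

    R2 has poisoned its route (metric 16). R1 still holds the stale
    3-hop route that points at R2.
    """
    return {"R1": (3, "R2"), "R2": (INFINITY, None)}


def exchange(tables, split_horizon):
    """Run one synchronous round of regular updates over every link."""
    snapshot = dict(tables)  # every router advertises its pre-round state
    for a, b in LINKS:
        for sender, receiver in ((a, b), (b, a)):
            metric, via = snapshot[sender]
            if split_horizon and via == receiver:
                continue  # never send a route back where it came from
            offered = min(metric + 1, INFINITY)
            cur_metric, cur_via = tables[receiver]
            # Accept a shorter route, or any news from the current next hop.
            if offered < cur_metric or cur_via == sender:
                tables[receiver] = (offered, sender)


def simulate(split_horizon, max_rounds=50):
    """Return the (R1 metric, R2 metric) pair recorded after each round."""
    tables = initial_tables()
    history = []
    for _ in range(max_rounds):
        exchange(tables, split_horizon)
        history.append((tables["R1"][0], tables["R2"][0]))
        if all(metric == INFINITY for metric, _hop in tables.values()):
            break  # every router now agrees that X is unreachable
    return history


if __name__ == "__main__":
    for enabled in (False, True):
        trace = simulate(enabled)
        print("split horizon", "on: " if enabled else "off:",
              len(trace), "round(s)", trace)
```

Without split horizon the stale route bounces between R1 and R2 with a climbing metric and only dies when it reaches 16; with split horizon R1 never offers the route back to R2, so the poisoned metric settles both routers in one round.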

RIP Version 2

RIP version 2 was developed to address some of the limitations of RIPv1, while maintaining backward compatibility combined with the simplicity of RIPv1. RIPv2 has the following characteristics:

● RIPv2 supports VLSM and non-byte-bounded subnet masks.

● RIPv2 uses multicast to advertise routes. The 224.0.0.9 multicast address is reserved for RIPv2.

● RIPv2 includes support for simple authentication of messages.

Note – RIP version 2 is defined in RFC 2453.


The in.routed Daemon

RIPv1 and RIPv2 are implemented by the /usr/sbin/in.routed daemon. The /usr/sbin/in.routed daemon causes a system to broadcast its own routing information if IP forwarding and IP routing are enabled by the routeadm command. A router sends routing information to the networks to which it is directly connected every 30 seconds. You cannot change this time interval.

If RIPv2 multicasts are being processed, only those hosts listening for the RIPv2 multicast address process the information. If RIPv1 broadcasts are being processed, all hosts receive the information, but only those hosts that run the in.routed daemon use the information. Routers and non-routers run the in.routed daemon.

The in.routed daemon is started at boot time if the ipv4-routing option is specifically enabled by using the routeadm command, or if the /etc/defaultrouter file is empty or does not exist.

Stopping and Starting the in.routed Daemon

The in.routed daemon can be stopped and started on the command line by using the routeadm command. The routeadm command is used to control whether a system runs the in.routed routing daemon and whether a system forwards IP packets between networks.

To view the current configuration, type the routeadm command with no arguments:

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State

            IPv4 forwarding   default (disabled)   disabled
               IPv4 routing   default (enabled)    enabled
            IPv6 forwarding   default (disabled)   disabled
               IPv6 routing   default (disabled)   disabled

        IPv4 routing daemon   "/usr/sbin/in.routed"
   IPv4 routing daemon args   ""
   IPv4 routing daemon stop   "kill -TERM `cat /var/tmp/in.routed.pid`"
        IPv6 routing daemon   "/usr/lib/inet/in.ripngd"
   IPv6 routing daemon args   "-s"
   IPv6 routing daemon stop   "kill -TERM `cat /var/tmp/in.ripngd.pid`"
#


To stop the in.routed daemon, type the command:

# routeadm -u -d ipv4-routing
#

To start the in.routed daemon, type the command:

# routeadm -u -e ipv4-routing
#

The -d option changes the contents of the /etc/inet/routing.conf file to list the argument as disabled explicitly. The -e option changes the contents of the /etc/inet/routing.conf file to list the argument as enabled explicitly. The -u option updates the system’s current configuration by using the contents of the /etc/inet/routing.conf file.

Note – Using the routeadm command without the -u option causes the configuration to be changed in the /etc/inet/routing.conf file, but does not change the current configuration of the system.

To cause the system to revert to default behavior at system boot (start the in.routed daemon unless the /etc/defaultrouter file is not empty), type the command:

# routeadm -r ipv4-routing
#


The RDISC Protocol

The RDISC Protocol sends and receives router advertisement messages pertaining to default routes. RFC 1256 specifies the format of related ICMP messages. The in.routed daemon implements the RDISC Protocol.

Routers that run the in.routed daemon advertise their presence by using the 224.0.0.1 multicast address every 600 seconds (10 minutes). Non-routers running the in.routed daemon listen to the 224.0.0.1 multicast address for these router advertisement messages. The in.routed process builds a default route entry for each router from which an advertisement is received.

Some advantages of the RDISC Protocol are that it:

● Is independent of routing protocol

● Uses a multicast address

● Results in small routing tables

● Provides redundancy through multiple default-route entries

Note – The RDISC Protocol was previously implemented by using the in.rdisc daemon. While the in.rdisc daemon is still present in the Solaris 10 OS, it is no longer started at system boot. In the Solaris 10 OS, the in.routed daemon has been enhanced to include equivalent route discovery functionality.

Some disadvantages of the RDISC protocol are:

● An advertisement period of 10 minutes can result in a black hole. A black hole is the time period in which a router path is present in the table, but the router is not actually available. The default lifetime for a non-advertised route is 30 minutes (three times the advertising time interval).

● Routers must still run a routing protocol, such as RIP, to learn about other networks. The RDISC protocol provides a default route from hosts to routers, not between routers.

The behavior of the RDISC protocol can be controlled by entries in the /etc/gateways file. For example, to change the advertisement interval to 100 seconds, create the entry:

rdisc_interval=100


ICMP Redirects

ICMP provides control and error messages. ICMP on a router or gateway attempts to send reports of problems to the original source if an IP datagram cannot be delivered for some reason. ICMP datagrams are always encapsulated in IP.

ICMP redirects occur when a system uses more than one default route. If the router determines a more efficient route, or if there is only one way to forward the datagram, it redirects the datagram using the better or only route and reports that route to the sender. Figure 7-9 shows an ICMP redirect process where the sys21 system needs to communicate with the server1 system and has a default route of sys11. The information does reach the server1 system and the sys11 system sends an ICMP redirect to the sys21 system, telling it that the best route to the server1 system is through the instructor system.

The sending system’s routing table is updated with the new information. The drawback to this method of routing is that for every ICMP redirect, there is a separate entry in the sending system’s routing table. This action can lead to a large routing table. However, this method of routing also ensures that the datagrams that are going to all reachable hosts are taking the shortest route.

Caution – An attacker might forge redirect errors to install false routes, which might initiate a denial of service attack if the newly specified router is not a router at all. There are rules governing valid redirect errors, all of which can be spoofed easily. Use this ndd command to ignore IPv4 ICMP redirect errors: ndd -set /dev/ip ip_ignore_redirect 1. Refer to the Sun BluePrints™ document Solaris Operating Environment Network Settings for Security, available at: http://www.sun.com/solutions/blueprints/1200/network-updt1.pdf.
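A routing-table check for the condition in the Caution above, as an added Python example (not from the student guide): it parses netstat -rn output and reports routes that carry the D flag from Table 7-1, along with indirect routes whose gateway is not on an expected list. The sample output and the trusted gateway addresses are constructed.

```python
import re

# Constructed sample: netstat -rn output in the layout used in this module,
# with one host route that was installed by an ICMP redirect (D flag).
SAMPLE = """\
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U         1     53 hme0
192.168.30.0         192.168.30.31        U         1     77 qfe0
192.168.3.0          192.168.30.33        UG        1      0
10.20.30.40          192.168.1.66         UGHD      1      4
default              192.168.1.254        UG        1     12
224.0.0.0            192.168.1.1          U         1      0 hme0
127.0.0.1            127.0.0.1            UH        3    132 lo0
"""

# Destination, gateway, flags, ref, use, and an optional interface column
# (indirect routes in the listings above leave the interface blank).
ROW = re.compile(
    r"^(?P<dest>\S+)\s+(?P<gw>\S+)\s+(?P<flags>[A-Z]+)\s+"
    r"(?P<ref>\d+)\s+(?P<use>\d+)(?:\s+(?P<iface>\S+))?\s*$"
)


def parse_routes(text):
    """Return one dict per route row; headers and rulers do not match ROW."""
    routes = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            routes.append(match.groupdict())
    return routes


def audit_routes(routes, trusted_gateways):
    """Return (destination, gateway, reasons) for every suspicious route."""
    findings = []
    for route in routes:
        reasons = []
        if "D" in route["flags"]:
            reasons.append("installed by ICMP redirect")
        if "G" in route["flags"] and route["gw"] not in trusted_gateways:
            reasons.append("gateway not in trusted list")
        if reasons:
            findings.append((route["dest"], route["gw"], reasons))
    return findings


if __name__ == "__main__":
    trusted = {"192.168.30.33", "192.168.1.254"}  # constructed allow-list
    for dest, gateway, reasons in audit_routes(parse_routes(SAMPLE), trusted):
        print(f"{dest} via {gateway}: {', '.join(reasons)}")
```

On a system where ip_ignore_redirect is set to 1, no route should ever show the D flag, so any finding of the first kind points to a setting that was not applied.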


Figure 7-9 ICMP Redirect (diagram: sys21 runs # telnet server1; datagrams 1, 2, 4, and 5 and ICMP redirect 3 pass among the sys21, sys11, instructor, and server1 systems)


Introducing CIDR

The rapid growth of the Internet in the early 1990s created concerns aboutthe ability to scale and support future growth. The most severe problemsare:

● Impending depletion of Class B networks

● Increasing the size of routing tables

Depletion of Class B networks creates a problem for large organizationsbecause Class C addresses with 254 as their maximum number of hostaddresses are not large enough. Assigning multiple Class C networks tocompanies will, over time, dramatically increase the number of routes inthe routing table. Large routing tables cause poor router performancebecause the router spends excessive time performing address lookups.

Purpose of CIDR

A task force was created by the Internet Engineering Task Force (IETF) todevelop a solution to the scale and growth problems. The solution becameknown as CIDR, or supernetting, and is a way to make more-efficient useof the IP address space. CIDR is documented in RFC 1517, RFC 1518,RFC 1519, and RFC 1520. Three important features of CIDR that addressscalability and growth issues for the Internet are:

● Elimination of network classes (Class A, Class B, and Class C)

● Block address allocation

● Hierarchical routing

Operation of CIDR

CIDR uses classless addresses. Netmasks are referred to as network prefixes and are used to create networks of varying sizes. The network prefix is expressed in the following notation: X.X.X.X/Y. The value Y is an integer value that specifies the number of 1s in the netmask. For example, using /18 is equivalent to a netmask of 255.255.192.0. The first 18 bits identify the network, and the remaining 14 bits identify the host.


Figure 7-10 shows an example of a CIDR prefix.

Figure 7-10 CIDR Prefix

This use of variable length subnet masks means making efficient use of network address space by supernetting or subnetting.

Supernetting is the combining of two or more contiguous network addresses. For example, 192.168.2/24 (11000000.10101000.00000010, 0xffffff00, or 255.255.255.0) and 192.168.3/24 (11000000.10101000.00000011, 0xffffff00, or 255.255.255.0) can be supernetted by using a prefix of /23 (11000000.10101000.0000001X, 0xfffffe00, or 255.255.254.0).

The systems on the supernetted networks must all use the following in order to properly communicate without a router:

● Network address – 192.168.2.0/23

● Broadcast address – 192.168.3.255

Valid host addresses for this supernetted network range from 192.168.2.1 – 192.168.3.254 (510 addresses). The 192.168.2.255 and 192.168.3.0 addresses are valid host addresses, but they are not used in the Solaris 10 OS.

[Figure 7-10 content, titled Evolution of Routing Protocols. Classful routing protocols: network route 10nnnnnn.nnnnnnnn.00000000.00000000, subnet route 10nnnnnn.nnnnnnnn.ssssssss.ss000000, host route 10nnnnnn.nnnnnnnn.ssssssss.sshhhhhh. Classless routing protocols: prefix route pppppppp.pppppppp.pp000000.00000000 with a prefix length. n = Network, s = Subnet, h = Host.]


Following is an example that configures an interface on this supernetted network:

# ifconfig eri0 plumb 192.168.3.239/23 broadcast + up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 192.168.3.239 netmask fffffe00 broadcast 192.168.3.255
        ether 0:3:ba:2a:9d:7a

# netstat -rnv
IRE Table: IPv4
  Destination        Mask           Gateway      Device Mxfrg Rtt  Ref Flg Out  In/Fwd
--------------- --------------- --------------- ------ ----- ---- --- --- ---- ------
172.20.221.6    255.255.255.255 192.168.2.254          1500*    0   1 UGH    0      0
192.168.2.0     255.255.254.0   192.168.3.239   eri0   1500*    0   1 U      0      0
127.0.0.1       255.255.255.255 127.0.0.1       lo0    8232*    0   1 UH    10      0
#

A CIDR and VLSM aware routing protocol, such as RIPv2, must be used on the router that connects this supernetted network to other networks.

Subnetting is the application of a netmask on an IP address to divide the network up into smaller pieces.

CIDR and VLSM permit a portion of the IP address space to be divided into successively smaller pieces. For example, an Internet service provider (ISP) could be allocated blocks of address space, which it then assigns in subset address blocks to smaller ISPs. These smaller ISPs can then supply an even smaller subset of addresses to a customer or private organization. CIDR and VLSM make this aggregation and subdivision of address space possible.

The routing table entry for each ISP or organization reflects the first address in the block assigned to it, for example, 204.106.8.0/22, even though there can be additional network addresses that are associated with the block. A range of CIDR addresses is known as a CIDR block. This aggregation of network addresses reduces the number of entries required in the backbone routing tables.


Consider an ISP that requires IP addresses for 1000 clients. Based on 254 clients per Class C network, the ISP requires four Class C networks. You can supernet four Class C networks, for example:

● 204.106.8.0

● 204.106.9.0

● 204.106.10.0

● 204.106.11.0

Figure 7-11 shows the network addresses that can result from applying different network prefixes.

Figure 7-11 CIDR Network Addresses

It can be seen from Figure 7-11 that the four networks being considered have identical values in their first 22 bits. Therefore, if you consider the first 22 bits only of an address on any of these networks to represent the network portion of the address, every address on the four networks has the same network address. The networks can therefore be supernetted and a single route can be used to reach all four networks.
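The prefix arithmetic used in this section, worked as an added example that is not part of the Sun guide: the functions convert a prefix length to a netmask, derive the network and broadcast addresses for an interface such as 192.168.3.239/23, and test whether equal-sized networks can be covered by one supernet route. It goes beyond the cases in the text by rejecting networks that are adjacent but not aligned on the new prefix boundary. The function names are assumptions, and the script needs a shell with $(( )) arithmetic such as ksh or bash.

```shell
#!/bin/sh
# Added example: CIDR arithmetic with POSIX shell integer math.
# Function names are illustrative. Octets must not carry leading zeros.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length Y -> netmask integer with the top Y bits set.
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# "a.b.c.d/Y" -> "network netmask broadcast", all in dotted form.
cidr_info() {
    addr=$(ip_to_int "${1%/*}")
    mask=$(prefix_to_mask "${1#*/}")
    net=$(( addr & mask ))
    bcast=$(( net | (mask ^ 0xFFFFFFFF) ))
    echo "$(int_to_ip "$net") $(int_to_ip "$mask") $(int_to_ip "$bcast")"
}

# supernet LEN NET1 NET2 ...   (networks in ascending order, each a /LEN)
# Prints the one prefix that covers exactly these networks. Fails when a
# single route cannot describe them: the count is not a power of two, the
# first network is not aligned on the shorter prefix, or there is a gap.
supernet() {
    len=$1; shift
    [ $# -ge 1 ] || { echo "no networks given" >&2; return 1; }
    count=$#; n=$count; bits=0
    while [ "$n" -gt 1 ]; do
        [ $(( n % 2 )) -eq 0 ] || {
            echo "$count networks: not a power of two" >&2; return 1; }
        n=$(( n / 2 )); bits=$(( bits + 1 ))
    done
    newlen=$(( len - bits ))
    size=$(( 1 << (32 - len) ))          # addresses in each /LEN block
    first=$(ip_to_int "$1")
    newmask=$(prefix_to_mask "$newlen")
    [ $(( first & newmask )) -eq "$first" ] || {
        echo "$1 is not aligned on a /$newlen boundary" >&2; return 1; }
    expect=$first
    for netaddr in "$@"; do
        [ "$(ip_to_int "$netaddr")" -eq "$expect" ] || {
            echo "$netaddr is not contiguous with the previous block" >&2
            return 1; }
        expect=$(( expect + size ))
    done
    echo "$(int_to_ip "$first")/$newlen"
}

# Values taken from the text above.
cidr_info 192.168.3.239/23
supernet 24 204.106.8.0 204.106.9.0 204.106.10.0 204.106.11.0
# Adjacent but unaligned: the third octet of 192.168.1.0 has its low bit set,
# so no /23 starts there and the two networks still need two routes.
supernet 24 192.168.1.0 192.168.2.0 || true
```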


Figure 7-12 shows an example of supernetting.

Figure 7-12 Supernetting Example

An ISP that is given a block of supernetted addresses can then divide the range into different sized blocks to suit the needs of its customers, while minimizing the number of routing table entries required.

[Figure 7-12 content: Internet; Internet Service Provider 204.106.0.0/16 (65,536 Host Addresses); 204.106.0.0/20 (4096 Host Addresses); 204.106.0.0/21 (2048 Host Addresses), Address Range 204.106.0.0 to 204.106.7.0; 204.106.8.0/22 (1024 Host Addresses), Address Range 204.106.8.0 to 204.106.11.0.]


Configuring Routing at Boot Time

The behavior of a Solaris 10 system in regard to route configuration differs from that of previous versions of the Solaris OS.

The /etc/inet/routing.conf file contains two options regarding route configuration on a Solaris 10 system: ipv4-routing and ipv4-forwarding. The ipv4-routing option refers to whether a system will start the in.routed daemon. The ipv4-forwarding option refers to whether a system will be configured to forward packets between networks.

Initializing a Router

When a system boots, the system first checks the contents of the /etc/inet/routing.conf file. If the ipv4-routing or ipv4-forwarding options are set explicitly to either enabled or disabled, the setting is applied. If either option has not been set explicitly, then the system determines whether or not to enable or disable each option.

IPv4 routing is disabled if the /etc/defaultrouter file is not empty. If the /etc/defaultrouter file is not present, or is empty, IPv4 routing is enabled (the in.routed daemon is started).

IPv4 forwarding is disabled by default and must be enabled explicitly by using the routeadm command.


Figure 7-13 shows how the /lib/svc/method/net-init method configures a system for IPv4 forwarding and routing.

Figure 7-13 IPv4 Router Initialization

[Figure 7-13 flowchart, not reproduced. Boxes: Start; decisions "IPv4 routing enabled by routeadm?", "Does /etc/defaultrouter exist?", and "IPv4 forwarding enabled by routeadm?", each with Yes and No branches; actions Enable IPv4 routing, Disable IPv4 routing, Enable IPv4 forwarding, Disable IPv4 forwarding; End.]


Configuring a Router Without Rebooting

To configure a Solaris OS system as a router without rebooting, complete the following steps:

1. Verify that the /etc/hostname.interface and the /etc/inet/hosts files are configured properly.

2. Do one of the following:

● Turn on IP forwarding on all of the interfaces:

# routeadm -u -e ipv4-forwarding

● Turn on IP forwarding for specific interfaces:

# ifconfig specific_interface router

3. Stop and restart the in.routed daemon:

# routeadm -u -d ipv4-routing
# routeadm -u -e ipv4-routing
#

The system now functions as a router.

Initializing a Multihomed Host

A multihomed host is a system with two or more physical network interfaces that does not forward IP datagrams between the networks to which it is attached. In the Solaris 10 OS, all systems with two or more physical network interfaces are multihomed hosts by default.

To create a multihomed host, complete the following steps:

1. Become a superuser on the prospective multihomed system.

2. Create an /etc/hostname.interface file for each additional network interface that is installed in the system. For example, if the qfe2 interface is to be enabled and known on the network, you create the /etc/hostname.qfe2 file, containing contents similar to the following:

# cat /etc/hostname.qfe2
sample-hostname-for-qfe2
#

This causes the interfaces to be configured by the SMF methods at boot time.


3. Add an entry to the /etc/inet/hosts file so that the interface can be assigned an IP address at boot time. The entry looks similar to the following:

# grep sample /etc/inet/hosts
192.168.19.1 sample-hostname-for-qfe2
#

4. Do either of the two following procedures:

● Reboot the system with the init 6 command.

● Complete the following steps to enable the configuration without rebooting:

1. Use the ifconfig command to configure the new interface as appropriate, but do not enable the interface at this stage:

# ifconfig qfe2 plumb 192.168.19.1 netmask + broadcast +
#

2. Use the routeadm command to disable IP forwarding explicitly:

# routeadm -u -d ipv4-forwarding
#

3. Use the ifconfig command to enable the interface:

# ifconfig qfe2 up
#

The system is now a multihomed host that has connectivity to more than one network and can be used without concern of advertising routes and potentially causing routing issues on any of the networks to which it belongs.

Initializing a Non-Router

Disabling IP forwarding stops a router from forwarding packets between the networks to which it is connected. To initialize a non-router, use the routeadm command to disable IP forwarding on all interfaces by typing the following command:

# routeadm -u -d ipv4-forwarding
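A check for the settings this chapter asks of a system that must not route, written as an added example that is not part of the Sun guide: it reads ip_forwarding and ip_ignore_redirect (the parameter from the earlier caution on forged ICMP redirects) through ndd and reports any drift together with the command from this chapter that corrects it. The function names, the NDD override and the sample_ndd stub are assumptions made so the script runs offline; ip_forwarding is the standard /dev/ip parameter for IPv4 forwarding and is not named on this page.

```shell
#!/bin/sh
# Added example: audit /dev/ip settings on a multihomed host or non-router.
# NDD names the command used to read parameters; override it to test offline.
NDD=${NDD:-ndd}

# One line per check: parameter, expected value, corrective command.
# ip_ignore_redirect and both corrective commands come from the guide;
# ip_forwarding is the /dev/ip parameter behind IPv4 forwarding.
EXPECTED='ip_forwarding 0 routeadm -u -d ipv4-forwarding
ip_ignore_redirect 1 ndd -set /dev/ip ip_ignore_redirect 1'

# Constructed stand-in for ndd: a host that forwards packets and still
# accepts ICMP redirects. Called as: sample_ndd -get /dev/ip <parameter>
sample_ndd() {
    case "$3" in
        ip_forwarding)      echo 1 ;;
        ip_ignore_redirect) echo 0 ;;
        *)                  return 1 ;;
    esac
}

# Prints one line per parameter:
#   OK <param>=<value>
#   DRIFT <param>=<value> want=<value> fix: <command>
#   UNKNOWN <param> ...      (value could not be read)
# Returns 0 only when every parameter was read and matches.
audit_nonrouter() {
    status=0
    while read -r param want fix; do
        [ -n "$param" ] || continue
        if got=$($NDD -get /dev/ip "$param" 2>/dev/null); then
            if [ "$got" = "$want" ]; then
                echo "OK $param=$got"
            else
                echo "DRIFT $param=$got want=$want fix: $fix"
                status=1
            fi
        else
            # ndd needs root and exists only on Solaris; treat a read
            # failure as a finding rather than as a pass.
            echo "UNKNOWN $param (could not read it with $NDD)"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $status
}

# Offline demonstration against the constructed stub.
( NDD=sample_ndd; audit_nonrouter ) || true
```

Values set with ndd are lost at reboot, so a host that passes this check after a manual ndd -set still needs the setting applied from a startup script.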


Troubleshooting Routing

One of the most challenging tasks that a network administrator has to perform is troubleshooting routing. Router configuration and troubleshooting rely on mastering other basic network skills.

Troubleshooting the Router Configuration

When troubleshooting a problem, verify the following:

● The device information tree recognizes the additional interfaces. Use the prtconf command, and search for the interface with the grep command. For example, to determine if the qfe interface is in the device tree, use the following command:

# prtconf | grep qfe
    SUNW,qfe, instance #0
    SUNW,qfe, instance #1
    SUNW,qfe, instance #2
    SUNW,qfe, instance #3
#

● The ifconfig command reports the interface to be configured as expected. For example, to determine if the qfe0 interface is configured as expected, use the following command:

# ifconfig qfe0
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:ac:9b:20
#

If the interface is up, examine the inet (IP address), netmask, and broadcast entries, and make sure that they are set correctly. If the IP address is set incorrectly, check the contents of the /etc/inet/hosts file.

If the netmask and broadcast addresses are wrong, check the contents of the /etc/inet/netmasks file.

● The correct device and file name are defined for the interface. For example, if you are configuring the qfe0 interface, to verify that the hostname.qfe0 file is correct, type the command:

# ls -al /etc/hostname.qfe0
-rw-r--r-- 1 root other 113 Nov 16 14:58 /etc/hostname.qfe0
#


● The name that is assigned to the interface is correct. For example, to determine if qfe0 has an assigned host name of sys11ext, type the command:

# cat /etc/hostname.qfe0
sys11ext
#

● The name that is defined in the hostname.interface file exists in the /etc/inet/hosts file and is associated with the correct address. For example, to determine if sys11 has an assigned IP address of 192.168.1.1, type the command:

# grep sys11 /etc/inet/hosts
192.168.30.31 sys11ext
192.168.1.1 sys11 # Data address for hme0
192.168.1.21 sys11-data-qfe1 # Data address for qfe1
192.168.1.51 sys11-test-hme0 # qfe0:1 Test address for hme0
192.168.1.71 sys11-test-qfe1 # qfe1:1 Test address for qfe1
#


Troubleshooting Network Names

The netstat command, when used with the -r option, displays routing table information. For example:

# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
three                sys33ext             UG        1      0
one                  sys11                U         1    189 hme0
two                  sys32ext             UG        1      0
192.168.30.0         sys11ext             U         1    175 qfe0
224.0.0.0            sys11                U         1      0 hme0
localhost            localhost            UH        3    132 lo0
#

Observe how some of the destinations have names instead of numbers. This can lead to errors when you configure a new interface. To report addresses as numbers instead of names, use the -n option with the netstat command. For example:

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.3.0          192.168.30.33        UG        1      0
192.168.1.0          192.168.1.1          U         1    191 hme0
192.168.2.0          192.168.30.32        UG        1      0
192.168.30.0         192.168.30.31        U         1    176 qfe0
224.0.0.0            192.168.1.1          U         1      0 hme0
127.0.0.1            127.0.0.1            UH        3    132 lo0
#


Exercise: Reviewing Routing Configuration

In this exercise, you configure a Sun Microsystems workstation as a router and use the route command to configure the system’s routing tables manually. At times, you are instructed to work as a group on the system that is your subnet’s router. Be sure to watch for prompts in the task steps to ensure that you are working on the correct system.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Populate your system’s /etc/inet/hosts file with all of the hosts in the class network if this is not already done. Your /etc/inet/hosts file should have contents similar to the following:

# cat /etc/inet/hosts
#
# Internet host table
#
127.0.0.1 localhost loghost
# SA-300-S10 host information
192.168.30.31 sys11ext # router to get to instructor->Internet
192.168.1.1 sys11
192.168.1.2 sys12
192.168.1.3 sys13
192.168.1.4 sys14
#
192.168.30.32 sys21ext # router to get to instructor->Internet
192.168.2.1 sys21
192.168.2.2 sys22
192.168.2.3 sys23
192.168.2.4 sys24
#
192.168.30.33 sys31ext # router to get to instructor->Internet
192.168.3.1 sys31
192.168.3.2 sys32
192.168.3.3 sys33
192.168.3.4 sys34
#
192.168.30.30 instructor
#


Caution – If your system is designated by the instructor as being a router, verify that its second interface is not configured. If the interface is configured, the command output will not match the solutions properly for the exercises.

Figure 7-14 shows the classroom’s network diagram. Take a few moments to familiarize yourself with the diagram.

Figure 7-14 Classroom Network Diagram

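[Figure 7-14 diagram, not reproduced. Labels: Internet; instructor (.30, xxx.xxx.xxx.xxx); network 192.168.30.0 with router addresses .31, .32, and .33; network 192.168.1.0 with sys11, sys12, sys13, and sys14; network 192.168.2.0 with sys21, sys22, sys23, and sys24; network 192.168.3.0 with sys31, sys32, sys33, and sys34.]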


Tasks

Complete the following steps:

1. In your own words, define each of the following routing schemes:

a. Static route

________________________________________________________

________________________________________________________

________________________________________________________

b. Dynamic route

________________________________________________________

________________________________________________________

________________________________________________________

c. Default route

________________________________________________________

________________________________________________________

________________________________________________________

2. What is a multihomed host?

_____________________________________________________________

_____________________________________________________________

3. Define the term autonomous system.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

4. In your own words, describe the differences between an interior gateway protocol and an exterior gateway protocol.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

5. Give two examples of an interior gateway protocol.

_____________________________________________________________

_____________________________________________________________


6. Give two examples of an exterior gateway protocol.

_____________________________________________________________

_____________________________________________________________

7. Explain the purpose of ICMP redirects.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Subnet Group: Working on the Routers

8. Before making any changes to the interfaces, write the netmask and broadcast values of the Ethernet interface.

Command used: ______________________________________________

Netmask: ____________________________________________________

Broadcast: ___________________________________________________

Caution – Do not proceed if your system has more than one physical interface configured. If additional interfaces are configured, remove the relevant /etc/hostname.interface files, and use the ifconfig command or reboot the system to remove the interface configuration. The success of this exercise depends on your system having only one configured physical interface.

If the /etc/defaultrouter file or the /etc/gateways file exists on your system:

1. Remove the file/s.

2. Reboot the system in order to restore it to a default state for this exercise.

a. Which class of IPv4 address (A, B, or C) is assigned to your system?

________________________________________________________

b. How many bits of your IPv4 address are currently being used for your network address?

________________________________________________________


9. Use the netstat -r command to observe your current routing table. Write down which route destinations are available.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

10. Use the netstat command with the -rn options. What is the difference between this output and the previous netstat -r output?

_____________________________________________________________

11. Use the ps command to determine if the routing daemon is currently running on the system.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Individually: Working on Non-Router Systems

12. Use the ps command to determine if the routing daemon is currently running on the system.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Subnet Group: Working on the Routers

13. Configure the router for your subnet.

a. Create the /etc/hostname.interface file for your system’s second interface, and place the host name in it so that the second interface is configured automatically at boot time.

b. Verify that the name to be associated with the second interface that is used in the /etc/hostname.interface file exists in the /etc/inet/hosts file. If it does not, edit the /etc/inet/hosts file, and place an appropriate name in the file.


14. Configure IP forwarding and IP routing for IPv4 to become enabled on the next boot of the router.

Write the command that you use:

_____________________________________________________________

Note – Do not proceed beyond this point until everyone in the class has completed this step.

15. Reboot the router.

Write the command that you use:

_____________________________________________________________

16. Verify that each router is correctly configured.

a. Display the configuration of each network interface.

How many external interfaces are configured and running now?

________________________________________________________

b. Display the contents of the routing table.

Which network destinations are now available?

________________________________________________________

________________________________________________________

________________________________________________________

c. Determine that the routing daemon is running on the router.

________________________________________________________

________________________________________________________

________________________________________________________

What does this daemon do?

________________________________________________________

________________________________________________________

________________________________________________________


Individually: Working on Non-Router Systems

Caution – Do not proceed if your system has more than one physical interface configured. If additional interfaces are configured, remove the relevant /etc/hostname.interface files, and use the ifconfig command or reboot the system to remove the interface configuration. The success of this exercise depends on your system having only one configured physical interface.

If the /etc/defaultrouter file or the /etc/gateways file exists on your system:

1. Remove the file/s.

2. Reboot the system in order to restore it to a default state for this exercise.

17. Complete the following steps:

a. Determine if the routing daemon is running on each non-router system.

________________________________________________________

________________________________________________________

Why is this daemon running?

________________________________________________________

________________________________________________________

b. Run the netstat -r command, and record the current network destinations.

________________________________________________________

________________________________________________________

________________________________________________________

c. Run the ifconfig -a command, and record the current netmask and broadcast values.

________________________________________________________

________________________________________________________

________________________________________________________


Subnet Group: Working on Your Router System

18. Start the snoop utility on the router to watch for network traffic associated with multicast address 224.0.0.2 as the non-routers reboot. (Hint: Use the icmp option on the snoop command line.) Be sure to use the snoop utility on the appropriate interface for the network that you want to monitor. Be prepared to see ICMP router advertisements after the next step.

Write the command that you use:

_____________________________________________________________

Individually: Working on Non-Router Systems

19. Reboot your non-router workstation.

Write the command that you use:

_____________________________________________________________

Subnet Group: Working on Your Router System

20. Observe the snoop output on the router system.

Individually: Working on Non-Router Systems

21. Use the netstat -r command, and observe the change to the routing tables.

Which new type of entry is now present? How was it entered into the routing table?

_____________________________________________________________

22. Use the ps command on the non-router systems to determine if the routing daemon is now running.

Write the command that you use:

_____________________________________________________________

Why is this daemon running?

_____________________________________________________________


Subnet Group: Working on Your Router System

23. Terminate the snoop trace that you had running, and then start a verbose snoop trace in a separate window on your router system.

Write the command that you use:

_____________________________________________________________

24. Working in a new window, use the routeadm command to terminate the in.routed process on the router.

Write the command that you use:

_____________________________________________________________

25. View the output from the snoop utility. Look for the router notification when the in.routed daemon terminates gracefully. Hint: Look for multicasts and ICMP messages.

a. Examine the snoop trace. Did you see the router notification when the in.routed daemon terminated gracefully?

________________________________________________________

b. What was the ETHER destination, as reported by the snoop trace?

________________________________________________________

c. What protocol did the router notification use?

________________________________________________________

d. What was the destination IP address of the router notification?

________________________________________________________

26. Verify that the process has been terminated.

Write the command that you use:

_____________________________________________________________

Individually: Working on Non-Router Systems

27. Use the netstat command to view the routing tables on one of the non-router systems. What is missing?

_________________________________________________

Note – Do not proceed beyond this point until everyone in the class has completed this step.


Subnet Group: Working on Your Router System

28. Verify that the snoop session started earlier on your router is still running, and then start the in.routed process on your router system, changing the advertisement interval to 90 seconds by placing the appropriate entry in the /etc/gateways file.

What entry do you place in the /etc/gateways file?

_____________________________________________________________

Which command do you use to restart the in.routed daemon?

_____________________________________________________________

Observe ICMP and other traffic as the in.routed daemon is started.

Individually: Working on Non-Router Systems

29. Use the netstat command to view the routing tables on one of the non-router systems to verify that the default route has been inserted into the routing table.

Write the command that you use:

_____________________________________________________________

In this section, you test to see how long it takes for the default route to be removed when no communications are received from a router. You use the 9 (KILL) signal to kill the in.routed daemon, so that the daemon does not have a chance to advertise that it is going down.

30. On a non-router, use the date and netstat commands to determine how long before the default route entry is removed.

Note – The while statement syntax assumes that you are using the Bourne shell:

while true
> do date; netstat -rn | grep default; sleep 20
> done


Subnet Group: Working on Your Router System

31. Simulate a router crash, and kill the in.routed daemon on the router again, but use the 9 (KILL) signal this time.

Write the command that you use:

_____________________________________________________________

Individually: Working on Non-Router Systems

32. Watch the output from the script, and keep track of the time. When the default entry stops being reported, subtract the start time from the finish time to determine how long the system took to remove the default route entry.

Approximately how long did it take for the default entry to be removed from the table?

_____________________________________________________________

When done, stop the script by pressing the Control+C key sequence.

33. Stop the in.routed daemon on the non-router systems.

Write the command that you use:

_____________________________________________________________

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

Individually: Working on All Systems

34. Flush the routing tables on routers first and then the non-router systems.

Write the command that you use:

_____________________________________________________________

Individually: Working on Non-Router Systems

35. Working on a non-router system, use the ping command to attempt to contact a non-router system on one of the other subnets.

What is the response from the ping command?

_____________________________________________________________

Subnet Group: Working on Your Router System

36. Add routes manually to the other subnets by using the route command.

Write the commands that you use:

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Individually: Working on Non-Router Systems

37. Add routes manually by using the route command to the remote subnets.

Write the commands that you use.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

Individually: Working on All Systems

38. Working on all systems, observe the routing tables.

Write the command that you use:

_____________________________________________________________

Individually: Working on Non-Router Systems

39. Working on a non-router system, use the ping command to attempt to contact a non-router system on one of the other subnets.

What is the response from the ping command?

_____________________________________________________________

40. Edit the contents of the /etc/inet/networks file, and add the one, two, and three network names.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

41. Observe the changes to the routing table on all non-router systems.

Write the command that you use:

_____________________________________________________________

Are the networks described in the /etc/inet/networks file present in the routing table?

_____________________________________________________________

Note – Do not proceed beyond this point until everyone in the class has completed this step.

42. Reboot the routers. Schedule a job so that the non-routers reboot two minutes later. Check to see if the in.routed daemon was started on each of the non-router systems. Explain why you see the results that you do.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

Subnet Group: Working on Your Router System

Perform the following steps to leave your router system in a known routing configuration for subsequent exercises:

43. Configure to enable IPv4 routing when the system next boots.

_____________________________________________________________

44. Configure to enable IPv4 forwarding when the system next boots.

_____________________________________________________________

45. If they exist, remove the /etc/gateways and /etc/defaultrouter files.

_____________________________________________________________

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

46. Reboot the system.

_____________________________________________________________

Individually: Working on Non-Router Systems

Perform the following steps to leave your non-router system in a known routing configuration for subsequent exercises:

47. Remove the /etc/inet/routing.conf file.

_____________________________________________________________

48. If they exist, remove the /etc/gateways and /etc/defaultrouter files.

_____________________________________________________________

49. Reboot the system.

_____________________________________________________________

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

Solutions to the exercise are as follows:

1. In your own words, define each of the following routing schemes:

a. Static route

Static routes are routes that do not time out and must be removed manually. Rebooting the system removes the static entries. The most common static entry is a system that routes datagrams to the locally connected networks.

b. Dynamic route

Dynamic routing means that the routing environment changes. Dynamic routing identifies other network destinations that are not connected directly but are reachable through a router. After the routing table identifies the other reachable networks, the identified router can forward or deliver the datagrams.

c. Default route

A default route is a table entry that permits a system to define default routes to use if a route entry for a specific destination does not exist. It is used for all indirectly connected workstations. The default routers must be reliable. There is no need to define every reachable network. All indirectly connected datagram destinations go to the default router.

2. What is a multihomed host?

A multihomed host is a host that has more than one physical network interface and does not forward IP datagrams between networks.

3. Define the term autonomous system.

An autonomous system is a collection of networks and routers under a single administrative control. This intentionally broad definition was incorporated into the Internet to handle overly large routing tables.

4. In your own words, describe the differences between an interior gateway protocol and an exterior gateway protocol.

A routing protocol used within an autonomous system is called an interior gateway protocol. A routing protocol that communicates routes between autonomous systems is called an exterior gateway protocol.

5. Give two examples of an interior gateway protocol.

OSPF protocol and RIP.

6. Give two examples of an exterior gateway protocol.

EGP and BGP.

7. Explain the purpose of ICMP redirects.

ICMP redirects are used most commonly when a system uses default routing. If the router determines a more efficient way to forward the datagram, it redirects the datagram using the best route and reports the correct route to the sender.

Subnet Group: Working on the Routers

8. Before making any changes to the interfaces, write the netmask and broadcast values of the Ethernet interface.

router# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23

The netmask is ffffff00.

The broadcast address is 192.168.1.255.

Caution – Do not proceed if your system has more than one physical interface configured. If additional interfaces are configured, remove the relevant /etc/hostname.interface files, and use the ifconfig command or reboot the system to remove the interface configuration. The success of this exercise depends on your system having only one configured physical interface.

If the /etc/defaultrouter file or the /etc/gateways file exists on your system:

1. Remove the file/s.

2. Reboot the system in order to restore it to a default state for this exercise.

a. Which class of IPv4 address (A, B, or C) is assigned to your system?

Class C (this might be different in your classroom).

b. How many bits of your IPv4 address are currently being used for your network address?

Twenty-four bits (this might be different in your classroom).

9. Use the netstat -r command to observe your current routing table. Write down which routing destinations are available.

router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys11                U         1      0 hme0
224.0.0.0            sys11                U         1      0 hme0
localhost            localhost            UH        2      6 lo0

10. Use the netstat command with the -rn options. What is the difference between this output and the previous netstat -r output?

The netstat -rn command displays the table in numeric form.

router# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1          U         1      0 hme0
224.0.0.0            192.168.1.1          U         1      0 hme0
127.0.0.1            127.0.0.1            UH        2      6 lo0

11. Use the ps command to determine if the routing daemon is currently running on the system.

router# ps -ef | grep in[.]
    root   153     1  0 04:42:54 ?        0:00 /usr/sbin/in.routed

The in.routed process is running.

Individually: Working on Non-Router Systems

12. Use the ps command to determine if the routing daemon is currently running on the system.

non-router# ps -ef | grep in[.]
    root   153     1  0 04:45:56 ?        0:00 /usr/sbin/in.routed

Subnet Group: Working on the Routers

13. Configure the router for your subnet.

a. Create the /etc/hostname.interface file for your system’s second interface, and place the host name in it so that the second interface is configured automatically at boot time.

For example, if your second interface is qfe0, the contents of the /etc/hostname.qfe0 file should be similar to:

router# cat /etc/hostname.qfe0
sys11ext

b. Verify that the name to be associated with the second interface that is used in the /etc/hostname.interface file exists in the /etc/inet/hosts file. If it does not, edit the /etc/inet/hosts file, and place an appropriate interface name in the file.

router# grep sys11ext /etc/inet/hosts
192.168.30.31 sys11ext # router to get to instructor->Internet

14. Configure IP forwarding and IP routing for IPv4 to become enabled on the next boot of the router.

Write the command that you use:

router# routeadm -e ipv4-forwarding
router# routeadm -e ipv4-routing

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

15. Reboot the router.

Write the command that you use:

router# init 6

16. Verify that each router is correctly configured.

a. Display the configuration of each network interface.

router# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:ac:9b:20

How many external interfaces are configured and running now?

Two interfaces: hme0 and qfe0. The interfaces might be different on your system.

b. Display the contents of the routing table.

router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys11                U         1      0 hme0
192.168.2.0          sys21ext             UG        1      0
192.168.30.0         sys11ext             U         1      1 qfe0
224.0.0.0            sys11                U         1      0 hme0
localhost            localhost            UH        2      6 lo0

Which network destinations are now available?

You should see the following routes if all of the groups in the classroom have configured their routers (you may have to wait up to 5 minutes):

● 192.168.1.0

● 192.168.2.0

● 192.168.3.0

● 192.168.30.0

● 224.0.0.0

● 127.0.0.1 (localhost)

c. Determine that the routing daemon is running on the router.

router# ps -ef | grep in[.]
    root    94     1  0 10:52:12 ?        0:00 /usr/sbin/in.routed

What does this daemon do?

The /usr/sbin/in.routed daemon sends ICMP router advertisement messages and RIP messages.

Individually: Working on Non-Router Systems

Caution – Do not proceed if your system has more than one physical interface configured. If additional interfaces are configured, remove the relevant /etc/hostname.interface files, and use the ifconfig command or reboot the system to remove the interface configuration. The success of this exercise depends on your system having only one configured physical interface.

If the /etc/defaultrouter file or the /etc/gateways file exists on your system:

1. Remove the file/s.

2. Reboot the system in order to restore it to a default state for this exercise.

17. Complete the following steps:

a. Determine if the routing daemon is running on each non-router system.

non-router# ps -ef | grep in[.]
    root   156     1  0 13:31:57 ?        0:00 /usr/sbin/in.routed

Why is this daemon running?

The daemon is responsible for listening for ICMP router advertisements and RIP messages.

b. Run the netstat -r command, and record the current network destinations.

non-router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys12                U         1      1 hme0
192.168.2.0          sys11                UG        1      1 hme0
192.168.30.0         sys11                UG        1      1 hme0
224.0.0.0            sys12                U         1      0 hme0
localhost            localhost            UH        2      6 lo0

c. Run the ifconfig -a command, and record the current netmask and broadcast values.

non-router# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:a4:8f:80

Subnet Group: Working on Your Router System

18. Start the snoop utility on the router to watch for network traffic associated with multicast address 224.0.0.2 as the non-routers reboot. (Hint: Use the icmp option on the snoop command line.) Be sure to use the snoop utility on the appropriate interface for the network that you want to monitor. Be prepared to see ICMP router advertisements after the next step.

router# snoop -d hme0 icmp
Using device /dev/hme (promiscuous mode)

Individually: Working on Non-Router Systems

19. Reboot your non-router workstation.

non-router# init 6

Subnet Group: Working on Your Router System

20. Observe the snoop output on the router system.

sys11 -> 224.0.0.1 ICMP Router advertisement (Lifetime 1800s [1]: {sys11 0})
sys11 -> 224.0.0.1 ICMP Router advertisement (Lifetime 1800s [1]: {sys11 0})
sys11 -> 224.0.0.1 ICMP Router advertisement (Lifetime 1800s [1]: {sys11 0})

Notice that routers send direct advertisements to the multicast address to which clients are listening.

Individually: Working on Non-Router Systems

21. Use the netstat -r command, and observe the change to the routing tables.

non-router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys12                U         1      0 hme0
224.0.0.0            sys12                U         1      0 hme0
default              sys11                UG        1      0 hme0
localhost            localhost            UH        2      6 lo0

Which new type of entry is now present? How was it entered into the routing table?

The newest entry is a default route. The system learns the default route from routers on the subnet through the router discovery ICMP messages.

22. Use the ps command on the non-router systems to determine if the routing daemon is now running.

non-router# ps -ef | grep in[.]
    root    91     1  0 12:36:05 ?        0:00 /usr/sbin/in.routed

Why is this daemon running?

The in.routed daemon is running because the daemon is invoked by default, at boot time. This is controlled by the routeadm utility. You can view the configuration by looking at the contents of the /etc/inet/routing.conf file.

Subnet Group: Working on Your Router System

23. Terminate the snoop trace that you had running, and then start a verbose snoop trace in a separate window on your router system.

router# snoop -v -d hme0
Using device /dev/hme (promiscuous mode)

24. Working in a new window, use the routeadm command to terminate the in.routed process on the router.

router# routeadm -u -d ipv4-routing

25. View the output from the snoop utility. Look for the router notification when the in.routed daemon terminated gracefully. Hint: Look for multicasts and ICMP messages.

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 8 arrived at 12:46:52.27
ETHER: Packet size = 50 bytes
ETHER: Destination = 1:0:5e:0:0:1, (multicast)
ETHER: Source = 8:0:20:ac:9b:20, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
...
...
IP: Protocol = 1 ( ICMP)
IP: Header checksum = ea98
IP: Source address = 192.168.1.1, sys11
IP: Destination address = 224.0.0.1, 224.0.0.1
...
...

a. Examine the snoop trace. Did you see the router notification when the in.routed daemon terminated gracefully?

Yes.

b. What was the ETHER destination, as reported by the snoop trace?

1:0:5e:0:0:1.

c. What protocol did the router notification use?

ICMP.

d. What was the destination IP address of the router notification?

224.0.0.1.

26. Verify that the process has been terminated.

router# ps -ef | grep routed
    root    94     1  0 10:52:12 ?        0:00 grep routed

Individually: Working on Non-Router Systems

27. Use the netstat command to view the routing tables on one of the non-router systems. What is missing?

non-router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys12                U         1      0 qfme0
224.0.0.0            sys12                U         1      0 qfe0
localhost            localhost            UH        2      6 lo0

The default route through the sys11 system was removed.

Note – Do not proceed beyond this point until everyone in the class has completed this step.

Subnet Group: Working on Your Router System

28. Verify that the snoop session started earlier on your router is still running, and then start the in.routed process on your router system, changing the advertisement interval to 90 seconds by placing the appropriate entry in the /etc/gateways file.

What entry do you place in the /etc/gateways file?

rdisc_interval=90

Which command do you use to restart the in.routed daemon?

router# routeadm -u -e ipv4-routing

Observe ICMP and other traffic as the in.routed daemon is started.

Output from snoop trace:

ETHER: Packet 8 arrived at 16:39:16.72
ETHER: Packet size = 50 bytes
ETHER: Destination = 1:0:5e:0:0:1, (multicast)
ETHER: Source = 8:0:20:ac:9b:20, Sun
...
...
IP: Source address = 192.168.1.1, sys11
IP: Destination address = 224.0.0.1, 224.0.0.1
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 9 (Router advertisement)
ICMP: Code = 0 (Lifetime 270s [1]: {sys11 0})
...
...

Individually: Working on Non-Router Systems

29. Use the netstat command to view the routing tables on one of the non-router systems to verify that the default route has been inserted into the routing table.

non-router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys12                U         1      0 qfe0
224.0.0.0            sys12                U         1      0 qfe0
default              sys11                UG        1      0 qfe0
localhost            localhost            UH        2      6 lo0

In this section, you test to see how long it takes for the default route to be removed when no communications are received from a router. You use the 9 (KILL) signal to kill the in.routed daemon, so that the daemon does not have a chance to advertise that it is going down.

30. On a non-router, use the date and netstat commands to determine how long before the default route entry is removed.

Note – The while statement syntax assumes that you are using the Bourne shell.

non-router# while true
> do
> date
> netstat -rn | grep default
> sleep 20
> done
Tue Dec 4 17:17:44 MST 2004
default sys11 UG 1 0
Tue Dec 4 17:18:04 MST 2004
default sys11 UG 1 0
...
...

Subnet Group: Working on Your Router System

31. Simulate a router crash, and kill the in.routed daemon on the router again, but use the 9 (KILL) signal this time.

router# pkill -9 in.routed

Individually: Working on Non-Router Systems

32. Watch the output from the script, and keep track of the time. When the default entry stops being reported, subtract the start time from the finish time to determine how long the system took to remove the default route entry.

...
...
Tue Dec 4 17:20:24 MST 2004
default sys11 UG 1 0
Tue Dec 4 17:20:44 MST 2004
default sys11 UG 1 0
Tue Dec 4 17:21:04 MST 2004
Tue Dec 4 17:21:25 MST 2004
...
...

Approximately how long did it take for the default entry to be removed from the table?

Four and a half (4-1/2) minutes.

When done, stop the script by pressing the Control+C key sequence.

33. Stop the in.routed daemon on the non-router systems.

non-router# ps -ef | grep in[.]
    root    91     1  0 12:36:05 ?        0:00 /usr/sbin/in.routed
non-router#
non-router# routeadm -u -d ipv4-routing

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

Individually: Working on Your Router System

34. Flush the routing tables on routers first and then the non-router systems.

Write the command that you use:

router# route flush
192.168.2            sys21ext             done

Individually: Working on Non-Router Systems

non-router# route flush

Individually: Working on Non-Router Systems

35. Working on a non-router system, use the ping command to attempt to contact a non-router system on one of the other subnets.

non-router# ping sys23
ICMP Host Unreachable from gateway sys12 (192.168.1.2)
 for icmp from sys12 (192.168.1.2) to sys23 (192.168.2.3

What is the response from the ping command?

ICMP Host Unreachable from gateway.

Subnet Group: Working on Your Router System

36. Add routes manually to the other subnets by using the route command.

router# route add net 192.168.2.0 192.168.30.32
add net 192.168.2.0: gateway 192.168.30.32
router#
router# route add net 192.168.3.0 192.168.30.33
add net 192.168.3.0: gateway 192.168.30.33

Individually: Working on Non-Router Systems

37. Add routes manually by using the route command to the remote subnets.

non-router# route add net 192.168.30.0 192.168.1.1
add net 192.168.30.0: gateway 192.168.1.1
non-router#
non-router# route add net 192.168.2.0 192.168.1.1
add net 192.168.2.0: gateway 192.168.1.1
non-router#
non-router# route add net 192.168.3.0 192.168.1.1
add net 192.168.3.0: gateway 192.168.1.1

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

Individually: Working on All Systems

38. Working on all systems, observe the routing tables.

On non-router systems:

non-router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys12                U         1      0 hme0
192.168.2.0          sys11                UG        1      0
192.168.3.0          sys11                UG        1      0
192.168.30.0         sys11                UG        1      0
224.0.0.0            sys12                U         1      0 hme0
localhost            localhost            UH        2      6 lo0
non-router#

On router systems:

router# netstat -r
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          sys11                U         1     16 hme0
192.168.2.0          sys21ext             UG        1      0
192.168.3.0          sys31ext             UG        1      0
192.168.30.0         sys11ext             U         1     14 hme0
224.0.0.0            sys11                U         1      0 hme0
localhost            localhost            UH        2      6 lo0

Individually: Working on Non-Router Systems

39. Working on a non-router system, use the ping command to attempt to contact a non-router system on one of the other subnets.

non-router# ping sys23
sys23 is alive

What is the response from the ping command?

sys23 is alive.

40. Edit the contents of the /etc/inet/networks file, and add the one, two, and three network names.

non-router# vi /etc/inet/networks
non-router# tail -3 /etc/networks
one 192.168.1
two 192.168.2
three 192.168.3

41. Observe the changes to the routing table on all non-router systems.

non-router# netstat -r

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
one                  sys12                U         1      1 hme0
two                  sys11                UG        1      2
three                sys11                UG        1      0
192.168.30.0         sys11                UG        1      0
224.0.0.0            sys12                U         1      0 hme0
localhost            localhost            UH        2      6 lo0

Are the networks described in the /etc/inet/networks file present in the routing table?

Yes.

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

42. Reboot the routers. Schedule a job so that the non-routers reboot two minutes later. Check to see if the in.routed daemon was started on each of the non-router systems. Explain why you see the results that you do.

Subnet Group: Working on Your Router System

router# init 6

INIT: New run level: 6
...

Individually: Working on Non-Router Systems

non-router# at now+2minutes
at> init 6
at> ^D<EOT>
commands will be executed using /sbin/sh
job 1007515599.a at Tue Dec 4 18:26:39 2004

Subnet Group: Working on Your Router System

Perform the following steps to leave your router system in a known routing configuration for subsequent exercises:

43. Configure to enable IPv4 routing when the system next boots.

router# routeadm -e ipv4-routing

44. Configure to enable IPv4 forwarding when the system next boots.

router# routeadm -e ipv4-forwarding

45. If they exist, remove the /etc/gateways and /etc/defaultrouter files.

router# rm /etc/gateways; rm /etc/defaultrouter

Caution – Do not proceed beyond this point until everyone in the class has completed this step.

46. Reboot the system.

router# init 6

Individually: Working on Non-Router Systems

Perform the following steps to leave your non-router system in a known routing configuration for subsequent exercises:

47. If they exist, remove the /etc/gateways and /etc/defaultrouter files.

non-router# rm /etc/gateways; rm /etc/defaultrouter

48. Remove the /etc/inet/routing.conf file.

non-router# rm /etc/inet/routing.conf

49. Reboot the system.

non-router# init 6
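The measurement in steps 30 through 32 can be scripted. The following shell function is an added example, not part of the course guide: it reads the output of the date/netstat loop and prints the window, in seconds after a reference time, within which the default route disappeared. The function name, the reference-time argument (for example, the time of the last router advertisement seen in the snoop trace) and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course guide): find when the default route
# disappeared from the output of the step 30 loop:
#   while true; do date; netstat -rn | grep default; sleep 20; done

# route_expiry_window REF < loop-output
#   REF is a reference time HH:MM:SS that you noted yourself (assumption:
#   same time zone as the log), such as the last advertisement seen.
#   Prints "LAST_SEEN FIRST_MISSING" in seconds after REF.
#   Returns 1 if the log never shows a confirmed sample without the route.
route_expiry_window() {
    awk -v ref="$1" '
    function secs(t,    p) {            # HH:MM:SS -> seconds since midnight
        split(t, p, ":")
        return p[1] * 3600 + p[2] * 60 + p[3]
    }
    function since_ref(t,    d) {       # tolerate one wrap past midnight
        d = t - secs(ref)
        return (d < 0) ? d + 86400 : d
    }
    # A date(1) line, for example: Tue Dec  4 17:17:44 MST 2004
    NF == 6 && $4 ~ /^[0-9]+:[0-9]+:[0-9]+$/ {
        if (have_sample) {
            if (had_default) { last_seen = sample; seen = 1 }
            # A sample counts as "missing" only once the next date line
            # proves that netstat ran and printed nothing. A log cut off by
            # Control+C right after date is therefore not misread.
            else             { found = 1; exit }
        }
        sample = secs($4); had_default = 0; have_sample = 1
        next
    }
    $1 == "default" { had_default = 1 }
    END {
        if (!found) exit 1
        lo = seen ? since_ref(last_seen) : 0
        print lo, since_ref(sample)
    }'
}

# Constructed sample log in the format the loop produces (not captured data).
SAMPLE_LOG='Tue Dec  4 17:20:24 MST 2004
default              192.168.1.1          UG        1      0 hme0
Tue Dec  4 17:20:44 MST 2004
default              192.168.1.1          UG        1      0 hme0
Tue Dec  4 17:21:04 MST 2004
Tue Dec  4 17:21:25 MST 2004'

# Constructed reference time 17:16:34; prints: 250 270
printf '%s\n' "$SAMPLE_LOG" | route_expiry_window 17:16:34
```

With a 20-second sleep the result is a window rather than a single value. Compare it with the Lifetime value that snoop reports in the router advertisement (270s in step 28, which is four and a half minutes).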

Module 8

Configuring IPv6

Objectives

This module describes IPv6 management, features, configuration and troubleshooting, and IPv6 addressing and interfaces.

Upon completion of this module, you should be able to:

● Describe IPv6

● Describe IPv6 addressing

● Describe IPv6 autoconfiguration

● Describe IPv6 unicast address types

● Describe IPv6 multicast address types

● Enable IPv6

● Manage IPv6

● Configure 6to4 routing

● Configure IPv6 multipathing

The course map in Figure 8-1 shows how this module fits into the current instructional goal.

Figure 8-1 Course Map (Configuring the Network: Configuring IP, Configuring IP Network Multipathing, Configuring Routing, Configuring IPv6, Describing the Transport Layer)

Introducing IPv6

IPv6 is the most recent version of the IP specification. Refer to RFC 2460 for a description of IPv6. In 1991, the Internet Architecture Board (IAB) sponsored a working group to address a pending IP address shortage. The IAB predicted that all Class B networks would be allocated by 1994 and that all IP addresses would be allocated by 2002 (see Christian Huitema, Routing in the Internet, Second Edition, 2000).

The Need for IPv6

The IPv4 address shortage is only one reason that IPv6 was developed. IPv6 was defined to resolve the following:

● IPv4 address shortage – IPv6 implements a 128-bit address scheme that supports 340,282,366,920,938,463,463,347,607,431,768,211,456 nodes. IPv4, with a 32-bit address scheme, provides for more than 4 billion addresses. However, many of these addresses were not usable because classful addressing techniques wasted large numbers of possible IPv4 addresses. A technique for using IP addresses on private networks without exposing them to the Internet is defined in RFC 1918. This technique helps to alleviate the IP address shortage.

● Autoconfiguration – IPv6 systems configure their IPv6 addresses automatically. There is no need to assign manually an IPv6 address, as is done in IPv4 by editing the /etc/inet/hosts file and creating /etc/hostname.xxx files. Autoconfiguration allocates IPv6 addresses to systems automatically. Administrators, however, still have to administer the name-to-IPv6 address mapping.


Features of IPv6

The IPv6 features are:

● Expanded addressing – The address size is increased from 32-bit addresses to 128-bit addresses.

● Simplified header format – This format reduces the number of header fields in an IPv6 datagram from 10 fields to 6 fields.

● Improved extension header and option support – This feature supports extension headers in addition to the primary header. Extension headers are located between the required IPv6 datagram header and the payload; therefore, they provide special treatment of some datagrams without a performance penalty.

● Quality of service – A flow label in the header provides for flows. Flows identify a sequence of datagrams from the same source to the same destination when the source requests special handling of the specified datagram sequence by the intervening routers.

● Authentication and privacy headers – An authentication header (AH) provides the authentication services, and the encapsulating security payload (ESP) header provides privacy.


Introducing IPv6 Addressing

IPv6 addressing uses 128 bits. Because of the autoconfiguration capability in IPv6, it is no more difficult to administer IPv6 addressing than it is with IPv4. The first part of the address is the format prefix, followed by a routable prefix or padding. The second part of the address is the interface identifier, analogous to the IPv4 host portion, and is derived from the system’s MAC address.

Address Types

Like IPv4, IPv6 has three types of addresses that you can use to communicate across a network. For sending messages, IPv6 supports:

● Unicast addresses

● Multicast addresses

● Anycast addresses

IPv6 differs from IPv4 in that IPv6 does not provide broadcast addresses as a mechanism for communicating with other hosts on a subnet.

In IPv6 it is normal for several IPv6 addresses to be assigned to the same physical interface.

Unicast Addressing

With the unicast address type, a unique address is assigned to an interface. A unicast datagram is sent to a single machine with the matching destination IPv6 address. Unicast addressing is called point-to-point addressing in IPv4.

Multicast Addressing

With the multicast address type, an address is assigned to a group of systems. Datagrams are delivered to all interfaces as identified by the multicast address. Multicast addressing in IPv6 replaces broadcast addressing in IPv4.


Anycast Addressing

With the anycast address type, an address is assigned to a group of systems. Anycast addresses identify the nearest member of a group of systems that provide a particular type of service. Datagrams are delivered to the nearest interface member, as identified by the routing protocol, instead of being delivered to all members of a group.

IPv6 Address Representation

RFC 2373 describes how IPv6 128-bit hexadecimal addresses can be represented in multiple ways:

● Eight 16-bit hexadecimal numbers, for example:

fe80:0000:0000:0000:0a00:20ff:feb5:4137

● Eight 16-bit hexadecimal numbers in which 0s (zeros) are represented by a single leading 0, for example:

fe80:0:0:0:a00:20ff:feb5:4137

IPv6 permits address compression. You can compress leading or embedded 0s (zeros) with a double colon (::). To compress an address, you can represent consecutive 16-bit 0 numbers with double colons (::). You can only do this once in any address, for example:

fe80::a00:20ff:feb5:4137

Format Prefixes

The format prefix (FP) in the address indicates the type of IPv6 address that is used. For example:

● Link-local addresses are intended to identify hosts on a single network link. They are similar to the way Ethernet addresses are used to communicate on an Ethernet segment or subnet.

● Site-local addresses are valid across an intranet. They are similar to an organization choosing a random IPv4 address class for the organization, but not connecting to the Internet.


● Aggregatable global addresses are valid across the Internet. They are similar to an officially registered IPv4 address class for organizations connected to the Internet.

● A multicast address is an identifier for a group of systems. A node can belong to any number of multicast groups.

Table 8-1 shows several common types of IPv6 addresses.

Note – Refer to RFC 2373 for information about FPs that are not related to the Solaris OS. The FP byte is binary. As defined in RFC 2373, unused trailing bits in the byte are not shown. For example, the FP represented by 001 is 0x2 or 0x3, because the two binary values are 0010 and 0011. The FP represented by 001 should not be confused with 0001, which is equal to 0x1.

Table 8-1 Initial Allocation of Format Prefixes From RFC 2373

Allocation                               FP (Binary)     FP (Hexadecimal)
Link-local unicast addresses             1111 1110 10    FE8
Site-local unicast addresses             1111 1110 11    FEC
Aggregatable global-unicast addresses    001             2 or 3
Multicast addresses                      1111 1111       FF


Introducing IPv6 Autoconfiguration

IPv6 address autoconfiguration includes:

● Determining what information should be autoconfigured, such as addresses and routing prefixes

● Verifying the uniqueness of link-local addresses on the link

Stateful Autoconfiguration

Stateful autoconfiguration requires the additional setup of a DHCP server. For this reason, stateful autoconfiguration is not a preferred configuration method. Stateful autoconfiguration and stateless autoconfiguration, as defined in IPv6, can coexist and operate together. Stateful autoconfiguration supplies address and service information similar to the way that DHCP provides information in IPv4.

Stateless Autoconfiguration

The stateless mechanism permits a host to generate its own addresses by using a combination of information that is available locally and information that is advertised by routers. Routers advertise prefixes that identify the subnets associated with a link, while hosts generate an interface identifier that uniquely identifies an interface on a subnet.

An address is formed by combining the advertised prefix and the interface identifier. In the absence of routers, a host can generate only link-local addresses. However, link-local addresses are sufficient for permitting communication among systems that are attached to the same link.


Interface Identifier Calculation

Appendix A of RFC 2373 describes the process of automatically calculating an IPv6 interface identifier address. The following is an example of how a Sun Microsystems workstation computes an IPv6 interface identifier address from its MAC address.

The initial MAC address is 08:00:20:b5:41:37, where:

● 08:00:20 is the company identifier (CID)

● b5:41:37 is the vendor-supplied identifier (VID)

To build an interface identifier, perform the following steps:

1. Obtain the MAC address.

Figure 8-2 shows this address.

Figure 8-2 MAC Address

08:00:20:b5:41:37
CID = 08:00:20    VID = b5:41:37

2. Convert the address to binary format.

Figure 8-3 shows the address in binary format.

Figure 8-3 Binary Representation of the MAC Address

0    8    0    0    2    0    B    5    4    1    3    7
0000 1000 0000 0000 0010 0000 1011 0101 0100 0001 0011 0111
|----------- CID -----------| |----------- VID -----------|


3. Toggle bit 7, the universal/local bit, which is the seventh bit from the left.

Figure 8-4 shows the address after conversion.

Figure 8-4 MAC Address Conversion to an Interface Identifier

0    A    0    0    2    0    B    5    4    1    3    7
0000 1010 0000 0000 0010 0000 1011 0101 0100 0001 0011 0111
|----------- CID -----------| |----------- VID -----------|

4. Insert two additional octets, 0xFF and 0xFE, between the CID and the VID. This converts the MAC address to an interface identifier.

Figure 8-5 shows the resulting interface identifier.

Figure 8-5 MAC Address With 0xFF and 0xFE Octets

0    A    0    0    2    0    F    F    F    E    B    5    4    1    3    7
0000 1010 0000 0000 0010 0000 1111 1111 1111 1110 1011 0101 0100 0001 0011 0111
|----------- CID -----------|                     |----------- VID -----------|

5. Convert the binary address to hexadecimal format, and include colons to show the IPv6-autoconfigured interface identifier address of 0a00:20ff:feb5:4137.

This unique interface identifier is the basis of autoconfigured IPv6 addresses on the system. This unique interface identifier is only 64 bits of the 128-bit address and is called an end-unit identifier-64 (EUI-64).

Duplicate Address Detection

Systems run a duplicate address detection algorithm on an address before that address is assigned to an interface. This is done without regard to the manner in which the address was obtained. The duplicate address detection algorithm works by sending a neighbor solicitation message to the network that contains the address in question. The system receives a neighbor advertisement from any device that is currently using the address. Therefore, if no response is received, the systems assume that the address is available for use and is assigned to the interface. If the address in question is not unique, a unique address must be configured manually.
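The interface identifier steps above (toggle the universal/local bit, insert 0xFF and 0xFE) and the prefix-plus-identifier rule from the stateless autoconfiguration section can be checked with the short Python script below. It is an added example, not part of the course material; the function names are illustrative, and the addresses are the ones shown on this page. The last function runs the steps backwards, which lets an administrator match an autoconfigured inet6 address in ifconfig output to the ether line of the interface that produced it.

```python
"""EUI-64 interface identifiers as described in RFC 2373, Appendix A.

Added example: function names are illustrative, not Solaris code.
"""
import ipaddress


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC address.

    Solaris ifconfig prints octets without leading zeros (8:0:20:90:b5:c7),
    so every field is accepted as a one- or two-digit hex number.
    """
    fields = mac.strip().split(":")
    if len(fields) != 6 or not all(1 <= len(f) <= 2 for f in fields):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(f, 16) for f in fields)


def interface_id(mac):
    """Steps 3 and 4: toggle the universal/local bit, insert FF FE."""
    octets = bytearray(parse_mac(mac))
    octets[0] ^= 0x02  # seventh bit from the left of the first octet
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def format_iid(iid):
    """Step 5: write the 64-bit identifier as four 16-bit hex groups."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def autoconfigured_address(prefix, mac):
    """Combine a prefix (fe80::/10 or an advertised /64) with the identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix leaves fewer than 64 bits for the interface ID")
    iid = int.from_bytes(interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 based address, or None if the
    low 64 bits do not carry the FF FE marker in the middle."""
    packed = ipaddress.IPv6Address(addr.split("/")[0]).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local toggle
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    mac = "08:00:20:b5:41:37"  # MAC address used in the steps above
    print("interface ID :", format_iid(interface_id(mac)))
    print("link-local   :", autoconfigured_address("fe80::/10", mac))
    print("site-local   :", autoconfigured_address("fec0:0:0:3::/64", mac))
    # Address as printed by ifconfig elsewhere in this module
    print("MAC recovered:", mac_from_address("fe80::a00:20ff:fe90:b5c7/10"))
```
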


Introducing Unicast Address Types

IPv6, like IPv4, supports the concept of unicast addressing.

Unicast addresses direct datagrams to a single interface or system. The ability to transmit network data in this way enables systems that are not included in the communication to efficiently ignore network data that is not addressed to them.

Link-Local Addresses

Link-local addresses are valid on a local network link only. Link-local addresses are not forwarded by routers. The first 10 bits of the address prefix identify an address as a link-local address. The link-local address format prefix is 1111 1110 10 in binary, or FE8 in hexadecimal, as shown in Figure 8-6.

Figure 8-6 Link-Local Address Format

10 Bits       54 Bits          64 Bits
1111111010    All Zeros (0)    Interface ID

Example: fe80::a00:20ff:feb5:4137


Site-Local Addresses

Site-local addresses are similar to link-local addresses but can be routed through an intranet. Intranet routers can forward site-local addresses through the intranet but not outside of the intranet. The first 10 bits of the address prefix identify an address as a site-local address. The site-local address format prefix is 1111 1110 11 in binary, or FEC in hexadecimal format, as shown in Figure 8-7.

Figure 8-7 Site-Local Address Format

10 Bits       38 Bits          16 Bits      64 Bits
1111111011    All Zeros (0)    Subnet ID    Interface ID

Example: fec0::0003:a00:20ff:feb5:4137

Aggregatable Global-Unicast Addresses

Aggregatable global addresses can be routed through the Internet. An aggregatable global address always starts with 2 or 3 in hexadecimal format. The first three bits are always set to 001, and they designate that this address is a routable global-unicast address. Figure 8-8 shows the frame format of an aggregatable global-unicast address.

Figure 8-8 Aggregatable Global-Unicast Address Format

3 Bits    13 Bits    32 Bits    16 Bits    64 Bits
001       TLA        NLA        SLA        Interface ID

The frame format of an aggregatable global-unicast address includes:

● A prefix – The assigned prefix for aggregatable global addresses (001).

● The top-level aggregator (TLA) – The identifying number of the Internet authority that assigned the provider portion of the address, for example, the IANA.

● The next level aggregator (NLA) – The address identifier that is assigned to a company or organization by its ISP.

● The site-level aggregator (SLA) – The subnet address assigned to networks in the company or organization.

● Interface ID – The portion of the IP address that derives from the MAC address, that is, the EUI-64 address.

Prefix Notation

RFC 2373 describes how IPv6 addresses use prefix notation. IPv6 addresses have two parts. The first part is the format prefix. The second part is the interface identifier and is analogous to the IPv4 host portion.

An example of a subnet prefix address is:

fec0::0003:a00:20ff:feb5:4137/64

The /64 indicates that the subnet prefix is 64 bits in length. The first 64 bits of the address contain a subnet mask. The address can be broken into a subnet prefix and a node address or into an interface identifier.

● fec0::0003 – The subnet prefix

● a00:20ff:feb5:4137 – The interface identifier

Embedded IPv4 Addresses

The IPv6 transition mechanisms include a technique for systems and routers to tunnel IPv6 datagrams dynamically under the IPv4 routing infrastructure. IPv6 systems that use this technique have special IPv6 unicast addresses assigned that carry an IPv4 address in the low-order 32 bits. This type of address is an IPv4-compatible IPv6 address. An example of an embedded IPv4 address in an IPv6 address is:

0000:0000:0000:0000:0000:FFFF:yyyy:yyyy

where FFFF indicates that an embedded IPv4 address is present, and yyyy:yyyy represents the 32 bits of the IPv4 address in hexadecimal format.


Unspecified Address Types

The source address of a system that has not had an address assigned will be all zeros, for example: 0000:0000:0000:0000:0000:0000:0000:0000, 0:0:0:0:0:0:0:0, or :: in compressed format.

Loopback Address Types

IPv6 systems use the loopback address of 0000:0000:0000:0000:0000:0000:0000:0001, 0:0:0:0:0:0:0:1, or ::1 to send datagrams to themselves. This address is analogous to the 127.0.0.1 local address used by IPv4 systems.


Introducing Multicast Address Types

A datagram addressed to a multicast address is delivered to all systems that are part of the multicast group. An IPv6 multicast address can be thought of as a single identifier for a group of IPv6 systems that belong to the multicast group.

Purpose of Multicast Addresses

The low-order 112 bits in an IPv6 address identify the multicast group to which the datagram belongs.

A single interface can have multiple IPv6 addresses assigned to it, including multicast addresses.

The FP of 11111111 or FF in hexadecimal format in an address identifies the datagram as being a multicast datagram.

Multicast addresses include 4 bits of flags after the initial FF in the format prefix. Three of the flag bits are reserved and are always set to 0. The fourth flag bit is set to 0 if a well-known IANA-assigned multicast address is used; the fourth bit is set to 1 if a temporary multicast address is used. Figure 8-9 shows the multicast address types.

Figure 8-9 Multicast Address Types

FP          Flags     Scope     Multicast Group ID
8 Bits      4 Bits    4 Bits    112 Bits
11111111    000X      XXXX

Example: ff02:0:0:0:0:0:0:1


Scope Bits

Multicast addresses include four scope bits after the flag bits. The scope bits determine how far the multicast datagram is routed:

● Node-local – FF01.

Route to all members of the group on the same node as the sender.

● Link-local – FF02.

Route to all members of the group on the same link as the sender.

● Site-local – FF05.

Route to all members of the group at the same site as the sender.

● Organization-local – FF08.

Route to all members of the same organization as the sender.

● Global – FF0E.

Route to all members of the group on the Internet.

For example, the multicast addresses for all routers are:

● FF01:0:0:0:0:0:0:2 – Node-local routers

● FF02:0:0:0:0:0:0:2 – Link-local routers

● FF05:0:0:0:0:0:0:2 – Site-local routers

● FF02:0:0:0:0:0:0:9 – Link-local, RIPv2 routers

The multicast addresses for all systems are:

● FF01:0:0:0:0:0:0:1 – Node-local systems

● FF02:0:0:0:0:0:0:1 – Link-local systems

Refer to RFC 2373 for additional IPv6 multicast information.
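The format prefixes in Table 8-1 and the multicast flag and scope fields described above can be applied mechanically to any address, for example when reviewing the groups listed by netstat or the destinations permitted by a packet filter. The following Python script is an added example, not part of the course material; the function names are illustrative, the scope and group names are the ones listed in this module, and ff15::1234 is a constructed sample of a temporary group.

```python
"""Classify IPv6 addresses by format prefix and decode multicast fields.

Added example: function names are illustrative; prefixes, scopes and
group IDs are the ones listed in this module.
"""
import ipaddress

# Table 8-1: format prefixes written as networks.
FORMAT_PREFIXES = [
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),   # 1111 1110 10
    ("site-local unicast", ipaddress.IPv6Network("fec0::/10")),   # 1111 1110 11
    ("aggregatable global unicast", ipaddress.IPv6Network("2000::/3")),  # 001
    ("multicast", ipaddress.IPv6Network("ff00::/8")),             # 1111 1111
]

# Scope values from the "Scope Bits" list.
SCOPES = {0x1: "node-local", 0x2: "link-local", 0x5: "site-local",
          0x8: "organization-local", 0xE: "global"}

# Group IDs from the "all routers" and "all systems" lists.
KNOWN_GROUPS = {1: "all systems", 2: "all routers", 9: "RIP routers"}


def classify(addr):
    """Return the address type for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr)
    if int(ip) == 0:
        return "unspecified"
    if int(ip) == 1:
        return "loopback"
    for name, net in FORMAT_PREFIXES:
        if ip in net:
            return name
    return "other"  # format prefix not listed in Table 8-1


def decode_multicast(addr):
    """Split a multicast address into flags, scope and group ID."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags, scope = packed[1] >> 4, packed[1] & 0x0F
    group_id = int.from_bytes(packed[2:], "big")  # low-order 112 bits
    return {
        "temporary": bool(flags & 0x1),            # fourth flag bit
        "reserved_flags_clear": (flags & 0xE) == 0,
        "scope": SCOPES.get(scope, f"unlisted (0x{scope:x})"),
        "group_id": group_id,
        "group_name": KNOWN_GROUPS.get(group_id, "unlisted"),
    }


def wider_than_link(addr):
    """True for a multicast address whose scope reaches beyond the local link."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[0] == 0xFF and (packed[1] & 0x0F) > 0x2


if __name__ == "__main__":
    samples = ["::", "::1", "fe80::a00:20ff:feb5:4137",
               "fec0::0003:a00:20ff:feb5:4137", "2000::9255:a00:20ff:feb9:7223",
               "ff01::1", "ff02::2", "ff05::2", "ff02::9",
               "ff02::1:ff90:b5c7",   # group shown by netstat -g in this module
               "ff15::1234"]          # constructed: temporary, site-local
    for s in samples:
        kind = classify(s)
        detail = ""
        if kind == "multicast":
            d = decode_multicast(s)
            detail = (f"scope={d['scope']} group={d['group_name']} "
                      f"temporary={d['temporary']}")
        print(f"{s:32} {kind:28} {detail}")
```
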


ICMPv6 Group Membership

RFC 2236 describes IGMP version 2 for IPv4. Hosts that join, belong to, or leave multicast groups use IGMP version 2 to report this information to local multicast routers. The following three IGMP version 2 messages are relevant to this introduction:

● Membership query – Determines which groups have members on a network

● Membership report – Reports if a system is part of a multicast group

● Leave group – Determines when a system leaves a multicast group

All of the IGMP functionality has moved to ICMP version 6, which is defined in RFC 1885.


Enabling IPv6

You can enable IPv6 from the command line or by creating specific files that are read by the /lib/svc/method/net-init and /lib/svc/method/net-physical SMF methods at boot time.

Note – You can also enable IPv6 during initial installation of the Solaris 10 OS.

The in.ndpd Daemon on a Non-Router

The in.ndpd daemon implements the Neighbor Discovery Protocol (ND). Systems on the same network link use ND for IPv6 to:

● Perform address autoconfiguration – Systems configure an address for an interface automatically. This eliminates the common duplicate IP address problem experienced on IPv4 networks.

● Obtain MAC addresses – Neighbor solicitation messages are sent by a node to determine the link-layer address of a neighbor or to verify that a neighbor is still reachable by a cached link-layer address. A solicitation can be sent if a node does not have an entry for a system in its neighbor cache. This is similar to the ARP in IPv4. Neighbor solicitations are also used for duplicate address detection.

● Gather reachability information about paths to active neighbors – The in.ndpd daemon sends unsolicited neighbor advertisements to discover newly available systems. The in.ndpd daemon can also send unsolicited neighbor advertisements to announce a link-layer address change. Systems use received neighbor advertisements to update their neighbor cache with the MAC address of the sender.

● Discover routers – In IPv4, hosts had no way of knowing how to locate routers unless the host had a static route defined or it was running a type of routing protocol. IPv6 neighbor discovery replaced the function that the IPv4’s RDISC protocol provided. Systems send router solicitations to prompt routers to send router advertisements.


Routers advertise their presence with various link and Internet parameters, either periodically or in response to a router solicitation message.

● Router advertisements contain prefixes used for on-link determination or address configuration, a suggested hop limit value, and other information.

● Systems use router advertisements to populate their neighbor cache with the MAC address of the router. When an interface becomes enabled, hosts can send router solicitations that request routers to generate router advertisements immediately, rather than at their next scheduled time. This enables the host to become part of a network more quickly than it would have if it waited for a normal router advertisement.

● Provide router redirects – A router informs a host of a better first-hop node to reach a particular destination.

Refer to RFC 2461 for more information about neighbor discovery.

Configuring IPv6 on Non-Routers

You configure a system to support both IPv4 and IPv6. This configured system is known as a dual-stack system.

IPv6 introduces new files, including:

● /etc/hostname6.interface – This file has similar functionality to the /etc/hostname.interface file but contains no IP address or host name information.

Note – The /etc/hostname6.interface file can still contain an IPv6 address or a resolvable host name to disable autoconfiguration and enforce a given IPv6 address.

● /etc/inet/ipnodes – This file has similar functionality to the /etc/inet/hosts file. There is no link from the /etc/ipnodes file. The /etc/inet/ipnodes file can contain both IPv6 and IPv4 addresses.


Note – If an application is IPv6-capable, the /etc/inet/ipnodes file is consulted first, and then the /etc/inet/hosts file is consulted. The /etc/inet/hosts file is the only file that is contacted for IPv4 applications, and it can only contain IPv4 addresses.

Configuring an Interface for IPv6

To configure an IPv6 interface on a system, create a /etc/hostname6.interface file and reboot the system, or use the ifconfig command to configure the interface manually. For example, to configure IPv6 on a system’s hme0 interface, complete the following steps:

1. View the configuration of the system’s interfaces before making any changes.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:90:b5:c7
#

2. Create the /etc/hostname6.hme0 file to cause the interface to configure with IPv6, and then reboot the system.

# touch /etc/hostname6.hme0
# init 6
#
INIT: New run level: 6


3. View the system’s interface configuration after the boot.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:90:b5:c7
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:90:b5:c7
        inet6 fe80::a00:20ff:fe90:b5c7/10
#

Notice how both the lo0 and hme0 interfaces have inet6 components and that each interface has an inet6 address. Recall from a previous step that an IPv6 address was not defined.

4. View the startup log files in the /var/svc/log directory.

Configuring IPv6 Name Service Lookup

Like IPv4, you can apply names to IPv6 addresses so that you can more easily refer to a system. For example, to name this system’s IPv6 hme0 interface sys12-v6, you can add an entry to the /etc/inet/ipnodes file to make it look similar to the following:

# tail -2 /etc/inet/ipnodes
# added for ipnode example
fec0::a00:20ff:fe90:b5c7 sys12-v6
#

The /etc/inet/ipnodes file on each system on the local link that is running IPv6 can be configured with a similar entry.

You can now address a system by its IPv6 interface by using the sys12-v6 host name. For example:

# uname -n
sys11
# ping sys12-v6
sys12-v6 is alive
#


Name service lookup configuration for IPv6 is similar to name service lookup configuration for IPv4.

The following are additional files:

● Two new NIS IPv6 maps are the ipnodes.byname and ipnodes.byaddr maps. These maps have similar functionality to the hosts.byname and hosts.byaddr files in IPv4.

● An additional NIS+ IPv6 table is created: ipnodes.org_dir. This table has similar functionality to the hosts.org_dir table in IPv4.

● A new DNS record type, AAAA (quad A), is available. The reverse is similar to a normal PTR record but is much longer. Following is an example of an AAAA record and a PTR record:

sys22.two.edu. IN AAAA fec0::a00:20ff:feb5:4137

7.3.1.4.5.b.e.f.f.f.0.2.0.0.a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.e.f.ip6.int. IN PTR sys22.two.edu.

● The ipnodes line is used in the nsswitch.conf file for IPv6 system name resolution.

hosts: files nisplus dns
ipnodes: files nisplus dns

Troubleshooting a Non-Router Configuration

You can use the netstat command with the address-family -f inet6 option to display only IPv6-specific information when you troubleshoot. The netstat command has multiple forms and produces different types and levels of output depending on the options that are used with the command. To view only the IPv6 routing table, perform the command:

# netstat -f inet6 -r

Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------ -----
fe80::/10                   sys12-v6                    U       1      0 hme0
ff00::/8                    sys12-v6                    U       1      0 hme0
default                     sys12-v6                    U       1      0 hme0
localhost                   localhost                   UH      1      0 lo0
#

To view multicast group information for IPv6 interfaces, perform the following command, which uses the g option for groups:

# netstat -f inet6 -g
Group Memberships: IPv6
If    Group                       RefCnt
----- --------------------------- ------
lo0   ff02::1:ff00:1                   1
lo0   ff02::1                          1
hme0  ff02::202                        1
hme0  ff02::1:ff90:b5c7                1
hme0  ff02::1                          2

#

You can use the ifconfig command to obtain IPv6-specific information by using the inet6 address family parameter. For example, to view the configuration of all IPv6 interfaces, perform the command:

# ifconfig -a inet6
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:fe90:b5c7/10
#

The in.ndpd Daemon on the Router

The IPv6 ND is implemented by the in.ndpd daemon. The in.ndpd daemon implements IPv6 functions, including:

● Router discovery

● Prefix discovery

● Address autoconfiguration

● Address resolution

● Neighbor unreachability detection

IPv6 Routing Information Protocol

Routing in IPv6 is almost identical to IPv4 routing in CIDR, except that the IPv6 addresses are 128 bits instead of 32 bits. The in.ripngd daemon is the IPv6 routing daemon for the Solaris OS.


The in.ripngd Daemon

In normal operation, the in.ripngd process listens on UDP port 521 for routing information datagrams. If the host is a router, it supplies copies of its routing table periodically to any directly connected host and network.

Configuring an IPv6 Router

You can use the command line to configure an IPv4 router to support IPv6. You can activate IPv6 by starting specific processes or by rebooting the system.

Configuring Interfaces for IPv6

To designate which interfaces are configured with IPv6 at boot time, use the touch command to create a /etc/hostname6.interface file for each IPv6 interface. For example, to have the system configure the hme0 and qfe0 interfaces with IPv6 at boot time, type the following:

# touch /etc/hostname6.hme0 /etc/hostname6.qfe0
#

Alternatively, configure the hme0 and qfe0 interfaces from the command line as follows:

1. View the configuration of the interfaces.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:ac:9b:20
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:b9:72:23
#

2. Use the ifconfig command to configure the hme0 interface.

# ifconfig hme0 inet6 plumb up
#


3. Use the ifconfig command to configure the qfe0 interface.

# ifconfig qfe0 inet6 plumb up
#

4. View the configuration of the interfaces.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:ac:9b:20
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:b9:72:23
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:ac:9b:20
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 3
        ether 8:0:20:b9:72:23
        inet6 fe80::a00:20ff:feb9:7223/10
#

Configuring IPv6 Name Service Lookup in /etc/nsswitch.conf

The IPv6 name service lookup mechanism is controlled in the same way as IPv4. Verify that the ipnodes database is defined correctly for your site’s name-service lookup mechanism. For example, make sure that the following entry exists if the ipnodes database uses the system’s local file:

# grep ipnodes /etc/nsswitch.conf
ipnodes: files
#

Configuring the /etc/inet/ndpd.conf File

Configure the /etc/inet/ndpd.conf file to contain the subnet’s prefix configuration information on the routers. You do not advertise link-local addresses on a router because a link-local address cannot be routed. Recall that:

● A link-local address starts with FE8.

● A site-local address starts with FEC.

● An aggregatable global-unicast address starts with 2 or 3.


The following example demonstrates how to configure this information:

● Router advertisements are to be sent out to all interfaces.

● A site-local address on which the hme0 interface has a prefix of fec0:0:0:9255::0/64.

● An aggregatable global-unicast address on which the hme0 interface has a prefix of 2000:0:0:9255::0/64.

● A site-local address on which the qfe0 interface has a prefix of fec0:0:0:9256::0/64.

● An aggregatable global-unicast address on which the qfe0 interface has a prefix of 2000:0:0:9256::0/64.

Complete the following steps:

1. Define the /etc/inet/ndpd.conf file to have the following contents:

# cat /etc/inet/ndpd.conf
# Send router advertisements out all interfaces
ifdefault AdvSendAdvertisements on
#
# Advertise an unregistered (bogus) site local prefix and global
# prefix using the default lifetimes
prefix fec0:0:0:9255::0/64 hme0
prefix 2000:0:0:9255::0/64 hme0
#
prefix fec0:0:0:9256::0/64 qfe0
prefix 2000:0:0:9256::0/64 qfe0
#


2. Do one of the following:

● Reboot the system.

● Proceed to Step 3 to configure the system from the command line.

# init 6
#
INIT: New run level: 6
......

a. View the IPv6 configuration of the interfaces.

# ifconfig -a inet6
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
        inet6 fe80::a00:20ff:feb9:7223/10
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 2000::9255:a00:20ff:feb9:7223/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 fec0::9255:a00:20ff:feb9:7223/64
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2000::9256:a00:20ff:feac:9b20/64
qfe0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::9256:a00:20ff:feac:9b20/64
#

b. Observe how the site-local and aggregatable global-unicast addresses are assigned to logical interfaces.

3. To configure your system without rebooting it, complete the following steps:

a. Switch IPv6 IP forwarding on.

# routeadm -u -e ipv6-forwarding

or

# /usr/sbin/ndd -set /dev/ip ip6_forwarding 1
#

b. Configure the system to send routing redirects.

# /usr/sbin/ndd -set /dev/ip ip6_send_redirects 1
#

c. Configure the system to ignore routing redirects for IPv6.

# /usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1
#


d. Start the in.ndpd daemon that reads the /etc/inet/ndpd.conf file. Restart it if it is already running.

# /usr/lib/inet/in.ndpd
#

e. Start the in.ripngd daemon, and force it to supply routing information to the network.

# /usr/lib/inet/in.ripngd -s
#

f. View the interface configuration.

# ifconfig -a inet6
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
        inet6 fe80::a00:20ff:feb9:7223/10
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 2000::9255:a00:20ff:feb9:7223/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 fec0::9255:a00:20ff:feb9:7223/64
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2000::9256:a00:20ff:feac:9b20/64
qfe0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::9256:a00:20ff:feac:9b20/64
#
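A check for the /etc/inet/ndpd.conf rules in this procedure (no link-local prefix is advertised, and advertisements are switched on for the interface), as an added example that is not part of the student guide. The function lint_ndpd_conf and the second sample file are constructed for illustration; treating "true" and "1" like the guide's "on" is an assumption, and a POSIX shell with awk is assumed.

```shell
#!/bin/sh
# Added example, not from the student guide. Names are hypothetical.

# lint_ndpd_conf [FILE]
# Read an ndpd.conf (file argument or stdin) and print one line per
# "prefix" entry:  LEVEL INTERFACE PREFIX SCOPE
#   ERROR  link-local prefix (cannot be routed, so must not be advertised)
#   WARN   AdvSendAdvertisements is not on for that interface
#   OK     routable prefix on an advertising interface
# Exit status is 1 if any ERROR line was printed.
lint_ndpd_conf() {
    awk '
    # Classify a prefix by its first 16-bit group, as the guide lists them.
    function scope(prefix,   parts, g) {
        split(tolower(prefix), parts, ":")
        g = parts[1]
        while (length(g) < 4) g = "0" g     # "20::" means 0020, not 2000
        if (g ~ /^fe[89ab]/) return "link-local"
        if (g ~ /^fe[c-f]/)  return "site-local"
        if (g == "2002")     return "6to4"
        if (g ~ /^[23]/)     return "global"
        return "other"
    }
    # Return "on" or "off" if this line sets AdvSendAdvertisements, else "".
    function adv_setting(first,   i, v) {
        for (i = first; i < NF; i += 2)
            if ($i == "AdvSendAdvertisements") {
                v = tolower($(i + 1))
                # Assumption: "true" and "1" are treated like "on".
                return (v == "on" || v == "true" || v == "1") ? "on" : "off"
            }
        return ""
    }
    { sub(/#.*/, "") }                      # strip comments
    NF == 0 { next }
    $1 == "ifdefault" { s = adv_setting(2); if (s != "") dflt = s; next }
    $1 == "if"        { s = adv_setting(3); if (s != "") adv[$2] = s; next }
    $1 == "prefix" && NF >= 3 { n++; pfx[n] = $2; ifc[n] = $3 }
    END {
        for (i = 1; i <= n; i++) {
            sc = scope(pfx[i])
            # A per-interface "if" line overrides the "ifdefault" line.
            eff = (ifc[i] in adv) ? adv[ifc[i]] : dflt
            if (sc == "link-local") { level = "ERROR"; bad = 1 }
            else if (eff != "on")   level = "WARN"
            else                    level = "OK"
            print level, ifc[i], pfx[i], sc
        }
        exit bad + 0
    }' "$@"
}

# The configuration shown in step 1 of the guide.
guide_conf() {
    cat <<'EOF'
# Send router advertisements out all interfaces
ifdefault AdvSendAdvertisements on
#
# Advertise an unregistered (bogus) site local prefix and global
# prefix using the default lifetimes
prefix fec0:0:0:9255::0/64 hme0
prefix 2000:0:0:9255::0/64 hme0
#
prefix fec0:0:0:9256::0/64 qfe0
prefix 2000:0:0:9256::0/64 qfe0
EOF
}

# Constructed sample with two mistakes: a link-local prefix, and a prefix
# on an interface whose advertisements are switched off.
constructed_bad_conf() {
    cat <<'EOF'
ifdefault AdvSendAdvertisements on
if qfe0 AdvSendAdvertisements off
prefix fe80::/10 hme0
prefix 2002:c0a8:1e1f:1::0/64 hme0
prefix fec0:0:0:2::0/64 qfe0
EOF
}

guide_conf | lint_ndpd_conf
constructed_bad_conf | lint_ndpd_conf || echo "lint failed: fix ERROR lines before starting in.ndpd"
```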


Figure 8-10 shows how the /lib/svc/method/net-init method configures a system for IPv6 forwarding and routing.

Figure 8-10 IPv6 Router Initialization

[Flowchart from Start to End. Decisions: “IPv6 forwarding enabled by routeadm?” and “IPv6 routing enabled by routeadm and /etc/inet/ndpd.conf exists?”. Actions: Enable or Disable IPv6 forwarding; Enable or Disable IPv6-routing.]


Configuring an IPv6 6to4 Router

The 6to4 router mechanism is designed to support the transition from IPv4 to IPv6 addressing. Using the 6to4 mechanism, two IPv6 networks can communicate with each other over an intermediate IPv4 network. A 6to4 tunnel is created and the intermediate network does not need to be IPv6 aware.

Use of the 6to4 mechanism requires a boundary router on each IPv6 network. The boundary router is configured with one interface running IPv4 and connected to the public internet by using a public IPv4 address, as shown in Figure 8-11.

Figure 8-11 Connecting IPv6 Networks Over an IPv4 Network

Implementing the 6to4 mechanism requires the use of a particular IPv6 address prefix. The 2002 prefix, part of the aggregatable global-unicast address space, is reserved for 6to4 addresses. The 2002 prefix is combined with the IPv4 address used on the boundary router to generate the format prefix for all networks served by a particular boundary router.

The IPv4 address of the boundary router needs to be converted to hexadecimal notation as part of the process. For example, if the boundary router’s IPv4 address is 192.168.30.31, then 192 is c0 in hexadecimal, 168 is a8 in hexadecimal, 30 is 1e in hexadecimal, and 31 is 1f in hexadecimal, giving the representation c0a8:1e1f.

[Figure 8-11 diagram labels: two IPv6 Networks, two Gateway Systems, one IPv4 Network.]


Configuring a 6to4 Boundary Router

To configure a system as a 6to4 boundary router, perform the following tasks:

1. Configure a 6to4 tunnel. The 6to4 tunnel bridges between the local IPv6 networks and the public IPv4 network.

2. Configure the /etc/inet/ndpd.conf file to advertise 6to4 prefixes to the local IPv6 networks. The tunnel has a unique network number in its prefix.

Calculating 6to4 Network Addresses

The 6to4 addresses have a defined format for the network portion of the address:

● A 16-bit prefix that denotes the address as a 6to4 address (2002)

● A 32-bit, public IPv4 address on the boundary router in hexadecimal notation

● A 16-bit subnet ID unique to each subnet – One subnet ID is used by the end point of the tunnel
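The address format described above, as an added example that is not part of the student guide: one function builds the /64 prefix from the boundary router's IPv4 address and a subnet ID, and one recovers the embedded IPv4 address from a 6to4 address, which is useful when a 2002 address turns up in a log. The function names sixto4_prefix and sixto4_embedded_ipv4 are hypothetical, and a POSIX shell with $(( )) arithmetic is assumed.

```shell
#!/bin/sh
# Added example, not from the student guide. Function names are hypothetical.

# sixto4_prefix IPV4 [SUBNET_ID_HEX]
# Print 2002:<IPv4 address in hex>:<subnet ID>::/64
sixto4_prefix() {
    ipv4=$1
    subnet=${2:-0}
    case $ipv4 in
        ""|*[!0-9.]*|.*|*.|*..*)
            echo "invalid IPv4 address: $ipv4" >&2; return 1 ;;
    esac
    case $subnet in
        ""|*[!0-9a-fA-F]*|?????*)
            echo "subnet ID must be 1-4 hex digits: $subnet" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ipv4                     # split into octets
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "invalid IPv4 address: $ipv4" >&2; return 1
    fi
    for octet in "$@"; do
        case $octet in
            # Leading zeros would be read as octal; more than 3 digits is > 255.
            0?*|????*) echo "invalid octet: $octet" >&2; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then
            echo "invalid octet: $octet" >&2; return 1
        fi
    done
    # Two octets form one 16-bit group: 192.168 -> c0a8, 30.31 -> 1e1f.
    printf '2002:%x:%x:%x::/64\n' \
        $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 )) $(( 0x$subnet ))
}

# sixto4_embedded_ipv4 IPV6_ADDR[/LEN]
# Print the IPv4 address carried in groups 2 and 3 of a 2002::/16 address.
sixto4_embedded_ipv4() {
    addr=${1%%/*}                    # drop the prefix length
    case $addr in
        ""|*[!0-9a-fA-F:]*|*:::*)
            echo "invalid IPv6 address: $1" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    set -- $addr                     # "::" leaves one empty field
    IFS=$old_ifs
    if [ "$1" != 2002 ]; then
        echo "not a 6to4 address: $addr" >&2; return 1
    fi
    n=0                              # number of groups written out
    for group in "$@"; do
        case $group in
            ?????*) echo "invalid IPv6 address: $addr" >&2; return 1 ;;
        esac
        if [ -n "$group" ]; then n=$(( n + 1 )); fi
    done
    case $addr in
        *::*) ;;
        *) if [ "$n" -ne 8 ]; then
               echo "invalid IPv6 address: $addr" >&2; return 1
           fi ;;
    esac
    # "::" stands for the 8 - n zero groups that were left out.
    if [ -n "$2" ]; then
        g2=$2; g3=${3:-0}            # gap, if any, starts at group 3 or later
    elif [ $(( 8 - n )) -ge 2 ]; then
        g2=0; g3=0                   # gap covers groups 2 and 3
    else
        g2=0; g3=$3                  # gap covers group 2 only
    fi
    hi=$(( 0x$g2 )); lo=$(( 0x$g3 ))
    printf '%d.%d.%d.%d\n' \
        $(( hi / 256 )) $(( hi % 256 )) $(( lo / 256 )) $(( lo % 256 ))
}

# The guide's boundary router address with subnet ID 1, and the tunnel
# end point address from the guide decoded back to IPv4.
sixto4_prefix 192.168.30.31 1
sixto4_embedded_ipv4 2002:c0a8:1e1f::1/64
```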

Configuring a 6to4 Tunnel

Configuring a 6to4 tunnel is a two-part process:

1. Plumb the 6to4 tunnel:

# ifconfig ip.6to4tun0 inet6 plumb

2. Configure the tunnel end points.

The tunnel end points are the global IPv4 address and an IPv6 host address on a unique subnet within the 6to4 address range. A 6to4 tunnel can be configured without specifying explicitly an IPv6 host address. If no IPv6 host address is specified, the tunnel is configured with a subnet ID of 0 (zero) and a host ID of 1 (one).

To configure a 6to4 tunnel with no IPv6 host address, use the syntax:

ifconfig ip.6to4tun0 inet6 tsrc IPv4_Address up

For example, to configure a 6to4 tunnel with no IPv6 host address and a public IPv4 address of 192.168.30.31, type the command:

# ifconfig ip.6to4tun0 inet6 tsrc 192.168.30.31 up
#


This configures the tunnel endpoint with a subnet number of zero (0) and a host number of one (1).

The tunnel configuration can be seen in the output from the ifconfig -a command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:f8:b7:23
qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:f8:b7:23
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:fef8:b723/10
        ether 8:0:20:f8:b7:23
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2002:c0a8:1e1f:1:a00:20ff:fef8:b723/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fef8:b723/64
ip.6to4tun0: flags=2300041<UP,RUNNING,ROUTER,NONUD,IPv6> mtu 8212 index 4
        inet tunnel src 192.168.30.31
        tunnel hop limit 60
        inet6 2002:c0a8:1e1f::1/64
#

To configure a 6to4 tunnel with an explicit IPv6 host address as the tunnel end point, use the syntax:

ifconfig ip.6to4tun0 inet6 tsrc IPv4_Address IPv6_Address up

Note – The 6to4 tunnel end point resides on its own IPv6 subnet. The subnet ID used for the 6to4 tunnel must not be used on any of the local IPv6 networks.

For example, to configure the tunnel end point as host ID 1 (one) on subnet ffff:

# ifconfig ip.6to4tun0 inet6 tsrc 192.168.30.31 2002:c0a8:1e1f:ffff::1/64 up
#

The 6to4 tunnels can be configured at system boot by creating an /etc/hostname6.ip.6to4tun0 file. The contents of the file are the arguments that follow the inet6 keyword on the command line. For example:

# cat /etc/hostname6.ip.6to4tun0
tsrc 192.168.30.31 2002:c0a8:1e1f:ffff::1/64 up


Troubleshooting a Router Configuration

To perform basic troubleshooting of an IPv6 router, confirm that processes are running by examining the routing table, as shown in the following examples:

● Determine if the ND daemon is running on each of the routers in question.

# uname -n
sys11
# pgrep -lf ndpd
  108 /usr/lib/inet/in.ndpd
#

# uname -n
sys21
# pgrep -lf ndpd
 1497 /usr/lib/inet/in.ndpd

● View the IPv6 routing table on each router in question.

# uname -n
sys11
# netstat -rn -f inet6
Routing Table: IPv6
  Destination/Mask            Gateway                       Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
2000:0:0:9255::/64          2000::9256:a00:20ff:feac:9b20 U       1      0 hme0:1
fec0:0:0:9255::/64          fec0::9256:a00:20ff:feac:9b20 U       1      0 hme0:2
2000:0:0:9256::/64          2000::9255:a00:20ff:feb9:7223 U       1      0 qfe0:1
fec0:0:0:9256::/64          fec0::9255:a00:20ff:feb9:7223 U       1      0 qfe0:2
2000:0:0:9257::/64          fe80::a00:20ff:fec0:449d      UG      1      0 qfe0
fec0:0:0:9257::/64          fe80::a00:20ff:fec0:449d      UG      1      0 qfe0
fe80::/10                   fe80::a00:20ff:feac:9b20      U       1      0 hme0
fe80::/10                   fe80::a00:20ff:feb9:7223      U       1      2 qfe0
ff00::/8                    fe80::a00:20ff:feb9:7223      U       1      0 hme0
::1                         ::1                           UH      1      0 lo0
#

# uname -n
sys21


# netstat -rn -f inet6
Routing Table: IPv6
  Destination/Mask            Gateway                       Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
2000:0:0:9257::/64          2000::9257:a00:20ff:fec0:449d U       1      0 hme0:1
fec0:0:0:9257::/64          fec0::9257:a00:20ff:fec0:449d U       1      0 hme0:2
2000:0:0:9256::/64          2000::9256:a00:20ff:feb8:2b08 U       1      0 qfe0:1
fec0:0:0:9256::/64          fec0::9256:a00:20ff:feb8:2b08 U       1      0 qfe0:2
2000:0:0:9255::/64          fe80::a00:20ff:feb9:7223      UG      1      0 qfe0
fec0:0:0:9255::/64          fe80::a00:20ff:feb9:7223      UG      1      0 qfe0
fe80::/10                   fe80::a00:20ff:feb8:2b08      U       1      0 qfe0
fe80::/10                   fe80::a00:20ff:fec0:449d      U       1      1 hme0
#

● Send an ICMP echo request to a remote system to determine if you receive an ICMP echo response from the remote system. Do not attempt to communicate with the link-local address of a system across a router because routers do not forward link-local addresses.

# ping fec0::9255:a00:20ff:fec0:449d
fec0::9255:a00:20ff:fec0:449d is alive
#
# ping 2000::9255:a00:20ff:fec0:449d
2000::9255:a00:20ff:fec0:449d is alive
#


Managing IPv6

The tasks you use to manage IPv6 interfaces are similar to the tasks you use to manage IPv4 interfaces.

Displaying the State of IPv6 Interfaces

Use the ifconfig command with the inet6 option to display the state of the IPv6 interfaces, for example:

# ifconfig -a inet6
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:feb9:7223/10
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2000::9255:a00:20ff:feb9:7223/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::9255:a00:20ff:feb9:7223/64
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 2000::9256:a00:20ff:feac:9b20/64
qfe0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 fec0::9256:a00:20ff:feac:9b20/64
#

Modifying the Configuration of an IPv6 Interface

Use the ifconfig command to modify IPv6 interface configuration in a similar manner to IPv4 interfaces. The family type of IPv6 must be defined in the command after the interface option, for example:

ifconfig hme0 inet6 configuration options

Caution – Be sure to specify the inet6 family, or the command changes the configuration of an IPv4 interface.


Configuring Logical Interfaces

You can configure logical IPv6 interfaces by using the ifconfig command with the inet6 parameter in a similar way as for IPv4, for example:

ifconfig qfe0:3 inet6 plumb configuration options

To remove the logical interface, disable the interface, and then use the unplumb parameter, for example:

# ifconfig qfe0:3 inet6 down unplumb
#

Troubleshooting IPv6 Interfaces

You troubleshoot IPv6 interfaces like you troubleshoot IPv4 interfaces. Recall that different FPs are required on addresses destined beyond the local subnet. Therefore, do not spend time attempting to determine why you cannot access a system on another subnet with an IPv6 address that starts with fe8.

Displaying the IPv6 Routing Table

You use the netstat command with the address-family -f inet6 option to display the IPv6 routing table, for example:

# netstat -f inet6 -r

Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
fe80::/10                   sys11-v6                    U       1      0 hme0
ff00::/8                    sys11-v6                    U       1      0 hme0
default                     sys11-v6                    U       1      0 hme0
localhost                   localhost                   UH      1      0 lo0
#


Exercise 1: Configuring IPv6

In this exercise, you configure IPv6 on a router and on a non-router.

The exercise consists of the following tasks:

● Configure IPv6 on your local subnet

● Configure 6to4 routing so that you can contact IPv6 systems on other subnets

● Configure the whole classroom network to use IPv6

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Work with another group for these tasks if your system functions as a router in the classroom.

Task 1 – Configuring IPv6 on the Local Subnet

To configure IPv6 on the local subnet, complete the following sections.

Working on All Non-Router Systems (sysX2, sysX3, sysX4)

To configure IPv6 on a non-router, complete the following steps:

1. Display the configuration of the system’s interfaces before you make any changes.

______________________________________________

2. Create the relevant file to cause your system’s primary interface to be configured with both IPv4 and IPv6.

______________________________________________

3. Reboot the system.

______________________________________________


4. View the system’s interface configuration after the boot.

______________________________________________

Write your system’s IPv6 IP address:

______________________________________________

Can this IPv6 IP address be used by systems on other subnets to contact your system? Why or why not?

______________________________________________

______________________________________________

______________________________________________

5. Ask another group on your subnet for its link-local IPv6 IP address.

Write the IP address:

______________________________________________

6. Use the ping command to verify that your system can send and receive ICMP echo messages with another local IPv6 system.

______________________________________________

7. View the current routing table so that you will be able to see the difference after the router is reconfigured later.

______________________________________________

8. Use the ps command to determine which routing daemons are currently running on the system.

______________________________________________

Describe why the process or processes are running.

______________________________________________

______________________________________________

______________________________________________

______________________________________________


Task 2 – Configuring 6to4 Routing

Complete the steps in the following sections.

Working on Your Subnet’s Router

Complete the following steps:

1. From the command line, configure IPv6 on the network interface connected to the local subnet. Also create the necessary file to enable this same configuration at any subsequent boot.

______________________________________________

2. Enable IPv6 routing.

______________________________________________

3. Enable IPv6 forwarding.

______________________________________________

4. Plumb an IPv6 6to4 tunnel.

______________________________________________

5. Configure the IPv6 tunnel using the router’s IPv4 address on the 30.X network (for example 192.168.30.31), and use network number 0 (zero) and host number 1 (one) for the tunnel end point.

______________________________________________

6. Create an /etc/hostname6.ip.6to4tun0 file so that the 6to4 tunnel is created automatically with the appropriate source when the system boots.

______________________________________________


7. Create an /etc/inet/ndpd.conf file to advertise a 6to4 address prefix and a site-local address prefix to your local subnet. Make the subnet ID for both prefixes the same as the subnet ID used in your IPv4 addresses. (For example, if you are on subnet 192.168.1.0, use 1 (one) as your subnet ID). Use the following prefix lines:

● For sys11:

prefix fec0:0:0:1::0/64 hme0
prefix 2002:c0a8:1e1f:1::0/64 hme0

● For sys21:

prefix fec0:0:0:2::0/64 hme0
prefix 2002:c0a8:1e20:2::0/64 hme0

● For sys31:

prefix fec0:0:0:3::0/64 hme0
prefix 2002:c0a8:1e21:3::0/64 hme0

8. Reboot the router.

______________________________________________

9. Log in to the router and view the configuration of its network interfaces.

______________________________________________

10. View the routing table on the router.

______________________________________________

11. View the daemons running on the router.

______________________________________________

Working on all Non-Router Systems (sysX2, sysX3, sysX4)

Continue as follows:

12. Obtain the IPv6 6to4 address of a system on a different subnet.

______________________________________________

13. Attempt to contact a system on a different subnet by using its IPv6 6to4 address.

______________________________________________

Caution – Do not proceed beyond this point until everyone in the class completes this step.


Task 3 – Configuring IPv6 Across the Whole Network

In this section you will remove the 6to4 tunnel just constructed so that you can enable IPv6 across the whole network. Complete the steps in the following sections.

Working on Your Subnet’s Router

Work with another teammate’s group for this task if your system functions as a non-router in the classroom.

To configure IPv6 on a router, complete the following steps:

1. Display the router’s interface configuration so that you can back out of the configuration at any stage.

______________________________________________

2. Unconfigure the 6to4 tunnel interface.

______________________________________________

______________________________________________

3. Determine which, if any, processes related to IPv6 routing are running and, if so, with what options. Why are the processes running with these options?

______________________________________________

______________________________________________

______________________________________________

______________________________________________

4. Verify that the files that you use to configure the router’s interfaces with IPv6 at boot time exist. If they do not, create them.

______________________________________________

______________________________________________


5. Edit the correct file on your router to cause it to use a site-local and an aggregated global-unicast address for each interface on the router. Use the following addresses:

● 192.168.1.0 uses fec0:0:0:1::0/64 and 2000:0:0:1::0/64

● 192.168.2.0 uses fec0:0:0:2::0/64 and 2000:0:0:2::0/64

● 192.168.3.0 uses fec0:0:0:3::0/64 and 2000:0:0:3::0/64

● 192.168.30.0 uses fec0:0:0:30::0/64 and 2000:0:0:30::0/64

Configure the file to cause the routing daemon to advertise IPv6 out of all interfaces.

Be sure to remove any existing prefix 2002 lines.

Document your work.

6. Reboot the router systems.

______________________________________________

7. Verify that each router is configured correctly. Display the configuration of each network interface.

______________________________________________

8. View your router’s IPv6 routing table. What routes are available?

______________________________________________

9. Determine which routing daemons are running on the router. Which options are running with each routing daemon, and why?

______________________________________________

______________________________________________

______________________________________________

______________________________________________

______________________________________________

______________________________________________


Working on all Non-Router Systems (sysX2, sysX3, sysX4)

Continue as follows:

10. Either reboot the non-router systems, or wait a few minutes for the route information to propagate through the network.

______________________________________________

11. Use the ping command to send ICMP echo requests from a non-router system to the site-local address of another non-router system on another subnet to verify that the routing is functioning as expected. (You may have to wait enough time for the routing information to be updated after the prior step’s system boot.)

______________________________________________

12. Determine which routing daemons are running on each non-router system. Which options are running with each routing daemon, and why?

______________________________________________

______________________________________________

13. Display the system’s routing table. What type of routes are in the routing table (link-local, site-local, or global)?

______________________________________________

14. Display the system’s interface configuration. Notice the logical addresses that provide access to the different networks based on the FP.

______________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise 1 Solutions

The following solution is specific to an individual system. Your results will be different if you are working on different systems.

Task 1 – Configuring IPv6 on the Local Subnet

To configure IPv6 on the local subnet, complete the following sections.

Working on All Non-Router Systems (sysX2, sysX3, sysX4)

To configure IPv6 on a non-router, complete the following steps:

1. Display the configuration of the system’s interfaces before you make any changes.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:c1:4b:44
#

2. Create the relevant file to cause your system’s primary interface to be configured with both IPv4 and IPv6.

# touch /etc/hostname6.hme0

3. Reboot the system.

# init 6
#
INIT: New run level: 6
svc.startd: The system is coming down. Please wait.
......


4. View the system’s interface configuration after the boot.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:c1:4b:44
lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
#

The system’s primary interface is now configured with both the IPv4 and IPv6 protocol stacks.

Write your system’s IPv6 IP address:

fe80::a00:20ff:fec1:4b44/10

Can this IPv6 IP address be used by systems on other subnets to contact your system? Why or why not?

No, other systems cannot contact this IPv6 IP address because the address has an FP of fe8, which is a link-local address and is limited to the local subnet. The FP defines the scope that an IPv6 datagram is able to travel.

5. Ask another group on your subnet for its link-local IPv6 IP address.

Write the IP address:

fe80::a00:20ff:fe90:b5c7/10

6. Use the ping command to verify that your system can send and receive ICMP echo messages with another local IPv6 system.

# ping fe80::a00:20ff:fe90:b5c7
fe80::a00:20ff:fe90:b5c7 is alive
#


7. View the current routing table so that you will be able to see the difference after the router is reconfigured later.

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.3          U         1      2 hme0
224.0.0.0            192.168.1.3          U         1      0 hme0
default              192.168.1.1          UG        1      0 hme0
127.0.0.1            127.0.0.1            UH        2      6 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
fe80::/10                   fe80::a00:20ff:fec1:4b44    U       1      0 hme0
ff00::/8                    fe80::a00:20ff:fec1:4b44    U       1      0 hme0
default                     fe80::a00:20ff:fec1:4b44    U       1      0 hme0
::1                         ::1                         UH      1      0 lo0
#

8. Use the ps command to determine which routing daemons are currently running on the system.

# ps -ef | grep in[.]
    root   102     1  0 12:10:10 ?        0:00 /usr/sbin/in.routed
    root   109     1  0 12:10:10 ?        0:00 /usr/lib/inet/in.ndpd
#

Describe why the process or processes are running.

The in.routed daemon is attempting to locate routers by sending solicitation, and is listening for IPv4 routing messages after it boots.

The in.ndpd daemon provides the autoconfiguration components of neighbor discovery and is not really considered to be a routing daemon.


Task 2 – Configuring 6to4 Routing

Complete the steps in the following sections.

Working on Your Subnet’s Router

1. From the command line, configure IPv6 on the network interface connected to the local subnet. Also create the necessary file to enable this same configuration at any subsequent boot.

# ifconfig hme0 inet6 plumb up
# touch /etc/hostname6.hme0
#

2. Enable IPv6 routing.

# routeadm -u -e ipv6-routing
# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              enabled
               IPv4 routing   enabled              enabled
            IPv6 forwarding   enabled              enabled
               IPv6 routing   enabled              enabled

        IPv4 routing daemon   "/usr/sbin/in.routed"
   IPv4 routing daemon args   ""
   IPv4 routing daemon stop   "kill -TERM `cat /var/tmp/in.routed.pid`"
        IPv6 routing daemon   "/usr/lib/inet/in.ripngd"
   IPv6 routing daemon args   "-s"
   IPv6 routing daemon stop   "kill -TERM `cat /var/tmp/in.ripngd.pid`"
#

3. Enable IPv6 forwarding.

# routeadm -u -e ipv6-forwarding
#


4. Plumb an IPv6 6to4 tunnel.

# ifconfig ip.6to4tun0 inet6 plumb
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:ac:9b:22
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:feb9:7223/10
        ether 8:0:20:b9:72:23
ip.6to4tun0: flags=2300040<RUNNING,ROUTER,NONUD,IPv6> mtu 65515 index 4
        inet tunnel src 0.0.0.0
        tunnel hop limit 60
        inet6 fe80::32:0:10/10

5. Configure the IPv6 tunnel using the router’s IPv4 address on the 30.X network (for example, 192.168.30.31), and use network number 0 (zero) and host number 1 (one) for the tunnel end point.

# ifconfig ip.6to4tun0 inet6 tsrc 192.168.30.31 up
# cat /etc/hostname6.ip.6to4tun0
tsrc 192.168.30.31 up

6. Create an /etc/hostname6.ip.6to4tun0 file so that the 6to4 tunnel is created automatically with the appropriate source when the system boots.

# echo tsrc 192.168.30.31 up > /etc/hostname6.ip.6to4tun0
# cat /etc/hostname6.ip.6to4tun0
tsrc 192.168.30.31 up

______________________________________________

7. Create an /etc/inet/ndpd.conf file to advertise a 6to4 address prefix and a site-local address prefix to your local subnet. Make the subnet ID for both prefixes the same as the subnet ID used in your IPv4 addresses. (For example, if you are on subnet 192.168.1.0, use 1 (one) as your subnet ID). Use the following prefix lines:

● For sys11:

prefix fec0:0:0:1::0/64 hme0
prefix 2002:c0a8:1e1f:1::0/64 hme0

● For sys21:

prefix fec0:0:0:2::0/64 hme0
prefix 2002:c0a8:1e20:2::0/64 hme0

● For sys31:

prefix fec0:0:0:3::0/64 hme0
prefix 2002:c0a8:1e21:3::0/64 hme0

# cat /etc/inet/ndpd.conf
# Send router advertisements out all interfaces
ifdefault AdvSendAdvertisements on
# Advertise an unregistered (bogus) global prefix and a site
# local prefix using the default lifetimes
# Site-local address
prefix fec0:0:0:1::0/64 hme0
# 6to4 address
prefix 2002:c0a8:1e1f:1::0/64 hme0
#

8. Reboot the router.

# init 6

9. Log in to the router and view the configuration of its network interfaces.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:f8:b7:23
qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:f8:b7:23
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:fef8:b723/10
        ether 8:0:20:f8:b7:23
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2002:c0a8:1e1f:1:a00:20ff:fef8:b723/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fef8:b723/64
ip.6to4tun0: flags=2300041<UP,RUNNING,ROUTER,NONUD,IPv6> mtu 8212 index 4
        inet tunnel src 192.168.30.31
        tunnel hop limit 60
        inet6 2002:c0a8:1e1f::1/64
#

10. View the routing table on the router.

# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.3          U         1     38 hme0
192.168.2.0          192.168.30.32        UG        1      0 qfe0
192.168.30.0         192.168.30.31        U         1     34 qfe0
224.0.0.0            192.168.1.3          U         1      0 hme0
127.0.0.1            127.0.0.1            UH        9 152065 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
2002:c0a8:1e1f:1::/64       2002:c0a8:1e1f:1:a00:20ff:fef8:b723 U 1    6 hme0:1
fec0:0:0:1::/64             fec0::1:a00:20ff:fef8:b723  U       1      0 hme0:2
2002:c0a8:1e1f::/64         2002:c0a8:1e1f::1           U       1      0 ip.6to4tun0
2002::/16                   2002:c0a8:1e1f::1           U       1      1 ip.6to4tun0
fe80::/10                   fe80::a00:20ff:fef8:b723    U       1     18 hme0
ff00::/8                    fe80::a00:20ff:fef8:b723    U       1      0 hme0
::1                         ::1                         UH     30    494 lo0
#

11. View the daemons running on the router.

# ps -ef | grep in[.]
    root   147     1  0 15:42:56 ?        0:32 /usr/sbin/in.routed
    root   149     1  0 15:42:56 ?        0:00 /usr/lib/inet/in.ndpd
    root   151     1  0 15:42:56 ?        0:02 /usr/lib/inet/in.ripngd -s
#

Working on all Non-Router Systems (sysX2, sysX3, sysX4)

Continue as follows:

12. Obtain the IPv6 6to4 address of a system on a different subnet.

2002:c0a8:1e20:2:a00:20ff:feb6:c5de

13. Attempt to contact a system on a different subnet by using its IPv6 6to4 address.

# ping 2002:c0a8:1e20:2:a00:20ff:feb6:c5de
2002:c0a8:1e20:2:a00:20ff:feb6:c5de is alive
#

Caution – Do not proceed beyond this point until everyone in the class completes this step.
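
The 6to4 values used in Task 2 follow mechanically from the router’s IPv4 address and each interface’s MAC address. The Python sketch below is an added example, not part of the Sun course material; its function names are illustrative, and it reproduces the step 7 prefix lines and the addresses shown in the step 9 ifconfig output.

```python
"""Derive the 6to4 prefix, tunnel end point and autoconfigured addresses of Task 2."""
import ipaddress

SITE_LOCAL = ipaddress.IPv6Network("fec0::/48")  # site-local prefix used in the exercise


def six_to_four_site_prefix(ipv4):
    """2002::/16 followed by the 32-bit IPv4 address gives the site's /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def subnet_prefix(site, subnet_id):
    """Place a 16-bit subnet ID behind a /48 site prefix to get a /64."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def eui64_interface_id(mac):
    """Interface ID built from a MAC: insert ff:fe and flip the universal/local bit."""
    octets = [int(part, 16) for part in mac.split(":")]  # accepts 8:0:20:... as printed
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def autoconf_address(prefix, mac):
    """Address a host forms from an advertised /64 prefix and its own MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def tunnel_endpoint(site):
    """Network number 0, host number 1, as step 5 specifies for the tunnel."""
    return ipaddress.IPv6Address(int(site.network_address) | 1)


def ndpd_prefix_lines(ipv4, subnet_id, interface):
    """The two prefix lines of step 7 for one router."""
    site_local = subnet_prefix(SITE_LOCAL, subnet_id)
    six_to_four = subnet_prefix(six_to_four_site_prefix(ipv4), subnet_id)
    return ["prefix %s %s" % (site_local, interface),
            "prefix %s %s" % (six_to_four, interface)]


if __name__ == "__main__":
    site = six_to_four_site_prefix("192.168.30.31")
    print("site prefix     ", site)
    print("tunnel end point", tunnel_endpoint(site))
    print("hme0:1 address  ", autoconf_address(subnet_prefix(site, 1), "8:0:20:f8:b7:23"))
    for line in ndpd_prefix_lines("192.168.30.31", 1, "hme0"):
        print(line)
```

Python prints the prefixes in compressed form (fec0:0:0:1::/64), which is the same network as the fec0:0:0:1::0/64 spelling used in the ndpd.conf file.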


Task 3 – Configuring IPv6 Across the Whole Network

In this section you will remove the 6to4 tunnel just constructed so that you can enable IPv6 across the whole network. Complete the steps in the following sections.

Working on Your Subnet’s Router

Work with another teammate’s group for this task if your system functions as a non-router in the classroom.

To configure IPv6 on a router, complete the following steps:

1. Display the router’s interface configuration so that you can back out of the configuration at any stage.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:f8:b7:23
qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:f8:b7:23
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        inet6 fe80::a00:20ff:fef8:b723/10
        ether 8:0:20:f8:b7:23
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2002:c0a8:1e1f:1:a00:20ff:fef8:b723/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fef8:b723/64
ip.6to4tun0: flags=2300041<UP,RUNNING,ROUTER,NONUD,IPv6> mtu 8212 index 4
        inet tunnel src 192.168.30.31
        tunnel hop limit 60
        inet6 2002:c0a8:1e1f::1/64
#

2. Unconfigure the 6to4 tunnel interface.

# ifconfig ip.6to4tun0 inet6 down unplumb
# rm /etc/hostname6.ip.6to4tun0
#

3. Determine which, if any, processes related to IPv6 routing are running and, if so, with what options. Why are the processes running with these options?

# ps -ef | grep in[.]
    root   161     1  0 14:25:20 ?        0:00 /usr/lib/inet/in.ndpd
    root   158     1  0 14:25:20 ?        0:01 /usr/sbin/in.routed
    root   163     1  0 14:25:20 ?        0:00 /usr/lib/inet/in.ripngd -s

The in.routed daemon runs to supply routing information to the local networks. This is possible even if this system is not configured as a router.

4. Verify that the files that you use to configure the router’s interfaces with IPv6 at boot time exist. If they do not, create them.

# touch /etc/hostname6.hme0
# touch /etc/hostname6.qfe0
#

5. Edit the correct file on your router to cause it to use a site-local and an aggregated global unicast address for each interface on the router. Use the following addresses:

● 192.168.1.0 uses fec0:0:0:1::0/64 and 2000:0:0:1::0/64

● 192.168.2.0 uses fec0:0:0:2::0/64 and 2000:0:0:2::0/64

● 192.168.3.0 uses fec0:0:0:3::0/64 and 2000:0:0:3::0/64

● 192.168.30.0 uses fec0:0:0:30::0/64 and 2000:0:0:30::0/64

Configure the file to cause the routing daemon to advertise IPv6 out of all interfaces.

Be sure to remove existing prefix 2002 lines.

Document your work.

Edit the sys11 router’s /etc/inet/ndpd.conf file to contain contents similar to the following:

sys11# cat /etc/inet/ndpd.conf
# Send router advertisements out all interfaces
ifdefault AdvSendAdvertisements on
# Advertise an unregistered (bogus) global prefix and a site
# local prefix using the default lifetimes
# Site-local addresses:
prefix fec0:0:0:2::0/64 qfe0
prefix fec0:0:0:30::0/64 hme0
# Aggregatable global unicast addresses
prefix 2000:0:0:2::0/64 qfe0
prefix 2000:0:0:30::0/64 hme0

Edit the sys21 router’s /etc/inet/ndpd.conf file to contain contents similar to the following:

sys21# cat /etc/inet/ndpd.conf
# Send router advertisements out all interfaces
ifdefault AdvSendAdvertisements on
# Advertise an unregistered (bogus) global prefix and a site
# local prefix using the default lifetimes
# Site-local addresses:
prefix fec0:0:0:2::0/64 qfe0
prefix fec0:0:0:30::0/64 hme0
# Aggregatable global unicast addresses
prefix 2000:0:0:2::0/64 qfe0
prefix 2000:0:0:30::0/64 hme0


6. Reboot the router systems.

# init 6
#
svc.startd: The system is coming down. Please wait.......

7. Verify that each router is configured correctly. Display the configuration of each network interface.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:ac:9b:20
lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        ether 8:0:20:b9:72:23
        inet6 fe80::a00:20ff:feb9:7223/10
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:feb9:7223/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:feb9:7223/64
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
        ether 8:0:20:ac:9b:20
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 2000::30:a00:20ff:feac:9b20/64
qfe0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 fec0::30:a00:20ff:feac:9b20/64

8. View your router’s IPv6 routing table. What routes are available?

# netstat -f inet6 -rn
Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
2000:0:0:30::/64            2000::30:a00:20ff:feb9:7223 U       1      0 hme0:1
fec0:0:0:30::/64            fec0::30:a00:20ff:feb9:7223 U       1      0 hme0:2
2000:0:0:1::/64             2000::1:a00:20ff:feac:9b20  U       1      0 qfe0:1
fec0:0:0:1::/64             fec0::1:a00:20ff:feac:9b20  U       1      0 qfe0:2
2000:0:0:2::/64             fe80::203:baff:fe6b:5d34    UG      1      0 hme0
fec0:0:0:2::/64             fe80::203:baff:fe6b:5d34    UG      1      0 hme0
fe80::/10                   fe80::a00:20ff:feb9:7223    U       1      0 hme0
fe80::/10                   fe80::a00:20ff:feac:9b20    U       1      0 qfe0
ff00::/8                    fe80::a00:20ff:feb9:7223    U       1      0 hme0
::1                         ::1                         UH      1      0 lo0

9. Determine which routing daemons are running on the router. Which options are running with each routing daemon, and why?

# ps -ef | grep in[.]
    root   107     1  0 12:36:01 ?        0:00 /usr/sbin/in.routed
    root   116     1  0 12:36:02 ?        0:00 /usr/lib/inet/in.ndpd
    root   118     1  0 12:36:02 ?        0:00 /usr/lib/inet/in.ripngd -s
#

The in.routed process runs to supply routing information to the local networks. This is possible even if this system is not configured as a router.

The in.ndpd process provides the autoconfiguration components of neighbor discovery and is not really considered to be a routing daemon.

The in.ripngd process runs with the -s option to force the process to supply routing information. This is possible even if this system is not configured as a router.

Working on all Non-Router Systems (sysX2, sysX3, sysX4)

Continue as follows:

10. Either reboot the non-router systems, or wait a few minutes for the route information to propagate through the network.

# init 6
svc.startd: The system is coming down. Please wait.......

11. Use the ping command to send ICMP echo requests from a non-router system to the site-local address of another non-router system on another subnet to verify that the routing is functioning as expected. (You may have to wait for the routing information to be updated after the prior step’s system boot.)

# ping fec0::2:a00:20ff:feb8:30c8
ICMPv6 Address Unreachable from gateway .......
# ping fec0::2:a00:20ff:feb8:30c8
fec0::2:a00:20ff:feb8:30c8 is alive
#


12. Determine which routing daemons are running on each non-router system. Which options are running with each routing daemon, and why?

# ps -ef | grep in[.]
    root   102     1  0 12:51:52 ?        0:00 /usr/sbin/in.routed
    root   109     1  0 12:51:52 ?        0:00 /usr/lib/inet/in.ndpd
#

The in.routed daemon is listening for IPv4 routing information.

13. Display the system’s routing table. What type of routes are in the routing table (link-local, site-local, or global)?

# netstat -rn -f inet6
Routing Table: IPv6
  Destination/Mask            Gateway                     Flags Ref   Use   If
--------------------------- --------------------------- ----- --- ------ -----
2000:0:0:1::/64             2000::1:a00:20ff:fec1:4b44  U       1      0 hme0:1
fec0:0:0:1::/64             fec0::1:a00:20ff:fec1:4b44  U       1      0 hme0:2
fe80::/10                   fe80::a00:20ff:fec1:4b44    U       1      0 hme0
ff00::/8                    fe80::a00:20ff:fec1:4b44    U       1      0 hme0
default                     fe80::a00:20ff:feac:9b20    UG      1      0 hme0
::1                         ::1                         UH      1      0 lo0
#

The fe8, fec, and 200 FPs indicate that the system is aware of link-local, site-local, and global networks.

14. Display the system’s interface configuration. Notice the logical addresses that provide access to the different networks based on the FP.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:c1:4b:44
lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
#


Configuring IPv6 Multipathing

You can configure IPv6 multipathing either from the command line or by editing a file to cause multipathing to be configured at boot time. IPv6 multipathing is similar in operation to the multipathing operation in IPv4, but it has a significantly different configuration procedure.

Configuring IPMP Manually

You can configure a production server for IPv6 IPMP without rebooting if your system was configured previously to support local MAC addresses. This example shows how to configure IPMP on an existing IPv6-configured hme0 interface and on an existing, but unconfigured, qfe1 interface, in which the multipath group is called mpgrp6-one.

To configure IPMP at the command-line prompt by using the ifconfig command, complete the following steps, which are described in greater detail in the next sections:

1. Verify the Solaris OS release.

2. Confirm that the system recognizes unique MAC addresses.

3. Configure the hme0 interface as part of a multipath group.

4. Configure a test address for the hme0 interface.

5. Configure the qfe1 interface as part of the hme0 interface multipath group.

6. Configure a test address for the qfe1 interface.

7. View the interface configuration.

8. Observe the IPMP failover.


View your system’s interface configuration to have a baseline before you make any changes to the system, so that you know the state of the system if you need to restore the system for any reason.

Perform the command:

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:c1:4b:44
lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
#

Verifying the Solaris OS Release

The /etc/release file contains information about the installed version of the Solaris OS.

The following system meets the minimum requirements:

# cat /etc/release
        Solaris 8 10/00 s28s_u2wos_11b SPARC
        Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
        Assembled 31 August 2000
#

The following system exceeds the minimum requirements:

# cat /etc/release
        Solaris 10 s10_67 SPARC
        Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
        Use is subject to license terms.
        Assembled 09 September 2004
#


Configuring Unique MAC Addresses

To determine if unique MAC addresses are enabled, use the eeprom command to view the contents of the EEPROM:

# eeprom local-mac-address?
local-mac-address?=false
#

The preceding output indicates that the system is still in its default mode and uses the same MAC address for each interface. This is indicated by the setting of the local-mac-address? variable to false. You now use the eeprom command to change the EEPROM’s local-mac-address? variable to true.

# eeprom local-mac-address?=true
#

Verify that the EEPROM’s local-mac-address? variable is set to true:

# eeprom local-mac-address?
local-mac-address?=true
#

Note – You must reboot the system for EEPROM changes to take place.

You can also set the EEPROM’s local-mac-address? variable from the OpenBoot PROM.

Configuring the hme0 Interface as Part of a Multipath Group

To configure the hme0 interface as part of a multipath group, specify the name of the group, mpgrp6-one, of which the hme0 interface will be a part:

# ifconfig hme0 group mpgrp6-one
# Dec 19 12:49:04 sys13 in.mpathd[309]: Failures cannot be detected on hme0 as no IFF_NOFAILOVER address is available

Note – You only see this and subsequent failure messages if you are viewing the console.


You can ignore the preceding message because the interface is still being configured.

View the changes to the interface:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
#

Observe the additional information in the preceding ifconfig output for the inet6 hme0 interface output that indicates the new multipath group information:

groupname mpgrp6-one

Configuring a Test Address for the hme0 Interface

Next, you configure a test address for the hme0 interface. To configure an IPv6 test address, you use the link-local address.

When you configure the address, mark it so that the in.mpathd daemon recognizes it as a test address that must not fail over (-failover). Enter the following:

# ifconfig hme0 inet6 -failover
#


To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
#

Observe the additional information that is reported by the preceding ifconfig command for the hme0 interface:

hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one

This information includes the following:

● The NOFAILOVER flag indicates that the interface must not be used as a failover interface if another interface in the group fails. You do not need to mark IPv6 test addresses as deprecated.

● The RUNNING flag is monitored by the in.mpathd daemon to ensure that communications are functioning as expected.

Be aware that the logical interface cannot function if the physical interface fails.


Configuring the qfe1 Interface as Part of the hme0 Interface Multipath Group

Half of the interface configuration is complete. Now, you configure the qfe1 interface with IPv4, netmask, and broadcast addresses. You must also configure it as part of the same IPMP group as the hme0 interface. Type the following:

# ifconfig qfe1 plumb 192.168.1.200 netmask + broadcast + group \
> mpgrp6-one up
#

Configure the new interface to also support IPv6. You do not need to assign the interface to a group because the IPv6 interface assumes the same group membership as the IPv4 interface. Type the following:

# ifconfig qfe1 inet6 plumb up

To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
qfe1: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
qfe1:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 2000::1:a00:20ff:feb7:4e5d/64
qfe1:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 fec0::1:a00:20ff:feb7:4e5d/64
#


Observe the additional information that is reported by the preceding ifconfig command for the qfe1 interface:

qfe1: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one

The interface index number is incremented to 3 because every physical interface obtains its own index number (which is identical for a physical interface’s different virtual interfaces): 1 for lo0, 2 for hme0, and 3 for qfe1.

Configuring an IPv6 Test Address for the qfe1 Interface

Now you configure an IPv6 test address for the qfe1 interface. When you configure the address, mark it so that the in.mpathd daemon recognizes it as a test address that must not be used as a failover interface (-failover) if another interface in the group fails. Perform the command:

# ifconfig qfe1 inet6 -failover
# Dec 19 14:47:47 sys13 in.mpathd[309]: Failure detection restored on qfe1 as an IFF_NOFAILOVER address is available


To view the changes to the interface, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
qfe1: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
qfe1:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 2000::1:a00:20ff:feb7:4e5d/64
qfe1:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 fec0::1:a00:20ff:feb7:4e5d/64
#


Starting the in.mpathd Daemon to Monitor the Interfaces

The start process of the in.mpathd daemon is controlled by the TRACK_INTERFACES_ONLY_WITH_GROUPS parameter in the /etc/default/mpathd file. The contents of this file are:

# cat /etc/default/mpathd
#
#pragma ident "@(#)mpathd.dfl 1.2 00/07/17 SMI"
#
# Time taken by mpathd to detect a NIC failure in ms. The minimum time
# that can be specified is 100 ms.
#
FAILURE_DETECTION_TIME=10000
#
# Failback is enabled by default. To disable failback turn off this option
#
FAILBACK=yes
#
# By default only interfaces configured as part of multipathing groups
# are tracked. Turn off this option to track all network interfaces
# on the system
#
TRACK_INTERFACES_ONLY_WITH_GROUPS=yes
#

If the TRACK_INTERFACES_ONLY_WITH_GROUPS variable is set to yes, the ifconfig command’s group option starts the in.mpathd daemon automatically. If the TRACK_INTERFACES_ONLY_WITH_GROUPS variable is set to no, then the /lib/svc/method/net-init SMF method starts the in.mpathd daemon at boot time.

If you need to start the in.mpathd daemon from the command line, use the following command as the root user:

# /sbin/in.mpathd
#


Viewing the Interface Configuration

To view the configuration of the interfaces, now that multipathing is completely configured, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
qfe1: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
qfe1:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 2000::1:a00:20ff:feb7:4e5d/64
qfe1:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 fec0::1:a00:20ff:feb7:4e5d/64
#

The system now remains available to users even if either of the multipath network interfaces fails or becomes unusable for any reason.
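
The in.mpathd messages above show that an interface in a group is not probed until it carries a NOFAILOVER test address. The Python sketch below is an added example, not part of the Sun course material: it reads `ifconfig -a` text in the layout shown in this section and reports group members that still lack a test address. The function names and the embedded sample, assembled from the listings above, are illustrative.

```python
"""Report IPMP group members that in.mpathd cannot yet monitor."""
import re

# Constructed sample in the state shown before the qfe1 test address is set:
# hme0 already has a NOFAILOVER link-local address, qfe1 does not.
SAMPLE = """\
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
qfe1: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
"""

# "hme0:" and "hme0:1:" both belong to the physical interface hme0.
STANZA = re.compile(r"^(\S+?)(?::\d+)?: flags=[0-9a-f]+<([^>]*)>")
GROUP = re.compile(r"\bgroupname\s+(\S+)")


def parse_links(text):
    """Collapse IPv4, IPv6 and logical stanzas into one record per physical interface."""
    links = {}
    current = None
    for line in text.splitlines():
        head = STANZA.match(line)
        if head:
            flags = {flag.strip() for flag in head.group(2).split(",")}
            current = links.setdefault(
                head.group(1), {"group": None, "test_addr": False, "not_running": False})
            current["test_addr"] |= "NOFAILOVER" in flags
            current["not_running"] |= "RUNNING" not in flags
        elif current is not None:
            found = GROUP.search(line)
            if found:
                current["group"] = found.group(1)
    return links


def audit_ipmp(text):
    """Return findings for every multipath group seen in the ifconfig output."""
    links = parse_links(text)
    groups = {}
    for name, info in links.items():
        if info["group"]:
            groups.setdefault(info["group"], []).append(name)
    findings = []
    for group in sorted(groups):
        members = sorted(groups[group])
        if len(members) < 2:
            findings.append("%s: only %s is a member, so there is nothing to fail over to"
                            % (group, members[0]))
        for name in members:
            if not links[name]["test_addr"]:
                findings.append("%s: %s has no NOFAILOVER test address" % (group, name))
            if links[name]["not_running"]:
                findings.append("%s: %s is not RUNNING" % (group, name))
    return findings


if __name__ == "__main__":
    for finding in audit_ipmp(SAMPLE) or ["no findings"]:
        print(finding)
```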


Configuring IPMP at Boot Time

This example shows IPMP configuration on an existing IPv6-configured hme0 interface and on an existing, but unconfigured, qfe1 interface on the sys13 (192.168.1.3) system. The multipath group is called mpgrp6-one.

To configure IPMP, complete the following steps, which are described in greater detail in the next sections.

1. Verify the Solaris OS release.

2. Configure unique MAC addresses.

3. Configure the interfaces.

4. Reboot the system.

5. View the interface configuration.

6. Observe the IPMP failover.

View your system’s interface configuration to have a baseline before you make any changes to the system, so that you know the state of the system if you need to restore the system for any reason.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:c1:4b:44
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
#


Verifying the Solaris OS Release

The /etc/release file contains information about the installed version of the Solaris OS.

The following system meets the minimum requirements:

# cat /etc/release
    Solaris 8 10/00 s28s_u2wos_11b SPARC
    Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
    Assembled 31 August 2000
#

The following system exceeds the minimum requirements:

# cat /etc/release
    Solaris 10 s10_67 SPARC
    Copyright 2004 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 09 September 2004
#


Configuring Unique MAC Addresses

Before attempting to configure MAC addresses, determine if the code in your system’s EEPROM supports unique MAC addresses.

To determine if unique MAC addresses are permitted, use the eeprom command to view the current value of the local-mac-address? variable:

# eeprom local-mac-address?
local-mac-address?=false
#

The preceding output indicates that the system is still in its default mode and uses the same MAC address for each interface. You now use the eeprom command to change the EEPROM’s local-mac-address? variable to true.

# eeprom local-mac-address?=true
#

Verify that the EEPROM’s local-mac-address? variable is set to true:

# eeprom local-mac-address?
local-mac-address?=true
#

Note – You must reboot the system for EEPROM changes to take place.

You can also set the EEPROM’s local-mac-address? variable from the OpenBoot PROM level.


Configuring the Interfaces

Multipath information is placed in the /etc/hostname6.hme0 and /etc/hostname6.qfe1 files. Modify the /etc/hostname6.hme0 file to contain contents similar to the following:

# cat /etc/hostname6.hme0
-failover group mpgrp6-one up
#

where:

hme0                Assigns an interface.

hostname6           Forces the ifconfig command to configure the interface as an IPv6 interface.

-failover           Marks the interface as a non-failover interface. Interfaces that are marked in this way do not fail over to another physical interface in the multipath group in a failover scenario.

group mpgrp6-one    Assigns mpgrp6-one as the name for an IPMP group.

up                  Marks the interface as up, and initializes the hardware.

Configure the /etc/hostname.qfe1 file to permit the IPv4 stack to be configured on the qfe1 interface at boot time. Create the /etc/hostname.qfe1 file to contain contents similar to the following:

# cat /etc/hostname.qfe1
192.168.1.200
#

Create the /etc/hostname6.qfe1 file to contain contents similar to the following:

# cat /etc/hostname6.qfe1
-failover group mpgrp6-one up
#


Rebooting the System

Reboot the system to enable IPMP.

# init 6
#

Viewing the Interface Configuration

To view the configuration of the interfaces when the system is booted, use the ifconfig command:

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
qfe1: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
qfe1:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 2000::1:a00:20ff:feb7:4e5d/64
qfe1:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 fec0::1:a00:20ff:feb7:4e5d/64
#

The system remains available to users, even if either of the multipath network interfaces fails or becomes unusable for any reason.
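The checks a reader makes by eye on this output (group membership, the NOFAILOVER flag on each link-local address, unique MAC addresses) can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical, the hme0 and qfe1 stanzas follow the output above, and the qfe2 interface and the group named solo are constructed to show the singleton case.

```python
import re
from collections import defaultdict

# Sample input: hme0/qfe1 stanzas follow the page's output; qfe2 and the group
# "solo" are constructed here to exercise the singleton case.
SAMPLE = """\
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:c1:4b:44
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.200 netmask ffffff00 broadcast 192.168.1.255
        groupname mpgrp6-one
        ether 8:0:20:b7:4e:5d
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname mpgrp6-one
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
qfe1: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 3
        ether 8:0:20:b7:4e:5d
        inet6 fe80::a00:20ff:feb7:4e5d/10
        groupname mpgrp6-one
qfe2: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 4
        ether 8:0:20:b7:4e:5e
        inet6 fe80::a00:20ff:feb7:4e5e/10
        groupname solo
"""

HEADER = re.compile(r"^(\w+)(:\d+)?: flags=[0-9a-f]+<([^>]*)>")
FIELDS = ("inet", "inet6", "groupname", "ether")


def parse_ifconfig(text):
    """Split `ifconfig -a` output into one dict per interface stanza."""
    stanzas = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            flags = set(m.group(3).split(","))
            stanzas.append({
                "phys": m.group(1),                 # hme0 for both hme0 and hme0:1
                "logical": m.group(2) is not None,  # True for hme0:1, hme0:2, ...
                "family": "inet6" if "IPv6" in flags else "inet",
                "flags": flags,
            })
        elif stanzas and line[:1].isspace():
            # Continuation line: pick up "keyword value" pairs.
            words = line.split()
            for key, value in zip(words, words[1:]):
                if key in FIELDS:
                    stanzas[-1][key] = value
    return stanzas


def audit_ipmp(text):
    """Return {group: [findings]}; an empty list means no problem was found."""
    groups = defaultdict(dict)
    for s in parse_ifconfig(text):
        # The IPv6 stanza of the physical interface holds the link-local
        # address that the page marks with -failover.
        if s["family"] == "inet6" and not s["logical"] and "groupname" in s:
            groups[s["groupname"]][s["phys"]] = s
    report = {}
    for group, members in groups.items():
        findings = []
        if len(members) == 1:
            findings.append("singleton group: monitored, but addresses cannot fail over")
        by_mac = defaultdict(list)
        for name in sorted(members):
            s = members[name]
            if not {"UP", "RUNNING"} <= s["flags"]:
                findings.append(f"{name}: not UP and RUNNING")
            if len(members) > 1 and "NOFAILOVER" not in s["flags"]:
                findings.append(f"{name}: link-local address lacks NOFAILOVER")
            if "ether" in s:  # ether can be absent when ifconfig runs unprivileged
                by_mac[s["ether"]].append(name)
        for mac, names in by_mac.items():
            if len(names) > 1:
                findings.append(f"{', '.join(names)} share MAC {mac}: set local-mac-address?=true")
        report[group] = findings
    return report


if __name__ == "__main__":
    for group, findings in audit_ipmp(SAMPLE).items():
        print(group, findings or "OK")
```

Feed the function the text of `ifconfig -a` captured on the system being checked; a group that maps to an empty list passed all three checks.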


Configure a Singleton IPMP Group in IPv6

It is possible to configure an IPMP group that contains only one IPv6-enabled interface. This enables you to monitor the status of the interface by using IPMP and to receive notifications about the interface’s status, although it is not possible to fail the IPv6 addresses over onto another network interface.

With a single interface in the group, data addresses can never move to a different interface, and so are always associated with the monitored interface.

Configuring a Singleton IPMP Group in IPv6 on the Command Line

To create a singleton IPMP group, assign a multipath group name to the interface:

# ifconfig hme0 inet6 group singleton
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 128.0.0.1 netmask ff000000
hme0 flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        groupname singleton
        ether 8:0:20:b9:72:23
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:c1:4b:44
        inet6 fe80::a00:20ff:fec1:4b44/10
        groupname singleton
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:fec1:4b44/64
#

If the single interface will be included in an IPMP group with multiple interfaces in the future, you should also set the NOFAILOVER flag on the link-local address by using the -failover option.

Configuring a Singleton IPMP Group in IPv6 at System Boot

To create a singleton IPMP group at system boot, ensure that the interface configuration file contains the group option and the IPMP group name:

# cat /etc/hostname6.hme0
group singleton
#


Exercise 2: Configuring IPv6 Multipathing

In this exercise, you configure IPv6 multipathing.

Preparation

Unplumb any secondary interfaces that might be configured before beginning this exercise.

Refer to the lecture notes as necessary to perform the tasks listed.

Tasks

Complete the following steps.

Working on Any System

In this section of the exercise, you configure IPv6 multipathing on two interfaces on your systems. You use both interfaces for regular network traffic. That is, your system runs at half of its potential capacity in the event of a network failure on either of the two NICs. You can use any name that you choose for your multipath group.

1. View your system’s interface configuration to have a baseline before you make any changes to the system, so that you know the state of the system if you need to restore the system for any reason.

Write the command that you use:

_____________________________________________________________

2. Verify that your operating system release can support multipathing.

Write the command that you use:

_____________________________________________________________


3. Verify that your system is configured to use unique MAC addresses.

Write the command that you use:

_____________________________________________________________

What command do you use to cause your system to use unique MAC addresses?

_____________________________________________________________

Note – You must reboot the system for EEPROM changes to take place.

Write the name that you are going to assign to your multipath group:

_____________________________________________________________

4. Check your system for interfaces, and decide which interfaces you will use for multipathing.

Complete the following fields:

Multipath group name: _________________________

First interface: _______________________________

Second interface: _____________________________

IPv4 address for second interface: __________________

5. Configure your first interface as part of the multipath group that you will use.

Write the command that you use:

_____________________________________________________________

6. Use the ifconfig command to verify that the interfaces were configured as expected.

7. Configure a test address for your system’s first multipath interface, and set the failover option appropriately for a multipathing test address.

Write the command that you use:

_____________________________________________________________

8. Use the ifconfig command to verify that the interfaces were configured as expected.

Caution – Before performing the next step, bring down and unplumb any secondary interfaces that might be configured, as described in the preparation section at the beginning of this exercise.


9. Configure the IPv4 component of your system’s second interface. Be sure to use the plumb option to enable the interface. Assign an IP, netmask, and broadcast address, and assign it a status of up.

Write the command that you use:

_____________________________________________________________

10. Configure IPv6 on your system’s second multipathing interface. Be sure to use the plumb option to enable the interface, assign it to the multipath group, set an appropriate failover option to cause it to function properly as a multipathing test address, and assign it a status of up.

Write the command that you use:

_____________________________________________________________

11. Use the ifconfig command to verify that the interfaces were configured as expected.

12. Verify that the multipathing daemon is running.

13. Verify that the multipathing is working as expected. Use the ping command to send an echo request every second from any other IPv6 system to a site-local address on your system. While the ping command is running, simulate a network failure and disconnect the network interface cable connected to the interface that you are using the ping command to detect.

14. Plug in the cable, and notice that the output from the ping command continues without interruption when the interfaces fail back.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise 2 Solutions

The output in the following solution is specific to an individual system. Your results will be different depending upon the system on which you are working.

Task Solutions

This section provides solutions to the exercise tasks.

Working on Any System

In this section of the exercise, you configure IPv6 multipathing on two interfaces on your systems. You use both interfaces for standard network traffic. That is, your system runs at half of its potential capacity in the event of a network failure on either of the two NICs. You can use any name that you choose for your multipath group.

1. View your system’s interface configuration to have a baseline before you make any changes to the system, so that you know the state of the system if you need to restore the system for any reason.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        ether 8:0:20:b8:30:c8
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64
#


2. Verify that your operating system release can support multipathing.

# cat /etc/release
    Solaris 10 3/05 s10_74L2 SPARC
    Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 12 January 2005

This system can support multipathing because it is more recent than the Solaris 8 10/00 OS.

3. Verify that your system is configured to use unique MAC addresses.

# eeprom local-mac-address?
local-mac-address?=true
#

This system assigns unique MAC addresses to each interface.

What command do you use to cause your system to use unique MAC addresses?

# eeprom local-mac-address?=true
#

Note – You must reboot the system for EEPROM changes to take place.

Write the name that you are going to assign to your multipath group:

This solution uses a multipath group name of mp-demo.

4. Check your system for interfaces, and decide which interfaces you will use for multipathing.

Complete the following fields:

Multipath group name: _________________________

First interface: _______________________________

Second interface: _____________________________

IPv4 address for second interface: __________________

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        ether 8:0:20:b8:30:c8
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64
#

This solution demonstrates use of the hme0 and qfe1 interfaces. The qfe1 interface is not configured for any network traffic at this stage.

● Multipath group name – mp-demo

● First interface – hme0

● Second interface – qfe1

The IPv4 address used for the secondary interface will be the primary interface’s address plus 200. For example, 192.168.2.3 uses 192.168.2.203 for the secondary interface.

5. Configure your first interface as part of the multipath group that you will use.

# ifconfig hme0 inet6 group mp-demo
#

6. Use the ifconfig command to verify that the interfaces were configured as expected.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        groupname mp-demo
        ether 8:0:20:b8:30:c8
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
        groupname mp-demo
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64
#

Observe that the IPv4 interface has also joined the multipath group.

7. Configure a test address for your system’s first multipath interface, and set the failover option appropriately for a multipathing test address.

# ifconfig hme0 inet6 -failover
#


8. Use the ifconfig command to verify that the interfaces were configured as expected.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        groupname mp-demo
        ether 8:0:20:b8:30:c8
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
        groupname mp-demo
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64
#

Observe that only the IPv6 interface has a test address assigned to it.

Caution – Before performing the next step, bring down and unplumb any secondary interfaces that might be configured, as described in the preparation section at the beginning of this exercise.

9. Configure the IPv4 component of your system’s second interface. Be sure to use the plumb option to enable the interface. Assign an IP, netmask, and broadcast address, and assign it a status of up.

Write the command that you use:

# ifconfig qfe1 plumb 192.168.2.203 netmask 255.255.255.0 + broadcast + up
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        groupname mp-demo
        ether 8:0:20:b8:30:c8
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.2.203 netmask ffffff00 broadcast 192.168.2.255
        ether 8:0:20:b8:30:c9
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
        groupname mp-demo
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64

10. Configure the new IPv6 multipathing interface to be part of the multipathing group. Set an appropriate failover option to cause it to function properly as a multipathing test address and assign it a status of up.

# ifconfig qfe1 inet6 plumb group mp-demo -failover up
#

11. Use the ifconfig command to verify that the interfaces were configured as expected.

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.3 netmask ffffff00 broadcast 192.168.2.255
        groupname mp-demo
        ether 8:0:20:b8:30:c8
qfe1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.2.203 netmask ffffff00 broadcast 192.168.2.255
        groupname mp-demo
        ether 8:0:20:b8:30:c9
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 2
        ether 8:0:20:b8:30:c8
        inet6 fe80::a00:20ff:feb8:30c8/10
        groupname mp-demo
hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2000::2:a00:20ff:feb8:30c8/64
hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 fec0::2:a00:20ff:feb8:30c8/64
qfe1: flags=a000841<UP,RUNNING,MULTICAST,IPv6,NOFAILOVER> mtu 1500 index 3
        ether 8:0:20:b8:30:c9
        inet6 fe80::a00:20ff:feb8:30c9/10
        groupname mp-demo
qfe1:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 2000::2:a00:20ff:feb8:30c9/64
qfe1:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 3
        inet6 fec0::2:a00:20ff:feb8:30c9/64
#


12. Verify that the multipathing daemon is running.

# ps -ef | grep mpath
    root   480   273  0 12:34:29 console  0:00 grep mpath
    root   457     1  0 11:46:17 ?        0:00 # /usr/lib/inet/in.mpathd
#

Yes, the multipathing process is running as expected.

13. Verify that the multipathing is working as expected. Use the ping command to send an echo request every second from any other IPv6 system to a site-local address on your system. While the ping command is running, simulate a network failure, and disconnect the network interface cable connected to the interface that you are using the ping command to detect.

# ping -s fec0::2:a00:20ff:feb8:30c8
PING fec0::2:a00:20ff:feb8:30c8: 56 data bytes
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=0. time=1. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=1. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=2. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=3. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=4. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=5. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=14. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=15. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=16. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=17. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=18. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=19. time=0. ms
64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq=20. time=0. ms
<Control>-C
#

Notice that nine seconds’ worth of data from the ping command was lost, as can be seen by looking at the ICMP sequence numbers.

14. Plug in the cable, and notice that the output from the ping command continues without interruption when the interfaces fail back.
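Reading the outage off the ICMP sequence numbers in step 13 can be automated when the ping log is long. The following is an added example, not part of the original guide: the function names are hypothetical, the sample input is constructed to match the sequence numbers shown in step 13, and budget_s is an assumed acceptance threshold, for example the failure detection time configured for in.mpathd.

```python
import re

# Constructed sample: reply lines with the same icmp_seq values as the step 13
# output on this page (0-5, then 14-20), one echo request per second.
SAMPLE = "\n".join(
    f"64 bytes from fec0::2:a00:20ff:feb8:30c8: icmp_seq={n}. time=0. ms"
    for n in list(range(0, 6)) + list(range(14, 21))
)

REPLY = re.compile(r"icmp_seq=(\d+)")


def sequence_gaps(ping_output):
    """Return (last_before, first_after, missing) for each hole in icmp_seq."""
    # A set removes duplicated replies; sorting tolerates out-of-order replies.
    seqs = sorted({int(n) for n in REPLY.findall(ping_output)})
    return [(a, b, b - a - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def failover_report(ping_output, interval_s=1.0, budget_s=10.0):
    """Summarise reply loss and compare the longest silence with a budget.

    interval_s is the spacing of echo requests (one second in the exercise).
    budget_s is an assumption of this example, not a value from the page.
    """
    gaps = sequence_gaps(ping_output)
    worst = max(gaps, key=lambda g: g[2], default=None)
    # Silence is measured from the last reply before the hole to the first
    # reply after it, so 8 missing replies correspond to 9 seconds.
    silence = (worst[1] - worst[0]) * interval_s if worst else 0.0
    return {
        "gaps": gaps,
        "missing_replies": sum(g[2] for g in gaps),
        "longest_silence_s": silence,
        "within_budget": silence <= budget_s,
    }


if __name__ == "__main__":
    print(failover_report(SAMPLE))
```

On the step 13 data the report shows eight missing replies (icmp_seq 6 to 13) and a silence of nine seconds between the replies to icmp_seq 5 and 14.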


Module 9

Describing the Transport Layer

Objectives

This module describes Transport layer fundamentals, including the different characteristics of UDP and TCP. In addition, this module explains TCP flow control.

Upon completion of this module you should be able to:

● Describe Transport layer fundamentals

● Describe UDP

● Describe TCP

● Describe TCP flow control

The course map in Figure 9-1 shows how this module fits into the current instructional goal.

Figure 9-1 Course Map (Configuring the Network: Configuring IP, Configuring IP Network Multipathing, Configuring Routing, Configuring IPv6, Describing the Transport Layer)


Introducing Transport Layer Fundamentals

The Transport layer transports data to and from the correct application. This process is known as end-to-end communication. The Transport layer provides a transport service for application data. Figure 9-2 shows the position of the Transport layer in the TCP/IP network model.

Figure 9-2 Position of the Transport Layer in the TCP/IP Network Model (figure labels: TCP/IP Layers, Application Layer, Transport Layer, Internet Layer, Network Interface Layer, Hardware Layer)

Protocol Characteristics

There are two main protocols that operate at the Transport layer, TCP and UDP. To understand the differences between TCP and UDP, you must be familiar with the different characteristics of network protocols. The two protocols associated with the Transport layer, TCP and UDP, are provided by a kernel-loadable module. Application designers decide which transport protocol to use for their application.

Page 357: SCNA for Solaris10 (TCP-IP) Cx310-203

Introducing Transport Layer Fundamentals

Describing the Transport Layer 9-3Copyright 2005 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.1

Connection-Oriented Protocols

With connection-oriented protocols, you must establish a logical connection with the communication partner before exchanging data. Figure 9-3 illustrates how a connection-oriented protocol could work.

Figure 9-3 Connection-Oriented Protocol Logical Connection

This method of connection:

● Is highly reliable because of acknowledgements

● Requires more computational processing than connectionless protocols

● Has more overhead because of connection establishment and termination


Connectionless Protocols

Figure 9-4 illustrates how a connectionless protocol could work.

Figure 9-4 Connectionless Protocol

With connectionless protocols, establishing a connection before sending data is not necessary. Connectionless protocols transmit self-contained messages. Self-contained messages:

● Include the full message

● Do not require any response

The connectionless protocol method has virtually no reliability features, and therefore is best suited for use in highly reliable networks. This method also requires lower overhead because it has no connection and no setup requirements. This method is also suited to protocols that use a broadcast approach to transmit information. This avoids the protocol having to wait for multiple acknowledgements and having to know how many acknowledgements to expect.


Stateful Protocols

A stateful protocol is a protocol in which part of the data that is exchanged between the client and the server systems includes state information. Both systems keep track of the state of the communication session. Figure 9-5 illustrates how interaction in a stateful protocol could work.

Figure 9-5 Stateful Protocol

Stateless Protocols

A stateless protocol is a protocol in which neither the client nor the server system has an obligation to keep track of the state of the communication session. A stateless protocol does not support most reliability features; therefore, data that is sent can be lost or delivered out-of-sequence. Figure 9-6 illustrates how interaction in a stateless protocol could work.

Figure 9-6 Stateless Protocol

The advantages of a stateless protocol are that it has lower overhead and a degree of isolation between the client and the server. Connectionless protocols are typically stateless.


Reliable Protocols

A reliable protocol requires that each transmission is acknowledged by the receiving host. The sender retransmits, if necessary. Figure 9-7 shows how a reliable protocol could work.

Figure 9-7 Reliable Protocol (sender and receiver timeline; sender labels: Send Packet 1, Receive ACK, Send Packet 2, Receive ACK, Send Packet 3, Packet Lost, Timeout, Resend Packet 3; receiver labels: Receive Packet 1 and Send Acknowledgement (ACK), Receive Packet 2 and Send ACK, Receive Packet 3)


Unreliable Protocols

An unreliable protocol does not require that each transmission is acknowledged by the receiving host. Figure 9-8 shows how an unreliable protocol could work.

Figure 9-8 Unreliable Protocol (sender and receiver timeline; figure labels: Send Packet 1, Send Packet 2, Packet Lost, Send Packet 3, Send Packet 4)


Transport Protocols in TCP/IP

The Transport layer header includes a destination port number that identifies the destination application program on the remote machine and a source port number that identifies the application on the originating machine.

In addition, the Transport layer handles error detection, can handle recovery problems, and can regulate the flow of information. The way in which the Transport layer handles error detection, the sequence of data, and flow regulation depends on which protocol is used.

The TCP/IP protocol stack features two Transport layer protocols, TCP and UDP. Figure 9-9 shows an analogy that compares TCP and UDP.

Figure 9-9 TCP and UDP Analogy

[Diagram: analogy with panels labeled Certified (TCP) and Uncertified (UDP).]


Introducing UDP

UDP is a connectionless, stateless, and unreliable protocol. UDP is designed for applications that do not require a reliable Transport layer mechanism. UDP packets can be lost, duplicated, or delivered out-of-order. The application program that uses UDP is responsible for reliability, sequencing, and flow control, if required.

Purpose of UDP

UDP gives an application direct access to the Internet layer and includes the source and the destination port numbers. UDP does not require that the receiving host acknowledge transmissions. UDP has low overhead, and it is designed for high-speed applications that run on reliable networks. UDP is also used by Application layer protocols that transmit information by broadcast mechanisms.

UDP Datagram Header

UDP receives incoming data from the application and encapsulates the data in UDP datagrams. UDP datagrams have a leading header section, shown in Figure 9-10, that contains the source and destination port numbers, followed by the data section. UDP datagrams are sent to the Internet layer for encapsulation and delivery. Large UDP datagrams can be fragmented by IP.

Figure 9-10 UDP Header

[Diagram: header layout across bits 0 through 31. First 32-bit word: Source Port, Destination Port. Second 32-bit word: Length, Checksum.]
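The header in Figure 9-10 can be unpacked and sanity-checked in a few lines. The following is an added example, not part of the original guide: the function names and the sample datagram are constructed for illustration, and the checksum calculation over an IPv4 pseudo-header follows RFC 768 rather than anything shown on this page.

```python
import socket
import struct

UDP_HEADER_LEN = 8  # Source Port, Destination Port, Length, Checksum: 16 bits each


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit words, folding each carry back into the sum."""
    if len(data) % 2:
        data += b"\x00"  # pad to a whole number of 16-bit words
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header plus UDP header and data."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    checksum = ~ones_complement_sum(pseudo + segment) & 0xFFFF
    return checksum or 0xFFFF  # 0 on the wire means "no checksum computed"


def build_datagram(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Encapsulate application data behind an 8-byte UDP header."""
    length = UDP_HEADER_LEN + len(payload)
    unsummed = struct.pack("!HHHH", sport, dport, length, 0) + payload
    checksum = udp_checksum(src_ip, dst_ip, unsummed)
    return struct.pack("!HHHH", sport, dport, length, checksum) + payload


def parse_datagram(src_ip, dst_ip, raw: bytes) -> dict:
    """Unpack the header and reject datagrams whose Length field is inconsistent."""
    if len(raw) < UDP_HEADER_LEN:
        raise ValueError("truncated: shorter than the 8-byte UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", raw[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(raw):
        raise ValueError(f"Length field {length} does not fit {len(raw)} bytes received")
    segment = raw[:length]  # ignore any trailing bytes beyond the stated length
    if checksum == 0:
        checksum_ok = None  # sender did not compute one (permitted over IPv4)
    else:
        zeroed = segment[:6] + b"\x00\x00" + segment[UDP_HEADER_LEN:]
        checksum_ok = udp_checksum(src_ip, dst_ip, zeroed) == checksum
    return {"source_port": sport, "destination_port": dport, "length": length,
            "checksum_ok": checksum_ok, "data": segment[UDP_HEADER_LEN:]}


# Constructed sample: a 5-byte payload sent from port 40000 to port 53.
SAMPLE = build_datagram("192.168.1.1", "192.168.1.2", 40000, 53, b"hello")

if __name__ == "__main__":
    print(parse_datagram("192.168.1.1", "192.168.1.2", SAMPLE))
    damaged = SAMPLE[:-1] + b"x"  # one payload byte altered in transit
    print(parse_datagram("192.168.1.1", "192.168.1.2", damaged)["checksum_ok"])
```

Because UDP itself never retransmits, a receiver that finds a bad Length or checksum can only discard the datagram; recovery is left to the application.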


Introducing TCP

TCP is a connection-oriented, stateful, and reliable protocol.

TCP is suited for situations where large volumes of data must travel between systems, particularly across multiple routers and gateways. TCP has four main features:

● Virtual circuit connection

● Full-duplex connection

● Unstructured stream orientation

● Buffered transfer

TCP Segment Header

The TCP segment header has many fields. Figure 9-11 shows the segment header with its fields.

Figure 9-11 TCP Segment Header

Notice that the segment header includes sequence and acknowledgment numbers that are used for connection-oriented and stateful connections. Refer to RFC 793 and RFC 3168 for additional information.


Virtual Circuit Connection

TCP must establish a connection between the sender and receiver before the transmission can start. This is similar to making a phone call: the line must be established before you can begin to talk.

Full-Duplex Connection

TCP connections provide concurrent transfer in both directions. A full-duplex connection consists of two independent streams of data that flow in opposite directions. The TCP protocol software sends control information for one stream back to the source in the segments that carry data in the opposite direction. This process is called piggybacking, and it reduces network traffic.

Unstructured Stream Orientation

Data originating from the Application layer flows to TCP as a stream of bytes. This stream of bytes is divided into packets called segments. As seen previously, TCP segments have a leading header section that contains control information, source and destination port numbers, and a data section. The content in the data section is not read or translated by TCP. TCP then sends the segments to the Internet layer for encapsulation and delivery.

Buffered Transfer

Data that comes from the application is a flowing stream. Data can flow fast or slow. To ensure the efficient flow of data to and from the application, TCP provides both input and output buffers to regulate the flow of data. The input and output buffers also enable the application to see TCP as a full-duplex connection.


Introducing TCP Flow Control

TCP is more than a basic send-receive-acknowledge-send progression. TCP has sophisticated algorithms to optimize flow control on both the sender side and the receiver side. The algorithm that implements flow control on both the sender side and the receiver side follows what is known as the sliding window principle.

Receiver-Side Window Advertisements

A TCP window advertisement determines the maximum amount of data that can be sent before the sender must wait for an acknowledgement from the receiver. By advertising its window size, the receiving side manages flow control. With window advertisements, the receiving host continually informs the sending host of how much data it is prepared to receive.

Each TCP segment from the receiving side carries an acknowledgement and a window advertisement. Each acknowledgement specifies that a particular segment was received, and each window advertisement specifies how many additional bytes the receiver is prepared to accept. The size contained in the window advertisements varies over time; therefore, it is considered a sliding window.

Sender-Side Congestion Window

To avoid network congestion, TCP maintains a congestion window on the sending side. The congestion window adjusts the amount of data that can be sent according to the number of segments that were recently lost or acknowledged in transit. Lost segments are detected if a transmission timeout occurs before an acknowledgement for the segment is received.

As acknowledgements begin to be received, TCP doubles the size of the congestion window. If congestion is detected, TCP reduces the congestion window size by one-half. If congestion continues, the congestion window can be reduced in size by one-half multiple times.

Depending upon the severity of the congestion, TCP can use either a slow-start or congestion-avoidance algorithm to begin to increase the size of the congestion window. The slow-start algorithm quickly increases window size by doubling it for each successful transmission. The congestion-avoidance algorithm slowly increases the window's size by increasing it only one segment at a time for each successful transmission.
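The window behavior described in the two subsections above, as an added example that is not part of the original guide. It is a simplified per-round model of this page's description (double in slow start, add one segment in congestion avoidance, halve on loss, never send more than the receiver advertises); the function name, the ssthresh threshold variable, and the sample values are assumptions, and real TCP implementations differ in detail.

```python
from dataclasses import dataclass


@dataclass
class Round:
    number: int   # transmission round (one window sent, then acknowledged or lost)
    cwnd: int     # congestion window at the start of the round, in segments
    sent: int     # segments actually sent this round
    event: str    # "slow-start", "congestion-avoidance" or "loss"


def simulate(rounds, loss_rounds, rwnd, ssthresh, cwnd=1):
    """Return the per-round history of the sender's window.

    rounds      -- number of rounds to simulate
    loss_rounds -- set of round numbers in which a timeout (lost segment) occurs
    rwnd        -- window advertised by the receiver, in segments (held constant)
    ssthresh    -- assumed threshold at which slow start hands over to
                   congestion avoidance
    """
    history = []
    for number in range(1, rounds + 1):
        # The sender may not exceed either window.
        sent = min(cwnd, rwnd)
        if number in loss_rounds:
            event = "loss"
            next_cwnd = max(cwnd // 2, 1)   # reduce the window by one-half
            ssthresh = next_cwnd            # grow cautiously from here on
        elif cwnd < ssthresh:
            event = "slow-start"
            next_cwnd = min(cwnd * 2, ssthresh)   # double per successful round
        else:
            event = "congestion-avoidance"
            next_cwnd = cwnd + 1            # one segment per successful round
        history.append(Round(number, cwnd, sent, event))
        cwnd = next_cwnd
    return history


if __name__ == "__main__":
    # Constructed scenario: receiver advertises 12 segments, a timeout in round 6.
    for r in simulate(rounds=10, loss_rounds={6}, rwnd=12, ssthresh=16):
        print(f"round {r.number:2}  cwnd={r.cwnd:2}  sent={r.sent:2}  {r.event}")
```

In rounds 5 and 6 of the sample run the congestion window is larger than the advertised window, so the receiver, not the network, limits what is sent.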


TCP Large Window

The Solaris 10 OS implements RFC 1323, which permits larger TCP window advertisement sizes to enhance performance over high-delay, high-bandwidth networks, such as satellite networks.

A standard TCP header uses a 16-bit field to report the receiver window size to the sender. Therefore, the largest window that can be used is 2^16 or 64 kilobytes (Kbyte). RFC 1323 introduces a mechanism to increase the window size to 2^30 or 1 gigabyte (Gbyte).


Exercise: Describing the Transport Layer

In this exercise, you:

● Define Transport layer terms

● Describe why an application programmer uses an unacknowledged transmission protocol

● Review the differences between TCP and UDP

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Tasks

Complete the following steps:

1. Match the terms to their definition.

_____ Sliding window
_____ UDP
_____ Connection-oriented protocol
_____ TCP

a. A protocol that establishes a communication session before sending data
b. A reliable, stateful, and connection-oriented Transport layer protocol
c. An unacknowledged Transport layer protocol
d. A principle that optimizes TCP flow control

2. Why would an application programmer use an unacknowledged transmission protocol?

____________________________________________________________

____________________________________________________________


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to the exercise are as follows:

1. Match the terms to their definition.

d Sliding window
c UDP
a Connection-oriented protocol
b TCP

a. A protocol that establishes a communication session before sending data
b. A reliable, stateful, and connection-oriented Transport layer protocol
c. An unacknowledged Transport layer protocol
d. A principle that optimizes TCP flow control

2. Why would an application programmer use an unacknowledged transmission protocol?

UDP has less overhead than TCP. UDP is best suited for short bursts of communication or broadcast communication.


Module 10

Configuring DNS

Objectives

This module describes the basic components of DNS, including the Berkeley Internet name domain (BIND), top-level domains, zones of authority, server types, the name resolution process, and resource records. This module also describes DNS configuration, including gathering needed information, editing the BIND configuration file and other relevant files, and performing basic troubleshooting procedures.

Upon completion of this module, you should be able to:

● Describe the basics of DNS

● Configure a DNS server

● Troubleshoot a DNS server by using basic utilities

The course map in Figure 10-1 shows how this module fits into the current instructional goal.

Figure 10-1 Course Map

[Diagram: Configuring and Managing Network Applications: Configuring the Solaris™ IP Filter Firewall, Configuring DNS, Configuring DHCP, Configuring NTP.]


Introducing DNS Basics

The DNS name space is composed of a set of hierarchical domains arranged in a manner similar to the branches of an inverted tree.

BIND

BIND is the most frequently used implementation of DNS in the UNIX environment. The Solaris 10 OS implements the BIND 9, version 9.2.4 software.

Note – Earlier versions of the Solaris OS implemented the BIND 8 software. In BIND 8 the daemon is /usr/sbin/in.named. In BIND 9 the daemon is /usr/sbin/named.

The latest versions of the BIND software are available from the Internet Systems Consortium's (ISC) Web site, http://www.isc.org/. You can download and compile the latest version; however, Sun Microsystems, Inc. does not support this action.

Top-Level Domains

A domain:

● Is a collection of names that identifies network hosts and is a logical, not physical entity. A domain is maintained by a group of administrators. A single network can consist of hosts that belong to many different domains.

● Is an index for looking up information in the DNS distributed database.

● Can be branches or leaves in the DNS tree. Branches represent collections of names in a common domain. Leaves represent individual nodes and are considered domains unto themselves.

● Represents nodes or systems by name in the DNS naming tree, which might not be in physical proximity. In other words, a domain can span a large physical area.

● Can be broken into subdomains and can delegate authority for those subdomains to another group of administrators.


The top of the DNS hierarchy contains a nameless root domain. This domain is a place holder containing names and servers for the top-level domains. The IANA controls the root domain. The ICANN non-profit group is the governing body of all IP address assignments and domain names and controls the root domain.

Top-level domains are below the root domain. Top-level domains (TLDs) currently include domains such as com, edu, gov, org, and arpa. All top-level domains are currently controlled by the ICANN. The proposals for new TLDs are available at the http://www.icann.org/tlds URL. Table 10-1 shows top-level domains and their descriptions.

Top-level domains have two main categories: organizational domains and geographical domains. Organizational domains are based on the function or the purpose of the domain. Geographical domains are based on the physical location of the domain.

Second-level domains are below the top-level domains. The second level is usually the first place that the ICANN delegates authority for a domain to some other local organization. The ICANN, available at the http://www.icann.org Web site, authorizes domain registrars to sell domain names. The second-level domain, sun.com, for example, is controlled by administrators of Sun Microsystems, not ICANN.

Table 10-1 DNS Top-Level Domain Examples

Domain   Description
com      Commercial organizations (predominately in the United States (U.S.))
edu      Educational organizations
gov      Governmental organizations (U.S.)
mil      Military organizations (U.S.)
net      Networking organizations and ISPs
org      Non-profit and other organizations
arpa     Reverse address lookups
ca       Country-based domains, Canada in this example


An organization can break up its second-level domains into lower-level domains. This is usually done on an organizational, political, or as-needed basis. For example, a large, multinational corporation might divide its domain into country-based domains. A university might divide its domain into department-based domains.

Lower-level domains can be split into more lower-level domains as needed. All domains are subject to naming length restrictions. There is a 255-character maximum for a fully qualified domain name (FQDN), and a 63-character limit for an individual domain name. Fully qualified is analogous to an absolute path in a file name.

Zones of Authority

In addition to dividing the name space into administrative domains, the name space also divides into various zones of authority. These zones:

● Are the portion of the name space for which a server is authoritative (that is, contains information for domains over which the server has naming control in the form of resource records in the servers' configuration files)

● Consist of at least one domain and its associated data

● Can span one or more domains

Server Types

DNS implements name resolution. The following are some of the more common server types, which are described in more detail in this section. Note that a single system can fulfill more than one role. For example, a system might be a primary server for one zone and a secondary server for a different zone. All servers also cache information.

The types of server are:

● Root servers

● Primary servers

● Secondary servers

● Caching-only servers

● Forwarding servers


Root Servers

Root servers maintain data about each of the top-level zones. There are (as of September, 2004) 13 root servers. Of these servers, nine serve the root and top-level domains, and four serve the root domain only. ICANN maintains the root servers, and the servers are moved to a common domain for consistent naming purposes. The root servers are currently named A.root-servers.net., B.root-servers.net., and so on.

You can download a current copy of the named.root file, which contains a list of the current root servers, from the ftp://ftp.rs.internic.net/domain/named.root URL.

Primary Servers

Each DNS zone must have a primary server. Although DNS does not prohibit having more than one primary server, maintaining multiple primary servers is difficult and is prone to having errors occur; therefore, it is not frequently done. In the /etc/named.conf file, the keyword master indicates the primary server.

Primary servers have the following features:

● They are the system on which all changes are made to the zone.

● They are authoritative servers for all zones that they serve. (See the following sections for definitions of authoritative and non-authoritative servers.)

● They provide update information and synchronize secondary servers when the secondary servers request information.

● They can specify the delegation of authority for subdomains.

Secondary Servers

Each domain should have at least one secondary server. The ICANN does not permit a domain to be registered officially as a subdomain of a top-level domain until a site demonstrates two working DNS servers.


Secondary servers have the following features:

● There can be one or more secondary servers per zone.

● They obtain a copy of the zone information through zone transfers for all domains that they serve from the appropriate primary server or from another secondary server for the zone.

● They are authoritative for all of the zones that they serve; that is, their answers to queries are considered highly accurate.

Caching-Only Servers

All DNS servers cache information for any domain for which they are not authoritative. Caching-only servers are servers that are not authoritative for any zone, but instead cache responses from other, authoritative, name servers. Over time, the size of the cache grows.

Caching-only servers have the following features:

● They provide a rich cache of the most commonly accessed namespace information.

● They are never authoritative for any domain, with the exception of the loopback address.

● They reduce overhead that is associated with secondary servers that perform zone transfers from primary servers.

● They permit DNS client access to naming information that is locally cached without the expense of setting up a primary or a secondary DNS server.

Forwarding Servers

Forwarding servers are DNS servers intended to act as focal points for all off-site DNS queries. Off-site queries are queries for remote information. Designating a server as a forwarding server causes all off-site requests to initially consult the forwarding server or servers, and to wait for a reply. If no reply is received from the forwarders, the name server resumes normal operations and contacts the remote name servers itself.

Forwarding servers have the following features:

● All off-site queries go through forwarders first.

● The server that is used as a forwarder builds up a rich cache of information, which reduces the number of redundant off-site requests.


● Special setup on forwarders is not required.

● Servers using forwarders are configured by adding a forwarders directive to the /etc/named.conf file on the local servers.

● The local server can still contact the remote site if forwarders fail to respond to queries.

Note – If a name server uses the directive forward only in addition to the forwarders directive, then the name server may not contact remote name servers on its own.

Answer Types

Answers that are returned from DNS servers can be described as authoritative or non-authoritative.

Answers from authoritative DNS servers are:

● Sourced from a disk-based file.

● Usually correct. Because humans administer the DNS, it is possible for incorrect data to enter the DNS database.

Answers from non-authoritative DNS servers are:

● Sourced from a server cache

● Usually correct

● Can be incorrect if the server's cache contains stale data

Name-Resolution Process

DNS name resolution is the process of translating a domain name to an IP address or translating an IP address to a domain name.

Name resolution begins with client-side resolver code. Resolver code is built into the operating system libraries and is available to programs that use system interface calls.


Client-resolver code:

● Does not cache any information

● Queries the DNS servers that are specified in the /etc/resolv.conf file

● Is activated by a reference to DNS in the /etc/nsswitch.conf file hosts entry


A DNS client uses the following steps to query a name server to resolve name-to-address or address-to-name requests. Figure 10-2 shows a client attempting to resolve the ftp.internic.net name to an IP address.

Figure 10-2 DNS Name Resolution Process

[Diagram: steps 1 through 12. The client consults the /etc/nsswitch.conf file, the /etc/inet/hosts file, the LDAP hosts database, and the /etc/resolv.conf file; the local name server, with its cache, then queries the root name server, the net. name server, and the internic.net. name server.]


The following describes the DNS name-resolution process where the /etc/nsswitch.conf file has the following contents:

    # cat /etc/nsswitch.conf
    ...
    hosts: files ldap dns
    ...
    #

The /etc/inet/hosts file has the following contents:

    # cat /etc/inet/hosts
    # Internet host table
    127.0.0.1 localhost loghost
    192.168.30.31 sys11ext # router to get to instructor
    192.168.1.1 sys11
    #

The following steps describe the DNS name-resolution process.

1. The client system consults the /etc/nsswitch.conf file to determine the name resolution order. In this example, the order is the local file, the Lightweight Directory Access Protocol (LDAP) server, and then the DNS server.

2. The client system consults the local /etc/inet/hosts file and does not find an entry.

3. The client system sends a query asking for the IP address of the Internet name, ftp.internic.net., to the LDAP server and finds no address.

4. The client system consults the /etc/resolv.conf file to determine the name resolution search list and the address of the DNS servers.

5. The client system resolver routine sends a recursive DNS query asking for the IP address for the Internet name, ftp.internic.net., to the local DNS server. A recursive query states: “I will wait for the answer, and you do all of the work.” The client waits until the local server completes name resolution.

6. The local DNS server consults the contents of its cached information in case this query has been recently resolved. If the address is in the local cache, it is returned to the client as a non-authoritative answer.


7. If the local DNS server does not have cached information about the net or internic domains, it contacts one of the root servers and sends an iterative query. An iterative query states: “Send me the best answer you have, and I will do all of the work.” In this example, the assumption is that the answer is not cached and that a root server must be contacted.

8. The root server returns the best information it has. In this case, the only information you are guaranteed is that the root server has the names and addresses of all the net domain servers. The root server returns these names and addresses along with a TTL value that specifies how long the local DNS server can cache this information.

9. The local DNS server contacts one of the net domain servers returned from the previous query and transmits the same iterative query that was previously sent to a root server.

10. The net domain server that is contacted returns the best information it has, which are the names and addresses of the internic.net servers and a TTL value.

11. The local DNS server contacts one of the internic.net domain servers and makes the same query for the IP address for the Internet name, ftp.internic.net.

12. An internic.net server returns the IP addresses of the Internet name, ftp.internic.net, along with a TTL value.

The local DNS server returns the requested address to the client system, and the client can proceed.
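The twelve steps above, as an added example that is not part of the original guide: a small simulation of the lookup order from the hosts entry, the local server's recursive service with a TTL-bound cache, and the iterative referrals from root to net. to internic.net. The server table, the 192.0.2.10 address, the TTL of 3600 seconds, and all function and class names are constructed for illustration; no network traffic is sent.

```python
NSSWITCH_HOSTS = "hosts: files ldap dns"   # the entry shown above
HOSTS_FILE = """\
# Internet host table
127.0.0.1 localhost loghost
192.168.30.31 sys11ext # router to get to instructor
192.168.1.1 sys11
"""

# Constructed name servers: each knows an address or whom to ask next.
SERVERS = {
    "root": {"refer": {"net.": "net."}, "hosts": {}},
    "net.": {"refer": {"internic.net.": "internic.net."}, "hosts": {}},
    "internic.net.": {"refer": {}, "hosts": {"ftp.internic.net.": "192.0.2.10"}},
}
TTL = 3600  # constructed TTL, in seconds, returned with every reply


def parse_hosts(text):
    """Map every name and alias in an /etc/inet/hosts file to its address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        for host in fields[1:]:
            table[host] = fields[0]
    return table


def iterative_query(server, name):
    """One server returns the best answer it has: an address or a referral."""
    zone = SERVERS[server]
    if name in zone["hosts"]:
        return "answer", zone["hosts"][name], TTL
    for suffix, target in zone["refer"].items():
        if name == suffix or name.endswith("." + suffix):
            return "referral", target, TTL
    return "nxdomain", None, TTL


class LocalServer:
    """The local name server: does all of the work on behalf of the client."""

    def __init__(self):
        self.cache = {}   # name -> (address, time at which the entry expires)
        self.trace = []   # (server asked, kind of reply), for inspection

    def recursive_query(self, name, now=0):
        """Return (address, from_cache). Cached answers are non-authoritative."""
        cached = self.cache.get(name)
        if cached and cached[1] > now:              # step 6
            return cached[0], True
        server = "root"                             # step 7
        while True:
            kind, value, ttl = iterative_query(server, name)
            self.trace.append((server, kind))
            if kind == "referral":                  # steps 8 through 11
                server = value
            elif kind == "answer":                  # step 12
                self.cache[name] = (value, now + ttl)
                return value, False
            else:
                return None, False


def resolve(name, nsswitch_line, hosts_text, ldap_hosts, dns, now=0):
    """Try each source in the hosts entry in order; return (address, source)."""
    hosts = parse_hosts(hosts_text)
    for source in nsswitch_line.split(":", 1)[1].split():   # step 1
        if source == "files":                                # step 2
            address = hosts.get(name)
        elif source == "ldap":                               # step 3
            address = ldap_hosts.get(name)
        elif source == "dns":                                # steps 4 and 5
            address, _from_cache = dns.recursive_query(name, now)
        else:
            continue
        if address:
            return address, source
    return None, None


if __name__ == "__main__":
    dns = LocalServer()
    print(resolve("ftp.internic.net.", NSSWITCH_HOSTS, HOSTS_FILE, {}, dns))
    print(dns.trace)
```

A second query before the TTL expires is answered from the cache without contacting any remote server, which is also why a stale or incorrect cached entry keeps being served until it expires.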

Resource Records

Resource records are entries contained in the name server zone files and are not case sensitive. A resource record can contain information that pertains to a particular domain, including the server addresses, cache time-out values, and the email address of the DNS administrator. Resource records can also include information about a particular system including its IP address, its domain name, and its contact information.

Although each type of resource record has specific syntax, the general format of any resource record is:

    [name] [ttl] class type data


Resource records have the fields shown in Table 10-2.

Table 10-2 Resource Record Fields

Field    Description

name     Specifies the domain name for which the resource record is defining information. Because DNS is a distributed database, this record also defines the possible key values that are used in DNS queries. The sys12.one.edu and one.edu names are examples of domain names.

ttl      Specifies the cache TTL value that is given to remote DNS servers when they query the information specified by this record. This value is expressed in seconds, days, hours, and so on. An example is 86400, which represents one day in seconds, which can also be expressed as 1d.

class    Specifies the type of network. The examples in this module only use the IN or Internet class.

type     Specifies the type of information that is defined for the domain in field 1. Table 10-3 on page 10-13 shows commonly used resource record types.

data     Defines the appropriate data for this resource record and depends on the record type specified in field 4, the type field. Some record types specify a single argument in this field, and other record types specify multiple arguments in this field. Examples of a record type with multiple arguments include a host name, an IP address, and an email address.

Depending on the record type and other shortcuts being taken, not all of the fields are always required.

Record Types

DNS zone files can contain blank lines and comments. Comments begin with a semicolon.


Table 10-3 shows examples of record types and their purposes.

Table 10-3 Examples of Resource Record Types

Record Type   Purpose

$TTL     The $TTL record identifies the cache TTL value that remote DNS servers receive when they query the information specified by this record.

SOA      The start of authority (SOA) record identifies the primary name server, contact information, and default cache TTL values for all resource records in the domain.

NS       The name server (NS) record specifies the name server for a domain.

A        The address (A) record specifies an IP address for a host name.

PTR      The pointer (PTR) record specifies a host name for an IP address (used for inverse lookups and IP address-to-host names).

CNAME    The canonical name (CNAME) record defines a host name alias (www can substitute for a specific host name).

AAAA     The quad-A (AAAA) record specifies an IPv6 address for a host name.

Following are examples of resource record types:

● The SOA resource record type:

    $TTL 8h
    . IN SOA instructor.thirty.edu. root.instructor.thirty.edu. (
            20040923 ; version number
            10800    ; refresh (3hrs.)
            3600     ; retry (1hr.)
            691200   ; expire (8days)
            3600 )   ; negative caching info. kept for 1 hour

● The NS resource record type:

    one.edu. IN NS sys12.one.edu.

● The A resource record type:

    sys12.one.edu. IN A 192.168.1.2


● The PTR resource record type:

    2.1.168.192 IN PTR sys12.one.edu.

● The CNAME resource record type:

    www.one.edu. IN CNAME sys12.one.edu.

The $TTL directive identifies the cache TTL value that remote DNS servers receive when they query the information specified by this directive. This directive, or control statement, was not available for use until BIND 8.2.x versions.
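The general format [name] [ttl] class type data, the $TTL directive, and the name length limits given earlier in this module can be checked mechanically before a zone file is loaded. The following is an added example, not part of the original guide and not BIND's own parser: the function names are assumptions, the sample zone is constructed from the record examples above, reuse of the previous name when a line starts with white space is standard zone-file behavior (RFC 1035), and quoted strings containing semicolons are not handled.

```python
import re

RECORD_TYPES = {"SOA", "NS", "A", "PTR", "CNAME", "AAAA"}  # the types in Table 10-3
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample zone, assembled from the record examples on this page.
SAMPLE_ZONE = """\
$TTL 8h
one.edu.       IN SOA sys12.one.edu. root.sys12.one.edu. (
                      20040923 ; version number
                      10800    ; refresh (3hrs.)
                      3600     ; retry (1hr.)
                      691200   ; expire (8days)
                      3600 )   ; negative caching info. kept for 1 hour
               IN NS  sys12.one.edu.   ; name omitted: same name as the line above

sys12.one.edu. 1d IN A 192.168.1.2
www.one.edu.   IN CNAME sys12.one.edu.
"""


def ttl_seconds(text):
    """Return a TTL such as '86400', '8h' or '1d' in seconds, or None if not a TTL."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", text.lower())
    if match is None:
        return None
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def check_name(name):
    """Apply the limits stated in this module: 255 characters per FQDN, 63 per label."""
    if len(name) > 255:
        raise ValueError(f"domain name longer than 255 characters: {name[:40]}...")
    for label in name.rstrip(".").split("."):
        if len(label) > 63:
            raise ValueError(f"label longer than 63 characters in {name[:40]}...")


def logical_lines(text):
    """Strip ';' comments and blank lines; join a parenthesised record into one line."""
    parts, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        parts.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(parts)
            parts = []


def parse_zone(text):
    """Parse records of the form: [name] [ttl] class type data."""
    default_ttl, last_name, records = None, None, []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = ttl_seconds(fields[1])
            continue
        if line[0].isspace():        # name omitted: reuse the previous record's name
            if last_name is None:
                raise ValueError("first record has no name")
            name = last_name
        else:
            name = fields.pop(0).lower()   # resource records are not case sensitive
            check_name(name)
            last_name = name
        ttl = default_ttl
        if fields and ttl_seconds(fields[0]) is not None:
            ttl = ttl_seconds(fields.pop(0))   # a per-record ttl overrides $TTL
        if len(fields) < 3:
            raise ValueError(f"incomplete record: {line.strip()}")
        rr_class, rr_type, data = fields[0].upper(), fields[1].upper(), fields[2:]
        if rr_class != "IN" or rr_type not in RECORD_TYPES:
            raise ValueError(f"unsupported class or type: {rr_class} {rr_type}")
        records.append({"name": name, "ttl": ttl, "class": rr_class,
                        "type": rr_type, "data": data})
    return records


if __name__ == "__main__":
    for record in parse_zone(SAMPLE_ZONE):
        print(record)
```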


Configuring a DNS Server

The DNS server daemon is the /usr/sbin/named process. This daemon provides a service in the SMF. The named daemon is started at boot time only if the /etc/named.conf file exists and the appropriate SMF service is enabled.

The following svcs command is used to determine the status of the DNS-related services:

    # svcs -a | grep dns
    disabled Oct_22 svc:/network/dns/client:default
    disabled Oct_22 svc:/network/dns/server:default

The following svcadm commands enable the DNS naming service and the default client service:

    # svcadm enable svc:/network/dns/server:default
    # svcadm enable svc:/network/dns/client:default

    # svcs -a | grep dns
    online 23:02:34 svc:/network/dns/client:default
    online 23:08:27 svc:/network/dns/server:default

Note – The DNS client service will not start any new processes, but when enabled, checks that the system is configured as a DNS client with an /etc/resolv.conf file. Other services used for managing applications and daemons that require DNS, such as LDAP, will have a dependency on the DNS client service to ensure that the system is a DNS client.

Gathering Information

When you configure a DNS server, supply the server with the following types of information:

● The names and addresses of root servers.

● The information required to resolve all domains for which the server is authoritative. This information consists of name-to-address translations.


● The information needed to resolve all reverse domains for which the server is authoritative. This information consists of address-to-name translations.

● The names and addresses of servers for all domains that are one level below the domains being served by this server. This information is sometimes referred to as parenting or delegating.

Editing the BIND Configuration File

BIND version 8.x.x and later versions use a new configuration file, /etc/named.conf, that replaced the /etc/named.boot file used in versions 4.9.x and earlier. A BIND version 4.9.x named.boot file can be converted to a named.conf file by running the /usr/sbin/named-bootconf script.

The /etc/named.conf file contains statements that:

● Indicate the location of the file that includes the root servers

● Establish the server as a primary, a secondary, or a caching-only server

● Specify the server’s zones of authority

● Indicate the location of the server’s data files

● Apply security selectively for specific zones

● Define logging specifications

● Apply options selectively for a set of zones

The named daemon reads the /etc/named.conf file when the daemon is started by the SMF. The configuration file directs the named daemon either to other servers or to local data files for a specified domain.

The /etc/named.conf file contains statements and can contain comments. Statements end with a semicolon (;), they can contain a block of statements enclosed within curly braces ({}), and each statement in the block is terminated with a semicolon (;). Comments can start with /* and end with */, can follow either # or //, and can extend to the end of the line.


Table 10-4 shows /etc/named.conf statements and their definitions.

Table 10-4 Statement Definitions for the /etc/named.conf File

Statement    Definition

acl          Defines a named IP address match list used for access control. The address match list designates one or more IP addresses or IP prefixes. The named IP address match list must be defined by an acl statement before it can be used elsewhere. No forward references are permitted.

options      Controls global server configuration options, and sets default values for other statements.

zone         Defines a zone. It applies options selectively on a per-zone basis, rather than to all zones.


Figure 10-3 shows the contents of the /etc/named.conf file.

Figure 10-3 The /etc/named.conf File (the /var/named directory holds the named.root, forward.zone, reverse.rzone, and loop.back files that /etc/named.conf references)

options {
    DIRECTORY "/var/named";
};
acl "nets" {
    {192.168.1.0/24;};
};
zone "." in {
    type hint;
    file "named.root";
};
zone "one.edu" in {
    type master;
    file "forward.zone";
    allow-transfer {"nets";};
};
zone "1.168.192.in-addr.arpa" in {
    type master;
    file "reverse.rzone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "loop.back";
};
/* This is a comment */
// This is a comment
# This is a comment


Editing the named.root File

The /var/named/named.root file specifies name-to-address mappings for the root servers.

The information in this file is described as hints to the named daemon because the daemon attempts to contact one of the root servers listed until one of the servers responds. The responding root server returns a list of root servers. The named daemon uses this list that is returned from the root server and does not use the servers that are specified in the hints file again until the TTL value expires on the cached root-server information.

Accordingly, it is not imperative that this file be precisely up-to-date, but it should be checked every few months because root servers change from time to time.

The following is a modified (the IN entries for servers D–L have been removed in order to conserve space on this page) excerpt taken from the named.root file available at the ftp://ftp.rs.internic.net/domain/named.root URL:

; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000  IN  NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
< Part of file truncated>
; housed in Japan, operated by WIDE
;
.                        3600000  IN  NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File


In the first record:

● The dot (.) in the first field denotes the root domain.

● The TTL field is 3600000 seconds. This field is historic and is not used in this file.

● The IN class stands for Internet.

● The NS record type indicates that a name server is being defined for the root domain.

● The fifth field of the first record (the data field) is the FQDN of a root server. Note the trailing dot associated with this field.

In the second record:

● The first (domain) field contains the FQDN of the root server that is defined in the previous record.

● The TTL field is 3600000 seconds. This field is historic and is not used in this file.

● The record type, A, contains an IP address.

● For A records, the fourth data field contains the IP address of the root server that is specified in the first field.

The NS and A records combine to define the name and address of a single root server. This file specifies additional pairs of records, as appropriate.


Editing the Forward Domain File

The forward domain file (db.one.edu, in this example) contains the mappings of host names to IP addresses for all systems in the domain that are being served by this name server. In addition, this file must specify an SOA record and NS records for all name servers for this domain. See Figure 10-3 on page 10-18 for more information on this example.

$TTL 86400

;{name}    {ttl}    Class    SOA    Origin    Postmaster
;----------------------------------------------------------------------------------
@          IN    SOA    sys12.one.edu. root.sys12.one.edu. (
                        2005010101 ; Serial
                        3600       ; Refresh (1 Hour)
                        1800       ; Retry (30 Minutes)
                        6048000    ; Expire (1 Week)
                        86400 )    ; Minimum (24 Hours)

;
;{name}    {ttl}    Class    NS    Nameserver Name
;------------------------------------------------------
           IN    NS    sys12.one.edu.
           IN    NS    sys13.one.edu.

;
;{name}    {ttl}    Class    A    IP Address
;-------------------------------------------------
sys11      IN    A    192.168.1.1
sys12      IN    A    192.168.1.2
sys13      IN    A    192.168.1.3
sys14      IN    A    192.168.1.4

localhost  IN    A    127.0.0.1

;
;{name}    {ttl}    Class    CNAME    Canonical Name
;-------------------------------------------------------
router     IN    CNAME    sys11
dns        IN    CNAME    sys12

The $TTL directive sets the default time to live for the zone’s information to eight hours.


The SOA record is mandatory and has the following items:

● An at sign (@) in the name field – This is a shortcut for the domain that is being served (one.edu. in this case). The actual value for the @ comes from the second field of the appropriate record in the named.conf file that references this file. The @ also defines the default origin that determines the domain appended to any partially qualified domain name in the configuration file’s resource records.

● Data field argument 1 (sys12.one.edu.) – This is the name of the primary master server for this domain in FQDN format.

● Data field argument 2 (root.sys12.one.edu) – This is an email address, in the format of DNS_admin_name.domain_name, that you can use to report problems with the domain. The administrator is usually the root user, as shown in this example. Note that the @ is replaced with a dot in the SOA record because the @ has special meaning in this file.

● Data field argument 3 – This is the version (Serial) number that the secondary slave servers use to determine if they need to perform a zone transfer to get a fresh copy of zone data. Any time you make changes to this file, remember to update this number in such a way that it gets larger. It is always safe to start at 1 and add 1 with each change, or to use today’s date.

● Data field argument 4 – The refresh timer is the time interval, in seconds, after which the secondary servers should check to determine if the serial number has changed, and, if it has, a zone transfer needs to occur.

● Data field argument 5 – The retry timer is the time interval, in seconds, after which the secondary servers check back if a normal refresh failed. This timer is usually set to a smaller value than the refresh timer.

● Data field argument 6 – The expire timer is the time interval in seconds after which, if a secondary server cannot contact the primary server or another secondary server, the entire zone data should be discarded. This prevents the secondary servers that have lost contact with the rest of the name servers from continuing to give out potentially stale information.

● Data field argument 7 – The negative caching timer (Minimum) is the default value of time that the server keeps negative responses from other authoritative servers.

You should define an NS record for all name servers in this domain that you want to be recognized by DNS servers.


Most of the remaining resource records are address records for each system in the domain. Most of the host names are not fully qualified. The names that are not fully qualified have the domain name origin (the value of the @ in the SOA record by default) appended to them. This shorthand method can save typing and improve the readability and maintainability of the file.

The CNAME record defines host aliases, or nicknames for hosts. The CNAME record in this instance is similar to the following entry in a /etc/inet/hosts file:

192.168.1.1 sys11 router

The localhost entry specifies the loopback address for all hosts.


Editing the Reverse Domain File

Reverse domain files (db.192.168.1, in this example) contain mappings for address-to-name translation. Address-to-name translation is important and is used by various utilities, such as NFS, web servers, BIND, and sendmail.

The following is an example of a reverse domain file:

; Information for the "reverse" domain 1.168.192.in-addr.arpa.
$TTL 86400

;
;{name}    {ttl}    Class    SOA    Origin    Postmaster
;----------------------------------------------------------------------------------
@          IN    SOA    sys12.one.edu. root.sys12.one.edu. (
                        2005010101 ; Serial
                        3600       ; Refresh (1 Hour)
                        1800       ; Retry (30 Minutes)
                        6048000    ; Expire (1 Week)
                        86400 )    ; Minimum (24 Hours)

;
;{name}    {ttl}    Class    NS    Nameserver Name
;------------------------------------------------------
           IN    NS    sys12.one.edu.
           IN    NS    sys13.one.edu.

;
;{name}    {ttl}    Class    PTR    Real Name
;------------------------------------------------
1          IN    PTR    sys11.one.edu.
2          IN    PTR    sys12.one.edu.
3          IN    PTR    sys13.one.edu.
4          IN    PTR    sys14.one.edu.

Observe the following about this file:

● The @ (at the top of this resource record) in this example refers to the 1.168.192.in-addr.arpa. reverse domain, as indicated in the /etc/named.conf file in which this reverse file is referenced.

● The address-to-name mappings are defined with the PTR record type. The domain field in the PTR record contains the host portion of the IP address. Because these resource records do not end with a . (dot), the value of the @ is appended to each record. The argument field of the PTR record should contain the FQDN of the name of the system at which the record points. This completes the reverse address-to-name mapping.
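The origin rule described for the forward and reverse files can be checked mechanically. The following Python code is an added example, not part of the course material: it expands relative names the way the @ origin rule describes and reports A records whose PTR record is missing or points elsewhere. The zone data is constructed from the db.one.edu and db.192.168.1 samples, with a sys15 host and a PTR target lacking its trailing dot added as deliberate faults; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample data modelled on the page's db.one.edu and db.192.168.1.
# Deliberate faults: sys15 has no PTR, and the PTR for .2 lacks its trailing dot.
FORWARD = """\
$TTL 86400
@       IN SOA sys12.one.edu. root.sys12.one.edu. (
            2005010101 ; Serial
            3600 1800 6048000 86400 )
        IN NS  sys12.one.edu.
sys11   IN A   192.168.1.1
sys12   IN A   192.168.1.2
sys15   IN A   192.168.1.5
router  IN CNAME sys11
"""
REVERSE = """\
$TTL 86400
@       IN SOA sys12.one.edu. root.sys12.one.edu. (
            2005010101 3600 1800 6048000 86400 )
        IN NS  sys12.one.edu.
1       IN PTR sys11.one.edu.
2       IN PTR sys12.one.edu
"""


def qualify(name, origin):
    """'@' stands for the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples for the A, PTR and CNAME records of a zone file."""
    text = re.sub(r";[^\n]*", "", text)                       # strip comments
    text = re.sub(r"\(([^)]*)\)",                             # join ( ... ) continuations
                  lambda m: m.group(1).replace("\n", " "), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():                             # blank owner repeats the last one
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                     # optional TTL and class
        if len(fields) < 2:
            continue
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype in ("PTR", "CNAME"):
            rdata = qualify(rdata, origin)                    # the rule applies to data fields too
        if rtype in ("A", "PTR", "CNAME"):
            records.append((owner.lower(), rtype, rdata.lower()))
    return records


def check_forward_reverse(forward, fwd_origin, reverse, rev_origin):
    """Report A records inside the reverse zone whose PTR is missing or names another host."""
    ptr = {o: d for o, t, d in parse_zone(reverse, rev_origin) if t == "PTR"}
    findings = []
    for owner, rtype, rdata in parse_zone(forward, fwd_origin):
        if rtype != "A":
            continue
        rev_name = ipaddress.ip_address(rdata).reverse_pointer + "."
        if not rev_name.endswith("." + rev_origin):
            continue                                          # outside this reverse zone
        target = ptr.get(rev_name)
        if target is None:
            findings.append(f"{owner} {rdata}: no PTR at {rev_name}")
        elif target != owner:
            findings.append(f"{owner} {rdata}: PTR points to {target}")
    return findings


if __name__ == "__main__":
    for finding in check_forward_reverse(FORWARD, "one.edu.",
                                         REVERSE, "1.168.192.in-addr.arpa."):
        print(finding)
```

The second finding shows why the PTR data field must be an FQDN: without the trailing dot, the reverse origin is appended to the host name.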


Editing the Reverse Loopback Domain File

Reverse loopback domain files specify the reverse loopback domain address-to-name translation. The contents are hard-coded, with the exception that the server name changes depending on which server the file is installed. This file is required on all DNS servers. Every name server is the master for its own loopback address.

Here is an example (db.127.0.0) of a reverse loopback domain file:

$TTL 86400

;
;{name}    {ttl}    Class    SOA    Origin    Postmaster
;----------------------------------------------------------------------------------
@          IN    SOA    sys12.one.edu. root.sys12.one.edu. (
                        2005010101 ; Serial
                        3600       ; Refresh (1 Hour)
                        1800       ; Retry (30 Minutes)
                        6048000    ; Expire (1 Week)
                        86400 )    ; Minimum (24 Hours)

;
;{name}    {ttl}    Class    NS    Nameserver Name
;------------------------------------------------------
           IN    NS    sys12.one.edu.
           IN    NS    sys13.one.edu.

;
;{name}    {ttl}    Class    PTR    Real Name
;------------------------------------------------
1          IN    PTR    localhost.

Observe the following about this file:

● You can use the @ when the domain name is the same as the origin, 127.in-addr.arpa. in this example.

● The only items that you change from domain to domain in the SOA record are the host name (first) argument and the email address used to report problems.

● You must specify the name of the system being configured on the NS line.

● Use all other lines as shown in this example.


Configuring Dynamic Updates

Dynamic updates cause a DNS server to be updated automatically with DHCP host information from a DHCP server. This enables nomadic DHCP users to have access to systems and services without manual administration.

To configure a server to permit dynamic updates to occur, complete the following steps:

1. Log in as root on the DNS primary server, edit the /etc/named.conf file, and add allow-update statements to both the forward and reverse zones. For example:

zone "one.edu" in {
    type master;
    file "db.one.edu";
    allow-update { 127.0.0.1; 192.168.1.2; };
};

zone "1.168.192.in-addr.arpa" in {
    type master;
    file "db.192.168.1";
    allow-update { 127.0.0.1; 192.168.1.2; };
};

2. Restart the named process by using the svcadm commands. For example:

# svcadm restart svc:/network/dns/server:default
#or
# svcadm disable svc:/network/dns/server:default
# svcadm enable svc:/network/dns/server:default


Configuring Security

Because of the nature of the Internet, DNS can be vulnerable to unauthorized access.

Beginning with BIND version 8.x.x, security features are implemented through the /etc/named.conf configuration file. Two important security considerations are the control of name queries and the control of zone transfers. By default, servers respond to any query or request for a zone transfer. You can modify this behavior by using the allow-query and allow-transfer keywords.

The allow-query statement enables you to establish an IP address-based access list for queries. You can apply this access list to a specific zone or to all queries that are received by the server. The IP address list determines which systems receive responses from the server.

You can restrict queries to all zones by using the allow-query keyword as an argument to the options statement for the zone.

For example:

options {
    allow-query { 192.168.1/24; 192.168.3/24; };
};

In this case, only systems with the IP addresses 192.168.1.xxx and 192.168.3.xxx receive responses from the name server.

You can restrict queries for a specific zone by using the allow-query keyword as an argument to the zone statement. For example:

zone "one.edu" in {
    type master;
    file "forward.zone";
    allow-query { 192.168.3/24; };
};

In this case, only subnet 192.168.3.0 has access to the resource records for this zone.


In the same manner, the allow-transfer keyword can limit which systems may receive a zone transfer from a name server. You can restrict zone transfers from a name server by using allow-transfer in the options statement. For example:

options {
    allow-transfer { 192.168.1.3/32; };
};

The allow-transfer keyword can also be applied to a specific zone, if you want. Another feature that often is associated with restricting queries and transfers is access control lists (ACLs). The list of IP addresses used in the previous examples could be replaced by an ACL.

You can configure ACLs by using the acl keyword to build an ACL list that can be used as an argument to the allow-query and allow-transfer keywords.

For example:

acl "local" { 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; };

zone "one.edu" in {
    type master;
    allow-query { "local"; };
    allow-transfer { "local"; };
};
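An added example (not from the course material): a Python audit of named.conf text that applies the rules covered in this module, namely the three comment styles, the no-forward-reference rule for acl names, and the open-by-default behavior of queries and zone transfers. The sample configuration is constructed from Figure 10-3 and the function names are illustrative; the built-in ACL names any, none, localhost, and localnets are treated as always defined.

```python
import re

# ACL names that BIND defines itself; every other name needs an acl statement.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
# Keywords whose address match lists are inspected.
CHECKED = ("allow-query", "allow-transfer", "allow-update")
# Quoted strings are matched first so comment markers inside them survive.
_COMMENT = re.compile(r'("[^"]*")|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Heuristic: starts with a digit (IPv4 or a prefix such as 192.168.1/24) or contains ':' (IPv6).
_ADDRESS = re.compile(r"(\d[\d.]*|[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*)(/\d+)?")

# Constructed sample modelled on Figure 10-3; the acl is deliberately defined too late.
SAMPLE_CONF = '''
/* constructed sample based on Figure 10-3 */
options { directory "/var/named"; };      // global options
zone "one.edu" in {
    type master; file "forward.zone";
    allow-transfer { "nets"; };           # acl referenced before its definition
};
acl "nets" { 192.168.1.0/24; };
zone "1.168.192.in-addr.arpa" in {
    type master; file "reverse.rzone";
    allow-query { "nets"; 127.0.0.1; };
};
zone "." in { type hint; file "named.root"; };
'''


def tokenize(text):
    """Drop the three comment styles, then split into strings, braces, semicolons and words."""
    text = _COMMENT.sub(lambda m: m.group(1) or " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_block(tokens, i=0):
    """Parse statements up to the closing brace; a statement is a list of words and blocks."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            block, i = parse_block(tokens, i)
            cur.append(block)
        elif tok in ("}", ";"):
            if cur:
                stmts.append(cur)
                cur = []
            if tok == "}":
                return stmts, i
        else:
            cur.append(tok.strip('"'))
    if cur:
        stmts.append(cur)
    return stmts, i


def elements(block):
    """Yield every address or acl name in a possibly nested address match list."""
    for stmt in block:
        if stmt[0] == "key":
            continue                      # key reference, not an acl name
        for item in stmt:
            if isinstance(item, list):
                yield from elements(item)
            else:
                yield item.lstrip("!")


def settings(block):
    """Map each checked keyword present in a block to its address match list."""
    return {s[0]: s[1] for s in block
            if s[0] in CHECKED and len(s) > 1 and isinstance(s[1], list)}


def audit(conf_text):
    """Report acl names used before definition and master zones left at the open default."""
    stmts, _ = parse_block(tokenize(conf_text))
    global_opts = {}
    for s in stmts:
        if s[0] == "options" and isinstance(s[-1], list):
            global_opts.update(settings(s[-1]))
    findings, acls = [], set(BUILTIN_ACLS)
    for s in stmts:                       # file order matters for acl definitions
        body = s[-1] if isinstance(s[-1], list) else []
        if s[0] == "acl" and len(s) > 1 and isinstance(s[1], str):
            acls.add(s[1])
        if s[0] not in ("zone", "options"):
            continue
        where = "options" if s[0] == "options" else f"zone {s[1]}"
        local = settings(body)
        for kw, lst in local.items():
            for name in elements(lst):
                if name and not _ADDRESS.fullmatch(name) and name not in acls:
                    findings.append(f"{where}: {kw} references acl '{name}', "
                                    "which is not defined earlier in the file")
        ztype = next((x[1] for x in body if x[0] == "type" and len(x) > 1), None)
        if s[0] == "zone" and ztype == "master":
            for kw in ("allow-query", "allow-transfer"):
                if kw not in local and kw not in global_opts:
                    findings.append(f"{where}: {kw} not set, open to any host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```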


Configuring Secondary DNS Servers

The contents of the /etc/named.conf file on the secondary DNS server can be less complex than that of the primary server. If a server is to act as both a primary server for some domains and a secondary server for other domains, the /etc/named.conf file must contain keywords that are appropriate to both functions. The master keyword denotes a primary server for a domain, and the slave keyword denotes a secondary server for a domain when used as arguments to the type directive.

An example of an /etc/named.conf file for a secondary server is:

options
{
    directory "/var/named";
};
zone "."
{
    type hint;
    file "db.root";
};
zone "one.edu"
{
    type slave;
    file "db.one.edu.slave";
    masters { 192.168.1.2; };
};
zone "1.168.192.in-addr.arpa"
{
    type slave;
    file "db.192.168.1.slave";
    masters { 192.168.1.2; };
};
zone "0.0.127.in-addr.arpa" in
{
    type slave;
    file "db.127.0.0.slave";
    masters { 192.168.1.2; };
};


Observe the following about this file:

● Secondary servers are configured with and use the same root server hints file as the primary name server.

● Secondary servers are configured with and use the same syntax for a reverse loopback domain file as the primary name server uses, except that the secondary name server is always listed as the primary for the loopback address.

● The reverse.backup and reverse.rbackup files and their contents are created automatically by the secondary server’s named daemon after the primary name server is contacted successfully.

● The IP address from which the secondary server should download its zone files is listed following the masters keyword. Up to 10 IP addresses can be listed. The server or servers listed can be the primary server or secondary servers.

Secondary servers start the named daemon during the boot process if the /etc/named.conf file exists. The daemon is started by SMF.


Checking Configuration and Database Files

The named-checkconf and named-checkzone commands can be used to check the integrity of the named.conf and database files. These commands report syntax errors.

The named-checkconf command is used to check the /etc/named.conf file.

Missing punctuation can be detected:

sys12# named-checkconf
/etc/named.conf:32: missing ’;’ before ’zone’

Misspelled keywords are exposed:

sys12# named-checkconf
/etc/named.conf:32: unknown option ’zonee’

Missing required keywords are reported:

sys12# named-checkconf
/etc/named.conf:38: zone ’one.edu’: type not present

The named-checkzone command is used to check any of the zone files.

A clean one.edu zone in the db.192.168.1 file is reported:

# named-checkzone one.edu db.192.168.1
zone one.edu/IN: loaded serial 2005010101
OK

Typographical errors in the SOA record are detected:

sys12# named-checkzone one.edu db.192.168.1
dns_master_load: db.192.168.1:10: unknown RR type 'SA0'
zone one.edu/IN: loading master file db.192.168.1: unknown class/type

Missing NS records are reported:

sys12# named-checkzone one.edu db.192.168.1
zone one.edu/IN: has no NS records


Configuring DNS Clients

All DNS clients require the presence of the /etc/nsswitch.conf and /etc/resolv.conf files. Note that the DNS server must also be configured as a DNS client if it intends to use its own DNS services.

The /etc/nsswitch.conf file specifies the resolver library routines to be used for resolving host names and addresses. Modify the /etc/nsswitch.conf file by editing the hosts entry and adding the dns keyword. To ensure proper network interface configuration during the boot process, make sure that the files keyword is listed first. The following example shows a hosts entry configured for DNS:

hosts: files dns

The /etc/resolv.conf file specifies the name servers that the client must use, the client’s domain name, and the search path to use for queries.

; resolv.conf file for DNS clients of the one.edu domain
search one.edu two.edu three.edu
nameserver 192.168.1.2
nameserver 192.168.1.3

Observe that the search keyword specifies domain names to append to queries that were not specified in the FQDN format. The first domain listed following the search keyword designates the client’s domain. If both "domain" and "search" keywords are present, then the last one in the file is used and the other one(s) are ignored.

The nameserver keyword specifies the IP address of the DNS servers to query. Do not specify host names. You can use up to three nameserver keywords to increase your chances of finding a responsive server. In general, list the name servers that are nearer to the local network first. The client attempts to use the loopback address if there is no nameserver keyword or if the /etc/resolv.conf file does not exist.

Starting the Client Service

The following svcadm command enables the DNS default client service:

# svcadm enable svc:/network/dns/client:default

# svcs -a | grep dns
online 23:02:34 svc:/network/dns/client:default


Troubleshooting the DNS Server by Using Basic Utilities

Usually, you cannot test every record in your domain files. Test representative samples, and test several servers in other domains to ensure that you have correctly identified the root servers.

Implementing named Logging

Use logging (named.conf(4)) to cause the named process to write to a log file that you specify. Add the following to the top of the primary DNS system's /etc/named.conf file and restart the named daemon:

logging {
    channel logfile {
        file "/var/named/bind-log";
        print-time yes;
        severity debug 9;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; logfile; };
    category queries { logfile; };
};

Logging starts as soon as the logging statement in the /etc/named.conf file is parsed, so the logging statement should be the first entry in that file.

A logging channel controls the destination of the logged data. Following is a description of each of the example entries:

● /var/named/bind-log – File to hold logged data

● print-time yes – Print time of the event

● severity debug 9 – Debug output of level 9 and below to be logged

● print-category yes – Log category information

● print-severity yes – Log severity information


The category section describes how the channel information is used. Following is a description of each of the example entries:

● category default { default_syslog; logfile; } – Log to syslog and logfile

● category queries { logfile; } – Log queries

Following is an example of logged information during query using the dig command:

sys12# tail -f /var/named/bind-log
Jan 12 16:02:19.918 client: debug 3: client 192.168.1.1#32810: UDP request
Jan 12 16:02:19.918 client: debug 5: client 192.168.1.1#32810: using view '_default'
Jan 12 16:02:19.918 security: debug 3: client 192.168.1.1#32810: request is not signed
Jan 12 16:02:19.918 security: debug 3: client 192.168.1.1#32810: recursion available: approved
Jan 12 16:02:19.918 client: debug 3: client 192.168.1.1#32810: query
Jan 12 16:02:19.918 queries: info: client 192.168.1.1#32810: query: one.edu IN A
Jan 12 16:02:19.918 security: debug 3: client 192.168.1.1#32810: query 'one.edu/IN' approved
Jan 12 16:02:19.919 client: debug 3: client 192.168.1.1#32810: send
Jan 12 16:02:19.919 client: debug 3: client 192.168.1.1#32810: sendto
Jan 12 16:02:19.919 client: debug 3: client 192.168.1.1#32810: senddone
Jan 12 16:02:19.919 client: debug 3: client 192.168.1.1#32810: next
Jan 12 16:02:19.919 client: debug 3: client 192.168.1.1#32810: endrequest
Jan 12 16:02:19.920 client: debug 3: client @94f88: udprecv
Jan 12 16:02:19.923 client: debug 3: client 192.168.1.1#32811: UDP request
Jan 12 16:02:19.924 client: debug 5: client 192.168.1.1#32811: using view '_default'
Jan 12 16:02:19.924 security: debug 3: client 192.168.1.1#32811: request is not signed
Jan 12 16:02:19.924 security: debug 3: client 192.168.1.1#32811: recursion available: approved
Jan 12 16:02:19.924 client: debug 3: client 192.168.1.1#32811: query
Jan 12 16:02:19.924 queries: info: client 192.168.1.1#32811: query: 4.1.168.192.in-addr.arpa IN PTR
Jan 12 16:02:19.924 security: debug 9: client 192.168.1.1#32811: v6 synthesis denied
Jan 12 16:02:19.924 security: debug 3: client 192.168.1.1#32811: query '4.1.168.192.in-addr.arpa/IN' approved
Jan 12 16:02:19.924 client: debug 3: client 192.168.1.1#32811: send
Jan 12 16:02:19.924 client: debug 3: client 192.168.1.1#32811: sendto
Jan 12 16:02:19.925 client: debug 3: client 192.168.1.1#32811: senddone
Jan 12 16:02:19.925 client: debug 3: client 192.168.1.1#32811: next
Jan 12 16:02:19.925 client: debug 3: client 192.168.1.1#32811: endrequest
Jan 12 16:02:19.925 client: debug 3: client @94f88: udprecv
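An added example (not from the course material): a Python parser for log lines in the format this channel produces (print-time, print-category, print-severity), summarizing queries per client and marking clients outside the networks used in the earlier allow-query example. The first five sample lines are taken from the output above and the last two are constructed; the wording of the "denied" message is an assumption modelled on the "approved" line.

```python
import ipaddress
import re

# Lines 1-5 come from the page's bind-log output; the last two are constructed.
SAMPLE_LOG = """\
Jan 12 16:02:19.918 client: debug 3: client 192.168.1.1#32810: UDP request
Jan 12 16:02:19.918 queries: info: client 192.168.1.1#32810: query: one.edu IN A
Jan 12 16:02:19.918 security: debug 3: client 192.168.1.1#32810: query 'one.edu/IN' approved
Jan 12 16:02:19.920 client: debug 3: client @94f88: udprecv
Jan 12 16:02:19.924 queries: info: client 192.168.1.1#32811: query: 4.1.168.192.in-addr.arpa IN PTR
Jan 12 16:03:02.101 queries: info: client 192.168.7.9#40112: query: one.edu IN SOA
Jan 12 16:03:02.101 security: info: client 192.168.7.9#40112: query 'one.edu/IN' denied
"""

# print-time, print-category and print-severity yield: timestamp, category, severity, message.
LINE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) (?P<category>[\w-]+): "
    r"(?P<severity>[\w ]+): client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$")
QUERY = re.compile(r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)")
VERDICT = re.compile(r"query '[^']+' (?P<verdict>approved|denied)")


def parse_line(line):
    """Split one log line into its fields; return None for lines without a client address."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, allowed_nets):
    """Per client IP: (name, type) pairs queried, denied count, and allow-list membership."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    clients = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query, verdict = QUERY.match(rec["msg"]), VERDICT.match(rec["msg"])
        if not (query or verdict):
            continue                      # protocol trace lines (send, next, ...)
        addr = ipaddress.ip_address(rec["ip"])
        entry = clients.setdefault(rec["ip"], {
            "queries": [], "denied": 0,
            "in_allowed_nets": any(addr in n for n in nets)})
        if query:
            entry["queries"].append((query["name"], query["type"]))
        elif verdict["verdict"] == "denied":
            entry["denied"] += 1
    return clients


if __name__ == "__main__":
    # Python's ipaddress module needs the full form of the page's 192.168.1/24 shorthand.
    report = summarize(SAMPLE_LOG.splitlines(), ["192.168.1.0/24", "192.168.3.0/24"])
    for ip, entry in report.items():
        print(ip, entry)
```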


Examining the /var/adm/messages File

The named daemon sends messages to the syslogd daemon by using the daemon facility. Messages that are sent with level notice or higher are written to the /var/adm/messages file by default. The contents of this file often show where configuration errors were made. For example, the following highlighted entry shows that zone files without TTLs are now rejected:

Jan 11 12:04:31 sys12 named[634]: [ID 873579 daemon.notice] starting BIND 9.2.4
Jan 11 12:04:32 sys12 named[634]: [ID 873579 daemon.warning] named.root:5: no TTL specified; zone rejected
Jan 11 12:04:33 sys12 named[669]: [ID 873579 daemon.notice] couldn't add command channel ::1#953: address not available
Jan 11 12:04:33 sys12 named[669]: [ID 873579 daemon.error] zone 1.168.192.in-addr.arpa/IN: loading master file one.rzone: file not found
Jan 11 12:04:35 sys12 named[634]: [ID 873579 daemon.crit] exiting (due to fatal error)


Using the dig Utility

Before the Solaris 9 OS, the primary test tool bundled with BIND was the nslookup utility. As of the Solaris 9 OS, the domain information groper (dig) utility was also bundled with the Solaris OS. In the Solaris 10 OS, the nslookup utility is included, but is marked as obsolete with a notification that it might be removed in a future release. The dig utility is now preferred and does the following:

● Sends queries and displays replies for any of the valid resource record types

● Queries the DNS server of your choice

● Debugs almost any domain that is not protected by a firewall

Executing Forward Queries

The syntax used for forward queries is as follows:

dig @DNS_server domain_name system_name

A typical debug query testing forward resolution might look like the following:

# dig @192.168.1.2 one.edu sys11.one.edu

; <<>> DiG 9.2.4 <<>> @192.168.1.2 one.edu sys11.one.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;one.edu. IN A

;; AUTHORITY SECTION:
one.edu. 86400 IN SOA sys12.one.edu. root.sys12.one.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 4 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 16:56:12 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1440


;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:;sys11.one.edu. IN A

;; ANSWER SECTION:sys11.one.edu. 86400 IN A 192.168.1.1

;; AUTHORITY SECTION:one.edu. 86400 IN NS sys12.one.edu.one.edu. 86400 IN NS sys13.one.edu.

;; ADDITIONAL SECTION:sys12.one.edu. 86400 IN A 192.168.1.2sys13.one.edu. 86400 IN A 192.168.1.3

;; Query time: 3 msec;; SERVER: 192.168.1.2#53(192.168.1.2);; WHEN: Wed Jan 12 16:56:12 2005;; MSG SIZE rcvd: 119

The ANSWER SECTIONlists the answer retrieved from the DNS server. Ananswer number (on the flags line) greater than zero usually indicatessuccess.

Executing Reverse Queries

The syntax used for reverse queries is as follows:

dig @DNS_server domain_name -x IP_address

A typical debug query testing reverse resolution might look like the following:

# dig @192.168.1.2 one.edu -x 192.168.1.1

; <<>> DiG 9.2.4 <<>> @192.168.1.2 one.edu -x 192.168.1.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1881
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;one.edu.                       IN      A

;; AUTHORITY SECTION:
one.edu.                86400   IN      SOA     sys12.one.edu. root.sys12.one.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 4 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 16:55:11 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1932
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.1.168.192.in-addr.arpa. 86400 IN      PTR     sys11.one.edu.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      sys13.one.edu.
1.168.192.in-addr.arpa. 86400   IN      NS      sys12.one.edu.

;; ADDITIONAL SECTION:
sys12.one.edu.          86400   IN      A       192.168.1.2
sys13.one.edu.          86400   IN      A       192.168.1.3

;; Query time: 3 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 16:55:11 2005
;; MSG SIZE rcvd: 141


Dumping a Snapshot of the DNS Database by Using the rndc Utility

The remote name daemon controller command, rndc, is used to dump the currently cached contents of the server.

sys12# rndc dumpdb

All of the options for the rndc utility are listed when it is invoked without any, as follows:

# rndc
Usage: rndc [-c config] [-s server] [-p port] [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reconfig      Reload configuration file and new zones only.
  stats         Write server statistics to the statistics file.
  querylog      Toggle query logging.
  dumpdb        Dump cache(s) to the dump file (named_dump.db).
  stop          Save pending updates to master files and stop the server.
  halt          Stop the server without saving pending updates.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  notrace       Set debugging level to 0.
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  status        Display status of the server.
  *restart      Restart the server.

* == not yet implemented
Version: 9.2.4

Clearing the Cache

Clear the server’s cached data by restarting the named daemon. For example:

sys12# svcs -a | grep dns
online          5:09:02 svc:/network/dns/client:default
online          5:09:25 svc:/network/dns/server:default
sys12# svcadm disable svc:/network/dns/server:default
sys12# svcs -a | grep dns
disabled        6:54:30 svc:/network/dns/server:default
online          5:09:02 svc:/network/dns/client:default
sys12# svcadm enable svc:/network/dns/server:default
sys12# svcs -a | grep dns
online          5:09:02 svc:/network/dns/client:default
online          6:54:45 svc:/network/dns/server:default

Verify that the cache has been cleared using the rndc command:

sys12# rndc dumpdb
sys12# cat /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050112135516

Dump Examples

Examining dumped caches is often a very productive way to troubleshoot errors.

The following example shows an improper use of the dig command attempting a reverse query:

sys13# dig @192.168.1.2 one.edu 192.168.1.1

; <<>> DiG 9.2.4 <<>> @192.168.1.2 one.edu 192.168.1.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1328
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;one.edu.                       IN      A

;; AUTHORITY SECTION:
one.edu.                86400   IN      SOA     sys12.one.edu. root.sys12.one.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 2 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 06:59:29 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1204
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.1.1.                   IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     instructor.thirty.edu. root.instructor.thirty.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 4 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 06:59:29 2005
;; MSG SIZE rcvd: 90

The highlighted entries shown above indicate an unsuccessful reverse resolution request. Dumping the cached data provides insights.

sys12# rndc dumpdb
sys12# cat /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050112135930
; authanswer
.                       86381   IN NS   instructor.thirty.edu.
; authauthority
192.168.1.1.            10781   \-ANY   ;-$NXDOMAIN
; additional
instructor.thirty.edu.  86381   A       192.168.30.30
sys12#

The NXDOMAIN in the dumped data indicates that a nonexistent (NX) domain was requested. Because the incorrect syntax was used (missing -x option, needed for reverse queries), the IP address was mistaken for a domain.

The following example shows a successful reverse query:

sys13# dig @192.168.1.2 two.edu -x 192.168.2.1

; <<>> DiG 9.2.4 <<>> @192.168.1.2 two.edu -x 192.168.2.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;two.edu.                       IN      A

;; AUTHORITY SECTION:
two.edu.                10800   IN      SOA     sys22.two.edu. root.sys22.two.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 11 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 08:07:30 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1982
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;1.2.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
1.2.168.192.in-addr.arpa. 86400 IN      PTR     sys21.two.edu.

;; AUTHORITY SECTION:
2.168.192.in-addr.arpa. 86400   IN      NS      sys23.two.edu.
2.168.192.in-addr.arpa. 86400   IN      NS      sys22.two.edu.

;; Query time: 6 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 08:07:30 2005
;; MSG SIZE rcvd: 109

The first highlighted QUESTION section indicates that the query is requesting data that is not locally authoritative. A forwarding of the request is required for information about the two.edu domain. The second highlighted QUESTION and ANSWER sections are for the specified request for information about the 192.168.2.1 address.

Examining the cached data details the resolution process.

sys12# rndc dumpdb
sys12# cat /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050112150759
; authanswer
.                       86353   IN NS   instructor.thirty.edu.
; authauthority
2.168.192.in-addr.arpa. 86353   NS      sys22.two.edu.
                        86353   NS      sys23.two.edu.
; authanswer
1.2.168.192.in-addr.arpa. 86353 PTR     sys21.two.edu.
; additional
instructor.thirty.edu.  86353   A       192.168.30.30
; glue
two.edu.                86353   NS      sys22.two.edu.
                        86353   NS      sys23.two.edu.
; authauthority
                        10753   \-A     ;-$NXRRSET
; glue
sys22.two.edu.          86353   A       192.168.2.2
; glue
sys23.two.edu.          86353   A       192.168.2.3

The first three entries in the cached data show the resolution process. The first highlighted entry shows the forwarding of the request to the instructor.thirty.edu. The second highlighted entry shows that server supplying the and of the authoritative server for the 2.168.192.in-addr.arpa zone (sys22.two.edu). The last highlighted entry shows the pointer information cached for the requested IP address.


This next example cache dump shows a similar resolution for a forward query:

sys13# dig @192.168.1.2 two.edu sys21.two.edu
<dig output omitted>

sys12# rndc dumpdb
sys12# cat /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050112151434
; authanswer
.                       86357   IN NS   instructor.thirty.edu.
; additional
instructor.thirty.edu.  86357   A       192.168.30.30
; authauthority
two.edu.                86357   NS      sys22.two.edu.
                        86357   NS      sys23.two.edu.
; authauthority
                        10757   \-A     ;-$NXRRSET
; authanswer
sys21.two.edu.          86357   A       192.168.2.1
; glue
sys22.two.edu.          86357   A       192.168.2.2
; glue
sys23.two.edu.          86357   A       192.168.2.3
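The two failure signatures in the dump examples above (an address queried as a name and cached as NXDOMAIN, and a name with no A record cached as NXRRSET) can be picked out mechanically. The following Python is an added example, not part of the course material; the function names and the sample text are constructed for illustration, and the dump parser also handles lines whose owner field is omitted.

```python
import ipaddress
import re

# Constructed dig output modelled on the failed reverse query above. dig looks
# up every non-option argument, so "one.edu" and "192.168.1.1" each get a reply.
DIG_OUTPUT = r"""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1328
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;one.edu.                       IN      A

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1204
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;192.168.1.1.                   IN      A
"""

# Constructed cache dump in the named_dump.db layout shown above. The NXRRSET
# line has no owner field: it inherits "two.edu." from the preceding record.
CACHE_DUMP = r"""
; Cache dump of view '_default'
$DATE 20050112135930
; authauthority
192.168.1.1.            10781   \-ANY   ;-$NXDOMAIN
; glue
two.edu.                86357   NS      sys22.two.edu.
                        86357   NS      sys23.two.edu.
; authauthority
                        10757   \-A     ;-$NXRRSET
"""

STATUS_RE = re.compile(r"->>HEADER<<-.*\bstatus: (\w+)")
ANSWER_RE = re.compile(r"\bANSWER: (\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\w+)\s*$")
NEGATIVE_RE = re.compile(r"^(\S*)\s+(\d+)\s+\\-(\w+)\s+;-\$(NXDOMAIN|NXRRSET)\s*$")


def parse_dig(text):
    """Return one dict per response: status, answer count, question name and type."""
    responses = []
    for line in text.splitlines():
        status = STATUS_RE.search(line)
        if status:
            responses.append({"status": status.group(1), "answers": 0,
                              "qname": None, "qtype": None})
            continue
        if not responses:
            continue
        current = responses[-1]
        count = ANSWER_RE.search(line) if line.startswith(";; flags:") else None
        question = QUESTION_RE.match(line)
        if count:
            current["answers"] = int(count.group(1))
        elif question and current["qname"] is None:
            current["qname"], current["qtype"] = question.groups()
    return responses


def negative_cache_entries(dump_text):
    """Return (owner, rrtype, kind, ttl) for every negatively cached entry."""
    owner, entries = None, []
    for line in dump_text.splitlines():
        if not line.strip() or line.startswith((";", "$")):
            continue
        if not line[0].isspace():
            owner = line.split()[0]          # a new owner name starts in column 0
        match = NEGATIVE_RE.match(line)
        if match:
            entries.append((owner, match.group(3), match.group(4), int(match.group(2))))
    return entries


def as_ipv4(qname):
    """Return an IPv4Address if qname is a dotted-quad literal, else None."""
    try:
        return ipaddress.IPv4Address(qname.rstrip("."))
    except ValueError:
        return None


def diagnose(dig_text, dump_text):
    """Explain each unanswered dig question, using the server's cache dump."""
    cached = {(owner or "").lower(): kind
              for owner, _rrtype, kind, _ttl in negative_cache_entries(dump_text)}
    findings = []
    for resp in parse_dig(dig_text):
        if resp["qname"] is None or resp["answers"] > 0:
            continue
        finding = {"qname": resp["qname"], "status": resp["status"],
                   "cached_as": cached.get(resp["qname"].lower()),
                   "retry": None, "ptr_name": None}
        addr = as_ipv4(resp["qname"])
        if addr is not None and resp["qtype"] in ("A", "AAAA"):
            # An address was looked up as a host name: the -x option was left out.
            finding["retry"] = "dig -x %s" % addr
            finding["ptr_name"] = addr.reverse_pointer + "."
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for item in diagnose(DIG_OUTPUT, CACHE_DUMP):
        print(item)
```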

Forcing the named Daemon to Reread the Configuration and Changed Zone Files

You can use the rndc utility with the reconfig command to cause the named process to reload its configuration file and implement any changes to the zone files as follows:

sys12# rndc reconfig


Managing a DNS Server by Using the rndc Utility

Administrators use the remote name daemon control program (rndc) to control the operation of a name server. Name servers have always been controlled by administrators sending signals, such as SIGHUP and SIGINT. The rndc utility provides a finer granularity of control, and it can be used both interactively and non-interactively.

As of the Solaris 10 OS, the rndc utility replaces the ndc utility as the name daemon control application. A significant difference between ndc in BIND 8 and rndc in BIND 9 is that rndc uses its own configuration file, rndc.conf.

Securing Control Sessions

The rndc utility supports security using key-based authentication. Remote clients are authorized specifically to control the daemon by establishing, configuring and using secret keys. Implementing this security requires an rndc-key reference entry in the /etc/named.conf file and the appropriate key information in the rndc.conf file.

Without a rndc-key reference in the /etc/named.conf file, the following messages appear in the /var/adm/messages file:

Jan 12 08:22:12 sys12 named[1346]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
Jan 12 08:22:12 sys12 named[1346]: [ID 873579 daemon.notice] couldn't add command channel ::1#953: address not available

You can continue to use the rndc utility, albeit in a non-secure manner.

Use the rndc-confgen utility to generate the proper contents for the rndc.conf and /etc/named.conf files. The rndc.conf file specifies which server controls and algorithm the server should use. You need only a rndc.conf file in place if the named.conf file has an entry for a rndc-key.

sys12# /usr/sbin/rndc-confgen
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "jZOP5nh//i9t7BwHivvNzA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "jZOP5nh//i9t7BwHivvNzA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
sys12#

Copy the rndc-key section into a new file called /etc/rndc.conf.

sys12# cat /etc/rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "jZOP5nh//i9t7BwHivvNzA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};

Add the named.conf section to the /etc/named.conf file. Be sure to remove the comment identifiers (#). The following is an example of a finished /etc/named.conf file:

sys12# cat /etc/named.conf
options
{
        directory "/var/named";
};

// added to stop couldn't add command channel ::1#953 messages
// from showing up in /var/adm/messages
// following is output from /usr/sbin/rndc-confgen

key "rndc-key" {
        algorithm hmac-md5;
        secret "jZOP5nh//i9t7BwHivvNzA==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
// end of rndc.key addition

...

Test the rndc.key by stopping and starting the named process, using the rndc utility, and examining the resulting /var/adm/messages file entries:

sys12# svcadm disable svc:/network/dns/server:default
sys12# svcadm enable svc:/network/dns/server:default
sys12# tail -4 /var/adm/messages
Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] starting BIND 9.2.4
Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] running

The daemon starting without the couldn't add command channel message implies a successful key configuration. The rndc command can now be used securely.

You will see an error message similar to the following if there is a problem with the contents of the rndc.conf file:

sys12# rndc dumpdb
Jan 12 10:13:40 sys12 named[1431]: invalid command from 127.0.0.1#32839: bad auth
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
sys12#
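One way to check the key set-up described above before restarting named, as an added example that is not part of the course material: it compares the key statement in named.conf with the one in rndc.conf (a mismatch is what produces the bad auth message) and reports control channels that lack a keys clause or are reachable beyond the loopback address. The function names, finding labels and sample secrets are constructed for illustration, and the regular expressions cover only the statement layout that rndc-confgen prints.

```python
import re

# Constructed files in the layout rndc-confgen prints. The secrets are made-up
# placeholders that, like the generated one shown above, contain "//".
NAMED_CONF = '''
options { directory "/var/named"; };
// following is output from /usr/sbin/rndc-confgen
key "rndc-key" {
        algorithm hmac-md5;
        secret "Q09OU1RSVUNURUQ//ZXhhbXBsZQ==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
'''

RNDC_CONF_STALE = '''
key "rndc-key" {
        algorithm hmac-md5;
        secret "T0xELWtleQ//c3RhbGU=";  # kept from an earlier rndc-confgen run
};
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
'''

# Constructed controls statement with no keys clause and an open allow list.
NAMED_CONF_OPEN = 'controls { inet * port 953 allow { any; }; };'

# Quoted strings are matched first so that "//" inside a secret is not taken
# for the start of a comment.
LEXEME_RE = re.compile(r'"[^"\n]*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^{}]*)\}\s*;')
INET_RE = re.compile(r'\binet\s+(\S+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^{}]*)\}'
                     r'(?:\s*keys\s*\{([^{}]*)\})?\s*;')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Drop //, # and /* */ comments but leave quoted strings untouched."""
    return LEXEME_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def keys_in(text):
    """Map key name -> (algorithm, secret) for every key statement in text."""
    keys = {}
    for name, body in KEY_RE.findall(strip_comments(text)):
        algo = re.search(r'algorithm\s+"?([\w-]+)"?\s*;', body)
        secret = re.search(r'secret\s+"([^"]*)"\s*;', body)
        keys[name] = (algo.group(1) if algo else None,
                      secret.group(1) if secret else None)
    return keys


def names(block):
    """Split the body of an allow { } or keys { } list into bare names."""
    return [item.strip().strip('"') for item in block.split(";") if item.strip()]


def audit(named_conf, rndc_conf):
    """Return (channel, finding) pairs for the control channels in named_conf."""
    findings = []
    server_keys = keys_in(named_conf)
    client_keys = keys_in(rndc_conf)
    for addr, port, allow, keys in INET_RE.findall(strip_comments(named_conf)):
        channel = "%s#%s" % (addr, port or "953")
        if not keys.strip():
            findings.append((channel, "no-keys-clause"))
        if addr not in LOOPBACK or any(a not in LOOPBACK for a in names(allow)):
            findings.append((channel, "reachable-beyond-loopback"))
        for name in names(keys):
            if name not in server_keys:
                findings.append((channel, "undefined-key:" + name))
            elif client_keys.get(name) != server_keys[name]:
                # rndc would sign with a different key: named answers "bad auth".
                findings.append((channel, "client-key-mismatch:" + name))
    return findings


if __name__ == "__main__":
    print(audit(NAMED_CONF, RNDC_CONF_STALE))
    print(audit(NAMED_CONF_OPEN, ""))
```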


Server Status

The rndc utility can be used to query server status and report statistics.

Now test to verify that the rndc utility works as expected:

sys12# rndc status
number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
server is up and running

Flushing the Memory Cache

You can use the rndc utility to flush the memory cache.

sys12# rndc flush
sys12# rndc dumpdb
sys12# cat /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050113141237
sys12#

Changing the Debug Level of the Daemon

Use the rndc utility to change the debug level of the server. Before making any changes, determine the current debug level of the daemon.

sys12# rndc status
number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
server is up and running

Increment the debug level by one.

sys12# rndc trace
sys12# rndc status
number of zones: 5
debug level: 1
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
server is up and running

Assign the debug level to a specific level.

sys12# rndc trace 8
sys12# rndc status
number of zones: 5
debug level: 8
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
server is up and running
sys12#

If logging is enabled, the debug level is shown along with the logged messages:

sys12# tail -f /var/named/bind-log
Jan 13 07:12:37.548 general: debug 1: received control channel command 'dumpdb'
Jan 13 07:17:02.598 general: debug 1: received control channel command 'status'
Jan 13 07:17:15.249 general: debug 1: received control channel command 'trace'
Jan 13 07:17:17.929 general: debug 1: received control channel command 'status'
Jan 13 07:17:34.838 general: debug 1: received control channel command 'trace 8'
Jan 13 07:17:37.149 general: debug 1: received control channel command 'status'


Exercise: Configuring DNS

In this exercise, you configure DNS.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed.

Before starting this lab, make sure that:

● The classroom network is not connected to the public Internet because the names and addresses used are not registered with the ICANN.

● The instructor has set up a root domain server for use in this lab.

● The domains to be set up are named one.edu., two.edu., and three.edu., respectively.

The self-contained root server (instructor) serves the . (root), edu., 30.168.192.in-addr.arpa., and 127.in-addr.arpa. loopback domains. The system and server-client functions for these exercises are listed in Table 10-5.

Table 10-5 Exercise Host Functions

Host          Function
instructor    Root DNS name server
sysX1         Router
sysX2         Primary DNS name server, DNS client
sysX3         Secondary DNS name server, DNS client
sysX4         DNS client


Task Summary

In this exercise, team up with the other students on your subnet, and configure a DNS primary server, a DNS secondary server, and clients on your subnet. You practice using troubleshooting tools, such as the nslookup utility. Work as a team, and move as a team to each system that is to be configured. In this way, you experience most of the aspects of configuring DNS.

Tasks

To configure DNS, complete the following steps.

Your first task is to configure your domain’s primary DNS server.

Working on the Primary DNS Server

To configure your domain’s primary DNS server, perform the following:

1. Set up the /etc/named.conf file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

● What is the purpose of the /etc/named.conf file?

______________________________________________________

______________________________________________________

______________________________________________________

● What is the purpose of the following /etc/named.conf file keywords?

● zone

___________________________________________________

___________________________________________________

● options

___________________________________________________

___________________________________________________

2. Create the /var/named directory.

______________________________________________________


3. Set up the /var/named/db.root file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

● What is the purpose of the db.root file?

___________________________________________________

___________________________________________________

___________________________________________________

● Where can you obtain a current copy of the current root name servers?

___________________________________________________

___________________________________________________

___________________________________________________

___________________________________________________

● What is the purpose of the following resource record types?

● NS

___________________________________________________

● A

___________________________________________________

4. Set up the zone file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

● What is the purpose of a domain’s zone file?

___________________________________________________

___________________________________________________

___________________________________________________

● What is the purpose of the SOA resource record?

___________________________________________________

___________________________________________________

● What is the purpose of the CNAME resource record?

___________________________________________________

___________________________________________________

___________________________________________________


5. Set up the reverse lookup file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

● What is the purpose of the reverse lookup zone file?

___________________________________________________

● What is the purpose of the PTR resource record?

___________________________________________________

6. Set up the loopback file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your next task is to configure name resolution on all of your systems.

Working on All Systems

To configure name resolution on all systems, perform the following:

7. Working on all of your DNS clients and DNS servers, copy the /etc/nsswitch.dns file to the /etc/nsswitch.conf file.

Write the command that you use:

___________________________________________________

● What is the purpose of the /etc/nsswitch.conf file?

___________________________________________________

___________________________________________________

● What effect does the dns keyword have on this file?

___________________________________________________

___________________________________________________

___________________________________________________

8. Set up the /etc/resolv.conf file on your DNS server and DNS clients.

● What is the purpose of the /etc/resolv.conf file?

___________________________________________________

___________________________________________________

___________________________________________________


● What is the purpose of the domain keyword?

___________________________________________________

___________________________________________________

● What is the purpose of the nameserver keyword?

___________________________________________________

___________________________________________________

Working on the Primary DNS Server

Continue as follows:

9. Start the name server daemon on your DNS server:

a. Use the svcadm command to enable both the name server daemon and the DNS client.

___________________________________________________

___________________________________________________

b. Use the svcs command to verify that the services are online.

___________________________________________________

c. Check that the server daemon is running.

___________________________________________________

10. Check the /var/adm/messages file for DNS error messages.

Before continuing, troubleshoot to eliminate any DNS-related error messages that appear in the /var/adm/messages file.

Working on the Client Systems

Note – Since the client service was just enabled on the primary name server, this step does not have to be done on those systems.

11. Use the svcadm command to enable the default client service and verify that it is enabled.

___________________________________________________

___________________________________________________


Working on Any System

Troubleshoot DNS-related errors as follows:

12. Test and debug as required. For example, list the contents of the domain by querying the primary name server for its resource records.

13. Use the techniques that are described in the lecture part of the module, testing both your local domain and your remote domain servers as they become available.

Test and debug your setup by using the dig utility.

Working on the Primary DNS Server

Continue as follows:

14. Test your DNS server. Use the techniques that are described in the lecture part of the module.

a. Take a snapshot of the DNS information in memory.

Use the following command:

sys12# rndc dumpdb

b. View the dumped DNS data to look for errors.

Your final task is to configure a secondary DNS server.

Working on the Secondary DNS Server

To configure a secondary DNS server:

15. Create the /var/named directory.

Working on the Primary DNS Server

Continue as follows:

16. Update both the forward and reverse zone files on the primary server to support the secondary name server. Write the updates that you use in each file.

_________________________________________________________

_________________________________________________________

_________________________________________________________


Working on All Systems

Continue as follows:

17. Add the secondary name server to the /etc/resolv.conf file on the DNS clients and servers in your domain.

Write the updates that you put in the file:

_________________________________________________________

_________________________________________________________

Working on the Secondary DNS Server

Continue as follows:

18. Set up the /etc/named.conf file for your domain on the system that will be your domain’s secondary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

19. Set up the /var/named/db.root file for your domain on the system that will be your domain’s secondary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

20. Start the name server daemon on your DNS server:

a. Use the svcadm command to enable both the name server daemon and the DNS client.

_____________________________________________________

_____________________________________________________

b. Use the svcs command to verify that the services are online.

_____________________________________________________

c. Check that the server daemon is running.

_____________________________________________________

21. Verify that the new zone files have been created in the /var/named directory.

__________________________________________________________

22. Verify that the secondary name server performs forward lookup requests as expected.

__________________________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to this exercise are provided in the following section.

Task Solutions

To configure DNS, complete the following steps.

Your first task is to configure your domain’s primary DNS server.

Working on the Primary DNS Server

To configure your domain’s primary DNS server, perform the following:

1. Set up the /etc/named.conf file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /etc/named.conf file should be similar to the following:

sys12# cat /etc/named.conf
options
{
        directory "/var/named";
};

zone "."
{
        type hint;
        file "db.root";
};

zone "one.edu"
{
        type master;
        file "db.one.edu";
};

zone "1.168.192.in-addr.arpa"
{
        type master;
        file "db.192.168.1";
};

zone "0.0.127.in-addr.arpa" in
{
        type master;
        file "db.127.0.0";
};

● What is the purpose of the /etc/named.conf file?

The /etc/named.conf file is the configuration file read by the named daemon at system start up. The named.conf file specifies the directory that contains the other configuration files, the root servers, the domains served by this server, and the type of server that this system will be for each of those domains.

● What is the purpose of the following /etc/named.conf file keywords?

● zone

It defines a zone of authority and applies options selectively on a per-zone basis, rather than to all zones.

● options

It controls global server configuration options and sets default values for other statements.

2. Create the /var/named directory.

sys12# mkdir /var/named

3. Set up the /var/named/db.root file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /var/named/db.root file should be similar to the following:

sys12# cat /var/named/db.root
;
; db.root
;
;{name}         {ttl}   Class   NS      Nameserver Name
;--------------------------------------------------------------
.               604800  IN      NS      instructor.thirty.edu.
;
;{name}                 {ttl}   Class   A       IP Address
;---------------------------------------------------------
instructor.thirty.edu.  604800  IN      A       192.168.30.30
#


● What is the purpose of the db.root file?

Root servers are positioned at the top, or the root, of the DNS hierarchy, and they maintain data about each of the top-level zones. Non-root servers can begin queries at the root level if no other information is available. The contents of this file direct non-root servers to root servers.

● Where can you obtain a current copy of the root name servers?

You can retrieve them from the ftp://ftp.rs.internic.net/domain/named.root URL. Be sure to check that the file’s syntax is correct.

● What is the purpose of the following resource record types?

● NS

The NS record (name server record) identifies the name server of a domain.

● A

The A record (address record) yields an IP address that corresponds to a host name.

4. Set up the zone file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /var/named/db.one.edu file should be similar to the following:

sys12# cat /var/named/db.one.edu
; db.one.edu
$TTL 86400
;
;{name} {ttl} Class SOA Origin Postmaster
;----------------------------------------------------------------------------------
@ IN SOA sys12.one.edu. root.sys12.one.edu. (
        2005010101 ; Serial
        3600 ; Refresh (1 Hour)
        1800 ; Retry (30 Minutes)
        6048000 ; Expire (1 Week)
        86400 ) ; Minimum (24 Hours)

;
;{name} {ttl} Class NS Nameserver Name
;------------------------------------------------------
        IN NS sys12.one.edu.

;
;{name} {ttl} Class A IP Address
;-------------------------------------------------
sys11 IN A 192.168.1.1
sys12 IN A 192.168.1.2
sys13 IN A 192.168.1.3
sys14 IN A 192.168.1.4

localhost IN A 127.0.0.1

;
;{name} {ttl} Class CNAME Canonical Name
;-------------------------------------------------------
router IN CNAME sys11
dns IN CNAME sys12

● What is the purpose of a domain’s zone file?

This file contains the mappings of names to IP addresses for all systems in the domain being served by this name server. In addition, this file must specify an SOA record and NS records for all name servers for this domain.

● What is the purpose of the SOA resource record?

The SOA record identifies the primary server, contact information, and cache time-out values for the entries in the domain.

● What is the purpose of the CNAME resource record?

The CNAME record defines an alias for a host name.

5. Set up the reverse lookup file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /var/named/db.192.168.1 file should be similar to the following:

sys12# cat /var/named/db.192.168.1
; db.192.168.1
;

$TTL 86400

;
;{name} {ttl} Class SOA Origin Postmaster
;----------------------------------------------------------------------------------
@ IN SOA sys12.one.edu. root.sys12.one.edu. (
        2005010101 ; Serial
        3600 ; Refresh (1 Hour)
        1800 ; Retry (30 Minutes)
        6048000 ; Expire (1 Week)
        86400 ) ; Minimum (24 Hours)

;
;{name} {ttl} Class NS Nameserver Name
;------------------------------------------------------
        IN NS sys12.one.edu.

;
;{name} {ttl} Class PTR Real Name
;------------------------------------------------
1 IN PTR sys11.one.edu.
2 IN PTR sys12.one.edu.
3 IN PTR sys13.one.edu.
4 IN PTR sys14.one.edu.

● What is the purpose of the reverse lookup zone file?

This file contains mappings for address-to-name translation.

● What is the purpose of the PTR resource record?

The PTR record specifies a host name for an IP address.

6. Set up the loopback file for your domain on the system that will be your domain’s primary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /var/named/db.127.0.0 file should be similar to the following:

sys12# cat /var/named/db.127.0.0
; db.127.0.0
;

$TTL 86400

;
;{name} {ttl} Class SOA Origin Postmaster
;----------------------------------------------------------------------------------
@ IN SOA sys12.one.edu. root.sys12.one.edu. (
        2005010101 ; Serial
        3600 ; Refresh (1 Hour)
        1800 ; Retry (30 Minutes)
        6048000 ; Expire (1 Week)
        86400 ) ; Minimum (24 Hours)

;
;{name} {ttl} Class NS Nameserver Name
;------------------------------------------------------
        IN NS sys12.one.edu.

;
;{name} {ttl} Class PTR Real Name
;------------------------------------------------
1 IN PTR localhost.

Your next task is to configure name resolution on all of your systems.


Working on All Systems

To configure name resolution on all systems, perform the following:

7. Working on all of your DNS clients and DNS servers, copy the /etc/nsswitch.dns file to the /etc/nsswitch.conf file.

Write the command that you use:

# cp /etc/nsswitch.dns /etc/nsswitch.conf

● What is the purpose of the /etc/nsswitch.conf file?

The /etc/nsswitch.conf file specifies which resolver library routines are to be used in resolving host names and addresses.

● What effect does the dns keyword have on this file?

The dns keyword causes the dns resolver library routine to be added when resolving host names and addresses. Its position in the hosts line determines the order in which it is used.

8. Set up the /etc/resolv.conf file on your DNS server and DNS clients.

Your system’s /etc/resolv.conf file should have contents similar to the following:

# cat /etc/resolv.conf
domain one.edu
nameserver 192.168.1.2

● What is the purpose of the /etc/resolv.conf file?

This file tells the resolver library routines which domain search list to apply to any names that are not specified in FQDN form, and it specifies the IP addresses of the DNS servers to query.

● What is the purpose of the domain keyword?

The domain keyword specifies domain names to append to names that were not specified in the FQDN format and in what order to append them.

● What is the purpose of the nameserver keyword?

The nameserver keyword specifies DNS servers to query by IP address.


Working on the Primary DNS Server

Continue as follows:

9. Start the name server daemon on your DNS server:

a. Use the svcadm command to enable both the name server daemon and the DNS client.

sys12# svcadm enable svc:/network/dns/server:default
sys12# svcadm enable svc:/network/dns/client:default

b. Use the svcs command to verify that the services are online.

sys12# svcs -a | grep dns
online 14:53:08 svc:/network/dns/server:default
online 14:56:04 svc:/network/dns/client:default

c. Check that the server daemon is running.

sys12# pgrep named
97

10. Check the /var/adm/messages file for DNS error messages.

sys12# tail -4 /var/adm/messages
Jan 12 13:23:18 sys12 named[1516]: [ID 873579 daemon.notice] starting BIND 9.2.4
Jan 12 13:23:18 sys12 named[1516]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
Jan 12 13:23:18 sys12 named[1516]: [ID 873579 daemon.notice] command channel listening on ::1#953
Jan 12 13:23:18 sys12 named[1516]: [ID 873579 daemon.notice] running

Before continuing, troubleshoot to eliminate any DNS-related error messages that appear in the /var/adm/messages file.

Working on the Client Systems

Note – Since the client service was just enabled on the primary name servers, this step does not have to be done on those systems.

11. Use the svcadm command to enable the default client service and verify that it is enabled.

# svcadm enable svc:/network/dns/client:default
# svcs -a | grep dns
online 15:02:34 svc:/network/dns/client:default
...


Working on Any System

Troubleshoot DNS-related errors as follows:

12. Test and debug as required. For example, list the contents of the domain by querying the primary name server for its resource records.

13. Use the techniques that are described in the lecture part of the module, testing both your local domain and your remote domain servers as they become available.

Test and debug your setup by using the dig utility.

# dig @192.168.1.2 one.edu sys11.one.edu

; <<>> DiG 9.2.4 <<>> @192.168.1.2 one.edu sys11.one.edu
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 106
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;one.edu. IN A

;; AUTHORITY SECTION:
one.edu. 86400 IN SOA sys12.one.edu. root.sys12.one.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 13:27:39 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;sys11.one.edu. IN A

;; ANSWER SECTION:
sys11.one.edu. 86400 IN A 192.168.1.1

;; AUTHORITY SECTION:
one.edu. 86400 IN NS sys12.one.edu.

;; ADDITIONAL SECTION:
sys12.one.edu. 86400 IN A 192.168.1.2

;; Query time: 2 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Wed Jan 12 13:27:39 2005
;; MSG SIZE rcvd: 119

The preceding output indicates that the 192.168.1.2 DNS server determined that the sys11.one.edu system has an IP address of 192.168.1.1.


Working on the Primary DNS Server

Continue as follows:

14. Test your DNS server. Use the techniques that are described in the lecture part of the module.

a. Take a snapshot of the DNS information in memory.

Use the following command:

sys12# rndc dumpdb

b. View the dumped DNS data to look for errors.

sys12# view /var/named/named_dump.db
;
; Cache dump of view '_default'
;
$DATE 20050112203358

The dumped cache file is currently empty because the server has been started recently and no queries have been cached at this time.

Your final task is to configure a secondary DNS server.

Working on the Secondary DNS Server

To configure a secondary DNS server:

15. Create the /var/named directory.

sys13# mkdir /var/named

Working on the Primary DNS Server

Continue as follows:

16. Update both the forward and reverse zone files on the primary server to support the secondary name server. Write the updates that you use in each file.

The addition to the forward zone file should be similar to the following, added under the existing name server configuration:

;{name} {ttl} Class NS Nameserver Name
;------------------------------------------------------
        IN NS sys12.one.edu.
        IN NS sys13.one.edu.


The addition to the reverse zone file should be similar to the following, added under the existing name server configuration:

;{name} {ttl} Class NS Nameserver Name
;------------------------------------------------------
        IN NS sys12.one.edu.
        IN NS sys13.one.edu.

Working on All Systems

Continue as follows:

17. Add the secondary name server to the /etc/resolv.conf file on the DNS clients and servers in your domain.

Write the updates that you put in the file:

Your /etc/resolv.conf file should be similar to the following:

# cat /etc/resolv.conf
domain one.edu
nameserver 192.168.1.2
nameserver 192.168.1.3

Working on the Secondary DNS Server

Continue as follows:

18. Set up the /etc/named.conf file for your domain on the system that will be your domain’s secondary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /etc/named.conf file should be similar to the following:

sys13# cat /etc/named.conf
options {
        directory "/var/named";
};

zone "." {
        type hint;
        file "db.root";
};

zone "one.edu" {
        type slave;
        file "db.one.edu.slave";
        masters { 192.168.1.2; };
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "db.192.168.1.slave";
        masters { 192.168.1.2; };
};

zone "0.0.127.in-addr.arpa" in {
        type slave;
        file "db.127.0.0.slave";
        masters { 192.168.1.2; };
};

19. Set up the /var/named/db.root file for your domain on the system that will be your domain’s secondary DNS server. You can create the file yourself, or you can use the template file that your instructor makes available to you.

Your /var/named/db.root file should be similar to the following:

sys13# cat /var/named/db.root
; db.root
;
;{name} {ttl} Class NS Nameserver Name
;--------------------------------------------------------------
. 604800 IN NS instructor.thirty.edu.

;
;{name} {ttl} Class A IP Address
;---------------------------------------------------------
instructor.thirty.edu. 604800 IN A 192.168.30.30
sys13#


20. Start the name server daemon on your DNS server:

a. Use the svcadm command to enable both the name server daemon and the DNS client.

sys13# svcadm enable svc:/network/dns/server:default
sys13# svcadm enable svc:/network/dns/client:default

b. Use the svcs command to verify that the services are online.

sys13# svcs -a | grep dns
online 14:53:08 svc:/network/dns/server:default
online 14:56:04 svc:/network/dns/client:default

c. Check that the server daemon is running.

sys13# pgrep in.named
853

21. Verify that the new zone files have been created in the /var/named directory.

sys13# ls -al
total 20
drwxr-xr-x 3 root root 512 Jan 12 05:14 .
drwxr-xr-x 45 root sys 1024 Jan 11 16:50 ..
-rw------- 1 root root 353 Jan 12 13:36 db.127.0.0.slave
-rw------- 1 root root 430 Jan 12 13:56 db.192.168.1.slave
-rw------- 1 root root 460 Jan 12 13:46 db.one.edu.slave
-rw-r--r-- 1 root root 405 Jan 12 05:13 db.root

22. Verify that the secondary name server performs forward lookup requests as expected.

You could use one of a few tools to test DNS lookup requests. This example demonstrates using the dig utility where:

● @192.168.1.3 – Designates which DNS server to use

● one.edu – Designates the domain of interest

● sys14.one.edu – Designates the name to query

sys11# dig @192.168.1.3 one.edu -x 192.168.1.4

; <<>> DiG 9.2.4 <<>> @192.168.1.3 one.edu -x 192.168.1.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2032
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;one.edu. IN A

;; AUTHORITY SECTION:
one.edu. 86400 IN SOA sys12.one.edu. root.sys12.one.edu. 2005010101 3600 1800 6048000 86400

;; Query time: 3 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Jan 12 14:25:50 2005
;; MSG SIZE rcvd: 72

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;4.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
4.1.168.192.in-addr.arpa. 86400 IN PTR sys14.one.edu.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400 IN NS sys13.one.edu.
1.168.192.in-addr.arpa. 86400 IN NS sys12.one.edu.

;; ADDITIONAL SECTION:
sys12.one.edu. 86400 IN A 192.168.1.2
sys13.one.edu. 86400 IN A 192.168.1.3

;; Query time: 1 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Jan 12 14:25:50 2005
;; MSG SIZE rcvd: 141
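The forward and reverse zone files from steps 4, 5, and 16 can also be cross-checked offline, because a PTR record that no longer matches its A record makes host names in logs and lookups unreliable. The following Python sketch is an added example, not part of the student guide: the zone text is constructed from the exercise data with the step 16 NS records applied, the function names are hypothetical, and the parser assumes zone files of this simple shape (no $ORIGIN, $INCLUDE, or quoted strings).

```python
import re

# Constructed from the exercise's zone files (header comment rows omitted).
FORWARD = """\
$TTL 86400
@ IN SOA sys12.one.edu. root.sys12.one.edu. (
        2005010101 ; Serial
        3600 ; Refresh (1 Hour)
        1800 ; Retry (30 Minutes)
        6048000 ; Expire (1 Week)
        86400 ) ; Minimum (24 Hours)
        IN NS sys12.one.edu.
        IN NS sys13.one.edu.
sys11 IN A 192.168.1.1
sys12 IN A 192.168.1.2
sys13 IN A 192.168.1.3
sys14 IN A 192.168.1.4
localhost IN A 127.0.0.1
router IN CNAME sys11
dns IN CNAME sys12
"""
REVERSE = """\
$TTL 86400
@ IN SOA sys12.one.edu. root.sys12.one.edu. (
        2005010101 3600 1800 6048000 86400 )
        IN NS sys12.one.edu.
        IN NS sys13.one.edu.
1 IN PTR sys11.one.edu.
2 IN PTR sys12.one.edu.
3 IN PTR sys13.one.edu.
4 IN PTR sys14.one.edu.
"""


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with every name fully qualified."""
    text = re.sub(r";[^\n]*", "", text)          # strip comments first: they may contain ( )
    text = re.sub(r"\(([^)]*)\)",                # then join multi-line ( ... ) groups
                  lambda m: m.group(1).replace("\n", " "), text)

    def fqdn(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():                # a blank owner repeats the previous one
            owner = fqdn(fields.pop(0))
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                        # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR") and rdata:
            rdata = [fqdn(rdata[0])]
        records.append((owner.lower(), rtype, " ".join(rdata).lower()))
    return records


def check(forward, reverse, origin="one.edu.",
          rev_origin="1.168.192.in-addr.arpa."):
    """Return a list of forward/reverse mismatches (empty when consistent)."""
    fwd, rev = parse_zone(forward, origin), parse_zone(reverse, rev_origin)
    a = [(o, d) for o, t, d in fwd if t == "A"]
    ptr = [(o, d) for o, t, d in rev if t == "PTR"]
    names = {n for n, _ in a}
    problems = []
    for name, addr in a:
        arpa = ".".join(reversed(addr.split("."))) + ".in-addr.arpa."
        # addresses outside this reverse zone (127.0.0.1) are not its concern
        if arpa.endswith("." + rev_origin) and (arpa, name) not in ptr:
            problems.append(f"{name} A {addr} has no matching PTR")
    for arpa, name in ptr:
        if name not in names:
            problems.append(f"{arpa} PTR {name} has no A record")
    ns_fwd = {d for _, t, d in fwd if t == "NS"}
    ns_rev = {d for _, t, d in rev if t == "NS"}
    for ns in sorted(ns_fwd ^ ns_rev):
        problems.append(f"{ns} is an NS in only one of the two zones")
    for ns in sorted(ns_fwd | ns_rev):
        if ns.endswith("." + origin) and ns not in names:
            problems.append(f"name server {ns} has no A record")
    return problems


if __name__ == "__main__":
    print(check(FORWARD, REVERSE) or "forward and reverse zones agree")
```

Running check() against a reverse file that still lacks the sys13 NS line reports the omission that step 16 is meant to prevent.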


Module 11

Configuring DHCP

Objectives

This module explains the fundamentals of DHCP, including the purpose of DHCP and client and server functions. This module explains how to configure DHCP and how to troubleshoot a DHCP server.

Upon completion of this module, you should be able to:

● Describe the fundamentals of DHCP

● Configure a DHCP server

● Configure and manage DHCP clients

● Troubleshoot a DHCP server

● Troubleshoot a DHCP client

The course map in Figure 11-1 shows how this module fits into the current instructional goal.

Figure 11-1 Course Map

[Course map: Configuring and Managing Network Applications: Configuring the Solaris™ IP Filter Firewall, Configuring DNS, Configuring DHCP, Configuring NTP]


Introducing the Fundamentals of DHCP

DHCP enables you to provide network-related information to client systems through a centrally located server system.

DHCP evolved from the bootstrap protocol (BOOTP). DHCP provides the following enhanced functionality:

● Messages include network configuration for clients, such as:

● IP address

● Boot server IP address

● DNS domain, DNS server, and default router

● Lease periods are provided for IP address assignments.

● Routers can be configured to act as a BOOTP relay agent.

● Support is available for clients that need to boot over a network, which, in effect, replaces the need for using RARP and the /etc/bootparams file.

● Support is available for DHCP clients in the Solaris 10 OS.

Purpose of DHCP

DHCP reduces the cost of managing networks by eliminating the need to manually assign or change IP addresses repeatedly. DHCP also reclaims IP addresses that are no longer needed or whose period of use has expired. These IP addresses can then be used by other clients. DHCP also makes it easier to renumber the network if the ISP is changed. The DHCP server would be reconfigured to provide the new IP addresses offered from this new ISP.

IP addresses are assigned to each system when an organization sets up its computer network.

● Without DHCP, you assign an IP address to each computer manually. If a computer moves to another location in a different part of the network, you assign a new IP address to that computer manually.

● With DHCP, you configure the DHCP server to distribute IP addresses from a central point. You configure the DHCP server to send a new IP address automatically when a computer is moved to a different place on the network and requests a new IP address at boot time.


DHCP Client Functions

DHCP has two client functions. DHCP supplies:

● Sufficient information to properly configure the network interface

● Parameters needed by system-level and application-level software

Figure 11-2 shows the DHCP client functions.

Figure 11-2 DHCP Client Functions

To perform the first function, the dhcpagent daemon acquires an IP address that is valid for the network attached to the client’s hardware interface.

The client’s dhcpagent daemon:

● Constructs and sends packets

● Listens for responses from servers

● Caches the configuration information received

● Releases or renews leases

● Configures the interfaces with sufficient information to enable communications with the network through the interface

[Figure 11-2 diagram: DHCP, with two functions: Configure Network Interfaces, and Parameters (System and Application); items listed: IP Address, Netmask, Router, NIS Server, WWW Server, NTP Server]


DHCP Server Functions

The DHCP server manages the IP address space of networks connected directly to that server and also manages remote networks connected by BOOTP relay agents. The in.dhcpd daemon runs on the DHCP server. Figure 11-3 shows the interaction between a DHCP client and server.

Figure 11-3 DHCP Client-Server Interaction

[Diagram: messages exchanged over time between the client and the DHCP server: (1) DHCPDISCOVER, (2) DHCPOFFER, (3) all DHCP offers are evaluated and DHCPREQUEST is sent, (4) DHCPACK]


Figure 11-4 shows the difference that a BOOTP relay makes for a client that is attempting to contact a server.

Figure 11-4 DHCP Client-Server BOOTP

The BOOTP relay picks up incoming requests from clients and forwards them to the DHCP server. The DHCP server replies to the BOOTP relay, which then forwards the response on to the client.
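The exchange in Figure 11-3 and its relayed form in Figure 11-4 can be traced at the byte level. The following Python sketch is an added example, not code from the student guide or from the Solaris DHCP implementation: the server address 192.168.1.2, the starting address 192.168.1.10, and the one-day lease come from this course's examples, while the 192.168.2.0/24 network, the relay address 192.168.2.1, the client MAC addresses, and all function and class names are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address, ip_network

MAGIC = b"\x63\x82\x53\x63"            # cookie that precedes the options
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # fixed 236-byte BOOTP header
NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
REQ_IP, LEASE, MSG_TYPE, SERVER_ID, END = 50, 51, 53, 54, 255
ZERO = "0.0.0.0"

def build(op, xid, mac, msg_type, yiaddr=ZERO, giaddr=ZERO, opts=None):
    """Serialize a message: op 1 is a client request, op 2 a server reply."""
    ip = lambda a: IPv4Address(a).packed
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, ip(ZERO), ip(yiaddr),
                      ip(ZERO), ip(giaddr), mac, b"", b"")
    body = bytes([MSG_TYPE, 1, msg_type])
    for code, value in (opts or {}).items():
        body += bytes([code, len(value)]) + value
    return hdr + MAGIC + body + bytes([END])

def parse(pkt):
    """Decode a message; reject a bad cookie or an option that overruns."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, pkt[:236])
    msg = {"hops": f[3], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
           "giaddr": str(IPv4Address(f[10])), "mac": f[11][:6], "opts": {}}
    i = 240
    while i < len(pkt) and pkt[i] != END:
        if pkt[i] == 0:                # pad option carries no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        msg["opts"][pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    kind = msg["opts"].get(MSG_TYPE, b"")
    if len(kind) != 1:
        raise ValueError("missing message type option")
    msg["type"] = NAMES.get(kind[0], "UNKNOWN")
    return msg

def relay(pkt, relay_ip):
    """BOOTP relay: record its own address in giaddr and count the hop."""
    f = list(struct.unpack(HDR, pkt[:236]))
    if f[10] == bytes(4):              # only the first relay sets giaddr
        f[10] = IPv4Address(relay_ip).packed
    f[3] += 1
    return struct.pack(HDR, *f) + pkt[236:]

class Server:
    def __init__(self, server_ip, pools, lease):
        self.ip, self.lease = server_ip, lease
        self.pools = {ip_network(n): list(a) for n, a in pools.items()}
        self.offered, self.leases = {}, {}

    def handle(self, pkt):
        """Return (destination, reply), or None when no reply is due."""
        m = parse(pkt)
        mac, sid = m["mac"], IPv4Address(self.ip).packed
        if m["type"] == "DHCPDISCOVER":
            # giaddr names the client's network; zero means the local segment
            where = IPv4Address(self.ip if m["giaddr"] == ZERO else m["giaddr"])
            pool = next((p for n, p in self.pools.items() if where in n), [])
            if mac not in self.offered:
                if not pool:
                    return None        # no free address for that network
                self.offered[mac] = pool.pop(0)
            addr, kind = self.offered[mac], 2
        elif m["type"] == "DHCPREQUEST":
            addr = self.offered.get(mac)
            if addr is None or m["opts"].get(SERVER_ID) != sid or \
                    m["opts"].get(REQ_IP) != IPv4Address(addr).packed:
                return None            # another server's offer was accepted
            self.leases[addr], kind = mac, 5
        else:
            return None
        reply = build(2, m["xid"], mac, kind, addr, m["giaddr"],
                      {SERVER_ID: sid, LEASE: struct.pack("!I", self.lease)})
        return (m["giaddr"] if m["giaddr"] != ZERO else "255.255.255.255"), reply

def exchange(server, mac, xid, relay_ip=None):
    """Run DISCOVER/OFFER/REQUEST/ACK; return (trace, leased address)."""
    via = (lambda p: relay(p, relay_ip)) if relay_ip else (lambda p: p)
    trace, opts = [], None
    for msg_type in (1, 3):            # DHCPDISCOVER, then DHCPREQUEST
        answer = server.handle(via(build(1, xid, mac, msg_type, opts=opts)))
        if answer is None or parse(answer[1])["xid"] != xid:
            raise RuntimeError("no valid reply for this transaction")
        dest, got = answer[0], parse(answer[1])
        trace += [NAMES[msg_type], f"{got['type']} to {dest}"]
        opts = {REQ_IP: IPv4Address(got["yiaddr"]).packed,
                SERVER_ID: got["opts"][SERVER_ID]}
    return trace, got["yiaddr"]

if __name__ == "__main__":
    srv = Server("192.168.1.2", {"192.168.1.0/24": ["192.168.1.10"],
                                 "192.168.2.0/24": ["192.168.2.10"]}, 86400)
    print(exchange(srv, bytes.fromhex("080020aabb01"), 0x1001))
    print(exchange(srv, bytes.fromhex("080020aabb02"), 0x1002, "192.168.2.1"))
```

The relayed client receives an address from the network that giaddr identifies, and the server's replies are addressed to the relay rather than broadcast.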

DHCP servers can be primary or secondary servers. A primary DHCP server passes IP addresses to clients. The IP address is defined during the installation and configuration of the software on the server. A primary DHCP server can give an IP address to a client that is requesting a new configuration from the range of IP addresses for which it is responsible. Multiple primary DHCP servers can exist on the same network, as long as each server is responsible for a different IP address range.

A secondary DHCP server confirms existing configurations supplied previously by a primary DHCP server when the primary DHCP server cannot respond to requests for confirmation. Every primary DHCP server also acts as a secondary server. Primary and secondary DHCP servers must have access to the exact same data source that contains the IP addresses being served to clients. Copies cannot be used. This common data access can be achieved by using NIS+ tables or by using NFS to share the DHCP network tables.

[Figure 11-4 diagram: messages exchanged over time among the client, the BOOTP relay, and the DHCP server, numbered 1 to 5: DHCPDISCOVER, DHCPDISCOVER, DHCPOFFER, all DHCP requests are evaluated and DHCPREQUEST is sent, DHCPACK]


The dhcpconfig command and the dhcpmgr utility are available for use to configure DHCP servers and BOOTP relay servers. These utilities enable you to set startup options, configure the DHCP service database type and location, and initialize the dhcptab file and DHCP network tables for any networks.


Configuring a DHCP Server

Configuring a DHCP server on the network consists mainly of configuring and starting the DHCP server daemon.

The DHCP server’s configuration information is stored in the /etc/inet/dhcpsvc.conf file. This file is created when the configuration commands are run and should never be edited manually. This file was the /etc/default/dhcp file prior to the Solaris 9 OS.

To view the configuration information, type the command:

# cat /etc/inet/dhcpsvc.conf
DAEMON_ENABLED=TRUE
RUN_MODE=server
RESOURCE=SUNWfiles
PATH=/var/dhcp
CONVER=1
VERBOSE=TRUE
ICMP_VERIFY=TRUE
INTERFACES=hme0,qfe0
UPDATE_TIMEOUT=15
LOGGING_FACILITY=7
BOOTP_COMPAT=automatic
#


Configuring DHCP by Using Different Methods

Use the graphical dhcpmgr (DHCP Manager) utility or the command-line dhcpconfig (DHCP configuration) command to configure a DHCP server. Select options and enter data to create the dhcptab and DHCP network tables that the DHCP server uses. The two methods compare as follows:

● The dhcpmgr utility enables you to view the information gathered from system files and to change the information if needed. The dhcpconfig command enables you to specify the network information using command-line options.

● The dhcpmgr utility speeds up the configuration process by omitting prompts for non-essential server options by using default values for them. You can change non-essential options after the initial configuration. The dhcpconfig command is faster, but you must specify values for many options. Use this process if you are an advanced user and want to use scripts.

● The dhcpmgr utility checks the validity of user input as it is entered. The dhcpconfig command does not check the validity of user input as it is entered.


Performing Initial DHCP Server Configuration by Using the dhcpmgr Utility

Use the dhcpmgr utility to configure, define, edit, and manage DHCP services, such as macros, networks, addresses, and policies. The DHCP Manager runs in an X-window system, such as the Common Desktop Environment (CDE), GNOME, or the Sun Java Desktop System.

Note – If the server is already configured, the windows in this section do not appear.

To configure the server, complete the following steps:

1. To start the dhcpmgr utility, type the command:

# /usr/sadm/admin/bin/dhcpmgr &

This example uses the sys12 system to demonstrate how to configure a basic DHCP server by using the dhcpmgr utility.

If the system is not configured as a DHCP server or a BOOTP relay, the Choose Server Configuration window appears. Figure 11-5 enables you to configure the server as a DHCP server. This example uses the default Configure as the DHCP server.

Figure 11-5 Choose Server Configuration Window


2. Click OK.

The DHCP Configuration Wizard – Step 1 window appears. Figure 11-6 shows you where to select the data storage format.

Figure 11-6 DHCP Configuration Wizard – Step 1 Window

3. Select Text files, and click >.


The DHCP Configuration Wizard – Step 2 window appears. Figure 11-7 shows you where to enter a path for the data store. This example uses the default directory.

Figure 11-7 DHCP Configuration Wizard – Step 2 Window

4. Accept the default path name, and click >.


The DHCP Configuration Wizard – Step 3 window appears. Figure 11-8 enables you to specify the name service in which to store host records.

Figure 11-8 DHCP Configuration Wizard – Step 3 Window

5. Select /etc/hosts, and click >.


The DHCP Configuration Wizard – Step 4 window appears. Figure 11-9 shows you where to specify the length of the lease. This example uses the defaults 1 and days.

Figure 11-9 DHCP Configuration Wizard – Step 4 Window

6. Accept the defaults of 1 and days, and click >.


The DHCP Configuration Wizard – Step 5 window appears. Figure 11-10 shows you where to specify the DNS domain and DNS servers. This example uses the default of no DNS.

Figure 11-10 DHCP Configuration Wizard – Step 5 Window

7. Do not accept a DNS domain or DNS server, and click >.


The DHCP Configuration Wizard – Step 6 window appears. Figure 11-11 shows you where to specify the network address and a subnet mask. This example uses the 192.168.1.0 network.

Figure 11-11 DHCP Configuration Wizard – Step 6 Window

8. Specify a network address by either selecting one or typing one, type a subnet mask, and click >.


The DHCP Configuration Wizard – Step 7 window appears. Figure 11-12 shows you where to specify information about the network. This example uses the defaults Local-Area (LAN) and Use router discovery protocol.

Figure 11-12 DHCP Configuration Wizard – Step 7 Window

9. Select either Local-Area (LAN) or Point-to-Point.

10. Select either Use router discovery protocol or type the router information in the Use router field.

11. Click >.


The DHCP Configuration Wizard – Step 8 window appears. Figure 11-13 shows you where to specify the NIS domain and servers. This example uses the defaults of no NIS domain and no NIS server.

Figure 11-13 DHCP Configuration Wizard – Step 8 Window

12. If appropriate, type the NIS domain configuration in the NIS Domain field.

13. If appropriate, type the NIS server IP address in the NIS Servers field, and click Add for each NIS server that you are specifying.

14. Click >.


The DHCP Configuration Wizard – Step 9 window appears. Figure 11-14 shows you where to specify the NIS+ domain and servers. This example uses the defaults of no NIS+ domain and no NIS+ server.

Figure 11-14 DHCP Configuration Wizard – Step 9 Window

15. If appropriate, type the NIS+ domain configuration in the NIS+ Domain field.

16. If appropriate, type the NIS+ server IP address in the NIS+ Servers field, and click Add for each NIS+ server that you are specifying.

17. Click >.


The DHCP Configuration Wizard – Step 10 window appears. Figure 11-15 shows you a summary of the information you entered previously. This example uses the sample information indicated previously.

Figure 11-15 DHCP Configuration Wizard – Step 10 Window

18. Review the information and, if the information is correct, click Finish.


The DHCP Configuration Manager Window closes, the main DHCP Manager Window appears, and the Start Address Wizard window appears. Figure 11-16 shows you where to indicate that you want to configure addresses for the server.

Figure 11-16 Start Address Wizard Window

19. Click Yes to proceed with address configuration.

The DHCP network file will now be populated.


Adding Addresses by Using the dhcpmgr Utility

Use the procedures described in this section to add addresses by using the dhcpmgr utility.

Note – The following steps are a continuation of initial server configuration.

The DHCP Address Configuration Wizard – Step 1 window appears as shown in Figure 11-17. This figure shows you where to specify the number of IP addresses to configure. This example uses five addresses and a comment of net1.

Figure 11-17 DHCP Address Configuration Wizard – Step 1 Window

1. Modify the number of IP addresses to use.

2. Add a comment if necessary.

3. Click >.


The DHCP Address Configuration Wizard – Step 2 window appears. Figure 11-18 shows you where to specify the DHCP server and starting IP address. In this example, the Managed by Server field is set to the default, and the starting IP address is changed to 192.168.1.10. This example uses sys12-dhcp for the root name.

Figure 11-18 DHCP Address Configuration Wizard – Step 2 Window

4. Verify that Managed by Server and Starting IP Address display the correct information.

5. If appropriate, select Generate Client Names.

6. Click >.


The DHCP Address Configuration Wizard – Step 3 window appears. Figure 11-19 shows you the IP addresses that you specified in the previous step.

Figure 11-19 DHCP Address Configuration Wizard – Step 3 Window

7. Verify that the address information is correct, and click >.


The DHCP Address Configuration Wizard – Step 4 window appears. Figure 11-20 shows you the name of the macro to be associated with the DHCP interface.

Figure 11-20 DHCP Address Configuration Wizard – Step 4 Window

8. Select Configuration Macro from the drop-down list box and verify that Addresses are unusable is unchecked.

9. If you want to view the contents of the selected macro, click View. To exit the contents window, click OK.

10. Click >.


The DHCP Address Configuration Wizard – Step 5 window appears. Figure 11-21 shows you where to specify the type of lease. This example uses the default of Dynamic.

Figure 11-21 DHCP Address Configuration Wizard – Step 5 Window

Note – Normally, routers, mail servers, and systems that provide services use permanent lease types.

11. Select either Dynamic or Permanent, and click >.


The DHCP Address Configuration Wizard – Step 6 window appears. Figure 11-22 shows the information that you entered in previous steps.

Figure 11-22 DHCP Address Configuration Wizard – Step 6 Window

12. Review the information, and click Finish.


The DHCP Manager Window appears. Figure 11-23 shows the information that you have provided.

Figure 11-23 DHCP Manager Window

13. Choose Exit from the File menu to close the DHCP Manager window.

14. To view the information that the dhcpmgr utility added to the /etc/inet/hosts file, use the grep command:

# grep dhcp /etc/inet/hosts
192.168.1.10 sys13-dhcp-10 #net1
192.168.1.11 sys13-dhcp-11 #net1
192.168.1.12 sys13-dhcp-12 #net1
192.168.1.13 sys13-dhcp-13 #net1
192.168.1.14 sys13-dhcp-14 #net1
192.168.1.15 sys13-dhcp-15 #net1
192.168.1.16 sys13-dhcp-16 #net1
192.168.1.17 sys13-dhcp-17 #net1
192.168.1.18 sys13-dhcp-18 #net1
192.168.1.19 sys13-dhcp-19 #net1
#


Using the dhcpconfig Command

Use the dhcpconfig command when you configure a DHCP server with scripts. This command has options that enable you to:

● Configure and unconfigure a DHCP server

● Convert to a new data store

● Import data to and export data from other DHCP servers

Note – The dhcpconfig command is no longer menu-driven as it was in previous versions of the Solaris OS.

Configuring a DHCP Server

To configure a DHCP server for the first time, type the command by using the following format:

/usr/sbin/dhcpconfig -D -r datastore -p location

where:

-D              Configures the DHCP service.

-r datastore    Specifies the data resource, which is one of the following: SUNWfiles, SUNWbinfiles, or SUNWnisplus.

-p location     Specifies the data-store-dependent location where the DHCP data is maintained. For SUNWfiles and SUNWbinfiles, this is an absolute path name; for example, /var/dhcp. For SUNWnisplus, this is an NIS+ table name.

The dhcpconfig command uses the appropriate system and network configuration files, such as /etc/inet/hosts, /etc/inet/netmasks, or others, on the DHCP server to determine values that are not provided on the command line.


To configure (-D) a system for DHCP services using ASCII files for the datastore (-r) and locate (-p) the datastore files in the /var/dhcp directory, enter the following:

# /usr/sbin/dhcpconfig -D -r SUNWfiles -p /var/dhcp
Created DHCP configuration file.
Created dhcptab.
Added "Locale" macro to dhcptab.
Added server macro to dhcptab - sys12.
DHCP server started.
#

Note – Using the ASCII datastore format (SUNWfiles) is much slower than storing the files in the binary datastore format (SUNWbinfiles). The examples use the ASCII datastore format because the resulting files are viewed more easily.

After the datastore location and type are established, you must configure the appropriate files to function as a DHCP server.

To configure the system to provide DHCP services for the 192.168.1.0 network (-N) and the 192.168.1.1 router (-t), type the command:

# /usr/sbin/dhcpconfig -N 192.168.1.0 -t 192.168.1.1
Added network macro to dhcptab - 192.168.1.0.
Created network table.
#


Introducing DHCP Network Files

DHCP network files contain the ranges of IP addresses that the DHCP server assigns and controls for networks. These files map the client identifiers of DHCP clients to IP addresses and the associated configuration parameters of each IP address assigned to these clients. Figure 11-24 shows the interaction between the client ID and the client and the server addresses.

Figure 11-24 The DHCP Network File

One DHCP network file exists for each network that is served by the DHCP server. The name of each file is determined from the datastore format and the network address of the network that it supports, such as SUNWfiles1_192_168_1_0. There is no table or file with the name SUNWfiles. The name always includes an IP address and an identifier about the file type (SUNWbinfiles, SUNWfiles, or SUNWnisplus).

[Figure 11-24 diagram labels: 192.168.1.0; DHCP Network; Client ID; IP Address and Configuration Parameters; Client Address: 192.168.30.1; Server Address: 192.168.30.30; 00]


To view the initial contents of the DHCP network file, type the command:

# cat SUNWfiles1_192_168_1_0
# SUNWfiles1_192_168_1_0
#
# Do NOT edit this file by hand -- use pntadm(1M) or dhcpmgr(1M) instead
#

The DHCP network tables can exist as ASCII text files, binary files, or NIS+ tables, depending on the datastore used. Binary files are faster and more efficient and are recommended for networks with a DHCP client base of many thousands of systems.

Using the pntadm Command

Use the pntadm command to manage DHCP network tables to:

● Add and remove networks under DHCP management

● Add, delete, and modify IP address records within network tables

● View tables

You can use any one of the following option flags with the pntadm command:

-C    Creates a DHCP network table
-A    Adds an entry to a DHCP network table
-M    Modifies an entry made to a DHCP network table
-P    Views changes made to a DHCP network table
-D    Deletes an entry from a DHCP network table
-r    Uses the supplied datastore resource, not the default database
-p    Uses the supplied path, not the default path

Creating a Table for the 192.168.30.0 DHCP Network

To create a table for the 192.168.30.0 network, type the command:

# pntadm -C 192.168.30.0


Note – You can use an alias name for this network in place of the network number if the alias is defined in the /etc/inet/networks file.

To verify that the network table was created, type the command:

# ls /var/dhcp | grep 30
SUNWfiles1_192_168_30_0
#

To view the initial contents of the new table, use the cat command:

# cat /var/dhcp/SUNWfiles1_192_168_30_0
# SUNWfiles1_192_168_30_0
#
# Do NOT edit this file by hand -- use pntadm(1M) or dhcpmgr(1M) instead
#

Adding an Entry to the SUNWfiles1_192.168.30.0 Table

To add an entry to the SUNWfiles1_192.168.30.0 table located in the /var/dhcp directory, type the command:

# pntadm -r SUNWfiles -p /var/dhcp -A 192.168.30.1 192.168.30.0

To view the table and observe the changes made by the pntadm command, type the command:

# cat /var/dhcp/SUNWfiles1_192_168_30_0
# SUNWfiles1_192_168_30_0
#
# Do NOT edit this file by hand -- use pntadm(1M) or dhcpmgr(1M) instead
192.168.30.1|00|00|192.168.1.2|0|8214847195300495361|UNKNOWN|
#


Modifying an Entry to the SUNWfiles1_192.168.30.0 Table

To modify the 192.168.30.1 entry of the SUNWfiles1_192.168.30.0 table to change the macro name (-m) to mymacro, and to set the flags field to MANUAL and PERMANENT, type the command:

# pntadm -M 192.168.30.1 -m mymacro -f 'PERMANENT+MANUAL' 192.168.30.0
#

To view the changes, type the following:

# pntadm -P 192.168.30.0
Client ID       Flags   Client IP       Server IP       Lease Expiration        Macro           Comment
00              03      192.168.30.1    192.168.1.2     Zero                    mymacro
#

Note – Observe that the Flags value is 03, which represents the sum of 2 and 1, where MANUAL is represented by 2 and PERMANENT is represented by 1. Refer to the DHCP network man page for more information.

To view the changes by using the table, type the command:

# cat /var/dhcp/SUNWfiles1_192_168_30_0
# SUNWfiles1_192_168_30_0
#
# Do NOT edit this file by hand -- use pntadm(1M) or dhcpmgr(1M) instead
#
192.168.30.1|00|03|192.168.1.2|0|8214847195300495362|mymacro|
#

To change the 192.168.30.1 entry to 192.168.30.2 (-n), type the command:

# pntadm -M 192.168.30.1 -n 192.168.30.2 192.168.30.0

To verify the changes, type the command:

# pntadm -P 192.168.30.0
Client ID       Flags   Client IP       Server IP       Lease Expiration        Macro           Comment
00              03      192.168.30.2    192.168.1.2     Zero                    mymacro
#

To delete the 192.168.30.2 entry from the 192.168.30.0 table, type the command:

# pntadm -D 192.168.30.2 192.168.30.0


To verify the changes, type the command:

# pntadm -P 192.168.30.0
Client ID       Flags   Client IP       Server IP       Lease Expiration        Macro           Comment
#
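The pipe-separated records and the Flags arithmetic shown in this section can be checked mechanically. The following Python sketch is an added example, not part of the Sun course material: it parses a SUNWfiles network table, decodes the Flags field, and reports several manual allocations for one client ID, unusable addresses, and free addresses. Assumptions: the field order is inferred from the single record shown above, the sixth field is treated as an opaque record signature, a client ID of 00 is taken to mean unassigned, the UNUSABLE (4) and BOOTP (8) values come from the dhcp_network(4) man page, and every record except the first is constructed sample data.

```python
from collections import defaultdict

# PERMANENT=1 and MANUAL=2 are stated in the guide; UNUSABLE=4 and BOOTP=8
# are taken from the dhcp_network(4) man page.
FLAG_BITS = {1: "PERMANENT", 2: "MANUAL", 4: "UNUSABLE", 8: "BOOTP"}

# Assumed field order, inferred from the record printed in the guide.
# "signature" is treated as opaque.
FIELDS = ("client_ip", "client_id", "flags", "server_ip",
          "lease", "signature", "macro", "comment")
UNASSIGNED = "00"  # assumption: client ID of an address nobody holds

# First record is the one from the guide; the rest are constructed.
SAMPLE_TABLE = """\
# SUNWfiles1_192_168_30_0
#
# Do NOT edit this file by hand -- use pntadm(1M) or dhcpmgr(1M) instead
#
192.168.30.1|00|03|192.168.1.2|0|8214847195300495362|mymacro|
192.168.30.2|010800201234AB|02|192.168.1.2|0|8214847195300495363|mymacro|printer
192.168.30.3|010800201234AB|02|192.168.1.2|0|8214847195300495364|mymacro|printer (old)
192.168.30.4|00|04|192.168.1.2|0|8214847195300495365|UNKNOWN|conflict seen
192.168.30.5|0108002055EE01|00|192.168.1.2|1110400000|8214847195300495366|mymacro|
192.168.30.6|00|00|192.168.1.2|0|8214847195300495367|UNKNOWN|
"""


def decode_flags(value):
    """Return the flag names encoded in a Flags value such as '03'."""
    number = int(value, 10)  # assumption: decimal, as pntadm -P prints it
    if number < 0 or number > sum(FLAG_BITS):
        raise ValueError(f"flags value out of range: {value!r}")
    names = [name for bit, name in FLAG_BITS.items() if number & bit]
    return names or ["DYNAMIC"]


def parse_table(text):
    """Parse the records of a SUNWfiles network table, skipping '#' lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        record = dict(zip(FIELDS, parts))
        record["flag_names"] = decode_flags(record["flags"])
        records.append(record)
    return records


def audit(records):
    """Report table states that the server later logs as allocation errors."""
    manual_by_client = defaultdict(list)
    report = {"duplicate_manual": {}, "unusable": [], "free": []}
    for rec in records:
        flags = set(rec["flag_names"])
        if "UNUSABLE" in flags:
            report["unusable"].append(rec["client_ip"])
        if "MANUAL" in flags and rec["client_id"] != UNASSIGNED:
            manual_by_client[rec["client_id"]].append(rec["client_ip"])
        if rec["client_id"] == UNASSIGNED and not flags & {"UNUSABLE", "MANUAL"}:
            report["free"].append(rec["client_ip"])
    # More than one MANUAL record per client ID is the "Manual allocation ...
    # Should have 0" condition from the troubleshooting list.
    report["duplicate_manual"] = {
        cid: ips for cid, ips in manual_by_client.items() if len(ips) > 1}
    return report


if __name__ == "__main__":
    for key, value in audit(parse_table(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

Run it against a copy of the table; changes to the table itself still go through pntadm or dhcpmgr, as the file header says.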

Removing DHCP Network Tables

To list the existing DHCP tables, type the command:

# pntadm -L
192.168.1.0
192.168.30.0
#

To remove the 192.168.30.0 table, type the command:

# pntadm -R 192.168.30.0
#

To list the remaining DHCP tables, type the command:

# pntadm -L
192.168.1.0
#

Introducing the dhcptab Table

Use the dhcptab configuration table to organize groups of configuration parameters as macro definitions. You can reference one macro in the definition of other macros. The DHCP server uses these macros to return groups of configuration parameters to DHCP and BOOTP clients.

The preferred methods of managing the dhcptab table are through the use of the dhcpmgr utility or dhtadm command.

View the contents of the dhcptab table by using the Macros and Options tabs in the DHCP Manager, or by using the dhtadm -P command on the command line.


Using the dhtadm Command

Use the dhtadm command to manage the DHCP service configuration table, dhcptab. You can specify one of the following option flags:

-C    Creates the DHCP table
-A    Adds a symbol or macro definition to the DHCP table
-M    Modifies an existing symbol or macro definition
-D    Deletes a symbol or macro definition

Symbols are individual parameters to which values can be assigned. Macros are collections of symbols that are associated with an IP address and are used to define the set of information that is given to a DHCP client system.

To create the DHCP service configuration table, dhcptab, type the command:

# dhtadm -C

To add a symbol called NewSym to the dhcptab table, type the command:

# dhtadm -A -s NewSym -d 'Vendor=SUNW.PCW.LAN,20,IP,1,0' -r SUNWfiles -p /var/dhcp

To add a macro called NewMacro to the dhcptab table, type the command:

# dhtadm -A -m NewMacro -d ':Timeserv=192.168.1.1:DNSserv=192.168.1.1:'
#

To view the changes, type the command:

# dhtadm -P
Name            Type    Value
==================================================
NewMacro        Macro   :Timeserv=192.168.1.1:DNSserv=192.168.1.1:
192.168.1.0     Macro   :Subnet=255.255.255.0:Router=192.168.1.1:Broadcst=192.168.1.255:
sys12           Macro   :Include=Locale:Timeserv=192.168.1.1:LeaseTim=86400:LeaseNeg:
Locale          Macro   :UTCoffst=-25200:
NewSym          Symbol  Vendor=SUNW.PCW.LAN,20,IP,1,0
#


You can modify an existing symbol or macro definition. In this example, to remove the Timeserv symbol from the NewMacro macro, type the command:

# dhtadm -M -m NewMacro -e 'Timeserv='

To view the changes, type the command:

# dhtadm -P
Name            Type    Value
==================================================
NewMacro        Macro   :DNSserv=192.168.1.1:
192.168.1.0     Macro   :Subnet=255.255.255.0:Router=192.168.1.1:Broadcst=192.168.1.255:
sys12           Macro   :Include=Locale:Timeserv=192.168.1.1:LeaseTim=86400:LeaseNeg:
Locale          Macro   :UTCoffst=-25200:
NewSym          Symbol  Vendor=SUNW.PCW.LAN,20,IP,1,0
#

To define a value for the LeaseTim symbol, type the command:

# dhtadm -M -m NewMacro -e 'LeaseTim=3600'
#

To view the changes, type the command:

# dhtadm -P
Name            Type    Value
==================================================
NewMacro        Macro   :DNSserv=192.168.1.1:LeaseTim=3600:
192.168.1.0     Macro   :Subnet=255.255.255.0:Router=192.168.1.1:Broadcst=192.168.1.255:
sys12           Macro   :Include=Locale:Timeserv=192.168.1.1:LeaseTim=86400:LeaseNeg:
Locale          Macro   :UTCoffst=-25200:
NewSym          Symbol  Vendor=SUNW.PCW.LAN,20,IP,1,0
#

To delete the NewSym symbol from the dhcptab table, type the command:

# dhtadm -D -s NewSym
#

To verify the changes, type the command:

# dhtadm -P
Name            Type    Value
==================================================
NewMacro        Macro   :DNSserv=192.168.1.1:LeaseTim=3600:
192.168.1.0     Macro   :Subnet=255.255.255.0:Router=192.168.1.1:Broadcst=192.168.1.255:
sys12           Macro   :Include=Locale:Timeserv=192.168.1.1:LeaseTim=86400:LeaseNeg:
Locale          Macro   :UTCoffst=-25200:
#


To delete the NewMacro macro from the dhcptab table, type the command:

# dhtadm -D -m NewMacro

To verify the changes, type the command:

# dhtadm -P
Name            Type    Value
==================================================
192.168.1.0     Macro   :Subnet=255.255.255.0:Router=192.168.1.1:Broadcst=192.168.1.255:
sys12           Macro   :Include=Locale:Timeserv=192.168.1.1:LeaseTim=86400:LeaseNeg:
Locale          Macro   :UTCoffst=-25200:
#

Table 11-1 shows the items that are created during DHCP configuration.

Table 11-1 Items Created During DHCP Server Configuration

Item: The service configuration file, /etc/inet/dhcpsvc.conf
Description: Records keywords and values for server configuration options.
Contents: Data store type and location. Options used with the in.dhcpd daemon to start the DHCP daemon when the system boots.

Item: The dhcptab table
Description: Creates a dhcptab table if it does not already exist.
Contents: Macros and options with assigned values.

Item: The Locale macro (optional)
Description: Contains the local time zone’s offset in seconds from Coordinated Universal Time.
Contents: The UTCoffst option.

Item: The server macro, named to match the server’s node name
Description: Contains options with values determined by input from the administrator who configured the DHCP server. The options apply to all clients that use addresses owned by the server.
Contents: The Locale macro. The options: Timeserv, which is set to point to the server’s primary IP address; LeaseTim and LeaseNeg, if you select negotiable leases; and DNSdmain and DNSserv, if DNS is configured.

Item: The network address macro, which is named the same as the network address of the client’s network
Description: Contains options with values determined by input from the administrator who configured the DHCP server. The options apply to all clients that are located on the network specified by the macro name.
Contents: The options: Subnet, Router or RDiscvyF, Broadcst, if the network is a LAN, maximum transfer unit (MTU); NISdmain and NISservs, if NIS is configured; and NIS+dom and NIS+serv, if NIS+ is configured.

Item: The DHCP network table for the network
Description: Creates an empty table until you create the IP addresses for the network.
Contents: None, until you add the IP addresses.


Configuring and Managing DHCP Clients

Configuring DHCP clients is an easy process. Most management is performed on the DHCP server side.

Configuring a DHCP Client

When you install the Solaris 10 OS from the installation compact disc read-only memory (CD-ROM), you are prompted to use DHCP to configure network interfaces. If you select yes in the installation script, the DHCP client software is enabled on your system during Solaris 10 OS installation. You do not need to do anything else on the Solaris 10 OS client to use DHCP.

If your client is not a Solaris 10 OS client, consult the client’s documentation for configuration instructions.

Configuring a DHCP Client to Request a Dynamic Host Name

If a client system is already running the Solaris 10 OS and is not using DHCP, complete the following steps to configure the DHCP client to request dynamic host names:

1. Log in as the root user on the DHCP client system.

2. Enable DHCP on the client by creating the appropriate file for the external interface, which is hme0 in this example.

# touch /etc/dhcp.hme0

Note – Verify that the /etc/hostname.interface file exists for the interface being configured using DHCP; otherwise, the interface will not be plumbed. This is a requirement for a successful DHCP configuration of the client.

3. Configure the /etc/default/dhcpagent file on the DHCP client so that it releases its IP address if it is rebooted or shut down.

4. Edit the /etc/default/dhcpagent file, and remove the # in front of the RELEASE_ON_SIGTERM=yes parameter. This causes the DHCP client to relinquish its address when it reboots or is shut down properly.


5. Reboot the client, and watch the system console as the system boots.

6. Observe the hostname, for example:

Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: sys13-dhcp-14

Configuring a DHCP Client to Use its Own Host Name

DHCP clients running the Solaris 10 OS can be configured to use their own hostname instead of a hostname supplied by the DHCP server.

If a client system is already running the Solaris 10 OS and is not using DHCP, complete the following steps to configure the DHCP client to use its own host name:

1. Log in as the root user on the DHCP client system.

2. Edit the /etc/default/dhcpagent file.

3. Find the keyword REQUEST_HOSTNAME in the /etc/default/dhcpagent file, and verify that the entry is not formatted as a comment and is set to yes:

REQUEST_HOSTNAME=yes

4. Edit the /etc/hostname.interface file on the client system, and enter the following:

inet hostname

where hostname is the name you want the client to use. For example, the file contents in this example are:

# cat /etc/hostname.qfe0
inet dhcp-hostname-test
#

5. To have the client perform a full DHCP negotiation upon rebooting, type the commands:

# pkill dhcpagent
# rm /etc/dhcp/interface.dhc
# init 6

Note – The state file is written only when the dhcpagent process is terminated and the dhcpagent program is not configured to release its IP address on termination.


The DHCP server makes sure that the host name is not in use by another system on the network before the server assigns it to the client. Depending on how the DHCP server is configured, it can also update naming services with the client’s host name.

If your client is not a Solaris 10 OS client, consult the client’s documentation for configuration instructions.


Troubleshooting a DHCP Server

IP address allocation errors are reported using the syslog facility or as server debug output. This type of problem can occur when a client attempts to obtain or verify an IP address.

The following are possible IP address allocation errors and solutions:

● There is no n.n.n.n dhcp-network table for DHCP client’s network

This error message means that a client requests a specific IP address or seeks to extend a lease on its current IP address, but the DHCP server cannot find the DHCP network table for that address.

The DHCP network table might have been deleted by mistake. Recreate the DHCP network table by adding the network again using the dhcpmgr utility or the pntadm command.

● ICMP ECHO reply to the OFFER candidate is n.n.n.n, disabling

The IP address considered for a DHCP client is already in use. This might occur if more than one DHCP server owns the address or if an address is manually configured for a non-DHCP network client.

Determine the correct ownership of the address, and correct either the DHCP server database or the host’s network configuration.

● ICMP ECHO reply to OFFER candidate n.n.n.n. No corresponding dhcp network record

The IP address considered for a DHCP client does not have a record in a network table. This might occur if the IP address record is deleted from the DHCP network table after the address is selected, but before the duplicate address check is complete.

Use the dhcpmgr utility or the pntadm command to view the DHCP network table. If the IP address is missing, create it with the DHCP Manager (select Create from the Edit menu on the Address tab) or use the pntadm command.


● DHCP network record for n.n.n.n is unavailable, ignoring request

The record for the requested IP address is not in the DHCP network table; therefore, the server drops the request.

Use the dhcpmgr utility or the pntadm command to view the DHCP network table and, if the IP address is missing, create it with the dhcpmgr utility (select Create from the Edit menu on the Address tab) or use the pntadm command.

● n.n.n.n currently marked as unusable

The requested IP address cannot be offered because it is marked unusable in the network table.

Use the DHCP Manager or the pntadm command to make the address usable.

● n.n.n.n was manually allocated. No dynamic address will be allocated.

The client’s ID is assigned a manually allocated address, and that address is marked “unusable.” The server cannot allocate a different address to this client.

Use the DHCP Manager or the pntadm command to make the address usable, or manually allocate a different address to the client.

● Manual allocation (n.n.n.n, client ID has n other records). Should have 0.

The client that has the specified client ID is manually assigned more than one IP address. There should be only one address. The server selects the last manually assigned address it finds in the network table.

Use the DHCP Manager or the pntadm command to modify IP addresses to remove the additional manual allocations.

● No more IP addresses on n.n.n.n network.

All IP addresses that are currently managed by DHCP on the specified network are allocated.

Use the DHCP Manager or the pntadm command to create new IP addresses for this network.


● Client: clientID lease for n.n.n.n expired.

The lease was not negotiable, and it has timed out.

The client restarts the protocol to obtain a new lease.

● Offer expired for client: n.n.n.n

The server made an IP address offer to the client, but the client took too long to respond, and the offer expired.

The client issues another discover message. If this request times out, increase the cache-offer timeout for the DHCP server. In the DHCP Manager, select Modify from the Service menu.

● Client: clientID REQUEST is missing requested IP option.

The client’s request did not specify the offered IP address, so the DHCP server ignores the request. This problem might occur if the client is not compliant with the updated DHCP, RFC 2131.

Update the client software.

● Client: clientID is trying to renew n.n.n.n, an IP address it has not leased.

The IP address recorded in the DHCP network table for this client does not match the IP address that the client specified in its renewal request. The DHCP server does not renew the lease.

This problem occurs if you delete a client’s record while the client is still using the IP address.

Use the DHCP Manager or the pntadm command to examine the network table, and correct if necessary. The client’s ID should be bound to the specified IP address. If it is not, edit the address properties to add the client ID.

To enable the client to receive a new lease immediately, restart the DHCP agent on the client by typing the commands:

# ifconfig interface dhcp release
# ifconfig interface dhcp start
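The messages listed in this section can be triaged automatically once they reach syslog. The following Python sketch is an added example, not part of the Sun course material: it matches in.dhcpd log lines against the message wording given above and groups the hits by category and IP address, so that an address that keeps failing the duplicate-address check or an exhausted pool stands out. Assumptions: the syslog line prefix and all sample lines are constructed, and the patterns follow the guide's wording, which may differ in punctuation from what a given in.dhcpd release writes.

```python
import re
from collections import Counter, defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
CLIENT = r"(?P<client>\S+)"

# (category, pattern built from the guide's wording, remedy the guide gives)
RULES = [
    ("missing_table", rf"There is no {IP} dhcp-network table",
     "Re-add the network with dhcpmgr or pntadm."),
    ("address_in_use", rf"ICMP ECHO reply to (?:the )?OFFER candidate(?: is)? {IP}, ?disabling",
     "Determine who owns the address; fix the DHCP database or the host."),
    ("no_record_for_candidate",
     rf"ICMP ECHO reply to OFFER candidate {IP} ?\. ?No corresponding dhcp network record",
     "View the network table; recreate the address if it is missing."),
    ("record_unavailable", rf"DHCP network record for {IP} is unavailable",
     "View the network table; recreate the address if it is missing."),
    ("marked_unusable", rf"{IP} currently marked as unusable",
     "Make the address usable with DHCP Manager or pntadm."),
    ("manual_unusable", rf"{IP} was manually allocated",
     "Make the address usable or manually allocate another one."),
    ("multiple_manual", rf"Manual allocation \( ?{IP} ?, client ID has (?P<n>\d+) other records\)",
     "Remove the additional manual allocations."),
    ("pool_exhausted", rf"No more IP addresses on {IP} network",
     "Create new IP addresses for this network."),
    ("lease_expired", rf"Client: {CLIENT} lease for {IP} expired",
     "None; the client restarts the protocol."),
    ("offer_expired", rf"Offer expired for client: {IP}",
     "If it recurs, increase the cache-offer timeout."),
    ("missing_requested_ip", rf"Client: {CLIENT} REQUEST is missing requested IP option",
     "Update the client software."),
    ("renew_not_leased",
     rf"Client: {CLIENT} is trying to renew {IP}, an IP address it has not leased",
     "Check that the client ID is bound to the address in the network table."),
]
COMPILED = [(name, re.compile(pattern), remedy) for name, pattern, remedy in RULES]

# Constructed prefix layout: "Mon DD HH:MM:SS host in.dhcpd[pid]: message"
PREFIX = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\sin\.dhcpd\[\d+\]:\s(?P<msg>.*)$")

# Constructed sample lines.
SAMPLE_LOG = """\
Mar  9 14:02:11 sys13 in.dhcpd[412]: ICMP ECHO reply to the OFFER candidate is 192.168.1.12, disabling
Mar  9 14:02:40 sys13 in.dhcpd[412]: ICMP ECHO reply to the OFFER candidate is 192.168.1.13, disabling
Mar  9 14:03:05 sys13 in.dhcpd[412]: 192.168.1.12 currently marked as unusable
Mar  9 14:05:17 sys13 in.dhcpd[412]: No more IP addresses on 192.168.1.0 network.
Mar  9 14:06:00 sys13 in.dhcpd[412]: Client: 010800201234AB is trying to renew 192.168.1.14, an IP address it has not leased.
Mar  9 14:06:30 sys13 in.dhcpd[412]: Manual allocation (192.168.30.3, client ID has 1 other records). Should have 0.
Mar  9 14:07:02 sys13 sendmail[501]: unrelated message mentioning 192.168.1.12
Mar  9 14:07:45 sys13 in.dhcpd[412]: Client: 0108002055EE01 REQUEST is missing requested IP option.
"""


def classify(line):
    """Return category, IP, client ID and remedy for one in.dhcpd line, else None."""
    prefix = PREFIX.match(line)
    if prefix is None:
        return None  # not an in.dhcpd line
    message = " ".join(prefix.group("msg").split())  # collapse odd spacing
    for name, pattern, remedy in COMPILED:
        hit = pattern.search(message)
        if hit:
            groups = hit.groupdict()
            return {"category": name, "ip": groups.get("ip"),
                    "client": groups.get("client"), "remedy": remedy}
    return None


def summarize(lines):
    """Count events per category and list the categories seen for each IP."""
    counts = Counter()
    by_ip = defaultdict(set)
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        counts[event["category"]] += 1
        if event["ip"]:
            by_ip[event["ip"]].add(event["category"])
    return {"counts": counts,
            "by_ip": {ip: sorted(cats) for ip, cats in by_ip.items()}}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for category, count in summary["counts"].most_common():
        print(f"{count:3d}  {category}")
    for ip, categories in sorted(summary["by_ip"].items()):
        print(f"{ip}: {', '.join(categories)}")
```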


Troubleshooting DHCP Clients

The problems you might encounter with a DHCP client fall into the following categories:

● Problems communicating with the DHCP server

● Problems with inaccurate DHCP configuration information

After you enable the client software and reboot the system, the client tries to reach the DHCP server to obtain its network configuration. If the client fails to reach the server or if the client does not receive correct information, you can see error messages, such as:

DHCP or BOOTP server not responding
Need router-ip to communicate with TFTP server
TFTP server’s IP address not known!

Before you determine the problem, you must gather diagnostic information from both the client and the server, and analyze this information. To gather information, you can:

● Run the client in debug mode.

● Run the server in debug mode.

● Start the snoop utility to monitor network traffic.

You can perform these tasks separately or concurrently.

The information you gather can help you determine if the problem is with the client, server, or a relay agent.


Exercise: Configuring a DHCP Server and Client

In this exercise, you configure a basic DHCP server and client configuration.

Preparation

Before performing this exercise, do the following:

● Refer to your network diagram to determine the function of each system on your subnet.

● Refer to the lecture notes as necessary to perform the tasks listed.

Note – Use the default configuration parameters in these exercises unless otherwise specified.

The exercise examples show the DHCP server as 192.168.X.3 and the DHCP client as 192.168.X.4. The complete system and server-client functions for these exercises are shown in Table 11-2.

Table 11-2 Exercise Host Functions

Host          Function
Instructor    Root DNS name server
sysX1         Router
sysX2         Primary DNS name server, DNS client
sysX3         Secondary DNS name server, DNS client, DHCP server
sysX4         DNS client, DHCP client

Task Summary

In this exercise, you accomplish the following tasks:

● Configure a DHCP server.

● Configure a DHCP client.

● Use the snoop utility to view DHCP client-server interaction.

Task 1 – Configuring the DHCP Server

Complete the steps in this section.

Working on the sysX3 System

In this part of the exercise, use the DHCP Manager graphical user interface (GUI) utility (dhcpmgr utility) to configure a DHCP server on your subnet. Permit the network wizard to start and configure at least five hosts with the address range starting at 192.168.xxx.xxx, where xxx.xxx is provided by the instructor depending on the classroom setup.

Note – Use the default configuration parameters in this task unless otherwise specified.

This example uses the sys13 system to demonstrate configuring a basic DHCP server with the dhcpmgr GUI utility.

To configure the DHCP server, complete the following steps:

1. Start the dhcpmgr utility.

2. Initially configure the DHCP server.

3. Add at least five addresses.

4. To view the information that the dhcpmgr utility added to the /etc/inet/hosts file, use the grep command.

Task 2 – Configuring the DHCP Client

Complete the steps in this section.

Working on the sysX4 System

This example uses the sys14 system as the DHCP client. To configure the DHCP client, complete the following steps:

1. Log in as the root user on the DHCP client.

2. Enable DHCP on the client.

3. Configure the /etc/default/dhcpagent file on the DHCP client so that it releases its IP address if it is rebooted or is shut down.

4. Reboot the client, and watch the system console as the system boots.

Task 3 – Using the snoop Utility to View DHCP Client-Server Interaction

An important part of troubleshooting DHCP issues is using the snoop utility to observe the network interaction between the server and the client.

To view DHCP client-server interaction, complete the following steps:

1. Start the snoop utility on any system on the subnet other than the DHCP client. Be sure to use the snoop utility on an interface that is on the same subnet as the DHCP client, which is hme0 in this example. Have the snoop utility write to the /tmp/dhcp-snoop.snp file.

2. Reboot the DHCP client system.

3. After the DHCP client is booted, stop the snoop utility by pressing the Control+C key sequence.

4. View the summary of the captured information.

5. Use the snoop utility to convert the trace data to ASCII text, and output that text to the /tmp/dhcp-snoop.txt file for viewing with any text editor that provides easy navigation and searching of the data.

6. Use the view utility to view the trace data in the /tmp/dhcp-snoop.txt file. Look for messages, such as DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK, in the trace. Observe the ETHER destination addresses, the source and destination IP addresses, and the DHCP messages.

7. Prevent the client system from continuing to act as a DHCP client by removing the /etc/dhcp.* files and rebooting the system.

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

Solutions to the exercise are provided in this section.

Task 1 – Configuring the DHCP Server

Complete the steps in this section.

Working on the sysX3 System

In this part of the exercise, use the DHCP Manager GUI utility (dhcpmgr utility) to configure a DHCP server on your subnet. Permit the network wizard to start and configure at least five hosts with the address range starting at 192.168.xxx.xxx, where xxx.xxx is provided by the instructor depending on the classroom setup.

Note – Use the default configuration parameters in this task unless otherwise specified.

This example uses the sys13 system to demonstrate configuring a basic DHCP server with the dhcpmgr GUI utility.

To configure the DHCP server, complete the following steps:

1. Start the dhcpmgr utility.

# /usr/sadm/admin/bin/dhcpmgr &

2. Initially configure the DHCP server.

If the system is not configured as a DHCP server or BOOTP relay, Figure 11-25 appears.

Figure 11-25 Choose Server Configuration Window

Perform the following:

a. Click OK.

The DHCP Configuration Wizard – Step 1 window in Figure 11-26 appears.

Figure 11-26 DHCP Configuration Wizard – Step 1 Window

b. Select Text files, and click >.

The DHCP Configuration Wizard – Step 2 window in Figure 11-27 appears. This example uses the default directory.

Figure 11-27 DHCP Configuration Wizard – Step 2 Window

c. Accept the default path name, and click >.

The DHCP Configuration Wizard – Step 3 window in Figure 11-28 appears.

Figure 11-28 DHCP Configuration Wizard – Step 3 Window

d. Select /etc/hosts, and click >.

The DHCP Configuration Wizard – Step 4 window in Figure 11-29 appears. This example uses the defaults 1 and days.

Figure 11-29 DHCP Configuration Wizard – Step 4 Window

e. Accept the defaults of 1, days, and Clients can renew their leases, then click >.

The DHCP Configuration Wizard – Step 5 window in Figure 11-30 appears. This example uses the default DNS information.

Figure 11-30 DHCP Configuration Wizard – Step 5 Window

f. Accept the default DNS domain and DNS servers, and click >.

The DHCP Configuration Wizard – Step 6 window in Figure 11-31 appears. This example uses the 192.168.1.0 network.

Figure 11-31 DHCP Configuration Wizard – Step 6 Window

g. Specify a network address by either selecting one or typing one, type a subnet mask, and click >.

The DHCP Configuration Wizard – Step 7 window in Figure 11-32 appears. This example uses the defaults of Local-Area (LAN) and Use router discovery protocol.

Figure 11-32 DHCP Configuration Wizard – Step 7 Window

h. Select Local-Area (LAN).

i. Select Use router discovery protocol.

j. Click >.

The DHCP Configuration Wizard – Step 8 window in Figure 11-33 appears. This example uses the defaults of no NIS Domain and no NIS Servers.

Figure 11-33 DHCP Configuration Wizard – Step 8 Window

k. Accept the defaults, no entries, as shown.

l. Click >.

The DHCP Configuration Wizard – Step 9 window in Figure 11-34 appears. This example uses the defaults of no NIS+ domain and no NIS+ servers.

Figure 11-34 DHCP Configuration Wizard – Step 9 Window

m. Accept the default of no entries, as shown.

n. Click >.

The DHCP Configuration Wizard – Step 10 window in Figure 11-35 appears. This example uses the sample information indicated previously.

Figure 11-35 DHCP Configuration Wizard – Step 10 Window

o. Review the information and, if the information is correct, click Finish.

The DHCP Configuration Manager Window closes, the main DHCP Manager Window appears, and the Start Address Wizard window in Figure 11-36 appears.

Figure 11-36 Start Address Wizard Window

p. Click Yes to proceed with address configuration.

The DHCP Address Configuration Wizard – Step 1 window in Figure 11-37 appears. This example uses five addresses and a comment of net1.

Figure 11-37 DHCP Address Configuration Wizard – Step 1 Window

3. Add at least five addresses.

Perform the following:

a. Enter 5 in the Number of IP Addresses field.

b. Add the comment net1 in this example. (This is the comment appended to the end of each DHCP-managed IP address line added to the /etc/inet/hosts file).

c. Click >.

The DHCP Address Configuration Wizard – Step 2 window in Figure 11-38 appears. In this example, the Managed by Server field is set to the default, and the starting IP address must be changed to 192.168.1.10. This example allows client name generation and uses sys13-dhcp for the root name.

Figure 11-38 DHCP Address Configuration Wizard – Step 2 Window

d. Verify that Managed by Server and Starting IP Address fields display the correct information.

e. Select Generate Client Names.

f. Type a name in the Root Name field.

g. Click >.

The DHCP Address Configuration Wizard – Step 3 window in Figure 11-39 appears.

Figure 11-39 DHCP Address Configuration Wizard – Step 3 Window

h. Verify that the address information is correct, and click >.

The DHCP Address Configuration Wizard – Step 4 window in Figure 11-40 appears.

Figure 11-40 DHCP Address Configuration Wizard – Step 4 Window

i. Use the default Configuration Macro and verify that Addresses are unusable is checked.

j. Click >.

The DHCP Address Configuration Wizard – Step 5 window in Figure 11-41 appears. This example uses the default Dynamic.

Figure 11-41 DHCP Address Configuration Wizard – Step 5 Window

k. Select Dynamic, and click >.

The DHCP Address Configuration Wizard – Step 6 window in Figure 11-42 appears.

Figure 11-42 DHCP Address Configuration Wizard – Step 6 Window

l. Review the information, and click Finish.

Note – You can continue without problems if one or two addresses are already in use from earlier exercises.

The DHCP Manager window in Figure 11-43 appears.

Figure 11-43 DHCP Manager Window

m. Select Exit from the File menu to close the DHCP Manager window.

4. To view the information that the dhcpmgr utility added to the /etc/inet/hosts file, use the grep command:

# grep dhcp /etc/inet/hosts
192.168.1.10 sys13-dhcp-10 #net1
192.168.1.11 sys13-dhcp-11 #net1
192.168.1.12 sys13-dhcp-12 #net1
192.168.1.13 sys13-dhcp-13 #net1
192.168.1.14 sys13-dhcp-14 #net1
#

Task 2 – Configuring the DHCP Client

Complete the steps in this section.

Working on the sysX4 System

This example uses the sys14 system as the DHCP client. To configure the DHCP client, complete the following steps:

1. Log in as the root user on the DHCP client.

2. Enable DHCP on the client.

Create the appropriate file for the external interface, which is hme0 in this example.

The command syntax used to enable the DHCP client is:

# touch /etc/dhcp.hme0

Note – Verify that the /etc/hostname.interface file exists for the interface being configured using DHCP; otherwise, the interface is not plumbed. This is a requirement for a successful DHCP configuration of the client.

3. Configure the /etc/default/dhcpagent file on the DHCP client so that it releases its IP address if it is rebooted or is shut down.

Edit the /etc/default/dhcpagent file, and remove the # in front of the RELEASE_ON_SIGTERM=yes parameter.

4. Reboot the client, and watch the system console as the system boots.

You should see something similar to the following:

SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: sys13-dhcp-14

Task 3 – Using the snoop Utility to View DHCP Client-Server Interaction

An important part of troubleshooting DHCP issues is using the snoop utility to observe the network interaction between the server and the client.

To view DHCP client-server interaction, complete the following steps:

1. Start the snoop utility on any system on the subnet other than the DHCP client. Be sure to use the snoop utility on an interface that is on the same subnet as the DHCP client, which is hme0 in this example. Have the snoop utility write to the /tmp/dhcp-snoop.snp file.

# snoop -d hme0 -o /tmp/dhcp-snoop.snp
Using device /dev/hme (promiscuous mode)

2. Reboot the DHCP client system.

# init 6

3. After the DHCP client has booted, stop the snoop utility by pressing the Control+C key sequence.

4. View the summary of the captured information.

# snoop -i /tmp/dhcp-snoop.snp | more
  1 0.96445 192.168.1.1 -> 192.168.1.255 RIP R (3 destinations)
  2 1.02589 fe80::203:baff:fe6b:5e06 -> ff02::9 RIPng R (6 destinations)
...
...
 24 1.51914 192.168.1.14 -> sys13.one.edu DHCP/BOOTP DHCPRELEASE
...
...
105 0.61469 OLD-BROADCAST -> BROADCAST DHCP/BOOTP DHCPDISCOVER
106 0.00254 sys13.one.edu -> 192.168.1.14 ICMP Echo request (ID: 4 Sequence number: 0)
107 1.00656 sys13.one.edu -> 192.168.1.14 DHCP/BOOTP DHCPOFFER
108 0.37637 ? -> (multicast) ETHER Type=0001 (LLC/802.3), size = 52 bytes
109 0.79455 OLD-BROADCAST -> BROADCAST DHCP/BOOTP DHCPREQUEST
110 0.01810 sys13.one.edu -> 192.168.1.14 DHCP/BOOTP DHCPACK
111 0.00096 OLD-BROADCAST -> (broadcast) ARP C Who is 192.168.1.14, 192.168.1.14 ?
112 1.00432 192.168.1.14 -> (broadcast) ARP C Who is 192.168.1.14, 192.168.1.14 ?
...

5. Use the snoop utility to convert the trace data to ASCII text, and output that text to the /tmp/dhcp-snoop.txt file for viewing with any text editor that provides easy navigation and searching of the data.

# snoop -v -i /tmp/dhcp-snoop.snp > /tmp/dhcp-snoop.txt

6. Use the view utility to view the trace data in the /tmp/dhcp-snoop.txt file. Look for messages, such as DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK, in the trace. Observe the ETHER destination addresses, the source and destination IP addresses, and the DHCP messages.

DHCPRELEASE:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 24 arrived at 9:31:56.83990
ETHER: Packet size = 342 bytes
ETHER: Destination = 0:3:ba:68:45:39,
ETHER: Source = 0:3:ba:68:44:d3,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability

IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 328 bytes
IP: Identification = 55877
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 1cfd
IP: Source address = 192.168.1.14, 192.168.1.14
IP: Destination address = 192.168.1.3, sys13.one.edu
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 68
UDP: Destination port = 67 (BOOTPS)
UDP: Length = 308
UDP: Checksum = B341
UDP:
DHCP: ----- Dynamic Host Configuration Protocol -----
DHCP:
DHCP: Hardware address type (htype) = 1 (Ethernet (10Mb))
DHCP: Hardware address length (hlen) = 6 octets
DHCP: Relay agent hops = 0
DHCP: Transaction ID = 0x6fdf1bbf
DHCP: Time since boot = 0 seconds
DHCP: Flags = 0x0000
DHCP: Client address (ciaddr) = 192.168.1.14
DHCP: Your client address (yiaddr) = 0.0.0.0
DHCP: Next server address (siaddr) = 0.0.0.0
DHCP: Relay agent address (giaddr) = 0.0.0.0
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP:
DHCP: ----- (Options) field options -----
DHCP:
DHCP: Message type = DHCPRELEASE
DHCP: Error Message = DHCP agent is exiting
DHCP: DHCP Server Identifier = 192.168.1.3

DHCPDISCOVER:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 105 arrived at 9:34:5.95251
ETHER: Packet size = 342 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:3:ba:68:44:d3,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 328 bytes
IP: Identification = 4
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 7aa1
IP: Source address = 0.0.0.0, OLD-BROADCAST
IP: Destination address = 255.255.255.255, BROADCAST
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 68
UDP: Destination port = 67 (BOOTPS)
UDP: Length = 308
UDP: Checksum = E7EC
UDP:
DHCP: ----- Dynamic Host Configuration Protocol -----
DHCP:
DHCP: Hardware address type (htype) = 1 (Ethernet (10Mb))
DHCP: Hardware address length (hlen) = 6 octets
DHCP: Relay agent hops = 0
DHCP: Transaction ID = 0x926aa722
DHCP: Time since boot = 48 seconds

DHCP: Flags = 0x0000
DHCP: Client address (ciaddr) = 0.0.0.0
DHCP: Your client address (yiaddr) = 0.0.0.0
DHCP: Next server address (siaddr) = 0.0.0.0
DHCP: Relay agent address (giaddr) = 0.0.0.0
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP:
DHCP: ----- (Options) field options -----
DHCP:
DHCP: Message type = DHCPDISCOVER
DHCP: Maximum DHCP Message Size = 1472 bytes
DHCP: IP Address Lease Time = -1 seconds
DHCP: Client Class Identifier = "SUNW.UltraAX-i2"
DHCP: Requested Options:
DHCP: 1 (Subnet Mask)
DHCP: 3 (Router)
DHCP: 6 (DNS Servers)
DHCP: 12 (Client Hostname)
DHCP: 15 (DNS Domain Name)
DHCP: 28 (Broadcast Address)
DHCP: 43 (Vendor Specific Options)

DHCPOFFER:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 107 arrived at 9:34:6.96163
ETHER: Packet size = 359 bytes
ETHER: Destination = 0:3:ba:68:44:d3,
ETHER: Source = 0:3:ba:68:45:39,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 345 bytes
IP: Identification = 42935
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 4f7a
IP: Source address = 192.168.1.3, sys13.one.edu
IP: Destination address = 192.168.1.14, 192.168.1.14
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 67
UDP: Destination port = 68 (BOOTPC)
UDP: Length = 325
UDP: Checksum = 84B8
UDP:
DHCP: ----- Dynamic Host Configuration Protocol -----
DHCP:
DHCP: Hardware address type (htype) = 1 (Ethernet (10Mb))
DHCP: Hardware address length (hlen) = 6 octets
DHCP: Relay agent hops = 0
DHCP: Transaction ID = 0x926aa722
DHCP: Time since boot = 48 seconds

DHCP: Flags = 0x0000
DHCP: Client address (ciaddr) = 0.0.0.0
DHCP: Your client address (yiaddr) = 192.168.1.14
DHCP: Next server address (siaddr) = 0.0.0.0
DHCP: Relay agent address (giaddr) = 0.0.0.0
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP:
DHCP: ----- (Options) field options -----
DHCP:
DHCP: Message type = DHCPOFFER
DHCP: DHCP Server Identifier = 192.168.1.3
DHCP: UTC Time Offset = -25200 seconds
DHCP: RFC868 Time Servers at = 192.168.1.3
DHCP: IP Address Lease Time = 86400 seconds
DHCP: DNS Domain Name = one.edu
DHCP: DNS Servers at = 192.168.1.2
DHCP: DNS Servers at = 192.168.1.3
DHCP: Broadcast Address = 192.168.1.255
DHCP: Perform Router Discovery Flag flag = 0x1
DHCP: Subnet Mask = 255.255.255.0
DHCP: Client Hostname = sys13-dhcp-14

DHCPREQUEST:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 109 arrived at 9:34:8.13256
ETHER: Packet size = 342 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:3:ba:68:44:d3,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 328 bytes
IP: Identification = 5
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 7aa0
IP: Source address = 0.0.0.0, OLD-BROADCAST
IP: Destination address = 255.255.255.255, BROADCAST
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 68
UDP: Destination port = 67 (BOOTPS)
UDP: Length = 308
UDP: Checksum = 9B2C
UDP:
DHCP: ----- Dynamic Host Configuration Protocol -----
DHCP:
DHCP: Hardware address type (htype) = 1 (Ethernet (10Mb))
DHCP: Hardware address length (hlen) = 6 octets
DHCP: Relay agent hops = 0
DHCP: Transaction ID = 0x21a95f6
DHCP: Time since boot = 48 seconds

DHCP: Flags = 0x0000
DHCP: Client address (ciaddr) = 0.0.0.0
DHCP: Your client address (yiaddr) = 0.0.0.0
DHCP: Next server address (siaddr) = 0.0.0.0
DHCP: Relay agent address (giaddr) = 0.0.0.0
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP:
DHCP: ----- (Options) field options -----
DHCP:
DHCP: Message type = DHCPREQUEST
DHCP: IP Address Lease Time = 86400 seconds
DHCP: Maximum DHCP Message Size = 1472 bytes
DHCP: Requested IP Address = 192.168.1.14
DHCP: DHCP Server Identifier = 192.168.1.3
DHCP: Client Class Identifier = "SUNW.UltraAX-i2"
DHCP: Requested Options:
DHCP: 1 (Subnet Mask)
DHCP: 3 (Router)
DHCP: 6 (DNS Servers)
DHCP: 12 (Client Hostname)
DHCP: 15 (DNS Domain Name)
DHCP: 28 (Broadcast Address)
DHCP: 43 (Vendor Specific Options)

DHCPACK:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 110 arrived at 9:34:8.15066
ETHER: Packet size = 359 bytes
ETHER: Destination = 0:3:ba:68:44:d3,
ETHER: Source = 0:3:ba:68:45:39,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = not ECN capable transport
IP: .... ...0 = no ECN congestion experienced
IP: Total length = 345 bytes
IP: Identification = 44125
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = 4ad4
IP: Source address = 192.168.1.3, sys13.one.edu
IP: Destination address = 192.168.1.14, 192.168.1.14
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 67
UDP: Destination port = 68 (BOOTPC)
UDP: Length = 325
UDP: Checksum = 84B8
UDP:
DHCP: ----- Dynamic Host Configuration Protocol -----
DHCP:
DHCP: Hardware address type (htype) = 1 (Ethernet (10Mb))
DHCP: Hardware address length (hlen) = 6 octets
DHCP: Relay agent hops = 0
DHCP: Transaction ID = 0x21a95f6
DHCP: Time since boot = 48 seconds

DHCP: Flags = 0x0000
DHCP: Client address (ciaddr) = 0.0.0.0
DHCP: Your client address (yiaddr) = 192.168.1.14
DHCP: Next server address (siaddr) = 0.0.0.0
DHCP: Relay agent address (giaddr) = 0.0.0.0
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP:
DHCP: ----- (Options) field options -----
DHCP:
DHCP: Message type = DHCPACK
DHCP: DHCP Server Identifier = 192.168.1.3
DHCP: UTC Time Offset = -25200 seconds
DHCP: RFC868 Time Servers at = 192.168.1.3
DHCP: IP Address Lease Time = 86400 seconds
DHCP: DNS Domain Name = one.edu
DHCP: DNS Servers at = 192.168.1.2
DHCP: DNS Servers at = 192.168.1.3
DHCP: Broadcast Address = 192.168.1.255
DHCP: Perform Router Discovery Flag flag = 0x1
DHCP: Subnet Mask = 255.255.255.0
DHCP: Client Hostname = sys13-dhcp-14

7. Prevent the client system from continuing to act as a DHCP client by removing the /etc/dhcp.* files and rebooting the system.

# rm /etc/dhcp.*
# init 6
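
To go with step 6 of Task 3, the following added example (not part of the student guide) reads the text that snoop -v writes to /tmp/dhcp-snoop.txt, pairs client and server messages by transaction ID, and reports replies from servers outside an expected list as well as DHCPDISCOVER or DHCPREQUEST messages that were never answered. The embedded trace, the 192.168.1.99 address, and the function names are constructed for illustration.

```python
import re

# Constructed, abridged trace in the "PROTO: field = value" layout of
# `snoop -v -i <capture>` text output. All values are sample data.
SAMPLE_TRACE = """\
ETHER: ----- Ether Header -----
ETHER: Packet 1 arrived at 9:34:5.95
IP: Source address = 0.0.0.0, OLD-BROADCAST
DHCP: Transaction ID = 0x926aa722
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP: Message type = DHCPDISCOVER
ETHER: ----- Ether Header -----
ETHER: Packet 2 arrived at 9:34:6.96
IP: Source address = 192.168.1.3, sys13.one.edu
DHCP: Transaction ID = 0x926aa722
DHCP: Your client address (yiaddr) = 192.168.1.14
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP: Message type = DHCPOFFER
DHCP: DHCP Server Identifier = 192.168.1.3
ETHER: ----- Ether Header -----
ETHER: Packet 3 arrived at 9:34:7.02
IP: Source address = 192.168.1.99, 192.168.1.99
DHCP: Transaction ID = 0x926aa722
DHCP: Your client address (yiaddr) = 192.168.1.200
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP: Message type = DHCPOFFER
DHCP: DHCP Server Identifier = 192.168.1.99
ETHER: ----- Ether Header -----
ETHER: Packet 4 arrived at 9:34:8.13
IP: Source address = 0.0.0.0, OLD-BROADCAST
DHCP: Transaction ID = 0x21a95f6
DHCP: Client hardware address (chaddr) = 00:03:BA:68:44:D3
DHCP: Message type = DHCPREQUEST
"""

START = re.compile(r"^ETHER:\s+-+\s*Ether Header\s*-+")
PKTNO = re.compile(r"^ETHER:\s+Packet (\d+) arrived")
FIELD = re.compile(r"^(ETHER|IP|UDP|DHCP):\s+(.+?)\s+=\s+(.*)$")

def parse_packets(text):
    """Return one summary dict per packet that carries a DHCP message."""
    raw, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if START.match(line):              # every decoded packet starts here
            cur = {}
            raw.append(cur)
        elif cur is not None and PKTNO.match(line):
            cur["packet"] = int(PKTNO.match(line).group(1))
        elif cur is not None and FIELD.match(line):
            proto, key, value = FIELD.match(line).groups()
            cur.setdefault((proto, key), value)   # keep first of repeated fields
    out = []
    for p in raw:
        if ("DHCP", "Message type") not in p:
            continue                       # RIP, ARP, ICMP and other traffic
        out.append({
            "packet": p.get("packet"),
            "type": p[("DHCP", "Message type")],
            "xid": p.get(("DHCP", "Transaction ID")),
            "chaddr": p.get(("DHCP", "Client hardware address (chaddr)")),
            "src_ip": p.get(("IP", "Source address"), "").split(",")[0],
            "server_id": p.get(("DHCP", "DHCP Server Identifier")),
            "yiaddr": p.get(("DHCP", "Your client address (yiaddr)")),
        })
    return out

SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
REPLY_TO = {"DHCPDISCOVER": {"DHCPOFFER"},
            "DHCPREQUEST": {"DHCPACK", "DHCPNAK"}}

def review(packets, allowed_servers):
    """List replies from unlisted servers and client messages left unanswered."""
    findings, by_xid = [], {}
    for p in packets:
        by_xid.setdefault((p["chaddr"], p["xid"]), []).append(p)
        if p["type"] in SERVER_TYPES:
            # Behind a BOOTP relay the IP source may be the relay, so prefer the
            # Server Identifier option and fall back to the IP source address.
            server = p["server_id"] or p["src_ip"]
            if server not in allowed_servers:
                findings.append(f"packet {p['packet']}: {p['type']} from "
                                f"unexpected server {server}")
    for (_, xid), group in by_xid.items():
        seen = {p["type"] for p in group}
        for ask, replies in REPLY_TO.items():
            if ask in seen and not seen & replies:
                findings.append(f"xid {xid}: {ask} got no "
                                f"{'/'.join(sorted(replies))}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_packets(SAMPLE_TRACE), {"192.168.1.3"}):
        print(finding)
```

An unanswered DHCPDISCOVER in this report corresponds to the "DHCP or BOOTP server not responding" symptom on the client console.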

Module 12

Configuring NTP

Objectives

This module introduces how to configure the Network Time Protocol (NTP). This module also introduces NTP basics, including how computers keep time, the uses of NTP, and NTP terms. This module also describes how to configure an NTP server and an NTP client. In addition, this module describes how to troubleshoot NTP, including how to view logs and how to use the snoop utility.

Upon completion of this module, you should be able to:

● Identify NTP basics

● Configure an NTP server

● Configure an NTP client

● Troubleshoot NTP

The course map in Figure 12-1 shows how this module fits into the current instructional goal.

Figure 12-1 Course Map (Configuring and Managing Network Applications: Configuring the Solaris™ IP Filter Firewall, Configuring DNS, Configuring DHCP, Configuring NTP)

Identifying NTP Basics

Before you configure NTP, you must be aware of some basic computer clock and NTP-related concepts.

How Computers Keep Time

This section describes how computers keep time. This is a high-level introduction and is not meant to be all inclusive.

When the system is not running the Solaris OS, the time-of-day chip maintains basic 24-hour time. This time is copied into a 64-bit counter used by the kernel to maintain 24-hour time for a running system.

Sun systems use a combination of an oscillator and a 64-bit counter to keep track of time. A specific number of oscillations cause an interrupt that, if processed, will cause the counter to increment.

The Sun system central processing units (CPUs) generate the regular interrupts. By default, 100 interrupts are generated per second. For the system’s counter to increment, the CPU’s interrupt must be processed by the kernel. Each interrupt that gets processed is known as a clock tick. However, not all interrupts get processed. This is often due to high system loads and higher priority tasks that take precedence within the kernel. Therefore, gradually, a clock will fall slightly behind because not all time interrupts are processed. However, the controller boards in Sun Fire™ 12k to 25k high-end servers use a real-time clock, not the normal 100 interrupts per second method. This makes them excellent NTP servers, since the clock does not drift as it does on a regular server or workstation. However, making them an NTP client can cause issues with the SMS software.

Note – The 32-bit time counter would reach its limit in the year 2038. The 64-bit time counter was started at 0 at midnight, January 1, 1970 Greenwich Mean Time (GMT). The counter will reach its limit in about 290 million years.

Variation in the frequency of the oscillator and delays to the kernel interrupt routine cause clock drifts. NTP disciplines the system clock frequency and time, producing more accurate timing mechanisms for the system.


Uses of NTP

Many network applications need synchronized clocks to function properly. For example:

● Encryption – This application often uses time as a component of encryption keys.

● Network management – This application uses time to determine exactly when something took place.

● Logging – The syslog facility uses time to display system events.

● File systems – Applications time stamp files when they are created or modified. Many backup applications are configured to use time as a criterion for determining backups, so clock synchronization between the backup server and other systems is important.

● Cluster Nodes – Individual nodes in a Sun Cluster configuration use NTP to ensure that they all agree on the time.

NTP Terms

Several terms are used when describing time-related topics. These terms are described in Table 12-1.

Table 12-1 NTP Terms

Term – Description

Reference clock – A clock that provides current time by accurately following a time standard, such as Coordinated Universal Time (UTC).

Strata – NTP servers are arranged in a hierarchy of levels, called strata. A stratum-1 server is more accurate than a stratum-10 server. There are 16 strata.

Stratum-1 server – A highly available NTP server that has its own reference clock.

Resolution – The smallest increment in time that a clock offers. For example, a wristwatch usually has a resolution of one second.

Precision – The smallest increase in time that a computer program can use.

Jitter – The difference of the differences experienced when repeatedly measuring time.

Accuracy – How close a clock follows an official time reference, such as UTC.

Reliability – The length of time that a clock can remain accurate within a specified range.

Wander – All clocks suffer from frequency variations. This variation is called wander.

Drift file – A file that contains the frequency offset of the local system’s clock oscillator. Drift file contents can be used by protocols, like NTP, to cause a system’s clock to be more accurate. The default location for Sun’s NTP drift file is /var/ntp/ntp.drift.

xntpd – The NTP daemon.

The ntp.conf file – A file that causes the xntpd daemon to start in either the client or the server mode and provides configuration statements that control the behavior of the xntpd daemon.

The fudge command – You can use the fudge command in the ntp.conf file as a keyword to configure reference clocks in special ways, such as defining calibration constants to force a time offset to a particular external-time standard.

Discipline – A general term used for various actions carried out by some protocol, which helps keep a local clock better synchronized to an official time source, such as UTC.


Configuring an NTP Server

The /etc/inet/ntp.server file is a template for configuring an NTP server. Copy this file to /etc/inet/ntp.conf, and edit it to meet your network’s requirements. When viewing contents of the /etc/inet/ntp.server file, remember that an NTP server is also an NTP client.

The xntpd daemon is started at system boot if the /etc/inet/ntp.conf file exists and the NTP service is enabled by the SMF. The xntpd daemon starts in either the client or the server mode, depending on the contents of the ntp.conf file.

The following steps describe the behavior of the xntpd daemon:

1. Broadcast NTP servers advertise every 64 seconds, by means of a multicast address (224.0.1.1), that they are NTP servers. Any NTP client that is not configured with the unicast address of an NTP server multicasts to this same address when the xntpd daemon is started. View the line that causes the system to act as an NTP server by typing the following:

# grep broadcast /etc/inet/ntp.server
broadcast 224.0.1.1 ttl 4
#

2. Local NTP servers answer the multicast advertisements.

3. The NTP client sends time request packets to all of the NTP servers by using the servers’ unicast addresses. Included in the time request packet is the client’s local time.

4. The NTP server replies by inserting UTC time into the packet and then returns the packet to the client.

5. The client compares its original request time with its own time when it receives the response from the server. This enables the client to determine how long the packet was in transit on the network.

6. The client uses the UTC time value from the NTP server after it receives several responses from the NTP server. It can take up to five minutes for an NTP client to synchronize with an NTP server.


Table 12-2 shows the parts of an NTP server’s configuration file and their descriptions.

Note – Different types of facilities, such as loopstats or clockstats, can also be enabled (refer to the xntpd man page for more details).

Table 12-2 NTP Configuration File Parts

Part – Description

server 127.127.1.0 prefer – The IP address of the preferred NTP server. In this case, the loopback network is used, indicating the use of a local clock. The server keyword indicates an IP address of an NTP server from which time will be received. If the system is a stratum-1 server, then you use X in the 127.127.X.0 syntax to identify a reference clock source. If X is set to 1, the system uses its local clock as the reference clock source. If the server is a stratum-2 (or higher), this entry is an IP address of another NTP server to contact for time information. The prefer keyword means that if multiple systems of the same stratum are used to get clock information, a preferred server is the one that is always used when performing calculations.

fudge 127.127.1.0 stratum 0 – The fudge entry is available to change (fudge) the stratum that the server advertises.

broadcast 224.0.1.1 ttl 4 – The address the server uses to advertise to the network along with the TTL value to use in IP datagrams.

enable auth monitor – The configuration entry that enables authentication and the monitoring facility.

driftfile /var/ntp/ntp.drift – The location of the drift file.

statsdir /var/ntp/ntpstats/ – The location of NTP statistics.

keys /etc/inet/ntp.keys – The conventional name of the key file used for authentication.

trustedkey 0 – The encryption identifier. (Refer to RFC 1305 for more information.)

controlkey 0 – The key identifier. (Refer to RFC 1305 for more information.)


Using an Undisciplined Local Clock

NTP servers can, but should not, use their own undisciplined local clock as an official, reliable time source.

To use an undisciplined local clock, complete the following steps:

1. Copy the /etc/inet/ntp.server file to the /etc/inet/ntp.conf file.

# cp /etc/inet/ntp.server /etc/inet/ntp.conf
#

2. Open the /etc/inet/ntp.conf file for editing, and change the server IP address to 127.127.1.0, where the number 1 represents the undisciplined local clock. Comment out the fudge keyword because special configuration is not needed for the local reference clock.

# vi /etc/inet/ntp.conf

Change:

server 127.127.XType.0
fudge 127.127.XType.0 stratum 0

to:

server 127.127.1.0 prefer
# fudge 127.127.XType.0 stratum 0

Note – Choices for XType are listed in the comments of the /etc/inet/ntp.server file.

3. Create a drift file as specified by the driftfile /var/ntp/ntp.drift entry in the /etc/inet/ntp.conf file.

# touch /var/ntp/ntp.drift
#

Note – The xntpd daemon creates the contents of the drift file dynamically.

4. Verify that the file exists.

# ls -al /var/ntp/ntp.drift
-rw-r--r-- 1 root root 0 Aug 16 11:06 /var/ntp/ntp.drift
#


5. Start the NTP daemon by using the svcadm command.

# svcadm -v enable svc:/network/ntp
network/ntp enabled.
#

6. Verify that the NTP daemon is running.

# pgrep -lf ntp
1585 /usr/lib/inet/xntpd
#

7. Use the snoop utility to view NTP server multicast advertisements.

# snoop | grep -i ntp
Using device /dev/hme (promiscuous mode)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:11:52.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:12:56.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:14:00.98016)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:15:04.98016)
......

Note – Notice the 64-second interval between NTP advertisements sent out. This is due to the NTP polling value of 6; 2^6 is 64. The polling value can be seen by using the snoop -v command.

Configure the Stratum

You can configure the stratum of an NTP server manually by editing the fudge entry in the /etc/inet/ntp.conf file. This is useful when you do not have access to an external NTP server and you have to synchronize with another system manually.

When a local clock is configured to act as an accurate source of time, NTP detects this. Systems that use their own clock as a time source advertise themselves as a stratum-4 server by default. However, the fudge keyword can be used to alter this behavior. The fudge configuration entry can use the stratum option to override the stratum level sent out with the NTP server’s time advertisements.

Note – The snoop utility output includes the stratum level of the server. NTP servers and clients that are in the process of synchronization have a stratum level of 0 (zero) initially, until they establish their correct stratum level.


Using External NTP Reference Servers

Determine which NTP servers are reachable by your NTP server. Refer to http://www.eecis.udel.edu/~mills/ntp/servers.html for links to lists of public NTP servers. You must notify the NTP server’s administrators of your intention to use their NTP server as a reference server so that the administrator can properly size NTP servers for the additional NTP load.

To use external NTP reference servers, complete the following steps:

1. Copy the /etc/inet/ntp.server file to the /etc/inet/ntp.conf file.

# cp /etc/inet/ntp.server /etc/inet/ntp.conf
#

2. Open the /etc/inet/ntp.conf file for editing, and change the server entry. Comment out the fudge keyword because special configuration is not needed for an external reference clock.

# vi /etc/inet/ntp.conf

Change:

server 127.127.XType.0
fudge 127.127.XType.0 stratum 0

to:

server external-time-server-a
server external-time-server-b
server external-time-server-c
# fudge 127.127.XType.0 stratum 0

3. Create a drift file as specified by the driftfile /var/ntp/ntp.drift entry in the /etc/inet/ntp.conf file.

# touch /var/ntp/ntp.drift
#

4. Verify that the file exists.

# ls -al /var/ntp/ntp.drift
-rw-r--r-- 1 root root 0 Aug 16 14:41 /var/ntp/ntp.drift
#


5. Start the NTP daemon by using the svcadm command.

# svcadm -v enable svc:/network/ntp
network/ntp enabled.

6. Check to see if the NTP daemon is running.

# pgrep -lf ntp
1595 /usr/lib/inet/xntpd
#

Note – NTP servers and clients that are synchronizing with specific servers defined in the /etc/inet/ntp.conf file use a 64-second polling interval initially. When time synchronization is established, the polling interval increases to 17 minutes and 4 seconds (that is, 1024 seconds, or 2^10 seconds).

Managing Daemons

By default, all NTP messages are sent to the syslog facility.

To view the logged information in pseudo real-time, use the tail command with the follow (-f) option. For example:

# tail -f /var/adm/messages
Aug 16 14:25:37 sys11 xntpd[1614]: [ID 450285 daemon.error] 0 makes a poor control keyid
...
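The logged warning comes from the controlkey 0 entry carried over from the template. The following is an added example, not part of the original guide or of the Solaris NTP software: it audits an ntp.conf for that entry, for the undisciplined local clock the guide advises against, and for two related settings. The function names, finding codes, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed input: the entries listed in Table 12-2, as one ntp.conf.
TEMPLATE_CONF = """\
server 127.127.1.0 prefer
fudge 127.127.1.0 stratum 0
broadcast 224.0.1.1 ttl 4
enable auth monitor
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
keys /etc/inet/ntp.keys
trustedkey 0
controlkey 0
"""

# Constructed input: the same file after the edits made in the exercise
# solution (external server, fudge and key entries commented out).
EXERCISE_CONF = """\
server 192.168.30.30 prefer
# fudge 127.127.XType.0 stratum 0
broadcast 192.168.1.255 ttl 4
enable auth monitor
driftfile /var/ntp/ntp.drift
#keys /etc/inet/ntp.keys
#trustedkey 0
#requestkey 0
#controlkey 0
"""

REFCLOCK = re.compile(r"^127\.127\.(\d+)\.\d+$")  # 127.127.X.0 reference clocks
KEY_ID_DIRECTIVES = ("trustedkey", "requestkey", "controlkey")


def active_entries(conf_text):
    """Yield (line_number, keyword, arguments) for every uncommented entry."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        words = raw.split("#", 1)[0].split()  # text after '#' is a comment
        if words:
            yield number, words[0].lower(), words[1:]


def audit(conf_text):
    """Return findings as a list of (line_number, code, message)."""
    entries = list(active_entries(conf_text))
    keywords = {keyword for _, keyword, _ in entries}
    findings = []
    for number, keyword, args in entries:
        clock = REFCLOCK.match(args[0]) if args else None
        if keyword == "server" and clock and clock.group(1) == "1":
            # X = 1 in 127.127.X.0 selects the local clock as reference.
            findings.append((number, "local-clock",
                             "time source is the undisciplined local clock"))
        elif keyword == "fudge" and "stratum" in args[:-1]:
            stratum = args[args.index("stratum") + 1]
            findings.append((number, "fudged-stratum",
                             "advertised stratum is set by hand to " + stratum))
        elif keyword in KEY_ID_DIRECTIVES and "0" in args:
            # xntpd itself logs "0 makes a poor control keyid" for this.
            findings.append((number, "key-id-0",
                             keyword + " uses key identifier 0"))
        elif keyword == "enable" and "auth" in args and "keys" not in keywords:
            findings.append((number, "auth-without-keys",
                             "auth is enabled but no key file is configured"))
    return findings


def codes(conf_text):
    """Finding codes only, in file order."""
    return [code for _, code, _ in audit(conf_text)]


if __name__ == "__main__":
    for name, conf in (("template", TEMPLATE_CONF), ("exercise", EXERCISE_CONF)):
        for number, code, message in audit(conf):
            print(f"{name}:{number}: {code}: {message}")
```
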

You can query or configure a running xntpd daemon by using the xntpdc utility, which was introduced in the Solaris 8 OS. The xntpdc command provides an extensive view of the state of the xntpd daemon. You can view statistical information interactively or on the command-line. Use the ? command to view a list of commands available inside xntpdc.

# xntpdc
xntpdc> ?
Commands available:
addpeer addrefclock addserver addtrap authinfo
broadcast clkbug clockstat clrtrap controlkey
ctlstats debug delay delrestrict disable
dmpeers enable exit fudge help
host hostnames iostats kerninfo keyid
keytype leapinfo listpeers loopinfo memstats
monlist passwd peers preset pstats
quit readkeys requestkey reset reslist
restrict showpeer sysinfo sysstats timeout
timerstats traps trustedkey unconfig unrestrict
untrustedkey version
xntpdc>

The commands can be used to display and configure the NTP setup. For example, the sysinfo command displays information about the current configuration:

xntpdc> sysinfo
system peer: instructor
system peer mode: client
leap indicator: 00
stratum: 2
precision: -14
root distance: 0.00081 s
root dispersion: 0.31441 s
reference ID: [192.168.30.30]
reference time: c4cc99b1.2ce5f000 Tue, Aug 17 2004 15:50:25.175
system flags: auth monitor pll stats kernel_sync
frequency: -16.000 ppm
stability: 38.345 ppm
broadcastdelay: 0.003906 s
authdelay: 0.000122 s
xntpdc> quit
#
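The reference time in the sysinfo output is an NTP timestamp: two 32-bit hexadecimal words holding seconds since 1 January 1900 and a binary fraction of a second. The following added example (not part of the original guide) decodes that value and then applies the RFC 1305 offset and delay calculation to one client/server exchange of the kind described in the xntpd behavior steps; the function names and the four exchange timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Value printed by the sysinfo command in this guide.
REFERENCE_TIME = "c4cc99b1.2ce5f000"

# Constructed exchange (T1..T4): the client clock runs about 265 s behind.
EXCHANGE = (
    "c4cc99b1.00000000",  # T1: client clock when the request leaves
    "c4cc9aba.08000000",  # T2: server clock when the request arrives
    "c4cc9aba.0c000000",  # T3: server clock when the reply leaves
    "c4cc99b1.10000000",  # T4: client clock when the reply arrives
)


def ntp_words(stamp):
    """Split 'ssssssss.ffffffff' into (seconds, fraction) integers."""
    whole, _, fraction = stamp.partition(".")
    if len(whole) != 8 or len(fraction) != 8:
        raise ValueError("expected two 8-digit hex words: " + stamp)
    return int(whole, 16), int(fraction, 16)


def ntp_seconds(stamp):
    """Seconds since 1900 as a float; the fraction word counts 1/2**32 s."""
    whole, fraction = ntp_words(stamp)
    return whole + fraction / 2**32


def ntp_datetime(stamp):
    """UTC datetime for a timestamp in the first NTP era.

    The 32-bit seconds word wraps in 2036, so later dates need an era
    number that the timestamp itself does not carry.
    """
    whole, fraction = ntp_words(stamp)
    micro = round(fraction / 2**32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=whole, microseconds=micro)


def offset_and_delay(t1, t2, t3, t4):
    """Return (clock offset, round-trip delay) in seconds.

    offset = ((T2 - T1) + (T3 - T4)) / 2   how far the client is behind
    delay  = (T4 - T1) - (T3 - T2)         time on the wire, both ways
    The offset is exact only if both directions take equally long.
    """
    a, b, c, d = (ntp_seconds(t) for t in (t1, t2, t3, t4))
    return ((b - a) + (c - d)) / 2, (d - a) - (c - b)


def reference_time_utc():
    """ISO form of the guide's reference time, to the millisecond."""
    return ntp_datetime(REFERENCE_TIME).isoformat(timespec="milliseconds")


if __name__ == "__main__":
    # The guide shows 15:50:25.175; the decoded UTC value is one hour
    # earlier, consistent with a local zone one hour ahead of UTC.
    print(reference_time_utc())
    print("offset %.7f s, delay %.6f s" % offset_and_delay(*EXCHANGE))
```
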

The NTP service is started automatically at boot time if the /etc/inet/ntp.conf file exists and the NTP service was enabled by SMF. You can stop the service manually by using the svcadm command.

To stop the daemon, perform the command:

# svcadm -v disable svc:/network/ntp
network/ntp disabled.
#

To start the daemon, perform the command:

# svcadm -v enable svc:/network/ntp
network/ntp enabled.
#


Determining NTP Peers

The ntpq utility is the standard NTP query program. Use the ntpq utility to identify NTP peers on the network. For example:

# ntpq
ntpq> peers
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*instructor      .LCL.            1 u   29   64  377     0.69    0.000    0.06
 224.0.1.1       0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
ntpq> exit
#
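The reach column in the peers output is an 8-bit register printed in octal, one bit per poll, so 377 means that the last eight polls were all answered. The following added example (not part of the original guide) parses the peers listing and reports which peer is selected and which peers are not answering; the function names, the report keys, and the third peer row are constructed for illustration.

```python
# The first two peer rows are the ntpq output shown in this guide. The
# "+backup-ntp" row and its host name are constructed to show a missed poll.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*instructor      .LCL.            1 u   29   64  377     0.69    0.000    0.06
 224.0.1.1       0.0.0.0         16 -    -   64    0     0.00    0.000 16000.0
+backup-ntp      192.168.30.30    2 u   12   64  376     1.20    0.310    0.50
"""

COLUMNS = ("remote", "refid", "st", "t", "when", "poll",
           "reach", "delay", "offset", "disp")


def parse_peers(text):
    """Turn 'ntpq> peers' output into a list of dictionaries."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()  # column 0 is the one-character tally code
        if len(fields) != len(COLUMNS) or fields[0] == "remote":
            continue  # header, separator, prompt, or blank line
        peer = dict(zip(COLUMNS, fields))
        peer["tally"] = line[0]  # '*' marks the peer the daemon follows
        peer["st"] = int(peer["st"])
        reach = int(peer["reach"], 8)  # printed in octal
        peer["reach_bits"] = format(reach, "08b")  # rightmost bit = latest poll
        peer["answered"] = bin(reach).count("1")
        peer["last_poll_answered"] = bool(reach & 1)
        peers.append(peer)
    return peers


def sync_status(peers):
    """Summarise the peer list for a monitoring check."""
    # Stratum 16 means "not synchronized", so such a row is never a valid
    # system peer even if it carries the '*' tally code.
    selected = [p["remote"] for p in peers
                if p["tally"] == "*" and p["st"] < 16]
    return {
        "system_peer": selected[0] if selected else None,
        # No reply in the last eight polls. The 224.0.1.1 row is assumed to
        # be the address this host broadcasts to, so silence is expected there.
        "silent": [p["remote"] for p in peers if p["answered"] == 0],
        "missed_last_poll": [p["remote"] for p in peers
                             if p["answered"] and not p["last_poll_answered"]],
    }


if __name__ == "__main__":
    listing = parse_peers(SAMPLE)
    for peer in listing:
        print(peer["remote"], "stratum", peer["st"],
              "reach", peer["reach_bits"])
    print(sync_status(listing))
```
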


Configuring an NTP Client

Configuration of an NTP client also requires the /etc/inet/ntp.conf file to be created, as it does with NTP servers.

Establishing Basic Configuration

To initialize the file configuration, complete the following step:

Copy the /etc/inet/ntp.client file to the /etc/inet/ntp.conf file.

# cp /etc/inet/ntp.client /etc/inet/ntp.conf
#

The /etc/inet/ntp.client file contains only one entry, which configures the client to use the default multicast address to solicit for servers.

# tail -1 /etc/inet/ntp.client
multicastclient 224.0.1.1

Starting the NTP Client Daemon

To start the NTP client daemon, perform the following:

1. Check to determine if the NTP daemon is running.

# pgrep -lf ntp
#

2. Start the NTP daemon by using the svcadm command.

# svcadm -v enable svc:/network/ntp
network/ntp enabled.
#

The SMF NTP method, /lib/svc/method/xntp, uses the ntpdate command to synchronize the client’s clock to UTC. After the ntpdate command is executed, the xntpd daemon is started by the SMF method to maintain synchronization.

# pgrep -lf ntp
1680 /usr/sbin/ntpdate -s -m 224.0.1.1
1679 /sbin/sh /etc/init.d/xntpd start
1676 /sbin/sh /etc/init.d/xntpd start
#


Note – The ntpdate command runs automatically to gather NTP inputs and to set the initial time on this system. The ntpdate command might perform this initial setting by means of a step or a slew. Refer to the ntpdate(1M) man page for further details.

Stopping the NTP Client Daemon

Stop the NTP client daemon by using the svcadm command.

# svcadm -v disable network/ntp
network/ntp disabled.
#

The xntpd daemon is no longer running.

# pgrep -lf ntp
#


Troubleshooting NTP

Use a combination of tools, such as viewing system error logs and using the snoop utility, to troubleshoot NTP.

Viewing Messages

Log messages result from setting the time forward on the system. The system sends out its periodic (every 64 seconds) NTP requests with the incorrect time. The NTP servers respond with the correct time. After receiving multiple updates from the NTP servers, the client changes its time and writes a message to the /var/adm/messages file.

# tail -50 /var/adm/messages | grep -i ntp
Aug 17 15:21:46 sys11 ntpdate[1680]: [ID 318594 daemon.notice] no server suitable for synchronisation found yet
Aug 17 15:21:46 sys11 ntpdate[1680]: [ID 147394 daemon.notice] trying ttl 1 for multicast server synchronisation
Aug 17 15:21:46 sys11 ntpdate[1680]: [ID 558725 daemon.notice] adjust time server 192.168.30.30 offset 0.004158 sec
Aug 17 15:22:48 sys11 xntpd[1676]: [ID 702911 daemon.notice] xntpd 3-5.93e+sun 03/08/29 16:23:05 (1.4)
Aug 17 15:22:48 sys11 xntpd[1676]: [ID 301315 daemon.notice] tickadj = 5, tick = 10000, tvu_maxslew = 495, est. hz = 100
Aug 17 15:22:48 sys11 xntpd[1676]: [ID 266339 daemon.notice] using kernel phase-lock loop 0041, drift correction 0.00000
#


Using the snoop Utility

To view NTP server multicast advertisements, use the snoop utility.

# snoop port ntp
Using device /dev/hme (promiscuous mode)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:11:52.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:12:56.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:14:00.98016)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:15:04.98016)
<Control>-C
#

Clients synchronize with servers using unicast packets, as follows:

1. The NTP client sends a message to an NTP server with its idea of the local time.

sys12 -> sys11 NTP client [st=0] (2004-08-17 15:24:17.32955)

Note that the client is at stratum 0 initially. It sets the correct stratum level after synchronization is established.

2. The NTP server responds with the correct time.

sys11 -> sys12 NTP server [st=1] (2004-08-17 15:24:17.32834)

3. This exchange between the NTP server and the NTP client repeats many times. Eventually, the NTP client acknowledges that its time is incorrect. The client then takes action to change its own time, based on NTP time advertisements received from one or more NTP servers. Information about the actions taken by the NTP client is sent to the syslog facility for proper processing.

sys12 -> sys11 NTP client [st=0] (2004-08-17 15:25:21.32958)

4. The NTP server responds again with the correct time.

sys11 -> sys12 NTP server [st=1] (2004-08-17 15:25:21.32839)


Exercise: Configuring NTP

In this exercise, you configure NTP.

Preparation

Refer to the lecture notes as necessary to perform the tasks listed. The instructor’s system must be configured as a stratum-0 server even though the system might be using its local clock. This configuration must be completed at least five minutes before this exercise starts so that the NTP server has an opportunity to initialize itself properly.

Task Summary

In this exercise, you configure an NTP server and an NTP client on your subnet. Your NTP server uses the instructor system as an external NTP server. After the NTP server is configured, it broadcasts NTP updates to your local subnet.

Team up with other students in your subnet group so that you can experience most aspects of NTP configuration.


Tasks

Your first task is to configure your subnet’s router as an NTP server.

Working on Your Subnet Group’s Router

To configure your subnet’s router as an NTP server, perform the following:

1. Verify that your router is receiving NTP updates from the instructor system. (Either use the -c 1 option to the snoop command so that only one NTP broadcast packet is captured or remember to terminate the snoop session when you are finished with this step. Be sure not to let snoop run continually).

Write the commands that you use:

_____________________________________________________________

2. Copy and rename the NTP configuration template in preparation for specifying configurations in that file the next time the NTP service is enabled.

Write the command that you use:

_____________________________________________________________

3. Edit the NTP configuration file, and modify the server entry so that your system looks to the instructor system for NTP updates. Ensure that the instructor system is your preferred server. While you edit the file, comment out the fudge and keys entries and modify the broadcast entry.

4. Create a drift file as specified by the drift file entry in the configuration file.

Write the command that you use:

_____________________________________________________________

5. Start the snoop utility on your router system to observe NTP traffic between the router and the instructor system.

Write the command that you use:

_____________________________________________________________

6. In another window, determine if the NTP daemon is running on your system.

Write the command that you use, and write the output of the command:

_____________________________________________________________


7. Start the NTP daemon, and view the NTP transactions that can be seen on the snoop trace that is running. Watch the transactions for a few minutes to see your system’s time becoming synchronized with the instructor’s stratum-0 NTP server. When you are finished, terminate the snoop session.

Write the command that you use:

_____________________________________________________________

Your second task is to configure an NTP client on any of the remaining systems on your subnet.

Working on a Non-Router System

To configure an NTP client on remaining systems on your subnet, continue as follows:

8. Use the snoop utility to verify that your system is receiving the NTP broadcasts from your subnet’s NTP server. When you are finished, terminate the snoop session.

Write the command that you use:

_____________________________________________________________

9. Copy and rename the NTP client configuration template to specify the configuration of the NTP service when it is enabled.

Write the command that you use:

_____________________________________________________________

10. Determine if the NTP daemon is running.

Write the command that you use, and write your answer:

_____________________________________________________________

_____________________________________________________________

11. Start a snoop session on the appropriate interface on the client. After you start the NTP service in the next step, be prepared to examine the trace carefully in the window running the snoop trace on the NTP client.

Write the commands that you use:

_________________________________________________


12. Start the NTP daemon and verify that it is running.

Write the commands that you use:

_____________________________________________________________

13. Examine the snoop trace and locate the part of the snoop trace where the client time changed to match the server’s time. (Hint: Use X-Off (Control+S key sequence) to stop the snoop trace from scrolling and use X-On (Control+Q key sequence) to enable scrolling again.)


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to this exercise are provided in the following section.

Task Solutions

Your first task is to configure your subnet’s router as an NTP server.

Working on Your Subnet Group’s Router

To configure your subnet’s router as an NTP server, perform the following:

1. Verify that your router is receiving NTP updates from the instructor system. (Either use the -c 1 option to the snoop command so that only one NTP broadcast packet is captured or remember to terminate the snoop session when you are finished with this step. Be sure not to let snoop run continually).

Write the commands that you use:

First, determine which interface is on the instructor system’s 192.168.30.0 network.

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 8:0:20:b9:72:23
qfe0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255
        ether 8:0:20:ac:9b:20
lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
        inet6 ::1/128
hme0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
        ether 8:0:20:b9:72:23
        inet6 fe80::a00:20ff:feb9:7223/10
hme0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 2000::1:a00:20ff:feb9:7223/64
hme0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 2
        inet6 fec0::1:a00:20ff:feb9:7223/64
qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
        ether 8:0:20:ac:9b:20
        inet6 fe80::a00:20ff:feac:9b20/10
qfe0:1: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 2000::30:a00:20ff:feac:9b20/64
qfe0:2: flags=2180841<UP,RUNNING,MULTICAST,ADDRCONF,ROUTER,IPv6> mtu 1500 index 3
        inet6 fec0::30:a00:20ff:feac:9b20/64


Use a combination of the snoop and grep utilities to look for NTP updates on the interface (qfe0) closest to the instructor system as follows:

# snoop -d qfe0 -c 1 port ntp
Using device /dev/qfe (promiscuous mode)
instructor.thirty.edu -> 192.168.30.255 NTP broadcast [st=1] (2004-11-05 09:41:20.83034)
1 packets captured
#

You can continue to configure your system as an NTP server because it is receiving NTP updates from the instructor system that is acting as a stratum-0 server.

2. Copy and rename the NTP configuration template in preparation for specifying configurations in that file for the next time the NTP service is enabled.

Write the command that you use:

Copy the /etc/inet/ntp.server file to the /etc/inet/ntp.conf file.

# cp /etc/inet/ntp.server /etc/inet/ntp.conf

3. Edit the NTP configuration file, and modify the server entry so that your system looks to the instructor system for NTP updates. Ensure that the instructor system is your preferred server. While you edit the file, comment out the fudge and keys entries and modify the broadcast entry.

Edit the /etc/inet/ntp.conf file.

# vi /etc/inet/ntp.conf

Change the server and fudge entries to be similar to the following:

server 192.168.30.30 prefer
# fudge 127.127.XType.0 stratum 0

Change the keys entries to be similar to the following:

#keys /etc/inet/ntp.keys
#trustedkey 0
#requestkey 0
#controlkey 0

Change the broadcast entry to be similar to the following:

broadcast 192.168.1.255 ttl 4

4. Create a drift file as specified by the drift file entry in the configuration file.

Write the command that you use:

# touch /var/ntp/ntp.drift


5. Start the snoop utility on your router system to observe NTP traffic between the router and the instructor system.

Write the command that you use:

Start the snoop utility on the 192.168.30.0 network.

# snoop -d qfe0 port ntp
Using device /dev/qfe (promiscuous mode)
instructor -> 192.168.30.255 NTP broadcast [st=1] (2004-11-05 10:04:48.83026)
...

6. In another window, determine if the NTP daemon is running on your system.

Write the command that you use, and write the output of the command:

# pgrep -lf ntp
1142 snoop -d qfe0 port ntp

No, the NTP daemon is not running, as expected.

7. Start the NTP daemon, and view the NTP transactions that can be seen on the snoop trace that is running. Watch the transactions for a few minutes to see your system’s time becoming synchronized with the instructor’s stratum-0 NTP server.

Write the command that you use:

# svcadm enable svc:/network/ntp:default
svc:/network/ntp:default enabled
#
# snoop -d qfe2 port ntp
Using device /dev/qfe (promiscuous mode)
sys11ext -> instructor NTP client [st=0] (2004-11-05 10:05:14.45062)
instructor -> sys11ext NTP server [st=1] (2004-11-05 10:09:39.79242)
...

Your second task is to configure an NTP client on any of the remaining systems on your subnet.

Working on a Non-Router System

To configure an NTP client on remaining systems on your subnet, continue as follows:

8. Use the snoop utility to verify that your system is receiving the NTP broadcasts from your subnet’s NTP server. When you are finished, terminate the snoop session.

Write the command that you use:

# snoop -d hme0 port ntp
Using device /dev/hme (promiscuous mode)
sys11.one.edu -> 192.168.1.255 NTP broadcast [st=2] (2004-11-05 10:18:16.08248)

You can continue with configuring your system as an NTP client because it is receiving NTP updates from your router system, which acts as a stratum-2 server.

9. Copy and rename the NTP client configuration template to specify the configuration of the NTP service when it is enabled.

Write the command that you use:

# cp /etc/inet/ntp.client /etc/inet/ntp.conf

10. Determine if the NTP daemon is running.

Write the command that you use, and write your answer:

# pgrep -lf ntp

No, the NTP daemon is not running, as expected.

11. Start a snoop session on the appropriate interface on the client. After you start the NTP service in the next step, be prepared to examine the trace carefully in the window running the snoop trace on the NTP client.

# snoop -d hme0 port ntp
...

12. Start the NTP daemon and verify that it is running.

Write the commands that you use:

# svcadm -v enable svc:/network/ntp
svc:/network/ntp:default enabled.
#
# pgrep -lf ntp
1528 /usr/lib/inet/xntpd

13. Examine the snoop trace and locate the part of the snoop trace where the client time changed to match the server’s time. (Hint: Use X-Off (Control+S key sequence) to stop the snoop trace from scrolling and use X-On (Control+Q key sequence) to enable scrolling again.)

...
sys12.one.edu -> 224.0.1.1 NTP client [st=0] (2005-02-02 15:58:11.61034)
sys12.one.edu -> 224.0.1.1 NTP client [st=0] (2005-02-02 15:58:12.61016)
sys12.one.edu -> 224.0.1.1 NTP client [st=0] (2005-02-02 15:58:13.61026)
sys12.one.edu -> 224.0.1.1 NTP client [st=0] (2005-02-02 15:58:14.61010)
sys11.one.edu -> 192.168.1.255 NTP broadcast [st=2] (2005-02-02 15:57:47.06304)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 15:58:38.02497)

{observe that server’s time is 15:57 while client’s time is 15:58}

sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 15:57:47.06425)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 15:58:38.02556)
sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 15:57:47.06474)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 15:58:38.02602)
sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 15:57:47.06518)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 15:58:38.02645)
sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 15:57:47.06560)
sys11.one.edu -> 192.168.1.255 NTP broadcast [st=2] (2005-02-02 15:58:51.06343)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 15:59:22.72971)

{observe that the client has updated its time to that of the server}

sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 15:59:22.72968)
sys11.one.edu -> 192.168.1.255 NTP broadcast [st=2] (2005-02-02 15:59:55.06379)
sys12.one.edu -> sys11.one.edu NTP client [st=0] (2005-02-02 16:00:26.72968)
sys11.one.edu -> sys12.one.edu NTP server [st=2] (2005-02-02 16:00:26.72945)
sys11.one.edu -> 192.168.1.255 NTP broadcast [st=2] (2005-02-02 16:00:59.064

Module 13

Configuring the Solaris™ IP Filter Firewall

Objectives

This module introduces how to configure the Solaris IP Filter host-based firewall. This module also introduces the basics of the Solaris IP Filter firewall, including how the firewall decides whether or not to pass a packet and how rules for the firewall can be defined based on various criteria.

Upon completion of this module, you should be able to:

● Identify Solaris IP Filter firewall basics

● Configure the Solaris IP Filter firewall behavior

The course map in Figure 13-1 shows how this module fits into the current instructional goal.

Figure 13-1 Course Map (Configuring and Managing Network Applications: Configuring the Solaris™ IP Filter Firewall, Configuring DNS, Configuring DHCP, Configuring NTP)

Identifying Firewall Basics

IP routers are used to connect networks together and to pass traffic between the networks. An IP router will, by default, forward all traffic that arrives at one of its interfaces to another network. An IP router can be considered to be an open door between networks, permitting free access.

In a controlled or constrained environment, free access between networks where all the systems are known is not necessarily a problem. When connecting a network to external networks, unrestricted access is typically not desirable.

An unprotected network connected to the Internet by an IP router exposes all of the systems on the network to the whole Internet. Anyone on the Internet can attempt to access any of the systems in any manner. To avoid this situation, the network can be connected by using some form of device that is more restrictive in the access it permits. Access restrictions can be applied to systems outside the network looking to access systems inside the network, and to control the access that systems inside the network have to the rest of the Internet. This is the purpose of a firewall.

A firewall is a device which runs some software designed to control traffic between networks, similar to an IP router. Unlike an IP router, a firewall is selective about the traffic that it forwards, and can decide not to permit certain traffic to be forwarded. The decision to forward or not to forward traffic is controlled by a set of rules defined on the firewall.

The rules in the firewall can be based on characteristics of traffic such as source and destination IP addresses for both individual hosts and networks, port numbers, and payload types.

Solaris IP Filter firewall is a utility that enables a Solaris 10 OS system to act as a firewall. The behavior of the Solaris IP Filter firewall is controlled by a configuration file, the /etc/ipf/ipf.conf file. The Solaris IP Filter firewall is an integral part of the Solaris 10 OS and can be configured on Solaris 10 OS systems acting as routers and on individual hosts.

Configuring the Behavior of the Solaris IP Filter Firewall

When defining packet filtering rules in the /etc/ipf/ipf.conf file, it is necessary to understand how the Solaris IP Filter firewall reads this file and compares any packet against the rules in the file. Each rule in the file contains:

● An action

● A direction

● Criteria which are compared against the packet to determine whether the packet matches the rule

The default behavior of the Solaris IP Filter firewall is to read every rule in the /etc/ipf/ipf.conf file. Each rule in the file tells the Solaris IP Filter firewall to either permit or deny the packet to be sent or received. When processing a packet, the Solaris IP Filter firewall performs the following tasks:

1. Compare the packet against the direction and criteria in the rule.

2. If the packet matches, remember the action specified in the rule.

3. Discard any action remembered previously.

4. If the end of the rules is reached or the matched rule contains the quick keyword, stop matching and perform the action.

5. If no rules match, pass the packet.

Enabling Packet Filtering With the Solaris IP Filter Firewall

For the Solaris IP Filter firewall to function, the pfil kernel module must be loaded on each network interface on the system on which packet filtering is to be applied. The pfil kernel module is loaded on an individual network interface when the interface is plumbed if packet filtering has been enabled for that type of interface (hme, qfe, and so on).

The default configuration in the Solaris 10 OS is that packet filtering is not enabled for any network interface. Packet filtering is enabled on a particular network interface type by uncommenting the line relating to the network interface type in the /etc/ipf/pfil.ap file.

The /etc/ipf/pfil.ap file contains a list of network interfaces. Remove the leading comment character from the appropriate lines for the interface for which filtering is to be configured.

# cat /etc/ipf/pfil.ap
# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules

#le -1 0 pfil
#qe -1 0 pfil
#hme -1 0 pfil
#qfe -1 0 pfil
#eri -1 0 pfil
#ce -1 0 pfil
#bge -1 0 pfil
#be -1 0 pfil
#vge -1 0 pfil
#ge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dmfe -1 0 pfil
#

Any existing, plumbed network interfaces to which you choose to apply filtering must be unplumbed and plumbed. For example, you can use the autopush command to read changes to the /etc/ipf/pfil.ap file before you unplumb and plumb the interfaces.

# autopush -f /etc/ipf/pfil.ap

Solaris IP Filter Services

The svc:/network/pfil and the svc:/network/ipfilter SMF services control the pfild daemon process. Like other SMF services, use the svcs and svcadm commands to manage these filtering services.

Configuring the Solaris IP Filter Firewall Actions

Every rule in the /etc/ipf/ipf.conf file starts with an action. The action states whether the Solaris IP Filter firewall will permit or deny the packet if the rule is matched. There are two action keywords: block and pass.

Figure 13-2 shows how filtering works when based upon traffic direction.

Figure 13-2 Filtering Based Upon Traffic Direction

Using the block keyword

The block keyword is an action keyword which tells the Solaris IP Filter firewall that the packet should be blocked (dropped) if the packet matches the rule.

All rules to block packets use this keyword:

block ...

[Figure 13-2 labels: Internet, Corporate Network, interfaces hme0 and hme1. For one traffic flow: block/pass in on hme0, block/pass out on hme1. For the other traffic flow: block/pass out on hme0, block/pass in on hme1.]

Using the pass keyword

The pass keyword is the action keyword that tells the Solaris IP Filter firewall that the packet should be accepted or sent if the packet matches the rule.

All rules to permit packets to pass use this keyword:

pass ...

Configuring Packet Direction

The second keyword in all packet filtering rules is a direction keyword. The direction keyword relates to the movement of the packet in relation to the system on which the Solaris IP Filter firewall is running. There are two direction keywords in the Solaris IP Filter firewall: in and out.

Using the in Keyword

The in keyword is used for rules that relate to packets arriving at the system from the network. Any rule that contains the in keyword is applied only to packets arriving at the system from the network.

All rules that are intended to block packets arriving at a system start with the following:

block in ...

All rules that are intended to pass packets arriving at a system start with the following:

pass in ...

Using the out Keyword

The out keyword is used for rules that relate to packets leaving the system to go out on to the network. Any rule containing the out keyword is applied only to packets leaving the system.

All rules that are intended to block packets leaving a system start with the following:

block out ...

All rules that are intended to pass packets leaving a system start with the following:

pass out ...

Configuring Filter Rules

This section describes how to configure filter rules. The /usr/share/ipfilter/examples directory contains IP Filter examples to help you define rules.

# ls /usr/share/ipfilter/examples
BASIC.NAT   example.1   example.12  example.3  example.6  example.9   ftp-proxy  mkfilters  pool.conf
BASIC_1.FW  example.10  example.13  example.4  example.7  example.sr  ftppxy     nat-setup  server
BASIC_2.FW  example.11  example.2   example.5  example.8  firewall    ip_rules   nat.eg     tcpstate

Using the quick keyword

Recall that the default behavior of the Solaris IP Filter firewall is to find every rule that matches and remember the action from the last rule matched. The quick keyword is used to change this behavior.

If a packet matches a rule containing the quick keyword, then the Solaris IP Filter firewall stops matching at that rule and applies the action contained in the rule. The remaining rules are not processed against the packet for matches.

The quick keyword, if present, is found between the direction keyword and the matching keywords in the rule.

To define a rule that will block any incoming packet matching the rule and will stop the Solaris IP Filter firewall from processing any further rules, start the rule with:

block in quick ...

To define a rule that will permit any outgoing packet matching the rule and will stop the Solaris IP Filter firewall from processing any further rules, start the rule with:

pass out quick ...

Matching All Packets

The all keyword is used to match every packet either arriving at or leaving a system.

For example, to block every packet arriving at a system, use the rule:

block in all

To block every packet arriving at a system and stop processing rules at this point, use the rule:

block in quick all

To permit all packets arriving at a system to be passed, use the rule:

pass in all

To permit all packets arriving at a system to be passed and to stop processing rules at this point, use the rule:

pass in quick all

Configuring Specific Matching

This section describes how to configure specific matching for filters.

Configuring Filtering on a Specific Network Interface

The Solaris IP Filter firewall applies each rule to every network interface on the system by default. Use of the on keyword enables you to apply a rule to a particular network interface only.

Note – The Solaris IP Filter firewall does not filter the loopback interface. You should not use the interface identifier lo0 in the /etc/ipf/ipf.conf file. Note that the lo identifier does not appear in the /etc/ipf/pfil.ap file.

To apply a rule to a specific interface, use the on keyword followed by the name of the interface. For example, to permit all packets arriving and leaving the hme0 interface and to stop further processing rules at this point, use the rules:

pass in quick on hme0 all
pass out quick on hme0 all

Configuring Filtering on IP Address

The Solaris IP Filter firewall can filter packets based on their source and destination IP addresses. To filter packets based on the source IP address, the from keyword is used. To filter packets based on the destination IP address, the to keyword is used.

The from and to keywords take IP addresses as arguments. IP addresses are suffixed by a netmask value specified by using prefix notation. To specify an IP address for a single host, use the suffix /32 or /255.255.255.255. To specify a Class C network, use the suffix /24 or /255.255.255.0. To specify a Class B network, use the suffix /16 or /255.255.0.0. To match any IP address, use the keyword any.

For example, the rule:

pass in from 192.168.1.0/24 to any

will permit any packets originating from the Class C network 192.168.1.0 and intended for any destination to enter the system from the network on any network interface.

The rule:

block out from any to 192.168.30.30/32

will block any packets leaving the current system which have the host 192.168.30.30 as their destination.

Network interfaces and IP addresses can be combined in rules. For example, the rule:

block in on qfe0 from any to 192.168.1.0/24

will block any packets arriving at the qfe0 network interface from any source IP address which are intended for the 192.168.1.0 network.

IP addresses can be used as both source and destination addresses. For example, the rule:

block out on qfe0 from 192.168.1.2/32 to 192.168.3.0/24

will block any packet leaving the qfe0 interface which originated from the host 192.168.1.2 and is intended for the 192.168.3.0 network.

Configuring Filtering on Protocol Type and Port Number

The Solaris IP Filter firewall is also capable of filtering traffic based on the network protocol contained in a packet. The protocols which can be filtered are TCP, UDP and ICMP.

The proto keyword is used to filter on protocol type. The proto keyword is followed by a second keyword that identifies the protocol or protocols to be filtered. Table 13-1 shows the keywords and the protocols to which they relate.

For example, to block all ICMP packets arriving on the hme0 interface, use the rule:

block in on hme0 proto icmp from any to any

In this form, this rule blocks all ICMP packets. The icmp-type keyword can be used to specify a single ICMP type value for the rule. All ICMP packets contain a type value in the ICMP header. Some common ICMP types are shown in Table 13-2.

Table 13-1 Protocol Keywords

Keyword    Protocols Filtered
icmp       ICMP
tcp        TCP
udp        UDP
tcp/udp    Both TCP and UDP

Table 13-2 ICMP Type Values and Keywords

ICMP Type               Value   Keyword
Echo reply              0       echorep
Echo request            8       echo
Router advertisement    9       routerad
Router solicitation     10      routersol

Note – A complete list of ICMP type values can be found in the /usr/include/netinet/ip_icmp.h file.

The icmp-type keyword is appended to the end of a rule to make the rule apply to a specific type of ICMP packet. The type value can be specified numerically or textually. For example, to permit a system to receive ICMP router discovery solicitations on the hme0 interface connected to the 192.168.1.0 network and to send router advertisements on the same interface, but to block all other ICMP traffic on the hme0 interface, use the rules:

pass in quick on hme0 proto icmp from 192.168.1.0/24 to any icmp-type 10
pass out quick on hme0 proto icmp from any to 192.168.1.0/24 icmp-type 9
block in quick on hme0 proto icmp from any to any
block out quick on hme0 proto icmp from any to any

To block outgoing ICMP echo replies (responses to the ping command) on the qfe0 interface, use the rule:

block out quick on qfe0 proto icmp from any to any icmp-type echorep

Filtering of TCP and UDP packets can be restricted to a particular port by using the port = keywords. The port to which the rule is to apply is specified after the equal sign (=). For example, to block the default telnet server port (23) the keywords port = 23 are appended to the rule.

Port-based filtering can be applied to the source address or the destination address. Note that the spaces on either side of the equals sign are required.

Note – When configuring filtering based upon port number, it is important to understand the manner in which the applications you are filtering use ports. Some applications, for example, routing protocols, use the same port on the server and the client. Other applications, for example, FTP and telnet, use a well-known port on the server side and an anonymous port for the client.

When writing rules for protocols like Telnet and FTP, the keep state keywords are a convenient way to avoid having to know the per-session, anonymous-client port assignments. See the ipf.conf(4) man page for details.

To block all incoming packets intended for the telnet server port (port 23), use the rule:

block in quick proto tcp from any to any port = 23

To block all incoming telnet packets except those originating from the 192.168.1.0 network, use the rules:

pass in quick proto tcp from 192.168.1.0/24 to any port = 23
block in quick proto tcp from any to any port = 23

To permit incoming RPC requests to the rpcbind daemon from the 192.168.1.0 network on the hme0 interface only, use the rules:

pass in quick on hme0 proto tcp/udp from 192.168.1.0/24 to any port = 111
block in quick on hme0 proto tcp/udp from any to any port = 111

To permit packets to leave the telnet server port if they are intended for the local subnet, use the rule:

pass out quick proto tcp from 192.168.1.1/32 port = 23 to 192.168.1.0/24
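
The matching steps and the quick keyword described in this module, as an added example (not part of the student guide or of IP Filter itself): a small Python model that parses the rule subset shown above and applies last-match-wins evaluation to the telnet rule pair with and without quick. The Packet and Rule classes, the function names and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP_TYPES = {"echorep": 0, "echo": 8, "routerad": 9, "routersol": 10}  # Table 13-2

@dataclass
class Packet:                       # constructed model of one packet
    direction: str                  # "in" or "out" relative to the filtering host
    iface: str
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str
    direction: str
    text: str
    quick: bool = False
    iface: Optional[str] = None
    protos: Optional[frozenset] = None
    src: Optional[object] = None    # ip_network, or None for "any"
    dst: Optional[object] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

def take_endpoint(tokens):
    """Consume 'any' or 'addr/len', plus an optional 'port = N' (numeric only)."""
    word = tokens.pop(0)
    net = None if word == "any" else ipaddress.ip_network(word, strict=False)
    port = None
    if tokens[:2] == ["port", "="]:
        port = int(tokens[2])
        del tokens[:3]
    return net, port

def parse_rule(line):
    """action direction [log] [quick] [on if] (all | [proto p] from .. to .. [icmp-type t])"""
    t = line.split()
    if len(t) < 3 or t[0] not in ("block", "pass") or t[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule, t = Rule(action=t[0], direction=t[1], text=line), t[2:]
    while t and t[0] in ("log", "quick"):       # log does not change the verdict
        rule.quick |= t.pop(0) == "quick"
    if len(t) >= 2 and t[0] == "on":
        rule.iface, t = t[1], t[2:]
    if t == ["all"]:
        return rule
    if len(t) >= 2 and t[0] == "proto":
        rule.protos, t = frozenset(t[1].split("/")), t[2:]
    if len(t) >= 4 and t[0] == "from":
        t.pop(0)
        rule.src, rule.sport = take_endpoint(t)
        if not t or t.pop(0) != "to":
            raise ValueError(f"expected 'to' in: {line!r}")
        rule.dst, rule.dport = take_endpoint(t)
    if len(t) == 2 and t[0] == "icmp-type":
        rule.icmp_type, t = ICMP_TYPES[t[1]] if t[1] in ICMP_TYPES else int(t[1]), []
    if t:
        raise ValueError(f"unparsed tokens {t} in: {line!r}")
    return rule

def matches(rule, pkt):
    return all((
        rule.direction == pkt.direction,
        rule.iface in (None, pkt.iface),
        rule.protos is None or pkt.proto in rule.protos,
        rule.src is None or ipaddress.ip_address(pkt.src) in rule.src,
        rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst,
        rule.sport in (None, pkt.sport),
        rule.dport in (None, pkt.dport),
        rule.icmp_type in (None, pkt.icmp_type),
    ))

def decide(rule_lines, pkt):
    """Return (verdict, text of the deciding rule or None)."""
    verdict, winner = "pass", None              # step 5: nothing matched, so pass
    for rule in map(parse_rule, rule_lines):
        if matches(rule, pkt):
            verdict, winner = rule.action, rule.text   # steps 2-3: newest match replaces the old
            if rule.quick:                      # step 4: quick ends the search
                break
    return verdict, winner

TELNET_QUICK = [                                # the telnet rule pair from this section
    "pass in quick proto tcp from 192.168.1.0/24 to any port = 23",
    "block in quick proto tcp from any to any port = 23",
]
TELNET_NO_QUICK = [r.replace(" quick", "") for r in TELNET_QUICK]   # constructed variant
LOCAL = Packet("in", "hme0", "tcp", "192.168.1.5", "192.168.1.2", 32861, 23)      # constructed
OUTSIDE = Packet("in", "hme0", "tcp", "192.168.30.30", "192.168.1.2", 32861, 23)  # constructed
WEB = Packet("in", "hme0", "tcp", "192.168.30.30", "192.168.1.2", 32861, 80)      # constructed
```

Without quick, the block rule listed last overrides the earlier pass for every telnet packet, so the same two rules must be written in the opposite order. A packet that matches no rule (port 80 here) is passed by default.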

Changing and Updating the Solaris IP Filter Firewall Configuration

The ipf command is used to update the set of filtering rules in place on a system.

The -f option is used to add filtering rules. The -f option takes the name of a file containing the new rules as an argument. The rules found in the file are appended to any existing rules:

# ipf -f /etc/ipf/ipf.conf
#

The ipf command can also be used to remove rules from the current configuration. The -F (flush) option is used to clear rules. The -F option is combined with one of three choices of the rules to clear:

-Fa    Flush all rules (both input and output)
-Fi    Flush input rules only
-Fo    Flush output rules only

For example, to clear all of the input rules, type the command:

# ipf -Fi
#

If you have made changes to the rule set in the /etc/ipf/ipf.conf file, you can load the new rules by combining a flush operation and an add operation in one command:

# ipf -Fa -f /etc/ipf/ipf.conf
#

Note – Options to the ipf command are executed in the order in which they are specified on the command line. If a flush option is specified after an add rules option, the new rules will be added, then flushed along with the old rules. To clear the existing rules and load a new or updated set, the flush option must be specified first.

Viewing the Solaris IP Filter Firewall Configuration

The ipfstat command is used to display information about the behavior and configuration of the Solaris IP Filter firewall.

Running the ipfstat command with no arguments displays statistics about the Solaris IP Filter firewall:

# ipfstat
bad packets: in 0 out 0
 input packets: blocked 37 passed 71 nomatch 71 counted 0 short 0
output packets: blocked 0 passed 77 nomatch 50 counted 0 short 0
 input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
 packets logged: input 0 output 0
 log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 13 (out): 27
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 10 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 1426
Packet log flags set: (0)
 none
#

The ipfstat command can also be used to display the rules being used currently by using the -io option:

# ipfstat -io
empty list for ipfilter(out)
block in proto tcp from any to 192.168.2.0/24 port = telnet
#

Note – The ipfstat -io command does not display the rules in the same sequence as they are listed in the /etc/ipf/ipf.conf file. The out rules are listed in order first, and then the in rules are listed.

Configuring Logging in the Solaris IP Filter Firewall

The Solaris IP Filter firewall includes the ability to log its actions.

Logged information is sent to the /dev/ipl device. The /dev/ipl device can be monitored by running the ipmon command. The ipmon command can log information to standard output, to a file, or send the information to the syslogd daemon.

Configuring Logging of a Rule Match

To configure a rule match to be logged by the Solaris IP Filter firewall, the log keyword is used. The log keyword is placed immediately after the direction keyword in a rule, and any matches of that rule are sent to the /dev/ipl device.

For example, to log any packets which are received on the hme0 interface and intended for the rpcbind daemon, but which do not originate from the 192.168.1.0 network, add the log keyword to the block rule in the following example:

pass in quick on hme0 proto tcp/udp from 192.168.1.0/24 to any port = 111
block in log quick on hme0 proto tcp/udp from any to any port = 111

Configuring the Solaris IP Filter Firewall to Log to Standard Output

To display logged information on standard output, use the ipmon command:

# ipmon
23/07/2004 15:27:35.607407 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:38.978075 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:45.738002 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:59.248572 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:28:03.121993 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 40 -R IN
Control-C
#
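
An added example (not from the student guide): a Python parser for the TCP/UDP record layout shown in the ipmon output above, which groups blocked inbound SYN packets by source, destination and destination port and measures the gaps between them. The field names and helper functions are assumptions chosen for illustration; the sample input is the five records from the page.

```python
import re
from datetime import datetime

# Record layout of the TCP/UDP lines in the ipmon output shown above:
# date time interface @group:rule action src,port -> dst,port PR proto len hdr total -flags direction
LINE_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{1,6}) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)
ACTIONS = {"b": "blocked", "p": "passed"}

# The five records from the ipmon output on this page.
SAMPLE_LOG = """\
23/07/2004 15:27:35.607407 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:38.978075 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:45.738002 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:27:59.248572 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 52 -S IN
23/07/2004 15:28:03.121993 hme0 @0:1 b 192.168.2.2,32861 -> 192.168.2.1,23 PR tcp len 20 40 -R IN
"""


def parse_line(line):
    """Return a dict for one TCP/UDP record, or None if the line has another layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S.%f")
    for field in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[field] = int(rec[field])
    rec["flags"] = rec["flags"] or ""
    rec["verdict"] = ACTIONS.get(rec["action"], rec["action"])
    return rec


def blocked_syn_attempts(text):
    """Group blocked inbound TCP SYNs by (source, destination, destination port)."""
    attempts = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "b" or rec["dir"] != "IN":
            continue
        if rec["proto"] != "tcp" or "S" not in rec["flags"] or "A" in rec["flags"]:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        entry = attempts.setdefault(key, {"packets": 0, "sports": set(), "times": []})
        entry["packets"] += 1
        entry["sports"].add(rec["sport"])       # one source port = one connection attempt
        entry["times"].append(rec["when"])
    return attempts


def retry_gaps(entry):
    """Seconds between successive blocked SYNs of one group."""
    times = sorted(entry["times"])
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    for (src, dst, dport), entry in blocked_syn_attempts(SAMPLE_LOG).items():
        gaps = ", ".join(f"{g:.2f}s" for g in retry_gaps(entry))
        print(f"{src} -> {dst}:{dport} blocked SYNs={entry['packets']} "
              f"distinct source ports={len(entry['sports'])} gaps={gaps}")
```

In the page's sample the four blocked SYNs share source port 32861 and arrive with roughly doubling gaps, which is consistent with one client retransmitting a single telnet connection attempt rather than four separate attempts.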

Configuring the Solaris IP Filter Firewall to Log to a File

To capture logged information to a file, supply the name of the file to log to as an argument to the ipmon command:

# ipmon /var/tmp/filterlog.txt
<Control>-C
#

The ipmon process can be instructed to run as a daemon by using the -D option:

# ipmon -D /var/tmp/filterlog2.txt
#

Configuring the Solaris IP Filter Firewall to Log by Using Syslog

The -s option to the ipmon command causes log information to be sent to the syslogd daemon.

The Solaris IP Filter firewall sends its log messages by using the local0 facility, and so the /etc/syslog.conf file must be configured appropriately to record logging information sent to it by the ipmon command.

The Solaris IP Filter firewall generates messages at four levels, as shown in Table 13-3.

Table 13-3 Solaris IP Filter Firewall Message Levels

Message Level     Meaning
local0.error      Packets that are logged and are short.
local0.warning    Packets blocked by Solaris IP Filter firewall.
local0.notice     Packets passed by Solaris IP Filter firewall.
local0.info       Packets matching a logged rule, but that do not have the action associated with the rule applied. This information tells you that the packet matches the rule, but has been matched by a later rule in the /etc/ipf/ipf.conf file subsequently.

To configure the ipmon command to run as a daemon and to send logging information by using the syslogd daemon to the /var/adm/ipflog file:

# cat /etc/syslog.conf
local0.notice /var/adm/ipflog
# touch /var/adm/ipflog
# pkill -HUP syslogd
# ipmon -D -s
# ...

Exercise: Configuring the Solaris IP Filter Firewall

In this exercise, you configure the Solaris IP Filter firewall by performing the following:

● Configuring packet filtering rules

● Restricting access to a subnet

Preparation

Caution – Before beginning this exercise, check that DNS services are running as they were in the prior DNS exercise. If the services are not running, issue the appropriate svcadm commands on the appropriate systems to once again enable them.

There is no preparation for this exercise.

Team up with other students in your subnet group so that you can experience most aspects of the Solaris IP Filter firewall configuration.

Also, be aware of what other subnet groups are doing. Configurations on another group’s router firewall, for example, can influence behavior that you observe locally.

Task Summary

In this exercise, you configure packet filtering on your subnet’s router and on client systems in your subnet.

Task 1 – Configuring Firewall Rules

In the first part of the lab you will configure the Solaris IP Filter firewall’s rules to show how to enable and disable access to services on a host and a network.

The first set of exercise steps is to configure packet filtering in order to prevent any telnet requests from reaching your system.

Working on a Non-Router System on Your Subnet

To enable the packet filter to block all incoming telnet requests to your system, perform the following:

1. Use another system to verify that your network is functioning properly and that your system can be accessed with the telnet utility. After you verify that telnet access is permitted, terminate the telnet session.

_____________________________________________________________

2. Determine the current status of the svc:/network/ipfilter and svc:/network/pfil services by using the svcs command.

_____________________________________________________________

3. Use the ifconfig command to determine to which interface to apply filter rules.

_____________________________________________________________

4. Edit the Solaris IP Filter firewall’s autopush configuration file to specify the network interface for packet filtering on your system. Do this by removing the comment from the appropriate interface learned in the previous step.

Which file do you edit?

_____________________________________________________________


5. Edit the /etc/ipf/ipf.conf file and add the relevant rules to block all incoming telnet requests to your system. Your file should have contents similar to the following:

sys12# cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
block in proto tcp from any to 192.168.1.2/32 port = 23
#

6. Enable the packet filter.

a. Start the service, and write the command that you use.

________________________________________________________

b. Verify that the service started, and write the command that you use.

________________________________________________________

7. Verify that, although a rule to block telnet access was established and the ipfilter service enabled, it is still possible to use the telnet utility to access your system from another system. After you verify that telnet access is permitted, terminate the telnet session.

_____________________________________________________________

Caution – Although you added a blocking rule in the /etc/ipf/ipf.conf file, filtering rules do not take effect merely because the service is enabled; the packet filter must still be loaded into the interface’s IP stack. The system is not secure at this point.


8. From the command line force the pfild daemon to read the rule file by performing the following steps. (You can also reboot the system to accomplish the same effect.)

a. Use the ifconfig command to determine the configuration of your system’s interfaces. Document the relevant interface information, such as IP address, mask, and broadcast address.

________________________________________________________

b. Force the autopush configuration file to be read by using the following command:

sys12# autopush -f /etc/ipf/pfil.ap

c. Unplumb your system’s interface.

________________________________________________________

d. Plumb your system’s interface to load the packet filter into the interface’s IP stack.

________________________________________________________

9. As done previously, use another system and attempt to use the telnet utility to determine if your system permits a telnet connection.

_____________________________________________________________

The next steps are to configure your system to permit incoming telnet requests from the local subnet, but block telnet requests from all other networks and not process any other rules.

10. Edit the Solaris IP Filter firewall configuration file by adding a new rule that:

● Permits incoming telnet access only from other hosts on your local subnet

● Stops processing of subsequent rules by using the quick keyword.

Write the rule that you entered in the /etc/ipf/ipf.conf file:

_____________________________________________________________

Did you put the new rule before or after the existing rule? Why?

_____________________________________________________________

_____________________________________________________________


11. Update the Solaris IP Filter firewall configuration to include the new rule by using the following ipf command:

sys12# ipf -Fa -f /etc/ipf/ipf.conf

12. Display the new rule set by using the ipfstat command.

_____________________________________________________________

13. Validate that the new configuration is working. Attempt to establish a telnet session to your system from a host on the local subnet and from a host on another subnet.

_____________________________________________________________

Working on the Router on Your Subnet

The next steps configure your router to block all telnet requests from outside your subnet to any system on your subnet.

14. Verify that the systems can properly communicate across subnets by establishing an appropriate telnet session that passes through your router system. Terminate the telnet session after you verify successful communication.

_____________________________________________________________

15. Edit the Solaris IP Filter firewall’s autopush configuration file to specify the network interfaces for packet filtering on your router system. Do this by removing the comments from the appropriate interfaces. (The ifconfig command shows the interfaces.)

Which file do you edit?

_____________________________________________________________

16. Edit the relevant file on your router system and add rules to block all incoming telnet requests to your local subnet that do not originate from the local subnet. Document the file that you edit and your rules.

_____________________________________________________________


17. Enable the packet filter by performing the following steps:

a. Verify the status of the svc:/network/ipfilter service, and write the command that you use.

________________________________________________________

b. Start the service, and write the command that you use.

________________________________________________________

c. Verify that the service started, and write the command that you use.

________________________________________________________

18. From the command line force the pfild daemon to read the rule file by performing the following steps. (You can also reboot the system to accomplish the same effect.)

a. Force the autopush configuration file to be read by using the following command:

sys11# autopush -f /etc/ipf/pfil.ap

b. Determine the configuration of your system’s interfaces. Document the relevant interface information, such as IP address, mask, broadcast address, and routing information.

________________________________________________________

c. Unplumb your system’s interfaces.

________________________________________________________

d. Plumb and restore your system’s interface configurations to load the packet filter into the interface’s IP stack.

________________________________________________________

e. Verify that the rule functions as expected by using the telnet command.

________________________________________________________

The next steps block your non-router system from sending any outgoing ICMP echo replies.


Working on a Non-Router System on Your Subnet

Continue as follows on the same non-router system on which you have been working:

19. Before establishing a blocking rule, verify that you are now able to contact your system from another system on your local subnet by using the ping command.

_____________________________________________________________

20. Update the Solaris IP Filter firewall’s configuration file to include a rule on the last line that blocks outgoing ICMP echo replies from the host.

Write the rule that you entered in the /etc/ipf/ipf.conf file:

_____________________________________________________________

21. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

sys12# ipf -Fa -f /etc/ipf/ipf.conf

22. Verify the rules by using the ipfstat command.

_____________________________________________________________

23. Test that the new rule is functioning correctly by using the ping command from the test system again.

_____________________________________________________________

24. Verify that a local system can successfully perform DNS lookups across routers. Use the dig command to find the IP address of a system on another network. (Successful completion of this step will aid you in later steps when you write rules to specifically allow DNS through firewalls.)

_____________________________________________________________


Task 2 – Disabling Services

In the second part of the lab you restrict access to your subnet by disabling all services except a defined set.

Working on the Router on Your Subnet

Perform the following:

1. Edit the Solaris IP Filter firewall’s rules to block all traffic on the router.

Remove all existing rules currently in the configuration file, and write and document the new rules that you entered in the /etc/ipf/ipf.conf file.

_____________________________________________________________

_____________________________________________________________

2. Update the Solaris IP Filter firewall configuration to include the new rules by using the ipf command.

_____________________________________________________________

3. Verify the rules by using the ipfstat command.

_____________________________________________________________

Working on Each Non-Router System on Your Subnet

Continue as follows on the same non-router system on which you have been working:

4. Remove all of the rules in the /etc/ipf/ipf.conf file.

5. Reboot all of the non-router systems.

_____________________________________________________________

The reboot is performed as an easy way to flush cached information on the non-router systems. It is not a necessary part of the Solaris IP Filter firewall’s configuration.


Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

6. Update the Solaris IP Filter firewall configuration to permit routing information traffic to be sent and received.

Before the existing block out all and block in all rules, write the rules that you entered in the /etc/ipf/ipf.conf file:

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

7. Update the Solaris IP Filter firewall configuration to use the new rules by using the ipf command.

_____________________________________________________________

8. Verify the rules by using the ipfstat command.

_____________________________________________________________

Working on a Non-Router System on Your Subnet

Continue as follows on the non-router system on which you have been working:

9. Test that the new rules function correctly by checking the configuration of the routing tables on the non-router hosts and by snooping the network to look for routing packets.

_____________________________________________________________

_____________________________________________________________


Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

10. Update the Solaris IP Filter firewall configuration to permit DNS traffic to be sent and received.

At the beginning of the configuration file, write the rules that you entered in the /etc/ipf/ipf.conf file.

_____________________________________________________________

_____________________________________________________________

11. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

_____________________________________________________________

12. Verify the rules by using the ipfstat command.

_____________________________________________________________

Working on a Non-Router System on Your Subnet

Continue as follows on a non-router system on the same subnet on which you have been working:

13. Use the dig command to find the IP address of a system on another network. Be sure to query a DNS server on that other network.

_____________________________________________________________


Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

14. Even though this group of steps is to be performed on your router system, before configuring rules for FTP, verify that your firewalls are functioning properly by ensuring that you cannot initiate an FTP session from your non-router system to the instructor machine. Once you verify this, you can proceed with writing rules to allow FTP through the router firewall system.

_____________________________________________________________

15. Update the Solaris IP Filter firewall configuration to permit FTP traffic to pass from the local subnet to the instructor system only. Log any traffic that matches one of the rules that you define.

Assume that your system will get more DNS traffic than FTP traffic. Placing the new FTP rules after the DNS rules would recognize this and, appropriately, be more responsive to the DNS traffic.

Hint: Use the keep state keywords in your rules.

Write the rules that you entered in the /etc/ipf/ipf.conf file.

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

_____________________________________________________________

16. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

_____________________________________________________________

17. Verify the rules by using the ipfstat command.

_____________________________________________________________


18. Use the ipmon command as a daemon to log information to the /var/tmp/ipfilter.log file.

_____________________________________________________________

Working on a Non-Router System on Your Subnet

Continue as follows on any non-router system on your subnet. You will now be using FTP to connect to another system on another subnet across your firewall router.

19. Use FTP to access a system on another subnet.

_____________________________________________________________

What behavior do you see?

_____________________________________________________________

20. Use FTP to access the instructor system.

_____________________________________________________________

What behavior do you see?

_____________________________________________________________

Working on the Router on Your Subnet

Complete as follows on the same router system on which you have been working:

21. View the log file created by the ipmon command.

_____________________________________________________________


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Solutions to this exercise are provided in the following sections.

These solutions use sys12 as the example non-router system and sys11 as the example router system. Solution results vary accordingly.

Task 1 Solutions

In the first part of the lab you will configure the Solaris IP Filter firewall’s rules to show how to enable and disable access to services on a host and a network.

The first set of exercise steps is to configure packet filtering in order to prevent any telnet requests from reaching your system.

Working on a Non-Router System on Your Subnet

To enable the packet filter to block all incoming telnet requests to your system, perform the following:

1. Use another system to verify that your network is functioning properly and that your system can be accessed with the telnet utility. After you verify that telnet access is permitted, terminate the telnet session.

sys13# telnet sys12
Trying 192.168.1.2...
Connected to sys12.one.edu
Escape character is '^]'.
login: root
Password:
Last login: Mon Dec 20 03:46:26 from sys13.one.edu
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Welcome to SA300-S10_A on sys12
sys12# exit
Connection to sys12.one.edu closed by foreign host.
sys13#

This proves that your system responds to the telnet request as expected. Now you can proceed with configuring the firewall and have confidence that your working blocking rule will be responsible for blocking telnet requests and not some other networking issue.


2. Determine the current status of the svc:/network/ipfilter and svc:/network/pfil services by using the svcs command.

sys12# svcs -a | grep network | egrep "pfil|ipf"
disabled 8:31:38 svc:/network/ipfilter:default
online 8:31:42 svc:/network/pfil:default

3. Use the ifconfig command to determine to which interface to apply filter rules.

sys12# ifconfig -a inet
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255

4. Edit the Solaris IP Filter firewall’s autopush configuration file to specify the network interface for packet filtering on your system. Do this by removing the comment from the appropriate interface learned in the previous step.

Which file do you edit?

The /etc/ipf/pfil.ap file.

Your configuration file should look similar to the following:

sys12# cat /etc/ipf/pfil.ap
...
#qe
hme
#qfe
...

5. Edit the /etc/ipf/ipf.conf file and add the relevant rules to block all incoming telnet requests to your system. Your file should have contents similar to the following:

sys12# cat /etc/ipf/ipf.conf
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
block in proto tcp from any to 192.168.1.2/32 port = 23
#


6. Enable the packet filter.

a. Start the service, and write the command that you use.

sys12# svcadm enable svc:/network/ipfilter:default

Note that when enabled in this manner, the service is configured to run automatically on subsequent system boots.

b. Verify that the service started, and write the command that you use.

sys12# svcs -a | grep -i ipf
online 3:48:09 svc:/network/ipfilter:default

7. Verify that, although a rule to block telnet access was established and the ipfilter service enabled, it is still possible to use the telnet utility to access your system from another system. After you verify that telnet access is permitted, terminate the telnet session.

sys13# telnet sys12
Trying 192.168.1.2...
Connected to sys12.one.edu.
Escape character is '^]'.
login: root
Password:
Last login: Mon Dec 20 03:46:26 from sys13.one.edu
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Welcome to SA300-S10_A on sys12
sys12# exit
Connection to sys12.one.edu closed by foreign host.
sys13#

Caution – Although you added a blocking rule in the /etc/ipf/ipf.conf file, filtering rules do not take effect merely because the service is enabled; the packet filter must still be loaded into the interface’s IP stack. The system is not secure at this point.


8. From the command line force the pfild daemon to read the rule file by performing the following steps. (You can also reboot the system to accomplish the same effect.)

a. Use the ifconfig command to determine the configuration of your system’s interfaces. Document the relevant interface information, such as IP address, mask, and broadcast address.

sys12# ifconfig -a inet
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.1.2 netmask ffffff00 broadcast 192.168.1.255

b. Force the autopush configuration file to be read by using the following command:

sys12# autopush -f /etc/ipf/pfil.ap

c. Unplumb your system’s interface.

sys12# ifconfig hme0 down unplumb

d. Plumb your system’s interface to load the packet filter into the interface’s IP stack.

sys12# ifconfig hme0 plumb 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255 up

9. As done previously, use another system and attempt to use the telnet utility to determine if your system permits a telnet connection.

sys13# telnet sys12
Trying 192.168.1.2...
telnet: Unable to connect to remote host: Connection timed out
sys13#

You should observe that telnet access is now blocked.


The next steps are to configure your system to permit incoming telnet requests from the local subnet, but block telnet requests from all other networks and not process any other rules.

10. Edit the Solaris IP Filter firewall configuration file by adding a new rule that:

● Permits incoming telnet access only from other hosts on your local subnet

● Stops processing of subsequent rules by using the quick keyword.

Write the rule that you entered in the /etc/ipf/ipf.conf file:

pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.2/32 port = 23

Did you put the new rule before or after the existing rule? Why?

Because you used the quick keyword in the new rule, it should be placed before the old rule to permit local telnet access only.

If you place it after the old rule, the old rule attempts to block the telnet requests and then the new rule permits telnet access from the local subnet.

11. Update the Solaris IP Filter firewall configuration to include the new rule by using the following ipf command:

sys12# ipf -Fa -f /etc/ipf/ipf.conf

12. Display the new rule set by using the ipfstat command.

sys12# ipfstat -io
empty list for ipfilter(out)
pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.2/32 port = telnet
block in proto tcp from any to 192.168.1.2/32 port = telnet

13. Validate that the new configuration is working. Attempt to establish a telnet session to your system from a host on the local subnet and from a host on another subnet.

sys13# telnet 192.168.1.2
Trying 192.168.1.2...
Connected to sys12.
Escape character is '^]'.
login:

sys22# telnet 192.168.1.2
Trying 192.168.1.2...

You should observe that telnet access succeeds on the local subnet only.


Working on the Router on Your Subnet

The next steps configure your router to block all telnet requests from outside your subnet to any system on your subnet.

14. Verify that the systems can properly communicate across subnets by establishing an appropriate telnet session that passes through your router system. Terminate the telnet session after you verify successful communication.

sys21# telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: root
Password:
Last login: Mon Dec 20 05:54:27 from sys21ext.thirty
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Welcome to SA300-S10_A on sys11
sys11# exit
Connection to 192.168.1.1 closed by foreign host.

Now that you have established successful communication you can have confidence that subsequent failed sessions will be the result of a firewall configured properly, and not some other networking issue.

15. Edit the Solaris IP Filter firewall’s autopush configuration file to specify the network interfaces for packet filtering on your router system. Do this by removing the comments from the appropriate interfaces. (The ifconfig command shows the interfaces.)

Which file do you edit?

The /etc/ipf/pfil.ap file.

Your configuration file should look similar to the following:

sys11# cat /etc/ipf/pfil.ap
...
#qe
hme
qfe
#eri
...


16. Edit the relevant file on your router system and add rules to block all incoming telnet requests to your local subnet that do not originate from the local subnet. Document the file that you edit and your rules.

sys11# cat /etc/ipf/ipf.conf
block in on qfe2 proto tcp from any to 192.168.1.0/24 port = 23

17. Enable the packet filter by performing the following steps:

a. Verify the status of the svc:/network/ipfilter service, and write the command that you use.

sys11# svcs -a | grep ipfilter
disabled 8:31:38 svc:/network/ipfilter:default

b. Start the service, and write the command that you use.

sys11# svcadm enable svc:/network/ipfilter:default

c. Verify that the service started, and write the command that you use.

sys11# svcs -a | grep ipfilter
online 5:56:23 svc:/network/ipfilter:default

18. From the command line force the pfild daemon to read the rule file by performing the following steps. (You can also reboot the system to accomplish the same effect.)

a. Force the autopush configuration file to be read by using the following command:

sys11# autopush -f /etc/ipf/pfil.ap

b. Determine the configuration of your system’s interfaces. Document the relevant interface information, such as IP address, mask, broadcast address, and routing information.

sys11# ifconfig -a inet
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
qfe2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
        inet 192.168.30.31 netmask ffffff00 broadcast 192.168.30.255

c. Unplumb your system’s interfaces.

sys11# ifconfig hme0 down unplumb
sys11# ifconfig qfe2 down unplumb


d. Plumb and restore your system’s interface configurations to load the packet filter into the interface’s IP stack.

sys11# ifconfig hme0 plumb 192.168.1.1 netmask 0xffffff00 broadcast + up
sys11# ifconfig qfe2 plumb 192.168.30.31 netmask 0xffffff00 broadcast + up

e. Verify that the rule functions as expected by using the telnet command.

sys21# telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection timed out
sys21#

You should observe that local telnet traffic is permitted but traffic initiated from another subnet is not.

The next steps block your non-router system from sending any outgoing ICMP echo replies.

Working on a Non-Router System on Your Subnet

Continue as follows on the same non-router system on which you have been working:

19. Before establishing a blocking rule, verify that you are now able to contact your system from another system on your local subnet by using the ping command.

sys13# ping sys12
sys12 is alive
sys13#

20. Update the Solaris IP Filter firewall’s configuration file to include a rule on the last line that blocks outgoing ICMP echo replies from the host.

Write the rule that you entered in the /etc/ipf/ipf.conf file:

block out quick proto icmp from any to any icmp-type 0

Note that even though the first rule uses the quick keyword, ping traffic will reach this new, third rule because the first rule will not match ICMP traffic and therefore the quick keyword will not apply.


21. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

sys12# ipf -Fa -f /etc/ipf/ipf.conf

22. Verify the rules by using the ipfstat command.

sys12# ipfstat -io
block out quick proto icmp from any to any icmp-type echorep
pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.2/32 port = telnet
block in proto tcp from any to 192.168.1.2/32 port = telnet
#

23. Test that the new rule is functioning correctly by using the ping command from the test system again.

sys13# ping sys12
no answer from sys12

24. Verify that a local system can successfully perform DNS lookups across routers. Use the dig command to find the IP address of a system on another network. (Successful completion of this step will aid you in later steps when you write rules to specifically allow DNS through firewalls.)

sys13# dig @192.168.2.2 two.edu -x 192.168.2.4
; <<>> DiG 9.2.4 <<>> @192.168.2.2 two.edu -x 192.168.2.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;two.edu. IN A
;; AUTHORITY SECTION:
two.edu. 86400 IN SOA sys22.two.edu. root.sys22.two.edu. 2005010101 3600 1800 6048000 86400
;; Query time: 4 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Jan 12 08:19:05 2005
;; MSG SIZE rcvd: 72
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1194
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;4.2.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.2.168.192.in-addr.arpa. 86400 IN PTR sys24.two.edu.
;; AUTHORITY SECTION:
2.168.192.in-addr.arpa. 86400 IN NS sys22.two.edu.
2.168.192.in-addr.arpa. 86400 IN NS sys23.two.edu.
;; ADDITIONAL SECTION:
sys22.two.edu. 86400 IN A 192.168.2.2
sys23.two.edu. 86400 IN A 192.168.2.3
;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Jan 12 08:19:05 2005
;; MSG SIZE rcvd: 141
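The rule ordering on sys12 from steps 20 through 23 can be checked against a model of how IP Filter walks a rule list: the last matching rule decides, unless a matching rule carries quick. The following Python model is an added example, not part of the course material; the Rule and Packet classes, the numeric port 23 for telnet, the test addresses, and the pass verdict for packets that match no rule are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool = False
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Packet:                        # hypothetical packet description for this example
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in this lab (numeric ports and ICMP types)."""
    tok = text.split()
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "quick":
            rule.quick = True
        elif t == "proto":
            i += 1
            rule.proto = tok[i]
        elif t in ("from", "to"):
            i += 1
            net = None if tok[i] == "any" else ipaddress.ip_network(tok[i])
            if t == "from":
                rule.src = net
            else:
                rule.dst = net
        elif t == "port":            # "port = N", treated as the destination port
            i += 2
            rule.dport = int(tok[i])
        elif t == "icmp-type":
            i += 1
            rule.icmp_type = int(tok[i])
        # "all", "log", "on <interface>" and "keep state" do not change matching here
        i += 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules, pkt, default="pass"):
    """Return (verdict, 1-based rule number). Last match wins; quick stops the walk."""
    verdict, hit = default, None     # assumption: unmatched packets are passed
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            verdict, hit = rule.action, number
            if rule.quick:
                break
    return verdict, hit


# The three sys12 rules in file order, with telnet written as port 23 (assumption).
SYS12_RULES = [
    "pass in quick proto tcp from 192.168.1.0/24 to 192.168.1.2/32 port = 23",
    "block in proto tcp from any to 192.168.1.2/32 port = 23",
    "block out quick proto icmp from any to any icmp-type 0",
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SYS12_RULES]
    tests = [
        Packet("in", "tcp", "192.168.1.3", "192.168.1.2", dport=23),     # local telnet
        Packet("in", "tcp", "192.168.2.4", "192.168.1.2", dport=23),     # remote telnet
        Packet("in", "icmp", "192.168.1.3", "192.168.1.2", icmp_type=8),  # echo request
        Packet("out", "icmp", "192.168.1.2", "192.168.1.3", icmp_type=0), # echo reply
    ]
    for pkt in tests:
        print(pkt, "->", evaluate(rules, pkt))
```

The echo request is accepted because no rule matches it; only the reply is dropped by rule 3, which is why ping on sys13 reports no answer. Removing quick from rule 1 turns local telnet into a block, because rule 2 then becomes the last match.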

Task 2 Solutions

In the second part of the lab you restrict access to your subnet by disabling all services except a defined set.

Working on the Router on Your Subnet

Perform the following:

1. Edit the Solaris IP Filter firewall’s rules to block all traffic on the router.

Remove all existing rules currently in the configuration file, and write and document the new rules that you entered in the /etc/ipf/ipf.conf file.

block in all
block out all

2. Update the Solaris IP Filter firewall configuration to include the new rules by using the ipf command.

sys11# ipf -Fa -f /etc/ipf/ipf.conf

3. Verify the rules by using the ipfstat command.

sys11# ipfstat -io
block out all
block in all
#

Working on Each Non-Router System on Your Subnet

Continue as follows on the same non-router system on which you have been working:

4. Remove all of the rules in the /etc/ipf/ipf.conf file.

The /etc/ipf/ipf.conf file should be empty.

5. Reboot all of the non-router systems.

sys12# init 6

The reboot is performed as an easy way to flush cached information on the non-router systems. It is not a necessary part of the Solaris IP Filter firewall’s configuration.

Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

6. Update the Solaris IP Filter firewall configuration to permit routing information traffic to be sent and received.

Before the existing block out all and block in all rules, write the rules that you entered in the /etc/ipf/ipf.conf file:

pass in quick proto udp from any to any port = 520
pass out quick proto udp from any to any port = 520
pass in quick proto udp from any to any port = 521
pass out quick proto udp from any to any port = 521
pass in quick proto icmp from any to any icmp-type 10
pass out quick proto icmp from any to any icmp-type 9

7. Update the Solaris IP Filter firewall configuration to use the new rules by using the ipf command.

sys11# ipf -Fa -f /etc/ipf/ipf.conf

8. Verify the rules by using the ipfstat command.

sys11# ipfstat -io
pass out quick proto udp from any to any port = route
pass out quick proto udp from any to any port = ripngd
pass out quick proto icmp from any to any icmp-type routerad
block out all
pass in quick proto udp from any to any port = route
pass in quick proto udp from any to any port = ripngd
pass in quick proto icmp from any to any icmp-type routersol
block in all

Working on a Non-Router System on Your Subnet

Continue as follows on the non-router system on which you have been working:

9. Test that the new rules function correctly by checking the configuration of the routing tables on the non-router hosts and by snooping the network to look for routing packets.

sys12# netstat -rn -f inet

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.2          U         1      0 hme0
224.0.0.0            192.168.1.2          U         1      0 hme0
default              192.168.1.1          UG        1      0 hme0
127.0.0.1            127.0.0.1            UH        4     77 lo0
sys12#
sys12# snoop
...
 sys11 -> 192.168.1.255 RIP R (3 destinations)
 sys11 -> 192.168.1.255 RIP R (3 destinations)
...

You should see evidence of routing information in the routing table (a default route, for example) or in the snoop trace (router advertisements, for example), but no other non-routing services.

Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

10. Update the Solaris IP Filter firewall configuration to permit DNS traffic to be sent and received.

At the beginning of the configuration file, write the rules that you entered in the /etc/ipf/ipf.conf file.

pass in quick proto udp from any to any port = 53 keep state
pass out quick proto udp from any to any port = 53 keep state

11. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

sys11# ipf -Fa -f /etc/ipf/ipf.conf

12. Verify the rules by using the ipfstat command.

sys11# ipfstat -io
pass out quick proto udp from any to any port = domain keep state
pass out quick proto udp from any to any port = route
pass out quick proto udp from any to any port = ripng
pass out quick proto icmp from any to any icmp-type routerad
block out all
pass in quick proto udp from any to any port = domain keep state
pass in quick proto udp from any to any port = route
pass in quick proto udp from any to any port = ripng
pass in quick proto icmp from any to any icmp-type routersol
block in all

Working on a Non-Router System on Your Subnet

Continue as follows on a non-router system on the same subnet on which you have been working:

13. Use the dig command to find the IP address of a system on another network. Be sure to query a DNS server on that other network.

sys13# dig @192.168.2.2 two.edu -x 192.168.2.4
; <<>> DiG 9.2.4 <<>> @192.168.2.2 two.edu -x 192.168.2.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;two.edu. IN A
;; AUTHORITY SECTION:
two.edu. 86400 IN SOA sys22.two.edu. root.sys22.two.edu. 2005010101 3600 1800 6048000 86400
;; Query time: 4 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Jan 12 08:19:05 2005
;; MSG SIZE rcvd: 72
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1194
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;4.2.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.2.168.192.in-addr.arpa. 86400 IN PTR sys24.two.edu.
;; AUTHORITY SECTION:
2.168.192.in-addr.arpa. 86400 IN NS sys22.two.edu.
2.168.192.in-addr.arpa. 86400 IN NS sys23.two.edu.
;; ADDITIONAL SECTION:
sys22.two.edu. 86400 IN A 192.168.2.2
sys23.two.edu. 86400 IN A 192.168.2.3
;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Jan 12 08:19:05 2005
;; MSG SIZE rcvd: 141

Working on the Router on Your Subnet

Continue as follows on the same router system on which you have been working:

14. Even though this group of steps is to be performed on your router system, before configuring rules for FTP, verify that your firewalls are functioning properly by ensuring that you cannot initiate an FTP session from your non-router system to the instructor machine. Once you verify this, you can proceed with writing rules to allow FTP through the router firewall system.

sys12# ftp 192.168.30.30
ftp: connect: Connection timed out
ftp> bye
sys12#

15. Update the Solaris IP Filter firewall configuration to permit FTP traffic to pass from the local subnet to the instructor system only. Log any traffic that matches one of the rules that you define.

Assume that your system will get more DNS traffic than FTP traffic. Placing the new FTP rules after the DNS rules would recognize this and, appropriately, be more responsive to the DNS traffic.

Hint: Use the keep state keywords in your rules.

Write the rules that you entered in the /etc/ipf/ipf.conf file.

pass in log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass out log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass in log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass out log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass in log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass out log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass in log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass out log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state

16. Update the Solaris IP Filter firewall configuration to include the new rule by using the ipf command.

sys11# ipf -Fa -f /etc/ipf/ipf.conf

17. Verify the rules by using the ipfstat command.

sys11# ipfstat -io
pass out quick proto udp from any to any port = domain keep state
pass out log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass out log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass out log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass out log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass out quick proto udp from any to any port = route
pass out quick proto udp from any to any port = ripng
pass out quick proto icmp from any to any icmp-type routerad
block out all
pass in quick proto udp from any to any port = domain keep state
pass in log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass in log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 21 keep state
pass in log quick on hme0 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass in log quick on qfe2 from 192.168.1.0/24 to 192.168.30.30/32 port = 20 keep state
pass in quick proto udp from any to any port = route
pass in quick proto udp from any to any port = ripng
pass in quick proto icmp from any to any icmp-type routersol
block in all

18. Use the ipmon command as a daemon to log information to the /var/tmp/ipfilter.log file.

# ipmon -D /var/tmp/ipfilter.log

Working on a Non-Router System on Your Subnet

Continue as follows on any non-router system on your subnet. You will now be using FTP to connect to another system on another subnet across your firewall router.

19. Use FTP to access a system on another subnet.

sys13# ftp 192.168.2.3
ftp: connect: Connection timed out
ftp>

What behavior do you see?

The attempt to connect fails.

20. Use FTP to access the instructor system.

sys13# ftp 192.168.30.30
Connected to 192.168.30.30.
220 instructor.thirty.edu FTP server ready.
Name (192.168.30.30:root):

What behavior do you see?

The attempt to connect succeeds.

Working on the Router on Your Subnet

Complete as follows on the same router system on which you have been working:

21. View the log file created by the ipmon command.

sys11# cat /var/tmp/ipfilter.log
03/02/2005 14:13:12.223769 hme0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 52 -S K-S IN
03/02/2005 14:13:12.223821 qfe0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 52 -S K-S OUT
03/02/2005 14:13:12.224270 qfe0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 52 -AS K-S IN
03/02/2005 14:13:12.224486 hme0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 52 -AS K-S OUT
03/02/2005 14:13:12.224930 hme0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S IN
03/02/2005 14:13:12.224950 qfe0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S OUT
03/02/2005 14:13:12.274058 qfe0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 85 -AP K-S IN
03/02/2005 14:13:12.274078 hme0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 85 -AP K-S OUT
03/02/2005 14:13:12.274309 hme0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S IN
03/02/2005 14:13:12.274326 qfe0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S OUT
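The log from step 21 can be read mechanically to confirm what the keep state rules did on the router. The following Python parser is an added example, not part of the course material; it uses the first six lines of the listing above as sample input, and the field names, the flows() and handshake_complete() functions, and the regular expression are assumptions based only on the line layout shown in that listing.

```python
import re

# Field layout inferred from the log lines shown in step 21 (assumption).
LINE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<ifc>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+) -(?P<flags>[A-Z]+) "
    r"(?:(?P<state>K-S) )?(?P<dir>IN|OUT)$"
)

# Sample input: the first six lines of the step 21 listing.
SAMPLE_LOG = """
03/02/2005 14:13:12.223769 hme0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 52 -S K-S IN
03/02/2005 14:13:12.223821 qfe0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 52 -S K-S OUT
03/02/2005 14:13:12.224270 qfe0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 52 -AS K-S IN
03/02/2005 14:13:12.224486 hme0 @0:2 p 192.168.30.30,21 -> 192.168.1.3,32788 PR tcp len 20 52 -AS K-S OUT
03/02/2005 14:13:12.224930 hme0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S IN
03/02/2005 14:13:12.224950 qfe0 @0:2 p 192.168.1.3,32788 -> 192.168.30.30,21 PR tcp len 20 40 -A K-S OUT
"""


def flows(lines):
    """Group log lines into bidirectional flows keyed by the sorted endpoint pair."""
    table = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                         # skip blank or unrecognised lines
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted([a, b]))
        flow = table.setdefault(key, {
            "initiator": None, "packets": 0, "seen": [],
            "interfaces": set(), "stateful": True,
        })
        flow["packets"] += 1
        flow["interfaces"].add((m["ifc"], m["dir"]))
        flow["stateful"] &= m["state"] == "K-S"   # every line matched a state entry
        if m["dir"] == "IN":                 # record each packet once, where it enters
            flow["seen"].append((a, m["flags"]))
            if m["flags"] == "S" and flow["initiator"] is None:
                flow["initiator"] = a        # sender of the first bare SYN
    return table


def handshake_complete(flow):
    """True if SYN, SYN+ACK and ACK were seen in order from the expected sides."""
    init = flow["initiator"]
    seen = iter(flow["seen"])
    for flags, from_initiator in (("S", True), ("AS", False), ("A", True)):
        for sender, got in seen:
            if got == flags and (sender == init) == from_initiator:
                break
        else:
            return False                     # ran out of packets before this step
    return True


if __name__ == "__main__":
    for key, flow in flows(SAMPLE_LOG.splitlines()).items():
        print(key, "initiator:", flow["initiator"], "packets:", flow["packets"],
              "stateful:", flow["stateful"], "handshake:", handshake_complete(flow))
```

Each packet appears twice in the log, once entering the router and once leaving it, and the replies from port 21 carry the K-S marker although no rule names 192.168.30.30 as a source, which is the effect of keep state.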

Glossary/Acronyms

Numerals

10BASE-T

An evolution of Ethernet technology that succeeded 10BASE-5 and 10BASE-2 as the most popular method of physical network implementation. A 10BASE-T network has a data transfer rate of 10 megabits per second and uses unshielded twisted-pair wiring.

A

ACL

(access control list) ACLs provide a higher level of file security than the standard UNIX file permissions. ACLs give a file owner the ability to permit access to that file or directory to one or more specific users or groups and to set the default permissions for specific users or groups.

AH

Authentication header.

ANSI

American National Standards Institute.

application

A program that combines all the functions necessary for the user to accomplish a particular set of tasks (for example, word processing or inventory tracking).

Application layer

In the International Standards Organization/Open Systems Interconnection (ISO/OSI) model of network standards, the seventh layer, which handles services, such as login procedures, file and print server operation, and other basic functions.

ARP

(Address Resolution Protocol) The Internet protocol that dynamically maps Internet addresses to physical (hardware) addresses on local area networks. ARP is limited to networks that support hardware broadcast.

AS

Autonomous system.

ASCII

(American Standard Code for Information Interchange) A standard assignment of 7-bit numeric codes to characters.

B

BCC

Block-check character.

BIND

Berkeley Internet Name Domain.

boot

(bootstrap) To load the system software into memory and start it.

Bourne shell

The Bourne shell is the default shell for the Solaris Operating Environment. It does not have aliasing or history capabilities.

broadcast address

One of three types of Ethernet addresses, the broadcast address represents broadcasts to the network. A host sends a message to all hosts on the local Ethernet using a broadcast address. The Ethernet broadcast address is all 1s (ff:ff:ff:ff:ff:ff in hexadecimal).

C

cache

A buffer of high-speed memory filled at medium speed from main memory, often with instructions or the most frequently accessed information. A cache increases effective memory transfer rates and processor speed.

caching-only server

A domain name server that is not authoritative for any domain. This server queries servers that have authority for the information needed and caches that data.

canonical

Characteristic of adhering to standard, accepted, or authoritative procedures or principles.

Category 3

Category 3 twisted-pair cabling is a voice-grade cable. It features two to three twists per foot and is used in 10BASE-T and 100BASE-T4 networks.

Category 5

Category 5 twisted-pair cable is a data-grade cable. It features two to three twists per inch used in 10BASE-T and 100BASE-TX networks.

CCITT

Comite Consultatif Internationale de Telegraphie et Telephonie.

CDE

(Common Desktop Environment) This is a graphical user interface between the user and the operating system. It provides built-in menus for users to select and run utilities and programs without using the Solaris 2.x OE commands. It enables users to control multiple working documents or applications on the screen at the same time.

checksum

A checksum is a number that is calculated from the binary bytes of the file. It is used to determine if the file contents have changed.

CIDR

(classless inter-domain routing) This type of routing was introduced as a stop-gap solution to the Class B IPv4 address exhaustion and routing table explosion. CIDR enables more efficient allocation of IP address space, and it enables routing information to be aggregated to reduce the size of routing tables on backbone routers.

client-server model

A client-server environment is a network environment that contains at least one of each of the following:

● Server – A host or a process that provides services to other systems on the network.

● Client – A host or a process that uses services provided by servers.

CNAME

Canonical name.

connectionless

A type of data transfer in which self-contained messages are delivered without acknowledgement of receipt. User Datagram Protocol (UDP) is an example of a protocol in which a connection is not necessary.

connection-oriented

A type of data transfer in which a connection with another system must be established before exchanging data. Transmission Control Protocol (TCP) is an example of a connection-oriented protocol.

CRC

(cyclical redundancy check) A system of error checking performed at both the sending and receiving station after a block-check character (BCC) has been accumulated.

CSMA/CD

(carrier sense multiple access/collision detection) The Ethernet access method protocol used to control packet transmission and flow over the Ethernet hardware.

D

daemon

A process that performs a particular system task.

datagram

The Internet Protocol (IP) datagram is the basic unit of information that is passed on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. Datagrams contain at least data and destination addresses.

Data Link layer

In the International Standards Organization/Open Systems Interconnection (ISO/OSI) model, the second layer, which enables establishing, maintaining, and releasing services between network entities.

decryption

The process of converting coded data to plain text.

de-encapsulation

The process of removing a header from a segment of data when systems are communicating with each other.

DHCP

(Dynamic Host Configuration Protocol) This automatically assigns Internet Protocol (IP) addresses to Transmission Control Protocol/Internet Protocol (TCP/IP) client computers when the client joins the network. This eliminates the need to maintain a static list of addresses for each client. DHCP selects an IP address from a preconfigured pool.

DNS

(Domain Name System) DNS provides translations of host names into Internet Protocol (IP) addresses. This enables Internet communications using only host names.

domain

The name assigned to a group of systems on a local network that share administrative files. It is required for the Network Information Service (NIS) database to work properly.

E

EBCDIC

Extended Binary Coded Decimal Interchange Code.

EEPROM

(electrically erasable programmable read-only memory) A nonvolatile PROM that can be written to as well as read from. In Sun workstations, an EEPROM holds information about the current system configuration, alternate boot paths, and so on.

EGPs

Exterior gateway protocols.

encapsulation

The process of adding a header to a segment of data when systems are communicating with each other.

encryption

The process of protecting information from unauthorized use by making the information unintelligible. Encryption is based on a code, called a key, which is used to decrypt the information.

ESP

Encapsulation security payload.

Ethernet

A type of local area network that enables real-time communication between machines connected directly through cables.

Ethernet address

The physical address of an individual Ethernet controller board. It is called the hardware address or media access control (MAC) address. The Ethernet address of every Sun workstation is unique and coded into a chip on the motherboard. Additional Ethernet interfaces are assigned different Ethernet addresses.

Ethernet MAC address

The physical address also known as the media access controller (MAC) or Ethernet address. An Ethernet address is a unique hardware address. It is 48 bits long. An example of a complete Ethernet address is 8:0:20:le:56:7:d.

EUI

End-unit identifier.

F

FCS

Frame check sequence.

FP

Format prefix.

FQDN

(fully qualified domain name) A domain name that ends with a dot followed by a domain label of length zero (the root). For example, andy.sun.com, where andy is the name of a host.

frame

A series of bits with a well-defined beginning and a well-defined end.

H

hierarchal domains

A tree of domains or namespaces, each one of them having their own authority.

hierarchy

A classification of relationships in which each item except the top one (called the root) is a specialized form of the item above it. Each item can have one or more items below it in the hierarchy.

host name

A unique name identifying a host machine connected to a network. The name must be unique on the network. The hostname command determines a system’s host.

hub

The central device through which all hosts in a twisted-pair Ethernet installation are connected.

I

IAB

Internet Architecture Board.

IANA

Internet Assigned Numbers Authority.

ICANN

Internet Corporation for Assigned Names and Numbers.

ICMP

(Internet Control Message Protocol) A network layer protocol that provides for routing, reliability, flow control, and sequencing of data.

IEEE

(Institute of Electrical and Electronics Engineers) The standards organization that is responsible for developing networking standards relating to Ethernet, token bus, token ring, and metropolitan area networks.

IGMP

Internet Group Management Protocol.

IGP

(Interior Gateway Protocol) The protocol that enables the exchange of routing information between collaborating routers on the Internet. Examples of IGPs include Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

IP

(Internet Protocol) The basic protocol of the Internet. It enables the unreliable delivery of individual packets from one host to another. The IP does not determine whether the packet will be delivered, how long it will take, or if multiple packets will arrive in the order they were sent. Protocols built on top of this protocol add the functions of connection and reliability.

IP address

In Transmission Control Protocol/Internet Protocol (TCP/IP), a unique 32-bit number that identifies each host in a network.

IPG

Internet Gateway Protocol.

IPMP

Internet Protocol Messaging Protocol.

IP network number

The first octet or octets of an Internet Protocol (IP) address that uniquely identify an IP network within an organization, and on the Internet, if that network has been registered with the Internet governing organization.

IPsec

Internet Protocol Security Architecture.

IPv4

(Internet Protocol version 4) One of two versions of IP addressing. It is a 32-bit addressing scheme currently used as the dominant scheme. An IPv4 address is a unique number assigned to a host on a network. IPv4 addresses are 32 bits divided into four 8-bit fields. Each 8-bit field, or octet, is represented by a decimal number between 0 and 255, separated by periods; for example, 129.150.182.31.

IPv6

(Internet Protocol version 6) A new version designed to be an evolutionary step from the current version, Internet Protocol version 4 (IPv4). IPv6 is an increment to IPv4. Deploying IPv6, using defined transition mechanisms, does not disrupt current operations. In addition, IPv6 provides a platform for new Internet functionality.

ISO

(International Organization for Standardization) An international standards body that reviews and approves independently designed products for use within specific industries. ISO also develops standards for information exchange, such as the ISO/OSI model for computer networks.

ISP

(Internet service provider) A company providing an Internet package. This often includes a phone number access code, user name, and software, all for a provider fee.

J

JPEG

Joint Pictures Expert Group.

JPG

Joint Pictures Group.

JumpStart process

An automatic installation process available in a network environment that enables system administrators to categorize machines and automatically install systems based on the machine’s category.

K

kernel

The master program (core) of the Solaris Operating Environment. It manages devices, memory, swap, processes, and daemons. The kernel also controls the functions between the system programs and the system hardware.

L

LAN

(local area network) A group of computer systems in close proximity that can communicate by way of some connecting hardware and software.

layer

One of a set of services, functions, and protocols that span all open systems.

M

MAC

Media access control.

master server

The server that maintains the master copy of the network information service database. It has a disk and a complete copy of the operating system.

mirror

Disk mirroring is a feature that guards against component failure by writing the same data to two or more disk drives at the same time.

MMF

Multimode fiber.


MTU
(maximum transmission unit) An MTU is the largest amount of data that can be transferred across a given physical network. The MTU is hardware specific. For example, the MTU for a physical Ethernet interface is 1500 bytes.

multicast address
One of three types of Ethernet address, the multicast address is used to send a message to a subset of hosts on a network. In Ethernet multicast addressing, the first three octets must contain a value of 01.00.5E. The last three octets are used to assign host group identity.

N

name service
A name service provides a means of identifying and locating resources (traditionally host names and Internet Protocol [IP] addresses) available to a network. The default name service product available in the Solaris 2.x Operating Environment is Network Information Service Plus (NIS+).

NDP
Neighbor Discovery Protocol.

network
Technically, the hardware connecting various systems, enabling them to communicate. Informally, the systems so connected.

network address
The address, consisting of up to 20 octets, used to locate an Open Systems Interconnection (OSI) transport entity. The address is formatted into an initial domain part that is standardized for each of several addressing domains, and a domain-specific part that is the responsibility of the addressing authority for that domain.

Network layer
In the International Standards Organization/Open Systems Interconnection (ISO/OSI) model of network standards, the third layer, which enables routing and switching blocks of data between two devices that support Transport layer protocols over a connection.

network segment
In Integrated Services Digital Network (ISDN), when the TCP adds an information header to a packet of data for decoding by the TCP on the remote machine, the expanded packet is referred to as a segment. It is then passed to the Network layer, which converts it to a datagram. It then goes to the Data Link layer, which converts it to a frame.


NFS
(Network File System) A file system distributed by Sun that provides transparent access to remote file systems on heterogeneous networks.

NIC
Network interface card.

NIS
(Network Information Service) The Sun Operating System 4.0 (minimum) network information service. A distributed network database containing key information about the systems and the users on the network. The NIS database is stored on the master server and all the slave servers. See also NIS+.

NIS+
(Network Information Service Plus) The Sun Operating System 5.0 (minimum) network information service. NIS+ replaces NIS, the Sun OS 4.0 (minimum) NIS.

NLA
Next level aggregator.

node
A node is an addressable point on a network. Each node in a Sun network has a different name. A node can connect a computing system, a terminal, or various other peripheral devices to the network.

NS
Name server.

NSCD
Name service cache daemon.

NTP
Network Time Protocol.

NVRAM
Nonvolatile random access memory.

O

OpenBoot PROM
OpenBoot programmable read-only memory.

OS
(operating system) A collection of programs that monitor the use of the system and supervise the other programs executed by it.


OSI
(Open Systems Interconnection) OSI is an international standardization program that was developed to facilitate communications among computers from different manufacturers.

OSPF
Open Shortest Path First.

P

PDU
Packet data unit.

peer-to-peer communication
The communications between peer devices.

Physical layer
In the International Standards Organization/Open Systems Interconnection (ISO/OSI) model of network standards, the first layer, which supplies the mechanical, electrical, and procedural means of establishing, maintaining, and releasing physical connections.

PID
(process identification number) A unique, system-wide, identification number assigned to a process. Also called process ID, process number.

PLM
Physical layer medium.

PPP
(Point-to-Point Protocol) A way to connect to the Internet; PPP also provides error-checking features.

PROM
(programmable read-only memory) A permanent memory chip programmed by the user rather than at the chip manufacturer, as is true with a read-only memory (ROM). You need a PROM programmer or burner to write data onto a PROM. PROM has been mostly replaced by erasable programmable read-only memory (EPROM), a type of PROM that can be erased by ultraviolet light and reprogrammed.

protocol
A way to transmit data between devices. A computer or device must have a correct protocol to be able to communicate successfully with other computers or devices.

PTR
DNS pointer record.


R

RARP
(Reverse Address Resolution Protocol) RARP is an Internet Protocol that maps a physical (hardware) address to an Internet address. Diskless clients use RARP to find their Internet addresses at startup.

RDISC
Router discovery.

RFC
Request for Comment.

RIP
(Routing Information Protocol) RIP provides for automated distribution of routing information between systems.

RPC
(remote procedure call) This is an easy and popular paradigm for implementing the client-server model of distributed computing. A request is sent to a remote system to execute a designated procedure, using supplied arguments. The result is returned to the caller. There are many variations of this, resulting in a variety of different RPC protocols.

run level
One of the eight initialization states in which a system can run. A system can run in only one initialization state at a time. The default run level for each system is specified in the /etc/inittab file.

run level 2
A multiuser mode without remote resources available. All daemons are running except for remote file-sharing daemons.

run level S
A single-user mode in which the operating system is running, but all users are logged out and most system processes, such as print and mail, are not running. Only one user (the superuser) is logged in to the system. Run level S is convenient for doing backups because no users are logged in, so all data is stable.

S

SLA
Site-level aggregator.


slave server
A server system that maintains a copy of the Network Information Service (NIS) database. It has a disk and a complete copy of the operating system.

SLIP
(Serial-Line Internet Protocol) An Internet protocol used to run Internet Protocol (IP) over serial lines such as telephone circuits or RS-232 cables interconnecting two systems. The Point-to-Point Protocol (PPP) is the preferred protocol.

SMF
Service Management Framework.

SNMP
(Simple Network Management Protocol) The network management of choice for Transmission Control Protocol/Internet Protocol-based (TCP/IP-based) Internets.

snoop
This command captures network packets and displays their contents. The command can be run only by the superuser.

SOA
(start of authority) An SOA record marks the beginning of a zone’s authority and defines parameters that affect an entire zone.

stateful
A type of data transfer where part of the data sent from the client to the server includes the status of the client. Transmission Control Protocol (TCP) is an example of a stateful protocol.

stateless
A type of data transfer where the server has no obligation to keep track of the state of the client. User Datagram Protocol (UDP) is an example of a stateless protocol.

subnetwork
A collection of International Standards Organization/Open Systems Interconnection (ISO/OSI) end systems and intermediate systems under the control of a single administrative domain and using a single network access protocol; for example, private X.25 networks and a collection of bridged LANs.


T

TCP
(Transmission Control Protocol) A communications protocol that ensures data is sent between computers on the Internet.

TCP/IP
(Transmission Control Protocol/Internet Protocol) An Internet protocol that provides for the reliable delivery of data streams from one host to another. SunOS networks run on TCP/IP by default. Also called Internet Protocol suite. See also IP.

TLA
Top-level aggregator.

TP
Twisted pair.

TP-PLM
Twisted-pair physical layer medium.

Transport layer
In the International Standards Organization/Open Systems Interconnection (ISO/OSI) model of network standards, the fourth layer, which controls the transfer of data between session layer entities.

TTL
(time-to-live) Complete entries in the Address Resolution Protocol (ARP) table have a TTL value and a period during which they are considered to be valid entries (normally 30 minutes). TTL is also used in Domain Name System (DNS) zone files.

U

UDP
(User Datagram Protocol) This protocol is a transport protocol in the Internet suite of protocols. It uses Internet Protocol (IP) for delivery, and provides for exchange of datagrams without acknowledgements or guaranteed delivery.

UTC
Coordinated Universal Time. This is the official standard for current time. Several institutions contribute their calculations of the current time, and UTC is a combination of these estimates.

UTP
Unshielded twisted-pair.


V

VLAN
Virtual local area network.

VLSM
Variable length subnet mask.

W

WAN
(wide area network) WANs are slower-speed networks typically used by organizations to connect their local area networks. WANs are often built from leased telephone lines capable of moving data at speeds of 56 kilobits per second to 1.55 megabits per second. A WAN might be used to bridge a company’s office on two opposite ends of town or on opposite ends of a continent.
