Showing posts with label Networking. Show all posts

Monday, 20 May 2013

HOWTO determine the MAC address of a network interface


Sometimes it can be useful to know the physical address of a network interface (MAC address), to perform some configuration and/or troubleshooting.

Find the MAC address

On most systems this information can be retrieved with the ifconfig or netstat commands, but this is not the case on IBM AIX.

To get the MAC address, use the lscfg command as root as follows:

Command: displaying the MAC address of the interface <INTERFACE>

# lscfg -vpl <INTERFACE>


To retrieve the MAC address of the interface ent0:

Command: displaying the MAC address of the interface ent0

# lscfg -vl ent0
  ent0             U787B.001.DNW7722-P1-T9  2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
      2-Port 10/100/1000 Base-TX PCI-X Adapter:
        Network Address.............000D604DFA2A
        ROM Level.(alterable).......DV0210
        Hardware Location Code......U787B.001.DNW7722-P1-T9
  Name:  ethernet
    Node:  ethernet@1
    Device Type:  network
    Physical Location: U787B.001.DNW7722-P1-T9

Monday, 22 April 2013

Networking [AIX]

To find out the link status, link speed, MAC address and statistics of an Ethernet adapter ent0
 # entstat -d ent0  (or entstat -dt en0)
 Device Type: 10/100/1000 Base-TX PCI-X Adapter (14106902)
 Hardware Address: 00:11:25:08:1c:21

 Transmit Statistics:                          Receive Statistics: 
 --------------------                          -------------------
 Packets: 242183399                            Packets: 318139934
 Bytes: 41638159225                            Bytes: 234717791764
 Interrupts: 0                                 Interrupts: 172984103
 Transmit Errors: 0                            Receive Errors: 0
 Packets Dropped: 0                            Packets Dropped: 0
                                              Bad Packets: 0
 Max Packets on S/W Transmit Queue: 21        
 S/W Transmit Queue Overflow: 0
 Current S/W+H/W Transmit Queue Length: 1

 Broadcast Packets: 16676                      Broadcast Packets: 6200001
 Multicast Packets: 0                          Multicast Packets: 0
 No Carrier Sense: 0                           CRC Errors: 0
 DMA Underrun: 0                               DMA Overrun: 0
 Lost CTS Errors: 0                            Alignment Errors: 0
 Max Collision Errors: 0                       No Resource Errors: 0
 Late Collision Errors: 0                      Receive Collision Errors: 0
 Deferred: 0                                   Packet Too Short Errors: 0
 SQE Test: 0                                   Packet Too Long Errors: 0
 Timeout Errors: 0                             Packets Discarded by Adapter: 0
 Single Collision Count: 0                     Receiver Start Count: 0
 Multiple Collision Count: 0
 Current HW Transmit Queue Length: 1

 General Statistics:
 No mbuf Errors: 0
 Adapter Reset Count: 1
 Adapter Data Rate: 2000
 Driver Flags: Up Broadcast Debug 
         Running Simplex 64BitSupport 
         ChecksumOffload PrivateSegment LargeSend 

 10/100/1000 Base-TX PCI-X Adapter (14106902) Specific Statistics:
 Link Status : Up
 Media Speed Selected: Auto negotiation
 Media Speed Running: 1000 Mbps Full Duplex
 PCI Mode: PCI-X (100-133)
 PCI Bus Width: 64-bit
 Latency Timer: 144
 Cache Line Size: 128
 Jumbo Frames: Disabled
 TCP Segmentation Offload: Enabled
 TCP Segmentation Offload Packets Transmitted: 681521
 TCP Segmentation Offload Packet Errors: 0
 Transmit and Receive Flow Control Status: Disabled
 Transmit and Receive Flow Control Threshold (High): 49152
 Transmit and Receive Flow Control Threshold (Low): 24576
 Transmit and Receive Storage Allocation (TX/RX): 8/5
To find out the statistics of each adapter in an EtherChannel
 # entstat -dt en2 
==> where en2 is an EtherChannel device
==> This output gives statistics about ent1 and ent2, including the link status and speed.
To find out the MAC address, Hardware/Physical location of a network card
  # lscfg -vpl ent1 
   ent1             U7879.001.DQDGMBD-P1-T6  2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)

        2-Port 10/100/1000 Base-TX PCI-X Adapter:
        Network Address.............001125E6ACAA
        ROM Level.(alterable).......DV0210
        Hardware Location Code......U7879.001.DQDGMBD-P1-T6


  Name:  ethernet
    Node:  ethernet@1
    Device Type:  network
    Physical Location: U7879.001.DQDGMBD-P1-T6
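As an added example (not part of the original post), the following shell functions turn the entstat -d and lscfg -vl output shown above into a health check: link up, MAC reported by the driver equal to the one burned into the adapter (a mismatch points at an alt_addr or a misconfiguration worth investigating), and zero error counters. The samples are constructed, trimmed copies of the outputs above.

```shell
#!/bin/sh
# Added example, not from the original post: health check for one AIX Ethernet
# adapter from entstat -d and lscfg -vl output. Samples are constructed.

SAMPLE_ENTSTAT='Device Type: 10/100/1000 Base-TX PCI-X Adapter (14106902)
Hardware Address: 00:11:25:08:1c:21
Transmit Errors: 0                            Receive Errors: 0
Packets Dropped: 0                            Packets Dropped: 0
No Carrier Sense: 0                           CRC Errors: 0
Link Status : Up
Media Speed Running: 1000 Mbps Full Duplex'

# Same adapter, but with CRC errors recorded (constructed).
SAMPLE_ENTSTAT_BAD=$(printf '%s\n' "$SAMPLE_ENTSTAT" | sed 's/CRC Errors: 0/CRC Errors: 7/')

SAMPLE_LSCFG='  ent0  U787B.001.DNW7722-P1-T9  2-Port 10/100/1000 Base-TX PCI-X Adapter
        Network Address.............001125081C21
        ROM Level.(alterable).......DV0210'

# Normalise a MAC to lowercase colon-separated form, whether it came from
# lscfg (12 bare hex digits) or entstat (already colon-separated).
norm_mac() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f' | sed 's/\(..\)/\1:/g; s/:$//'
}

lscfg_mac()   { norm_mac "$(printf '%s\n' "$1" | sed -n 's/.*Network Address\.*//p' | tr -d ' ')"; }
entstat_mac() { norm_mac "$(printf '%s\n' "$1" | sed -n 's/^Hardware Address: *//p')"; }
link_speed()  { printf '%s\n' "$1" | sed -n 's/^Media Speed Running: *//p'; }
link_up()     { printf '%s\n' "$1" | grep -q '^Link Status *: *Up'; }

# Sum every "... Errors: N" and "... Dropped: N" counter. entstat prints two
# columns per line, so walk the fields instead of assuming one counter per line.
error_total() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i ~ /^(Errors|Dropped):$/) total += $(i + 1)
    } END { print total + 0 }'
}

# Verdict: "OK <speed>", "WARN <n> errors" or "FAIL <reason>".
adapter_check() {
    ent=$1; cfg=$2
    link_up "$ent" || { echo "FAIL link down"; return 1; }
    [ "$(entstat_mac "$ent")" = "$(lscfg_mac "$cfg")" ] ||
        { echo "FAIL MAC mismatch: driver $(entstat_mac "$ent"), adapter $(lscfg_mac "$cfg")"; return 1; }
    n=$(error_total "$ent")
    [ "$n" -eq 0 ] || { echo "WARN $n errors"; return 2; }
    echo "OK $(link_speed "$ent")"
}
```

On a live system feed it `"$(entstat -d ent0)"` and `"$(lscfg -vl ent0)"` instead of the samples.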
Setting multiple IP addresses for a single network card
 # ifconfig lo0 alias 
 # ifconfig en0 alias <IP_address> netmask <net_mask>
To make the alias permanent, either add the above line to /etc/ or /etc/rc.tcpip, or run the following command.
 # chdev -l en0 -a alias4=<IP_address>,<netmask>
To delete a static route manually

Syntax :-

chdev -l inet0 -a delroute=<net>,<destination_address>,<Gate_way_address>,<Subnet_mask>
 # chdev -l inet0 -a delroute='net','',''
To change the IP address of an interface manually
 # chdev -l en0 -a netaddr= -a netmask= -a state=up
To set the IP address initially
 # mktcpip -h <hostname> -a <ipaddress> -m <subnet_mask> -i <if_name> -n <NameServer_address> \
   -d <domain_name> -g <gateway_address> -A no 
Smit fast paths
 # smit chinet or smit inet

Name resolution order

This can be set in two ways.
 01. By modifying the /etc/netsvc.conf file
 02. By setting the NSORDER variable (NSORDER overrides /etc/netsvc.conf).
To change the Network speed
 # ifconfig en0 down detach
 # chdev -l ent0 -a media_speed=......
 # ifconfig en0 up

Network Options:

The no command is used to change the network tuning parameters.

To list the current network parameters / network options
 # no  -a     
To enable IP forwarding
 # no -o "ipforwarding=1"
To make ipforwarding=1 permanent now and after reboot
 # no -p -o ipforwarding=1
To set ipforwarding=1 so that it takes effect only after the next reboot
 # no -r -o ipforwarding=1
To set the ipforwarding to the default level
 # no -d ipforwarding

Network Packet Tracing and analyzing commands

The iptrace, ipreport and tcpdump commands are used to trace and analyze network packets in AIX.

Using iptrace and ipreport utility:

1. Log in as the root user, then type the following command to start the iptrace utility (the arguments for iptrace are passed to startsrc as one quoted string):
 # startsrc -s iptrace -a "-s it-ibm01 -d it-ibm100 -p tcp -i en0 /tmp/iptrace.raw"
The utility will capture all packets using the TCP protocol through the en0 interface from the source host it-ibm01 to the destination host it-ibm100. Captured packets are logged into the raw file /tmp/iptrace.raw.

2. To stop the iptrace daemon so that it no longer captures packets, type the following command:
 # stopsrc -s iptrace
3. To format the report:
 # ipreport -srn /tmp/iptrace.raw > /tmp/iptrace.rpt

Using tcpdump utility:

1. To start tcpdump utility:
 # tcpdump -i en0 -w /tmp/tcpdump.raw host it-ibm01 and it-ibm100 and tcp
2. To read the captured /tmp/tcpdump.raw file
 # tcpdump -v -x -r /tmp/tcpdump.raw > /tmp/tcpdump.rpt


EtherChannel and IEEE 802.3ad Link Aggregation are network port aggregation technologies that allow several Ethernet adapters to be aggregated together to form a single pseudo Ethernet device. For example, ent0 and ent1 can be aggregated into an EtherChannel adapter called ent3; interface en3 would then be configured with an IP address. The system considers these aggregated adapters as one adapter. In addition, all adapters in the EtherChannel or Link Aggregation are given the same hardware (MAC) address, so they are treated by remote systems as if they were one adapter. Both EtherChannel and IEEE 802.3ad Link Aggregation require support in the switch so it is aware which switch ports should be treated as one.

The adapters that belong to an EtherChannel must be connected to the same EtherChannel-enabled switch. You must manually configure this switch to treat the ports that belong to the EtherChannel as an aggregated link.

If an adapter fails, network traffic is automatically sent on the next available adapter without disruption to existing user connections. The adapter is automatically returned to service on the EtherChannel or Link Aggregation when it recovers.

Because the EtherChannel cannot be spread across two switches, the entire EtherChannel is lost if the switch is unplugged or fails. To solve this problem, a new backup option available in AIX 5.2 and later keeps the service running when the main EtherChannel fails. The backup and EtherChannel adapters should be attached to different network switches, which must be inter-connected for this setup to work properly. In the event that all of the adapters in the EtherChannel fail, the backup adapter will be used to send and receive all traffic. When any link in the EtherChannel is restored, the service is moved back to the EtherChannel.

Network Interface Backup

Network Interface Backup protects against a single point of network failure by providing failure detection and failover with no disruption to user connections. When operating in this mode, only one adapter is active at any given time. If the active adapter fails, another adapter in the EtherChannel will be used for all traffic. When operating in Network Interface Backup mode, it is not necessary to connect to EtherChannel-enabled switches.

The Network Interface Backup setup is most effective when the adapters are connected to different network switches, as this provides greater redundancy than connecting all adapters to one switch. When connecting to different switches, make sure there is a connection between the switches. This provides failover capabilities from one adapter to another by ensuring that there is always a route to the currently-active adapter.

To create an EtherChannel with Network Interface Backup
 # mkdev -c adapter -s pseudo -t ibm_ech -a adapter_names='ent0' -a backup_adapter='ent2'
 ent3 Available

 # lsattr -El ent3
 adapter_names   ent0           EtherChannel Adapters                       True
 alt_addr        0x000000000000 Alternate EtherChannel Address              True
 auto_recovery   yes            Enable automatic recovery after failover    True
 backup_adapter  ent2           Adapter used when whole channel fails       True
 hash_mode       default        Determines how outgoing adapter is chosen   True
 mode            standard       EtherChannel mode of operation              True
 netaddr         0              Address to ping                             True
 noloss_failover yes            Enable lossless failover after ping failure True
 num_retries     3              Times to retry ping before failing          True
 retry_time      1              Wait time (in seconds) between pings        True
 use_alt_addr    no             Enable Alternate EtherChannel Address       True
 use_jumbo_frame no             Enable Gigabit Ethernet Jumbo Frames        True

Friday, 19 April 2013

Network Related commands in AIX

host                     Resolves an IP address to a host name (from the /etc/hosts file)

host ibm                 Resolves ibm to an IP address (from the /etc/hosts file)

hostname ibm             Changes the host name to ibm

entstat en0              Shows the status of Ethernet device en0

entstat -d en0           Lists the detailed status of device en0

no -a                    Lists all configurable network attributes and their values

no -d thewall            Resets the thewall parameter to its default value

no -o ipforwarding=1     Makes the machine a router in TCP/IP networks

traceroute ibm           Traces the route to ibm

ping ibm                 Pings the machine ibm

ifconfig -a              Shows the status of all network interfaces

ifconfig en0             Shows the status of en0

ifconfig en0 up          Turns on network card en0

ifconfig en0 down        Turns off network card en0

ifconfig en0 detach      Removes en0 from the network interface list

ifconfig en0 inet netmask up     Configures en0 and starts it immediately

mktcpip -h ibm -a -m -i en0      Assigns the hostname ibm, an IP address and a subnet mask to the en0 interface

ifconfig en0 alias       Creates an alias IP address for en0

route add 0              Makes the given address the default gateway for the entire network

route add                Makes 13.7 the gateway for the 12.0 network

route -f                 Clears the gateway table

chdev -l inet0 -a hostname=ibm    Changes the host name to ibm permanently

netstat -a               Shows the state of all sockets

netstat -c               Shows the network buffer cache

netstat -D               Shows the network packet drops

netstat -i               Displays interface statistics

netstat -r               Shows the routing table

netstat -rn              Shows the routing table (IP addresses instead of host names)

netstat -s               Shows the statistics of the protocols

netstat -s -p <protocol> Shows the statistics of the given protocol

Saturday, 6 April 2013

AIX Network commands

Resolve umserv01 to an IP address (from the /etc/hosts file):
#host umserv01
To change the host name to umserv01:
#hostname umserv01
To show the status of Ethernet device en0:
#entstat en0
To list the detailed status of device en0:
#entstat -d en0
To list all configurable network attributes and their values:
#no -a
To change the thewall parameter to its default value:
#no -d thewall
To make the machine a router in TCP/IP networks:
#no -o ipforwarding=1
To trace the route to umserv01:
#traceroute umserv01
To ping the machine umserv01:
#ping umserv01
To show the status of all network interfaces:
#ifconfig -a
To show the status of en0:
#ifconfig en0
Turn on network card en0:
#ifconfig en0 up
Turn off network card en0:
#ifconfig en0 down
Remove en0 from the network interface list:
#ifconfig en0 detach
Configure en0 and start it immediately:
Temporarily: # ifconfig en0 inet netmask up
Permanently: # chdev -l en0 -a netaddr= -a netmask=0xffffff00
Create an alias IP address for en0:
Temporarily: # ifconfig en0 alias netmask
Permanently: # chdev -l en0 -a alias4=,
Remove a permanently added alias:
# chdev -l en0 -a delalias4=,
# smitty tcpip -> Further Configuration -> Network Interfaces -> Network Interface Selection -> Configure Aliases
To make an address the default gateway for the entire network:
Temporarily: #route add 0
Permanently: #chdev -l inet0 -a route=0,
To make 200.7 the gateway for the 300.0 network:
#route add
To clear the gateway table:
#route -f
To change the host name to umserv01 permanently:
#chdev -l inet0 -a hostname=umserv01
To set the MTU to 1500 on en69:
#chdev -l en69 -a mtu=1500
To show the state of all sockets:
#netstat -a
To show the network buffer cache:
#netstat -c
To show the network packet drops:
#netstat -D
To display interface statistics:
#netstat -i
To show the routing table:
#netstat -r
To show the routing table (IP addresses instead of host names):
#netstat -rn
To show the statistics of the protocols:
#netstat -s
To show the statistics of a particular protocol:
#netstat -s -p <tcp/udp/ipv6>

Monday, 1 April 2013

Linux Network bonding – setup guide

Linux network bonding is the creation of a single bonded interface by combining two or more Ethernet interfaces. This provides high availability for your network interface and can improve performance. Bonding is the same idea as port trunking or teaming.

Bonding allows you to aggregate multiple ports into a single group, effectively combining their bandwidth into a single connection. Bonding also allows you to create multi-gigabit pipes to transport traffic through the busiest areas of your network. For example, you can aggregate three 1 Mbit/s ports into a 3 Mbit/s trunk port, which is equivalent to having one interface running at 3 Mbit/s.

The steps for bonding in Oracle Enterprise Linux and Red Hat Enterprise Linux are as follows.

Step 1. Create the file ifcfg-bond0

Create the file ifcfg-bond0 with the IP address, netmask and gateway. Shown below is my test bonding config file.
$ cat /etc/sysconfig/network-scripts/ifcfg-bond0


Step 2. Modify eth0, eth1 and eth2 configuration

Modify eth0, eth1 and eth2 configuration as shown below. Comment out, or remove the ip address, netmask, gateway and hardware address from each one of these files, since settings should only come from the ifcfg-bond0 file above. Make sure you add the MASTER and SLAVE configuration in these files.
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0

# Settings for Bond

$ cat /etc/sysconfig/network-scripts/ifcfg-eth1

# Settings for bonding

$ cat /etc/sysconfig/network-scripts/ifcfg-eth2


Step 3. Set the parameters for bond0

Set the parameters for the bond0 bonding kernel module. Select the network bonding mode based on your needs, documented at . The modes are:

  • mode=0 (Balance Round Robin)
  • mode=1 (Active backup)
  • mode=2 (Balance XOR)
  • mode=3 (Broadcast)
  • mode=4 (802.3ad)
  • mode=5 (Balance TLB)
  • mode=6 (Balance ALB)
Add the following lines to /etc/modprobe.conf
# bonding commands
alias bond0 bonding
options bond0 mode=1 miimon=100

Step 4. Load the bond driver module

Load the bond driver module from the command prompt.
$ modprobe bonding

Step 5. Restart the network

Restart the network, or restart the computer.
$ service network restart # Or restart computer

When the machine boots up check the proc settings.
$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.0.2 (March 23, 2006)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:13:72:80: 62:f0

Look at ifconfig -a and check that your bond0 interface is active. You are done!

To verify that failover bonding works:

  • Do an ifdown eth0, then check /proc/net/bonding/bond0 and look at the "Currently Active Slave" line.
  • Run a continuous ping to the bond0 IP address from a different machine and ifdown the active interface. The ping should not break.
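The failover check described above, as an added example that is not part of the original guide: these shell functions parse /proc/net/bonding/bond0 and compare a snapshot taken before "ifdown eth0" with one taken after. The two snapshots are constructed for mode=1 (active-backup), as configured in Step 3.

```shell
#!/bin/sh
# Added example, not from the original guide: parse /proc/net/bonding/bond0
# and confirm that a failover really moved traffic to a healthy slave.

# Constructed snapshot taken before "ifdown eth0".
SAMPLE_BEFORE='Ethernet Channel Bonding Driver: v3.0.2 (March 23, 2006)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:13:72:80:62:f0

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:13:72:80:62:f1'

# Constructed snapshot after "ifdown eth0": eth1 is active, eth0 is down with
# one recorded link failure.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" |
    sed 's/^Currently Active Slave: eth0/Currently Active Slave: eth1/' |
    awk '/^Slave Interface: eth0/ { in0 = 1 } /^Slave Interface: eth1/ { in0 = 0 }
         in0 && /^MII Status:/ { $0 = "MII Status: down" }
         in0 && /^Link Failure Count:/ { $0 = "Link Failure Count: 1" } { print }')

bond_mode()   { printf '%s\n' "$1" | sed -n 's/^Bonding Mode: //p'; }
bond_active() { printf '%s\n' "$1" | sed -n 's/^Currently Active Slave: //p'; }
bond_miimon() { printf '%s\n' "$1" | sed -n 's/^MII Polling Interval (ms): //p'; }

# One line per slave: "<iface> <MII status> <link failure count>". The bond
# level "MII Status" line comes before any slave block and is skipped.
bond_slaves() {
    printf '%s\n' "$1" | awk '
        /^Slave Interface:/ { if (s != "") print s, st, fc; s = $3; st = ""; fc = "" }
        s != "" && /^MII Status:/ { st = $3 }
        s != "" && /^Link Failure Count:/ { fc = $4 }
        END { if (s != "") print s, st, fc }'
}

# Field f (2 = MII status, 3 = failure count) of slave n in snapshot $3.
bond_slave_field() { bond_slaves "$3" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'; }

# Verdict on a failover: the active slave must have moved to a slave whose
# link is up, and the old slave must have recorded the failure.
bond_failover_ok() {
    old=$(bond_active "$1"); new=$(bond_active "$2")
    [ "$old" != "$new" ] || { echo "FAIL active slave still $old"; return 1; }
    [ "$(bond_slave_field "$new" 2 "$2")" = up ] ||
        { echo "FAIL new active slave $new is not up"; return 1; }
    [ "$(bond_slave_field "$old" 3 "$2")" -gt "$(bond_slave_field "$old" 3 "$1")" ] ||
        { echo "FAIL $old failure count did not increase"; return 1; }
    echo "OK failover $old -> $new"
}
```

On a real host, capture `"$(cat /proc/net/bonding/bond0)"` before and after the ifdown and pass the two strings to bond_failover_ok; a miimon of 0 (bond_miimon) means link failures are never detected at all.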

Sunday, 31 March 2013

IBM AIX TCP Traffic Regulation

AIX TCP Traffic Regulation


TCP network services and subsystems running on AIX automatically and transparently take advantage of this powerful DoS mitigation technology using simple administrative tuning. This new feature provides a simplified approach to increased network security by leveraging centralized management and firewall-based customization. 

In addition to providing effective service-level and system-level TCP DoS mitigation, IBM AIX TCP Traffic Regulation provides system-wide TCP connection resource diversity across source Internet protocol addresses initiating connections. 

Due to the mass adoption of Internet technology by governments, banks, universities, hospitals, and businesses around the world, our society has transformed to depend on the availability of network services for daily operation. It is imperative that our society's network infrastructure become resilient to active attacks on this availability. 

IBM AIX TCP Traffic Regulation provides a low-cost solution for network service attack resiliency. Availability is assured at the operating system level, allowing for transparent mitigation of active and passive network denial-of-service attacks. To activate protection, an administrator defines a firewall profile and customizes it to protect the specific TCP ports handling critical services. These centralized custom firewall profiles provide the security administrator greater power and flexibility in tailoring network security solutions.

Operating system architecture

IBM AIX TCP Traffic Regulation provides a new architectural layer within the AIX operating system. The goal of this new layer is two-fold: 
  • Provide a centralized management framework for defining custom TCP firewall profiles.
  • Actively manage incoming TCP socket connections and resource diversity in accordance to the current firewall policy.

Figure 1. IBM AIX TCP Traffic Regulation (TR) Architecture 

The firewall policy itself is governed by the profile definitions added, removed, or modified by a systems administrator.

Each profile consists of three elements: 
  • TCP port or port-range requiring protection.
  • Maximum number of incoming socket connections allowed for this profile's TCP port(s).
  • Diversity value (a numerical quantity used to tune the overall diversity of shared TCP resources across the pool of maximum incoming socket connections).
TCP TR actively manages incoming socket connection requests at the kernel level, so the mitigation works transparently and requires no change to existing applications (see Figure 1). Thus, any network service software running on AIX and listening on the TCP ports covered by these firewall profiles is automatically protected from denial-of-service attacks.

Firewall profiles are defined using the tcptr command-line utility. This utility provides interactive administration and scripted manipulation of TCP TR policies. The entire TCP TR system can be turned on or off with the tcptr_enable network option. For example, to activate the subsystem, use the following no command:

no -p -o tcptr_enable=1

The tcptr command assigns a maximum limit of incoming TCP connections to a given network port or a range of ports. Administrative users control system resources related to TCP TR by adding or removing pools of connection resources to be shared collectively by incoming socket requests remotely accessing the AIX TCP layer.

Optionally, a diversity tunable can be specified allowing for increased resource sharing policy control.
Once in effect, these TCP TR profiles become the active policy governing connections. The operating system automatically ensures that resources are shared across multiple remote IP addresses that are attempting to connect through TCP to a specific port. 

Attack overview

Network services are generally agnostic to the underlying operating system resources available and allocated on their behalf for TCP communication. Most TCP services simply attempt to accept new socket connection requests as they are received. If left uncapped, a continuous barrage of TCP connection requests and the subsequent consumption of TCP resources by these network services will eventually use up all the available system resources.

Figure 2. Topology for TCP resource exhaustion

A malicious attacker can make use of this behavior and launch a remote denial-of-service attack against a vulnerable network service over the Internet. The attack eventually makes the service unavailable by establishing thousands of socket connection requests with the vulnerable system. This occurs either from bringing down the system itself or maxing out socket availability for the vulnerable service. Once the system or service has been made unavailable, legitimate clients are blocked from using the network service hosted by the system under attack (See Figure 2).

TCP TR utility

The TCP TR utility configures or displays TCP TR policy information to control the maximum incoming socket connections for ports. The syntax of the utility follows:
tcptr -add <start port> <end port> <max connection> [divisor]
tcptr -delete <start port> <end port>
tcptr -show

  • -add adds new TCP TR policies to the system. You should specify the maximum allowable connections for the current policy, the start port, and the end port with this flag. The start port and the end port can be the same port when a port range is not specified. Optionally, you can specify a divisor to allow a greater diversity of resource sharing on the pool of available TCP connections.
  • -delete deletes existing TCP TR policies that are defined for the system. This flag requires the start port and the end port (which can be the same as the start port if no port range is specified).
  • -show displays all existing TCP TR policies defined on the system. You might use the -show flag to see the active policies before using the -delete flag.
The parameters are:

<max connection>  Specifies the maximum incoming TCP connections for the given TR policy.
<start port>      Specifies the beginning port for the current TR policy.
<end port>        Specifies the end port for the current TR policy. If the port is a range, the value specified must be larger than the start port. If the TR policy is for a single port, the value specified must be equal to the value specified for the start port.
<divisor>         Specifies a divisor to compare the number of available incoming TCP connections with the number of consumed incoming TCP connections for an IP, and corresponds to a division of the overall available connections by a power of two. The divisor is the power of two that is used in the division. This parameter is optional, and if it is not specified, the default value is one. In that case, half of the number of available connections are used.


To add a TCP Traffic Regulation Policy that covers only TCP port 23, and to set a maximum incoming connection pool of 256 with an available connections divisor of 3, enter the following command: 
# tcptr -add 23 23 256 3
To add a TCP Traffic Regulation Policy that covers a TCP port that ranges from 5000 to 6000, and to set a maximum incoming connection pool of 5000 with an available connections divisor of 2, enter the following command: 
# tcptr -add 5000 6000 5000 2
To show TCP Traffic Regulation Policies set for the system, enter the following command:
# tcptr -show 
To delete the TCP Traffic Regulation Policy that covers a TCP port that ranges from 5000 to 6000, enter the following command: 
# tcptr -delete 5000 6000
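As an added example (not part of the original article), the following shell functions validate a list of TCP TR profiles before they are applied and print the tcptr -add commands together with the per-source-IP share those profiles imply. The share is computed as max / 2^divisor, which is this page's description of the divisor; treat that arithmetic as an assumption, and the policy list is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: dry-run validation of TCP TR
# profiles. Per-IP share = max / 2^divisor is an assumption taken from the
# divisor description above, not a documented formula.

# Constructed policy list: "start end max [divisor]" per line. The last one is
# deliberately invalid (end port below start port).
POLICIES='23 23 256 3
5000 6000 5000 2
22 22 128
7000 6500 100 1'

is_uint() { case "$1" in ''|*[!0-9]*) return 1;; esac; }

# Validate one profile; prints the reason and returns 1 when it is rejected.
tcptr_validate() {
    start=$1; end=$2; max=$3; div=${4:-1}
    for v in "$start" "$end" "$max" "$div"; do
        is_uint "$v" || { echo "non-numeric value '$v'"; return 1; }
    done
    [ "$start" -ge 1 ] && [ "$end" -le 65535 ] || { echo "port out of range"; return 1; }
    [ "$end" -ge "$start" ] || { echo "end port $end below start port $start"; return 1; }
    [ "$max" -ge 1 ] || { echo "max connections must be positive"; return 1; }
    return 0
}

# Connections one source IP may hold out of the pool: max / 2^divisor (assumption).
tcptr_share() { echo $(( $1 >> $2 )); }

# Print a tcptr -add line for each valid profile and a SKIP line for the rest.
tcptr_plan() {
    printf '%s\n' "$1" | while read -r s e m d; do
        [ -n "$s" ] || continue
        if msg=$(tcptr_validate "$s" "$e" "$m" "$d"); then
            printf 'tcptr -add %s %s %s %s  # up to %s per source IP\n' \
                "$s" "$e" "$m" "${d:-1}" "$(tcptr_share "$m" "${d:-1}")"
        else
            printf 'SKIP %s-%s: %s\n' "$s" "$e" "$msg"
        fi
    done
}
```

Review the plan output before running the printed commands as root; tcptr_enable must also be on for any profile to take effect.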


IBM AIX TCP Traffic Regulation provides a low-cost solution for network service attack resiliency. Availability is assured at the operating system level allowing for transparent mitigation of active and/or passive network denial-of-service attacks. Network services requiring security and availability should benefit from this powerful operating system technology.

Configuring Persistent static route in Linux

Static routing

Static routing is a form of routing that occurs when a router uses a manually-configured routing entry, rather than information from a dynamic routing protocol to forward traffic. In many cases, static routes are usually manually configured by a network administrator by adding in entries into a routing table, though this may not always be the case.

Unlike dynamic routing, static routes are fixed and do not change if the network is changed or reconfigured. Static routing and dynamic routing are not mutually exclusive. Both dynamic routing and static routing are usually used on a router to maximize routing efficiency and to provide backups in the event that dynamic routing information fails to be exchanged. Static routing can also be used in stub networks, or to provide a gateway of last resort.

Static routes are usually added with the "route add" command. The drawback of the route command is that Linux forgets these routes when it reboots. To make a route persistent across reboots, add it to /etc/sysconfig/network-scripts/route-<eth> .

To add static route using "route add": 

# route add -net netmask gw dev eth0 

Adding Persistent static route:

You need to edit /etc/sysconfig/network-scripts/route-eth0 file to define static routes for eth0 interface. 

Save and close the file. Restart networking: 
# service network restart 
Verify new routing table: 
# route -n 
# netstat -nr
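As an added example (not part of the original post), the shell functions below turn a "route add -net NET netmask MASK gw GW dev DEV" request into the matching persistent line for /etc/sysconfig/network-scripts/route-DEV, converting the dotted netmask to a prefix length and rejecting non-contiguous masks. The route list and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the persistent route-DEV
# file entries that correspond to "route add -net ... netmask ... gw ...".
# The "NET/PREFIX via GW dev DEV" line format is the ip-command style that
# Red Hat style network-scripts accept for route-<eth> files.

# Dotted-quad netmask -> prefix length; fails on malformed or
# non-contiguous masks such as 255.0.255.0.
mask2prefix() {
    bits=0; zero_seen=0; octets=0
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        octets=$((octets + 1))
        case "$o" in
            255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;;
            240) n=4;; 224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;;
            *) echo "invalid netmask octet $o in $1" >&2; return 1;;
        esac
        if [ "$zero_seen" -eq 1 ] && [ "$n" -ne 0 ]; then
            echo "non-contiguous netmask $1" >&2; return 1
        fi
        [ "$n" -eq 8 ] || zero_seen=1
        bits=$((bits + n))
    done
    [ "$octets" -eq 4 ] || { echo "netmask $1 does not have 4 octets" >&2; return 1; }
    echo "$bits"
}

# One route-DEV line: NET MASK GW DEV -> "NET/PREFIX via GW dev DEV".
route_line() {
    p=$(mask2prefix "$2") || return 1
    echo "$1/$p via $3 dev $4"
}

# Whole file for one device from "NET MASK GW" lines; a bad line aborts
# (exit 1 leaves the pipeline subshell, so the function returns non-zero).
build_route_file() {
    dev=$1
    printf '%s\n' "$2" | while read -r net mask gw; do
        [ -n "$net" ] || continue
        route_line "$net" "$mask" "$gw" "$dev" || exit 1
    done
}

# Constructed routes for eth0; the output is what route-eth0 would contain.
ROUTES='10.10.0.0 255.255.0.0 192.168.1.254
172.16.5.0 255.255.255.0 192.168.1.253'
```

Write the output to /etc/sysconfig/network-scripts/route-eth0, restart networking, and confirm with "route -n" that both routes appear.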