ipfstat -io

block in proto tcp from any to 192.168.2.0/24 port = telnet

Note - The ipfstat -io command does not display the rules in the same sequence as they are listed in the /etc/ipf/ipf.conf file. The out rules are listed in order first, and then the in rules are listed.

Configuring Logging in the Solaris IP Filter Firewall

The Solaris IP Filter firewall includes the ability to log its actions. Logged information is sent to the /dev/ipl device. The /dev/ipl device can be monitored by running the ipmon...

sys13# dig @192.168.2.2 two.edu -x 192.168.2.4

; <<>> DiG 9.2.4 <<>> @192.168.2.2 two.edu -x 192.168.2.4
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1914
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;two.edu. IN A
;; AUTHORITY SECTION:
two.edu. 86400 IN SOA sys22.two.edu. root.sys22.two.edu. 2005010101 3600 1800 6048000 86400
;; Query time: 4 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Wed Jan 12 08:19:05 2005
;; MSG SIZE rcvd: 72
;; Got answer:
;; ->>HEADER<...

Configure the Stratum

You can configure the stratum of an NTP server manually by editing the fudge entry in the /etc/inet/ntp.conf file. This is useful when you do not have access to an external NTP server and you have to synchronize with another system manually. When a local clock is configured to act as an accurate source of time, NTP detects this. Systems that use their own clock as a time source advertise themselves as a stratum-4 server by default. However, the fudge keyword can be used to alter this behavior....

Probe-based IPMP Requirements

The following items are required to configure probe-based IPMP on a system: The Solaris 8 10/00 OS, as a minimum, must be installed. Unique MAC addresses must be configured on each network interface. The default configuration for most Sun network adapters has all network interfaces on a system using the same MAC Ethernet address. IPMP requires that all interfaces in an IPMP group be connected to the same IP link. Switched networks use MAC addresses when making decisions about where to send...

8 Specify a network address by either selecting one or typing one type a subnet

The DHCP Configuration Wizard - Step 7 window appears. Figure 11-12 shows you where to specify information about the network. This example uses the defaults Local-Area (LAN) and Use router discovery protocol.

Figure 11-12 DHCP Configuration Wizard - Step 7 Window

9. Select either Local-Area (LAN) or Point-to-Point.
10. Select either Use router discovery protocol or type the router information in the Use router field. The DHCP Configuration...

Duplicate Address Detection

Systems run a duplicate address detection algorithm on an address before that address is assigned to an interface. This is done without regard to the manner in which the address was obtained. The duplicate address detection algorithm works by sending a neighbor solicitation message to the network that contains the address in question. The system receives a neighbor advertisement from any device that is currently using the address. Therefore, if no response is received, the systems assume that...

Subnetting

You can divide a network into subnets to do the following:
- Isolate network traffic within local subnets, therefore reducing contention for network bandwidth
- Enable localization of specific network protocols to a subnet
- Permit the association of a subnet with a specific geography or a department
- Enable administrative work to be broken into logical units

Figure 5-10 shows the basic idea of subnetting, which is to divide the standard host number field into two parts: the subnet number and the host...

Using the snoop Utility

To view NTP server multicast advertisements, use the snoop utility.

Using device /dev/hme (promiscuous mode)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:11:52.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:12:56.98017)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:14:00.98016)
sys11 -> 224.0.1.1 NTP broadcast [st=1] (2004-08-16 11:15:04.98016)

Clients synchronize with servers using unicast packets, as follows:
1. The NTP client sends a message to an NTP server with its...

sys12# rndc status

sys12# rndc trace
sys12# rndc status

Assign the debug level to a specific level.

sys12# rndc trace 8
sys12# rndc status
number of zones: 5
debug level: 8
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
server is up and running
sys12#

If logging is enabled, the debug level is shown along with the logged messages:

Jan 13 07:12:37.548 general: debug 1: received control channel command 'dumpdb'
Jan 13 07:17:02.598 general: debug 1: received control channel command 'status'
Jan 13...

Ethernet-II Frame Analysis

The Ethernet-II frame is a single unit of data transported through the LAN. It is a series of bits with a definite beginning and a definite end. The Ethernet specification describes how bits are encoded on the network and how hosts on the network detect the beginning and the end of a transmission. Figure 3-3 shows the Ethernet-II frame format.

Note - There are two common Ethernet frame formats: the Ethernet-II format and the logical link control 802.3 format. The primary difference between these...

netstat -r

Destination Gateway Flags Ref Use Interface

Observe that the destination networks are now displayed by name instead of by network number, and the loopback address is replaced by its entry from the /etc/inet/hosts file.

Unreliable Protocols

An unreliable protocol does not require that each transmission is acknowledged by the receiving host. Figure 9-8 shows how an unreliable protocol could work.

Initializing a Multihomed Host

A multihomed host is a system with two or more physical network interfaces that does not forward IP datagrams between the networks to which it is attached. In the Solaris 10 OS, all systems with two or more physical network interfaces are multihomed hosts by default. To create a multihomed host, complete the following steps:
1. Become a superuser on the prospective multihomed system.
2. Create an /etc/hostname.interface file for each additional network interface that is installed in the system....

Configuring Filtering on a Specific Network Interface

The Solaris IP Filter firewall applies each rule to every network interface on the system by default. Use of the on keyword enables you to apply a rule to a particular network interface only.

Note - The Solaris IP Filter firewall does not filter the loopback interface. You should not use the interface identifier lo0 in the /etc/ipf/ipf.conf file. Note that the lo identifier does not appear in the /etc/ipf/pfil.ap file.

To apply a rule to a specific interface, use the on keyword followed by the...

Dynamic Routes

Dynamic routes are added to or removed from the routing table by processes, such as the in.routed daemons. When the routing table is updated with information about other reachable networks, the router can forward or deliver datagrams to these networks. The svc:/network/initial SMF service enables routing. Routing in the Solaris 10 OS is implemented by the in.routed daemon. The in.routed daemon implements three routing protocols:
- Routing Information Protocol version 1 (RIPv1)
- Routing Information...

DHCP Server Functions

The DHCP server manages the IP address space of networks connected directly to that server and also manages remote networks connected by BOOTP relay agents. The in.dhcpd daemon runs on the DHCP server. Figure 11-3 shows the interaction between a DHCP client and server.

Figure 11-3 DHCP Client-Server Interaction

Figure 11-4 shows the difference that a BOOTP relay makes for a client that is attempting to contact a server. All DHCP requests are...

VLSM

RFC 950 specifies how an IP network could use subnet masks. When an IP network is assigned more than one subnet mask, it is considered a network with VLSMs because the extended-network numbers have different lengths at each subnet level. Two of the main advantages of assigning more than one subnet mask to a given IP network number are:
- Multiple subnet masks permit more efficient use of an organization's assigned IP address space.
- Multiple subnet masks permit route aggregation, which can...

Configuring a DHCP Client to Request a Dynamic Host Name

If a client system is already running the Solaris 10 OS and is not using DHCP, complete the following steps to configure the DHCP client to request dynamic host names:
1. Log in as the root user on the DHCP client system.
2. Enable DHCP on the client by creating the appropriate file for the external interface, which is hme0 in this example.

Note - Verify that the /etc/hostname.interface file exists for the interface being configured using DHCP; otherwise, the interface will not be plumbed. This...

Configuring a DHCP Client to Use its Own Host Name

DHCP clients running the Solaris 10 OS can be configured to use their own hostname instead of a hostname supplied by the DHCP server. If a client system is already running the Solaris 10 OS and is not using DHCP, complete the following steps to configure the DHCP client to use its own host name:
1. Log in as the root user on the DHCP client system.
2. Edit the /etc/default/dhcpagent file.
3. Find the keyword REQUEST_HOSTNAME in the /etc/default/dhcpagent file, and verify that the entry is not...

netstat -rnv

Destination Mask Gateway Device Mxfrg Rtt Ref Flg Out In/Fwd
172.20.221.6 255.255.255.255 192.168.2.254 1500 0 1 UGH 0 0
192.168.2.0 255.255.254.0 192.168.3.239 eri0 1500 0 1 U 0 0
127.0.0.1 255.255.255.255 127.0.0.1 lo0 8232 0 1 UH 10 0

A CIDR and VLSM aware routing protocol, such as RIPv2, must be used on the router that connects this supernetted network to other networks. Subnetting is the application of a netmask on an IP address to divide the network up into smaller pieces. CIDR and VLSM...

Configuring the Solaris IP Filter Firewall to Log by Using Syslog

The -s option to the ipmon command causes log information to be sent to the syslogd daemon. The Solaris IP Filter firewall sends packets by using the local0 facility, and so the /etc/syslog.conf file must be configured appropriately to record logging information sent to it by the ipmon command. The Solaris IP Filter firewall generates messages at four levels, as shown in Table 13-3.

Table 13-3 Solaris IP Filter Firewall Message Levels

Packets...

Configuring a Singleton IPMP Group in IPv6 on the Command Line

To create a singleton IPMP group, assign a multipath group name to the interface:

ifconfig hme0 inet6 group singleton

inet 128.0.0.1 netmask ff000000
hme0: mtu 1500 index 2
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
groupname singleton
ether 8:0:20:b9:72:23
hme0: mtu 1500 index 2
ether 8:0:20:c1:4b:44
inet6 fe80::a00:20ff:fec1:4b44/10
groupname singleton
hme0:1: mtu 1500 index 2
inet6 2000::1:a00:20ff:fec1:4b44/64
hme0:2: mtu 1500 index 2
inet6 fec0::1:a00:20ff:fec1:4b44/64

If the single...

View the Link-based IPMP Configuration

To view the configuration of the interfaces when the system is booted, use the ifconfig command:

inet 127.0.0.1 netmask ff000000
hme0: mtu 1500 index 2
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
groupname ipmp_group0
ether 8:0:20:b9:72:23
hme1: mtu 1500 index 3
inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
groupname ipmp_group0
ether 8:0:20:ac:9b:21

To verify that the IPMP daemon is running, use the following command Messages to the console and to /var/adm/messages from...

Working on all Non-Router Systems sysX2, sysX3, sysX4

10. Either reboot the non-router systems, or wait a few minutes for the route information to propagate through the network.

svc.startd: The system is coming down. Please wait.

11. Use the ping command to send ICMP echo requests from a non-router system to the site-local address of another non-router system on another subnet to verify that the routing is functioning as expected. (You may have to wait enough time for the routing information to be updated after the prior step's system boot.)

ping fec0::2:a00...

Start the in.mpathd Daemon to Monitor the Interfaces

The starting of the in.mpathd daemon is controlled by the TRACK_INTERFACES_ONLY_WITH_GROUPS parameter in the /etc/default/mpathd file. The contents of this file are:

#pragma ident "mpathd.dfl 1.2 00/07/17 SMI"
# Time taken by mpathd to detect a NIC failure in ms. The minimum time
# that can be specified is 100 ms.
# Failback is enabled by default. To disable failback turn off this option
# By default only interfaces configured as part of multipathing groups
# are tracked. Turn off this option to track all...

routeadm

IPv4 forwarding
IPv4 routing
IPv6 forwarding
IPv6 routing
IPv4 routing daemon
IPv4 routing daemon args
IPv4 routing daemon stop
IPv6 routing daemon
IPv6 routing daemon args
IPv6 routing daemon stop
kill -TERM `cat /var/tmp/in.routed.pid`
kill -TERM `cat /var/tmp/in.ripngd.pid`

To stop the in.routed daemon, type the command

Configuring Link-based IPMP by Using Configuration Files

This example shows IPMP configuration on an existing, configured hme0 interface and on an existing, but unconfigured, hme1 interface on the sys11 (192.168.1.1) system. The multipath group is called ipmp-group0. The data address for the hme0 interface remains 192.168.1.1, and the data address for the hme1 interface is 192.168.1.21. To configure link-based IPMP, complete the following steps, which are described in greater detail in the next sections.
1. Verify the Solaris OS release.
2. Configure...

Configuring Secondary DNS Servers

The contents of the /etc/named.conf file on the secondary DNS server can be less complex than that of the primary server. If a server is to act as both a primary server for some domains and a secondary server for other domains, the /etc/named.conf file must contain keywords that are appropriate to both functions. The master keyword denotes a primary server for a domain, and the slave keyword denotes a secondary server for a domain when used as arguments to the type directive. An example of an /etc...

Introducing the dhcptab Table

Use the dhcptab configuration table to organize groups of configuration parameters as macro definitions. You can reference one macro in the definition of other macros. The DHCP server uses these macros to return groups of configuration parameters to DHCP and BOOTP clients. The preferred methods of managing the dhcptab table are through the use of the dhcpmgr utility or dhtadm command. View the contents of the dhcptab table by using the Macros and Options tabs in the DHCP Manager, or by using...

Configuring Probe-based IPMP by Using Configuration Files

This example shows IPMP configuration on an existing configured hme0 interface and on an existing but unconfigured qfe1 interface on the sys11 (192.168.1.1) system. The multipath group is called mpgrp-one.

Note - To maximize the resistance of your configuration to failure, the IPMP group should consist of interfaces that each reside on a different interface card. This approach minimizes the number of common components in a configuration.

The 192.168.1.51 address for the hme0 interface The...

Now that IPMP is completely configured to view the configuration of the

inet 127.0.0.1 netmask ff000000
hme0: mtu 1500 index 2
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
groupname mpgrp-one
ether 8:0:20:b9:72:23
inet 192.168.1.51 netmask ffffff00 broadcast 192.168.1.255
qfe1: mtu 1500 index 3
inet 192.168.1.21 netmask ffffff00 broadcast 192.168.1.255
groupname mpgrp-one
ether 8:0:20:ac:9b:21
inet 192.168.1.71 netmask ffffff00 broadcast 192.168.1.255

Configuring an IPv6 6to4 Router

The 6to4 router mechanism is designed to support the transition from IPv4 to IPv6 addressing. Using the 6to4 mechanism, two IPv6 networks can communicate with each other over an intermediate IPv4 network. A 6to4 tunnel is created and the intermediate network does not need to be IPv6 aware. Use of the 6to4 mechanism requires a boundary router on each IPv6 network. The boundary router is configured with one interface running IPv4 and connected to the public internet by using a public IPv4...

router# netstat -r

grep ipnodes /etc/nsswitch.conf

Configuring the /etc/inet/ndpd.conf File

Configure the /etc/inet/ndpd.conf file to contain the subnet's prefix configuration information on the routers. You do not advertise link-local addresses on a router because a link-local address cannot be routed. Recall that:
- A link-local address starts with FE8.
- A site-local address starts with FEC.
- An aggregatable global-unicast address starts with 2 or 3.

The following example demonstrates how to configure this information:

Router advertisements are to be...

RIP Version 2

RIP version 2 was developed to address some of the limitations of RIPv1, while maintaining backward compatibility combined with the simplicity of RIPv1. RIPv2 has the following characteristics:
- RIPv2 supports VLSM and non-byte-bounded subnet masks.
- RIPv2 uses multicast to advertise routes. The 224.0.0.9 multicast address is reserved for RIPv2.
- RIPv2 includes support for simple authentication of messages.

Note - RIP version 2 is defined in RFC 2453.

ifconfig hme0:1 plumb 192.169.1.1 up

To view the changes made to the interface, use the ifconfig command:

inet 127.0.0.1 netmask ff000000
hme0: mtu 1500 index 2
inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
ether 8:0:20:b9:72:23
hme0:1: mtu 1500 index 2
inet 192.169.1.1 netmask ffffff00 broadcast 192.169.1.255

The hme0:1 interface is now configured, it has a default netmask of ffffff00 (255.255.255.0), and it has a broadcast address of 192.169.1.255. You can assign different values for the netmask and broadcast address if...

Peer-to-Peer Communication

Peer-to-peer communication occurs when one layer on a system communicates with a corresponding layer on another system. Figure 1-7 illustrates the peer-to-peer communications between the layers at either end of a network interaction. For example, the Application layer on the source system interacts with the Application layer on the destination system.

Figure 1-7 labels: Communication Path, Physical Transmission Medium. Legend: TH Transport Header, IH Internet Header, NH Network...

Topics Not Covered

This course does not cover the following topics. Many of these topics are covered in other courses offered by Sun Educational Services:
- Solaris Operating System (Solaris OS) system administration - Covered in SA-200-S10 Intermediate System Administration for the Solaris 10 Operating System and SA-202-S10 Advanced System Administration for the Solaris 10 Operating System
- Server storage administration - Covered in ES-222 Solaris Volume Manager Administration and ES-310 Volume Manager With Sun...