On network servers, it is an important requirement to ensure that the network interface is available at all times. On Red Hat Enterprise Linux 7, you can create aggregated network interfaces.
Use network teaming or network bonding to accomplish this goal.In earlier versions of RHEL, network bonding was the default method for creating aggregated network interfaces. In RHEL 7, network teaming has been added as a solution. The main difference between these two is that network bonding happened completely in user space, whereas, in network teaming, the teamd daemon is added to allow interaction in user space as well. Even if both methods are still valid, network teaming is the preferred method.On earlier versions of Red Hat Enterprise Linux, network bonding was used to accomplish the same goals. Network teaming is new in Red Hat Enterprise Linux 7.
The solution consists of a small kernel driver and a daemon that is available in userspace: teamd. # rpm -qa grep teamdteamd-1.27-4.el7.x8664The kernel takes care of handling network packets, while the teamd driver handles logic and interface processing. To determine how exactly this is happening, different runners are used. Runners in teaming are equivalent to the bonding modes.
They are used to define the logic of traffic handling between the interfaces that are involved in the configuration. The table below gives a summary of available runners. RunnerRemarkroundrobinThis is the default that we are using, it simply sends packets to all interfaces in the team in a round robin manner, that is one at a time followed by the next interface.broadcastAll traffic is sent over all ports.activebackupOne interface is in use while the other is set aside as a backup, the link is monitored for changes and will use the failover link if needed.loadbalanceTraffic is balanced over all interfaces based on Tx traffic, equal load should be shared over available interfaces.lacpImplements 802.3ad LACP protocol.1. Configure Network Team Using JSON-format definitions Not Persistent1.
Create a JSON-format definition file for the team and its component ports,in this example, /root/teamconfig/team0.conf.
Enable Network Redhat 7 0
Linux TCP/IP Network Configuration Files:FileDescription/etc/resolv.confList DNS servers for internet domain name resolution.Manual page for: /etc//etc/hostsLists hosts to be resolved locally (not by DNS).Manual page for: /etc//etc/nsswitch.confList order of host name search. Typically look at local files, then NIS server, then DNS server.Manual page for: /etc/Red Hat/Fedora/CentOS: /etc/sysconfig/networkSpecify network configuration. Static IP, DHCP, NIS, etc.Red Hat/Fedora/CentOS: /etc/sysconfig/network-scripts/ifcfg- deviceSpecify TCP network information.Ubuntu/Debian: /etc/network/interfacesSpecify network configuration and devices.
Static IP and info, DHCP, etc. Domain Resolution Configuration Files:The following files configure the system so that host names can be resolved.This is required when one will ssh to a host name eg. Venus.megacorp.com or point an email client to smtp.megacorp.com.The system must be able to resolve the host names to IP addresses so that the network connection can be made. File: /etc/ - host name resolver configuration file to define server responsible for name resolutionsearch name-of-domain.com - Name of your domain or ISP's domain if using their name servernameserver XXX.XXX.XXX.XXX - IP address of primary name servernameserver XXX.XXX.XXX.XXX - IP address of secondary name serverThis configures Linux so that it knows which DNS server will be resolvingdomain names into IP addresses. If using DHCP client, this will automaticallybe sent to you by the ISP and loaded into this file as part of the DHCP protocol.
If using a staticIP address, ask the ISP or check another machine on your network.Red Hat/Fedora GUI: /usr/sbin/system-config-network (select tab 'DNS'). File: /etc/ - locally resolve node names to IP addresses by explicit definition127.0.0.1 your-node-name.your-domain.com localhost.localdomain localhostXXX.XXX.XXX.XXX node-nameNote when adding hosts to this file, place the fully qualified namefirst. (It helps sendmail identify your server correctly) i.e.:XXX.XXX.XXX.XXX superserver.yolinux.com superserverThis informs Linux of local systems on the network which arenot handled by the DNS server.(or for all systems in your LAN if you are not using DNS or NIS)The file format for the hosts file is specified by.Red Hat/Fedora configuration GUI: /usr/sbin/system-config-network (select tab 'Hosts').
File: /etc/ - System Databases and Name Service Switch configuration file. Define the cascading priority of name resolvershosts: files dns nisplus nisThis example tells Linux to first resolve a host name by looking at thelocal hosts file ( /etc/hosts), then if the name is not found lookto your DNS server as defined by /etc/resolv.conf and if not found there look to your NIS server.In the past this file has had the following names:/etc/nsswitch.conf, /etc/svc.conf, /etc/netsvc.conf. Depending onthe distribution.Note that device configuration information can be found in the autogenerated file /etc/udev/rules.d/70-persistent-net.rules. Fedora / Red Hat Network Configuration Files:Files which hold the Linux system network configuration:. /etc/sysconfig/networkRed Hat network configuration file used by the system during the boot process.
File: /etc/sysconfig/network-scripts/ifcfg-eth0Configuration settings for your first ethernet port (0). Yoursecond port is eth1. File:.
/etc/modprobe.conf (kernel 2.6). /etc/modules.conf (kernel 2.4). (or for older systems: /etc/conf.modules)Example statement for Intel ethernet card:alias eth0 eepro100Modules for other devices on the system will also be listed.This tells the kernel which device driver to use if configured as aloadable module.
(default for Red Hat). Command line IP Configuration: ifconfigifconfig interface aftype options address.where:. interface: eth0, eth1, eth2 represent the computer ethernet interfaces.
aftype: inet (TCP/IP, default), inet6 (IPv6), ax25 (AMPR Packet Radio), ddp (Appletalk Phase 2), ipx (Novell IPX) or netrom (AMPR Packet radio)Options:OptionDescriptionupActivate the interface. Implied if IP addresses are specified.downShut down interfacearpEnable ARP protocol on this interface. Allow ARP to detect the addresses of computer hosts attached to the network.-arpDisable ARP protocol on this interfacepromiscEnable promiscuous mode. Receive all packets on the network not just those destined for this interface.-promiscDisable promiscuous mode.mtu ##Specify the Maximum Transfer Unit (MTU) of the interface. The MTU is the maximum number of octets the interface is able to handle in a single transaction.
Defaults: Ethernet: 1500 SLIP: 296broadcast XXX.XXX.XXX.XXXSet the network broadcast address for this interface.netmask XXX.XXX.XXX.XXXSet the IP network mask for this interface.Man page. Network Classes:The concept of network classes is a little obsolete as subnets are now usedto define smaller networks using CIDR (Classless Inter-Domain Routing) as detailed above.These subnets may be part of a class A, B, C, etcnetwork. For historical reference the network classes are defined as follows:.
Class A: Defined by the first 8 bits with a range of 0 - 127.First number (8 bits) is defined by Internic i.e. 77.XXX.XXX.XXXOne class A network can define 16,777,214 hosts.Range: 0.0.0.0 - 127.255.255.255.
Class B: Defined by the first 8 bits with a range from 128 - 191First two numbers (16 bits) are defined by Internic i.e. 182.56.XXX.XXXOne class B network can define 65,534 hosts.Range: 128.0.0.0 - 191.255.255.255. Class C: Defined by the first 8 bits with a range from 192 - 223First three numbers (24 bits) are defined by Internic i.e. 220.56.222.XXXOne class B network can define 254 hosts.Range: 192.0.0.0 - 223.255.255.255.
Class D: Defined by the first 8 bits with a range from 224 - 239This is reserved for multicast networks (RFC988)Range: 224.0.0.0 - 239.255.255.255. Class E: Defined by the first 8 bits with a range from 240 - 255This is reserved for experimental use.Range: 240.0.0.0 - 247.255.255.255. Enable Forwarding:Forwarding allows the network packets on one network interface (i.e. Eth0) to be forwarded to another network interface (i.e. Eth1).This will allow the Linux computer to connect ('ethernet bridge') or route network traffic.The bridge configuration will merge two (or several) networksinto one single network topology.
IpTables firewall rules can be usedto filter traffic.A router configuration can support multicast and basic IP routing using the ' route'command. IP masquerading (NAT) can be used to connect private localarea networks (LAN) to the internet or load balance servers. Turn on IP forwarding to allow Linux computer to act as a gateway or router.echo 1 /proc/sys/net/ipv4/ipforwardDefault is 0. One can add firewall rules by using (or ).Another method is to alter the Linux kernel config file: /etc/sysctl.confSet the following value:net.ipv4.ipforward = 1See file /etc/sysconfig/network for storing this configuration.FORWARDIPV4=trueChange the default 'false' to 'true'.All methods will result in a proc file value of '1'.Test: cat /proc/sys/net/ipv4/ipforwardThe and(Kernel 2.2 RH 7.0-) cover /proc/sys/net/ipv4/. file descriptions.Also see: (YoLinux tutorials). Configure Linux as an internet gateway router:( iptables). ( ipvsadm).
![]()
Adding a network interface card (NIC):Manual method:This does not alter the permanent configuration and will onlyconfigure support until the next reboot. cd /lib/modules/2.2.5-15/net/ - Use kernel version for your system.
VPN, Tunneling:. YoLinux. IPSec VPN for Linux. IPSec VPN for Linux (follow-on to FreeSWAN).
SSL VPNsolution for site to site, WiFi security, and enterprise-scale remoteaccess with load balancing, failover, and fine-grained access-controls. Java SLL based VPN. VLAN.
traffic analysis. CIPE: Crypto IP Encapsulation (Easiest way to configure twoLinux gateways connecting two private networks over the internet withencryption.).
CIPE is a simple encapsulation system that securely connects two subnets. Matthew D. Wilson. virtual private networks. Useful Linux networking commands:. /etc/rc.d/init.d/network start - command to start, restart or stop the network. Display connections, routing tables, stats etc.
List externally connected processes: netstat -punta.a: Show both listening and non-listening sockets.p: Show PID of process owning socket.u: Show UDP.t: Show TCP.n: Show IP addresses only. Inetd/xinetd: Network Socket Listener Daemons:The network listening daemons listen and respond to all networksocket connections made on the TCP/IP ports assigned to it.The ports are defined by the file /etc/services.When a connection is made, the listener will attempt to invoke the assignedprogram and pipe the data to it.This simplified matters by allowing the assigned program to read from stdininstead of making its own sockets connection. The listener handles thenetwork socket connection.Two network listening and management daemons have been used in Red Hat Linuxdistributions:.
inetd: Red Hat 6.x and older. xinetd: Red Hat 7.0-9.0, Fedora. Inetd:Configuration file: /etc/inetd.confEntries in this file consist of a single line made up of the following fields:service socket-type protocol wait user server cmdline. service: The name assigned to the service.
Matches the name given in the file /etc/services. socket-type:. stream: connection protocols (TCP). dgram: datagram protocols (UDP). raw. rdm.
seqpacket. protocol: Transport protocol name which matches a name in the file /etc/protocols. Udp, icmp, tcp, rpc/udp, rpc/tcp, ip, ipv6. wait: Applies only to datagram protocols (UDP). wait.max: One server for the specified port at any time (RPC). nowait.max: Continue to listen and launch new services if a new connection is made. (multi-threaded)Max refers to the maximum number of server instances spawned in 60 seconds.
(default=40). user.group: login id of the user the process is executed under. Oftennobody, root or a special restricted id for that service. server: Full path name of the server program to be executed. cmdline: Command line to be passed to theserver. This includes argument 0 (argv0), that is the command name.This field is empty for internal services.Example of internal TCP services: echo, discard, chargen (charactergenerator), daytime (human readable time), and time (machine readabletime).
(see RFC)Sample File: /etc/inetd.conf#echo stream tcp nowait root internal#echo dgram udp wait root internalftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d#swat stream tcp nowait.400 root /usr/sbin/swat swatA line may be commented out by using a '#' as the first character in the line.This will turn the service off.The maximum length of a line is 1022 characters.The inet daemon must be restarted to pick upthe changes made to the file:/etc/rc.d/init.d/inetd restartFor more information see the man pages 'inetd' and 'inetd.conf'. Remote commands: rcp, rsh, rlogin, rwho.Most of the original Unix remote commands have been superceded by secureshell equivalents.
Instead of telnet, rsh or rlogin, one should use the encrypted connection ssh. user interface to the TELNET protocol. remote login. remote shell to execute a command and return results.
Remote command execution over UUCP. Sons of thunder don't hate me quotes. remote file copy. Unix to Unix copy (AWS and RHEL EPEL repo)- UUCP execution daemon- UUCP file transfer daemon- Call up another system (cu is an old legacy command which is reported to not work very well)See the for use of ssh, rssh, scp and sftp. RWHO: Remote Who daemon - rwhodThe ' rwho' command is used to display users logged into computers on your LAN.By default, Red Hat Linux has the network interface to the rwhod disabled.Thus if one issues the command ' rwho',you will only see who is logged into the system you are logged into andnot remote systems on the network.This is a safe approach for internet servers as it reduces the exposureof a service which could be exploited by hackers. If you wish to use rwhodon a local private and firewall protected network, here is how:Allow broadcast capabilities.
Edit /etc/init.d/rwhodchange from: daemon rwhodto: daemon rwhod -bStart service:. Set service to start with system boot: chkconfig -level 345 rwhod on. Start rwhod service: service rwhod start(or: service rwhod restart)Man pages:.: who is logged in on local network machines.: system status server.: show who is logged on to the same system.
PAM: Network Wrappers:Pluggable Authentication Modules for Linux (TCP Wrappers)This system allows or denies network access.One can reject or allow specific IP addresses or subnets to access your system.File: /etc/hosts.allow in.ftpd:208.188.34.105This specifically allows the given IP address to ftp to your system.One can also specify an entire domain. I.e.name-of-domain.comNote the beginning '.' .File: /etc/hosts.deny ALL:ALLThis generally denies any access.File: /etc/inetd.conf ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -aThe inet daemon accepts the incoming network stream and assigns itto the PAM TCP wrapper, /usr/sbin/tcpd, which accepts or denies the network connection asdefined by /etc/hosts.allow and /etc/hosts.deny and thenpasses it along to ftp. This is logged to /var/log/secureAdvanced PAM: More specific access can be assigned and controlled bycontrolling the level of authentication required for access.Files reflect the inet service name.
Rules and modules are stacked toachieve the level of security desired.See the files in /etc/pam.d/. (some systems use /etc/pam.conf)The format: service type control module-path module-arguments. auth - (type) Password is required for the user. nullok - Null or non-existent password is acceptable. shadow - encrypted passwords kept in /etc/shadow. account - (type) Verifies password.
Can track and force password changes. password - (type) Controls password update. retry=3 - Sets the number of login attempts. minlen=8 - Set minimum length of password.
session - (type) Controls monitoringModules:. /lib/security/pampwdb.so - password database module.
/lib/security/pamshells.so -. /lib/security/pamcracklib.so - checks is password is crackable. /lib/security/pamlistfile.soAfter re-configuration, restart the daemon: killall -HUP inetdFor more info see:. ICMP:ICMP is the network protocol used by the ping and traceroutecommands.ICMP redirect packets are sent from the router to the host to inform the host of a better route.To enable ICMP redirect, add the following line to /etc/sysctl.conf:net.ipv4.conf.all.acceptredirects = 1Add the following to the file: /etc/rc.d/rc.localfor f in /proc/sys/net/ipv4/conf/./acceptredirectsdoecho 1 $fdoneCommand to view Kernel IP routing cache: /sbin/route -CnNOTE: This may leave you vulnerable to hackers as attackers may alteryour routes. Traffic Control (TC) and TC New Generation (TCNG):TC: Install:. Ubuntu/Debian: apt-get install iproute. Red Hat/CentOS/Fedora: yum install iprouteDescription:The Linux Kernel is capable of controlling bandwidth peaks, traffic prioritization and scheduling and if necessary, dropping excess traffic, all using the traffic control command 'tc' to manage a set of queues (default queue: pfifofast).Bandwidth control is called traffic shaping.
Network Monitoring Tools:. dump traffic on a network. See discussion below.Command line optionDescription-cExit after receiving count packets.-CSpecify size of output dump files.-iSpecify interface if multiple exist. Lowest used by default. Eth0-w file-nameWrite the raw packets to file rather than parsing and printing them out.They can later be printed with the -r option.-nImprove speed by not performing DNS lookups. TCP vs UDP:Transmission Control Protocol (TCP) is a network transport Internet Protocol (IP) typically used for its bi-directional communications reliability.TCP is a protocol which first establishes a connection and then transmits data over that connection. Configuring Linux For Network Multicast:Regular network exchanges of data are peer to peer unicast transactions.An HTTP request to a web server (TCP/IP), email SNMP (TCP/IP), DNS (UDP),FTP (TCP/IP).
SLIP: Serial Line IP (older than PPP and less capable)Devices:InterfacesDescriptionsl0sl1sl2sl3SLIP interfaces. Serial port related man pages:. get/set Linux serial port informationTypical configuration:.
Interrupt detection: /sbin/setserial -W /dev/cua. Configuration: /sbin/setserial /dev/cua1 autoirq skiptest autoconfigor /sbin/setserial /dev/cua1 autoirq skiptest autoconfig uart 16550. Display Configuration: /sbin/setserial -bg /dev/cua.
Enable hardware handshake: stty crtscts.
10.4 Command-line Network Configuration InterfacesIf the NetworkManager service is running, youcan use the nmcli command to display the stateof the system's physical network interfaces, for example:# nmcli device statusDEVICE TYPE STATEem1 ethernet connectedem2 ethernet connectedlo loopback unmanagedYou can use the ip command to display thestatus of an interface, for debugging, or for system tuning. Forexample, to display the status of all active interfaces:# ip addr show1: lo: mtu 16436 qdisc noqueue state UNKNOWNlink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6::1/128 scope hostvalidlft forever preferredlft forever2: em1: mtu 1500 qdisc pfifofast state UP qlen 1000link/ether 08:00:27:16:c3:33 brd ff:ff:ff:ff:ff:ffinet 10.0.2.15/24 brd 10.0.2.255 scope global em1inet6 fe80::a00:27ff:fe16:c333/64 scope linkvalidlft forever preferredlft foreverFor each network interface, the output shows the current IPaddress, and the status of the interface. To display the status ofa single interface such as em1, specify itsname as shown here:# ip addr show dev em12: em1: mtu 1500 qdisc pfifofast state UP qlen 1000link/ether 08:00:27:16:c3:33 brd ff:ff:ff:ff:ff:ffinet 10.0.2.15/24 brd 10.0.2.255 scope global em1inet6 fe80::a00:27ff:fe16:c333/64 scope linkvalidlft forever preferredlft foreverYou can also use ip to set properties andactivate a network interface. The following example sets the IPaddress of the em2 interface and activates it:# ip addr add 10.1.1.1/24 dev em2# ip link set em2 up. NoteYou might be used to using the ifconfigcommand to perform these operations.
However,ifconfig is considered obsolete and willeventually be replaced altogether by the ipcommand.Any settings that you configure for network interfaces usingip do not persist across system reboots. Tomake the changes permanent, set the properties in the/etc/sysconfig/network-scripts/ifcfg- interfacefile.Any changes that you make to an interface file in/etc/sysconfig/network-scripts do not takeeffect until you restart the network service or bring theinterface down and back up again.
When a system administrator wants to increase the bandwidth available and provide redundancy and load balancing for data transfers, a kernel feature known as network bonding allows to get the job done in a cost-effective way.Read more about how to increase or bandwidth throttling in LinuxHow to Limit the Network Bandwidth Used by Applications in a Linux with TrickleVia— TecMint.com (@tecmint)In simple words, bonding means aggregating two or more physical network interfaces (called slaves) into a single, logical one (called master). If a specific NIC (Network Interface Card) experiences a problem, communications are not affected significantly as long as the other(s) remain active.Read more about network bonding in Linux systems here:.Enabling and Configuring Network Bonding or TeamingBy default, the bonding kernel module is not enabled. Thus, we will need to load it and ensure it is persistent across boots.
![]()
When used with the -first-time option, modprobe will alert us if loading the module fails: # modprobe -first-time bondingThe above command will load the bonding module for the current session. In order to ensure persistency, create a.conf file inside /etc/modules-load.d with a descriptive name, such as /etc/modules-load.d/bonding.conf: # echo '# Load the bonding kernel module at boot' /etc/modules-load.d/bonding.conf# echo 'bonding' /etc/modules-load.d/bonding.confNow reboot your server and once it restarts, make sure the bonding module is loaded automatically, as seen in Fig. Check Network Bonding Module Loaded in KernelIn this article we will use 3 interfaces ( enp0s3, enp0s8, and enp0s9) to create a bond, named conveniently bond0.To create bond0, we can either use nmtui, the text interface for controlling NetworkManager. When invoked without arguments from the command line, nmtui brings up a text interface that allows you to edit an existing connection, activate a connection, or set the system hostname.Choose Edit connection – Add – Bond as illustrated in Fig. Create Network Bonding ChannelIn the Edit Connection screen, add the slave interfaces ( enp0s3, enp0s8, and enp0s9 in our case) and give them a descriptive (Profile) name (for example, NIC #1, NIC #2, and NIC #3, respectively).In addition, you will need to set a name and device for the bond ( TecmintBond and bond0 in Fig.
3, respectively) and an IP address for bond0, enter a gateway address, and the IPs of DNS servers.Note that you do not need to enter the MAC address of each interface since nmtui will do that for you. You can leave all other settings as default. 3 for more details.
Check Kernel Interface TableIt is important to note that there are several bonding modes, each with its distinguishing characteristics. They are documented in section 4.5 of the guide. Depending on your needs, you will choose one or the other.In our current setup, we chose the Round-robin mode (see Fig. 3), which ensures packets are transmitted beginning with the first slave in sequential order, ending with the last slave, and starting with the first again.The Round-robin alternative is also called mode 0, and provides load balancing and fault tolerance. To change the bonding mode, you can use nmtui as explained before (see also Fig. Changing Bonding Mode Using nmtuiIf we change it to Active Backup, we will be prompted to choose a slave that will the only one active interface at a given time. If such card fails, one of the remaining slaves will take its place and becomes active.Let’s choose enp0s3 to be the primary slave, bring bond0 down and up again, restart the network, and display the kernel interface table (see Fig.
8).Note how data transfers ( TX-OK and RX-OK) are now being made over enp0s3 only: # ip link set dev bond0 down# ip link set dev bond0 up# systemctl restart network. Check Network Bond as Kernel SummaryIn this chapter we have discussed how to set up and configure bonding in Red Hat Enterprise Linux 7 (also works on CentOS 7 and Fedora 22+) in order to increase bandwidth along with load balancing and redundancy for data transfers.As you take the time to explore other bonding modes, you will come to master the concepts and practice related with this topic of the certification.If you have questions about this article, or suggestions to share with the rest of the community, feel free to let us know using the comment form below. I noticed a serious problem that needs your attention: How to configure automatic recovery of a failed port in RHEL7.0 teaming? I successfully configured teaming (active backup) by following a similar procedure, in a RHEL 7.0 server.The failover from port1 to port2 (from main to backup) was also successful by just applying the proper command, but when I tried to failover again from port2 to port1 (from backup to main), it was not possible.I found port1 still in a failed state (down) and I had to recover it up manually. This is a big problem because if the backup (port2) also fails, the network will remain in a failed state and never recovers.So is there a solution to this problem: a command to (try to) immediately recover (stimulate) a failed port after a failover, so that it becomes soon ready to switch back to main (active) again if/when necessary. This means the config must always try keeping both ports UP so that failover never fails. Great article.
However, when a server reboots, the bond0 link doesn’t come up because there’s a bug in centos7 that doesn’t start up the bond0 interface automatically.To resolve my issue, I added this command below which stated above to the “ /etc/rc.d/rc.local” and then run “ chmod +x /etc/rc.d/rc.local” to ensure that this script will be executed during boot. Reason being that /etc/rc.local or /etc/rc.d/rc.local are no longer executed by default due to systemd-changes. To still use those, you need to make /etc/rc.d/rc.local executable.So again,1. Open this file /etc/rc.d/rc.local2. Add “ ip link set dev bond0 up” to it (bond0 is your bonding interface or whatever it was named as).3.
Save and run “ chmod +x /etc/rc.d/rc.local“.
Multi-page HTML.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |