Difference between revisions of "HowTo Setup A Server With Multiple Network Interface Adapters Using: "nstnetcfg""

From NST Wiki
(Manual Mode)
(Manual Mode)
Line 985: Line 985:
 
</div>
 
</div>
  
Enable Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using all network interfaces found in file: "'''/etc/nst/promisc.conf'''"
+
Enable Promiscuous mode ''''On'''' for network interface: "'''netmon0'''" using the promiscuous configuration file: "'''/etc/nst/promisc.conf'''"
 
<div class="screen">
 
<div class="screen">
 
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div>
 
<div class="userInput"><span class="prompt">[root@probe ~]# </span>nstnetcfg -m promiscon -v;</div>
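Review bot: The reworded sentence still names a single interface, "netmon0", but the command shown under it, nstnetcfg -m promiscon -v, passes no interface argument, and the new wording no longer says that the interfaces are taken from "/etc/nst/promisc.conf". Suggest stating explicitly whether "netmon0" is read from that file or has to be supplied on the command line, so the description matches the invocation.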

Revision as of 09:06, 18 August 2015

Overview

This page demonstrates how to set up networking on an NST server that is configured with multiple network interface adapters for performing simultaneous network computing surveillance tasks. The NST command line script: "nstnetcfg" was designed to make this task easy to accomplish using the underlying "network" service.

The diagram below will be used as a reference for setting up a multi-network interface adapter server using NST. The rear panel of a 1U Server is shown with NIC attachments to the network infrastructure. The network security staff for the fictitious company: "TxyCorp" would like to use NST for monitoring different network segments throughout their network. In particular, they would like to monitor traffic entering and leaving their corporation, web server traffic, all client electronic business transactions and remote traffic to and from their satellite offices. They will use a combination of SPAN (Switched Port Analyzer) ports and a Non-Aggregational Network TAP to expose network traffic on these segments.

When booting up "NST Live" or after a hard disk installation, the "Network Manager" service is on by default for managing all network interfaces found on an NST system. Network Manager provides a quick and easy method for setting up networking on a system equipped with a wireless interface that uses DHCP for IPv4 Address configuration. When a system is configured with two or more wired network interfaces or requires a multi-homed network setup, the "network" service may be a better choice for setting up the network configuration.

The nstnetcfg script helps reduce the error-prone tasks involved in setting up networking on an NST (Linux) system using the "network" service.

A Multi-Network Interface Adapter NST Server Configuration
Note: The "Sys Admin Network" is an out-of-band network for the management of enterprise servers within this network infrastructure. The "ILOM" (Integrated Lights Out Management) network interface (i.e., "NetMgt") and the "Serial Console" device (i.e., "ttyS0") are shown for completeness and are not used by "nstnetcfg".

Network Interface Setup Configuration Information

In this section we will identify each network interface and how it should be set up using the 1U Server configuration illustrated in the reference diagram above. Network parameters such as the Subnet Mask, Host Name(s), Domain Name Servers, Domain Name, Gateway and Default Interface will also be identified. The table below lists the values that will be used by the nstnetcfg script.

| Interface / Parameter | Configuration Values | Network Service Management |
|---|---|---|
| em0 | IPv4 Address: 172.30.1.16, Network Routing Prefix: 24, Host Name: nstsurv1-mon, Gateway: 10.221.1.1 | network |
| em1 | IPv4 Address: 10.221.5.14, Network Routing Prefix: 16, Host Name: nstsurv1, Gateway: 10.221.1.1 | network |
| em2 | IPv4 Address: stealth | network |
| em3 | IPv4 Address: stealth | network |
| p2p1 | IPv4 Address: stealth | network |
| p2p2 | IPv4 Address: stealth | network |
| p4p1 | IPv4 Address: stealth | network |
| p4p2 | IPv4 Address: stealth | network |
| p6p1 | IPv4 Address: stealth | network |
| p6p2 | IPv4 Address: stealth | network |
| Domain Name Servers | 10.221.1.10, 10.221.1.11 | N/A |
| Domain Name | txycorp.com | N/A |
| Virtual Host (ssl.conf) | *:443 | N/A |
| Server Name (ssl.conf) | nstsurv1.txycorp.com:443 | N/A |

 

Network Interface Configuration: nstnetcfg

The NST script: "nstnetcfg" will now be used for setting up networking on this server. This script will disable the "NetworkManager" service and enable the "network" service when setting up a static IPv4 Address (--mode ipv4). The "NetworkManager" service will also be disabled at boot time and the "network" service will be enabled at boot time. Use the sequence of nstnetcfg invocations below to serve as an example for setting up networking on your particular server with NST.

Note: The reader is encouraged to review the man page for "nstnetcfg" as reference material prior to its use. One can also use the "--verbose" output parameter for greater visibility on the progress of nstnetcfg during its configuration stages.

Warning: The "nstnetcfg" script should only be run on a Serial Console or a Desktop Terminal due to the fact that the "IPv4 Addressing" for this NST system will most likely change.

Initialize All Network Interfaces

The nstnetcfg mode: "init" will put the networking setup posture in a known initialized state. Both the "NetworkManager" service and the "network" service will be disabled with their associated configuration files and/or entries removed. The "LoopBack" interface device is never removed; it is reset to the factory default state with this mode. The Name Service Switch configuration file: "/etc/nsswitch.conf" will have its hosts entry set to: "files dns". It is best practice to first use this mode prior to setting up networking so that any lingering "NetworkManager" configuration files will Not interfere with the "network" service operation.

[root@probe ~]# nstnetcfg --mode init;
[root@probe ~]#

 

Static IPv4 Configured Interfaces

The example NST server shown above uses a "Multi-Home" configuration with network interface devices: "em0" and "em1" set with static IPv4 Addresses: 172.30.1.16 and 10.221.5.14 respectively.

Interface: em1

The "em1" interface device is network attached to the "TxyCorp" Intranet. This network provides name services and external access to the Internet. The "Host Name", "Domain Name", "Name Servers" and "Gateway" values are set accordingly. A host name entry for "nstsurv1" will be added to the Hosts file: "/etc/hosts" and the system host name will be set to: "nstsurv1". A "16" network routing prefix (CIDR - Format) will be used. The configuration for this interface is shown below.

[root@probe ~]# nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11";
[root@probe ~]#

Interface: em0

The "em0" network interface is connected to the "Security Network" for performing network surveillance tasks using the "NST WUI" and the large collection of NST network security applications and tools. The "--hosts-file-only" setting is used so that only the Hosts file: "/etc/hosts" will be updated with a host name entry for: "nstsurv1-mon". Note that there is No "--gateway" parameter used with this interface because there is only one default gateway (i.e., "10.221.1.1") for this Multi-Home example configuration. It is not necessary to again set the system "Host Name", "Domain Name" and "Name Servers" values since these were specified in the configuration for network interface "em1". A "24" network routing prefix (CIDR - Format) will be used.

[root@probe ~]# nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon --hosts-file-only;
[root@probe ~]#
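
The single default gateway rule can be checked before any "nstnetcfg" call is made. The script below is an added example, not part of the original page or of NST; its function names and the plan format (IFACE ADDR/PREFIX [GATEWAY]) are assumptions, and the second plan is constructed to show the failure case.

```bash
#!/bin/bash
# Pre-flight check for a multi-homed plan: exactly one default gateway,
# and that gateway must be on-link for the interface that carries it.
# Written with portable shell constructs so it also runs under plain sh.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when address $2 lies inside the network described by $1 (ADDR/PREFIX).
in_subnet() {
  local prefix mask
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# $1 = plan text, one "IFACE ADDR/PREFIX [GATEWAY]" entry per line.
# Prints one finding per interface and returns non-zero if the plan is unsafe.
check_plan() {
  local iface cidr gw gateways=0 status=0
  while read -r iface cidr gw; do
    [ -n "$iface" ] || continue
    if [ -z "$gw" ]; then
      echo "$iface: ok (no gateway)"
    elif in_subnet "$cidr" "$gw"; then
      gateways=$((gateways + 1))
      echo "$iface: ok (gateway $gw is on-link)"
    else
      gateways=$((gateways + 1))
      echo "$iface: FAIL (gateway $gw is outside $cidr)"
      status=1
    fi
  done <<EOF
$1
EOF
  if [ "$gateways" -ne 1 ]; then
    echo "plan: FAIL ($gateways gateways defined, expected exactly 1)"
    status=1
  fi
  return "$status"
}

# The two static interfaces exactly as configured by the commands on this page.
PLAN_FROM_PAGE='em1 10.221.5.14/16 10.221.1.1
em0 172.30.1.16/24'

# Constructed variant: the same gateway is also given to em0.
PLAN_TWO_GATEWAYS='em1 10.221.5.14/16 10.221.1.1
em0 172.30.1.16/24 10.221.1.1'

check_plan "$PLAN_FROM_PAGE"
check_plan "$PLAN_TWO_GATEWAYS" || echo "second plan rejected"
```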

 

Stealth Configured Interfaces

The "Stealth" network interfaces (i.e., an interface in the "UP" state with No binding IPv4 Address) will now be configured. These interfaces are strategically network attached throughout the network infrastructure for surveillance monitoring.

Interface: em2

This network interface: "em2" is used to monitor the Transmit Data: "TxD" port on a Network TAP (Test Access Point) for all traffic leaving (egress) the "TxyCorp" corporation at the Firewall Dirty Side.

[root@probe ~]# nstnetcfg --mode stealth --interface em2;
[root@probe ~]#

Interface: em3

This network interface: "em3" is used to monitor the Receive Data: "RxD" port on a Network TAP for all traffic entering (ingress) the "TxyCorp" corporation at the Firewall Dirty Side.

[root@probe ~]# nstnetcfg --mode stealth --interface em3;
[root@probe ~]#

Interface: p2p1

This network interface: "p2p1" is used to monitor specific "Web Server" traffic on a SPAN (Switched Port Analyzer) port.

[root@probe ~]# nstnetcfg --mode stealth --interface p2p1;
[root@probe ~]#

Interface: p2p2

This network interface: "p2p2" is used to monitor specific "Web Server" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p2p2;
[root@probe ~]#

Interface: p4p1

This 10 Gigabit Ethernet network interface: "p4p1" is used to monitor specific "Business Transaction" data packets on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p4p1;
[root@probe ~]#

Interface: p4p2

This 10 Gigabit Ethernet network interface: "p4p2" is used to monitor specific "Business Transaction" data packets on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p4p2;
[root@probe ~]#

Interface: p6p1

This network interface: "p6p1" is used to monitor specific "Remote Office" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p6p1;
[root@probe ~]#

Interface: p6p2

This network interface: "p6p2" is used to monitor specific "Remote Office" traffic on a SPAN port.

[root@probe ~]# nstnetcfg --mode stealth --interface p6p2;
[root@probe ~]#

Stealth Interface Combo Setting Command

The command below is a compact way of using a Bash "for loop" statement to configure all "Stealth" interfaces in one command line invocation.

[root@probe ~]# for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2; do nstnetcfg --mode stealth --interface ${i}; done
[root@probe ~]#
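
To confirm the result, the function below parses "ip addr show" output and classifies each interface against the "UP with no IPv4 address" definition. It is an added example, not part of the original page or of NST; the function name, the state labels and the sample output are constructed. It goes slightly beyond the page by also reporting a missing link and IPv6 addresses, since an interface holding an IPv6 link-local address still transmits neighbor discovery traffic.

```bash
#!/bin/bash
# Classify interfaces from `ip addr show` text.
# $1 = ip addr show output, remaining arguments = interface names to check.
# Prints "IFACE STATE" per interface, where STATE is one of:
#   stealth     admin UP, link present, no IPv4 or IPv6 address
#   ipv4-bound  an inet address is bound (not stealth by the page definition)
#   ipv6-bound  only inet6 addresses are bound (interface can still transmit)
#   no-carrier  admin UP but no link, so nothing will be captured
#   down        not administratively UP
#   missing     interface not present in the output
stealth_report() {
  local text want
  text=$1; shift
  for want in "$@"; do
    printf '%s\n' "$text" | awk -v want="$want" '
      /^[0-9]+: / {                       # interface header line
        name = $2
        sub(/:$/, "", name)               # strip the trailing colon
        sub(/@.*$/, "", name)             # strip a parent suffix such as @em1
        cur = (name == want)
        if (cur) {
          found   = 1
          up      = ($3 ~ /[<,]UP[,>]/)   # administratively up
          carrier = ($3 ~ /LOWER_UP/)     # link detected
        }
        next
      }
      cur && $1 == "inet"  { v4++ }
      cur && $1 == "inet6" { v6++ }
      END {
        if (!found)        state = "missing"
        else if (!up)      state = "down"
        else if (v4)       state = "ipv4-bound"
        else if (v6)       state = "ipv6-bound"
        else if (!carrier) state = "no-carrier"
        else               state = "stealth"
        print want, state
      }'
  done
}

# Constructed sample in the format of the `ip addr show` listings on this page.
SAMPLE_IP_ADDR='2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.221.5.14/16 brd 10.221.255.255 scope global em1
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: em3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ff:fe00:3/64 scope link
       valid_lft forever preferred_lft forever
5: p2p1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:04 brd ff:ff:ff:ff:ff:ff'

# On a live system: stealth_report "$(ip addr show)" em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2
stealth_report "$SAMPLE_IP_ADDR" em1 em2 em3 p2p1 p6p2
```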

Apache SSL Configuration For Proper HTTPS NST WUI Access

If the "IPv4 Address" on an NST system is changed, the Apache Web Server SSL configuration file: "/etc/httpd/conf.d/ssl.conf" needs to be modified for proper HTTPS access to the "NST WUI". The following "nstnetcfg" command uses the "ssl" mode to allow all hosts "HTTPS" access to the "NST WUI" using Server Name: "nstsurv1.txycorp.com". A new "SSL" certificate and key file will also be generated.

[root@probe ~]# nstnetcfg --mode ssl --interface em1 --virtual-host "*:443" --server-name nstsurv1.txycorp.com:443;
[root@probe ~]#

 

Using A Bash Script With "nstnetcfg"

It may be better to use a Bash script given the numerous invocations of "nstnetcfg" with this NST network configuration setup. A good location to store your script would be in directory: "/etc/nst". This will allow you to easily make changes to your network configuration by editing the script and running it. An example script for: "/etc/nst/net_cfg.sh" using the above invocations of "nstnetcfg" is shown below. You can copy and paste this script as a starter template file.

#!/bin/bash

#
# Script: "net_cfg.sh"

#
# Description: Helper script for setting up the configuration of network interfaces
#              on Server: "nstsurv1" using: "nstnetcfg".

#
# Short Usage: "nstnetcfg"
#
#   nstnetcfg [-m|--mode TEXT] [-i|--interface DEVICE]
#          [-a|--ipv4-addr-prefix IPv4ADDR/PREFIX] [-g|--gateway IPv4ADDR]
#          [--mac-addr MACADDR] [--host-name TEXT] [--domain-name TEXT]
#          [--name-servers IPv4ADDRLIST] [--hosts-file-only [true]|false]
#          [--virtual-host TEXT] [--server-name TEXT]
#          [-h|--help [true]|false] [-H|--help-long [true]|false]
#          [-v|--verbose [true]|false] [--version [true]|false]
#
#   Available Modes: ipv4, dhcp, ssl, stealth, netmgr, rmint, init, show

#
# Uncomment to enable verbosity 
#VERBOSE=" --verbose";

#
# Network Interface: Initialization
/usr/bin/nstnetcfg --mode init${VERBOSE};

#
# Network Interface: em1
/usr/bin/nstnetcfg --mode ipv4 --interface em1 --ipv4-addr-prefix 10.221.5.14/16 --gateway 10.221.1.1 \
  --host-name nstsurv1 --domain-name txycorp.com --name-servers "10.221.1.10,10.221.1.11"${VERBOSE};

#
# Network Interface: em0
/usr/bin/nstnetcfg --mode ipv4 --interface em0 --ipv4-addr-prefix 172.30.1.16/24 --host-name nstsurv1-mon \
  --hosts-file-only${VERBOSE}; 

#
# Network Interface: em2
/usr/bin/nstnetcfg --mode stealth --interface em2${VERBOSE};

#
# Network Interface: em3
/usr/bin/nstnetcfg --mode stealth --interface em3${VERBOSE};

#
# Network Interface: p2p1
/usr/bin/nstnetcfg --mode stealth --interface p2p1${VERBOSE};

#
# Network Interface: p2p2
/usr/bin/nstnetcfg --mode stealth --interface p2p2${VERBOSE};

#
# Network Interface: p4p1
/usr/bin/nstnetcfg --mode stealth --interface p4p1${VERBOSE};

#
# Network Interface: p4p2
/usr/bin/nstnetcfg --mode stealth --interface p4p2${VERBOSE};

#
# Network Interface: p6p1
/usr/bin/nstnetcfg --mode stealth --interface p6p1${VERBOSE};

#
# Network Interface: p6p2
/usr/bin/nstnetcfg --mode stealth --interface p6p2${VERBOSE};

#
# Uncomment for using a Stealth Interface Combo Setting
#for i in em2 em3 p2p1 p2p2 p4p1 p4p2 p6p1 p6p2;
#  do /usr/bin/nstnetcfg --mode stealth --interface ${i}${VERBOSE};
#done

#
# Apache SSL Configuration
/usr/bin/nstnetcfg --mode ssl --interface em1 --virtual-host "*:443" --server-name nstsurv1.txycorp.com:443${VERBOSE};

Script Invocation

Make sure the script has its execute permissions set:

[root@probe ~]# chmod +x "/etc/nst/net_cfg.sh";
[root@probe ~]#

Execute the script:

[root@probe ~]# /etc/nst/net_cfg.sh;
[root@probe ~]#

 

List All Installed Network Interface Devices Using: "getipaddr"

The NST script: "getipaddr" can be used to list all available network interface devices on an NST system.

[root@probe ~]# /usr/bin/getipaddr -D;
lo
em0
em1
em2
em3
p2p1
p2p2
p4p1
p4p2
p6p1
p6p2
[root@probe ~]#

List All 'Virtual' Installed Network Interface Devices Using: "getipaddr"

[root@probe ~]# /usr/bin/getipaddr -D --virtual;
lo
[root@probe ~]#

List All 'Physical' Installed Network Interface Devices Using: "getipaddr"

[root@probe ~]# /usr/bin/getipaddr -D --physical;
em0
em1
em2
em3
p2p1
p2p2
p4p1
p4p2
p6p1
p6p2
[root@probe ~]#

 

Renaming A Network Interface Device

The NST script: "nstnetcfg" can also be used to rename a Network Interface Device thus providing a predictable Network Interface Name that is stable and available after each successive system reboot. In this section we will demonstrate how to rename a network interface device from: "eno16777984" to: "net0" using the "nstnetcfg" utility. This utility's rename mode generates a udev rules file that is used by systemd/udev at system boot time to automatically assign the predictable, stable network interface name for local Ethernet, WLAN and/or WWAN network interfaces.

       


The current Network Interface Devices available are shown:

[root@probe ~]# /usr/bin/getipaddr -D;
eno16777984
lo
[root@probe ~]#

The current IP Address configuration:

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777984: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0
       valid_lft 75211sec preferred_lft 75211sec
    inet6 fe80::20c:29ff:fee2:380b/64 scope link 
       valid_lft forever preferred_lft forever
[root@probe ~]#

The "nstnetcfg" utility will now be used to rename the network interface device from: "eno16777984" to: "net0". Notice the creation and content of the generated custom udev network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules"

Warning: The "nstnetcfg" script should only be run on a Serial Console or a Desktop Terminal when changing the name of the Primary Network Interface Device. Otherwise, network connectivity may be lost if remotely connected to this NST system while performing this task.

Warning: Try to use simple network device names (e.g. net0, netfw, Net_DMZ or NetRt1). Avoid using hyphen (-) or space ( ) characters in the new network interface device name. Instead, use the underscore (_) character or CamelCase for separation clarity in your device naming convention.

[root@probe ~]# /usr/bin/nstnetcfg --mode rename --rename net0 --interface eno16777984 --verbose;

Generating a new/updated custom 'udev' network rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules":
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="00:0c:29:e2:38:0b", NAME="net0"

Renaming Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-eno16777984" to "/etc/sysconfig/network-scripts/ifcfg-net0"

Labeling Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-net0" - NAME="net0"

The Network Interface Device rename from: "eno16777984" to "net0" will take effect on the next system reboot.

[root@probe ~]#

Now perform a system reboot:

[root@probe ~]# /usr/bin/systemctl reboot;

[root@probe ~]#

After a system reboot, the "nstnetcfg" utility, which internally uses the udevadm tool, is run to verify the generated udev rules file: "/etc/udev/rules.d/79-my-net-name-slot.rules".

[root@probe ~]# /usr/bin/nstnetcfg --mode testudev --interface net0 --verbose;
/bin/udevadm test "/sys/class/net/net0";
calling: test
version 208
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

=== trie on-disk ===
tool version:          208
file size:         5882628 bytes
header size             80 bytes
strings            1299372 bytes
nodes              4583176 bytes
load module index
read rules file: /usr/lib/udev/rules.d/10-dm.rules
read rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules
read rules file: /usr/lib/udev/rules.d/13-dm-disk.rules
read rules file: /usr/lib/udev/rules.d/40-libgphoto2.rules
IMPORT found builtin 'usb_id --export %%p', replacing /usr/lib/udev/rules.d/40-libgphoto2.rules:11
read rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules
read rules file: /usr/lib/udev/rules.d/42-usb-hid-pm.rules
read rules file: /usr/lib/udev/rules.d/50-udev-default.rules
read rules file: /usr/lib/udev/rules.d/56-hpmud.rules
read rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules
read rules file: /usr/lib/udev/rules.d/60-drm.rules
read rules file: /usr/lib/udev/rules.d/60-ffado.rules
read rules file: /usr/lib/udev/rules.d/60-fprint-autosuspend.rules
read rules file: /usr/lib/udev/rules.d/60-keyboard.rules
read rules file: /usr/lib/udev/rules.d/60-net.rules
read rules file: /usr/lib/udev/rules.d/60-pcmcia.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-input.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-serial.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules
read rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules
read rules file: /usr/lib/udev/rules.d/60-raw.rules
read rules file: /usr/lib/udev/rules.d/61-accelerometer.rules
read rules file: /usr/lib/udev/rules.d/62-multipath.rules
read rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules
read rules file: /usr/lib/udev/rules.d/64-btrfs.rules
read rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules
read rules file: /usr/lib/udev/rules.d/65-libwacom.rules
read rules file: /usr/lib/udev/rules.d/65-md-incremental.rules
read rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules
read rules file: /usr/lib/udev/rules.d/69-dm-lvm-metad.rules
read rules file: /usr/lib/udev/rules.d/69-libmtp.rules
read rules file: /usr/lib/udev/rules.d/69-pilot-link.rules
read rules file: /usr/lib/udev/rules.d/69-xorg-vmmouse.rules
read rules file: /usr/lib/udev/rules.d/70-power-switch.rules
read rules file: /usr/lib/udev/rules.d/70-printers.rules
read rules file: /usr/lib/udev/rules.d/70-spice-vdagentd.rules
read rules file: /usr/lib/udev/rules.d/70-touchpad-quirks.rules
read rules file: /usr/lib/udev/rules.d/70-uaccess.rules
read rules file: /usr/lib/udev/rules.d/70-wacom.rules
read rules file: /usr/lib/udev/rules.d/71-biosdevname.rules
read rules file: /usr/lib/udev/rules.d/71-seat.rules
read rules file: /usr/lib/udev/rules.d/73-seat-late.rules
read rules file: /usr/lib/udev/rules.d/75-net-description.rules
read rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules
read rules file: /usr/lib/udev/rules.d/75-tty-description.rules
read rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules
read rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-pcmcia-device-blacklist.rules
read rules file: /usr/lib/udev/rules.d/77-mm-platform-serial-whitelist.rules
read rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-usb-device-blacklist.rules
read rules file: /usr/lib/udev/rules.d/77-mm-usb-serial-adapters-greylist.rules
read rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules
read rules file: /usr/lib/udev/rules.d/77-nm-olpc-mesh.rules
read rules file: /usr/lib/udev/rules.d/78-sound-card.rules
read rules file: /etc/udev/rules.d/79-my-net-name-slot.rules
read rules file: /usr/lib/udev/rules.d/80-drivers.rules
read rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules
read rules file: /usr/lib/udev/rules.d/80-net-name-slot.rules
read rules file: /usr/lib/udev/rules.d/80-udisks.rules
read rules file: /usr/lib/udev/rules.d/80-udisks2.rules
read rules file: /usr/lib/udev/rules.d/85-regulatory.rules
read rules file: /usr/lib/udev/rules.d/85-usbmuxd.rules
read rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules
read rules file: /usr/lib/udev/rules.d/90-alsa-tools-firmware.rules
read rules file: /usr/lib/udev/rules.d/90-pulseaudio.rules
read rules file: /usr/lib/udev/rules.d/91-drm-modeset.rules
read rules file: /usr/lib/udev/rules.d/95-cd-devices.rules
read rules file: /usr/lib/udev/rules.d/95-dm-notify.rules
read rules file: /usr/lib/udev/rules.d/95-udev-late.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-dell.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-fujitsu.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-gateway.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-ibm.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-lenovo.rules
read rules file: /usr/lib/udev/rules.d/95-upower-battery-recall-toshiba.rules
read rules file: /usr/lib/udev/rules.d/95-upower-csr.rules
read rules file: /usr/lib/udev/rules.d/95-upower-hid.rules
read rules file: /usr/lib/udev/rules.d/95-upower-wup.rules
read rules file: /etc/udev/rules.d/98-kexec.rules
read rules file: /etc/udev/rules.d/99-gpsd.rules
read rules file: /usr/lib/udev/rules.d/99-qemu-guest-agent.rules
read rules file: /usr/lib/udev/rules.d/99-systemd.rules
rules contain 393216 bytes tokens (32768 * 12 bytes), 32346 bytes strings
29283 strings (243715 bytes), 26259 de-duplicated (214394 bytes), 3025 trie nodes used
PROGRAM '/lib/udev/rename_device' /usr/lib/udev/rules.d/60-net.rules:1
starting '/lib/udev/rename_device'
'/lib/udev/rename_device' [2075] exit with return code 0
PROGRAM '/sbin/biosdevname --policy physical -i net0' /usr/lib/udev/rules.d/71-biosdevname.rules:22
starting '/sbin/biosdevname --policy physical -i net0'
'/sbin/biosdevname --policy physical -i net0' [2076] exit with return code 4
IMPORT builtin 'net_id' /usr/lib/udev/rules.d/75-net-description.rules:6
IMPORT builtin 'hwdb' /usr/lib/udev/rules.d/75-net-description.rules:12
NAME 'net0' /etc/udev/rules.d/79-my-net-name-slot.rules:1
RUN '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/$name --prefix=/proc/sys/net/ipv4/neigh/$name --prefix=/proc/sys/net/ipv6/conf/$name --prefix=/proc/sys/net/ipv6/neigh/$name' /usr/lib/udev/rules.d/99-systemd.rules:52
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/net0
ID_BUS=pci
ID_MM_CANDIDATE=1
ID_MODEL_FROM_DATABASE=VMXNET3 Ethernet Controller
ID_MODEL_ID=0x07b0
ID_NET_LABEL_ONBOARD=enEthernet0
ID_NET_NAME_MAC=enx000c29e2380b
ID_NET_NAME_ONBOARD=eno16777984
ID_NET_NAME_PATH=enp3s0
ID_NET_NAME_SLOT=ens160
ID_OUI_FROM_DATABASE=VMware, Inc.
ID_PCI_CLASS_FROM_DATABASE=Network controller
ID_PCI_SUBCLASS_FROM_DATABASE=Ethernet controller
ID_VENDOR_FROM_DATABASE=VMware
ID_VENDOR_ID=0x15ad
IFINDEX=2
INTERFACE=net0
SUBSYSTEM=net
SYSTEMD_ALIAS=/sys/subsystem/net/devices/net0
TAGS=:systemd:
USEC_INITIALIZED=78468
run: '/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/ipv4/conf/net0 --prefix=/proc/sys/net/ipv4/neigh/net0 --prefix=/proc/sys/net/ipv6/conf/net0 --prefix=/proc/sys/net/ipv6/neigh/net0'
unload module index
[root@probe ~]#

One can see that the Network Interface device has been changed to: "net0":

[root@probe ~]# /usr/bin/getipaddr -D;
net0
lo
[root@probe ~]#

The IP Address configuration after the device rename is shown:

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e2:38:0b brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.120/24 brd 10.222.222.255 scope global dynamic net0
       valid_lft 75211sec preferred_lft 75211sec
    inet6 fe80::20c:29ff:fee2:380b/64 scope link 
       valid_lft forever preferred_lft forever
[root@probe ~]#

 

Managing IPv4 Alias Addresses

The NST script: "nstnetcfg" can also be used to Create and Delete (i.e., Manage) IPv4 Alias Addresses. As an example we will Add and Remove IPv4 Alias Addresses: "10.222.222.241/24" and "10.222.222.242/24" on an NST system using IPv4 Alias Network Interfaces: "p5p1:a1" and "p5p1:a2" respectively. This example is shown in the sections below.

Note: You cannot manage IPv4 aliases for interfaces which are under NetworkManager control (the interface must be managed by the network service). In addition, you may need to review/update your routing after adding your aliases.



Adding IPv4 Alias Addresses

In this section we will show how the nstnetcfg script can be used to add "IPv4 Alias Addresses" to an NST system.

First, the current IP Address state is shown on our demo NST system:

[root@probe ~]# ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link 
       valid_lft forever preferred_lft forever
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
[root@probe ~]#


Next, the first IPv4 Alias Address: "10.222.222.241/24" bound to IPv4 Alias Network Interface: "p5p1:a1" using the Gateway: "10.222.222.1" and Host Name: "probe-a1" is now added to the NST system:

[root@probe ~]# nstnetcfg -m ipv4 -i p5p1:a1 -a 10.222.222.241/24 -g 10.222.222.1 --host-name probe-a1 -v;
 
Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".

Setting up the 'Static IPv4 Address' network configuration
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Network Interface: "p5p1:a1".

Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.

The "network" service is already running, skip trying to 'start'.

Enabling the "network" service at system boot time.

Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a1".
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".

[root@probe ~]#


Next, the second IPv4 Alias Address: "10.222.222.242/24" bound to IPv4 Alias Network Interface: "p5p1:a2" using the Gateway: "10.222.222.1" and Host Name: "probe-a2" is now added to the NST system:

[root@probe ~]# nstnetcfg -m ipv4 -i p5p1:a2 -a 10.222.222.242/24 -g 10.222.222.1 --host-name probe-a2 -v;

Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".

Setting up the 'Static IPv4 Address' network configuration
file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Network Interface: "p5p1:a2".

Setting the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.

The "network" service is already running, skip trying to 'start'.

Enabling the "network" service at system boot time.

Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds for IPv4 Alias Interface: "p5p1:a2".
Successfully brought 'Up' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".

[root@probe ~]#

Finally, the IP Address state is now shown with the two (2) IPv4 Alias Addresses added:

[root@probe ~]# ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link 
       valid_lft forever preferred_lft forever
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
[root@probe ~]#

The IPv4 Alias Addresses will also be configured in the hosts file "/etc/hosts":

[root@probe ~]# cat /etc/hosts;
127.0.0.1	localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6

10.222.222.10    striker.nst.net striker
10.222.222.141   probe-a1
10.222.222.142   probe-a2
[root@probe ~]#
Note: A network configuration file in directory: "/etc/sysconfig/network-scripts" was created for both IPv4 Alias Addresses above (i.e., "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" and "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2"). This will allow the IPv4 Alias Address configuration to survive a system reboot.

List All Installed Network Interface Devices Including IP Alias Interfaces Using: "getipaddr"

The NST script: "getipaddr" can also be used to list all available network interface devices including IP Alias Network Interfaces on an NST system.

[root@probe ~]# getipaddr -D --ip-alias;
lo
p1p1
p1p2
p5p1
p5p1:a1
p5p1:a2
[root@probe ~]#

Display all IPv4 Addresses including IP Alias Addresses bound to Network Interface: "p5p1" in CIDR notation:

[root@probe ~]# getipaddr -i p5p1 -D --ip-alias --ip-network-address-cidr;
p5p1 10.222.222.10/24
p5p1:a1 10.222.222.241/24
p5p1:a2 10.222.222.242/24
[root@probe ~]#


Removing IPv4 Alias Addresses

In this section we will show how the nstnetcfg script can be used to remove "IPv4 Alias Addresses" on an NST system.

First, the current IP Address state is shown on our demo NST system with configured IPv4 Alias Addresses:

[root@probe ~]# ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet 10.222.222.241/24 brd 10.222.222.255 scope global secondary p5p1:a1
       valid_lft forever preferred_lft forever
    inet 10.222.222.242/24 brd 10.222.222.255 scope global secondary p5p1:a2
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link 
       valid_lft forever preferred_lft forever
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
[root@probe ~]#


Next, the first IPv4 Alias Address: "10.222.222.241/24" bound to IPv4 Alias Network Interface: "p5p1:a1" is now removed from the NST system:

[root@probe ~]# nstnetcfg -m rmint -i p5p1:a1 -v;

Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a1".

Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a1" for IPv4 Alias Interface: "p5p1:a1"

Clean all IPv4 Address entries: "10.222.222.241" in Hosts file: "/etc/hosts".

Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:
Successfully brought 'Up' Network Interface: "p5p1".

[root@probe ~]#

Next, the second IPv4 Alias Address: "10.222.222.242/24" bound to IPv4 Alias Network Interface: "p5p1:a2" is now removed from the NST system:

[root@probe ~]# nstnetcfg -m rmint -i p5p1:a2 -v;

Attempting to bring 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".
Successfully brought 'Down' Network Interface: "p5p1" for IPv4 Alias Interface: "p5p1:a2".

Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p5p1:a2" for IPv4 Alias Interface: "p5p1:a2"

Clean all IPv4 Address entries: "10.222.222.242" in Hosts file: "/etc/hosts".

Attempting to bring 'Up' Network Interface: "p5p1" in 5 seconds:
Successfully brought 'Up' Network Interface: "p5p1".

[root@probe ~]#

Finally, the IP Address state is shown on our demo NST system with all IPv4 Alias Addresses removed:

[root@probe ~]# ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p5p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global p5p1
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link 
       valid_lft forever preferred_lft forever
4: p1p2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
[root@probe ~]#

The NST script: "getipaddr" also shows that no IP Alias Network Interfaces are configured on the NST demo system.

[root@probe ~]# getipaddr -D --ip-alias;
lo
p1p1
p1p2
p5p1
[root@probe ~]#


Promiscuous Mode Control

Overview

The Promiscuous state of a network interface device can be manually controlled by the "nstnetcfg" script. One can also use the systemd service: "promisc.service" to automatically set the Promiscuous state 'On' for one or more network interface devices at system boot. One may not be able to set the Promiscuous state 'Off' if another network application like wireshark or tcpdump is active and in capture mode. A counter is used by each Kernel network driver module and is incremented for each application that requests the Promiscuous mode to be set 'On' for the network interface device. Only after all of these applications have set the Promiscuous state 'Off' can one control the device's Promiscuous mode with the "nstnetcfg" script.


Manual Mode

This section will demonstrate how to use the "nstnetcfg" script to manually set the Promiscuous mode of network interface: "netmon0" to the 'On' state:

[root@probe ~]# nstnetcfg --mode promiscon -i netmon0 -v;

Setting the Promiscuous state 'On' for Network Interface: "netmon0".

First make sure the Network Interface: "netmon0" is up:
/sbin/ip link set up netmon0;

Next set the Promiscuous state: 'On':
/sbin/ip link set promisc on netmon0;
[root@probe ~]#

Now we demonstrate how to use the "nstnetcfg" script to manually set the Promiscuous mode of network interface: "netmon0" to the 'Off' state:

[root@probe ~]# nstnetcfg --mode promiscoff -i netmon0 -v;

Setting the Promiscuous state 'Off' for Network Interface: "netmon0".

First make sure the Network Interface: "netmon0" is up:
/sbin/ip link set up netmon0;

Next set the Promiscuous state: 'Off':
/sbin/ip link set promisc off netmon0;
[root@probe ~]#

Alternatively, one could add the network interface: "netmon0" to the NST promiscuous configuration file: "/etc/nst/promisc.conf" using "nstnetcfg" mode: "promisccfg" and then control the Promiscuous modes with the following usage:

Configure network Interface: "netmon0" in the NST promiscuous configuration file: "/etc/nst/promisc.conf"

[root@probe ~]# nstnetcfg -m promisccfg --promisc add -i netmon0 -v;

Using Promiscuous configuration operation mode: "add" for Network Interface device: "netmon0".

Adding Network Interface device: "netmon0" to the Promiscuous configuration file.

Updated Promiscuous configuration file: "/etc/nst/promisc.conf".

Content of Promiscuous configuration file: "/etc/nst/promisc.conf"
==================================================================
#
# NST: 2015
#
# Configuration file for a list Network Interface Adapters
# that can have their promiscuous mode enabled or disabled
# by the NST Script: "nstnetcfg".
#
# Typically the NST script: "nstnetcfg" modes:
# 'promiscon, promiscoff or promisccfg' use or configure this file.
# Use a space character as the delimiter when multiple interfaces
# are specificied.

#
# Example for Network Interface Adapters: netmon0 and netmon1
# PROMISCINTS="netmon1 netmon2";

PROMISCINTS="netmon0";
[root@probe ~]#

Enable Promiscuous mode 'On' for network interface: "netmon0" using the promiscuous configuration file: "/etc/nst/promisc.conf"

[root@probe ~]# nstnetcfg -m promiscon -v;

Setting the Promiscuous state 'On' for Network Interface: "netmon0".

First make sure the Network Interface: "netmon0" is up:
/sbin/ip link set up netmon0;

Next set the Promiscuous state: 'On':
/sbin/ip link set promisc on netmon0;
[root@probe ~]#
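
The check below is an added example, not part of "nstnetcfg" or the NST project: it reads the interface list from a "promisc.conf" style file as text, without sourcing it, and compares each name with the PROMISC flag in saved "ip link show" output. The function names, the sample file content and the "netmon1"/"netmon2" entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of nstnetcfg. All sample data below is constructed.

# Print the interface names listed in PROMISCINTS="..." one per line.
# The file is parsed as text and never sourced, so shell syntax placed in
# it is not executed by this check.
promisc_ints_from_conf() {    # $1 = promisc.conf style file
    sed -n 's/^[[:space:]]*PROMISCINTS="\([^"]*\)"[[:space:]]*;\{0,1\}[[:space:]]*$/\1/p' "$1" |
    tail -n 1 | tr -s '[:space:]' '\n' |
    while IFS= read -r name; do
        case "$name" in
            '') ;;
            *[!A-Za-z0-9_.-]*) echo "rejected entry: $name" >&2 ;;
            *)  if [ "${#name}" -le 15 ]; then echo "$name"
                else echo "rejected entry: $name" >&2; fi ;;
        esac
    done
}

# For every configured interface print "<name> <state>", where <state> is
# promisc, not-promisc or missing, judged from the "ip link show" text in $2.
promisc_drift() {             # $1 = conf file, $2 = saved "ip link show" output
    for ifc in $(promisc_ints_from_conf "$1"); do
        awk -v want="$ifc" '
            /^[0-9]+: / {
                name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
                if (name == want) {
                    found = 1
                    flags = "," substr($3, 2, length($3) - 2) ","
                }
            }
            END {
                if (!found)                    state = "missing"
                else if (flags ~ /,PROMISC,/)  state = "promisc"
                else                           state = "not-promisc"
                print want, state
            }
        ' "$2"
    done
}

# Constructed sample inputs (on a live system: ip link show > iplink.txt).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/promisc.conf" <<'EOF'
# Example for Network Interface Adapters: netmon1 and netmon2
# PROMISCINTS="netmon1 netmon2";

PROMISCINTS="netmon0 netmon1 netmon2 $(id)";
EOF

cat > "$SAMPLE_DIR/iplink.txt" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: netmon0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
8: netmon1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
EOF

# The "$(id)" entry is reported on stderr as rejected and is never run.
promisc_drift "$SAMPLE_DIR/promisc.conf" "$SAMPLE_DIR/iplink.txt"
```

The PROMISC flag printed by "ip link show" reflects an explicit request such as "ip link set promisc on"; a capture application that holds the interface in promiscuous mode raises the counter described in the Overview, which "ip -d link show" reports as "promiscuity".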

Automatic At System Boot

Managing a 'Bonding' Network Interface

In this section we will use "nstnetcfg" to create a 'Bond Master' Network Interface device: "bond0" by aggregating 2 (two) NIC adapters: "p1p1" and "p1p2" into a single interface. Behind the scenes, the Linux bonding driver performs the actual mechanism for creating and managing the bond device.

A bond interface device may be useful when working with a "Non-Aggregational Network Tap". Combining the non-aggregational ports of the TAP back into a single interface allows both Transmit and Receive network traffic to be seen by a listening network analysis or monitoring application.



 

The network diagram shown below will be used for the example bonding configuration demonstrated in this section. The NST WUI Ntopng IPv4 Hosts application is performing surveillance monitoring on the firewall dirty side using the Bonded Network Interface: "bond0".

A NST "nstnetcfg" Bonding Configuration with Monitoring
Note: The network traffic monitored on the Dualcomm ETAP 3105 10/100/1000Base-T Regeneration Network TAP Aggregational Port: "3" (NST Probe Port: "p5p1") may be equal to or less than the traffic monitored on the Bonded Network Interface: "bond0" that is created in this section. If the combined effective data rate on the "Slave" Network Interfaces: "p1p1" and "p1p2" exceeds 1Gb/sec, then Aggregational Port: "3" (NST Probe Port: "p5p1") will start to buffer and eventually lose packets, whereas the Bonded Network Interface: "bond0" will not.

Network Interface Bond Creation

First let's show the current network configuration using the "ip" network utility:

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:69:6b brd ff:ff:ff:ff:ff:ff
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff
[root@probe ~]#

The "p1p1" and "p1p2" NIC adapters connected to the non-aggregational Network TAP (Ports: "4" and "5" respectively) will now be bonded into a single interface: "bond0" using nstnetcfg mode: "bonding". The bond interface is in "Stealth" mode since it has no IPv4 Address bound to it.

[root@probe ~]# /usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2 --bonding-opts "mode=0 miimon=100" -v;

Attempting to configure 'Bonding Master' Network Interface: "bond0".

Stopping the "network" service.

Attempting to bring 'Down' Network Interface: "p1p1".
Successfully brought 'Down' Network Interface: "p1p1".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"
for Network Interface: "p1p1".

Attempting to bring 'Down' Network Interface: "p1p2".
Successfully brought 'Down' Network Interface: "p1p2".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"
for Network Interface: "p1p2".

Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"
for Network Interface: "bond0".

Starting up the "network" service.

Enabling the "network" service at system boot time.
[root@probe ~]#

The network configuration using the "ip" network utility is now shown after the creation of the "bond0" device:

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
[root@probe ~]#

Notice that the network interfaces: "p1p1" and "p1p2" have the "SLAVE" flag set and the bond network interface: "bond0" has the "MASTER" flag set. Network traffic can now be monitored or captured on this new Bonded Virtual Network Interface: "bond0".
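
The audit below is an added example, not part of "nstnetcfg": it parses saved "ip addr show" output and confirms that each capture interface is up, reports which bond master it belongs to, and checks that no IPv4 address is bound to it (the "Stealth" condition described above). The function names are hypothetical and the sample input is trimmed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of nstnetcfg. The sample is trimmed from the
# "ip addr show" output above, taken after "bond0" was created.

# Print "<if> <up|down> master=<dev|-> inet=<n> inet6=<n>" for one interface.
# Exit status: 0 = up with no IPv4 address, 1 = down or IPv4 bound, 2 = missing.
addr_summary() {              # $1 = interface, $2 = saved "ip addr show" output
    awk -v want="$1" '
        /^[0-9]+: / {                          # header line: a new interface
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            cur = (name == want)
            if (cur) {
                found = 1; master = "-"
                flags = "," substr($3, 2, length($3) - 2) ","
                for (i = 4; i < NF; i++) if ($i == "master") master = $(i + 1)
            }
            next
        }
        cur && $1 == "inet"  { n4++ }          # IPv4 address lines
        cur && $1 == "inet6" { n6++ }          # IPv6 address lines
        END {
            if (!found) { print want, "missing"; exit 2 }
            up = (flags ~ /,UP,/) ? "up" : "down"
            printf "%s %s master=%s inet=%d inet6=%d\n", want, up, master, n4, n6
            exit ((up == "down" || n4 > 0) ? 1 : 0)
        }
    ' "$2"
}

# Summarize several interfaces; return non-zero if any of them fails the check.
audit_capture_set() {         # $1 = saved output, remaining args = interfaces
    src=$1; shift; rc=0
    for ifc in "$@"; do
        addr_summary "$ifc" "$src" || rc=1
    done
    return "$rc"
}

IP_ADDR_SAMPLE=$(mktemp)
trap 'rm -f "$IP_ADDR_SAMPLE"' EXIT
cat > "$IP_ADDR_SAMPLE" <<'EOF'
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.222.222.10/24 brd 10.222.222.255 scope global eno0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
5: p5p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:22:17 brd ff:ff:ff:ff:ff:ff
18: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a236:9fff:fe00:696a/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
EOF

# On a live system: ip addr show > saved.txt, then audit the capture set.
audit_capture_set "$IP_ADDR_SAMPLE" bond0 p1p1 p1p2 ||
    echo "review the interfaces listed above"
```

The inet6 count is reported separately because the "Stealth" condition on this page concerns only IPv4; in the sample, "bond0" still carries an IPv6 link-local address.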

Network Interface Bond Removal

In this section we will remove the bonding network interface: "bond0" using "nstnetcfg" mode: "rmbonding":

[root@probe ~]# /usr/bin/nstnetcfg --mode rmbonding --interface bond0 -v;

Attempting to remove 'Bonding Master' Network Interface: "bond0".

Stopping the "network" service.

Removing the "Linux Bonding Driver" module.

Removing the 'Bonding Master' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0".

Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2".

Attempting to 'Initialize' Network Interface: "p1p2" to a 'Unmanaged' state.

Attempting to bring 'Down' Bonding Slave Network Interface: "p1p2".
Successfully brought 'Down' Bonding Slave Network Interface: "p1p2".

Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2" for Interface: "p1p2".

Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"
for Network Interface: "p1p2".

Removing the 'Bonding Slave' Network Interface configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1".

Attempting to 'Initialize' Network Interface: "p1p1" to a 'Unmanaged' state.

Attempting to bring 'Down' Bonding Slave Network Interface: "p1p1".
Successfully brought 'Down' Bonding Slave Network Interface: "p1p1".

Removing the previous Network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1" for Interface: "p1p1".

Setting up an 'Unmanaged' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"
for Network Interface: "p1p1".

Starting up the "network" service.

Enabling the "network" service at system boot time.
[root@probe ~]#

 

Binding an IPv4 Address to a 'Bonding' Network Interface

In this section we will use "nstnetcfg" to bind an IPv4 Address to a Bonded Network Interface. This method can also use one of the available Linux bonding driver modes to increase the effective bandwidth from the NST system to the network.




 

The network diagram shown below will be used for the example IPv4 Address binding to the 'Bonded' Network Interface: "bond0". A Quad Gigabit NIC Adapter with ports: "p1p1", "p1p2", "p1p3" and "p1p4" will be bound together to form a new 'Bonding Master' Virtual Network Interface: "bond0".

Binding an IPv4 Address to a 'Bonded' Network Interface Using "nstnetcfg"

Network Interface Bond Creation

First let's show the current network configuration using the "ip" network utility:

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,PROMISC,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.224.2.33/16 brd 10.224.255.255 scope global eno0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff
5: p1p3: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff
6: p1p4: <BROADCAST,MULTICAST,PROMISC> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff
[root@probe ~]#

The "p1p1", "p1p2", "p1p3" and "p1p4" NIC LAN ports are now bonded into a single interface: "bond0" using nstnetcfg mode: "bonding". The bond interface is currently in "Stealth" mode with no IPv4 Address bound to it.

[root@probe ~]# /usr/bin/nstnetcfg --mode bonding --interface bond0 --bonding-slave-ints p1p1,p1p2,p1p3,p1p4 --bonding-opts "mode=5 miimon=100" -v;

Attempting to configure 'Bonding Master' Network Interface: "bond0".

Stopping the "network" service.

Attempting to bring 'Down' Network Interface: "p1p1".
Successfully brought 'Down' Network Interface: "p1p1".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p1"
for Network Interface: "p1p1".

Attempting to bring 'Down' Network Interface: "p1p2".
Successfully brought 'Down' Network Interface: "p1p2".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p2"
for Network Interface: "p1p2".

Attempting to bring 'Down' Network Interface: "p1p3".
Successfully brought 'Down' Network Interface: "p1p3".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p3"
for Network Interface: "p1p3".

Attempting to bring 'Down' Network Interface: "p1p4".
Successfully brought 'Down' Network Interface: "p1p4".

Setting up a 'Bonding Slave' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-p1p4"
for Network Interface: "p1p4".

Setting up a 'Bonding Master' network configuration file: "/etc/sysconfig/network-scripts/ifcfg-bond0"
for Network Interface: "bond0".

Starting up the "network" service.

Enabling the "network" service at system boot time.
[root@probe ~]#

The Linux bonding driver is configured for mode: "5" - Adaptive Transmit Load Balancing. This mode creates a channel bond that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each "Slave" Interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC Address of the failed receiving slave.

IPv4 Address Binding to the Bond Interface

Next, the "nstnetcfg" utility is used to bind the IPv4 Address: "172.18.1.11" to the 'Bond Master' Virtual Network Interface: "bond0":

[root@probe ~]# /usr/bin/nstnetcfg --mode ipv4 --interface bond0 -a 172.18.1.11/24 -g 10.224.1.1 --hosts-file-only --host-name striker-bond -v;
Configuring a static IPv4 Address: "172.18.1.11/24" for 'Bonding Master' Network Interface: "bond0".

Attempting to bring 'Down' Bonding Master Network Interface: "bond0".
Successfully brought 'Down' Bonding Master Network Interface: "bond0".

Setting up the 'Static IPv4 Address' network configuration
file: "/etc/sysconfig/network-scripts/ifcfg-bond0" for Network Interface: "bond0".

Updating the hosts file: "/etc/hosts" with the IPv4 Address & Host Name.

The "network" service is already running, skip trying to 'start'.

Enabling the "network" service at system boot time.

Attempting to bring 'Up' Bonding Master Network Interface: "bond0" in 5 seconds.
Successfully brought 'Up' Bonding Master Network Interface: "bond0".

[root@probe ~]#

Finally, the network configuration is now shown using the "ip" utility with IPv4 Address: "172.18.1.11" bound to the 'Bonding Master' Virtual Network Interface: "bond0":

[root@probe ~]# /usr/sbin/ip addr show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 30:85:a9:44:7e:37 brd ff:ff:ff:ff:ff:ff
    inet 10.224.2.33/16 brd 10.222.255.255 scope global eno0
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:fe44:7e37/64 scope link 
       valid_lft forever preferred_lft forever
3: p1p1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000
    link/ether a0:36:9f:00:71:52 brd ff:ff:ff:ff:ff:ff
4: p1p2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:71:53 brd ff:ff:ff:ff:ff:ff
5: p1p3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state Up group default qlen 1000
    link/ether a0:36:9f:00:71:54 brd ff:ff:ff:ff:ff:ff
6: p1p4: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether a0:36:9f:00:71:55 brd ff:ff:ff:ff:ff:ff
12: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether a0:36:9f:00:69:6a brd ff:ff:ff:ff:ff:ff
    inet 172.18.1.11/24 brd 172.18.1.255 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:fe00:696a/64 scope link 
       valid_lft forever preferred_lft forever
[root@probe ~]#