Routing PSD/FAQ
Table of Contents
1.0: Routing
1.1: About Routing
1.2: Routing Definitions
1.2.1: A Note on ARP
1.3: How Routing Starts Up
1.4: IP addresses, Netmasks and Subnet
2.0: Debugging Routing
2.1: ifconfig
2.2: netstat
2.3: ping
2.4: traceroute
3.0: Common How Tos
3.1: How to Set a default router
3.2: How to Add Static Routes
3.3: How to Use in.rdisc
3.4: How to Use in.routed
3.5: How to Force a Machine to Be a Router
3.6: How to Force a SunOS Machine Not to Be a Router
3.7: How to Force a Solaris Machine Not to Be a Router
3.8: How to Set a Netmask under SunOS
3.9: How to Set a Netmask under Solaris
3.10: How to Subnet by Bit
3.11: How to Protect a Gateway Machine
3.12: How to Proxy ARP
3.13: How to Delete ARP Entries
4.0: Some Frequently Asked Questions
4.1: Miscellaneous Questions
4.2: Basic Routing Problems
4.3: in.routed Errors
4.4: netmask Problems
4.5: traceroute Problems
4.6: arp Problems
5.0: Patches
5.1: Routing Patches for SunOS
5.2: Routing Patches for Solaris
5.3: ARP Patches for SunOS
6.0: Known Bugs & RFEs
6.1: Bugs
6.2: RFEs
7.0: References
7.1: Important man Pages
7.2: Sunsolve Documents
7.2.1: Infodocs
7.2.2: SRDBs
7.3: Sun Educational Services
7.4: Solaris Documentation
7.5: Third Party Documentation
7.6: RFCs
8.0: Supportability
9.0: Additional Support
1.1 About Routing
This PSD documents a wide variety of information concerning routing as
implemented in the SunOS and Solaris operating systems. It is intended
as both an introduction to routing, and as a guide to the most common
problems. Routing can be a very complex subject, and this PSD can
really only skim the surface of it. If you are setting up a complex
routing environment, you will probably also want to refer to the more
complete references listed in Section 7.0.
For this discussion of routing, an understanding is needed of various
aspects of ROUTING, as well as NETMASKS. These are both covered below.
Solaris in.routed supports RIPv1 ( rip version 1).
RIPv2 is available in gated, gated is not SUPPORTED 1.2: Routing Definitions
The ROUTING TABLE is a table maintained in the kernel that determines
how packets are routed to other systems. A number of programs may add
or delete routes from the routing tables, including route, ifconfig,
in.routed and in.rdisc. The routing table consists of three types of
routes:
HOST ROUTES are checked first and define a route to just one host.
NETWORK ROUTES are checked second and define a route to all the hosts
on one network.
DEFAULT ROUTES are used as a catch-all, when no host or network routes
are found to a destination. They usually send to a more knowledgeable
routing machine, which has a better chance of being able to find a
host or network route to the destination. (see Section 3.1 for how to
add a default static route as explained in Sections 3.3 and 3.4,
default routes may also be used with in.routed and in.rdisc.)
For a packet to get from your machine to its destination, it usually
goes through a number of routers. Each of these routers decides what
to do with the packet based on the set of rules listed above.
Systems are configured to handle routing in one of two ways:
With STATIC ROUTING, the tables in the kernel are defined when the
system boots and do not change. The ROUTE command can also be used to
manually add and remove static routes. (see Section 3.1 for how to add
an automatic default route at boot time see Section 3.2 for how to
use route to add static routes.)
With DYNAMIC ROUTING, the tables in the kernel are updated by a
ROUTING DAEMON as the network changes. SunOS and Solaris machines both
provide IN.ROUTED to exchange routing information between hosts.
in.routed depends upon RIP PACKETS to exchange this info. Solaris also
provides IN.RDISC, which just manipulates default routes. in.rdisc
depends upon ROUTER DISCOVERY PACKETS to gather this information. (see
Sections 3.3 and 3.4 for how to run in.routed, and in.rdisc,
respectively.)
In addition, IFCONFIG will always add routes when interfaces are
brought up. These routes will be to directly connected networks for
most interfaces, though they will be to directly connected hosts for
point-to-point interfaces.
With regard to routing, machines are divided into two classes, routers
and hosts:
A machine with more than one interface is, by default, defined to be a
ROUTER. If in.rdisc or in.routed are running, they will advertise
routing information. In addition, the machine will automatically
forward IP packets. (see Section 3.6 and 3.7 for how to force a
multiple-interface machine not to be a router.)
A machine with only one interface is a HOST. If in.rdisc or in.routed
are running, the host will listen for routing information. Hosts do
not advertise routing information.
1.2.1: A Note on ARP
This document also contains some information on ARP, the ADDRESS
RESOLUTION PROTOCOL. ARP is the protocol which converts the IP address
to an address appropriate to the hardware type (ie, Ethernet addresses
on an ether network). After normal routing protocols have done their
work, ARP springs in to action. It's what actually gets packets from
one machine to another.
Usually, you should not have to worry about ARP at all. Except in
special setups, it should work totally transparently. 1.3: How Routing Starts Up
Solaris and SunOS each have a specific order which they use to start
up routing:
If an /etc/defaultrouter file exists (see Section 3.1), only static
routing will be used, and a static default route will be created to
the machine listed in the defaultrouter file.
If there is no /etc/defaultrouter file, and the machine is a router,
both in.routed and in.rdisc will be started, and they will advertise
routing information. SunOS machines will only start up in.routed, as
in.rdisc is not available under SunOS.
If there is no /etc/defaultrouter file, and the machine is a host,
in.rdisc is initially started. If any machines on the same network
advertise via Routing Discovery, in.rdisc will be used as the dynamic
routing program if there are no machines advertising via Routing
Discovery, in.rdisc will quickly quit. SunOS skips this step.
Finally, if there is no /etc/defaultrouter file, and either the
machine is running SunOS, or in.rdisc has failed, then in.routed is
started. It will listen for other in.routed programs advertising via
RIP packets. This is the default manner in which most out-of-the-box
Suns will operate. 1.4: IP addresses, Netmasks and Subnets
All IP ADDRESSES are divided into two portions: the NETWORK ADDRESS,
and the HOST ADDRESS. The network portion of the IP address defines
the level at which routing is done this means that all machines with
the same network address are on the same network. For example, if we
had the IP address a.b.c.d, we might learn that the network portion of
that address was a.b, and the host portion of that address was c.d. In
that case, all machines with the IP address a.b.*.* would be on the
same network. We would typically see a route to the network a.b.0.0.
By default, Internet IP addresses are divided into 3 Classes. Each of
these ranges has a different portion of the IP address reserved as the
network and host addresses.
Class IP Range Network Host
Class A 1.*.*.* to 127.*.*.* a b.c.d
Class B 128.*.*.* to 191.*.*.* a.b c.d
Class C 192.*.*.* to 223.*.*.* a.b.c d
Multicast:
Class D 224.0.0.0 to 239.255.255.255.
Reserved:
Class E 240.0.0.0 to 247.255.255.255
Given the standard classes, a few typical network routes would be:
16.0.0.0
150.101.0.0
207.48.123.0
NETMASKS are a shorthand way to define what portion of an IP address
is reserved for the network address. The netmask is a set of 1 and 0
bits set to 1 define the network portion of an IP address, while
bits set to 0 define the host portion of an IP address. We can look at
the example of a Class B network address. In the address a.b.c.d, the
network portion is a.b and the host portion is c.d. This is equivalent
to the netmask 255.255.0.0:
255.255.0.0 = 11111111.11111111.00000000.00000000
This means that the three classes of networks have the following three
default Netmasks:
Class IP Range Netmask Nodes/Network
Class A 1.*.*.* to 127.*.*.* 255.0.0.0 16,777,215
Class B 128.*.*.* to 191.*.*.* 255.255.0.0 65,535
Class C 192.*.*.* to 223.*.*.* 255.255.255.0 255
Thus, packets sent to 100.1.2.3 are routed at the level 100.0.0.0 (and
all 16 million machines in the 100.*.*.* range should form one
distinct network), while packets sent to 200.1.2.3 are routed at the
level 200.1.2.0 (and all 255 machines in the 200.1.2.* range should
form one distinct network).
Often, the default Netmasks are not sufficient. You can further divide
a network by defining a custom netmask. This is termed SUBNETTING. A
custom netmask changes the definition of the network size, and also
changes the level at which routing is done. For example, many people
on Class A or B networks implement a netmask of 255.255.255.0, so that
all routing is done to networks of 255 or less machines. Sections 3.8
and 3.9 explain how to set a custom netmask for SunOS and Solaris.
This netmasking is really done down at the bit level. These means that
you can divide a network even further. An example of this is given
down in Section 3.10.
[Example Note: references to the network 150.101.*.* in this document should
be understood to be entirely fictitious, and are only used for reasons of
example.]
Ip Addressing assignment notes:
InterNic Pre-Reserved Private Network - see RFC 1918
proposes network numbers that are reserved for private use.
( networks not on the internet or behind a Firewall using NAT)
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
It is unwise to create a private network with the same addressing as one
assigned on the global internet.
What Addresses NOT to use ?
IP address is all zeros
IP address of all ones
A valid network number
A valid subnet number
loopback
127.x.x.x
addresses reserved by the Network Information Center.
( 0.x.x.x, 128.0.x.x, 191.255.x.x, 129.0.0.x, 223.255.255.x )
Multicast
224.x.x.x (greater than 223.*.*.*)
What is the meaning of N in x.x.x.x/N?
N is the number of significant bits in a prefix. This is a compact notation.
In the old days, you'd write 129.146.86.51, netmask 255.255.255.0.
Nowadays, you can just say 129.146.86.51/24, because 24 bits of the address
indicate the subnet. We no longer have class in IP addresses (as of Solaris
2.6),
so this syntax fits better. Also this will be the PRIMARY way of saying
things in IPv6.
2.0 Debugging Routing can be somewhat tricky because problems could exist anywhere
between you and your destination machine. The following commands are
helpful, because they can be used to isolate which machine is the one
with incorrect information.
The following understanding of routing is necessary to be able to
fully debug your routing tables:
For communication from host A to host B to work, there must be a route
from A to B and there must be a route from B to A.
If there is an intermediate machine, machine C, then there should be a
route from A to B through C, and C must have a route to B. The reverse
is true as well. There must be a route from B to A through C and also
a route from C to A.
Also, C must be configured to pass packets from one interface to
another to allow routing. This is done via the ip_forwarding variable
described in sections 3.6 and 3.7.
When debugging routing, you must also know whether you are working
with a host or a router, as they have very different characteristics.
2.1: ifconfig
It is always best to start investigating routing problems by making
sure that your interfaces are set up correctly. By running ifconfig,
you can see your current interface setup:
# ifconfig -a
lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
inet 127.0.0.1 netmask ff000000
le0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
inet 150.101.16.28 netmask ffffff00 broadcast 150.101.16.255
ether 8:0:20:10:78:d
When an interface is brought up, it automatically creates a route.
This route will be to the local network for multipoint interfaces
(ether, FDDI, TR, etc), or to a host for point-to-point interfaces
(PPP).
If your main interface (le0 in the above example) is not UP and
RUNNING, clearly no routing will be occurring through it. If the
interface is UP, you will also want to examine the inet and netmask
entries of your main interface, and make sure they are set correctly.
If the inet is set wrong, check your /etc/hostname.interfacename file
(ie, hostname.le0) and your /etc/hosts file. If the netmask is set
wrong, check your /etc/netmasks file (see Section 3.8 and Section 3.9
for correct netmask setup).
2.2: netstat
You can examine your current routing tables by running the command
netstat, as follows:
%%%% netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
127.0.0.1 UH 0 581 lo0
150.101.16.0 150.101.16.28 U 3 935 le0
224.0.0.0 150.101.16.28 U 3 0 le0
default 150.101.16.3 UG 0 802
default 150.101.16.12 UG 0 854
By examining this table, and correlating it with your problems, you
can sometimes figure out what is going on. For example, if some of my
non-local packets were randomly getting lost, I might suspect that one
of my two default routes was dropping packets.
Some problems are even more obvious. For example, if the "default"
entries were not present in the Routing Table above, I would probably
find that I could route nowhere but 127.0.0.1, 150.101.16.0 and
224.0.0.0. (In actuality, 224.0.0.0 is a special multicast route,
while 127.0.0.1 is a special localhost route they can both be ignored
for basic discussions of routing, which would mean that I could really
route only to the network 150.101.16.0.)
2.3: ping
If your problem is not obvious from examining 'ifconfig -a' and
'netstat -rn', the ping command can be very useful in diagnosing it
further. Try running 'ping -s machine-with-no-route'. There are two
possibilities.
If you get some type of 'network unreachable' or 'host unreachable'
error, this typically means that there is no route on your machine to
the machine you are trying to ping. You will probably need to define a
static route for that machine's network, or possibly a default route.
Following are a few examples.
Under SunOS, you'll just get the basic '... unreachable' errors:
%%%% ping -s lab-manta
PING lab-manta: 56 data bytes
sendto: Network is unreachable
ping: wrote 150.101.89.28 64 chars, ret=-1
At this point, you should return to looking at your 'netstat -r'
table. You should find that there is no entry for the network you are
trying to ping.
Under Solaris, you will get some additional information. In the
following example, I am again pinging lab-manta from psi:
%%%% ping -s lab-manta
PING lab-manta: 56 data bytes
ICMP Host Unreachable from gateway psi (150.101.16.28) for icmp from psi
(150.101.16.28) to lab-manta (150.101.89.28)
The above message confirms very clearly that it is the gateway 'psi'
that did not have the route, when I tried to ping from 'psi' to
'lab-manta'. Again, I would have to examine psi's routing tables at
this point.
In addition, Solaris can sometimes report back errors that remote
machines are having:
%%%% ping -s lab-manta
PING lab-manta: 56 data bytes
ICMP Host Unreachable from gateway softmtv716 (150.101.16.3) for icmp from
psi (150.101.16.28) to lab-manta (150.101.89.28)
In this case, it is the gateway 'softmtv716', which is one of my
default routers, which does not have a path to the remote machines. If
I investigate the routing tables on that machine, I will probably find
that there is no route to the 150.101.89.0 subnet.
The other possibility is that ping just reports packets being dropped:
%%%% ping -s lab-manta
PING lab-manta: 56 data bytes
^C
----lab-manta PING Statistics----
7 packets transmitted, 0 packets received, 100%%%% packet loss
First, you should verify that the remote machine is up. If it is, you
likely have a routing problem.
Usually, this means that routes do exist in routing tables, but
something along the path just drops the packets. This usually occurs
because a router is set up wrong, or because a machine is listed as a
gateway, but is not configured to forward IP packets.
The only way to diagnose this is to examine a map of your network,
find all the IP addresses in between you and the machine that is not
responding, and then ping them one at a time. For example, I might
discover that to get to lab-manta, a packet first goes out of the Ethernet interface of psi, then into router-le0, then out of
router-le1, then into lab-manta. In this case, I would ping first psi,
then router-le0, then router-le1 then lab-manta. If router-le0
responded, but router-le1 did not, I would suspect that router was not
passing packets correctly.
(If you note such a problem, before examining the router, you should
check the netmask on your local machine, via the ifconfig -a command.
An incorrectly set netmask can cause the symptoms described above.)
If you discover that a remote router or non-Sun machine is not passing
packets, SunService is unable to provide further assistance in this
routing matter. Sections 8.0 and 9.0 explain your alternatives.
If you discover that a Sun machine is not passing packets, you should
make sure that the procedures explained in Sections 3.6 and 3.7 have
not been implemented on the remote machine, to prevent it from
routing.
Packets might also be dropped if there are not paths back to your
machine. In the above example, packets might go from psi, to router,
to lab-manta fine, and then run into problems on the return trip. If
nothing else has proved fruitful, you could then examine lab-manta,
and make sure it had a path to psi, through router, and then examine
router, and make sure that it also had a path to psi.
2.3.1: ping -sRv
ping is able to record routes for you. However, this is only of
limited utility because (1) you will not get any results if packets
are not being returned (2) there is a limit of 9 IP addresses -and-
(3) this method depends upon source routing, which may be turned off
on some machines, for security reasons.
Still, if you find that routes are being done incorrectly, you might
find it of some use. Here is an example of usage:
%%%% ping -sRv lab-classic
PING lab-classic: 56 data bytes
64 bytes from lab-classic (150.101.89.54): icmp_seq=0. time=7. ms
IP options: <record route> softmtv703-bb (150.101.15.60), four-oh
(150.101.89
.4), lab-classic (150.101.89.54), install-7 (150.101.89.25), four-oh-mrn
(150.10
1.15.11), softmtv716 (150.101.16.3), psi (150.101.16.28), (End of record)
^C
----lab-classic PING Statistics----
1 packets transmitted, 1 packets received, 0%%%% packet loss
round-trip (ms) min/avg/max = 7/7/7
This was done on this network:
16.28---(16.0)---16.3/15.60---(15.0)---15.11/89.4---(89.0)---89.54
psi softmtv four-oh lab-classic
Two things are of note here. First, the route we get returned is a
round trip, to the machine and back. Second, whenever a packet hits a
machine, ping -sRv records only the OUTGOING interface, not the
incoming interface. That is, the first time a packet goes through
softmtv, we see the address 15.60, not 16.3.
It's also interesting to see that the route was not symmetric. The
packet bounced off install-7 on the way back, which is a machine that
it did not touch on the way in. Examining that type of things can
point you towards possible errors in your routing.
If ping -sRv gives you massively incomplete info, or no info, you
should ignore it, as you're probably hitting one of the limitations
described at the start of this section.
2.4: traceroute
If you can't solve your routing problems by looking at the routing
tables and interfaces, a useful program for helping solve the problem
is traceroute.
Solaris 2.7 software bundles the popular traceroute utility.
Unfortunately, this program is not shipped with SunOS or Solaris prior to 2.7,
and as a result is not supported by SunService. However, you can easily find
a copy on the internet.
The ftp site ftp.dfn.de contains traceroute under the /pub/tools
directory. If you consult 'archie' or other searching programs, it is
likely that you will be able to find a more local copy.
Traceroute works by sending out a set of 3 UDP packets. These packets
are initially given a Time-To-Live of 1 hop, which is then increased
to 2 hops, then to 3, etc.... until the packets reach the remote
machine. This has the effect of stepping through the routers leading
towards a destination machine, one at a time. However, it also causes
you to only see a unidirectional route, from your client to the
destination machines. It's quite possible for routes to be different
going from and to a machine, and traceroute will not standardly show
this. For example, if packets followed the following path:
--> C -->
A B
<-- D <--
A traceroute from A to B would show: A, C, B, while a traceroute from
B to A would show: B, D, A. Only by doing both traceroutes could you
be sure of understanding the full route to and from a machine.
Once you have a copy of traceroute, you can run it to request the path
to a machine as follows:
# traceroute lab-classic
traceroute to lab-classic (150.101.89.54), 30 hops max, 40 byte packets
1 rainbow-16 (150.101.16.12) 6 ms * 3 ms
2 four-oh-mrn (150.101.15.11) 3 ms * 3 ms
3 lab-classic (150.101.89.54) 10 ms 3 ms 3 ms
Unlike ping, traceroute lists the INCOMING port of each machine.
We can get a round trip path by running traceroute with the following
options:
# traceroute -g remote-machine local-machine
For example, if I were logged in to psi, and wanted to know the round
trip path to lab-classic, I would type:
# traceroute -g lab-classic psi
traceroute to psi (150.101.16.28), 30 hops max, 40 byte packets
1 softmtv716 (150.101.16.3) 13 ms * 2 ms
2 four-oh-mrn (150.101.15.11) 3 ms * 3 ms
3 lab-classic (150.101.89.54) 4 ms 4 ms 3 ms
4 install-7 (150.101.89.25) 3 ms * 3 ms
5 four-oh-mrn (150.101.15.11) 3 ms * 3 ms
6 softmtv716 (150.101.16.3) 3 ms * 6 ms
7 psi (150.101.16.28) 10 ms 9 ms 3 ms
Again, we see that when the packets are headed to lab-classic, we just
get the INCOMING port listed. Oddly enough, traceroute reports the
same port on the way back. This is to avoid confusion.
However, this round trip method again uses source routing, which could
be a problem if some intervening machines disable source routing. If a
round trip invocation of traceroute seems to give bizarre results, you
should try running a traceroute in each direction, to be sure that you
are seeing the correct results.
Traceroute is more useful than ping -sRv because it will show us
partial paths, even if our destination machine is unreachable. In
addition, it will show more than 30 hops, while ping -sRv is limited
to 9.
For example, if I knew that packets were not getting to lab-manta, I
could run traceroute:
# traceroute lab-manta
traceroute to lab-manta (150.101.89.28), 30 hops max, 40 byte packets
1 rainbow-16 (150.101.16.12) 6 ms * 3 ms
2 four-oh-mrn (150.101.15.11) 3 ms * 3 ms
3 * * *
4 * * *
...
This would tell me that either four-oh is not passing packets, or the
router beyond four-oh is not answering at all. I could then examine
those machines for problems.
2.5: Running in.routed verbose and trace mode for debugging and logging
Examples:
in.routed -s -t
in.routed -q -v /var/adm/rip.log
See SunOS 5.6 in.routed(1M) man page
-v Allows a logfile (whose name must be supplied)
to be created showing the changes made to the routing tables with a
timestamp.
-t All packets sent or received are printed on standard output.
2.6 : Solaris 2.6 route debugging info
For further info see the 2.6 route man page and answerbook.
-------------------------
Route verbose mode example:
# route -v add 10.0.0.0 192.168.21.57 -net -netmask 255.255.255.0
so_dst: inet 10.0.0.0; so_gate: inet 192.168.21.57; so_mask: inet
255.255.255.0; RTM_ADD: Add Route: len 124, pid: 0, seq 1, errno 0,
flags:<UP,GATEWAY,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK>
10.0.0.0 brickwall 255.255.255.0
add net 10.0.0.0: gateway 129.151.21.57
-------------------------
Route monitor
# route monitor
got message of size 124
RTM_ADD: Add Route: len 124, pid: 20871, seq 1, errno 0,
flags:<UP,GATEWAY,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK>
10.0.0.0 elvis 255.255.255.0
-------------------------
Route get
# route get elvis
route to: elvis
destination: 192.168.21.0
mask: 255.255.255.0
interface: le0
flags: <UP,DONE>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
3.0 Common How Tos
3.1: How to Set a defaultrouter
If you want to define a default router, so that you can send all of
your non-local packets through one standard machine, simply create the
file /etc/defaultrouter. It should have as its sole contents, the hostname
or ipnumber of your router:
%%%% cat /etc/defaultrouter
router-1
or:
150.101.16.1
Note that any machine listed as a defaultrouter _must_ be on the same
subnet as your machine and the name listed in /etc/hosts.
On Solaris 2.4, and later, you can actually list multiple routers in
the /etc/defaultrouter file, one default router per line:
%%%% cat /etc/defaultrouter
router-1
router-2
router-3
You also need to make sure that every name which appears in
/etc/defaultrouter has an entry in your /etc/hosts file:
%%%% cat /etc/hosts
...
150.101.16.1 router-1
150.101.16.2 router-2
150.101.16.3 router-3
After you have created /etc/defaultrouter, and made sure that any
names listed in that file are also listed in /etc/hosts, you can
reboot your machine. When it comes back up, it will automatically be
routing through the defaultrouter that you have defined.
If you have a simple network, or if you are just trying to get routing
to work after your Sun machine is first installed, you probably want
to set up a defaultrouter, as is described here. Section 4.1 gives
some further advice on what type of routing to use.
How does multiple default routes work?
see SunSolve Infodoc
INFODOC ID: 17516
SYNOPSIS: How does multiple default routes work ( 2 static defaultrouter
entries) ?
Multiple default routes (wildcards) is a special case, they will be used in a
round-robin fashion. Network connections will alternate between the default routers
unless one is down, in which case it may take a few seconds to pick up the next default route.
IREs( internal routing entries) are selected in a alternating fashion and
that once selected, they are cached and the IRE entry is used for subsequent
packets until it is flushed at ip_ire_flush_interval time (default 20 minutes)
Multiple IRE entries are created by packets using the different default
routes, which can be observed with " netstat -ra ".
What happens if one of the default routers goes off-line?
The TCP module on the gateway will attempt to resend the packet to that failed
router based upon
tcp_ip_notify_cinterval = 10 seconds (timeout value when TCP is performing an
active open after which, TCP notifies IP to find a new route
OR
tcp_ip_notify_interval = 2 min (timeout value for an ESTABLISHED connection
after
which TCP notifies IP to find a new route.
What happens if the default router looses the route?
If the default router is up, and the route that it would use to forward the
packet is not available and the router knows this, then the router should
send back to your gateway an ICMP redirect, which should specify the IP
address of one of your other default routers.
3.2: How to Add Static Routes
At any time, you can add static routes to your machine via the route
command. The standard syntax for adding a network route is:
route add net "remote-network-ip gateway-ip" 'hop-metric-count'
On Solaris 2.6:
route add -net "remote-network-ip gateway-ip" -netmask
route add -host "host-ip local-intrf-ip" -interface
remote-network-ip is the network you are adding a route to, gateway-ip
is the ip address of the gateway that leads to that remote-network.
hop-count is an integer which identifies the number of gateways that
you must go through to get to the remote-network. A network that is
directly connected to your machine would have a hop count of 0 (ie,
the 150.101.16.0 net in the example below). A remote-network that is
directly connected to a gateway-machine that is, in turn, on the same
network as your machine would have a hop count of 1 (ie, the
150.101.17.0 net in the example below). Static routes are rarely added
for remote-networks with a hop count greater than 1.
One thing to note is that the metric is really not used except to differentiate
between a "gateway" route (metric > 0) and an interface route
(metric == 0)."
Routes created with the route(1m) command play no part in the RIPv1 protocol
.."
For example, on the following network:
YOUR-MACHINE---(150.101.16.0 NET)---ROUTER-1---(150.101.17.0 NET)
You could execute the following command from your machine, in order to
create a static route to the 150.101.17.0 net:
route add net 150.101.17.0 150.101.16.1 1
(150.101.16.1 is the IP address of router-1)
Solaris 2.6 example:
route add -net 150.101.17.0 150.101.16.1 -netmask 255.255.255.0
The route command can also be used to add routes to remote machines.
This is typically only done when using some type of point-to-point
interface. The syntax is:
route add host remote-machine-ip gateway-ip hop-count
ie:
route add host 150.101.17.100 150.101.16.1 1
Static routes are usually only used in conjunction with a
/etc/defaultrouter. You might do so if you had a couple of networks
which you did not want to go through your defaultrouter. In that case,
you will probably want to make the routes permanent, by adding the
route commands to the /etc/init.d/inetinit file.
You can not use the above method to add static routes if you are
running in.routed, as in.routed will automatically remove them after
90 seconds. If you are using in.routed, but want to include a few
static routes, you can do this with the /etc/gateways file, explained
in Section 3.4 below.
3.3: How to Use in.rdisc
The in.rdisc daemon is only available on Solaris machine it depends
on multicasting, which is not present on older SunOS machines.
If you do not have an /etc/defaultrouter file on a Solaris machine,
any routing host will automatically bring up in.rdisc at boot time. As
long as there is at least one router on the same network which
advertises Router Discovery messages, in.rdisc will continue running.
If nothing responds to the initial Router Discovery queries, in.rdisc
on a routing host will automatically quit, and the rc files will fall
through to in.routed.
Solaris routers will also automatically bring up in.rdisc at boot
time, if there is no /etc/defaultrouter file. They will not ever exit,
but rather will advertise via Router Discovery messages.
If you want in.rdisc to run, you should never have to do anything,
other than delete the /etc/defaultrouter file, if it exists, and make
sure that at least one Router Discovery compliant router exists on the
same subnet as your machine.
If you want to disable in.rdisc, you should simply rename it:
%%%% mv /usr/sbin/in.rdisc /usr/sbin/rdisc.save
In general, in.rdisc should only be run on routing hosts if your local
network is relatively complex.
3.4: How to Use in.routed
On a SunOS machine, in.routed will automatically be started if there
is no /etc/defaultrouter file and in.rdisc failed to find any Router Discovery
compliant routers on the local network.
in.routed will automatically start on routers if there is no /etc/defaultrouter
file, even if in.rdisc is running.
in.routed supports RIPv1 only.
You should not need to do anything, other than possibly deleting an
/etc/defaultrouter file, in order to get in.routed to run.
You can force in.routed to bring up standard network routes by putting
entries for them into the file /etc/gateways. The standard format for
that file is:
net <remote-network-ip> gateway <gateway-ip> metric
<hop-count> passive
or:
net <remote-network-ip> gateway <gateway-ip> metric
<hop-count> active
remote-network-ip, gateway-ip and hop-count are all described in
Section 3.2. The keyword 'passive' should be used if you want the
entry to be permanent.Passive gateways are maintained in the routing
tables forever.Information regarding their existence is not included in any
routing information transmitted. Active gateways are treated equally to network
interfaces. The keyword 'active' should be used if you want
in.routed to occasionally query the gateway host, and delete the route
if it becomes inactive. Routing information is distributed to the gateway
and if no routing information is received for a period of time,the associated
route is deleted.
An example of a gateway file follows:
%%%% cat /etc/gateways
net 150.101.17.0 gateway 150.101.16.1 metric 1 passive
net 0.0.0.0 gateway 150.101.16.2 metric 1 passive
The first line of this example is identical to the 'route add' command
given in Section 3.2. It creates a route for the network 150.101.17.0
through the gateway machine 150.101.16.1.
In the gateways file, the number 0.0.0.0 is a special number which
means 'default route'. Thus, the second line creates a default route
through the gateway machine 150.101.16.2.
The gateways file may also be used to add routes to specific hosts,
with the following syntax:
host <remote-machine-ip> gateway <gateway-ip> metric
<hop-count> passive
Or:
host <remote-machine-ip> gateway <gateway-ip> metric
<hop-count> active
Finally, the following directives may also be put in a gateways file:
norip <interface>
noripin <interface>
noripout <interface>
These prevent RIP (in.routed) packets from either going in or out of
the specified interface (norip prevents packets from going either in
or out). For example:
%%%% cat /etc/gateways
norip le1
The above would prevent RIP packets from going in or out of the le1
interface. This could be exceptionally helpful if you did not want
your RIP info to be broadcast out of your le1 interface for security
reasons.
In general, routed should only be used on routing hosts if your local
network is relatively complex. In addition, there must be machines on
the local network which will correctly send out RIP packets if there
are not, routed will fail to work correctly on a routing host.
If you wish to disable in.routed, the best way to do this is by
creating a defaultrouter file, as is described in Section 3.1.
3.5: How To Force a Machine to Be a Router
If your machine has at least two interfaces in addition to lo0, or if
your machine has at least one point-to-point interface, it will
automatically be set up as a router.
Solaris 2.x:
The IP layer will normally act as a router (forwarding datagrams that are not
addressed to it, among other things) when the machine has two or more
interfaces that are up. This behavior can be overridden by using ndd(1M)
to set the /dev/ip variable, ip_forwarding. The value 0 means do not
forward; the value 1 means forward. The initialization scripts
(see /etc/init.d/inetinit) set this value at boot time based on the number
of "up" interfaces, but will not turn on IP forwarding at all if the
file /etc/notrouter exists. When the IP module is loaded, ip_forwarding is 0
and remains so if:
only one non-DHCP-managed interface is up (the most common case)
the file /etc/notrouter exists and DHCP does not say that IP forwarding is
on
the file /etc/defaultrouter exists and DHCP does not say IP forwarding is
on
Otherwise, ip_forwarding will be set to 1 .
SunOS 4.x
On a SunOS machine, you will want to adjust the /etc/rc.local file,
to change the following line:
in.routed echo 'running routing daemon.'
To read:
in.routed -s echo 'running routing daemon.'
In order to insure that routed is in the "supplier" mode and routing
information is being advertised.
This is done for you automatically on Solaris machines if there
are 2 up interfaces on bootup.
ip_forwarding must be enabled to allow the system to forward packets
between interfaces.
to check
on SunOS 4.x
# echo "ip_forwarding/X" | adb -w /vmunix /dev/kmem
on Solaris 2.x
# ndd /dev/ip ip_forwarding
0 = don't forward, 1 = forwarding enabled
3.6: How to Force a SunOS Machine Not to Be a Router
If you do not want your multiple-interface SunOS machine to route
packets, you will need to rebuild the kernel. In the file
/sys/netinet/in_proto.c, change the following line:
#define IPFORWARDING 0
to read:
#define IPFORWARDING -1
Afterwards, config the kernel, remake it, and then install it.
It may be useful to note, that on SunOS machines, IPFORWARDING can
have three values:
-1 Never forward IP packets
0 Don't forward, but change IPFORWARDING to 1 if there are two
or more interfaces
1 Always forward IP packets
3.7: How to Force a Solaris Machine Not to Be a Router
If you do not want your multiple-interface machine, running Solaris
2.4 or lower, to route packets, you just need to make a small change
to the file /etc/init.d/inetinit. Find the following two lines:
numifs=`ifconfig -au grep inet wc -l`
numptptifs=`ifconfig -au grep inet egrep -e '-->' wc -l`
And immediately after them, insert the following:
numifs=2
numptptifs=0
After the machine next reboots, it will not act as a router.
If you are using Solaris 2.5 or greater, it's even easier to make your
machine not route packets. Simply create an /etc/notrouter file:
%% touch /etc/notrouter
Afterwards, reboot the machine.
It may be useful to note, that on Solaris machines, ip_forwarding can
have three values:
0 Never Forward
1 Always Forward
2 Only forward when two or more interfaces are up
The above steps result in the ndd /dev/ip ip_forwarding variable being
changed from "1" to "0", which prevents routing.
3.8: How to Set a Netmask under SunOS
In order to include a permanent netmask on your SunOS machine, you
must make an entry in the /etc/netmasks file, in the following format:
network-address-without-zeroes netmask
For example:
%%%% cat /etc/netmasks
150.101 255.255.255.0
The above would subnet the class B network, 150.101.0.0, into 254
subnets, from 150.101.1.0 to 150.101.254.0.
It is important to note that the entry in the left hand column must be
the original base network number (ie # for a Class A, #.# for a Class
B and #.#.# for a Class C), not the subnet.
3.9: How to Set a Netmask under Solaris
In order to include a permanent netmask on your Solaris machine, you
must make an entry in the /etc/netmasks file, in the following format:
network-address netmask
For example:
%%%% cat /etc/netmasks
150.101.0.0 255.255.255.0
The above would subnet the class B network, 150.101.0.0, into 254
subnets, from 150.101.1.0 to 150.101.254.0.
In 2.5.1 and below, only one entry for the entire class network is allowed
to support standard subnetting as specified in RFC-950
It is important to note that the entry in the left hand column must be
the original base network number (ie #.0.0.0 for a Class A, #.#.0.0
for a Class B and #.#.#.0 for a Class C), not the subnet.
The 2.6 kernel has changed to support VLSM. It is now possible to combine
the RFC-950 and RFC-1519 form of subnet masks in the netmasks file.
The network address should be the "SUBNETTED" address NOT the standard
network number based on the hosts ip address. (see man page for netmasks)
Here are a few examples:
A host address 192.188.206.65 with a netmask of 255.255.255.224
/etc/netmasks
192.188.206.64 255.255.255.224
A host address 172.31.16.193 with a netmask of 255.255.255.192
/etc/netmasks
172.31.16.192 255.255.255.192
See section 3.10 to get a better understanding of how to subnet by bit.
3.10: How to Subnet by Bit
As was noted in Section 1.3, subnetting is actually done at the bit
level. That is, all the bits that form the IP address are masked by
the bits that form the Netmask, in order to generate the Network
Address. Here's some examples of what a netmask looks like down at
the bit level:
255.255.255.0 = 11111111.11111111.11111111.00000000
255.255.255.192 = 11111111.11111111.11111111.11000000
And here are a few examples of using the '192' netmask:
IP Address Netmask Network Address
---------- ------- ---------------
150.101.16.90 255.255.255.192 150.101.16.64
150.101.16.150 255.255.255.192 150.101.16.128
Expanding out the first example should make this a bit more clear:
150.101.16.90 = 10010110.01100101.00010000.01011010
255.255.255.192 = 11111111.11111111.11111111.11000000
Network Address = 10010110.01100101.00010000.01000000 = 150.101.16.64
The resulting network number is 150.101.16.64 and the host address
is 26.
The only caveat is that RFC 917 states that it is illegal to have a
subnet address that is all 0s or all 1s. This means that when you
split your class C, you will lose the bottom set of IP addresses, and
also the top set of IP addresses.
Putting this all together, we can take a look at two examples. These
examples both assume a Class C network (that is a network between
192.*.*.* and 223.*.*.*), which you wish to subnet.
IP ADDRESS = any Class C
NETMASK = 255.255.255.128 = 11111111.11111111.11111111.10000000
Subnet 1 = '0' Illegal because subnet is all 0s
Subnet 2 = '1' Illegal because subnet is all 1s
Clearly, using the 255.255.255.128 mask to subnet a Class C is useless.
IP ADDRESS = any Class C
NETMASK = 255.255.255.192 = 11111111.11111111.11111111.11000000
Subnet 1 = '00' Illegal because subnet is all 0s
addresses x.x.x.0 to x.x.x.63 are wasted
Subnet 2 = '01' network x.x.x.64, broadcast x.x.x.127
machines range from x.x.x.65 to x.x.x.126
Subnet 3 = '10' network x.x.x.128, broadcast x.x.x.191
machines range from x.x.x.129 to x.x.x.190
Subnet 4 = '11' Illegal because subnet is all 1s
addresses x.x.x.192 to x.x.x.255 are wasted
Thus, if you had a Class C that you wanted to divide into two subnets,
you would use the 192 netmask described above, and end up with two
ranges of 63 machines each.
Now, the above all assumes that you own a Class C network, that is a
network with an network address between 192.*.*.* and 223.*.*.*.
Another common situation is the case where you are on a Class B
network (ie 150.101.0.0), but you actually control a network
equivalent in size to a Class C (ie 150.101.16.0), and you want to
subnet further. Things work about the same as above, but you do not
have to waste the top and bottom IP ranges. This is because the entire
subnet, which is nine or more bits long, is not set to all 0s or all 1s
in those cases only the last two digits are. So, if we were subnetting
150.101.16.0 further, using the 192 subnet, our table would look like
this:
IP ADDRESS = 150.101.16.0
(though any class B, further subnetted will work the same)
NETMASK = 255.255.255.192 = 11111111.11111111.11111111.11000000
Subnet 1 = '00010000.00' network 150.101.16.0, broadcast 150.101.16.63
machines range from 150.101.16.1 to 150.101.16.62
Subnet 2 = '00010000.01' network 150.101.16.64, broadcast 150.101.16.127
machines range from 150.101.16.65 to 150.101.16.126
Subnet 3 = '00010000.10' network 150.101.16.128, broadcast 150.101.16.191
machines range from 150.101.16.129 to 150.101.16.190
Subnet 4 = '00010000.11' network 150.101.16.192, broadcast 150.101.16.255
machines range from 150.101.16.193 to 150.101.16.254
Subnetting by the bit can be a pretty complex process and SunService
can not provide further assistance on initial configuration of this
type. However, if you're trying to subnet at this small of a level,
and don't totally understand how to do so, consult Section 8.0 and 9.0
for where you can get further assistance from within Sun.
3.11: How to Protect a Gateway Machine
Routing:
---------------
You may find that you wish to keep a gateway machine from sending
routing information via certain interfaces. This is usually done on a
machine that acts as a firewall of some type. Assuming that you have a
multiple interface machine that is advertising routing information
(via in.routed and in.rdisc), you should do two things.
First, totally turn off in.rdisc:
%%%% mv /usr/sbin/in.rdisc /usr/sbin/rdisc.save
Second, add norip lines to the /etc/gateways file for all interfaces
that you do not want routing information to be sent through. For
example, if le1 led to an external net, you would probably add the
following entry:
%%%% cat /etc/gateways
norip le1
This type of setup should only be done on a firewall machine where you
are trying to decrease your net connectivity.
IP forwarding:
---------------
For Security and network isolation. You can set ip_forwarding off and
ip_strict_dst_multihoming on, if you are trying to prevent access to
the other interfaces.
"ndd /dev/ip ip_forwarding" Determines if the workstation will route
packets.
ex: ndd -set /dev/ip ip_forwarding 0
"ndd /dev/ip ip_strict_dst_multihoming" Determines whether to use
Strict
Destination Multihoming. If this variable is set to True, and ip_forwarding
is turned off, then the machine will not except packets destined for a
different interface. RFC112
ex: ndd -set /dev/ip ip_strict_dst_multihoming 0
also see:
"ip_forward_directed_broadcasts" Determines whether to forward
broadcasts directed to a specific net or subnet, if directly connected
"ip_forward_src_routed" Determines whether to forward packets that are
source routed,(packets which have a specific machine listed as part of route)
3.12: How to Proxy Arp
Proxy ARPing involves one machine answering ARP requests for another
machine. This is most frequently done when a point-to-point interface
(ie PPP) is being used. For example, imagine the following setup:
ppp-machine psi
150.101.16.200---PPP LINK--ttya--150.101.16.28--le0--150.101.16.0 NETWORK
8:0:20:1:2:70 8:0:20:1:2:3
^^^ether NA
default route=psi
In this example systems on le0 network would have problems, because systems
on the le0 network and ppp link are not directly connected on the 150.101.16.0
network, 150.101.16.X will arp for 150.101.16.200 and not get a response.
Using psi to proxy arp on behalf of the ppp-machine will allow the packets
to be forwarded properly.
The following command, run on psi, would allow that machine to proxy
arp for ppp-machine:
# arp -s ppp-machine 8:0:20:1:2:3 pub
^^^ ^^^^^^^^^^^^
ppp client hostname psi servers Ethernet Mac address
Note that psi supplies its own Ethernet address, not ppp-machine's.
This is because ARP should cause packets to go to psi, which is the
only machine which actually can pass on packets to ppp-machine.
(This command should also be put in the rc files if you wish it to be
permanent.)
Example:
Create an executable file called /etc/rc2.d/S99proxyarp. This should
have an arp entry for each of the clients , listing your server's Ethernet address:
#!/bin/sh
#
# S99proxyarp script to force ip forwarding
# and add published arp entries for point to point clients.
ndd -set /dev/ip ip_forwarding 1
arp -s ppp-pc1 8:0:20:1:2:3 pub
arp -s ppp-pc2 8:0:20:1:2:3 pub
make it executable:
# chmod +x /etc/rc2.d/S99proxyarp
3.13: How to Remove ARP Entries in Solaris?
You may determine that you need to remove arp entries. This could be
done if a machine has changed ether addresses, and you must have
access to it at once, or if a proxy arp has changed. You can delete a
single ARP entry with the following command:
# arp -d machine-name
a simple way to clear a machine's entire ARP cache without rebooting, deleting
entries manually or waiting for timeouts.
# ifconfig le0 <IP>
The above command ( = ifconfig down; ifconfig up) will delete all entries
including static entries and published virtual interface entries.
See srdb 11416 for arp time-out info.
srdb 11416 what are the ARP values set by ndd?
4.0 Some Frequently Asked Questions
4.1: Miscellaneous Questions
QUESTION: Does Sun support gated?
ANSWER: No. The public domain version of gated is available via several ftp sites,
However, SunService can provide NO assistance with gated.
Where to get GateD:
The GateD Consortium can be reached at:
http://www.gated.org/
http://www.gated.org/new_web/code/code/gated-multi/code.html
Sun offers this tar file strictly as a convenience, and offer no warranty,
etc. ftp://playground.sun.com/pub/GateD/
QUESTION: What type of routing should I use?
ANSWER: This depends on your overall network setup, and your goals.
If your machine is on a simple unchanging network, that only has a few
routers connecting it, it is best to just install one static default
router. In addition, you _must_ use a static default router if you do
not (or can not) propagate either Router Discovery or RIP messages
within your network. The only deficit with this method is that you
don't have a fallback if the primary router fails. This is not a
problem in Solaris 2.4 and above, which allow multiple router entries
in the defaultrouter file. Section 3.1 explains how to set up a
default router.
If you have a complex internal network, or a network that frequently
changes, or you want to make sure that your machine has fallback
opportunities if your primary router goes down, you should use one of
the dynamic routing programs. If you have multiple routers which all
support Router Discovery and are on a Solaris system, you will want to
run in.rdisc. Otherwise, you'll want to run in.routed.
Note that dynamic routing programs will not work unless you have
already configured the machines on your network to send out either
Router Discovery or RIP messages. Also, you should be aware that the
dynamic routing protocols will introduce some limited level of
additional traffic to your network.
Sections 3.3 and 3.4 explain how to set up in.routed and in.rdisc.
QUESTION: What routes are automatically set up?
ANSWER: A few routes automatically get set up every time your machine is
booted.
First, all machines will always have a localhost route back to
themselves:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
127.0.0.1 UH 0 591 lo0
This is standard and increases the efficiency of packets that a
machine sends to itself.
Second, Solaris machines have a special multicast route:
224.0.0.0 150.101.16.28 U 3 0 le0
Multicast routes are used by certain programs that broadcast to a
group of machines rather than to the subnet in general.
Finally, all machines will always set up one route for each of their
interfaces. The route will be a simple one which says that all packets
which go to the interface's network should be routed through the
interface.
For example, I have one interface, le0, with an IP address of
150.101.16.28. Since I use a netmask of 255.255.255.0, this means that
my local network is 150.101.16.0, and the route looks like this:
150.101.16.0 150.101.16.28 U 3 951 le0
(It should be noted that machines which use point-to-point interfaces,
such as PPP, will have slightly different routes consult the PPP Tip
Sheet for more info on these.)
QUESTION: Where did all these routes in my routing table come from? When I look
at netstat -rn I see a lot of routes that I didn't add.
ANSWER: As noted in the previous question and answer, you will get one for each
interface is configured on bootup as well as for the loopback and multicast
addresses.
One of the following Sun routing daemons may have added them:
in.routed
in.rdisc
GateD (or any other 3rd party, non-Sun supported routing daemon may add them)
/etc/gateways may have routing table entries that get added
They may have manually been entered on the command line
ICMP redirects from routers can add them (look for the D flag in the netstat
-rn
output).
They may have been added to some script (probably executed during bootup)
somewhere on the system. Check for this by grep'ing for "route" in
directories like /etc/rc2.d, /etc/rc3.d and so on.
QUESTION: Why was ip_forwarding changed in 2.6 and above.
ANSWER: ip_forwarding of 0 is now the default and the value 2 was removed to comply
more strictly to RFC1122 (default MUST be to not forward packets)
In 2.6, 2.7 if a defaultrouter is defined, then S69inet will set
ip_forwarding off(0)
unless DHCP has set IpFwdF. see 2.7 ip(7P)
Bug references:
Bug Id: 1113271 Synopsis: ip_forwarding should be configurable via /etc/system
Bug Id: 4135171 Synopsis: 2.6 routing issue should be documented
Bug Id: 4052347 Synopsis: Man page for ip needs updated for new ip_forwarding
values in Solaris 2.6
To force ip_forwarding on, add the ndd change in the startup script.
ndd -set /dev/ip ip_forwarding 1
The Netra implements a S99routing
(/opt/netra/networking/routing/bin/boot.conf)
that turns it on
#!/bin/sh
ndd -set /dev/ip ip_forwarding 1
ndd -set /dev/ip ip_forward_src_routed 0
---
2.7 ip man page update:
"...The IP layer will normally act as a router (forwarding
datagrams that are not addressed to it, among other things)
when the machine has two or more interfaces that are up.
... When the IP module is loaded, ip_forwarding is 0
and remains so if:
o only one non-DHCP-managed interface is up (the most
common case)
o the file /etc/notrouter exists and DHCP does not say
that IP forwarding is on
o the file /etc/defaultrouter exists and DHCP does not
say IP forwarding is on
Otherwise, ip_forwarding will be set to 1."
-
4.2: Basic Routing Problems
This sections outlines a very common routing problems. The techniques
described in Section 2.0 will be needed to resolve more difficult
routing problems.
QUESTION: Why can I only ping machines on my subnet?
ANSWER 1: You are using in.routed (this is how a machine ships by default),
but are not propagating RIP packets on your network. You should define
a default router, as described in Section 3.1.
ANSWER 2: Your netmask is set incorrectly on the machine which can not ping.
Sections 3.8 and 3.9 describe how to define a permanent custom
netmask.
ANSWER 3: You have a default router defined, but that machine is not
forwarding the IP packets. If that router is a Sun machine, you should
make sure that it has _not_ been modified as described in Section 3.6
or 3.7. If it is a non-Sun machine, SunService can not provide further
assistance in resolving why it might not be forwarding IP packets.
4.3: in.routed Errors
QUESTION: Why does in.routed constantly generate the following error:
"packet from unknown router, x.x.x.x"
ANSWER: This occurs because your machine is receiving broadcast packets
from a router that is on a different subnet. Since broadcast packets
will not typically cross subnet boundaries, this usually means that
you have machines from two subnets on the same physical wire.
Often, this is a mistake if you see this error, and do not expect to
have multiple networks on the same wire, you should track down the
source machine (x.x.x.x), and fix its IP address.
However, there are cases where this setup might be intentional, as
outlined in RFC 1597. This would imply that you had several networks
all using the same physical wire. Unfortunately, this is not currently
supported correctly, as is described in Section 6.1.
If you are on a SunOS machine, just install patch 100283 and this
problem will go away. More information on this is contained in Section
5.1.
Under Solaris, a fix for this issue is still pending. If the errors
are too much, you should revert to using a default router, as
described in Section 3.1, until the problem is corrected.
QUESTION: Why does in.routed keep bringing my PPP interface up?
ANSWER: in.routed automatically sends out RIP packets every 30 seconds.
This will keep your PPP interface up. To prevent this, you can put the
following entry in your /etc/gateways file:
%%%% cat /etc/gateways
norip ipdptp0
This will allow you to continue running in.routed, without have it
keep your PPP interface constantly up. Another Tip Sheet exists for
PPP which explains many routing problems associated with a PPP
interface.
4.4: netmask and broadcast Problems
QUESTION: why is my netmasks entry being ignored?
ANSWER 1: The network address listed in the netmasks file is a subnet
instead of the base network. Remember that the network address should
just be # if you are on a class A, #.# if you are on a class B, and
#.#.# if you are on a class C. Section 1.3 has a listing of which IP
addresses belong to which classes.
A2: Although you have added the netmasks to /etc/netmasks, you have
not put it in NIS. After NIS is brought up, your /etc/netmasks file is
no longer consulted. Make sure to duplicate any netmasks entries in
your NIS maps.
QUESTION: Why do I get segmentation faults on boot after changing my netmasks
file?
ANSWER: This is a known bug in some Solaris systems. It is mentioned in
Section 6.1. If you examine your /etc/netmasks file, you will find
that it contains blank lines. Remove them, reboot, and your system
will come up clean.
QUESTION: Does Sun support variable-length subnetting, per RFC 1219?
ANSWER: Solaris 2.6 or above supports VLSM and CIDR.
Q1: Why can't I add a netmask for a remote subnet?
QUESTION 2: If I add a netmask for a subnet not directly connected to my
machine, it is ignored. Why?
ANSWER: Sun systems only support netmasks for networks that are directly
connected to a machine. This means that if you try and add a netmask
for a network that is not directly connected to your machine, it will
fail. If you want to route to a remote network which is subnetted, the
correct method is to route to a machine that is directly connected to
the subnetted network, and then allow that machine to route to the
appropriate subnetwork.
When RFC 1219 is implemented on Suns, this functionality may become
available.
QUESTION: How do I make SunOS 4.x limited broadcast all 1's like solaris2.
ANSWER:
Manually specify the broadcast,
---------
example:
# ifconfig le0 flags=63<UP,BROADCAST,NOTRAILERS,RUNNING>
inet 1207.48.123.87 netmask ffffff00 broadcast 207.48.123.0
ether 8:0:20:1a:f:83
# ifconfig le0 broadcast 129.151.21.255
# ifconfig le0 flags=63<UP,BROADCAST,NOTRAILERS,RUNNING>
inet 207.48.123.87 netmask ffffff00 broadcast 207.48.123.255
ether 8:0:20:1a:f:83
---------
Add a ifconfig line to /etc/rc.local to take effect on bootup.
...
# set the netmask from NIS if running, or /etc/netmasks for all ether
interfaces
ifconfig -a netmask + broadcast + > /dev/null
ifconfig le0 broadcast 207.48.123.255
4.5: traceroute information and Problems
Sun does not support the public domain traceroute package.
New :
Solaris 2.7 software bundles the popular traceroute utility. The traceroute
utility is used to trace the route an IP packet follows to an Internet host.
Traceroute uses the
IP protocol ttl (time to live) field and attempts to elicit an ICMP
TIME_EXCEEDED response from each gateway along the path, and PORT_UNREACHABLE
(or ECHO_REPLY) from
the destination host. The traceroute utility starts sending probes with a ttl
of 1, and increases by one until it gets to the intended host or has passed
through a maximum
number of intermediate hosts.
The traceroute utility is especially useful for determining routing
configuration problems and routing path failures. If a particular host is
unreachable, the traceroute utility
can be used to see what path the packet follows to the intended host and where
possible failures occur. The traceroute utility also displays the round-trip
time for each
gateway along the path to the target host. This information can be useful for
analyzing where traffic is slow between the two hosts.
For more information, see TCP/IP and Data Communications Administration Guide.
The below questions simply note some problems that
we have run into with traceroute, and the simple steps that can be
taken to correct them. Further problems or errors with traceroute
should be directed to the traceroute author.
QUESTION: Why does traceroute fail on every other packet, under Solaris:
# traceroute psi
traceroute to psi (150.101.16.28), 30 hops max, 40 byte packets
1 psi (150.101.16.28) 6 ms * 2 ms
ANSWER: Solaris introduced a variable called 'ip_icmp_err_interval' which
enforces a minimum time in between ICMP error messages. traceroute
depends upon ICMP error messages, and tends to send them very fast. As
a result, if ip_icmp_err_interval is set to the default value on a
Solaris machine, traceroute's second packet will always get dropped,
as shown above. You can disable this Solaris feature by adjusting the
ndd variable:
# ndd -set /dev/ip ip_icmp_err_interval 0
If you want this change to be permanent, you should add it to the file
/etc/rc2.d/S69inet.
However, since every single Solaris machine between you and your
destination must change this variable, it is often more reasonable
just to let every second packet get dropped, and not worry about it.
4.6: arp Problems
QUESTION: Why does arp fail with the following message:
# arp -s system 0:8:20:1:2:3 pub
"system: No such device or address"
ANSWER: This occurs if you try and use arp to add a machine that is not on
a local network. You may only arp entries for hosts on subnets that
are directly connected to your machine.
5.0 Patches
The following is the list of all of the routing related patches for
4.1.3, 4.1.3_u1, 4.1.4, 5.3 and 5.4. If you are having routing
problems, installing the patches is a good place to start, especially
if you recognize the general symptoms noted below.
In order for a machine to be stable, all of the recommended patches
should be installed as well. The list of recommended patches for your
operating system is available from sunsolve1.sun.com.
5.1: Routing Patches for SunOS
100283 SunOS 4.1.1 4.1.2 4.1.3: in.routed mishandles gateways, multipl
Fixes problems in the way that routed broadcasts some routes, and
corrects an error in routing to machines with multiple interfaces on
the same physical wire.
5.2: Routing Patches for Solaris
101318 SunOS 5.3: Jumbo patch for kernel (includes libc, lockd)
104231 SunOS 5.3: in.routed patch
101945 SunOS 5.4: jumbo patch for kernel
104232 SunOS 5.4: in.routed patch
103169 SunOS 5.5: arp,ip,udp,icmp driver and ifconfig fixes
104234 SunOS 5.5: in.routed patch
103630 SunOS 5.5.1: ip ifconfig arp udp icmp patch
104236 SunOS 5.5.1: in.routed finds packet from unknown router
104958 SunOS 5.5.1: usr/sbin/in.rdisc patch
105786 SunOS 5.6: /kernel/drv/ip patch
Resolve a large number of problems related to in.routed, and the
kernel routing tables. Should be installed on all machines,
but are an absolute necessity for routers.
5.3: ARP Patches for SunOS
100361 SunOS 4.1.1 4.1.2 4.1.3: server not responding due to limits of arp
Corrects problems caused by the arp table being limited to 512 entries.
Should be installed if you are hitting this limit.
6.0 Known Bugs And RFEs
The following bugs & rfes reflect currently open issues with the routing
software.
6.1: Bugs
1182386 in.routed finds packet from unknown router
Sun's in.routed complains if it gets a broadcast from a router on a different
network. This is in
violation of RFC 1597. The following patches correct this:
104022 SunOS 4.1.3: in.routed fixes
104023 SunOS 4.1.3_U1: in.routed finds packet from unknown router
104024 SunOS 4.1.4: in.routed finds packet from unknown router
104231 SunOS 5.3: in.routed patch
104232 SunOS 5.4: in.routed patch
104234 SunOS 5.5: in.routed patch
104236 SunOS 5.5.1: in.routed finds packet from unknown router
104237 SunOS 5.5.1_x86: in.routed finds packet from unknown router\unformat
3002202 ifconfig core dumps when /etc/netmasks ends with blank line
On Solaris 2.4, if you inadvertantly end your netmasks file with a blank line,
ifconfig will coredump
on the next boot you will need to bring your system down to single user mode in
order to correct this
problem. No patch will be made available for this in 2.4, but the problem has
been corrected in 2.5
\unformat
6.2: RFEs
1061398 allow subnet specification in /etc/netmasks for OSPF2, RFC 1219
This RFE requests that the Sun routing programs be brought into accordance with
RFC 1219, to allow
Variable Length Subnet Masks (VLSM) and Classless Inter-Domain Routing (CIDR).
VLSM pertains to routing within a network. Without VLSM, all subnets of a
network must use the
same mask. The mask need not be a conventional "even byte boundary"
mask (ie 255.255.0.0 or
255.255.255.0) but the same mask must be used throughout the network.
CIDR pertains to routing to other networks. Without CIDR, it is impossible to
have routes to a
subnet of another network. You can have a route to another network. But you
cannot add a more
specific route to a subnet of that other network.
Bug/RFE 1061398 is addressed in Solaris 2.6.
Outstanding routing protocol RFE's:
Bug Id: 1047216 Synopsis: Would like gated incorporated into next O.S release
Bug Id: 1168709 Synopsis: Request for support of OSPF (rfc1247) in Solaris
Bug Id: 4075054 Synopsis: Solaris 2.6 doesn't deliver a routing deamon to
support
variable length subnet
7.0 References
7.1: Important Man Pages
arp
in.rdisc (Solaris only)
netmasks
route
routed
routing
7.2: Sunsolve Documents
There are a number of Sunsolve documents concerning routing,
subnetting and netmasks. The ones listed below are simply those which
contain some amount of information which is not already in this
document.
7.2.1: Infodocs
2176 Subnetting definition
2180 Routing and delivery of datagrams
7.2.2: SRDBs
4713 ARP Thrashing in Large Bridged Networks
5823 booting diskless client fails with ARP/RARP timeout
5986 Subnetting
7.3: Sun Educational Services
[pending]
7.4: Solaris Documentation
[pending]
7.5: Third Party Documentation
_
TCP/IP Illustrated, Volume 1_, by W. Richard Stevens, published by
Addison-Wesley Publishing Company, ISBN 0-201-63345-9
An excellent text explaining how the various TCP/IP protocols work.
The chapters on arp, ping, traceroute, IP routing, dynamic routing,
broadcasting and multicasting are all very useful in gaining an
understanding of the way that the routing protocols work.
_Internetworking With TCP/IP Volume 1_, by Douglas Comer
Another book with good information on networking.
7.6: RFCs
RFC's are the internet-written documents that define the specifications
of many common networking programs. They can be retrieved from
nic.ddn.mil, in the /rfc directory.
A very large number of RFCs describe routing over the internet.
Included below are just some of the RFCs which most directly cover the
topics described in this document.
917 Internet subnets
Original specs for subnets and netmasks.
950 Internet Standard Subnetting Procedure
Additional notes on subnetting.
1219 On the Assignment of Subnet Numbers
Suggestions for additions to the subnet specs, which have not yet
been incorporated by Sun.
1256 ICMP router discovery messages
Specs for the Router discovery protocol, as implemented in in.rdisc.
8.0: Supportability
Sun is not responsible for the initial configuration of your
network routing. In addition, we can not help resolve routing problems
caused by your routers, bridges or other machines.
SunService can help resolve problems where your Sun is not sending
packets correctly to its next-hop router, or where one of your Sun's
routing daemons is not responding correctly, but in such cases, the
contact must be a system administrator who has a good understanding of
the network layout, and its routing design.
9.0: Additional Support
For overall routing configuration, please contact your local
SunService office for possible consulting offerings. Sun's Customer
Relations organization can put you in touch with your local Sun Integration or Sales office.
|