Introduction

It is essential to have an understanding of basic networking tools when administering and troubleshooting Linux servers. While some tools are made primarily for monitoring, other low-level utilities are used to configure the network connection itself and implement default settings. Traditionally, a group of unrelated tools lumped together under the title of net-tools was used to do this. They were often packaged together to provide full functionality coverage, but their development and usage strategy varied from tool to tool. Because of these inconsistencies, as well as halted maintenance, a collection of tools known under the umbrella moniker iproute2 is used to replace these separate tools.
That is, both If you are not sure whether something is a valid host address, use ipcalc or a similar program to check. If you add more than one address, your machine will accept packets for all of them. All additional addresses you set become secondary addresses. Linux does allow the same address to be configured on multiple interfaces, and this has valid use cases.
Try to always set the primary address first. However, if the sysctl variable net. Note that net. By default all neighbors are displayed. Commands from the "ip link" family perform operations that are common to all interface types, such as viewing link information or changing the MTU. In newer iproute2 versions, since at least 3. You need to bring them up to start using them. You need to bring it down before doing it.
The best-known example is the MAC address of ethernet devices. Apart from reducing fragmentation in tunnels, as in the example above, this is also used to increase the performance of gigabit ethernet links that support so-called "jumbo frames" (frames up to bytes large). If all your equipment supports gigabit ethernet, you may want to do something like: ip link set dev eth0 mtu Note that you may need to configure it on your L2 switches too; some of them have it disabled by default.
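The address and MTU rules above, put into a script. This is an added example, not code from the cheat sheet: addresses are applied primary first, the MTU is range-checked before it is set, and the result is verified by parsing "ip -o" output, where every secondary address carries the word "secondary" in front of its label. The helper names (ip_cmd, apply_addrs, set_mtu, primary_addr, secondary_addrs), the interface eth0, the 192.0.2.0/24 addresses and the jumbo MTU of 9000 are assumptions; the "ip -o" sample is constructed. Commands are printed, and only executed when IP_APPLY=1, because they need root.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
# ip_cmd prints each ip command and runs it only when IP_APPLY=1 (needs root).
ip_cmd() {
    printf 'ip %s\n' "$*"
    [ "${IP_APPLY:-0}" = 1 ] && ip "$@"
    return 0
}

# Apply addresses in argument order: the first one becomes the primary address,
# every later one a secondary. usage: apply_addrs eth0 192.0.2.10/24 192.0.2.11/24
apply_addrs() {
    dev=$1; shift
    for a in "$@"; do
        ip_cmd address add "$a" dev "$dev"
    done
    ip_cmd link set dev "$dev" up
}

# Set the MTU after a range check (68 is the IPv4 minimum, 65535 the IP maximum).
# 9000 is the usual jumbo-frame value, assumed here; it must match the L2 switches.
set_mtu() {
    case $2 in ''|*[!0-9]*) echo "mtu must be a number" >&2; return 1;; esac
    if [ "$2" -lt 68 ] || [ "$2" -gt 65535 ]; then
        echo "mtu $2 out of range" >&2; return 1
    fi
    ip_cmd link set dev "$1" mtu "$2"
}

# Parse `ip -o -4 address show dev DEV` read from stdin. With -o each address is one line:
#   IDX: DEV inet ADDR/PLEN brd ... scope global [secondary] LABEL\ ...
primary_addr()    { awk '$3 == "inet" && !/ secondary / { print $4 }'; }
secondary_addrs() { awk '$3 == "inet" &&  / secondary / { print $4 }'; }

# Live check (only meaningful after IP_APPLY=1): ip -o -4 address show dev eth0 | secondary_addrs
# Constructed sample of that output after the three adds below:
SAMPLE='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.12/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever'

apply_addrs eth0 192.0.2.10/24 192.0.2.11/24 192.0.2.12/24
set_mtu eth0 9000
printf '%s\n' "$SAMPLE" | secondary_addrs
```

The order matters because deleting the primary address of an interface also drops its secondaries unless the kernel has been told to promote one in its place (the sysctl the cheat sheet refers to above), so a script that rotates addresses should add the new primary before it removes the old one.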
In this case, neighbor table entries for whitelisted MACs must be created manually (see the neighbor table management section), or nothing will be able to communicate with that interface. Do not change this flag unless you are sure what you are doing and why.
VLANs can be created over bridge, bonding, and other interfaces capable of processing ethernet frames, too. The common use case is this: suppose you are a service provider and you have a customer who wants to use your network infrastructure to connect parts of their network to each other.
The service tag is the VLAN tag the provider uses to carry client traffic through their network. The client tag is the tag set by the customer. Standards-compliant QinQ is available since Linux 3. They look like normal ethernet interfaces from the user's point of view and handle all traffic received by their parent interface for the MAC address they are assigned. This is commonly used for testing, or for running several instances of a service identified by MAC address when only one physical interface is available.
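The three link types just described, as an added example that is not the cheat sheet's own code: a plain 802.1Q VLAN, a QinQ stack in which the outer service tag is an 802.1ad VLAN and the inner customer tag an ordinary 802.1Q VLAN on top of it, and a macvlan. The parent eth0, the names mv0 and eth0.100.200, the ids 100 and 200 and the helper names are assumptions. Commands are printed, and executed only when IP_APPLY=1.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
ip_cmd() { printf 'ip %s\n' "$*"; [ "${IP_APPLY:-0}" = 1 ] && ip "$@"; return 0; }

# VLAN ids are 12 bits: 0 and 4095 are reserved, so only 1..4094 may be configured.
vlan_id_ok() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# 802.1Q VLAN on top of a parent; the child is named <parent>.<id> by convention.
vlan_add() {            # vlan_add eth0 100
    parent=$1; id=$2
    vlan_id_ok "$id" || { echo "bad vlan id: $id" >&2; return 1; }
    ip_cmd link add link "$parent" name "$parent.$id" type vlan id "$id"
    ip_cmd link set dev "$parent.$id" up
}

# QinQ (802.1ad): service tag outside, customer tag inside. Frames leaving the
# parent carry [S-tag][C-tag]; the inner interface is a normal 802.1Q VLAN whose
# parent is the 802.1ad one.
qinq_add() {            # qinq_add eth0 100 200
    parent=$1; svlan=$2; cvlan=$3
    vlan_id_ok "$svlan" && vlan_id_ok "$cvlan" || { echo "bad vlan id" >&2; return 1; }
    ip_cmd link add link "$parent" name "$parent.$svlan" type vlan protocol 802.1ad id "$svlan"
    ip_cmd link add link "$parent.$svlan" name "$parent.$svlan.$cvlan" type vlan id "$cvlan"
    ip_cmd link set dev "$parent.$svlan" up
    ip_cmd link set dev "$parent.$svlan.$cvlan" up
}

# macvlan: a second MAC on the same physical port, e.g. for a second instance of a
# service. "mode bridge" lets macvlans on one parent talk to each other; the parent
# interface itself still cannot reach them, which is a kernel macvlan property.
macvlan_add() {         # macvlan_add eth0 mv0
    ip_cmd link add link "$1" name "$2" type macvlan mode bridge
    ip_cmd link set dev "$2" up
}

vlan_add eth0 100
qinq_add eth0 100 200
macvlan_add eth0 mv0
```

Interface names are limited to 15 characters, so with long parent names the <parent>.<svlan>.<cvlan> convention has to be shortened; pick the names explicitly rather than relying on it.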
Their first purpose is communication between programs inside the host. The second purpose exploits the fact that they are always up unless administratively taken down. This is often used to assign service addresses to them on routers with more than one physical interface: as long as the traffic to the address assigned to a loopback or dummy interface is routed to the machine that owns it, you can reach it through any of that machine's interfaces.
They can be used to relay traffic transparently between ethernet interfaces and, increasingly commonly, as ethernet switches for virtual machines running inside hypervisors. You can assign an IP address to a bridge, and it will be reachable from all bridge ports. If this command fails, check whether the "bridge" module is loaded. An interface added to a bridge operates only on the data link layer and ceases all network layer operation of its own, so addresses belong on the bridge, not on its ports. You need to set up bonding parameters according to your situation.
This is far beyond the cheat sheet's scope, so consult the documentation. This is also far beyond the scope of this document; consult the tc documentation. They are used in conjunction with system partitioning features such as network namespaces and containers (OpenVZ, LXC) for connecting one partition to another.
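A bridge with ports, and a veth pair connecting a network namespace to it, as an added example (not the cheat sheet's code). It also respects the caveat the page notes later: an interface moved into another namespace loses its addresses and comes up DOWN, so the veth end that lands in the namespace is configured only after the move, through "ip -n". The names br0, guest1, veth-guest1, the address 10.0.0.2/24 and the helper names are assumptions. Commands are printed, and executed only when IP_APPLY=1.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
ip_cmd() { printf 'ip %s\n' "$*"; [ "${IP_APPLY:-0}" = 1 ] && ip "$@"; return 0; }

# Bridge plus a list of ports. Once enslaved, a port is pure L2: its addresses are
# useless, so any address for the segment goes on the bridge itself.
bridge_create() {       # bridge_create br0 eth0 eth1
    br=$1; shift
    ip_cmd link add name "$br" type bridge
    for port in "$@"; do
        ip_cmd link set dev "$port" master "$br"
        ip_cmd link set dev "$port" up
    done
    ip_cmd link set dev "$br" up
}

# veth pair: one end stays in the host as a bridge port, the peer is created directly
# inside the namespace (it is named eth0 there; names are per namespace). Everything
# done on the namespace side happens after the move, since the move resets the link.
attach_ns_to_bridge() { # attach_ns_to_bridge br0 guest1 10.0.0.2/24
    br=$1; ns=$2; addr=$3
    ip_cmd netns add "$ns"
    ip_cmd link add "veth-$ns" type veth peer name eth0 netns "$ns"
    ip_cmd link set dev "veth-$ns" master "$br"
    ip_cmd link set dev "veth-$ns" up
    ip_cmd -n "$ns" link set dev eth0 up
    ip_cmd -n "$ns" address add "$addr" dev eth0
}

bridge_create br0 eth0
attach_ns_to_bridge br0 guest1 10.0.0.2/24
```

"ip -n NS" runs a single ip command inside a namespace created with "ip netns"; "ip netns exec NS <command>" does the same for arbitrary programs. The namespace keeps only its loopback and whatever is created or moved into it, so addresses, routes and the UP state all have to be set again on that side.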
You can add network interfaces to a numbered group and perform operations on all the interfaces in that group at once. Links not assigned to any group belong to group 0, aka "default".
The symbolic name "default" for group 0 comes exactly from there. You can have up to named groups. Once you have configured a group name, the number and the name can be used interchangeably in ip commands.
Example: After that you can use that name in all operations, like in ip link set dev eth0.
When a userspace program opens them, it gets a file descriptor.
Packets routed by the kernel networking stack to the device are read from the file descriptor; data the userspace program writes to the file descriptor is injected into the networking stack as locally originated outgoing packets.
The difference between the two is that tap sends and receives raw Ethernet frames, while tun carries IP packets with no link-layer header. The commands listed here manipulate persistent devices. This command is the only way to find out whether a device is in tun or tap mode.
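An added example (not from the cheat sheet) for the persistent-device commands: create a tap owned by an unprivileged user, so the program using it can open it without root and the device survives the program exiting, then check the mode from "ip tuntap show" output, since "ip link" shows tun and tap devices as plain links. The names tap0, tun0, vpnuser, the helper names and the "ip tuntap show" sample are assumptions (the sample is constructed). Commands are printed, and executed only when IP_APPLY=1.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
ip_cmd() { printf 'ip %s\n' "$*"; [ "${IP_APPLY:-0}" = 1 ] && ip "$@"; return 0; }

# Persistent tap owned by a user: that user can open /dev/net/tun for this device
# without privileges, and the device stays after the program closes it.
tap_for_user() {        # tap_for_user tap0 vpnuser
    ip_cmd tuntap add dev "$1" mode tap user "$2"
    ip_cmd link set dev "$1" up
}

# Read `ip tuntap show` output from stdin and print "tun" or "tap" for the named
# device; fail if the device is not a tun/tap device at all. Each line there looks
# like "NAME: MODE [flags] [user UID] [group GID]".
tuntap_mode() {         # printf '%s\n' "$SAMPLE" | tuntap_mode tap0
    awk -v dev="$1:" '$1 == dev { print $2; found = 1 } END { exit !found }'
}

# Constructed sample of `ip tuntap show` with one device of each kind.
SAMPLE='tap0: tap persist user 1000
tun0: tun persist'

tap_for_user tap0 vpnuser
printf '%s\n' "$SAMPLE" | tuntap_mode tap0
```

Deleting a persistent device is the mirror image ("ip tuntap del dev tap0 mode tap"); the mode has to be given there too, which is one more reason to look it up first.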
This is often used for virtual private networks in conjunction with encrypted transport protocols like IPsec, or for connecting networks that use some protocol via an intermediate network that does not use it, e.g. IPv6 networks separated by an IPv4-only segment.
Note: tunnels on their own offer zero security. They are exactly as secure as their underlying network, so if you need security, run them over an encrypted transport such as IPsec. Note that tunnels are created in the DOWN state; you need to bring them up. There are so-called "tunnel brokers" that provide such tunnels to everyone interested, e.g. Hurricane Electric's tunnelbroker. Recent kernel and iproute2 versions also support gretap over IPv6; replace the mode with "ip6gretap" to create an IPv6-based link.
A tunnel interface created this way looks like an L2 link, and it can be added to a bridge. This is used to connect L2 segments via a routed network. The key may be given in dotted-decimal, IPv4-like format. Note that the key does not add any security to the tunnel: it is an unauthenticated identifier sent in the clear. This is the same as what is called "mode gre multipoint" in Cisco IOS. This type of tunnel allows you to communicate with multiple endpoints through the same tunnel interface. As there is no explicit remote endpoint address, it is obviously not enough to just create a tunnel.
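The GRE variants above as an added example that is not the cheat sheet's code: a point-to-point GRE tunnel carrying IP, a gretap (or ip6gretap) link keyed and enslaved to a bridge, and, since the page's own caveat is that a tunnel is only as secure as the network under it, a check that an IPsec policy covers the tunnel endpoints before the tunnel is trusted. The endpoints 198.51.100.1 and 203.0.113.1 (and the 2001:db8:: pair), the names gre1, gt0, gt6, br0, the key 1234, the helper names and the "ip xfrm policy" sample (constructed) are assumptions. Commands are printed, and executed only when IP_APPLY=1.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
ip_cmd() { printf 'ip %s\n' "$*"; [ "${IP_APPLY:-0}" = 1 ] && ip "$@"; return 0; }

# Point-to-point GRE tunnel carrying IP. It is created DOWN and must be brought up
# before the address on it is of any use.
gre_p2p() {             # gre_p2p gre1 LOCAL REMOTE 10.10.10.1/30
    ip_cmd tunnel add "$1" mode gre local "$2" remote "$3" ttl 64
    ip_cmd link set dev "$1" up
    ip_cmd address add "$4" dev "$1"
}

# gretap: an L2 link over IP, enslaved to a bridge so two Ethernet segments become
# one. The key only separates tunnels that share the same endpoints; it travels in
# plaintext and authenticates nothing, so whoever can spoof the remote address can
# inject frames into the bridge. The optional 6th argument selects ip6gretap.
gretap_bridged() {      # gretap_bridged gt0 LOCAL REMOTE KEY br0 [gretap|ip6gretap]
    ip_cmd link add "$1" type "${6:-gretap}" local "$2" remote "$3" key "$4" ttl 64
    ip_cmd link set dev "$1" master "$5"
    ip_cmd link set dev "$1" up
}

# Sanity check before relying on a tunnel: is there an IPsec policy for GRE between
# these two endpoints? Reads `ip xfrm policy` output from stdin and looks for a
# selector line of the form "src A/32 dst B/32 proto gre". (hypothetical check)
xfrm_covers() {         # printf '%s\n' "$XFRM_SAMPLE" | xfrm_covers LOCAL REMOTE
    awk -v s="src $1/32" -v d="dst $2/32" \
        '$0 ~ s && $0 ~ d && /proto gre/ { f = 1 } END { exit !f }'
}

# Constructed sample: an outbound transport-mode ESP policy covering GRE from A to B.
XFRM_SAMPLE='src 198.51.100.1/32 dst 203.0.113.1/32 proto gre
    dir out priority 0 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 1 mode transport'

gre_p2p gre1 198.51.100.1 203.0.113.1 10.10.10.1/30
gretap_bridged gt0 198.51.100.1 203.0.113.1 1234 br0
gretap_bridged gt6 2001:db8::1 2001:db8::2 1234 br0 ip6gretap
printf '%s\n' "$XFRM_SAMPLE" | xfrm_covers 198.51.100.1 203.0.113.1 && echo "gre path covered by IPsec"
```

The check is deliberately one-directional: a policy for A to B says nothing about B to A, so run it on both ends, for both directions, and remember that "ip xfrm policy" only reports what the kernel has been configured with, not whether the peer actually negotiated anything.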
Your system needs to know where the other endpoints are. For testing you can add peers manually, given the remote endpoint uses This is one of the cases where the link-layer address concept gets interesting. Recent versions allow both full and abbreviated forms, tested in iproute2-ss In many distros L2TPv3 is compiled as a module and may not be loaded by default. Compared to other tunneling protocol implementations in Linux, L2TPv3 terminology is somewhat reversed: you create a tunnel, and then bind sessions to it.
You can bind multiple sessions with different identifiers to the same tunnel. Virtual network interfaces, by default named l2tpethX, are associated with sessions.
Note: the Linux kernel implements only the handling of data frames, so with iproute2 you can create only unmanaged tunnels, with all settings configured manually on both sides. If you want to use L2TP for remote-access VPN or anything other than a fixed pseudowire, you need a userspace daemon to handle it; this is outside the scope of this document.
Session identifiers on both endpoints must match. Once you create a tunnel and a session, an l2tpethX interface appears in the down state. Bring it up and bridge it with another interface or assign an address to it. It also supports virtual network separation by transmitting a network identifier along with the frame.
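The unmanaged L2TPv3 pseudowire described above, generated for both endpoints from one description so the identifiers cannot drift apart. This is an added example, not the cheat sheet's code: on each end tunnel_id and session_id are that end's own identifiers and peer_tunnel_id and peer_session_id are the other end's, so side A's peer ids must equal side B's own ids and vice versa, which is what "must match" amounts to. The addresses 198.51.100.1 and 203.0.113.1, the ids 1000/2000 and 10/20, UDP port 5000, the interface name pw0 and the helper names are assumptions. Commands are printed, and executed only when IP_APPLY=1.

```shell
#!/bin/sh
# Added example; hypothetical helpers, not from the cheat sheet.
# If `ip l2tp` reports the operation as unsupported, the l2tp_eth and l2tp_netlink
# modules are probably not loaded (the page notes L2TPv3 is usually modular).
ip_cmd() { printf 'ip %s\n' "$*"; [ "${IP_APPLY:-0}" = 1 ] && ip "$@"; return 0; }

# One end of a static L2TPv3-over-UDP pseudowire: the tunnel first, then one session
# bound to it. "name" fixes the interface name instead of the default l2tpethX.
# The session interface appears DOWN, so it is brought up as the last step; after
# that it is bridged or addressed like any other link.
l2tp_pw() {             # l2tp_pw LOCAL REMOTE TID PEER_TID SID PEER_SID PORT IFNAME
    local_ip=$1; remote_ip=$2; tid=$3; ptid=$4; sid=$5; psid=$6; port=$7; ifname=$8
    ip_cmd l2tp add tunnel tunnel_id "$tid" peer_tunnel_id "$ptid" encap udp \
        local "$local_ip" remote "$remote_ip" udp_sport "$port" udp_dport "$port"
    ip_cmd l2tp add session name "$ifname" tunnel_id "$tid" session_id "$sid" peer_session_id "$psid"
    ip_cmd link set dev "$ifname" up
}

# Both ends from a single set of ids: what is "own" on A is "peer" on B and the other
# way round. Prints A's commands, then B's, each under a comment naming the host.
l2tp_pw_pair() {        # l2tp_pw_pair A_IP B_IP
    a=$1; b=$2
    echo "# on $a"
    l2tp_pw "$a" "$b" 1000 2000 10 20 5000 pw0
    echo "# on $b"
    l2tp_pw "$b" "$a" 2000 1000 20 10 5000 pw0
}

l2tp_pw_pair 198.51.100.1 203.0.113.1
```

Everything here is carried unauthenticated and unencrypted, exactly as the page says of tunnels in general; the ids are demultiplexing keys, not secrets, and anyone who can send UDP to port 5000 from the peer's address can feed frames into pw0. The same IPsec rule applies as for GRE.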
The downside is that you will need a multicast routing protocol, typically PIM-SM, to get it to work over routed networks.
However having used the trusted ifconfig, route and arp for so many years, I have never bothered to use ip and hence I now need to Google every time I want to see what my IP address is!

Find IP addresses of all active interfaces, equivalent of ifconfig:
    ip addr show up
Alternatively, if you want to see all the interfaces irrespective of their status, equivalent of ifconfig -a:
    ip addr
Assign an IP address to an interface, equivalent of ifconfig eth0 <address>. Using iproute2 you can add multiple IP addresses to the same interface without the use of interface aliases like eth
Mark an interface active, or bring up an interface, equivalent of ifconfig eth0 up:
    sudo ip link set eth0 up
Mark an interface inactive, or bring down an interface, equivalent of ifconfig eth0 down:
    sudo ip link set eth0 down
Enable the promisc flag on an interface, equivalent of ifconfig eth0 promisc:
    sudo ip link set dev eth0 promisc on
Disable the promisc flag on an interface, equivalent of ifconfig eth0 -promisc:
    sudo ip link set dev eth0 promisc off
MAC address spoofing, equivalent of ifconfig eth0 hw ether aa:bb:cc:dd:ee:ff (the link must be down while the address is changed):
    sudo ip link set dev eth0 down
    sudo ip link set dev eth0 address aa:bb:cc:dd:ee:ff
    sudo ip link set dev eth0 up
Display the ARP cache, equivalent of arp -an:
    ip neigh show
To see the ARP cache for a specific interface:
    ip neigh show dev eth0
To see the ARP entry for a specific IP address:
    ip neigh show <address>
For more information refer to the man pages. Even the sub-commands have short forms, so you could write ip r s dev eth0 instead of ip route show dev eth0.
Network management under Linux with iproute2
This type of tunnels will be widely used when transit operators phase IPv4 out, i. Each device must have at least one address in order to use the corresponding protocol. Moreover, when you move an interface to another namespace, it loses all existing configuration, such as the IP addresses configured on it, and goes to the DOWN state. What we are showing here is that unlike the behaviour in the 2. If the netmask does not exist, then we call the standard-class netmask function to determine the standard class for the given IP address.