
Re: how to force hpux to send packets out a particular interface

support_5
Super Advisor

how to force hpux to send packets out a particular interface

Hi folks,

Was wondering how we can make hp-ux send data out a particular interface, when there are more than one interface on the machine and when both those interfaces are on the same subnet and neither of them are the default route (which exists on yet another interface).

ie there are 3 interfaces, one has the default route on subnet A, and the other two have two unique IP addresses on subnet B, but we only want packets to leave the box on one of those interfaces, and not the other?

How can we force HP-UX to do this? Is it to do with the way the lan cards/routes are listed in netstat -rn? how can we "bump up" in the list the entry for the particular lan card we want packets to leave on? Is it determined by the PPA number of the lan card? Or what?

Much appreciate any advice on this, and in general, how the internal routing on HP-UX works.

Thank you,

- Andrew Gray
Sridhar Bhaskarla
Honored Contributor

Re: how to force hpux to send packets out a particular interface

Hi Andrew,

Two lan cards on the same subnet is not a supported configuration by HP, though you can make it work.

I believe the last interface configured on the system will be used to send the packets out. Receiving can be done on any interface based on how the packets were addressed to.

So if you want this setting to be retained after the reboot, make sure the interface from which you want to send the packets out got a higher index number in /etc/rc.config.d/netconf file.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: how to force hpux to send packets out a particular interface

Just thought of it after clicking submit.

If your idea is to aggregate the bandwidth, I suggest you use APA spending some $$ - Auto Port Aggregation which is meant for that purpose.

docs.hp.com has documents on it.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
support_5
Super Advisor

Re: how to force hpux to send packets out a particular interface

Hi,

Thanks for that info.

What about if it was the same lan card, but different aliased IP addresses? For example MC/ServiceGuard does this with packages. This way, you would have different IP addresses configured, but you wanted packets to that network to only go out from one IP address?

I wasn't thinking of bandwidth aggregation. Was more thinking about how to modify the way the packets are sent out.

I didn't know that multiple interfaces on the same subnet were not supported on HP-UX. Is that really the case? Surely it's not that hard to implement? What is the limitation?

Thanks again!

- Andrew Gray
Mohanasundaram_1
Honored Contributor

Re: how to force hpux to send packets out a particular interface

Hi Andrew,

Two interfaces on the same subnet is not supported in HP-UX, though it is very easy to configure, as you said.

When you configure 2 interfaces on the same subnet, I found that the CDE does not work properly, rlogin will not work and I do not know what other problems can come.

Serviceguard has the inbuilt feature to handle this same subnet IP configuration. However, outside serviceguard it is not supported.

Hope this helps.

With regards,
Mohan.
Attitude, Not aptitude, determines your altitude
rick jones
Honored Contributor
Solution

Re: how to force hpux to send packets out a particular interface

If you want traffic to a specific destination to leave the system by a specific interface, you need to set up specific routes (host or subnet) associated with that interface. You may also need/want to set ip_strong_es_model to a value of 1 and have applications bind to the appropriate source IP address, at which point their outbound traffic will favor routes with a matching source IP address.

I'm not sure that multiple _physical_ interfaces in the same subnet is "unsupported" but it is something that may not always provide the behaviour one first expects.

As for the order of routes and such, one cannot rely on that, and if you do, you will only be asking for trouble later. The only "ordering" on which one can rely is that routes will be selected based on the closest match first (host, net, default) taking source IP address into consideration if ip_strong_es_model is set.
there is no rest for the wicked yet the virtuous have no pillows
Sridhar Bhaskarla
Honored Contributor

Re: how to force hpux to send packets out a particular interface

Andrew,

The fact that HP doesn't support this configuration is from the following document - LAN administrator's guide.

http://docs.hp.com/hpux/onlinedocs/B2355-90796/B2355-90796.html

Look at the Troubleshooting Q&A.

You can configure logical interfaces (like lanx:1 etc) even outside serviceguard which is different from your configuration where the physical interface is different.

The outbound IP address/interface is determined by the order the subnet route appears in the system's routing table.

-Sri


You may be disappointed if you fail, but you are doomed if you don't try
support_5
Super Advisor

Re: how to force hpux to send packets out a particular interface

Hi All,

Thank you for your input. There is some very informative stuff there. Although there are a few conflicting opinions too, which it would be nice if they were resolved. But I get the general idea.

ip_strong_es_model
I would love to know what "ip_strong_es_model" is and what it means.


Thank you once again.

- Andrew Gray
rick jones
Honored Contributor

Re: how to force hpux to send packets out a particular interface

re ip_strong_es_model - you can try ndd -h ip_strong_es_model, or ftp://ftp.cup.hp.com/dist/networking/briefs/annotated_ndd.txt

there is no rest for the wicked yet the virtuous have no pillows
D Block 2
Respected Contributor

Re: how to force hpux to send packets out a particular interface

we are having a similar concern, so I tried the:


ndd -set /dev/tcp ip_strong_es_model 1

and my window got hung. I have to caution you when using this option. I fixed the problem by getting on the Console, and reverting this to default or 0.
Golf is a Good Walk Spoiled, Mark Twain.
Jeff Schussele
Honored Contributor

Re: how to force hpux to send packets out a particular interface

Hi Tom,

That probably happened because your connection was not achieved using the proper route. You essentially hung your session because the route your traffic was using was not standard and you set an enforcement of proper routing. Don't blame the OS for this - it was merely doing what you asked it to do.

If one is to make this change they should do it from the console during a quiescent period or from run-level 1 by manually editing the /etc/rc.config/nddconf file *before* coming up to run-level 3.

My 2 cents,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
rick jones
Honored Contributor

Re: how to force hpux to send packets out a particular interface

In the discussion at the URL I posted, I'm pretty sure (but not 100%) that I describe that setting ip_strong_es_model to 1 also means that IP datagrams will only be accepted on the interface with the matching IP address. They will no longer be accepted on other interfaces on the system.

That is part of the "strength" of the strong ES model.
there is no rest for the wicked yet the virtuous have no pillows
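
An added illustration, not part of any poster's reply and not HP-UX code: a simplified Python model of the route selection and inbound acceptance rules described in the replies above (closest match first, source address considered only under the strong ES model, inbound datagrams accepted only on the interface owning the destination address). Interface names, addresses and the tie-break on table order in the weak case are assumptions made for the example.

```python
import ipaddress

# Constructed sample host: lan0 carries the default route on subnet A,
# lan1 and lan2 both sit on subnet B (all addresses are illustrative).
ADDRS = {"lan0": "10.0.0.5", "lan1": "192.168.1.1", "lan2": "192.168.1.2"}
ROUTES = [  # (destination, interface); table order must not be relied on
    ("192.168.1.0/24", "lan2"),
    ("192.168.1.0/24", "lan1"),
    ("0.0.0.0/0", "lan0"),
]

def select_route(dst, src=None, strong=False, routes=ROUTES):
    """Return the interface used to reach dst, or None if nothing matches.

    Closest match wins (host, then net, then default). Under the strong
    model a bound source address breaks ties between equally specific routes.
    """
    dst_ip = ipaddress.ip_address(dst)
    best, best_key = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        src_match = strong and src is not None and ADDRS[iface] == src
        key = (net.prefixlen, src_match)
        if best_key is None or key > best_key:
            best, best_key = iface, key
    return best

def accept_inbound(dst, arrival_iface, strong=False):
    """Decide whether a datagram addressed to dst is accepted on arrival_iface."""
    if strong:
        return ADDRS.get(arrival_iface) == dst  # must arrive on the owning interface
    return dst in ADDRS.values()                # weak model: any local address will do

if __name__ == "__main__":
    print("weak, src bound to lan1:", select_route("192.168.1.50", "192.168.1.1"))
    print("strong, src bound to lan1:", select_route("192.168.1.50", "192.168.1.1", strong=True))
    print("strong, lan1 address arriving on lan2:", accept_inbound("192.168.1.1", "lan2", strong=True))
```

In this model a session addressed to lan1's IP address whose packets arrive on lan2 is accepted under the weak model and dropped under the strong one, which is why the setting is best changed from the console.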
D Block 2
Respected Contributor

Re: how to force hpux to send packets out a particular interface

Jeff- thx 4 your comments, I agree that one should be on the console.. lesson learned here. keep in mind, this was done to a Virtual Partition within a SuperDome Complex.. having 2 physical lan cards, and 4 networks defined, 3 of which are on one gelan card, and the 4th being exclusive on the 2nd gelan card.

Rick- can you clarify about "datagrams", I always think of a datagram as an unreliable delivery or UDP if you will, rather than the tcp transport being used by Telnet. I'm sure I'm patched all the way up for these gelan cards.. thanks to the ASE Jeff working on our acct.
Golf is a Good Walk Spoiled, Mark Twain.
D Block 2
Respected Contributor

Re: how to force hpux to send packets out a particular interface

Andrew (IT Support) - wanted to thank you for posting this issue.. I seem to have a number of concerns similar to yours. so I hope you allow me to tangent off a bit into some discussions with the Network kings.. Rick, etc..
Golf is a Good Walk Spoiled, Mark Twain.
support_5
Super Advisor

Re: how to force hpux to send packets out a particular interface

Yes, that's quite alright, go ahead. It has been interesting reading about how it all works, particularly the strong_es model concept. Although the concern has been raised that HP-UX will not accept packets arriving on different interfaces than the ones configured with the IP address, I highly doubt that this would happen since the routers will always route the packets to the interface with the IP address (unless routing is stuffed)

- Andrew
rick jones
Honored Contributor

Re: how to force hpux to send packets out a particular interface

packet is the "generic" term if you will. then down at the data link layer (layer2) we talk about frames. at the network layer (layer 3, eg IP) we talk about datagrams (or IP datagram fragments). at the transport layer (layer 4) we talk about datagrams for UDP or segments for TCP.

sooo, we could in theory have a frame, which contains an IP datagram fragment which contains part of a TCP segment.

wrt the only accept datagrams (I used the term datagrams because it was an IP layer decision) on the matching interface in ip_strong_es_model... folks might go ahead and exercise the support contract(s) (everyone is getting support contracts right?-) and ask for, oh, let's call it the ip_firm_es_model, that would have the outbound characteristics of the ip_strong_es_model = 1, but the inbound characteristics of the ip_strong_es_model = 0 (ie the weak ES model). i'd probably not add a new ndd setting, but simply a new value for ip_strong_es_model = 2 comes to mind as a possibility.
there is no rest for the wicked yet the virtuous have no pillows
support_5
Super Advisor

Re: how to force hpux to send packets out a particular interface

That is a brilliant idea. That gives many possibilities in how you could configure your network, and perhaps improve things like security without hurting the simplicity and ease of the administration.

Great idea? How about a feature request??

- Andrew Gray

Re: how to force hpux to send packets out a particular interface

I've a similar environment:
- MC/Service Guard
- A machine that only receives from an IP address
- Multiple lan cards.

My solution is to enable lan1:1 on /etc/rc.config.d/netconf like this

INTERFACE_NAME[1]=lan1
IP_ADDRESS[1]=0.0.0.0

INTERFACE_NAME[4]=lan1:1
IP_ADDRESS[4]=192.168.1.2
(...)

You can set up lan1 on "customer_defined_run_cmds" in the control script of MC/Service Guard with:

ifconfig lan1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

(this is the IP that we need to send packets)


and disable lan1 on
"customer_defined_halt_cmds" with

ifconfig lan1 0.0.0.0

(this is to avoid duplicate IP address on your environment in case of packet switching)

Let me know if it works for you
Have a nice day ;-)
support_5
Super Advisor

Re: how to force hpux to send packets out a particular interface


There is a better way to do this in MC/ServiceGuard. eg in the cntl file:

IP[0]="203.12.1.10"
SUBNET[0]="203.12.1.0"

This sets the parameters for the IP address which get setup in the HP defined procedure "add_ip_address".

- Andrew