<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5769607921475220697</id><updated>2011-04-21T18:24:46.325-04:00</updated><category term='Linux'/><title type='text'>933k_4@bul0us</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://y0duh.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://y0duh.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>y0duh</name><uri>http://www.blogger.com/profile/11148485573902894200</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>4</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5769607921475220697.post-5025872610804890986</id><published>2007-12-03T21:56:00.002-05:00</published><updated>2007-12-03T22:40:27.603-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Linux'/><title type='text'>/etc/fstab, /etc/mtab, /etc/exports, file systems, DNS, NFS, NIS, and the Art of Linux</title><content type='html'>&lt;div style="text-align: justify;"&gt;  &lt;/div&gt;&lt;div style="text-align: justify;"&gt;&lt;span 
style="font-size:180%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;span style="font-size:180%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style=""&gt;y0duh says, “Linux very powerful operating system (OS), very powerful indeed.” How many times have you heard the praises of Linux being sung by the hacker community (not to be confused with crackers), hardcore geeks, computer enthusiasts, or anyone who detests Microsoft? Well this article is not meant to be one of those intended to sway the masses to convert to Linux; in fact, it is written for purely selfish reasons. In December I intend to take the Linux+ certification exam followed by the RHCT certification exam in February. At this point some of the network administration files and services, particularly those that pertain to distributing information, are still a little murky, which inspired this article. The files and services that I am referring to are the NFS, &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt;, and DNS services and the /etc/mtab, /etc/fstab, and /etc/exports files. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;0000. &lt;u&gt;What is Linux?&lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;Linux is an open source multi-user OS developed by Linus Torvalds in 1991 using Richard Stallman’s “GNU is Not Unix” (GNU) project. Stallman is the founder of the Free Software Foundation and the author of the Free Software Manifesto. 
Torvalds created Linux partially because he was bored, partially as a hobby, but mostly because Minix, the OS Torvalds was using at the time, had limited capabilities as an OS. Torvalds initially started developing Linux by writing a terminal emulation program for the Minix OS. He eventually started adding features to the terminal emulator program as necessary. This project evolved into what eventually became the first version of the Linux OS. Torvalds then uploaded the OS to the Internet, and asked other programmers to post any recommendations and/or suggestions they had about his OS. To Torvalds’ surprise, people immediately started making suggestions for the new operating system and even requested to start supporting the software. The rest, as they say, is history.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;A key feature that makes Linux so powerful is the command line interface (CLI). Anything done via the graphical user interface (GUI) can be done from the command line. In fact some, like me, believe that the GUI hinders a user’s ability to utilize all of an OS’ features and abilities. It is often more difficult to find features while navigating with the GUI. From the CLI a user can do exactly what she intends to do with the OS. It is not that Windows lacks the tools of Linux; it just hinders a user by scattering many of its features throughout the OS (I can only make this point about Windows since the Mac OS X is built on the UNIX kernel). Interestingly it appears that lately even Windows is making its CLI more functional.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;Today Linux is over 16 years old and has numerous distributions. 
Usually a Linux user learns and loyally aligns with one of these distributions (personally I prefer Red Hat or Suse). However, the easiest way to begin using Linux is to decide which distribution to use and to download a copy from one of the many websites. &lt;span style=""&gt; &lt;/span&gt;&lt;span style=""&gt; &lt;/span&gt;&lt;span style=""&gt; &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;0001. &lt;u&gt;Linux File Systems&lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;The Linux file system is made up of multiple directories that are arranged in a hierarchical structure. The file structure can be described as a tree with the root or “/” directory acting as the trunk. All other directories branch off the root directory. Each directory houses a particular type of file. For instance, the /etc directory contains all of the OS configuration files. If a program needs to be configured, the program’s configuration file is almost always in the /etc directory. The /home directory contains the OS user(s) files, and of course the /boot directory contains booting instructions files. The /var directory houses the OS log files. Other directories that bear mentioning are the /mnt, /src, and /tmp directories. One other directory critical to Linux is the swap file directory. The swap file acts as the virtual memory for a Linux system. It is often recommended that this file be twice the size of the amount of physical RAM of a computer. The swap file is the equivalent of the virtual memory file of a Windows machine. 
It is recommended that all directories be installed on separate partitions. The one exception to this practice is the /home directory. It should be noted that the only two files absolutely necessary for a Linux installation are the swap and “/” directories.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;Some novice users have a difficult time switching between different Linux distributions because certain files are often placed in different locations; however, the basic directory structures are comparable between all Linux brands. In fact most Linux OS distributions have similar, although not identical, file structures.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;0010. &lt;u&gt;Network File System (NFS)&lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;NFS allows files to be shared across a Linux network. Case in point, individual files and directories can be shared among multiple users on a network. Often one computer acts as a server while other client computers access it for particular files or directories. Setting up NFS is fairly straightforward; the configuration file is naturally located in the /etc directory. This file, /etc/exports, is used to configure NFS by indicating which files/directories are shared remotely. 
The format for the /etc/exports file is as follows:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;b&gt;/home/departments/sales&lt;span style=""&gt;     &lt;/span&gt;sally.company.com(ro)&lt;/b&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;The statement indicates that the /home/departments/sales directory can be accessed by the host sally.company.com with read-only privileges. The option list must follow the host name with no space in between; if a space separates them, the options apply to every host rather than to sally.company.com. Next, start the NFS daemon with the “service nfs start” command. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;On a remote client, a file can be manually accessed using the “mount” command, or managed by the OS using the “autofs” utility. The autofs utility automatically loads any files or directories a user has rights or access to. File shares can also be set up to automatically mount when the OS starts up. The /etc/fstab file can be used to accomplish this task. The name “fstab” stands for file system table. This file lists all of the OS file system directories to be mounted by default. Of course the root user has access to and can alter this file. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;0011. 
&lt;u&gt;/etc/fstab&lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;As stated above, fstab stands for file system table. According to Mark Sobell’s “A Practical Guide to Linux” the fstab file contains the list of file systems that the Linux host checks by default (Sobell, 601). The file is also used by the mount and umount utilities to mount or unmount directories. This file is located in the /etc directory. Here is an example of what an fstab entry looks like (note: the numbers underneath the fields are not part of the configuration file):&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;b&gt;&lt;/b&gt;&lt;pre&gt;&lt;b&gt;/dev/cdrom     /cdrom&lt;span style=""&gt;       &lt;/span&gt;iso9660    user,noauto,ro&lt;/b&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;#1        &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;        #2        &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;#3        &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;#4&lt;/span&gt;&lt;/pre&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;As you can see, the entry contains several fields. The first field gives the physical location of the file system. The location in the example is the CD-ROM drive. The second is the mount point of the file system. A mount point is the physical location of the file system being mounted. The CD-ROM is being mounted to the /cdrom directory. The third field is the device or file system type. CD-ROMs use an iso9660 file system. 
The fourth field in the example gives any parameters to be used while mounting the file system. According to the example anyone can load the CD-ROM drive with read-only permissions.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;0100. &lt;u&gt;/etc/mtab &lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;The /etc/mtab file lists all of the devices and files to be mounted when the OS boots. Clearly mtab stands for mount table. The “mount” command will display all mounted files and devices. Here is an example of an mtab entry (note: the numbers underneath the fields are not part of the configuration file):&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;b&gt;&lt;pre&gt;/dev/hda        on        /        type    ext3    (rw)&lt;/b&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;#1    &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;                    #2    &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;    #3    &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;#4    &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;    #5&lt;/pre&gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;span style=""&gt;The first entry (#1) is the physical location of the mount. In this instance the root directory (field #2) is located on the primary IDE drive. 
Moreover, the /dev/hda is also the mount point for the root directory. The file system type is ext3 (fields #3 and #4) and the root file system was mounted with read and write file permissions (field #5).&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;As should be obvious, the /etc/mtab and /etc/fstab files are very similar in structure. Each file has entry lines that have several fields, both are used by the mount and umount utilities, and both contain mounting points for the directories and files being loaded. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;br /&gt;0101.&lt;/span&gt;&lt;/b&gt;&lt;span style=""&gt; &lt;b style=""&gt;&lt;u&gt;Network Information Service (&lt;/u&gt;&lt;/b&gt;&lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;b style=""&gt;&lt;u&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;b style=""&gt;&lt;u&gt;&lt;span style=""&gt;)&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt;, formerly known as the Yellow Pages, allows important information to be distributed across a Linux network. 
For instance, password information, user groups, and individual network server information (IP addresses and hostnames) can all be shared between multiple Linux systems using a &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; server functioning as a centralized database. Like Network File System, &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; is set up in a client/server model. &lt;span style=""&gt; &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;There are several &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; tools used by the multiple Linux distributions. Most of the tools begin with the letters “yp”, so they will be referred to as yp-tools from this point forward. The server must have multiple yp-tools available, while the client computers only need the client yp-tool(s).&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;The network services switch file (nsswitch.conf) contains the order that a host searches for information when it is requested. If &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; is used to look up particular information on a network, the nsswitch.conf file can be utilized to point to a &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; server as one of the locations to find information. 
Like all configuration files, the nsswitch.conf file is located in the /etc directory and the &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; daemon must be started with the “service ypserv start” command. If &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; is being used to manage information about particular network hosts, for instance servers, the nsswitch.conf file must be configured. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; clients can be set up in multiple ways. The customary method is to edit the /etc/host.conf file. This file tells a host the order in which to resolve a search for files. 
Traditionally the configuration contains an entry to first search the computer and then to use the DNS server:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;span style="font-weight: bold;"&gt;order hosts,bind&lt;/span&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;An entry must also be added to point to a &lt;/span&gt;&lt;st1:city&gt;&lt;st1:place&gt;&lt;span style=""&gt;NIS&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; server:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style="font-weight: bold;"&gt;order hosts,bind,&lt;/span&gt;&lt;st1:city style="font-weight: bold;"&gt;&lt;st1:place&gt;&lt;span style=""&gt;nis&lt;/span&gt;&lt;/st1:place&gt;&lt;/st1:city&gt;&lt;span style=""&gt; &lt;span style=""&gt; &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;0110. &lt;u&gt;Domain Name Service (DNS)&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;DNS is a very complex application with entire books written on the subject; this article merely skims the surface of this Internet tool. 
Only the files necessary to run the client and server services will be discussed.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;When the Internet was small it was relatively easy to remember network addresses on the Internetwork. Of course that was eons ago, now it is practically impossible to remember the IP address of every host and domain name on the Internet. DNS is the solution to the problem. DNS is a service that resolves human readable domain names into IP addresses. This allows users to type in Universal Resource Locators (URL) like &lt;a href="http://www.redhat.com/index.html"&gt;www.redhat.com/index.html&lt;/a&gt; instead of 209.132.177.50. In order for DNS to work a network must have a registered domain name.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;There is a complex DNS system integrated into the Internet. It has a hierarchical structure, similar to the Linux file system. This hierarchy usually encompasses root and local network nameservers, although more complex networks could have additional tiers. The root nameservers house the databases for the top level domains (TLD). A TLD is the suffix located at the end of a domain name (i.e. .com, .net, .mil, etc.). Root DNS servers only accept requests from other nameservers.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;Most domains (networks) will have a local nameserver that is responsible for the local network’s name resolution requests; in other words, local DNS servers are responsible for maintaining the database of hostnames requested by the local network. 
This database reduces the number of times a local nameserver has to seek out a root DNS server when a domain name has to be resolved. If a network does not have a physical DNS server, the domain more than likely uses an ISP’s nameserver(s). &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;Let us assume that the domain name, &lt;a href="http://www.redhat.com/index.html"&gt;www.redhat.com/index.html&lt;/a&gt;, is being requested for the first time on a network. The resolution begins by interpreting the URL from right to left. There is an implicit “.” (period) at the end of the TLD which indicates to begin looking at the root of the DNS system. So DNS will start at the root nameserver of the TLD; in this instance the commercial (.com) name server. Next the Red Hat domain will be resolved. On the Red Hat domain the web server (www) host will be resolved, and the web server will supply the index.html webpage being requested. In other words the URL requests the index.html file located on the Red Hat domain’s web server.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;There are several critical DNS files. On the DNS server, the /etc/named.conf file is the main configuration file. This is the file that an administrator will configure to get DNS functioning on the network. Directions on how to configure this file would require another article, so I will omit those instructions. 
Once the named.conf file has been configured, the “service named start” command should be administered from the command line in order to actually start the DNS service.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;The /etc/hosts and the /etc/resolv.conf files must be configured for all DNS clients. The /etc/hosts file dictates how an address is resolved locally:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;span style="font-weight: bold;"&gt;127.0.0.1&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;                     &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;localhost.localdomain localhost&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;209.132.177.50&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;           &lt;/span&gt;&lt;span style="font-weight: bold;"&gt;redhat.com&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;while the /etc/resolv.conf file defines which nameserver(s) to use:&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;      &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;&lt;span style="font-weight: bold;"&gt;nameserver 192.168.1.1&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;nameserver 200.200.173.1&lt;/span&gt; &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;DNS has multiple tools to manage the service. The “host” command is a DNS lookup tool. 
Basically the command allows users to identify nameservers. The “dig” command, like the host command, identifies nameservers; however, the tool is a bit more powerful. Several options can be used with the dig command to find specific information about a nameserver. This flexibility makes dig a great tool to use when troubleshooting DNS issues. Finally, the “nslookup” command allows a host to query Internet domain servers for information. The tool allows users to request information about the domain, the domain nameserver, and particular hosts on the domain. Indeed DNS is a powerful tool that makes navigation of the Internet feasible. With millions of hosts and domains on the Internet today it would be virtually impossible to manage them all without DNS. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;0111. &lt;u&gt;EOL&lt;/u&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;As with other articles, it is impossible to cover the full scope of the Linux OS. But hopefully it is obvious how powerful this multi-user OS is in the world of computers. It should also be apparent that the OS is multifaceted. In short, Linux is a powerful OS that allows users to have transparent access to all of the OS tools. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: justify;"&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;1000. 
&lt;u&gt;Check Em’&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;b style=""&gt;&lt;span style=""&gt;&lt;u&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/u&gt;&lt;/span&gt;&lt;/b&gt;                    &lt;/div&gt;&lt;p style="text-align: justify;" class="MsoNormal"&gt;&lt;span style=""&gt;A Practical Guide to Linux. Mark G. Sobell&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;Just For Fun: The Story of an Accidental Revolutionary. Linus Torvalds and David Diamond&lt;br /&gt;&lt;a href="http://www.redhat.com/"&gt;http://www.redhat.com&lt;/a&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;br /&gt;&lt;a href="http://linux.die.net/"&gt;http://linux.die.net/&lt;/a&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;b style=""&gt;&lt;u&gt;&lt;span style=""&gt;&lt;span style=""&gt;&lt;/span&gt;&lt;/span&gt;&lt;/u&gt;&lt;/b&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://y0duh.blogspot.com/feeds/5025872610804890986/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5769607921475220697&amp;postID=5025872610804890986' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/5025872610804890986'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/5025872610804890986'/><link rel='alternate' type='text/html' href='http://y0duh.blogspot.com/2007/12/etcfstab-etcmtab-etcexports-file.html' title='/etc/fstab, /etc/mtab, /etc/exports, file systems, DNS, NFS, NIS, and the Art of Linux'/><author><name>y0duh</name><uri>http://www.blogger.com/profile/11148485573902894200</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5769607921475220697.post-2488280545354199148</id><published>2007-11-17T23:06:00.001-05:00</published><updated>2007-11-17T23:43:35.877-05:00</updated><title type='text'>Zen VLANs</title><content type='html'>&lt;span style="font-size:100%;"&gt;This article attempts to provide a brief explanation of what VLANs are and how they work on a network. As a network administrator it is your responsibility to make sure that network users receive the services they need to successfully perform their job. For instance, it may be necessary to group certain individuals together on the network, or to separate particular parts of the network from certain users. Both of these tasks and many others can be accomplished by implementing virtual local area networks (VLANs). A VLAN is pretty much what its name implies, a network (LAN) that functions virtually or logically on a physical network. VLANs are a great solution for organizationally breaking a network into functional parts, grouping or organizing network users, controlling the size of a broadcast domain, or administering an additional layer of security on the network.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;&lt;br /&gt;LANs&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;A local area network (LAN) is a network that is under the control of one administrator. It is traditionally the combination of all of the devices located on a campus; this encompasses both network devices (routers, switches, hubs, etc.) and end devices (computers, printers, scanners, etc.). These devices will share the same media and IP addressing scheme, and users on the network are grouped together according to where they are physically located. 
These physical constraints could pose a problem within some organizations.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;VLANs&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;A VLAN is a group of devices on a network that behave as if they are attached to the same media and perform like an independent network. Here is an example: several individuals at XYZ, Inc. are working on the same project. These individuals work in two different departments located in different areas throughout the XYZ, Inc. campus. Management has decided that it would be more efficient if the team is set up on its own separate network. The network administrator suggests implementing a VLAN solution. Now Jill in Accounting on the third floor is logically, as opposed to physically, connected to Jack in Marketing on the seventh floor.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;How They Work&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Two network devices are essential for VLAN implementation: a switch and a router. According to Cisco Systems a switch is “a network device that filters, forwards, and floods frames based on the destination address of each frame” &lt;u&gt;http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/s12.htm&lt;/u&gt;. A switch operates at the network layer (layer 1) of the TCP/IP Model and is usually the network aggregation point to attach end devices to the network. For example, your office PC (assuming you are on a wired network) more than likely is connected to the network via a switch.&lt;br /&gt;&lt;br /&gt;Routers are essential for inter-network communication. A router is a computer that moves (routes) data packets between different networks. Routers use Inter-network Layer IP addresses and route databases (tables) to accomplish this task. Routers also create a broadcast domain on the network by containing broadcast request packets within the LAN. Sometimes too much network traffic can bog down a network, especially if the number of broadcast request packets increases. 
In most cases reducing the size of the broadcast domain may resolve the problem.&lt;br /&gt;&lt;br /&gt;Since a router creates a broadcast domain on each network and each network must have a router for inter-network connectivity, it can be deduced that all inter-broadcast domain communication is done via the router as well. And since VLANs behave like an individual network, it could be correctly presumed that they are indeed their own broadcast domain. Given that inter-network connectivity is through a router, it can be ascertained that inter-VLAN communication is achieved through a router or another router-like device also:&lt;br /&gt;&lt;br /&gt;Routers=broadcast domain -&gt; VLANs=broadcast domain&lt;br /&gt;&lt;br /&gt;Inter-broadcast domain connectivity through router -&gt; Inter-VLAN connectivity through router as well.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Security&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Bear in mind that VLANs logically group users and devices on the network. This characteristic could possibly be exploited to add an additional layer of security on the network. A network administrator could separate individuals and devices into groups and regulate the network traffic between them. Access Control Lists (ACL) or other filtering techniques could be used for even more granular control of VLAN packet traffic.&lt;br /&gt;&lt;br /&gt;VLAN implementation could also be used to control the size of a broadcast domain. Scaling down the broadcast domain size reduces the amount of network packets a user will be privy to on the network. This decreases the amount of information a malicious user or attacker could capture/“sniff” from the network. Furthermore, VLANs allow the network administrator to manage users by hierarchically assigning them to particular VLANs. 
This hinders an attacker from having access to the “entire network” by simply attaching to the LAN.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Implementation&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;Recall that the two essential network devices for VLAN implementation are the router and the switch. The following VLAN configuration assumes that the reader is setting up a “router-on-a-stick” VLAN topology using a Cisco router with Catalyst 2950 or 2960 switches.&lt;br /&gt;&lt;br /&gt;The router configuration for the “router-on-a-stick” VLAN implementation is relatively simple. Most of the router settings are standard except for the port (trunk) which handles the VLAN traffic. A trunk is a network segment/channel that moves network packets between two points, in this case VLAN packets. Each trunk must be set up for encapsulation. Encapsulation is the process of tagging VLAN packets as they traverse the network. Dot1q encapsulation will be used in this configuration.&lt;br /&gt;&lt;br /&gt;The trunk port will have multiple sub-interfaces programmed on it, because each VLAN must have an individual interface dedicated to it. Fortunately these interfaces do not have to be actual physical interfaces. This is why Cisco routers allow multiple sub-interfaces (logical interfaces) to be configured on one physical port. Each sub-interface will require a unique IP address. Every IP address is then associated with an individual VLAN. Finally, the routing protocol must be configured on the router. The following configuration will use EIGRP.&lt;br /&gt;&lt;br /&gt;All switches will also need to be configured to participate in the VLAN process. First, VLAN Trunking Protocol (VTP) must be set up on each switch. VTP reduces the amount of management a network administrator must do on a VLANed network. One switch will act as the VTP server while the others will function as clients. The VTP server is in charge of passing all relevant VLAN information to the VTP clients. 
A VTP management domain must then be created on the switches. Naturally all switches within the same VTP domain share like information. The domain for the following example will be “Cisco.” Individual VLANs must also be programmed into the switch, and each switchport will be assigned to a particular VLAN. The VLANs on the switch must be identical to the ones configured on the router. Finally, one of the switchports must function as the trunk port between the switch and the router, and like the router will use dot1q encapsulation.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Device Configurations&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;VLAN Router&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;The configuration will omit the basic router configurations and focus on the VLAN settings.&lt;/i&gt;&lt;br /&gt;router#&lt;br /&gt;router#config t&lt;br /&gt;router(c)#hostname vlan_router&lt;br /&gt;vlan_router(c)#interface s0/0&lt;br /&gt;vlan_router(if)#ip address 200.200.200.201 255.255.255.252&lt;br /&gt;vlan_router(if)#no shutdown&lt;br /&gt;vlan_router(if)#description WAN Interface to ISP&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Program sub-interfaces on the router trunk port. These allow an interface to behave like multiple physical ports/interfaces. Sub-interfaces also preserve resources since multiple interfaces function on one port.&lt;/i&gt;&lt;br /&gt;vlan_router(if)#interface fastethernet 0/0&lt;br /&gt;vlan_router(if)#no shutdown&lt;br /&gt;vlan_router(if)#interface f0/0.1&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;An encapsulation type must be applied to each trunk on a VLANed network. Dot1q is the non-proprietary encapsulation type used on VLAN networks. 
The native keyword applies dot1q to the native VLAN, which is VLAN 1 by default.&lt;/i&gt;&lt;br /&gt;vlan_router(sub-if)#encapsulation dot1q 1 native&lt;br /&gt;vlan_router(sub-if)#ip address 192.168.1.1 255.255.255.0&lt;br /&gt;vlan_router(sub-if)#description Sub-interface for VLAN 1&lt;br /&gt;vlan_router(sub-if)#interface f0/0.10&lt;br /&gt;vlan_router(sub-if)#encapsulation dot1q 10&lt;br /&gt;vlan_router(sub-if)#ip address 192.168.10.1 255.255.255.0&lt;br /&gt;vlan_router(sub-if)#description Sub-interface for Accounting VLAN 10&lt;br /&gt;vlan_router(sub-if)#interface f0/0.20&lt;br /&gt;vlan_router(sub-if)#encapsulation dot1q 20&lt;br /&gt;vlan_router(sub-if)#ip address 192.168.20.1 255.255.255.0&lt;br /&gt;vlan_router(sub-if)#description Sub-interface for Marketing VLAN 20&lt;br /&gt;vlan_router(sub-if)#exit&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Program the router to use EIGRP with an autonomous system of 100 as the routing protocol. EIGRP should not do automatic summarization.&lt;/i&gt;&lt;br /&gt;vlan_router(c)#router eigrp 100&lt;br /&gt;vlan_router(c-router)#network 192.168.1.0&lt;br /&gt;vlan_router(c-router)#network 192.168.10.0&lt;br /&gt;vlan_router(c-router)#network 192.168.20.0&lt;br /&gt;vlan_router(c-router)#network 200.200.200.200&lt;br /&gt;vlan_router(c-router)#no auto-summary&lt;br /&gt;vlan_router(c-router)#end&lt;br /&gt;vlan_router#write memory&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;VLAN Switch&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;It is important to understand that by default there is at least one VLAN on every network. There is no need to program VLAN 1 into the switch because it already exists. Enter the VLAN database mode to set up VLANs on the switch. 
VLANs must have a unique VLAN number and name.&lt;/i&gt;&lt;br /&gt;switch#vlan database&lt;br /&gt;switch(vlan)#vlan 10 name Accounting&lt;br /&gt;switch(vlan)#vlan 20 name Marketing&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Set up the switch as a VTP server and assign the VTP domain the title “Cisco.”&lt;/i&gt;&lt;br /&gt;switch(vlan)#vtp server&lt;br /&gt;switch(vlan)#vtp domain Cisco&lt;br /&gt;switch(vlan)#exit&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Designate a switchport as the trunk port and apply dot1q VLAN encapsulation.&lt;/i&gt;&lt;br /&gt;switch#conf t&lt;br /&gt;switch(c)#hostname vlan_switch&lt;br /&gt;vlan_switch(c)#interface f0/24&lt;br /&gt;vlan_switch(if)#switchport mode trunk&lt;br /&gt;vlan_switch(if)#switchport trunk encapsulation dot1q&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Spanning-Tree is a feature that avoids switching loops between switches with multiple trunks. Although this configuration is not necessary for this set-up, it is a good habit to form when configuring switches. 
The portfast keyword allows a non-trunking switchport to skip the process of checking the port for switching loops.&lt;/i&gt;&lt;br /&gt;vlan_switch(if)#interface range f0/1 - 4&lt;br /&gt;vlan_switch(if)#switchport access vlan 1&lt;br /&gt;vlan_switch(if)#spanning-tree portfast&lt;br /&gt;&lt;br /&gt;vlan_switch(if)#interface range f0/5 - 13&lt;br /&gt;vlan_switch(if)#switchport access vlan 10&lt;br /&gt;vlan_switch(if)#spanning-tree portfast&lt;br /&gt;&lt;br /&gt;vlan_switch(if)#interface range f0/14 - 23&lt;br /&gt;vlan_switch(if)#switchport access vlan 20&lt;br /&gt;vlan_switch(if)#spanning-tree portfast&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Only one VLAN can be enabled at a time, so enable (with the no shutdown command) VLAN 1 since it is the management VLAN.&lt;/i&gt;&lt;br /&gt;vlan_switch(if)#interface vlan 1&lt;br /&gt;vlan_switch(if)#ip address 192.168.1.2 255.255.255.0&lt;br /&gt;vlan_switch(if)#no shutdown&lt;br /&gt;vlan_switch(if)#description Management VLAN&lt;br /&gt;&lt;br /&gt;vlan_switch(if)#interface vlan 10&lt;br /&gt;vlan_switch(if)#ip address 192.168.10.2 255.255.255.0&lt;br /&gt;vlan_switch(if)#description Accounting VLAN&lt;br /&gt;&lt;br /&gt;vlan_switch(if)#interface vlan 20&lt;br /&gt;vlan_switch(if)#ip address 192.168.20.2 255.255.255.0&lt;br /&gt;vlan_switch(if)#description Marketing VLAN&lt;br /&gt;&lt;br /&gt;vlan_switch(if)#end&lt;br /&gt;vlan_switch#write memory&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Conclusion&lt;/u&gt;&lt;br /&gt;&lt;br /&gt;It should be stressed that entire books can be written about VLANs. This article merely scratches the surface of this great tool. Whether implementing VLANs for security, to organize your network into functional working parts, to add structure to the network, to eliminate flat LAN design, or reduce the size of a broadcast domain, VLANing is a great skill to add to your networking toolbox. So go ahead and give it a try. 
Happy VLANing!&lt;br /&gt;&lt;br /&gt;     by y0duh&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5769607921475220697-2488280545354199148?l=y0duh.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://y0duh.blogspot.com/feeds/2488280545354199148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5769607921475220697&amp;postID=2488280545354199148' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/2488280545354199148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/2488280545354199148'/><link rel='alternate' type='text/html' href='http://y0duh.blogspot.com/2007/11/zen-vlans.html' title='Zen VLANs'/><author><name>y0duh</name><uri>http://www.blogger.com/profile/11148485573902894200</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5769607921475220697.post-3810387418898939911</id><published>2007-10-26T05:38:00.000-04:00</published><updated>2007-10-27T02:39:34.784-04:00</updated><title type='text'>Reasons for Layer 3 Switching</title><content type='html'>Here is a short paper that may justify using layer three switches on a network. I hope that it is informative.&lt;br /&gt;&lt;br /&gt;         &lt;br /&gt;&lt;b&gt;Reasons for L3 switching&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;Layer 3 switches can be used to route internal LAN or inter-VLAN traffic thereby reducing the amount of traffic processed by an enterprise router. 
This is especially effective when an L3 switch is used to connect a backbone within an enterprise network. However, the L3 switch will still have to rely on the network router to learn routing tables and route packets that have to be sent over the WAN. The enterprise router will mostly serve as the network gateway; thus, it will generally be used to perform inter-Autonomous System (AS) routing. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;VLANs and Cisco’s Three Layered Hierarchical Model Design&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;VLANs are virtual LANs created by an administrator for various reasons. VLANs will behave as if devices (within the same VLAN) are attached to the same switch and media. They will also create their own broadcast domain(s). Inter-VLAN traffic must be routed through a L3 device, which could be a router or an L3 switch. Oftentimes L3 switches are used on VLANed networks to reduce the amount of processing a router has to perform when routing VLAN traffic. This is in accordance with Cisco’s Three Layered Hierarchical Model Design which states that the Core layer (most often the enterprise router(s)) should be used to specifically move traffic as quickly and efficiently as possible. See the following website for more information about the Three Layered Hierarchical Model Design: &lt;u&gt;http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2002.htm&lt;/u&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Routing-on-a-Stick&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;An L3 switch could be omitted from a VLANed network with “routing-on-a-stick.” This network design uses the network router to do “trunking” between VLANs thereby managing inter-VLAN traffic. Configuring “routing-on-a-stick” is pretty straightforward. A port on the router has to be configured to do trunking, and sub-interfaces must be configured on a router port. However, routing-on-a-stick does add to the processing the router is already performing on the network. 
In addition, for some network administrators, routing-on-a-stick may add to the complexity of a router configuration. Usually this setup is not a problem on small/simple networks, but could become cumbersome and difficult on larger, complex networks.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In conclusion, according to the Cisco Three Layered Hierarchical Design Model, if a router is acting strictly as a core layer device the only thing it should do is quickly move traffic. Yet, a “collapsed network” could be used where a router will act as both a core and distribution layer device. In the case of VLANs, the router will have trunking configured on one of its ports thereby adding to the processing that the router must do on the network while routing inter-VLAN traffic. Although the collapsed network design is less expensive since it eliminates the need for additional equipment (i.e. the L3 switch) it is not always the most efficient setup for a network using multiple VLANs.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;y0duh&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5769607921475220697-3810387418898939911?l=y0duh.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://y0duh.blogspot.com/feeds/3810387418898939911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5769607921475220697&amp;postID=3810387418898939911' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/3810387418898939911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/3810387418898939911'/><link rel='alternate' type='text/html' href='http://y0duh.blogspot.com/2007/10/reasons-for-layer-3-switches.html' title='Reasons 
for Layer 3 Switching'/><author><name>y0duh</name><uri>http://www.blogger.com/profile/11148485573902894200</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5769607921475220697.post-9093309274576555834</id><published>2007-10-25T09:22:00.000-04:00</published><updated>2007-10-25T09:25:12.468-04:00</updated><title type='text'>Genesis</title><content type='html'>The beginning of my first blog. Hopefully I will be devoted enough to keep up with it.&lt;br /&gt;&lt;br /&gt;-y0duh&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5769607921475220697-9093309274576555834?l=y0duh.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://y0duh.blogspot.com/feeds/9093309274576555834/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5769607921475220697&amp;postID=9093309274576555834' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/9093309274576555834'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5769607921475220697/posts/default/9093309274576555834'/><link rel='alternate' type='text/html' href='http://y0duh.blogspot.com/2007/10/genesis.html' title='Genesis'/><author><name>y0duh</name><uri>http://www.blogger.com/profile/11148485573902894200</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
