TCP/IP on NetWare 6 -- Frequently Asked Questions

Novell Cool Solutions: Feature
By Amandeep Singh Sandhu

Posted: 15 Apr 2002
 

Information in this document was recently referenced by Novell Research AppNote "A Technical Overview of Novell TCP/IP in NetWare 6"

Abstract: The Novell TCP/IP FAQ provides answers to a selection of common questions on the various protocols (IP, TCP, UDP and others) that make up the TCP/IP protocol suite. The FAQ also provides some implementation details on NetWare, specifically NetWare 6.

Topics Covered in the FAQ

  • 1.1 Administration
    • Q 1. Does NetWare 6 support Native IP?
    • Q 2. What are the binaries for NetWare 6 TCP/IP?
    • Q 3. In which directories do the TCP/IP binaries reside?
    • Q 4. Which NLM is used to configure the TCP/IP stack?
    • Q 5. How does one monitor the different statistical variables of the TCP/IP stack?
    • Q 6. Is NetWare 6 TCP/IP stack different from the previous version of TCP/IP stack in NetWare? If so, how?
  • 1.2 IP Addressing
    • Q 1. How can I configure the IP address of a NetWare server?
    • Q 2. Does NetWare 6 support subnetting?
    • Q 3. Does NetWare 6 support supernetting?
    • Q 4. What should you take care of while configuring a supernetted address on a NetWare server?
    • Q 5. What are ARP-able and non-ARP-able primary IP addresses?
    • Q 6. What are ARP-able and non-ARP-able secondary IP addresses?
    • Q 7. Why is a secondary IP address used?
    • Q 8. How can I add a Secondary IP Address?
    • Q 9. How can I remove a Secondary IP Address?
    • Q 10. How can I display a Secondary IP Address?
    • Q 11. Once the server is rebooted will the Secondary IP Addresses be active?
    • Q 12. Once an interface is deleted/disabled will the Secondary IP Addresses bound on that interface be active?
    • Q 13. Does the addition of Secondary IP Address command necessarily go into AUTOEXEC.NCF to recover the lost Secondary IP Addresses because of server reboot or deletion/disabling of an interface?
    • Q 14. Is it possible to add non-ARPable Secondary IP Address?
    • Q 15. How do I add Secondary IP Address to a specific card?
    • Q 16. What is the support for Direct Server Return (DSR) provided by the stack?
    • Q 17. What is multihoming?
    • Q 18. What kind of multihoming support is available in NetWare?
    • Q 19. How do I verify successful Primary bindings when there are multiple IP Addresses on same NIC?
    • Q 20. What is interface grouping?
    • Q 21. Can I group interfaces with different IP addresses?
    • Q 22. Can I group interfaces bound to different networks?
    • Q 23. How do I check the multihoming configuration of NetWare?
    • Q 24. Can I ungroup interfaces with a different IP address?
  • 1.3 Load Balancing & Fault Tolerance
    • Q 1. How do I configure load balancing and fault tolerance in NetWare? How do I verify the configuration?
    • Q 2. Can I configure load balancing and fault tolerance feature using command line interface?
    • Q 3. How do I verify load balancing is working?
    • Q 4. Can I group adapters with different capacities, different vendors, and different properties (Card with Hardware check summing support, etc)?
    • Q 5. What is a primary interface in load balancing and fault tolerance group?
    • Q 6. What is the difference between grouped and ungrouped interfaces?
    • Q 7. What properties are in common when multiple interfaces are grouped?
    • Q 8. How do I enable Load Balancing and Fault Tolerance for a group?
    • Q 9. How are broadcast and multicast packets handled?
    • Q 10. What will happen to TCP connections when one of the adapters fails and the other one takes over?
    • Q 11. Will there be any packet drop during adapter failover?
    • Q 12. How does the client come to know that the adapter to which it is connected is failed and it has to send request to the new adapter?
    • Q 13. How is this solution different from the Compaq teaming solution?
    • Q 14. Do clients see the same MAC address for all the interfaces in the grouped network?
    • Q 15. Does the load balancing and fault tolerance solution co-exist with third party solutions like Compaq's ALB and NFT feature?
    • Q 16. Is this feature supported on all network adapters? Does it require specific driver to be installed?
    • Q 17. Why have load balancing when you already have load sharing?
    • Q 18. Can load balancing alone be configured, without fault tolerance on?
    • Q 19. Can load balancing be an overhead with the increase in the number of NICs?
    • Q 20. Is fault tolerance and load balancing supported with token ring and FDDI?
    • Q 21. How do I know when any of the NIC fails? Would fault tolerance give me any alert message?
    • Q 22. How do ARP entries of our server at routers get flushed in case of fault tolerance? How does load balancing happen across different NICs?
    • Q 23. Does the load get balanced between gateways?
    • Q 24. Will the group information for Load Balancing/Fault Tolerance be set to NO in INETCFG when any one of the two duplicate bindings in a group is deleted?
  • 1.4 IP Features
    • Q 1. Can the stack offload checksum into the NIC?
    • Q 2. How can I configure Dead Gateway Detection and use the same?
    • Q 3. Is DGD an overhead to the system?
    • Q 4. What is MDG?
    • Q 5. How do I configure Multiple Default Gateway?
    • Q 6. How is the preference decided in case of MDGs?
  • 1.5 Routing Protocols
    • Q 1. What routing protocols are supported on this stack?
  • 1.6 Tools
    • Q 1. What kind of tools are available to check the network connectivity?
    • Q 2. Does NetWare support trace route utility?
    • Q 3. Can I use IPTrace option with more Hops?
    • Q 4. Is the IPTrace option different from NetWare 5? What are the new options?
    • Q 5. How do I monitor TCP/IP statistics?
    • Q 6. How can I find any black hole router between any two hosts?
  • 1.7 ARP
    • Q 1. Does NetWare support proxy ARP?
    • Q 2. Does NetWare detect duplicate IP address on the network?
    • Q 3. How can I view IP address to MAC mappings?
  • 1.8 TCP
    • Q 1. What is the Don't Fragment option?
    • Q 2. What is Path MTU Black Hole router?
    • Q 3. What is PMTU Black Hole Detection and Recovery?
    • Q 4. Is there a performance penalty for PMTU BHD?
    • Q 5. How do I configure PMTU BHD on the system?
    • Q 6. Is there some tool to find the PMTU BH Router?
    • Q 7. What is the maximum window size that the TCP/IP stack supports?
    • Q 8. In what link would Large Window size be helpful?
    • Q 9. How can an application use Large Window?
    • Q 10. What is SACK?
    • Q 11. Does the TCP/IP stack support SACK?
    • Q 12. When will SACK be helpful?
    • Q 13. Will SACK and LW have an impact on the LAN connection?
  • 1.9 UDP
    • Q 1. What is the maximum packet size that UDP can transmit?
    • Q 2. Does UDP support multiple listeners on the same IP address and port?
    • Q 3. Does UDP processing happen on all processors?
    • Q 4. Is the Path MTU Discovery feature available on the stack (RFC 1191)?
  • 1.10 WAN
    • Q 1. Can I dial up to the NetWare server and use it?
    • Q 2. How can I connect to WAN?
    • Q 3. What interfaces are supported for PPP?
    • Q 4. Can I have a Dial on Demand connection or do I have to have a permanent leased connection?
    • Q 5. In case one channel goes bad, can I use a Dial Backup?
    • Q 6. Do the dial up services provide QoS?
    • Q 7. Is the dial up connection secure?
  • 1.11 Security
    • Q 1. What is a SYN attack?
    • Q 2. How do you protect NetWare 6 from a SYN attack?
    • Q 3. What will happen in case a SYN attack takes place?
    • Q 4. What is a FIN attack?
    • Q 5. What are the set options for enabling FIN Attack check solution and how to tune them?
    • Q 6. Does NetWare 6 TCP/IP stack support IPsec?
  • 1.12 Application Interfaces
    • Q 1. What kind of application interfaces are supported to use the TCP/IP services?
  • 1.13 IPX to IP transition
    • Q 1. I have an IPX network and would like to migrate to NetWare 6. Can I do it?
    • Q 2. How is SCMD different from NetWare IP?
    • Q 3. Is NetWare IP supported on NetWare 6?
  • 1.14 Release Mechanism
    • Q 1. Where can I get latest TCP/IP stack?
    • Q 2. Would the new features like Load Balancing and Fault Tolerance, Large Windows, SACK and so on be available on NetWare 5.1?
  • 1.15 References to other Docs
    • Q 1. Where do I get the TCP/IP Admin Guide?
    • Q 2. Where do I get the latest NDK information on TCP/IP?
  • 1.16 NetWare Applications on TCP/IP
    • Q 1. What is the support available for redirection?
  • 1.17 Other Information
    • Q 1. What is the extent of CIDR support being provided by the stack?
    • Q 2. Are there any Web based mechanisms for configuring the stack?


    1.1 Administration

    Q 1. Does NetWare 6 support Native IP?
    Ans. Yes, NetWare 6 completely supports Native IP.

    Q 2. What are the binaries for NetWare 6 TCP/IP?
    Ans. The binaries for NetWare 6 TCP/IP are:

  • TCP.NLM, TCPIP.NLM, BSDSOCK.NLM - both secure and non-secure versions.
  • NETLIB.NLM - one version which runs with both secure and non-secure versions of the earlier NLMs.
  • INETCFG.NLM and TCPCFG.NLM - used for configuration.

    Q 3. In which directories do the TCP/IP binaries reside?
    Ans. The TCP/IP binaries reside in SYS:\SYSTEM

    Q 4. Which NLM is used to configure the TCP/IP stack?
    Ans. The following two NLMs are used to configure the stack: INETCFG.NLM and TCPCFG.NLM

    Q 5. How does one monitor the different statistical variables of the TCP/IP stack?
    Ans. You can use the tools Monitor and TCPCON that list all the sub-options of the stack. From NetWare 6 SP 1 onwards you can view the statistics from the web using Novell Remote Manager. For more details look at the latest TCP/IP Administration Guide.

    Q 6. Is NetWare 6 TCP/IP stack different from the previous version of TCP/IP stack in NetWare? If so, how?
    Ans. Yes, this stack is very different from its earlier versions. The NetWare 6 TCP/IP stack gives you many more features, such as:

  • Load Balancing and Fault Tolerance,
  • SACK and Large Windows,
  • Dead Gateway Detection and Multiple Default Gateways,
  • Path MTU Black hole detection and recovery for TCP connections,
  • MP enabled TCP and UDP stacks,
  • Defense against FIN, SYN and Smurf attacks and many more.

    1.2 IP Addressing

    Q 1. How can I configure the IP address of a NetWare server?
    Ans. Once you have configured the cards, go to INETCFG > Bindings and configure the address with its netmask. You can also do this from the command line: bind ip <driver name> address = <ip address> mask = <netmask>

    Q 2. Does NetWare 6 support subnetting?
    Ans. Yes, NetWare 6 supports subnetting.

    Q 3. Does NetWare 6 support supernetting?
    Ans. Yes, but it is supported only on end hosts.

    Q 4. What should you take care of while configuring a supernetted address on a NetWare server?
    Ans. You cannot make a NetWare server a router when supernetting is enabled.

    Q 5. What are ARP-able and non-ARP-able primary IP addresses?
    Ans. An ARP-able address is one that responds to an ARP request; a non-ARP-able address does not propagate the MAC address outside. If an IP address is bound with the no-ARP option, a new IP address will be created on the basis of the MAC address where it is bound.

    Q 6. What are ARP-able and non-ARP-able secondary IP addresses?
    Ans. The ARP-able secondary IP address responds to an ARP request, while the non-ARP-able secondary IP address does not propagate the MAC address outside. The IP address remains the same in the noARP case as well.

    Q 7. Why is a secondary IP address used?
    Ans. The secondary IP address can be used to configure NetWare as a multihomed host. The client will then see each secondary IP address as a logical host. Secondary IP addresses can also be used to launch different services on different IP addresses. Another benefit is that a secondary IP address can be configured as a virtual IP address using the NoArp option, which can be used for load balancing in a clustering environment.

    Q 8. How can I add a Secondary IP Address?
    Ans. To do so, go to the server prompt and enter Add secondary ipaddress <ipaddress>

    Q 9. How can I remove a Secondary IP Address?
    Ans. To do so, go to the server prompt and enter Delete secondary ipaddress <ipaddress>

    Q 10. How can I display a Secondary IP Address?
    Ans. To do so, go to the server prompt and enter Display secondary ipaddress

    Q 11. Once the server is rebooted will the Secondary IP Addresses be active?
    Ans. No. The Secondary IP Address information is lost when the server reboots. However, the administrator can manually add the command add secondary ipaddress a.b.c.d to AUTOEXEC.NCF after the line SYS:ETC\INITSYS.NCF, so that it is executed when the server reboots.

    Q 12. Once an interface is deleted/disabled will the Secondary IP Addresses bound on that interface be active?
    Ans. No. If an interface is deleted or disabled, the Secondary IP Addresses on that interface are lost. The administrator can run AUTOEXEC.NCF to restore them, provided the Secondary IP Address command has been added to AUTOEXEC.NCF and there is an interface on the same network.

    Q 13. Does the addition of a Secondary IP Address command necessarily go into AUTOEXEC.NCF to recover the lost Secondary IP Addresses because of server reboot or deletion/disabling of an interface?
    Ans. No. You can write any .NCF file containing the command add secondary ipaddress a.b.c.d and execute it from the system console by simply typing the .NCF file name.

    Q 14. Is it possible to add a non-ARPable Secondary IP Address?
    Ans. Yes, you can add a non-ARPable Secondary IP Address using the command line. To do so, enter Add secondary ipaddress <ipaddress> noarp

    Q 15. How do I add a Secondary IP Address to a specific card?
    Ans. To add a Secondary IP Address to a specific card, enter add secondary ipaddress <ipaddress> prompt at the console prompt. On a multihomed machine it will then ask you to select the card you want.

    Q 16. What is the support for Direct Server Return (DSR) provided by the stack?
    Ans. Direct Server Return can be configured using non-ARPable Secondary IP Addresses.

    Q 17. What is multihoming?
    Ans. Multihoming is the feature that enables a system to have more than one network interface and also ensures that the interface assumes multiple IP addresses on the same network. It is typically used for all IP networks bound to a router, irrespective of whether the networks are bound to the same interface or to different interfaces.

    Q 18. What kind of multihoming support is available in NetWare?
    Ans. NetWare 6 supports different kinds of multihoming combinations: between Single/Multiple NIC and also between Single/Multiple IP Address.

    Q 19. How do I verify successful Primary bindings when there are multiple IP Addresses on same NIC?
    Ans. For the relevant interface this can be verified through TCPCON > Protocol Information > IP > IP Addresses. This information would not be correctly available through utilities such as CONFIG and INETCFG.

    Q 20. What is interface grouping?
    Ans. Grouping is the process of selecting the NICs you want from the available set of multihomed NICs. After selecting the required NICs (Grouping) they can be enabled for load balancing and fault tolerance. These NICs should be bound to the same subnet.

    In NetWare 6 two types of grouping enable you to optimize the load balancing and fault tolerance feature. They are:

  • Single IP Address/Multiple NICs are grouped automatically.
  • Multiple IP Addresses/Multiple NIC can be manually grouped and later ungrouped as needed.

    The advantage of grouping in NetWare 6 is that once you group the NICs, load sharing is automatically enabled. Once the NICs are grouped they are visible as a group of network adapters for a group of IP addresses or for a single IP address. This group has a single identity, with its own set of properties, and the properties of the individual NICs in the group are no longer valid. After that, every IP address looks as if it is associated with more than one network adapter. This is the basis of load balancing and fault tolerance. To get the full benefit of the feature, the user must ensure that all the NICs to be grouped lie on the same LAN segment.

    In NetWare 6 grouping is done in such a way that all the MAC addresses are visible to the outside world, which can use them to send requests. Once the NICs are grouped, their individual identity is no longer valid. However, if the user wants to preserve the individual identity, NetWare provides the option of ungrouping the NIC.

    Q 21. Can I group interfaces with different IP addresses?
    Ans. Yes, you can group interfaces with multiple IP addresses, provided all the IP addresses belong to the same subnet.

    Q 22. Can I group interfaces bound to different networks?
    Ans. No, you can't do that.

    Q 23. How do I check the multihoming configuration of NetWare?
    Ans. Right now you can verify this using the 'Display Secondary IP address' console command. In NetWare 6.1 this will be available in the 'Config' console command.

    Q 24. Can I ungroup interfaces with a different IP address?
    Ans. Yes, you can do that. Ungrouping is the process of removing a particular NIC from the grouped set. Ungrouping can be done for the Multiple IP addresses/Multiple NICs type of groups.

    Ungrouping is most advantageous when the user wants to configure a particular NIC differently from the group. NetWare 6 provides that. Also the NICs are LAN segment independent. This kind of ungrouping can be used for security purposes, for QoS, or if the user wants to have a different configuration for a particular card.

    1.3 Load Balancing & Fault Tolerance

    Q 1. How do I configure load balancing and fault tolerance in NetWare? How do I verify the configuration?
    Ans. You can configure load balancing and fault tolerance using INETCFG. You can verify the configuration using the TCP/IP protocol configuration menu.

    Q 2. Can I configure load balancing and fault tolerance feature using command line interface?
    Ans. No, you can't do that. You can configure load balancing and fault tolerance using INETCFG only.

    Q 3. How do I verify load balancing is working?
    Ans. Right now no statistics are available to provide this information in the production version. However, in the debug version of the TCP/IP NLM this can be viewed using the _IP command. The other way to verify it is to capture packets and check the source MAC address of the outgoing packets.

    Q 4. Can I group adapters with different capacities, different vendors, and different properties (Card with Hardware check summing support, etc)?
    Ans. Yes, you can group adapters with different capacities and from different vendors.

    Q 5. What is a primary interface in load balancing and fault tolerance group?
    Ans. When you group a number of interfaces, one interface will automatically become the primary interface. You have the option of changing this interface and making another one the primary interface. The primary interface in the group handles all the broadcasts, and routing related issues for the group.

    Q 6. What is the difference between grouped and ungrouped interfaces?
    Ans. Grouped interfaces participate in load sharing, load balancing and fault tolerance, while ungrouped interfaces cannot. Ungrouping can be done for the Multiple IP addresses/Multiple NICs type of groups. Ungrouping is most advantageous when the user wants to configure a particular NIC differently from the group. Grouped interface adapters have the same properties, while ungrouped adapters may have different properties.

    Q 7. What properties are in common when multiple interfaces are grouped?
    Ans. The following properties are in common when multiple interfaces are grouped: Subnet Mask, Frame type, RIP options, OSPF options, Broadcast address, Multicast override IP address, TOS, ARP options, Router Discovery options, NAT options, Load balancing and Fault Tolerance options.

    Q 8. How do I enable Load Balancing and Fault Tolerance for a group?
    Ans. In INETCFG there are two switches: system and group. You have to enable load balancing and fault tolerance in both places. When the same IP address is bound to multiple interfaces, load sharing and fault tolerance are enabled by default.

    Q 9. How are broadcast and multicast packets handled?
    Ans. If a group exists, broadcast packets are handled by the primary interface. Otherwise every interface handles the broadcast. Multicast is also handled by every interface.

    Q 10. What will happen to TCP connections when one of the adapters fails and the other one takes over?
    Ans. Nothing. Thanks to fault tolerance, the TCP connections remain intact.

    Q 11. Will there be any packet drop during adapter failover?
    Ans. Yes, there could be a minor packet drop during failover. Connection-oriented applications using TCP won't notice any difference, whereas datagram applications using UDP will see a packet drop that depends on the configured fault tolerance interval.

    Q 12. How does the client come to know that the adapter to which it is connected has failed and that it has to send requests to the new adapter?
    Ans. When an adapter fails, a Gratuitous ARP is sent to the client with the new adapter's MAC address.

    Q 13. How is this solution different from the Compaq teaming solution?
    Ans. In this solution the MAC addresses are visible and multiple configurations are possible, which is not the case in the Compaq teaming solution. Our teaming solution is also vendor independent and operates at Layer 3.

    Q 14. Do clients see the same MAC address for all the interfaces in the grouped network?
    Ans. No, all the MAC addresses are visible.

    Q 15. Does the load balancing and fault tolerance solution co-exist with third party solutions like Compaq's ALB and NFT feature?
    Ans. No, the NetWare solution is different from Compaq's solution. The main difference being that in this solution the MAC addresses are visible and multiple configurations are possible.

    Q 16. Is this feature supported on all network adapters? Does it require specific driver to be installed?
    Ans. This feature is supported on all those network adapters that strictly follow ODI specifications.

    Q 17. Why have load balancing when you already have load sharing?
    Ans. This feature is an enhancement of what load sharing gives you. This is an intelligent algorithm and is helpful when the drivers are heavily loaded.

    Q 18. Can load balancing alone be configured, without fault tolerance on?
    Ans. Yes, load balancing alone can also work.

    Q 19. Can Load Balancing be an overhead with the increase in the number of NICs?
    Ans. Load balancing has a slight overhead but the benefits it gives surpass the cost it takes to run.

    Q 20. Is fault tolerance and load balancing supported with token ring and FDDI?
    Ans. No, it is supported for Ethernet only. This would be supported in future releases.

    Q 21. How do I know when any of the NICs fails? Would fault tolerance give me any alert message?
    Ans. Yes, it would give you an alert on the logger screen. It will appear as:

    display secondary IP address - will tell DOWN if the interface is faulty.

    Q 22. How do ARP entries of our server at routers get flushed in case of fault tolerance? How does load balancing happen across different NICs?
    Ans. By using Gratuitous ARP we can advertise the new MAC address for any IP address, so the older entry is flushed at the router.

    For load balancing, we reply to the client's ARP request with the MAC address of the less loaded interface, and for outgoing packets we use any of the grouped interfaces depending on the load.

    Q 23. Does the load get balanced between gateways?
    Ans. No, the load is not balanced. The NetWare 6 stack provides fault tolerance only.

    Q 24. Will the group information for Load Balancing/Fault Tolerance be set to NO in INETCFG when any one of the two duplicate bindings in a group is deleted?
    Ans. No. This has to be manually done, if required. However, if it is not manually set to NO there would be no impact on the Load Balancing/Fault Tolerance configuration.

    1.4 IP Features

    Q 1. Can the stack offload checksum into the NIC?
    Ans. Yes, if the NIC supports checksum, the IP stack offloads it to the NIC by default.

    Q 2. How can I configure Dead Gateway Detection and use the same?
    Ans. To configure Dead Gateway Detection, go to INETCFG > Protocols > TCPIP, then go to the option Dead Gateway Detection and enable it. You can also specify the Probe Interval and Timeout.

    Q 3. Is DGD an overhead to the system?
    Ans. Yes, it is an overhead, but its use offsets any resource that it may be consuming.

    Q 4. What is MDG?
    Ans. MDG stands for Multiple Default Gateways: you can have more than one default gateway for your system. It provides greater robustness in case of any failures.

    Q 5. How do I configure Multiple Default Gateway?
    Ans. Go to INETCFG > Protocols > TCPIP, then go to the option Static Routing and add default route entries.

    Q 6. How is the preference decided in case of MDGs?
    Ans. First preference is given to the Static Default Gateways, second to RIP and third to ICMP. If there is more than one Static Default Gateway, the priority is decided on the basis of the configured metric for the route. RIP has its own algorithm for updating the Default Gateways.

    1.5 Routing Protocols

    Q 1. What routing protocols are supported on this stack?
    Ans. This stack provides the following routing protocols: RIP I and RIP II, OSPF, EGP, and ICMP Router Discovery.

    1.6 Tools

    Q 1. What kind of tools are available to check the network connectivity?
    Ans. The stack gives you Ping and tping to check network connectivity.

    Q 2. Does NetWare support trace route utility?
    Ans. Yes, such a utility is supported and it's called IPTrace.

    Q 3. Can I use IPTrace option with more Hops?
    Ans. Yes, you can change the Hops option.

    Q 4. Is the IPTrace option different from NetWare 5? What are the new options?
    Ans. Yes, it is different. A number of new options are provided:

    PMTUBHR - used for detecting a PMTU Black Hole router
    STARTHOP - starting TTL value
    PKT - number of packets sent for each Hop (default 3)

    Q 5. How do I monitor TCP/IP statistics?
    Ans. You can monitor the TCP/IP statistics using the TCPCON utility and from NetWare 6 SP 1 onwards you can view the statistics from the web using Novell Remote Manager. For more details look at the latest TCP/IP Administration Guide.

    Q 6. How can I find any black hole router between any two hosts?
    Ans. A black hole between any two hosts can be found with the tping utility, by using different packet sizes along with the 'set don't fragment bit' option.

    1.7 ARP

    Q 1. Does NetWare support proxy ARP?
    Ans. Yes, NetWare supports proxy ARP.

    Q 2. Does NetWare detect duplicate IP address on the network?
    Ans. Yes, it gives an alert message on the console along with the MAC address.

    Q 3. How can I view IP address to MAC mappings?
    Ans. You can view IP address to MAC mappings using the TCPCON utility. Go to the Protocol Information > IP > IP Address Translations menu.

    1.8 TCP

    Q 1. What is the Don't Fragment option?
    Ans. Whenever a router gets a datagram with Don't Fragment (DF) bit set in its header and the packet size is greater than the next MTU, the router cannot forward the packet. In such a case, the router sends an ICMP Destination Unreachable DF bit set message to the host. Typically, an IP datagram cannot be forwarded because its maximum segment size is too large for the receiving server and the Don't Fragment bit is set in the header of the datagram.

    Q 2. What is Path MTU Black Hole router?
    Ans. Sometimes an IP datagram cannot be forwarded because its maximum segment size is too large for the receiving server and the Don't Fragment bit is set in the header of the datagram. Routers that ignore these datagrams and send no message are called PMTU Black Hole routers.

    Some routers might silently drop large frames, even when the DF bit is not set. Firewalls are often misconfigured to suppress all ICMP messages.

    Q 3. What is PMTU Black Hole Detection and Recovery?
    Ans. This feature provides the facility to detect a connection failure due to black hole routers and helps to recover such connections.

    To respond effectively to black hole routers, the Novell TCP/IP stack now provides a Path MTUBH Detect feature. Path MTUBH Detect recognizes repeated unacknowledged transmissions and responds by turning off the Don't Fragment bit. After a datagram is transmitted successfully, the MTUBH Detect feature reduces the maximum segment size and turns the Don't Fragment bit on again.

    Q 4. Is there a performance penalty for PMTU BHD?
    Ans. PMTU BHD might have a slight performance penalty when there are multiple retransmissions.

    Q 5. How do I configure PMTU BHD on the system?
    Ans. Here are the details to configure PMTU BHD on the system:

    Syntax: set tcp path mtu black hole detection and recovery = string
    Description: Enable or disable the Path MTU Black Hole Detection and Recovery option.
    Range: On | Off
    Default: Off (disabled)
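
    The detection and recovery steps from Q 3, with the on/off switch from Q 5, as an added simulation in C (an illustration written for this page, not Novell's implementation). The retry threshold and the MSS reduction steps are assumptions, since the FAQ does not state them; the path is a constructed one whose narrowest hop silently drops oversized DF datagrams.

```c
/* Added example: PMTU black hole detection and recovery, simulated.
 * Not NetWare code; threshold and step sizes below are assumptions. */
#include <stdio.h>

#define IP_TCP_HDR      40  /* IPv4 + TCP header bytes, no options */
#define RETRY_THRESHOLD 2   /* assumed: silent losses before DF is cleared */

/* Assumed reduction steps: MTU plateaus from RFC 1191, highest first. */
static const int MTU_PLATEAUS[] = { 1492, 1006, 508, 296 };
#define N_PLATEAUS ((int)(sizeof MTU_PLATEAUS / sizeof MTU_PLATEAUS[0]))

struct sender {
    int mss;            /* current maximum segment size */
    int df;             /* 1 = Don't Fragment bit set on outgoing datagrams */
    int unacked;        /* consecutive unacknowledged transmissions */
    int transmissions;  /* total datagrams put on the wire */
};

/* Constructed path with a black hole router at its narrowest hop:
 * an oversized datagram with DF set vanishes and no ICMP error comes back;
 * with DF clear it is fragmented and arrives. */
static int path_delivers(int path_mtu, int datagram_len, int df)
{
    if (datagram_len <= path_mtu)
        return 1;
    return df ? 0 : 1;
}

/* Next MSS strictly below the current one, taken from the plateau table. */
static int next_lower_mss(int mss)
{
    for (int i = 0; i < N_PLATEAUS; i++)
        if (MTU_PLATEAUS[i] - IP_TCP_HDR < mss)
            return MTU_PLATEAUS[i] - IP_TCP_HDR;
    return mss;  /* already at the lowest step */
}

/* Send full-sized segments until one is acknowledged with DF set.
 * bhd_on mirrors the SET parameter: 0 = Off (the documented default).
 * Returns the MSS the connection settles on, or -1 if it never recovers
 * within max_sends transmissions. */
int send_with_bhd(struct sender *s, int path_mtu, int bhd_on, int max_sends)
{
    while (s->transmissions < max_sends) {
        int len = s->mss + IP_TCP_HDR;
        s->transmissions++;
        if (path_delivers(path_mtu, len, s->df)) {
            if (s->df)
                return s->mss;          /* fits the path with DF set: done */
            /* Arrived only because fragmentation was allowed:
             * reduce the MSS, turn DF back on, and try the smaller size. */
            s->mss = next_lower_mss(s->mss);
            s->df = 1;
            s->unacked = 0;
            continue;
        }
        /* No ACK and no ICMP error: count the silent loss. */
        s->unacked++;
        if (bhd_on && s->unacked >= RETRY_THRESHOLD) {
            s->df = 0;                  /* detection: suspect a black hole */
            s->unacked = 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: Ethernet sender (MSS 1460), path MTU 1400. */
    struct sender on  = { 1460, 1, 0, 0 };
    struct sender off = { 1460, 1, 0, 0 };
    int mss_on  = send_with_bhd(&on, 1400, 1, 20);
    int mss_off = send_with_bhd(&off, 1400, 0, 20);
    printf("BHD on : settled MSS %d after %d transmissions\n",
           mss_on, on.transmissions);
    printf("BHD off: result %d after %d transmissions (connection stalls)\n",
           mss_off, off.transmissions);
    return 0;
}
```

    With the feature off, every retransmission is the same oversized DF datagram, which is why a black hole shows up as a connection that opens normally and then hangs on the first full-sized segment.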

    Q 6. Is there some tool to find the PMTU BH Router?
    Ans. Yes, you can do it with a PMTU option in IPTrace.

    Q 7. What is the maximum window size that the TCP/IP stack supports?
    Ans. The TCP/IP stack supports a maximum window size of 1GB.

    Q 8. In what link would Large Window size be helpful?
    Ans. TCP Large Window size is useful on fast networks with large round-trip times.

    Think of a water hose. To achieve maximum water flow, the hose should be full. As the hose increases in diameter and length, the volume of water to keep it full increases. In networks, diameter equates to bandwidth, length is measured as round-trip time, and the TCP window size is analogous to the volume of water necessary to keep the hose full. On fast networks with large round-trip times, the TCP window size must be increased to achieve maximum TCP bandwidth.

    TCP performance depends not upon the transfer rate itself, but rather upon the product of the transfer rate and the round-trip delay. This 'bandwidth delay product' measures the amount of data that would fill the pipe. It is the buffer space required at the sender and the receiver to obtain maximum throughput on the TCP connection over the path, i.e., the amount of unacknowledged data that TCP must handle in order to keep the pipeline full.

    So on fast networks with large round-trip times, having a large TCP Window helps by allowing for a greater amount of unacknowledged data.

    Q 9. How can an application use Large Window?
    Ans. You can use the SO_SNDBUF and SO_RCVBUF TCP socket options. The TCP SET option for configuring a Large Window is:

    Syntax: set tcp large window option = string
    Description: Enable or disable the Large Window option.
    Range: On | Off
    Default: On (enabled)
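
    The bandwidth-delay calculation from Q 8 and the SO_SNDBUF/SO_RCVBUF options from Q 9, as an added example in C (not Novell code). It assumes the POSIX sockets API rather than NetWare's own socket library, and the link figures are constructed.

```c
/* Added example: sizing TCP socket buffers from the bandwidth-delay product.
 * Assumes POSIX sockets; function names here are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#define TCP_MAX_UNSCALED_WINDOW 65535u  /* 16-bit window field in the TCP header */
#define TCP_MAX_WSCALE_SHIFT    14      /* RFC 1323 limit: 65535 << 14, just under 1 GB */

/* Bytes that must be in flight to keep the path full:
 * rate (bits/s) / 8 * round-trip time (ms) / 1000. */
uint64_t bdp_bytes(uint64_t bits_per_sec, uint32_t rtt_ms)
{
    return bits_per_sec / 8 * rtt_ms / 1000;
}

/* Smallest window-scale shift whose largest window covers `window` bytes.
 * Returns -1 when even the maximum shift is not enough. */
int wscale_shift_for(uint64_t window)
{
    for (int shift = 0; shift <= TCP_MAX_WSCALE_SHIFT; shift++) {
        if (((uint64_t)TCP_MAX_UNSCALED_WINDOW << shift) >= window)
            return shift;
    }
    return -1;
}

/* Ask for send and receive buffers of `bytes` and report what the stack
 * actually granted (it may cap or round the request). Call this before
 * connect() or listen(): the window scale is negotiated in the SYN, so a
 * buffer enlarged later cannot raise the scale factor.
 * Returns 0 on success, -1 on error. */
int request_large_window(int fd, int bytes, int *granted_rcv, int *granted_snd)
{
    socklen_t len = sizeof(int);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, sizeof bytes) < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &bytes, sizeof bytes) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, granted_rcv, &len) < 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, granted_snd, &len) < 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed link: 1 Gbit/s with a 100 ms round trip. */
    uint64_t bdp = bdp_bytes(1000000000ULL, 100);
    printf("BDP = %llu bytes, window scale shift needed = %d\n",
           (unsigned long long)bdp, wscale_shift_for(bdp));

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int rcv = 0, snd = 0;
    if (request_large_window(fd, (int)bdp, &rcv, &snd) == 0)
        printf("granted: SO_RCVBUF=%d SO_SNDBUF=%d\n", rcv, snd);
    close(fd);
    return 0;
}
```

    Comparing the granted buffer with the computed bandwidth-delay product shows whether the window, rather than the link, will limit throughput on that path.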

    Q 10. What is SACK?
    Ans. Selective Acknowledgment (SACK) is a mechanism, including a retransmission algorithm, that helps overcome weak links on the TCP/IP stack. The selective acknowledgment extension uses two TCP options. The first is an enabling option, SACK-permitted, which can be sent in a SYN segment to indicate that the SACK option can be used once the connection is established.

    The SACK-permitted option is a two-byte option. The second option is the SACK option itself, which can be sent over an established connection once both the sender and the receiver have successfully negotiated the SACK-permitted option. Whenever data is lost, the data receiver can send the SACK option to acknowledge the out-of-order segments.

    Q 11. Does the TCP/IP stack support SACK?
    Ans. Yes, the NetWare 6 stack supports SACK as per RFC 1323.

    Q 12. When will SACK be helpful?
    Ans. SACK is very helpful when traffic is heavy and some packets are being lost. With SACK, the sender does not have to resend every packet that was sent after a lost packet; it can selectively resend only the packets that were lost.
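
    The difference described in Q 10 and Q 12, as an added example (not Novell code): it builds the SACK option bytes and compares what a sender must resend with and without SACK blocks. The option kinds 4 and 5 are the standard TCP values; the function names and the flight of segments are constructed.

```python
import struct

MOD, HALF = 1 << 32, 1 << 31
SACK_PERMITTED = bytes([4, 2])        # kind 4, length 2: sent only in a SYN

def rel(seq, base):
    """Offset of seq from base in 32-bit sequence space (wrap-safe)."""
    return (seq - base) % MOD

def encode_sack(blocks):
    """Build the SACK option (kind 5) from (left_edge, right_edge) pairs."""
    if not 1 <= len(blocks) <= 4:     # 40 option bytes hold at most 4 blocks
        raise ValueError("a SACK option carries 1 to 4 blocks")
    body = b"".join(struct.pack("!II", l % MOD, r % MOD) for l, r in blocks)
    return bytes([5, 2 + len(body)]) + body

def resend_without_sack(in_flight, cum_ack):
    """Only the cumulative ACK is known: resend everything from it onward."""
    return [(s, n) for s, n in in_flight if rel(s, cum_ack) < HALF]

def resend_with_sack(in_flight, cum_ack, blocks):
    """Resend only the holes below the highest selectively acknowledged byte."""
    spans = [(rel(l, cum_ack), rel(r, cum_ack)) for l, r in blocks]
    highest = max((r for _, r in spans), default=0)
    holes = []
    for seq, length in in_flight:
        start = rel(seq, cum_ack)
        if start >= HALF:             # already covered by the cumulative ACK
            continue
        sacked = any(l <= start and start + length <= r for l, r in spans)
        if not sacked and start < highest:
            holes.append((seq, length))
    return holes

if __name__ == "__main__":
    # Constructed flight of seven 1000-byte segments that wraps past 2**32.
    first = MOD - 2000
    flight = [((first + i * 1000) % MOD, 1000) for i in range(7)]
    cum_ack = MOD - 1000              # segment 0 arrived; segment 1 was lost
    blocks = [(0, 1000), (2000, 4000)]  # segments 2, 4 and 5 arrived
    print("no SACK:", resend_without_sack(flight, cum_ack))
    print("SACK   :", resend_with_sack(flight, cum_ack, blocks))
    print("option :", encode_sack(blocks).hex())
```

    The last segment of the flight lies above the highest SACKed byte, so it is treated as still in flight rather than lost.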

    Q 13. Will SACK and LW have an impact on the LAN connection?
    Ans. SACK will not have any impact on a LAN connection, whereas Large Window is very useful in gigabit networks.

    1.9 UDP

    Q 1. What is the maximum packet size that UDP can transmit?
    Ans. UDP can transmit a maximum packet size of 36992 bytes.

    Q 2. Does UDP support multiple listeners on the same IP address and port?
    Ans. No, UDP does not support it as of now, but it will be available by NetWare 6.1.

    Q 3. Does UDP processing happen on all processors?
    Ans. Yes, the UDP stack is MP-enabled.

    Q 4. Is the Path MTU Discovery feature available on the stack (RFC 1191)?
    Ans. Yes, the feature is available on the stack.

    1.10 WAN

    Q 1. Can I dial up to the NetWare server and use it?
    Ans. A dial-up connection requires Novell Internet Access Server (NIAS) support. With NetWare 6, NIAS is a standalone product and must be downloaded separately.

    Q 2. How can I connect to a WAN?
    Ans. NetWare can be configured as a Remote Access Server with NIAS 4.1 running on it. With a modem and a phone line, a PPP connection to the WAN can be established. This gives an entry point to the WAN.

    Q 3. What interfaces are supported for PPP?
    Ans. The following interfaces are supported for PPP: RS232 and Async Modems (Raise DTR, Hayes and V34).

    Q 4. Can I have a Dial on Demand connection or do I have to have a permanent leased connection?
    Ans. You can have either of the two kinds of connection. NetWare supports both.

    Q 5. In case one channel goes bad, can I use a Dial Backup?
    Ans. Yes, you can use a dial backup by configuring two primary call destinations in the WAN Call Directory option and defining the backup associations.

    Q 6. Do the dial-up services provide any QoS?
    Ans. Yes, VJ header compression is available for slow serial links.

    Q 7. Is the dial-up connection secure?
    Ans. Yes, the dial-up connection is secure. You can use either PAP or CHAP for authentication.

    1.11 Security

    Q 1. What is a SYN attack?
    Ans. A SYN attack is one in which an attacker misuses the TCP connection initiation stage. The attacker sends faked or spoofed connection requests, called SYN packets, with a non-existent source address. On receiving such packets, the stack allocates resources for the connection and responds with a SYN-ACK. Because the source address is non-existent, nobody responds to this SYN-ACK, so the resources stay blocked for a long time, until the connections time out. If an attacker floods your system with a large number of such packets, legitimate users will not be able to access your system.

    Q 2. How do you protect NetWare 6 from a SYN attack?
    Ans. There is a two-pronged strategy to protect NetWare 6 from a SYN attack:

    1. As the number of connection requests grows, the stack allows the client less than the usual 75 seconds, after allocating the resources, to complete the three-way handshake (by sending the third ACK). In a moderate attack, this gives legitimate users some chance of getting a connection through.
    2. When the number of connection requests grows beyond a predicted threshold, a denial-of-service attack is more likely. In a typical SYN attack, the third ACK never arrives, so the resources stay blocked for that period, and the attack is repeated to prevent any legitimate request from getting through. To handle this situation, the stack does not commit its resources before the three-way handshake is complete. Instead, the server sends the client a cookie (derived from secrets and sequence number information). Because all legitimate clients send the third ACK back, resources are allocated only after the cookie is verified, and the connection is put directly into the ESTABLISHED state. The SYN attack packets are therefore handled without using any memory resources.
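
    The cookie approach in step 2, as an added example of the general SYN cookie technique (not NetWare's own algorithm, which this page does not specify). The cookie layout, the HMAC construction, the 64-second slot and all names are assumptions; the addresses are constructed.

```python
import hashlib, hmac, os, socket, struct

SECRET = os.urandom(32)   # assumption: per-boot secret, never sent on the wire
SLOT = 64                 # seconds per time slot (assumption)
MAX_AGE = 2               # accept cookies from the current and previous slot
established = set()       # state exists only for verified connections

def _mac27(conn, client_isn, slot):
    """27-bit keyed tag over the 4-tuple, the client's ISN and the time slot."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) +
           struct.pack("!HHIB", src_port, dst_port, client_isn, slot))
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") >> 5

def on_syn(conn, client_isn, now):
    """Return the SYN-ACK sequence number (the cookie); store nothing."""
    slot = (int(now) // SLOT) % 32
    return (slot << 27) | _mac27(conn, client_isn, slot)

def on_ack(conn, seq, ack, now):
    """Third ACK: recompute the cookie, allocate state only if it matches."""
    cookie = (ack - 1) % (1 << 32)
    client_isn = (seq - 1) % (1 << 32)
    slot = cookie >> 27
    age = ((int(now) // SLOT) - slot) % 32
    if age >= MAX_AGE:
        return False                                  # stale or future slot
    expected = (slot << 27) | _mac27(conn, client_isn, slot)
    if not hmac.compare_digest(struct.pack("!I", cookie),
                               struct.pack("!I", expected)):
        return False                                  # forged or wrong 4-tuple
    established.add(conn)                             # first allocation
    return True

if __name__ == "__main__":
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)  # constructed addresses
    isn = 123456789
    cookie = on_syn(conn, isn, now=1000)
    print("state after SYN:", len(established))
    print("valid ACK :", on_ack(conn, isn + 1, (cookie + 1) % 2**32, now=1010))
    print("forged ACK:", on_ack(conn, isn + 1, ((cookie ^ 1) + 1) % 2**32, now=1010))
```

    A flood of spoofed SYNs only costs the server one keyed hash per packet, because nothing is stored until a third ACK carries a cookie that verifies.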

    Q 3. What will happen in case a SYN attack takes place?
    Ans. If a SYN attack happens over a period of time and at a very large scale, legitimate users will not be able to access your system.

    Q 4. What is a FIN attack?
    Ans. A FIN attack targets the connection end states of TCP. A connection is established and, without any data transfer, closed immediately, overwhelming the server with close requests and forcing it to keep track of a large number of graceful closure states.

    Q 5. What are the SET options for enabling the FIN attack defense, and how are they tuned?
    Ans. You can enable the FIN Attack Defense using the SET options:

    Syntax: set tcp defend land attacks = string
    Description: Enable or disable defense against land attacks.
    Range: On | Off
    Default: On (enabled)

    The maximum wait states could be = 1000 (depending on how many connections should be in the closing states of TCP). Tuning can be done by observing the number of connections in different states using the _tcp command. If too many connections are present in the FIN_WAIT_1 state or in any other state associated with TCP connection closure, the value should be set appropriately.

    The TCP Defend Fin Attack solution provides a simple, single tuning option, the Minimum Threshold parameter. In the TCP stack, the wait states (FIN_WAIT1, FIN_WAIT2, CLOSED_WAIT, LAST_ACK and CLOSING) are arranged in ascending order of importance by considering which of the states are less risky to terminate. The order is static.

    The stack assumes that there is no risk in terminating all connections in a less important state. According to the arrangement of states, if a less important connection is overusing resources, then it is selected. Alternatively, if an important state is overusing resources and the less important states do not dominate, it would be selected for reset only. At any given point in time, a Minimum Threshold number of connections will be permitted.

    Q 6. Does NetWare 6 TCP/IP stack support IPsec?
    Ans. Yes, the NetWare 6 TCP/IP stack supports IPsec.

    1.12 Application Interfaces

    Q 1. What kind of application interfaces are supported to use the TCP/IP services?
    Ans. The following application interfaces are supported to use the TCP/IP services:

  • SDSOCK interface is supported for all socket operations
  • Winsock 2 interface is supported
  • TLI is supported but not recommended
  • Native interface is supported but not recommended

    1.13 IPX to IP transition

    Q 1. I have an IPX network and would like to migrate to NetWare 6. Can I do it?
    Ans. Yes, you can migrate using the Server Compatibility Mode Driver (SCMD). For more details, see: http://www.novell.com/documentation/lg/nw6p/index.html

    Q 2. How is SCMD different from NetWare IP?
    Ans. NetWare IP is used for IP connectivity in IPX networks whereas SCMD is used for IPX to IP migration.

    Q 3. Is NetWare IP supported on NetWare 6?
    Ans. NetWare IP is not certified on NetWare 6.

    1.14 Release Mechanism

    Q 1. Where can I get the latest TCP/IP stack?
    Ans. The latest TCP/IP stack is available with NetWare 6. You can also get it at http://www.novell.com/products/netware/

    Q 2. Would the new features like load Balancing and Fault Tolerance, Large windows, SACK and so on be available on NetWare 5.1?
    Ans. They should be available in NetWare 5.1 Support Pack 4 by January, 2002.

    1.15 References to other Docs

    Q 1. Where do I get the TCP/IP Admin Guide?
    Ans. You can get the latest TCP/IP Admin Guide at: http://www.novell.com/documentation/lg/nw6p/index.html

    Q 2. Where do I get the latest NDK information on TCP/IP?
    Ans. The latest information is at: http://developer.novell.com/ndk/

    1.16 NetWare Applications on TCP/IP

    Q 1. What is the support available for redirection?
    Ans. At present BorderManager supports IP Address and port redirection for proxy applications.

    1.17 Other Information

    Q 1. What is the extent of CIDR support being provided by the stack?
    Ans. In the present stack CIDR has been implemented for an end host.

    Q 2. Are there any Web based mechanisms for configuring the stack?
    Ans. No, not yet, but we are working on it and it will be available by NetWare 6.1 SP1.

