All Rights Reserved © 2010, Alcatel-Lucent
Page 1
Copyright © 2008 by Alcatel-Lucent - All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization from Alcatel-Lucent.
Safety Warning
Both lethal and dangerous voltages are present within the equipment. Do not wear conductive jewelry while working on the equipment. Always observe all safety precautions and do not work on the equipment alone.
Caution
The equipment used during this course is electrostatic sensitive. Please observe correct anti-static precautions.
Trade Marks
Alcatel and MainStreet are trademarks of Alcatel.
All other trademarks, service marks and logos (“Marks”) are the property of their respective holders including Alcatel-Lucent. Users are not permitted to use these Marks without the prior consent of Alcatel or such third party owning the Mark. The absence of a Mark identifier is not a representation that a particular product or service name is not a Mark.
Copyright
This document contains information that is proprietary to Alcatel-Lucent and may be used for training purposes only. No other use or transmission of all or any part of this document is permitted without Alcatel-Lucent’s written permission, and must include all copyright and other proprietary notices. No other use or transmission of all or any part of its contents may be used, copied, disclosed or conveyed to any party in any manner whatsoever without prior written permission from Alcatel-Lucent.
Use or transmission of all or any part of this document in violation of any applicable Canadian or other legislation is hereby expressly prohibited.
User obtains no rights in the information or in any product, process, technology or trademark which it includes or describes, and is expressly prohibited from modifying the information or creating derivative works without the express written consent of Alcatel-Lucent.
Alcatel-Lucent, The Alcatel-Lucent logo, MainStreet and Newbridge are registered trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. Alcatel-Lucent assumes no responsibility for the accuracy of the information presented, which is subject to change without notice.
© 2007 Alcatel-Lucent. All rights reserved.
Disclaimer
In no event will Alcatel-Lucent be liable for any direct, indirect, special, incidental or consequential damages, including lost profits, lost business or lost data, resulting from the use of or reliance upon the information, whether or not Alcatel has been advised of the possibility of such damages.
Mention of non-Alcatel-Lucent products or services is for information purposes only and constitutes neither an endorsement nor a recommendation.
Please refer to technical practices supplied by Alcatel-Lucent for current information concerning Alcatel-Lucent equipment and its operation.
1. Backbone NE supervision
2. DNS server : Server handling
3. DNS server : APN zones declaration
4. DNS server : RA zones declaration
5. DNS server : APN zone configuration
6. DNS server : Synchronization
7. DNS server : Inter-PLMN roaming
8. BGP in Border gateway
9. RADIUS server: Configuring authentication
10. RADIUS server: Configuring authorization
11. RADIUS server: Configuring a proxy function
12. VLAN management : OS management interface
13. VLAN management : Switch VLAN configuration
Annexes
Conventions used in this guide
Note – Provides you with additional information about the topic being discussed. Although this information is not required knowledge, you might find it useful or interesting.
Technical Reference (1) 24.348.98 – Points you to the exact section of Alcatel-Lucent Technical Practices where you can find more information on the topic being discussed.
Warning – Alerts you to instances where non-compliance could result in equipment damage or personal injury.
Where you can get further information
If you want further information you can refer to the following:
• Technical Practices for the specific product
• Technical support page on the Alcatel-Lucent website: http://www.alcatel-lucent.com
1. Backbone NE supervision
To access the XMC, students will be split into 4 working groups. Group identifiers will be assigned by the trainer.
Start your browser and open a web session to the XMC.
Once you are logged in, select the <Network Management> option in the portal's left-hand pane. The Network Management window will be loaded.
In the <Network Management> window left-hand pane, select a NE. The information concerning that NE will be displayed in the right-hand pane.
• What is the IP address of the selected NE? ………………………………………
• Is the OMC able to communicate with the NE? ……………………………….
• What is the supervision state? ……………………………………..
• Is the NE currently in alarm? ……………………………………..
Select a supervised NE in the map.
• Note the color of the icon ……………………. What does it mean? ………………………………..
• Right-click on it to display the contextual menu. Select the option <Display Alarms>.
Check the <Alarms> window to find the alarm with a severity matching the color of the icon.
What is the problem? …………………………………………………………………………………..
• Go back to the Network Management window. Unplug the cable linking DNS2 to the backbone.
What happens to the icon representing DNS2? …………………………
Navigate to the Alarms window and display the corresponding alarm.
Write it here …………………………………………..
Plug the cable back in place and verify the disappearance of the alarm.
How long does it take? …………………
Select a supervised NE in the map. How do you recognize it? ……………………………………………………………
• Right-click on it to display the contextual menu. Select the option <Stop Supervision>.
In the confirmation window, click on <Ok>. What has happened to the NE icon?
……………………………………………………………………………………………
Note the state of supervision …………………………….
Write down the NE IP address ……………………………..
• Delete the highlighted NE, using the top window menu option Network Elements -> Remove.
• Re-create the NE using the menu option Network Elements -> Declare.
• Right-click on the new NE to display the contextual menu.
Select the option <Start Supervision> to restart the supervision.
What happens? ………………………………………………………………
• Wait until the supervision is activated and check:
What is the state of the supervision now? ………………………………
And the alarm status? ………………………………….
And the communication link? …………………………
2. DNS server : Server handling
Four working groups will be created; two students will join each group.
The trainer will assign the identifiers to each group. Groups 1 and 2 will work on DNS1, groups 3 and 4 will practice on DNS2.
Log in as user root to the DNS server and open a terminal window using the icon in the toolbar.
You can open a terminal window by selecting Applications (the main menu on the panel) => System Tools=> Terminal.
You can also start a shell prompt by right-clicking on the desktop and choosing Open Terminal from the menu.
1- In the shell window, restart the DNS process daemon by typing the command:
# service named restart
2- Start the LINUX configuration software
In the terminal window, type :
# linuxconf &
3- Verify that the DNS management module (dnsconf) is activated (checked) in linuxconf. Otherwise, the graphical interface to manage the DNS will not be available.
• In the linuxconf window, select the Control tab.
• Under the Control tab, select Modules.
• Verify that dnsconf is checked (activate it if it is not).
4- Click on the Networking option in the left-hand tree menu. Select <Client tasks>.
Select the <Host name and IP network devices> option
Host name : ………………...
IP address : ………………...
5- Check the local resolver configuration:
Click the <Name Server specification> menu option
Write down the following values
Default domain: …………………………………………..
Search domain: …………………………………………..
What is the role of the search domain fields?
…………………………………………………… ………………………………………………………………
…………………………………………………………………………………………………………………….
6- Click on the <Server Tasks> tab
Select the option <Domain Name Server>
Display the list of DNS zones managed by this server by clicking on the <domains> button.
Write down their names.
………………………………………………………………..
………………………………………………………………..
In your opinion, why are two different zones used for the same PLMN?
………………………………………………………………………………………………………………………
………………………………………………………………………………………………………………………
7- Display the main DNS configuration files
Start the Linux file manager
Display the file /etc/named.conf
What is the role of the global options? …………………………………………………..
In which directory are the zone definition files stored? …….…………………………..
What is the name of the file containing the resources for the zone mncxxx.mccyyy.gprs ? (*)
………………………..
Navigate to directory /var/named
Display the contents of the different files
What is the purpose of the root.cache file ? ……………………………………………………….
……………………………………………………………………………………………………………
Which type of record defines the zone in the mncxxx.mccyyy.gprs (*) file ? ………………………….
Note : xxx corresponds to the MNC value, yyy to the MCC
3. DNS server : APN zones declaration
The trainer will assign the identifiers to each group. Groups 1 and 2 will work on DNS1, groups 3 and 4 will practice on DNS2.
Zone name:
Operator group 1 : mnc111.mcc777.gprs
Operator group 2 : mnc222.mcc777.gprs
Operator group 3 : mnc333.mcc777.gprs
Operator group 4 : mnc444.mcc777.gprs
E-mail of the person responsible for the zone:
Operator group 1 : [email protected]
Operator group 2 : [email protected]
Operator group 3 : [email protected]
Operator group 4 : [email protected]
Period between two updates of the secondary server (SOA refresh): 2 hours
If there is no response to the secondary update request, the retry period will be (SOA retry): 30 minutes
Delete the zone from the secondary name server if no update during (SOA expire): 10 days
Negative caching value (SOA minimum): 1 hour
Default TTL provided in the DNS response when the TTL is absent from a RR ($TTL): 5 hours
Mail box for the zone: none
Restriction to access to the zone: none
Modification of the primary server: must be immediately notified to the secondary
1- Start the LINUX configuration software
In a terminal window type:
# netconf &
2- Access the zone declaration window
Select tab <Server tasks>
Click on <Domain Name Server (DNS)>
Select tab <Config>
Click on <domains>
Click on <Add>
3- Create a new zone
Browse through the tabs and fill in the various fields using the parameters proposed on the previous page.
Click on <Accept> to create the zone.
Exit netconf
4- Restart the DNS server.
In a terminal window type:
# service named restart
Note – On exit, netconf will propose to restart the daemon. Select the option “Do nothing” and restart the server manually.
5- Verify the generated file
Check that the new zone appears in the configuration file /etc/named.conf.
Display the new zone file in directory /var/named and verify the Resource Records. Correct them if necessary.
6- Test the access to this new zone.
From a computer connected to the IP backbone, in a terminal window, run nslookup or dig (see the annex for nslookup explanations) and send a request to retrieve the SOA record of your zone.
4. DNS server : RA zones declaration
The trainer will assign the identifiers to each group. Groups 1 and 2 will work on DNS1, groups 3 and 4 will practice on DNS2.
Apply the procedure used in the previous exercise to declare a zone for the RA in your PLMN.
Use dig to verify the availability of the zone.
Zone name:
Operator group 1 : mnc0111.mcc0777.gprs.
Operator group 2 : mnc0222.mcc0777.gprs.
Operator group 3 : mnc0333.mcc0777.gprs.
Operator group 4 : mnc0444.mcc0777.gprs.
E-mail of the person responsible for the zone:
Operator group 1 : [email protected]
Operator group 2 : [email protected]
Operator group 3 : [email protected]
Operator group 4 : [email protected]
Period between two updates of the secondary server (SOA refresh): 3 hours
If there is no response to the secondary update request, the retry period will be (SOA retry): 15 minutes
Delete the zone from the secondary name server if no update during (SOA expire): 14 days
Negative caching value (SOA minimum): 2 hours
Default TTL provided in the DNS response when the TTL is absent from a RR ($TTL): 30 minutes
Mail box for the zone: none
Restriction to access to the zone: none
Modification of the primary server: must be immediately notified to the secondary
5. DNS server : APN zone configuration
The trainer will assign the identifiers to each group. Groups 1 and 2 will work on DNS1, groups 3 and 4 will practice on DNS2.
Fill in the APN database zone that you created in the previous practical work using the data provided below and the addresses in the diagram. The value of X corresponds to the operator group id.

Device name   TTL       Comments
iggsn         default   IP addresses of the physical interfaces
iggsn-gtp     default   IP address of the GTP virtual interface in the iGGSN
sgsn          default   IP address of the management interface
sgsn-r1B      default   IP address of SGSN-Router 1 (IP backbone side)
sgsn-r2B      default   IP address of SGSN-Router 2 (IP backbone side)
sgsn-r1       default   IP addresses of SGSN-Router 1 (LAN I/O side)
sgsn-r2       default   IP addresses of SGSN-Router 2 (LAN I/O side)
station-n     default   IP addresses of each station on LAN I/O 1 and 2 (n = a, b, c, d, e, f)
vigilon       default   IP address of the Vigilon
omcps         default   IP address of the OMC-PS
MMS           10 sec    use a CNAME to link the APN to the GTP interface
INET          10 sec    use a CNAME to link the APN to the GTP interface
WAP           10 sec    use a CNAME to link the APN to the GTP interface
Start the network configuration application (# netconf &)
Select <Servers Tasks> and click on <Domain Name Server (DNS)>.
In the <DNS configurator> window, select tab <Add/Edit>
In the window <Edit hosts by domain>, double-click on the zone to be modified
Next, in the window <Hosts to edit>, click on <Add>
In the window <Host or domain specification>, enter the name of the host in front of the zone name
Click on <Accept>. A new window (next page) appears to enter the parameters of the record
In the window <Host information>,
fill in the IP address(es) corresponding to the hostname and the TTL value (if the TTL is different from the default value).
Click on <Accept>.
Repeat the procedure for each record you need to add to the database.
Note – For CNAME records, you'll use only the nickname field; all the other fields remain empty.
Quit the netconf application.
Display the zone file in the directory /var/named to verify that all the entries are correctly recorded.
After you have entered all the resources in the database, verify the availability of this information for the clients.
• From your PC, use dig or nslookup to request translations from the DNS
e.g. dig WAP.mncxxx.mcc777.gprs.
Check that the TTL associated with the record is correct.
The tools you have learnt in class may help you to check and correct your configuration in case of problems. Check the log file for messages concerning the named daemon.
Note – Remember to restart the daemon every time you modify the database, otherwise the new parameters will be ignored.
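Added example (not netconf or linuxconf output, and not part of the original lab): the BIND zone file and named.conf stanza that the dialogs of exercises 3, 4 and 5 generate, rendered directly from the SOA values of the exercise and from the APN record table above. Use it to check the files in /var/named and /etc/named.conf field by field. The name-server host names (dns1/dns2), the hostmaster mailbox and every IP address are assumptions; the real addresses come from the lab diagram.

```python
# Added example for this page (not netconf/linuxconf output): render the BIND zone
# file and named.conf stanza that exercises 3 to 5 build through the dialogs, from
# the SOA values of the exercise and the APN record table.  Name-server host names,
# the hostmaster mailbox and all IP addresses are constructed placeholders; the
# real addresses come from the lab diagram.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

UNITS = {"sec": 1, "second": 1, "seconds": 1, "minute": 60, "minutes": 60,
         "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}


def to_seconds(text: str) -> int:
    """'2 hours' -> 7200.  BIND accepts suffixes like 2h too; seconds are unambiguous."""
    value, unit = text.split()
    return int(value) * UNITS[unit.lower()]


def soa_contact(email: str) -> str:
    """RFC 1035 RNAME: hostmaster@zone -> hostmaster.zone.  A dot in the local
    part must be escaped or the mailbox is read as two labels."""
    local, domain = email.split("@", 1)
    local = local.replace(".", "\\.")
    return f"{local}.{domain}."


@dataclass(frozen=True)
class SoaParams:
    zone: str          # e.g. mnc111.mcc777.gprs
    primary_ns: str    # FQDN of the primary name server, with trailing dot
    contact: str       # mailbox of the person responsible for the zone
    refresh: str       # period between two updates of the secondary
    retry: str         # retry period when the refresh query gets no answer
    expire: str        # secondary deletes the zone after this long without update
    negative_ttl: str  # negative caching value (SOA MINIMUM, RFC 2308)
    default_ttl: str   # TTL used when a RR carries none ($TTL directive)
    serial: int = 2010010101  # YYYYMMDDnn; must grow on every edit


# (owner, type, rdata, explicit TTL or None for the zone default)
Record = Tuple[str, str, str, Optional[int]]


def render_zone(p: SoaParams, records: Sequence[Record],
                secondaries: Sequence[str] = ()) -> str:
    lines = [
        f"$TTL {to_seconds(p.default_ttl)}",
        f"$ORIGIN {p.zone}.",
        f"@ IN SOA {p.primary_ns} {soa_contact(p.contact)} (",
        f"        {p.serial} ; serial",
        f"        {to_seconds(p.refresh)} ; refresh",
        f"        {to_seconds(p.retry)} ; retry",
        f"        {to_seconds(p.expire)} ; expire",
        f"        {to_seconds(p.negative_ttl)} ) ; negative caching TTL",
        f"@ IN NS {p.primary_ns}",
    ]
    # One NS record per secondary: named only sends NOTIFY to servers listed here.
    lines += [f"@ IN NS {ns}" for ns in secondaries]
    for owner, rtype, rdata, ttl in records:
        ttl_field = "" if ttl is None else f" {ttl}"
        lines.append(f"{owner}{ttl_field} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


def render_named_conf(p: SoaParams, secondary_ips: Sequence[str]) -> str:
    """Primary-side stanza.  The dialog's 'Restriction to access the zone: none'
    leaves AXFR open to anyone; allow-transfer limits it to the declared secondaries."""
    xfer = " ".join(f"{ip};" for ip in secondary_ips) or "none;"
    return (f'zone "{p.zone}" IN {{\n'
            f'    type master;\n'
            f'    file "{p.zone}";\n'
            f'    notify yes;\n'
            f'    allow-transfer {{ {xfer} }};\n'
            f'}};\n')


def apn_records(addresses: Dict[str, str]) -> List[Record]:
    """The record table of exercise 5: A records with the default TTL for the
    nodes, 10-second CNAMEs linking each APN to the GGSN GTP interface."""
    recs: List[Record] = [(name, "A", ip, None) for name, ip in addresses.items()]
    recs += [(apn, "CNAME", "iggsn-gtp", 10) for apn in ("MMS", "INET", "WAP")]
    return recs


# Group 1 parameters of exercise 3 (APN zone) and exercise 4 (RA zone).
APN_ZONE_GROUP1 = SoaParams("mnc111.mcc777.gprs", "dns1.mnc111.mcc777.gprs.",
                            "hostmaster@mnc111.mcc777.gprs", "2 hours", "30 minutes",
                            "10 days", "1 hour", "5 hours")
RA_ZONE_GROUP1 = SoaParams("mnc0111.mcc0777.gprs", "dns1.mnc111.mcc777.gprs.",
                           "hostmaster@mnc111.mcc777.gprs", "3 hours", "15 minutes",
                           "14 days", "2 hours", "30 minutes")
# Constructed addresses for X = 1; the lab diagram gives the real ones.
GROUP1_ADDRESSES = {"iggsn": "10.1.0.1", "iggsn-gtp": "10.1.0.2", "sgsn": "10.1.0.10",
                    "sgsn-r1B": "10.1.0.11", "sgsn-r2B": "10.1.0.12",
                    "sgsn-r1": "10.1.1.1", "sgsn-r2": "10.1.1.2",
                    "vigilon": "10.1.0.20", "omcps": "10.1.0.30"}

if __name__ == "__main__":
    print(render_zone(APN_ZONE_GROUP1, apn_records(GROUP1_ADDRESSES),
                      secondaries=["dns2.mnc111.mcc777.gprs."]))
    print(render_named_conf(APN_ZONE_GROUP1, ["10.2.0.53"]))
```

Compare the generated text with what netconf wrote: the serial must change on every edit, the 10-second TTL must appear only on the three CNAMEs, and a secondary that is not listed as NS will never receive a NOTIFY.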
6. DNS server : Synchronization
In this practical work, you will configure a secondary for your zone. This secondary database will reside in a neighbour DNS server, e.g. the primary zone for PLMN mnc111 mcc777 was configured on DNS1; the secondary zone will now be declared on machine DNS2.
In your primary zone, add an NS record to indicate that there is another authoritative server for the zone. If you skip this step, synchronization will never happen.
Start the Network Configuration application (# netconf &)
Select <Servers Tasks> and click on <Domain Name Server (DNS)>.
In the <DNS configurator> window, select tab <Config>
Click on <Domains>
In the <Primary Zones> window, double-click on your primary zone. The <Primary Specification> window will be displayed.
In the Name Servers (NS) tab, add an entry pointing to the secondary server.
Click on <Accept>
Note – Do not forget to restart named after the modification (# service named restart)
Open a session to the DNS server that will store your secondary zone
Launch the protocol analyzer ( # ethereal &) and start a capture.
It is recommended that you apply a capture filter to limit the number of packets in the trace.
From a command window, invoke the Network Configuration application ( # netconf & )
Click on button <Secondaries>
In the window <Secondaries>
Click on <Add>
In the window <Secondary specification>
Enter the name of the zone and the IP address of the primary in the corresponding fields
Click on <Accept>
Exit netconf.
Stop the capture on the protocol analyzer and display the trace. Explain the results.
………………………………………………………………………………………………………………………………………..
………………………………………………………………………………………………………………………………………..
Note – To force a resynchronization, restart named (# service named restart).
Display the DNS configuration file (/etc/named.conf) as well as the secondary zone file (directory: /var/named/sec).
How do you know if the secondary has been updated?
………………………………………………………………………………………………………………………………
Start a new capture on your protocol analyser and add a new RR in the primary zone.
Is the update of the secondary immediate? ………. If not, verify that notifications are enabled.
Use dig or nslookup to check if the secondary server is able to handle requests.
e.g. dig @<ip-address-of-the-secondary> WAP.mncxxx.mcc777.gprs.
e.g. nslookup
> server <ip-address-of-the-secondary>
> WAP.mncxxx.mcc777.gprs.
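Added example (not part of the lab): how to answer "has the secondary been updated?" from the two SOA records (dig +short SOA @primary and @secondary). A secondary only transfers when the primary's serial is greater in RFC 1982 arithmetic, so a zone file edited without a serial bump looks in sync forever, and an edit that accidentally lowers the serial is never picked up. Timer values are those of exercise 3; serials and timestamps are constructed.

```python
# Added example, not part of the lab: decide from the SOA records whether the
# secondary is in sync, with RFC 1982 serial arithmetic and the refresh/retry/expire
# timers of exercise 3.  Sample serials and timestamps are constructed.
from dataclasses import dataclass

MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b' for 32-bit serials, correct across the wrap at 2**32."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # 7200   (2 hours)
    retry: int     # 1800   (30 minutes)
    expire: int    # 864000 (10 days)
    minimum: int   # 3600   (negative caching)


@dataclass(frozen=True)
class Secondary:
    soa: Soa              # SOA as last transferred from the primary
    last_success: int     # epoch seconds of the last successful refresh or transfer


def secondary_status(primary: Soa, sec: Secondary, now: int) -> str:
    """Compare the SOA served by each server (dig +short SOA @primary / @secondary)."""
    if now - sec.last_success >= sec.soa.expire:
        return "EXPIRED"      # secondary answers SERVFAIL until a transfer succeeds
    if serial_gt(primary.serial, sec.soa.serial):
        return "STALE"        # transfer pending: NOTIFY lost/disabled, waiting for refresh
    if serial_gt(sec.soa.serial, primary.serial):
        return "AHEAD"        # primary serial went backwards; secondary will never update
    return "IN_SYNC"          # equal serials: a file edited without a bump also lands here


def next_soa_check(sec: Secondary, last_attempt_failed: bool) -> int:
    """When the secondary polls the primary again if no NOTIFY arrives."""
    return sec.last_success + (sec.soa.retry if last_attempt_failed else sec.soa.refresh)


def bump_serial(old: int, today_yyyymmdd: int) -> int:
    """YYYYMMDDnn convention: first edit of the day, else old + 1 (mod 2**32)."""
    candidate = today_yyyymmdd * 100 + 1
    return candidate if serial_gt(candidate, old) else (old + 1) % MOD


if __name__ == "__main__":
    lab = Soa(serial=2010030101, refresh=7200, retry=1800, expire=864000, minimum=3600)
    sec = Secondary(soa=lab, last_success=1_267_400_000)
    print(secondary_status(lab, sec, now=1_267_400_600))                     # IN_SYNC
    edited = Soa(bump_serial(lab.serial, 20100301), 7200, 1800, 864000, 3600)
    print(secondary_status(edited, sec, now=1_267_400_600))                  # STALE
    print("next poll at", next_soa_check(sec, last_attempt_failed=False))
```

If the trace in this exercise shows a NOTIFY followed by an SOA query but no AXFR/IXFR, compare the two serials first: with an unchanged serial the secondary correctly decides there is nothing to fetch.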
7. DNS server : Inter-PLMN roaming
Note – Secondary zones created in the DNS in the previous exercise must be removed; otherwise requests will not be forwarded to the GRX DNS.
PLMNs 1, 2, 3 and 4 are connected to a GRX network and use the services of the GRX Root DNS server to reach the other PLMNs connected to the network.
• PLMN 1 reaches operators PLMN2, 3 and 4 through the GRX network and has a bilateral roaming agreement with operator PLMN5
• PLMN 2 reaches operators PLMN1, 3 and 4 through the GRX network and has a bilateral roaming agreement with operator PLMN6
• PLMN 3 reaches operators PLMN1, 2 and 4 through the GRX network and has a bilateral roaming agreement with operator PLMN5
• PLMN 4 reaches operators PLMN1, 2 and 3 through the GRX network and has a bilateral roaming agreement with operator PLMN6
Start the network configuration application (# netconf &)
Select tab <Server tasks>
Click on <Domain name server (DNS)>; a window <DNS configurator> appears:
Select <Forward Zones>
In the <Forward Zones> window click on <Add>
In the <Select Forward zone specification> window,
• enter the zone name for which requests will be forwarded and,
• the IP address(es) of the FPLMN DNS server(s) to which the requests for this zone will be redirected.
Exit netconf and restart named.
Launch the protocol analyzer and start a capture. A capture filter is recommended (e.g. port 53).
From your PC, use dig or nslookup to send a request to your PLMN DNS asking for an APN in another network.
e.g. from PLMN1 a user requests translation of MMS.mnc555.mcc777.gprs. => dig MMS.mnc555.mcc777.gprs.
Stop the capture and check the trace to display the forwarded request.
Start the network configuration application (# netconf &)
Select tab <Server tasks>
Click on <Domain name server (DNS)>; a window <DNS configurator> appears:
Select <Forwarders>
In the <Forwarders> window,
enter the IP address(es) of the root DNS server(s) to which the requests will be redirected.
Exit netconf and restart named.
Launch the protocol analyzer and start a capture. A capture filter is recommended.
From your PC, use dig or nslookup to send a request to your PLMN DNS asking for an APN in another network.
e.g. from PLMN1 a user requests translation of MMS.mnc444.mcc777.gprs. => dig MMS.mnc444.mcc777.gprs.
Stop the capture and check the trace to display the forwarded request.
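Added example (not the lab's named configuration): a model of how a BIND server holding authoritative zones, forward zones (bilateral roaming partner) and global forwarders (GRX root DNS) picks where a query goes, with the PLMN 1 setup of this exercise. It shows the point of the note at the start of the exercise: authoritative data, including a secondary zone left over from exercise 6, is answered locally and never forwarded. The model assumes "forward only" semantics; zone names follow the exercise and the server addresses are constructed.

```python
# Added example, not the lab's named configuration: where a BIND server sends a
# query when it holds authoritative zones, forward zones (roaming partner) and
# global forwarders (GRX root DNS).  "forward only" semantics are assumed.
# Zone names follow exercise 7 for PLMN 1; server addresses are constructed.
from typing import Dict, Iterable, List, Optional, Tuple


def labels(name: str) -> List[str]:
    """Case-insensitive label list; a trailing dot is ignored."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def enclosing_zone(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Most specific zone whose name is a suffix, in whole labels, of qname."""
    q = labels(qname)
    best: Optional[str] = None
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best


def route_query(qname: str, authoritative: Iterable[str],
                forward_zones: Dict[str, List[str]],
                forwarders: List[str]) -> Tuple[str, List[str]]:
    """Returns (decision, target servers) for one query name."""
    auth = enclosing_zone(qname, authoritative)
    fwd = enclosing_zone(qname, forward_zones)
    # Authoritative data wins over forwarding.  A stale secondary zone kept from
    # exercise 6 therefore shadows the GRX path for that PLMN: remove it first.
    if auth and (fwd is None or len(labels(auth)) >= len(labels(fwd))):
        return ("AUTHORITATIVE", [])
    if fwd:
        return ("FORWARD_ZONE", forward_zones[fwd])
    if forwarders:
        return ("FORWARDERS", forwarders)
    return ("RECURSE", [])   # would need root hints (root.cache) and outbound DNS


# PLMN 1: own APN and RA zones, partner PLMN 5 through a forward zone,
# every other PLMN through the GRX root DNS.
PLMN1_AUTHORITATIVE = ["mnc111.mcc777.gprs", "mnc0111.mcc0777.gprs"]
PLMN1_FORWARD_ZONES = {"mnc555.mcc777.gprs": ["10.55.0.53"]}   # PLMN 5 DNS, constructed
GRX_ROOT_DNS = ["10.200.0.53"]                                  # constructed

if __name__ == "__main__":
    for name in ("WAP.mnc111.mcc777.gprs.", "MMS.mnc555.mcc777.gprs.",
                 "MMS.mnc444.mcc777.gprs."):
        print(name, route_query(name, PLMN1_AUTHORITATIVE, PLMN1_FORWARD_ZONES, GRX_ROOT_DNS))
```

In the capture, the first name produces no outbound packet, the second goes to the PLMN 5 address from the forward zone, and the third to the GRX root DNS; a query for mnc222 that produces no outbound packet means a secondary zone for PLMN 2 is still declared.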
9. RADIUS server: Configuring authentication
Configure authentication in the RADIUS server to allow the MSs access to their company networks.
• Operator group 1 : MS1 will be configured on RADIUS1 and should be allowed access to the company1.com network. Login is “MS1” and password “mobile”.
• Operator group 2 : MS2 will be configured on RADIUS1 and should be allowed access to the company2.com network. Login is “MS2” and password “mobile”.
• Operator group 3 : MS3 will be configured on RADIUS2 and should be allowed access to the company3.com network. Login is “MS3” and password “mobile”.
• Operator group 4 : MS4 will be configured on RADIUS2 and should be allowed access to the company4.com network. Login is “MS4” and password “mobile”.
Shared secret between GGSN and RADIUS servers is “ggsn”.
Configure the shared secret to allow requests coming from your device to be processed by the RADIUS server.
Start netconf (# netconf &)
Select the tab <Server Tasks>
Click on <RADIUS Configurator> button
In the <RADIUS Configurator> window, select the option <Clients>
In the <List of clients>, click on <Add>
Enter the name or IP address of your device and the shared secret
Click on <Accept>
Click on <Dismiss>
Configure a new user in the users file
Select the tab <Server Tasks>
Click on <RADIUS Configurator> button
In the <RADIUS Configurator> window, select the option <Users>
In the <User list entries>, click on <Add>
Enter the name of your user and,
In the <Match> tab, select the type of authentication and enter a password for the user
Note - Do not configure any other parameter in this exercise
Click on <Accept>
Click on <Dismiss>
The new entry will be the last in the list. If it is behind a DEFAULT entry, it will never be checked, since a DEFAULT entry matches all users. You need to move the DEFAULT entry to the end of the list.
In the <User list entries>, highlight the DEFAULT entry and,
in the <Match> tab of the user entry, click on <Move>.
In the <Select new position> window, move DEFAULT to (last position).
Click on <Dismiss>.
Exit netconf.
Open the file manager and go to directory /etc/raddb.
• Display the content of the clients file. Verify that your device is correctly declared.
• Display the contents of the users file. Check that your new user appears correctly configured.
Restart the RADIUS server: # service radiusd restart
Use radtest to check your configuration.
From a terminal window, type the command
radtest username password server_name_or_address nas_name_or_address shared_secret
and verify that the response from the server is correct.
Open a new terminal window.
Stop the RADIUS server: # service radiusd stop
Start the RADIUS server in debug mode with output to the screen (option -x):
# /usr/sbin/radiusd -x & => wait until it is ready
From the first terminal window, resend the radtest command.
Compare the output of the radtest command with the output of the server. Can you read the password? ………….
Restart the RADIUS server in normal mode: use CTRL-C to kill the process and then # service radiusd start to reinitialize it.
10. RADIUS server: Configuring authorization
The RADIUS server will authenticate access requests from the MSs to their company networks and will assign the IP configuration parameters required for the session.
• Operator group 1 : MS11 will be configured on RADIUS1 and should be allowed access to the company1.com network. Login is “MS11” and password “mobile”.
  IP address to be assigned: 192.168.1.10, netmask: 255.255.255.0
• Operator group 2 : MS22 will be configured on RADIUS1 and should be allowed access to the company2.com network. Login is “MS22” and password “mobile”.
  IP address to be assigned: 192.168.2.10, netmask: 255.255.255.0
• Operator group 3 : MS33 will be configured on RADIUS2 and should be allowed access to the company3.com network. Login is “MS33” and password “mobile”.
  IP address to be assigned: 192.168.3.10, netmask: 255.255.255.0
• Operator group 4 : MS44 will be configured on RADIUS2 and should be allowed access to the company4.com network. Login is “MS44” and password “mobile”.
  IP address to be assigned: 192.168.4.10, netmask: 255.255.255.0
• For all users: MTU: 1500 bytes; Service Type: Framed
Shared secret between GGSN and RADIUS servers is “ggsn”.
Configure a new user in the users file
Select the tab <Server Tasks>
Click on <RADIUS Configurator> button
In the <RADIUS Configurator> window, select the option <Users>
In the <User list entries>, click on <Add>
Enter the name of your user and,
in the <Match> tab, select the type of authentication and enter a password for the user.
Click on the <Changes> tab.
Click on tab <Misc>
Select the service type from the list
Click on tab <Frames>
Enter the IP address, subnet mask and MTU value for this profile and,
Click on <Accept>
If your new user is behind a DEFAULT entry, move the DEFAULT entry to the end of the list like in the previous exercise.
Restart the RADIUS server (# service radiusd restart)
Use radtest to check your configuration.
From a terminal window, type the command
radtest username password server_name_or_address nas_name_or_address shared_secret
and verify that the response from the server is correct.
Open a new terminal window.
Stop the RADIUS server: # service radiusd stop
Start the RADIUS server in debug mode with output to the screen (option -x):
# /usr/sbin/radiusd -x & => wait until it is ready
From the first terminal window, resend the radtest command and compare the responses in both terminals.
Send a request with a wrong password and check the output.
Is the access allowed? ……………………………………………………………
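Added example (not the lab's radiusd): a first-match evaluation of a users file in a simplified Cistron/FreeRADIUS syntax, loaded with the group 1 entries of exercises 9 and 10. It shows why the entry appended by the RADIUS configurator is never reached while a DEFAULT entry sits above it, and why a wrong password falls through to DEFAULT instead of producing an error. The users file below is constructed; attribute names are the standard RFC 2865 ones, and the parsing of check items other than Auth-Type and User-Password is an assumption of this model.

```python
# Added example, not the lab's radiusd: first-match evaluation of a users file in
# simplified Cistron/FreeRADIUS syntax, with the group 1 entries of exercises 9
# and 10.  The sample file is constructed; only Auth-Type and User-Password check
# items are modelled (assumption), reply items are returned verbatim.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]          # (attribute, operator, value)
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str            # user name or DEFAULT
    checks: List[Item]   # items on the same line as the name
    replies: List[Item]  # items on the indented continuation lines


def parse_items(text: str) -> List[Item]:
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]


def parse_users(text: str) -> List[Entry]:
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, checks = first.strip().partition(" ")
        entries.append(Entry(name, parse_items(checks), parse_items(" ".join(rest))))
    return entries


def authorize(entries: List[Entry], user: str, password: str) -> Tuple[str, Dict[str, str]]:
    """radiusd semantics: entries are tried top to bottom; the first whose name and
    check items all match decides.  A failed check item means 'try the next entry'."""
    for e in entries:
        if e.name not in (user, "DEFAULT"):
            continue
        auth_type, matched = "Local", True
        for attr, _op, value in e.checks:
            if attr == "Auth-Type":
                auth_type = value
            elif attr == "User-Password":
                matched = value == password
            else:
                matched = False       # other check items are not modelled here (assumption)
            if not matched:
                break
        if not matched:
            continue
        replies = {a: v for a, _op, v in e.replies}
        return ("Access-Reject" if auth_type == "Reject" else "Access-Accept", replies)
    return ("Access-Reject", {})      # no entry matched at all


def default_last(entries: List[Entry]) -> List[Entry]:
    """The fix of exercise 9: move DEFAULT to the end of the list."""
    return ([e for e in entries if e.name != "DEFAULT"]
            + [e for e in entries if e.name == "DEFAULT"])


# Constructed users file in the state the configurator leaves it: the new user
# appended after a DEFAULT entry.
USERS_FILE = '''\
DEFAULT Auth-Type := Reject
        Reply-Message = "unknown user"

MS11    Auth-Type := Local, User-Password == "mobile"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.1.10,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-MTU = 1500
'''

if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    print(authorize(entries, "MS11", "mobile"))                # Access-Reject: DEFAULT shadows MS11
    print(authorize(default_last(entries), "MS11", "mobile"))  # Access-Accept with the Framed-* replies
    print(authorize(default_last(entries), "MS11", "wrong"))   # falls through to DEFAULT: Access-Reject
```

The second radtest of this exercise (wrong password) lands in the third case: the MS11 entry does not match, processing continues to DEFAULT, and the reply is an Access-Reject rather than an error.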
Start the protocol analyzer and launch a capture. It is recommended to apply a capture filter (e.g. port 1812).
Ask the trainer to launch an access request from a GGSN. Compare the parameters in the request from the GGSN to those in the previous debug output.
What is the value of the NAS-Port-Type now? ………………. And the value of the NAS-Port-Id? …………………….
What information is transmitted in the Calling-Station-Id attribute? ………………………………………………………
What information is conveyed by the Called-Station-Id attribute? ………………………………………………………..
What is the value of Framed-Protocol? ………. What does it mean? ………………………………………………
11. RADIUS server: Configuring a proxy function
Each of the client companies has set up a RADIUS server to authenticate and authorize its users. Because of security concerns, the only devices authorized to address these internal RADIUS servers are the PLMN RADIUS servers. The PLMN RADIUS server should act as a proxy, relaying access requests to the companies' RADIUS servers.
• Operator group 1 : MSa is configured on the company1.com RADIUS server. Login is “MSa@company1.com” and password “mobile”. Proxy server is RADIUS1.
• Operator group 2 : MSb is configured on the company2.com RADIUS server. Login is “MSb@company2.com” and password “mobile”. Proxy server is RADIUS1.
• Operator group 3 : MSc is configured on the company3.com RADIUS server. Login is “MSc@company3.com” and password “mobile”. Proxy server is RADIUS2.
• Operator group 4 : MSd is configured on the company4.com RADIUS server. Login is “MSd@company4.com” and password “mobile”. Proxy server is RADIUS2.
Shared secret between the proxy server and the company RADIUS servers is “proxy”.
Configure the shared secret to allow requests relayed by your RADIUS server to be processed by the remote RADIUS.
Start netconf (# netconf &)
Select the tab <Server Tasks>
Click on <RADIUS Configurator> button
In the <RADIUS Configurator> window, select the option <Clients>
In the <List of clients>, click on <Add>
Enter the name or IP address of the company RADIUS server and the shared secret
Click on <Accept>
Click on <Dismiss>
Configure a realm to tell your server where to send the request for a domain
In the <RADIUS Configurator> window, select the option <Realms>
In the <Realms> window, click on <Add>
Enter the domain name (what appears after the @ sign) and the IP address of the company RADIUS server
Click on <Accept>
Click on <Dismiss>
It is recommended to add the following line in the /etc/raddb/users file:
DEFAULT Realm = “companyX.com”
It will prevent the proxy from responding with an error because it doesn’t know the user.
Use vi to manually edit the users file.
Restart the RADIUS server (# service radiusd restart)
Start the protocol analyzer. Launch a capture. A capture filter for RADIUS traffic is recommended.
Use radtest to send an access request to your RADIUS server.
Stop the capture.
Check from the trace that the request has been relayed to the company server
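Added example (not radtest or the lab's radiusd): the RFC 2865 section 5.2 User-Password hiding that radtest applies, which explains the "can you read the password?" question of exercise 9 (the server must recover the cleartext to compare it with the users file, so radiusd -x can print it), and what the realm proxy of this exercise does with the same attribute: decode with the GGSN secret, re-hide with the company server's secret. The secrets and logins follow the exercise; the GGSN and company server addresses and the Proxy-State value are constructed.

```python
# Added example, not radtest or the lab's radiusd: RFC 2865 5.2 User-Password
# hiding, why 'radiusd -x' can show the cleartext (exercise 9), and the realm
# proxy step of exercise 11.  Secrets and logins follow the exercise; the
# addresses and the Proxy-State value are constructed.
import hashlib
import os
from typing import Dict, Optional, Tuple

Request = Dict[str, object]   # attribute name -> value, plus the 16-byte "Authenticator"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous cipher block),
    the Request Authenticator seeding the first block."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password.  A wrong secret yields garbage, not an error: with
    PAP the server cannot tell a bad shared secret from a bad password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def radtest_request(user_name: str, password: str, nas_secret: bytes,
                    authenticator: Optional[bytes] = None) -> Request:
    """What radtest puts on the wire.  Nothing in an Access-Request authenticates the
    sender unless Message-Authenticator (RFC 3579) is added; the secret only hides the password."""
    ra = authenticator or os.urandom(16)
    return {"User-Name": user_name,
            "User-Password": hide_password(password.encode(), nas_secret, ra),
            "NAS-IP-Address": "10.1.0.1",          # constructed GGSN address
            "Authenticator": ra}


def debug_view(req: Request, secret: bytes) -> str:
    """What the server can log in debug mode: it recovers the cleartext to compare it
    with the users file, which is why the password is readable in 'radiusd -x' output."""
    return unhide_password(req["User-Password"], secret, req["Authenticator"]).decode(errors="replace")


def split_realm(user_name: str) -> Tuple[str, str]:
    user, sep, realm = user_name.rpartition("@")
    return (user, realm.lower()) if sep else (user_name, "")


def proxy_forward(req: Request, client_secret: bytes,
                  realms: Dict[str, Tuple[str, bytes]], default_realm: str = "") -> Request:
    """Realm proxy: decode with the GGSN secret, re-hide with the company server's secret.
    The PLMN RADIUS therefore handles every cleartext password it relays."""
    _user, realm = split_realm(str(req["User-Name"]))
    realm = realm or default_realm                 # the 'DEFAULT Realm = ...' line of the users file
    if realm not in realms:
        raise LookupError(f"no realm entry for {realm!r}")
    home_ip, home_secret = realms[realm]
    cleartext = unhide_password(req["User-Password"], client_secret, req["Authenticator"])
    ra = os.urandom(16)                            # fresh Request Authenticator for the new request
    return {"User-Name": req["User-Name"],         # realm kept: the home server knows the full login
            "User-Password": hide_password(cleartext, home_secret, ra),
            "Proxy-State": b"plmn-radius1",        # opaque, echoed back by the home server
            "Authenticator": ra,
            "_destination": home_ip}


# Realm table of RADIUS1 (groups 1 and 2); company server addresses constructed.
REALMS = {"company1.com": ("192.168.1.253", b"proxy"),
          "company2.com": ("192.168.2.253", b"proxy")}

if __name__ == "__main__":
    req = radtest_request("MSa@company1.com", "mobile", b"ggsn")
    print("radiusd -x sees:", debug_view(req, b"ggsn"))
    fwd = proxy_forward(req, b"ggsn", REALMS)
    print("relayed to", fwd["_destination"], "; home server recovers:",
          unhide_password(fwd["User-Password"], b"proxy", fwd["Authenticator"]))
```

In the trace of this exercise the relayed request carries a different Request Authenticator and a different User-Password value from the one radtest sent, even though the password is the same: the attribute is re-hidden under the "proxy" secret. A mismatched secret on either hop does not produce an error packet, only an Access-Reject for a password that looks wrong.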
For this Practical Work, only 2 operator groups will be created: group 1 will work on the first OS switch, group 2 on the second one.
From your web browser, open an HTTP session to the switch (address provided by the trainer for each group)
Log in as admin (default password = switch)
Browse the menus in the left-hand pane and find the following information:
• From which directory is the switch running, working or certified? ………………………………….
• Click on <Stack> in the top menu bar. Select the <Topology> option. Is the switch in slot 1 acting as a primary or a secondary? ……………………………………..
• Click on <Status>. How many tokens have been used? ………..
• Is it possible to add switches to the stack? …………………………..
• Select the <Health> button in the left-hand pane.
• What is the current CPU usage level? ……… Has the alarm threshold been exceeded at any time? …………….
• Select the <Adjacencies> button in the left-hand pane. Can you identify the device connected to interface 10 in slot 1?
Configuration file backup
On your PC, launch your FTP client.
Open an FTP session to the switch. Log in as admin (passwd: switch)
Download file boot.cfg from directory /flash/working to your PC
Log out of the FTP session
Use a text editor (e.g. WordPad) to display the content of the file.
Generating a snapshot
Log in to the switch through the web interface
In the left-hand pane, click on <System> button
In the right-hand window top menu, select option Snapshot -> Create Snapshot
Enter a name for your snapshot file and activate the “Select All” checkbox.
Click on <Generate Snapshot> button to validate the command
On the top menu bar, select option File Management -> Local
Verify that the snapshot file is actually created in the directory /flash
Open a new ftp session and download the snapshot file to your PC.
Compare the snapshot file with the boot.cfg file that you downloaded in the previous page.
Note: the vim editor might be useful for this comparison.
Are they similar? ……………………….
If you renamed the snapshot file, could it be used to replace a lost/corrupted boot.cfg file? …………………….
For this Practical Work, only 2 operator groups will be created; both groups will be connected to the distribution stack. The trainer will indicate which ports can be used in the stack.
Determine the MAC address of the following devices connected to the switch:
DNS (in a terminal window, type ifconfig) ……………………………………..
The operator group PC (in a command window, type ipconfig /all) ……………………………….
Note: to access the DNS, open a telnet session from a terminal not included in the present practical work configuration.
Open a session to the switch and select menu option Layer 2 -> VLAN Mgmt. in the left-hand pane. In the top menu, click on <Source MAC Learning> and then on <Source MAC Data>. In the list displayed, look for the MAC addresses you found on the previous page and determine to which ports the devices are connected.
DNS port ……………………………..
Your PC port ………………………….
Check the VLAN membership of these ports in the switch.
DNS port is member of VLAN(s) ……………………………..
Your PC port is member of VLAN(s) ………………………….
Can the PC from Group 1 ping the PC in Group 2 ? ………..
Can the PC ping DNS1 or DNS2 ? ………… Why? ………………………………………………………………..
Reconfigure the PCs with the following parameters (final configuration on page 88):
• Group 1 => IP address 172.24.40.51 /24, Default gateway: 172.24.40.1
• Group 2 => IP address 172.24.50.52 /24, Default gateway: 172.24.50.1
Create a new VLAN for the PC.
Operator group 1 will create VLAN 400
Operator group 2 will create VLAN 500
Select menu option Layer 2 -> VLAN Mgmt. in the left-hand pane.
In the top menu, click on <VLAN Configuration> and then on <VLANs> .
In the <VLAN Administration> window, click on <Add> button.
Enter a VLAN ID and a brief description (optional) for your VLAN.
Set the Admin Status parameter to “Enabled” to declare the VLAN as active.
Click on <Apply> button to create the VLAN
Click on <Refresh> button and verify that your VLAN has been correctly configured
Add a member to the VLAN
Click on menu option <Layer 2 -> VLAN Mgmt.> in the left-hand pane.
Select <VLAN Configuration> and then the <Ports -> Port Association> option on the right-hand top menu.
Click on <Move Ports> button
Select your VLAN id from the list.
Highlight the port(s) to be added to the VLAN (use the CTRL or SHIFT keys to select more than one port).
Click on <Apply> to validate the command.
Note: the new VLAN is now the default VLAN for these ports.
Can the PC from Group 1 ping the PC in Group 2 and vice-versa? ………………..
Why? ………………………………………………………………………………………………………………………………
……………………………………………………………………………………………………………………………………..
Add a router port to the VLAN
Click on menu option <Layer 2 -> VLAN Mgmt.> in the left-hand pane.
Select <VLAN Configuration> and then the <IP VLANs> option on the right-hand top menu.
Click on <Add> button
Select your VLAN id from the list
Enter the IP address to be used as the VLAN gateway and the associated subnet mask (check the network diagram at the end of the PW to find out their values).
Modify the encapsulation type if needed and enable the frame forwarding.
Click on <Apply> button
Can the PC from Group 1 ping the PC in Group 2 and vice-versa? ………………..
Can the PC ping the DNS ? …………………………….
Explain ………………………………………………………………………………………………………………………………
...……………………………………………………………………………………………………………………………………..
NSLOOKUP for Windows
Nslookup displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. The Nslookup command-line tool is available only if you have installed the TCP/IP protocol.
SYNTAX
nslookup [-SubCommand ...] [{ComputerToFind| [-Server]}]
PARAMETERS
-SubCommand ... : Specifies one or more nslookup subcommands as a command-line option. For a list of subcommands, see Related Topics.
ComputerToFind : Looks up information for ComputerToFind using the current default DNS name server, if no other server is specified. To look up a computer not in the current DNS domain, append a period to the name.
-Server : Specifies to use this server as the DNS name server. If you omit -Server, the default DNS name server is used.
{help|?} : Displays a short summary of nslookup subcommands.
Remarks
• If ComputerToFind is an IP address and the query is for an A or PTR resource record type, the name of the computer is returned. If ComputerToFind is a name and does not have a trailing period, the default DNS domain name is appended to the name. This behavior depends on the state of the following set subcommands: domain, srchlist, defname, and search.
• If you type a hyphen (-) instead of ComputerToFind, the command prompt changes to nslookup interactive mode.
• The command-line length must be less than 256 characters.
• Nslookup has two modes: interactive and noninteractive.
If you need to look up only a single piece of data, use noninteractive mode. For the first parameter, type the name or IP address of the computer that you want to look up. For the second parameter, type the name or IP address of a DNS name server. If you omit the second argument, nslookup uses the default DNS name server.
If you need to look up more than one piece of data, you can use interactive mode. Type a hyphen (-) for the first parameter and the name or IP address of a DNS name server for the second parameter. Or, omit both parameters and nslookup uses the default DNS name server. Following are some tips about working in interactive mode:
• To interrupt interactive commands at any time, press CTRL+B.
• To exit, type exit.
• To treat a built-in command as a computer name, precede it with the escape character (\).
• An unrecognized command is interpreted as a computer name.
• If the lookup request fails, nslookup prints an error message. The following table lists possible error messages.
* Timed out: The server did not respond to a request after a certain amount of time and a certain number of retries. You can set the time-out period with the set timeout subcommand. You can set the number of retries with the set retry subcommand.
* No response from server: No DNS name server is running on the server computer.
* No records: The DNS name server does not have resource records of the current query type for the computer, although the computer name is valid. The query type is specified with the set querytype command.
* Nonexistent domain: The computer or DNS domain name does not exist.
* Connection refused -or- Network is unreachable: The connection to the DNS name server or finger server could not be made. This error commonly occurs with ls and finger requests.
* Server failure: The DNS name server found an internal inconsistency in its database and could not return a valid answer.
* Refused: The DNS name server refused to service the request.
* Format error: The DNS name server found that the request packet was not in the proper format. It may indicate an error in nslookup.
All interactive mode commands are described in the “Nslookup for Linux” section (next page)
NSLOOKUP for Linux
SYNTAX: nslookup [-option ...] [host-to-find | - [server]]
DESCRIPTION
Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive.
Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.
Interactive mode is entered in the following cases:
a) when no arguments are given (the default name server will be used),
b) when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument.
The optional second argument specifies the host name or address of a name server.
The options listed under the ``set'' command below can be specified in the .nslookuprc file in the user's home directory if they are listed one per line. Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
nslookup -query=hinfo -timeout=10
INTERACTIVE COMMANDS
Commands may be interrupted at any time by typing a control-C. To exit, type a control-D (EOF) or type exit. The command line length must be less than 256 characters. To treat a built-in command as a host name, precede it with an escape character (\). N.B.: An unrecognized command will be interpreted as a host name.
host [server]: Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the default domain name is appended to the name. (This behavior depends on the state of the set options domain, srchlist, defname, and search.) To look up a host not in the current domain, append a period to the name.
server domain
lserver domain: Changes the default server to domain; lserver uses the initial server to look up information about domain, while server uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
root: Changes the default server to the server for the root of the domain name space. Currently, the host ns.internic.net is used. (This command is a synonym for ``lserver ns.internic.net''.) The name of the root server can be changed with the ``set root'' command.
finger [name] [> filename] or finger [name] [>> filename]: Connects with the finger server on the current host. The current host is defined when a previous lookup for a host was successful and returned address information (see the ``set querytype=A'' command). The name is optional. > and >> can be used to redirect output in the usual manner.
ls [option] domain [> filename] or ls [option] domain [>> filename]: List the information available for domain, optionally creating or appending to filename. The default output contains host names and their Internet addresses. Option can be one of the following:
-t querytype: lists all records of the specified type (see querytype below).
-a: lists aliases of hosts in the domain; synonym for ``-t CNAME''
-d: lists all records for the domain; synonym for ``-t ANY''
-h: lists CPU and operating system information for the domain; synonym for ``-t HINFO''
-s: lists well-known services of hosts in the domain; synonym for ``-t WKS''
When output is directed to a file, hash marks are printed for every 50 records received from the server.
view filename: Sorts and lists the output of previous ls command(s) with more(1).
help or ?: Prints a brief summary of commands.
exit: Exits the program.
set keyword [= value]: This command is used to change state information that affects the lookups. Valid keywords are:
all: Prints the current values of the frequently-used options to set. Information about the current default server and host is also printed.
class= value: Change the query class to one of:
IN: the Internet class
CHAOS: the Chaos class
HESIOD: the MIT Athena Hesiod class
ANY: wildcard (any of the above)
The class specifies the protocol group of the information. (Default = IN; abbreviation = cl)
[no]debug: Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. (Default = nodebug; abbreviation = [no]deb)
[no]d2: Turn exhaustive debugging mode on. Essentially all fields of every packet are printed. (Default = nod2)
domain= name: Change the default domain name to name. The default domain name is appended to a lookup request depending on the state of the defname and search options. The domain search list contains the parents of the default domain if it has at least two components in its name. For example, if the default domain is CC.Berkeley.EDU, the search list is CC.Berkeley.EDU and Berkeley.EDU. Use the ``set srchlist'' command to specify a different list. Use the ``set all'' command to display the list. (Default = value from hostname(1), /etc/resolv.conf or LOCALDOMAIN; abbreviation = do)
srchlist= name1/name2/...: Change the default domain name to name1 and the domain search list to name1, name2, etc. A maximum of 6 names separated by slashes (/) can be specified. For example, set srchlist=lcs.MIT.EDU/ai.MIT.EDU/MIT.EDU sets the domain to lcs.MIT.EDU and the search list to the three names. This command overrides the default domain name and search list of the ``set domain'' command. Use the ``set all'' command to display the list. (Default = value based on hostname(1), /etc/resolv.conf or LOCALDOMAIN; abbreviation = srchl)
[no]defname: If set, append the default domain name to a single-component lookup request (i.e., one that does not contain a period). (Default = defname; abbreviation = [no]defname)
[no]search: If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. (Default = search; abbreviation = [no]sea)
port= value: Change the default TCP/UDP name server port to value. (Default = 53; abbreviation = po)
querytype= value or type= value: Change the type of information query to one of:
A: the host's Internet address.
CNAME: the canonical name for an alias.
HINFO: the host CPU and operating system type.
MINFO: the mailbox or mail list information.
MX: the mail exchanger.
NS: the name server for the named zone.
PTR: the host name if the query is an Internet address; otherwise, the pointer to other information.
SOA: the domain's ``start-of-authority'' information.
TXT: the text information.
UINFO: the user information.
WKS: the supported well-known services.
Other types (ANY, AXFR, MB, MD, MF, NULL) are described in the RFC-1035 document. (Default = A; abbreviations = q, ty)
[no]recurse: Tell the name server to query other servers if it does not have the information. (Default = recurse; abbreviation = [no]rec)
retry= number: Set the number of retries to number. When a reply to a request is not received within a certain amount of time (changed with ``set timeout''), the timeout period is doubled and the request is resent. The retry value controls how many times a request is resent before giving up. (Default = 4; abbreviation = ret)
root= host: Change the name of the root server to host. This affects the ``root'' command. (Default = ns.internic.net.; abbreviation = ro)
timeout= number: Change the initial timeout interval for waiting for a reply to number seconds. Each retry doubles the timeout period. (Default = 5 seconds; abbreviation = ti)
[no]vc: Always use a virtual circuit when sending requests to the server. (Default = novc; abbreviation = [no]v)
[no]ignoretc: Ignore packet truncation errors. (Default = noignoretc; abbreviation = [no]ig)
DIAGNOSTICS
If the lookup request was not successful, an error message is printed. Possible errors are:
Timed out : The server did not respond to a request after a certain amount of time (changed with ``set timeout= value'') and a certain number of retries (changed with ``set retry= value'').
No response from server : No name server is running on the server machine.
No records : The server does not have resource records of the current query type for the host, although the host name is valid. The query type is specified with the ``set querytype '' command.
Non-existent domain : The host or domain name does not exist.
Connection refused or Network is unreachable : The connection to the name or finger server could not be made at the current time. This error commonly occurs with ls and finger requests.
Server failure : The name server found an internal inconsistency in its database and could not return a valid answer.
Refused : The name server refused to service the request.
Format error : The name server found that the request packet was not in the proper format. It may indicate an error in nslookup.
FILES
/etc/resolv.conf _ initial domain name and name server addresses
$HOME/.nslookuprc _ user's initial options
/usr/share/misc/nslookup.help _ summary of commands
ENVIRONMENT
HOSTALIASES _ file containing host aliases
LOCALDOMAIN _ overrides default domain
dig - DNS lookup utility
SYNOPSIS
dig [ @server ] [ -b address ] [ -c class ] [ -f filename ] [ -k filename ] [ -p port# ] [ -t type ] [ -x addr ] [ -yname:key ] [ name ] [ type ] [ class ] [ queryopt... ]
dig [ -h ]
dig [ global-queryopt... ] [ query... ]
DESCRIPTION
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given.
Unlike earlier versions, the BIND9 implementation of dig allows multiple lookups to be issued from the command line.
Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf.
When no command line arguments or options are given, dig will perform an NS query for "." (the root).
SIMPLE USAGE
A typical invocation of dig looks like:
dig @server name type
where:
server: is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server. If no server argument is provided, dig consults /etc/resolv.conf and queries the name servers listed there. The reply from the name server that responds is displayed.
name: is the name of the resource record that is to be looked up.
type: indicates what type of query is required --- ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is supplied, dig will perform a lookup for an A record.
OPTIONS
The -b option sets the source IP address of the query to address.
The default query class (IN for internet) is overridden by the -c option. class is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to dig using the command-line interface.
If a non-standard port number is to be queried, the -p option is used. port# is the port number to which dig will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number.
The -t option sets the query type to type. It can be any valid query type which is supported in BIND9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N.
Reverse lookups - mapping addresses to names - are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the name, class and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and binary labels as defined in RFC2874. To use the older RFC1886 method using the IP6.INT domain and "nibble" labels, specify the -n (nibble) option.
QUERY OPTIONS
dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string “no” to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +keyword=value. The query options are:
+[no]tcp: Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
+[no]vc: Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit".
+[no]ignore: Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
+domain=somename: Set the search list to contain the single domain somename, as if specified in a domain directive in /etc/resolv.conf, and enable search list processing as if the +search option were given.
+[no]search: Use [do not use] the search list defined by the searchlist or domain directive in resolv.conf (if any). The search list is not used by default.
+[no]defname: Deprecated, treated as a synonym for +[no]search.
+[no]aaonly: This option does nothing. It is provided for compatibility with old versions of dig where it set an unimplemented resolver flag.
+[no]adflag: Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
+[no]cdflag: Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
+[no]recursive: Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means dig normally sends recursive queries. Recursion is automatically disabled when the +nssearch or +trace query options are used.
+[no]nssearch: When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
+[no]trace: Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
+[no]cmd: Toggles the printing of the initial comment in the output identifying the version of dig and the query options that have been applied. This comment is printed by default.
+[no]short: Provide a terse answer. The default is to print the answer in a verbose form.
+[no]identify: Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
+[no]comments: Toggle the display of comment lines in the output. The default is to print comments.
+[no]stats: This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
+[no]qr: Print [do not print] the query as it is sent. By default, the query is not printed.
+[no]question: Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
+[no]answer: Display [do not display] the answer section of a reply. The default is to display it.
+[no]authority: Display [do not display] the authority section of a reply. The default is to display it.
+[no]additional: Display [do not display] the additional section of a reply. The default is to display it.
+[no]all: Set or clear all display flags.
+time=T: Sets the timeout for a query to T seconds. The default time out is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied.
+tries=T: Sets the number of times to retry UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of retries is silently rounded up to 1.
+ndots=D: Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.
+bufsize=B: Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
+[no]multiline: Print records like the SOA records in a verbose multi-line format with human-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the dig output.
+[no]fail: Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
+[no]besteffort: Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
+[no]dnssec: Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
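To make concrete what these query options change on the wire, here is an added Python example (not part of the course material, BIND or dig) that builds the query message whose RD, AD, CD and DO bits and EDNS0 buffer size correspond to +[no]recursive, +[no]adflag, +[no]cdflag, +dnssec and +bufsize, derives the name that -x looks up for IPv4 and IPv6, and applies the ndots/search-list rule; the QTYPES table and the ordering of search candidates are assumptions made for the example.

```python
"""DNS query helpers for the nslookup/dig reference pages (added example)."""
import ipaddress
import struct

# Query type codes used below (assumed table, values from RFC 1035/3596).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
          "MX": 15, "TXT": 16, "AAAA": 28, "AXFR": 252, "ANY": 255}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode()
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", ident=0x1234, rd=True, ad=False, cd=False,
                dnssec=False, bufsize=None):
    """Standard query: 12-byte header, one question, optional EDNS0 OPT record.
    rd/ad/cd map to +[no]recursive, +[no]adflag, +[no]cdflag; dnssec sets the
    DO bit in the OPT record (+dnssec), bufsize its advertised UDP size (+bufsize)."""
    flags = (0x0100 if rd else 0) | (0x0020 if ad else 0) | (0x0010 if cd else 0)
    arcount = 1 if (dnssec or bufsize is not None) else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    opt = b""
    if arcount:
        # OPT pseudo-RR: root name, type 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE / version / flags, DO is bit 15 of the flags.
        opt = b"\x00" + struct.pack("!HHIH", 41, bufsize or 4096,
                                    0x8000 if dnssec else 0, 0)
    return header + question + opt


def parse_header(data):
    """Header fields as a protocol analyzer would show them, flags split out."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def reverse_name(addr):
    """Name that dig -x queries: reversed octets under in-addr.arpa for IPv4,
    reversed nibbles under ip6.arpa for IPv6 (the RFC 3596 form)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def search_candidates(name, search_list, ndots=1):
    """Names tried, in order, under the ndots rule: a trailing period means
    absolute; a name with at least ndots dots is tried as given first and then
    with the search list; a name with fewer dots is searched first and tried
    bare last (assumed ordering, the one resolv.conf(5) describes)."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{d.rstrip('.')}." for d in search_list]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]
```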
MULTIPLE QUERIES
The BIND 9 implementation of dig supports specifying multiple queries on the command line (in addition to supporting the -f batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
In this case, each query argument represents an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the +[no]cmd option) can be overridden by a query-specific set of query options. For example:
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how dig could be used from the command line to make three lookups: an ANY query for www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of isc.org. A global query option of +qr is applied, so that dig shows the initial query it made for each lookup. The final query has a local query option of +noqr which means that dig will not print the initial query when it looks up the NS records for isc.org.
FILES
/etc/resolv.conf