
Stuff
OS/400 Edition
Volume 2, Number 17 -- August 28, 2003

Linux on iSeries Network Alternatives


by Erwin Earley

In "The iSeries: A Flexible and Integrated Environment for Linux," I showed you how to install Linux on an iSeries and set up a Linux partition. You are now ready to develop Linux applications that access DB2 on an OS/400 partition. But before you get too far down the Linux development path, please allow me to depart from program-related content again, in order to not only expand your Linux networking capabilities but also to expand your application development opportunities. Oh yeah, you might also get to impress your systems administrator.

As you know from my previous article, Linux in a logical partition on an iSeries can take advantage of the virtual network capability of logical partitioning (LPAR), to establish communication among the partitions. This is great for Linux partitions that want to access data from DB2 UDB on OS/400, since the speed of the virtual network emulates 1 GB Ethernet. But how do you get your Linux partitions to communicate in a larger network? This article explores a variety of methods for bridging the virtual Ethernet connections to external Internet connections.

There are a number of ways to establish network communications for a Linux partition, including allocating a physical network card to Linux, as well as using Linux to bridge external network communications across to one or more virtual LANs in the iSeries system. While both of these options are viable and important to understand, this article focuses on two other methods: Proxy ARP and Network Address Translation (NAT).

Establishing a Virtual Network

Both Proxy ARP and NAT can be used to bridge external network traffic to one or more virtual networks in the iSeries system. The first step in establishing the network configuration is setting up a virtual LAN on the iSeries. Virtual networking in iSeries provides the capability of building up to 16 high-speed networks inside the system that allow communication among the partitions. The virtual networks emulate 1 GB Ethernet connections and provide for fast, secure communications among Linux, Windows, and OS/400 partitions.

Allocating virtual Ethernet connections can be accomplished via 5250 emulation commands or via iSeries Navigator. To allocate a virtual Ethernet connection via iSeries Navigator, go to the Properties window and right-click Configure Logical Partitions, then Physical System, and Properties.

Connections can be established by simply clicking the checkbox for the virtual LANs that you want the partitions to have connections on. Remember that Linux will "see" a real network adapter.

Keep in mind that allocation of virtual LAN connections only establishes an internal network that can be used for network communication among the partitions. Bridging these internal LANs (or networks) to an external network with Proxy ARP or NAT will require an OS/400 connection on each of the virtual LANs to be bridged. Allocating an OS/400 connection on the virtual LAN is accomplished in the same way as the allocation of virtual LAN connections for Linux partitions, as described above.

Once OS/400 has been allocated a virtual LAN connection, a corresponding Ethernet line descriptor needs to be created. The Create Line Desc (Ethernet) command, or CRTLINETH, is used to create the new line descriptor.

The resource name used in this command is the resource name of the OS/400 connection on the virtual Ethernet. This resource name can be determined by reviewing the communication resources. Enter the command DSPHDWRSC *CMN to display a list of the communication resources on the system.

Each OS/400 connection on the virtual Ethernet is indicated by an entry with a type of 268C. In this example, OS/400 has a connection on the virtual Ethernet with a resource name of CMN19.

Once the new line descriptor has been created, it should be varied on.

Steps for Setting Up Proxy ARP

As I mentioned, both Proxy ARP and NAT require an OS/400 connection on the virtual LAN that is being bridged, and both require a new TCP/IP interface. But configuring the TCP/IP interface is different for these two solutions.

When using Proxy ARP to bridge a virtual LAN to an external LAN, a bank (or a range) of addresses is established for all of the partitions that are being bridged, including the OS/400 partition. There are a number of specific requirements for this bank of addresses, including the following:

  • The addresses must be consecutive.
  • The range must be 4, 8, 16, or 32 addresses long.
  • The range must begin on a 4-, 8-, 16-, or 32-address boundary.

It is recommended that an IP Subnet Calculator be used to help determine an address range for Proxy ARP. One such tool is WildPackets, which can be found at www.wildpackets.com.

The Add TCP/IP Interface, or ADDTCPIFC, command is used to create the TCP/IP interface for the OS/400 partition on the virtual LAN.

Here are some specifics on the information provided to this command:

  • The Internet address is the address of the OS/400 partition on the virtual LAN.
  • The line description is the name of the line descriptor given when the new line descriptor was created for the OS/400 connection on the virtual LAN.
  • The subnet mask is used to indicate the size of the virtual LAN. A subnet mask of 255.255.255.224 would result in a range that is 32 addresses long. Keep in mind that two of those addresses will not be available for partition usage. One of the addresses (the first in the range) is used as the address (or ID) of the network. The other address (the last in the range) is used as the broadcast address of the network.
  • The associated local interface is used to indicate the address that the traffic should be bridged to. This address is that of the physical network interface for the OS/400 partition on the external network.

Once the new interface has been created, it should be varied on. This completes the setup for OS/400. Configuration of Linux networking will be accomplished the same as any other Linux networking. One key to keep in mind is that when defining the router (or default gateway) for Linux, the address of the OS/400 partition on the virtual Ethernet should be used. Also, the subnet mask that Linux will use is the same as what was used to create the OS/400 TCP/IP interface on the virtual LAN.

To summarize the setup of Proxy ARP:

  • During partition configuration, specify at least one common virtual LAN identifier for all partitions that need to communicate.
  • From the external LAN network administrator, request a block of 4, 8, 16, or 32 consecutive IP addresses, beginning on a 4-, 8-, 16-, or 32-address boundary (or a subnet). For example, 4 could be 192.168.12.100-103, supporting two partitions; 8 could be 192.168.12.96-103, supporting up to six partitions; 16 could be 192.168.12.96-111, supporting up to 14 partitions; 32 could be 192.168.12.96-117, supporting up to 30 partitions.
  • In the OS/400 partitions, create an Ethernet line description (CRTLINETH), and create a TCP/IP interface for the virtual LAN, specifying the external LAN IP address as the "associated local interface."
  • In Linux, configure the IP address for the virtual LAN adapter, and set the default route for the virtual LAN to the address of the OS/400 partition on the virtual LAN.
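
The range rules and the OS/400 commands described above can be checked and generated in one pass. The following Python sketch is an added example, not code from the original article: it validates a requested block against the size and boundary rules, derives the subnet mask and usable addresses, and prints the matching CL. The line description name VETH0, the external address 192.168.12.5, the LINESPEED and DUPLEX values, and the choice of the first usable address for OS/400 are assumptions.

```python
import ipaddress

ALLOWED_SIZES = (4, 8, 16, 32)  # block sizes the article permits

def plan_block(first, last):
    """Check a requested range against the Proxy ARP rules and lay it out."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    size = int(hi) - int(lo) + 1
    if size not in ALLOWED_SIZES:
        raise ValueError(f"{first}-{last} holds {size} addresses, need one of {ALLOWED_SIZES}")
    if int(lo) % size:
        start = lo - int(lo) % size  # aligned block that contains `first`
        raise ValueError(f"{first} is not on a {size}-address boundary; "
                         f"aligned block is {start}-{start + size - 1}")
    net = ipaddress.IPv4Network((lo, 33 - size.bit_length()))
    return {
        "network_id": str(net.network_address),   # first address, not assignable
        "broadcast": str(net.broadcast_address),  # last address, not assignable
        "subnet_mask": str(net.netmask),
        "usable": [str(h) for h in net.hosts()],  # OS/400 plus the Linux partitions
    }

def os400_commands(plan, lind, rsrcname, external_ip):
    """CL for the OS/400 side; OS/400 takes the first usable address (assumption)."""
    virt_ip = plan["usable"][0]
    return [
        # LINESPEED/DUPLEX values are assumptions matching the 1 GB emulation.
        f"CRTLINETH LIND({lind}) RSRCNAME({rsrcname}) LINESPEED(1G) DUPLEX(*FULL)",
        f"VRYCFG CFGOBJ({lind}) CFGTYPE(*LIN) STATUS(*ON)",
        f"ADDTCPIFC INTNETADR('{virt_ip}') LIND({lind}) "
        f"SUBNETMASK('{plan['subnet_mask']}') LCLIFC('{external_ip}')",
        f"STRTCPIFC INTNETADR('{virt_ip}')",
        "CHGTCPA IPDTGFWD(*YES)",  # datagram forwarding is off by default
    ]

if __name__ == "__main__":
    plan = plan_block("192.168.12.96", "192.168.12.103")  # the article's 8-address block
    print(plan)
    # VETH0 and 192.168.12.5 are constructed sample values; CMN19 is from the article.
    for cmd in os400_commands(plan, "VETH0", "CMN19", "192.168.12.5"):
        print(cmd)
```

On the Linux side, the first usable address becomes the default gateway and the same subnet mask is used on the virtual LAN adapter.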

Steps for Setting Up NAT

Network Address Translation is a method of bridging network traffic in which all network traffic for a given set of partitions is received by the OS/400 physical network adapter, then the addresses in the network packets are modified and rebroadcast on the virtual LAN. For NAT to work, two addresses are assigned to each partition; one of these addresses is the address that the partition will be known as on the external network, while the other address is a private address that will only be used on the virtual LAN.

The main advantage of NAT is that the addresses assigned on the external network do not need to be consecutive; rather, they can be scattered across the address scheme of the external network. A disadvantage of NAT is that the partitions never "know" their real (or external) address, because the address in the network packet will be modified before the packet is received by the Linux partition. Setting up NAT will result in a number of TCP/IP interfaces being created in OS/400 on the physical network adapter: one for each partition using NAT.

The iSeries Navigator is used to create the necessary address mappings for NAT. All of the iSeries options discussed below can be found under Network, IP Policies, Packet Rules, then Configuration.

Set up two addresses for each partition: The first address is for the private (or virtual) network, and the second is for the partition on the outside (external) network.

The first step in NAT is to define the internal address for the partition.

The address name is user-defined and will be used when the address mapping (see below) is established. The subnet address is the address for the partition on the virtual LAN. The subnet mask needs to be 255.255.255.255, so that only a single address is NATed.

The second step is to define the external address for the partition on the network. The same form in iSeries Navigator is used.

As an example, if you wanted to NAT three partitions, eight addresses would need to be defined. Six of these addresses would be for the Linux partitions, while the other two would be for the OS/400 partition on the virtual LAN.


Address Name     Address       Type
TurboInternal    10.10.0.3     Internal
TurboExternal    9.5.173.54    External
SuSEInternal     10.10.0.4     Internal
SuSEExternal     9.5.173.67    External
RHInternal       10.10.0.2     Internal
RHExternal       9.5.173.76    External
OS400Internal    10.10.0.1     Internal
OS400External    9.5.173.85    External

Once the addresses have been defined, the mappings need to be generated. These mappings will be used to map the internal address to the external address. Mapping is accomplished with the Mapped Addresses function, under Address Translation.

The mapped address name should be the defined name for the internal (virtual) address. The "To address name" should be the defined name for the external (or the "real") address. The line name should be the line interface defined for the network adapter.

A mapping needs to be defined for each pair of defined addresses. In our example, we would create four mappings:


Mapped Address Name    To Address Name
TurboInternal          TurboExternal
SuSEInternal           SuSEExternal
RHInternal             RHExternal
OS400Internal          OS400External

Once the internal and external addresses have been defined, and the mappings established, the mappings need to be activated. Activation is accomplished by the Activate function, in Packet Rules.

A summary of Network Address Translation:

  • NAT establishes a private network.
  • NAT maps real addresses to private addresses.
  • Configuration for NAT is done in iSeries Navigator.
  • The operating system (Linux) has no knowledge of its actual address.
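
To make the address rewriting concrete, the following Python model is an added example, not code from the original article or from OS/400. It loads the article's address and mapping tables, rejects rule sets that are incomplete or not one-to-one, and shows what a Linux partition sees in each direction. The /24 size of the virtual LAN and the client address 9.5.173.20 are assumptions.

```python
import ipaddress

# Address definitions and mappings copied from the article's two tables.
ADDRESSES = {
    "TurboInternal": "10.10.0.3", "TurboExternal": "9.5.173.54",
    "SuSEInternal": "10.10.0.4", "SuSEExternal": "9.5.173.67",
    "RHInternal": "10.10.0.2", "RHExternal": "9.5.173.76",
    "OS400Internal": "10.10.0.1", "OS400External": "9.5.173.85",
}
MAPPINGS = [("TurboInternal", "TurboExternal"), ("SuSEInternal", "SuSEExternal"),
            ("RHInternal", "RHExternal"), ("OS400Internal", "OS400External")]

def build_nat(addresses, mappings, virtual_lan="10.10.0.0/24"):
    """Check the rule set and return (outbound, inbound) lookup tables."""
    lan = ipaddress.ip_network(virtual_lan)  # assumed size of the virtual LAN
    outbound, inbound = {}, {}
    for inner, outer in mappings:
        if inner not in addresses or outer not in addresses:
            raise ValueError(f"{inner} -> {outer}: undefined address name")
        priv = ipaddress.ip_address(addresses[inner])
        pub = ipaddress.ip_address(addresses[outer])
        if priv not in lan or pub in lan:
            raise ValueError(f"{inner} -> {outer}: internal address must be on "
                             f"the virtual LAN and external address off it")
        if priv in outbound or pub in inbound:
            raise ValueError(f"{inner} -> {outer}: address already mapped")
        outbound[priv], inbound[pub] = pub, priv
    unmapped = set(addresses) - {name for pair in mappings for name in pair}
    if unmapped:
        raise ValueError(f"defined but never mapped: {sorted(unmapped)}")
    return outbound, inbound

def translate(src, dst, tables, arriving_on):
    """Rewrite one packet's addresses as it crosses the OS/400 partition."""
    outbound, inbound = tables
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if arriving_on == "external":          # from the physical adapter
        dst = inbound.get(dst, dst)        # external address -> private address
    else:                                  # from the virtual LAN
        src = outbound.get(src, src)       # private address -> external address
    return str(src), str(dst)

if __name__ == "__main__":
    tables = build_nat(ADDRESSES, MAPPINGS)
    # 9.5.173.20 is a constructed external client address.
    print(translate("9.5.173.20", "9.5.173.67", tables, "external"))
    print(translate("10.10.0.4", "9.5.173.20", tables, "virtual"))
```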

IP Datagram Forwarding

Both Proxy ARP and NAT rely on OS/400 having the ability to forward datagram packets between the internal (virtual) network and the external (physical) network. Datagram forwarding is disabled by default. It needs to be enabled, via TCP/IP Attributes.

Which Solution Is for You?

A number of solutions can be implemented for networking Linux partitions on an iSeries. Many Linux installations use the virtual LAN capability of the iSeries and then use Proxy ARP or NAT to bridge network traffic among virtual and real networks.

The following table provides a summary of the various options for networking Linux on an iSeries system. There is also a summary of information for native connections and Proxy ARP via Linux (not covered in this article).


Native Connection

  Advantages:
  • Ease of setup
  • Typical network setup

  Disadvantages:
  • Dedicated Hardware Resource

Proxy ARP OS/400

  Advantages:
  • No physical adapter (for Linux)
  • Emulates GB Ethernet on virtual LAN

  Disadvantages:
  • Requires bank of consecutive addresses
  • Two addresses not available for partition use

Proxy ARP Linux

  Advantages:
  • Emulates GB Ethernet on virtual LAN
  • Proxy ARP on scattered addresses

  Disadvantages:
  • Increases network load on partition performing Proxy ARP
  • Requires dedicated resource for partition performing Proxy ARP

Network Address Translation

  Advantages:
  • No physical adapter (for Linux)
  • Emulates GB Ethernet on virtual LAN

  Disadvantages:
  • Increases network load on OS/400 network interface card
  • Linux partitions do not "know" their real address



Keep in mind that while the virtual LAN emulates GB Ethernet, the network traffic on the external network will be impacted by the speed of the external network. In other words, when bridging traffic from the virtual LAN to an external LAN, where the external LAN is built on 100 MB equipment, communication among partitions on the virtual LAN will be at GB speed, while communication between a Linux partition and an external client (or server) will be at 100 MB speed.

Finally, a network for partitions on an iSeries provides a flexible and robust set of solutions that can be mixed in order to provide a network configuration specific to the needs of the environment in which iSeries Linux partitions are being implemented.

Where's the Downloadable Code?

This article is quite a departure from typical Midrange Programmer content, but hopefully it has provided you with some additional tools and advice that will help you to properly network your Linux partition with the world outside of the iSeries. From here, the sky's the limit for your development and data accessing opportunities. Besides, how many times in your career have you run into a systems administrator who has wanted to write code? Won't it be nice to turn the tables and show your administrator the various methods used to network your Linux partition--and which method might be best?


Erwin Earley is an advisory software engineer at IBM and has worked at the Rochester, Minnesota, development lab since 1996. Erwin provides education and enablement services for Linux on iSeries at the iSeries Technology Center. He has worked in the IT industry for 24 years and has experience with several Unix variants, as well as Linux and OS/400. Erwin also provides Linux education classes at a local university. E-mail: earleye@us.ibm.com



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.