Admin Alert: Setting Up IBM i TCP/IP Host Routes

March 5, 2014 Joe Hertvik

On an IBM i partition, you may need to route IP traffic for a particular server over a specific IP address. You could be doing this to segment network traffic or because you can only reach a host server through a specific interface (say an interface that has access to a firewall). Here’s the drill for modifying your IBM i TCP/IP routing entries to set up host routing.

The Situation

The best way to demonstrate how to set up IBM i host routing is by showing you an example. So let’s start with a single IBM i partition with a simple IP interface and routing setup. This partition is configured with the following setup.

It was originally set up with only one IP interface on the machine. For this example, I’ll call the original interface 10.200.1.75.
All the IP traffic is routed to the partition’s network gateway through the default address. Let’s also say the network’s gateway resides at 10.200.1.1 and the machine is initially configured so that no matter what, all traffic will be sent to the gateway for processing.
The organization is activating another interface, 10.200.1.80, and they want to route all the traffic to a high availability server at 10.201.1.1 over the new interface.

Here’s how you could reconfigure your TCP/IP routes to accomplish these tasks. Once you see how easy it is to set up host routing, you should be able to use this example as a template for adding other host routing setups to an IBM i partition.

The Setup

You can view your IP interfaces and the routes these interfaces use through green-screen options under the Configure TCP/IP menu. You can bring up this menu by running the Configure TCP/IP (CFGTCP) command.

You can view your configured and active TCP/IP interfaces by taking option 1, Work with TCP/IP interfaces. For this example, let’s assume both our 10.200.1.75 and 10.200.1.80 interfaces are activated. Here’s how we can approach changing the routing configuration to put in new host routing for accessing the 10.201.1.1 server.

1. Take option 2=Work with TCP/IP routes to view your current routes. If no other host routing has been configured, you’d see a routing screen that looks something like this.

Work with TCP/IP Routes
Type options, press Enter.
  1=Add   2=Change   4=Remove   5=Display
     Route            Subnet           Next             Preferred
Opt  Destination      Mask             Hop              Interface
     *DFTROUTE        *NONE            10.200.1.1       *NONE

TCP/IP routes tell the operating system how to direct TCP/IP traffic in your system. In this case, our partition only has one TCP/IP route, which is referred to as the default route (*DFTROUTE). Most IBM i partitions have a *DFTROUTE entry to handle routing any IP traffic that doesn’t have specific host routing entries. For this machine, the default route above specifies that all TCP/IP traffic should be routed according to the following criteria.

Any traffic that does not have a host routing entry will use this *DFTROUTE entry for routing instructions (as defined by the *DFTROUTE routing entry name and Subnet mask = *NONE parameter).
Traffic using this routing entry will use any available interface on the system (Preferred interface = *NONE) to send the traffic out to the network.
Traffic using this entry will be sent to the 10.200.1.1 gateway, because the Next Hop parameter is defined as 10.200.1.1. The next hop parameter tells TCP/IP where to send traffic for further routing.

2. According to our *DFTROUTE entry, traffic will automatically be routed over both the 10.200.1.75 interface AND the 10.200.1.80 interface (because the Preferred Interface value on the *DFTROUTE is equal to *NONE, both interfaces can be selected). But the reason we added the 10.200.1.80 interface is that we are implementing a high availability solution and we want to do the following:

Route all traffic to the new High Availability server (10.210.1.1) over the 10.200.1.80 interface. This will allow us to segment HA traffic over that interface so that it doesn’t compete with production traffic going out over the 10.200.1.75 interface.
Modify the *DFTROUTE entry to only use the 10.200.1.75 interface for transmitting any network traffic that is not intended for the 10.210.1.1 HA server. We need to stop using the 10.200.1.80 interface for default traffic.

The new configuration will allow us to segment IP traffic on this machine to meet these goals. The next steps show how to do this, and what the routing entries will look like after the configuration is complete.

3. Before changing the configuration, always be sure to take a print screen of your current routing entries and keep it handy. This will help you restore your routing configuration in case there’s a problem.

4. Make your changes when your system is restricted or TCP/IP is turned off. This will ensure that no traffic is affected while you are changing your routing entries. While routing changes can be implemented and become active while TCP/IP is running, I recommend performing changes on a quiet system if you’re going to overhaul your routing entries or make changes to your *DFTROUTE entry.

5. On the Work with TCP/IP Routes screen, enter a 4=Remove in front of your current *DFTROUTE TCP/IP entry. We have to delete the *DFTROUTE entry because you have to remove and re-enter the Preferred Interface information in order to make the changes outlined in point 2.

6. Again on the Work with TCP/IP Routes screen, enter a 1=Add on the input line on the screen. You’ll see an Add TCP/IP Route (ADDTCPRTE) screen appear. You would fill in the following fields as shown below to add a new routing entry that uses the 10.200.1.80 interface for transmitting traffic intended for the 10.210.1.1 HA server.

                          Add TCP/IP Route (ADDTCPRTE)

Type choices, press Enter.

Route destination  . . . . . . . > '10.210.1.1'

Subnet mask  . . . . . . . . . . > *HOST
Type of service  . . . . . . . .   *NORMAL       *MINDELAYâ€¦
Next hop . . . . . . . . . . . . > '10.210.1.1'
Preferred binding interface  . .   10.200.1.80
Maximum transmission unit  . . .   *IFC          576-16388, *IFC
Route metric . . . . . . . . . .   1             1-16
Route redistribution . . . . . .   *NO           *NO, *YES
Duplicate route priority . . . .   *MEDIUM       1-10, *MEDIUMâ€¦
Text 'description' . . . . . . .   *BLANK

Once added, your routing table will now look like this.

Work with TCP/IP Routes
Type options, press Enter.
  1=Add   2=Change   4=Remove   5=Display
     Route            Subnet           Next             Preferred
Opt  Destination      Mask             Hop              Interface
     10.210.1.1       *HOST	           10.210.1.1       10.200.1.80

What happened is we’ve just added a host routing entry (*HOST) that tells TCP/IP how to handle packets intended for the 10.210.1.1 server (the Route Destination). This *HOST entry tells TCP/IP to always use the 10.200.1.80 interface to send packets (the Preferred Interface) to the 10.210.1.1 server (the Next Hop). This entry is only used for sending packets to 10.210.1.1. It supersedes any *DFTROUTE routing entries on the system, and it will only be used to transmit data to 10.210.1.1.

7. Once again, go back to the Work with TCP/IP Routes screen and enter 1=Add on the input line to add your new *DFTROUTE entry. In this example, we would fill in the entry fields like this.

                          Add TCP/IP Route (ADDTCPRTE)

Type choices, press Enter.

Route destination  . . . . . . . > *DFTROUTE

Subnet mask  . . . . . . . . . . > *NONE
Type of service  . . . . . . . .   *NORMAL       *MINDELAYâ€¦
Next hop . . . . . . . . . . . . > '10.200.1.1'
Preferred binding interface  . .   10.200.1.75
Maximum transmission unit  . . .   *IFC          576-16388, *IFC
Route metric . . . . . . . . . .   1             1-16
Route redistribution . . . . . .   *NO           *NO, *YES
Duplicate route priority . . . .   *MEDIUM       1-10, *MEDIUMâ€¦
Text 'description' . . . . . . .   *BLANK

Because this is the new default route for TCP/IP traffic, all traffic that is not specifically routed by another TCP/IP route (such as the 10.210.1.1 *HOST route we entered in the previous step) will be routed via the 10.200.1.75 IP interface.

8. Once the two new routes have been added, the TCP/IP routing table will now look like this.

Work with TCP/IP Routes
Type options, press Enter.
  1=Add   2=Change   4=Remove   5=Display
     Route            Subnet           Next             Preferred
Opt  Destination      Mask             Hop              Interface
     *DFTROUTE        *NONE            10.200.1.1       10.200.1.75
     10.210.1.1       *HOST	            10.210.1.1       10.200.1.80

In IBM i TCP/IP routing, specific *HOST routing entries always trump *DFTROUTE entries. So with these entries, we would achieve our goals of: 1) always sending traffic to 10.210.1.1 through the 10.200.1.80 interface, while 2) sending all other traffic through the 10.200.1.75 interface.

Other Things You Can Do

And that’s all there is to setting up dedicated host routing entries on an IBM i partition. You set up individual host routing entries to send traffic through specific IP interfaces, and then you set up a *DFTROUTE entry to handle any traffic that is not specifically covered by the host routes. And it’s easy to expand host routing on this system. Here are some other things you can do with *DFTROUTE and *HOST entries.

Send TCP/IP traffic for an entire Class A, Class B, or Class C network through a specific interface. We could add another routing interface that sends any traffic intended for the 10.210 network through the 10.200.1.80 interface. We would do that by adding another routing interface that has a Route destination of 10.210.0.0, a Subnet mask of 255.255.0.0, and a Preferred Interface of 10.200.1.80. Because a host routing entry trumps the *DFTROUTE entry, all traffic for the 10.210.0.0 network would now be routed through the 10.200.1.80 interface.
Put in a backup *DFTROUTE routing entry. I could add another interface (10.200.1.90 maybe) and set up a second *DFTROUTE entry so default traffic could be routed over that interface, as well. By having a second *DFTROUTE entry, I would be free to start and stop the 10.200.1.75 interface at will, because the 10.200.1.90 would also route the default traffic. This comes in handy when you’re moving network connections on your system or you’re rerouting traffic so it goes through new pieces of equipment (such as a WAN optimizer like a Riverbed Steelhead device).
In the right situation, you could even eliminate your *DFTROUTE routing entries. For some partitions, you may only want to route IP traffic to certain sub-networks or hosts. You could limit who your partition talks to by eliminating the *DFTROUTE entirely and only putting in entries for hosts that you want your machine to talk to.

Once you get the feel of working with routing entries, many opportunities will present themselves. The key is to get started with the first routing entries, as shown in this article.

Joe Hertvik is an IBM i subject matter expert (SME) and the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago, featuring multiple IBM i ERP systems. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002. Check out his blog where he features practical information for tech users at joehertvik.com.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot