Grid Interface Configuration | Advanced Linux Administration

Slide 1 of 35  |  ALA-03  |  Week 1 of 8
Grid Interface Configuration
Linux Network Setup
ip link/addr  •  Static vs DHCP  •  Netplan  •  Bonding  •  VLANs  •  Routing
Your cell's node arrived with no network configuration. You have the interface name, a static IP assignment from network ops, and a VLAN tag. The grid does not connect itself. This module is how you bring it online correctly and persistently across reboots.
35 Slides  |  ALA-03  |  Week 1 of 8  |  Ubuntu 22.04 LTS
Slide 2 of 35
The Linux Network Stack
Layers you control and the tools that manage them.
[Diagram: stack layers and the tool for each: Physical (ethtool), Link / L2 (ip link), IP / L3 (ip addr/route), Transport (ss), Application (curl/dig)]
Layer 2: Link Layer
Physical and logical interfaces. Ethernet frames. MAC addresses. Controlled with ip link. Operations: bring interface up/down, set MTU, rename interface, configure bonding and bridges. No IP addressing at this layer.
Layer 3: Network Layer
IP addresses and routing. Controlled with ip addr (addresses) and ip route (routing table). Operations: assign IP addresses, add/delete routes, configure default gateway. ARP operates between L2 and L3.
Configuration Persistence
ip commands make changes immediately but they do NOT survive reboot. Persistent configuration requires Netplan (Ubuntu 22.04 default), NetworkManager, or systemd-networkd. The tool you use to configure persistence is separate from the tool you use to inspect state.
The Old vs New Toolchain
ifconfig, route, and netstat are from the deprecated net-tools package. They are not installed on Ubuntu 22.04 by default. The modern replacements are: ip (replaces ifconfig and route), ss (replaces netstat). Learn the new tools -- they provide more information and are maintained.
Slide 3 of 35
ip link — Interface Management
Inspect and control network interfaces at Layer 2.
    # List all network interfaces with state and MAC address
    ip link show
    # Short form: same output
    ip link
    # Show a specific interface
    ip link show eth0
    # Bring an interface UP
    ip link set eth0 up
    # Bring an interface DOWN
    ip link set eth0 down
    # Set MTU (Maximum Transmission Unit)
    ip link set eth0 mtu 9000    # jumbo frames (if network supports it)
    # Rename an interface
    ip link set eth0 name grid-primary
    # Set a specific MAC address
    ip link set eth0 address aa:bb:cc:dd:ee:ff
Reading ip link Output
The state UP or state DOWN shows the administrative state. LOWER_UP in the flags means a physical carrier is detected (cable plugged in). A link can be administratively UP but without carrier if no cable is connected.
Slide 4 of 35
ip addr — Address Management
Assign, display, and remove IP addresses on interfaces.
[Diagram: 192.168.10.50/24: network portion 192.168.10 (24 bits), host portion .50 (8 bits). Subnet mask 255.255.255.0 = /24 in CIDR notation.]

    # Show all addresses on all interfaces
    ip addr show
    # Show only IPv4 addresses
    ip -4 addr show
    # Show only IPv6 addresses
    ip -6 addr show
    # Show addresses for a specific interface
    ip addr show eth0
    # Assign a static IP address (with CIDR prefix length)
    ip addr add 192.168.10.50/24 dev eth0
    # Assign a secondary IP address (two IPs on one interface)
    ip addr add 192.168.10.51/24 dev eth0
    # Remove a specific IP address
    ip addr del 192.168.10.51/24 dev eth0
    # Flush ALL addresses from an interface
    ip addr flush dev eth0
These Changes Are Not Persistent
ip addr add configures the address in the running kernel. It disappears on reboot. To make addresses permanent, configure them in Netplan or NetworkManager. The ip command is for immediate changes and verification -- not for permanent configuration.
Slide 5 of 35
Interface Naming: Predictable Names
Why modern systems do not use eth0/eth1 and how to read the new names.
Old Names (eth0, eth1)
Under the legacy naming scheme, interface numbering was assigned during boot in kernel discovery order. On a dual-NIC system, which card became eth0 and which became eth1 could change depending on which was initialized first. This caused silent routing failures after hardware changes.
Predictable Network Interface Names
Modern systems use names derived from physical location. en = Ethernet, wl = wireless. Suffixes: p = PCI bus, s = slot. Examples: enp3s0 (PCI bus 3, slot 0), ens3 (slot 3), eno1 (onboard NIC 1). The name is tied to the physical slot, not boot order.
    # Decode the interface name
    # enp3s0 = en (ethernet) + p3 (PCI bus 3) + s0 (slot 0)
    # ens160 = en (ethernet) + s160 (slot 160, common on VMware)
    # eno1   = en (ethernet) + o1 (onboard, from firmware index)
    # eth0   = legacy, still used in containers and minimal installs

    # Identify which interface maps to which physical port
    ethtool enp3s0         # detailed NIC info
    ethtool -p enp3s0      # blink the NIC LED for physical ID (if supported)
    ip link show enp3s0    # check link state and MAC
Slide 6 of 35
Netplan: Ubuntu's Network Configuration Layer
Netplan is the abstraction layer. It generates config for the backend renderer.
[Diagram: YAML config in /etc/netplan/ -> Netplan (netplan apply) -> systemd-networkd or NetworkManager -> interface enp3s0]
What Netplan Is
Netplan reads YAML configuration files in /etc/netplan/ and generates configuration for either NetworkManager or systemd-networkd (your choice of renderer). You write one YAML file; Netplan translates it to the backend format.
File Location
Configuration files live in /etc/netplan/. Files are processed in lexicographic order. Common default file: 00-installer-config.yaml. You can split configuration across multiple files. The highest-numbered file wins on conflicts.
Apply Changes
netplan apply applies changes without disconnection (where possible). netplan try applies changes and automatically reverts after 120 seconds if you do not confirm -- safe for remote configuration. netplan generate only generates backend files without applying.
Always Use netplan try on Remote Systems
If you misconfigure the network on a remote server and run netplan apply, you may lose access permanently (until someone physically visits the machine). netplan try gives you 120 seconds to confirm. If you lose connectivity, it automatically reverts.
Slide 7 of 35
Netplan: DHCP Configuration
Simplest Netplan file. The interface requests an address from a DHCP server.
[Diagram: DHCP (dynamic): the client sends DISCOVER and the DHCP server answers with OFFER. Static (manual): YAML is applied to the interface.]
DHCP: + Auto-config, lease renewal; - IP can change on renewal
Static: + Predictable, no server needed; - Manual updates required

    # /etc/netplan/00-installer-config.yaml
    # Minimal DHCP configuration
    network:
      version: 2
      renderer: networkd      # or: NetworkManager
      ethernets:
        enp3s0:
          dhcp4: true         # request IPv4 from DHCP
          dhcp6: false        # no IPv6

    # Apply the configuration
    netplan try    # safe: auto-reverts after 120s if not confirmed
    # Press Enter to confirm when prompted
    # Verify the address was assigned
    ip -4 addr show enp3s0
    # Inspect the generated systemd-networkd file
    cat /run/systemd/network/10-netplan-enp3s0.network
YAML Indentation
Netplan YAML files are whitespace-sensitive. Use exactly 2 spaces per indentation level. No tabs. A misaligned line causes netplan apply to fail with a parsing error that can be cryptic. Use netplan generate first to validate syntax without applying.
Slide 8 of 35
Netplan: Static IP Configuration
Assign a fixed address, gateway, and DNS servers persistently.
    # /etc/netplan/00-static-config.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
          addresses:
            - 192.168.10.50/24    # CIDR notation, not subnet mask
          routes:
            - to: default         # default gateway (0.0.0.0/0)
              via: 192.168.10.1
          nameservers:
            addresses:
              - 8.8.8.8
              - 8.8.4.4
            search:
              - sector.internal
              - corp.example.com

    # Validate syntax, then apply
    netplan generate    # check for YAML errors
    netplan try         # apply with auto-revert safety
Slide 9 of 35
Netplan: Multiple Interfaces
Configure a management interface (DHCP) and a data interface (static) simultaneously.
    # /etc/netplan/00-multi-interface.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp2s0:
          # Management interface: DHCP from corporate network
          dhcp4: true
          dhcp4-overrides:
            use-routes: false    # do NOT install DHCP-provided default route
            use-dns: false       # do NOT use DHCP-provided DNS
        enp3s0:
          # Data interface: static address for sector traffic
          dhcp4: false
          addresses:
            - 10.0.100.10/24
          routes:
            - to: default
              via: 10.0.100.1
          nameservers:
            addresses:
              - 10.0.0.53
              - 10.0.0.54
use-routes: false
When two interfaces both receive DHCP leases, both will try to install a default route, creating two default gateways with equal metric. Linux will use both in an unpredictable pattern (ECMP). Use use-routes: false on the secondary interface to prevent this.
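A check for the condition described above, added here as an example and not part of the course material: it reads `ip -4 route show` output and reports every metric shared by more than one default route. The function name and both sample routing tables are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect competing default routes in `ip -4 route show` output.

# Reads route text on stdin and prints one line for every metric that is
# shared by two or more default routes: "<metric> <dev1>,<dev2>".
# A default route printed without "metric N" has metric 0.
duplicate_default_routes() {
    awk '
        $1 == "default" {
            dev = "?"; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if (metric in devs) devs[metric] = devs[metric] "," dev
            else                devs[metric] = dev
            count[metric]++
        }
        END {
            for (m in count)
                if (count[m] > 1) print m, devs[m]
        }
    '
}

# Constructed sample: both interfaces took a DHCP lease and each installed
# a default route with the same metric.
routes_two_dhcp() {
    cat <<'EOF'
default via 192.168.10.1 dev enp2s0 proto dhcp src 192.168.10.50 metric 100
default via 10.0.100.1 dev enp3s0 proto dhcp src 10.0.100.10 metric 100
10.0.100.0/24 dev enp3s0 proto kernel scope link src 10.0.100.10 metric 100
192.168.10.0/24 dev enp2s0 proto kernel scope link src 192.168.10.50 metric 100
EOF
}

# Constructed sample: enp2s0 uses use-routes: false, so only the static
# default route on enp3s0 remains.
routes_single_default() {
    cat <<'EOF'
default via 10.0.100.1 dev enp3s0 proto static
10.0.100.0/24 dev enp3s0 proto kernel scope link src 10.0.100.10
192.168.10.0/24 dev enp2s0 proto kernel scope link src 192.168.10.50 metric 100
EOF
}

echo "two DHCP leases: $(routes_two_dhcp | duplicate_default_routes)"
echo "use-routes false: $(routes_single_default | duplicate_default_routes)"
```

On a live host, pipe the real table in: `ip -4 route show | duplicate_default_routes`. Empty output means no two default routes share a metric.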
Slide 10 of 35
NetworkManager vs systemd-networkd
Two backends. Different strengths. Choose based on workload.
[Diagram: Netplan YAML feeds either NetworkManager (desktop / WiFi / VPN) or systemd-networkd (server / static / minimal)]
NetworkManager
Designed for desktops and laptops with dynamic connectivity. Handles WiFi, VPNs, mobile broadband, and frequent network changes gracefully. GUI tools (nmtui, nmcli) available. Default renderer on Ubuntu Desktop. Heavier resource footprint than networkd.
systemd-networkd
Minimal, fast, systemd-native. Designed for servers with static or predictable network configuration. No daemon running between configuration events. Reads .network files from /etc/systemd/network/. Default on Ubuntu Server. Integrates with systemd-resolved for DNS.
    # Check which backend is active
    systemctl is-active NetworkManager
    systemctl is-active systemd-networkd

    # Switch Netplan to use NetworkManager (change renderer in YAML)
    # renderer: NetworkManager   (in /etc/netplan/*.yaml)

    # nmcli: NetworkManager command-line interface
    nmcli device status            # list devices and their status
    nmcli connection show          # list configured connections
    nmcli device connect enp3s0    # connect a device

    # nmtui: text-based UI for NetworkManager (useful on headless servers)
    nmtui                          # launches interactive TUI
Slide 11 of 35
NIC Bonding: Redundancy and Throughput
Combine multiple physical interfaces into one logical interface. Bonding provides failover or aggregated bandwidth.
[Diagram: Mode 1 active-backup: enp3s0 (ACTIVE) and enp4s0 (STANDBY) form bond0; no switch config needed. Mode 4 802.3ad LACP: enp3s0 and enp4s0 form bond0, uplinked to a switch with LACP enabled; requires switch LACP config.]
Your sector node has two 1 Gbps NICs. You can use them independently (1 Gbps each), as an active-backup pair (1 Gbps, automatic failover if one NIC or cable fails), or as an active-active bond (2 Gbps effective throughput). The choice depends on your priority: availability or throughput.
Mode 0: balance-rr
Round-robin. Transmits packets in sequence across all member interfaces. Provides load balancing and fault tolerance. Requires switch support (802.3ad or static LAG). Can cause out-of-order packet delivery. Not recommended for TCP-heavy workloads without switch coordination.
Mode 1: active-backup
One interface is active; the others are standby. On failure, a standby immediately takes over. No switch configuration required. Bandwidth limited to one NIC at a time. The most common production choice for servers where fault tolerance is the priority and switch config is not available.
Mode 4: 802.3ad LACP
Link Aggregation Control Protocol (IEEE 802.3ad). The switch and server negotiate the bond dynamically. Provides both fault tolerance and load balancing. Requires switch-side LACP configuration. Most data center environments use this for server uplinks. Best throughput per port count.
Slide 12 of 35
Bonding Mode Reference
All 7 modes. Know Mode 1 and Mode 4 deeply. Know the rest exist.
Mode 0: balance-rr
Round-robin across all slaves. Load balance + fault tolerance. Requires switch LAG config.
Mode 1: active-backup
One active, rest standby. Failover only. No switch config needed. Most compatible.
Mode 2: balance-xor
XOR of src/dst MAC determines slave. Same slave for each destination. Requires switch support.
Mode 3: broadcast
Send all traffic on all slaves simultaneously. Fault tolerance only. Very high traffic volume.
Mode 4: 802.3ad (LACP)
Dynamic link aggregation. Requires switch LACP. Best combination of throughput and redundancy.
Mode 5: balance-tlb
Transmit load balancing without switch support. Receive traffic on the active NIC only.
Mode 6: balance-alb
Adaptive load balancing. Includes both transmit and receive load balancing without switch support. Uses ARP negotiation to distribute receive traffic. No special switch configuration needed.
Slide 13 of 35
Netplan: Bonding Configuration
Configure a Mode 4 (LACP) bond in Netplan YAML.
    # /etc/netplan/10-bonding.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
        enp4s0:
          dhcp4: false
      bonds:
        bond0:
          interfaces: [enp3s0, enp4s0]
          addresses:
            - 10.0.100.10/24
          routes:
            - to: default
              via: 10.0.100.1
          nameservers:
            addresses: [10.0.0.53]
          parameters:
            mode: 802.3ad                    # LACP
            lacp-rate: fast                  # PDU every 1s (vs 30s for slow)
            mii-monitor-interval: 100        # check link every 100ms
            transmit-hash-policy: layer3+4   # use IP + port for load balance
Slide 14 of 35
Netplan: Active-Backup Bond
Failover without switch coordination. Works with any switch.
    # /etc/netplan/10-active-backup-bond.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
        enp4s0:
          dhcp4: false
      bonds:
        bond0:
          interfaces: [enp3s0, enp4s0]
          addresses:
            - 192.168.1.100/24
          routes:
            - to: default
              via: 192.168.1.1
          parameters:
            mode: active-backup
            primary: enp3s0                # preferred active interface
            mii-monitor-interval: 200      # check every 200ms
            fail-over-mac-policy: active   # MAC follows the active port
Verify Bond Status
cat /proc/net/bonding/bond0 shows the current mode, active slave, and state of each member. This is the definitive source of truth for bond status. ip link show bond0 confirms the bond interface is up.
Test Failover
With active-backup configured: bring the primary interface down with ip link set enp3s0 down, then ping the gateway and watch /proc/net/bonding/bond0. The secondary takes over in under 200ms.
Slide 15 of 35
VLANs: Layer 2 Segmentation
Carry multiple logical networks over a single physical interface using 802.1Q tagging.
[Diagram: 802.1Q VLAN tagging flow: an untagged Ethernet frame enters an access port (VLAN 100), the 802.1Q tag is added, the tagged frame [VLAN 100] crosses the trunk link, the tag is removed at the far access port (VLAN 100), and the frame leaves untagged. The access port adds/removes the 4-byte VLAN tag.]
What a VLAN Is
A Virtual LAN (802.1Q) inserts a 4-byte tag into Ethernet frames. The tag contains a VLAN ID (1-4094). Switches use this tag to segregate traffic into separate broadcast domains. The same physical cable carries frames for multiple logical networks simultaneously.
Trunk vs Access Ports
An access port carries untagged traffic for one VLAN. A trunk port carries tagged traffic for multiple VLANs. Your Linux server must be connected to a trunk port to use VLAN subinterfaces. The switch configuration must allow the VLAN tags your server will send.
    # Create a VLAN subinterface with ip link (not persistent)
    ip link add link enp3s0 name enp3s0.100 type vlan id 100
    ip link set enp3s0.100 up
    ip addr add 10.100.0.10/24 dev enp3s0.100

    # Add a second VLAN on the same physical interface
    ip link add link enp3s0 name enp3s0.200 type vlan id 200
    ip link set enp3s0.200 up
    ip addr add 10.200.0.10/24 dev enp3s0.200

    # Verify VLAN interfaces
    ip link show type vlan
    cat /proc/net/vlan/config
Slide 16 of 35
Netplan: VLAN Configuration
Persistent VLAN subinterfaces in Netplan YAML.
    # /etc/netplan/20-vlans.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
      vlans:
        enp3s0.100:          # name of the VLAN interface
          id: 100            # VLAN tag ID
          link: enp3s0       # parent physical interface
          dhcp4: false
          addresses:
            - 10.100.0.10/24
          routes:
            - to: 10.100.0.0/24
              via: 10.100.0.1
        enp3s0.200:
          id: 200
          link: enp3s0
          dhcp4: false
          addresses:
            - 10.200.0.10/24
VLAN on a Bond
You can combine bonding and VLANs. The VLAN interfaces are created on top of the bond interface: set link: bond0 instead of the physical interface name. This gives you both redundancy (from the bond) and segmentation (from the VLAN).
[Diagram: enp3s0 + enp4s0 -> bond0 -> bond0.100 (10.100.0.10/24) and bond0.200 (10.200.0.10/24): redundancy + segmentation]
Slide 17 of 35
Routing Tables: ip route
How the kernel decides which interface and gateway to use for each destination.
    Destination        Gateway           Interface   Metric
    0.0.0.0/0          192.168.10.1      enp3s0      100
    192.168.10.0/24    connected         enp3s0      0
    10.0.0.0/8         192.168.10.254    enp3s0      50

Longest prefix match wins -- /24 beats /8 beats /0 (default)

    # Display the main routing table
    ip route show
    # Example output:
    # default via 192.168.10.1 dev enp3s0 proto dhcp src 192.168.10.50 metric 100
    # 192.168.10.0/24 dev enp3s0 proto kernel scope link src 192.168.10.50

    # Add a static route: reach 10.0.0.0/8 via gateway 192.168.10.254
    ip route add 10.0.0.0/8 via 192.168.10.254 dev enp3s0
    # Add a host route: specific destination via a gateway
    ip route add 203.0.113.50/32 via 192.168.10.1
    # Add default gateway
    ip route add default via 192.168.10.1
    # Delete a route
    ip route del 10.0.0.0/8

    # Show which route would be used for a specific destination (route lookup)
    ip route get 8.8.8.8
    # 8.8.8.8 via 192.168.10.1 dev enp3s0 src 192.168.10.50 uid 1000
Slide 18 of 35
Route Metrics and Policy Routing
Multiple routes to the same destination. Control which one the kernel prefers.
Metric
When multiple routes match the same destination, the kernel uses the route with the lowest metric. DHCP typically assigns metric 100. You can set metric manually. Routes with the same prefix length and same metric are used in ECMP (equal-cost multipath) -- traffic is distributed.
Policy Routing (Multiple Tables)
Linux supports multiple routing tables (up to 252). You can route traffic differently based on source IP, incoming interface, or packet marks. Common use: a server with two ISPs where traffic from IP 10.0.1.x must use ISP-A and traffic from 10.0.2.x must use ISP-B.
    # Add routes with explicit metrics
    ip route add default via 192.168.1.1 metric 100    # primary default route
    ip route add default via 192.168.2.1 metric 200    # backup default route

    # In Netplan: set metric on a route
    # routes:
    #   - to: default
    #     via: 192.168.1.1
    #     metric: 100

    # Policy routing: route table 100 via different gateway
    ip route add default via 192.168.2.1 table 100
    ip rule add from 192.168.2.0/24 table 100    # traffic from this subnet uses table 100
    ip rule show                                 # display routing policy rules
Slide 19 of 35
Netplan: Persistent Static Routes
Add custom routes that survive reboots and interface restarts.
    # /etc/netplan/00-static-config.yaml with custom routes
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
          addresses:
            - 192.168.10.50/24
          routes:
            - to: default          # default gateway
              via: 192.168.10.1
              metric: 100
            - to: 10.0.0.0/8       # reach internal networks via this gateway
              via: 192.168.10.254
              metric: 50
            - to: 172.16.0.0/12    # DMZ range
              via: 192.168.10.200

    # After applying, verify all routes are present
    netplan try
    ip route show
Slide 20 of 35
DNS Resolution: systemd-resolved
The DNS resolver on Ubuntu 22.04 and how to configure and inspect it.
    # systemd-resolved is the local stub resolver on Ubuntu 22.04
    # It listens on 127.0.0.53:53 and forwards queries to upstream DNS

    # Check the resolver status and configured DNS servers
    resolvectl status
    # Per-interface DNS -- each interface can have its own DNS
    resolvectl dns enp3s0    # show DNS for this interface
    # Look up a hostname using systemd-resolved
    resolvectl query sector-db.internal
    # Flush the local DNS cache
    resolvectl flush-caches
    # Show DNS statistics (queries, cache hits, etc.)
    resolvectl statistics

    # /etc/resolv.conf is a symlink to the resolved stub
    ls -la /etc/resolv.conf
    # lrwxrwxrwx -> /run/systemd/resolve/stub-resolv.conf

    # If you need to bypass resolved and use a direct resolv.conf
    ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Slide 21 of 35
Bridges: Layer 2 Switching in Software
Connect virtual machines or containers to the physical network at Layer 2.
[Diagram: VM 1 (tap0), VM 2 (tap1) and a container (veth0) attach to Linux bridge br0, which connects through physical NIC enp3s0 to the LAN. VMs/containers get L2 access to the physical network through the bridge.]
What a Bridge Does
A Linux bridge acts as a virtual Ethernet switch. Physical interfaces and virtual interfaces (TAP, veth) can be added as bridge members. Frames are forwarded based on MAC address learning, just like a hardware switch. Used by KVM/QEMU, LXC, and Docker bridge networks.
Common Use Case
You want VMs on a hypervisor to appear on the same Layer 2 network as physical machines. You bridge the physical NIC (enp3s0) with the TAP interfaces of each VM. The VMs receive their own DHCP addresses from the same server as physical machines.
    # /etc/netplan/30-bridge.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        enp3s0:
          dhcp4: false
      bridges:
        br0:
          interfaces: [enp3s0]
          dhcp4: true
          parameters:
            stp: false          # disable Spanning Tree (no loops in simple configs)
            forward-delay: 0    # no forwarding delay (useful for VMs)
Slide 22 of 35
MTU and Jumbo Frames
Maximum Transmission Unit. Get it wrong and you get silent data corruption or throughput collapse.
Standard MTU: 1500
The default MTU for Ethernet is 1500 bytes. Every switch, router, and NIC on the path between two hosts must support the MTU being used. A packet larger than the interface MTU is either fragmented (if the DF bit is not set) or dropped with an ICMP Fragmentation Needed message (if DF is set).
Jumbo Frames: 9000+
Large MTU values (typically 9000 bytes) reduce CPU overhead per byte transferred by requiring fewer frames per transfer. Beneficial for storage traffic (iSCSI, NFS) and inter-datacenter traffic. Requires every device on the path to support jumbo frames -- including all switches. A mismatch causes complete connection failures for large transfers.
    # Check current MTU
    ip link show enp3s0
    # ...mtu 1500...

    # Set MTU temporarily
    ip link set enp3s0 mtu 9000

    # Persistent MTU in Netplan
    # ethernets:
    #   enp3s0:
    #     mtu: 9000

    # Test MTU path: send a large packet with DF bit set
    # If fragmentation is needed and DF is set, you get an ICMP error
    ping -M do -s 8972 10.0.100.1
    # -M do = DF bit, -s = payload size (8972 + 28 header = 9000)
Slide 23 of 35
IP Forwarding: Routing Between Interfaces
Enable your Linux host to forward packets between interfaces. Required for routers, firewalls, and VPN gateways.
    # Check current forwarding state (0 = disabled, 1 = enabled)
    sysctl net.ipv4.ip_forward
    cat /proc/sys/net/ipv4/ip_forward

    # Enable IP forwarding immediately (not persistent)
    sysctl -w net.ipv4.ip_forward=1
    # Enable IPv6 forwarding
    sysctl -w net.ipv6.conf.all.forwarding=1

    # Persistent: add to /etc/sysctl.d/ (survives reboots)
    cat > /etc/sysctl.d/90-forwarding.conf <<EOF
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
    EOF

    # Apply sysctl changes without rebooting
    sysctl --system

    # Verify iptables / nftables is not blocking forwarded traffic
    iptables -P FORWARD ACCEPT    # allow all forwarded packets (adjust for security)
    iptables -L FORWARD -n -v     # review current FORWARD chain rules
Slide 24 of 35
Network Namespaces: Isolated Network Stacks
The foundation of container networking. Each namespace has its own interfaces, routing table, and firewall rules.
[Diagram: host namespace (enp3s0, veth-host 192.168.100.1/30) connected by a veth pair to namespace sector-ns (veth-ns 192.168.100.2/30, isolated lo). Each namespace has its own routing table, firewall rules, and interface state.]

    # Create a new network namespace
    ip netns add sector-ns
    # List network namespaces
    ip netns list
    # Run a command inside the namespace
    ip netns exec sector-ns ip link show
    # Only loopback (lo) exists -- completely isolated

    # Create a veth pair: a virtual cable with two ends
    ip link add veth-host type veth peer name veth-ns
    # Move one end into the namespace
    ip link set veth-ns netns sector-ns

    # Configure the host-side end
    ip addr add 192.168.100.1/30 dev veth-host
    ip link set veth-host up

    # Configure the namespace-side end
    ip netns exec sector-ns ip addr add 192.168.100.2/30 dev veth-ns
    ip netns exec sector-ns ip link set veth-ns up
    ip netns exec sector-ns ip route add default via 192.168.100.1

    # Test connectivity
    ip netns exec sector-ns ping -c 2 192.168.100.1
Slide 25 of 35
ARP: Address Resolution Protocol
How your system maps IP addresses to MAC addresses on the local network.
    # View the ARP cache (IP to MAC mappings)
    ip neighbour show
    # 192.168.10.1 dev enp3s0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
    # Short form
    ip neigh

    # Flush the ARP cache for an interface (useful when IP-MAC mapping changes)
    ip neigh flush dev enp3s0
    # Add a static ARP entry (prevent ARP spoofing for critical hosts)
    ip neigh add 192.168.10.1 lladdr aa:bb:cc:dd:ee:01 dev enp3s0 nud permanent
    # Delete a specific ARP entry
    ip neigh del 192.168.10.50 dev enp3s0

    # Send a gratuitous ARP (announce your IP-MAC binding)
    # Useful after IP address changes or to update switches
    arping -c 3 -A -I enp3s0 192.168.10.50
ARP States
ARP entries cycle through: INCOMPLETE (ARP request sent, no reply yet), REACHABLE (confirmed, within reachability time), STALE (timeout expired, will reverify on next use), FAILED (host did not reply), PERMANENT (static, never times out).
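The static-entry advice above can be turned into a check, added here as an example and not part of the course material: compare `ip neigh show` output against the MAC addresses expected for critical hosts, and report entries that differ or that are not yet PERMANENT. The function name, the `ip=mac` argument format, and the sample neighbour tables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare the neighbour table against pinned IP-to-MAC pairs.

# Usage: ip neigh show | check_neighbour_pins <ip>=<mac> [<ip>=<mac> ...]
# Prints one finding per pinned IP found on stdin:
#   MISMATCH <ip> <dev> expected=<mac> seen=<mac>   learned MAC differs from pin
#   NOT_PERMANENT <ip> <dev> state=<STATE>          MAC is right but entry is dynamic
check_neighbour_pins() {
    awk -v pins="$*" '
        BEGIN {
            n = split(pins, p, " ")
            for (i = 1; i <= n; i++) {
                eq = index(p[i], "=")
                want[substr(p[i], 1, eq - 1)] = tolower(substr(p[i], eq + 1))
            }
        }
        ($1 in want) {
            dev = "?"; mac = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") mac = tolower($(i + 1))
            }
            state = $NF
            if (mac == "") next    # INCOMPLETE or FAILED: no MAC learned
            if (mac != want[$1])
                print "MISMATCH", $1, dev, "expected=" want[$1], "seen=" mac
            else if (state != "PERMANENT")
                print "NOT_PERMANENT", $1, dev, "state=" state
        }
    '
}

# Constructed sample: the gateway IP resolves to an unexpected MAC and the
# second pinned host is correct but still a dynamic (STALE) entry.
neigh_sample() {
    cat <<'EOF'
192.168.10.1 dev enp3s0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.10.53 dev enp3s0 lladdr aa:bb:cc:dd:ee:35 STALE
192.168.10.60 dev enp3s0 lladdr aa:bb:cc:dd:ee:60 REACHABLE
192.168.10.7 dev enp3s0 FAILED
EOF
}

# Constructed sample: the gateway has been pinned with "nud permanent".
neigh_sample_pinned() {
    cat <<'EOF'
192.168.10.1 dev enp3s0 lladdr aa:bb:cc:dd:ee:01 PERMANENT
EOF
}

neigh_sample | check_neighbour_pins \
    192.168.10.1=aa:bb:cc:dd:ee:01 192.168.10.53=AA:BB:CC:DD:EE:35
```

A MISMATCH on the gateway address is the case a static entry prevents; NOT_PERMANENT marks hosts where the pin has not been applied yet.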
Slide 26 of 35
ethtool — NIC Diagnostics
Query and control NIC settings below the IP layer: speed, duplex, offloading, ring buffers.
    # Show NIC settings: speed, duplex, auto-negotiation
    ethtool enp3s0
    # Speed: 1000Mb/s  Duplex: Full  Auto-negotiation: on  Link: yes

    # Show interface statistics (packet counts, errors)
    ethtool -S enp3s0 | grep -E '(error|drop|miss)'
    # Show driver information
    ethtool -i enp3s0
    # Show hardware offloading features
    ethtool -k enp3s0
    # Set speed and duplex manually (force, disable auto-negotiate)
    ethtool -s enp3s0 speed 1000 duplex full autoneg off

    # Wake-on-LAN: check if supported
    ethtool enp3s0 | grep 'Wake-on'
    # Enable Wake-on-LAN (if supported)
    ethtool -s enp3s0 wol g
Offloading Tip
TCP/UDP checksum offloading to the NIC hardware can be disabled for troubleshooting (packets captured with tcpdump may show incorrect checksums when offloading is enabled, confusing protocol analyzers). Use ethtool -K enp3s0 rx off tx off to disable for testing, then re-enable.
Slide 27 of 35
Network Tuning with sysctl
Kernel parameters that control TCP behavior, buffer sizes, and security posture.
    # /etc/sysctl.d/90-network-tuning.conf
    # Comments go on their own lines: sysctl.d files treat only lines
    # starting with # or ; as comments, not text after a value.

    # TCP buffer sizes: increase for high-throughput or high-latency links
    net.core.rmem_max = 134217728
    net.core.wmem_max = 134217728
    net.ipv4.tcp_rmem = 4096 87380 134217728
    net.ipv4.tcp_wmem = 4096 65536 134217728

    # TCP congestion control algorithm (Google BBR: better for modern networks)
    net.ipv4.tcp_congestion_control = bbr
    # fq queueing discipline (required for BBR)
    net.core.default_qdisc = fq

    # Security: prevent common network attacks
    # Reverse path filter (anti-spoofing)
    net.ipv4.conf.all.rp_filter = 1
    # Reject source-routed packets
    net.ipv4.conf.all.accept_source_route = 0
    # Ignore broadcast ping (smurf protection)
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # SYN flood protection
    net.ipv4.tcp_syncookies = 1

    # Apply immediately
    sysctl --system
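An audit for the four security settings listed on this slide, added here as an example and not part of the course material: it reads a sysctl.d-format file and reports hardening keys that are missing or set to a different value, plus any value followed by a trailing comment (sysctl.d treats only whole lines starting with # or ; as comments). The function name and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a sysctl.d file for the hardening keys on the slide.

# Reads sysctl.d-format text on stdin. Prints one finding per line:
#   INLINE_COMMENT <key>        value is followed by a trailing # or ; comment
#   WRONG <key>=<val> want=<v>  hardening key present with a different value
#   MISSING <key>               hardening key not set in this file
audit_sysctl_conf() {
    awk '
        BEGIN {
            order[1] = "net.ipv4.conf.all.rp_filter";           want[order[1]] = "1"
            order[2] = "net.ipv4.conf.all.accept_source_route"; want[order[2]] = "0"
            order[3] = "net.ipv4.icmp_echo_ignore_broadcasts";  want[order[3]] = "1"
            order[4] = "net.ipv4.tcp_syncookies";               want[order[4]] = "1"
            n = 4
        }
        /^[ \t]*([#;]|$)/ { next }    # whole-line comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val ~ /[ \t][#;]/) {  # comment text would become part of the value
                print "INLINE_COMMENT", key
                flagged[key] = 1
                next
            }
            seen[key] = val           # a later line overrides an earlier one
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (k in flagged) continue
                if (!(k in seen)) print "MISSING", k
                else if (seen[k] != want[k]) print "WRONG", k "=" seen[k], "want=" want[k]
            }
        }
    '
}

# Constructed sample: forwarding enabled, anti-spoofing off, one trailing
# comment, and no accept_source_route line.
sysctl_sample_weak() {
    cat <<'EOF'
# /etc/sysctl.d/90-network-tuning.conf (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_syncookies = 1 # SYN flood protection
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF
}

# Constructed sample: the same host with the slide's values applied.
sysctl_sample_hardened() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# SYN flood protection
net.ipv4.tcp_syncookies = 1
EOF
}

sysctl_sample_weak | audit_sysctl_conf
```

The audit covers one file's text only; compare against the running kernel with `sysctl <key>` when several files in /etc/sysctl.d/ set the same key.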
Slide 28 of 35
systemd-networkd: Direct .network Files
Configure network interfaces directly without Netplan when you need fine-grained control.
    # /etc/systemd/network/10-enp3s0.network
    [Match]
    Name=enp3s0

    [Network]
    Address=10.0.100.10/24
    Gateway=10.0.100.1
    DNS=10.0.0.53
    DNS=10.0.0.54
    Domains=sector.internal

    [Route]
    Destination=10.0.0.0/8
    Gateway=10.0.100.254

    # Apply: restart networkd (or reload if no breaking changes)
    systemctl restart systemd-networkd
    # Show network status via networkd
    networkctl status
    networkctl status enp3s0
    networkctl list    # all managed interfaces
When to Use Direct networkd Files
Netplan generates networkd files. If you need features that Netplan does not expose (certain networkd-specific options), write networkd files directly and avoid Netplan for those interfaces. Do not mix Netplan and manual networkd files for the same interface.
Slide 29 of 35
Configuration Troubleshooting: Layer by Layer
A systematic approach to "the network does not work" after a configuration change.
[Diagram: L1 cable (ip link) -> L2 MAC (ethtool) -> L3 IP (ip addr) -> L3 route (ip route) -> L4+ DNS (resolvectl). Troubleshoot bottom-up: verify each layer before moving to the next.]
You applied a Netplan change. The new configuration does not work. You cannot reach the gateway. Follow this sequence from Layer 1 up.
    # Layer 1: Is the physical link up?
    ip link show enp3s0
    # state UP + LOWER_UP = cable connected and interface up

    # Layer 2: Is the interface up and does it have the right MAC?
    ip link show enp3s0
    ethtool enp3s0    # check Speed/Duplex

    # Layer 3: Does the interface have the correct IP and prefix?
    ip addr show enp3s0
    # Layer 3: Is the routing table correct?
    ip route show
    # Layer 3: Can we reach the default gateway?
    ping -c 4 192.168.10.1
    # Layer 3: ARP resolution working?
    ip neigh show    # is gateway MAC resolved?

    # Layer 4 and above: DNS working?
    resolvectl query google.com

    # Check Netplan-generated files for accuracy
    cat /run/systemd/network/10-netplan-enp3s0.network
Slide 30 of 35
Debugging Netplan
Validate, generate, inspect. Find problems before they disconnect you.
    # Step 1: Check YAML syntax
    python3 -c "import yaml; yaml.safe_load(open('/etc/netplan/00-config.yaml'))"
    # Step 2: Validate with netplan (checks both YAML and semantic validity)
    netplan generate --debug
    # Step 3: View generated networkd or NetworkManager files
    ls /run/systemd/network/
    cat /run/systemd/network/10-netplan-enp3s0.network
    # Step 4: Apply safely
    netplan try    # 120 second auto-revert if you don't confirm
    # Step 5: Check networkd journal for errors
    journalctl -u systemd-networkd -b --no-pager

    # Common YAML mistakes:
    # - Tabs instead of spaces (YAML does not allow tabs)
    # - Wrong indentation depth (2 spaces per level)
    # - IP address as 192.168.1.0/24 instead of 192.168.1.10/24
    # - routes: entries without "- to:" and "via:" properly indented
Slide 31 of 35
nmcli: NetworkManager CLI
When your system uses NetworkManager as the backend, use nmcli for inspection and changes.
    # List all NetworkManager connections
    nmcli connection show
    # Show details of a specific connection
    nmcli connection show "Wired connection 1"
    # Show all device statuses
    nmcli device status

    # Create a new static connection
    nmcli connection add type ethernet ifname enp3s0 con-name sector-static \
        ip4 10.0.100.10/24 gw4 10.0.100.1
    # Modify an existing connection
    nmcli connection modify sector-static ipv4.dns "10.0.0.53 10.0.0.54"

    # Bring a connection up/down
    nmcli connection up sector-static
    nmcli connection down sector-static
    # Set a connection to auto-connect on boot
    nmcli connection modify sector-static connection.autoconnect yes
Slide 32 of 35
Real-Time Interface Monitoring
Watch traffic counters, bandwidth usage, and error rates live.
    # /proc/net/dev: raw packet and byte counters per interface
    cat /proc/net/dev
    # watch: refresh counters every second
    watch -n 1 'cat /proc/net/dev | grep enp3s0'
    # ip -s link: bytes/packets with error stats
    ip -s link show enp3s0
    # sar: historical and real-time network stats (requires sysstat)
    sar -n DEV 2 5    # sample every 2 seconds, 5 times
    # iftop: bandwidth per connection (must install: apt install iftop)
    iftop -i enp3s0
    # nethogs: bandwidth per process (must install: apt install nethogs)
    nethogs enp3s0
    # Check interface error counters with ethtool
    ethtool -S enp3s0 | grep -E '(error|drop|crc|fifo)'
Slide 33 of 35  |  Lab Exercises
Practice Exercises
Complete these on your Ubuntu 22.04 lab VM before the lab session ends.
1. Configure a static IP on your primary interface using Netplan. Include the address, gateway, and two DNS servers. Use netplan try (not apply). Verify with ip addr, ip route, and resolvectl status.
2. Add a VLAN subinterface (VLAN ID 100) on your primary interface using Netplan. Assign it a static IP in the 10.100.0.0/24 range. Verify with ip link show type vlan and ip addr show.
3. Add a custom static route to the 172.16.0.0/12 range via a gateway of your choice. Verify it appears in ip route show. Test with ip route get 172.16.1.1. Remove the route with ip route del.
4. Enable IP forwarding persistently using /etc/sysctl.d/. Add the anti-spoofing sysctl parameters. Apply with sysctl --system and verify with sysctl net.ipv4.ip_forward.
5. Create a network namespace, add a veth pair, connect one end to the namespace, configure IP addresses on both ends, and verify connectivity with ping from inside the namespace. Document each step.
Slide 34 of 35
What's Next
Configuration complete. Now you need to verify it works and diagnose when it does not.
ALA-04: Grid Diagnostics
ss, ip route, traceroute, dig, tcpdump, nmap. Every interface you configured in this module can be diagnosed using the tools in ALA-04. Configuration and diagnostics are inseparable in production networking.
Week 2: Firewall and Security
nftables, iptables, ufw. The routes you configured here interact directly with firewall rules. A misconfigured FORWARD chain will drop packets on interfaces you correctly configured. Security comes after connectivity.
Week 3: DNS and DHCP Servers
Running your own DNS (Bind9/Unbound) and DHCP (ISC-DHCP/Kea) servers. The nameservers and search domains you configured in Netplan this week are the clients. Week 3 builds the servers they connect to.
Slide 35 of 35  |  ALA-03
ALA-03 Summary: Key Takeaways
You can now configure any Linux network interface -- static or DHCP, single or bonded, tagged or untagged -- and make those configurations survive reboots. You understand the difference between transient ip commands and persistent Netplan YAML. This is operational network engineering, not button-clicking.
1. ip link = Layer 2 (interfaces). ip addr = Layer 3 (addresses). ip route = routing. All three are transient -- they disappear on reboot without Netplan or networkd config.
2. Netplan YAML lives in /etc/netplan/. Use 2-space indentation. Always use netplan try on remote systems -- it auto-reverts in 120 seconds if you lose connectivity.
3. DHCP use-routes: false prevents multiple default gateways when two interfaces both receive DHCP leases. Missing this causes unpredictable routing behavior.
4. Bond Mode 1 (active-backup) = fault tolerance, no switch config needed. Mode 4 (802.3ad LACP) = throughput + redundancy, requires switch LACP config.
5. VLANs require a trunk port on the switch. VLAN subinterface names follow the pattern interface.vlanid (e.g., enp3s0.100).
6. systemd-networkd and NetworkManager are both valid backends. Use networkd for servers, NetworkManager for desktops. Set the renderer in Netplan YAML.
7. IP forwarding (net.ipv4.ip_forward=1) must be enabled for the system to route packets between interfaces. Set it persistently in /etc/sysctl.d/.
8. MTU mismatches cause silent large-packet failures. Test with ping -M do -s 8972. Set MTU in Netplan with the mtu: key. Every device on the path must support the same MTU.