Network Configuration Tutorial
You can configure multiple network interfaces after installing and initializing a CipherTrust Manager physical appliance or private cloud Virtual CipherTrust Manager.
Caution
Network interface configuration on public clouds should be done using the cloud provider's tools.
This configuration is performed using GNOME NetworkManager and its nmcli tool.
This tutorial provides an example of typical network configuration steps. These steps show how to view network devices, view network connections, set DHCP with IPv4 for a connection, and then modify the connection to use a static IP instead of DHCP.
Planning is required for network interface bonding, configuring static routes, or configuring VLAN.
Basic Network Configuration Tasks with nmcli
Connect as the ksadmin user to the CipherTrust Manager appliance through its serial connection, or the Virtual CipherTrust Manager through its console.
Caution
Modifying a remote network interface over SSH is risky. The remote connection will stop responding if the IP address settings are incorrectly configured, resulting in the remote machine being unreachable.
Use nmcli to list the available network devices (also called network interfaces or NICs). The devices listed in this example are truncated for brevity.
    nmcli device
    DEVICE       TYPE      STATE         CONNECTION
    kylo0        bridge    connected     kylo0
    ens3         ethernet  connected     Wired connection 1
    ens4         ethernet  disconnected  --
    veth05d02c4  ethernet  unmanaged     --
    ...
The output of this command might show over 30 devices. However, only a few require explanation:
kylo0 is used for internal communication by CipherTrust Manager services. It should never be altered in any way.
ens3 is an active device with a NetworkManager connection profile named Wired connection 1.
ens4 is an inactive device with no NetworkManager connection profile defined.
veth05d02c4 is an unmanaged device and should be ignored because NetworkManager cannot be used to control or configure the device.
As a general rule, device names starting with eth or en are devices an administrator can configure.
Use nmcli to see an active device's live values. In this example the only active device so far is ens3.
    nmcli device show ens3
    GENERAL.DEVICE:           ens3
    GENERAL.TYPE:             ethernet
    GENERAL.HWADDR:           00:50:56:99:3F:54
    GENERAL.MTU:              1500
    GENERAL.STATE:            100 (connected)
    GENERAL.CONNECTION:       Wired connection 1
    GENERAL.CON-PATH:         /org/freedesktop/NetworkManager/ActiveConnection/8
    WIRED-PROPERTIES.CARRIER: on
    IP4.ADDRESS[1]:           10.121.105.97/22
    IP4.GATEWAY:              10.121.104.1
    IP4.DNS[1]:               10.121.8.7
    IP4.DNS[2]:               172.16.2.13
    IP4.DNS[3]:               172.16.2.12
    IP6.ADDRESS[1]:           fe80::bd7e:b93f:7e66:4b92/64
    IP6.GATEWAY:
The output shows that IPv4 has an address and accompanying values and that IPv6 only has a link-local address.
Use nmcli conn to see the configured network devices that NetworkManager calls connections. Notice that the connections listed in this example do not include device ens4 because it is not yet configured.
    nmcli conn
    NAME                UUID                                  TYPE            DEVICE
    Wired connection 1  9d86421b-7032-48eb-ac5a-3c84d285d01e  802-3-ethernet  ens3
Use nmcli to create a connection configuration for the device ens4 using DHCP for IPv4 and no IPv6 configuration. When ipv4.method and/or ipv6.method are not explicitly provided, then NetworkManager uses auto by default.
Note
There is a known issue in CipherTrust Manager instances upgraded from 2.4 and earlier, where the network interface name may be associated with a different MAC address after a reboot. Because of this issue, it is highly recommended to bind the connection to the device's MAC address instead of the network interface name when creating the connection profile.
View details for ens4. Retain the MAC address, shown as the GENERAL.HWADDR value, for creating a connection later.
    nmcli device show ens4
    GENERAL.DEVICE:  ens4
    GENERAL.TYPE:    ethernet
    GENERAL.HWADDR:  00:50:56:99:3F:55
    ...
Create the connection, binding it to the MAC address. Provide a meaningful connection name based on the context of use. For example, if ens3 is responsible for web traffic and ens4 is responsible for database traffic, then naming the connections web and db provides better context for how they are used.
    nmcli conn add type ethernet con-name <connection_name> ifname '' -- ethernet.mac-address 00:50:56:99:3F:55 ipv4.method auto ipv6.method ignore
Use nmcli to confirm the connection is created with the correct configuration for device ens4. The configuration and active values in this example are truncated for brevity.
    nmcli conn show <connection_name>
    connection.id:              <connection_name>
    connection.uuid:            d797d28c-fe8a-49ab-8181-271870d6cfc6
    connection.interface-name:  ens4
    connection.type:            802-3-ethernet
    ...
    ipv4.method:                auto
    ...
    ipv6.method:                ignore
    ...
    IP4.ADDRESS[1]:             10.121.105.113/22
    IP4.GATEWAY:                10.121.104.1
    IP4.DNS[1]:                 10.121.8.7
    IP4.DNS[2]:                 172.16.2.13
    IP4.DNS[3]:                 172.16.2.12
    ...
The output format uses lowercase key names to indicate configuration values (e.g. ipv4.method) and uppercase key names to indicate live values (e.g. IP4.ADDRESS[1]). From this output we can see the newly configured device's IP address obtained via DHCP is 10.121.105.113.
Try connecting to the connection's IP address from a browser and confirm that CipherTrust Manager UI loads. If the UI does not load, try pinging the address to confirm the IP address can be reached or use other network tools such as netcat to verify connectivity.
You can use the modify sub-command to change the connection configuration. Use nmcli to modify device ens4's connection to use a static IP address instead of DHCP. You must provide a gateway and DNS server(s).
    nmcli conn modify <connection_name> ipv4.method manual ipv4.addresses 10.121.105.18/22 ipv4.gateway 10.121.104.1 ipv4.dns 8.8.8.8,8.8.4.4
    nmcli conn show <connection_name> | grep IP4.ADDRESS
    IP4.ADDRESS[1]: 10.121.105.113/22
To ensure that DHCP-provided DNS servers are ignored, run the command:
    nmcli conn modify <connection_name> ipv4.ignore-auto-dns yes
Notice that the IP4.ADDRESS[1] field listed in the second command still has the original IP address obtained via DHCP. In order to activate the modification, the connection must be restarted using the up sub-command:
    nmcli conn up <connection_name>
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)
    nmcli conn show <connection_name> | grep IP4.ADDRESS
    IP4.ADDRESS[1]: 10.121.105.18/22
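Added example, not part of the original tutorial or the product's tooling: a check that reads nmcli conn show output and flags the three conditions this procedure warns about (profile not bound to a MAC address, static address configured but not yet activated, DHCP-provided DNS not ignored). The function names audit_profile and sample_profile, the finding labels, and the sample profile (constructed from the tutorial's values, with db as the connection name) are assumptions.

```shell
#!/bin/sh
# Usage on the appliance console: nmcli conn show <connection_name> | audit_profile
# Prints one finding per line, or "OK" when every check passes.
audit_profile() {
    awk '
    {   # "key:  value" -> kv[key] = value. Lowercase keys are configuration,
        # uppercase keys are live values.
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        kv[key] = val
    }
    END {
        n = 0
        # Profile should be bound to the MAC address, not the interface name.
        mac = kv["802-3-ethernet.mac-address"]
        if (mac == "" || mac == "--") { print "NOT-MAC-BOUND"; n++ }
        if (kv["ipv4.method"] == "manual") {
            # A modified profile is not live until the connection is brought up.
            live = kv["IP4.ADDRESS[1]"]; found = 0
            cnt = split(kv["ipv4.addresses"], want, /,[ \t]*/)
            for (i = 1; i <= cnt; i++) if (want[i] == live) found = 1
            if (!found) { print "PENDING live=" live " configured=" kv["ipv4.addresses"]; n++ }
            if (kv["ipv4.ignore-auto-dns"] != "yes") { print "AUTO-DNS-NOT-IGNORED"; n++ }
        }
        if (n == 0) print "OK"
    }'
}

# Constructed sample of `nmcli conn show` output, built from the tutorial values.
# $1 = live IP4.ADDRESS[1], $2 = ipv4.ignore-auto-dns setting.
sample_profile() {
    cat <<EOF
connection.id:                  db
802-3-ethernet.mac-address:     00:50:56:99:3F:55
ipv4.method:                    manual
ipv4.addresses:                 10.121.105.18/22
ipv4.gateway:                   10.121.104.1
ipv4.ignore-auto-dns:           $2
IP4.ADDRESS[1]:                 $1
EOF
}

# State right after `conn modify`, before `conn up`: two findings are printed.
sample_profile 10.121.105.113/22 no | audit_profile
```

A PENDING finding means the profile was modified but nmcli conn up has not been run yet, so the live address is still the old one.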