Planning Network Configuration
You can configure multiple network interfaces after installing and initializing a CipherTrust Manager physical appliance or private cloud Virtual CipherTrust Manager.
This configuration uses GNOME NetworkManager and its nmcli tool
nmcli
is available to the ksadmin
user through the CipherTrust Manager appliance's serial connection, or the Virtual CipherTrust Manager's console.
Caution
Modifying a remote network interface over SSH is risky. The remote connection will stop responding if the IP address settings are incorrectly configured, resulting in the remote machine being unreachable.
This section details available settings and techniques to plan your network configuration. There is also a network configuration tutorial available for a simple set up without network interface bonding, VLAN, or static routes.
You might wish to:
set IPv4 or IPv6 for a Network Device.
We suggest explicitly disabling IPv6 unless it is required for your network. That way, there are fewer IP addresses exposed for CipherTrust Manager network devices, and therefore fewer ways for potential attackers to reach CipherTrust Manager.
configure a Static IP Address or DHCP.
By default, CipherTrust Manager uses DHCP. You can configure a static IP address or DHCP so that CipherTrust Manager conforms to the way your network more broadly assigns IP addresses.
set a static MAC address for a connection
There is a known issue where network device names sometimes swap MAC addresses after a reboot. This has been observed for network interfaces beginning with
eth
and bonded connections created from network interfaces beginning witheth
.We recommended creating a connection for each hardware network device so that the NetworkManager connection binds to the hardware device's MAC address instead of the network interface name, even if the network device is not connected. It is important to apply this to all network devices because even a network device that is not currently used may be used in the future.
A static route can restrict externally-bound services, such as a connection to an external root-of-trust HSM, to a specific network interface. You can additionally disable the default route so that only traffic for a specific external service goes through the network interface.
A bonded network interface provides redundancy and performance improvements by aggregating two or more network interfaces to form a single logical interface.
VLAN can be useful to virtually isolate CipherTrust Manager network interfaces from other systems on the physical network to enhance security without the need for additional network equipment.
Setting IPv4 or IPv6 Protocol for a Network Device
By default, NetworkManager uses auto
for ipv4.method
and ipv6.method
, creating both IPv4 and IPv6 addresses for a CipherTrust Manager network device. You can explicitly provide ipv4.method
and/or ipv6.method
to disable creation of either type of address.
You can specify IPv4 or IPv6 when first adding a network connection, or when modifying a network connection.
Disabling IPv6 for a network interface does not disable the link local address. As traffic to and from link local addresses cannot be propagated through a router, an IPv6 link local address generally does not present security concerns with external attackers. If you still need to disable the link local address, contact customer support.
To Add a New Connection with IPv4 Only
Use
nmcli
to see an active device's live values to create a connection. Retain the MAC address, shown as theGENERAL.HWADDR
value, for creating a connection later.$ nmcli device show ens3 GENERAL.DEVICE: ens3 GENERAL.TYPE: ethernet GENERAL.HWADDR: 00:50:56:99:3F:54
In the
nmcli connection add
command, specifyipv4.method auto ipv6.method ignore
.nmcli conn add type ethernet con-name <connection-name> ifname '' -- ethernet.mac-address <desired-MAC-address> -- ipv4.method auto ipv6.method ignore
View the connection details to ensure IPv6 is disabled.
ipv6.method
is set toignore
for correct configuration. For example:nmcli con show <connection-name> connection.id: eth0 [...] ipv6.method: ignore [...] IP6.ADDRESS[1]: fe80::c9c:4cff:fe6a:1267/64
To Modify an Existing Connection to Disable IPv6
Modify the IPv6 configuration for the connection.
nmcli con modify <connection-name> ipv6.method ignore
Apply the configuration changes to the connection.
nmcli con up <connection-name>
View the connection details to ensure IPv6 is disabled.
ipv6.method
is set toignore
for correct configuration.nmcli con show <connection-name> connection.id: eth0 [...] ipv6.method: ignore [...] IP6.ADDRESS[1]: fe80::c9c:4cff:fe6a:1267/64
Configuring Static IP Address or DHCP
If you are setting up a new connection, use nmcli conn add
to set static IP address or DHCP. If you are modifying an existing connection, use nmcli conn modify
to set static IP address or DHCP. By default, CipherTrust Manager attempts to use DHCP for its connections.
Both static IP sections include setting manual gateways and DNS servers.
To set a static IP for a new connection
Use
nmcli
to see an active device's live values to create a connection. Retain the MAC address, shown as theGENERAL.HWADDR
value, for creating a connection later.$ nmcli device show <device-name> GENERAL.DEVICE: ens3 GENERAL.TYPE: ethernet GENERAL.HWADDR: 00:50:56:99:3F:54
Run the following command, providing a gateway and DNS address, with the
auto
method to set a static IPv4 address and no IPv6 address:nmcli conn add type ethernet con-name <connection_name> ifname '' -- ethernet.mac-address <desired-MAC-address> – ipv4.method manual ipv6.method ignore ipv4.addresses <static_IP_address> ipv4.gateway <gateway_address> ipv4.dns <dns_addresses>
To ensure that DHCP-provided DNS servers are ignored, run the command:
$ nmcli conn modify <network device> ipv4.ignore-auto-dns yes
To activate the DNS setting, restart the connection using the
up
sub-command:$ nmcli conn up <device_name>
To change to a static IP from DHCP
Modify the connection, providing a manual static IP address, a gateway, and DNS servers.
$ nmcli conn modify <connection_name> ipv4.method manual ipv4.addresses <static_ip_address> ipv4.gateway <gateway_ip_address> ipv4.dns <dns_server>
To ensure that DHCP-provided DNS servers are ignored, run the command:
$ nmcli conn modify <network device> ipv4.ignore-auto-dns yes
To activate the modification, restart the connection using the
up
sub-command:$ nmcli conn up <device_name> Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)
To set DHCP for a new connection
Use
nmcli
to see an active device's live values to create a connection. Retain the MAC address, shown as theGENERAL.HWADDR
value, for creating a connection later.$ nmcli device show <device-name> GENERAL.DEVICE: ens3 GENERAL.TYPE: ethernet GENERAL.HWADDR: 00:50:56:99:3F:54
Run the following command with the
auto
method to set DHCP with IPv4 and to ignore IPv6:nmcli conn add type ethernet con-name <connection_name> ifname '' -- ethernet.mac-address <desired-MAC-address> -- ipv4.method auto ipv6.method ignore
To change to DHCP from a static IP
Run the following command with the
auto
method to set DHCP with IPv4 and to ignore IPv6:nmcli conn modify con-name <connection_name> ifname '' -- ethernet.mac-address <desired-MAC-address> -- ipv4.method auto ipv6.method ignore
To activate the new setting, restart the connection using the
up
sub-command:$ nmcli conn up <device_name>
Configuring Static MAC Address
For CipherTrust Manager appliances, some configurations can result in alternating MAC address after reboot. We have observed alternating MAC addresses with network interface names beginning with eth
and bonded connections created from network interfaces beginning with eth
.
We recommended that each connection binds to the hardware device's MAC address instead of the network interface name, even if the network device is not connected. It is important to apply this to all network devices because even a network device that is not currently used may be used in the future.
To set a connection to a static MAC address
View MAC address currently in use for a network interface.
nmcli device show <network-device-name>
Example Result
GENERAL.DEVICE: ens3 GENERAL.TYPE: ethernet GENERAL.HWADDR: 00:50:56:99:3F:54 ...
The
GENERAL.HWADDR
value is the MAC address to associate to a connection name.Modify the desired connection to use the desired MAC address.
$ nmcli connection modify <connection-name> ifname '' -- ethernet.mac-address <desired-MAC-address> ipv4.method
Apply the configuration change.
$ nmcli conn up cluster
Note
For bonded network interfaces, this feature should be used together with fail_over_mac=0
, which is the default setting.
Configuring Static Routes
You can use static routes to ensure that outbound traffic from a specific service only goes through a specific network interface.
For example, you might want to ensure traffic to an external root-of-trust HSM only takes place through the ens3 network interface. If you set a static route for ens3 that includes the HSM's IP address range, CipherTrust Manager directs all traffic bound for the HSM's IP address through ens3.
If you want to dedicate a network interface to only route traffic from a specific service, and not to route traffic from other services, you must also disable the default route.
To configure a static route:
Modify the NetworkManager connection to use a static route.
Run the command:
$ nmcli conn modify <connection name> +ipv4.routes "<static route> <gateway>"
Example:
$ nmcli conn modify ens3 +ipv4.routes "192.168.122.0/24 172.30.1.1"
Apply the configuration change.
Run the command:
$ nmcli conn up <connection name>
Example:
$ nmcli conn up <connection name> Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/10)
Verify that the route is active.
$ ip route default via 172.30.1.1 dev ens3 proto static 172.30.0.128/26 dev kylo0 proto kernel scope link src 172.30.0.129 172.30.1.0/24 dev ens3 proto kernel scope link src 172.30.1.71 192.168.122.0/24 via 172.30.1.1 dev ens3 proto static
The output shows that the route is now active.
Disable the Default Route
If an interface should only communicate with IP addresses matching a static route for the interface, remove the default route entry. Removing the default route entry for an interface disallows traffic to all other destination IPs.
For example, if you set a static route to restrict HSM traffic to the eth1 interface, leaving the default entry in place means that CipherTrust Manager might also direct traffic for LDAP through eth1.
By default, all active network interfaces have a default route entry in the routing table. The metric value (lower means higher priority) determines which interface is used to route traffic that does not have an explicit static route. Unless otherwise configured, the metric value might change for a given interface (for example, after reboot or after modifying an interface's configuration) which might result in traffic for an external service being routed via a different interface.
Check if the interface has a default route. In this example we are checking for
eth1
.$ ip route
Example response
default via 172.30.1.1 dev eth0 proto dhcp metric 101 default via 172.30.1.1 dev eth1 proto dhcp metric 102 172.30.1.0/24 dev eth0 proto kernel scope link src 172.30.1.71 metric 101 172.30.1.0/24 dev eth0 proto kernel scope link src 172.30.1.72 metric 102 172.30.0.128/25 dev kylo0 proto kernel scope link src 172.30.0.129 192.168.122.0/24 via 172.30.1.1 dev eth0 proto static
A default route for
eth1
is present on the second line.Remove the route for
eth1
.$ nmcli c mod eth1 ipv4.never-default true ipv6.never-default true $ nmcli c up eth1
Verify that the default route is removed:
$ ip route
Example response
default via 172.30.1.1 dev eth0 proto dhcp metric 101 172.30.1.0/24 dev eth0 proto kernel scope link src 172.30.1.71 metric 101 172.30.1.0/24 dev eth0 proto kernel scope link src 172.30.1.72 metric 102 172.30.0.128/25 dev kylo0 proto kernel scope link src 172.30.0.129 192.168.122.0/24 via 172.30.1.1 dev eth0 proto static
The default route for
eth1
is removed.
Bonding Network Interfaces
The official Linux kernel HOWTO documents this feature in detail.
The nmcli's reference documentation covers details specific to NetworkManager configuration.
Note
Bonding network interfaces is intended for physical appliances, for example, CipherTrust Manager k570. It is generally not relevant to virtual CipherTrust Manager instances, as bonding is not useful in a virtual environment.
Start by using
nmcli
to create a bonded connection for fail-over only (the most basic type of bond).$ nmcli conn add type bond con-name bond0 ifname bond0 -- bond.options mode=active-backup Connection 'bond0' (c6661f6b-5d68-4ffa-9ae8-63f0e4224cb4) successfully added. $ nmcli conn show bond0 bond.options: mode=active-backup
Alternatively, for certain networking environments such as in a virtual environment, the default setting of
fail_over_mac=0
might not be optimal and settingfail_over_mac=1
can be an option. Please refer to the Linux Kernel HOWTO for more information. The command to create the bonded connection would then be:$ nmcli conn add type bond con-name bond0 ifname bond0 -- bond.options mode=active-backup,fail_over_mac=1 Connection 'bond0' (c6661f6b-5d68-4ffa-9ae8-63f0e4224cb4) successfully added. $ nmcli conn show bond0 ... bond.options: mode=active-backup,fail_over_mac=1
Next, use
nmcli
to list devices and add some of them to the bond.$ nmcli device DEVICE TYPE STATE CONNECTION ... ens3 ethernet connected ens3 ens4 ethernet disconnected -- ...
Create the bond connections for
ens3
andens4
by specifyingbond0
as their master and bring them up. Notice thatens3
has an existing connection profile, so delete it first to ensure only the bond connection profile is used.$ nmcli conn delete ens3 Connection 'ens3' (f4e38090-6d3c-4612-b5b5-2d4c6a0c361d) successfully deleted. $ nmcli conn add type ethernet con-name ens3-bond0 ifname ens3 master bond0 Connection 'ens3-bond0' (3d87c66e-a128-4e4f-897a-b31cf1b5fdbf) successfully added. $ nmcli conn add type ethernet con-name ens4-bond0 ifname ens4 master bond0 Connection 'ens4-bond0' (b488d1f4-4a73-43ee-8a7f-9e992a850903) successfully added. $ nmcli conn up ens3-bond0 Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7) $ nmcli conn up ens4-bond0 Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
Next, use
nmcli
to bring up the bonded interface and confirm that it received an IP address.$ nmcli conn show bond0 ... connection.type: bond ... IP4.ADDRESS[1]: 10.121.105.113/22
Verify the bonded interface continues to receive and transmit data when either of the enslaved network interfaces are down (e.g. by removing the cable, disabling the port in the switch, etc.).
It is recommended to restart the OS to verify that the bond persist across reboots. If it does not then check if a connection profile exist for any of the interfaces that compose this bond and have an equal or higher connection priority. Either delete the duplicate connection profile or increase the priority of the bonded connections so it has precedence.
Virtual LAN (VLAN)
Virtual Local Area Network (VLAN) is a mechanism to virtually isolate systems located on the same physical network. If you want to configure your CipherTrust Manager network adapters to use VLAN, we recommend having supporting network equipment and also configuring VLAN on the network layer.
VLAN can be configured with any VLAN ID and it is also possible to mix non-VLAN and multiple VLANs on the same network adapter. When mixing non-VLAN and multiple VLANs be careful to keep subnets and routing correct for the machine to be able to route traffic using the correct VLAN ID.
All examples are illustrated using a static IP address but DHCP can be used assuming there is a VLAN aware DHCP server on the network.
Switch a network adapter to VLAN only
This example disables any non-VLAN configuration on the selected network adapter and enables VLAN ID 10 with a static IP address. With this configuration, this machine can only talk to other machines using the same VLAN ID.
Delete any existing connections to make sure no stale configuration is left on the connections. If the connections are not already configured, the commands fail as expected with 'Error: unknown connection'.
$ nmcli conn delete ens3.10
$ nmcli conn delete ens3
Target setup:
ens3
with no network configurationens3.10
with VLAN ID 10 and a static IP address192.168.1.2
Setup commands:
$ nmcli conn add type vlan con-name ens3.10 dev ens3 id 10 ip4 192.168.1.2/24
Any traffic to the subnet 192.168.1.0/24
uses VLAN 10 unless there are other subnets and routes configured on this machine using the same subnet.
Mixing non-VLAN and VLAN on same network adapter
This example enables both non-VLAN and VLAN on the same network adapter with different subnets. With this configuration, this machine can talk to other machines without VLAN on one subnet and with VLAN on another subnet.
Delete any existing connections to make sure no stale configuration is left on the connection. If the connections are not already configured, the commands fail as expected with 'Error: unknown connection'.
$ nmcli conn delete ens3.10
$ nmcli conn delete ens3
Target setup:
ens3
with no VLAN and with static IP address192.168.1.2
ens3.10
with VLAN ID 10 and a static IP address192.168.2.2
Setup commands:
$ nmcli conn add type ethernet con-name ens3 ifname ens3 ip4 192.168.1.2/24
$ nmcli conn add type vlan con-name ens3.10 dev ens3 id 10 ip4 192.168.2.2/24
Any traffic to the subnet 192.168.1.0/24
does not use VLAN and any traffic to the subnet 192.168.2.0/24
uses VLAN 10 unless there are other subnets and routes configured on this machine using the same subnet.
Multiple VLANs on same network adapter
It is also possible to have multiple VLANs on the same network adapter. This example disables any non-VLAN configuration on the selected network adapter and enables VLAN ID 10 and VLAN ID 20 with static IP addresses with different subnets. With this configuration this machine can talk to two different VLANs using two different subnets.
Delete any existing connection to make sure no stale configuration is left on the connection. If the connections are not already configured, the commands fail as expected with 'Error: unknown connection'.
$ nmcli conn delete ens3.10
$ nmcli conn delete ens3.20
$ nmcli conn delete ens3
Target setup:
ens3
with no network configurationens3.10
with VLAN ID 10 and a static IP address192.168.1.2
ens3.20
with VLAN ID 20 and a static IP address192.168.2.2
Setup commands:
$ nmcli conn add type vlan con-name ens3.10 dev ens3 id 10 ip4 192.168.1.2/24
$ nmcli conn add type vlan con-name ens3.20 dev ens3 id 20 ip4 192.168.2.2/24
Any traffic to the subnet 192.168.1.0/24
uses VLAN 10 and any traffic to the subnet 192.168.2.0/24
uses VLAN 20 unless there are other subnets and routes configured on this machine using the same subnet.
VLAN with bonding
VLAN can also be used together with bonding. The principle is very similar to the normal non-bonding case with the difference that the bonded network adapter is used as the device. Consult Bonding Network Interfaces for more information on setting up bonding.
Switch a network adapter to VLAN only
This example disables any non-VLAN configuration on the selected bonded network adapter and enables VLAN ID 10 with a static IP address. With this configuration this machine can only talk to other machines using the same VLAN ID.
Delete any existing connection to make sure no stale configuration is left on the connection. If the connections are not already configured, the commands fail as expected with 'Error: unknown connection'.
$ nmcli conn delete bond0.10
$ nmcli conn delete ens3-bond0
$ nmcli conn delete ens4-bond0
$ nmcli conn delete bond0
Target setup:
bond0
with no network configurationbond0.10
with VLAN ID 10 and a static IP address192.168.1.2
Setup commands:
$ nmcli conn add type bond con-name bond0 ifname bond0 -- bond.options mode=active-backup ipv4.method disabled ipv6.method ignore
$ nmcli conn add type ethernet con-name ens3-bond0 ifname ens3 master bond0
$ nmcli conn add type ethernet con-name ens4-bond0 ifname ens4 master bond0
$ nmcli conn add type vlan con-name bond0.10 dev bond0 id 10 ip4 192.168.1.2/24
Any traffic to the subnet 192.168.1.0/24
uses VLAN 10 unless there are other subnets and routes configured on this machine using the same subnet.
Mixing non-VLAN and VLAN on same network adapter
This example enables both non-VLAN and VLAN on the same network adapter with different subnets. With this configuration this machine can talk to other machines without VLAN on one subnet and with VLAN on another subnet.
Delete any existing connection to make sure no stale configuration is left on the connection. If the connections are not already configured, the commands fail as expected with 'Error: unknown connection'.
$ nmcli conn delete bond0.10
$ nmcli conn delete ens3-bond0
$ nmcli conn delete ens4-bond0
$ nmcli conn delete bond0
Target setup:
bond0
with no VLAN and with static IP address192.168.1.2
bond0.10
with VLAN ID 10 and a static IP address192.168.2.2
Setup commands:
$ nmcli conn add type bond con-name bond0 ifname bond0 ip4 192.168.1.2/24 -- bond.options mode=active-backup
$ nmcli conn add type ethernet con-name ens3-bond0 ifname ens3 master bond0
$ nmcli conn add type ethernet con-name ens4-bond0 ifname ens4 master bond0
$ nmcli conn add type vlan con-name bond0.10 dev bond0 id 10 ip4 192.168.2.2/24
Any traffic to the subnet 192.168.1.0/24
does not use VLAN and any traffic to the subnet 192.168.2.0/24
uses VLAN 10 unless there are other subnets and routes configured on this machine using the same subnet.