Network Configuration Tutorial
You can configure multiple network interfaces after installing and initializing a CipherTrust Manager physical appliance or private cloud Virtual CipherTrust Manager.
Caution
Network interface configuration on public clouds should be done using the cloud provider's tools.
This configuration is performed using GNOME NetworkManager and its nmcli tool.
This tutorial provides an example of typical network configuration steps. These steps show how to view network devices, view network connections, set DHCP with IPv4 for a connection, and then modify the connection to use a static IP instead of DHCP.
Planning is required for network interface bonding, configuring static routes, or configuring VLAN.
Basic Network Configuration Tasks with nmcli
Connect as the ksadmin user to the CipherTrust Manager appliance through its serial connection, or the Virtual CipherTrust Manager through its console.
Caution
Modifying a remote network interface over SSH is risky. The remote connection will stop responding if the IP address settings are incorrectly configured, resulting in the remote machine being unreachable.
Use nmcli to list the available network devices (also called network interfaces or NICs). The devices listed in this example are truncated for brevity.
$ nmcli device
DEVICE       TYPE      STATE         CONNECTION
kylo0        bridge    connected     kylo0
ens3         ethernet  connected     ens3
ens4         ethernet  disconnected  --
veth05d02c4  ethernet  unmanaged     --
...
The output of this command may show over 30 devices. However, only a few require explanation:
kylo0 is used for internal communication by CipherTrust Manager services. It should never be altered in any way.
ens3 is an active device with a NetworkManager connection profile named ens3.
ens4 is an inactive device with no NetworkManager connection profile defined.
veth05d02c4 is an unmanaged device and should be ignored because NetworkManager cannot be used to control or configure the device.
As a general rule, device names starting with eth or en are devices an administrator can configure.
Consider giving connections meaningful names based on the context of their use. For example, if ens3 is responsible for web traffic and ens4 is responsible for database traffic, then naming the connections web and db provides better context for how they are used.
Use nmcli to see an active device's live values. In this example the only active device so far is ens3.
$ nmcli device show ens3
GENERAL.DEVICE:            ens3
GENERAL.TYPE:              ethernet
GENERAL.HWADDR:            00:50:56:99:3F:54
GENERAL.MTU:               1500
GENERAL.STATE:             100 (connected)
GENERAL.CONNECTION:        ens3
GENERAL.CON-PATH:          /org/freedesktop/NetworkManager/ActiveConnection/8
WIRED-PROPERTIES.CARRIER:  on
IP4.ADDRESS[1]:            10.121.105.97/22
IP4.GATEWAY:               10.121.104.1
IP4.DNS[1]:                10.121.8.7
IP4.DNS[2]:                172.16.2.13
IP4.DNS[3]:                172.16.2.12
IP6.ADDRESS[1]:            fe80::bd7e:b93f:7e66:4b92/64
IP6.GATEWAY:
The output shows that IPv4 has an address and accompanying values and that IPv6 only has a link-local address. Retain the MAC address, shown as the GENERAL.HWADDR value, for creating a connection later.
Use nmcli to see the configured network devices that NetworkManager calls connections. Notice that the connections listed in this example do not include device ens4 because it is not yet configured.
$ nmcli conn
NAME   UUID                                  TYPE            DEVICE
ens3   9d86421b-7032-48eb-ac5a-3c84d285d01e  802-3-ethernet  ens3
kylo0  78765519-b051-4d85-a9bd-3a681ce3c9cf  bridge          kylo0
A connection NAME and a DEVICE name are the same in this example. However, the connection name does not need to match the device name and may be any string, such as "Wired connection 1".
Use nmcli to create a connection configuration for device ens4 using DHCP for IPv4 and no IPv6 configuration. When ipv4.method and/or ipv6.method are not explicitly provided, then NetworkManager uses auto by default.
There is a known issue in CipherTrust Manager instances upgraded from 2.4 and earlier, where the network interface name may be associated with a different MAC address after a reboot. Because of this issue, it is highly recommended to bind the connection to the MAC address instead of the network interface name when creating the connection profile.
$ nmcli conn add type ethernet con-name ens4 ifname '' -- ethernet.mac-address 00:50:56:99:3F:55 ipv4.method auto ipv6.method ignore
Use nmcli to confirm the connection is created with the correct configuration for device ens4. The configuration and active values in this example are truncated for brevity.
$ nmcli conn show ens4
connection.id:              ens4
connection.uuid:            d797d28c-fe8a-49ab-8181-271870d6cfc6
connection.interface-name:  ens4
connection.type:            802-3-ethernet
...
ipv4.method:                auto
...
ipv6.method:                ignore
...
IP4.ADDRESS[1]:             10.121.105.113/22
IP4.GATEWAY:                10.121.104.1
IP4.DNS[1]:                 10.121.8.7
IP4.DNS[2]:                 172.16.2.13
IP4.DNS[3]:                 172.16.2.12
...
The output format uses lowercase key names to indicate configuration values (e.g. ipv4.method) and uppercase key names to indicate live values (e.g. IP4.ADDRESS[1]). From this output we can see the newly configured device's IP address obtained via DHCP is 10.121.105.113.
Try connecting to ens4's address from a browser and confirm that CipherTrust Manager UI loads. If the UI does not load, try pinging the address to confirm the IP address can be reached. If neither works, then double check the connection values are as expected.
Now that a connection is created for ens4, if it needs to be altered, then the modify sub-command may be used. Use nmcli to modify device ens4's connection to use a static IP address instead of DHCP. You must provide a gateway and DNS server(s).
$ nmcli conn modify ens4 ipv4.method manual ipv4.addresses 10.121.105.18/22 ipv4.gateway 10.121.104.1 ipv4.dns 8.8.8.8,8.8.4.4
$ nmcli conn show ens4 | grep IP4.ADDRESS
IP4.ADDRESS[1]: 10.121.105.113/22
To ensure that DHCP-provided DNS servers are ignored, run the command:
$ nmcli conn modify ens4 ipv4.ignore-auto-dns yes
Notice that the IP4.ADDRESS[1] field listed in the second command still has the original IP address obtained via DHCP. In order to activate the modification, the connection must be restarted using the up sub-command:
$ nmcli conn up ens4
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)
$ nmcli conn show ens4 | grep IP4.ADDRESS
IP4.ADDRESS[1]: 10.121.105.18/22
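The checks this tutorial performs by eye (the profile is bound to a MAC address, the live uppercase values match the configured lowercase ones, DHCP-provided DNS is ignored) can be scripted. The following is an added example, not part of the original tutorial or the product: audit_profile is a hypothetical helper, the two samples are constructed from the values shown above, and it assumes nmcli prints the MAC property as 802-3-ethernet.mac-address.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): audit `nmcli conn show <profile>` text.
# Lowercase keys are configured values, uppercase keys are live values.

# Constructed sample: ens4 after `conn modify`, before `conn up`.
SAMPLE_PENDING='connection.id:                ens4
802-3-ethernet.mac-address:   00:50:56:99:3F:55
ipv4.method:                  manual
ipv4.addresses:               10.121.105.18/22
ipv4.ignore-auto-dns:         no
IP4.ADDRESS[1]:               10.121.105.113/22'

# Constructed sample: same profile after `conn up` and ignore-auto-dns yes.
SAMPLE_ACTIVE='connection.id:                ens4
802-3-ethernet.mac-address:   00:50:56:99:3F:55
ipv4.method:                  manual
ipv4.addresses:               10.121.105.18/22
ipv4.ignore-auto-dns:         yes
IP4.ADDRESS[1]:               10.121.105.18/22'

# Reads profile text on stdin, prints one WARN line per finding,
# and returns the number of findings (0 means clean).
audit_profile() {
  awk '
    {
      i = index($0, ":")            # split on the first colon only:
      if (i == 0) next              # values (MACs, IPv6) contain colons
      val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      kv[substr($0, 1, i - 1)] = val
    }
    END {
      id = kv["connection.id"]
      mac = kv["802-3-ethernet.mac-address"]
      if (mac == "" || mac == "--") {
        print "WARN " id ": not bound to a MAC address"; n++
      }
      if (kv["ipv4.method"] == "manual") {
        if (kv["IP4.ADDRESS[1]"] != kv["ipv4.addresses"]) {
          print "WARN " id ": live " kv["IP4.ADDRESS[1]"] " != configured " kv["ipv4.addresses"] ", run: nmcli conn up " id; n++
        }
        if (kv["ipv4.ignore-auto-dns"] != "yes") {
          print "WARN " id ": ipv4.ignore-auto-dns is not yes"; n++
        }
      }
      exit n + 0
    }'
}

printf '%s\n' "$SAMPLE_PENDING" | audit_profile || true
```

On the appliance console, feed it real output with: nmcli conn show ens4 | audit_profile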