Network Configuration Tutorial


You can configure multiple network interfaces after installing and initializing a CipherTrust Manager physical appliance or private cloud Virtual CipherTrust Manager.

Network interface configuration on public clouds should be done using the cloud provider's tools.

This configuration is performed using GNOME NetworkManager and its nmcli tool.

This tutorial provides an example of typical network configuration steps. These steps show how to view network devices, view network connections, set DHCP with IPv4 for a connection, and then modify the connection to use a static IP instead of DHCP.

Planning is required for network interface bonding, configuring static routes, or configuring VLAN.

Basic Network Configuration Tasks with nmcli

  1. Connect as the ksadmin user to the CipherTrust Manager appliance through its serial connection, or the Virtual CipherTrust Manager through its console.

    Modifying a remote network interface over SSH is risky. The remote connection will stop responding if the IP address settings are incorrectly configured, resulting in the remote machine being unreachable.

  2. Use nmcli to list the available network devices (also called network interfaces or NICs). The devices listed in this example are truncated for brevity.

    $ nmcli device
    
    DEVICE       TYPE      STATE         CONNECTION
    kylo0        bridge    connected     kylo0
    ens3         ethernet  connected     ens3
    ens4         ethernet  disconnected  --
    veth05d02c4  ethernet  unmanaged     --
    ...
    

    The output of this command may show over 30 devices. However, only a few require explanation:

    • kylo0 is used for internal communication by CipherTrust Manager services. It should never be altered in any way.

    • ens3 is an active device with a NetworkManager connection profile named ens3.

    • ens4 is an inactive device with no NetworkManager connection profile defined.

    • veth05d02c4 is an unmanaged device and should be ignored because NetworkManager cannot be used to control or configure the device.

    As a general rule, device names starting with eth or en are devices an administrator can configure.

    Consider giving connections meaningful names based on the context of their use. For example, if ens3 is responsible for web traffic and ens4 is responsible for database traffic, then naming the connections web and db provides better context for how they are used.

  3. Use nmcli to see an active device's live values. In this example the only active device so far is ens3.

    $ nmcli device show ens3
    
    GENERAL.DEVICE:            ens3
    GENERAL.TYPE:              ethernet
    GENERAL.HWADDR:            00:50:56:99:3F:54
    GENERAL.MTU:               1500
    GENERAL.STATE:             100 (connected)
    GENERAL.CONNECTION:        ens3
    GENERAL.CON-PATH:          /org/freedesktop/NetworkManager/ActiveConnection/8
    WIRED-PROPERTIES.CARRIER:  on
    IP4.ADDRESS[1]:            10.121.105.97/22
    IP4.GATEWAY:               10.121.104.1
    IP4.DNS[1]:                10.121.8.7
    IP4.DNS[2]:                172.16.2.13
    IP4.DNS[3]:                172.16.2.12
    IP6.ADDRESS[1]:            fe80::bd7e:b93f:7e66:4b92/64
    IP6.GATEWAY:
    

    The output shows that IPv4 has an address and accompanying values and that IPv6 only has a link-local address. Retain the MAC address, shown as the GENERAL.HWADDR value, for creating a connection later.

  4. Use nmcli to see the configured network devices that NetworkManager calls connections. Notice that the connections listed in this example do not include device ens4 because it is not yet configured.

    $ nmcli conn
    
    NAME   UUID                                  TYPE            DEVICE
    ens3   9d86421b-7032-48eb-ac5a-3c84d285d01e  802-3-ethernet  ens3
    kylo0  78765519-b051-4d85-a9bd-3a681ce3c9cf  bridge          kylo0
    

    A connection NAME and a DEVICE name are the same in this example. However, the connection name does not need to match the device name and may be any string, such as "Wired connection 1".

  5. Use nmcli to create a connection profile for device ens4 that uses DHCP for IPv4 and no IPv6 configuration. If ipv4.method or ipv6.method is not given explicitly, NetworkManager defaults it to auto.

    There is a known issue in CipherTrust Manager instances upgraded from 2.4 and earlier, where the network interface name may be associated with a different MAC address after a reboot. Because of this issue, it is highly recommended to bind the connection to the MAC address instead of the network interface name when creating the connection profile.

    $ nmcli conn add type ethernet con-name ens4 ifname '' -- ethernet.mac-address 00:50:56:99:3F:55 ipv4.method auto ipv6.method ignore
    
  6. Use nmcli to confirm the connection is created with the correct configuration for device ens4. The configuration and active values in this example are truncated for brevity.

    $ nmcli conn show ens4
    
    connection.id:                          ens4
    connection.uuid:                        d797d28c-fe8a-49ab-8181-271870d6cfc6
    connection.interface-name:              ens4
    connection.type:                        802-3-ethernet
    ...
    ipv4.method:                            auto
    ...
    ipv6.method:                            ignore
    ...
    IP4.ADDRESS[1]:                         10.121.105.113/22
    IP4.GATEWAY:                            10.121.104.1
    IP4.DNS[1]:                             10.121.8.7
    IP4.DNS[2]:                             172.16.2.13
    IP4.DNS[3]:                             172.16.2.12
    ...
    

    The output format uses lowercase key names to indicate configuration values (e.g. ipv4.method) and uppercase key names to indicate live values (e.g. IP4.ADDRESS[1]). From this output we can see the newly configured device's IP address obtained via DHCP is 10.121.105.113.

  7. Try connecting to ens4's address from a browser and confirm that CipherTrust Manager UI loads. If the UI does not load, try pinging the address to confirm the IP address can be reached. If neither works, then double check the connection values are as expected.

  8. Now that a connection exists for ens4, the modify sub-command can alter it. Use nmcli to change device ens4's connection from DHCP to a static IP address. You must provide a gateway and one or more DNS servers.

    $ nmcli conn modify ens4 ipv4.method manual ipv4.addresses 10.121.105.18/22 ipv4.gateway 10.121.104.1 ipv4.dns 8.8.8.8,8.8.4.4
    
    $ nmcli conn show ens4 | grep IP4.ADDRESS
    
    IP4.ADDRESS[1]:                         10.121.105.113/22
    
  9. To ensure that DHCP-provided DNS servers are ignored, run the command:

    $ nmcli conn modify ens4 ipv4.ignore-auto-dns yes
    
  10. Notice that the IP4.ADDRESS[1] field shown by the nmcli conn show command in step 8 still holds the original IP address obtained via DHCP. To activate the modification, the connection must be restarted using the up sub-command:

    $ nmcli conn up ens4
    
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)
    
    $ nmcli conn show ens4 | grep IP4.ADDRESS
    
    IP4.ADDRESS[1]:                         10.121.105.18/22
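An added example, not part of Thales' tutorial or tooling, that wraps the steps above in preflight helpers: it pulls the MAC out of nmcli device show output for the MAC-bound profile of step 5, and refuses to emit the step 8 modify command when the gateway is outside the new address's subnet, the misconfiguration that the warning in step 1 says leaves the appliance unreachable. The helper names and the sample device show lines are constructed.

```sh
#!/bin/sh
# Added example, not Thales' tooling: preflight helpers for the nmcli
# steps in this tutorial. They only do string and integer work, so they
# run without NetworkManager; paste the printed nmcli lines into the
# ksadmin console after reviewing them.

# Dotted-quad IPv4 -> 32-bit integer (octets are assumed well-formed).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR/PREFIX GATEWAY: succeed only when the gateway lies
# inside the network the address belongs to.
same_subnet() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Read `nmcli device show DEV` output on stdin and print GENERAL.HWADDR,
# the MAC the tutorial says to bind the profile to (step 5).
hwaddr_from_show() {
    awk '$1 == "GENERAL.HWADDR:" { print $2; exit }'
}

# Print the step 5 `nmcli conn add` line bound to a MAC, not a device name.
add_cmd_for_mac() {   # add_cmd_for_mac CON-NAME MAC
    printf "nmcli conn add type ethernet con-name %s ifname '' -- ethernet.mac-address %s ipv4.method auto ipv6.method ignore\n" "$1" "$2"
}

# Print the step 8/9 `nmcli conn modify` line for a static address, but only
# after checking the gateway is in the address's subnet: a gateway outside
# it leaves the interface unreachable once `nmcli conn up` is run.
static_modify_cmd() {   # static_modify_cmd CON-NAME ADDR/PREFIX GATEWAY DNS-LIST
    if ! same_subnet "$2" "$3"; then
        echo "refusing: gateway $3 is outside $2" >&2
        return 1
    fi
    printf 'nmcli conn modify %s ipv4.method manual ipv4.addresses %s ipv4.gateway %s ipv4.dns %s ipv4.ignore-auto-dns yes\n' "$1" "$2" "$3" "$4"
}

# Demo with the tutorial's values; the `device show` text is constructed.
printf 'GENERAL.DEVICE: ens4\nGENERAL.HWADDR: 00:50:56:99:3F:55\n' | hwaddr_from_show
add_cmd_for_mac ens4 00:50:56:99:3F:55
static_modify_cmd ens4 10.121.105.18/22 10.121.104.1 8.8.8.8,8.8.4.4
```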