Essential Examples for System Administrators (Bridge, VLAN, and SSH Safety)

NetworkManager’s command-line tool nmcli is a powerful utility for managing network connections on Linux servers. For system administrators, mastering nmcli is essential—it allows you to configure everything from basic static IPs to complex setups involving bridges and VLANs, all from the terminal.

However, there’s one critical risk every admin must understand: making network changes over SSH can lock you out of the server permanently. This guide covers the essential nmcli commands you need to know and, crucially, the precautions required to avoid losing remote access.

Understanding nmcli Basics: Connections vs. Devices

Before diving into commands, it’s important to understand two key concepts in NetworkManager:

  • Device: The physical (or virtual) network interface itself (e.g., eth0, ens33). You can view devices with nmcli device status.
  • Connection: The configuration profile applied to a device. One device can have multiple connections (though only one active at a time), and connections can be modified and reapplied. You view these with nmcli connection show.

Essential nmcli Commands for Daily Administration

Here are the foundational commands for inspecting and managing network interfaces.

1. Viewing Network Status

Check overall NetworkManager status, list all devices and their state, or see all configured connection profiles (active or not).

# Check general NetworkManager running status
nmcli general status

# List all network devices and their connection state
nmcli device status

# Show all configured connections
nmcli connection show

# Show only active connections
nmcli connection show --active

2. Configuring a Static IP Address

This is one of the most common tasks. The following modifies an existing connection named 'Wired connection 1' to use a manual (static) IP configuration.

# Set static IP, gateway, and DNS
nmcli connection modify 'Wired connection 1' \
    ipv4.method manual \
    ipv4.addresses 192.168.1.100/24 \
    ipv4.gateway 192.168.1.1 \
    ipv4.dns "8.8.8.8 8.8.4.4"

# Activate the modified connection
nmcli connection up 'Wired connection 1'

Note: The ipv4.addresses property uses CIDR notation (e.g., /24). Multiple DNS servers can be specified with spaces or commas.

3. Switching Back to DHCP

Reverting a connection to automatic configuration via DHCP.

nmcli connection modify 'Wired connection 1' \
    ipv4.method auto \
    ipv4.addresses "" \
    ipv4.gateway "" \
    ipv4.dns ""

nmcli connection up 'Wired connection 1'

4. Creating a New Ethernet Connection from Scratch

If you’re setting up a new interface (e.g., eth1), you can create a connection profile directly.

# Create a new DHCP connection bound to interface eth1
nmcli connection add type ethernet con-name 'Office LAN' ifname eth1

# Create a new static IP connection for eth1 in one command
nmcli connection add type ethernet con-name 'Static Backup' ifname eth1 \
    ip4 10.0.0.50/24 gw4 10.0.0.1

Advanced nmcli: Configuring VLANs

VLANs allow you to segment network traffic on a single physical interface. You can set up VLAN-only interfaces or mix tagged and untagged traffic.

Scenario 1: Switch an interface to VLAN-only (ID 10)
This disables regular traffic on eth0 and creates a VLAN sub-interface eth0.10.

# First, delete any existing non-VLAN connection on eth0 (optional but clean)
nmcli connection delete eth0 2>/dev/null

# Create VLAN connection with ID 10 and static IP
nmcli connection add type vlan con-name eth0.10 dev eth0 id 10 \
    ip4 192.168.10.50/24

Scenario 2: Mixing VLAN and native traffic on the same NIC
This configures eth0 to communicate on the native (untagged) network while simultaneously handling traffic for VLAN 20.

# Native connection (no VLAN)
nmcli connection add type ethernet con-name eth0 ifname eth0 \
    ip4 192.168.1.50/24

# VLAN connection (ID 20) on the same physical interface
nmcli connection add type vlan con-name eth0.20 dev eth0 id 20 \
    ip4 192.168.20.50/24

Important: Ensure the two subnets differ (here 192.168.1.0/24 for the native connection and 192.168.20.0/24 for VLAN 20) to avoid routing conflicts.

Advanced nmcli: Configuring Network Bridges

Bridges are essential for virtualization—they connect virtual machines to the same network as the host.

Scenario: Creating a bridge (br0) and adding a physical interface (eth0)

# 1. Create the bridge interface
nmcli connection add type bridge con-name br0 ifname br0 \
    ip4 192.168.1.50/24 gw4 192.168.1.1

# 2. Convert the physical interface eth0 into a bridge port (slave)
nmcli connection add type ethernet slave-type bridge con-name br0-port1 \
    ifname eth0 master br0

# 3. Bring up the bridge and the slave connection
nmcli connection up br0
nmcli connection up br0-port1

After this setup, VMs can be attached to br0 to appear as distinct devices on the 192.168.1.0/24 network.

Complex Scenario: Bridge on top of a VLAN on top of a Bond (Advanced Enterprise)
In data center environments, you may need to present bridged networks to VMs that are segmented by VLAN and served by a bonded interface for redundancy.

# 1. Create the bridge (Layer 2 only, no IP)
nmcli connection add type bridge ifname br0 ipv4.method disabled con-name br0

# 2. Create the bond (Layer 2 only, no IP) and attach the physical NICs (net1, net2)
nmcli connection add type bond ifname bond0 bond.options "mode=active-backup" \
    ipv4.method disabled con-name bond0
nmcli connection add type ethernet ifname net1 con-name net1 master bond0
nmcli connection add type ethernet ifname net2 con-name net2 master bond0

# 3. Create the VLAN on top of the bond and attach it to the bridge
#    (only the VLAN is a bridge port; the bond itself must not be, or untagged
#    traffic from the bond would be bridged as well)
nmcli connection add type vlan ifname bond0.100 dev bond0 id 100 \
    ipv4.method disabled master br0 con-name bond0.100

Critical Caution: Avoiding SSH Lockout When Working Remotely

Never modify the network interface you are currently using to connect to the server via SSH without a rollback plan. This is the single most important rule of remote network administration. If you change the IP address, subnet mask, or gateway incorrectly, or if you disable the connection, the SSH session will hang and you will be completely locked out.

Here are the standard operating procedures to prevent disaster:

  1. Use nmcli Interactive Mode (Recommended): The nmcli connection edit command is the safest method. It allows you to make multiple changes and apply them atomically with a single activate. Most importantly, it has a built-in timeout and automatic rollback. If the new configuration fails, it reverts to the previous working connection.
  2. Script the Rollback (The at command): If you are running direct modification commands (nmcli connection modify), always schedule a rollback job. This is a “dead man’s switch.” If you get locked out, the system will revert changes after a few minutes.

     # Schedule a rollback in 2 minutes (120 seconds). The profile named here
     # must still hold the known-good settings: re-activating the profile you
     # just modified would only reapply the modified settings.
     echo "nmcli connection up 'Current Connection Name'" | at now + 2 minutes

     # Now, run your risky modification and up commands...

     # If you are successful, remove the scheduled job:
     atrm <job_number>

  3. Test with reapply (If Supported): Some connection types support nmcli device reapply, which attempts to apply new settings without deactivating the link entirely. However, this is not supported for all properties (like IP method changes).
  4. Bind to MAC Address: When creating connections, especially if interface names can change (common with eth0/eth1 renames), bind the profile to the hardware MAC address. This ensures the right config goes to the right port.

     nmcli connection add type ethernet con-name 'Safe Connection' ifname '*' \
         ethernet.mac-address 00:50:56:99:3F:54 ...

  5. Disable IPv6 if Unused: Unless specifically required, set ipv6.method ignore on connections. This reduces complexity and the number of routes/IPs exposed, which can prevent unintended connectivity issues.
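As an added example (not from the original article), the following shell wrapper combines the static-IP change from section 2 with the precautions above: it refuses an address whose gateway lies outside the subnet (a common way to lose the default route), keeps an untouched copy of the profile with nmcli connection clone, and arms an at job that reactivates that copy unless you cancel it. It assumes root, a running atd, nmcli on PATH and a POSIX shell; the helper names (safe_static_ip, gateway_in_subnet, the '-rollback' suffix) are my own, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: pre-flight checks plus a dead man's switch around
# `nmcli connection modify`. Not part of the original article.
# Assumes: root, atd running, nmcli on PATH. DRY_RUN=1 prints commands only.

ip_to_int() {
    # Dotted-quad IPv4 -> 32-bit integer on stdout; non-zero status if malformed.
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

valid_cidr() {
    # "a.b.c.d/len" with 0 <= len <= 32, the form ipv4.addresses expects.
    case "$1" in */*) ;; *) return 1 ;; esac
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    ip_to_int "${1%/*}" >/dev/null
}

gateway_in_subnet() {
    # gateway_in_subnet CIDR GATEWAY -> 0 if the gateway is inside the subnet
    # (and is not the host address itself), 1 if not, 2 on malformed input.
    valid_cidr "$1" || return 2
    a=$(ip_to_int "${1%/*}") || return 2
    g=$(ip_to_int "$2") || return 2
    len=${1#*/}
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ "$a" -ne "$g" ] || return 1
    [ $(( a & mask )) -eq $(( g & mask )) ]
}

run() {
    # Execute a command, or only print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

safe_static_ip() {
    # safe_static_ip CONNECTION CIDR GATEWAY [ROLLBACK_MINUTES]
    con=$1; cidr=$2; gw=$3; mins=${4:-2}; backup="$con-rollback"
    if ! gateway_in_subnet "$cidr" "$gw"; then
        echo "refusing: gateway $gw is not inside $cidr (or the input is malformed)" >&2
        return 1
    fi
    # 1. Keep an untouched copy. Re-activating the profile you are about to
    #    modify would only reapply the modified (possibly broken) settings.
    run nmcli connection clone "$con" "$backup"
    # 2. Dead man's switch: the copy comes back up unless the job is cancelled.
    run sh -c "echo \"nmcli connection up '$backup'\" | at now + $mins minutes"
    # 3. The risky change itself.
    run nmcli connection modify "$con" ipv4.method manual \
        ipv4.addresses "$cidr" ipv4.gateway "$gw"
    run nmcli connection up "$con"
    echo "Open a second SSH session now. If it works: atq; atrm <job>; nmcli connection delete '$backup'"
}

# Dry run, so the sequence can be read without touching a live system:
# DRY_RUN=1 safe_static_ip 'Wired connection 1' 192.168.1.100/24 192.168.1.1
```

Cancel the at job only after a fresh SSH session on the new address has succeeded, and delete the cloned profile afterwards; otherwise two profiles bound to the same interface remain and may compete at the next boot.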

Summary of Best Practices

  • Prefer nmcli over manual file editing: nmcli validates syntax and ensures the NetworkManager daemon is aware of changes immediately.
  • Use Tab Completion: nmcli supports excellent bash completion. Use it to discover options (e.g., nmcli connection add type followed by Tab).
  • Check Your Work: Use nmcli connection show <name> to see the configured values (lowercase ipv4.addresses) vs. nmcli device show <dev> for the actual live values (uppercase IP4.ADDRESS[1]).
  • Always have Out-of-Band Access: For production servers, ensure you have console access (iDRAC, IPMI, cloud VNC console) as a backup to reverse network lockouts.
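As an added example, not part of the original article: a small shell check that parses the terse output of those two commands (nmcli -t -f ipv4.addresses connection show NAME and nmcli -t -f IP4.ADDRESS device show DEV) and reports when the profile and the live device disagree, which is exactly what you see when a modify has been run but the connection was never re-activated. Only IPv4 is handled (in terse mode nmcli backslash-escapes the colons of IPv6 addresses); the sample outputs are constructed so the comparison runs without nmcli, and check_connection is my own helper name.

```shell
#!/bin/sh
# Added example, not from the original article: compare what a profile
# configures with what the device actually carries. IPv4 only.

terse_values() {
    # Parse `nmcli -t -f FIELD ... show` output: strip the "FIELD[n]:" key,
    # split comma-separated lists, trim, sort. Output is one address per line.
    printf '%s\n' "$1" | sed 's/^[^:]*://' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort
}

config_matches_live() {
    # config_matches_live CONFIGURED_OUTPUT LIVE_OUTPUT -> 0 when both describe
    # the same set of addresses, 1 otherwise.
    [ "$(terse_values "$1")" = "$(terse_values "$2")" ]
}

# Constructed sample outputs, shaped like the real commands' terse output.
SAMPLE_CFG='ipv4.addresses:192.168.1.100/24'        # nmcli -t -f ipv4.addresses connection show 'Wired connection 1'
SAMPLE_LIVE='IP4.ADDRESS[1]:192.168.1.100/24'       # nmcli -t -f IP4.ADDRESS device show eth0
SAMPLE_LIVE_STALE='IP4.ADDRESS[1]:192.168.1.50/24'  # same device, but `connection up` was never run after modify

check_connection() {
    # check_connection PROFILE DEVICE : the live version of the check; needs nmcli.
    cfg=$(nmcli -t -f ipv4.addresses connection show "$1") || return 2
    live=$(nmcli -t -f IP4.ADDRESS device show "$2") || return 2
    if config_matches_live "$cfg" "$live"; then
        echo "ok: $2 carries exactly what '$1' configures"
    else
        echo "MISMATCH: '$1' configures [$(terse_values "$cfg" | tr '\n' ' ')] but $2 has [$(terse_values "$live" | tr '\n' ' ')]" >&2
        echo "hint: a modify takes effect only after 'nmcli connection up'" >&2
        return 1
    fi
}

# Offline demonstration on the constructed samples:
# config_matches_live "$SAMPLE_CFG" "$SAMPLE_LIVE"       -> exit status 0
# config_matches_live "$SAMPLE_CFG" "$SAMPLE_LIVE_STALE" -> exit status 1
```

Run check_connection 'Wired connection 1' eth0 after every change to the connection you are working on; a non-zero exit is the signal that the profile and the kernel state have drifted apart.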

By understanding these commands and adhering to the safety precautions, you can confidently manage complex Linux networking entirely from the command line.