Home » Blog » Configuring VLANs with NMCLI on RHEL 9

Information

Configuring VLANs with NMCLI on RHEL 9

Benhcmark Administrator

17/10/2025

8 Views 0

SaveSavedRemoved 0

Mastering VLAN Configuration on RHEL 9 with NMCLI: A Step-by-Step Guide

In modern network environments, segmenting traffic is crucial for security, performance, and organization. Virtual LANs (VLANs) are the industry standard for logically dividing a single physical network into multiple, isolated broadcast domains. For administrators working with Red Hat Enterprise Linux 9, the nmcli command-line tool provides a powerful and efficient way to manage network configurations, including the creation and management of VLANs.

This guide will walk you through the entire process of configuring, verifying, and managing VLAN interfaces using nmcli on RHEL 9.

Prerequisites

Before you begin, ensure you have the following:

• A system running Red Hat Enterprise Linux 9.
• Root or sudo privileges.
• The name of the physical network interface (e.g., eno1, eth0) that will serve as the parent for your VLANs.

Step 1: Identify Your Parent Network Interface

First, you need to know the name of the physical network device that will carry the tagged VLAN traffic. You can list all available network devices and their status using the following command:

nmcli device status

Look for your primary, connected Ethernet device in the output. For this guide, we will assume the parent interface is named eno1.

Step 2: Create the VLAN Interface

With the parent interface identified, you can create a new VLAN connection profile. The nmcli command for this is straightforward and allows you to define all necessary parameters in a single line.

The core command structure is:
nmcli connection add type vlan con-name <connection-name> ifname <vlan-interface-name> dev <parent-device> id <vlan-id>

Let’s break down the components:

• type vlan: Specifies that we are creating a VLAN connection.
• con-name: A user-friendly name for the NetworkManager connection profile (e.g., VLAN-100-Marketing).
• ifname: The name of the new virtual network interface (e.g., vlan100 or eno1.100).
• dev: The parent physical interface (e.g., eno1).
• id: The numerical VLAN tag or ID (e.g., 100).

Example: To create a VLAN with ID 100 on the eno1 interface, you would run:

sudo nmcli connection add type vlan con-name VLAN-100-Marketing ifname vlan100 dev eno1 id 100

This command creates a new connection profile and a corresponding virtual interface named vlan100. By default, this new connection is configured to use DHCP for its IP address.

Step 3: Assign a Static IP Address (Optional)

In many server environments, a static IP address is required. If you need to assign a static IP instead of using DHCP, you can modify the connection profile you just created.

You will need to set the IPv4 addressing method to manual and provide the IP address, subnet mask (in CIDR notation), and gateway.

Example: To configure the VLAN-100-Marketing connection with a static IP address of 192.168.100.10/24 and a gateway of 192.168.100.1, use the following commands:

sudo nmcli connection modify VLAN-100-Marketing ipv4.method manual
sudo nmcli connection modify VLAN-100-Marketing ipv4.addresses 192.168.100.10/24
sudo nmcli connection modify VLAN-100-Marketing ipv4.gateway 192.168.100.1
sudo nmcli connection modify VLAN-100-Marketing ipv4.dns "8.8.8.8,1.1.1.1"

It is crucial to set the ipv4.method to manual; otherwise, the static IP settings will be ignored.

Step 4: Activate and Verify the VLAN Connection

After creating and configuring the connection profile, you need to bring it online. Activate the connection using its name:

sudo nmcli connection up VLAN-100-Marketing

Once activated, you should verify that the interface is up and has the correct IP address.

1. Check the interface status and IP address:

ip addr show vlan100

You should see the vlan100 interface listed with the correct IP address (192.168.100.10/24 in our static example) and a state of UP.

2. Check the active NetworkManager connections:

nmcli connection show --active

Your new VLAN connection, VLAN-100-Marketing, should appear in the list of active connections.

Managing Your VLANs

nmcli also makes it simple to manage your existing VLAN connections.

• To view the detailed configuration of a VLAN:

  nmcli connection show VLAN-100-Marketing
  

• To temporarily take a VLAN interface down:

  sudo nmcli connection down VLAN-100-Marketing
  

• To permanently delete a VLAN connection profile:
  First, bring the connection down, then delete it.

  sudo nmcli connection down VLAN-100-Marketing
  sudo nmcli connection delete VLAN-100-Marketing
  

Security Best Practices for VLANs

Properly configuring VLANs is only half the battle. Securing them is equally important.

1. Use Firewall Rules: A VLAN is an isolated broadcast domain, not a security boundary. Use firewalld to create strict rules controlling which traffic is allowed to pass between VLANs. Assign your new VLAN interfaces to appropriate firewall zones to enforce policy.
   bash
sudo firewall-cmd --zone=internal --change-interface=vlan100 --permanent
sudo firewall-cmd --reload

2. Avoid the Native VLAN for Devices: The native (untagged) VLAN can be a security risk. It’s best practice to configure it as an unused, isolated “blackhole” VLAN and ensure all production devices reside on explicitly tagged VLANs.
3. Prune Unused VLANs: On your network switches, only allow the necessary VLANs on trunk ports. Pruning unnecessary VLANs from trunks limits the potential attack surface if one VLAN is compromised.

By leveraging the power of nmcli on RHEL 9, you can implement a robust, secure, and easily manageable VLAN architecture for your enterprise environment.

Source: https://infotechys.com/set-up-vlans-using-nmcli-on-rhel-9/