KVM Host Network Management using Network Manager (NMCLI)

CloudSpinx
September 5, 2025
9:25 pm
No Comments

While administering a KVM host, one of the crucial things is network configuration. Virtual machines (VMs) rely on stable connectivity to be able to talk to one another, the host, and outside networks. nmcli is a terminal-based NetworkManager client that enables administrators to create, edit, delete, and inspect network connections with the absence of a GUI. It comes in handy where headless setups have been the case (in the majority of KVM hosts) due to the unavailability of GUI tools.

On many Linux distributions, Network Manager is installed by default. If it’s not installed, you can install it by running the following commands:

Debian-based systems:

sudo apt update && sudo apt install network-manager

RHEL-based systems:

sudo dnf install NetworkManager -y
sudo systemctl enable --now NetworkManager

You will then use nmcli command line tool to create and configure Linux bridge.

Check your ethernet interface name:

ip link show
# OR
ip addr

Set the variables to be used:

# Specify the name of the physical interface (eth0)
PHY_INT=eth0

# Specify the name of the bridge interface (br0)
BR_NAME=br0

If using static IP address on the bridge provide extra configurations:

# Static IP address of the bridge with netmask
IPADDR=192.168.1.10/24

# The default gateway
GATEWAY=192.168.1.1
# DNS server 1
DNS1=8.8.8.8
# DNS server 2
DNS2=8.8.4.4

🔥 TRENDING - Our #1 Selling eBook

Mastering KVM Virtualization - The Ultimate eBook

From home labs to production clouds - master KVM Host management, automating KVM administration using Terraform, Vagrant, and cloud automation. This eBook will enable you to build scalable virtual infrastructure that works whether you're learning at home or deploying enterprise solutions. Get your full copy today

Only $10 $20

Get Instant Access →

1. Create Linux bridge (No VLAN)

Let’s consider two examples:

Create a bridge with DHCP:

# Add a new bridge
sudo nmcli connection add type bridge con-name ${BR_NAME} ifname ${BR_NAME}

# Add the Ethernet interface to the bridge
sudo nmcli connection add type bridge-slave ifname ${PHY_INT} master ${BR_NAME}

# Disable STP on the Bridge
sudo nmcli connection modify ${BR_NAME} bridge.stp no

# Set the bridge to use DHCP
sudo nmcli connection modify ${BR_NAME} ipv4.method auto

# Bring up the bridge
sudo nmcli connection up ${BR_NAME}

# Enable automatic start
sudo nmcli connection modify ${BR_NAME} connection.autoconnect yes

# Set connection mode to auto
sudo nmcli connection modify ${BR_NAME} connection.autoconnect yes

# Bring up the bridge
sudo nmcli connection up ${BR_NAME}

Create a bridge with Static IP address:

# Create a new bridge (br0)
sudo nmcli connection add type bridge con-name ${BR_NAME} ifname ${BR_NAME}

# Add Ethernet interface to the bridge (eth0)
sudo nmcli connection add type bridge-slave ifname ${PHY_INT} master ${BR_NAME}

# Set IP address and subnet mask for the bridge
sudo nmcli connection modify ${BR_NAME} ipv4.addresses ${IPADDR}

# Set bridge default gateway
sudo nmcli connection modify ${BR_NAME} ipv4.gateway ${GATEWAY}

# Set DNS servers
sudo nmcli connection modify ${BR_NAME} ipv4.dns ${DNS1} #+ipv4.dns ${DNS2}

# Set IPv4 addressing method to manual
sudo nmcli connection modify ${BR_NAME} ipv4.method manual

# Disable STP on the Bridge
sudo nmcli connection modify ${BR_NAME} bridge.stp no

# Enable automatic start
sudo nmcli connection modify ${BR_NAME} connection.autoconnect yes

# Bring up the bridge
sudo nmcli connection up ${BR_NAME}

Delete primary physical interface connection:

nmcli con delete ${PHY_INT}

Verify verify the bridge configuration using the nmcli command:

nmcli device status
nmcli connection show
# Show bridge specific configurations
nmcli connection show ${BR_NAME}

You can restart the server to confirm network work or restart NetworkManager. The confirm your IP settings by running:

ip ad
brctl show

Sample output:

# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 6c:4b:90:67:a2:e8 brd ff:ff:ff:ff:ff:ff
    altname enx6c4b9067a2e8
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 34:e1:2d:da:41:93 brd ff:ff:ff:ff:ff:ff
    altname wlx34e12dda4193
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6c:4b:90:67:a2:e8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.7/24 brd 192.168.1.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2d59:ee87:1c4b:f8a5/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.6c4b9067a2e8       no              enp0s31f6

2. Create Linux bridge (with VLAN)

Follow the following steps to create a Linux bridge using an interface with VLAN tagging.

Define physical interface and bridge name.

# Specify the name of the physical interface (eth0)
PHY_INT=eth0

# Specify the name of the bridge interface (br0)
BR_NAME=br0

Define VLAN tag:

VLAN_ID=100

If using static IP addressing also set relevant value assignemts like below:

# Static IP address of the bridge with netmask
IPADDR=192.168.1.10/24

# The default gateway
GATEWAY=192.168.1.1
# DNS server 1
DNS1=8.8.8.8
# DNS server 2
DNS2=8.8.4.4

Create a VLAN Interface

Start by creating a VLAN interface on the desired physical interface:

sudo nmcli connection add type vlan con-name \
  vlan100 ifname vlan${VLAN_ID} dev ${PHY_INT} id ${VLAN_ID}

Create a Linux Bridge

Create a bridge interface with the desired name .

sudo nmcli connection add type bridge con-name ${BR_NAME} ifname ${BR_NAME}

Enable automatic starting of the bridge.

sudo nmcli connection modify ${BR_NAME} connection.autoconnect yes

Disable STP on the bridge.

sudo nmcli connection modify ${BR_NAME} bridge.stp no

If using DHCP set connection method to auto:

sudo nmcli connection modify ${BR_NAME} ipv4.method auto

Add the VLAN Interface to the Bridge

sudo nmcli connection add type bridge-slave con-name \
${BR_NAME}-port1 ifname vlan${VLAN_ID} master ${BR_NAME}

Configure IP Address for the Bridge (optional)

If you are not using DHCP, configure static IP address for the bridge:

# Set IP address and subnet mask for the bridge
sudo nmcli connection modify ${BR_NAME} ipv4.addresses ${IPADDR}

# Set bridge default gateway
sudo nmcli connection modify ${BR_NAME} ipv4.gateway ${GATEWAY}

# Set DNS servers
sudo nmcli connection modify ${BR_NAME} ipv4.dns ${DNS1} #+ipv4.dns ${DNS2}

# Set IPv4 addressing method to manual
sudo nmcli connection modify ${BR_NAME} ipv4.method manual

Activate VLAN interface and bridge

Finally bring up the VLAN interface and the bridge.

sudo nmcli connection up vlan${VLAN_ID}
sudo nmcli connection up ${BR_NAME}

Confirm that the interfaces are online:

nmcli con show vlan${VLAN_ID}
nmcli con show ${BR_NAME}

3. Create Linux bridge on Bond Interface

A network bond is a method to combine or aggregate physical and virtual network interfaces to provide a logical interface with higher throughput or redundancy. In a bond, the kernel handles all operations exclusively. You can create bonds on different types of devices, such as Ethernet devices or VLANs.

In this section we will look at how you can configure network bond using nmcliand create a Linux bridge from the interface.

Available bonding modes

Bonding Mode	Description	Switch Configuration
`0 (balance-rr)`	Round-robin distribution of packets across interfaces.	Static Etherchannel (not LACP-negotiated)
`1 (active-backup)`	One interface is active, others are in backup mode.	Autonomous ports
`2 (balance-xor)`	XOR hashing of MAC addresses to distribute packets across interfaces.	Requires specific switch configuration
`3 (broadcast)`	Broadcast packets to all interfaces.	Not recommended for most use cases
`4 (802.3ad)`	LACP (Link Aggregation Control Protocol) for dynamic link aggregation.	LACP-capable switch required
`5 (balance-tlb)`	Transmit load balancing based on destination MAC address hash.	No specific switch configuration required
`6 (balance-alb)`	Adaptive load balancing based on traffic patterns.	No specific switch configuration required

BONDING_OPTS Parameters

The BONDING_OPTS parameter in a bonding interface configuration allows you to specify additional options for the bonding driver. Here’s a table of commonly used options:

Option	Description
`mode`	Specifies the bonding mode (e.g., `0`, `1`, `4`).
`miimon`	ARP/ICMP link monitoring interval in milliseconds.
`downdelay`	Delay before marking a slave down (milliseconds).
`updelay`	Delay before marking a slave up (milliseconds).
`lacp_rate`	LACP rate (slow/fast) for mode 4 (802.3ad).
`xmit_hash_policy`	Transmit hash policy (e.g., `layer2`, `layer3+4`).
`arp_ip`	IP address for ARP requests.
`fail_over_mac`	MAC address to use for the bond interface.

Let’s set the bridge name, bond name and interfaces that will be used to create a bond interface.

# Specify the name of the bridge interface (br0)
BR_NAME=br0

# Define bond name
BOND_NAME=bond0

# Bond interfaces
INT1=eth1
INT2=eth2

If using static IP addressing, set IP related information for the bridge interface if you want to configure IP address on it.

# Static IP address of the bridge with netmask
IPADDR=192.168.1.10/24

# The default gateway
GATEWAY=192.168.1.1
# DNS server 1
DNS1=8.8.8.8
# DNS server 2
DNS2=8.8.4.4

Create a bridge interface

sudo nmcli connection add type bridge ifname ${BR_NAME} con-name ${BR_NAME}
sudo nmcli connection modify ${BR_NAME} bridge.stp no
sudo nmcli connection modify ${BR_NAME} connection.autoconnect yes

Configure Bridge IPv4 settings (Optional)

To use DHCP, enter:

sudo nmcli connection modify ${BR_NAME} ipv4.method auto

To set a static IPv4 address, network mask, default gateway, and DNS server to the bridge br0 connection:

sudo nmcli connection modify ${BR_NAME} ipv4.addresses ${IPADDR}
sudo nmcli connection modify ${BR_NAME} ipv4.gateway ${GATEWAY}
sudo nmcli connection modify ${BR_NAME} ipv4.dns ${DNS1} +ipv4.address ${DNS2}
sudo nmcli connection modify ${BR_NAME} ipv4.method manual

If setting single DNS server remove +ipv4.address ${DNS2}.

Create a bond interface

With mode 1 (active-backup)

sudo nmcli connection add type bond con-name ${BOND_NAME} \
ifname ${BOND_NAME} bond.options "mode=active-backup,miimon=100" \
master ${BR_NAME}

With mode 0 (balance-rr)

sudo nmcli connection add type bond con-name ${BOND_NAME} \
ifname ${BOND_NAME} bond.options "mode=balance-rr,miimon=100"

With mode 4 (802.3ad)

sudo nmcli connection add type bond con-name ${BOND_NAME} \
ifname ${BOND_NAME} bond.options "mode=802.3ad,lacp_rate=fast,miimon=100"

Assign interfaces to the bond

Create connection profiles for the interfaces, and add them to the bond connection. This should be used if the interfaces you want to assign to the bond are not configured

sudo nmcli connection add type ethernet \
con-name ${BOND_NAME}-port1 ifname ${INT1} master ${BOND_NAME}

sudo nmcli connection add type ethernet \
con-name ${BOND_NAME}-port2 ifname ${INT2} master ${BOND_NAME}

Activate the interfaces

Bring up the bridge which will activate bond interface.

sudo nmcli connection up ${BR_NAME}

Display the network interfaces:

nmcli device status

You can also confirm the bond is up by running the command:

cat /proc/net/bonding/${BOND_NAME}

For bridge you can user brctl command:

$ brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.92b356815b4a    no        bond0

Extra notes

Setting bridge MTU

BRIDGE_MTU=1500 # Example setting MTU to 1500
sudo nmcli con modify ${BR_NAME} 802-3-ethernet.mtu ${BRIDGE_MTU}

Setting Bond and its interfaces MTU

BOND_MTU=9000 # Example setting bond MTU to 9000
sudo nmcli con modify ${BOND_NAME} 802-3-ethernet.mtu ${BOND_MTU}
sudo nmcli con modify ${BOND_NAME}-port1 802-3-ethernet.mtu ${BOND_MTU}
sudo nmcli con modify ${BOND_NAME}-port2 802-3-ethernet.mtu ${BOND_MTU}

Create VLAN on the bond and attaching to bridge

VLAN=200
# Create sub-vlan interface from bond
sudo nmcli con add type vlan con-name ${BOND_NAME}.${VLAN} \
ifname ${BOND_NAME}.${VLAN} dev ${BOND_NAME} id ${VLAN}

# Set bond vlan interface as master to bridge
sudo nmcli con modify ${BOND_NAME}.${VLAN} master ${BR_NAME}

🌍 Whether at work or on the go, access Mastering KVM Virtualization anytime, in the book you will learn:

Host Network Management using Netplan: bridges, VLANs, Bonded interfaces
Host Network Management using Network Manager (NMCLI) – bridged, VLANs, Bonds/Teamed
Host Network Management using Networking Scripts
Host Network Management using Open vSwitch

Watch out for other KVM guides from our team:

Join our Linux and open source community. Subscribe to our newsletter for tips, tricks, and collaboration opportunities!

Unlock the Right Solutions with Confidence

At CloudSpinx, we don’t just offer services - we deliver clarity, direction, and results. Whether you're navigating cloud adoption, scaling infrastructure, or solving DevOps challenges, our seasoned experts help you make smart, strategic decisions with total confidence. Let us turn complexity into opportunity and bring your vision to life.

Elearning

Cloud Services

Infra Services

Iac & GitOps

IT Support

InfoSec

Development