Network Configuration with nmcli
Introduction
NetworkManager Command Line Interface (nmcli) is a powerful command-line tool for controlling NetworkManager and managing network connections on Linux systems. It provides comprehensive functionality for configuring, monitoring, and troubleshooting network settings without requiring a graphical interface. This tool is particularly valuable for system administrators, DevOps engineers, and users who prefer command-line operations or need to automate network configuration tasks.
NetworkManager is the default network management daemon on most modern Linux distributions, including Red Hat Enterprise Linux, CentOS, Fedora, Ubuntu, and Debian. The nmcli tool serves as the primary interface for interacting with NetworkManager from the command line, offering the same functionality available through graphical network management tools.
Core Concepts and Architecture
NetworkManager Components
NetworkManager operates through several key components that work together to manage network connectivity:
NetworkManager Daemon: The core service that runs as a system daemon, managing network interfaces and connections. It automatically handles network detection, connection establishment, and maintains network state information.
Connection Profiles: These are configuration templates that define how to connect to specific networks. Each profile contains all necessary parameters including IP addresses, DNS settings, security credentials, and other network-specific configurations.
Device Management: NetworkManager tracks all network devices on the system, including Ethernet adapters, wireless cards, mobile broadband modems, and virtual interfaces. Each device can have multiple connection profiles associated with it.
Active Connections: These represent currently established network connections, linking specific devices with their active connection profiles.
nmcli Architecture
The nmcli tool operates through a hierarchical command structure with main objects and their associated actions:
| Object | Purpose | Primary Actions |
|--------|---------|----------------|
| general | System and NetworkManager status | status, hostname, permissions, logging |
| networking | Overall networking control | on, off, connectivity |
| radio | Wireless and mobile radio control | wifi, wwan, all |
| connection | Connection profile management | show, up, down, add, modify, delete |
| device | Network device management | status, show, set, connect, disconnect |
| agent | NetworkManager secret agent | secret, polkit, all |
| monitor | Real-time monitoring | connection changes, device status |
Basic nmcli Syntax and Usage
Command Structure
The general syntax for nmcli commands follows this pattern:
`bash
nmcli [OPTIONS] OBJECT { COMMAND | help }
`
Global Options:
- -t, --terse: Produce terse output suitable for scripting
- -p, --pretty: Pretty-print output for human readability
- -m, --mode {tabular|multiline}: Control output format
- -f, --fields <fields>: Specify which fields to display
- -e, --escape {yes|no}: Escape special characters in values
- -w, --wait <seconds>: Set timeout for operations
Basic Information Commands
System Status Overview:
`bash
nmcli general status
`
This command provides a comprehensive overview of NetworkManager's current state, including overall connectivity status, wireless hardware state, and networking enablement status.
Network Connectivity Check:
`bash
nmcli networking connectivity check
`
Performs an active connectivity test to verify internet accessibility, returning status indicators such as full, limited, portal, or none.
Device Status Summary:
`bash
nmcli device status
`
Lists all network devices with their current state, connection status, and associated connection profiles.
Connection Management
Viewing Connection Profiles
List All Connections:
`bash
nmcli connection show
`
Displays all configured connection profiles with their names, UUIDs, types, and associated devices.
Detailed Connection Information:
`bash
nmcli connection show "connection-name"
`
Provides comprehensive details about a specific connection profile, including all configuration parameters, IP settings, DNS configuration, and security settings.
Active Connections Only:
`bash
nmcli connection show --active
`
Filters the display to show only currently active network connections.
Connection State Management
Activating Connections:
`bash
nmcli connection up "connection-name"
`
Brings up a specific connection profile, establishing network connectivity according to the profile's configuration.
Deactivating Connections:
`bash
nmcli connection down "connection-name"
`
Terminates an active network connection while preserving the connection profile for future use.
Connection Reload:
`bash
nmcli connection reload
`
Forces NetworkManager to re-read all connection profile files, useful after manual configuration file modifications.
Creating New Connection Profiles
Ethernet Connection with DHCP:
`bash
nmcli connection add \
type ethernet \
con-name "office-ethernet" \
ifname eth0 \
autoconnect yes
`
Ethernet Connection with Static IP:
`bash
nmcli connection add \
type ethernet \
con-name "server-static" \
ifname eth0 \
ip4 192.168.1.100/24 \
gw4 192.168.1.1 \
ipv4.dns "8.8.8.8,8.8.4.4" \
autoconnect yes
`
WiFi Connection with WPA2:
`bash
nmcli connection add \
type wifi \
con-name "home-wifi" \
ifname wlan0 \
ssid "MyHomeNetwork" \
wifi-sec.key-mgmt wpa-psk \
wifi-sec.psk "mypassword" \
autoconnect yes
`
Advanced Connection Configuration
IP Address Configuration
Multiple IP Addresses:
`bash
nmcli connection modify "connection-name" \
+ipv4.addresses "192.168.1.100/24,192.168.1.101/24" \
ipv4.gateway "192.168.1.1"
`
IPv6 Configuration:
`bash
nmcli connection modify "connection-name" \
ipv6.method manual \
ipv6.addresses "2001:db8::100/64" \
ipv6.gateway "2001:db8::1"
`
DNS Configuration:
`bash
nmcli connection modify "connection-name" \
ipv4.dns "8.8.8.8,1.1.1.1" \
ipv4.dns-search "example.com,local.domain"
`
Advanced Network Parameters
MTU Settings:
`bash
nmcli connection modify "connection-name" \
ethernet.mtu 9000
`
VLAN Configuration:
`bash
nmcli connection add \
type vlan \
con-name "vlan100" \
dev eth0 \
id 100 \
ip4 192.168.100.10/24
`
Bridge Configuration:
`bash
# Create bridge interface
nmcli connection add \
type bridge \
con-name "br0" \
ifname br0 \
ip4 192.168.1.50/24 \
gw4 192.168.1.1

# Add slave interface to bridge
nmcli connection add \
type bridge-slave \
con-name "br0-slave-eth0" \
ifname eth0 \
master br0
`
Device Management
Device Status and Information
Comprehensive Device Status:
`bash
nmcli device show
`
Provides detailed information about all network devices, including hardware addresses, driver information, and current configuration.
Specific Device Details:
`bash
nmcli device show eth0
`
Displays comprehensive information about a specific network device, including all active settings and capabilities.
Device Control Operations
Connect Device to Specific Network:
`bash
nmcli device connect eth0
`
Attempts to establish a connection using the best available connection profile for the specified device.
Disconnect Device:
`bash
nmcli device disconnect eth0
`
Terminates all active connections on the specified device and prevents automatic reconnection.
Device Reconnection:
`bash
nmcli device reapply eth0
`
Reapplies the current connection configuration to the device, useful for applying configuration changes without disconnecting.
Wireless Network Management
WiFi Operations
WiFi Status Check:
`bash
nmcli radio wifi
`
Reports the current state of wireless radio hardware and software switches.
Enable/Disable WiFi:
`bash
nmcli radio wifi on
nmcli radio wifi off
`
Controls the wireless radio state system-wide, affecting all wireless interfaces.
Network Scanning:
`bash
nmcli device wifi list
`
Performs a scan for available wireless networks and displays detailed information including signal strength, security settings, and channel information.
Refresh WiFi Scan:
`bash
nmcli device wifi rescan
`
Forces a new scan for wireless networks, updating the available network list.
WiFi Connection Management
Connect to Open Network:
`bash
nmcli device wifi connect "OpenNetwork"
`
Connect to Secured Network:
`bash
nmcli device wifi connect "SecureNetwork" password "networkpassword"
`
Connect with Hidden SSID:
`bash
nmcli device wifi connect "HiddenNetwork" password "password" hidden yes
`
Enterprise WiFi Configuration:
`bash
nmcli connection add \
type wifi \
con-name "enterprise-wifi" \
ifname wlan0 \
ssid "CorpNetwork" \
wifi-sec.key-mgmt wpa-eap \
802-1x.eap peap \
802-1x.phase2-auth mschapv2 \
802-1x.identity "username" \
802-1x.password "password"
`
Network Configuration Tables
Connection Types and Parameters
| Connection Type | Key Parameters | Use Cases |
|----------------|----------------|-----------|
| ethernet | con-name, ifname, ip4, gw4 | Wired network connections |
| wifi | ssid, wifi-sec.key-mgmt, wifi-sec.psk | Wireless network connections |
| bridge | stp, priority, forward-delay | Network bridging, virtualization |
| bond | mode, miimon, primary | Link aggregation, redundancy |
| vlan | dev, id, flags | Network segmentation |
| vpn | vpn-type, user-name, gateway | Remote access, site-to-site |
| gsm/cdma | apn, username, password | Mobile broadband connections |
IPv4 Configuration Methods
| Method | Description | Configuration Example |
|--------|-------------|----------------------|
| auto | DHCP with automatic configuration | ipv4.method auto |
| manual | Static IP configuration | ipv4.method manual ipv4.addresses 192.168.1.100/24 |
| link-local | Automatic link-local addressing | ipv4.method link-local |
| shared | Internet connection sharing | ipv4.method shared |
| disabled | Disable IPv4 on interface | ipv4.method disabled |
Security Configuration Options
| Security Type | Parameters | Example Configuration |
|---------------|------------|----------------------|
| WPA2-PSK | key-mgmt wpa-psk, psk | wifi-sec.key-mgmt wpa-psk wifi-sec.psk "password" |
| WPA3-SAE | key-mgmt sae, psk | wifi-sec.key-mgmt sae wifi-sec.psk "password" |
| WPA Enterprise | key-mgmt wpa-eap, 802-1x settings | wifi-sec.key-mgmt wpa-eap 802-1x.eap peap |
| WEP | key-mgmt none, wep-key0 | wifi-sec.key-mgmt none wifi-sec.wep-key0 "key" |
Troubleshooting and Monitoring
Real-time Monitoring
Connection Monitoring:
`bash
nmcli monitor
`
Provides real-time updates about NetworkManager events, including connection state changes, device additions/removals, and configuration updates.
Connection-specific Monitoring:
`bash
nmcli connection monitor "connection-name"
`
Monitors events specific to a particular connection profile.
Diagnostic Commands
Connectivity Testing:
`bash
nmcli networking connectivity check
`
Performs comprehensive connectivity testing to determine the level of network access available.
Log Level Configuration:
`bash
nmcli general logging level DEBUG domains CORE,DEVICE,IP4,IP6,WIFI
`
Adjusts NetworkManager logging verbosity for troubleshooting specific network issues.
Common Troubleshooting Scenarios
DNS Resolution Issues:
`bash
# Check current DNS settings
nmcli device show eth0 | grep DNS

# Modify DNS servers
nmcli connection modify "connection-name" ipv4.dns "8.8.8.8,1.1.1.1"
nmcli connection up "connection-name"
`
IP Configuration Problems:
`bash
# Verify IP configuration
nmcli connection show "connection-name" | grep ipv4

# Reset to DHCP
nmcli connection modify "connection-name" ipv4.method auto
nmcli connection modify "connection-name" ipv4.addresses ""
nmcli connection modify "connection-name" ipv4.gateway ""
`
WiFi Connection Failures:
`bash
# Check WiFi status
nmcli radio wifi
nmcli device wifi list

# Reset WiFi connection
nmcli connection delete "wifi-connection"
nmcli device wifi connect "SSID" password "password"
`
Scripting and Automation
Scripting Best Practices
Terse Output for Scripts:
`bash
nmcli -t -f NAME,TYPE,DEVICE connection show
`
The terse format produces machine-readable output suitable for parsing in shell scripts.
Field Selection:
`bash
nmcli -t -f DEVICE,STATE device status
`
Selecting specific fields reduces output complexity and improves script reliability.
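Terse output escapes any `:` or `\` inside a value with a backslash, so a profile name that contains a colon breaks a plain `cut -d:`. The following added example (not from the original page) splits a terse line with that escaping honoured; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: read fields from `nmcli -t` output, honouring the backslash
# escaping nmcli applies to ':' and '\' inside values.

# nm_terse_field N LINE -> prints field N (1-based) unescaped; status 1 if absent.
# The body runs in a subshell "( )" so its variables stay local in plain sh.
nm_terse_field() (
    want=$1 rest=$2 idx=1 field=
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}      # first character
        rest=${rest#?}              # remainder of the line
        case $ch in
            "\\")                   # escape: the next character is literal
                field=$field${rest%"${rest#?}"}
                rest=${rest#?} ;;
            :)                      # unescaped ':' ends the current field
                if [ "$idx" -eq "$want" ]; then break; fi
                idx=$((idx + 1)); field= ;;
            *)  field=$field$ch ;;
        esac
    done
    [ "$idx" -eq "$want" ] && printf '%s\n' "$field"
)

# Constructed sample of `nmcli -t -f NAME,TYPE,DEVICE connection show` output.
sample_output() {
    cat <<'EOF'
Wired\: office:802-3-ethernet:eth0
home-wifi:802-11-wireless:wlan0
C\:\\lab share:vpn:
EOF
}

# inactive_profiles: read terse NAME,TYPE,DEVICE lines on stdin and print the
# names of profiles whose DEVICE field is empty (not bound to a device).
inactive_profiles() {
    while IFS= read -r line; do
        dev=$(nm_terse_field 3 "$line") || continue
        if [ -z "$dev" ]; then nm_terse_field 1 "$line"; fi
    done
}

# Demo on the constructed sample; on a live system pipe in
# `nmcli -t -f NAME,TYPE,DEVICE connection show` instead.
sample_output | inactive_profiles
```
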
Error Handling:
`bash
if nmcli connection show "myconnection" >/dev/null 2>&1; then
    echo "Connection exists"
    nmcli connection up "myconnection"
else
    echo "Connection not found"
    exit 1
fi
`
Automation Examples
Network Configuration Script:
`bash
#!/bin/bash
# Network configuration automation script
# Stop at the first failing command so the success message is only printed
# when every step worked
set -e

CONN_NAME="production-server"
INTERFACE="eth0"
IP_ADDRESS="192.168.1.100/24"
GATEWAY="192.168.1.1"
DNS_SERVERS="8.8.8.8,8.8.4.4"

# Check if connection exists
if nmcli connection show "$CONN_NAME" >/dev/null 2>&1; then
    echo "Connection $CONN_NAME already exists, modifying..."
    nmcli connection modify "$CONN_NAME" \
        ipv4.method manual \
        ipv4.addresses "$IP_ADDRESS" \
        ipv4.gateway "$GATEWAY" \
        ipv4.dns "$DNS_SERVERS"
else
    echo "Creating new connection $CONN_NAME..."
    nmcli connection add \
        type ethernet \
        con-name "$CONN_NAME" \
        ifname "$INTERFACE" \
        ipv4.method manual \
        ipv4.addresses "$IP_ADDRESS" \
        ipv4.gateway "$GATEWAY" \
        ipv4.dns "$DNS_SERVERS" \
        autoconnect yes
fi

# Activate the connection
nmcli connection up "$CONN_NAME"
echo "Network configuration completed successfully"
`
Advanced Configuration Scenarios
Bonding Configuration
Active-Backup Bond:
`bash
# Create bond master
nmcli connection add \
type bond \
con-name "bond0" \
ifname bond0 \
bond.options "mode=active-backup,miimon=100" \
ip4 192.168.1.100/24 \
gw4 192.168.1.1

# Add slave interfaces
nmcli connection add \
type bond-slave \
con-name "bond0-slave-eth0" \
ifname eth0 \
master bond0

nmcli connection add \
type bond-slave \
con-name "bond0-slave-eth1" \
ifname eth1 \
master bond0
`
LACP Bond Configuration:
`bash
nmcli connection add \
type bond \
con-name "lacp-bond" \
ifname bond1 \
bond.options "mode=802.3ad,miimon=100,lacp_rate=fast" \
ip4 192.168.2.100/24
`
Team Configuration
Load Balancing Team:
`bash
# Create team master
nmcli connection add \
type team \
con-name "team0" \
ifname team0 \
config '{"runner": {"name": "loadbalance"}}' \
ip4 192.168.3.100/24

# Add team slaves
nmcli connection add \
type team-slave \
con-name "team0-slave-eth0" \
ifname eth0 \
master team0

nmcli connection add \
type team-slave \
con-name "team0-slave-eth1" \
ifname eth1 \
master team0
`
VPN Configuration
OpenVPN Connection:
`bash
nmcli connection add \
type vpn \
con-name "corporate-vpn" \
vpn-type openvpn \
vpn.data "remote=vpn.company.com,connection-type=tls,cert=/path/to/cert.crt,key=/path/to/key.key,ca=/path/to/ca.crt"
`
Security Considerations
Connection Security
Certificate-based Authentication:
`bash
nmcli connection modify "secure-connection" \
802-1x.eap tls \
802-1x.identity "user@domain.com" \
802-1x.client-cert "/path/to/client.crt" \
802-1x.private-key "/path/to/private.key" \
802-1x.ca-cert "/path/to/ca.crt"
`
Password Security:
`bash
# Use password prompting instead of command line
nmcli --ask connection add type wifi con-name "secure-wifi" ssid "SecureNetwork"
`
Permission Management
User Permissions:
`bash
nmcli general permissions
`
Displays current user permissions for NetworkManager operations, showing which actions are allowed or require authentication.
Performance Optimization
Connection Optimization
MTU Optimization:
`bash
# Test optimal MTU size
ping -M do -s 1472 gateway_ip

# Set optimal MTU
nmcli connection modify "connection-name" ethernet.mtu 1500
`
DNS Performance:
`bash
# Configure multiple DNS servers for redundancy
nmcli connection modify "connection-name" \
ipv4.dns "1.1.1.1,8.8.8.8,9.9.9.9" \
ipv4.ignore-auto-dns yes
`
Monitoring Performance
Connection Statistics:
`bash
# Monitor connection statistics
watch -n 1 'nmcli device show eth0 | grep -E "(GENERAL.STATE|IP4.ADDRESS|GENERAL.CONNECTION)"'
`
Best Practices and Recommendations
Configuration Management
1. Consistent Naming: Use descriptive and consistent naming conventions for connection profiles to facilitate management and troubleshooting.
2. Documentation: Maintain documentation of network configurations, especially for complex setups involving bonding, bridging, or VLANs.
3. Backup Configurations: Regularly backup NetworkManager configuration files located in /etc/NetworkManager/system-connections/.
4. Testing: Always test network configurations in non-production environments before implementing in critical systems.
Security Best Practices
1. Credential Management: Avoid storing passwords in command history or scripts. Use NetworkManager's secret agent functionality for secure credential storage.
2. Certificate Validation: Always validate SSL/TLS certificates in VPN and enterprise wireless configurations.
3. Access Control: Implement proper user permissions and consider using PolicyKit rules for fine-grained access control.
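One way to check stored profiles against the credential and certificate points above, as an added example that is not part of the original page: it reads NetworkManager keyfiles and reports WEP, secrets kept in the file, and 802.1X profiles with no CA configured. The function names, file names and both sample profiles are constructed; the weak one mirrors the PEAP settings from the enterprise WiFi command earlier.

```shell
#!/bin/sh
# Added example: flag risky settings in NetworkManager keyfile profiles.
# Assumes the plain "key=value" keyfile layout with no spaces around "=".

# audit_keyfile FILE -> prints one finding per line, nothing when clean.
audit_keyfile() {
    awk -v f="$1" '
        /^\[.*\]$/ { sec = $0; next }                 # current [section]
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blanks
        { eq = index($0, "=")
          if (eq) seen[sec "/" substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END {
            if (seen["[wifi-security]/key-mgmt"] == "none")
                print f ": WEP in use (key-mgmt=none)"
            if (("[wifi-security]/psk" in seen) || ("[802-1x]/password" in seen))
                print f ": secret stored in the profile file"
            if (("[802-1x]/eap" in seen) && !("[802-1x]/ca-cert" in seen) &&
                seen["[802-1x]/system-ca-certs"] != "true")
                print f ": 802.1X server certificate is not validated"
        }' "$1"
}

# write_samples DIR: two constructed profiles, one weak and one hardened.
write_samples() {
    cat > "$1/corp-weak.nmconnection" <<'EOF'
[connection]
id=corp-weak
type=wifi
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=peap;
identity=username
password=password
phase2-auth=mschapv2
EOF
    cat > "$1/corp-hardened.nmconnection" <<'EOF'
[connection]
id=corp-hardened
type=wifi
[wifi-security]
key-mgmt=wpa-eap
[802-1x]
eap=peap;
identity=username
ca-cert=/path/to/ca.crt
password-flags=1
phase2-auth=mschapv2
EOF
}

# Demo on the constructed samples; only corp-weak produces findings.
tmp=$(mktemp -d); write_samples "$tmp"
for p in "$tmp"/*.nmconnection; do audit_keyfile "$p"; done
rm -rf "$tmp"
```

On a real host, run `audit_keyfile` as root over the files in /etc/NetworkManager/system-connections/; `password-flags=1` marks the secret as agent-owned, so it is not written to the profile.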
Troubleshooting Methodology
1. Systematic Approach: Follow a systematic troubleshooting approach starting with basic connectivity and progressing to specific configuration issues.
2. Log Analysis: Utilize NetworkManager logs in combination with system logs to identify root causes of network issues.
3. Incremental Changes: Make incremental configuration changes and test each change individually to isolate problems.
The nmcli tool provides comprehensive network management capabilities that can handle everything from basic connectivity to complex enterprise network configurations. Understanding its command structure, options, and capabilities enables efficient network administration and troubleshooting in Linux environments. Regular practice with these commands and concepts will develop proficiency in managing network configurations effectively and securely.