How to manage network settings and devices using the nmcli command

NetworkManager Basics

NetworkManager is a daemon that monitors and manages network settings. In addition to the daemon, there is a GNOME Notiﬁcation Area applet providing network status information. Command-line and graphical tools talk to NetworkManager and save conﬁguration ﬁles in the /etc/sysconfig/network-scripts directory.

A device is a network interface.
A connection is a collection of settings that can be conﬁgured for a device.
Only one connection can be active for any one device at a time. Multiple connections may exist for use by different devices or to allow a conﬁguration to be altered for the same device. If you need to temporarily change networking settings, instead of changing the conﬁguration of a connection, you can change which connection is active for a device. For example, a device for a wireless network interface on a laptop might use different connections for the wireless network at a work site and for the wireless network at home.
Each connection has a name or ID that identiﬁes it.
The nmcli utility is used to create and edit connection ﬁles from the command line.

Viewing Networking Information

The nmcli dev status command displays the status of all network devices:

[user@host ~]$ nmcli dev status
DEVICE  TYPE      STATE         CONNECTION
eno1    ethernet  connected     eno1
ens3    ethernet  connected     static-ens3
eno2    ethernet  disconnected  -
lo      loopback  unmanaged     -

The nmcli con show command displays a list of all connections. To list only the active connections, add the –active option.

[user@host ~]$ nmcli con show
NAME         UUID                                  TYPE            DEVICE
eno2         ff9f7d69-db83-4fed-9f32-939f8b5f81cd  802-3-ethernet  -
static-ens3  72ca57a2-f780-40da-b146-99f71c431e2b  802-3-ethernet  ens3
eno1         87b53c56-1f5d-4a29-a869-8a7bdaf56dfa  802-3-ethernet  eno1

[user@host ~]$ nmcli con show --active
NAME         UUID                                  TYPE            DEVICE
static-ens3  72ca57a2-f780-40da-b146-99f71c431e2b  802-3-ethernet  ens3
eno1         87b53c56-1f5d-4a29-a869-8a7bdaf56dfa  802-3-ethernet  eno1

Adding a Network Connection

The nmcli con add command is used to add new network connections. The following example nmcli con add commands assume that the name of the network connection being added is not already in use.

The following command adds a new connection named eno2 for the interface eno2, which gets IPv4 networking information using DHCP and autoconnects on startup. It also gets IPv6 networking settings by listening for router advertisements on the local link. The name of the conﬁguration ﬁle is based on the value of the con-name option, eno2, and is saved to the /etc/sysconfig/network-scripts/ifcfg-eno2 ﬁle.

[root@host ~]# nmcli con add con-name eno2 type ethernet ifname eno2

The next example creates an eno2 connection for the eno2 device with a static IPv4 address, using the IPv4 address and network preﬁx 192.168.0.5/24 and default gateway 192.168.0.254, but still autoconnects at startup and saves its conﬁguration into the same ﬁle.

[root@host ~]# nmcli con add con-name eno2 type ethernet ifname eno2 ip4 192.168.0.5/24 gw4 192.168.0.254

This ﬁnal example creates an eno2 connection for the eno2 device with static IPv6 and IPv4 addresses, using the IPv6 address and network preﬁx 2001:db8:0:1::c000:207/64 and default IPv6 gateway 2001:db8:0:1::1, and the IPv4 address and network preﬁx 192.0.2.7/24 and default IPv4 gateway 192.0.2.1, but still autoconnects at startup and saves its conﬁguration into /etc/sysconfig/network-scripts/ifcfg-eno2.

[root@host ~]# nmcli con add con-name eno2 type ethernet ifname eno2 ip6 2001:db8:0:1::c000:207/64 gw6 2001:db8:0:1::1 ip4 192.0.2.7/24 gw4 192.0.2.1

Controlling Network Connections

The nmcli con up name command activates the connection name on the network interface it is bound to. Note that the command takes the name of a connection, not the name of the network interface. Remember that the nmcli con show command displays the names of all available connections.

[root@host ~]# nmcli con up static-ens3

The nmcli dev disconnect device command disconnects the network interface device and brings it down. This command can be abbreviated nmcli dev dis device:

[root@host ~]# nmcli dev dis ens3

Note: Use nmcli dev dis device to deactivate a network interface. The nmcli con down name command is normally not the best way to deactivate a network interface because it brings down the connection. However, by default, most wired system connections are conﬁgured with autoconnect enabled. This activates the connection as soon as its network interface is available. Since the connection’s network interface is still available, nmcli con down name brings the interface down, but then NetworkManager immediately brings it up again unless the connection is entirely disconnected from the interface.

Modifying Network Connection Settings

NetworkManager connections have two kinds of settings. There are static connection properties, conﬁgured by the administrator and stored in the conﬁguration ﬁles in /etc/sysconfig/network-scripts/ifcfg-*. There may also be active connection data, which the connection gets from a DHCP server and which are not stored persistently.

To list the current settings for a connection, run the nmcli con show name command, where name is the name of the connection. Settings in lowercase are static properties that the administrator can change. Settings in all caps are active settings in temporary use for this instance of the connection.

[root@host ~]# nmcli con show static-ens3
connection.id:                          static-ens3
connection.uuid:                        87b53c56-1f5d-4a29-a869-8a7bdaf56dfa
connection.interface-name:              -
connection.type:                        802-3-ethernet
connection.autoconnect:                 yes
connection.timestamp:                   1401803453
connection.read-only:                   no
connection.permissions:
connection.zone:                        -
connection.master:                      -
connection.slave-type:                  -
connection.secondaries:
connection.gateway-ping-timeout:        0
802-3-ethernet.port:                    -
802-3-ethernet.speed:                   0
802-3-ethernet.duplex:                  -
802-3-ethernet.auto-negotiate:          yes
802-3-ethernet.mac-address:             CA:9D:E9:2A:CE:F0
802-3-ethernet.cloned-mac-address:      -
802-3-ethernet.mac-address-blacklist:
802-3-ethernet.mtu:                     auto
802-3-ethernet.s390-subchannels:
802-3-ethernet.s390-nettype:            -
802-3-ethernet.s390-options:
ipv4.method:                            manual
ipv4.dns:                               192.168.0.254
ipv4.dns-search:                        example.com
ipv4.addresses:                         { ip = 192.168.0.2/24, gw = 192.168.0.254 }
ipv4.routes:
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    -
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     -
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv6.method:                            manual
ipv6.dns:                               2001:4860:4860::8888
ipv6.dns-search:                        example.com
ipv6.addresses:                         { ip = 2001:db8:0:1::7/64, gw = 2001:db8:0:1::1 }
ipv6.routes:
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.dhcp-hostname:                     -
...output omitted...

The nmcli con mod name command is used to change the settings for a connection. These changes are also saved in the /etc/sysconfig/network-scripts/ifcfg-name ﬁle for the connection. Available settings are documented in the nm-settings(5) man page.

To set the IPv4 address to 192.0.2.2/24 and default gateway to 192.0.2.254 for the connection static-ens3:

[root@host ~]# nmcli con mod static-ens3 ipv6.address "2001:db8:0:1::a00:1/64 2001:db8:0:1::1"

To set the IPv6 address to 2001:db8:0:1::a00:1/64 and default gateway to 2001:db8:0:1::1 for the connection static-ens3:

[root@host ~]# nmcli con mod static-ens3 ipv6.address "2001:db8:0:1::a00:1/64 2001:db8:0:1::1"

Note: If a connection that gets its IPv4 information from a DHCPv4 server is being changed to get it from static conﬁguration ﬁles only, the setting ipv4.method should also be changed from auto to manual. Likewise, if a connection that gets its IPv6 information by SLAAC or a DHCPv6 server is being changed to get it from static conﬁguration ﬁles only, the setting ipv6.method should also be changed from auto or dhcp to manual. Otherwise, the connection may hang or not complete successfully when it is activated, or it may get an IPv4 address from DHCP or an IPv6 address from DHCPv6 or SLAAC in addition to the static address.

A number of settings may have multiple values. A speciﬁc value can be added to the list or deleted from the list for a setting by adding a + or - symbol to the start of the setting name.

Deleting a Network Connection

The nmcli con del name command deletes the connection named name from the system, disconnecting it from the device and removing the ﬁle /etc/sysconfig/network-scripts/ifcfg-name.

[root@host ~]# nmcli con del static-ens3

Who can modify network settings?

The root user can make any necessary network conﬁguration changes with nmcli. However, regular users that are logged in on the local console can also make many network conﬁguration changes to the system. They have to log in at the system’s keyboard to either a textbased virtual console or the graphical desktop environment to get this control. The logic behind this is that if someone is physically present at the computer’s console, it’s likely being used as a workstation or laptop and they may need to conﬁgure, activate, and deactivate wireless or wired network interfaces at will. By contrast, if the system is a server in the datacenter, generally the only users logging in locally to the machine itself should be administrators.

Regular users that log in using ssh do not have access to change network permissions without becoming root. You can use the nmcli gen permissions command to see what your current permissions are.

Command line reference (cheat sheet)

The following table is a list of key nmcli commands discussed in this post.

COMMAND	PURPOSE
nmcli dev status	Show the NetworkManager status of all network interfaces.
nmcli con show	List all connections.
nmcli con show name	List the current settings for the connection name.
nmcli con add con-name name	Add a new connection named name.
nmcli con mod name	Modify the connection name.
nmcli con reload	Reload the configuration files (useful after they have been edited by hand).
nmcli con up name	Activate the connection name.
nmcli dev dis dev	Deactivate and disconnect the current connection on the network interface dev.
nmcli con del name	Delete the connection name and its configuration file.