IEEE 802.1Q VLAN tagging allows a single physical network interface to carry traffic for multiple logically isolated networks by inserting a 4-byte VLAN tag into Ethernet frames. This is essential in virtualization environments, network segmentation architectures, and anywhere a single uplink must serve multiple subnets. On RHEL 8, NetworkManager handles 802.1Q VLAN interfaces natively through nmcli — no kernel module loading or manual configuration file editing is required. This tutorial walks through creating a single tagged VLAN interface, adding multiple VLANs to the same physical interface, and using a VLAN with a Linux bridge for virtual machine networking.
Prerequisites
- RHEL 8 server with at least one network interface (e.g., ens3)
- Root or sudo access
- NetworkManager installed and active (systemctl status NetworkManager)
- A managed network switch configured with a trunk port (802.1Q tagged) on the port connected to ens3, or a lab environment using a hypervisor virtual switch with VLAN trunk mode enabled
- VLAN IDs and subnets planned: VLAN 10 — 192.168.10.0/24, VLAN 20 — 192.168.20.0/24
Step 1 — Create a Single VLAN Interface
The nmcli con add type vlan command creates a tagged sub-interface. The dev parameter specifies the parent physical interface, and id specifies the VLAN ID (1–4094). The interface name ens3.10 follows the conventional parent.vlanid naming scheme.
# Create VLAN 10 on top of ens3
nmcli con add type vlan \
    ifname ens3.10 \
    con-name vlan10 \
    dev ens3 \
    id 10
# Assign a static IP to the VLAN interface
nmcli con mod vlan10 \
    ipv4.method manual \
    ipv4.addresses 192.168.10.1/24 \
    ipv4.gateway 192.168.10.254
# Bring the interface online
nmcli con up vlan10
# Confirm the interface is up and has the correct IP
ip addr show ens3.10
Step 2 — Verify the VLAN Interface and Test Connectivity
After bringing the interface up, confirm that the kernel has created the tagged sub-interface and that the VLAN ID is correctly registered. The ip tool and nmcli both report the interface state; the VLAN ID can be verified directly from the kernel via /proc/net/vlan/.
# Show the VLAN interface with its flags and IP
ip addr show ens3.10
# Show the link details including the VLAN tag
ip -d link show ens3.10
# Confirm VLAN registration in the kernel
cat /proc/net/vlan/ens3.10
# Check the NM connection profile is persisted
nmcli con show vlan10
# Test reachability to the default gateway on VLAN 10
ping -c 3 -I ens3.10 192.168.10.254
Step 3 — Add Multiple VLANs to the Same Physical Interface
A single trunk interface can carry dozens of VLANs simultaneously. Each VLAN gets its own sub-interface and IP. The physical interface ens3 does not need a native IP address in this configuration — it acts purely as a trunk carrier.
# Create VLAN 20
nmcli con add type vlan \
    ifname ens3.20 \
    con-name vlan20 \
    dev ens3 \
    id 20
nmcli con mod vlan20 \
    ipv4.method manual \
    ipv4.addresses 192.168.20.1/24
nmcli con up vlan20
# Create VLAN 30
nmcli con add type vlan \
    ifname ens3.30 \
    con-name vlan30 \
    dev ens3 \
    id 30
nmcli con mod vlan30 \
    ipv4.method manual \
    ipv4.addresses 192.168.30.1/24
nmcli con up vlan30
# List all interfaces and confirm all three VLANs are active
ip addr show | grep -E "ens3\.[0-9]+"
Step 4 — Bridge a VLAN Interface for VM Networking
When hosting virtual machines with KVM/QEMU, the hypervisor typically needs a Linux bridge so that VMs can share the VLAN network. Create a bridge, attach the VLAN sub-interface as its only uplink, then configure the bridge with an IP. VMs tap directly into the bridge and receive VLAN 10 traffic without any additional tagging awareness.
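# Delete the IP from the VLAN interface; the bridge will own it.
# The address and gateway must be cleared too, because NetworkManager
# rejects method "disabled" while static addresses are still set.
nmcli con mod vlan10 \
    ipv4.method disabled \
    ipv4.addresses "" \
    ipv4.gateway ""
nmcli con up vlan10
# Create a bridge for VLAN 10
nmcli con add type bridge \
    ifname br10 \
    con-name br10 \
    ipv4.method manual \
    ipv4.addresses 192.168.10.1/24
# Attach the VLAN interface as a bridge slave. The existing vlan10 profile
# is enslaved directly: a "type bridge-slave" profile is an Ethernet
# profile and cannot be activated on the VLAN device ens3.10.
nmcli con mod vlan10 \
    connection.master br10 \
    connection.slave-type bridge
# Bring both up
nmcli con up br10
nmcli con up vlan10
# Confirm bridge membership
bridge link show br10
# Verify bridge IP
ip addr show br10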
Step 5 — Configure the Switch Trunk Port
The RHEL server configuration is only half the picture. The switch port connected to ens3 must be set to 802.1Q trunk mode, listing every VLAN ID you intend to carry. The exact commands vary by vendor; the example below shows the configuration for a Cisco IOS-style switch.
! Cisco IOS example: configure the connected port as a trunk
! (Run on the switch, not on RHEL)
! Enter global configuration, then interface configuration
configure terminal
interface GigabitEthernet0/1
! Set the port to trunk mode
switchport mode trunk
! Allow VLANs 10, 20, and 30 on this trunk
switchport trunk allowed vlan 10,20,30
! Set the native (untagged) VLAN if required
switchport trunk native vlan 1
end
write memory
! Verify trunk configuration
show interfaces GigabitEthernet0/1 trunk
Step 6 — Persist Configuration and Open Firewall Zones per VLAN
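NetworkManager connections are already persistent, but firewalld needs a zone assignment for each VLAN interface so that firewall rules apply correctly. Assign each VLAN sub-interface to an appropriate firewalld zone and reload to activate. The trusted zone accepts all incoming traffic, so reserve it for a VLAN on which every host is trusted. If VLAN 10 was bridged in Step 4, also assign br10 to a zone, since the host's address then lives on the bridge.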
# Assign each VLAN interface to a firewalld zone
firewall-cmd --permanent --zone=internal --add-interface=ens3.10
firewall-cmd --permanent --zone=internal --add-interface=ens3.20
firewall-cmd --permanent --zone=trusted --add-interface=ens3.30
firewall-cmd --reload
# Verify zone assignments
firewall-cmd --get-active-zones
# Confirm all VLAN connections restart correctly after a reboot
nmcli con show --active
# Quick reboot test (optional — ensure access via separate management interface)
# reboot
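The zone assignments from Step 6 can be audited by cross-checking the kernel's VLAN list (/proc/net/vlan/config) against the output of firewall-cmd --get-active-zones. The script below is an added example, not part of the original tutorial; its function names, finding labels and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag VLAN sub-interfaces whose firewalld zone needs review.
# Function names, finding labels and sample data are illustrative assumptions.

# Print "ifname vid parent" from a file in /proc/net/vlan/config format
# (two header lines, then "name | id | parent" rows).
list_vlans() {
    awk -F'|' 'NR > 2 && NF == 3 { gsub(/[ \t]/, ""); print $1, $2, $3 }' "$1"
}

# Print "ifname zone" from saved `firewall-cmd --get-active-zones` output.
list_zone_bindings() {
    awk '/^[^ \t]/ { zone = $1; next }
         $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }' "$1"
}

# audit_vlan_zones VLAN_CONFIG ACTIVE_ZONES DEFAULT_ZONE
# Prints one line per VLAN device that is in no active zone, still in the
# default zone, or in "trusted" (which accepts all inbound traffic).
audit_vlan_zones() {
    bindings=$(list_zone_bindings "$2")
    list_vlans "$1" | while read -r ifname vid parent; do
        zone=$(printf '%s\n' "$bindings" | awk -v i="$ifname" '$1 == i { print $2 }')
        case $zone in
            "")      echo "NOZONE $ifname vlan=$vid parent=$parent" ;;
            "$3")    echo "DEFAULT $ifname vlan=$vid zone=$zone" ;;
            trusted) echo "TRUSTED $ifname vlan=$vid zone=$zone" ;;
        esac
    done
}

# Constructed sample captures (not taken from a real host).
write_samples() {
    printf '%s\n' 'VLAN Dev name    | VLAN ID' \
        'Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD' \
        'ens3.10        | 10  | ens3' 'ens3.20        | 20  | ens3' \
        'ens3.30        | 30  | ens3' 'ens3.40        | 40  | ens3' > "$1/vlan_config"
    printf '%s\n' 'internal' '  interfaces: ens3.10' 'public' \
        '  interfaces: ens3 ens3.20' 'trusted' '  interfaces: ens3.30' > "$1/active_zones"
}

# Demo on the constructed samples. On a real host:
#   firewall-cmd --get-active-zones > zones.txt
#   audit_vlan_zones /proc/net/vlan/config zones.txt "$(firewall-cmd --get-default-zone)"
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_vlan_zones "$demo_dir/vlan_config" "$demo_dir/active_zones" public
rm -rf "$demo_dir"
```

A DEFAULT finding usually means the interface was never explicitly assigned and is filtered by whatever the host's default zone allows.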
Conclusion
You have created 802.1Q VLAN sub-interfaces on RHEL 8 using nmcli, assigned static IPs to each VLAN, stacked multiple VLANs on a single physical trunk interface, bridged a VLAN interface to a Linux bridge for KVM virtual machine networking, and assigned the sub-interfaces to appropriate firewalld zones. All configurations are managed by NetworkManager and persist across reboots. The corresponding switch trunk port configuration ensures that tagged frames flow correctly between the RHEL host and the rest of your network infrastructure.
Next steps: Configuring Network Bonding and Teaming on RHEL 8, Setting Up a KVM Bridge Network for Virtual Machines on RHEL 8, and Implementing Inter-VLAN Routing with firewalld on RHEL 8.