Managing the network on a KVM hypervisor is one of those tasks that separates a functional lab from a production-ready virtualization platform. Network Manager and its command-line tool nmcli give you full control over bridge interfaces, bonding, VLANs, and static addressing – all without touching a configuration file directly. This guide walks through setting up a network bridge on a KVM host using nmcli, which is the default networking stack on RHEL 10, AlmaLinux 10, Rocky Linux 10, Fedora, and Ubuntu 24.04 desktop installations.
Why Use a Network Bridge for KVM?
By default, libvirt creates a NAT-based virtual network called default that gives VMs outbound connectivity through the host. That works for testing, but in production you almost always want bridged networking. A bridge puts your virtual machines directly on the same Layer 2 network as the host, so they get IP addresses from your infrastructure DHCP server (or you assign them static IPs from your subnet). Other machines on the network can reach the VMs without any port forwarding or NAT rules.
Prerequisites
- A KVM host running RHEL 10, AlmaLinux 10, Rocky Linux 10, or Ubuntu 24.04
- Network Manager installed and running (default on most distributions)
- Root or sudo access
- At least one physical network interface available
Step 1 – Check Existing Network Connections
Before making changes, review what Network Manager currently manages. The nmcli connection show command lists all connection profiles, both active and inactive.
nmcli connection showYou will see output similar to this:
NAME UUID TYPE DEVICE
Wired connection 1 a1b2c3d4-e5f6-7890-abcd-ef1234567890 ethernet enp3s0Take note of the device name for your physical interface – in this example it is enp3s0. You can also check the device status directly.
nmcli device statusThis shows which devices are connected, disconnected, or unmanaged. You need to know the exact interface name before creating the bridge.
Step 2 – Create the Bridge Interface
Create a new bridge connection called br0. This is the virtual switch that your VMs will connect to.
sudo nmcli connection add type bridge con-name br0 ifname br0This creates a bridge connection profile named br0 and assigns it to a bridge interface also named br0. At this point the bridge exists but has no physical interface attached and no IP configuration.
Step 3 – Configure a Static IP Address on the Bridge
Assign a static IP address, gateway, and DNS servers to the bridge interface. Adjust the values to match your network.
sudo nmcli connection modify br0 ipv4.addresses 192.168.1.100/24
sudo nmcli connection modify br0 ipv4.gateway 192.168.1.1
sudo nmcli connection modify br0 ipv4.dns "8.8.8.8 8.8.4.4"
sudo nmcli connection modify br0 ipv4.dns-search "example.com"
sudo nmcli connection modify br0 ipv4.method manualThe ipv4.method manual setting tells Network Manager to use the static configuration instead of DHCP. If you prefer DHCP on the bridge (less common in production but valid in some setups), set ipv4.method auto instead and skip the address/gateway/dns lines.
You can also disable IPv6 if your environment does not use it.
sudo nmcli connection modify br0 ipv6.method disabledStep 4 – Add the Physical Interface to the Bridge
Now attach your physical Ethernet interface as a slave (member port) of the bridge. Replace enp3s0 with your actual interface name.
sudo nmcli connection add type bridge-slave con-name br0-port1 ifname enp3s0 master br0This creates a new connection profile called br0-port1 that enslaves enp3s0 to the br0 bridge.
Step 5 – Bring Up the Bridge and Deactivate the Old Connection
If you are connected over SSH, be careful here. Bringing down the old connection and bringing up the bridge should be done in a single operation or via a console session. If you are on a remote connection, consider using nmcli with a slight delay or run from a console.
First, deactivate the old Ethernet connection profile.
sudo nmcli connection down "Wired connection 1"Then bring up the bridge.
sudo nmcli connection up br0If your SSH session survives (and it should if the IP stayed the same or you assigned the correct static IP to br0), you are in good shape. If you lose connectivity, access the host via console and troubleshoot.
Optionally, prevent the old connection from auto-starting on boot.
sudo nmcli connection modify "Wired connection 1" autoconnect noStep 6 – Verify the Bridge Configuration
Run several checks to confirm everything is working as expected.
Check the bridge interface details.
nmcli connection show br0Verify the IP address is assigned to the bridge.
ip addr show br0Expected output should show the static IP you configured.
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
inet 192.168.1.100/24 brd 192.168.1.255 scope global noprefixroute br0Confirm the physical interface is part of the bridge.
bridge link showYou should see enp3s0 listed as a member of br0.
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwardingTest connectivity by pinging the gateway and an external host.
ping -c 3 192.168.1.1
ping -c 3 google.comCheck DNS resolution.
nmcli device show br0 | grep DNSStep 7 – Configure libvirt to Use the Bridge
Now that the bridge is active, you can attach virtual machines to it. When creating a new VM with virt-install, specify the bridge network.
virt-install \
--name testvm \
--ram 2048 \
--vcpus 2 \
--disk size=20 \
--os-variant ubuntu24.04 \
--network bridge=br0 \
--cdrom /var/lib/libvirt/images/ubuntu-24.04.isoFor an existing VM, you can change its network interface to use the bridge by editing the XML definition.
virsh edit testvmFind the <interface> section and update it to reference the bridge.
<interface type='bridge'>
<source bridge='br0'/>
<model type='virtio'/>
</interface>Restart the VM for the change to take effect.
virsh shutdown testvm
virsh start testvmUseful nmcli Commands for Ongoing Management
Here are some commands you will use regularly when managing KVM host networking with nmcli.
List all connections with details.
nmcli -t -f NAME,TYPE,DEVICE connection showShow detailed properties of the bridge.
nmcli -p connection show br0Add a second DNS server.
sudo nmcli connection modify br0 +ipv4.dns "1.1.1.1"Reload configuration after manual file edits.
sudo nmcli connection reloadDelete a connection profile.
sudo nmcli connection delete br0-port1Troubleshooting Tips
If your bridge is not forwarding traffic, check that STP (Spanning Tree Protocol) is not blocking. You can disable STP on the bridge for simple setups.
sudo nmcli connection modify br0 bridge.stp no
sudo nmcli connection up br0If VMs get no network access, verify that IP forwarding is enabled in the kernel.
cat /proc/sys/net/ipv4/ip_forwardIf it returns 0, enable it.
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-kvm-forward.conf
sudo sysctl --systemAlso confirm that firewall rules are not blocking bridge traffic. On RHEL 10 with firewalld, add the bridge to the trusted zone.
sudo firewall-cmd --zone=trusted --add-interface=br0 --permanent
sudo firewall-cmd --reloadSummary
Using nmcli to manage KVM host networking gives you a scriptable, reliable way to configure bridges without manually editing configuration files. The workflow is straightforward – create the bridge, assign IP settings, add the physical interface as a slave port, bring everything up, and verify. Once the bridge is active, any VM configured with bridge=br0 gets direct Layer 2 access to your physical network, which is exactly what you want for production KVM deployments.
