Exercise: Creating a Virtual Network with VLANs

Hands-On Network Segmentation

An advanced hands-on exercise where you will use nmcli to create virtual network interfaces and segment them into different VLANs.
Author: Chuck Nelson

Published: November 13, 2025

1 Purpose

This exercise provides a practical, hands-on application of network segmentation using VLANs. While we cannot create VLANs on a physical switch in this environment, we can simulate the same behavior within our Fedora VM. You will use the powerful nmcli (NetworkManager Command-Line Interface) tool to create virtual interfaces and assign them to different VLANs, demonstrating how traffic can be logically separated on the same physical device.

2 What You’ll Accomplish

By the end of this exercise, you will be able to:

  • Use nmcli to view network connections.
  • Create a new virtual bridge interface.
  • Create new VLAN interfaces tagged to the bridge.
  • Assign static IP addresses to your VLAN interfaces.
  • Verify that devices on different VLANs cannot communicate directly.

This exercise maps to the following program and course learning outcomes:

  • Program Learning Outcomes (PLOs):
    • 3. Apply terminology and numeric or system concepts: This exercise requires the direct application of VLAN tagging, IP addressing, and network interface configuration.
  • Course Learning Outcomes (CLOs):
    • 4. Configure hardware and basic network components: You will be directly configuring virtual network interfaces, which mirrors the process used on physical enterprise hardware.

This exercise develops the following skills, which align with the O*NET SOC Code 15-1232.00 for Computer User Support Specialists.

| Learning Objective | O*NET KSAs | Technologies Used |
| --- | --- | --- |
| Create and configure VLAN interfaces in Linux. | Knowledge: Telecommunications, Computers & Electronics; Skills: Systems Analysis | nmcli, VLANs |
| Assign static IP addresses to interfaces. | Knowledge: Telecommunications; Abilities: Information Ordering, Deductive Reasoning | IP Addressing |

3 Prerequisites

This exercise requires a running Fedora 42 virtual machine with internet access and a user account with sudo privileges.

4 Step-by-Step Guide

Open a terminal window in your Fedora VM to begin.

4.1 Step 1: Explore nmcli

First, take a look at your existing connections with nmcli.

  1. Run the following command to see your connection profiles:

    nmcli connection show

    You will see the profile for your main Ethernet connection.

  2. Run this command to see the status of your devices:

    nmcli device status

4.2 Step 2: Create a Network Bridge

A bridge is a virtual switch that we can connect other interfaces to.

  1. Create a bridge named br10:

    nmcli connection add type bridge con-name br10 ifname br10

  2. Bring the bridge interface up:

    nmcli connection up br10

4.3 Step 3: Create VLAN Interfaces

Now, you will create two VLAN interfaces. Imagine these are for two different departments: Sales (VLAN 101) and Engineering (VLAN 102). These virtual interfaces will be “plugged into” your bridge.

  1. Create the “Sales” VLAN interface, tagged with ID 101:

    nmcli connection add type vlan con-name sales-vlan ifname vlan101 id 101 dev br10

  2. Create the “Engineering” VLAN interface, tagged with ID 102:

    nmcli connection add type vlan con-name engineering-vlan ifname vlan102 id 102 dev br10

  3. Verify that your new connections exist:

    nmcli connection show

    You should now see sales-vlan and engineering-vlan in the list.

4.4 Step 4: Assign Static IP Addresses

Assign an IP address to each VLAN from a different subnet. This mimics how a router would handle different VLANs.

  1. Assign an IP address to the Sales VLAN. We’ll use the 192.168.101.0/24 subnet.

    nmcli connection modify sales-vlan ipv4.addresses 192.168.101.1/24 ipv4.method manual

  2. Assign an IP address to the Engineering VLAN. We’ll use the 192.168.102.0/24 subnet.

    nmcli connection modify engineering-vlan ipv4.addresses 192.168.102.1/24 ipv4.method manual

  3. Bring the VLAN interfaces up to apply the changes:

    nmcli connection up sales-vlan
    nmcli connection up engineering-vlan

4.5 Step 5: Verify the Configuration

Check that your interfaces have the correct IP addresses.

  1. Run ip addr:

    ip addr

    Look for the vlan101 and vlan102 interfaces and confirm they have the IP addresses you assigned.

In your student notebook, write down the inet line for both the vlan101 and vlan102 interfaces.

4.6 Step 6: Test Segmentation

The final step is to prove that the VLANs are separated. You will try to ping an address on the “Engineering” subnet from the “Sales” interface. This should fail, because there is no router between them.

  1. Run a ping command, using the -I flag to specify which interface to send the ping from. We will try to ping a hypothetical second device (192.168.102.10) on the engineering network from our sales interface.

    ping -c 4 -I vlan101 192.168.102.10

  2. Observe the output. The ping should fail with a “Destination Host Unreachable” or “Network is Unreachable” message. This is the expected result! It proves that the vlan101 interface has no direct path to the 192.168.102.0/24 network.

In your notebook, write down the result of your ping test. Did it succeed or fail? Why is this the correct outcome?
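
The checks in Steps 5 and 6 can also be scripted so they are repeatable. The script below is an added example, not part of the original exercise: the function names (addr_of, route_devs, audit_segmentation), the enp1s0 uplink and the sample ip output are constructed for illustration. It also checks net.ipv4.ip_forward, because a Linux host with forwarding enabled can itself act as the router between the two VLANs.

```bash
#!/usr/bin/env bash
# Added example: audit the state Steps 4-6 rely on. Sample text is constructed.

# Constructed sample of `ip -o -4 addr show` after Step 4.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: enp1s0    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp1s0
5: vlan101    inet 192.168.101.1/24 brd 192.168.101.255 scope global vlan101
6: vlan102    inet 192.168.102.1/24 brd 192.168.102.255 scope global vlan102'

# Constructed sample of `ip -4 route show`.
SAMPLE_ROUTES='default via 10.0.2.2 dev enp1s0 proto dhcp metric 100
10.0.2.0/24 dev enp1s0 proto kernel scope link src 10.0.2.15
192.168.101.0/24 dev vlan101 proto kernel scope link src 192.168.101.1
192.168.102.0/24 dev vlan102 proto kernel scope link src 192.168.102.1'

# addr_of IFACE: first IPv4 CIDR on IFACE, read from `ip -o -4 addr` text on stdin.
addr_of() {
  awk -v want="$1" '$2 == want && $3 == "inet" { print $4; exit }'
}

# route_devs SUBNET: every device carrying a route for SUBNET (`ip -4 route` on stdin).
route_devs() {
  awk -v net="$1" '$1 == net { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# audit_segmentation ADDR_TEXT ROUTE_TEXT IP_FORWARD
# Prints findings; returns 0 only if both VLANs are addressed, each subnet is
# routed through its own interface alone, and the host is not forwarding.
audit_segmentation() {
  _rc=0
  for _pair in 101:vlan101 102:vlan102; do
    _id=${_pair%%:*}; _if=${_pair#*:}
    [ "$(printf '%s\n' "$1" | addr_of "$_if")" = "192.168.$_id.1/24" ] ||
      { echo "FAIL $_if: expected 192.168.$_id.1/24"; _rc=1; }
    [ "$(printf '%s\n' "$2" | route_devs "192.168.$_id.0/24")" = "$_if" ] ||
      { echo "FAIL 192.168.$_id.0/24 is not routed via $_if alone"; _rc=1; }
  done
  # With forwarding enabled the kernel itself can act as the inter-VLAN router.
  [ "$3" = "0" ] || { echo "FAIL ip_forward=$3: host may route between VLANs"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "OK segmentation holds"
  return "$_rc"
}

# Live use on the VM:
#   audit_segmentation "$(ip -o -4 addr show)" "$(ip -4 route show)" \
#     "$(sysctl -n net.ipv4.ip_forward)"
audit_segmentation "$SAMPLE_ADDR" "$SAMPLE_ROUTES" 0
```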

5 Reflect and Review

Reflection: 3-2-1

Now that you have completed this exercise, reflect on your experience in your Microsoft Teams Student Notebook:

  • 3 new nmcli sub-commands you learned.
  • 2 virtual interfaces you created.
  • 1 question you still have about how routers handle traffic between VLANs.

Check on Learning

Answer these questions in your notebook to solidify your understanding:

  1. What is the purpose of a network bridge in this exercise?
  2. In the nmcli command to create a VLAN, what does the id number represent?
  3. Why did we assign IP addresses from different subnets to each VLAN?
  4. Why did the final ping test fail, and what piece of hardware would be required to make it succeed?