Objectives
What the exam tests
- Configure IPv4 and IPv6 addresses on network interfaces
- Configure hostname resolution using
/etc/hostsand DNS - Set and verify static and dynamic (DHCP) network configurations
- Configure the system hostname persistently
- Use NetworkManager tools (
nmcli,nmtui) to manage connections - Configure firewall rules to allow or block specific services and ports
- Use network diagnostic tools (
ss,ping,tracepath,nmap) - Configure routing — add static routes
Networking tasks appear on every RHCSA exam. Expect at least one task requiring you to configure a static IP address, set a hostname, and open a firewall port — and verify all three persist after a reboot.
Coverage weight by topic
nmcli IP configuration
Critical
firewalld
Very high
Hostname & DNS
High
Network diagnostics
High
IPv6 addressing
Medium
Static routes
Low
IP addressing concepts
IPv4 addressing fundamentals
An IPv4 address is 32 bits written as four decimal octets separated by dots. A subnet mask (or CIDR prefix) determines which part identifies the network and which identifies the host.
192.
168.
1.
100
/24
| CIDR | Subnet mask | Hosts per network | Common use |
|---|---|---|---|
/8 | 255.0.0.0 | 16,777,214 | Class A / large private |
/16 | 255.255.0.0 | 65,534 | Class B / medium private |
/24 | 255.255.255.0 | 254 | Class C / small LAN most common |
/25 | 255.255.255.128 | 126 | Half of a /24 |
/30 | 255.255.255.252 | 2 | Point-to-point links |
/32 | 255.255.255.255 | 1 | Host route / loopback |
Private IP address ranges
| Range | CIDR | Class | Notes |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | A | Large private networks, data centers |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | B | Medium private networks |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | C | Home and small office LANs most common on exam |
| 127.0.0.0 – 127.255.255.255 | 127.0.0.0/8 | Loopback | Local host only — 127.0.0.1 is localhost |
| 169.254.0.0 – 169.254.255.255 | 169.254.0.0/16 | Link-local | APIPA — assigned when DHCP fails |
IPv6 basics for RHCSA
# IPv6 is 128 bits written as 8 groups of 4 hex digits
# Full: 2001:0db8:0000:0000:0000:0000:0000:0001
# Compressed: 2001:db8::1 (:: collapses consecutive zero groups once)
# Common IPv6 addresses
::1 # loopback (equivalent to 127.0.0.1)
fe80::/10 # link-local (auto-configured on every interface)
fd00::/8 # unique local (private, like RFC1918)
2001:db8::/32 # documentation prefix (not routable)
# Configure IPv6 with nmcli
nmcli con mod "ens3" \
ipv6.method manual \
ipv6.addresses "2001:db8::1/64" \
ipv6.gateway "2001:db8::fffe"
nmcli con up "ens3"
# Show IPv6 addresses
ip -6 addr show
Network layer model — what exam tasks touch
| Layer | Function | RHCSA tools |
|---|---|---|
| Physical / Link | Hardware, MAC addresses, Ethernet | ip link, ethtool |
| Network (L3) | IP addressing, routing | nmcli, ip addr, ip route |
| Transport (L4) | TCP/UDP ports, connections | ss, firewalld port rules |
| Application (L7) | DNS, HTTP, SSH, NFS… | firewalld service rules, dig, curl |
nmcli — NetworkManager CLI
nmcli object and command structure
# nmcli structure: nmcli [object] [command] [options]
# objects: general networking device (dev) connection (con/c)
── STATUS OVERVIEW ───────────────────────────────────────────
nmcli general status # overall NM state
nmcli networking connectivity # full / limited / portal / none
nmcli device status # all interfaces + state + connection
nmcli device show # detailed info for every device
nmcli device show ens3 # specific device
nmcli connection show # all saved connection profiles
nmcli connection show --active # active connections only
nmcli connection show "ens3" # all settings for one profile
Configure a static IP address — full workflow
Identify the connection profile name
nmcli connection show
Set IP method to manual and configure all parameters
nmcli connection modify "ens3" \
ipv4.method manual \
ipv4.addresses "192.168.1.100/24" \
ipv4.gateway "192.168.1.1" \
ipv4.dns "8.8.8.8,1.1.1.1" \
ipv4.dns-search "example.com"
Bring the connection down then up to apply
nmcli connection down "ens3"
nmcli connection up "ens3"
Verify the configuration
ip addr show ens3
ip route show
cat /etc/resolv.conf
When adding a second IP to the same interface, use +ipv4.addresses (with the + prefix) to append rather than replace: nmcli con mod "ens3" +ipv4.addresses "192.168.1.101/24"
Configure DHCP
# Switch an existing connection back to DHCP
nmcli connection modify "ens3" \
ipv4.method auto \
ipv4.addresses "" \
ipv4.gateway "" \
ipv4.dns ""
nmcli connection down "ens3" && nmcli connection up "ens3"
# Verify DHCP-assigned address
ip addr show ens3
nmcli device show ens3 | grep IP4
Create a new connection profile
# Create a new Ethernet connection with static IP
nmcli connection add \
type ethernet \
con-name "lab-static" \
ifname ens4 \
ipv4.method manual \
ipv4.addresses "10.0.0.10/24" \
ipv4.gateway "10.0.0.1" \
ipv4.dns "10.0.0.53"
# Activate the new connection
nmcli connection up "lab-static"
# Create a DHCP connection
nmcli connection add \
type ethernet \
con-name "lab-dhcp" \
ifname ens5 \
ipv4.method auto
# Clone an existing connection
nmcli connection clone "ens3" "ens3-backup"
# Delete a connection profile
nmcli connection delete "lab-static"
Static routes
# Add a persistent static route via nmcli
nmcli connection modify "ens3" \
+ipv4.routes "172.16.0.0/16 192.168.1.254"
nmcli connection up "ens3"
# Add multiple static routes
nmcli connection modify "ens3" \
+ipv4.routes "10.10.0.0/24 192.168.1.1" \
+ipv4.routes "10.20.0.0/24 192.168.1.2"
# Temporary static route (lost on reboot)
ip route add 172.16.0.0/16 via 192.168.1.254
# View routing table
ip route show
ip route show table all # all routing tables
# Remove a temporary route
ip route del 172.16.0.0/16
Routes added with ip route add are runtime-only and lost on reboot. Always use nmcli connection modify +ipv4.routes for persistent routes.
nmtui — text-based UI alternative
# nmtui provides a menu-driven interface — useful if you forget nmcli syntax
nmtui
# nmtui subcommands (can be run directly)
nmtui edit # edit connection profiles
nmtui connect # connect / disconnect
nmtui hostname # set hostname
If you blank on nmcli syntax during the exam, nmtui provides the same functionality through a navigable menu. Both tools write to the same NetworkManager profile files.
DNS and hostname
Hostname management
# View current hostname and status
hostname
hostnamectl
hostnamectl status
# Set the system hostname permanently
hostnamectl set-hostname server1.example.com
hostnamectl set-hostname server1.example.com --static
# Hostname types
hostnamectl set-hostname "server1" --static # written to /etc/hostname
hostnamectl set-hostname "Lab Server 1" --pretty # human-friendly label
hostnamectl set-hostname "tmpname" --transient # runtime only, lost at reboot
# Manual method — edit /etc/hostname directly
echo "server1.example.com" > /etc/hostname
hostname -F /etc/hostname # apply without reboot
# Check /etc/hostname
cat /etc/hostname
Fully qualified domain names (FQDNs) use the format hostname.domain.tld. On the exam, if asked to set an FQDN, include the domain: hostnamectl set-hostname server1.example.com
/etc/hosts — local name resolution
# /etc/hosts is checked BEFORE DNS by default
# Format: IP_address canonical_hostname [aliases...]
# Default entries:
127.0.0.1 localhost localhost.localdomain localhost4
::1 localhost localhost.localdomain localhost6
# Add custom entries:
192.168.1.10 server1.example.com server1
192.168.1.20 server2.example.com server2 db
# Test resolution
getent hosts server1
ping -c 1 server1
Resolution order is controlled by /etc/nsswitch.conf. The default hosts: files dns means /etc/hosts is checked first, then DNS. Changing this is rarely needed on the exam.
DNS configuration
# /etc/resolv.conf — DNS resolver configuration
# (managed by NetworkManager — do not edit directly on RHEL 9)
cat /etc/resolv.conf
# Correct way: set DNS via nmcli
nmcli connection modify "ens3" ipv4.dns "8.8.8.8 8.8.4.4"
nmcli connection modify "ens3" ipv4.dns-search "example.com corp.local"
nmcli connection up "ens3"
# Test DNS resolution
dig example.com
dig @8.8.8.8 example.com # query a specific DNS server
nslookup example.com
host example.com
getent hosts example.com # uses /etc/hosts then DNS
# Verify DNS settings in NM
nmcli device show ens3 | grep DNS
nmcli connection show "ens3" | grep dns
Never edit /etc/resolv.conf directly on RHEL 9 — NetworkManager will overwrite it. Always use nmcli to set DNS servers.
firewalld
firewalld concepts — zones
firewalld uses zones to group rules. Each network interface is assigned to a zone. Interfaces in more trusted zones get less restrictive rules.
| Zone | Trust level | Default behavior |
|---|---|---|
drop | None | All incoming dropped silently. Only outgoing allowed. |
block | None | Incoming rejected with ICMP message. Outgoing allowed. |
public | Low | Only selected incoming allowed. Default zone |
external | Low | Masquerading enabled — for internet-facing interfaces. |
dmz | Medium | Some services accessible from outside. |
work | Medium | Mostly trusted — more services allowed. |
home | Medium-high | Trusted home network. |
internal | High | Trusted internal network. |
trusted | Full | All traffic accepted. Use with care. |
firewall-cmd — essential commands
── STATUS ────────────────────────────────────────────────────
firewall-cmd --state
systemctl status firewalld
firewall-cmd --list-all # everything in the default zone
firewall-cmd --list-all-zones # all zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones # zones with assigned interfaces
── SERVICES ──────────────────────────────────────────────────
firewall-cmd --list-services # currently allowed services
firewall-cmd --get-services # all available service definitions
# Add service — runtime (lost on reload)
firewall-cmd --add-service=http
# Add service — permanent (survives reboot)
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload # load permanent rules into runtime
# Remove service
firewall-cmd --permanent --remove-service=http
firewall-cmd --reload
── PORTS ─────────────────────────────────────────────────────
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=5000-5010/tcp # port range
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --remove-port=8080/tcp
firewall-cmd --reload
firewall-cmd --list-ports # verify open ports
Working with zones
# Change default zone
firewall-cmd --set-default-zone=internal
# Assign an interface to a zone
firewall-cmd --permanent --zone=internal --add-interface=ens4
firewall-cmd --reload
# Add a service to a specific zone (not the default)
firewall-cmd --permanent --zone=internal --add-service=nfs
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload
# Rich rules — for more complex matching
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.5" drop'
firewall-cmd --reload
The exam typically tests simple service/port additions to the default (
public) zone. Rich rules are less common but good to know for blocking specific source IPs.Common pre-defined firewalld services
| Service name | Port(s) | Protocol |
|---|---|---|
ssh | 22 | TCP |
http | 80 | TCP |
https | 443 | TCP |
ftp | 21 | TCP |
dns | 53 | TCP+UDP |
smtp | 25 | TCP |
nfs | 2049 | TCP+UDP |
samba | 139, 445 | TCP |
cockpit | 9090 | TCP |
kerberos | 88 | TCP+UDP |
ldap | 389 | TCP |
mysql | 3306 | TCP |
postgresql | 5432 | TCP |
Service definitions are stored in /usr/lib/firewalld/services/. You can create custom services in /etc/firewalld/services/.
Network diagnostics
ss — socket statistics (replaces netstat)
# Show all listening sockets
ss -tulnp
# -t = TCP -u = UDP -l = listening -n = numeric -p = process
# Show all established TCP connections
ss -tnp
# Filter by port
ss -tlnp sport = :80
ss -tlnp dport = :443
# Show UDP sockets
ss -ulnp
# Show UNIX domain sockets
ss -xlnp
# Summary of socket counts
ss -s
# Legacy alternative (still works)
netstat -tulnp
Connectivity and path diagnostics
── PING ──────────────────────────────────────────────────────
ping -c 4 192.168.1.1 # send 4 packets to gateway
ping -c 4 8.8.8.8 # test internet connectivity
ping -c 4 server1.example.com # test DNS resolution + connectivity
ping6 -c 4 ::1 # IPv6 loopback
── TRACEPATH / TRACEROUTE ────────────────────────────────────
tracepath 8.8.8.8 # trace route (no root needed)
traceroute 8.8.8.8 # traditional (needs root for ICMP)
traceroute -T 8.8.8.8 # TCP mode
── IP COMMANDS ───────────────────────────────────────────────
ip addr show # all addresses
ip addr show ens3 # specific interface
ip route show # routing table
ip link show # link status (up/down, MAC)
ip neigh show # ARP / neighbor table
── DNS LOOKUP ────────────────────────────────────────────────
dig example.com # A record query
dig example.com MX # mail exchange record
dig -x 8.8.8.8 # reverse lookup (PTR record)
dig @1.1.1.1 example.com # query a specific resolver
host example.com # simpler DNS lookup
nslookup example.com # interactive or one-shot lookup
getent hosts example.com # full NSS resolution (hosts file + DNS)
Network troubleshooting workflow
Check interface has an IP address
ip addr show ens3 # look for inet line
Check connection profile is active
nmcli connection show --active
Test gateway reachability
ip route show # find default gateway
ping -c 3 <gateway-IP>
Test DNS resolution
cat /etc/resolv.conf
dig example.com
Check firewall is not blocking traffic
firewall-cmd --list-all
ss -tulnp
Check SELinux is not blocking the service
journalctl -b | grep "avc: denied"
ausearch -m avc -ts recent
Port scanning with nmap
# Install nmap
dnf install -y nmap
# Scan top 1000 ports on a host
nmap 192.168.1.10
# Scan specific ports
nmap -p 22,80,443 192.168.1.10
# Scan a port range
nmap -p 1-1024 192.168.1.10
# Detect service versions
nmap -sV 192.168.1.10
# OS detection (requires root)
nmap -O 192.168.1.10
# Scan entire subnet
nmap 192.168.1.0/24
# Quick scan (ping sweep)
nmap -sn 192.168.1.0/24
Cheat sheet
Most-tested commands — quick reference
Show interfaces
nmcli device statusShow connections
nmcli connection showShow IP addresses
ip addr showShow routing table
ip route showSet static IP
nmcli con mod "ens3" ipv4.method manual ipv4.addresses "x.x.x.x/24"Set gateway
nmcli con mod "ens3" ipv4.gateway "x.x.x.x"Set DNS
nmcli con mod "ens3" ipv4.dns "8.8.8.8"Apply connection
nmcli con up "ens3"Switch to DHCP
nmcli con mod "ens3" ipv4.method autoAdd static route
nmcli con mod "ens3" +ipv4.routes "net/mask gw"Set hostname
hostnamectl set-hostname srv1.example.comShow hostname
hostnamectlTest DNS
dig example.comFull name resolution
getent hosts example.comCheck firewall state
firewall-cmd --list-allAllow HTTP permanently
firewall-cmd --permanent --add-service=http && firewall-cmd --reloadOpen port permanently
firewall-cmd --permanent --add-port=8080/tcp && firewall-cmd --reloadRemove service
firewall-cmd --permanent --remove-service=httpReload firewall
firewall-cmd --reloadList listening ports
ss -tulnpTest connectivity
ping -c 4 8.8.8.8Trace route
tracepath 8.8.8.8nmtui (GUI alternative)
nmtuiAvailable services
firewall-cmd --get-servicesnmcli property reference
| nmcli property | Value examples | Effect |
|---|---|---|
ipv4.method | manual / auto / disabled | Static, DHCP, or disable IPv4 |
ipv4.addresses | "192.168.1.10/24" | Set IP address and prefix |
ipv4.gateway | "192.168.1.1" | Default gateway |
ipv4.dns | "8.8.8.8 1.1.1.1" | DNS nameservers (space-separated) |
ipv4.dns-search | "example.com corp.local" | DNS search domains |
ipv4.routes | "10.0.0.0/8 192.168.1.1" | Static routes |
ipv6.method | manual / auto / ignore | Static, SLAAC, or disable IPv6 |
ipv6.addresses | "2001:db8::1/64" | IPv6 address |
connection.autoconnect | yes / no | Connect automatically at boot |
connection.interface-name | ens3 | Bind profile to a device |
Static IP — exam template
Find the connection profile name
nmcli connection show
Configure all IP parameters
nmcli con mod "PROFILE" \
ipv4.method manual \
ipv4.addresses "ADDR/PREFIX" \
ipv4.gateway "GW" \
ipv4.dns "DNS"
Apply the connection
nmcli con down "PROFILE" && nmcli con up "PROFILE"
Set hostname if required
hostnamectl set-hostname FQDN
Open firewall ports if required
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
Verify everything
ip addr show && ip route show && ping -c 2 <gateway>
Practice quiz
–
Question 1 of 8
You run nmcli connection modify "ens3" ipv4.method manual ipv4.addresses "192.168.1.50/24" ipv4.gateway "192.168.1.1". The address does not appear on the interface. What step is missing?
nmcli connection modify writes changes to the connection profile on disk but does not apply them to the running interface. You must then run nmcli connection down "ens3" && nmcli connection up "ens3" (or just nmcli connection up) to activate the new settings. A reboot would work but is unnecessary and slow. Restarting NetworkManager disconnects all interfaces briefly.Question 2 of 8
Which command adds a second IP address 10.0.0.5/24 to interface ens3 without removing the existing address?
The
+ prefix on a property name in nmcli means "append to" rather than "replace." Without the +, Option A would replace the existing address with the new one. Option C uses ip addr add which is runtime-only and lost on reboot. Option D is not valid nmcli syntax.Question 3 of 8
You add a service rule with firewall-cmd --permanent --add-service=http but HTTP traffic is still blocked immediately after the command. Why?
--permanent writes the rule to disk so it survives reboots, but does not activate it in the currently running firewall. You must follow with firewall-cmd --reload to load the permanent rules into the runtime configuration. Alternatively, add the service twice — once without --permanent (immediate, non-persistent) and once with it (persistent).Question 4 of 8
Which command shows all TCP and UDP ports that are currently listening on the system, including the process name?
ss -tulnp: -t TCP, -u UDP, -l listening only, -n numeric ports (no name lookup), -p show process/PID. This is the modern replacement for netstat -tulnp. Option C only shows ports explicitly opened in firewalld, not what's actually listening. Option A shows network link status, not sockets.Question 5 of 8
A host at 192.168.1.20 needs to reach the 10.50.0.0/24 network through gateway 192.168.1.254. Which command adds this route persistently?
nmcli connection modify +ipv4.routes adds a static route to the NetworkManager connection profile, making it persistent across reboots. After modifying, run nmcli connection up "ens3" to apply. Options A and C add runtime-only routes lost after reboot. Option D references a non-existent file.Question 6 of 8
You need the system to resolve the name devserver to 10.0.0.99 without configuring a DNS server. What is the correct approach?
/etc/hosts provides static local hostname-to-IP mappings and is consulted before DNS by default. The correct entry format is IP hostname [aliases]: 10.0.0.99 devserver. Option A — /etc/resolv.conf only accepts nameserver, search, and domain keywords, not host entries. Option D adds 10.0.0.99 as a DNS server to query, not a local mapping.Question 7 of 8
What does a 169.254.x.x address on an interface indicate?
The
169.254.0.0/16 range is the Automatic Private IP Addressing (APIPA) / link-local range (RFC 3927). When a system configured for DHCP cannot reach a DHCP server, it self-assigns an address from this range so it can still communicate with other hosts on the same link. Seeing a 169.254.x.x address is almost always a sign that DHCP is not working — check network connectivity and DHCP server availability.Question 8 of 8
Which firewalld zone accepts all incoming traffic without any restrictions?
The
trusted zone accepts all incoming traffic with no restrictions — it is the most permissive zone. The public zone (default) blocks most incoming traffic except explicitly allowed services like ssh and dhcpv6-client. The internal and home zones are more permissive than public but still apply rules. Use trusted only on completely controlled internal networks.