IP-LINK(8)                           Linux                          IP-LINK(8)

NAME
       ip-link - network device configuration

SYNOPSIS
       ip link  { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ section NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr { flush | { add | del } MACADDR | set [ MACADDR [
               MACADDR [ ... ] ] ] } ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ] [ type
               ETYPE ] [ vrf NAME ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib | macvlan |
               macvtap | vcan | vxcan | veth | vlan | vxlan | ip6tnl | ipip |
               sit | gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |
               vti | nlmon | ipvlan | ipvtap | lowpan | geneve | vrf | macsec
               | netdevsim | rmnet ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

DESCRIPTION
   ip link add - add virtual link
       link DEVICE
              specifies the physical device to operate on.

              NAME specifies the name of the new virtual device.

              TYPE specifies the type of the new device.

              Link types:

                      bridge - Ethernet Bridge device

                      bond - Bonding device

                      dummy - Dummy network interface

                      hsr - High-availability Seamless Redundancy device

                      ifb - Intermediate Functional Block device

                      ipoib - IP over Infiniband device

                      macvlan - Virtual interface based on link layer address
                      (MAC)

                      macvtap - Virtual interface based on link layer address
                      (MAC) and TAP.

                      vcan - Virtual Controller Area Network interface

                      vxcan - Virtual Controller Area Network tunnel interface

                      veth - Virtual ethernet interface

                      vlan - 802.1q tagged virtual LAN interface

                      vxlan - Virtual eXtended LAN

                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

                      ipip - Virtual tunnel interface IPv4 over IPv4

                      sit - Virtual tunnel interface IPv6 over IPv4

                      gre - Virtual tunnel interface GRE over IPv4

                      gretap - Virtual L2 tunnel interface GRE over IPv4

                      erspan - Encapsulated Remote SPAN over GRE and IPv4

                      ip6gre - Virtual tunnel interface GRE over IPv6

                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6

                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6

                      vti - Virtual tunnel interface

                      nlmon - Netlink monitoring device

                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
                      TAP

                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
                      / Bluetooth

                      geneve - GEneric NEtwork Virtualization Encapsulation

                      macsec - Interface for IEEE 802.1AE MAC Security
                      (MACsec)

                      vrf - Interface for L3 VRF domains

                      netdevsim - Interface for netdev API tests

                      rmnet - Qualcomm rmnet device

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       index IDX
              specifies the desired index of the new virtual device. Link
              creation fails if the index is busy.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              ingress-qos-map QOS-MAP ] [ egress-qos-map QOS-MAP ]

                      protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                      id VLANID - specifies the VLAN Identifier to use. Note
                      that numbers with a leading "0" or "0x" are interpreted
                      as octal or hexadecimal, respectively.

                      reorder_hdr { on | off } - specifies whether ethernet
                      headers are reordered or not (default is on).

                          If reorder_hdr is on, the VLAN header is not
                          inserted immediately but only just before the packet
                          is passed to the physical device (if that device
                          does not support VLAN offloading). The RX direction
                          is similar: by default the packet is untagged before
                          being received by the VLAN device. Reordering
                          accelerates tagging on egress and hides the VLAN
                          header on ingress so that the packet looks like a
                          regular Ethernet packet. At the same time, it can be
                          confusing for packet capture, as the VLAN header
                          does not exist within the packet.

                          VLAN offloading can be checked by ethtool(8):

                              ethtool -k <phy_dev> | grep tx-vlan-offload

                          where <phy_dev> is the physical device to which the
                          VLAN device is bound.

                      gvrp { on | off } - specifies whether this VLAN should
                      be registered using GARP VLAN Registration Protocol.

                      mvrp { on | off } - specifies whether this VLAN should
                      be registered using Multiple VLAN Registration Protocol.

                      loose_binding { on | off } - specifies whether the VLAN
                      device state is bound to the physical device state.

                      ingress-qos-map QOS-MAP - defines a mapping of VLAN
                      header prio field to the Linux internal packet priority
                      on incoming frames. The format is FROM:TO with multiple
                      mappings separated by spaces.

                      egress-qos-map QOS-MAP - defines a mapping of Linux
                      internal packet priority to VLAN header prio field but
                      for outgoing frames. The format is the same as for
                      ingress-qos-map.

                          Linux packet priority can be set by iptables(8):

                              iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                          and this "4" priority can be used in the egress qos
                          mapping to set VLAN prio "5":

                              ip link set veth0.10 type vlan egress 4:5

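       Added example (not part of the manual): a POSIX sh pre-flight check
       for the VLAN arguments above. It prints the VLAN ID that a given id
       string selects under the octal/hexadecimal rule and validates a
       QOS-MAP. Function names are hypothetical; the 0-4094 ID range and the
       0-7 prio range are assumptions taken from 802.1Q, not from this page.

```shell
#!/bin/sh
# Added example, not from the ip-link manual. Function names are hypothetical.
# Assumptions: usable VLAN IDs are 0-4094 (802.1Q reserves 4095) and the VLAN
# header prio field is 3 bits wide (0-7).

# vlan_id_effective STRING
# Print the decimal VLAN ID that "id STRING" selects, applying the rule that a
# leading "0" means octal and a leading "0x" means hexadecimal.
vlan_id_effective() {
    [ "${#1}" -le 8 ] || return 1                 # bound the value before arithmetic
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0*)     case "$1" in *[!0-7]*) return 1 ;; esac ;;  # "09" is not valid octal
        ''|*[!0-9]*) return 1 ;;
    esac
    vid=$(( $1 ))                                 # input is validated, safe to expand
    [ "$vid" -le 4094 ] || return 1
    echo "$vid"
}

# vlan_qos_map_check DIRECTION "FROM:TO FROM:TO ..."
# DIRECTION is ingress or egress. The VLAN prio side of each pair (FROM on
# ingress, TO on egress) must fit the 3-bit prio field.
vlan_qos_map_check() {
    qdir=$1
    case "$qdir" in ingress|egress) ;; *) return 2 ;; esac
    # Only digits, colons and spaces may appear (this also blocks globbing).
    case "$2" in ''|*[!0-9:' ']*) return 1 ;; esac
    for qpair in $2; do
        case "$qpair" in
            *:*:*|:*|*:) return 1 ;;              # empty side or extra colon
            *:*) ;;
            *) return 1 ;;                        # no colon at all
        esac
        if [ "$qdir" = ingress ]; then
            qprio=${qpair%%:*}
        else
            qprio=${qpair#*:}
        fi
        [ "${#qprio}" -le 3 ] && [ "$qprio" -le 7 ] || return 1
    done
}

# Constructed sample input: ID strings as they might appear in a provisioning
# script. "010" silently becomes VLAN 8, which is the case worth catching.
for want in 10 010 0x10 09 4095; do
    if got=$(vlan_id_effective "$want"); then
        echo "id $want -> VLAN $got"
    else
        echo "id $want -> rejected"
    fi
done
```
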
       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV  ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
              ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
              ] [ [no]external ] [ gbp ] [ gpe ]

                      id VNI - specifies the VXLAN Network Identifier (or
                      VXLAN Segment Identifier) to use.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      group IPADDR - specifies the multicast IP address to
                      join.  This parameter cannot be specified with the
                      remote parameter.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets when the destination
                      link layer address is not known in the VXLAN device
                      forwarding database. This parameter cannot be specified
                      with the group parameter.

                      local IPADDR - specifies the source IP address to use in
                      outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - specifies the UDP destination port to
                      communicate to the remote VXLAN tunnel endpoint.

                      srcport MIN MAX - specifies the range of port numbers to
                      use as UDP source ports to communicate to the remote
                      VXLAN tunnel endpoint.

                      [no]learning - specifies if unknown source link layer
                      addresses and IP addresses are entered into the VXLAN
                      device forwarding database.

                      [no]rsc - specifies if route short circuit is turned on.

                      [no]proxy - specifies if ARP proxy is turned on.

                      [no]l2miss - specifies if netlink LLADDR miss
                      notifications are generated.

                      [no]l3miss - specifies if netlink IP ADDR miss
                      notifications are generated.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

                      ageing SECONDS - specifies the lifetime in seconds of
                      FDB entries learnt by the kernel.

                      maxaddress NUMBER - specifies the maximum number of FDB
                      entries.

                      [no]external - specifies whether an external control
                      plane (e.g. ip route encap) or the internal FDB should
                      be used.

                      gbp - enables the Group Policy extension (VXLAN-GBP).

                          Allows group policy context to be transported across
                          VXLAN network peers.  If enabled, includes the mark
                          of a packet in the VXLAN header for outgoing packets
                          and fills the packet mark based on the information
                          found in the VXLAN header for incoming packets.

                          Format of upper 16 bits of packet mark (flags):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            D := Don't Learn bit. When set, this bit indicates
                            that the egress VTEP MUST NOT learn the source
                            address of the encapsulated frame.

                            A := Indicates that the group policy has already
                            been applied to this packet. Policies MUST NOT be
                            applied by devices when the A bit is set.

                          Format of lower 16 bits of packet mark (policy ID):

                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            |        Group Policy ID        |
                            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Example:
                            iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                      gpe - enables the Generic Protocol extension
                      (VXLAN-GPE). Currently, this is only supported together
                      with the external keyword.

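       Added example (not part of the manual): POSIX sh helpers that build
       and decode a VXLAN-GBP packet mark using the two bit diagrams in the
       gbp description above, so a --set-mark value can be checked before it
       goes into a rule. Function names are hypothetical; the bit positions
       are read from the diagram, with the leftmost column taken as the most
       significant bit.

```shell
#!/bin/sh
# Added example, not from the ip-link manual. Function names are hypothetical.
# In the flags diagram D is the 10th column and A the 13th, counted from the
# most significant bit, i.e. bits 6 and 3 of the upper 16 bits of the mark.
GBP_DONT_LEARN=$(( (1 << 6) << 16 ))       # 0x400000
GBP_POLICY_APPLIED=$(( (1 << 3) << 16 ))   # 0x080000
GBP_ID_MASK=$(( 0xFFFF ))                  # lower 16 bits: Group Policy ID

# gbp_is_number STRING: accept plain decimal or 0x-prefixed hex only.
# Leading zeros are refused so nothing is silently read as octal.
gbp_is_number() {
    [ "${#1}" -le 10 ] || return 1
    case "$1" in
        0[xX]*) case "${1#0[xX]}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0) ;;
        0*|''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# gbp_mark_encode POLICY_ID [FLAGS]
# FLAGS is a string made of the letters D (Don't Learn) and A (policy already
# applied). Prints the mark in hex, ready for "--set-mark".
gbp_mark_encode() {
    gbp_id=$1 gbp_flags=${2:-}
    gbp_is_number "$gbp_id" || { echo "invalid policy id: $gbp_id" >&2; return 1; }
    [ $(( $gbp_id )) -le "$GBP_ID_MASK" ] || {
        echo "policy id does not fit in 16 bits: $gbp_id" >&2; return 1; }
    case "$gbp_flags" in
        *[!DA]*) echo "unknown flag in: $gbp_flags" >&2; return 1 ;;
    esac
    gbp_mark=$(( $gbp_id ))
    case "$gbp_flags" in *D*) gbp_mark=$(( gbp_mark | GBP_DONT_LEARN )) ;; esac
    case "$gbp_flags" in *A*) gbp_mark=$(( gbp_mark | GBP_POLICY_APPLIED )) ;; esac
    printf '0x%x\n' "$gbp_mark"
}

# gbp_mark_decode MARK
# Prints the policy ID, the D and A bits, and any other bits set in the flags
# half (shown as "reserved" so unexpected marks stand out in a review).
gbp_mark_decode() {
    gbp_is_number "$1" || { echo "invalid mark: $1" >&2; return 1; }
    gbp_mark=$(( $1 ))
    [ "$gbp_mark" -le $(( 0xFFFFFFFF )) ] || {
        echo "mark does not fit in 32 bits: $1" >&2; return 1; }
    gbp_upper=$(( (gbp_mark >> 16) & 0xFFFF ))
    printf 'policy_id=%d dont_learn=%d policy_applied=%d reserved=0x%x\n' \
        $(( gbp_mark & GBP_ID_MASK )) \
        $(( (gbp_mark & GBP_DONT_LEARN) != 0 )) \
        $(( (gbp_mark & GBP_POLICY_APPLIED) != 0 )) \
        $(( gbp_upper & ~0x48 & 0xFFFF ))
}

# The mark used in the manual's iptables example: A bit set, policy ID 255.
gbp_mark_decode 0x800FF
```
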
       VETH, VXCAN Type Support
              For a link of type VETH or VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                      peer name NAME - specifies the virtual pair device name
                      of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit }  remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [  [no]encap-remcsum ] [
              mode  { ip6ip | ipip | mplsip | any } ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      mode { ip6ip | ipip | mplsip | any } - specifies mode in
                      which device should run. "ip6ip" indicates
                      IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4",
                      "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                      IPv4 or MPLS Over IPv4. Supported for SIT where the
                      default is "ip6ip" and IPIP where the default is "ipip".
                      IPv6-Over-IPv4 is not supported for IPIP.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap }  remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets.

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      [no]pmtudisc - enables/disables Path MTU Discovery on
                      this tunnel.  It is enabled by default. Note that a
                      fixed ttl is incompatible with this option: tunneling
                      with a fixed ttl always makes pmtu discovery.

                      [no]ignore-df - enables/disables IPv4 DF suppression on
                      this tunnel.  Normally datagrams that exceed the MTU
                      will be fragmented; the presence of the DF flag inhibits
                      this, resulting instead in an ICMP Unreachable
                      (Fragmentation Required) message.  Enabling this
                      attribute causes the DF flag to be ignored.

                      dev PHYS_DEV - specifies the physical device to use for
                      tunnel endpoint communication.

                      encap { fou | gue | none } - specifies type of secondary
                      UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                      indicates Generic UDP Encapsulation.

                      encap-sport { PORT | auto } - specifies the source port
                      in UDP encapsulation.  PORT indicates the port by
                      number, "auto" indicates that the port number should be
                      chosen automatically (the kernel picks a flow based on
                      the flow hash of the encapsulated packet).

                      [no]encap-csum - specifies if UDP checksums are enabled
                      in the secondary encapsulation.

                      [no]encap-remcsum - specifies if Remote Checksum Offload
                      is enabled. This is only applicable for Generic UDP
                      Encapsulation.

                      external - make this tunnel externally controlled (e.g.
                      ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                      remote ADDR - specifies the remote IPv6 address of the
                      tunnel.

                      local ADDR - specifies the fixed local IPv6 address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      [no][i|o]seq - serialize packets.  The oseq flag enables
                      sequencing of outgoing packets.  The iseq flag requires
                      that all input packets are serialized.

                      [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                      KEY is either a number or an IPv4 address-like dotted
                      quad.  The key parameter specifies the same key to use
                      in both directions.  The ikey and okey parameters
                      specify different keys for input and output.

                      [no][i|o]csum - generate/require checksums for tunneled
                      packets.  The ocsum flag calculates checksums for
                      outgoing packets.  The icsum flag requires that all
                      input packets have the correct checksum. The csum flag
                      is equivalent to the combination icsum ocsum.

                      hoplimit TTL - specifies Hop Limit value to use in
                      outgoing packets.

                      encaplimit ELIM - specifies a fixed encapsulation limit.
                      Default is 4.

                      flowlabel FLOWLABEL - specifies a fixed flowlabel.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      tclass TCLASS - specifies the traffic class field on
                      tunneled packets, which can be specified as either a
                      two-digit hex value (e.g. c0) or a predefined string
                      (e.g. internet).  The value inherit causes the field to
                      be copied from the original IP header. The values
                      inherit/STRING or inherit/00..ff will set the field to
                      STRING or 00..ff when tunneling non-IP packets. The
                      default value is 00.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, seq, key,
                      csum, hoplimit, encaplimit, flowlabel and tclass
                      options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                      pkey PKEY - specifies the IB P-Key to use.

                      mode MODE - specifies the mode (datagram or connected)
                      to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                      remote ADDR - specifies the remote address of the
                      tunnel.

                      local ADDR - specifies the fixed local address for
                      tunneled packets.  It must be an address on another
                      interface on this host.

                      erspan_ver version - specifies the ERSPAN version
                      number.  version indicates the ERSPAN version to be
                      created: 1 for version 1 (type II) or 2 for version 2
                      (type III).

                      erspan IDX - specifies the ERSPAN v1 index field.  IDX
                      indicates a 20 bit index/port number associated with the
                      ERSPAN traffic's source port and direction.

                      erspan_dir { ingress | egress } - specifies the ERSPAN
                      v2 mirrored traffic's direction.

                      erspan_hwid hwid - a unique identifier of an ERSPAN v2
                      engine within a system.  hwid is a 6-bit value for users
                      to configure.

                      [no]allow-localremote - specifies whether to allow
                      remote endpoint to have an address configured on local
                      host.

                      external - make this tunnel externally controlled (or
                      not, which is the default).  In the kernel, this is
                      referred to as collect metadata mode.  This flag is
                      mutually exclusive with the remote, local, erspan_ver,
                      erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ]

                      id VNI - specifies the Virtual Network Identifier to
                      use.

                      remote IPADDR - specifies the unicast destination IP
                      address to use in outgoing packets.

                      ttl TTL - specifies the TTL value to use in outgoing
                      packets. "0" or "auto" means use whatever default value,
                      "inherit" means inherit the inner protocol's ttl.
                      Default option is "0".

                      tos TOS - specifies the TOS value to use in outgoing
                      packets.

                      df DF - specifies the usage of the Don't Fragment flag
                      (DF) bit in outgoing packets with IPv4 headers. The
                      value inherit causes the bit to be copied from the
                      original IP header. The values unset and set cause the
                      bit to be always unset or always set, respectively. By
                      default, the bit is not set.

                      flowlabel FLOWLABEL - specifies the flow label to use in
                      outgoing packets.

                      dstport PORT - select a destination port other than the
                      default of 6081.

                      [no]external - make this tunnel externally controlled
                      (or not, which is the default). This flag is mutually
                      exclusive with the id, remote, ttl, tos and flowlabel
                      options.

                      [no]udpcsum - specifies if UDP checksum is calculated
                      for transmitted packets over IPv4.

                      [no]udp6zerocsumtx - skip UDP checksum calculation for
                      transmitted packets over IPv6.

                      [no]udp6zerocsumrx - allow incoming UDP packets over
                      IPv6 with zero checksum field.

763       MACVLAN and MACVTAP Type Support
764              For a link of type MACVLAN or MACVTAP the following additional
765              arguments are supported:
766
767              ip link add link DEVICE name NAME type { macvlan | macvtap }
768              mode { private | vepa | bridge | passthru  [ nopromisc ] |
769              source }
770
771
772                      type { macvlan | macvtap } - specifies the link type to
773                      use.  macvlan creates just a virtual interface, while
774                      macvtap in addition creates a character device /dev/tapX
775                      to be used just like a tuntap device.
776
777                      mode private - Do not allow communication between
778                      macvlan instances on the same physical interface, even
779                      if the external switch supports hairpin mode.
780
781                      mode vepa - Virtual Ethernet Port Aggregator mode. Data
782                      from one macvlan instance to the other on the same phys‐
783                      ical interface is transmitted over the physical inter‐
784                      face. Either the attached switch needs to support hair‐
785                      pin mode, or there must be a TCP/IP router forwarding
786                      the packets in order to allow communication. This is the
787                      default mode.
788
789                      mode bridge - In bridge mode, all endpoints are directly
790                      connected to each other, communication is not redirected
791                      through the physical interface's peer.
792
793                      mode passthru [ nopromisc ] - This mode gives more power
794                      to a single endpoint, usually in macvtap mode. It is not
795                      allowed for more than one endpoint on the same physical
796                      interface. All traffic will be forwarded to this end‐
797                      point, allowing virtio guests to change MAC address or
798                      set promiscuous mode in order to bridge the interface or
799                      create vlan interfaces on top of it. By default, this
800                      mode forces the underlying interface into promiscuous
801                      mode. Passing the nopromisc flag prevents this, so the
802                      promisc flag may be controlled using standard tools.
803
804                      mode source - allows one to set a list of allowed MAC
805                      addresses, which is matched against the source MAC
806                      address of frames received on the underlying interface.
807                      This allows creating MAC-based VLAN associations,
808                      instead of the standard port- or tag-based ones. The
809                      feature is useful to deploy 802.1x MAC-based behavior
810                      where drivers of underlying interfaces do not allow that.
811
812
813       High-availability Seamless Redundancy (HSR) Support
814              For a link of type HSR the following additional arguments are
815              supported:
816
817              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
818              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
819
820
821                      type hsr - specifies the link type to use, here HSR.
822
823                      slave1 SLAVE1-IF - Specifies the physical device used
824                      for the first of the two ring ports.
825
826                      slave2 SLAVE2-IF - Specifies the physical device used
827                      for the second of the two ring ports.
828
829                      supervision ADDR-BYTE - The last byte of the multicast
830                      address used for HSR supervision frames.  Default option
831                      is "0", possible values 0-255.
832
833                      version { 0 | 1 } - Selects the protocol version of the
834                      interface. Default option is "0", which corresponds to
835                      the 2010 version of the HSR standard. Option "1" acti‐
836                      vates the 2012 version.
837
838
839       BRIDGE Type Support
840              For a link of type BRIDGE the following additional arguments are
841              supported:
842
843              ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
844              group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
845              FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
846              stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
847              VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
848              vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
849              VLAN_STATS_ENABLED ] [ mcast_snooping MULTICAST_SNOOPING ] [
850              mcast_router MULTICAST_ROUTER ] [ mcast_query_use_ifaddr
851              MCAST_QUERY_USE_IFADDR ] [ mcast_querier MULTICAST_QUERIER ] [
852              mcast_hash_elasticity HASH_ELASTICITY ] [ mcast_hash_max
853              HASH_MAX ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
854              mcast_startup_query_count STARTUP_QUERY_COUNT ] [
855              mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
856              bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
857              QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
858              mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
859              mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
860              mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
861              IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
862              bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
863              [ nf_call_arptables NF_CALL_ARPTABLES ]
864
865
866                      ageing_time AGEING_TIME - configure the bridge's FDB
867                      entries ageing time, i.e. the number of seconds a MAC
868                      address will be kept in the FDB after a packet has been
869                      received from that address. After this time has passed,
870                      entries are cleaned up.
871
872                      group_fwd_mask MASK - set the group forward mask. This
873                      is the bitmask that is applied to decide whether to for‐
874                      ward incoming frames destined to link-local addresses,
875                      i.e. addresses of the form 01:80:C2:00:00:0X (defaults to
876                      0, i.e. the bridge does not forward any link-local
877                      frames).
878
879                      group_address ADDRESS - set the MAC address of the mul‐
880                      ticast group this bridge uses for STP.  The address must
881                      be a link-local address in standard Ethernet MAC address
882                      format, i.e. an address of the form 01:80:C2:00:00:0X,
883                      with X in [0, 4..f].
884
885                      forward_delay FORWARD_DELAY - set the forwarding delay
886                      in seconds, i.e. the time spent in LISTENING state (before
887                      moving to LEARNING) and in LEARNING state (before moving
888                      to FORWARDING). Only relevant if STP is enabled. Valid
889                      values are between 2 and 30.
890
891                      hello_time HELLO_TIME - set the time in seconds between
892                      hello packets sent by the bridge, when it is a root
893                      bridge or a designated bridge. Only relevant if STP is
894                      enabled. Valid values are between 1 and 10.
895
896                      max_age MAX_AGE - set the hello packet timeout, i.e. the
897                      time in seconds until another bridge in the spanning
898                      tree is assumed to be dead, after reception of its last
899                      hello message. Only relevant if STP is enabled. Valid
900                      values are between 6 and 40.
901
902                      stp_state STP_STATE - turn spanning tree protocol on
903                      (STP_STATE > 0) or off (STP_STATE == 0) for this
904                      bridge.
905
906                      priority PRIORITY - set this bridge's spanning tree pri‐
907                      ority, used during STP root bridge election.  PRIORITY
908                      is a 16-bit unsigned integer.
909
910                      vlan_filtering VLAN_FILTERING - turn VLAN filtering on
911                      (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0).  When
912                      disabled, the bridge will not consider the VLAN tag when
913                      handling packets.
914
915                      vlan_protocol { 802.1Q | 802.1ad } - set the protocol
916                      used for VLAN filtering.
917
918                      vlan_default_pvid VLAN_DEFAULT_PVID - set the default
919                      PVID (native/untagged VLAN ID) for this bridge.
920
921                      vlan_stats_enabled VLAN_STATS_ENABLED - enable
922                      (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
923                      == 0) per-VLAN stats accounting.
924
925                      mcast_snooping MULTICAST_SNOOPING - turn multicast
926                      snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
927                      CAST_SNOOPING == 0).
928
929                      mcast_router MULTICAST_ROUTER - set bridge's multicast
930                      router if IGMP snooping is enabled.  MULTICAST_ROUTER is
931                      an integer value having the following meaning:
932
933                              0 - disabled.
934
935                              1 - automatic (queried).
936
937                              2 - permanently enabled.
938
939                      mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
940                      to use the bridge's own IP address as source address for
941                      IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
942                      of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
943
944                      mcast_querier MULTICAST_QUERIER - enable (MULTI‐
945                      CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
946                      IGMP querier, i.e. sending of multicast queries by the
947                      bridge (default: disabled).
948
949                      mcast_querier_interval QUERIER_INTERVAL - interval
950                      between queries sent by other routers. If no queries are
951                      seen after this delay has passed, the bridge will start
952                      to send its own queries (as if mcast_querier was
953                      enabled).
954
955                      mcast_hash_elasticity HASH_ELASTICITY - set multicast
956                      database hash elasticity, i.e. the maximum chain length in
957                      the multicast hash table (defaults to 4).
958
959                      mcast_hash_max HASH_MAX - set maximum size of multicast
960                      hash table (defaults to 512, value must be a power of
961                      2).
962
963                      mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
964                      cast last member count, i.e. the number of queries the
965                      bridge will send before stopping forwarding a multicast
966                      group after a "leave" message has been received
967                      (defaults to 2).
968
969                      mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
970                      val between queries to find remaining members of a
971                      group, after a "leave" message is received.
972
973                      mcast_startup_query_count STARTUP_QUERY_COUNT - set the
974                      number of IGMP queries to send during startup phase
975                      (defaults to 2).
976
977                      mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
978                      interval between queries in the startup phase.
979
980                      mcast_query_interval QUERY_INTERVAL - interval between
981                      queries sent by the bridge after the end of the startup
982                      phase.
983
984                      mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
985                      set the Max Response Time/Maximum Response Delay for
986                      IGMP/MLD queries sent by the bridge.
987
988                      mcast_membership_interval MEMBERSHIP_INTERVAL - delay
989                      after which the bridge will leave a group, if no member‐
990                      ship reports for this group are received.
991
992                      mcast_stats_enabled MCAST_STATS_ENABLED - enable
993                      (MCAST_STATS_ENABLED > 0) or disable
994                      (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
995                      accounting.
996
997                      mcast_igmp_version IGMP_VERSION - set the IGMP version.
998
999                      mcast_mld_version MLD_VERSION - set the MLD version.
1000
1001                      nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1002                      ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1003                      hooks on the bridge.
1004
1005                      nf_call_ip6tables NF_CALL_IP6TABLES - enable
1006                      (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1007                      0) ip6tables hooks on the bridge.
1008
1009                      nf_call_arptables NF_CALL_ARPTABLES - enable
1010                      (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1011                      0) arptables hooks on the bridge.
1012
1013
1014
1015
1016       MACsec Type Support
1017              For a link of type MACsec the following additional arguments are
1018              supported:
1019
1020              ip link add link DEVICE name NAME type macsec [ [ address
1021              <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1022              icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1023              off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1024              tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1025              [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1026              ]
1027
1028
1029                      address <lladdr> - sets the system identifier component
1030                      of secure channel for this MACsec device.
1031
1032
1033                      port PORT - sets the port number component of secure
1034                      channel for this MACsec device, in a range from 1 to
1035                      65535 inclusive. Numbers with a leading "0" or "0x"
1036                      are interpreted as octal and hexadecimal, respectively.
1037
1038
1039                      sci SCI - sets the secure channel identifier for this
1040                      MACsec device.  SCI is a 64-bit wide number in
1041                      hexadecimal format.
1042
1043
1044                      cipher CIPHER_SUITE - defines the cipher suite to use.
1045
1046
1047                      icvlen LENGTH - sets the length of the Integrity Check
1048                      Value (ICV).
1049
1050
1051                      encrypt on or encrypt off - switches between authenti‐
1052                      cated encryption, or authenticity mode only.
1053
1054
1055                      send_sci on or send_sci off - specifies whether the SCI
1056                      is included in every packet, or only when it is neces‐
1057                      sary.
1058
1059
1060                      end_station on or end_station off - sets the End Station
1061                      bit.
1062
1063
1064                      scb on or scb off - sets the Single Copy Broadcast bit.
1065
1066
1067                      protect on or protect off - enables MACsec protection on
1068                      the device.
1069
1070
1071                      replay on or replay off - enables replay protection on
1072                      the device.
1073
1074
1075
1076                              window SIZE - sets the size of the replay win‐
1077                              dow.
1078
1079
1080
1081                      validate strict or validate check or validate disabled -
1082                      sets the validation mode on the device.
1083
1084
1085                      encodingsa AN - sets the active secure association for
1086                      transmission.
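
The MACsec options above, used as a review check on a proposed command line before it is applied. This is an added example, not part of the original manual or of iproute2; the policy (every protection switched on explicitly) and the MACSEC_MAX_WINDOW variable are assumptions of the example, and the command lines at the end are constructed.

```shell
#!/bin/sh
# Added example, not part of the ip-link manual or of iproute2.
# Policy (assumption of this example): every MACsec protection listed in the
# manual must be switched on explicitly, so the result never depends on
# built-in defaults. MACSEC_MAX_WINDOW is a hypothetical tuning knob.

# macsec_lint "COMMAND LINE"
# Prints one finding per line; prints nothing when the policy is met.
# The body runs in a subshell "( ... )" so its variables do not leak.
macsec_lint() (
    max_window=${MACSEC_MAX_WINDOW:-128}
    in_macsec='' prev='' encrypt='' protect='' replay='' window=''
    validate='' icvlen=''

    set -f              # split the string into words without globbing
    set -- $1
    set +f

    for word in "$@"; do
        if [ -z "$in_macsec" ]; then
            # Options only count after "type macsec"; this keeps a device
            # that happens to be named "encrypt" from confusing the parser.
            if [ "$prev" = type ] && [ "$word" = macsec ]; then
                in_macsec=1
            fi
        else
            case "$prev" in
                encrypt)  encrypt=$word ;;
                protect)  protect=$word ;;
                replay)   replay=$word ;;
                window)   window=$word ;;
                validate) validate=$word ;;
                icvlen)   icvlen=$word ;;
            esac
        fi
        prev=$word
    done

    if [ -z "$in_macsec" ]; then
        echo "type: not a 'type macsec' link definition"
    else
        [ "$encrypt" = on ] ||
            echo "encrypt: '${encrypt:-unset}', policy requires explicit 'encrypt on'"
        [ "$protect" = on ] ||
            echo "protect: '${protect:-unset}', policy requires explicit 'protect on'"
        [ "$validate" = strict ] ||
            echo "validate: '${validate:-unset}', policy requires 'validate strict'"

        if [ "$replay" != on ]; then
            echo "replay: '${replay:-unset}', policy requires 'replay on window N'"
        else
            # A wider window accepts more late or repeated packet numbers.
            case "$window" in
                ''|*[!0-9]*)
                    echo "window: replay is on but no numeric window was given" ;;
                *)
                    [ "$window" -le "$max_window" ] ||
                        echo "window: $window exceeds the allowed maximum $max_window" ;;
            esac
        fi

        # icvlen is optional; only an explicitly shortened ICV is reported.
        case "$icvlen" in
            ''|*[!0-9]*) ;;
            *)
                [ "$icvlen" -ge 16 ] ||
                    echo "icvlen: $icvlen is below 16, the longest ICV the manual allows" ;;
        esac
    fi
    true
)

# Constructed command lines for demonstration.
echo "--- weak definition:"
macsec_lint 'ip link add link eth0 name macsec0 type macsec port 1 encrypt off validate check'
echo "--- explicit definition (no findings expected):"
macsec_lint 'ip link add link eth0 name macsec0 type macsec port 1 encrypt on protect on replay on window 32 validate strict'
```
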
1087
1088
1089
1090       VRF Type Support
1091              For a link of type VRF the following additional arguments are
1092              supported:
1093
1094              ip link add DEVICE type vrf table TABLE
1095
1096
1097                      table TABLE - table id associated with VRF device
1098
1099
1100
1101       RMNET Type Support
1102              For a link of type RMNET the following additional arguments are
1103              supported:
1104
1105              ip link add link DEVICE name NAME type rmnet mux_id MUXID
1106
1107
1108                      mux_id MUXID - specifies the mux identifier for the
1109                      rmnet device, possible values 1-254.
1110
1111
1112
1113   ip link delete - delete virtual link
1114       dev DEVICE
1115              specifies the virtual device to operate on.
1116
1117
1118       group GROUP
1119              specifies the group of virtual links to delete. Group 0 is not
1120              allowed to be deleted since it is the default group.
1121
1122
1123       type TYPE
1124              specifies the type of the device.
1125
1126
1127   ip link set - change device attributes
1128       Warning: If multiple parameter changes are requested, ip aborts immedi‐
1129       ately after any of the changes have failed.  This is the only case when
1130       ip can move the system to an unpredictable state. The solution is to
1131       avoid changing several parameters with one ip link set call.
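
One way to follow the advice in the warning above: issue one ip link set call per attribute and stop at the first failure, so the set of applied changes is always known. This is an added example, not part of the original manual or of iproute2; ip_link_set_each, IP_BIN and demo_ip are hypothetical names, and demo_ip is a constructed stand-in for ip so the example runs without root.

```shell
#!/bin/sh
# Added example, not part of the ip-link manual or of iproute2.

# ip_link_set_each DEVICE "CHANGE" ["CHANGE" ...]
# Each CHANGE is one attribute change exactly as it would follow
# "ip link set dev DEVICE", for example "mtu 9000" or "txqueuelen 2000".
# IP_BIN (assumption of this example) names the command to run; default "ip".
# Returns 0 when every change was applied, otherwise the status of the
# first failing call; nothing after the failing change is attempted.
ip_link_set_each() {
    _dev=$1
    shift
    _done=0
    for _change in "$@"; do
        set -f      # "mtu 9000" must split into two words, but never glob
        if "${IP_BIN:-ip}" link set dev "$_dev" $_change; then
            _rc=0
        else
            _rc=$?
        fi
        set +f
        if [ "$_rc" -ne 0 ]; then
            echo "FAILED:  $_change ($_done applied before it," \
                 "$(( $# - _done - 1 )) not attempted)" >&2
            return "$_rc"
        fi
        _done=$((_done + 1))
        echo "applied: $_change"
    done
    return 0
}

# Constructed stand-in for ip: prints the call and rejects one MTU value.
demo_ip() {
    case "$*" in
        *"mtu 99999"*)
            echo "demo_ip: rejecting '$*'" >&2
            return 1 ;;
    esac
    echo "+ ip $*"
}

# Demonstration: the second change fails, the third is never sent.
IP_BIN=demo_ip
ip_link_set_each eth0 "txqueuelen 2000" "mtu 99999" "alias uplink" || true
unset IP_BIN
```
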
1132
1133
1134       dev DEVICE
1135              DEVICE specifies network device to operate on. When configuring
1136              SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1137              ify the associated Physical Function (PF) device.
1138
1139
1140       group GROUP
1141              GROUP has a dual role: If both group and dev are present, then
1142              move the device to the specified group. If only a group is spec‐
1143              ified, then the command operates on all devices in that group.
1144
1145
1146       up and down
1147              change the state of the device to UP or DOWN.
1148
1149
1150       arp on or arp off
1151              change the NOARP flag on the device.
1152
1153
1154       multicast on or multicast off
1155              change the MULTICAST flag on the device.
1156
1157
1158       protodown on or protodown off
1159              change the PROTODOWN state on the device. Indicates that a pro‐
1160              tocol error has been detected on the port. Switch drivers can
1161              react to this error by doing a phys down on the switch port.
1162
1163
1164       dynamic on or dynamic off
1165              change the DYNAMIC flag on the device. Indicates that address
1166              can change when interface goes down (currently NOT used by
1167              Linux).
1168
1169
1170       name NAME
1171              change the name of the device. This operation is not recommended
1172              if the device is running or has some addresses already config‐
1173              ured.
1174
1175
1176       txqueuelen NUMBER
1177
1178       txqlen NUMBER
1179              change the transmit queue length of the device.
1180
1181
1182       mtu NUMBER
1183              change the MTU of the device.
1184
1185
1186       address LLADDRESS
1187              change the station address of the interface.
1188
1189
1190       broadcast LLADDRESS
1191
1192       brd LLADDRESS
1193
1194       peer LLADDRESS
1195              change the link layer broadcast address or the peer address when
1196              the interface is POINTOPOINT.
1197
1198
1199       netns NETNSNAME | PID
1200              move the device to the network namespace associated with name
1201              NETNSNAME or process PID.
1202
1203              Some devices are not allowed to change network namespace: loop‐
1204              back, bridge, ppp, wireless. These are network namespace local
1205              devices. In such a case the ip tool will return an "Invalid
1206              argument" error. To find out whether a device is local to a
1207              single network namespace, check the netns-local flag in the
1208              output of ethtool:
1209
1210                      ethtool -k DEVICE
1211
1212              To change network namespace for wireless devices the iw tool can
1213              be used. But it can change the network namespace only for
1214              physical devices and only by process PID.
1215
1216
1217       alias NAME
1218              give the device a symbolic name for easy reference.
1219
1220
1221       group GROUP
1222              specify the group the device belongs to.  The available groups
1223              are listed in file /etc/iproute2/group.
1224
1225
1226       vf NUM specify a Virtual Function device to be configured. The associ‐
1227              ated PF device must be specified using the dev parameter.
1228
1229                      mac LLADDRESS - change the station address for the spec‐
1230                      ified VF. The vf parameter must be specified.
1231
1232
1233                      vlan VLANID - change the assigned VLAN for the specified
1234                      VF. When specified, all traffic sent from the VF will be
1235                      tagged with the specified VLAN ID. Incoming traffic will
1236                      be filtered for the specified VLAN ID, and will have all
1237                      VLAN tags stripped before being passed to the VF. Set‐
1238                      ting this parameter to 0 disables VLAN tagging and fil‐
1239                      tering. The vf parameter must be specified.
1240
1241
1242                      qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1243                      VLAN tag. When specified, all VLAN tags transmitted by
1244                      the VF will include the specified priority bits in the
1245                      VLAN tag. If not specified, the value is assumed to be
1246                      0. Both the vf and vlan parameters must be specified.
1247                      Setting both vlan and qos as 0 disables VLAN tagging and
1248                      filtering for the VF.
1249
1250
1251                      proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1252                      tag, either 802.1Q or 802.1ad.  Setting to 802.1ad, all
1253                      traffic sent from the VF will be tagged with VLAN S-Tag.
1254                      Incoming traffic will have VLAN S-Tags stripped before
1255                      being passed to the VF.  Setting to 802.1ad also enables
1256                      an option to concatenate another VLAN tag, so both S-TAG
1257                      and C-TAG will be inserted/stripped for outgoing/incom‐
1258                      ing traffic, respectively.  If not specified, the value
1259                      is assumed to be 802.1Q. Both the vf and vlan parameters
1260                      must be specified.
1261
1262
1263                      rate TXRATE - change the allowed transmit bandwidth, in
1264                      Mbps, for the specified VF.  Setting this parameter to 0
1265                      disables rate limiting.  vf parameter must be specified.
1266                      Please use new API max_tx_rate option instead.
1267
1268
1269                      max_tx_rate TXRATE - change the allowed maximum transmit
1270                      bandwidth, in Mbps, for the specified VF.  Setting this
1271                      parameter to 0 disables rate limiting.  vf parameter
1272                      must be specified.
1273
1274
1275                      min_tx_rate TXRATE - change the allowed minimum transmit
1276                      bandwidth, in Mbps, for the specified VF.  Minimum
1277                      TXRATE should be always <= Maximum TXRATE.  Setting this
1278                      parameter to 0 disables rate limiting.  vf parameter
1279                      must be specified.
1280
1281
1282                      spoofchk on|off - turn packet spoof checking on or off
1283                      for the specified VF.
1284
1285                      query_rss on|off - toggle the ability of querying the
1286                      RSS configuration of a specific VF. VF RSS information
1287                      like RSS hash key may be considered sensitive on some
1288                      devices where this information is shared between VF and
1289                      PF and thus its querying may be prohibited by default.
1290
1291                      state auto|enable|disable - set the virtual link state
1292                      as seen by the specified VF. Setting to auto means a
1293                      reflection of the PF link state, enable lets the VF
1294                      communicate with other VFs on this host even if the PF
1295                      link state is down, disable causes the HW to drop any
1296                      packets sent by the VF.
1297
1298                      trust on|off - trust the specified VF user. This allows
1299                      the VF user to set specific features which may impact
1300                      security and/or performance (e.g. VF multicast promis‐
1301                      cuous mode).
1302
1303                      node_guid eui64 - configure node GUID for Infiniband
1304                      VFs.
1305
1306                      port_guid eui64 - configure port GUID for Infiniband
1307                      VFs.
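
The per-VF settings above (spoofchk, trust, query_rss) can be audited from the output of ip link show. This is an added example, not part of the original manual or of iproute2; the sample output is constructed, and the per-VF field wording it matches ("spoof checking", "trust", "query_rss") is an assumption that should be checked against the local iproute2 version.

```shell
#!/bin/sh
# Added example, not part of the ip-link manual or of iproute2.

# Constructed sample of "ip link show" output: one PF with three VFs and a
# second PF without VFs. The per-VF field wording is an assumption; it
# differs between iproute2 versions.
sample_ip_link_show() {
    cat <<'EOF'
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:00 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 02:00:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 02:00:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state enable, trust on, query_rss off
    vf 2     link/ether 02:00:00:aa:bb:03 brd ff:ff:ff:ff:ff:ff, vlan 200, spoof checking on, link-state auto, trust off, query_rss on
5: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:cc:00 brd ff:ff:ff:ff:ff:ff
EOF
}

# vf_audit: reads "ip link show" text on stdin. For every VF setting that is
# in its permissive state it prints one line:
#   PF vf N: SETTING => command that restores the restrictive value
# The commands use only the syntax documented in this manual.
vf_audit() {
    awk '
        /^[0-9]+: / {                     # "4: enp3s0f0: <...>" starts a device
            pf = $2
            sub(/:$/, "", pf)             # drop the trailing colon
            sub(/@.*$/, "", pf)           # drop an "@parent" suffix if present
            next
        }
        $1 == "vf" && $2 ~ /^[0-9]+$/ {   # one line per VF, listed under its PF
            report("spoof checking off", "spoofchk", "on")
            report("trust on", "trust", "off")
            report("query_rss on", "query_rss", "off")
        }
        function report(text, opt, want) {
            if (index($0, text))
                printf "%s vf %s: %s => ip link set dev %s vf %s %s %s\n",
                       pf, $2, text, pf, $2, opt, want
        }
    '
}

# Demonstration on the constructed sample.
sample_ip_link_show | vf_audit
```

On a host with SR-IOV devices the same function can be fed with `ip link show | vf_audit`; a finding is a prompt for review, since a VF may be trusted on purpose.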
1308
1309
1310       xdp object | pinned | off
1311              set (or unset) an XDP ("eXpress Data Path") BPF program to run on
1312              every packet at driver level.  ip link output will indicate an
1313              xdp flag for the networking device. If the driver does not have
1314              native XDP support, the kernel will fall back to a slower,
1315              driver-independent "generic" XDP variant. The ip link output
1316              will in that case indicate xdpgeneric instead of xdp only. If
1317              the driver does have native XDP support, but the program is
1318              loaded under xdpgeneric object | pinned then the kernel will use
1319              the generic XDP variant instead of the native one.  xdpdrv has
1320              the opposite effect: it requests that the automatic fallback to
1321              the generic XDP variant be disabled, so that an error is
1322              returned if the driver is not XDP-capable.  xdpdrv also disables
1323              hardware offloads.  xdpoffload in ip link output indicates that
1324              the program has been offloaded to hardware and can also be used
1325              to request the "offload" mode; much like xdpgeneric, it forces
1326              the program to be installed specifically in HW/FW of the adapter.
1327
1328              off (or none ) - Detaches any currently attached XDP/BPF program
1329              from the given device.
1330
1331              object FILE - Attaches an XDP/BPF program to the given device.
1332              The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1333              contains the BPF program code, map specifications, etc. If an
1334              XDP/BPF program is already attached to the given device, an
1335              error will be thrown. If no XDP/BPF program is currently
1336              attached, the device supports XDP and the program from the BPF
1337              ELF file passes the kernel verifier, then it will be attached to
1338              the device. If the option -force is passed to ip then any prior
1339              attached XDP/BPF program will be atomically overridden and no
1340              error will be thrown in this case. If no section option is
1341              passed, then the default section name ("prog") will be assumed,
1342              otherwise the provided section name will be used. If no verbose
1343              option is passed, then a verifier log will only be dumped on
1344              load error.  See also EXAMPLES section for usage examples.
1345
1346              section NAME - Specifies a section name that contains the BPF
1347              program code. If no section name is specified, the default one
1348              ("prog") will be used. This option is to be passed with the
1349              object option.
1350
1351              verbose - Act in verbose mode. For example, even in case of suc‐
1352              cess, this will print the verifier log in case a program was
1353              loaded from a BPF ELF file.
1354
1355              pinned FILE - Attaches an XDP/BPF program to the given device.
1356              The FILE points to an already pinned BPF program in the BPF file
1357              system. The option section doesn't apply here, but otherwise
1358              semantics are the same as with the option object described
1359              already.
1360
1361
1362       master DEVICE
1363              set master device of the device (enslave device).
1364
1365
1366       nomaster
1367              unset master device of the device (release device).
1368
1369
1370       addrgenmode eui64|none|stable_secret|random
1371              set the IPv6 address generation mode
1372
1373              eui64 - use a Modified EUI-64 format interface identifier
1374
1375              none - disable automatic address generation
1376
1377              stable_secret - generate the interface identifier based on a
1378              preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1379
1380              random - like stable_secret, but auto-generate a new random
1381              secret if none is set
1382
1383
1384       link-netnsid
1385              set peer netnsid for a cross-netns interface
1386
1387
1388       type ETYPE TYPE_ARGS
1389              Change type-specific settings. For a list of supported types and
1390              arguments refer to the description of ip link add above. In
1391              addition to that, it is possible to manipulate settings of slave
1392              devices:
1393
1394
1395       Bridge Slave Support
1396              For a link with master bridge the following additional arguments
1397              are supported:
1398
1399              ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1400              priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1401              on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1402              } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1403              { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1404              MULTICAST_ROUTER ] [ mcast_fast_leave { on | off } ] [
1405              mcast_flood { on | off } ] [ group_fwd_mask MASK ] [
1406              neigh_suppress { on | off } ] [ vlan_tunnel { on | off } ] [
1407              isolated { on | off } ] [ backup_port DEVICE ] [ nobackup_port ]
1408
1409
1410                      fdb_flush - flush bridge slave's fdb dynamic entries.
1411
1412                      state STATE - Set port state.  STATE is a number
1413                      representing the following states: 0 (disabled), 1
1414                      (listening), 2 (learning), 3 (forwarding), 4 (blocking).
1415
1416                      priority PRIO - set port priority (allowed values are
1417                      between 0 and 63, inclusively).
1418
1419                      cost COST - set port cost (allowed values are between 1
1420                      and 65535, inclusively).
1421
1422                      guard { on | off } - block incoming BPDU packets on this
1423                      port.
1424
1425                      hairpin { on | off } - enable hairpin mode on this port.
1426                      This will allow incoming packets on this port to be
1427                      reflected back.
1428
1429                      fastleave { on | off } - enable multicast fast leave on
1430                      this port.
1431
1432                      root_block { on | off } - block this port from becoming
1433                      the bridge's root port.
1434
1435                      learning { on | off } - allow MAC address learning on
1436                      this port.
1437
1438                      flood { on | off } - open the flood gates on this port,
1439                      i.e. forward all unicast frames to this port also.
1440                      Requires proxy_arp and proxy_arp_wifi to be turned off.
1441
1442                      proxy_arp { on | off } - enable proxy ARP on this port.
1443
1444                      proxy_arp_wifi { on | off } - enable proxy ARP on this
1445                      port which meets extended requirements by IEEE 802.11
1446                      and Hotspot 2.0 specifications.
1447
1448                      mcast_router MULTICAST_ROUTER - configure this port for
1449                      having multicast routers attached. A port with a
1450                      multicast router will receive all multicast traffic.
1451                      MULTICAST_ROUTER may be either 0 to disable multicast routers
1452                      on this port, 1 to let the system detect the presence of
1453                      routers (this is the default), 2 to permanently
1454                      enable multicast traffic forwarding on this port or 3 to
1455                      enable multicast routers temporarily on this port, not
1456                      depending on incoming queries.
1457
1458                      mcast_fast_leave { on | off } - this is a synonym to the
1459                      fastleave option above.
1460
1461                      mcast_flood { on | off } - controls whether a given port
1462                      will flood multicast traffic for which there is no MDB
1463                      entry.
1464
1465                      group_fwd_mask MASK - set the group forward mask. This
1466                      is the bitmask that is applied to decide whether to
1467                      forward incoming frames destined to link-local addresses,
1468                      i.e. addresses of the form 01:80:C2:00:00:0X (defaults to
1469                      0, i.e. the bridge does not forward any link-local frames
1470                      coming on this port).
1471
1472                      neigh_suppress { on | off } - controls whether neigh
1473                      discovery (arp and nd) proxy and suppression is enabled
1474                      on the port. By default this flag is off.
1475
1476                      vlan_tunnel { on | off } - controls whether vlan to
1477                      tunnel mapping is enabled on the port. By default this flag
1478                      is off.
1479
1480                      backup_port DEVICE - if the port loses carrier all
1481                      traffic will be redirected to the configured backup port.
1482
1483                      nobackup_port - removes the currently configured backup
1484                      port.
1485
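The following audit script is an added example, not part of the original manpage or of iproute2. It checks each bridge port for the guard, root_block and group_fwd_mask settings described above. The input layout of `ip -d link show`, the sample listing and the policy that every port is an untrusted edge port are assumptions.

```shell
#!/bin/sh
# Added example: audit bridge ports for guard, root_block and group_fwd_mask.
# Assumed input layout (as printed by `ip -d link show`): a header line
# "N: NAME: <FLAGS> ..." followed by an indented "bridge_slave KEY VALUE ..." line.

# Constructed sample, not captured from a real host.
SAMPLE='4: veth-a@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state UP
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off learning on flood on group_fwd_mask 0
5: veth-b@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state UP
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard on root_block on learning on flood on group_fwd_mask 0x4008
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'

# Reads the listing on stdin, prints one finding per line.
# Policy (assumption): every bridge port is an untrusted edge port.
audit_bridge_ports() {
    awk '
    # Portable hex parser (strtonum is gawk-only); mask is assumed hex.
    function hex2num(s,    n, i, d) {
        s = tolower(s); sub(/^0x/, "", s); n = 0
        for (i = 1; i <= length(s); i++) {
            d = index("0123456789abcdef", substr(s, i, 1)) - 1
            if (d < 0) return 0
            n = n * 16 + d
        }
        return n
    }
    /^[0-9]+: / { dev = $2; sub(/:$/, "", dev); sub(/@.*/, "", dev); next }
    $1 == "bridge_slave" {
        guard = root = mask = ""
        for (i = 2; i < NF; i++) {
            if ($i == "guard") guard = $(i + 1)
            if ($i == "root_block") root = $(i + 1)
            if ($i == "group_fwd_mask") mask = $(i + 1)
        }
        if (guard != "on") print dev ": guard is not on (BPDUs accepted)"
        if (root != "on") print dev ": root_block is not on"
        # Bit X of the mask enables forwarding of 01:80:C2:00:00:0X.
        m = hex2num(mask)
        for (x = 0; x < 16; x++)
            if (int(m / 2 ^ x) % 2 == 1)
                printf "%s: forwards 01:80:C2:00:00:%02X\n", dev, x
    }'
}

# On a live host: ip -d link show | audit_bridge_ports
printf '%s\n' "$SAMPLE" | audit_bridge_ports
```
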
1486
1487
1488       Bonding Slave Support
1489              For a link with master bond the following additional arguments
1490              are supported:
1491
1492              ip link set type bond_slave [ queue_id ID ]
1493
1494
1495                      queue_id ID - set the slave's queue ID (a 16bit unsigned
1496                      value).
1497
1498
1499
1500       MACVLAN and MACVTAP Support
1501              Modify list of allowed macaddr for link in source mode.
1502
1503              ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
1504              ...  ]
1505
1506              Commands:
1507                      add - add MACADDR to allowed list
1508
1509                      set - replace allowed list
1510
1511                      del - remove MACADDR from allowed list
1512
1513                      flush - flush whole allowed list
1514
1515
1516
1517
1518   ip link show - display device attributes
1519       dev NAME (default)
1520              NAME specifies the network device to show.  If this argument is
1521              omitted all devices in the default group are listed.
1522
1523
1524       group GROUP
1525              GROUP specifies what group of devices to show.
1526
1527
1528       up     only display running interfaces.
1529
1530
1531       master DEVICE
1532              DEVICE specifies the master device which enslaves devices to
1533              show.
1534
1535
1536       vrf NAME
1537              NAME specifies the VRF which enslaves devices to show.
1538
1539
1540       type TYPE
1541              TYPE specifies the type of devices to show.
1542
1543              Note that the type name is not checked against the list of
1544              supported types - instead it is sent as-is to the kernel. Later it
1545              is used to filter the returned interface list by comparing it
1546              with the relevant attribute in case the kernel didn't filter
1547              already. Therefore any string is accepted, but may lead to empty
1548              output.
1549
1550
1551   ip link xstats - display extended statistics
1552       type TYPE
1553              TYPE specifies the type of devices to display extended
1554              statistics for.
1555
1556
1557   ip link afstats - display address-family specific statistics
1558       dev DEVICE
1559              DEVICE specifies the device to display address-family statistics
1560              for.
1561
1562
1563   ip link help - display help
1564       TYPE specifies which link type to display help for.
1565
1566
1567   GROUP
1568       may be a number or a string from the file /etc/iproute2/group which can
1569       be manually filled.
1570
1571

EXAMPLES

1573       ip link show
1574           Shows the state of all network interfaces on the system.
1575
1576       ip link show type bridge
1577           Shows the bridge devices.
1578
1579       ip link show type vlan
1580           Shows the vlan devices.
1581
1582       ip link show master br0
1583           Shows devices enslaved by br0.
1584
1585       ip link set dev ppp0 mtu 1400
1586           Change the MTU of the ppp0 device.
1587
1588       ip link add link eth0 name eth0.10 type vlan id 10
1589           Creates a new vlan device eth0.10 on device eth0.
1590
1591       ip link delete dev eth0.10
1592           Removes vlan device.
1593
1594       ip link help gre
1595           Display help for the gre link type.
1596
1597       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1598       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum
1599       encap-remcsum
1600           Creates an IPIP that is encapsulated with Generic UDP
1601           Encapsulation, and the outer UDP checksum and remote checksum offload are
1602           enabled.
1603
1604       ip link set dev eth0 xdp obj prog.o
1605           Attaches an XDP/BPF program to device eth0, where the program is
1606           located in prog.o, section "prog" (default section). In case an
1607           XDP/BPF program is already attached, an error is thrown.
1608
1609       ip -force link set dev eth0 xdp obj prog.o sec foo
1610           Attaches an XDP/BPF program to device eth0, where the program is
1611           located in prog.o, section "foo". In case an XDP/BPF program is
1612           already attached, it will be overridden by the new one.
1613
1614       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1615           Attaches an XDP/BPF program to device eth0, where the program was
1616           previously pinned as an object node into BPF file system under name
1617           foo.
1618
1619       ip link set dev eth0 xdp off
1620           If an XDP/BPF program is attached on device eth0, detach it and
1621           effectively turn off XDP for device eth0.
1622
1623       ip link add link wpan0 lowpan0 type lowpan
1624           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1625           802.15.4 device wpan0.
1626
1627       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1628       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1629       erspan_hwid 17
1630           Creates an IP6ERSPAN version 2 interface named ip6erspan11.
1631
1632

SEE ALSO

1634       ip(8), ip-netns(8), ethtool(8), iptables(8)
1635
1636

AUTHOR

1638       Original Manpage by Michail Litvak <mci@owl.openwall.com>
1639
1640
1641
1642iproute2                          13 Dec 2012                       IP-LINK(8)