1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr [ MACADDR ]
59 [ { flush | add | del } MACADDR ]
60 [ set MACADDR ] ]
61 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
63 ] [ type ETYPE ] [ vrf NAME ]
64 ip link xstats type TYPE [ ARGS ]
66 ip link afstats [ dev DEVICE ]
68 ip link help [ TYPE ]
70 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
72 macvlan | macvtap | vcan | vxcan | veth | vlan |
73 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
74 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
75 | ipvtap | lowpan | geneve | vrf | macsec | netdevsim
76 | rmnet | xfrm ]
77 ETYPE := [ TYPE | bridge_slave | bond_slave ]
79 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
81 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
83 ]
84 ip link property add [ altname NAME .. ]
86 ip link property del [ altname NAME .. ]
88
91 ip link add - add virtual link
92 link DEVICE
93 specifies the physical device to act operate on.
94 NAME specifies the name of the new virtual device.
96 TYPE specifies the type of the new device.
98 Link types:
100 bridge - Ethernet Bridge device
102 bond - Bonding device
104 dummy - Dummy network interface
106 hsr - High-availability Seamless Redundancy device
108 ifb - Intermediate Functional Block device
110 ipoib - IP over Infiniband device
112 macvlan - Virtual interface base on link layer address
114 (MAC)
115 macvtap - Virtual interface based on link layer address
117 (MAC) and TAP.
118 vcan - Virtual Controller Area Network interface
120 vxcan - Virtual Controller Area Network tunnel interface
122 veth - Virtual ethernet interface
124 vlan - 802.1q tagged virtual LAN interface
126 vxlan - Virtual eXtended LAN
128 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
130 ipip - Virtual tunnel interface IPv4 over IPv4
132 sit - Virtual tunnel interface IPv6 over IPv4
134 gre - Virtual tunnel interface GRE over IPv4
136 gretap - Virtual L2 tunnel interface GRE over IPv4
138 erspan - Encapsulated Remote SPAN over GRE and IPv4
140 ip6gre - Virtual tunnel interface GRE over IPv6
142 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
144 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
146 vti - Virtual tunnel interface
148 nlmon - Netlink monitoring device
150 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
152 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
154 TAP
155 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
157 / Bluetooth
158 geneve - GEneric NEtwork Virtualization Encapsulation
160 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
162 sec)
163 vrf - Interface for L3 VRF domains
165 netdevsim - Interface for netdev API tests
167 rmnet - Qualcomm rmnet device
169 xfrm - Virtual xfrm interface
171 numtxqueues QUEUE_COUNT
174 specifies the number of transmit queues for new device.
175 numrxqueues QUEUE_COUNT
178 specifies the number of receive queues for new device.
179 gso_max_size BYTES
182 specifies the recommended maximum size of a Generic Segment Off‐
183 load packet the new device should accept.
184 gso_max_segs SEGMENTS
187 specifies the recommended maximum number of a Generic Segment
188 Offload segments the new device should accept.
189 index IDX
192 specifies the desired index of the new virtual device. The link
193 creation fails, if the index is busy.
194 VLAN Type Support
197 For a link of type VLAN the following additional arguments are
198 supported:
199 ip link add link DEVICE name NAME type vlan [ protocol
201 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
202 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
203 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
204 egress-qos-map QOS-MAP ]
205 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
208 id VLANID - specifies the VLAN Identifer to use. Note
210 that numbers with a leading " 0 " or " 0x " are inter‐
211 preted as octal or hexadeimal, respectively.
212 reorder_hdr { on | off } - specifies whether ethernet
214 headers are reordered or not (default is on).
215 If reorder_hdr is on then VLAN header will be not
217 inserted immediately but only before passing to the
218 physical device (if this device does not support
219 VLAN offloading), the similar on the RX direction -
220 by default the packet will be untagged before being
221 received by VLAN device. Reordering allows to accel‐
222 erate tagging on egress and to hide VLAN header on
223 ingress so the packet looks like regular Ethernet
224 packet, at the same time it might be confusing for
225 packet capture as the VLAN header does not exist
226 within the packet.
227 VLAN offloading can be checked by ethtool(8):
229 ethtool -k <phy_dev> | grep tx-vlan-offload
231 where <phy_dev> is the physical device to which VLAN
233 device is bound.
234 gvrp { on | off } - specifies whether this VLAN should
236 be registered using GARP VLAN
237 Registration Protocol.
238 mvrp { on | off } - specifies whether this VLAN should
240 be registered using Multiple VLAN
241 Registration Protocol.
242 loose_binding { on | off } - specifies whether the VLAN
244 device state is bound to the physical device state.
245 bridge_binding { on | off } - specifies whether the VLAN
247 device link state tracks the state of bridge ports that
248 are members of the VLAN.
249 ingress-qos-map QOS-MAP - defines a mapping of VLAN
251 header prio field to the Linux internal packet priority
252 on incoming frames. The format is FROM:TO with multiple
253 mappings separated by spaces.
254 egress-qos-map QOS-MAP - defines a mapping of Linux
256 internal packet priority to VLAN header prio field but
257 for outgoing frames. The format is the same as for
258 ingress-qos-map.
259 Linux packet priority can be set by iptables(8):
261 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
263 SIFY --set-class 0:4
264 and this "4" priority can be used in the egress qos
266 mapping to set VLAN prio "5":
267 ip link set veth0.10 type vlan egress 4:5
269 VXLAN Type Support
272 For a link of type VXLAN the following additional arguments are
273 supported:
274 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
276 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
277 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
278 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
279 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
280 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
281 ] [ [no]external ] [ gbp ] [ gpe ]
282 id VNI - specifies the VXLAN Network Identifer (or VXLAN
285 Segment Identifier) to use.
286 dev PHYS_DEV - specifies the physical device to use for
288 tunnel endpoint communication.
289 group IPADDR - specifies the multicast IP address to
292 join. This parameter cannot be specified with the
293 remote parameter.
294 remote IPADDR - specifies the unicast destination IP
297 address to use in outgoing packets when the destination
298 link layer address is not known in the VXLAN device for‐
299 warding database. This parameter cannot be specified
300 with the group parameter.
301 local IPADDR - specifies the source IP address to use in
304 outgoing packets.
305 ttl TTL - specifies the TTL value to use in outgoing
308 packets.
309 tos TOS - specifies the TOS value to use in outgoing
312 packets.
313 df DF - specifies the usage of the Don't Fragment flag
316 (DF) bit in outgoing packets with IPv4 headers. The
317 value inherit causes the bit to be copied from the orig‐
318 inal IP header. The values unset and set cause the bit
319 to be always unset or always set, respectively. By
320 default, the bit is not set.
321 flowlabel FLOWLABEL - specifies the flow label to use in
324 outgoing packets.
325 dstport PORT - specifies the UDP destination port to
328 communicate to the remote
329 VXLAN tunnel endpoint.
330 srcport MIN MAX - specifies the range of port numbers to
333 use as UDP source ports to communicate to the remote
334 VXLAN tunnel endpoint.
335 [no]learning - specifies if unknown source link layer
338 addresses and IP addresses are entered into the VXLAN
339 device forwarding database.
340 [no]rsc - specifies if route short circuit is turned on.
343 [no]proxy - specifies ARP proxy is turned on.
346 [no]l2miss - specifies if netlink LLADDR miss notifica‐
349 tions are generated.
350 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
353 tions are generated.
354 [no]udpcsum - specifies if UDP checksum is calculated
357 for transmitted packets over IPv4.
358 [no]udp6zerocsumtx - skip UDP checksum calculation for
361 transmitted packets over IPv6.
362 [no]udp6zerocsumrx - allow incoming UDP packets over
365 IPv6 with zero checksum field.
366 ageing SECONDS - specifies the lifetime in seconds of
369 FDB entries learnt by the kernel.
370 maxaddress NUMBER - specifies the maximum number of FDB
373 entries.
374 [no]external - specifies whether an external control
377 plane (e.g. ip route encap) or the internal FDB should
378 be used.
379 gbp - enables the Group Policy extension (VXLAN-GBP).
382 Allows to transport group policy context across
384 VXLAN network peers. If enabled, includes the mark
385 of a packet in the VXLAN header for outgoing packets
386 and fills the packet mark based on the information
387 found in the VXLAN header for incoming packets.
388 Format of upper 16 bits of packet mark (flags);
390 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
392 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
394 D := Don't Learn bit. When set, this bit indicates
396 that the egress VTEP MUST NOT learn the source
397 address of the encapsulated frame.
398 A := Indicates that the group policy has already
400 been applied to this packet. Policies MUST NOT be
401 applied by devices when the A bit is set.
402 Format of lower 16 bits of packet mark (policy ID):
404 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
406 | Group Policy ID |
407 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
408 Example:
410 iptables -A OUTPUT [...] -j MARK --set-mark
411 0x800FF
412 gpe - enables the Generic Protocol extension (VXLAN-
416 GPE). Currently, this is only supported together with
417 the external keyword.
418 VETH, VXCAN Type Support
422 For a link of types VETH/VXCAN the following additional argu‐
423 ments are supported:
424 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
426 peer name NAME - specifies the virtual pair device name
429 of the VETH/VXCAN tunnel.
430 IPIP, SIT Type Support
434 For a link of type IPIPorSIT the following additional arguments
435 are supported:
436 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
438 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
439 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
440 mode { ip6ip | ipip | mplsip | any } ] [ external ]
441 remote ADDR - specifies the remote address of the tun‐
444 nel.
445 local ADDR - specifies the fixed local address for tun‐
448 neled packets. It must be an address on another inter‐
449 face on this host.
450 encap { fou | gue | none } - specifies type of secondary
453 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
454 indicates Generic UDP Encapsulation.
455 encap-sport { PORT | auto } - specifies the source port
458 in UDP encapsulation. PORT indicates the port by num‐
459 ber, "auto" indicates that the port number should be
460 chosen automatically (the kernel picks a flow based on
461 the flow hash of the encapsulated packet).
462 [no]encap-csum - specifies if UDP checksums are enabled
465 in the secondary encapsulation.
466 [no]encap-remcsum - specifies if Remote Checksum Offload
469 is enabled. This is only applicable for Generic UDP
470 Encapsulation.
471 mode { ip6ip | ipip | mplsip | any } - specifies mode in
474 which device should run. "ip6ip" indicates IPv6-Over-
475 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
476 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
477 Over IPv4. Supported for SIT where the default is
478 "ip6ip" and IPIP where the default is "ipip".
479 IPv6-Over-IPv4 is not supported for IPIP.
480 external - make this tunnel externally controlled (e.g.
483 ip route encap).
484 GRE Type Support
487 For a link of type GRE or GRETAP the following additional argu‐
488 ments are supported:
489 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
491 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
492 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
493 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
494 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
495 remcsum ] [ external ]
496 remote ADDR - specifies the remote address of the tun‐
499 nel.
500 local ADDR - specifies the fixed local address for tun‐
503 neled packets. It must be an address on another inter‐
504 face on this host.
505 [no][i|o]seq - serialize packets. The oseq flag enables
508 sequencing of outgoing packets. The iseq flag requires
509 that all input packets are serialized.
510 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
513 KEY is either a number or an IPv4 address-like dotted
514 quad. The key parameter specifies the same key to use
515 in both directions. The ikey and okey parameters spec‐
516 ify different keys for input and output.
517 [no][i|o]csum - generate/require checksums for tunneled
520 packets. The ocsum flag calculates checksums for outgo‐
521 ing packets. The icsum flag requires that all input
522 packets have the correct checksum. The csum flag is
523 equivalent to the combination icsum ocsum .
524 ttl TTL - specifies the TTL value to use in outgoing
527 packets.
528 tos TOS - specifies the TOS value to use in outgoing
531 packets.
532 [no]pmtudisc - enables/disables Path MTU Discovery on
535 this tunnel. It is enabled by default. Note that a
536 fixed ttl is incompatible with this option: tunneling
537 with a fixed ttl always makes pmtu discovery.
538 [no]ignore-df - enables/disables IPv4 DF suppression on
541 this tunnel. Normally datagrams that exceed the MTU
542 will be fragmented; the presence of the DF flag inhibits
543 this, resulting instead in an ICMP Unreachable (Fragmen‐
544 tation Required) message. Enabling this attribute
545 causes the DF flag to be ignored.
546 dev PHYS_DEV - specifies the physical device to use for
549 tunnel endpoint communication.
550 encap { fou | gue | none } - specifies type of secondary
553 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
554 indicates Generic UDP Encapsulation.
555 encap-sport { PORT | auto } - specifies the source port
558 in UDP encapsulation. PORT indicates the port by num‐
559 ber, "auto" indicates that the port number should be
560 chosen automatically (the kernel picks a flow based on
561 the flow hash of the encapsulated packet).
562 [no]encap-csum - specifies if UDP checksums are enabled
565 in the secondary encapsulation.
566 [no]encap-remcsum - specifies if Remote Checksum Offload
569 is enabled. This is only applicable for Generic UDP
570 Encapsulation.
571 external - make this tunnel externally controlled (e.g.
574 ip route encap).
575 IP6GRE/IP6GRETAP Type Support
579 For a link of type IP6GRE/IP6GRETAP the following additional
580 arguments are supported:
581 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
583 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
584 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
585 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
586 localremote ] [ dev PHYS_DEV ] [ external ]
587 remote ADDR - specifies the remote IPv6 address of the
590 tunnel.
591 local ADDR - specifies the fixed local IPv6 address for
594 tunneled packets. It must be an address on another
595 interface on this host.
596 [no][i|o]seq - serialize packets. The oseq flag enables
599 sequencing of outgoing packets. The iseq flag requires
600 that all input packets are serialized.
601 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
604 KEY is either a number or an IPv4 address-like dotted
605 quad. The key parameter specifies the same key to use
606 in both directions. The ikey and okey parameters spec‐
607 ify different keys for input and output.
608 [no][i|o]csum - generate/require checksums for tunneled
611 packets. The ocsum flag calculates checksums for outgo‐
612 ing packets. The icsum flag requires that all input
613 packets have the correct checksum. The csum flag is
614 equivalent to the combination icsum ocsum.
615 hoplimit TTL - specifies Hop Limit value to use in out‐
618 going packets.
619 encaplimit ELIM - specifies a fixed encapsulation limit.
622 Default is 4.
623 flowlabel FLOWLABEL - specifies a fixed flowlabel.
626 [no]allow-localremote - specifies whether to allow
629 remote endpoint to have an address configured on local
630 host.
631 tclass TCLASS - specifies the traffic class field on
634 tunneled packets, which can be specified as either a
635 two-digit hex value (e.g. c0) or a predefined string
636 (e.g. internet). The value inherit causes the field to
637 be copied from the original IP header. The values
638 inherit/STRING or inherit/00..ff will set the field to
639 STRING or 00..ff when tunneling non-IP packets. The
640 default value is 00.
641 external - make this tunnel externally controlled (or
644 not, which is the default). In the kernel, this is
645 referred to as collect metadata mode. This flag is
646 mutually exclusive with the remote, local, seq, key,
647 csum, hoplimit, encaplimit, flowlabel and tclass
648 options.
649 IPoIB Type Support
653 For a link of type IPoIB the following additional arguments are
654 supported:
655 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
657 MODE ]
658 pkey PKEY - specifies the IB P-Key to use.
661 mode MODE - specifies the mode (datagram or connected)
663 to use.
664 ERSPAN Type Support
667 For a link of type ERSPAN/IP6ERSPAN the following additional
668 arguments are supported:
669 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
671 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
672 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
673 mote ] [ external ]
674 remote ADDR - specifies the remote address of the tun‐
677 nel.
678 local ADDR - specifies the fixed local address for tun‐
681 neled packets. It must be an address on another inter‐
682 face on this host.
683 erspan_ver version - specifies the ERSPAN version num‐
686 ber. version indicates the ERSPAN version to be cre‐
687 ated: 1 for version 1 (type II) or 2 for version 2 (type
688 III).
689 erspan IDX - specifies the ERSPAN v1 index field. IDX
692 indicates a 20 bit index/port number associated with the
693 ERSPAN traffic's source port and direction.
694 erspan_dir { ingress | egress } - specifies the ERSPAN
697 v2 mirrored traffic's direction.
698 erspan_hwid hwid - an unique identifier of an ERSPAN v2
701 engine within a system. hwid is a 6-bit value for users
702 to configure.
703 [no]allow-localremote - specifies whether to allow
706 remote endpoint to have an address configured on local
707 host.
708 external - make this tunnel externally controlled (or
711 not, which is the default). In the kernel, this is
712 referred to as collect metadata mode. This flag is
713 mutually exclusive with the remote, local, erspan_ver,
714 erspan, erspan_dir and erspan_hwid options.
715 GENEVE Type Support
719 For a link of type GENEVE the following additional arguments are
720 supported:
721 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
723 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
724 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
725 [no]udp6zerocsumrx ]
726 id VNI - specifies the Virtual Network Identifer to use.
729 remote IPADDR - specifies the unicast destination IP
732 address to use in outgoing packets.
733 ttl TTL - specifies the TTL value to use in outgoing
736 packets. "0" or "auto" means use whatever default value,
737 "inherit" means inherit the inner protocol's ttl.
738 Default option is "0".
739 tos TOS - specifies the TOS value to use in outgoing
742 packets.
743 df DF - specifies the usage of the Don't Fragment flag
746 (DF) bit in outgoing packets with IPv4 headers. The
747 value inherit causes the bit to be copied from the orig‐
748 inal IP header. The values unset and set cause the bit
749 to be always unset or always set, respectively. By
750 default, the bit is not set.
751 flowlabel FLOWLABEL - specifies the flow label to use in
754 outgoing packets.
755 dstport PORT - select a destination port other than the
758 default of 6081.
759 [no]external - make this tunnel externally controlled
762 (or not, which is the default). This flag is mutually
763 exclusive with the id, remote, ttl, tos and flowlabel
764 options.
765 [no]udpcsum - specifies if UDP checksum is calculated
768 for transmitted packets over IPv4.
769 [no]udp6zerocsumtx - skip UDP checksum calculation for
772 transmitted packets over IPv6.
773 [no]udp6zerocsumrx - allow incoming UDP packets over
776 IPv6 with zero checksum field.
777 MACVLAN and MACVTAP Type Support
781 For a link of type MACVLAN or MACVTAP the following additional
782 arguments are supported:
783 ip link add link DEVICE name NAME type { macvlan | macvtap }
785 mode { private | vepa | bridge | passthru [ nopromisc ] |
786 source }
787 type { macvlan | macvtap } - specifies the link type to
790 use. macvlan creates just a virtual interface, while
791 macvtap in addition creates a character device /dev/tapX
792 to be used just like a tuntap device.
793 mode private - Do not allow communication between
795 macvlan instances on the same physical interface, even
796 if the external switch supports hairpin mode.
797 mode vepa - Virtual Ethernet Port Aggregator mode. Data
799 from one macvlan instance to the other on the same phys‐
800 ical interface is transmitted over the physical inter‐
801 face. Either the attached switch needs to support hair‐
802 pin mode, or there must be a TCP/IP router forwarding
803 the packets in order to allow communication. This is the
804 default mode.
805 mode bridge - In bridge mode, all endpoints are directly
807 connected to each other, communication is not redirected
808 through the physical interface's peer.
809 mode passthru [ nopromisc ] - This mode gives more power
811 to a single endpoint, usually in macvtap mode. It is not
812 allowed for more than one endpoint on the same physical
813 interface. All traffic will be forwarded to this end‐
814 point, allowing virtio guests to change MAC address or
815 set promiscuous mode in order to bridge the interface or
816 create vlan interfaces on top of it. By default, this
817 mode forces the underlying interface into promiscuous
818 mode. Passing the nopromisc flag prevents this, so the
819 promisc flag may be controlled using standard tools.
820 mode source - allows one to set a list of allowed mac
822 address, which is used to match against source mac
823 address from received frames on underlying interface.
824 This allows creating mac based VLAN associations,
825 instead of standard port or tag based. The feature is
826 useful to deploy 802.1x mac based behavior, where driv‐
827 ers of underlying interfaces doesn't allows that.
828 High-availability Seamless Redundancy (HSR) Support
831 For a link of type HSR the following additional arguments are
832 supported:
833 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
835 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
836 type hsr - specifies the link type to use, here HSR.
839 slave1 SLAVE1-IF - Specifies the physical device used
841 for the first of the two ring ports.
842 slave2 SLAVE2-IF - Specifies the physical device used
844 for the second of the two ring ports.
845 supervision ADDR-BYTE - The last byte of the multicast
847 address used for HSR supervision frames. Default option
848 is "0", possible values 0-255.
849 version { 0 | 1 } - Selects the protocol version of the
851 interface. Default option is "0", which corresponds to
852 the 2010 version of the HSR standard. Option "1" acti‐
853 vates the 2012 version.
854 BRIDGE Type Support
857 For a link of type BRIDGE the following additional arguments are
858 supported:
859 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
861 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
862 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
863 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
864 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
865 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
866 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
867 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
868 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
869 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
870 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
871 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
872 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
873 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
874 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
875 val QUERY_INTERVAL ] [ mcast_query_response_interval
876 QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
877 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
878 MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
879 mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
880 BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
881 bles NF_CALL_ARPTABLES ]
882 ageing_time AGEING_TIME - configure the bridge's FDB
885 entries ageing time, ie the number of seconds a MAC
886 address will be kept in the FDB after a packet has been
887 received from that address. after this time has passed,
888 entries are cleaned up.
889 group_fwd_mask MASK - set the group forward mask. This
891 is the bitmask that is applied to decide whether to for‐
892 ward incoming frames destined to link-local addresses,
893 ie addresses of the form 01:80:C2:00:00:0X (defaults to
894 0, ie the bridge does not forward any link-local
895 frames).
896 group_address ADDRESS - set the MAC address of the mul‐
898 ticast group this bridge uses for STP. The address must
899 be a link-local address in standard Ethernet MAC address
900 format, ie an address of the form 01:80:C2:00:00:0X,
901 with X
902 in [0, 4..f].
903 forward_delay FORWARD_DELAY - set the forwarding delay
905 in seconds, ie the time spent in LISTENING state (before
906 moving to LEARNING) and in LEARNING state (before moving
907 to FORWARDING). Only relevant if STP is enabled. Valid
908 values are between 2 and 30.
909 hello_time HELLO_TIME - set the time in seconds between
911 hello packets sent by the bridge, when it is a root
912 bridge or a designated bridges. Only relevant if STP is
913 enabled. Valid values are between 1 and 10.
914 max_age MAX_AGE - set the hello packet timeout, ie the
916 time in seconds until another bridge in the spanning
917 tree is assumed to be dead, after reception of its last
918 hello message. Only relevant if STP is enabled. Valid
919 values are between 6 and 40.
920 stp_state STP_STATE - turn spanning tree protocol on
922 (STP_STATE > 0) or off (STP_STATE == 0). for this
923 bridge.
924 priority PRIORITY - set this bridge's spanning tree pri‐
926 ority, used during STP root bridge election. PRIORITY
927 is a 16bit unsigned integer.
928 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
930 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
931 disabled, the bridge will not consider the VLAN tag when
932 handling packets.
933 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
935 used for VLAN filtering.
936 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
938 PVID (native/untagged VLAN ID) for this bridge.
939 vlan_stats_enabled VLAN_STATS_ENABLED - enable
941 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
942 == 0) per-VLAN stats accounting.
943 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
945 (VLAN_STATS_PER_PORT == 1) or disable
946 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
947 accounting. Can be changed only when there are no port
948 VLANs configured.
949 mcast_snooping MULTICAST_SNOOPING - turn multicast
951 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
952 CAST_SNOOPING == 0).
953 mcast_router MULTICAST_ROUTER - set bridge's multicast
955 router if IGMP snooping is enabled. MULTICAST_ROUTER is
956 an integer value having the following meaning:
957 0 - disabled.
959 1 - automatic (queried).
961 2 - permanently enabled.
963 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
965 to use the bridge's own IP address as source address for
966 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
967 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
968 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
970 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
971 IGMP querier, ie sending of multicast queries by the
972 bridge (default: disabled).
973 mcast_querier_interval QUERIER_INTERVAL - interval
975 between queries sent by other routers. if no queries are
976 seen after this delay has passed, the bridge will start
977 to send its own queries (as if mcast_querier was
978 enabled).
979 mcast_hash_elasticity HASH_ELASTICITY - set multicast
981 database hash elasticity, ie the maximum chain length in
982 the multicast hash table (defaults to 4).
983 mcast_hash_max HASH_MAX - set maximum size of multicast
985 hash table (defaults to 512, value must be a power of
986 2).
987 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
989 cast last member count, ie the number of queries the
990 bridge will send before stopping forwarding a multicast
991 group after a "leave" message has been received
992 (defaults to 2).
993 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
995 val between queries to find remaining members of a
996 group, after a "leave" message is received.
997 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
999 number of IGMP queries to send during startup phase
1000 (defaults to 2).
1001 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1003 interval between queries in the startup phase.
1004 mcast_query_interval QUERY_INTERVAL - interval between
1006 queries sent by the bridge after the end of the startup
1007 phase.
1008 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1010 set the Max Response Time/Maximum Response Delay for
1011 IGMP/MLD queries sent by the bridge.
1012 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1014 after which the bridge will leave a group, if no member‐
1015 ship reports for this group are received.
1016 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1018 (MCAST_STATS_ENABLED > 0) or disable
1019 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1020 accounting.
1021 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1023 mcast_mld_version MLD_VERSION - set the MLD version.
1025 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1027 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1028 hooks on the bridge.
1029 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1031 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1032 0) ip6tables hooks on the bridge.
1033 nf_call_arptables NF_CALL_ARPTABLES - enable
1035 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1036 0) arptables hooks on the bridge.
1037 MACsec Type Support
1042 For a link of type MACsec the following additional arguments are
1043 supported:
1044 ip link add link DEVICE name NAME type macsec [ [ address
1046 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1047 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1048 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1049 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1050 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1051 ]
1052 address <lladdr> - sets the system identifier component
1055 of secure channel for this MACsec device.
1056 port PORT - sets the port number component of secure
1059 channel for this MACsec device, in a range from 1 to
1060 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1061 are interpreted as octal and hexadecimal, respectively.
1062 sci SCI - sets the secure channel identifier for this
1065 MACsec device. SCI is a 64bit wide number in hexadeci‐
1066 mal format.
1067 cipher CIPHER_SUITE - defines the cipher suite to use.
1070 icvlen LENGTH - sets the length of the Integrity Check
1073 Value (ICV).
1074 encrypt on or encrypt off - switches between authenti‐
1077 cated encryption, or authenticity mode only.
1078 send_sci on or send_sci off - specifies whether the SCI
1081 is included in every packet, or only when it is neces‐
1082 sary.
1083 end_station on or end_station off - sets the End Station
1086 bit.
1087 scb on or scb off - sets the Single Copy Broadcast bit.
1090 protect on or protect off - enables MACsec protection on
1093 the device.
1094 replay on or replay off - enables replay protection on
1097 the device.
1098 window SIZE - sets the size of the replay win‐
1102 dow.
1103 validate strict or validate check or validate disabled -
1107 sets the validation mode on the device.
1108 encodingsa AN - sets the active secure association for
1111 transmission.
1112 VRF Type Support
1116 For a link of type VRF the following additional arguments are
1117 supported:
1118 ip link add DEVICE type vrf table TABLE
1120 table table id associated with VRF device
1123 RMNET Type Support
1127 For a link of type RMNET the following additional arguments are
1128 supported:
1129 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1131 mux_id MUXID - specifies the mux identifier for the
1134 rmnet device, possible values 1-254.
1135 XFRM Type Support
1139 For a link of type XFRM the following additional arguments are
1140 supported:
1141 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1143 dev PHYS_DEV - specifies the underlying physical inter‐
1146 face from which transform traffic is sent and received.
1147 if_id IF-ID - specifies the hexadecimal lookup key used
1150 to send traffic to and from specific xfrm policies.
1151 Policies must be configured with the same key. If not
1152 set, the key defaults to 0 and will match any policies
1153 which similarly do not have a lookup key configuration.
1154 ip link delete - delete virtual link
1158 dev DEVICE
1159 specifies the virtual device to act operate on.
1160 group GROUP
1163 specifies the group of virtual links to delete. Group 0 is not
1164 allowed to be deleted since it is the default group.
1165 type TYPE
1168 specifies the type of the device.
1169 ip link set - change device attributes
1172 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1173 ately after any of the changes have failed. This is the only case when
1174 ip can move the system to an unpredictable state. The solution is to
1175 avoid changing several parameters with one ip link set call. The modi‐
1176 fier change is equivalent to set.
1177 dev DEVICE
1181 DEVICE specifies network device to operate on. When configuring
1182 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1183 ify the associated Physical Function (PF) device.
1184 group GROUP
1187 GROUP has a dual role: If both group and dev are present, then
1188 move the device to the specified group. If only a group is spec‐
1189 ified, then the command operates on all devices in that group.
1190 up and down
1193 change the state of the device to UP or DOWN.
1194 arp on or arp off
1197 change the NOARP flag on the device.
1198 multicast on or multicast off
1201 change the MULTICAST flag on the device.
1202 protodown on or protodown off
1205 change the PROTODOWN state on the device. Indicates that a pro‐
1206 tocol error has been detected on the port. Switch drivers can
1207 react to this error by doing a phys down on the switch port.
1208 dynamic on or dynamic off
1211 change the DYNAMIC flag on the device. Indicates that address
1212 can change when interface goes down (currently NOT used by the
1213 Linux).
1214 name NAME
1217 change the name of the device. This operation is not recommended
1218 if the device is running or has some addresses already config‐
1219 ured.
1220 txqueuelen NUMBER
1223 txqlen NUMBER
1225 change the transmit queue length of the device.
1226 mtu NUMBER
1229 change the MTU of the device.
1230 address LLADDRESS
1233 change the station address of the interface.
1234 broadcast LLADDRESS
1237 brd LLADDRESS
1239 peer LLADDRESS
1241 change the link layer broadcast address or the peer address when
1242 the interface is POINTOPOINT.
1243 netns NETNSNAME | PID
1246 move the device to the network namespace associated with name
1247 NETNSNAME or process PID.
1248 Some devices are not allowed to change network namespace: loop‐
1250 back, bridge, wireless. These are network namespace local
1251 devices. In such case ip tool will return "Invalid argument"
1252 error. It is possible to find out if device is local to a single
1253 network namespace by checking netns-local flag in the output of
1254 the ethtool:
1255 ethtool -k DEVICE
1257 To change network namespace for wireless devices the iw tool can
1259 be used. But it allows to change network namespace only for
1260 physical devices and by process PID.
1261 alias NAME
1264 give the device a symbolic name for easy reference.
1265 group GROUP
1268 specify the group the device belongs to. The available groups
1269 are listed in file /etc/iproute2/group.
1270 vf NUM specify a Virtual Function device to be configured. The associ‐
1273 ated PF device must be specified using the dev parameter.
1274 mac LLADDRESS - change the station address for the spec‐
1276 ified VF. The vf parameter must be specified.
1277 vlan VLANID - change the assigned VLAN for the specified
1280 VF. When specified, all traffic sent from the VF will be
1281 tagged with the specified VLAN ID. Incoming traffic will
1282 be filtered for the specified VLAN ID, and will have all
1283 VLAN tags stripped before being passed to the VF. Set‐
1284 ting this parameter to 0 disables VLAN tagging and fil‐
1285 tering. The vf parameter must be specified.
1286 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1289 VLAN tag. When specified, all VLAN tags transmitted by
1290 the VF will include the specified priority bits in the
1291 VLAN tag. If not specified, the value is assumed to be
1292 0. Both the vf and vlan parameters must be specified.
1293 Setting both vlan and qos as 0 disables VLAN tagging and
1294 filtering for the VF.
1295 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1298 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1299 traffic sent from the VF will be tagged with VLAN S-Tag.
1300 Incoming traffic will have VLAN S-Tags stripped before
1301 being passed to the VF. Setting to 802.1ad also enables
1302 an option to concatenate another VLAN tag, so both S-TAG
1303 and C-TAG will be inserted/stripped for outgoing/incom‐
1304 ing traffic, respectively. If not specified, the value
1305 is assumed to be 802.1Q. Both the vf and vlan parameters
1306 must be specified.
1307 rate TXRATE -- change the allowed transmit bandwidth, in
1310 Mbps, for the specified VF. Setting this parameter to 0
1311 disables rate limiting. vf parameter must be specified.
1312 Please use new API max_tx_rate option instead.
1313 max_tx_rate TXRATE - change the allowed maximum transmit
1316 bandwidth, in Mbps, for the specified VF. Setting this
1317 parameter to 0 disables rate limiting. vf parameter
1318 must be specified.
1319 min_tx_rate TXRATE - change the allowed minimum transmit
1322 bandwidth, in Mbps, for the specified VF. Minimum
1323 TXRATE should be always <= Maximum TXRATE. Setting this
1324 parameter to 0 disables rate limiting. vf parameter
1325 must be specified.
1326 spoofchk on|off - turn packet spoof checking on or off
1329 for the specified VF.
1330 query_rss on|off - toggle the ability of querying the
1332 RSS configuration of a specific
1333 VF. VF RSS information like RSS hash key may be con‐
1334 sidered sensitive
1335 on some devices where this information is shared
1336 between VF and PF
1337 and thus its querying may be prohibited by default.
1338 state auto|enable|disable - set the virtual link state
1340 as seen by the specified VF. Setting to auto means a
1341 reflection of the PF link state, enable lets the VF to
1342 communicate with other VFs on this host even if the PF
1343 link state is down, disable causes the HW to drop any
1344 packets sent by the VF.
1345 trust on|off - trust the specified VF user. This enables
1347 that VF user can set a specific feature which may impact
1348 security and/or performance. (e.g. VF multicast promis‐
1349 cuous mode)
1350 node_guid eui64 - configure node GUID for Infiniband
1352 VFs.
1353 port_guid eui64 - configure port GUID for Infiniband
1355 VFs.
1356 xdp object | pinned | off
1359 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1360 every packet at driver level. ip link output will indicate a
1361 xdp flag for the networking device. If the driver does not have
1362 native XDP support, the kernel will fall back to a slower,
1363 driver-independent "generic" XDP variant. The ip link output
1364 will in that case indicate xdpgeneric instead of xdp only. If
1365 the driver does have native XDP support, but the program is
1366 loaded under xdpgeneric object | pinned then the kernel will use
1367 the generic XDP variant instead of the native one. xdpdrv has
1368 the opposite effect of requestsing that the automatic fallback
1369 to the generic XDP variant be disabled and in case driver is not
1370 XDP-capable error should be returned. xdpdrv also disables
1371 hardware offloads. xdpoffload in ip link output indicates that
1372 the program has been offloaded to hardware and can also be used
1373 to request the "offload" mode, much like xdpgeneric it forces
1374 program to be installed specifically in HW/FW of the apater.
1375 off (or none ) - Detaches any currently attached XDP/BPF program
1377 from the given device.
1378 object FILE - Attaches a XDP/BPF program to the given device.
1380 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1381 contains the BPF program code, map specifications, etc. If a
1382 XDP/BPF program is already attached to the given device, an
1383 error will be thrown. If no XDP/BPF program is currently
1384 attached, the device supports XDP and the program from the BPF
1385 ELF file passes the kernel verifier, then it will be attached to
1386 the device. If the option -force is passed to ip then any prior
1387 attached XDP/BPF program will be atomically overridden and no
1388 error will be thrown in this case. If no section option is
1389 passed, then the default section name ("prog") will be assumed,
1390 otherwise the provided section name will be used. If no verbose
1391 option is passed, then a verifier log will only be dumped on
1392 load error. See also EXAMPLES section for usage examples.
1393 section NAME - Specifies a section name that contains the BPF
1395 program code. If no section name is specified, the default one
1396 ("prog") will be used. This option is to be passed with the
1397 object option.
1398 verbose - Act in verbose mode. For example, even in case of suc‐
1400 cess, this will print the verifier log in case a program was
1401 loaded from a BPF ELF file.
1402 pinned FILE - Attaches a XDP/BPF program to the given device.
1404 The FILE points to an already pinned BPF program in the BPF file
1405 system. The option section doesn't apply here, but otherwise
1406 semantics are the same as with the option object described
1407 already.
1408 master DEVICE
1411 set master device of the device (enslave device).
1412 nomaster
1415 unset master device of the device (release device).
1416 addrgenmode eui64|none|stable_secret|random
1419 set the IPv6 address generation mode
1420 eui64 - use a Modified EUI-64 format interface identifier
1422 none - disable automatic address generation
1424 stable_secret - generate the interface identifier based on a
1426 preset
1427 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1428 random - like stable_secret, but auto-generate a new random
1430 secret if none is set
1431 link-netnsid
1434 set peer netnsid for a cross-netns interface
1435 type ETYPE TYPE_ARGS
1438 Change type-specific settings. For a list of supported types and
1439 arguments refer to the description of ip link add above. In
1440 addition to that, it is possible to manipulate settings to slave
1441 devices:
1442 Bridge Slave Support
1445 For a link with master bridge the following additional arguments
1446 are supported:
1447 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1449 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1450 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1451 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1452 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1453 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1454 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1455 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1456 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1457 backup_port DEVICE ] [ nobackup_port ]
1458 fdb_flush - flush bridge slave's fdb dynamic entries.
1461 state STATE - Set port state. STATE is a number repre‐
1463 senting the following states: 0 (disabled), 1 (listen‐
1464 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1465 priority PRIO - set port priority (allowed values are
1467 between 0 and 63, inclusively).
1468 cost COST - set port cost (allowed values are between 1
1470 and 65535, inclusively).
1471 guard { on | off } - block incoming BPDU packets on this
1473 port.
1474 hairpin { on | off } - enable hairpin mode on this port.
1476 This will allow incoming packets on this port to be
1477 reflected back.
1478 fastleave { on | off } - enable multicast fast leave on
1480 this port.
1481 root_block { on | off } - block this port from becoming
1483 the bridge's root port.
1484 learning { on | off } - allow MAC address learning on
1486 this port.
1487 flood { on | off } - open the flood gates on this port,
1489 i.e. forward all unicast frames to this port also.
1490 Requires proxy_arp and proxy_arp_wifi to be turned off.
1491 proxy_arp { on | off } - enable proxy ARP on this port.
1493 proxy_arp_wifi { on | off } - enable proxy ARP on this
1495 port which meets extended requirements by IEEE 802.11
1496 and Hotspot 2.0 specifications.
1497 mcast_router MULTICAST_ROUTER - configure this port for
1499 having multicast routers attached. A port with a multi‐
1500 cast router will receive all multicast traffic. MULTI‐
1501 CAST_ROUTER may be either 0 to disable multicast routers
1502 on this port, 1 to let the system detect the presence of
1503 of routers (this is the default), 2 to permanently
1504 enable multicast traffic forwarding on this port or 3 to
1505 enable multicast routers temporarily on this port, not
1506 depending on incoming queries.
1507 mcast_fast_leave { on | off } - this is a synonym to the
1509 fastleave option above.
1510 mcast_flood { on | off } - controls whether a given port
1512 will flood multicast traffic for which
1513 there is no MDB entry.
1514 mcast_to_unicast { on | off } - controls whether a given
1516 port will replicate packets using unicast
1517 instead of multicast. By default this flag is off.
1518 group_fwd_mask MASK - set the group forward mask. This
1520 is the bitmask that is applied to decide whether to for‐
1521 ward incoming frames destined to link-local addresses,
1522 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1523 0, ie the bridge does not forward any link-local frames
1524 coming on this port).
1525 neigh_suppress { on | off } - controls whether neigh
1527 discovery (arp and nd) proxy and suppression is enabled
1528 on the port. By default this flag is off.
1529 vlan_tunnel { on | off } - controls whether vlan to tun‐
1531 nel mapping is enabled on the port. By default this flag
1532 is off.
1533 backup_port DEVICE - if the port loses carrier all traf‐
1535 fic will be redirected to the configured backup port
1536 nobackup_port - removes the currently configured backup
1538 port
1539 Bonding Slave Support
1543 For a link with master bond the following additional arguments
1544 are supported:
1545 ip link set type bond_slave [ queue_id ID ]
1547 queue_id ID - set the slave's queue ID (a 16bit unsigned
1550 value).
1551 MACVLAN and MACVTAP Support
1555 Modify list of allowed macaddr for link in source mode.
1556 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1558 ... ]
1559 Commands:
1561 add - add MACADDR to allowed list
1562 set - replace allowed list
1564 del - remove MACADDR from allowed list
1566 flush - flush whole allowed list
1568 ip link show - display device attributes
1573 dev NAME (default)
1574 NAME specifies the network device to show.
1575 group GROUP
1578 GROUP specifies what group of devices to show.
1579 up only display running interfaces.
1582 master DEVICE
1585 DEVICE specifies the master device which enslaves devices to
1586 show.
1587 vrf NAME
1590 NAME speficies the VRF which enslaves devices to show.
1591 type TYPE
1594 TYPE specifies the type of devices to show.
1595 Note that the type name is not checked against the list of sup‐
1597 ported types - instead it is sent as-is to the kernel. Later it
1598 is used to filter the returned interface list by comparing it
1599 with the relevant attribute in case the kernel didn't filter
1600 already. Therefore any string is accepted, but may lead to empty
1601 output.
1602 ip link xstats - display extended statistics
1605 type TYPE
1606 TYPE specifies the type of devices to display extended statis‐
1607 tics for.
1608 ip link afstats - display address-family specific statistics
1611 dev DEVICE
1612 DEVICE specifies the device to display address-family statistics
1613 for.
1614 ip link help - display help
1617 TYPE specifies which help of link type to dislpay.
1618 GROUP
1621 may be a number or a string from the file /etc/iproute2/group which can
1622 be manually filled.
1623
1626 ip link show
1627 Shows the state of all network interfaces on the system.
1628 ip link show type bridge
1630 Shows the bridge devices.
1631 ip link show type vlan
1633 Shows the vlan devices.
1634 ip link show master br0
1636 Shows devices enslaved by br0
1637 ip link set dev ppp0 mtu 1400
1639 Change the MTU the ppp0 device.
1640 ip link add link eth0 name eth0.10 type vlan id 10
1642 Creates a new vlan device eth0.10 on device eth0.
1643 ip link delete dev eth0.10
1645 Removes vlan device.
1646 ip link help gre
1648 Display help for the gre link type.
1649 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1651 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1652 remcsum
1653 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1654 tion, and the outer UDP checksum and remote checksum offload are
1655 enabled.
1656 ip link set dev eth0 xdp obj prog.o
1658 Attaches a XDP/BPF program to device eth0, where the program is
1659 located in prog.o, section "prog" (default section). In case a
1660 XDP/BPF program is already attached, throw an error.
1661 ip -force link set dev eth0 xdp obj prog.o sec foo
1663 Attaches a XDP/BPF program to device eth0, where the program is
1664 located in prog.o, section "foo". In case a XDP/BPF program is
1665 already attached, it will be overridden by the new one.
1666 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1668 Attaches a XDP/BPF program to device eth0, where the program was
1669 previously pinned as an object node into BPF file system under name
1670 foo.
1671 ip link set dev eth0 xdp off
1673 If a XDP/BPF program is attached on device eth0, detach it and
1674 effectively turn off XDP for device eth0.
1675 ip link add link wpan0 lowpan0 type lowpan
1677 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1678 802.15.4 device wpan0.
1679 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1681 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1682 erspan_hwid 17
1683 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1684
1687 ip(8), ip-netns(8), ethtool(8), iptables(8)
1688
1691 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1692iproute2 13 Dec 2012 IP-LINK(8)