IP-LINK(8)                           Linux                          IP-LINK(8)

ip-link - network device configuration

ip link { COMMAND | help }

ip link add [ link DEVICE ] [ name ] NAME
        [ txqueuelen PACKETS ]
        [ address LLADDR ] [ broadcast LLADDR ]
        [ mtu MTU ] [ index IDX ]
        [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
        type TYPE [ ARGS ]

ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

ip link set { DEVICE | group GROUP }
        [ { up | down } ]
        [ type ETYPE TYPE_ARGS ]
        [ arp { on | off } ]
        [ dynamic { on | off } ]
        [ multicast { on | off } ]
        [ allmulticast { on | off } ]
        [ promisc { on | off } ]
        [ protodown { on | off } ]
        [ trailers { on | off } ]
        [ txqueuelen PACKETS ]
        [ name NEWNAME ]
        [ address LLADDR ]
        [ broadcast LLADDR ]
        [ mtu MTU ]
        [ netns { PID | NETNSNAME } ]
        [ link-netnsid ID ]
        [ alias NAME ]
        [ vf NUM [ mac LLADDR ]
                 [ VFVLAN-LIST ]
                 [ rate TXRATE ]
                 [ max_tx_rate TXRATE ]
                 [ min_tx_rate TXRATE ]
                 [ spoofchk { on | off } ]
                 [ query_rss { on | off } ]
                 [ state { auto | enable | disable } ]
                 [ trust { on | off } ]
                 [ node_guid eui64 ]
                 [ port_guid eui64 ] ]
        [ xdp { off |
                object FILE [ section NAME ] [ verbose ] |
                pinned FILE } ]
        [ master DEVICE ]
        [ nomaster ]
        [ vrf NAME ]
        [ addrgenmode { eui64 | none | stable_secret | random } ]
        [ macaddr { flush | { add | del } MACADDR |
                    set [ MACADDR [ MACADDR [ ... ] ] ] } ]

ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
        [ type ETYPE ] [ vrf NAME ]

ip link xstats type TYPE [ ARGS ]

ip link afstats [ dev DEVICE ]

ip link help [ TYPE ]

TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib | macvlan |
          macvtap | vcan | veth | vlan | vxlan | ip6tnl | ipip | sit |
          gre | gretap | ip6gre | ip6gretap | vti | nlmon | ipvlan |
          lowpan | geneve | vrf | macsec ]

ETYPE := [ TYPE | bridge_slave | bond_slave ]

VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

ip link add - add virtual link
    link DEVICE
        specifies the physical device to operate on.

    NAME
        specifies the name of the new virtual device.

    TYPE
        specifies the type of the new device.

        Link types:

            bridge - Ethernet Bridge device

            bond - Bonding device

            can - Controller Area Network interface

            dummy - Dummy network interface

            hsr - High-availability Seamless Redundancy device

            ifb - Intermediate Functional Block device

            ipoib - IP over Infiniband device

            macvlan - Virtual interface based on link layer address (MAC)

            macvtap - Virtual interface based on link layer address (MAC)
            and TAP.

            vcan - Virtual Controller Area Network interface

            veth - Virtual ethernet interface

            vlan - 802.1q tagged virtual LAN interface

            vxlan - Virtual eXtended LAN

            ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6

            ipip - Virtual tunnel interface IPv4 over IPv4

            sit - Virtual tunnel interface IPv6 over IPv4

            gre - Virtual tunnel interface GRE over IPv4

            gretap - Virtual L2 tunnel interface GRE over IPv4

            ip6gre - Virtual tunnel interface GRE over IPv6

            ip6gretap - Virtual L2 tunnel interface GRE over IPv6

            vti - Virtual tunnel interface

            nlmon - Netlink monitoring device

            ipvlan - Interface for L3 (IPv6/IPv4) based VLANs

            lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 /
            Bluetooth

            geneve - GEneric NEtwork Virtualization Encapsulation

            macsec - Interface for IEEE 802.1AE MAC Security (MACsec)

            vrf - Interface for L3 VRF domains

    numtxqueues QUEUE_COUNT
        specifies the number of transmit queues for the new device.

    numrxqueues QUEUE_COUNT
        specifies the number of receive queues for the new device.

    index IDX
        specifies the desired index of the new virtual device. The link
        creation fails if the index is busy.

    VLAN Type Support
        For a link of type VLAN the following additional arguments are
        supported:

        ip link add link DEVICE name NAME type vlan [ protocol VLAN_PROTO ]
        id VLANID [ reorder_hdr { on | off } ] [ gvrp { on | off } ]
        [ mvrp { on | off } ] [ loose_binding { on | off } ]
        [ ingress-qos-map QOS-MAP ] [ egress-qos-map QOS-MAP ]

            protocol VLAN_PROTO - either 802.1Q or 802.1ad.

            id VLANID - specifies the VLAN Identifier to use. Note that
            numbers with a leading "0" or "0x" are interpreted as octal or
            hexadecimal, respectively.

            reorder_hdr { on | off } - specifies whether ethernet headers
            are reordered or not (default is on).

                If reorder_hdr is on, the VLAN header is not inserted
                immediately but only before the packet is passed to the
                physical device (if this device does not support VLAN
                offloading). The RX direction is similar: by default the
                packet is untagged before being received by the VLAN
                device. Reordering accelerates tagging on egress and hides
                the VLAN header on ingress so the packet looks like a
                regular Ethernet packet; at the same time it can be
                confusing for packet capture, as the VLAN header does not
                exist within the packet.

                VLAN offloading can be checked by ethtool(8):

                    ethtool -k <phy_dev> | grep tx-vlan-offload

                where <phy_dev> is the physical device to which the VLAN
                device is bound.

            gvrp { on | off } - specifies whether this VLAN should be
            registered using GARP VLAN Registration Protocol.

            mvrp { on | off } - specifies whether this VLAN should be
            registered using Multiple VLAN Registration Protocol.

            loose_binding { on | off } - specifies whether the VLAN device
            state is bound to the physical device state.

            ingress-qos-map QOS-MAP - defines a mapping of VLAN header prio
            field to the Linux internal packet priority on incoming frames.
            The format is FROM:TO with multiple mappings separated by
            spaces.

            egress-qos-map QOS-MAP - defines a mapping of Linux internal
            packet priority to VLAN header prio field but for outgoing
            frames. The format is the same as for ingress-qos-map.

                Linux packet priority can be set by iptables(8):

                    iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                and this "4" priority can be used in the egress qos mapping
                to set VLAN prio "5":

                    ip link set veth0.10 type vlan egress 4:5

    VXLAN Type Support
        For a link of type VXLAN the following additional arguments are
        supported:

        ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ]
        [ { group | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ]
        [ tos TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ]
        [ srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ]
        [ [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ]
        [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER ]
        [ [no]external ] [ gbp ] [ gpe ]

            id VNI - specifies the VXLAN Network Identifier (or VXLAN
            Segment Identifier) to use.

            dev PHYS_DEV - specifies the physical device to use for tunnel
            endpoint communication.

            group IPADDR - specifies the multicast IP address to join. This
            parameter cannot be specified with the remote parameter.

            remote IPADDR - specifies the unicast destination IP address to
            use in outgoing packets when the destination link layer address
            is not known in the VXLAN device forwarding database. This
            parameter cannot be specified with the group parameter.

            local IPADDR - specifies the source IP address to use in
            outgoing packets.

            ttl TTL - specifies the TTL value to use in outgoing packets.

            tos TOS - specifies the TOS value to use in outgoing packets.

            flowlabel FLOWLABEL - specifies the flow label to use in
            outgoing packets.

            dstport PORT - specifies the UDP destination port to
            communicate to the remote VXLAN tunnel endpoint.

            srcport MIN MAX - specifies the range of port numbers to use as
            UDP source ports to communicate to the remote VXLAN tunnel
            endpoint.

            [no]learning - specifies if unknown source link layer addresses
            and IP addresses are entered into the VXLAN device forwarding
            database.

            [no]rsc - specifies if route short circuit is turned on.

            [no]proxy - specifies if ARP proxy is turned on.

            [no]l2miss - specifies if netlink LLADDR miss notifications are
            generated.

            [no]l3miss - specifies if netlink IP ADDR miss notifications
            are generated.

            [no]udpcsum - specifies if UDP checksum is calculated for
            transmitted packets over IPv4.

            [no]udp6zerocsumtx - skip UDP checksum calculation for
            transmitted packets over IPv6.

            [no]udp6zerocsumrx - allow incoming UDP packets over IPv6 with
            zero checksum field.

            ageing SECONDS - specifies the lifetime in seconds of FDB
            entries learnt by the kernel.

            maxaddress NUMBER - specifies the maximum number of FDB
            entries.

            [no]external - specifies whether an external control plane
            (e.g. ip route encap) or the internal FDB should be used.

            gbp - enables the Group Policy extension (VXLAN-GBP).

                Allows transporting group policy context across VXLAN
                network peers. If enabled, includes the mark of a packet in
                the VXLAN header for outgoing packets and fills the packet
                mark based on the information found in the VXLAN header for
                incoming packets.

                Format of upper 16 bits of packet mark (flags):

                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                D := Don't Learn bit. When set, this bit indicates that the
                egress VTEP MUST NOT learn the source address of the
                encapsulated frame.

                A := Indicates that the group policy has already been
                applied to this packet. Policies MUST NOT be applied by
                devices when the A bit is set.

                Format of lower 16 bits of packet mark (policy ID):

                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    |        Group Policy ID        |
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                Example:
                    iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

            gpe - enables the Generic Protocol extension (VXLAN-GPE).
            Currently, this is only supported together with the external
            keyword.
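
The gbp packet-mark layout described above, worked through in shell as an added example (not part of the original manual page or of iproute2): gbp_decode splits a 32-bit mark into the D flag, the A flag and the Group Policy ID, and gbp_mark builds one, so rules that set or match the mark can be reviewed against the policy they are meant to express. The function names are hypothetical; the bit positions are read off the two diagrams.

```shell
#!/bin/sh
# Added example: VXLAN-GBP packet mark helper (hypothetical function names).
# Bit positions come from the diagrams above, most significant bit on the left.

GBP_DONT_LEARN=$(( 0x40 << 16 ))      # D bit, 10th cell of the upper half
GBP_POLICY_APPLIED=$(( 0x08 << 16 ))  # A bit, 13th cell of the upper half
GBP_ID_MASK=$(( 0xFFFF ))             # lower 16 bits: Group Policy ID

# valid_mark VALUE: succeed only for 0x-prefixed hex or plain decimal that
# fits in 32 bits. Validating first keeps untrusted text out of $(( )).
valid_mark() {
    case $1 in
        0[xX]?*)
            _h=${1#0[xX]}
            case $_h in *[!0-9a-fA-F]*) return 1 ;; esac
            [ "${#_h}" -le 8 ] ;;
        0) return 0 ;;
        [1-9]*)
            case $1 in *[!0-9]*) return 1 ;; esac
            [ "${#1}" -le 10 ] && [ "$1" -le 4294967295 ] ;;
        *) return 1 ;;
    esac
}

# gbp_decode MARK: print the fields of a packet mark on one line.
# other_flags reports upper-half bits the diagram leaves unassigned.
gbp_decode() {
    valid_mark "$1" || { echo "invalid mark: $1" >&2; return 2; }
    _m=$(( $1 ))
    _id=$(( _m & GBP_ID_MASK ))
    _d=$(( (_m & GBP_DONT_LEARN) != 0 ))
    _a=$(( (_m & GBP_POLICY_APPLIED) != 0 ))
    _known=$(( GBP_ID_MASK | GBP_DONT_LEARN | GBP_POLICY_APPLIED ))
    _other=$(( _m & ~_known & 0xFFFFFFFF ))
    printf 'policy_id=%d dont_learn=%d policy_applied=%d other_flags=0x%x\n' \
        "$_id" "$_d" "$_a" "$_other"
}

# gbp_mark POLICY_ID [dont_learn] [policy_applied]: print the mark value
# to hand to a rule such as the iptables MARK example above.
gbp_mark() {
    case $1 in
        0|[1-9]*) case $1 in *[!0-9]*) return 2 ;; esac ;;
        *) return 2 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ] || return 2
    _m=$1
    shift
    for _f in "$@"; do
        case $_f in
            dont_learn)     _m=$(( _m | GBP_DONT_LEARN )) ;;
            policy_applied) _m=$(( _m | GBP_POLICY_APPLIED )) ;;
            *) return 2 ;;
        esac
    done
    printf '0x%X\n' "$_m"
}

# The mark used in the manual page's iptables example.
gbp_decode 0x800FF
```

Decoding shows that 0x800FF carries policy ID 255 with the A bit set, so a peer honouring the extension will not apply policy to that packet again.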

    GRE, IPIP, SIT Type Support
        For a link of types GRE/IPIP/SIT the following additional arguments
        are supported:

        ip link add DEVICE type { gre | ipip | sit } remote ADDR local ADDR
        [ encap { fou | gue | none } ] [ encap-sport { PORT | auto } ]
        [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ]

            remote ADDR - specifies the remote address of the tunnel.

            local ADDR - specifies the fixed local address for tunneled
            packets. It must be an address on another interface on this
            host.

            encap { fou | gue | none } - specifies type of secondary UDP
            encapsulation. "fou" indicates Foo-Over-UDP, "gue" indicates
            Generic UDP Encapsulation.

            encap-sport { PORT | auto } - specifies the source port in UDP
            encapsulation. PORT indicates the port by number, "auto"
            indicates that the port number should be chosen automatically
            (the kernel picks a flow based on the flow hash of the
            encapsulated packet).

            [no]encap-csum - specifies if UDP checksums are enabled in the
            secondary encapsulation.

            [no]encap-remcsum - specifies if Remote Checksum Offload is
            enabled. This is only applicable for Generic UDP Encapsulation.

    IP6GRE/IP6GRETAP Type Support
        For a link of type IP6GRE/IP6GRETAP the following additional
        arguments are supported:

        ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR
        local ADDR [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
        [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass TCLASS ]
        [ flowlabel FLOWLABEL ] [ dscp inherit ] [ dev PHYS_DEV ]

            remote ADDR - specifies the remote IPv6 address of the tunnel.

            local ADDR - specifies the fixed local IPv6 address for
            tunneled packets. It must be an address on another interface on
            this host.

            [i|o]seq - serialize packets. The oseq flag enables sequencing
            of outgoing packets. The iseq flag requires that all input
            packets are serialized.

            [i|o]key KEY - use keyed GRE with key KEY. KEY is either a
            number or an IPv4 address-like dotted quad. The key parameter
            specifies the same key to use in both directions. The ikey and
            okey parameters specify different keys for input and output.

            [i|o]csum - generate/require checksums for tunneled packets.
            The ocsum flag calculates checksums for outgoing packets. The
            icsum flag requires that all input packets have the correct
            checksum. The csum flag is equivalent to the combination icsum
            ocsum.

            hoplimit TTL - specifies Hop Limit value to use in outgoing
            packets.

            encaplimit ELIM - specifies a fixed encapsulation limit.
            Default is 4.

            flowlabel FLOWLABEL - specifies a fixed flowlabel.

            tclass TCLASS - specifies the traffic class field on tunneled
            packets, which can be specified as either a two-digit hex value
            (e.g. c0) or a predefined string (e.g. internet). The value
            inherit causes the field to be copied from the original IP
            header. The values inherit/STRING or inherit/00..ff will set
            the field to STRING or 00..ff when tunneling non-IP packets.
            The default value is 00.

    IPoIB Type Support
        For a link of type IPoIB the following additional arguments are
        supported:

        ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode MODE ]

            pkey PKEY - specifies the IB P-Key to use.

            mode MODE - specifies the mode (datagram or connected) to use.

    GENEVE Type Support
        For a link of type GENEVE the following additional arguments are
        supported:

        ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
        [ tos TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ]
        [ [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ]
        [ [no]udp6zerocsumrx ]

            id VNI - specifies the Virtual Network Identifier to use.

            remote IPADDR - specifies the unicast destination IP address to
            use in outgoing packets.

            ttl TTL - specifies the TTL value to use in outgoing packets.

            tos TOS - specifies the TOS value to use in outgoing packets.

            flowlabel FLOWLABEL - specifies the flow label to use in
            outgoing packets.

            dstport PORT - select a destination port other than the default
            of 6081.

            [no]external - make this tunnel externally controlled (or not,
            which is the default). This flag is mutually exclusive with the
            id, remote, ttl, tos and flowlabel options.

            [no]udpcsum - specifies if UDP checksum is calculated for
            transmitted packets over IPv4.

            [no]udp6zerocsumtx - skip UDP checksum calculation for
            transmitted packets over IPv6.

            [no]udp6zerocsumrx - allow incoming UDP packets over IPv6 with
            zero checksum field.

    MACVLAN and MACVTAP Type Support
        For a link of type MACVLAN or MACVTAP the following additional
        arguments are supported:

        ip link add link DEVICE name NAME type { macvlan | macvtap }
        mode { private | vepa | bridge | passthru [ nopromisc ] | source }

            type { macvlan | macvtap } - specifies the link type to use.
            macvlan creates just a virtual interface, while macvtap in
            addition creates a character device /dev/tapX to be used just
            like a tuntap device.

            mode private - Do not allow communication between macvlan
            instances on the same physical interface, even if the external
            switch supports hairpin mode.

            mode vepa - Virtual Ethernet Port Aggregator mode. Data from
            one macvlan instance to the other on the same physical
            interface is transmitted over the physical interface. Either
            the attached switch needs to support hairpin mode, or there
            must be a TCP/IP router forwarding the packets in order to
            allow communication. This is the default mode.

            mode bridge - In bridge mode, all endpoints are directly
            connected to each other; communication is not redirected
            through the physical interface's peer.

            mode passthru [ nopromisc ] - This mode gives more power to a
            single endpoint, usually in macvtap mode. It is not allowed for
            more than one endpoint on the same physical interface. All
            traffic will be forwarded to this endpoint, allowing virtio
            guests to change MAC address or set promiscuous mode in order
            to bridge the interface or create vlan interfaces on top of it.
            By default, this mode forces the underlying interface into
            promiscuous mode. Passing the nopromisc flag prevents this, so
            the promisc flag may be controlled using standard tools.

            mode source - allows one to set a list of allowed MAC
            addresses, which is used to match against the source MAC
            address of frames received on the underlying interface. This
            allows creating MAC based VLAN associations, instead of
            standard port or tag based. The feature is useful to deploy
            802.1x MAC based behavior, where drivers of underlying
            interfaces do not allow that.

    High-availability Seamless Redundancy (HSR) Support
        For a link of type HSR the following additional arguments are
        supported:

        ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
        slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]

            type hsr - specifies the link type to use, here HSR.

            slave1 SLAVE1-IF - Specifies the physical device used for the
            first of the two ring ports.

            slave2 SLAVE2-IF - Specifies the physical device used for the
            second of the two ring ports.

            supervision ADDR-BYTE - The last byte of the multicast address
            used for HSR supervision frames. Default option is "0",
            possible values 0-255.

            version { 0 | 1 } - Selects the protocol version of the
            interface. Default option is "0", which corresponds to the 2010
            version of the HSR standard. Option "1" activates the 2012
            version.

    BRIDGE Type Support
        For a link of type BRIDGE the following additional arguments are
        supported:

        ip link add DEVICE type bridge [ ageing_time AGEING_TIME ]
        [ group_fwd_mask MASK ] [ group_address ADDRESS ]
        [ forward_delay FORWARD_DELAY ] [ hello_time HELLO_TIME ]
        [ max_age MAX_AGE ] [ stp_state STP_STATE ] [ priority PRIORITY ]
        [ vlan_filtering VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ]
        [ vlan_default_pvid VLAN_DEFAULT_PVID ]
        [ vlan_stats_enabled VLAN_STATS_ENABLED ]
        [ mcast_snooping MULTICAST_SNOOPING ]
        [ mcast_router MULTICAST_ROUTER ]
        [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
        [ mcast_querier MULTICAST_QUERIER ]
        [ mcast_hash_elasticity HASH_ELASTICITY ]
        [ mcast_hash_max HASH_MAX ]
        [ mcast_last_member_count LAST_MEMBER_COUNT ]
        [ mcast_startup_query_count STARTUP_QUERY_COUNT ]
        [ mcast_last_member_interval LAST_MEMBER_INTERVAL ]
        [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
        [ mcast_querier_interval QUERIER_INTERVAL ]
        [ mcast_query_interval QUERY_INTERVAL ]
        [ mcast_query_response_interval QUERY_RESPONSE_INTERVAL ]
        [ mcast_startup_query_interval STARTUP_QUERY_INTERVAL ]
        [ mcast_stats_enabled MCAST_STATS_ENABLED ]
        [ mcast_igmp_version IGMP_VERSION ]
        [ mcast_mld_version MLD_VERSION ]
        [ nf_call_iptables NF_CALL_IPTABLES ]
        [ nf_call_ip6tables NF_CALL_IP6TABLES ]
        [ nf_call_arptables NF_CALL_ARPTABLES ]

            ageing_time AGEING_TIME - configure the bridge's FDB entries
            ageing time, i.e. the number of seconds a MAC address will be
            kept in the FDB after a packet has been received from that
            address. After this time has passed, entries are cleaned up.

            group_fwd_mask MASK - set the group forward mask. This is the
            bitmask that is applied to decide whether to forward incoming
            frames destined to link-local addresses, i.e. addresses of the
            form 01:80:C2:00:00:0X (defaults to 0, i.e. the bridge does not
            forward any link-local frames).

            group_address ADDRESS - set the MAC address of the multicast
            group this bridge uses for STP. The address must be a
            link-local address in standard Ethernet MAC address format,
            i.e. an address of the form 01:80:C2:00:00:0X, with X in
            [0, 4..f].

            forward_delay FORWARD_DELAY - set the forwarding delay in
            seconds, i.e. the time spent in LISTENING state (before moving
            to LEARNING) and in LEARNING state (before moving to
            FORWARDING). Only relevant if STP is enabled. Valid values are
            between 2 and 30.

            hello_time HELLO_TIME - set the time in seconds between hello
            packets sent by the bridge, when it is a root bridge or a
            designated bridge. Only relevant if STP is enabled. Valid
            values are between 1 and 10.

            max_age MAX_AGE - set the hello packet timeout, i.e. the time
            in seconds until another bridge in the spanning tree is assumed
            to be dead, after reception of its last hello message. Only
            relevant if STP is enabled. Valid values are between 6 and 40.

            stp_state STP_STATE - turn spanning tree protocol on
            (STP_STATE > 0) or off (STP_STATE == 0) for this bridge.

            priority PRIORITY - set this bridge's spanning tree priority,
            used during STP root bridge election. PRIORITY is a 16-bit
            unsigned integer.

            vlan_filtering VLAN_FILTERING - turn VLAN filtering on
            (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
            disabled, the bridge will not consider the VLAN tag when
            handling packets.

            vlan_protocol { 802.1Q | 802.1ad } - set the protocol used for
            VLAN filtering.

            vlan_default_pvid VLAN_DEFAULT_PVID - set the default PVID
            (native/untagged VLAN ID) for this bridge.

            vlan_stats_enabled VLAN_STATS_ENABLED - enable
            (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED == 0)
            per-VLAN stats accounting.

            mcast_snooping MULTICAST_SNOOPING - turn multicast snooping on
            (MULTICAST_SNOOPING > 0) or off (MULTICAST_SNOOPING == 0).

            mcast_router MULTICAST_ROUTER - set bridge's multicast router
            if IGMP snooping is enabled. MULTICAST_ROUTER is an integer
            value having the following meaning:

                0 - disabled.

                1 - automatic (queried).

                2 - permanently enabled.

            mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether to use
            the bridge's own IP address as source address for IGMP queries
            (MCAST_QUERY_USE_IFADDR > 0) or the default of 0.0.0.0
            (MCAST_QUERY_USE_IFADDR == 0).

            mcast_querier MULTICAST_QUERIER - enable
            (MULTICAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
            IGMP querier, i.e. sending of multicast queries by the bridge
            (default: disabled).

            mcast_querier_interval QUERIER_INTERVAL - interval between
            queries sent by other routers. If no queries are seen after
            this delay has passed, the bridge will start to send its own
            queries (as if mcast_querier was enabled).

            mcast_hash_elasticity HASH_ELASTICITY - set multicast database
            hash elasticity, i.e. the maximum chain length in the multicast
            hash table (defaults to 4).

            mcast_hash_max HASH_MAX - set maximum size of multicast hash
            table (defaults to 512, value must be a power of 2).

            mcast_last_member_count LAST_MEMBER_COUNT - set multicast last
            member count, i.e. the number of queries the bridge will send
            before stopping forwarding a multicast group after a "leave"
            message has been received (defaults to 2).

            mcast_last_member_interval LAST_MEMBER_INTERVAL - interval
            between queries to find remaining members of a group, after a
            "leave" message is received.

            mcast_startup_query_count STARTUP_QUERY_COUNT - set the number
            of IGMP queries to send during startup phase (defaults to 2).

            mcast_startup_query_interval STARTUP_QUERY_INTERVAL - interval
            between queries in the startup phase.

            mcast_query_interval QUERY_INTERVAL - interval between queries
            sent by the bridge after the end of the startup phase.

            mcast_query_response_interval QUERY_RESPONSE_INTERVAL - set the
            Max Response Time/Maximum Response Delay for IGMP/MLD queries
            sent by the bridge.

            mcast_membership_interval MEMBERSHIP_INTERVAL - delay after
            which the bridge will leave a group, if no membership reports
            for this group are received.

            mcast_stats_enabled MCAST_STATS_ENABLED - enable
            (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_ENABLED == 0)
            multicast (IGMP/MLD) stats accounting.

            mcast_igmp_version IGMP_VERSION - set the IGMP version.

            mcast_mld_version MLD_VERSION - set the MLD version.

            nf_call_iptables NF_CALL_IPTABLES - enable
            (NF_CALL_IPTABLES > 0) or disable (NF_CALL_IPTABLES == 0)
            iptables hooks on the bridge.

            nf_call_ip6tables NF_CALL_IP6TABLES - enable
            (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES == 0)
            ip6tables hooks on the bridge.

            nf_call_arptables NF_CALL_ARPTABLES - enable
            (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES == 0)
            arptables hooks on the bridge.

    MACsec Type Support
        For a link of type MACsec the following additional arguments are
        supported:

        ip link add link DEVICE name NAME type macsec
        [ [ address <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ]
        [ icvlen { 8..16 } ] [ encrypt { on | off } ]
        [ send_sci { on | off } ] [ end_station { on | off } ]
        [ scb { on | off } ] [ protect { on | off } ]
        [ replay { on | off } window { 0..2^32-1 } ]
        [ validate { strict | check | disabled } ] [ encodingsa { 0..3 } ]

            address <lladdr> - sets the system identifier component of
            secure channel for this MACsec device.

            port PORT - sets the port number component of secure channel
            for this MACsec device, in a range from 1 to 65535 inclusive.
            Numbers with a leading "0" or "0x" are interpreted as octal and
            hexadecimal, respectively.

            sci SCI - sets the secure channel identifier for this MACsec
            device. SCI is a 64-bit wide number in hexadecimal format.

            cipher CIPHER_SUITE - defines the cipher suite to use.

            icvlen LENGTH - sets the length of the Integrity Check Value
            (ICV).

            encrypt on or encrypt off - switches between authenticated
            encryption, or authenticity mode only.

            send_sci on or send_sci off - specifies whether the SCI is
            included in every packet, or only when it is necessary.

            end_station on or end_station off - sets the End Station bit.

            scb on or scb off - sets the Single Copy Broadcast bit.

            protect on or protect off - enables MACsec protection on the
            device.

            replay on or replay off - enables replay protection on the
            device.

                window SIZE - sets the size of the replay window.

            validate strict or validate check or validate disabled - sets
            the validation mode on the device.

            encodingsa AN - sets the active secure association for
            transmission.
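
Both the VLAN id and the MACsec port are read with the leading-"0" / leading-"0x" rule stated above, so `id 010` selects VLAN 8, not 10. The following added example (not from the manual page or from iproute2) applies that rule to constructed command lines and flags every value whose text and effective number differ. The function names, the sample lines and the 1..4094 VLAN policy range are assumptions of the example; the 1..65535 MACsec port range is the one given above.

```shell
#!/bin/sh
# Added example: audit numeric arguments that follow the octal/hex prefix rule.

# parse_base0 VALUE: print VALUE in decimal (leading 0 = octal, leading
# 0x = hexadecimal, otherwise decimal); fail on anything else. Validation
# happens before the value reaches shell arithmetic.
parse_base0() {
    case $1 in
        0[xX]?*) _d=${1#0[xX]}
                 case $_d in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        0?*)     _d=${1#0}
                 case $_d in *[!0-7]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 12 ] || return 1
    echo $(( $1 ))
}

# check_id KIND VALUE: KIND is "vlan" (policy range 1..4094, an assumption
# of this example) or "macsec-port" (1..65535, from the manual page).
check_id() {
    _n=$(parse_base0 "$2") || { echo "reject $2: not a valid number"; return 1; }
    case $1 in
        vlan)        _max=4094 ;;
        macsec-port) _max=65535 ;;
        *) return 2 ;;
    esac
    if [ "$_n" -lt 1 ] || [ "$_n" -gt "$_max" ]; then
        echo "reject $2: $_n outside 1..$_max"
        return 1
    fi
    if [ "$_n" = "$2" ]; then
        echo "ok $_n"
    else
        echo "warn $2: ip will use $_n"
    fi
}

# vlan_id_of LINE: print the word that follows "id". The body runs in a
# subshell so that disabling globbing does not leak to the caller.
vlan_id_of() (
    set -f
    _prev=
    for _w in $1; do
        if [ "$_prev" = id ]; then
            echo "$_w"
            return 0
        fi
        _prev=$_w
    done
    return 1
)

# audit_vlan_commands: read command lines on stdin, print one verdict for
# each "type vlan" line that carries an id.
audit_vlan_commands() {
    while IFS= read -r _line; do
        case $_line in *"type vlan"*) ;; *) continue ;; esac
        _id=$(vlan_id_of "$_line") || continue
        check_id vlan "$_id" || true
    done
}

# Constructed sample input (not taken from any real system).
sample_commands() {
cat <<'EOF'
ip link add link eth0 name eth0.100 type vlan id 100
ip link add link eth0 name eth0.010 type vlan id 010
ip link add link eth0 name eth0.64 type vlan protocol 802.1ad id 0x40
ip link add link eth0 name eth0.bad type vlan id 08
ip link set eth0 up
EOF
}

sample_commands | audit_vlan_commands
```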

    VRF Type Support
        For a link of type VRF the following additional arguments are
        supported:

        ip link add DEVICE type vrf table TABLE

            table TABLE - table id associated with the VRF device.

ip link delete - delete virtual link
    dev DEVICE
        specifies the virtual device to operate on.

    group GROUP
        specifies the group of virtual links to delete. Group 0 is not
        allowed to be deleted since it is the default group.

    type TYPE
        specifies the type of the device.

891 ip link set - change device attributes
892 Warning: If multiple parameter changes are requested, ip aborts immedi‐
893 ately after any of the changes have failed. This is the only case when
894 ip can move the system to an unpredictable state. The solution is to
895 avoid changing several parameters with one ip link set call.
896
897
898 dev DEVICE
899 DEVICE specifies network device to operate on. When configuring
900 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
901 ify the associated Physical Function (PF) device.
902
903
904 group GROUP
905 GROUP has a dual role: If both group and dev are present, then
906 move the device to the specified group. If only a group is spec‐
907 ified, then the command operates on all devices in that group.
908
909
910 up and down
911 change the state of the device to UP or DOWN.
912
913
914 arp on or arp off
915 change the NOARP flag on the device.
916
917
918 multicast on or multicast off
919 change the MULTICAST flag on the device.
920
921
922 protodown on or protodown off
923 change the PROTODOWN state on the device. Indicates that a pro‐
924 tocol error has been detected on the port. Switch drivers can
925 react to this error by doing a phys down on the switch port.
926
927
928 dynamic on or dynamic off
929 change the DYNAMIC flag on the device. Indicates that address
930 can change when interface goes down (currently NOT used by the
931 Linux).
932
933
934 name NAME
935 change the name of the device. This operation is not recommended
936 if the device is running or has some addresses already config‐
937 ured.
938
939
940 txqueuelen NUMBER
941
942 txqlen NUMBER
943 change the transmit queue length of the device.
944
945
946 mtu NUMBER
947 change the MTU of the device.
948
949
950 address LLADDRESS
951 change the station address of the interface.
952
953
954 broadcast LLADDRESS
955
956 brd LLADDRESS
957
958 peer LLADDRESS
959 change the link layer broadcast address or the peer address when
960 the interface is POINTOPOINT.
961
962
963 netns NETNSNAME | PID
964 move the device to the network namespace associated with name
965 NETNSNAME or process PID.
966
967 Some devices are not allowed to change network namespace: loop‐
968 back, bridge, ppp, wireless. These are network namespace local
969 devices. In such case ip tool will return "Invalid argument"
970 error. It is possible to find out if device is local to a single
971 network namespace by checking netns-local flag in the output of
972 the ethtool:
973
974 ethtool -k DEVICE
975
976 To change network namespace for wireless devices the iw tool can
977 be used. But it allows to change network namespace only for
978 physical devices and by process PID.
979
980
981 alias NAME
982 give the device a symbolic name for easy reference.
983
984
985 group GROUP
986 specify the group the device belongs to. The available groups
987 are listed in file /etc/iproute2/group.
988
989
990 vf NUM specify a Virtual Function device to be configured. The associ‐
991 ated PF device must be specified using the dev parameter.
992
993 mac LLADDRESS - change the station address for the spec‐
994 ified VF. The vf parameter must be specified.
995
996
997 vlan VLANID - change the assigned VLAN for the specified
998 VF. When specified, all traffic sent from the VF will be
999 tagged with the specified VLAN ID. Incoming traffic will
1000 be filtered for the specified VLAN ID, and will have all
1001 VLAN tags stripped before being passed to the VF. Set‐
1002 ting this parameter to 0 disables VLAN tagging and fil‐
1003 tering. The vf parameter must be specified.
1004
1005
1006 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1007 VLAN tag. When specified, all VLAN tags transmitted by
1008 the VF will include the specified priority bits in the
1009 VLAN tag. If not specified, the value is assumed to be
1010 0. Both the vf and vlan parameters must be specified.
1011 Setting both vlan and qos as 0 disables VLAN tagging and
1012 filtering for the VF.
1013
1014
1015 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1016 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1017 traffic sent from the VF will be tagged with VLAN S-Tag.
1018 Incoming traffic will have VLAN S-Tags stripped before
1019 being passed to the VF. Setting to 802.1ad also enables
1020 an option to concatenate another VLAN tag, so both S-TAG
1021 and C-TAG will be inserted/stripped for outgoing/incom‐
1022 ing traffic, respectively. If not specified, the value
1023 is assumed to be 802.1Q. Both the vf and vlan parameters
1024 must be specified.
1025
1026
1027 rate TXRATE - change the allowed transmit bandwidth, in
1028 Mbps, for the specified VF. Setting this parameter to 0
1029 disables rate limiting. The vf parameter must be specified.
1030 Please use the new API option max_tx_rate instead.
1031
1032
1033 max_tx_rate TXRATE - change the allowed maximum transmit
1034 bandwidth, in Mbps, for the specified VF. vf parameter
1035 must be specified.
1036
1037
1038 min_tx_rate TXRATE - change the allowed minimum transmit
1039 bandwidth, in Mbps, for the specified VF. Minimum
1040 TXRATE should be always <= Maximum TXRATE. vf parameter
1041 must be specified.
1042
1043
1044 spoofchk on|off - turn packet spoof checking on or off
1045 for the specified VF.
1046
1047 query_rss on|off - toggle the ability of querying the
1048 RSS configuration of a specific VF. VF RSS information
1049 like RSS hash key may be considered sensitive on some
1050 devices where this information is shared between VF and
1051 PF and thus its querying may be prohibited by default.
1052
1053 state auto|enable|disable - set the virtual link state
1054 as seen by the specified VF. Setting to auto means a
1055 reflection of the PF link state, enable lets the VF
1056 communicate with other VFs on this host even if the PF
1057 link state is down, disable causes the HW to drop any
1058 packets sent by the VF.
1059
1060 trust on|off - trust the specified VF user. This allows
1061 the VF user to set specific features which may impact
1062 security and/or performance (e.g. VF multicast promiscuous
1063 mode).
1064
1065 node_guid eui64 - configure node GUID for Infiniband
1066 VFs.
1067
1068 port_guid eui64 - configure port GUID for Infiniband
1069 VFs.
1070
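The VF options above (spoofchk, trust, query_rss, vlan) are the per-VF isolation controls a host operator would audit. The following is an added example, not part of the original manual page: it parses `ip link show` output and prints the ip-link commands that restore the restrictive settings. The sample output is constructed, its VF line layout is an assumption that differs between iproute2 releases, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ip link show dev eth0` for an SR-IOV PF (not captured
# from a real host). The VF line layout is assumed and varies between releases.
sample_pf_output() {
cat <<'EOF'
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 52:54:00:00:01:00, vlan 100, spoof checking on, link-state auto, trust off, query_rss off
    vf 1 MAC 52:54:00:00:01:01, spoof checking off, link-state auto, trust off, query_rss off
    vf 2 MAC 52:54:00:00:01:02, vlan 200, spoof checking on, link-state enable, trust on, query_rss on
EOF
}

# audit_vfs: read `ip link show` output on stdin and print "PF vfN finding"
# for every VF setting that weakens isolation. Treating a VF without a VLAN
# as a finding is an assumed site policy, not something ip-link enforces.
audit_vfs() {
    awk '
    /^[0-9]+: / { pf = $2; sub(/:$/, "", pf); sub(/@.*/, "", pf); next }
    $1 == "vf" {
        vf = "vf" $2
        if ($0 ~ /spoof checking off/) print pf, vf, "spoofchk-off"
        if ($0 ~ /trust on/)           print pf, vf, "trusted"
        if ($0 ~ /query_rss on/)       print pf, vf, "query_rss-on"
        if ($0 !~ /vlan [0-9]+/)       print pf, vf, "no-vlan"
    }'
}

# remediation_cmds: map findings on stdin to ip-link commands. The commands
# are only printed, so they can be reviewed before anyone runs them as root.
remediation_cmds() {
    while read -r pf vf finding; do
        n=${vf#vf}
        case $finding in
            spoofchk-off) echo "ip link set dev $pf vf $n spoofchk on" ;;
            trusted)      echo "ip link set dev $pf vf $n trust off" ;;
            query_rss-on) echo "ip link set dev $pf vf $n query_rss off" ;;
            no-vlan)      echo "# $pf $vf: needs a VLAN: ip link set dev $pf vf $n vlan VLANID" ;;
        esac
    done
}

sample_pf_output | audit_vfs | remediation_cmds
```

On a live host the same pipeline is fed with `ip link show | audit_vfs`.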
1071
1072 xdp object | pinned | off
1073 set (or unset) a XDP ("express data path") BPF program to run on
1074 every packet at driver level.
1075
1076 off (or none ) - Detaches any currently attached XDP/BPF program
1077 from the given device.
1078
1079 object FILE - Attaches a XDP/BPF program to the given device.
1080 The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1081 contains the BPF program code, map specifications, etc. If a
1082 XDP/BPF program is already attached to the given device, an
1083 error will be thrown. If no XDP/BPF program is currently
1084 attached, the device supports XDP and the program from the BPF
1085 ELF file passes the kernel verifier, then it will be attached to
1086 the device. If the option -force is passed to ip then any prior
1087 attached XDP/BPF program will be atomically overridden and no
1088 error will be thrown in this case. If no section option is
1089 passed, then the default section name ("prog") will be assumed,
1090 otherwise the provided section name will be used. If no verbose
1091 option is passed, then a verifier log will only be dumped on
1092 load error. See also EXAMPLES section for usage examples.
1093
1094 section NAME - Specifies a section name that contains the BPF
1095 program code. If no section name is specified, the default one
1096 ("prog") will be used. This option is to be passed with the
1097 object option.
1098
1099 verbose - Act in verbose mode. For example, even in case of suc‐
1100 cess, this will print the verifier log in case a program was
1101 loaded from a BPF ELF file.
1102
1103 pinned FILE - Attaches a XDP/BPF program to the given device.
1104 The FILE points to an already pinned BPF program in the BPF file
1105 system. The option section doesn't apply here, but otherwise
1106 semantics are the same as with the option object described
1107 already.
1108
1109
1110 master DEVICE
1111 set master device of the device (enslave device).
1112
1113
1114 nomaster
1115 unset master device of the device (release device).
1116
1117
1118 addrgenmode eui64|none|stable_secret|random
1119 set the IPv6 address generation mode
1120
1121 eui64 - use a Modified EUI-64 format interface identifier
1122
1123 none - disable automatic address generation
1124
1125 stable_secret - generate the interface identifier based on a
1126 preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1127
1128 random - like stable_secret, but auto-generate a new random
1129 secret if none is set
1130
1131
1132 link-netnsid
1133 set peer netnsid for a cross-netns interface
1134
1135
1136 type ETYPE TYPE_ARGS
1137 Change type-specific settings. For a list of supported types and
1138 arguments refer to the description of ip link add above. In
1139 addition to that, it is possible to manipulate settings to slave
1140 devices:
1141
1142
1143 Bridge Slave Support
1144 For a link with master bridge the following additional arguments
1145 are supported:
1146
1147 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1148 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1149 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1150 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1151 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1152 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1153 mcast_flood { on | off } ]
1154
1155
1156 fdb_flush - flush bridge slave's fdb dynamic entries.
1157
1158 state STATE - Set port state. STATE is a number repre‐
1159 senting the following states: 0 (disabled), 1 (listen‐
1160 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1161
1162 priority PRIO - set port priority (allowed values are
1163 between 0 and 63, inclusively).
1164
1165 cost COST - set port cost (allowed values are between 1
1166 and 65535, inclusively).
1167
1168 guard { on | off } - block incoming BPDU packets on this
1169 port.
1170
1171 hairpin { on | off } - enable hairpin mode on this port.
1172 This will allow incoming packets on this port to be
1173 reflected back.
1174
1175 fastleave { on | off } - enable multicast fast leave on
1176 this port.
1177
1178 root_block { on | off } - block this port from becoming
1179 the bridge's root port.
1180
1181 learning { on | off } - allow MAC address learning on
1182 this port.
1183
1184 flood { on | off } - open the flood gates on this port,
1185 i.e. forward all unicast frames to this port also.
1186 Requires proxy_arp and proxy_arp_wifi to be turned off.
1187
1188 proxy_arp { on | off } - enable proxy ARP on this port.
1189
1190 proxy_arp_wifi { on | off } - enable proxy ARP on this
1191 port which meets extended requirements by IEEE 802.11
1192 and Hotspot 2.0 specifications.
1193
1194 mcast_router MULTICAST_ROUTER - configure this port for
1195 having multicast routers attached. A port with a multi‐
1196 cast router will receive all multicast traffic. MULTI‐
1197 CAST_ROUTER may be either 0 to disable multicast routers
1198 on this port, 1 to let the system detect the presence
1199 of routers (this is the default), 2 to permanently
1200 enable multicast traffic forwarding on this port or 3 to
1201 enable multicast routers temporarily on this port, not
1202 depending on incoming queries.
1203
1204 mcast_fast_leave { on | off } - this is a synonym to the
1205 fastleave option above.
1206
1207 mcast_flood { on | off } - controls whether a given port
1208 will be flooded with multicast traffic for which there
1209 is no MDB entry.
1210
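The guard, root_block, hairpin, flood and proxy_arp flags above decide how much a bridge port can influence spanning tree and forwarding. The following is an added example, not part of the original manual page: it audits the bridge_slave line of `ip -d link show` for every port except a named uplink. The sample output is constructed and trimmed, the policy (guard and root_block on, hairpin off on non-uplink ports) is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, trimmed sample of `ip -d link show master br0` (real output
# carries more bridge_slave attributes; the key/value layout is assumed).
sample_bridge_ports() {
cat <<'EOF'
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:02:00 brd ff:ff:ff:ff:ff:ff promiscuity 1
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on proxy_arp off proxy_arp_wifi off
5: veth1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:02:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 1
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on proxy_arp off proxy_arp_wifi off
7: veth2@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:02:02 brd ff:ff:ff:ff:ff:ff link-netnsid 1 promiscuity 1
    bridge_slave state forwarding priority 32 cost 2 hairpin on guard on root_block on fastleave off learning on flood on proxy_arp on proxy_arp_wifi off
EOF
}

# audit_bridge_ports UPLINK: read `ip -d link show` output on stdin and print
# "PORT finding" for each port other than UPLINK that
#   - accepts BPDUs (guard off) or may become the root port (root_block off),
#   - reflects frames back out of the receiving port (hairpin on),
#   - has flood on together with proxy ARP, which the text above rules out.
audit_bridge_ports() {
    awk -v uplink="$1" '
    /^[0-9]+: / { port = $2; sub(/:$/, "", port); sub(/@.*/, "", port); next }
    $1 == "bridge_slave" && port != uplink {
        split("", a)                                   # reset per port
        for (i = 2; i < NF; i += 2) a[$i] = $(i + 1)   # key value pairs
        if (a["guard"] == "off")      print port, "bpdu-guard-off"
        if (a["root_block"] == "off") print port, "root-block-off"
        if (a["hairpin"] == "on")     print port, "hairpin-on"
        if (a["flood"] == "on" && (a["proxy_arp"] == "on" || a["proxy_arp_wifi"] == "on"))
            print port, "flood-with-proxy-arp"
    }'
}

# A finding such as "veth1 bpdu-guard-off" is cleared with:
#   ip link set dev veth1 type bridge_slave guard on root_block on
sample_bridge_ports | audit_bridge_ports eth0
```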
1211
1212
1213 Bonding Slave Support
1214 For a link with master bond the following additional arguments
1215 are supported:
1216
1217 ip link set type bond_slave [ queue_id ID ]
1218
1219
1220 queue_id ID - set the slave's queue ID (a 16bit unsigned
1221 value).
1222
1223
1224
1225 MACVLAN and MACVTAP Support
1226 Modify list of allowed macaddr for link in source mode.
1227
1228 ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
1229 ... ]
1230
1231 Commands:
1232 add - add MACADDR to allowed list
1233
1234 set - replace allowed list
1235
1236 del - remove MACADDR from allowed list
1237
1238 flush - flush whole allowed list
1239
1240
1241
1242
1243 ip link show - display device attributes
1244 dev NAME (default)
1245 NAME specifies the network device to show. If this argument is
1246 omitted all devices in the default group are listed.
1247
1248
1249 group GROUP
1250 GROUP specifies what group of devices to show.
1251
1252
1253 up only display running interfaces.
1254
1255
1256 master DEVICE
1257 DEVICE specifies the master device which enslaves devices to
1258 show.
1259
1260
1261 vrf NAME
1262 NAME specifies the VRF which enslaves devices to show.
1263
1264
1265 type TYPE
1266 TYPE specifies the type of devices to show.
1267
1268 Note that the type name is not checked against the list of sup‐
1269 ported types - instead it is sent as-is to the kernel. Later it
1270 is used to filter the returned interface list by comparing it
1271 with the relevant attribute in case the kernel didn't filter
1272 already. Therefore any string is accepted, but may lead to empty
1273 output.
1274
1275
1276 ip link xstats - display extended statistics
1277 type TYPE
1278 TYPE specifies the type of devices to display extended statis‐
1279 tics for.
1280
1281
1282 ip link afstats - display address-family specific statistics
1283 dev DEVICE
1284 DEVICE specifies the device to display address-family statistics
1285 for.
1286
1287
1288 ip link help - display help
1289 TYPE specifies which link type to display help for.
1290
1291
1292 GROUP
1293 may be a number or a string from the file /etc/iproute2/group which can
1294 be manually filled.
1295
1296
1297 EXAMPLES
1298 ip link show
1299 Shows the state of all network interfaces on the system.
1300
1301 ip link show type bridge
1302 Shows the bridge devices.
1303
1304 ip link show type vlan
1305 Shows the vlan devices.
1306
1307 ip link show master br0
1308 Shows devices enslaved by br0.
1309
1310 ip link set dev ppp0 mtu 1400
1311 Change the MTU of the ppp0 device.
1312
1313 ip link add link eth0 name eth0.10 type vlan id 10
1314 Creates a new vlan device eth0.10 on device eth0.
1315
1316 ip link delete dev eth0.10
1317 Removes vlan device.
1318
1319 ip link help gre
1320 Display help for the gre link type.
1321
1322 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1323 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1324 remcsum
1325 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1326 tion, and the outer UDP checksum and remote checksum offload are
1327 enabled.
1328
1329 ip link set dev eth0 xdp obj prog.o
1330 Attaches a XDP/BPF program to device eth0, where the program is
1331 located in prog.o, section "prog" (default section). In case a
1332 XDP/BPF program is already attached, throw an error.
1333
1334 ip -force link set dev eth0 xdp obj prog.o sec foo
1335 Attaches a XDP/BPF program to device eth0, where the program is
1336 located in prog.o, section "foo". In case a XDP/BPF program is
1337 already attached, it will be overridden by the new one.
1338
1339 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1340 Attaches a XDP/BPF program to device eth0, where the program was
1341 previously pinned as an object node into BPF file system under name
1342 foo.
1343
1344 ip link set dev eth0 xdp off
1345 If a XDP/BPF program is attached on device eth0, detach it and
1346 effectively turn off XDP for device eth0.
1347
1348 ip link add link wpan0 lowpan0 type lowpan
1349 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1350 802.15.4 device wpan0.
1351
1352
1353 SEE ALSO
1354 ip(8), ip-netns(8), ethtool(8), iptables(8)
1355
1356
1357 AUTHOR
1358 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1359
1360
1361
1362iproute2 13 Dec 2012 IP-LINK(8)