1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr { flush | { add | del } MACADDR | set [ MACADDR [
59 MACADDR [ ... ] ] ] } ]
60 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ] [ type
62 ETYPE ] [ vrf NAME ]
63 ip link xstats type TYPE [ ARGS ]
65 ip link afstats [ dev DEVICE ]
67 ip link help [ TYPE ]
69 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib | macvlan |
71 macvtap | vcan | vxcan | veth | vlan | vxlan | ip6tnl | ipip |
72 sit | gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |
73 vti | nlmon | ipvlan | ipvtap | lowpan | geneve | vrf | macsec
74 | netdevsim | rmnet ]
75 ETYPE := [ TYPE | bridge_slave | bond_slave ]
77 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
79 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]
81
84 ip link add - add virtual link
85 link DEVICE
86 specifies the physical device to act operate on.
87 NAME specifies the name of the new virtual device.
89 TYPE specifies the type of the new device.
91 Link types:
93 bridge - Ethernet Bridge device
95 bond - Bonding device
97 dummy - Dummy network interface
99 hsr - High-availability Seamless Redundancy device
101 ifb - Intermediate Functional Block device
103 ipoib - IP over Infiniband device
105 macvlan - Virtual interface base on link layer address
107 (MAC)
108 macvtap - Virtual interface based on link layer address
110 (MAC) and TAP.
111 vcan - Virtual Controller Area Network interface
113 vxcan - Virtual Controller Area Network tunnel interface
115 veth - Virtual ethernet interface
117 vlan - 802.1q tagged virtual LAN interface
119 vxlan - Virtual eXtended LAN
121 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
123 ipip - Virtual tunnel interface IPv4 over IPv4
125 sit - Virtual tunnel interface IPv6 over IPv4
127 gre - Virtual tunnel interface GRE over IPv4
129 gretap - Virtual L2 tunnel interface GRE over IPv4
131 erspan - Encapsulated Remote SPAN over GRE and IPv4
133 ip6gre - Virtual tunnel interface GRE over IPv6
135 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
137 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
139 vti - Virtual tunnel interface
141 nlmon - Netlink monitoring device
143 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
145 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
147 TAP
148 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
150 / Bluetooth
151 geneve - GEneric NEtwork Virtualization Encapsulation
153 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
155 sec)
156 vrf - Interface for L3 VRF domains
158 netdevsim - Interface for netdev API tests
160 rmnet - Qualcomm rmnet device
162 numtxqueues QUEUE_COUNT
165 specifies the number of transmit queues for new device.
166 numrxqueues QUEUE_COUNT
169 specifies the number of receive queues for new device.
170 gso_max_size BYTES
173 specifies the recommended maximum size of a Generic Segment Off‐
174 load packet the new device should accept.
175 gso_max_segs SEGMENTS
178 specifies the recommended maximum number of a Generic Segment
179 Offload segments the new device should accept.
180 index IDX
183 specifies the desired index of the new virtual device. The link
184 creation fails, if the index is busy.
185 VLAN Type Support
188 For a link of type VLAN the following additional arguments are
189 supported:
190 ip link add link DEVICE name NAME type vlan [ protocol
192 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
193 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
194 ingress-qos-map QOS-MAP ] [ egress-qos-map QOS-MAP ]
195 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
198 id VLANID - specifies the VLAN Identifer to use. Note
200 that numbers with a leading " 0 " or " 0x " are inter‐
201 preted as octal or hexadeimal, respectively.
202 reorder_hdr { on | off } - specifies whether ethernet
204 headers are reordered or not (default is on).
205 If reorder_hdr is on then VLAN header will be not
207 inserted immediately but only before passing to the
208 physical device (if this device does not support
209 VLAN offloading), the similar on the RX direction -
210 by default the packet will be untagged before being
211 received by VLAN device. Reordering allows to accel‐
212 erate tagging on egress and to hide VLAN header on
213 ingress so the packet looks like regular Ethernet
214 packet, at the same time it might be confusing for
215 packet capture as the VLAN header does not exist
216 within the packet.
217 VLAN offloading can be checked by ethtool(8):
219 ethtool -k <phy_dev> | grep tx-vlan-offload
221 where <phy_dev> is the physical device to which VLAN
223 device is bound.
224 gvrp { on | off } - specifies whether this VLAN should
226 be registered using GARP VLAN Registration Protocol.
227 mvrp { on | off } - specifies whether this VLAN should
229 be registered using Multiple VLAN Registration Protocol.
230 loose_binding { on | off } - specifies whether the VLAN
232 device state is bound to the physical device state.
233 ingress-qos-map QOS-MAP - defines a mapping of VLAN
235 header prio field to the Linux internal packet priority
236 on incoming frames. The format is FROM:TO with multiple
237 mappings separated by spaces.
238 egress-qos-map QOS-MAP - defines a mapping of Linux
240 internal packet priority to VLAN header prio field but
241 for outgoing frames. The format is the same as for
242 ingress-qos-map.
243 Linux packet priority can be set by iptables(8):
245 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
247 SIFY --set-class 0:4
248 and this "4" priority can be used in the egress qos
250 mapping to set VLAN prio "5":
251 ip link set veth0.10 type vlan egress 4:5
253 VXLAN Type Support
256 For a link of type VXLAN the following additional arguments are
257 supported:
258 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
260 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
261 TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ srcport MIN MAX
262 ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [ [no]l2miss ] [
263 [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
264 [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER ] [
265 [no]external ] [ gbp ] [ gpe ]
266 id VNI - specifies the VXLAN Network Identifer (or VXLAN
269 Segment Identifier) to use.
270 dev PHYS_DEV - specifies the physical device to use for
272 tunnel endpoint communication.
273 group IPADDR - specifies the multicast IP address to
276 join. This parameter cannot be specified with the
277 remote parameter.
278 remote IPADDR - specifies the unicast destination IP
281 address to use in outgoing packets when the destination
282 link layer address is not known in the VXLAN device for‐
283 warding database. This parameter cannot be specified
284 with the group parameter.
285 local IPADDR - specifies the source IP address to use in
288 outgoing packets.
289 ttl TTL - specifies the TTL value to use in outgoing
292 packets.
293 tos TOS - specifies the TOS value to use in outgoing
296 packets.
297 flowlabel FLOWLABEL - specifies the flow label to use in
300 outgoing packets.
301 dstport PORT - specifies the UDP destination port to
304 communicate to the remote VXLAN tunnel endpoint.
305 srcport MIN MAX - specifies the range of port numbers to
308 use as UDP source ports to communicate to the remote
309 VXLAN tunnel endpoint.
310 [no]learning - specifies if unknown source link layer
313 addresses and IP addresses are entered into the VXLAN
314 device forwarding database.
315 [no]rsc - specifies if route short circuit is turned on.
318 [no]proxy - specifies ARP proxy is turned on.
321 [no]l2miss - specifies if netlink LLADDR miss notifica‐
324 tions are generated.
325 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
328 tions are generated.
329 [no]udpcsum - specifies if UDP checksum is calculated
332 for transmitted packets over IPv4.
333 [no]udp6zerocsumtx - skip UDP checksum calculation for
336 transmitted packets over IPv6.
337 [no]udp6zerocsumrx - allow incoming UDP packets over
340 IPv6 with zero checksum field.
341 ageing SECONDS - specifies the lifetime in seconds of
344 FDB entries learnt by the kernel.
345 maxaddress NUMBER - specifies the maximum number of FDB
348 entries.
349 [no]external - specifies whether an external control
352 plane (e.g. ip route encap) or the internal FDB should
353 be used.
354 gbp - enables the Group Policy extension (VXLAN-GBP).
357 Allows to transport group policy context across
359 VXLAN network peers. If enabled, includes the mark
360 of a packet in the VXLAN header for outgoing packets
361 and fills the packet mark based on the information
362 found in the VXLAN header for incoming packets.
363 Format of upper 16 bits of packet mark (flags);
365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
367 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
368 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
369 D := Don't Learn bit. When set, this bit indicates
371 that the egress VTEP MUST NOT learn the source
372 address of the encapsulated frame.
373 A := Indicates that the group policy has already
375 been applied to this packet. Policies MUST NOT be
376 applied by devices when the A bit is set.
377 Format of lower 16 bits of packet mark (policy ID):
379 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
381 | Group Policy ID |
382 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
383 Example:
385 iptables -A OUTPUT [...] -j MARK --set-mark
386 0x800FF
387 gpe - enables the Generic Protocol extension (VXLAN-
391 GPE). Currently, this is only supported together with
392 the external keyword.
393 VETH, VXCAN Type Support
397 For a link of types VETH/VXCAN the following additional argu‐
398 ments are supported:
399 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
401 peer name NAME - specifies the virtual pair device name
404 of the VETH/VXCAN tunnel.
405 IPIP, SIT Type Support
409 For a link of type IPIPorSIT the following additional arguments
410 are supported:
411 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
413 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
414 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
415 mode { ip6ip | ipip | mplsip | any } ] [ external ]
416 remote ADDR - specifies the remote address of the tun‐
419 nel.
420 local ADDR - specifies the fixed local address for tun‐
423 neled packets. It must be an address on another inter‐
424 face on this host.
425 encap { fou | gue | none } - specifies type of secondary
428 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
429 indicates Generic UDP Encapsulation.
430 encap-sport { PORT | auto } - specifies the source port
433 in UDP encapsulation. PORT indicates the port by num‐
434 ber, "auto" indicates that the port number should be
435 chosen automatically (the kernel picks a flow based on
436 the flow hash of the encapsulated packet).
437 [no]encap-csum - specifies if UDP checksums are enabled
440 in the secondary encapsulation.
441 [no]encap-remcsum - specifies if Remote Checksum Offload
444 is enabled. This is only applicable for Generic UDP
445 Encapsulation.
446 mode { ip6ip | ipip | mplsip | any } - specifies mode in
449 which device should run. "ip6ip" indicates IPv6-Over-
450 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
451 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
452 Over IPv4. Supported for SIT where the default is
453 "ip6ip" and IPIP where the default is "ipip".
454 IPv6-Over-IPv4 is not supported for IPIP.
455 external - make this tunnel externally controlled (e.g.
458 ip route encap).
459 GRE Type Support
462 For a link of type GRE or GRETAP the following additional argu‐
463 ments are supported:
464 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
466 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
467 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
468 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
469 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
470 remcsum ] [ external ]
471 remote ADDR - specifies the remote address of the tun‐
474 nel.
475 local ADDR - specifies the fixed local address for tun‐
478 neled packets. It must be an address on another inter‐
479 face on this host.
480 [no][i|o]seq - serialize packets. The oseq flag enables
483 sequencing of outgoing packets. The iseq flag requires
484 that all input packets are serialized.
485 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
488 KEY is either a number or an IPv4 address-like dotted
489 quad. The key parameter specifies the same key to use
490 in both directions. The ikey and okey parameters spec‐
491 ify different keys for input and output.
492 [no][i|o]csum - generate/require checksums for tunneled
495 packets. The ocsum flag calculates checksums for outgo‐
496 ing packets. The icsum flag requires that all input
497 packets have the correct checksum. The csum flag is
498 equivalent to the combination icsum ocsum .
499 ttl TTL - specifies the TTL value to use in outgoing
502 packets.
503 tos TOS - specifies the TOS value to use in outgoing
506 packets.
507 [no]pmtudisc - enables/disables Path MTU Discovery on
510 this tunnel. It is enabled by default. Note that a
511 fixed ttl is incompatible with this option: tunneling
512 with a fixed ttl always makes pmtu discovery.
513 [no]ignore-df - enables/disables IPv4 DF suppression on
516 this tunnel. Normally datagrams that exceed the MTU
517 will be fragmented; the presence of the DF flag inhibits
518 this, resulting instead in an ICMP Unreachable (Fragmen‐
519 tation Required) message. Enabling this attribute
520 causes the DF flag to be ignored.
521 dev PHYS_DEV - specifies the physical device to use for
524 tunnel endpoint communication.
525 encap { fou | gue | none } - specifies type of secondary
528 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
529 indicates Generic UDP Encapsulation.
530 encap-sport { PORT | auto } - specifies the source port
533 in UDP encapsulation. PORT indicates the port by num‐
534 ber, "auto" indicates that the port number should be
535 chosen automatically (the kernel picks a flow based on
536 the flow hash of the encapsulated packet).
537 [no]encap-csum - specifies if UDP checksums are enabled
540 in the secondary encapsulation.
541 [no]encap-remcsum - specifies if Remote Checksum Offload
544 is enabled. This is only applicable for Generic UDP
545 Encapsulation.
546 external - make this tunnel externally controlled (e.g.
549 ip route encap).
550 IP6GRE/IP6GRETAP Type Support
554 For a link of type IP6GRE/IP6GRETAP the following additional
555 arguments are supported:
556 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
558 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
559 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
560 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
561 localremote ] [ dev PHYS_DEV ] [ external ]
562 remote ADDR - specifies the remote IPv6 address of the
565 tunnel.
566 local ADDR - specifies the fixed local IPv6 address for
569 tunneled packets. It must be an address on another
570 interface on this host.
571 [no][i|o]seq - serialize packets. The oseq flag enables
574 sequencing of outgoing packets. The iseq flag requires
575 that all input packets are serialized.
576 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
579 KEY is either a number or an IPv4 address-like dotted
580 quad. The key parameter specifies the same key to use
581 in both directions. The ikey and okey parameters spec‐
582 ify different keys for input and output.
583 [no][i|o]csum - generate/require checksums for tunneled
586 packets. The ocsum flag calculates checksums for outgo‐
587 ing packets. The icsum flag requires that all input
588 packets have the correct checksum. The csum flag is
589 equivalent to the combination icsum ocsum.
590 hoplimit TTL - specifies Hop Limit value to use in out‐
593 going packets.
594 encaplimit ELIM - specifies a fixed encapsulation limit.
597 Default is 4.
598 flowlabel FLOWLABEL - specifies a fixed flowlabel.
601 [no]allow-localremote - specifies whether to allow
604 remote endpoint to have an address configured on local
605 host.
606 tclass TCLASS - specifies the traffic class field on
609 tunneled packets, which can be specified as either a
610 two-digit hex value (e.g. c0) or a predefined string
611 (e.g. internet). The value inherit causes the field to
612 be copied from the original IP header. The values
613 inherit/STRING or inherit/00..ff will set the field to
614 STRING or 00..ff when tunneling non-IP packets. The
615 default value is 00.
616 external - make this tunnel externally controlled (or
619 not, which is the default). In the kernel, this is
620 referred to as collect metadata mode. This flag is
621 mutually exclusive with the remote, local, seq, key,
622 csum, hoplimit, encaplimit, flowlabel and tclass
623 options.
624 IPoIB Type Support
628 For a link of type IPoIB the following additional arguments are
629 supported:
630 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
632 MODE ]
633 pkey PKEY - specifies the IB P-Key to use.
636 mode MODE - specifies the mode (datagram or connected)
638 to use.
639 ERSPAN Type Support
642 For a link of type ERSPAN/IP6ERSPAN the following additional
643 arguments are supported:
644 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
646 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
647 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
648 mote ] [ external ]
649 remote ADDR - specifies the remote address of the tun‐
652 nel.
653 local ADDR - specifies the fixed local address for tun‐
656 neled packets. It must be an address on another inter‐
657 face on this host.
658 erspan_ver version - specifies the ERSPAN version num‐
661 ber. version indicates the ERSPAN version to be cre‐
662 ated: 1 for version 1 (type II) or 2 for version 2 (type
663 III).
664 erspan IDX - specifies the ERSPAN v1 index field. IDX
667 indicates a 20 bit index/port number associated with the
668 ERSPAN traffic's source port and direction.
669 erspan_dir { ingress | egress } - specifies the ERSPAN
672 v2 mirrored traffic's direction.
673 erspan_hwid hwid - an unique identifier of an ERSPAN v2
676 engine within a system. hwid is a 6-bit value for users
677 to configure.
678 [no]allow-localremote - specifies whether to allow
681 remote endpoint to have an address configured on local
682 host.
683 external - make this tunnel externally controlled (or
686 not, which is the default). In the kernel, this is
687 referred to as collect metadata mode. This flag is
688 mutually exclusive with the remote, local, erspan_ver,
689 erspan, erspan_dir and erspan_hwid options.
690 GENEVE Type Support
694 For a link of type GENEVE the following additional arguments are
695 supported:
696 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
698 [ tos TOS ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
699 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
700 [no]udp6zerocsumrx ]
701 id VNI - specifies the Virtual Network Identifer to use.
704 remote IPADDR - specifies the unicast destination IP
707 address to use in outgoing packets.
708 ttl TTL - specifies the TTL value to use in outgoing
711 packets. "0" or "auto" means use whatever default value,
712 "inherit" means inherit the inner protocol's ttl.
713 Default option is "0".
714 tos TOS - specifies the TOS value to use in outgoing
717 packets.
718 flowlabel FLOWLABEL - specifies the flow label to use in
721 outgoing packets.
722 dstport PORT - select a destination port other than the
725 default of 6081.
726 [no]external - make this tunnel externally controlled
729 (or not, which is the default). This flag is mutually
730 exclusive with the id, remote, ttl, tos and flowlabel
731 options.
732 [no]udpcsum - specifies if UDP checksum is calculated
735 for transmitted packets over IPv4.
736 [no]udp6zerocsumtx - skip UDP checksum calculation for
739 transmitted packets over IPv6.
740 [no]udp6zerocsumrx - allow incoming UDP packets over
743 IPv6 with zero checksum field.
744 MACVLAN and MACVTAP Type Support
748 For a link of type MACVLAN or MACVTAP the following additional
749 arguments are supported:
750 ip link add link DEVICE name NAME type { macvlan | macvtap }
752 mode { private | vepa | bridge | passthru [ nopromisc ] |
753 source }
754 type { macvlan | macvtap } - specifies the link type to
757 use. macvlan creates just a virtual interface, while
758 macvtap in addition creates a character device /dev/tapX
759 to be used just like a tuntap device.
760 mode private - Do not allow communication between
762 macvlan instances on the same physical interface, even
763 if the external switch supports hairpin mode.
764 mode vepa - Virtual Ethernet Port Aggregator mode. Data
766 from one macvlan instance to the other on the same phys‐
767 ical interface is transmitted over the physical inter‐
768 face. Either the attached switch needs to support hair‐
769 pin mode, or there must be a TCP/IP router forwarding
770 the packets in order to allow communication. This is the
771 default mode.
772 mode bridge - In bridge mode, all endpoints are directly
774 connected to each other, communication is not redirected
775 through the physical interface's peer.
776 mode passthru [ nopromisc ] - This mode gives more power
778 to a single endpoint, usually in macvtap mode. It is not
779 allowed for more than one endpoint on the same physical
780 interface. All traffic will be forwarded to this end‐
781 point, allowing virtio guests to change MAC address or
782 set promiscuous mode in order to bridge the interface or
783 create vlan interfaces on top of it. By default, this
784 mode forces the underlying interface into promiscuous
785 mode. Passing the nopromisc flag prevents this, so the
786 promisc flag may be controlled using standard tools.
787 mode source - allows one to set a list of allowed mac
789 address, which is used to match against source mac
790 address from received frames on underlying interface.
791 This allows creating mac based VLAN associations,
792 instead of standard port or tag based. The feature is
793 useful to deploy 802.1x mac based behavior, where driv‐
794 ers of underlying interfaces doesn't allows that.
795 High-availability Seamless Redundancy (HSR) Support
798 For a link of type HSR the following additional arguments are
799 supported:
800 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
802 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
803 type hsr - specifies the link type to use, here HSR.
806 slave1 SLAVE1-IF - Specifies the physical device used
808 for the first of the two ring ports.
809 slave2 SLAVE2-IF - Specifies the physical device used
811 for the second of the two ring ports.
812 supervision ADDR-BYTE - The last byte of the multicast
814 address used for HSR supervision frames. Default option
815 is "0", possible values 0-255.
816 version { 0 | 1 } - Selects the protocol version of the
818 interface. Default option is "0", which corresponds to
819 the 2010 version of the HSR standard. Option "1" acti‐
820 vates the 2012 version.
821 BRIDGE Type Support
824 For a link of type BRIDGE the following additional arguments are
825 supported:
826 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
828 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
829 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
830 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
831 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
832 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
833 VLAN_STATS_ENABLED ] [ mcast_snooping MULTICAST_SNOOPING ] [
834 mcast_router MULTICAST_ROUTER ] [ mcast_query_use_ifaddr
835 MCAST_QUERY_USE_IFADDR ] [ mcast_querier MULTICAST_QUERIER ] [
836 mcast_hash_elasticity HASH_ELASTICITY ] [ mcast_hash_max
837 HASH_MAX ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
838 mcast_startup_query_count STARTUP_QUERY_COUNT ] [
839 mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
840 bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
841 QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
842 mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
843 mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
844 mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
845 IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
846 bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
847 [ nf_call_arptables NF_CALL_ARPTABLES ]
848 ageing_time AGEING_TIME - configure the bridge's FDB
851 entries ageing time, ie the number of seconds a MAC
852 address will be kept in the FDB after a packet has been
853 received from that address. after this time has passed,
854 entries are cleaned up.
855 group_fwd_mask MASK - set the group forward mask. This
857 is the bitmask that is applied to decide whether to for‐
858 ward incoming frames destined to link-local addresses,
859 ie addresses of the form 01:80:C2:00:00:0X (defaults to
860 0, ie the bridge does not forward any link-local
861 frames).
862 group_address ADDRESS - set the MAC address of the mul‐
864 ticast group this bridge uses for STP. The address must
865 be a link-local address in standard Ethernet MAC address
866 format, ie an address of the form 01:80:C2:00:00:0X,
867 with X in [0, 4..f].
868 forward_delay FORWARD_DELAY - set the forwarding delay
870 in seconds, ie the time spent in LISTENING state (before
871 moving to LEARNING) and in LEARNING state (before moving
872 to FORWARDING). Only relevant if STP is enabled. Valid
873 values are between 2 and 30.
874 hello_time HELLO_TIME - set the time in seconds between
876 hello packets sent by the bridge, when it is a root
877 bridge or a designated bridges. Only relevant if STP is
878 enabled. Valid values are between 1 and 10.
879 max_age MAX_AGE - set the hello packet timeout, ie the
881 time in seconds until another bridge in the spanning
882 tree is assumed to be dead, after reception of its last
883 hello message. Only relevant if STP is enabled. Valid
884 values are between 6 and 40.
885 stp_state STP_STATE - turn spanning tree protocol on
887 (STP_STATE > 0) or off (STP_STATE == 0). for this
888 bridge.
889 priority PRIORITY - set this bridge's spanning tree pri‐
891 ority, used during STP root bridge election. PRIORITY
892 is a 16bit unsigned integer.
893 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
895 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
896 disabled, the bridge will not consider the VLAN tag when
897 handling packets.
898 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
900 used for VLAN filtering.
901 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
903 PVID (native/untagged VLAN ID) for this bridge.
904 vlan_stats_enabled VLAN_STATS_ENABLED - enable
906 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
907 == 0) per-VLAN stats accounting.
908 mcast_snooping MULTICAST_SNOOPING - turn multicast
910 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
911 CAST_SNOOPING == 0).
912 mcast_router MULTICAST_ROUTER - set bridge's multicast
914 router if IGMP snooping is enabled. MULTICAST_ROUTER is
915 an integer value having the following meaning:
916 0 - disabled.
918 1 - automatic (queried).
920 2 - permanently enabled.
922 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
924 to use the bridge's own IP address as source address for
925 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
926 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
927 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
929 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
930 IGMP querier, ie sending of multicast queries by the
931 bridge (default: disabled).
932 mcast_querier_interval QUERIER_INTERVAL - interval
934 between queries sent by other routers. if no queries are
935 seen after this delay has passed, the bridge will start
936 to send its own queries (as if mcast_querier was
937 enabled).
938 mcast_hash_elasticity HASH_ELASTICITY - set multicast
940 database hash elasticity, ie the maximum chain length in
941 the multicast hash table (defaults to 4).
942 mcast_hash_max HASH_MAX - set maximum size of multicast
944 hash table (defaults to 512, value must be a power of
945 2).
946 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
948 cast last member count, ie the number of queries the
949 bridge will send before stopping forwarding a multicast
950 group after a "leave" message has been received
951 (defaults to 2).
952 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
954 val between queries to find remaining members of a
955 group, after a "leave" message is received.
956 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
958 number of IGMP queries to send during startup phase
959 (defaults to 2).
960 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
962 interval between queries in the startup phase.
963 mcast_query_interval QUERY_INTERVAL - interval between
965 queries sent by the bridge after the end of the startup
966 phase.
967 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
969 set the Max Response Time/Maximum Response Delay for
970 IGMP/MLD queries sent by the bridge.
971 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
973 after which the bridge will leave a group, if no member‐
974 ship reports for this group are received.
975 mcast_stats_enabled MCAST_STATS_ENABLED - enable
977 (MCAST_STATS_ENABLED > 0) or disable
978 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
979 accounting.
980 mcast_igmp_version IGMP_VERSION - set the IGMP version.
982 mcast_mld_version MLD_VERSION - set the MLD version.
984 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
986 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
987 hooks on the bridge.
988 nf_call_ip6tables NF_CALL_IP6TABLES - enable
990 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
991 0) ip6tables hooks on the bridge.
992 nf_call_arptables NF_CALL_ARPTABLES - enable
994 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
995 0) arptables hooks on the bridge.
996 MACsec Type Support
1001 For a link of type MACsec the following additional arguments are
1002 supported:
1003 ip link add link DEVICE name NAME type macsec [ [ address
1005 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1006 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1007 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1008 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1009 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1010 ]
1011 address <lladdr> - sets the system identifier component
1014 of secure channel for this MACsec device.
1015 port PORT - sets the port number component of secure
1018 channel for this MACsec device, in a range from 1 to
1019 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1020 are interpreted as octal and hexadecimal, respectively.
1021 sci SCI - sets the secure channel identifier for this
1024 MACsec device. SCI is a 64bit wide number in hexadeci‐
1025 mal format.
1026 cipher CIPHER_SUITE - defines the cipher suite to use.
1029 icvlen LENGTH - sets the length of the Integrity Check
1032 Value (ICV).
1033 encrypt on or encrypt off - switches between authenti‐
1036 cated encryption, or authenticity mode only.
1037 send_sci on or send_sci off - specifies whether the SCI
1040 is included in every packet, or only when it is neces‐
1041 sary.
1042 end_station on or end_station off - sets the End Station
1045 bit.
1046 scb on or scb off - sets the Single Copy Broadcast bit.
1049 protect on or protect off - enables MACsec protection on
1052 the device.
1053 replay on or replay off - enables replay protection on
1056 the device.
1057 window SIZE - sets the size of the replay win‐
1061 dow.
1062 validate strict or validate check or validate disabled -
1066 sets the validation mode on the device.
1067 encodingsa AN - sets the active secure association for
1070 transmission.
1071 VRF Type Support
1075 For a link of type VRF the following additional arguments are
1076 supported:
1077 ip link add DEVICE type vrf table TABLE
1079 table table id associated with VRF device
1082 RMNET Type Support
1086 For a link of type RMNET the following additional arguments are
1087 supported:
1088 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1090 mux_id MUXID - specifies the mux identifier for the
1093 rmnet device, possible values 1-254.
1094 ip link delete - delete virtual link
1098 dev DEVICE
1099 specifies the virtual device to act operate on.
1100 group GROUP
1103 specifies the group of virtual links to delete. Group 0 is not
1104 allowed to be deleted since it is the default group.
1105 type TYPE
1108 specifies the type of the device.
1109 ip link set - change device attributes
1112 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1113 ately after any of the changes have failed. This is the only case when
1114 ip can move the system to an unpredictable state. The solution is to
1115 avoid changing several parameters with one ip link set call.
1116 dev DEVICE
1119 DEVICE specifies network device to operate on. When configuring
1120 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1121 ify the associated Physical Function (PF) device.
1122 group GROUP
1125 GROUP has a dual role: If both group and dev are present, then
1126 move the device to the specified group. If only a group is spec‐
1127 ified, then the command operates on all devices in that group.
1128 up and down
1131 change the state of the device to UP or DOWN.
1132 arp on or arp off
1135 change the NOARP flag on the device.
1136 multicast on or multicast off
1139 change the MULTICAST flag on the device.
1140 protodown on or protodown off
1143 change the PROTODOWN state on the device. Indicates that a pro‐
1144 tocol error has been detected on the port. Switch drivers can
1145 react to this error by doing a phys down on the switch port.
1146 dynamic on or dynamic off
1149 change the DYNAMIC flag on the device. Indicates that address
1150 can change when interface goes down (currently NOT used by the
1151 Linux).
1152 name NAME
1155 change the name of the device. This operation is not recommended
1156 if the device is running or has some addresses already config‐
1157 ured.
1158 txqueuelen NUMBER
1161 txqlen NUMBER
1163 change the transmit queue length of the device.
1164 mtu NUMBER
1167 change the MTU of the device.
1168 address LLADDRESS
1171 change the station address of the interface.
1172 broadcast LLADDRESS
1175 brd LLADDRESS
1177 peer LLADDRESS
1179 change the link layer broadcast address or the peer address when
1180 the interface is POINTOPOINT.
1181 netns NETNSNAME | PID
1184 move the device to the network namespace associated with name
1185 NETNSNAME or process PID.
1186 Some devices are not allowed to change network namespace: loop‐
1188 back, bridge, ppp, wireless. These are network namespace local
1189 devices. In such case ip tool will return "Invalid argument"
1190 error. It is possible to find out if device is local to a single
1191 network namespace by checking netns-local flag in the output of
1192 the ethtool:
1193 ethtool -k DEVICE
1195 To change network namespace for wireless devices the iw tool can
1197 be used. But it allows to change network namespace only for
1198 physical devices and by process PID.
1199 alias NAME
1202 give the device a symbolic name for easy reference.
1203 group GROUP
1206 specify the group the device belongs to. The available groups
1207 are listed in file /etc/iproute2/group.
1208 vf NUM specify a Virtual Function device to be configured. The associ‐
1211 ated PF device must be specified using the dev parameter.
1212 mac LLADDRESS - change the station address for the spec‐
1214 ified VF. The vf parameter must be specified.
1215 vlan VLANID - change the assigned VLAN for the specified
1218 VF. When specified, all traffic sent from the VF will be
1219 tagged with the specified VLAN ID. Incoming traffic will
1220 be filtered for the specified VLAN ID, and will have all
1221 VLAN tags stripped before being passed to the VF. Set‐
1222 ting this parameter to 0 disables VLAN tagging and fil‐
1223 tering. The vf parameter must be specified.
1224 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1227 VLAN tag. When specified, all VLAN tags transmitted by
1228 the VF will include the specified priority bits in the
1229 VLAN tag. If not specified, the value is assumed to be
1230 0. Both the vf and vlan parameters must be specified.
1231 Setting both vlan and qos as 0 disables VLAN tagging and
1232 filtering for the VF.
1233 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1236 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1237 traffic sent from the VF will be tagged with VLAN S-Tag.
1238 Incoming traffic will have VLAN S-Tags stripped before
1239 being passed to the VF. Setting to 802.1ad also enables
1240 an option to concatenate another VLAN tag, so both S-TAG
1241 and C-TAG will be inserted/stripped for outgoing/incom‐
1242 ing traffic, respectively. If not specified, the value
1243 is assumed to be 802.1Q. Both the vf and vlan parameters
1244 must be specified.
1245 rate TXRATE -- change the allowed transmit bandwidth, in
1248 Mbps, for the specified VF. Setting this parameter to 0
1249 disables rate limiting. vf parameter must be specified.
1250 Please use new API max_tx_rate option instead.
1251 max_tx_rate TXRATE - change the allowed maximum transmit
1254 bandwidth, in Mbps, for the specified VF. Setting this
1255 parameter to 0 disables rate limiting. vf parameter
1256 must be specified.
1257 min_tx_rate TXRATE - change the allowed minimum transmit
1260 bandwidth, in Mbps, for the specified VF. Minimum
1261 TXRATE should be always <= Maximum TXRATE. Setting this
1262 parameter to 0 disables rate limiting. vf parameter
1263 must be specified.
1264 spoofchk on|off - turn packet spoof checking on or off
1267 for the specified VF.
1268 query_rss on|off - toggle the ability of querying the
1270 RSS configuration of a specific VF. VF RSS information
1271 like RSS hash key may be considered sensitive on some
1272 devices where this information is shared between VF and
1273 PF and thus its querying may be prohibited by default.
1274 state auto|enable|disable - set the virtual link state
1276 as seen by the specified VF. Setting to auto means a
1277 reflection of the PF link state, enable lets the VF to
1278 communicate with other VFs on this host even if the PF
1279 link state is down, disable causes the HW to drop any
1280 packets sent by the VF.
1281 trust on|off - trust the specified VF user. This enables
1283 that VF user can set a specific feature which may impact
1284 security and/or performance. (e.g. VF multicast promis‐
1285 cuous mode)
1286 node_guid eui64 - configure node GUID for Infiniband
1288 VFs.
1289 port_guid eui64 - configure port GUID for Infiniband
1291 VFs.
1292 xdp object | pinned | off
1295 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1296 every packet at driver level. ip link output will indicate a
1297 xdp flag for the networking device. If the driver does not have
1298 native XDP support, the kernel will fall back to a slower,
1299 driver-independent "generic" XDP variant. The ip link output
1300 will in that case indicate xdpgeneric instead of xdp only. If
1301 the driver does have native XDP support, but the program is
1302 loaded under xdpgeneric object | pinned then the kernel will use
1303 the generic XDP variant instead of the native one. xdpdrv has
1304 the opposite effect of requestsing that the automatic fallback
1305 to the generic XDP variant be disabled and in case driver is not
1306 XDP-capable error should be returned. xdpdrv also disables
1307 hardware offloads. xdpoffload in ip link output indicates that
1308 the program has been offloaded to hardware and can also be used
1309 to request the "offload" mode, much like xdpgeneric it forces
1310 program to be installed specifically in HW/FW of the apater.
1311 off (or none ) - Detaches any currently attached XDP/BPF program
1313 from the given device.
1314 object FILE - Attaches a XDP/BPF program to the given device.
1316 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1317 contains the BPF program code, map specifications, etc. If a
1318 XDP/BPF program is already attached to the given device, an
1319 error will be thrown. If no XDP/BPF program is currently
1320 attached, the device supports XDP and the program from the BPF
1321 ELF file passes the kernel verifier, then it will be attached to
1322 the device. If the option -force is passed to ip then any prior
1323 attached XDP/BPF program will be atomically overridden and no
1324 error will be thrown in this case. If no section option is
1325 passed, then the default section name ("prog") will be assumed,
1326 otherwise the provided section name will be used. If no verbose
1327 option is passed, then a verifier log will only be dumped on
1328 load error. See also EXAMPLES section for usage examples.
1329 section NAME - Specifies a section name that contains the BPF
1331 program code. If no section name is specified, the default one
1332 ("prog") will be used. This option is to be passed with the
1333 object option.
1334 verbose - Act in verbose mode. For example, even in case of suc‐
1336 cess, this will print the verifier log in case a program was
1337 loaded from a BPF ELF file.
1338 pinned FILE - Attaches a XDP/BPF program to the given device.
1340 The FILE points to an already pinned BPF program in the BPF file
1341 system. The option section doesn't apply here, but otherwise
1342 semantics are the same as with the option object described
1343 already.
1344 master DEVICE
1347 set master device of the device (enslave device).
1348 nomaster
1351 unset master device of the device (release device).
1352 addrgenmode eui64|none|stable_secret|random
1355 set the IPv6 address generation mode
1356 eui64 - use a Modified EUI-64 format interface identifier
1358 none - disable automatic address generation
1360 stable_secret - generate the interface identifier based on a
1362 preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1363 random - like stable_secret, but auto-generate a new random
1365 secret if none is set
1366 link-netnsid
1369 set peer netnsid for a cross-netns interface
1370 type ETYPE TYPE_ARGS
1373 Change type-specific settings. For a list of supported types and
1374 arguments refer to the description of ip link add above. In
1375 addition to that, it is possible to manipulate settings to slave
1376 devices:
1377 Bridge Slave Support
1380 For a link with master bridge the following additional arguments
1381 are supported:
1382 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1384 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1385 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1386 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1387 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1388 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1389 mcast_flood { on | off } ] [ group_fwd_mask MASK ] [ neigh_sup‐
1390 press { on | off } ] [ vlan_tunnel { on | off } ] [ isolated {
1391 on | off } ] [ backup_port DEVICE ] [ nobackup_port ]
1392 fdb_flush - flush bridge slave's fdb dynamic entries.
1395 state STATE - Set port state. STATE is a number repre‐
1397 senting the following states: 0 (disabled), 1 (listen‐
1398 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1399 priority PRIO - set port priority (allowed values are
1401 between 0 and 63, inclusively).
1402 cost COST - set port cost (allowed values are between 1
1404 and 65535, inclusively).
1405 guard { on | off } - block incoming BPDU packets on this
1407 port.
1408 hairpin { on | off } - enable hairpin mode on this port.
1410 This will allow incoming packets on this port to be
1411 reflected back.
1412 fastleave { on | off } - enable multicast fast leave on
1414 this port.
1415 root_block { on | off } - block this port from becoming
1417 the bridge's root port.
1418 learning { on | off } - allow MAC address learning on
1420 this port.
1421 flood { on | off } - open the flood gates on this port,
1423 i.e. forward all unicast frames to this port also.
1424 Requires proxy_arp and proxy_arp_wifi to be turned off.
1425 proxy_arp { on | off } - enable proxy ARP on this port.
1427 proxy_arp_wifi { on | off } - enable proxy ARP on this
1429 port which meets extended requirements by IEEE 802.11
1430 and Hotspot 2.0 specifications.
1431 mcast_router MULTICAST_ROUTER - configure this port for
1433 having multicast routers attached. A port with a multi‐
1434 cast router will receive all multicast traffic. MULTI‐
1435 CAST_ROUTER may be either 0 to disable multicast routers
1436 on this port, 1 to let the system detect the presence of
1437 of routers (this is the default), 2 to permanently
1438 enable multicast traffic forwarding on this port or 3 to
1439 enable multicast routers temporarily on this port, not
1440 depending on incoming queries.
1441 mcast_fast_leave { on | off } - this is a synonym to the
1443 fastleave option above.
1444 mcast_flood { on | off } - controls whether a given port
1446 will be flooded with multicast traffic for which there
1447 is no MDB entry.
1448 group_fwd_mask MASK - set the group forward mask. This
1450 is the bitmask that is applied to decide whether to for‐
1451 ward incoming frames destined to link-local addresses,
1452 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1453 0, ie the bridge does not forward any link-local frames
1454 coming on this port).
1455 neigh_suppress { on | off } - controls whether neigh
1457 discovery (arp and nd) proxy and suppression is enabled
1458 on the port. By default this flag is off.
1459 vlan_tunnel { on | off } - controls whether vlan to tun‐
1461 nel mapping is enabled on the port. By default this flag
1462 is off.
1463 backup_port DEVICE - if the port loses carrier all traf‐
1465 fic will be redirected to the configured backup port
1466 nobackup_port - removes the currently configured backup
1468 port
1469 Bonding Slave Support
1473 For a link with master bond the following additional arguments
1474 are supported:
1475 ip link set type bond_slave [ queue_id ID ]
1477 queue_id ID - set the slave's queue ID (a 16bit unsigned
1480 value).
1481 MACVLAN and MACVTAP Support
1485 Modify list of allowed macaddr for link in source mode.
1486 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1488 ... ]
1489 Commands:
1491 add - add MACADDR to allowed list
1492 set - replace allowed list
1494 del - remove MACADDR from allowed list
1496 flush - flush whole allowed list
1498 ip link show - display device attributes
1503 dev NAME (default)
1504 NAME specifies the network device to show. If this argument is
1505 omitted all devices in the default group are listed.
1506 group GROUP
1509 GROUP specifies what group of devices to show.
1510 up only display running interfaces.
1513 master DEVICE
1516 DEVICE specifies the master device which enslaves devices to
1517 show.
1518 vrf NAME
1521 NAME speficies the VRF which enslaves devices to show.
1522 type TYPE
1525 TYPE specifies the type of devices to show.
1526 Note that the type name is not checked against the list of sup‐
1528 ported types - instead it is sent as-is to the kernel. Later it
1529 is used to filter the returned interface list by comparing it
1530 with the relevant attribute in case the kernel didn't filter
1531 already. Therefore any string is accepted, but may lead to empty
1532 output.
1533 ip link xstats - display extended statistics
1536 type TYPE
1537 TYPE specifies the type of devices to display extended statis‐
1538 tics for.
1539 ip link afstats - display address-family specific statistics
1542 dev DEVICE
1543 DEVICE specifies the device to display address-family statistics
1544 for.
1545 ip link help - display help
1548 TYPE specifies which help of link type to dislpay.
1549 GROUP
1552 may be a number or a string from the file /etc/iproute2/group which can
1553 be manually filled.
1554
1557 ip link show
1558 Shows the state of all network interfaces on the system.
1559 ip link show type bridge
1561 Shows the bridge devices.
1562 ip link show type vlan
1564 Shows the vlan devices.
1565 ip link show master br0
1567 Shows devices enslaved by br0
1568 ip link set dev ppp0 mtu 1400
1570 Change the MTU the ppp0 device.
1571 ip link add link eth0 name eth0.10 type vlan id 10
1573 Creates a new vlan device eth0.10 on device eth0.
1574 ip link delete dev eth0.10
1576 Removes vlan device.
1577 ip link help gre
1579 Display help for the gre link type.
1580 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1582 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1583 remcsum
1584 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1585 tion, and the outer UDP checksum and remote checksum offload are
1586 enabled.
1587 ip link set dev eth0 xdp obj prog.o
1589 Attaches a XDP/BPF program to device eth0, where the program is
1590 located in prog.o, section "prog" (default section). In case a
1591 XDP/BPF program is already attached, throw an error.
1592 ip -force link set dev eth0 xdp obj prog.o sec foo
1594 Attaches a XDP/BPF program to device eth0, where the program is
1595 located in prog.o, section "foo". In case a XDP/BPF program is
1596 already attached, it will be overridden by the new one.
1597 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1599 Attaches a XDP/BPF program to device eth0, where the program was
1600 previously pinned as an object node into BPF file system under name
1601 foo.
1602 ip link set dev eth0 xdp off
1604 If a XDP/BPF program is attached on device eth0, detach it and
1605 effectively turn off XDP for device eth0.
1606 ip link add link wpan0 lowpan0 type lowpan
1608 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1609 802.15.4 device wpan0.
1610 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1612 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1613 erspan_hwid 17
1614 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1615
1618 ip(8), ip-netns(8), ethtool(8), iptables(8)
1619
1622 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1623iproute2 13 Dec 2012 IP-LINK(8)