1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr [ MACADDR ]
59 [ { flush | add | del } MACADDR ]
60 [ set MACADDR ] ]
61 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
63 ] [ type ETYPE ] [ vrf NAME ]
64 ip link xstats type TYPE [ ARGS ]
66 ip link afstats [ dev DEVICE ]
68 ip link help [ TYPE ]
70 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
72 macvlan | macvtap | vcan | vxcan | veth | vlan |
73 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
74 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
75 | ipvtap | lowpan | geneve | vrf | macsec | netdevsim
76 | rmnet | xfrm ]
77 ETYPE := [ TYPE | bridge_slave | bond_slave ]
79 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
81 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
83 ]
84
87 ip link add - add virtual link
88 link DEVICE
89 specifies the physical device to act operate on.
90 NAME specifies the name of the new virtual device.
92 TYPE specifies the type of the new device.
94 Link types:
96 bridge - Ethernet Bridge device
98 bond - Bonding device
100 dummy - Dummy network interface
102 hsr - High-availability Seamless Redundancy device
104 ifb - Intermediate Functional Block device
106 ipoib - IP over Infiniband device
108 macvlan - Virtual interface base on link layer address
110 (MAC)
111 macvtap - Virtual interface based on link layer address
113 (MAC) and TAP.
114 vcan - Virtual Controller Area Network interface
116 vxcan - Virtual Controller Area Network tunnel interface
118 veth - Virtual ethernet interface
120 vlan - 802.1q tagged virtual LAN interface
122 vxlan - Virtual eXtended LAN
124 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
126 ipip - Virtual tunnel interface IPv4 over IPv4
128 sit - Virtual tunnel interface IPv6 over IPv4
130 gre - Virtual tunnel interface GRE over IPv4
132 gretap - Virtual L2 tunnel interface GRE over IPv4
134 erspan - Encapsulated Remote SPAN over GRE and IPv4
136 ip6gre - Virtual tunnel interface GRE over IPv6
138 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
140 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
142 vti - Virtual tunnel interface
144 nlmon - Netlink monitoring device
146 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
148 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
150 TAP
151 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
153 / Bluetooth
154 geneve - GEneric NEtwork Virtualization Encapsulation
156 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
158 sec)
159 vrf - Interface for L3 VRF domains
161 netdevsim - Interface for netdev API tests
163 rmnet - Qualcomm rmnet device
165 xfrm - Virtual xfrm interface
167 numtxqueues QUEUE_COUNT
170 specifies the number of transmit queues for new device.
171 numrxqueues QUEUE_COUNT
174 specifies the number of receive queues for new device.
175 gso_max_size BYTES
178 specifies the recommended maximum size of a Generic Segment Off‐
179 load packet the new device should accept.
180 gso_max_segs SEGMENTS
183 specifies the recommended maximum number of a Generic Segment
184 Offload segments the new device should accept.
185 index IDX
188 specifies the desired index of the new virtual device. The link
189 creation fails, if the index is busy.
190 VLAN Type Support
193 For a link of type VLAN the following additional arguments are
194 supported:
195 ip link add link DEVICE name NAME type vlan [ protocol
197 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
198 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
199 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
200 egress-qos-map QOS-MAP ]
201 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
204 id VLANID - specifies the VLAN Identifer to use. Note
206 that numbers with a leading " 0 " or " 0x " are inter‐
207 preted as octal or hexadeimal, respectively.
208 reorder_hdr { on | off } - specifies whether ethernet
210 headers are reordered or not (default is on).
211 If reorder_hdr is on then VLAN header will be not
213 inserted immediately but only before passing to the
214 physical device (if this device does not support
215 VLAN offloading), the similar on the RX direction -
216 by default the packet will be untagged before being
217 received by VLAN device. Reordering allows to accel‐
218 erate tagging on egress and to hide VLAN header on
219 ingress so the packet looks like regular Ethernet
220 packet, at the same time it might be confusing for
221 packet capture as the VLAN header does not exist
222 within the packet.
223 VLAN offloading can be checked by ethtool(8):
225 ethtool -k <phy_dev> | grep tx-vlan-offload
227 where <phy_dev> is the physical device to which VLAN
229 device is bound.
230 gvrp { on | off } - specifies whether this VLAN should
232 be registered using GARP VLAN
233 Registration Protocol.
234 mvrp { on | off } - specifies whether this VLAN should
236 be registered using Multiple VLAN
237 Registration Protocol.
238 loose_binding { on | off } - specifies whether the VLAN
240 device state is bound to the physical device state.
241 bridge_binding { on | off } - specifies whether the VLAN
243 device link state tracks the state of bridge ports that
244 are members of the VLAN.
245 ingress-qos-map QOS-MAP - defines a mapping of VLAN
247 header prio field to the Linux internal packet priority
248 on incoming frames. The format is FROM:TO with multiple
249 mappings separated by spaces.
250 egress-qos-map QOS-MAP - defines a mapping of Linux
252 internal packet priority to VLAN header prio field but
253 for outgoing frames. The format is the same as for
254 ingress-qos-map.
255 Linux packet priority can be set by iptables(8):
257 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
259 SIFY --set-class 0:4
260 and this "4" priority can be used in the egress qos
262 mapping to set VLAN prio "5":
263 ip link set veth0.10 type vlan egress 4:5
265 VXLAN Type Support
268 For a link of type VXLAN the following additional arguments are
269 supported:
270 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
272 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
273 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
274 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
275 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
276 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
277 ] [ [no]external ] [ gbp ] [ gpe ]
278 id VNI - specifies the VXLAN Network Identifer (or VXLAN
281 Segment Identifier) to use.
282 dev PHYS_DEV - specifies the physical device to use for
284 tunnel endpoint communication.
285 group IPADDR - specifies the multicast IP address to
288 join. This parameter cannot be specified with the
289 remote parameter.
290 remote IPADDR - specifies the unicast destination IP
293 address to use in outgoing packets when the destination
294 link layer address is not known in the VXLAN device for‐
295 warding database. This parameter cannot be specified
296 with the group parameter.
297 local IPADDR - specifies the source IP address to use in
300 outgoing packets.
301 ttl TTL - specifies the TTL value to use in outgoing
304 packets.
305 tos TOS - specifies the TOS value to use in outgoing
308 packets.
309 df DF - specifies the usage of the Don't Fragment flag
312 (DF) bit in outgoing packets with IPv4 headers. The
313 value inherit causes the bit to be copied from the orig‐
314 inal IP header. The values unset and set cause the bit
315 to be always unset or always set, respectively. By
316 default, the bit is not set.
317 flowlabel FLOWLABEL - specifies the flow label to use in
320 outgoing packets.
321 dstport PORT - specifies the UDP destination port to
324 communicate to the remote
325 VXLAN tunnel endpoint.
326 srcport MIN MAX - specifies the range of port numbers to
329 use as UDP source ports to communicate to the remote
330 VXLAN tunnel endpoint.
331 [no]learning - specifies if unknown source link layer
334 addresses and IP addresses are entered into the VXLAN
335 device forwarding database.
336 [no]rsc - specifies if route short circuit is turned on.
339 [no]proxy - specifies ARP proxy is turned on.
342 [no]l2miss - specifies if netlink LLADDR miss notifica‐
345 tions are generated.
346 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
349 tions are generated.
350 [no]udpcsum - specifies if UDP checksum is calculated
353 for transmitted packets over IPv4.
354 [no]udp6zerocsumtx - skip UDP checksum calculation for
357 transmitted packets over IPv6.
358 [no]udp6zerocsumrx - allow incoming UDP packets over
361 IPv6 with zero checksum field.
362 ageing SECONDS - specifies the lifetime in seconds of
365 FDB entries learnt by the kernel.
366 maxaddress NUMBER - specifies the maximum number of FDB
369 entries.
370 [no]external - specifies whether an external control
373 plane (e.g. ip route encap) or the internal FDB should
374 be used.
375 gbp - enables the Group Policy extension (VXLAN-GBP).
378 Allows to transport group policy context across
380 VXLAN network peers. If enabled, includes the mark
381 of a packet in the VXLAN header for outgoing packets
382 and fills the packet mark based on the information
383 found in the VXLAN header for incoming packets.
384 Format of upper 16 bits of packet mark (flags);
386 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
388 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
389 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
390 D := Don't Learn bit. When set, this bit indicates
392 that the egress VTEP MUST NOT learn the source
393 address of the encapsulated frame.
394 A := Indicates that the group policy has already
396 been applied to this packet. Policies MUST NOT be
397 applied by devices when the A bit is set.
398 Format of lower 16 bits of packet mark (policy ID):
400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
402 | Group Policy ID |
403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
404 Example:
406 iptables -A OUTPUT [...] -j MARK --set-mark
407 0x800FF
408 gpe - enables the Generic Protocol extension (VXLAN-
412 GPE). Currently, this is only supported together with
413 the external keyword.
414 VETH, VXCAN Type Support
418 For a link of types VETH/VXCAN the following additional argu‐
419 ments are supported:
420 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
422 peer name NAME - specifies the virtual pair device name
425 of the VETH/VXCAN tunnel.
426 IPIP, SIT Type Support
430 For a link of type IPIPorSIT the following additional arguments
431 are supported:
432 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
434 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
435 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
436 mode { ip6ip | ipip | mplsip | any } ] [ external ]
437 remote ADDR - specifies the remote address of the tun‐
440 nel.
441 local ADDR - specifies the fixed local address for tun‐
444 neled packets. It must be an address on another inter‐
445 face on this host.
446 encap { fou | gue | none } - specifies type of secondary
449 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
450 indicates Generic UDP Encapsulation.
451 encap-sport { PORT | auto } - specifies the source port
454 in UDP encapsulation. PORT indicates the port by num‐
455 ber, "auto" indicates that the port number should be
456 chosen automatically (the kernel picks a flow based on
457 the flow hash of the encapsulated packet).
458 [no]encap-csum - specifies if UDP checksums are enabled
461 in the secondary encapsulation.
462 [no]encap-remcsum - specifies if Remote Checksum Offload
465 is enabled. This is only applicable for Generic UDP
466 Encapsulation.
467 mode { ip6ip | ipip | mplsip | any } - specifies mode in
470 which device should run. "ip6ip" indicates IPv6-Over-
471 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
472 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
473 Over IPv4. Supported for SIT where the default is
474 "ip6ip" and IPIP where the default is "ipip".
475 IPv6-Over-IPv4 is not supported for IPIP.
476 external - make this tunnel externally controlled (e.g.
479 ip route encap).
480 GRE Type Support
483 For a link of type GRE or GRETAP the following additional argu‐
484 ments are supported:
485 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
487 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
488 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
489 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
490 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
491 remcsum ] [ external ]
492 remote ADDR - specifies the remote address of the tun‐
495 nel.
496 local ADDR - specifies the fixed local address for tun‐
499 neled packets. It must be an address on another inter‐
500 face on this host.
501 [no][i|o]seq - serialize packets. The oseq flag enables
504 sequencing of outgoing packets. The iseq flag requires
505 that all input packets are serialized.
506 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
509 KEY is either a number or an IPv4 address-like dotted
510 quad. The key parameter specifies the same key to use
511 in both directions. The ikey and okey parameters spec‐
512 ify different keys for input and output.
513 [no][i|o]csum - generate/require checksums for tunneled
516 packets. The ocsum flag calculates checksums for outgo‐
517 ing packets. The icsum flag requires that all input
518 packets have the correct checksum. The csum flag is
519 equivalent to the combination icsum ocsum .
520 ttl TTL - specifies the TTL value to use in outgoing
523 packets.
524 tos TOS - specifies the TOS value to use in outgoing
527 packets.
528 [no]pmtudisc - enables/disables Path MTU Discovery on
531 this tunnel. It is enabled by default. Note that a
532 fixed ttl is incompatible with this option: tunneling
533 with a fixed ttl always makes pmtu discovery.
534 [no]ignore-df - enables/disables IPv4 DF suppression on
537 this tunnel. Normally datagrams that exceed the MTU
538 will be fragmented; the presence of the DF flag inhibits
539 this, resulting instead in an ICMP Unreachable (Fragmen‐
540 tation Required) message. Enabling this attribute
541 causes the DF flag to be ignored.
542 dev PHYS_DEV - specifies the physical device to use for
545 tunnel endpoint communication.
546 encap { fou | gue | none } - specifies type of secondary
549 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
550 indicates Generic UDP Encapsulation.
551 encap-sport { PORT | auto } - specifies the source port
554 in UDP encapsulation. PORT indicates the port by num‐
555 ber, "auto" indicates that the port number should be
556 chosen automatically (the kernel picks a flow based on
557 the flow hash of the encapsulated packet).
558 [no]encap-csum - specifies if UDP checksums are enabled
561 in the secondary encapsulation.
562 [no]encap-remcsum - specifies if Remote Checksum Offload
565 is enabled. This is only applicable for Generic UDP
566 Encapsulation.
567 external - make this tunnel externally controlled (e.g.
570 ip route encap).
571 IP6GRE/IP6GRETAP Type Support
575 For a link of type IP6GRE/IP6GRETAP the following additional
576 arguments are supported:
577 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
579 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
580 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
581 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
582 localremote ] [ dev PHYS_DEV ] [ external ]
583 remote ADDR - specifies the remote IPv6 address of the
586 tunnel.
587 local ADDR - specifies the fixed local IPv6 address for
590 tunneled packets. It must be an address on another
591 interface on this host.
592 [no][i|o]seq - serialize packets. The oseq flag enables
595 sequencing of outgoing packets. The iseq flag requires
596 that all input packets are serialized.
597 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
600 KEY is either a number or an IPv4 address-like dotted
601 quad. The key parameter specifies the same key to use
602 in both directions. The ikey and okey parameters spec‐
603 ify different keys for input and output.
604 [no][i|o]csum - generate/require checksums for tunneled
607 packets. The ocsum flag calculates checksums for outgo‐
608 ing packets. The icsum flag requires that all input
609 packets have the correct checksum. The csum flag is
610 equivalent to the combination icsum ocsum.
611 hoplimit TTL - specifies Hop Limit value to use in out‐
614 going packets.
615 encaplimit ELIM - specifies a fixed encapsulation limit.
618 Default is 4.
619 flowlabel FLOWLABEL - specifies a fixed flowlabel.
622 [no]allow-localremote - specifies whether to allow
625 remote endpoint to have an address configured on local
626 host.
627 tclass TCLASS - specifies the traffic class field on
630 tunneled packets, which can be specified as either a
631 two-digit hex value (e.g. c0) or a predefined string
632 (e.g. internet). The value inherit causes the field to
633 be copied from the original IP header. The values
634 inherit/STRING or inherit/00..ff will set the field to
635 STRING or 00..ff when tunneling non-IP packets. The
636 default value is 00.
637 external - make this tunnel externally controlled (or
640 not, which is the default). In the kernel, this is
641 referred to as collect metadata mode. This flag is
642 mutually exclusive with the remote, local, seq, key,
643 csum, hoplimit, encaplimit, flowlabel and tclass
644 options.
645 IPoIB Type Support
649 For a link of type IPoIB the following additional arguments are
650 supported:
651 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
653 MODE ]
654 pkey PKEY - specifies the IB P-Key to use.
657 mode MODE - specifies the mode (datagram or connected)
659 to use.
660 ERSPAN Type Support
663 For a link of type ERSPAN/IP6ERSPAN the following additional
664 arguments are supported:
665 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
667 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
668 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
669 mote ] [ external ]
670 remote ADDR - specifies the remote address of the tun‐
673 nel.
674 local ADDR - specifies the fixed local address for tun‐
677 neled packets. It must be an address on another inter‐
678 face on this host.
679 erspan_ver version - specifies the ERSPAN version num‐
682 ber. version indicates the ERSPAN version to be cre‐
683 ated: 1 for version 1 (type II) or 2 for version 2 (type
684 III).
685 erspan IDX - specifies the ERSPAN v1 index field. IDX
688 indicates a 20 bit index/port number associated with the
689 ERSPAN traffic's source port and direction.
690 erspan_dir { ingress | egress } - specifies the ERSPAN
693 v2 mirrored traffic's direction.
694 erspan_hwid hwid - an unique identifier of an ERSPAN v2
697 engine within a system. hwid is a 6-bit value for users
698 to configure.
699 [no]allow-localremote - specifies whether to allow
702 remote endpoint to have an address configured on local
703 host.
704 external - make this tunnel externally controlled (or
707 not, which is the default). In the kernel, this is
708 referred to as collect metadata mode. This flag is
709 mutually exclusive with the remote, local, erspan_ver,
710 erspan, erspan_dir and erspan_hwid options.
711 GENEVE Type Support
715 For a link of type GENEVE the following additional arguments are
716 supported:
717 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
719 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
720 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
721 [no]udp6zerocsumrx ]
722 id VNI - specifies the Virtual Network Identifer to use.
725 remote IPADDR - specifies the unicast destination IP
728 address to use in outgoing packets.
729 ttl TTL - specifies the TTL value to use in outgoing
732 packets. "0" or "auto" means use whatever default value,
733 "inherit" means inherit the inner protocol's ttl.
734 Default option is "0".
735 tos TOS - specifies the TOS value to use in outgoing
738 packets.
739 df DF - specifies the usage of the Don't Fragment flag
742 (DF) bit in outgoing packets with IPv4 headers. The
743 value inherit causes the bit to be copied from the orig‐
744 inal IP header. The values unset and set cause the bit
745 to be always unset or always set, respectively. By
746 default, the bit is not set.
747 flowlabel FLOWLABEL - specifies the flow label to use in
750 outgoing packets.
751 dstport PORT - select a destination port other than the
754 default of 6081.
755 [no]external - make this tunnel externally controlled
758 (or not, which is the default). This flag is mutually
759 exclusive with the id, remote, ttl, tos and flowlabel
760 options.
761 [no]udpcsum - specifies if UDP checksum is calculated
764 for transmitted packets over IPv4.
765 [no]udp6zerocsumtx - skip UDP checksum calculation for
768 transmitted packets over IPv6.
769 [no]udp6zerocsumrx - allow incoming UDP packets over
772 IPv6 with zero checksum field.
773 MACVLAN and MACVTAP Type Support
777 For a link of type MACVLAN or MACVTAP the following additional
778 arguments are supported:
779 ip link add link DEVICE name NAME type { macvlan | macvtap }
781 mode { private | vepa | bridge | passthru [ nopromisc ] |
782 source }
783 type { macvlan | macvtap } - specifies the link type to
786 use. macvlan creates just a virtual interface, while
787 macvtap in addition creates a character device /dev/tapX
788 to be used just like a tuntap device.
789 mode private - Do not allow communication between
791 macvlan instances on the same physical interface, even
792 if the external switch supports hairpin mode.
793 mode vepa - Virtual Ethernet Port Aggregator mode. Data
795 from one macvlan instance to the other on the same phys‐
796 ical interface is transmitted over the physical inter‐
797 face. Either the attached switch needs to support hair‐
798 pin mode, or there must be a TCP/IP router forwarding
799 the packets in order to allow communication. This is the
800 default mode.
801 mode bridge - In bridge mode, all endpoints are directly
803 connected to each other, communication is not redirected
804 through the physical interface's peer.
805 mode passthru [ nopromisc ] - This mode gives more power
807 to a single endpoint, usually in macvtap mode. It is not
808 allowed for more than one endpoint on the same physical
809 interface. All traffic will be forwarded to this end‐
810 point, allowing virtio guests to change MAC address or
811 set promiscuous mode in order to bridge the interface or
812 create vlan interfaces on top of it. By default, this
813 mode forces the underlying interface into promiscuous
814 mode. Passing the nopromisc flag prevents this, so the
815 promisc flag may be controlled using standard tools.
816 mode source - allows one to set a list of allowed mac
818 address, which is used to match against source mac
819 address from received frames on underlying interface.
820 This allows creating mac based VLAN associations,
821 instead of standard port or tag based. The feature is
822 useful to deploy 802.1x mac based behavior, where driv‐
823 ers of underlying interfaces doesn't allows that.
824 High-availability Seamless Redundancy (HSR) Support
827 For a link of type HSR the following additional arguments are
828 supported:
829 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
831 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
832 type hsr - specifies the link type to use, here HSR.
835 slave1 SLAVE1-IF - Specifies the physical device used
837 for the first of the two ring ports.
838 slave2 SLAVE2-IF - Specifies the physical device used
840 for the second of the two ring ports.
841 supervision ADDR-BYTE - The last byte of the multicast
843 address used for HSR supervision frames. Default option
844 is "0", possible values 0-255.
845 version { 0 | 1 } - Selects the protocol version of the
847 interface. Default option is "0", which corresponds to
848 the 2010 version of the HSR standard. Option "1" acti‐
849 vates the 2012 version.
850 BRIDGE Type Support
853 For a link of type BRIDGE the following additional arguments are
854 supported:
855 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
857 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
858 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
859 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
860 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
861 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
862 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
863 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
864 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
865 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
866 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
867 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
868 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
869 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
870 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
871 val QUERY_INTERVAL ] [ mcast_query_response_interval
872 QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
873 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
874 MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
875 mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
876 BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
877 bles NF_CALL_ARPTABLES ]
878 ageing_time AGEING_TIME - configure the bridge's FDB
881 entries ageing time, ie the number of seconds a MAC
882 address will be kept in the FDB after a packet has been
883 received from that address. after this time has passed,
884 entries are cleaned up.
885 group_fwd_mask MASK - set the group forward mask. This
887 is the bitmask that is applied to decide whether to for‐
888 ward incoming frames destined to link-local addresses,
889 ie addresses of the form 01:80:C2:00:00:0X (defaults to
890 0, ie the bridge does not forward any link-local
891 frames).
892 group_address ADDRESS - set the MAC address of the mul‐
894 ticast group this bridge uses for STP. The address must
895 be a link-local address in standard Ethernet MAC address
896 format, ie an address of the form 01:80:C2:00:00:0X,
897 with X
898 in [0, 4..f].
899 forward_delay FORWARD_DELAY - set the forwarding delay
901 in seconds, ie the time spent in LISTENING state (before
902 moving to LEARNING) and in LEARNING state (before moving
903 to FORWARDING). Only relevant if STP is enabled. Valid
904 values are between 2 and 30.
905 hello_time HELLO_TIME - set the time in seconds between
907 hello packets sent by the bridge, when it is a root
908 bridge or a designated bridges. Only relevant if STP is
909 enabled. Valid values are between 1 and 10.
910 max_age MAX_AGE - set the hello packet timeout, ie the
912 time in seconds until another bridge in the spanning
913 tree is assumed to be dead, after reception of its last
914 hello message. Only relevant if STP is enabled. Valid
915 values are between 6 and 40.
916 stp_state STP_STATE - turn spanning tree protocol on
918 (STP_STATE > 0) or off (STP_STATE == 0). for this
919 bridge.
920 priority PRIORITY - set this bridge's spanning tree pri‐
922 ority, used during STP root bridge election. PRIORITY
923 is a 16bit unsigned integer.
924 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
926 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
927 disabled, the bridge will not consider the VLAN tag when
928 handling packets.
929 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
931 used for VLAN filtering.
932 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
934 PVID (native/untagged VLAN ID) for this bridge.
935 vlan_stats_enabled VLAN_STATS_ENABLED - enable
937 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
938 == 0) per-VLAN stats accounting.
939 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
941 (VLAN_STATS_PER_PORT == 1) or disable
942 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
943 accounting. Can be changed only when there are no port
944 VLANs configured.
945 mcast_snooping MULTICAST_SNOOPING - turn multicast
947 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
948 CAST_SNOOPING == 0).
949 mcast_router MULTICAST_ROUTER - set bridge's multicast
951 router if IGMP snooping is enabled. MULTICAST_ROUTER is
952 an integer value having the following meaning:
953 0 - disabled.
955 1 - automatic (queried).
957 2 - permanently enabled.
959 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
961 to use the bridge's own IP address as source address for
962 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
963 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
964 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
966 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
967 IGMP querier, ie sending of multicast queries by the
968 bridge (default: disabled).
969 mcast_querier_interval QUERIER_INTERVAL - interval
971 between queries sent by other routers. if no queries are
972 seen after this delay has passed, the bridge will start
973 to send its own queries (as if mcast_querier was
974 enabled).
975 mcast_hash_elasticity HASH_ELASTICITY - set multicast
977 database hash elasticity, ie the maximum chain length in
978 the multicast hash table (defaults to 4).
979 mcast_hash_max HASH_MAX - set maximum size of multicast
981 hash table (defaults to 512, value must be a power of
982 2).
983 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
985 cast last member count, ie the number of queries the
986 bridge will send before stopping forwarding a multicast
987 group after a "leave" message has been received
988 (defaults to 2).
989 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
991 val between queries to find remaining members of a
992 group, after a "leave" message is received.
993 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
995 number of IGMP queries to send during startup phase
996 (defaults to 2).
997 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
999 interval between queries in the startup phase.
1000 mcast_query_interval QUERY_INTERVAL - interval between
1002 queries sent by the bridge after the end of the startup
1003 phase.
1004 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1006 set the Max Response Time/Maximum Response Delay for
1007 IGMP/MLD queries sent by the bridge.
1008 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1010 after which the bridge will leave a group, if no member‐
1011 ship reports for this group are received.
1012 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1014 (MCAST_STATS_ENABLED > 0) or disable
1015 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1016 accounting.
1017 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1019 mcast_mld_version MLD_VERSION - set the MLD version.
1021 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1023 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1024 hooks on the bridge.
1025 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1027 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1028 0) ip6tables hooks on the bridge.
1029 nf_call_arptables NF_CALL_ARPTABLES - enable
1031 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1032 0) arptables hooks on the bridge.
1033 MACsec Type Support
1038 For a link of type MACsec the following additional arguments are
1039 supported:
1040 ip link add link DEVICE name NAME type macsec [ [ address
1042 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1043 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1044 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1045 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1046 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1047 ]
1048 address <lladdr> - sets the system identifier component
1051 of secure channel for this MACsec device.
1052 port PORT - sets the port number component of secure
1055 channel for this MACsec device, in a range from 1 to
1056 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1057 are interpreted as octal and hexadecimal, respectively.
1058 sci SCI - sets the secure channel identifier for this
1061 MACsec device. SCI is a 64bit wide number in hexadeci‐
1062 mal format.
1063 cipher CIPHER_SUITE - defines the cipher suite to use.
1066 icvlen LENGTH - sets the length of the Integrity Check
1069 Value (ICV).
1070 encrypt on or encrypt off - switches between authenti‐
1073 cated encryption, or authenticity mode only.
1074 send_sci on or send_sci off - specifies whether the SCI
1077 is included in every packet, or only when it is neces‐
1078 sary.
1079 end_station on or end_station off - sets the End Station
1082 bit.
1083 scb on or scb off - sets the Single Copy Broadcast bit.
1086 protect on or protect off - enables MACsec protection on
1089 the device.
1090 replay on or replay off - enables replay protection on
1093 the device.
1094 window SIZE - sets the size of the replay win‐
1098 dow.
1099 validate strict or validate check or validate disabled -
1103 sets the validation mode on the device.
1104 encodingsa AN - sets the active secure association for
1107 transmission.
1108 VRF Type Support
1112 For a link of type VRF the following additional arguments are
1113 supported:
1114 ip link add DEVICE type vrf table TABLE
1116 table table id associated with VRF device
1119 RMNET Type Support
1123 For a link of type RMNET the following additional arguments are
1124 supported:
1125 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1127 mux_id MUXID - specifies the mux identifier for the
1130 rmnet device, possible values 1-254.
1131 XFRM Type Support
1135 For a link of type XFRM the following additional arguments are
1136 supported:
1137 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1139 dev PHYS_DEV - specifies the underlying physical inter‐
1142 face from which transform traffic is sent and received.
1143 if_id IF-ID - specifies the hexadecimal lookup key used
1146 to send traffic to and from specific xfrm policies.
1147 Policies must be configured with the same key. If not
1148 set, the key defaults to 0 and will match any policies
1149 which similarly do not have a lookup key configuration.
1150 ip link delete - delete virtual link
1154 dev DEVICE
1155 specifies the virtual device to act operate on.
1156 group GROUP
1159 specifies the group of virtual links to delete. Group 0 is not
1160 allowed to be deleted since it is the default group.
1161 type TYPE
1164 specifies the type of the device.
1165 ip link set - change device attributes
1168 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1169 ately after any of the changes have failed. This is the only case when
1170 ip can move the system to an unpredictable state. The solution is to
1171 avoid changing several parameters with one ip link set call. The modi‐
1172 fier change is equivalent to set.
1173 dev DEVICE
1177 DEVICE specifies network device to operate on. When configuring
1178 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1179 ify the associated Physical Function (PF) device.
1180 group GROUP
1183 GROUP has a dual role: If both group and dev are present, then
1184 move the device to the specified group. If only a group is spec‐
1185 ified, then the command operates on all devices in that group.
1186 up and down
1189 change the state of the device to UP or DOWN.
1190 arp on or arp off
1193 change the NOARP flag on the device.
1194 multicast on or multicast off
1197 change the MULTICAST flag on the device.
1198 protodown on or protodown off
1201 change the PROTODOWN state on the device. Indicates that a pro‐
1202 tocol error has been detected on the port. Switch drivers can
1203 react to this error by doing a phys down on the switch port.
1204 dynamic on or dynamic off
1207 change the DYNAMIC flag on the device. Indicates that address
1208 can change when interface goes down (currently NOT used by the
1209 Linux).
1210 name NAME
1213 change the name of the device. This operation is not recommended
1214 if the device is running or has some addresses already config‐
1215 ured.
1216 txqueuelen NUMBER
1219 txqlen NUMBER
1221 change the transmit queue length of the device.
1222 mtu NUMBER
1225 change the MTU of the device.
1226 address LLADDRESS
1229 change the station address of the interface.
1230 broadcast LLADDRESS
1233 brd LLADDRESS
1235 peer LLADDRESS
1237 change the link layer broadcast address or the peer address when
1238 the interface is POINTOPOINT.
1239 netns NETNSNAME | PID
1242 move the device to the network namespace associated with name
1243 NETNSNAME or process PID.
1244 Some devices are not allowed to change network namespace: loop‐
1246 back, bridge, ppp, wireless. These are network namespace local
1247 devices. In such case ip tool will return "Invalid argument"
1248 error. It is possible to find out if device is local to a single
1249 network namespace by checking netns-local flag in the output of
1250 the ethtool:
1251 ethtool -k DEVICE
1253 To change network namespace for wireless devices the iw tool can
1255 be used. But it allows to change network namespace only for
1256 physical devices and by process PID.
1257 alias NAME
1260 give the device a symbolic name for easy reference.
1261 group GROUP
1264 specify the group the device belongs to. The available groups
1265 are listed in file /etc/iproute2/group.
1266 vf NUM specify a Virtual Function device to be configured. The associ‐
1269 ated PF device must be specified using the dev parameter.
1270 mac LLADDRESS - change the station address for the spec‐
1272 ified VF. The vf parameter must be specified.
1273 vlan VLANID - change the assigned VLAN for the specified
1276 VF. When specified, all traffic sent from the VF will be
1277 tagged with the specified VLAN ID. Incoming traffic will
1278 be filtered for the specified VLAN ID, and will have all
1279 VLAN tags stripped before being passed to the VF. Set‐
1280 ting this parameter to 0 disables VLAN tagging and fil‐
1281 tering. The vf parameter must be specified.
1282 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1285 VLAN tag. When specified, all VLAN tags transmitted by
1286 the VF will include the specified priority bits in the
1287 VLAN tag. If not specified, the value is assumed to be
1288 0. Both the vf and vlan parameters must be specified.
1289 Setting both vlan and qos as 0 disables VLAN tagging and
1290 filtering for the VF.
1291 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1294 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1295 traffic sent from the VF will be tagged with VLAN S-Tag.
1296 Incoming traffic will have VLAN S-Tags stripped before
1297 being passed to the VF. Setting to 802.1ad also enables
1298 an option to concatenate another VLAN tag, so both S-TAG
1299 and C-TAG will be inserted/stripped for outgoing/incom‐
1300 ing traffic, respectively. If not specified, the value
1301 is assumed to be 802.1Q. Both the vf and vlan parameters
1302 must be specified.
1303 rate TXRATE -- change the allowed transmit bandwidth, in
1306 Mbps, for the specified VF. Setting this parameter to 0
1307 disables rate limiting. vf parameter must be specified.
1308 Please use new API max_tx_rate option instead.
1309 max_tx_rate TXRATE - change the allowed maximum transmit
1312 bandwidth, in Mbps, for the specified VF. Setting this
1313 parameter to 0 disables rate limiting. vf parameter
1314 must be specified.
1315 min_tx_rate TXRATE - change the allowed minimum transmit
1318 bandwidth, in Mbps, for the specified VF. Minimum
1319 TXRATE should be always <= Maximum TXRATE. Setting this
1320 parameter to 0 disables rate limiting. vf parameter
1321 must be specified.
1322 spoofchk on|off - turn packet spoof checking on or off
1325 for the specified VF.
1326 query_rss on|off - toggle the ability of querying the
1328 RSS configuration of a specific
1329 VF. VF RSS information like RSS hash key may be con‐
1330 sidered sensitive
1331 on some devices where this information is shared
1332 between VF and PF
1333 and thus its querying may be prohibited by default.
1334 state auto|enable|disable - set the virtual link state
1336 as seen by the specified VF. Setting to auto means a
1337 reflection of the PF link state, enable lets the VF to
1338 communicate with other VFs on this host even if the PF
1339 link state is down, disable causes the HW to drop any
1340 packets sent by the VF.
1341 trust on|off - trust the specified VF user. This enables
1343 that VF user can set a specific feature which may impact
1344 security and/or performance. (e.g. VF multicast promis‐
1345 cuous mode)
1346 node_guid eui64 - configure node GUID for Infiniband
1348 VFs.
1349 port_guid eui64 - configure port GUID for Infiniband
1351 VFs.
1352 xdp object | pinned | off
1355 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1356 every packet at driver level. ip link output will indicate a
1357 xdp flag for the networking device. If the driver does not have
1358 native XDP support, the kernel will fall back to a slower,
1359 driver-independent "generic" XDP variant. The ip link output
1360 will in that case indicate xdpgeneric instead of xdp only. If
1361 the driver does have native XDP support, but the program is
1362 loaded under xdpgeneric object | pinned then the kernel will use
1363 the generic XDP variant instead of the native one. xdpdrv has
1364 the opposite effect of requestsing that the automatic fallback
1365 to the generic XDP variant be disabled and in case driver is not
1366 XDP-capable error should be returned. xdpdrv also disables
1367 hardware offloads. xdpoffload in ip link output indicates that
1368 the program has been offloaded to hardware and can also be used
1369 to request the "offload" mode, much like xdpgeneric it forces
1370 program to be installed specifically in HW/FW of the apater.
1371 off (or none ) - Detaches any currently attached XDP/BPF program
1373 from the given device.
1374 object FILE - Attaches a XDP/BPF program to the given device.
1376 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1377 contains the BPF program code, map specifications, etc. If a
1378 XDP/BPF program is already attached to the given device, an
1379 error will be thrown. If no XDP/BPF program is currently
1380 attached, the device supports XDP and the program from the BPF
1381 ELF file passes the kernel verifier, then it will be attached to
1382 the device. If the option -force is passed to ip then any prior
1383 attached XDP/BPF program will be atomically overridden and no
1384 error will be thrown in this case. If no section option is
1385 passed, then the default section name ("prog") will be assumed,
1386 otherwise the provided section name will be used. If no verbose
1387 option is passed, then a verifier log will only be dumped on
1388 load error. See also EXAMPLES section for usage examples.
1389 section NAME - Specifies a section name that contains the BPF
1391 program code. If no section name is specified, the default one
1392 ("prog") will be used. This option is to be passed with the
1393 object option.
1394 verbose - Act in verbose mode. For example, even in case of suc‐
1396 cess, this will print the verifier log in case a program was
1397 loaded from a BPF ELF file.
1398 pinned FILE - Attaches a XDP/BPF program to the given device.
1400 The FILE points to an already pinned BPF program in the BPF file
1401 system. The option section doesn't apply here, but otherwise
1402 semantics are the same as with the option object described
1403 already.
1404 master DEVICE
1407 set master device of the device (enslave device).
1408 nomaster
1411 unset master device of the device (release device).
1412 addrgenmode eui64|none|stable_secret|random
1415 set the IPv6 address generation mode
1416 eui64 - use a Modified EUI-64 format interface identifier
1418 none - disable automatic address generation
1420 stable_secret - generate the interface identifier based on a
1422 preset
1423 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1424 random - like stable_secret, but auto-generate a new random
1426 secret if none is set
1427 link-netnsid
1430 set peer netnsid for a cross-netns interface
1431 type ETYPE TYPE_ARGS
1434 Change type-specific settings. For a list of supported types and
1435 arguments refer to the description of ip link add above. In
1436 addition to that, it is possible to manipulate settings to slave
1437 devices:
1438 Bridge Slave Support
1441 For a link with master bridge the following additional arguments
1442 are supported:
1443 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1445 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1446 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1447 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1448 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1449 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1450 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1451 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1452 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1453 backup_port DEVICE ] [ nobackup_port ]
1454 fdb_flush - flush bridge slave's fdb dynamic entries.
1457 state STATE - Set port state. STATE is a number repre‐
1459 senting the following states: 0 (disabled), 1 (listen‐
1460 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1461 priority PRIO - set port priority (allowed values are
1463 between 0 and 63, inclusively).
1464 cost COST - set port cost (allowed values are between 1
1466 and 65535, inclusively).
1467 guard { on | off } - block incoming BPDU packets on this
1469 port.
1470 hairpin { on | off } - enable hairpin mode on this port.
1472 This will allow incoming packets on this port to be
1473 reflected back.
1474 fastleave { on | off } - enable multicast fast leave on
1476 this port.
1477 root_block { on | off } - block this port from becoming
1479 the bridge's root port.
1480 learning { on | off } - allow MAC address learning on
1482 this port.
1483 flood { on | off } - open the flood gates on this port,
1485 i.e. forward all unicast frames to this port also.
1486 Requires proxy_arp and proxy_arp_wifi to be turned off.
1487 proxy_arp { on | off } - enable proxy ARP on this port.
1489 proxy_arp_wifi { on | off } - enable proxy ARP on this
1491 port which meets extended requirements by IEEE 802.11
1492 and Hotspot 2.0 specifications.
1493 mcast_router MULTICAST_ROUTER - configure this port for
1495 having multicast routers attached. A port with a multi‐
1496 cast router will receive all multicast traffic. MULTI‐
1497 CAST_ROUTER may be either 0 to disable multicast routers
1498 on this port, 1 to let the system detect the presence of
1499 of routers (this is the default), 2 to permanently
1500 enable multicast traffic forwarding on this port or 3 to
1501 enable multicast routers temporarily on this port, not
1502 depending on incoming queries.
1503 mcast_fast_leave { on | off } - this is a synonym to the
1505 fastleave option above.
1506 mcast_flood { on | off } - controls whether a given port
1508 will flood multicast traffic for which
1509 there is no MDB entry.
1510 mcast_to_unicast { on | off } - controls whether a given
1512 port will replicate packets using unicast
1513 instead of multicast. By default this flag is off.
1514 group_fwd_mask MASK - set the group forward mask. This
1516 is the bitmask that is applied to decide whether to for‐
1517 ward incoming frames destined to link-local addresses,
1518 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1519 0, ie the bridge does not forward any link-local frames
1520 coming on this port).
1521 neigh_suppress { on | off } - controls whether neigh
1523 discovery (arp and nd) proxy and suppression is enabled
1524 on the port. By default this flag is off.
1525 vlan_tunnel { on | off } - controls whether vlan to tun‐
1527 nel mapping is enabled on the port. By default this flag
1528 is off.
1529 backup_port DEVICE - if the port loses carrier all traf‐
1531 fic will be redirected to the configured backup port
1532 nobackup_port - removes the currently configured backup
1534 port
1535 Bonding Slave Support
1539 For a link with master bond the following additional arguments
1540 are supported:
1541 ip link set type bond_slave [ queue_id ID ]
1543 queue_id ID - set the slave's queue ID (a 16bit unsigned
1546 value).
1547 MACVLAN and MACVTAP Support
1551 Modify list of allowed macaddr for link in source mode.
1552 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1554 ... ]
1555 Commands:
1557 add - add MACADDR to allowed list
1558 set - replace allowed list
1560 del - remove MACADDR from allowed list
1562 flush - flush whole allowed list
1564 ip link show - display device attributes
1569 dev NAME (default)
1570 NAME specifies the network device to show. If this argument is
1571 omitted all devices in the default group are listed.
1572 group GROUP
1575 GROUP specifies what group of devices to show.
1576 up only display running interfaces.
1579 master DEVICE
1582 DEVICE specifies the master device which enslaves devices to
1583 show.
1584 vrf NAME
1587 NAME speficies the VRF which enslaves devices to show.
1588 type TYPE
1591 TYPE specifies the type of devices to show.
1592 Note that the type name is not checked against the list of sup‐
1594 ported types - instead it is sent as-is to the kernel. Later it
1595 is used to filter the returned interface list by comparing it
1596 with the relevant attribute in case the kernel didn't filter
1597 already. Therefore any string is accepted, but may lead to empty
1598 output.
1599 ip link xstats - display extended statistics
1602 type TYPE
1603 TYPE specifies the type of devices to display extended statis‐
1604 tics for.
1605 ip link afstats - display address-family specific statistics
1608 dev DEVICE
1609 DEVICE specifies the device to display address-family statistics
1610 for.
1611 ip link help - display help
1614 TYPE specifies which help of link type to dislpay.
1615 GROUP
1618 may be a number or a string from the file /etc/iproute2/group which can
1619 be manually filled.
1620
1623 ip link show
1624 Shows the state of all network interfaces on the system.
1625 ip link show type bridge
1627 Shows the bridge devices.
1628 ip link show type vlan
1630 Shows the vlan devices.
1631 ip link show master br0
1633 Shows devices enslaved by br0
1634 ip link set dev ppp0 mtu 1400
1636 Change the MTU the ppp0 device.
1637 ip link add link eth0 name eth0.10 type vlan id 10
1639 Creates a new vlan device eth0.10 on device eth0.
1640 ip link delete dev eth0.10
1642 Removes vlan device.
1643 ip link help gre
1645 Display help for the gre link type.
1646 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1648 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1649 remcsum
1650 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1651 tion, and the outer UDP checksum and remote checksum offload are
1652 enabled.
1653 ip link set dev eth0 xdp obj prog.o
1655 Attaches a XDP/BPF program to device eth0, where the program is
1656 located in prog.o, section "prog" (default section). In case a
1657 XDP/BPF program is already attached, throw an error.
1658 ip -force link set dev eth0 xdp obj prog.o sec foo
1660 Attaches a XDP/BPF program to device eth0, where the program is
1661 located in prog.o, section "foo". In case a XDP/BPF program is
1662 already attached, it will be overridden by the new one.
1663 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1665 Attaches a XDP/BPF program to device eth0, where the program was
1666 previously pinned as an object node into BPF file system under name
1667 foo.
1668 ip link set dev eth0 xdp off
1670 If a XDP/BPF program is attached on device eth0, detach it and
1671 effectively turn off XDP for device eth0.
1672 ip link add link wpan0 lowpan0 type lowpan
1674 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1675 802.15.4 device wpan0.
1676 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1678 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1679 erspan_hwid 17
1680 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1681
1684 ip(8), ip-netns(8), ethtool(8), iptables(8)
1685
1688 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1689iproute2 13 Dec 2012 IP-LINK(8)