1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 type TYPE [ ARGS ]
19 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
21 ip link set { DEVICE | group GROUP }
23 [ { up | down } ]
24 [ type ETYPE TYPE_ARGS ]
25 [ arp { on | off } ]
26 [ dynamic { on | off } ]
27 [ multicast { on | off } ]
28 [ allmulticast { on | off } ]
29 [ promisc { on | off } ]
30 [ protodown { on | off } ]
31 [ trailers { on | off } ]
32 [ txqueuelen PACKETS ]
33 [ name NEWNAME ]
34 [ address LLADDR ]
35 [ broadcast LLADDR ]
36 [ mtu MTU ]
37 [ netns { PID | NETNSNAME } ]
38 [ link-netnsid ID ]
39 [ alias NAME ]
40 [ vf NUM [ mac LLADDR ]
41 [ VFVLAN-LIST ]
42 [ rate TXRATE ]
43 [ max_tx_rate TXRATE ]
44 [ min_tx_rate TXRATE ]
45 [ spoofchk { on | off } ]
46 [ query_rss { on | off } ]
47 [ state { auto | enable | disable } ]
48 [ trust { on | off } ]
49 [ node_guid eui64 ]
50 [ port_guid eui64 ] ]
51 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
52 object FILE [ section NAME ] [ verbose ] |
53 pinned FILE } ]
54 [ master DEVICE ]
55 [ nomaster ]
56 [ vrf NAME ]
57 [ addrgenmode { eui64 | none | stable_secret | random } ]
58 [ macaddr [ MACADDR ]
59 [ { flush | add | del } MACADDR ]
60 [ set MACADDR ] ]
61 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
63 ] [ type ETYPE ] [ vrf NAME ]
64 ip link xstats type TYPE [ ARGS ]
66 ip link afstats [ dev DEVICE ]
68 ip link help [ TYPE ]
70 TYPE := [ bridge | bond | can | dummy | hsr | ifb | ipoib |
72 macvlan | macvtap | vcan | vxcan | veth | vlan |
73 vxlan | ip6tnl | ipip | sit | gre | gretap | erspan |
74 ip6gre | ip6gretap | ip6erspan | vti | nlmon | ipvlan
75 | ipvtap | lowpan | geneve | bareudp | vrf | macsec |
76 netdevsim | rmnet | xfrm ]
77 ETYPE := [ TYPE | bridge_slave | bond_slave ]
79 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
81 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
83 ]
84 ip link property add [ altname NAME .. ]
86 ip link property del [ altname NAME .. ]
88
91 ip link add - add virtual link
92 link DEVICE
93 specifies the physical device to act operate on.
94 NAME specifies the name of the new virtual device.
96 TYPE specifies the type of the new device.
98 Link types:
100 bridge - Ethernet Bridge device
102 bond - Bonding device
104 dummy - Dummy network interface
106 hsr - High-availability Seamless Redundancy device
108 ifb - Intermediate Functional Block device
110 ipoib - IP over Infiniband device
112 macvlan - Virtual interface base on link layer address
114 (MAC)
115 macvtap - Virtual interface based on link layer address
117 (MAC) and TAP.
118 vcan - Virtual Controller Area Network interface
120 vxcan - Virtual Controller Area Network tunnel interface
122 veth - Virtual ethernet interface
124 vlan - 802.1q tagged virtual LAN interface
126 vxlan - Virtual eXtended LAN
128 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
130 ipip - Virtual tunnel interface IPv4 over IPv4
132 sit - Virtual tunnel interface IPv6 over IPv4
134 gre - Virtual tunnel interface GRE over IPv4
136 gretap - Virtual L2 tunnel interface GRE over IPv4
138 erspan - Encapsulated Remote SPAN over GRE and IPv4
140 ip6gre - Virtual tunnel interface GRE over IPv6
142 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
144 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
146 vti - Virtual tunnel interface
148 nlmon - Netlink monitoring device
150 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
152 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
154 TAP
155 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
157 / Bluetooth
158 geneve - GEneric NEtwork Virtualization Encapsulation
160 bareudp - Bare UDP L3 encapsulation support
162 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
164 sec)
165 vrf - Interface for L3 VRF domains
167 netdevsim - Interface for netdev API tests
169 rmnet - Qualcomm rmnet device
171 xfrm - Virtual xfrm interface
173 numtxqueues QUEUE_COUNT
176 specifies the number of transmit queues for new device.
177 numrxqueues QUEUE_COUNT
180 specifies the number of receive queues for new device.
181 gso_max_size BYTES
184 specifies the recommended maximum size of a Generic Segment Off‐
185 load packet the new device should accept.
186 gso_max_segs SEGMENTS
189 specifies the recommended maximum number of a Generic Segment
190 Offload segments the new device should accept.
191 index IDX
194 specifies the desired index of the new virtual device. The link
195 creation fails, if the index is busy.
196 VLAN Type Support
199 For a link of type VLAN the following additional arguments are
200 supported:
201 ip link add link DEVICE name NAME type vlan [ protocol
203 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
204 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
205 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
206 egress-qos-map QOS-MAP ]
207 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
210 id VLANID - specifies the VLAN Identifer to use. Note
212 that numbers with a leading " 0 " or " 0x " are inter‐
213 preted as octal or hexadeimal, respectively.
214 reorder_hdr { on | off } - specifies whether ethernet
216 headers are reordered or not (default is on).
217 If reorder_hdr is on then VLAN header will be not
219 inserted immediately but only before passing to the
220 physical device (if this device does not support
221 VLAN offloading), the similar on the RX direction -
222 by default the packet will be untagged before being
223 received by VLAN device. Reordering allows to accel‐
224 erate tagging on egress and to hide VLAN header on
225 ingress so the packet looks like regular Ethernet
226 packet, at the same time it might be confusing for
227 packet capture as the VLAN header does not exist
228 within the packet.
229 VLAN offloading can be checked by ethtool(8):
231 ethtool -k <phy_dev> | grep tx-vlan-offload
233 where <phy_dev> is the physical device to which VLAN
235 device is bound.
236 gvrp { on | off } - specifies whether this VLAN should
238 be registered using GARP VLAN
239 Registration Protocol.
240 mvrp { on | off } - specifies whether this VLAN should
242 be registered using Multiple VLAN
243 Registration Protocol.
244 loose_binding { on | off } - specifies whether the VLAN
246 device state is bound to the physical device state.
247 bridge_binding { on | off } - specifies whether the VLAN
249 device link state tracks the state of bridge ports that
250 are members of the VLAN.
251 ingress-qos-map QOS-MAP - defines a mapping of VLAN
253 header prio field to the Linux internal packet priority
254 on incoming frames. The format is FROM:TO with multiple
255 mappings separated by spaces.
256 egress-qos-map QOS-MAP - defines a mapping of Linux
258 internal packet priority to VLAN header prio field but
259 for outgoing frames. The format is the same as for
260 ingress-qos-map.
261 Linux packet priority can be set by iptables(8):
263 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
265 SIFY --set-class 0:4
266 and this "4" priority can be used in the egress qos
268 mapping to set VLAN prio "5":
269 ip link set veth0.10 type vlan egress 4:5
271 VXLAN Type Support
274 For a link of type VXLAN the following additional arguments are
275 supported:
276 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
278 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
279 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
280 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
281 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
282 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
283 ] [ [no]external ] [ gbp ] [ gpe ]
284 id VNI - specifies the VXLAN Network Identifer (or VXLAN
287 Segment Identifier) to use.
288 dev PHYS_DEV - specifies the physical device to use for
290 tunnel endpoint communication.
291 group IPADDR - specifies the multicast IP address to
294 join. This parameter cannot be specified with the
295 remote parameter.
296 remote IPADDR - specifies the unicast destination IP
299 address to use in outgoing packets when the destination
300 link layer address is not known in the VXLAN device for‐
301 warding database. This parameter cannot be specified
302 with the group parameter.
303 local IPADDR - specifies the source IP address to use in
306 outgoing packets.
307 ttl TTL - specifies the TTL value to use in outgoing
310 packets.
311 tos TOS - specifies the TOS value to use in outgoing
314 packets.
315 df DF - specifies the usage of the Don't Fragment flag
318 (DF) bit in outgoing packets with IPv4 headers. The
319 value inherit causes the bit to be copied from the orig‐
320 inal IP header. The values unset and set cause the bit
321 to be always unset or always set, respectively. By
322 default, the bit is not set.
323 flowlabel FLOWLABEL - specifies the flow label to use in
326 outgoing packets.
327 dstport PORT - specifies the UDP destination port to
330 communicate to the remote
331 VXLAN tunnel endpoint.
332 srcport MIN MAX - specifies the range of port numbers to
335 use as UDP source ports to communicate to the remote
336 VXLAN tunnel endpoint.
337 [no]learning - specifies if unknown source link layer
340 addresses and IP addresses are entered into the VXLAN
341 device forwarding database.
342 [no]rsc - specifies if route short circuit is turned on.
345 [no]proxy - specifies ARP proxy is turned on.
348 [no]l2miss - specifies if netlink LLADDR miss notifica‐
351 tions are generated.
352 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
355 tions are generated.
356 [no]udpcsum - specifies if UDP checksum is calculated
359 for transmitted packets over IPv4.
360 [no]udp6zerocsumtx - skip UDP checksum calculation for
363 transmitted packets over IPv6.
364 [no]udp6zerocsumrx - allow incoming UDP packets over
367 IPv6 with zero checksum field.
368 ageing SECONDS - specifies the lifetime in seconds of
371 FDB entries learnt by the kernel.
372 maxaddress NUMBER - specifies the maximum number of FDB
375 entries.
376 [no]external - specifies whether an external control
379 plane (e.g. ip route encap) or the internal FDB should
380 be used.
381 gbp - enables the Group Policy extension (VXLAN-GBP).
384 Allows to transport group policy context across
386 VXLAN network peers. If enabled, includes the mark
387 of a packet in the VXLAN header for outgoing packets
388 and fills the packet mark based on the information
389 found in the VXLAN header for incoming packets.
390 Format of upper 16 bits of packet mark (flags);
392 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
394 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
395 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
396 D := Don't Learn bit. When set, this bit indicates
398 that the egress VTEP MUST NOT learn the source
399 address of the encapsulated frame.
400 A := Indicates that the group policy has already
402 been applied to this packet. Policies MUST NOT be
403 applied by devices when the A bit is set.
404 Format of lower 16 bits of packet mark (policy ID):
406 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
408 | Group Policy ID |
409 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
410 Example:
412 iptables -A OUTPUT [...] -j MARK --set-mark
413 0x800FF
414 gpe - enables the Generic Protocol extension (VXLAN-
418 GPE). Currently, this is only supported together with
419 the external keyword.
420 VETH, VXCAN Type Support
424 For a link of types VETH/VXCAN the following additional argu‐
425 ments are supported:
426 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
428 peer name NAME - specifies the virtual pair device name
431 of the VETH/VXCAN tunnel.
432 IPIP, SIT Type Support
436 For a link of type IPIPorSIT the following additional arguments
437 are supported:
438 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
440 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
441 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
442 mode { ip6ip | ipip | mplsip | any } ] [ external ]
443 remote ADDR - specifies the remote address of the tun‐
446 nel.
447 local ADDR - specifies the fixed local address for tun‐
450 neled packets. It must be an address on another inter‐
451 face on this host.
452 encap { fou | gue | none } - specifies type of secondary
455 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
456 indicates Generic UDP Encapsulation.
457 encap-sport { PORT | auto } - specifies the source port
460 in UDP encapsulation. PORT indicates the port by num‐
461 ber, "auto" indicates that the port number should be
462 chosen automatically (the kernel picks a flow based on
463 the flow hash of the encapsulated packet).
464 [no]encap-csum - specifies if UDP checksums are enabled
467 in the secondary encapsulation.
468 [no]encap-remcsum - specifies if Remote Checksum Offload
471 is enabled. This is only applicable for Generic UDP
472 Encapsulation.
473 mode { ip6ip | ipip | mplsip | any } - specifies mode in
476 which device should run. "ip6ip" indicates IPv6-Over-
477 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
478 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
479 Over IPv4. Supported for SIT where the default is
480 "ip6ip" and IPIP where the default is "ipip".
481 IPv6-Over-IPv4 is not supported for IPIP.
482 external - make this tunnel externally controlled (e.g.
485 ip route encap).
486 GRE Type Support
489 For a link of type GRE or GRETAP the following additional argu‐
490 ments are supported:
491 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
493 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
494 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
495 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
496 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
497 remcsum ] [ external ]
498 remote ADDR - specifies the remote address of the tun‐
501 nel.
502 local ADDR - specifies the fixed local address for tun‐
505 neled packets. It must be an address on another inter‐
506 face on this host.
507 [no][i|o]seq - serialize packets. The oseq flag enables
510 sequencing of outgoing packets. The iseq flag requires
511 that all input packets are serialized.
512 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
515 KEY is either a number or an IPv4 address-like dotted
516 quad. The key parameter specifies the same key to use
517 in both directions. The ikey and okey parameters spec‐
518 ify different keys for input and output.
519 [no][i|o]csum - generate/require checksums for tunneled
522 packets. The ocsum flag calculates checksums for outgo‐
523 ing packets. The icsum flag requires that all input
524 packets have the correct checksum. The csum flag is
525 equivalent to the combination icsum ocsum .
526 ttl TTL - specifies the TTL value to use in outgoing
529 packets.
530 tos TOS - specifies the TOS value to use in outgoing
533 packets.
534 [no]pmtudisc - enables/disables Path MTU Discovery on
537 this tunnel. It is enabled by default. Note that a
538 fixed ttl is incompatible with this option: tunneling
539 with a fixed ttl always makes pmtu discovery.
540 [no]ignore-df - enables/disables IPv4 DF suppression on
543 this tunnel. Normally datagrams that exceed the MTU
544 will be fragmented; the presence of the DF flag inhibits
545 this, resulting instead in an ICMP Unreachable (Fragmen‐
546 tation Required) message. Enabling this attribute
547 causes the DF flag to be ignored.
548 dev PHYS_DEV - specifies the physical device to use for
551 tunnel endpoint communication.
552 encap { fou | gue | none } - specifies type of secondary
555 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
556 indicates Generic UDP Encapsulation.
557 encap-sport { PORT | auto } - specifies the source port
560 in UDP encapsulation. PORT indicates the port by num‐
561 ber, "auto" indicates that the port number should be
562 chosen automatically (the kernel picks a flow based on
563 the flow hash of the encapsulated packet).
564 [no]encap-csum - specifies if UDP checksums are enabled
567 in the secondary encapsulation.
568 [no]encap-remcsum - specifies if Remote Checksum Offload
571 is enabled. This is only applicable for Generic UDP
572 Encapsulation.
573 external - make this tunnel externally controlled (e.g.
576 ip route encap).
577 IP6GRE/IP6GRETAP Type Support
581 For a link of type IP6GRE/IP6GRETAP the following additional
582 arguments are supported:
583 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
585 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
586 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
587 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
588 localremote ] [ dev PHYS_DEV ] [ external ]
589 remote ADDR - specifies the remote IPv6 address of the
592 tunnel.
593 local ADDR - specifies the fixed local IPv6 address for
596 tunneled packets. It must be an address on another
597 interface on this host.
598 [no][i|o]seq - serialize packets. The oseq flag enables
601 sequencing of outgoing packets. The iseq flag requires
602 that all input packets are serialized.
603 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
606 KEY is either a number or an IPv4 address-like dotted
607 quad. The key parameter specifies the same key to use
608 in both directions. The ikey and okey parameters spec‐
609 ify different keys for input and output.
610 [no][i|o]csum - generate/require checksums for tunneled
613 packets. The ocsum flag calculates checksums for outgo‐
614 ing packets. The icsum flag requires that all input
615 packets have the correct checksum. The csum flag is
616 equivalent to the combination icsum ocsum.
617 hoplimit TTL - specifies Hop Limit value to use in out‐
620 going packets.
621 encaplimit ELIM - specifies a fixed encapsulation limit.
624 Default is 4.
625 flowlabel FLOWLABEL - specifies a fixed flowlabel.
628 [no]allow-localremote - specifies whether to allow
631 remote endpoint to have an address configured on local
632 host.
633 tclass TCLASS - specifies the traffic class field on
636 tunneled packets, which can be specified as either a
637 two-digit hex value (e.g. c0) or a predefined string
638 (e.g. internet). The value inherit causes the field to
639 be copied from the original IP header. The values
640 inherit/STRING or inherit/00..ff will set the field to
641 STRING or 00..ff when tunneling non-IP packets. The
642 default value is 00.
643 external - make this tunnel externally controlled (or
646 not, which is the default). In the kernel, this is
647 referred to as collect metadata mode. This flag is
648 mutually exclusive with the remote, local, seq, key,
649 csum, hoplimit, encaplimit, flowlabel and tclass
650 options.
651 IPoIB Type Support
655 For a link of type IPoIB the following additional arguments are
656 supported:
657 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
659 MODE ]
660 pkey PKEY - specifies the IB P-Key to use.
663 mode MODE - specifies the mode (datagram or connected)
665 to use.
666 ERSPAN Type Support
669 For a link of type ERSPAN/IP6ERSPAN the following additional
670 arguments are supported:
671 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
673 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
674 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
675 mote ] [ external ]
676 remote ADDR - specifies the remote address of the tun‐
679 nel.
680 local ADDR - specifies the fixed local address for tun‐
683 neled packets. It must be an address on another inter‐
684 face on this host.
685 erspan_ver version - specifies the ERSPAN version num‐
688 ber. version indicates the ERSPAN version to be cre‐
689 ated: 0 for version 0 type I, 1 for version 1 (type II)
690 or 2 for version 2 (type III).
691 erspan IDX - specifies the ERSPAN v1 index field. IDX
694 indicates a 20 bit index/port number associated with the
695 ERSPAN traffic's source port and direction.
696 erspan_dir { ingress | egress } - specifies the ERSPAN
699 v2 mirrored traffic's direction.
700 erspan_hwid hwid - an unique identifier of an ERSPAN v2
703 engine within a system. hwid is a 6-bit value for users
704 to configure.
705 [no]allow-localremote - specifies whether to allow
708 remote endpoint to have an address configured on local
709 host.
710 external - make this tunnel externally controlled (or
713 not, which is the default). In the kernel, this is
714 referred to as collect metadata mode. This flag is
715 mutually exclusive with the remote, local, erspan_ver,
716 erspan, erspan_dir and erspan_hwid options.
717 GENEVE Type Support
721 For a link of type GENEVE the following additional arguments are
722 supported:
723 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
725 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
726 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
727 [no]udp6zerocsumrx ]
728 id VNI - specifies the Virtual Network Identifer to use.
731 remote IPADDR - specifies the unicast destination IP
734 address to use in outgoing packets.
735 ttl TTL - specifies the TTL value to use in outgoing
738 packets. "0" or "auto" means use whatever default value,
739 "inherit" means inherit the inner protocol's ttl.
740 Default option is "0".
741 tos TOS - specifies the TOS value to use in outgoing
744 packets.
745 df DF - specifies the usage of the Don't Fragment flag
748 (DF) bit in outgoing packets with IPv4 headers. The
749 value inherit causes the bit to be copied from the orig‐
750 inal IP header. The values unset and set cause the bit
751 to be always unset or always set, respectively. By
752 default, the bit is not set.
753 flowlabel FLOWLABEL - specifies the flow label to use in
756 outgoing packets.
757 dstport PORT - select a destination port other than the
760 default of 6081.
761 [no]external - make this tunnel externally controlled
764 (or not, which is the default). This flag is mutually
765 exclusive with the id, remote, ttl, tos and flowlabel
766 options.
767 [no]udpcsum - specifies if UDP checksum is calculated
770 for transmitted packets over IPv4.
771 [no]udp6zerocsumtx - skip UDP checksum calculation for
774 transmitted packets over IPv6.
775 [no]udp6zerocsumrx - allow incoming UDP packets over
778 IPv6 with zero checksum field.
779 Bareudp Type Support
783 For a link of type Bareudp the following additional arguments
784 are supported:
785 ip link add DEVICE type bareudp dstport PORT ethertype ETHERTYPE
787 [ srcportmin SRCPORTMIN ] [ [no]multiproto ]
788 dstport PORT - specifies the destination port for the
791 UDP tunnel.
792 ethertype ETHERTYPE - specifies the ethertype of the L3
795 protocol being tunnelled.
796 srcportmin SRCPORTMIN - selects the lowest value of the
799 UDP tunnel source port range.
800 [no]multiproto - activates support for protocols similar
803 to the one specified by ethertype. When ETHERTYPE is
804 "mpls_uc" (that is, unicast MPLS), this allows the tun‐
805 nel to also handle multicast MPLS. When ETHERTYPE is
806 "ipv4", this allows the tunnel to also handle IPv6. This
807 option is disabled by default.
808 MACVLAN and MACVTAP Type Support
811 For a link of type MACVLAN or MACVTAP the following additional
812 arguments are supported:
813 ip link add link DEVICE name NAME type { macvlan | macvtap }
815 mode { private | vepa | bridge | passthru [ nopromisc ] |
816 source }
817 type { macvlan | macvtap } - specifies the link type to
820 use. macvlan creates just a virtual interface, while
821 macvtap in addition creates a character device /dev/tapX
822 to be used just like a tuntap device.
823 mode private - Do not allow communication between
825 macvlan instances on the same physical interface, even
826 if the external switch supports hairpin mode.
827 mode vepa - Virtual Ethernet Port Aggregator mode. Data
829 from one macvlan instance to the other on the same phys‐
830 ical interface is transmitted over the physical inter‐
831 face. Either the attached switch needs to support hair‐
832 pin mode, or there must be a TCP/IP router forwarding
833 the packets in order to allow communication. This is the
834 default mode.
835 mode bridge - In bridge mode, all endpoints are directly
837 connected to each other, communication is not redirected
838 through the physical interface's peer.
839 mode passthru [ nopromisc ] - This mode gives more power
841 to a single endpoint, usually in macvtap mode. It is not
842 allowed for more than one endpoint on the same physical
843 interface. All traffic will be forwarded to this end‐
844 point, allowing virtio guests to change MAC address or
845 set promiscuous mode in order to bridge the interface or
846 create vlan interfaces on top of it. By default, this
847 mode forces the underlying interface into promiscuous
848 mode. Passing the nopromisc flag prevents this, so the
849 promisc flag may be controlled using standard tools.
850 mode source - allows one to set a list of allowed mac
852 address, which is used to match against source mac
853 address from received frames on underlying interface.
854 This allows creating mac based VLAN associations,
855 instead of standard port or tag based. The feature is
856 useful to deploy 802.1x mac based behavior, where driv‐
857 ers of underlying interfaces doesn't allows that.
858 High-availability Seamless Redundancy (HSR) Support
861 For a link of type HSR the following additional arguments are
862 supported:
863 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
865 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } [
866 proto { 0 | 1 } ]
867 type hsr - specifies the link type to use, here HSR.
870 slave1 SLAVE1-IF - Specifies the physical device used
872 for the first of the two ring ports.
873 slave2 SLAVE2-IF - Specifies the physical device used
875 for the second of the two ring ports.
876 supervision ADDR-BYTE - The last byte of the multicast
878 address used for HSR supervision frames. Default option
879 is "0", possible values 0-255.
880 version { 0 | 1 } - Selects the protocol version of the
882 interface. Default option is "0", which corresponds to
883 the 2010 version of the HSR standard. Option "1" acti‐
884 vates the 2012 version.
885 proto { 0 | 1 } - Selects the protocol at the interface.
887 Default option is "0", which corresponds to the HSR
888 standard. Option "1" activates the Parallel Redundancy
889 Protocol (PRP).
890 BRIDGE Type Support
893 For a link of type BRIDGE the following additional arguments are
894 supported:
895 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
897 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
898 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
899 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
900 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [
901 vlan_default_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
902 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
903 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_router MULTI‐
904 CAST_ROUTER ] [ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
905 [ mcast_querier MULTICAST_QUERIER ] [ mcast_hash_elasticity
906 HASH_ELASTICITY ] [ mcast_hash_max HASH_MAX ] [ mcast_last_mem‐
907 ber_count LAST_MEMBER_COUNT ] [ mcast_startup_query_count
908 STARTUP_QUERY_COUNT ] [ mcast_last_member_interval LAST_MEM‐
909 BER_INTERVAL ] [ mcast_membership_interval MEMBERSHIP_INTERVAL ]
910 [ mcast_querier_interval QUERIER_INTERVAL ] [ mcast_query_inter‐
911 val QUERY_INTERVAL ] [ mcast_query_response_interval
912 QUERY_RESPONSE_INTERVAL ] [ mcast_startup_query_interval
913 STARTUP_QUERY_INTERVAL ] [ mcast_stats_enabled
914 MCAST_STATS_ENABLED ] [ mcast_igmp_version IGMP_VERSION ] [
915 mcast_mld_version MLD_VERSION ] [ nf_call_iptables NF_CALL_IPTA‐
916 BLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ] [ nf_call_arpta‐
917 bles NF_CALL_ARPTABLES ]
918 ageing_time AGEING_TIME - configure the bridge's FDB
921 entries ageing time, ie the number of seconds a MAC
922 address will be kept in the FDB after a packet has been
923 received from that address. after this time has passed,
924 entries are cleaned up.
925 group_fwd_mask MASK - set the group forward mask. This
927 is the bitmask that is applied to decide whether to for‐
928 ward incoming frames destined to link-local addresses,
929 ie addresses of the form 01:80:C2:00:00:0X (defaults to
930 0, ie the bridge does not forward any link-local
931 frames).
932 group_address ADDRESS - set the MAC address of the mul‐
934 ticast group this bridge uses for STP. The address must
935 be a link-local address in standard Ethernet MAC address
936 format, ie an address of the form 01:80:C2:00:00:0X,
937 with X
938 in [0, 4..f].
939 forward_delay FORWARD_DELAY - set the forwarding delay
941 in seconds, ie the time spent in LISTENING state (before
942 moving to LEARNING) and in LEARNING state (before moving
943 to FORWARDING). Only relevant if STP is enabled. Valid
944 values are between 2 and 30.
945 hello_time HELLO_TIME - set the time in seconds between
947 hello packets sent by the bridge, when it is a root
948 bridge or a designated bridges. Only relevant if STP is
949 enabled. Valid values are between 1 and 10.
950 max_age MAX_AGE - set the hello packet timeout, ie the
952 time in seconds until another bridge in the spanning
953 tree is assumed to be dead, after reception of its last
954 hello message. Only relevant if STP is enabled. Valid
955 values are between 6 and 40.
956 stp_state STP_STATE - turn spanning tree protocol on
958 (STP_STATE > 0) or off (STP_STATE == 0). for this
959 bridge.
960 priority PRIORITY - set this bridge's spanning tree pri‐
962 ority, used during STP root bridge election. PRIORITY
963 is a 16bit unsigned integer.
964 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
966 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
967 disabled, the bridge will not consider the VLAN tag when
968 handling packets.
969 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
971 used for VLAN filtering.
972 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
974 PVID (native/untagged VLAN ID) for this bridge.
975 vlan_stats_enabled VLAN_STATS_ENABLED - enable
977 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
978 == 0) per-VLAN stats accounting.
979 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
981 (VLAN_STATS_PER_PORT == 1) or disable
982 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats
983 accounting. Can be changed only when there are no port
984 VLANs configured.
985 mcast_snooping MULTICAST_SNOOPING - turn multicast
987 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
988 CAST_SNOOPING == 0).
989 mcast_router MULTICAST_ROUTER - set bridge's multicast
991 router if IGMP snooping is enabled. MULTICAST_ROUTER is
992 an integer value having the following meaning:
993 0 - disabled.
995 1 - automatic (queried).
997 2 - permanently enabled.
999 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1001 to use the bridge's own IP address as source address for
1002 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1003 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1004 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1006 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1007 IGMP querier, ie sending of multicast queries by the
1008 bridge (default: disabled).
1009 mcast_querier_interval QUERIER_INTERVAL - interval
1011 between queries sent by other routers. if no queries are
1012 seen after this delay has passed, the bridge will start
1013 to send its own queries (as if mcast_querier was
1014 enabled).
1015 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1017 database hash elasticity, ie the maximum chain length in
1018 the multicast hash table (defaults to 4).
1019 mcast_hash_max HASH_MAX - set maximum size of multicast
1021 hash table (defaults to 512, value must be a power of
1022 2).
1023 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1025 cast last member count, ie the number of queries the
1026 bridge will send before stopping forwarding a multicast
1027 group after a "leave" message has been received
1028 (defaults to 2).
1029 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1031 val between queries to find remaining members of a
1032 group, after a "leave" message is received.
1033 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1035 number of IGMP queries to send during startup phase
1036 (defaults to 2).
1037 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1039 interval between queries in the startup phase.
1040 mcast_query_interval QUERY_INTERVAL - interval between
1042 queries sent by the bridge after the end of the startup
1043 phase.
1044 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1046 set the Max Response Time/Maximum Response Delay for
1047 IGMP/MLD queries sent by the bridge.
1048 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1050 after which the bridge will leave a group, if no member‐
1051 ship reports for this group are received.
1052 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1054 (MCAST_STATS_ENABLED > 0) or disable
1055 (MCAST_STATS_ENABLED == 0) multicast (IGMP/MLD) stats
1056 accounting.
1057 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1059 mcast_mld_version MLD_VERSION - set the MLD version.
1061 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1063 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1064 hooks on the bridge.
1065 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1067 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1068 0) ip6tables hooks on the bridge.
1069 nf_call_arptables NF_CALL_ARPTABLES - enable
1071 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1072 0) arptables hooks on the bridge.
1073 MACsec Type Support
1078 For a link of type MACsec the following additional arguments are
1079 supported:
1080 ip link add link DEVICE name NAME type macsec [ [ address
1082 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1083 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1084 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1085 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1086 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1087 ]
1088 address <lladdr> - sets the system identifier component
1091 of secure channel for this MACsec device.
1092 port PORT - sets the port number component of secure
1095 channel for this MACsec device, in a range from 1 to
1096 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1097 are interpreted as octal and hexadecimal, respectively.
1098 sci SCI - sets the secure channel identifier for this
1101 MACsec device. SCI is a 64bit wide number in hexadeci‐
1102 mal format.
1103 cipher CIPHER_SUITE - defines the cipher suite to use.
1106 icvlen LENGTH - sets the length of the Integrity Check
1109 Value (ICV).
1110 encrypt on or encrypt off - switches between authenti‐
1113 cated encryption, or authenticity mode only.
1114 send_sci on or send_sci off - specifies whether the SCI
1117 is included in every packet, or only when it is neces‐
1118 sary.
1119 end_station on or end_station off - sets the End Station
1122 bit.
1123 scb on or scb off - sets the Single Copy Broadcast bit.
1126 protect on or protect off - enables MACsec protection on
1129 the device.
1130 replay on or replay off - enables replay protection on
1133 the device.
1134 window SIZE - sets the size of the replay win‐
1138 dow.
1139 validate strict or validate check or validate disabled -
1143 sets the validation mode on the device.
1144 encodingsa AN - sets the active secure association for
1147 transmission.
1148 VRF Type Support
1152 For a link of type VRF the following additional arguments are
1153 supported:
1154 ip link add DEVICE type vrf table TABLE
1156 table table id associated with VRF device
1159 RMNET Type Support
1163 For a link of type RMNET the following additional arguments are
1164 supported:
1165 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1167 mux_id MUXID - specifies the mux identifier for the
1170 rmnet device, possible values 1-254.
1171 XFRM Type Support
1175 For a link of type XFRM the following additional arguments are
1176 supported:
1177 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1179 dev PHYS_DEV - specifies the underlying physical inter‐
1182 face from which transform traffic is sent and received.
1183 if_id IF-ID - specifies the hexadecimal lookup key used
1186 to send traffic to and from specific xfrm policies.
1187 Policies must be configured with the same key. If not
1188 set, the key defaults to 0 and will match any policies
1189 which similarly do not have a lookup key configuration.
1190 ip link delete - delete virtual link
1194 dev DEVICE
1195 specifies the virtual device to act operate on.
1196 group GROUP
1199 specifies the group of virtual links to delete. Group 0 is not
1200 allowed to be deleted since it is the default group.
1201 type TYPE
1204 specifies the type of the device.
1205 ip link set - change device attributes
1208 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1209 ately after any of the changes have failed. This is the only case when
1210 ip can move the system to an unpredictable state. The solution is to
1211 avoid changing several parameters with one ip link set call. The modi‐
1212 fier change is equivalent to set.
1213 dev DEVICE
1217 DEVICE specifies network device to operate on. When configuring
1218 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1219 ify the associated Physical Function (PF) device.
1220 group GROUP
1223 GROUP has a dual role: If both group and dev are present, then
1224 move the device to the specified group. If only a group is spec‐
1225 ified, then the command operates on all devices in that group.
1226 up and down
1229 change the state of the device to UP or DOWN.
1230 arp on or arp off
1233 change the NOARP flag on the device.
1234 multicast on or multicast off
1237 change the MULTICAST flag on the device.
1238 allmulticast on or allmulticast off
1241 change the ALLMULTI flag on the device. When enabled, instructs
1242 network driver to retrieve all multicast packets from the net‐
1243 work to the kernel for further processing.
1244 promisc on or promisc off
1247 change the PROMISC flag on the device. When enabled, activates
1248 promiscuous operation of the network device.
1249 trailers on or trailers off
1252 change the NOTRAILERS flag on the device, NOT used by the Linux
1253 and exists for BSD compatibility.
1254 protodown on or protodown off
1257 change the PROTODOWN state on the device. Indicates that a pro‐
1258 tocol error has been detected on the port. Switch drivers can
1259 react to this error by doing a phys down on the switch port.
1260 dynamic on or dynamic off
1263 change the DYNAMIC flag on the device. Indicates that address
1264 can change when interface goes down (currently NOT used by the
1265 Linux).
1266 name NAME
1269 change the name of the device. This operation is not recommended
1270 if the device is running or has some addresses already config‐
1271 ured.
1272 txqueuelen NUMBER
1275 txqlen NUMBER
1277 change the transmit queue length of the device.
1278 mtu NUMBER
1281 change the MTU of the device.
1282 address LLADDRESS
1285 change the station address of the interface.
1286 broadcast LLADDRESS
1289 brd LLADDRESS
1291 peer LLADDRESS
1293 change the link layer broadcast address or the peer address when
1294 the interface is POINTOPOINT.
1295 netns NETNSNAME | PID
1298 move the device to the network namespace associated with name
1299 NETNSNAME or process PID.
1300 Some devices are not allowed to change network namespace: loop‐
1302 back, bridge, wireless. These are network namespace local
1303 devices. In such case ip tool will return "Invalid argument"
1304 error. It is possible to find out if device is local to a single
1305 network namespace by checking netns-local flag in the output of
1306 the ethtool:
1307 ethtool -k DEVICE
1309 To change network namespace for wireless devices the iw tool can
1311 be used. But it allows to change network namespace only for
1312 physical devices and by process PID.
1313 alias NAME
1316 give the device a symbolic name for easy reference.
1317 group GROUP
1320 specify the group the device belongs to. The available groups
1321 are listed in file /etc/iproute2/group.
1322 vf NUM specify a Virtual Function device to be configured. The associ‐
1325 ated PF device must be specified using the dev parameter.
1326 mac LLADDRESS - change the station address for the spec‐
1328 ified VF. The vf parameter must be specified.
1329 vlan VLANID - change the assigned VLAN for the specified
1332 VF. When specified, all traffic sent from the VF will be
1333 tagged with the specified VLAN ID. Incoming traffic will
1334 be filtered for the specified VLAN ID, and will have all
1335 VLAN tags stripped before being passed to the VF. Set‐
1336 ting this parameter to 0 disables VLAN tagging and fil‐
1337 tering. The vf parameter must be specified.
1338 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1341 VLAN tag. When specified, all VLAN tags transmitted by
1342 the VF will include the specified priority bits in the
1343 VLAN tag. If not specified, the value is assumed to be
1344 0. Both the vf and vlan parameters must be specified.
1345 Setting both vlan and qos as 0 disables VLAN tagging and
1346 filtering for the VF.
1347 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1350 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1351 traffic sent from the VF will be tagged with VLAN S-Tag.
1352 Incoming traffic will have VLAN S-Tags stripped before
1353 being passed to the VF. Setting to 802.1ad also enables
1354 an option to concatenate another VLAN tag, so both S-TAG
1355 and C-TAG will be inserted/stripped for outgoing/incom‐
1356 ing traffic, respectively. If not specified, the value
1357 is assumed to be 802.1Q. Both the vf and vlan parameters
1358 must be specified.
1359 rate TXRATE -- change the allowed transmit bandwidth, in
1362 Mbps, for the specified VF. Setting this parameter to 0
1363 disables rate limiting. vf parameter must be specified.
1364 Please use new API max_tx_rate option instead.
1365 max_tx_rate TXRATE - change the allowed maximum transmit
1368 bandwidth, in Mbps, for the specified VF. Setting this
1369 parameter to 0 disables rate limiting. vf parameter
1370 must be specified.
1371 min_tx_rate TXRATE - change the allowed minimum transmit
1374 bandwidth, in Mbps, for the specified VF. Minimum
1375 TXRATE should be always <= Maximum TXRATE. Setting this
1376 parameter to 0 disables rate limiting. vf parameter
1377 must be specified.
1378 spoofchk on|off - turn packet spoof checking on or off
1381 for the specified VF.
1382 query_rss on|off - toggle the ability of querying the
1384 RSS configuration of a specific
1385 VF. VF RSS information like RSS hash key may be con‐
1386 sidered sensitive
1387 on some devices where this information is shared
1388 between VF and PF
1389 and thus its querying may be prohibited by default.
1390 state auto|enable|disable - set the virtual link state
1392 as seen by the specified VF. Setting to auto means a
1393 reflection of the PF link state, enable lets the VF to
1394 communicate with other VFs on this host even if the PF
1395 link state is down, disable causes the HW to drop any
1396 packets sent by the VF.
1397 trust on|off - trust the specified VF user. This enables
1399 that VF user can set a specific feature which may impact
1400 security and/or performance. (e.g. VF multicast promis‐
1401 cuous mode)
1402 node_guid eui64 - configure node GUID for Infiniband
1404 VFs.
1405 port_guid eui64 - configure port GUID for Infiniband
1407 VFs.
1408 xdp object | pinned | off
1411 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1412 every packet at driver level. ip link output will indicate a
1413 xdp flag for the networking device. If the driver does not have
1414 native XDP support, the kernel will fall back to a slower,
1415 driver-independent "generic" XDP variant. The ip link output
1416 will in that case indicate xdpgeneric instead of xdp only. If
1417 the driver does have native XDP support, but the program is
1418 loaded under xdpgeneric object | pinned then the kernel will use
1419 the generic XDP variant instead of the native one. xdpdrv has
1420 the opposite effect of requestsing that the automatic fallback
1421 to the generic XDP variant be disabled and in case driver is not
1422 XDP-capable error should be returned. xdpdrv also disables
1423 hardware offloads. xdpoffload in ip link output indicates that
1424 the program has been offloaded to hardware and can also be used
1425 to request the "offload" mode, much like xdpgeneric it forces
1426 program to be installed specifically in HW/FW of the apater.
1427 off (or none ) - Detaches any currently attached XDP/BPF program
1429 from the given device.
1430 object FILE - Attaches a XDP/BPF program to the given device.
1432 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1433 contains the BPF program code, map specifications, etc. If a
1434 XDP/BPF program is already attached to the given device, an
1435 error will be thrown. If no XDP/BPF program is currently
1436 attached, the device supports XDP and the program from the BPF
1437 ELF file passes the kernel verifier, then it will be attached to
1438 the device. If the option -force is passed to ip then any prior
1439 attached XDP/BPF program will be atomically overridden and no
1440 error will be thrown in this case. If no section option is
1441 passed, then the default section name ("prog") will be assumed,
1442 otherwise the provided section name will be used. If no verbose
1443 option is passed, then a verifier log will only be dumped on
1444 load error. See also EXAMPLES section for usage examples.
1445 section NAME - Specifies a section name that contains the BPF
1447 program code. If no section name is specified, the default one
1448 ("prog") will be used. This option is to be passed with the
1449 object option.
1450 verbose - Act in verbose mode. For example, even in case of suc‐
1452 cess, this will print the verifier log in case a program was
1453 loaded from a BPF ELF file.
1454 pinned FILE - Attaches a XDP/BPF program to the given device.
1456 The FILE points to an already pinned BPF program in the BPF file
1457 system. The option section doesn't apply here, but otherwise
1458 semantics are the same as with the option object described
1459 already.
1460 master DEVICE
1463 set master device of the device (enslave device).
1464 nomaster
1467 unset master device of the device (release device).
1468 addrgenmode eui64|none|stable_secret|random
1471 set the IPv6 address generation mode
1472 eui64 - use a Modified EUI-64 format interface identifier
1474 none - disable automatic address generation
1476 stable_secret - generate the interface identifier based on a
1478 preset
1479 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1480 random - like stable_secret, but auto-generate a new random
1482 secret if none is set
1483 link-netnsid
1486 set peer netnsid for a cross-netns interface
1487 type ETYPE TYPE_ARGS
1490 Change type-specific settings. For a list of supported types and
1491 arguments refer to the description of ip link add above. In
1492 addition to that, it is possible to manipulate settings to slave
1493 devices:
1494 Bridge Slave Support
1497 For a link with master bridge the following additional arguments
1498 are supported:
1499 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1501 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1502 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1503 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1504 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1505 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1506 mcast_flood { on | off } ] [ mcast_to_unicast { on | off } ] [
1507 group_fwd_mask MASK ] [ neigh_suppress { on | off } ] [
1508 vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1509 backup_port DEVICE ] [ nobackup_port ]
1510 fdb_flush - flush bridge slave's fdb dynamic entries.
1513 state STATE - Set port state. STATE is a number repre‐
1515 senting the following states: 0 (disabled), 1 (listen‐
1516 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1517 priority PRIO - set port priority (allowed values are
1519 between 0 and 63, inclusively).
1520 cost COST - set port cost (allowed values are between 1
1522 and 65535, inclusively).
1523 guard { on | off } - block incoming BPDU packets on this
1525 port.
1526 hairpin { on | off } - enable hairpin mode on this port.
1528 This will allow incoming packets on this port to be
1529 reflected back.
1530 fastleave { on | off } - enable multicast fast leave on
1532 this port.
1533 root_block { on | off } - block this port from becoming
1535 the bridge's root port.
1536 learning { on | off } - allow MAC address learning on
1538 this port.
1539 flood { on | off } - open the flood gates on this port,
1541 i.e. forward all unicast frames to this port also.
1542 Requires proxy_arp and proxy_arp_wifi to be turned off.
1543 proxy_arp { on | off } - enable proxy ARP on this port.
1545 proxy_arp_wifi { on | off } - enable proxy ARP on this
1547 port which meets extended requirements by IEEE 802.11
1548 and Hotspot 2.0 specifications.
1549 mcast_router MULTICAST_ROUTER - configure this port for
1551 having multicast routers attached. A port with a multi‐
1552 cast router will receive all multicast traffic. MULTI‐
1553 CAST_ROUTER may be either 0 to disable multicast routers
1554 on this port, 1 to let the system detect the presence of
1555 of routers (this is the default), 2 to permanently
1556 enable multicast traffic forwarding on this port or 3 to
1557 enable multicast routers temporarily on this port, not
1558 depending on incoming queries.
1559 mcast_fast_leave { on | off } - this is a synonym to the
1561 fastleave option above.
1562 mcast_flood { on | off } - controls whether a given port
1564 will flood multicast traffic for which
1565 there is no MDB entry.
1566 mcast_to_unicast { on | off } - controls whether a given
1568 port will replicate packets using unicast
1569 instead of multicast. By default this flag is off.
1570 group_fwd_mask MASK - set the group forward mask. This
1572 is the bitmask that is applied to decide whether to for‐
1573 ward incoming frames destined to link-local addresses,
1574 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1575 0, ie the bridge does not forward any link-local frames
1576 coming on this port).
1577 neigh_suppress { on | off } - controls whether neigh
1579 discovery (arp and nd) proxy and suppression is enabled
1580 on the port. By default this flag is off.
1581 vlan_tunnel { on | off } - controls whether vlan to tun‐
1583 nel mapping is enabled on the port. By default this flag
1584 is off.
1585 backup_port DEVICE - if the port loses carrier all traf‐
1587 fic will be redirected to the configured backup port
1588 nobackup_port - removes the currently configured backup
1590 port
1591 Bonding Slave Support
1595 For a link with master bond the following additional arguments
1596 are supported:
1597 ip link set type bond_slave [ queue_id ID ]
1599 queue_id ID - set the slave's queue ID (a 16bit unsigned
1602 value).
1603 MACVLAN and MACVTAP Support
1607 Modify list of allowed macaddr for link in source mode.
1608 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1610 ... ]
1611 Commands:
1613 add - add MACADDR to allowed list
1614 set - replace allowed list
1616 del - remove MACADDR from allowed list
1618 flush - flush whole allowed list
1620 ip link show - display device attributes
1625 dev NAME (default)
1626 NAME specifies the network device to show.
1627 group GROUP
1630 GROUP specifies what group of devices to show.
1631 up only display running interfaces.
1634 master DEVICE
1637 DEVICE specifies the master device which enslaves devices to
1638 show.
1639 vrf NAME
1642 NAME speficies the VRF which enslaves devices to show.
1643 type TYPE
1646 TYPE specifies the type of devices to show.
1647 Note that the type name is not checked against the list of sup‐
1649 ported types - instead it is sent as-is to the kernel. Later it
1650 is used to filter the returned interface list by comparing it
1651 with the relevant attribute in case the kernel didn't filter
1652 already. Therefore any string is accepted, but may lead to empty
1653 output.
1654 ip link xstats - display extended statistics
1657 type TYPE
1658 TYPE specifies the type of devices to display extended statis‐
1659 tics for.
1660 ip link afstats - display address-family specific statistics
1663 dev DEVICE
1664 DEVICE specifies the device to display address-family statistics
1665 for.
1666 ip link help - display help
1669 TYPE specifies which help of link type to dislpay.
1670 GROUP
1673 may be a number or a string from the file /etc/iproute2/group which can
1674 be manually filled.
1675
1678 ip link show
1679 Shows the state of all network interfaces on the system.
1680 ip link show type bridge
1682 Shows the bridge devices.
1683 ip link show type vlan
1685 Shows the vlan devices.
1686 ip link show master br0
1688 Shows devices enslaved by br0
1689 ip link set dev ppp0 mtu 1400
1691 Change the MTU the ppp0 device.
1692 ip link add link eth0 name eth0.10 type vlan id 10
1694 Creates a new vlan device eth0.10 on device eth0.
1695 ip link delete dev eth0.10
1697 Removes vlan device.
1698 ip link help gre
1700 Display help for the gre link type.
1701 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1703 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1704 remcsum
1705 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1706 tion, and the outer UDP checksum and remote checksum offload are
1707 enabled.
1708 ip link set dev eth0 xdp obj prog.o
1710 Attaches a XDP/BPF program to device eth0, where the program is
1711 located in prog.o, section "prog" (default section). In case a
1712 XDP/BPF program is already attached, throw an error.
1713 ip -force link set dev eth0 xdp obj prog.o sec foo
1715 Attaches a XDP/BPF program to device eth0, where the program is
1716 located in prog.o, section "foo". In case a XDP/BPF program is
1717 already attached, it will be overridden by the new one.
1718 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1720 Attaches a XDP/BPF program to device eth0, where the program was
1721 previously pinned as an object node into BPF file system under name
1722 foo.
1723 ip link set dev eth0 xdp off
1725 If a XDP/BPF program is attached on device eth0, detach it and
1726 effectively turn off XDP for device eth0.
1727 ip link add link wpan0 lowpan0 type lowpan
1729 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1730 802.15.4 device wpan0.
1731 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1733 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1734 erspan_hwid 17
1735 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1736
1739 ip(8), ip-netns(8), ethtool(8), iptables(8)
1740
1743 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1744iproute2 13 Dec 2012 IP-LINK(8)