1IP-LINK(8) Linux IP-LINK(8)
2
6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 [ gro_max_size BYTES ]
19 type TYPE [ ARGS ]
20 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
22 ip link set { DEVICE | group GROUP }
24 [ { up | down } ]
25 [ type ETYPE TYPE_ARGS ]
26 [ arp { on | off } ]
27 [ dynamic { on | off } ]
28 [ multicast { on | off } ]
29 [ allmulticast { on | off } ]
30 [ promisc { on | off } ]
31 [ protodown { on | off } ]
32 [ protodown_reason PREASON { on | off } ]
33 [ trailers { on | off } ]
34 [ txqueuelen PACKETS ]
35 [ max_gso_size BYTES ] [ max_gso_segs SEGMENTS ] [ max_gro_size
36 BYTES ]
37 [ name NEWNAME ]
38 [ address LLADDR ]
39 [ broadcast LLADDR ]
40 [ mtu MTU ]
41 [ netns { PID | NETNSNAME } ]
42 [ link-netnsid ID ]
43 [ alias NAME ]
44 [ vf NUM [ mac LLADDR ]
45 [ VFVLAN-LIST ]
46 [ rate TXRATE ]
47 [ max_tx_rate TXRATE ]
48 [ min_tx_rate TXRATE ]
49 [ spoofchk { on | off } ]
50 [ query_rss { on | off } ]
51 [ state { auto | enable | disable } ]
52 [ trust { on | off } ]
53 [ node_guid eui64 ]
54 [ port_guid eui64 ] ]
55 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
56 object FILE [ section NAME ] [ verbose ] |
57 pinned FILE } ]
58 [ master DEVICE ]
59 [ nomaster ]
60 [ vrf NAME ]
61 [ addrgenmode { eui64 | none | stable_secret | random } ]
62 [ macaddr [ MACADDR ]
63 [ { flush | add | del } MACADDR ]
64 [ set MACADDR ] ]
65 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
67 ] [ type ETYPE ] [ vrf NAME ] [ nomaster ]
68 ip link xstats type TYPE [ ARGS ]
70 ip link afstats [ dev DEVICE ]
72 ip link help [ TYPE ]
74 TYPE := [ amt | bridge | bond | can | dummy | hsr | ifb |
76 ipoib | macvlan | macvtap | vcan | vxcan | veth |
77 vlan | vxlan | ip6tnl | ipip | sit | gre | gretap |
78 erspan | ip6gre | ip6gretap | ip6erspan | vti | nlmon
79 | ipvlan | ipvtap | lowpan | geneve | bareudp | vrf |
80 macsec | netdevsim | rmnet | xfrm | gtp ]
81 ETYPE := [ TYPE | bridge_slave | bond_slave ]
83 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
85 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
87 ]
88 ip link property add dev DEVICE [ altname NAME .. ]
90 ip link property del dev DEVICE [ altname NAME .. ]
92
95 ip link add - add virtual link
96 link DEVICE
97 specifies the physical device to act operate on.
98 NAME specifies the name of the new virtual device.
100 TYPE specifies the type of the new device.
102 Link types:
104 bridge - Ethernet Bridge device
106 bond - Bonding device
108 dummy - Dummy network interface
110 hsr - High-availability Seamless Redundancy device
112 ifb - Intermediate Functional Block device
114 ipoib - IP over Infiniband device
116 macvlan - Virtual interface base on link layer address
118 (MAC)
119 macvtap - Virtual interface based on link layer address
121 (MAC) and TAP.
122 vcan - Virtual Controller Area Network interface
124 vxcan - Virtual Controller Area Network tunnel interface
126 veth - Virtual ethernet interface
128 vlan - 802.1q tagged virtual LAN interface
130 vxlan - Virtual eXtended LAN
132 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
134 ipip - Virtual tunnel interface IPv4 over IPv4
136 sit - Virtual tunnel interface IPv6 over IPv4
138 gre - Virtual tunnel interface GRE over IPv4
140 gretap - Virtual L2 tunnel interface GRE over IPv4
142 erspan - Encapsulated Remote SPAN over GRE and IPv4
144 ip6gre - Virtual tunnel interface GRE over IPv6
146 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
148 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
150 vti - Virtual tunnel interface
152 nlmon - Netlink monitoring device
154 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
156 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
158 TAP
159 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
161 / Bluetooth
162 geneve - GEneric NEtwork Virtualization Encapsulation
164 bareudp - Bare UDP L3 encapsulation support
166 amt - Automatic Multicast Tunneling (AMT)
168 macsec - Interface for IEEE 802.1AE MAC Security (MAC‐
170 sec)
171 vrf - Interface for L3 VRF domains
173 netdevsim - Interface for netdev API tests
175 rmnet - Qualcomm rmnet device
177 xfrm - Virtual xfrm interface
179 gtp - GPRS Tunneling Protocol
181 numtxqueues QUEUE_COUNT
184 specifies the number of transmit queues for new device.
185 numrxqueues QUEUE_COUNT
188 specifies the number of receive queues for new device.
189 gso_max_size BYTES
192 specifies the recommended maximum size of a Generic Segment Off‐
193 load packet the new device should accept.
194 gso_max_segs SEGMENTS
197 specifies the recommended maximum number of a Generic Segment
198 Offload segments the new device should accept.
199 gro_max_size BYTES
202 specifies the maximum size of a packet built by GRO stack on
203 this device.
204 index IDX
207 specifies the desired index of the new virtual device. The link
208 creation fails, if the index is busy.
209 VLAN Type Support
212 For a link of type VLAN the following additional arguments are
213 supported:
214 ip link add link DEVICE name NAME type vlan [ protocol
216 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
217 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
218 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
219 egress-qos-map QOS-MAP ]
220 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
223 id VLANID - specifies the VLAN Identifier to use. Note
225 that numbers with a leading " 0 " or " 0x " are inter‐
226 preted as octal or hexadecimal, respectively.
227 reorder_hdr { on | off } - specifies whether ethernet
229 headers are reordered or not (default is on).
230 If reorder_hdr is on then VLAN header will be not
232 inserted immediately but only before passing to the
233 physical device (if this device does not support
234 VLAN offloading), the similar on the RX direction -
235 by default the packet will be untagged before being
236 received by VLAN device. Reordering allows one to
237 accelerate tagging on egress and to hide VLAN header
238 on ingress so the packet looks like regular Ethernet
239 packet, at the same time it might be confusing for
240 packet capture as the VLAN header does not exist
241 within the packet.
242 VLAN offloading can be checked by ethtool(8):
244 ethtool -k <phy_dev> | grep tx-vlan-offload
246 where <phy_dev> is the physical device to which VLAN
248 device is bound.
249 gvrp { on | off } - specifies whether this VLAN should
251 be registered using GARP VLAN Registration Protocol.
252 mvrp { on | off } - specifies whether this VLAN should
254 be registered using Multiple VLAN Registration Protocol.
255 loose_binding { on | off } - specifies whether the VLAN
257 device state is bound to the physical device state.
258 bridge_binding { on | off } - specifies whether the VLAN
260 device link state tracks the state of bridge ports that
261 are members of the VLAN.
262 ingress-qos-map QOS-MAP - defines a mapping of VLAN
264 header prio field to the Linux internal packet priority
265 on incoming frames. The format is FROM:TO with multiple
266 mappings separated by spaces.
267 egress-qos-map QOS-MAP - defines a mapping of Linux in‐
269 ternal packet priority to VLAN header prio field but for
270 outgoing frames. The format is the same as for ingress-
271 qos-map.
272 Linux packet priority can be set by iptables(8):
274 iptables -t mangle -A POSTROUTING [...] -j CLAS‐
276 SIFY --set-class 0:4
277 and this "4" priority can be used in the egress qos
279 mapping to set VLAN prio "5":
280 ip link set veth0.10 type vlan egress 4:5
282 VXLAN Type Support
285 For a link of type VXLAN the following additional arguments are
286 supported:
287 ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
289 | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
290 TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [ src‐
291 port MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
292 [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx
293 ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER
294 ] [ [no]external ] [ gbp ] [ gpe ]
295 id VNI - specifies the VXLAN Network Identifier (or
298 VXLAN Segment Identifier) to use.
299 dev PHYS_DEV - specifies the physical device to use for
301 tunnel endpoint communication.
302 group IPADDR - specifies the multicast IP address to
305 join. This parameter cannot be specified with the re‐
306 mote parameter.
307 remote IPADDR - specifies the unicast destination IP ad‐
310 dress to use in outgoing packets when the destination
311 link layer address is not known in the VXLAN device for‐
312 warding database. This parameter cannot be specified
313 with the group parameter.
314 local IPADDR - specifies the source IP address to use in
317 outgoing packets.
318 ttl TTL - specifies the TTL value to use in outgoing
321 packets.
322 tos TOS - specifies the TOS value to use in outgoing
325 packets.
326 df DF - specifies the usage of the Don't Fragment flag
329 (DF) bit in outgoing packets with IPv4 headers. The
330 value inherit causes the bit to be copied from the orig‐
331 inal IP header. The values unset and set cause the bit
332 to be always unset or always set, respectively. By de‐
333 fault, the bit is not set.
334 flowlabel FLOWLABEL - specifies the flow label to use in
337 outgoing packets.
338 dstport PORT - specifies the UDP destination port to
341 communicate to the remote
342 VXLAN tunnel endpoint.
343 srcport MIN MAX - specifies the range of port numbers to
346 use as UDP source ports to communicate to the remote
347 VXLAN tunnel endpoint.
348 [no]learning - specifies if unknown source link layer
351 addresses and IP addresses are entered into the VXLAN
352 device forwarding database.
353 [no]rsc - specifies if route short circuit is turned on.
356 [no]proxy - specifies ARP proxy is turned on.
359 [no]l2miss - specifies if netlink LLADDR miss notifica‐
362 tions are generated.
363 [no]l3miss - specifies if netlink IP ADDR miss notifica‐
366 tions are generated.
367 [no]udpcsum - specifies if UDP checksum is calculated
370 for transmitted packets over IPv4.
371 [no]udp6zerocsumtx - skip UDP checksum calculation for
374 transmitted packets over IPv6.
375 [no]udp6zerocsumrx - allow incoming UDP packets over
378 IPv6 with zero checksum field.
379 ageing SECONDS - specifies the lifetime in seconds of
382 FDB entries learnt by the kernel.
383 maxaddress NUMBER - specifies the maximum number of FDB
386 entries.
387 [no]external - specifies whether an external control
390 plane (e.g. ip route encap) or the internal FDB should
391 be used.
392 gbp - enables the Group Policy extension (VXLAN-GBP).
395 Allows one to transport group policy context across
397 VXLAN network peers. If enabled, includes the mark
398 of a packet in the VXLAN header for outgoing packets
399 and fills the packet mark based on the information
400 found in the VXLAN header for incoming packets.
401 Format of upper 16 bits of packet mark (flags);
403 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
405 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
406 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
407 D := Don't Learn bit. When set, this bit indicates
409 that the egress VTEP MUST NOT learn the source ad‐
410 dress of the encapsulated frame.
411 A := Indicates that the group policy has already
413 been applied to this packet. Policies MUST NOT be
414 applied by devices when the A bit is set.
415 Format of lower 16 bits of packet mark (policy ID):
417 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
419 | Group Policy ID |
420 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
421 Example:
423 iptables -A OUTPUT [...] -j MARK --set-mark
424 0x800FF
425 gpe - enables the Generic Protocol extension (VXLAN-
429 GPE). Currently, this is only supported together with
430 the external keyword.
431 VETH, VXCAN Type Support
435 For a link of types VETH/VXCAN the following additional argu‐
436 ments are supported:
437 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
439 peer name NAME - specifies the virtual pair device name
442 of the VETH/VXCAN tunnel.
443 IPIP, SIT Type Support
447 For a link of type IPIPorSIT the following additional arguments
448 are supported:
449 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
451 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
452 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
453 mode { ip6ip | ipip | mplsip | any } ] [ external ]
454 remote ADDR - specifies the remote address of the tun‐
457 nel.
458 local ADDR - specifies the fixed local address for tun‐
461 neled packets. It must be an address on another inter‐
462 face on this host.
463 encap { fou | gue | none } - specifies type of secondary
466 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
467 indicates Generic UDP Encapsulation.
468 encap-sport { PORT | auto } - specifies the source port
471 in UDP encapsulation. PORT indicates the port by num‐
472 ber, "auto" indicates that the port number should be
473 chosen automatically (the kernel picks a flow based on
474 the flow hash of the encapsulated packet).
475 [no]encap-csum - specifies if UDP checksums are enabled
478 in the secondary encapsulation.
479 [no]encap-remcsum - specifies if Remote Checksum Offload
482 is enabled. This is only applicable for Generic UDP En‐
483 capsulation.
484 mode { ip6ip | ipip | mplsip | any } - specifies mode in
487 which device should run. "ip6ip" indicates IPv6-Over-
488 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
489 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
490 Over IPv4. Supported for SIT where the default is
491 "ip6ip" and IPIP where the default is "ipip".
492 IPv6-Over-IPv4 is not supported for IPIP.
493 external - make this tunnel externally controlled (e.g.
496 ip route encap).
497 GRE Type Support
500 For a link of type GRE or GRETAP the following additional argu‐
501 ments are supported:
502 ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
504 [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
505 [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
506 PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
507 auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-
508 remcsum ] [ external ]
509 remote ADDR - specifies the remote address of the tun‐
512 nel.
513 local ADDR - specifies the fixed local address for tun‐
516 neled packets. It must be an address on another inter‐
517 face on this host.
518 [no][i|o]seq - serialize packets. The oseq flag enables
521 sequencing of outgoing packets. The iseq flag requires
522 that all input packets are serialized.
523 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
526 KEY is either a number or an IPv4 address-like dotted
527 quad. The key parameter specifies the same key to use
528 in both directions. The ikey and okey parameters spec‐
529 ify different keys for input and output.
530 [no][i|o]csum - generate/require checksums for tunneled
533 packets. The ocsum flag calculates checksums for outgo‐
534 ing packets. The icsum flag requires that all input
535 packets have the correct checksum. The csum flag is
536 equivalent to the combination icsum ocsum .
537 ttl TTL - specifies the TTL value to use in outgoing
540 packets.
541 tos TOS - specifies the TOS value to use in outgoing
544 packets.
545 [no]pmtudisc - enables/disables Path MTU Discovery on
548 this tunnel. It is enabled by default. Note that a
549 fixed ttl is incompatible with this option: tunneling
550 with a fixed ttl always makes pmtu discovery.
551 [no]ignore-df - enables/disables IPv4 DF suppression on
554 this tunnel. Normally datagrams that exceed the MTU
555 will be fragmented; the presence of the DF flag inhibits
556 this, resulting instead in an ICMP Unreachable (Fragmen‐
557 tation Required) message. Enabling this attribute
558 causes the DF flag to be ignored.
559 dev PHYS_DEV - specifies the physical device to use for
562 tunnel endpoint communication.
563 encap { fou | gue | none } - specifies type of secondary
566 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
567 indicates Generic UDP Encapsulation.
568 encap-sport { PORT | auto } - specifies the source port
571 in UDP encapsulation. PORT indicates the port by num‐
572 ber, "auto" indicates that the port number should be
573 chosen automatically (the kernel picks a flow based on
574 the flow hash of the encapsulated packet).
575 [no]encap-csum - specifies if UDP checksums are enabled
578 in the secondary encapsulation.
579 [no]encap-remcsum - specifies if Remote Checksum Offload
582 is enabled. This is only applicable for Generic UDP En‐
583 capsulation.
584 external - make this tunnel externally controlled (e.g.
587 ip route encap).
588 IP6GRE/IP6GRETAP Type Support
592 For a link of type IP6GRE/IP6GRETAP the following additional ar‐
593 guments are supported:
594 ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
596 ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
597 [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
598 TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-
599 localremote ] [ dev PHYS_DEV ] [ external ]
600 remote ADDR - specifies the remote IPv6 address of the
603 tunnel.
604 local ADDR - specifies the fixed local IPv6 address for
607 tunneled packets. It must be an address on another in‐
608 terface on this host.
609 [no][i|o]seq - serialize packets. The oseq flag enables
612 sequencing of outgoing packets. The iseq flag requires
613 that all input packets are serialized.
614 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
617 KEY is either a number or an IPv4 address-like dotted
618 quad. The key parameter specifies the same key to use
619 in both directions. The ikey and okey parameters spec‐
620 ify different keys for input and output.
621 [no][i|o]csum - generate/require checksums for tunneled
624 packets. The ocsum flag calculates checksums for outgo‐
625 ing packets. The icsum flag requires that all input
626 packets have the correct checksum. The csum flag is
627 equivalent to the combination icsum ocsum.
628 hoplimit TTL - specifies Hop Limit value to use in out‐
631 going packets.
632 encaplimit ELIM - specifies a fixed encapsulation limit.
635 Default is 4.
636 flowlabel FLOWLABEL - specifies a fixed flowlabel.
639 [no]allow-localremote - specifies whether to allow re‐
642 mote endpoint to have an address configured on local
643 host.
644 tclass TCLASS - specifies the traffic class field on
647 tunneled packets, which can be specified as either a
648 two-digit hex value (e.g. c0) or a predefined string
649 (e.g. internet). The value inherit causes the field to
650 be copied from the original IP header. The values in‐
651 herit/STRING or inherit/00..ff will set the field to
652 STRING or 00..ff when tunneling non-IP packets. The de‐
653 fault value is 00.
654 external - make this tunnel externally controlled (or
657 not, which is the default). In the kernel, this is re‐
658 ferred to as collect metadata mode. This flag is mutu‐
659 ally exclusive with the remote, local, seq, key, csum,
660 hoplimit, encaplimit, flowlabel and tclass options.
661 IPoIB Type Support
665 For a link of type IPoIB the following additional arguments are
666 supported:
667 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
669 MODE ]
670 pkey PKEY - specifies the IB P-Key to use.
673 mode MODE - specifies the mode (datagram or connected)
675 to use.
676 ERSPAN Type Support
679 For a link of type ERSPAN/IP6ERSPAN the following additional ar‐
680 guments are supported:
681 ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
683 ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
684 { ingress | egress } ] [ erspan_hwid hwid ] [ [no]allow-localre‐
685 mote ] [ external ]
686 remote ADDR - specifies the remote address of the tun‐
689 nel.
690 local ADDR - specifies the fixed local address for tun‐
693 neled packets. It must be an address on another inter‐
694 face on this host.
695 erspan_ver version - specifies the ERSPAN version num‐
698 ber. version indicates the ERSPAN version to be cre‐
699 ated: 0 for version 0 type I, 1 for version 1 (type II)
700 or 2 for version 2 (type III).
701 erspan IDX - specifies the ERSPAN v1 index field. IDX
704 indicates a 20 bit index/port number associated with the
705 ERSPAN traffic's source port and direction.
706 erspan_dir { ingress | egress } - specifies the ERSPAN
709 v2 mirrored traffic's direction.
710 erspan_hwid hwid - an unique identifier of an ERSPAN v2
713 engine within a system. hwid is a 6-bit value for users
714 to configure.
715 [no]allow-localremote - specifies whether to allow re‐
718 mote endpoint to have an address configured on local
719 host.
720 external - make this tunnel externally controlled (or
723 not, which is the default). In the kernel, this is re‐
724 ferred to as collect metadata mode. This flag is mutu‐
725 ally exclusive with the remote, local, erspan_ver,
726 erspan, erspan_dir and erspan_hwid options.
727 GENEVE Type Support
731 For a link of type GENEVE the following additional arguments are
732 supported:
733 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
735 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
736 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
737 [no]udp6zerocsumrx ] [ innerprotoinherit ]
738 id VNI - specifies the Virtual Network Identifier to
741 use.
742 remote IPADDR - specifies the unicast destination IP ad‐
745 dress to use in outgoing packets.
746 ttl TTL - specifies the TTL value to use in outgoing
749 packets. "0" or "auto" means use whatever default value,
750 "inherit" means inherit the inner protocol's ttl. De‐
751 fault option is "0".
752 tos TOS - specifies the TOS value to use in outgoing
755 packets.
756 df DF - specifies the usage of the Don't Fragment flag
759 (DF) bit in outgoing packets with IPv4 headers. The
760 value inherit causes the bit to be copied from the orig‐
761 inal IP header. The values unset and set cause the bit
762 to be always unset or always set, respectively. By de‐
763 fault, the bit is not set.
764 flowlabel FLOWLABEL - specifies the flow label to use in
767 outgoing packets.
768 dstport PORT - select a destination port other than the
771 default of 6081.
772 [no]external - make this tunnel externally controlled
775 (or not, which is the default). This flag is mutually
776 exclusive with the id, remote, ttl, tos and flowlabel
777 options.
778 [no]udpcsum - specifies if UDP checksum is calculated
781 for transmitted packets over IPv4.
782 [no]udp6zerocsumtx - skip UDP checksum calculation for
785 transmitted packets over IPv6.
786 [no]udp6zerocsumrx - allow incoming UDP packets over
789 IPv6 with zero checksum field.
790 innerprotoinherit - use IPv4/IPv6 as inner protocol in‐
793 stead of Ethernet.
794 Bareudp Type Support
798 For a link of type Bareudp the following additional arguments
799 are supported:
800 ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
802 srcportmin PORT ] [ [no]multiproto ]
803 dstport PORT - specifies the destination port for the
806 UDP tunnel.
807 ethertype PROTO - specifies the ethertype of the L3 pro‐
810 tocol being tunnelled. ethertype can be given as plain
811 Ethernet protocol number or using the protocol name
812 ("ipv4", "ipv6", "mpls_uc", etc.).
813 srcportmin PORT - selects the lowest value of the UDP
816 tunnel source port range.
817 [no]multiproto - activates support for protocols similar
820 to the one specified by ethertype. When ethertype is
821 "mpls_uc" (that is, unicast MPLS), this allows the tun‐
822 nel to also handle multicast MPLS. When ethertype is
823 "ipv4", this allows the tunnel to also handle IPv6. This
824 option is disabled by default.
825 AMT Type Support
828 For a link of type AMT the following additional arguments are
829 supported:
830 ip link add DEVICE type AMT discovery IPADDR mode { gateway |
832 relay } local IPADDR dev PHYS_DEV [ relay_port PORT ] [ gate‐
833 way_port PORT ] [ max_tunnels NUMBER ]
834 discovery IPADDR - specifies the unicast discovery IP
837 address to use to find remote IP address.
838 mode { gateway | relay } - specifies the role of AMT,
840 Gateway or Relay
841 local IPADDR - specifies the source IP address to use in
843 outgoing packets.
844 dev PHYS_DEV - specifies the underlying physical inter‐
846 face from which transform traffic is sent and received.
847 relay_port PORT - specifies the UDP Relay port to commu‐
849 nicate to the Relay.
850 gateway_port PORT - specifies the UDP Gateway port to
852 communicate to the Gateway.
853 max_tunnels NUMBER - specifies the maximum number of
855 tunnels.
856 MACVLAN and MACVTAP Type Support
860 For a link of type MACVLAN or MACVTAP the following additional
861 arguments are supported:
862 ip link add link DEVICE name NAME type { macvlan | macvtap }
864 mode { private | vepa | bridge | passthru [ nopromisc ] |
865 source [ nodst ] } [ bcqueuelen { LENGTH } ]
866 type { macvlan | macvtap } - specifies the link type to
869 use. macvlan creates just a virtual interface, while
870 macvtap in addition creates a character device /dev/tapX
871 to be used just like a tuntap device.
872 mode private - Do not allow communication between
874 macvlan instances on the same physical interface, even
875 if the external switch supports hairpin mode.
876 mode vepa - Virtual Ethernet Port Aggregator mode. Data
878 from one macvlan instance to the other on the same phys‐
879 ical interface is transmitted over the physical inter‐
880 face. Either the attached switch needs to support hair‐
881 pin mode, or there must be a TCP/IP router forwarding
882 the packets in order to allow communication. This is the
883 default mode.
884 mode bridge - In bridge mode, all endpoints are directly
886 connected to each other, communication is not redirected
887 through the physical interface's peer.
888 mode passthru [ nopromisc ] - This mode gives more power
890 to a single endpoint, usually in macvtap mode. It is not
891 allowed for more than one endpoint on the same physical
892 interface. All traffic will be forwarded to this end‐
893 point, allowing virtio guests to change MAC address or
894 set promiscuous mode in order to bridge the interface or
895 create vlan interfaces on top of it. By default, this
896 mode forces the underlying interface into promiscuous
897 mode. Passing the nopromisc flag prevents this, so the
898 promisc flag may be controlled using standard tools.
899 mode source [ nodst ] - allows one to set a list of al‐
901 lowed mac address, which is used to match against source
902 mac address from received frames on underlying inter‐
903 face. This allows creating mac based VLAN associations,
904 instead of standard port or tag based. The feature is
905 useful to deploy 802.1x mac based behavior, where driv‐
906 ers of underlying interfaces doesn't allows that. By de‐
907 fault, packets are also considered (duplicated) for des‐
908 tination-based MACVLAN. Passing the nodst flag stops
909 matching packets from also going through the destina‐
910 tion-based flow.
911 bcqueuelen { LENGTH } - Set the length of the RX queue
913 used to process broadcast and multicast packets. LENGTH
914 must be a positive integer in the range [0-4294967295].
915 Setting a length of 0 will effectively drop all broad‐
916 cast/multicast traffic. If not specified the macvlan
917 driver default (1000) is used. Note that all macvlans
918 that share the same underlying device are using the same
919 queue. The parameter here is a request, the actual queue
920 length used will be the maximum length that any macvlan
921 interface has requested. When listing device parameters
922 both the bcqueuelen parameter as well as the actual used
923 bcqueuelen are listed to better help the user understand
924 the setting.
925 High-availability Seamless Redundancy (HSR) Support
928 For a link of type HSR the following additional arguments are
929 supported:
930 ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
932 slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } [
933 proto { 0 | 1 } ]
934 type hsr - specifies the link type to use, here HSR.
937 slave1 SLAVE1-IF - Specifies the physical device used
939 for the first of the two ring ports.
940 slave2 SLAVE2-IF - Specifies the physical device used
942 for the second of the two ring ports.
943 supervision ADDR-BYTE - The last byte of the multicast
945 address used for HSR supervision frames. Default option
946 is "0", possible values 0-255.
947 version { 0 | 1 } - Selects the protocol version of the
949 interface. Default option is "0", which corresponds to
950 the 2010 version of the HSR standard. Option "1" acti‐
951 vates the 2012 version.
952 proto { 0 | 1 } - Selects the protocol at the interface.
954 Default option is "0", which corresponds to the HSR
955 standard. Option "1" activates the Parallel Redundancy
956 Protocol (PRP).
957 BRIDGE Type Support
960 For a link of type BRIDGE the following additional arguments are
961 supported:
962 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
964 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
965 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
966 stp_state STP_STATE ] [ priority PRIORITY ] [ vlan_filtering
967 VLAN_FILTERING ] [ vlan_protocol VLAN_PROTOCOL ] [ vlan_de‐
968 fault_pvid VLAN_DEFAULT_PVID ] [ vlan_stats_enabled
969 VLAN_STATS_ENABLED ] [ vlan_stats_per_port VLAN_STATS_PER_PORT ]
970 [ mcast_snooping MULTICAST_SNOOPING ] [ mcast_vlan_snooping MUL‐
971 TICAST_VLAN_SNOOPING ] [ mcast_router MULTICAST_ROUTER ] [
972 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ] [ mcast_querier
973 MULTICAST_QUERIER ] [ mcast_hash_elasticity HASH_ELASTICITY ] [
974 mcast_hash_max HASH_MAX ] [ mcast_last_member_count LAST_MEM‐
975 BER_COUNT ] [ mcast_startup_query_count STARTUP_QUERY_COUNT ] [
976 mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
977 bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
978 QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
979 mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
980 mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
981 mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
982 IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
983 bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
984 [ nf_call_arptables NF_CALL_ARPTABLES ]
985 ageing_time AGEING_TIME - configure the bridge's FDB en‐
988 tries ageing time, ie the number of seconds a MAC ad‐
989 dress will be kept in the FDB after a packet has been
990 received from that address. after this time has passed,
991 entries are cleaned up.
992 group_fwd_mask MASK - set the group forward mask. This
994 is the bitmask that is applied to decide whether to for‐
995 ward incoming frames destined to link-local addresses,
996 ie addresses of the form 01:80:C2:00:00:0X (defaults to
997 0, ie the bridge does not forward any link-local
998 frames).
999 group_address ADDRESS - set the MAC address of the mul‐
1001 ticast group this bridge uses for STP. The address must
1002 be a link-local address in standard Ethernet MAC address
1003 format, ie an address of the form 01:80:C2:00:00:0X,
1004 with X
1005 in [0, 4..f].
1006 forward_delay FORWARD_DELAY - set the forwarding delay
1008 in seconds, ie the time spent in LISTENING state (before
1009 moving to LEARNING) and in LEARNING state (before moving
1010 to FORWARDING). Only relevant if STP is enabled. Valid
1011 values are between 2 and 30.
1012 hello_time HELLO_TIME - set the time in seconds between
1014 hello packets sent by the bridge, when it is a root
1015 bridge or a designated bridges. Only relevant if STP is
1016 enabled. Valid values are between 1 and 10.
1017 max_age MAX_AGE - set the hello packet timeout, ie the
1019 time in seconds until another bridge in the spanning
1020 tree is assumed to be dead, after reception of its last
1021 hello message. Only relevant if STP is enabled. Valid
1022 values are between 6 and 40.
1023 stp_state STP_STATE - turn spanning tree protocol on
1025 (STP_STATE > 0) or off (STP_STATE == 0). for this
1026 bridge.
1027 priority PRIORITY - set this bridge's spanning tree pri‐
1029 ority, used during STP root bridge election. PRIORITY
1030 is a 16bit unsigned integer.
1031 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
1033 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
1034 disabled, the bridge will not consider the VLAN tag when
1035 handling packets.
1036 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
1038 used for VLAN filtering.
1039 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
1041 PVID (native/untagged VLAN ID) for this bridge.
1042 vlan_stats_enabled VLAN_STATS_ENABLED - enable
1044 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
1045 == 0) per-VLAN stats accounting.
1046 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
1048 (VLAN_STATS_PER_PORT == 1) or disable
1049 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
1050 counting. Can be changed only when there are no port
1051 VLANs configured.
1052 mcast_snooping MULTICAST_SNOOPING - turn multicast
1054 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
1055 CAST_SNOOPING == 0).
1056 mcast_vlan_snooping MULTICAST_VLAN_SNOOPING - turn mul‐
1058 ticast VLAN snooping on (MULTICAST_VLAN_SNOOPING > 0) or
1059 off (MULTICAST_VLAN_SNOOPING == 0).
1060 mcast_router MULTICAST_ROUTER - set bridge's multicast
1062 router if IGMP snooping is enabled. MULTICAST_ROUTER is
1063 an integer value having the following meaning:
1064 0 - disabled.
1066 1 - automatic (queried).
1068 2 - permanently enabled.
1070 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1072 to use the bridge's own IP address as source address for
1073 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1074 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1075 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1077 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1078 IGMP querier, ie sending of multicast queries by the
1079 bridge (default: disabled).
1080 mcast_querier_interval QUERIER_INTERVAL - interval be‐
1082 tween queries sent by other routers. if no queries are
1083 seen after this delay has passed, the bridge will start
1084 to send its own queries (as if mcast_querier was en‐
1085 abled).
1086 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1088 database hash elasticity, ie the maximum chain length in
1089 the multicast hash table (defaults to 4).
1090 mcast_hash_max HASH_MAX - set maximum size of multicast
1092 hash table (defaults to 512, value must be a power of
1093 2).
1094 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1096 cast last member count, ie the number of queries the
1097 bridge will send before stopping forwarding a multicast
1098 group after a "leave" message has been received (de‐
1099 faults to 2).
1100 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1102 val between queries to find remaining members of a
1103 group, after a "leave" message is received.
1104 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1106 number of IGMP queries to send during startup phase (de‐
1107 faults to 2).
1108 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1110 interval between queries in the startup phase.
1111 mcast_query_interval QUERY_INTERVAL - interval between
1113 queries sent by the bridge after the end of the startup
1114 phase.
1115 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1117 set the Max Response Time/Maximum Response Delay for
1118 IGMP/MLD queries sent by the bridge.
1119 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1121 after which the bridge will leave a group, if no member‐
1122 ship reports for this group are received.
1123 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1125 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1126 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1127 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1129 mcast_mld_version MLD_VERSION - set the MLD version.
1131 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1133 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1134 hooks on the bridge.
1135 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1137 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1138 0) ip6tables hooks on the bridge.
1139 nf_call_arptables NF_CALL_ARPTABLES - enable
1141 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1142 0) arptables hooks on the bridge.
1143 MACsec Type Support
1148 For a link of type MACsec the following additional arguments are
1149 supported:
1150 ip link add link DEVICE name NAME type macsec [ [ address
1152 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1153 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1154 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1155 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1156 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1157 ]
1158 address <lladdr> - sets the system identifier component
1161 of secure channel for this MACsec device.
1162 port PORT - sets the port number component of secure
1165 channel for this MACsec device, in a range from 1 to
1166 65535 inclusive. Numbers with a leading " 0 " or " 0x "
1167 are interpreted as octal and hexadecimal, respectively.
1168 sci SCI - sets the secure channel identifier for this
1171 MACsec device. SCI is a 64bit wide number in hexadeci‐
1172 mal format.
1173 cipher CIPHER_SUITE - defines the cipher suite to use.
1176 icvlen LENGTH - sets the length of the Integrity Check
1179 Value (ICV).
1180 encrypt on or encrypt off - switches between authenti‐
1183 cated encryption, or authenticity mode only.
1184 send_sci on or send_sci off - specifies whether the SCI
1187 is included in every packet, or only when it is neces‐
1188 sary.
1189 end_station on or end_station off - sets the End Station
1192 bit.
1193 scb on or scb off - sets the Single Copy Broadcast bit.
1196 protect on or protect off - enables MACsec protection on
1199 the device.
1200 replay on or replay off - enables replay protection on
1203 the device.
1204 window SIZE - sets the size of the replay win‐
1208 dow.
1209 validate strict or validate check or validate disabled -
1213 sets the validation mode on the device.
1214 encodingsa AN - sets the active secure association for
1217 transmission.
1218 VRF Type Support
1222 For a link of type VRF the following additional arguments are
1223 supported:
1224 ip link add DEVICE type vrf table TABLE
1226 table table id associated with VRF device
1229 RMNET Type Support
1233 For a link of type RMNET the following additional arguments are
1234 supported:
1235 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1237 mux_id MUXID - specifies the mux identifier for the rm‐
1240 net device, possible values 1-254.
1241 XFRM Type Support
1245 For a link of type XFRM the following additional arguments are
1246 supported:
1247 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1249 dev PHYS_DEV - specifies the underlying physical inter‐
1252 face from which transform traffic is sent and received.
1253 if_id IF-ID - specifies the hexadecimal lookup key used
1256 to send traffic to and from specific xfrm policies.
1257 Policies must be configured with the same key. If not
1258 set, the key defaults to 0 and will match any policies
1259 which similarly do not have a lookup key configuration.
1260 GTP Type Support
1264 For a link of type GTP the following additional arguments are
1265 supported:
1266 ip link add DEVICE type gtp role ROLE hsize HSIZE
1268 role ROLE - specifies the role of the GTP device, either
1271 sgsn or ggsn
1272 hsize HSIZE - specifies size of the hashtable which
1275 stores PDP contexts
1276 restart_count RESTART_COUNT - GTP instance restart
1279 counter
1280 ip link delete - delete virtual link
1284 dev DEVICE
1285 specifies the virtual device to act operate on.
1286 group GROUP
1289 specifies the group of virtual links to delete. Group 0 is not
1290 allowed to be deleted since it is the default group.
1291 type TYPE
1294 specifies the type of the device.
1295 ip link set - change device attributes
1298 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1299 ately after any of the changes have failed. This is the only case when
1300 ip can move the system to an unpredictable state. The solution is to
1301 avoid changing several parameters with one ip link set call. The modi‐
1302 fier change is equivalent to set.
1303 dev DEVICE
1307 DEVICE specifies network device to operate on. When configuring
1308 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1309 ify the associated Physical Function (PF) device.
1310 group GROUP
1313 GROUP has a dual role: If both group and dev are present, then
1314 move the device to the specified group. If only a group is spec‐
1315 ified, then the command operates on all devices in that group.
1316 up and down
1319 change the state of the device to UP or DOWN.
1320 arp on or arp off
1323 change the NOARP flag on the device.
1324 multicast on or multicast off
1327 change the MULTICAST flag on the device.
1328 allmulticast on or allmulticast off
1331 change the ALLMULTI flag on the device. When enabled, instructs
1332 network driver to retrieve all multicast packets from the net‐
1333 work to the kernel for further processing.
1334 promisc on or promisc off
1337 change the PROMISC flag on the device. When enabled, activates
1338 promiscuous operation of the network device.
1339 trailers on or trailers off
1342 change the NOTRAILERS flag on the device, NOT used by the Linux
1343 and exists for BSD compatibility.
1344 protodown on or protodown off
1347 change the PROTODOWN state on the device. Indicates that a pro‐
1348 tocol error has been detected on the port. Switch drivers can
1349 react to this error by doing a phys down on the switch port.
1350 protodown_reason PREASON on or off
1353 set PROTODOWN reasons on the device. protodown reason bit names
1354 can be enumerated under /etc/iproute2/protodown_reasons.d/. pos‐
1355 sible reasons bits 0-31
1356 dynamic on or dynamic off
1359 change the DYNAMIC flag on the device. Indicates that address
1360 can change when interface goes down (currently NOT used by the
1361 Linux).
1362 name NAME
1365 change the name of the device. This operation is not recommended
1366 if the device is running or has some addresses already config‐
1367 ured.
1368 txqueuelen NUMBER
1371 txqlen NUMBER
1373 change the transmit queue length of the device.
1374 mtu NUMBER
1377 change the MTU of the device.
1378 address LLADDRESS
1381 change the station address of the interface.
1382 broadcast LLADDRESS
1385 brd LLADDRESS
1387 peer LLADDRESS
1389 change the link layer broadcast address or the peer address when
1390 the interface is POINTOPOINT.
1391 netns NETNSNAME | PID
1394 move the device to the network namespace associated with name
1395 NETNSNAME or process PID.
1396 Some devices are not allowed to change network namespace: loop‐
1398 back, bridge, wireless. These are network namespace local de‐
1399 vices. In such case ip tool will return "Invalid argument" er‐
1400 ror. It is possible to find out if device is local to a single
1401 network namespace by checking netns-local flag in the output of
1402 the ethtool:
1403 ethtool -k DEVICE
1405 To change network namespace for wireless devices the iw tool can
1407 be used. But it allows one to change network namespace only for
1408 physical devices and by process PID.
1409 alias NAME
1412 give the device a symbolic name for easy reference.
1413 group GROUP
1416 specify the group the device belongs to. The available groups
1417 are listed in file /etc/iproute2/group.
1418 vf NUM specify a Virtual Function device to be configured. The associ‐
1421 ated PF device must be specified using the dev parameter.
1422 mac LLADDRESS - change the station address for the spec‐
1424 ified VF. The vf parameter must be specified.
1425 vlan VLANID - change the assigned VLAN for the specified
1428 VF. When specified, all traffic sent from the VF will be
1429 tagged with the specified VLAN ID. Incoming traffic will
1430 be filtered for the specified VLAN ID, and will have all
1431 VLAN tags stripped before being passed to the VF. Set‐
1432 ting this parameter to 0 disables VLAN tagging and fil‐
1433 tering. The vf parameter must be specified.
1434 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1437 VLAN tag. When specified, all VLAN tags transmitted by
1438 the VF will include the specified priority bits in the
1439 VLAN tag. If not specified, the value is assumed to be
1440 0. Both the vf and vlan parameters must be specified.
1441 Setting both vlan and qos as 0 disables VLAN tagging and
1442 filtering for the VF.
1443 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1446 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1447 traffic sent from the VF will be tagged with VLAN S-Tag.
1448 Incoming traffic will have VLAN S-Tags stripped before
1449 being passed to the VF. Setting to 802.1ad also enables
1450 an option to concatenate another VLAN tag, so both S-TAG
1451 and C-TAG will be inserted/stripped for outgoing/incom‐
1452 ing traffic, respectively. If not specified, the value
1453 is assumed to be 802.1Q. Both the vf and vlan parameters
1454 must be specified.
1455 rate TXRATE -- change the allowed transmit bandwidth, in
1458 Mbps, for the specified VF. Setting this parameter to 0
1459 disables rate limiting. vf parameter must be specified.
1460 Please use new API max_tx_rate option instead.
1461 max_tx_rate TXRATE - change the allowed maximum transmit
1464 bandwidth, in Mbps, for the specified VF. Setting this
1465 parameter to 0 disables rate limiting. vf parameter
1466 must be specified.
1467 min_tx_rate TXRATE - change the allowed minimum transmit
1470 bandwidth, in Mbps, for the specified VF. Minimum
1471 TXRATE should be always <= Maximum TXRATE. Setting this
1472 parameter to 0 disables rate limiting. vf parameter
1473 must be specified.
1474 spoofchk on|off - turn packet spoof checking on or off
1477 for the specified VF.
1478 query_rss on|off - toggle the ability of querying the
1480 RSS configuration of a specific VF. VF RSS information
1481 like RSS hash key may be considered sensitive on some
1482 devices where this information is shared between VF and
1483 PF and thus its querying may be prohibited by default.
1484 state auto|enable|disable - set the virtual link state
1486 as seen by the specified VF. Setting to auto means a re‐
1487 flection of the PF link state, enable lets the VF to
1488 communicate with other VFs on this host even if the PF
1489 link state is down, disable causes the HW to drop any
1490 packets sent by the VF.
1491 trust on|off - trust the specified VF user. This enables
1493 that VF user can set a specific feature which may impact
1494 security and/or performance. (e.g. VF multicast promis‐
1495 cuous mode)
1496 node_guid eui64 - configure node GUID for Infiniband
1498 VFs.
1499 port_guid eui64 - configure port GUID for Infiniband
1501 VFs.
1502 xdp object | pinned | off
1505 set (or unset) a XDP ("eXpress Data Path") BPF program to run on
1506 every packet at driver level. ip link output will indicate a
1507 xdp flag for the networking device. If the driver does not have
1508 native XDP support, the kernel will fall back to a slower,
1509 driver-independent "generic" XDP variant. The ip link output
1510 will in that case indicate xdpgeneric instead of xdp only. If
1511 the driver does have native XDP support, but the program is
1512 loaded under xdpgeneric object | pinned then the kernel will use
1513 the generic XDP variant instead of the native one. xdpdrv has
1514 the opposite effect of requestsing that the automatic fallback
1515 to the generic XDP variant be disabled and in case driver is not
1516 XDP-capable error should be returned. xdpdrv also disables
1517 hardware offloads. xdpoffload in ip link output indicates that
1518 the program has been offloaded to hardware and can also be used
1519 to request the "offload" mode, much like xdpgeneric it forces
1520 program to be installed specifically in HW/FW of the apater.
1521 off (or none ) - Detaches any currently attached XDP/BPF program
1523 from the given device.
1524 object FILE - Attaches a XDP/BPF program to the given device.
1526 The FILE points to a BPF ELF file (f.e. generated by LLVM) that
1527 contains the BPF program code, map specifications, etc. If a
1528 XDP/BPF program is already attached to the given device, an er‐
1529 ror will be thrown. If no XDP/BPF program is currently attached,
1530 the device supports XDP and the program from the BPF ELF file
1531 passes the kernel verifier, then it will be attached to the de‐
1532 vice. If the option -force is passed to ip then any prior at‐
1533 tached XDP/BPF program will be atomically overridden and no er‐
1534 ror will be thrown in this case. If no section option is passed,
1535 then the default section name ("prog") will be assumed, other‐
1536 wise the provided section name will be used. If no verbose op‐
1537 tion is passed, then a verifier log will only be dumped on load
1538 error. See also EXAMPLES section for usage examples.
1539 section NAME - Specifies a section name that contains the BPF
1541 program code. If no section name is specified, the default one
1542 ("prog") will be used. This option is to be passed with the ob‐
1543 ject option.
1544 verbose - Act in verbose mode. For example, even in case of suc‐
1546 cess, this will print the verifier log in case a program was
1547 loaded from a BPF ELF file.
1548 pinned FILE - Attaches a XDP/BPF program to the given device.
1550 The FILE points to an already pinned BPF program in the BPF file
1551 system. The option section doesn't apply here, but otherwise se‐
1552 mantics are the same as with the option object described al‐
1553 ready.
1554 master DEVICE
1557 set master device of the device (enslave device).
1558 nomaster
1561 unset master device of the device (release device).
1562 addrgenmode eui64|none|stable_secret|random
1565 set the IPv6 address generation mode
1566 eui64 - use a Modified EUI-64 format interface identifier
1568 none - disable automatic address generation
1570 stable_secret - generate the interface identifier based on a
1572 preset
1573 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1574 random - like stable_secret, but auto-generate a new random se‐
1576 cret if none is set
1577 link-netnsid
1580 set peer netnsid for a cross-netns interface
1581 type ETYPE TYPE_ARGS
1584 Change type-specific settings. For a list of supported types and
1585 arguments refer to the description of ip link add above. In ad‐
1586 dition to that, it is possible to manipulate settings to slave
1587 devices:
1588 Bridge Slave Support
1591 For a link with master bridge the following additional arguments
1592 are supported:
1593 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1595 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1596 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1597 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1598 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1599 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off} ] [
1600 bcast_flood { on | off } ] [ mcast_flood { on | off } ] [
1601 mcast_to_unicast { on | off } ] [ group_fwd_mask MASK ] [
1602 neigh_suppress { on | off } ] [ vlan_tunnel { on | off } ] [
1603 isolated { on | off } ] [ locked { on | off } backup_port DEVICE
1604 ] [ nobackup_port ]
1605 fdb_flush - flush bridge slave's fdb dynamic entries.
1608 state STATE - Set port state. STATE is a number repre‐
1610 senting the following states: 0 (disabled), 1 (listen‐
1611 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1612 priority PRIO - set port priority (allowed values are
1614 between 0 and 63, inclusively).
1615 cost COST - set port cost (allowed values are between 1
1617 and 65535, inclusively).
1618 guard { on | off } - block incoming BPDU packets on this
1620 port.
1621 hairpin { on | off } - enable hairpin mode on this port.
1623 This will allow incoming packets on this port to be re‐
1624 flected back.
1625 fastleave { on | off } - enable multicast fast leave on
1627 this port.
1628 root_block { on | off } - block this port from becoming
1630 the bridge's root port.
1631 learning { on | off } - allow MAC address learning on
1633 this port.
1634 flood { on | off } - open the flood gates on this port,
1636 i.e. forward all unicast frames to this port also. Re‐
1637 quires proxy_arp and proxy_arp_wifi to be turned off.
1638 proxy_arp { on | off } - enable proxy ARP on this port.
1640 proxy_arp_wifi { on | off } - enable proxy ARP on this
1642 port which meets extended requirements by IEEE 802.11
1643 and Hotspot 2.0 specifications.
1644 mcast_router MULTICAST_ROUTER - configure this port for
1646 having multicast routers attached. A port with a multi‐
1647 cast router will receive all multicast traffic. MULTI‐
1648 CAST_ROUTER may be either 0 to disable multicast routers
1649 on this port, 1 to let the system detect the presence of
1650 routers (this is the default), 2 to permanently enable
1651 multicast traffic forwarding on this port or 3 to enable
1652 multicast routers temporarily on this port, not depend‐
1653 ing on incoming queries.
1654 mcast_fast_leave { on | off } - this is a synonym to the
1656 fastleave option above.
1657 bcast_flood { on | off } - controls flooding of broad‐
1659 cast traffic on the given port. By default this flag is
1660 on.
1661 mcast_flood { on | off } - controls whether a given port
1663 will flood multicast traffic for which there is no MDB
1664 entry. By default this flag is on.
1665 mcast_to_unicast { on | off } - controls whether a given
1667 port will replicate packets using unicast instead of
1668 multicast. By default this flag is off.
1669 group_fwd_mask MASK - set the group forward mask. This
1671 is the bitmask that is applied to decide whether to for‐
1672 ward incoming frames destined to link-local addresses,
1673 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1674 0, ie the bridge does not forward any link-local frames
1675 coming on this port).
1676 neigh_suppress { on | off } - controls whether neigh
1678 discovery (arp and nd) proxy and suppression is enabled
1679 on the port. By default this flag is off.
1680 vlan_tunnel { on | off } - controls whether vlan to tun‐
1682 nel mapping is enabled on the port. By default this flag
1683 is off.
1684 locked { on | off } - sets or unsets a port in locked
1686 mode, so that when enabled, hosts behind the port cannot
1687 communicate through the port unless a FDB entry repre‐
1688 senting the host is in the FDB. By default this flag is
1689 off.
1690 backup_port DEVICE - if the port loses carrier all traf‐
1692 fic will be redirected to the configured backup port
1693 nobackup_port - removes the currently configured backup
1695 port
1696 Bonding Slave Support
1700 For a link with master bond the following additional arguments
1701 are supported:
1702 ip link set type bond_slave [ queue_id ID ]
1704 queue_id ID - set the slave's queue ID (a 16bit unsigned
1707 value).
1708 MACVLAN and MACVTAP Support
1712 Modify list of allowed macaddr for link in source mode.
1713 ip link set type { macvlan | macvap } [ macaddr COMMAND MACADDR
1715 ... ]
1716 Commands:
1718 add - add MACADDR to allowed list
1719 set - replace allowed list
1721 del - remove MACADDR from allowed list
1723 flush - flush whole allowed list
1725 Update the broadcast/multicast queue length.
1728 ip link set type { macvlan | macvap } [ bcqueuelen LENGTH ]
1730 bcqueuelen LENGTH - Set the length of the RX queue used
1732 to process broadcast and multicast packets. LENGTH must
1733 be a positive integer in the range [0-4294967295]. Set‐
1734 ting a length of 0 will effectively drop all broad‐
1735 cast/multicast traffic. If not specified the macvlan
1736 driver default (1000) is used. Note that all macvlans
1737 that share the same underlying device are using the same
1738 queue. The parameter here is a request, the actual queue
1739 length used will be the maximum length that any macvlan
1740 interface has requested. When listing device parameters
1741 both the bcqueuelen parameter as well as the actual used
1742 bcqueuelen are listed to better help the user understand
1743 the setting.
1744 ip link show - display device attributes
1747 dev NAME (default)
1748 NAME specifies the network device to show.
1749 group GROUP
1752 GROUP specifies what group of devices to show.
1753 up only display running interfaces.
1756 master DEVICE
1759 DEVICE specifies the master device which enslaves devices to
1760 show.
1761 vrf NAME
1764 NAME specifies the VRF which enslaves devices to show.
1765 type TYPE
1768 TYPE specifies the type of devices to show.
1769 Note that the type name is not checked against the list of sup‐
1771 ported types - instead it is sent as-is to the kernel. Later it
1772 is used to filter the returned interface list by comparing it
1773 with the relevant attribute in case the kernel didn't filter al‐
1774 ready. Therefore any string is accepted, but may lead to empty
1775 output.
1776 nomaster
1779 only show devices with no master
1780 ip link xstats - display extended statistics
1783 type TYPE
1784 TYPE specifies the type of devices to display extended statis‐
1785 tics for.
1786 ip link afstats - display address-family specific statistics
1789 dev DEVICE
1790 DEVICE specifies the device to display address-family statistics
1791 for.
1792 ip link help - display help
1795 TYPE specifies which help of link type to display.
1796 GROUP
1799 may be a number or a string from the file /etc/iproute2/group which can
1800 be manually filled.
1801
1804 ip link show
1805 Shows the state of all network interfaces on the system.
1806 ip link show type bridge
1808 Shows the bridge devices.
1809 ip link show type vlan
1811 Shows the vlan devices.
1812 ip link show master br0
1814 Shows devices enslaved by br0
1815 ip link set dev ppp0 mtu 1400
1817 Change the MTU the ppp0 device.
1818 ip link add link eth0 name eth0.10 type vlan id 10
1820 Creates a new vlan device eth0.10 on device eth0.
1821 ip link delete dev eth0.10
1823 Removes vlan device.
1824 ip link help gre
1826 Display help for the gre link type.
1827 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1829 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1830 remcsum
1831 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1832 tion, and the outer UDP checksum and remote checksum offload are
1833 enabled.
1834 ip link set dev eth0 xdp obj prog.o
1836 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1837 cated in prog.o, section "prog" (default section). In case a
1838 XDP/BPF program is already attached, throw an error.
1839 ip -force link set dev eth0 xdp obj prog.o sec foo
1841 Attaches a XDP/BPF program to device eth0, where the program is lo‐
1842 cated in prog.o, section "foo". In case a XDP/BPF program is al‐
1843 ready attached, it will be overridden by the new one.
1844 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1846 Attaches a XDP/BPF program to device eth0, where the program was
1847 previously pinned as an object node into BPF file system under name
1848 foo.
1849 ip link set dev eth0 xdp off
1851 If a XDP/BPF program is attached on device eth0, detach it and ef‐
1852 fectively turn off XDP for device eth0.
1853 ip link add link wpan0 lowpan0 type lowpan
1855 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1856 802.15.4 device wpan0.
1857 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1859 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1860 erspan_hwid 17
1861 Creates a IP6ERSPAN version 2 interface named ip6erspan00.
1862
1865 ip(8), ip-netns(8), ethtool(8), iptables(8)
1866
1869 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1870iproute2 13 Dec 2012 IP-LINK(8)