IP-LINK(8) Linux IP-LINK(8)

6 ip-link - network device configuration
7
9 ip link { COMMAND | help }
10
11
12 ip link add [ link DEVICE ] [ name ] NAME
13 [ txqueuelen PACKETS ]
14 [ address LLADDR ] [ broadcast LLADDR ]
15 [ mtu MTU ] [ index IDX ]
16 [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
17 [ gso_max_size BYTES ] [ gso_max_segs SEGMENTS ]
18 [ gro_max_size BYTES ]
19 type TYPE [ ARGS ]
20
21 ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]
22
23 ip link set { DEVICE | group GROUP }
24 [ { up | down } ]
25 [ type ETYPE TYPE_ARGS ]
26 [ arp { on | off } ]
27 [ dynamic { on | off } ]
28 [ multicast { on | off } ]
29 [ allmulticast { on | off } ]
30 [ promisc { on | off } ]
31 [ protodown { on | off } ]
32 [ protodown_reason PREASON { on | off } ]
33 [ trailers { on | off } ]
34 [ txqueuelen PACKETS ]
35 [ max_gso_size BYTES ] [ max_gso_segs SEGMENTS ] [ max_gro_size
36 BYTES ]
37 [ name NEWNAME ]
38 [ address LLADDR ]
39 [ broadcast LLADDR ]
40 [ mtu MTU ]
41 [ netns { PID | NETNSNAME } ]
42 [ link-netnsid ID ]
43 [ alias NAME ]
44 [ vf NUM [ mac LLADDR ]
45 [ VFVLAN-LIST ]
46 [ rate TXRATE ]
47 [ max_tx_rate TXRATE ]
48 [ min_tx_rate TXRATE ]
49 [ spoofchk { on | off } ]
50 [ query_rss { on | off } ]
51 [ state { auto | enable | disable } ]
52 [ trust { on | off } ]
53 [ node_guid eui64 ]
54 [ port_guid eui64 ] ]
55 [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
56 object FILE [ section NAME ] [ verbose ] |
57 pinned FILE } ]
58 [ master DEVICE ]
59 [ nomaster ]
60 [ vrf NAME ]
61 [ addrgenmode { eui64 | none | stable_secret | random } ]
62 [ macaddr [ MACADDR ]
63 [ { flush | add | del } MACADDR ]
64 [ set MACADDR ] ]
65
66 ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE
67 ] [ type ETYPE ] [ vrf NAME ] [ nomaster ]
68
69 ip link xstats type TYPE [ ARGS ]
70
71 ip link afstats [ dev DEVICE ]
72
73 ip link help [ TYPE ]
74
75 TYPE := [ amt | bridge | bond | can | dummy | hsr | ifb |
76 ipoib | macvlan | macvtap | vcan | vxcan | veth |
77 vlan | vxlan | ip6tnl | ipip | sit | gre | gretap |
78 erspan | ip6gre | ip6gretap | ip6erspan | vti | nlmon
79 | ipvlan | ipvtap | lowpan | geneve | bareudp | vrf |
80 macsec | netdevsim | rmnet | xfrm | gtp ]
81
82 ETYPE := [ TYPE | bridge_slave | bond_slave ]
83
84 VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN
85
86 VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ]
87 ]
88
89 ip link property add dev DEVICE [ altname NAME .. ]
90
91 ip link property del dev DEVICE [ altname NAME .. ]
92
93
95 ip link add - add virtual link
link DEVICE
specifies the physical device to operate on.
98
99 NAME specifies the name of the new virtual device.
100
101 TYPE specifies the type of the new device.
102
103 Link types:
104
105 bridge - Ethernet Bridge device
106
107 bond - Bonding device
108
109 dummy - Dummy network interface
110
111 hsr - High-availability Seamless Redundancy device
112
113 ifb - Intermediate Functional Block device
114
115 ipoib - IP over Infiniband device
116
macvlan - Virtual interface based on link layer address (MAC)
119
120 macvtap - Virtual interface based on link layer address
121 (MAC) and TAP.
122
123 vcan - Virtual Controller Area Network interface
124
125 vxcan - Virtual Controller Area Network tunnel interface
126
127 veth - Virtual ethernet interface
128
129 vlan - 802.1q tagged virtual LAN interface
130
131 vxlan - Virtual eXtended LAN
132
133 ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
134
135 ipip - Virtual tunnel interface IPv4 over IPv4
136
137 sit - Virtual tunnel interface IPv6 over IPv4
138
139 gre - Virtual tunnel interface GRE over IPv4
140
141 gretap - Virtual L2 tunnel interface GRE over IPv4
142
143 erspan - Encapsulated Remote SPAN over GRE and IPv4
144
145 ip6gre - Virtual tunnel interface GRE over IPv6
146
147 ip6gretap - Virtual L2 tunnel interface GRE over IPv6
148
149 ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
150
151 vti - Virtual tunnel interface
152
153 nlmon - Netlink monitoring device
154
155 ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
156
157 ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and
158 TAP
159
160 lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4
161 / Bluetooth
162
163 geneve - GEneric NEtwork Virtualization Encapsulation
164
165 bareudp - Bare UDP L3 encapsulation support
166
167 amt - Automatic Multicast Tunneling (AMT)
168
macsec - Interface for IEEE 802.1AE MAC Security (MACsec)
171
172 vrf - Interface for L3 VRF domains
173
174 netdevsim - Interface for netdev API tests
175
176 rmnet - Qualcomm rmnet device
177
178 xfrm - Virtual xfrm interface
179
180 gtp - GPRS Tunneling Protocol
181
182
183 numtxqueues QUEUE_COUNT
184 specifies the number of transmit queues for new device.
185
186
187 numrxqueues QUEUE_COUNT
188 specifies the number of receive queues for new device.
189
190
191 gso_max_size BYTES
specifies the recommended maximum size of a Generic Segment Offload
packet the new device should accept.
194
195
196 gso_max_segs SEGMENTS
specifies the recommended maximum number of Generic Segment
Offload segments the new device should accept.
199
200
201 gro_max_size BYTES
202 specifies the maximum size of a packet built by GRO stack on
203 this device.
204
205
206 index IDX
specifies the desired index of the new virtual device. Link
creation fails if the index is busy.
209
210
211 VLAN Type Support
212 For a link of type VLAN the following additional arguments are
213 supported:
214
215 ip link add link DEVICE name NAME type vlan [ protocol
216 VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
217 | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
218 bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
219 egress-qos-map QOS-MAP ]
220
221
222 protocol VLAN_PROTO - either 802.1Q or 802.1ad.
223
id VLANID - specifies the VLAN Identifier to use. Note
that numbers with a leading "0" or "0x" are interpreted
as octal or hexadecimal, respectively.
227
228 reorder_hdr { on | off } - specifies whether ethernet
229 headers are reordered or not (default is on).
230
If reorder_hdr is on, the VLAN header is not inserted
immediately but only just before the packet is passed to the
physical device (if that device does not support VLAN
offloading). The RX direction is similar: by default the
packet is untagged before being received by the VLAN device.
Reordering accelerates tagging on egress and hides the VLAN
header on ingress so that the packet looks like a regular
Ethernet packet. At the same time it can be confusing for
packet capture, because the VLAN header does not exist
within the packet.
242
243 VLAN offloading can be checked by ethtool(8):
244
245 ethtool -k <phy_dev> | grep tx-vlan-offload
246
where <phy_dev> is the physical device to which the VLAN
device is bound.
249
250 gvrp { on | off } - specifies whether this VLAN should
251 be registered using GARP VLAN Registration Protocol.
252
253 mvrp { on | off } - specifies whether this VLAN should
254 be registered using Multiple VLAN Registration Protocol.
255
256 loose_binding { on | off } - specifies whether the VLAN
257 device state is bound to the physical device state.
258
259 bridge_binding { on | off } - specifies whether the VLAN
260 device link state tracks the state of bridge ports that
261 are members of the VLAN.
262
263 ingress-qos-map QOS-MAP - defines a mapping of VLAN
264 header prio field to the Linux internal packet priority
265 on incoming frames. The format is FROM:TO with multiple
266 mappings separated by spaces.
267
egress-qos-map QOS-MAP - defines a mapping of Linux internal
packet priority to VLAN header prio field but for
outgoing frames. The format is the same as for
ingress-qos-map.
272
273 Linux packet priority can be set by iptables(8):
274
iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
277
278 and this "4" priority can be used in the egress qos
279 mapping to set VLAN prio "5":
280
281 ip link set veth0.10 type vlan egress 4:5
282
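The leading-zero rule for id VLANID is easy to trip over in automation that zero-pads IDs, because the interface then lands in a different VLAN than the one written down. The sketch below is an added example, not part of ip-link(8) or iproute2: the function names are hypothetical, and the 1..4094 range is an assumption taken from the 12-bit 802.1Q VLAN ID field (0 and 4095 are reserved), not from this page.

```shell
#!/bin/sh
# Added example: show how a VLAN ID string is read under the rule above
# (leading "0x" = hexadecimal, leading "0" = octal, otherwise decimal) and
# refuse values whose written form would be misread.
# Function names are hypothetical. Nothing here touches the network; the
# ip command line is only printed.

# vlan_id_effective RAW
#   prints the ID as interpreted; exit status:
#   0 = unambiguous
#   1 = leading zero changes the value (octal reading differs from decimal)
#   2 = not a valid number in the base its prefix selects
#   3 = outside the assumed usable range 1..4094
vlan_id_effective() (
    raw=$1
    [ "${#raw}" -le 6 ] || exit 2              # keep shell arithmetic in range
    octal=0
    case $raw in
        0[xX]*)
            digits=${raw#0[xX]}
            case $digits in ''|*[!0-9a-fA-F]*) exit 2 ;; esac ;;
        0?*)
            case $raw in *[!0-7]*) exit 2 ;; esac   # e.g. "09" is not octal
            octal=1 ;;
        ''|*[!0-9]*)
            exit 2 ;;
    esac
    id=$(( $raw ))          # shell arithmetic honours the same prefixes
    [ "$id" -ge 1 ] && [ "$id" -le 4094 ] || exit 3
    echo "$id"
    # "0100" reads as 64 but "007" still reads as 7: flag only real changes
    if [ "$octal" -eq 1 ]; then
        dec=$(echo "$raw" | sed 's/^0*//')
        [ "$dec" = "$id" ] || exit 1
    fi
    exit 0
)

# vlan_add_cmd PARENT RAW
#   prints the command with the ID normalised to decimal, or says why not
vlan_add_cmd() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) echo "refused: bad device name" >&2; return 2 ;;
    esac
    rc=0
    id=$(vlan_id_effective "$2") || rc=$?
    case $rc in
        0) echo "ip link add link $1 name $1.$id type vlan id $id" ;;
        1) echo "refused: id '$2' is octal and means VLAN $id" >&2; return 1 ;;
        2) echo "refused: id '$2' is not a valid number" >&2; return 2 ;;
        *) echo "refused: id '$2' is outside 1..4094" >&2; return 3 ;;
    esac
}

# Constructed sample input: IDs as they might appear in an inventory file.
for raw in 100 0100 0x64 007 09 4095; do
    vlan_add_cmd eth0 "$raw" || true
done
```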
283
284 VXLAN Type Support
285 For a link of type VXLAN the following additional arguments are
286 supported:
287
ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ]
[ { group | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ]
[ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ]
[ srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ]
[ [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ]
[ [no]udp6zerocsumrx ] [ ageing SECONDS ] [ maxaddress NUMBER ]
[ [no]external ] [ gbp ] [ gpe ]
295
296
297 id VNI - specifies the VXLAN Network Identifier (or
298 VXLAN Segment Identifier) to use.
299
300 dev PHYS_DEV - specifies the physical device to use for
301 tunnel endpoint communication.
302
303
group IPADDR - specifies the multicast IP address to
join. This parameter cannot be specified with the
remote parameter.
307
308
remote IPADDR - specifies the unicast destination IP
address to use in outgoing packets when the destination
link layer address is not known in the VXLAN device
forwarding database. This parameter cannot be specified
with the group parameter.
314
315
316 local IPADDR - specifies the source IP address to use in
317 outgoing packets.
318
319
320 ttl TTL - specifies the TTL value to use in outgoing
321 packets.
322
323
324 tos TOS - specifies the TOS value to use in outgoing
325 packets.
326
327
df DF - specifies the usage of the Don't Fragment flag
(DF) bit in outgoing packets with IPv4 headers. The
value inherit causes the bit to be copied from the
original IP header. The values unset and set cause the bit
to be always unset or always set, respectively. By
default, the bit is not set.
334
335
336 flowlabel FLOWLABEL - specifies the flow label to use in
337 outgoing packets.
338
339
dstport PORT - specifies the UDP destination port to
communicate to the remote VXLAN tunnel endpoint.
343
344
345 srcport MIN MAX - specifies the range of port numbers to
346 use as UDP source ports to communicate to the remote
347 VXLAN tunnel endpoint.
348
349
350 [no]learning - specifies if unknown source link layer
351 addresses and IP addresses are entered into the VXLAN
352 device forwarding database.
353
354
355 [no]rsc - specifies if route short circuit is turned on.
356
357
[no]proxy - specifies if ARP proxy is turned on.
359
360
[no]l2miss - specifies if netlink LLADDR miss notifications
are generated.
363
364
[no]l3miss - specifies if netlink IP ADDR miss notifications
are generated.
367
368
369 [no]udpcsum - specifies if UDP checksum is calculated
370 for transmitted packets over IPv4.
371
372
373 [no]udp6zerocsumtx - skip UDP checksum calculation for
374 transmitted packets over IPv6.
375
376
377 [no]udp6zerocsumrx - allow incoming UDP packets over
378 IPv6 with zero checksum field.
379
380
381 ageing SECONDS - specifies the lifetime in seconds of
382 FDB entries learnt by the kernel.
383
384
385 maxaddress NUMBER - specifies the maximum number of FDB
386 entries.
387
388
389 [no]external - specifies whether an external control
390 plane (e.g. ip route encap) or the internal FDB should
391 be used.
392
393
394 gbp - enables the Group Policy extension (VXLAN-GBP).
395
396 Allows one to transport group policy context across
397 VXLAN network peers. If enabled, includes the mark
398 of a packet in the VXLAN header for outgoing packets
399 and fills the packet mark based on the information
400 found in the VXLAN header for incoming packets.
401
Format of upper 16 bits of packet mark (flags):

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

D := Don't Learn bit. When set, this bit indicates
that the egress VTEP MUST NOT learn the source
address of the encapsulated frame.

A := Indicates that the group policy has already
been applied to this packet. Policies MUST NOT be
applied by devices when the A bit is set.

Format of lower 16 bits of packet mark (policy ID):

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Group Policy ID        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Example:
iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF
425
426
427
gpe - enables the Generic Protocol extension (VXLAN-GPE).
Currently, this is only supported together with
the external keyword.
431
432
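The mark layout in the gbp description can be checked mechanically, which helps when reviewing which rules set the A bit, since devices must not apply policy to packets that carry it. The helper below is an added example, not code from iproute2 or the kernel: the function names, the vxlan0 device and the sample rule lines are constructed, and the bit positions are read off the flags diagram (D is the 10th and A the 13th bit from the left of the upper half).

```shell
#!/bin/sh
# Added example: encode, decode and audit VXLAN-GBP packet marks.
# Layout (from the gbp description; most significant bit on the left):
#   upper 16 bits  flags: D = 10th bit, A = 13th bit from the left
#   lower 16 bits  Group Policy ID
GBP_D=$(( 1 << 22 ))            # Don't Learn     (0x400000)
GBP_A=$(( 1 << 19 ))            # policy Applied  (0x080000)
GBP_ID_MASK=$(( 0xFFFF ))
GBP_KNOWN=$(( $GBP_D | $GBP_A | $GBP_ID_MASK ))

# is_mark VALUE: accept decimal or 0x-prefixed hex that fits in 32 bits
is_mark() {
    case $1 in
        0[xX]) return 1 ;;
        0[xX]*[!0-9a-fA-F]*) return 1 ;;
        0[xX]*) [ "${#1}" -le 10 ] ;;
        ''|*[!0-9]*|0?*) return 1 ;;
        *) [ "${#1}" -le 10 ] && [ "$1" -le 4294967295 ] ;;
    esac
}

# gbp_decode MARK -> "id=<n> D=<0|1> A=<0|1> unknown=<hex of other bits>"
gbp_decode() (
    is_mark "$1" || { echo "invalid mark: $1" >&2; exit 2; }
    mark=$(( $1 ))
    id=$(( $mark & $GBP_ID_MASK ))
    d=$(( ($mark & $GBP_D) != 0 ))
    a=$(( ($mark & $GBP_A) != 0 ))
    unknown=$(( $mark & ~$GBP_KNOWN & 0xFFFFFFFF ))
    printf 'id=%d D=%d A=%d unknown=0x%x\n' "$id" "$d" "$a" "$unknown"
)

# gbp_encode ID [D] [A] -> mark in hex; D and A are 0 or 1 (default 0)
gbp_encode() (
    is_mark "$1" && [ $(( $1 )) -le 65535 ] ||
        { echo "invalid policy id: $1" >&2; exit 2; }
    mark=$(( $1 ))
    if [ "${2:-0}" = 1 ]; then mark=$(( $mark | $GBP_D )); fi
    if [ "${3:-0}" = 1 ]; then mark=$(( $mark | $GBP_A )); fi
    printf '0x%X\n' "$mark"
)

# gbp_audit: read rule text on stdin; for every "--set-mark VALUE" print the
# decoded fields, with a note when the A bit is set.
gbp_audit() {
    sed -n 's/.*--set-mark  *\([0-9A-Za-z]*\).*/\1/p' |
    while read -r m; do
        if f=$(gbp_decode "$m" 2>/dev/null); then
            case $f in
                *"A=1"*) echo "$m $f NOTE: policy marked as already applied" ;;
                *)       echo "$m $f" ;;
            esac
        else
            echo "$m invalid"
        fi
    done
}

# Constructed sample rules (not from a real host), in the --set-mark form
# used in the example in the gbp description.
sample_rules() {
    cat <<'EOF'
-A OUTPUT -o vxlan0 -p tcp --dport 443 -j MARK --set-mark 0x800FF
-A OUTPUT -o vxlan0 -p tcp --dport 22 -j MARK --set-mark 0x64
-A OUTPUT -o vxlan0 -p udp -j MARK --set-mark 0x400010
-A OUTPUT -o vxlan0 -p icmp -j MARK --set-mark 0x10000FF
EOF
}

sample_rules | gbp_audit
```

The last sample rule sets a bit outside the documented layout, which the audit reports in the unknown field rather than silently dropping.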
433
434 VETH, VXCAN Type Support
435 For a link of types VETH/VXCAN the following additional argu‐
436 ments are supported:
437
438 ip link add DEVICE type { veth | vxcan } [ peer name NAME ]
439
440
441 peer name NAME - specifies the virtual pair device name
442 of the VETH/VXCAN tunnel.
443
444
445
446 IPIP, SIT Type Support
For a link of type IPIP or SIT the following additional arguments
are supported:
449
450 ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
451 encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
452 encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
453 mode { ip6ip | ipip | mplsip | any } ] [ external ]
454
455
456 remote ADDR - specifies the remote address of the tun‐
457 nel.
458
459
460 local ADDR - specifies the fixed local address for tun‐
461 neled packets. It must be an address on another inter‐
462 face on this host.
463
464
465 encap { fou | gue | none } - specifies type of secondary
466 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
467 indicates Generic UDP Encapsulation.
468
469
470 encap-sport { PORT | auto } - specifies the source port
471 in UDP encapsulation. PORT indicates the port by num‐
472 ber, "auto" indicates that the port number should be
473 chosen automatically (the kernel picks a flow based on
474 the flow hash of the encapsulated packet).
475
476
477 [no]encap-csum - specifies if UDP checksums are enabled
478 in the secondary encapsulation.
479
480
481 [no]encap-remcsum - specifies if Remote Checksum Offload
482 is enabled. This is only applicable for Generic UDP En‐
483 capsulation.
484
485
486 mode { ip6ip | ipip | mplsip | any } - specifies mode in
487 which device should run. "ip6ip" indicates IPv6-Over-
488 IPv4, "ipip" indicates "IPv4-Over-IPv4", "mplsip" indi‐
489 cates MPLS-Over-IPv4, "any" indicates IPv6, IPv4 or MPLS
490 Over IPv4. Supported for SIT where the default is
491 "ip6ip" and IPIP where the default is "ipip".
492 IPv6-Over-IPv4 is not supported for IPIP.
493
494
495 external - make this tunnel externally controlled (e.g.
496 ip route encap).
497
498
499 GRE Type Support
500 For a link of type GRE or GRETAP the following additional argu‐
501 ments are supported:
502
ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
[ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
[ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ]
[ dev PHYS_DEV ] [ encap { fou | gue | none } ]
[ encap-sport { PORT | auto } ] [ encap-dport PORT ]
[ [no]encap-csum ] [ [no]encap-remcsum ] [ external ]
509
510
511 remote ADDR - specifies the remote address of the tun‐
512 nel.
513
514
515 local ADDR - specifies the fixed local address for tun‐
516 neled packets. It must be an address on another inter‐
517 face on this host.
518
519
520 [no][i|o]seq - serialize packets. The oseq flag enables
521 sequencing of outgoing packets. The iseq flag requires
522 that all input packets are serialized.
523
524
525 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
526 KEY is either a number or an IPv4 address-like dotted
527 quad. The key parameter specifies the same key to use
528 in both directions. The ikey and okey parameters spec‐
529 ify different keys for input and output.
530
531
532 [no][i|o]csum - generate/require checksums for tunneled
533 packets. The ocsum flag calculates checksums for outgo‐
534 ing packets. The icsum flag requires that all input
535 packets have the correct checksum. The csum flag is
536 equivalent to the combination icsum ocsum .
537
538
539 ttl TTL - specifies the TTL value to use in outgoing
540 packets.
541
542
543 tos TOS - specifies the TOS value to use in outgoing
544 packets.
545
546
547 [no]pmtudisc - enables/disables Path MTU Discovery on
548 this tunnel. It is enabled by default. Note that a
549 fixed ttl is incompatible with this option: tunneling
550 with a fixed ttl always makes pmtu discovery.
551
552
553 [no]ignore-df - enables/disables IPv4 DF suppression on
554 this tunnel. Normally datagrams that exceed the MTU
555 will be fragmented; the presence of the DF flag inhibits
556 this, resulting instead in an ICMP Unreachable (Fragmen‐
557 tation Required) message. Enabling this attribute
558 causes the DF flag to be ignored.
559
560
561 dev PHYS_DEV - specifies the physical device to use for
562 tunnel endpoint communication.
563
564
565 encap { fou | gue | none } - specifies type of secondary
566 UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
567 indicates Generic UDP Encapsulation.
568
569
570 encap-sport { PORT | auto } - specifies the source port
571 in UDP encapsulation. PORT indicates the port by num‐
572 ber, "auto" indicates that the port number should be
573 chosen automatically (the kernel picks a flow based on
574 the flow hash of the encapsulated packet).
575
576
577 [no]encap-csum - specifies if UDP checksums are enabled
578 in the secondary encapsulation.
579
580
581 [no]encap-remcsum - specifies if Remote Checksum Offload
582 is enabled. This is only applicable for Generic UDP En‐
583 capsulation.
584
585
586 external - make this tunnel externally controlled (e.g.
587 ip route encap).
588
589
590
591 IP6GRE/IP6GRETAP Type Support
592 For a link of type IP6GRE/IP6GRETAP the following additional ar‐
593 guments are supported:
594
ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local ADDR
[ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
[ hoplimit TTL ] [ encaplimit ELIM ] [ tclass TCLASS ]
[ flowlabel FLOWLABEL ] [ dscp inherit ] [ [no]allow-localremote ]
[ dev PHYS_DEV ] [ external ]
600
601
602 remote ADDR - specifies the remote IPv6 address of the
603 tunnel.
604
605
606 local ADDR - specifies the fixed local IPv6 address for
607 tunneled packets. It must be an address on another in‐
608 terface on this host.
609
610
611 [no][i|o]seq - serialize packets. The oseq flag enables
612 sequencing of outgoing packets. The iseq flag requires
613 that all input packets are serialized.
614
615
616 [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
617 KEY is either a number or an IPv4 address-like dotted
618 quad. The key parameter specifies the same key to use
619 in both directions. The ikey and okey parameters spec‐
620 ify different keys for input and output.
621
622
623 [no][i|o]csum - generate/require checksums for tunneled
624 packets. The ocsum flag calculates checksums for outgo‐
625 ing packets. The icsum flag requires that all input
626 packets have the correct checksum. The csum flag is
627 equivalent to the combination icsum ocsum.
628
629
630 hoplimit TTL - specifies Hop Limit value to use in out‐
631 going packets.
632
633
634 encaplimit ELIM - specifies a fixed encapsulation limit.
635 Default is 4.
636
637
638 flowlabel FLOWLABEL - specifies a fixed flowlabel.
639
640
641 [no]allow-localremote - specifies whether to allow re‐
642 mote endpoint to have an address configured on local
643 host.
644
645
646 tclass TCLASS - specifies the traffic class field on
647 tunneled packets, which can be specified as either a
648 two-digit hex value (e.g. c0) or a predefined string
649 (e.g. internet). The value inherit causes the field to
650 be copied from the original IP header. The values in‐
651 herit/STRING or inherit/00..ff will set the field to
652 STRING or 00..ff when tunneling non-IP packets. The de‐
653 fault value is 00.
654
655
656 external - make this tunnel externally controlled (or
657 not, which is the default). In the kernel, this is re‐
658 ferred to as collect metadata mode. This flag is mutu‐
659 ally exclusive with the remote, local, seq, key, csum,
660 hoplimit, encaplimit, flowlabel and tclass options.
661
662
663
664 IPoIB Type Support
665 For a link of type IPoIB the following additional arguments are
666 supported:
667
668 ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
669 MODE ]
670
671
672 pkey PKEY - specifies the IB P-Key to use.
673
674 mode MODE - specifies the mode (datagram or connected)
675 to use.
676
677
678 ERSPAN Type Support
679 For a link of type ERSPAN/IP6ERSPAN the following additional ar‐
680 guments are supported:
681
ip link add DEVICE type { erspan | ip6erspan } remote ADDR local ADDR
seq key KEY erspan_ver version [ erspan IDX ]
[ erspan_dir { ingress | egress } ] [ erspan_hwid hwid ]
[ [no]allow-localremote ] [ external ]
686
687
688 remote ADDR - specifies the remote address of the tun‐
689 nel.
690
691
692 local ADDR - specifies the fixed local address for tun‐
693 neled packets. It must be an address on another inter‐
694 face on this host.
695
696
697 erspan_ver version - specifies the ERSPAN version num‐
698 ber. version indicates the ERSPAN version to be cre‐
699 ated: 0 for version 0 type I, 1 for version 1 (type II)
700 or 2 for version 2 (type III).
701
702
703 erspan IDX - specifies the ERSPAN v1 index field. IDX
704 indicates a 20 bit index/port number associated with the
705 ERSPAN traffic's source port and direction.
706
707
708 erspan_dir { ingress | egress } - specifies the ERSPAN
709 v2 mirrored traffic's direction.
710
711
erspan_hwid hwid - a unique identifier of an ERSPAN v2
engine within a system. hwid is a 6-bit value for users
to configure.
715
716
717 [no]allow-localremote - specifies whether to allow re‐
718 mote endpoint to have an address configured on local
719 host.
720
721
722 external - make this tunnel externally controlled (or
723 not, which is the default). In the kernel, this is re‐
724 ferred to as collect metadata mode. This flag is mutu‐
725 ally exclusive with the remote, local, erspan_ver,
726 erspan, erspan_dir and erspan_hwid options.
727
728
729
730 GENEVE Type Support
731 For a link of type GENEVE the following additional arguments are
732 supported:
733
734 ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
735 [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
736 [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
737 [no]udp6zerocsumrx ] [ innerprotoinherit ]
738
739
740 id VNI - specifies the Virtual Network Identifier to
741 use.
742
743
744 remote IPADDR - specifies the unicast destination IP ad‐
745 dress to use in outgoing packets.
746
747
748 ttl TTL - specifies the TTL value to use in outgoing
749 packets. "0" or "auto" means use whatever default value,
750 "inherit" means inherit the inner protocol's ttl. De‐
751 fault option is "0".
752
753
754 tos TOS - specifies the TOS value to use in outgoing
755 packets.
756
757
758 df DF - specifies the usage of the Don't Fragment flag
759 (DF) bit in outgoing packets with IPv4 headers. The
760 value inherit causes the bit to be copied from the orig‐
761 inal IP header. The values unset and set cause the bit
762 to be always unset or always set, respectively. By de‐
763 fault, the bit is not set.
764
765
766 flowlabel FLOWLABEL - specifies the flow label to use in
767 outgoing packets.
768
769
770 dstport PORT - select a destination port other than the
771 default of 6081.
772
773
774 [no]external - make this tunnel externally controlled
775 (or not, which is the default). This flag is mutually
776 exclusive with the id, remote, ttl, tos and flowlabel
777 options.
778
779
780 [no]udpcsum - specifies if UDP checksum is calculated
781 for transmitted packets over IPv4.
782
783
784 [no]udp6zerocsumtx - skip UDP checksum calculation for
785 transmitted packets over IPv6.
786
787
788 [no]udp6zerocsumrx - allow incoming UDP packets over
789 IPv6 with zero checksum field.
790
791
792 innerprotoinherit - use IPv4/IPv6 as inner protocol in‐
793 stead of Ethernet.
794
795
796
797 Bareudp Type Support
798 For a link of type Bareudp the following additional arguments
799 are supported:
800
801 ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
802 srcportmin PORT ] [ [no]multiproto ]
803
804
805 dstport PORT - specifies the destination port for the
806 UDP tunnel.
807
808
809 ethertype PROTO - specifies the ethertype of the L3 pro‐
810 tocol being tunnelled. ethertype can be given as plain
811 Ethernet protocol number or using the protocol name
812 ("ipv4", "ipv6", "mpls_uc", etc.).
813
814
815 srcportmin PORT - selects the lowest value of the UDP
816 tunnel source port range.
817
818
819 [no]multiproto - activates support for protocols similar
820 to the one specified by ethertype. When ethertype is
821 "mpls_uc" (that is, unicast MPLS), this allows the tun‐
822 nel to also handle multicast MPLS. When ethertype is
823 "ipv4", this allows the tunnel to also handle IPv6. This
824 option is disabled by default.
825
826
827 AMT Type Support
828 For a link of type AMT the following additional arguments are
829 supported:
830
ip link add DEVICE type amt discovery IPADDR mode { gateway | relay }
local IPADDR dev PHYS_DEV [ relay_port PORT ] [ gateway_port PORT ]
[ max_tunnels NUMBER ]
834
835
836 discovery IPADDR - specifies the unicast discovery IP
837 address to use to find remote IP address.
838
839 mode { gateway | relay } - specifies the role of AMT,
840 Gateway or Relay
841
842 local IPADDR - specifies the source IP address to use in
843 outgoing packets.
844
845 dev PHYS_DEV - specifies the underlying physical inter‐
846 face from which transform traffic is sent and received.
847
848 relay_port PORT - specifies the UDP Relay port to commu‐
849 nicate to the Relay.
850
851 gateway_port PORT - specifies the UDP Gateway port to
852 communicate to the Gateway.
853
854 max_tunnels NUMBER - specifies the maximum number of
855 tunnels.
856
857
858
859 MACVLAN and MACVTAP Type Support
860 For a link of type MACVLAN or MACVTAP the following additional
861 arguments are supported:
862
863 ip link add link DEVICE name NAME type { macvlan | macvtap }
864 mode { private | vepa | bridge | passthru [ nopromisc ] |
865 source [ nodst ] } [ bcqueuelen { LENGTH } ]
866
867
868 type { macvlan | macvtap } - specifies the link type to
869 use. macvlan creates just a virtual interface, while
870 macvtap in addition creates a character device /dev/tapX
871 to be used just like a tuntap device.
872
873 mode private - Do not allow communication between
874 macvlan instances on the same physical interface, even
875 if the external switch supports hairpin mode.
876
877 mode vepa - Virtual Ethernet Port Aggregator mode. Data
878 from one macvlan instance to the other on the same phys‐
879 ical interface is transmitted over the physical inter‐
880 face. Either the attached switch needs to support hair‐
881 pin mode, or there must be a TCP/IP router forwarding
882 the packets in order to allow communication. This is the
883 default mode.
884
885 mode bridge - In bridge mode, all endpoints are directly
886 connected to each other, communication is not redirected
887 through the physical interface's peer.
888
889 mode passthru [ nopromisc ] - This mode gives more power
890 to a single endpoint, usually in macvtap mode. It is not
891 allowed for more than one endpoint on the same physical
892 interface. All traffic will be forwarded to this end‐
893 point, allowing virtio guests to change MAC address or
894 set promiscuous mode in order to bridge the interface or
895 create vlan interfaces on top of it. By default, this
896 mode forces the underlying interface into promiscuous
897 mode. Passing the nopromisc flag prevents this, so the
898 promisc flag may be controlled using standard tools.
899
mode source [ nodst ] - allows one to set a list of allowed
MAC addresses, which is used to match against the source
MAC address of frames received on the underlying interface.
This allows creating MAC-based VLAN associations
instead of the standard port- or tag-based ones. The feature
is useful for deploying 802.1x MAC-based behavior where
drivers of the underlying interfaces do not allow that. By
default, packets are also considered (duplicated) for
destination-based MACVLAN. Passing the nodst flag stops
matching packets from also going through the
destination-based flow.
911
912 bcqueuelen { LENGTH } - Set the length of the RX queue
913 used to process broadcast and multicast packets. LENGTH
914 must be a positive integer in the range [0-4294967295].
915 Setting a length of 0 will effectively drop all broad‐
916 cast/multicast traffic. If not specified the macvlan
917 driver default (1000) is used. Note that all macvlans
918 that share the same underlying device are using the same
919 queue. The parameter here is a request, the actual queue
920 length used will be the maximum length that any macvlan
921 interface has requested. When listing device parameters
922 both the bcqueuelen parameter as well as the actual used
923 bcqueuelen are listed to better help the user understand
924 the setting.
925
926
927 High-availability Seamless Redundancy (HSR) Support
928 For a link of type HSR the following additional arguments are
929 supported:
930
ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
[ proto { 0 | 1 } ]
934
935
936 type hsr - specifies the link type to use, here HSR.
937
938 slave1 SLAVE1-IF - Specifies the physical device used
939 for the first of the two ring ports.
940
941 slave2 SLAVE2-IF - Specifies the physical device used
942 for the second of the two ring ports.
943
944 supervision ADDR-BYTE - The last byte of the multicast
945 address used for HSR supervision frames. Default option
946 is "0", possible values 0-255.
947
948 version { 0 | 1 } - Selects the protocol version of the
949 interface. Default option is "0", which corresponds to
950 the 2010 version of the HSR standard. Option "1" acti‐
951 vates the 2012 version.
952
953 proto { 0 | 1 } - Selects the protocol at the interface.
954 Default option is "0", which corresponds to the HSR
955 standard. Option "1" activates the Parallel Redundancy
956 Protocol (PRP).
957
958
959 BRIDGE Type Support
960 For a link of type BRIDGE the following additional arguments are
961 supported:
962
ip link add DEVICE type bridge
[ ageing_time AGEING_TIME ]
[ group_fwd_mask MASK ]
[ group_address ADDRESS ]
[ forward_delay FORWARD_DELAY ]
[ hello_time HELLO_TIME ]
[ max_age MAX_AGE ]
[ stp_state STP_STATE ]
[ priority PRIORITY ]
[ vlan_filtering VLAN_FILTERING ]
[ vlan_protocol VLAN_PROTOCOL ]
[ vlan_default_pvid VLAN_DEFAULT_PVID ]
[ vlan_stats_enabled VLAN_STATS_ENABLED ]
[ vlan_stats_per_port VLAN_STATS_PER_PORT ]
[ mcast_snooping MULTICAST_SNOOPING ]
[ mcast_vlan_snooping MULTICAST_VLAN_SNOOPING ]
[ mcast_router MULTICAST_ROUTER ]
[ mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR ]
[ mcast_querier MULTICAST_QUERIER ]
[ mcast_hash_elasticity HASH_ELASTICITY ]
[ mcast_hash_max HASH_MAX ]
[ mcast_last_member_count LAST_MEMBER_COUNT ]
[ mcast_startup_query_count STARTUP_QUERY_COUNT ]
[ mcast_last_member_interval LAST_MEMBER_INTERVAL ]
[ mcast_membership_interval MEMBERSHIP_INTERVAL ]
[ mcast_querier_interval QUERIER_INTERVAL ]
[ mcast_query_interval QUERY_INTERVAL ]
[ mcast_query_response_interval QUERY_RESPONSE_INTERVAL ]
[ mcast_startup_query_interval STARTUP_QUERY_INTERVAL ]
[ mcast_stats_enabled MCAST_STATS_ENABLED ]
[ mcast_igmp_version IGMP_VERSION ]
[ mcast_mld_version MLD_VERSION ]
[ nf_call_iptables NF_CALL_IPTABLES ]
[ nf_call_ip6tables NF_CALL_IP6TABLES ]
[ nf_call_arptables NF_CALL_ARPTABLES ]
985
986
987 ageing_time AGEING_TIME - configure the bridge's FDB en‐
988 tries ageing time, ie the number of seconds a MAC ad‐
989 dress will be kept in the FDB after a packet has been
990 received from that address. After this time has passed,
991 entries are cleaned up.
992
993 group_fwd_mask MASK - set the group forward mask. This
994 is the bitmask that is applied to decide whether to for‐
995 ward incoming frames destined to link-local addresses,
996 ie addresses of the form 01:80:C2:00:00:0X (defaults to
997 0, ie the bridge does not forward any link-local
998 frames).
999
1000 group_address ADDRESS - set the MAC address of the mul‐
1001 ticast group this bridge uses for STP. The address must
1002 be a link-local address in standard Ethernet MAC address
1003 format, ie an address of the form 01:80:C2:00:00:0X,
1004 with X in [0, 4..f].
1006
1007 forward_delay FORWARD_DELAY - set the forwarding delay
1008 in seconds, ie the time spent in LISTENING state (before
1009 moving to LEARNING) and in LEARNING state (before moving
1010 to FORWARDING). Only relevant if STP is enabled. Valid
1011 values are between 2 and 30.
1012
1013 hello_time HELLO_TIME - set the time in seconds between
1014 hello packets sent by the bridge, when it is a root
1015 bridge or a designated bridge. Only relevant if STP is
1016 enabled. Valid values are between 1 and 10.
1017
1018 max_age MAX_AGE - set the hello packet timeout, ie the
1019 time in seconds until another bridge in the spanning
1020 tree is assumed to be dead, after reception of its last
1021 hello message. Only relevant if STP is enabled. Valid
1022 values are between 6 and 40.
1023
1024 stp_state STP_STATE - turn spanning tree protocol on
1025 (STP_STATE > 0) or off (STP_STATE == 0) for this
1026 bridge.
1027
1028 priority PRIORITY - set this bridge's spanning tree pri‐
1029 ority, used during STP root bridge election. PRIORITY
1030 is a 16bit unsigned integer.
1031
1032 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
1033 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
1034 disabled, the bridge will not consider the VLAN tag when
1035 handling packets.
1036
1037 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
1038 used for VLAN filtering.
1039
1040 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
1041 PVID (native/untagged VLAN ID) for this bridge.
1042
1043 vlan_stats_enabled VLAN_STATS_ENABLED - enable
1044 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
1045 == 0) per-VLAN stats accounting.
1046
1047 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
1048 (VLAN_STATS_PER_PORT == 1) or disable
1049 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
1050 counting. Can be changed only when there are no port
1051 VLANs configured.
1052
1053 mcast_snooping MULTICAST_SNOOPING - turn multicast
1054 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
1055 CAST_SNOOPING == 0).
1056
1057 mcast_vlan_snooping MULTICAST_VLAN_SNOOPING - turn mul‐
1058 ticast VLAN snooping on (MULTICAST_VLAN_SNOOPING > 0) or
1059 off (MULTICAST_VLAN_SNOOPING == 0).
1060
1061 mcast_router MULTICAST_ROUTER - set bridge's multicast
1062 router if IGMP snooping is enabled. MULTICAST_ROUTER is
1063 an integer value having the following meaning:
1064
1065 0 - disabled.
1066
1067 1 - automatic (queried).
1068
1069 2 - permanently enabled.
1070
1071 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1072 to use the bridge's own IP address as source address for
1073 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1074 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1075
1076 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1077 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1078 IGMP querier, ie sending of multicast queries by the
1079 bridge (default: disabled).
1080
1081 mcast_querier_interval QUERIER_INTERVAL - interval between
1082 queries sent by other routers. If no queries are
1083 seen after this delay has passed, the bridge will start
1084 to send its own queries (as if mcast_querier was en‐
1085 abled).
1086
1087 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1088 database hash elasticity, ie the maximum chain length in
1089 the multicast hash table (defaults to 4).
1090
1091 mcast_hash_max HASH_MAX - set maximum size of multicast
1092 hash table (defaults to 512, value must be a power of
1093 2).
1094
1095 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1096 cast last member count, ie the number of queries the
1097 bridge will send before stopping forwarding a multicast
1098 group after a "leave" message has been received (de‐
1099 faults to 2).
1100
1101 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1102 val between queries to find remaining members of a
1103 group, after a "leave" message is received.
1104
1105 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1106 number of IGMP queries to send during startup phase (de‐
1107 faults to 2).
1108
1109 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1110 interval between queries in the startup phase.
1111
1112 mcast_query_interval QUERY_INTERVAL - interval between
1113 queries sent by the bridge after the end of the startup
1114 phase.
1115
1116 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1117 set the Max Response Time/Maximum Response Delay for
1118 IGMP/MLD queries sent by the bridge.
1119
1120 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1121 after which the bridge will leave a group, if no member‐
1122 ship reports for this group are received.
1123
1124 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1125 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1126 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1127
1128 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1129
1130 mcast_mld_version MLD_VERSION - set the MLD version.
1131
1132 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1133 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1134 hooks on the bridge.
1135
1136 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1137 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1138 0) ip6tables hooks on the bridge.
1139
1140 nf_call_arptables NF_CALL_ARPTABLES - enable
1141 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1142 0) arptables hooks on the bridge.
1143
1144
1145
1146
1147 MACsec Type Support
1148 For a link of type MACsec the following additional arguments are
1149 supported:
1150
1151 ip link add link DEVICE name NAME type macsec [ [ address
1152 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1153 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1154 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1155 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1156 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1157 ]
1158
1159
1160 address <lladdr> - sets the system identifier component
1161 of secure channel for this MACsec device.
1162
1163
1164 port PORT - sets the port number component of secure
1165 channel for this MACsec device, in a range from 1 to
1166 65535 inclusive. Numbers with a leading "0" or "0x"
1167 are interpreted as octal and hexadecimal, respectively.
1168
1169
1170 sci SCI - sets the secure channel identifier for this
1171 MACsec device. SCI is a 64bit wide number in hexadeci‐
1172 mal format.
1173
1174
1175 cipher CIPHER_SUITE - defines the cipher suite to use.
1176
1177
1178 icvlen LENGTH - sets the length of the Integrity Check
1179 Value (ICV).
1180
1181
1182 encrypt on or encrypt off - switches between authenti‐
1183 cated encryption, or authenticity mode only.
1184
1185
1186 send_sci on or send_sci off - specifies whether the SCI
1187 is included in every packet, or only when it is neces‐
1188 sary.
1189
1190
1191 end_station on or end_station off - sets the End Station
1192 bit.
1193
1194
1195 scb on or scb off - sets the Single Copy Broadcast bit.
1196
1197
1198 protect on or protect off - enables MACsec protection on
1199 the device.
1200
1201
1202 replay on or replay off - enables replay protection on
1203 the device.
1204
1205
1206
1207 window SIZE - sets the size of the replay win‐
1208 dow.
1209
1210
1211
1212 validate strict or validate check or validate disabled -
1213 sets the validation mode on the device.
1214
1215
1216 encodingsa AN - sets the active secure association for
1217 transmission.
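A pre-flight check for the MACsec arguments above, as an added example that is not part of the man page or of iproute2. The function names macsec_check, to_int and in_range are hypothetical; the ranges and the octal/hexadecimal reading of PORT come from the text above, and nothing is assumed about defaults.

```shell
#!/bin/sh
# Added example: validate "type macsec" arguments before running ip link add,
# and flag values that weaken the protection the options above describe.

# to_int VALUE: print VALUE in decimal the way the page says PORT is read
# (leading 0 = octal, leading 0x = hexadecimal). Fails on anything else.
to_int() (
    case $1 in
        0[xX]*) d=${1#0[xX]}
                case $d in ''|*[!0-9a-fA-F]*) exit 1 ;; esac ;;
        0?*)    case $1 in *[!0-7]*) exit 1 ;; esac ;;
        *)      case $1 in ''|*[!0-9]*) exit 1 ;; esac ;;
    esac
    echo $(( $1 ))
)

# in_range VALUE MIN MAX: true if VALUE is a decimal number in [MIN, MAX].
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# macsec_check KEY VALUE [KEY VALUE ...]
# Prints one ERROR/WARN/NOTE line per finding; exit status 1 if any ERROR.
macsec_check() (
    rc=0
    err() { echo "ERROR: $*"; rc=1; }
    while [ $# -ge 2 ]; do
        key=$1 val=$2; shift 2
        case $key in
        port)
            if n=$(to_int "$val") && [ "$n" -ge 1 ] && [ "$n" -le 65535 ]; then
                # 010 is port 8, not 10: make the interpretation visible.
                [ "$n" = "$val" ] || echo "NOTE: port $val is read as $n"
            else
                err "port $val is not a number in 1..65535"
            fi ;;
        icvlen)     in_range "$val" 8 16 || err "icvlen $val outside 8..16" ;;
        window)     in_range "$val" 0 4294967295 || err "window $val outside 0..2^32-1" ;;
        encodingsa) in_range "$val" 0 3 || err "encodingsa $val outside 0..3" ;;
        encrypt|protect|replay|send_sci|end_station|scb)
            case $val in
                on|off) ;;
                *) err "$key takes on or off, got $val"; continue ;;
            esac
            case "$key=$val" in
                encrypt=off) echo "WARN: encrypt off: authenticity mode only, no encryption" ;;
                protect=off) echo "WARN: protect off: MACsec protection is disabled" ;;
                replay=off)  echo "WARN: replay off: replay protection is disabled" ;;
            esac ;;
        validate)
            case $val in
                strict) ;;
                check|disabled) echo "WARN: validate $val: validation mode is not strict" ;;
                *) err "validate takes strict, check or disabled, got $val" ;;
            esac ;;
        address|sci|cipher) ;;  # accepted without checks in this example
        *) err "unknown macsec argument $key" ;;
        esac
    done
    [ $# -eq 0 ] || err "argument $1 has no value"
    exit $rc
)
```

Call it with the same words that would follow "type macsec", for example macsec_check port 010 encrypt on replay on window 32 validate strict.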
1218
1219
1220
1221 VRF Type Support
1222 For a link of type VRF the following additional arguments are
1223 supported:
1224
1225 ip link add DEVICE type vrf table TABLE
1226
1227
1228 table TABLE - table id associated with the VRF device.
1229
1230
1231
1232 RMNET Type Support
1233 For a link of type RMNET the following additional arguments are
1234 supported:
1235
1236 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1237
1238
1239 mux_id MUXID - specifies the mux identifier for the rm‐
1240 net device, possible values 1-254.
1241
1242
1243
1244 XFRM Type Support
1245 For a link of type XFRM the following additional arguments are
1246 supported:
1247
1248 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ]
1249
1250
1251 dev PHYS_DEV - specifies the underlying physical inter‐
1252 face from which transform traffic is sent and received.
1253
1254
1255 if_id IF_ID - specifies the hexadecimal lookup key used
1256 to send traffic to and from specific xfrm policies.
1257 Policies must be configured with the same key. If not
1258 set, the key defaults to 0 and will match any policies
1259 which similarly do not have a lookup key configuration.
1260
1261
1262
1263 GTP Type Support
1264 For a link of type GTP the following additional arguments are
1265 supported:
1266
1267 ip link add DEVICE type gtp role ROLE hsize HSIZE
1268
1269
1270 role ROLE - specifies the role of the GTP device, either
1271 sgsn or ggsn
1272
1273
1274 hsize HSIZE - specifies size of the hashtable which
1275 stores PDP contexts
1276
1277
1278 restart_count RESTART_COUNT - GTP instance restart
1279 counter
1280
1281
1282
1283 ip link delete - delete virtual link
1284 dev DEVICE
1285 specifies the virtual device to operate on.
1286
1287
1288 group GROUP
1289 specifies the group of virtual links to delete. Group 0 is not
1290 allowed to be deleted since it is the default group.
1291
1292
1293 type TYPE
1294 specifies the type of the device.
1295
1296
1297 ip link set - change device attributes
1298 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1299 ately after any of the changes have failed. This is the only case when
1300 ip can move the system to an unpredictable state. The solution is to
1301 avoid changing several parameters with one ip link set call. The modi‐
1302 fier change is equivalent to set.
1303
1304
1305
1306 dev DEVICE
1307 DEVICE specifies network device to operate on. When configuring
1308 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1309 ify the associated Physical Function (PF) device.
1310
1311
1312 group GROUP
1313 GROUP has a dual role: If both group and dev are present, then
1314 move the device to the specified group. If only a group is spec‐
1315 ified, then the command operates on all devices in that group.
1316
1317
1318 up and down
1319 change the state of the device to UP or DOWN.
1320
1321
1322 arp on or arp off
1323 change the NOARP flag on the device.
1324
1325
1326 multicast on or multicast off
1327 change the MULTICAST flag on the device.
1328
1329
1330 allmulticast on or allmulticast off
1331 change the ALLMULTI flag on the device. When enabled, instructs
1332 network driver to retrieve all multicast packets from the net‐
1333 work to the kernel for further processing.
1334
1335
1336 promisc on or promisc off
1337 change the PROMISC flag on the device. When enabled, activates
1338 promiscuous operation of the network device.
1339
1340
1341 trailers on or trailers off
1342 change the NOTRAILERS flag on the device. It is NOT used by Linux
1343 and exists for BSD compatibility.
1344
1345
1346 protodown on or protodown off
1347 change the PROTODOWN state on the device. Indicates that a pro‐
1348 tocol error has been detected on the port. Switch drivers can
1349 react to this error by doing a phys down on the switch port.
1350
1351
1352 protodown_reason PREASON on or off
1353 set PROTODOWN reasons on the device. Protodown reason bit names
1354 can be enumerated under /etc/iproute2/protodown_reasons.d/.
1355 Possible reason bits are 0-31.
1356
1357
1358 dynamic on or dynamic off
1359 change the DYNAMIC flag on the device. Indicates that the address
1360 can change when the interface goes down (currently NOT used by
1361 Linux).
1362
1363
1364 name NAME
1365 change the name of the device. This operation is not recommended
1366 if the device is running or has some addresses already config‐
1367 ured.
1368
1369
1370 txqueuelen NUMBER
1371
1372 txqlen NUMBER
1373 change the transmit queue length of the device.
1374
1375
1376 mtu NUMBER
1377 change the MTU of the device.
1378
1379
1380 address LLADDRESS
1381 change the station address of the interface.
1382
1383
1384 broadcast LLADDRESS
1385
1386 brd LLADDRESS
1387
1388 peer LLADDRESS
1389 change the link layer broadcast address or the peer address when
1390 the interface is POINTOPOINT.
1391
1392
1393 netns NETNSNAME | PID
1394 move the device to the network namespace associated with name
1395 NETNSNAME or process PID.
1396
1397 Some devices are not allowed to change network namespace:
1398 loopback, bridge, wireless. These are network namespace local
1399 devices. In such a case the ip tool will return an "Invalid
1400 argument" error. It is possible to find out if a device is local
1401 to a single network namespace by checking the netns-local flag in
1402 the output of ethtool:
1403
1404 ethtool -k DEVICE
1405
1406 To change network namespace for wireless devices the iw tool can
1407 be used. But it allows one to change network namespace only for
1408 physical devices and by process PID.
1409
1410
1411 alias NAME
1412 give the device a symbolic name for easy reference.
1413
1414
1415 group GROUP
1416 specify the group the device belongs to. The available groups
1417 are listed in file /etc/iproute2/group.
1418
1419
1420 vf NUM specify a Virtual Function device to be configured. The associ‐
1421 ated PF device must be specified using the dev parameter.
1422
1423 mac LLADDRESS - change the station address for the spec‐
1424 ified VF. The vf parameter must be specified.
1425
1426
1427 vlan VLANID - change the assigned VLAN for the specified
1428 VF. When specified, all traffic sent from the VF will be
1429 tagged with the specified VLAN ID. Incoming traffic will
1430 be filtered for the specified VLAN ID, and will have all
1431 VLAN tags stripped before being passed to the VF. Set‐
1432 ting this parameter to 0 disables VLAN tagging and fil‐
1433 tering. The vf parameter must be specified.
1434
1435
1436 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1437 VLAN tag. When specified, all VLAN tags transmitted by
1438 the VF will include the specified priority bits in the
1439 VLAN tag. If not specified, the value is assumed to be
1440 0. Both the vf and vlan parameters must be specified.
1441 Setting both vlan and qos as 0 disables VLAN tagging and
1442 filtering for the VF.
1443
1444
1445 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1446 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1447 traffic sent from the VF will be tagged with VLAN S-Tag.
1448 Incoming traffic will have VLAN S-Tags stripped before
1449 being passed to the VF. Setting to 802.1ad also enables
1450 an option to concatenate another VLAN tag, so both S-TAG
1451 and C-TAG will be inserted/stripped for outgoing/incom‐
1452 ing traffic, respectively. If not specified, the value
1453 is assumed to be 802.1Q. Both the vf and vlan parameters
1454 must be specified.
1455
1456
1457 rate TXRATE - change the allowed transmit bandwidth, in
1458 Mbps, for the specified VF. Setting this parameter to 0
1459 disables rate limiting. The vf parameter must be
1460 specified. Please use the new API max_tx_rate option instead.
1461
1462
1463 max_tx_rate TXRATE - change the allowed maximum transmit
1464 bandwidth, in Mbps, for the specified VF. Setting this
1465 parameter to 0 disables rate limiting. vf parameter
1466 must be specified.
1467
1468
1469 min_tx_rate TXRATE - change the allowed minimum transmit
1470 bandwidth, in Mbps, for the specified VF. Minimum
1471 TXRATE should always be <= Maximum TXRATE. Setting this
1472 parameter to 0 disables rate limiting. vf parameter
1473 must be specified.
1474
1475
1476 spoofchk on|off - turn packet spoof checking on or off
1477 for the specified VF.
1478
1479 query_rss on|off - toggle the ability of querying the
1480 RSS configuration of a specific VF. VF RSS information
1481 like RSS hash key may be considered sensitive on some
1482 devices where this information is shared between VF and
1483 PF and thus its querying may be prohibited by default.
1484
1485 state auto|enable|disable - set the virtual link state
1486 as seen by the specified VF. Setting to auto means a
1487 reflection of the PF link state, enable lets the VF
1488 communicate with other VFs on this host even if the PF
1489 link state is down, disable causes the HW to drop any
1490 packets sent by the VF.
1491
1492 trust on|off - trust the specified VF user. This allows
1493 the VF user to set a specific feature which may impact
1494 security and/or performance (e.g. VF multicast
1495 promiscuous mode).
1496
1497 node_guid eui64 - configure node GUID for Infiniband
1498 VFs.
1499
1500 port_guid eui64 - configure port GUID for Infiniband
1501 VFs.
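An audit of the VF settings described above, as an added example that is not part of the man page or of iproute2. The function name vf_audit and the sample text are constructed, and the layout of the per-VF lines in ip link show output is an assumption that varies between iproute2 versions; each finding is paired with the corrective command in the syntax documented above.

```shell
#!/bin/sh
# Added example: read "ip link show" output on stdin and report VFs whose
# spoofchk, trust or query_rss setting relaxes the isolation of the VF.

# Constructed sample (not captured from a real host). The per-VF line format
# is an assumption of this example.
SAMPLE_VF_OUTPUT='4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:aa:01:00 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 52:54:00:aa:01:01 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state enable, trust on, query_rss on
    vf 2     link/ether 52:54:00:aa:01:02 brd ff:ff:ff:ff:ff:ff, vlan 200, spoof checking on, link-state auto, trust on, query_rss off'

# vf_audit: prints "PF vf N: finding -> fix command" per finding.
# Exit status is 1 when at least one finding was printed, 0 otherwise.
vf_audit() {
    awk '
    # Interface header line: remember the PF name (strip ":" and "@peer").
    /^[0-9]+: / {
        pf = $2; sub(/:$/, "", pf); sub(/@.*$/, "", pf); next
    }
    # One line per VF, indented under the PF that owns it.
    $1 == "vf" && $2 ~ /^[0-9]+$/ {
        vfid = $2
        fix = "ip link set dev " pf " vf " vfid
        if ($0 ~ /spoof checking off/) report("spoof checking off", fix " spoofchk on")
        if ($0 ~ /trust on/)           report("trust on", fix " trust off")
        if ($0 ~ /query_rss on/)       report("query_rss on", fix " query_rss off")
    }
    function report(what, cmd) {
        printf "%s vf %s: %s -> %s\n", pf, vfid, what, cmd
        bad++
    }
    END { exit (bad > 0) }
    '
}
```

On a host, feed it live data with ip link show | vf_audit; the printed commands are suggestions to review, since a VF may have trust enabled on purpose.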
1502
1503
1504 xdp object | pinned | off
1505 set (or unset) an XDP ("eXpress Data Path") BPF program to run
1506 on every packet at driver level. ip link output will indicate an
1507 xdp flag for the networking device. If the driver does not have
1508 native XDP support, the kernel will fall back to a slower,
1509 driver-independent "generic" XDP variant. The ip link output
1510 will in that case indicate xdpgeneric instead of xdp only. If
1511 the driver does have native XDP support, but the program is
1512 loaded under xdpgeneric object | pinned, then the kernel will
1513 use the generic XDP variant instead of the native one. xdpdrv
1514 has the opposite effect: it requests that the automatic fallback
1515 to the generic XDP variant be disabled, so that an error is
1516 returned if the driver is not XDP-capable. xdpdrv also disables
1517 hardware offloads. xdpoffload in ip link output indicates that
1518 the program has been offloaded to hardware. It can also be used
1519 to request the "offload" mode: much like xdpgeneric, it forces
1520 the program to be installed specifically in the HW/FW of the adapter.
1521
1522 off (or none) - Detaches any currently attached XDP/BPF program
1523 from the given device.
1524
1525 object FILE - Attaches an XDP/BPF program to the given device.
1526 The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1527 contains the BPF program code, map specifications, etc. If an
1528 XDP/BPF program is already attached to the given device, an
1529 error will be thrown. If no XDP/BPF program is currently
1530 attached, the device supports XDP and the program from the BPF
1531 ELF file passes the kernel verifier, then it will be attached to
1532 the device. If the option -force is passed to ip, then any
1533 previously attached XDP/BPF program will be atomically
1534 overridden and no error will be thrown in this case. If no
1535 section option is passed, then the default section name ("prog")
1536 will be assumed, otherwise the provided section name will be
1537 used. If no verbose option is passed, then a verifier log will
1538 only be dumped on load error. See also the EXAMPLES section.
1539
1540 section NAME - Specifies a section name that contains the BPF
1541 program code. If no section name is specified, the default one
1542 ("prog") will be used. This option is to be passed with the ob‐
1543 ject option.
1544
1545 verbose - Act in verbose mode. For example, even in case of suc‐
1546 cess, this will print the verifier log in case a program was
1547 loaded from a BPF ELF file.
1548
1549 pinned FILE - Attaches an XDP/BPF program to the given device.
1550 The FILE points to an already pinned BPF program in the BPF file
1551 system. The option section doesn't apply here, but otherwise the
1552 semantics are the same as with the option object described
1553 already.
1554
1555
1556 master DEVICE
1557 set master device of the device (enslave device).
1558
1559
1560 nomaster
1561 unset master device of the device (release device).
1562
1563
1564 addrgenmode eui64|none|stable_secret|random
1565 set the IPv6 address generation mode
1566
1567 eui64 - use a Modified EUI-64 format interface identifier
1568
1569 none - disable automatic address generation
1570
1571 stable_secret - generate the interface identifier based on a
1572 preset
1573 /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1574
1575 random - like stable_secret, but auto-generate a new random se‐
1576 cret if none is set
1577
1578
1579 link-netnsid
1580 set peer netnsid for a cross-netns interface
1581
1582
1583 type ETYPE TYPE_ARGS
1584 Change type-specific settings. For a list of supported types and
1585 arguments refer to the description of ip link add above. In ad‐
1586 dition to that, it is possible to manipulate settings to slave
1587 devices:
1588
1589
1590 Bridge Slave Support
1591 For a link with master bridge the following additional arguments
1592 are supported:
1593
1594 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1595 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1596 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1597 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1598 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1599 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off } ] [
1600 bcast_flood { on | off } ] [ mcast_flood { on | off } ] [
1601 mcast_to_unicast { on | off } ] [ group_fwd_mask MASK ] [
1602 neigh_suppress { on | off } ] [ vlan_tunnel { on | off } ] [
1603 isolated { on | off } ] [ locked { on | off } ] [ backup_port
1604 DEVICE ] [ nobackup_port ]
1605
1606
1607 fdb_flush - flush bridge slave's fdb dynamic entries.
1608
1609 state STATE - Set port state. STATE is a number repre‐
1610 senting the following states: 0 (disabled), 1 (listen‐
1611 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1612
1613 priority PRIO - set port priority (allowed values are
1614 between 0 and 63, inclusively).
1615
1616 cost COST - set port cost (allowed values are between 1
1617 and 65535, inclusively).
1618
1619 guard { on | off } - block incoming BPDU packets on this
1620 port.
1621
1622 hairpin { on | off } - enable hairpin mode on this port.
1623 This will allow incoming packets on this port to be re‐
1624 flected back.
1625
1626 fastleave { on | off } - enable multicast fast leave on
1627 this port.
1628
1629 root_block { on | off } - block this port from becoming
1630 the bridge's root port.
1631
1632 learning { on | off } - allow MAC address learning on
1633 this port.
1634
1635 flood { on | off } - open the flood gates on this port,
1636 i.e. forward all unicast frames to this port also. Re‐
1637 quires proxy_arp and proxy_arp_wifi to be turned off.
1638
1639 proxy_arp { on | off } - enable proxy ARP on this port.
1640
1641 proxy_arp_wifi { on | off } - enable proxy ARP on this
1642 port which meets extended requirements by IEEE 802.11
1643 and Hotspot 2.0 specifications.
1644
1645 mcast_router MULTICAST_ROUTER - configure this port for
1646 having multicast routers attached. A port with a multi‐
1647 cast router will receive all multicast traffic. MULTI‐
1648 CAST_ROUTER may be either 0 to disable multicast routers
1649 on this port, 1 to let the system detect the presence of
1650 routers (this is the default), 2 to permanently enable
1651 multicast traffic forwarding on this port or 3 to enable
1652 multicast routers temporarily on this port, not depend‐
1653 ing on incoming queries.
1654
1655 mcast_fast_leave { on | off } - this is a synonym to the
1656 fastleave option above.
1657
1658 bcast_flood { on | off } - controls flooding of broad‐
1659 cast traffic on the given port. By default this flag is
1660 on.
1661
1662 mcast_flood { on | off } - controls whether a given port
1663 will flood multicast traffic for which there is no MDB
1664 entry. By default this flag is on.
1665
1666 mcast_to_unicast { on | off } - controls whether a given
1667 port will replicate packets using unicast instead of
1668 multicast. By default this flag is off.
1669
1670 group_fwd_mask MASK - set the group forward mask. This
1671 is the bitmask that is applied to decide whether to for‐
1672 ward incoming frames destined to link-local addresses,
1673 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1674 0, ie the bridge does not forward any link-local frames
1675 coming on this port).
1676
1677 neigh_suppress { on | off } - controls whether neigh
1678 discovery (arp and nd) proxy and suppression is enabled
1679 on the port. By default this flag is off.
1680
1681 vlan_tunnel { on | off } - controls whether vlan to tun‐
1682 nel mapping is enabled on the port. By default this flag
1683 is off.
1684
1685 locked { on | off } - sets or unsets a port in locked
1686 mode, so that when enabled, hosts behind the port cannot
1687 communicate through the port unless a FDB entry repre‐
1688 senting the host is in the FDB. By default this flag is
1689 off.
1690
1691 backup_port DEVICE - if the port loses carrier all traf‐
1692 fic will be redirected to the configured backup port
1693
1694 nobackup_port - removes the currently configured backup
1695 port
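The warning at the start of ip link set (a multi-parameter call aborts at the first failure and can leave a partly changed device) applied to the bridge port options above, as an added example that is not part of the man page or of iproute2. The names apply_each and IP_BIN are hypothetical; the function issues one ip link set call per attribute and reports exactly what took effect.

```shell
#!/bin/sh
# Added example: change bridge_slave attributes one call at a time so that a
# failure leaves a known, reportable state instead of an unpredictable one.

# IP_BIN is an assumption of this example: the command used to invoke ip.
# Overriding it lets the logic be exercised without touching real devices.
IP_BIN=${IP_BIN:-ip}

# apply_each DEV KEY VALUE [KEY VALUE ...]
# Runs: ip link set dev DEV type bridge_slave KEY VALUE, once per pair.
# Stops at the first failing pair and prints which settings were applied
# and which were never attempted. Exit status 1 on failure, 0 otherwise.
# Options without a value (fdb_flush, nobackup_port) are out of scope here.
apply_each() (
    dev=$1; shift
    applied=
    while [ $# -ge 2 ]; do
        key=$1 val=$2; shift 2
        if $IP_BIN link set dev "$dev" type bridge_slave "$key" "$val"; then
            applied="$applied $key=$val"
        else
            # Collect everything that was not attempted after the failure.
            pending=
            while [ $# -ge 2 ]; do
                pending="$pending $1=$2"; shift 2
            done
            echo "failed: $key=$val applied:${applied:- none} pending:${pending:- none}"
            exit 1
        fi
    done
    echo "ok applied:${applied:- none}"
)

# Typical use on a port facing untrusted hosts (swp1 is a placeholder name):
#   apply_each swp1 guard on root_block on
```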
1696
1697
1698
1699 Bonding Slave Support
1700 For a link with master bond the following additional arguments
1701 are supported:
1702
1703 ip link set type bond_slave [ queue_id ID ]
1704
1705
1706 queue_id ID - set the slave's queue ID (a 16bit unsigned
1707 value).
1708
1709
1710
1711 MACVLAN and MACVTAP Support
1712 Modify list of allowed macaddr for link in source mode.
1713
1714 ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
1715 ... ]
1716
1717 Commands:
1718 add - add MACADDR to allowed list
1719
1720 set - replace allowed list
1721
1722 del - remove MACADDR from allowed list
1723
1724 flush - flush whole allowed list
1725
1726
1727 Update the broadcast/multicast queue length.
1728
1729 ip link set type { macvlan | macvtap } [ bcqueuelen LENGTH ]
1730
1731 bcqueuelen LENGTH - Set the length of the RX queue used
1732 to process broadcast and multicast packets. LENGTH must
1733 be a positive integer in the range [0-4294967295]. Set‐
1734 ting a length of 0 will effectively drop all broad‐
1735 cast/multicast traffic. If not specified the macvlan
1736 driver default (1000) is used. Note that all macvlans
1737 that share the same underlying device are using the same
1738 queue. The parameter here is a request, the actual queue
1739 length used will be the maximum length that any macvlan
1740 interface has requested. When listing device parameters
1741 both the bcqueuelen parameter as well as the actual used
1742 bcqueuelen are listed to better help the user understand
1743 the setting.
1744
1745
1746 ip link show - display device attributes
1747 dev NAME (default)
1748 NAME specifies the network device to show.
1749
1750
1751 group GROUP
1752 GROUP specifies what group of devices to show.
1753
1754
1755 up only display running interfaces.
1756
1757
1758 master DEVICE
1759 DEVICE specifies the master device which enslaves devices to
1760 show.
1761
1762
1763 vrf NAME
1764 NAME specifies the VRF which enslaves devices to show.
1765
1766
1767 type TYPE
1768 TYPE specifies the type of devices to show.
1769
1770 Note that the type name is not checked against the list of sup‐
1771 ported types - instead it is sent as-is to the kernel. Later it
1772 is used to filter the returned interface list by comparing it
1773 with the relevant attribute in case the kernel didn't filter al‐
1774 ready. Therefore any string is accepted, but may lead to empty
1775 output.
1776
1777
1778 nomaster
1779 only show devices with no master
1780
1781
1782 ip link xstats - display extended statistics
1783 type TYPE
1784 TYPE specifies the type of devices to display extended statis‐
1785 tics for.
1786
1787
1788 ip link afstats - display address-family specific statistics
1789 dev DEVICE
1790 DEVICE specifies the device to display address-family statistics
1791 for.
1792
1793
1794 ip link help - display help
1795 TYPE specifies the link type to display help for.
1796
1797
1798 GROUP
1799 may be a number or a string from the file /etc/iproute2/group which can
1800 be manually filled.
1801
1802
1803 EXAMPLES
1804 ip link show
1805 Shows the state of all network interfaces on the system.
1806
1807 ip link show type bridge
1808 Shows the bridge devices.
1809
1810 ip link show type vlan
1811 Shows the vlan devices.
1812
1813 ip link show master br0
1814 Shows devices enslaved by br0.
1815
1816 ip link set dev ppp0 mtu 1400
1817 Change the MTU of the ppp0 device.
1818
1819 ip link add link eth0 name eth0.10 type vlan id 10
1820 Creates a new vlan device eth0.10 on device eth0.
1821
1822 ip link delete dev eth0.10
1823 Removes vlan device.
1824
1825 ip link help gre
1826 Display help for the gre link type.
1827
1828 ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
1829 ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum encap-
1830 remcsum
1831 Creates an IPIP that is encapsulated with Generic UDP Encapsula‐
1832 tion, and the outer UDP checksum and remote checksum offload are
1833 enabled.
1834
1835 ip link set dev eth0 xdp obj prog.o
1836 Attaches an XDP/BPF program to device eth0, where the program is
1837 located in prog.o, section "prog" (default section). In case an
1838 XDP/BPF program is already attached, throw an error.
1839
1840 ip -force link set dev eth0 xdp obj prog.o sec foo
1841 Attaches an XDP/BPF program to device eth0, where the program is
1842 located in prog.o, section "foo". In case an XDP/BPF program is
1843 already attached, it will be overridden by the new one.
1844
1845 ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
1846 Attaches an XDP/BPF program to device eth0, where the program was
1847 previously pinned as an object node into the BPF file system under
1848 name foo.
1849
1850 ip link set dev eth0 xdp off
1851 If an XDP/BPF program is attached on device eth0, detach it and
1852 effectively turn off XDP for device eth0.
1853
1854 ip link add link wpan0 lowpan0 type lowpan
1855 Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
1856 802.15.4 device wpan0.
1857
1858 ip link add dev ip6erspan11 type ip6erspan seq key 102 local
1859 fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
1860 erspan_hwid 17
1861 Creates an IP6ERSPAN version 2 interface named ip6erspan11.
1862
1863
1864 SEE ALSO
1865 ip(8), ip-netns(8), ethtool(8), iptables(8)
1866
1867
1868 AUTHOR
1869 Original Manpage by Michail Litvak <mci@owl.openwall.com>
1870
1871
1872
1873iproute2 13 Dec 2012 IP-LINK(8)