1YAML configuration(5) YAML configuration(5)
2
6 netplan - YAML network configuration abstraction for various backends
7
9 netplan [ COMMAND | help ]
10
12 See netplan help for a list of available commands on this system.
13
15 Introduction
16 Distribution installers, cloud instantiation, image builds for particu‐
17 lar devices, or any other way to deploy an operating system put its de‐
18 sired network configuration into YAML configuration file(s). During
19 early boot, the netplan "network renderer" runs which reads
20 /{lib,etc,run}/netplan/*.yaml and writes configuration to /run to hand
21 off control of devices to the specified networking daemon.
22 • Configured devices get handled by systemd-networkd by default, unless
24 explicitly marked as managed by a specific renderer (NetworkManager)
25 • Devices not covered by the network config do not get touched at all.
27 • Usable in initramfs (few dependencies and fast)
29 • No persistent generated config, only original YAML config
31 • Parser supports multiple config files to allow applications like lib‐
33 virt or lxd to package up expected network config (virbr0, lxdbr0),
34 or to change the global default policy to use NetworkManager for ev‐
35 erything.
36 • Retains the flexibility to change backends/policy later or adjust to
38 removing NetworkManager, as generated configuration is ephemeral.
39 General structure
41 netplan's configuration files use the YAML
42 (http://yaml.org/spec/1.1/current.html) format. All
43 /{lib,etc,run}/netplan/*.yaml are considered. Lexicographically later
44 files (regardless of in which directory they are) amend (new mapping
45 keys) or override (same mapping keys) previous ones. A file in
46 /run/netplan completely shadows a file with same name in /etc/netplan,
47 and a file in either of those directories shadows a file with the same
48 name in /lib/netplan.
49 The top-level node in a netplan configuration file is a network: map‐
51 ping that contains version: 2 (the YAML currently being used by curtin,
52 MaaS, etc. is version 1), and then device definitions grouped by their
53 type, such as ethernets:, modems:, wifis:, or bridges:. These are the
54 types that our renderer can understand and are supported by our back‐
55 ends.
56 Each type block contains device definitions as a map where the keys
58 (called "configuration IDs") are defined as below.
59 Device configuration IDs
61 The key names below the per-device-type definition maps (like ether‐
62 nets:) are called "ID"s. They must be unique throughout the entire set
63 of configuration files. Their primary purpose is to serve as anchor
64 names for composite devices, for example to enumerate the members of a
65 bridge that is currently being defined.
66 (Since 0.97) If an interface is defined with an ID in a configuration
68 file; it will be brought up by the applicable renderer. To not have
69 netplan touch an interface at all, it should be completely omitted from
70 the netplan configuration files.
71 There are two physically/structurally different classes of device defi‐
73 nitions, and the ID field has a different interpretation for each:
74 Physical devices
76 (Examples: ethernet, modem, wifi) These can dynamically come and
78 go between reboots and even during runtime (hot plugging). In
79 the generic case, they can be selected by match: rules on de‐
80 sired properties, such as name/name pattern, MAC address, driv‐
81 er, or device paths. In general these will match any number of
82 devices (unless they refer to properties which are unique such
83 as the full path or MAC address), so without further knowledge
84 about the hardware these will always be considered as a group.
85 It is valid to specify no match rules at all, in which case the
87 ID field is simply the interface name to be matched. This is
88 mostly useful if you want to keep simple cases simple, and it's
89 how network device configuration has been done for a long time.
90 If there are match: rules, then the ID field is a purely opaque
92 name which is only being used for references from definitions of
93 compound devices in the config.
94 Virtual devices
96 (Examples: veth, bridge, bond, vrf) These are fully under the
98 control of the config file(s) and the network stack. I. e.
99 these devices are being created instead of matched. Thus match:
100 and set-name: are not applicable for these, and the ID field is
101 the name of the created virtual device.
102 Common properties for physical device types
104 Note: Some options will not work reliably for devices matched by name
105 only and rendered by networkd, due to interactions with device renaming
106 in udev. Match devices by MAC when setting options like: wakeonlan or
107 *-offload.
108 • match (mapping)
110 This selects a subset of available physical devices by various
112 hardware properties. The following configuration will then
113 apply to all matching devices, as soon as they appear. All
114 specified properties must match.
115 • name (scalar)
117 Current interface name. Globs are supported, and the prima‐
119 ry use case for matching on names, as selecting one fixed
120 name can be more easily achieved with having no match: at
121 all and just using the ID (see above). (NetworkManager: as
122 of v1.14.0)
123 • macaddress (scalar)
125 Device's 6-byte MAC address in the form "XX:XX:XX:XX:XX:XX"
127 or 20 bytes for InfiniBand devices (IPoIB). Globs are not
128 allowed.
129 • driver (scalar or sequence of scalars) – sequence since 0.104
131 Kernel driver name, corresponding to the DRIVER udev proper‐
133 ty. A sequence of globs is supported, any of which must
134 match. Matching on driver is only supported with networkd.
135 Examples:
137 • All cards on second PCI bus:
139 match:
141 name: enp2*
142 • Fixed MAC address:
144 match:
146 macaddress: 11:22:33:AA:BB:FF
147 • First card of driver ixgbe:
149 match:
151 driver: ixgbe
152 name: en*s0
153 • First card with a driver matching bcmgenet or smsc*:
155 match:
157 driver: ["bcmgenet", "smsc*"]
158 name: en*
159 • set-name (scalar)
161 When matching on unique properties such as path or MAC, or
163 with additional assumptions such as "there will only ever be
164 one wifi device", match rules can be written so that they only
165 match one device. Then this property can be used to give that
166 device a more specific/desirable/nicer name than the default
167 from udev's ifnames. Any additional device that satisfies the
168 match rules will then fail to get renamed and keep the origi‐
169 nal kernel name (and dmesg will show an error).
170 • wakeonlan (bool)
172 Enable wake on LAN. Off by default.
174 • emit-lldp (bool) – since 0.99
176 (networkd backend only) Whether to emit LLDP packets. Off by
178 default.
179 • receive-checksum-offload (bool) – since 0.104
181 (networkd backend only) If set to true (false), the hardware
183 offload for checksumming of ingress network packets is enabled
184 (disabled). When unset, the kernel's default will be used.
185 • transmit-checksum-offload (bool) – since 0.104
187 (networkd backend only) If set to true (false), the hardware
189 offload for checksumming of egress network packets is enabled
190 (disabled). When unset, the kernel's default will be used.
191 • tcp-segmentation-offload (bool) – since 0.104
193 (networkd backend only) If set to true (false), the TCP Seg‐
195 mentation Offload (TSO) is enabled (disabled). When unset,
196 the kernel's default will be used.
197 • tcp6-segmentation-offload (bool) – since 0.104
199 (networkd backend only) If set to true (false), the TCP6 Seg‐
201 mentation Offload (tx-tcp6-segmentation) is enabled (dis‐
202 abled). When unset, the kernel's default will be used.
203 • generic-segmentation-offload (bool) – since 0.104
205 (networkd backend only) If set to true (false), the Generic
207 Segmentation Offload (GSO) is enabled (disabled). When unset,
208 the kernel's default will be used.
209 • generic-receive-offload (bool) – since 0.104
211 (networkd backend only) If set to true (false), the Generic
213 Receive Offload (GRO) is enabled (disabled). When unset, the
214 kernel's default will be used.
215 • large-receive-offload (bool) – since 0.104
217 (networkd backend only) If set to true (false), the Large Re‐
219 ceive Offload (LRO) is enabled (disabled). When unset, the
220 kernel's default will be used.
221 • openvswitch (mapping) – since 0.100
223 This provides additional configuration for the openvswitch
225 network device. If Open vSwitch is not available on the sys‐
226 tem, netplan treats the presence of openvswitch configuration
227 as an error.
228 Any supported network device that is declared with the open‐
230 vswitch mapping (or any bond/bridge that includes an interface
231 with an openvswitch configuration) will be created in open‐
232 vswitch instead of the defined renderer. In the case of a
233 vlan definition declared the same way, netplan will create a
234 fake VLAN bridge in openvswitch with the requested vlan prop‐
235 erties.
236 • external-ids (mapping) – since 0.100
238 Passed-through directly to Open vSwitch
240 • other-config (mapping) – since 0.100
242 Passed-through directly to Open vSwitch
244 • lacp (scalar) – since 0.100
246 Valid for bond interfaces. Accepts active, passive or off
248 (the default).
249 • fail-mode (scalar) – since 0.100
251 Valid for bridge interfaces. Accepts secure or standalone
253 (the default).
254 • mcast-snooping (bool) – since 0.100
256 Valid for bridge interfaces. False by default.
258 • protocols (sequence of scalars) – since 0.100
260 Valid for bridge interfaces or the network section. List of
262 protocols to be used when negotiating a connection with the
263 controller. Accepts OpenFlow10, OpenFlow11, OpenFlow12,
264 OpenFlow13, OpenFlow14, OpenFlow15 and OpenFlow16.
265 • rstp (bool) – since 0.100
267 Valid for bridge interfaces. False by default.
269 • controller (mapping) – since 0.100
271 Valid for bridge interfaces. Specify an external OpenFlow
273 controller.
274 • addresses (sequence of scalars)
276 Set the list of addresses to use for the controller tar‐
278 gets. The syntax of these addresses is as defined in ovs-
279 vsctl(8). Example: addresses: [tcp:127.0.0.1:6653,
280 "ssl:[fe80::1234%eth0]:6653"]
281 • connection-mode (scalar)
283 Set the connection mode for the controller. Supported op‐
285 tions are in-band and out-of-band. The default is in-
286 band.
287 • ports (sequence of sequence of scalars) – since 0.100
289 Open vSwitch patch ports. Each port is declared as a pair
291 of names which can be referenced as interfaces in dependent
292 virtual devices (bonds, bridges).
293 Example:
295 openvswitch:
297 ports:
298 - [patch0-1, patch1-0]
299 • ssl (mapping) – since 0.100
301 Valid for global openvswitch settings. Options for config‐
303 uring SSL server endpoint for the switch.
304 • ca-cert (scalar)
306 Path to a file containing the CA certificate to be used.
308 • certificate (scalar)
310 Path to a file containing the server certificate.
312 • private-key (scalar)
314 Path to a file containing the private key for the server.
316 Common properties for all device types
318 • renderer (scalar)
319 Use the given networking backend for this definition. Cur‐
321 rently supported are networkd and NetworkManager. This prop‐
322 erty can be specified globally in network:, for a device type
323 (in e. g. ethernets:) or for a particular device definition.
324 Default is networkd.
325 (Since 0.99) The renderer property has one additional accept‐
327 able value for vlan objects (i. e. defined in vlans:): sri‐
328 ov. If a vlan is defined with the sriov renderer for an SR-
329 IOV Virtual Function interface, this causes netplan to set up
330 a hardware VLAN filter for it. There can be only one defined
331 per VF.
332 • dhcp4 (bool)
334 Enable DHCP for IPv4. Off by default.
336 • dhcp6 (bool)
338 Enable DHCP for IPv6. Off by default. This covers both
340 stateless DHCP - where the DHCP server supplies information
341 like DNS nameservers but not the IP address - and stateful
342 DHCP, where the server provides both the address and the other
343 information.
344 If you are in an IPv6-only environment with completely state‐
346 less auto-configuration (SLAAC with RDNSS), this option can be
347 set to cause the interface to be brought up. (Setting accept-
348 ra alone is not sufficient.) Auto-configuration will still
349 honor the contents of the router advertisement and only use
350 DHCP if requested in the RA.
351 Note that rdnssd(8) is required to use RDNSS with networkd.
353 No extra software is required for NetworkManager.
354 • ipv6-mtu (scalar) – since 0.98 > Set the IPv6 MTU (only supported
356 with networkd backend). Note > that needing to set this is an unusu‐
357 al requirement. > > Requires feature: ipv6-mtu
358 • ipv6-privacy (bool)
360 Enable IPv6 Privacy Extensions (RFC 4941) for the specified
362 interface, and prefer temporary addresses. Defaults to false
363 - no privacy extensions. There is currently no way to have a
364 private address but prefer the public address.
365 • link-local (sequence of scalars)
367 Configure the link-local addresses to bring up. Valid options
369 are 'ipv4' and 'ipv6', which respectively allow enabling IPv4
370 and IPv6 link local addressing. If this field is not defined,
371 the default is to enable only IPv6 link-local addresses. If
372 the field is defined but configured as an empty set, IPv6
373 link-local addresses are disabled as well as IPv4 link- local
374 addresses.
375 This feature enables or disables link-local addresses for a
377 protocol, but the actual implementation differs per backend.
378 On networkd, this directly changes the behavior and may add an
379 extra address on an interface. When using the NetworkManager
380 backend, enabling link-local has no effect if the interface
381 also has DHCP enabled.
382 Examples:
384 • Enable only IPv4 link-local: link-local: [ ipv4 ]
386 • Enable all link-local addresses: link-local: [ ipv4, ipv6 ]
388 • Disable all link-local addresses: link-local: [ ]
390 • ignore-carrier (bool) – since 0.104
392 (networkd backend only) Allow the specified interface to be
394 configured even if it has no carrier.
395 • critical (bool)
397 Designate the connection as "critical to the system", meaning
399 that special care will be taken by to not release the assigned
400 IP when the daemon is restarted. (not recognized by Network‐
401 Manager)
402 • dhcp-identifier (scalar)
404 (networkd backend only) Sets the source of DHCPv4 client iden‐
406 tifier. If mac is specified, the MAC address of the link is
407 used. If this option is omitted, or if duid is specified,
408 networkd will generate an RFC4361-compliant client identifier
409 for the interface by combining the link's IAID and DUID.
410 • dhcp4-overrides (mapping)
412 (networkd backend only) Overrides default DHCP behavior; see
414 the DHCP Overrides section below.
415 • dhcp6-overrides (mapping)
417 (networkd backend only) Overrides default DHCP behavior; see
419 the DHCP Overrides section below.
420 • accept-ra (bool)
422 Accept Router Advertisement that would have the kernel config‐
424 ure IPv6 by itself. When enabled, accept Router Advertise‐
425 ments. When disabled, do not respond to Router Advertise‐
426 ments. If unset use the host kernel default setting.
427 • addresses (sequence of scalars and mappings)
429 Add static addresses to the interface in addition to the ones
431 received through DHCP or RA. Each sequence entry is in CIDR
432 notation, i. e. of the form addr/prefixlen. addr is an IPv4
433 or IPv6 address as recognized by inet_pton(3) and prefixlen
434 the number of bits of the subnet.
435 For virtual devices (bridges, bonds, vlan) if there is no ad‐
437 dress configured and DHCP is disabled, the interface may still
438 be brought online, but will not be addressable from the net‐
439 work.
440 In addition to the addresses themselves one can specify con‐
442 figuration parameters as mappings. Current supported options
443 are:
444 • lifetime (scalar) – since 0.100
446 Default: forever. This can be forever or 0 and corresponds
448 to the PreferredLifetime option in systemd-networkd's Ad‐
449 dress section. Currently supported on the networkd backend
450 only.
451 • label (scalar) – since 0.100
453 An IP address label, equivalent to the ip address label com‐
455 mand. Currently supported on the networkd backend only.
456 Examples:
458 • Simple: addresses: [192.168.14.2/24, "2001:1::1/64"]
460 • Advanced:
462 ethernets:
464 eth0:
465 addresses:
466 - "10.0.0.15/24":
467 lifetime: 0
468 label: "maas"
469 - "2001:1::1/64"
470 • ipv6-address-generation (scalar) – since 0.99
472 Configure method for creating the address for use with RFC4862
474 IPv6 Stateless Address Auto-configuration (only supported with
475 NetworkManager backend). Possible values are eui64 or stable-
476 privacy.
477 • ipv6-address-token (scalar) – since 0.100
479 Define an IPv6 address token for creating a static interface
481 identifier for IPv6 Stateless Address Auto-configuration.
482 This is mutually exclusive with ipv6-address-generation.
483 • gateway4, gateway6 (scalar)
485 Deprecated, see Default routes. Set default gateway for
487 IPv4/6, for manual address configuration. This requires set‐
488 ting addresses too. Gateway IPs must be in a form recognized
489 by inet_pton(3). There should only be a single gateway per IP
490 address family set in your global config, to make it unambigu‐
491 ous. If you need multiple default routes, please define them
492 via routing-policy.
493 Examples
495 • IPv4: gateway4: 172.16.0.1
497 • IPv6: gateway6: "2001:4::1"
499 • nameservers (mapping)
501 Set DNS servers and search domains, for manual address config‐
503 uration. There are two supported fields: addresses: is a list
504 of IPv4 or IPv6 addresses similar to gateway*, and search: is
505 a list of search domains.
506 Example:
508 ethernets:
510 id0:
511 [...]
512 nameservers:
513 search: [lab, home]
514 addresses: [8.8.8.8, "FEDC::1"]
515 • macaddress (scalar)
517 Set the device's MAC address. The MAC address must be in the
519 form "XX:XX:XX:XX:XX:XX".
520 Note: This will not work reliably for devices matched by name
522 only and rendered by networkd, due to interactions with device
523 renaming in udev. Match devices by MAC when setting MAC ad‐
524 dresses.
525 Example:
527 ethernets:
529 id0:
530 match:
531 macaddress: 52:54:00:6b:3c:58
532 [...]
533 macaddress: 52:54:00:6b:3c:59
534 • mtu (scalar)
536 Set the Maximum Transmission Unit for the interface. The de‐
538 fault is 1500. Valid values depend on your network interface.
539 Note: This will not work reliably for devices matched by name
541 only and rendered by networkd, due to interactions with device
542 renaming in udev. Match devices by MAC when setting MTU.
543 • optional (bool)
545 An optional device is not required for booting. Normally,
547 networkd will wait some time for device to become configured
548 before proceeding with booting. However, if a device is
549 marked as optional, networkd will not wait for it. This is
550 only supported by networkd, and the default is false.
551 Example:
553 ethernets:
555 eth7:
556 # this is plugged into a test network that is often
557 # down - don't wait for it to come up during boot.
558 dhcp4: true
559 optional: true
560 • optional-addresses (sequence of scalars)
562 Specify types of addresses that are not required for a device
564 to be considered online. This changes the behavior of back‐
565 ends at boot time to avoid waiting for addresses that are
566 marked optional, and thus consider the interface as "usable"
567 sooner. This does not disable these addresses, which will be
568 brought up anyway.
569 Example:
571 ethernets:
573 eth7:
574 dhcp4: true
575 dhcp6: true
576 optional-addresses: [ ipv4-ll, dhcp6 ]
577 • activation-mode (scalar) – since 0.103
579 Allows specifying the management policy of the selected inter‐
581 face. By default, netplan brings up any configured interface
582 if possible. Using the activation-mode setting users can
583 override that behavior by either specifying manual, to hand
584 over control over the interface state to the administrator or
585 (for networkd backend only) off to force the link in a down
586 state at all times. Any interface with activation-mode de‐
587 fined is implicitly considered optional. Supported officially
588 as of networkd v248+.
589 Example:
591 ethernets:
593 eth1:
594 # this interface will not be put into an UP state automatically
595 dhcp4: true
596 activation-mode: manual
597 • routes (sequence of mappings)
599 Configure static routing for the device; see the Routing sec‐
601 tion below.
602 • routing-policy (sequence of mappings)
604 Configure policy routing for the device; see the Routing sec‐
606 tion below.
607 • neigh-suppress (scalar) – since 0.105
609 Takes a boolean. Configures whether ARP and ND neighbor sup‐
611 pression is enabled for this port. When unset, the kernel's
612 default will be used.
613 DHCP Overrides
615 Several DHCP behavior overrides are available. Most currently only
616 have any effect when using the networkd backend, with the exception of
617 use-routes and route-metric.
618 Overrides only have an effect if the corresponding dhcp4 or dhcp6 is
620 set to true.
621 If both dhcp4 and dhcp6 are true, the networkd backend requires that
623 dhcp4-overrides and dhcp6-overrides contain the same keys and values.
624 If the values do not match, an error will be shown and the network con‐
625 figuration will not be applied.
626 When using the NetworkManager backend, different values may be speci‐
628 fied for dhcp4-overrides and dhcp6-overrides, and will be applied to
629 the DHCP client processes as specified in the netplan YAML.
630 • dhcp4-overrides, dhcp6-overrides (mapping)
632 The dhcp4-overrides and `dhcp6-override`` mappings override
634 the default DHCP behavior.
635 • use-dns (bool)
637 Default: true. When true, the DNS servers received from the
639 DHCP server will be used and take precedence over any stati‐
640 cally configured ones. Currently only has an effect on the
641 networkd backend.
642 • use-ntp (bool)
644 Default: true. When true, the NTP servers received from the
646 DHCP server will be used by systemd-timesyncd and take
647 precedence over any statically configured ones. Currently
648 only has an effect on the networkd backend.
649 • send-hostname (bool)
651 Default: true. When true, the machine's hostname will be
653 sent to the DHCP server. Currently only has an effect on
654 the networkd backend.
655 • use-hostname (bool)
657 Default: true. When true, the hostname received from the
659 DHCP server will be set as the transient hostname of the
660 system. Currently only has an effect on the networkd back‐
661 end.
662 • use-mtu (bool)
664 Default: true. When true, the MTU received from the DHCP
666 server will be set as the MTU of the network interface.
667 When false, the MTU advertised by the DHCP server will be
668 ignored. Currently only has an effect on the networkd back‐
669 end.
670 • hostname (scalar)
672 Use this value for the hostname which is sent to the DHCP
674 server, instead of machine's hostname. Currently only has
675 an effect on the networkd backend.
676 • use-routes (bool)
678 Default: true. When true, the routes received from the DHCP
680 server will be installed in the routing table normally.
681 When set to false, routes from the DHCP server will be ig‐
682 nored: in this case, the user is responsible for adding
683 static routes if necessary for correct network operation.
684 This allows users to avoid installing a default gateway for
685 interfaces configured via DHCP. Available for both the net‐
686 workd and NetworkManager backends.
687 • route-metric (scalar)
689 Use this value for default metric for automatically-added
691 routes. Use this to prioritize routes for devices by set‐
692 ting a lower metric on a preferred interface. Available for
693 both the networkd and NetworkManager backends.
694 • use-domains (scalar) – since 0.98
696 Takes a boolean, or the special value "route". When true,
698 the domain name received from the DHCP server will be used
699 as DNS search domain over this link, similar to the effect
700 of the Domains= setting. If set to "route", the domain name
701 received from the DHCP server will be used for routing DNS
702 queries only, but not for searching, similar to the effect
703 of the Domains= setting when the argument is prefixed with
704 "~".
705 Requires feature: dhcp-use-domains
707 Routing
709 Complex routing is possible with netplan. Standard static routes as
710 well as policy routing using routing tables are supported via the net‐
711 workd backend.
712 These options are available for all types of interfaces.
714 Default routes
716 The most common need for routing concerns the definition of default
717 routes to reach the wider Internet. Those default routes can only de‐
718 fined once per IP family and routing table. A typical example would
719 look like the following:
720 eth0:
722 [...]
723 routes:
724 - to: default # could be 0/0 or 0.0.0.0/0 optionally
725 via: 10.0.0.1
726 metric: 100
727 on-link: true
728 - to: default # could be ::/0 optionally
729 via: cf02:de:ad:be:ef::2
730 eth1:
731 [...]
732 routes:
733 - to: default
734 via: 172.134.67.1
735 metric: 100
736 on-link: true
737 # Not on the main routing table,
738 # does not conflict with the eth0 default route
739 table: 76
740 • routes (mapping)
742 The routes block defines standard static routes for an inter‐
744 face. At least to must be specified. If type is local or nat
745 a default scope of host is assumed. If type is unicast and no
746 gateway (via) is given or type is broadcast, multicast or any‐
747 cast a default scope of link is assumed. Otherwise, a global
748 scope is the default setting.
749 For from, to, and via, both IPv4 and IPv6 addresses are recog‐
751 nized, and must be in the form addr/prefixlen or addr.
752 • from (scalar)
754 Set a source IP address for traffic going through the route.
756 (NetworkManager: as of v1.8.0)
757 • to (scalar)
759 Destination address for the route.
761 • via (scalar)
763 Address to the gateway to use for this route.
765 • on-link (bool)
767 When set to "true", specifies that the route is directly
769 connected to the interface. (NetworkManager: as of v1.12.0
770 for IPv4 and v1.18.0 for IPv6)
771 • metric (scalar)
773 The relative priority of the route. Must be a positive in‐
775 teger value.
776 • type (scalar)
778 The type of route. Valid options are "unicast" (default),
780 "anycast", "blackhole", "broadcast", "local", "multicast",
781 "nat", "prohibit", "throw", "unreachable" or "xresolve".
782 • scope (scalar)
784 The route scope, how wide-ranging it is to the network.
786 Possible values are "global", "link", or "host".
787 • table (scalar)
789 The table number to use for the route. In some scenarios,
791 it may be useful to set routes in a separate routing table.
792 It may also be used to refer to routing policy rules which
793 also accept a table parameter. Allowed values are positive
794 integers starting from 1. Some values are already in use to
795 refer to specific routing tables: see /etc/iproute2/rt_ta‐
796 bles. (NetworkManager: as of v1.10.0)
797 • mtu (scalar) – since 0.101
799 The MTU to be used for the route, in bytes. Must be a posi‐
801 tive integer value.
802 • congestion-window (scalar) – since 0.102
804 The congestion window to be used for the route, represented
806 by number of segments. Must be a positive integer value.
807 • advertised-receive-window (scalar) – since 0.102
809 The receive window to be advertised for the route, repre‐
811 sented by number of segments. Must be a positive integer
812 value.
813 • routing-policy (mapping)
815 The routing-policy block defines extra routing policy for a
817 network, where traffic may be handled specially based on the
818 source IP, firewall marking, etc.
819 For from, to, both IPv4 and IPv6 addresses are recognized, and
821 must be in the form addr/prefixlen or addr.
822 • from (scalar)
824 Set a source IP address to match traffic for this policy
826 rule.
827 • to (scalar)
829 Match on traffic going to the specified destination.
831 • table (scalar)
833 The table number to match for the route. In some scenarios,
835 it may be useful to set routes in a separate routing table.
836 It may also be used to refer to routes which also accept a
837 table parameter. Allowed values are positive integers
838 starting from 1. Some values are already in use to refer to
839 specific routing tables: see /etc/iproute2/rt_tables.
840 • priority (scalar)
842 Specify a priority for the routing policy rule, to influence
844 the order in which routing rules are processed. A higher
845 number means lower priority: rules are processed in order by
846 increasing priority number.
847 • mark (scalar)
849 Have this routing policy rule match on traffic that has been
851 marked by the iptables firewall with this value. Allowed
852 values are positive integers starting from 1.
853 • type-of-service (scalar)
855 Match this policy rule based on the type of service number
857 applied to the traffic.
858 Authentication
860 Netplan supports advanced authentication settings for ethernet and wifi
861 interfaces, as well as individual wifi networks, by means of the auth
862 block.
863 • auth (mapping)
865 Specifies authentication settings for a device of type ether‐
867 nets:, or an access-points: entry on a wifis: device.
868 The auth block supports the following properties:
870 • key-management (scalar)
872 The supported key management modes are none (no key manage‐
874 ment); psk (WPA with pre-shared key, common for home wifi);
875 eap (WPA with EAP, common for enterprise wifi); and 802.1x
876 (used primarily for wired Ethernet connections).
877 • password (scalar)
879 The password string for EAP, or the pre-shared key for WPA-
881 PSK.
882 The following properties can be used if key-management is eap or
884 802.1x:
885 • method (scalar)
887 The EAP method to use. The supported EAP methods are tls
889 (TLS), peap (Protected EAP), and ttls (Tunneled TLS).
890 • identity (scalar)
892 The identity to use for EAP.
894 • anonymous-identity (scalar)
896 The identity to pass over the unencrypted channel if the
898 chosen EAP method supports passing a different tunnelled
899 identity.
900 • ca-certificate (scalar)
902 Path to a file with one or more trusted certificate authori‐
904 ty (CA) certificates.
905 • client-certificate (scalar)
907 Path to a file containing the certificate to be used by the
909 client during authentication.
910 • client-key (scalar)
912 Path to a file containing the private key corresponding to
914 client-certificate.
915 • client-key-password (scalar)
917 Password to use to decrypt the private key specified in
919 client-key if it is encrypted.
920 • phase2-auth (scalar) – since 0.99
922 Phase 2 authentication mechanism.
924 Properties for device type ethernets:
926 Ethernet device definitions, beyond common ones described above, also
927 support some additional properties that can be used for SR-IOV devices.
928 • link (scalar) – since 0.99
930 (SR-IOV devices only) The link property declares the device as
932 a Virtual Function of the selected Physical Function device,
933 as identified by the given netplan id.
934 Example:
936 ethernets:
938 enp1: {...}
939 enp1s16f1:
940 link: enp1
941 • virtual-function-count (scalar) – since 0.99
943 (SR-IOV devices only) In certain special cases VFs might need
945 to be configured outside of netplan. For such configurations
946 virtual-function-count can be optionally used to set an ex‐
947 plicit number of Virtual Functions for the given Physical
948 Function. If unset, the default is to create only as many VFs
949 as are defined in the netplan configuration. This should be
950 used for special cases only.
951 Requires feature: sriov
953 • embedded-switch-mode (scalar) – since 0.104
955 (SR-IOV devices only) Change the operational mode of the em‐
957 bedded switch of a supported SmartNIC PCI device (e.g. Mel‐
958 lanox ConnectX-5). Possible values are switchdev or legacy,
959 if unspecified the vendor's default configuration is used.
960 Requires feature: eswitch-mode
962 • delay-virtual-functions-rebind (bool) – since 0.104
964 (SR-IOV devices only) Delay rebinding of SR-IOV virtual func‐
966 tions to its driver after changing the embedded-switch-mode
967 setting to a later stage. Can be enabled when bonding/VF LAG
968 is in use. Defaults to false.
969 Requires feature: eswitch-mode
971 • infiniband-mode (scalar) – since 0.105
973 (InfiniBand devices only) Change the operational mode of a
975 IPoIB device. Possible values are datagram or connected. If
976 unspecified the kernel's default configuration is used.
977 Requires feature: infiniband
979 Properties for device type modems:
981 GSM/CDMA modem configuration is only supported for the NetworkManager
982 backend. systemd-networkd does not support modems.
983 Requires feature: modems
985 • apn (scalar) – since 0.99
987 Set the carrier APN (Access Point Name). This can be omitted
989 if auto-config is enabled.
990 • auto-config (bool) – since 0.99
992 Specify whether to try and auto-configure the modem by doing a
994 lookup of the carrier against the Mobile Broadband Provider
995 database. This may not work for all carriers.
996 • device-id (scalar) – since 0.99
998 Specify the device ID (as given by the WWAN management ser‐
1000 vice) of the modem to match. This can be found using mmcli.
1001 • network-id (scalar) – since 0.99
1003 Specify the Network ID (GSM LAI format). If this is speci‐
1005 fied, the device will not roam networks.
1006 • number (scalar) – since 0.99
1008 The number to dial to establish the connection to the mobile
1010 broadband network. (Deprecated for GSM)
1011 • password (scalar) – since 0.99
1013 Specify the password used to authenticate with the carrier
1015 network. This can be omitted if auto-config is enabled.
1016 • pin (scalar) – since 0.99
1018 Specify the SIM PIN to allow it to operate if a PIN is set.
1020 • sim-id (scalar) – since 0.99
1022 Specify the SIM unique identifier (as given by the WWAN man‐
1024 agement service) which this connection applies to. If given,
1025 the connection will apply to any device also allowed by de‐
1026 vice-id which contains a SIM card matching the given identifi‐
1027 er.
1028 • sim-operator-id (scalar) – since 0.99
1030 Specify the MCC/MNC string (such as "310260" or "21601") which
1032 identifies the carrier that this connection should apply to.
1033 If given, the connection will apply to any device also allowed
1034 by device-id and sim-id which contains a SIM card provisioned
1035 by the given operator.
1036 • username (scalar) – since 0.99
1038 Specify the username used to authenticate with the carrier
1040 network. This can be omitted if auto-config is enabled.
1041 Properties for device type wifis:
1043 Note that systemd-networkd does not natively support wifi, so you need
1044 wpasupplicant installed if you let the networkd renderer handle wifi.
1045 • access-points (mapping)
1047 This provides pre-configured connections to NetworkManager.
1049 Note that users can of course select other access
1050 points/SSIDs. The keys of the mapping are the SSIDs, and the
1051 values are mappings with the following supported properties:
1052 • password (scalar)
1054 Enable WPA2 authentication and set the passphrase for it.
1056 If neither this nor an auth block are given, the network is
1057 assumed to be open. The setting
1058 password: "S3kr1t"
1060 is equivalent to
1062 auth:
1064 key-management: psk
1065 password: "S3kr1t"
1066 • mode (scalar)
1068 Possible access point modes are infrastructure (the de‐
1070 fault), ap (create an access point to which other devices
1071 can connect), and adhoc (peer to peer networks without a
1072 central access point). ap is only supported with Network‐
1073 Manager.
1074 • bssid (scalar) – since 0.99
1076 If specified, directs the device to only associate with the
1078 given access point.
1079 • band (scalar) – since 0.99
1081 Possible bands are 5GHz (for 5GHz 802.11a) and 2.4GHz (for
1083 2.4GHz 802.11), do not restrict the 802.11 frequency band of
1084 the network if unset (the default).
1085 • channel (scalar) – since 0.99
1087 Wireless channel to use for the Wi-Fi connection. Because
1089 channel numbers overlap between bands, this property takes
1090 effect only if the band property is also set.
1091 • hidden (bool) – since 0.100
1093 Set to true to change the SSID scan technique for connecting
1095 to hidden WiFi networks. Note this may have slower perfor‐
1096 mance compared to false (the default) when connecting to
1097 publicly broadcast SSIDs.
1098 • wakeonwlan (sequence of scalars) – since 0.99
1100 This enables WakeOnWLan on supported devices. Not all drivers
1102 support all options. May be any combination of any, discon‐
1103 nect, magic_pkt, gtk_rekey_failure, eap_identity_req,
1104 four_way_handshake, rfkill_release or tcp (NetworkManager on‐
1105 ly). Or the exclusive default flag (the default).
1106 • regulatory-domain (scalar) – since 0.105
1108 This can be used to define the radio's regulatory domain, to
1110 make use of additional WiFi channels outside the "world do‐
1111 main". Takes an ISO / IEC 3166 country code (like GB) or 00
1112 to reset to the "world domain". See wireless-regdb
1113 (https://git.kernel.org/pub/scm/linux/kernel/git/sfor‐
1114 shee/wireless-regdb.git/tree/db.txt) for available values.
1115 Requires dependency: iw, if it is to be used outside the net‐
1117 workd (wpa_supplicant) backend.
1118 Properties for device type bridges:
1120 • interfaces (sequence of scalars)
1121 All devices matching this ID list will be added to the bridge.
1123 This may be an empty list, in which case the bridge will be
1124 brought online with no member interfaces.
1125 Example:
1127 ethernets:
1129 switchports:
1130 match: {name: "enp2*"}
1131 [...]
1132 bridges:
1133 br0:
1134 interfaces: [switchports]
1135 • parameters (mapping)
1137 Customization parameters for special bridging options. Time
1139 intervals may need to be expressed as a number of seconds or
1140 milliseconds: the default value type is specified below. If
1141 necessary, time intervals can be qualified using a time suffix
1142 (such as "s" for seconds, "ms" for milliseconds) to allow for
1143 more control over its behavior.
1144 • ageing-time, aging-time (scalar)
1146 Set the period of time to keep a MAC address in the forward‐
1148 ing database after a packet is received. This maps to the
1149 AgeingTimeSec= property when the networkd renderer is used.
1150 If no time suffix is specified, the value will be interpret‐
1151 ed as seconds.
1152 • priority (scalar)
1154 Set the priority value for the bridge. This value should be
1156 a number between 0 and 65535. Lower values mean higher pri‐
1157 ority. The bridge with the higher priority will be elected
1158 as the root bridge.
1159 • port-priority (scalar)
1161 Set the port priority to . The priority value is a number
1163 between 0 and 63. This metric is used in the designated
1164 port and root port selection algorithms.
1165 • forward-delay (scalar)
1167 Specify the period of time the bridge will remain in Listen‐
1169 ing and Learning states before getting to the Forwarding
1170 state. This field maps to the ForwardDelaySec= property for
1171 the networkd renderer. If no time suffix is specified, the
1172 value will be interpreted as seconds.
1173 • hello-time (scalar)
1175 Specify the interval between two hello packets being sent
1177 out from the root and designated bridges. Hello packets
1178 communicate information about the network topology. When
1179 the networkd renderer is used, this maps to the Hel‐
1180 loTimeSec= property. If no time suffix is specified, the
1181 value will be interpreted as seconds.
1182 • max-age (scalar)
1184 Set the maximum age of a hello packet. If the last hello
1186 packet is older than that value, the bridge will attempt to
1187 become the root bridge. This maps to the MaxAgeSec= proper‐
1188 ty when the networkd renderer is used. If no time suffix is
1189 specified, the value will be interpreted as seconds.
1190 • path-cost (scalar)
1192 Set the cost of a path on the bridge. Faster interfaces
1194 should have a lower cost. This allows a finer control on
1195 the network topology so that the fastest paths are available
1196 whenever possible.
1197 • stp (bool)
1199 Define whether the bridge should use Spanning Tree Protocol.
1201 The default value is "true", which means that Spanning Tree
1202 should be used.
1203 Properties for device type bonds:
1205 • interfaces (sequence of scalars)
1206 All devices matching this ID list will be added to the bond.
1208 Example:
1210 ethernets:
1212 switchports:
1213 match: {name: "enp2*"}
1214 [...]
1215 bonds:
1216 bond0:
1217 interfaces: [switchports]
1218 • parameters (mapping)
1220 Customization parameters for special bonding options. Time
1222 intervals may need to be expressed as a number of seconds or
1223 milliseconds: the default value type is specified below. If
1224 necessary, time intervals can be qualified using a time suffix
1225 (such as "s" for seconds, "ms" for milliseconds) to allow for
1226 more control over its behavior.
1227 • mode (scalar)
1229 Set the bonding mode used for the interfaces. The default
1231 is balance-rr (round robin). Possible values are balance-
1232 rr, active-backup, balance-xor, broadcast, 802.3ad, balance-
1233 tlb, and balance-alb. For Open vSwitch active-backup and
1234 the additional modes balance-tcp and balance-slb are sup‐
1235 ported.
1236 • lacp-rate (scalar)
1238 Set the rate at which LACPDUs are transmitted. This is only
1240 useful in 802.3ad mode. Possible values are slow (30 sec‐
1241 onds, default), and fast (every second).
1242 • mii-monitor-interval (scalar)
1244 Specifies the interval for MII monitoring (verifying if an
1246 interface of the bond has carrier). The default is 0; which
1247 disables MII monitoring. This is equivalent to the MIIMoni‐
1248 torSec= field for the networkd backend. If no time suffix
1249 is specified, the value will be interpreted as milliseconds.
1250 • min-links (scalar)
1252 The minimum number of links up in a bond to consider the
1254 bond interface to be up.
1255 • transmit-hash-policy (scalar)
1257 Specifies the transmit hash policy for the selection of
1259 slaves. This is only useful in balance-xor, 802.3ad and
1260 balance-tlb modes. Possible values are layer2, layer3+4,
1261 layer2+3, encap2+3, and encap3+4.
1262 • ad-select (scalar)
1264 Set the aggregation selection mode. Possible values are
1266 stable, bandwidth, and count. This option is only used in
1267 802.3ad mode.
1268 • all-slaves-active (bool)
1270 If the bond should drop duplicate frames received on inac‐
1272 tive ports, set this option to false. If they should be de‐
1273 livered, set this option to true. The default value is
1274 false, and is the desirable behavior in most situations.
1275 • arp-interval (scalar)
1277 Set the interval value for how frequently ARP link monitor‐
1279 ing should happen. The default value is 0, which disables
1280 ARP monitoring. For the networkd backend, this maps to the
1281 ARPIntervalSec= property. If no time suffix is specified,
1282 the value will be interpreted as milliseconds.
1283 • arp-ip-targets (sequence of scalars)
1285 IPs of other hosts on the link which should be sent ARP re‐
1287 quests in order to validate that a slave is up. This option
1288 is only used when arp-interval is set to a value other than
1289 0. At least one IP address must be given for ARP link moni‐
1290 toring to function. Only IPv4 addresses are supported. You
1291 can specify up to 16 IP addresses. The default value is an
1292 empty list.
1293 • arp-validate (scalar)
1295 Configure how ARP replies are to be validated when using ARP
1297 link monitoring. Possible values are none, active, backup,
1298 and all.
1299 • arp-all-targets (scalar)
1301 Specify whether to use any ARP IP target being up as suffi‐
1303 cient for a slave to be considered up; or if all the targets
1304 must be up. This is only used for active-backup mode when
1305 arp-validate is enabled. Possible values are any and all.
1306 • up-delay (scalar)
1308 Specify the delay before enabling a link once the link is
1310 physically up. The default value is 0. This maps to the
1311 UpDelaySec= property for the networkd renderer. This option
1312 is only valid for the miimon link monitor. If no time suf‐
1313 fix is specified, the value will be interpreted as millisec‐
1314 onds.
1315 • down-delay (scalar)
1317 Specify the delay before disabling a link once the link has
1319 been lost. The default value is 0. This maps to the Down‐
1320 DelaySec= property for the networkd renderer. This option
1321 is only valid for the miimon link monitor. If no time suf‐
1322 fix is specified, the value will be interpreted as millisec‐
1323 onds.
1324 • fail-over-mac-policy (scalar)
1326 Set whether to set all slaves to the same MAC address when
1328 adding them to the bond, or how else the system should han‐
1329 dle MAC addresses. The possible values are none, active,
1330 and follow.
1331 • gratuitous-arp (scalar)
1333 Specify how many ARP packets to send after failover. Once a
1335 link is up on a new slave, a notification is sent and possi‐
1336 bly repeated if this value is set to a number greater than
1337 1. The default value is 1 and valid values are between 1
1338 and 255. This only affects active-backup mode.
1339 For historical reasons, the misspelling gratuitious-arp is
1341 also accepted and has the same function.
1342 • packets-per-slave (scalar)
1344 In balance-rr mode, specifies the number of packets to
1346 transmit on a slave before switching to the next. When this
1347 value is set to 0, slaves are chosen at random. Allowable
1348 values are between 0 and 65535. The default value is 1.
1349 This setting is only used in balance-rr mode.
1350 • primary-reselect-policy (scalar)
1352 Set the reselection policy for the primary slave. On fail‐
1354 ure of the active slave, the system will use this policy to
1355 decide how the new active slave will be chosen and how re‐
1356 covery will be handled. The possible values are always,
1357 better, and failure.
1358 • resend-igmp (scalar)
1360 In modes balance-rr, active-backup, balance-tlb and balance-
1362 alb, a failover can switch IGMP traffic from one slave to
1363 another.
1364 This parameter specifies how many IGMP membership reports
1366 are issued on a failover event. Values range from 0 to 255.
1367 0 disables sending membership reports. Otherwise, the first
1368 membership report is sent on failover and subsequent reports
1369 are sent at 200ms intervals.
1370 • learn-packet-interval (scalar)
1372 Specify the interval between sending learning packets to
1374 each slave. The value range is between 1 and 0x7fffffff.
1375 The default value is 1. This option only affects balance-
1376 tlb and balance-alb modes. Using the networkd renderer,
1377 this field maps to the LearnPacketIntervalSec= property. If
1378 no time suffix is specified, the value will be interpreted
1379 as seconds.
1380 • primary (scalar)
1382 Specify a device to be used as a primary slave, or preferred
1384 device to use as a slave for the bond (i.e. the preferred
1385 device to send data through), whenever it is available.
1386 This only affects active-backup, balance-alb, and balance-
1387 tlb modes.
1388 Properties for device type tunnels:
1390 Tunnels allow traffic to pass as if it was between systems on the same
1391 local network, although systems may be far from each other but reach‐
1392 able via the Internet. They may be used to support IPv6 traffic on a
1393 network where the ISP does not provide the service, or to extend and
1394 "connect" separate local networks. Please see
1395 <https://en.wikipedia.org/wiki/Tunneling_protocol> for more general in‐
1396 formation about tunnels.
1397 • mode (scalar)
1399 Defines the tunnel mode. Valid options are sit, gre, ip6gre,
1401 ipip, ipip6, ip6ip6, vti, vti6, wireguard and vxlan. Addi‐
1402 tionally, the networkd backend also supports gretap and
1403 ip6gretap modes. In addition, the NetworkManager backend sup‐
1404 ports isatap tunnels.
1405 • local (scalar)
1407 Defines the address of the local endpoint of the tunnel. (For
1409 VXLAN) This should match one of the parent's IP addresses or
1410 make use of the networkd special values.
1411 • remote (scalar)
1413 Defines the address of the remote endpoint of the tunnel or
1415 multicast group IP address for VXLAN.
1416 • ttl (scalar) – since 0.103
1418 Defines the Time To Live (TTL) of the tunnel. Takes a number
1420 in the range 1..255.
1421 • key (scalar or mapping)
1423 Define keys to use for the tunnel. The key can be a number or
1425 a dotted quad (an IPv4 address). For wireguard it can be a
1426 base64-encoded private key or (as of networkd v242+) an abso‐
1427 lute path to a file, containing the private key (since 0.100).
1428 It is used for identification of IP transforms. This is only
1429 required for vti and vti6 when using the networkd backend.
1430 This field may be used as a scalar (meaning that a single key
1432 is specified and to be used for input, output and private
1433 key), or as a mapping, where you can further specify in‐
1434 put/output/private.
1435 • input (scalar)
1437 The input key for the tunnel
1439 • output (scalar)
1441 The output key for the tunnel
1443 • private (scalar) – since 0.100
1445 A base64-encoded private key required for WireGuard tunnels.
1447 When the systemd-networkd backend (v242+) is used, this can
1448 also be an absolute path to a file containing the private
1449 key.
1450 • keys (scalar or mapping)
1452 Alternate name for the key field. See above.
1454 Examples:
1456 tunnels:
1458 tun0:
1459 mode: gre
1460 local: ...
1461 remote: ...
1462 keys:
1463 input: 1234
1464 output: 5678
1465 tunnels:
1467 tun0:
1468 mode: vti6
1469 local: ...
1470 remote: ...
1471 key: 59568549
1472 tunnels:
1474 wg0:
1475 mode: wireguard
1476 addresses: [...]
1477 peers:
1478 - keys:
1479 public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
1480 shared: /path/to/shared.key
1481 ...
1482 key: mNb7OIIXTdgW4khM7OFlzJ+UPs7lmcWHV7xjPgakMkQ=
1483 tunnels:
1485 wg0:
1486 mode: wireguard
1487 addresses: [...]
1488 peers:
1489 - keys:
1490 public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
1491 ...
1492 keys:
1493 private: /path/to/priv.key
1494 WireGuard specific keys:
1496 • mark (scalar) – since 0.100
1498 Firewall mark for outgoing WireGuard packets from this inter‐
1500 face, optional.
1501 • port (scalar) – since 0.100
1503 UDP port to listen at or auto. Optional, defaults to auto.
1505 • peers (sequence of mappings) – since 0.100
1507 A list of peers, each having keys documented below.
1509 Example:
1511 tunnels:
1513 wg0:
1514 mode: wireguard
1515 key: /path/to/private.key
1516 mark: 42
1517 port: 5182
1518 peers:
1519 - keys:
1520 public: rlbInAj0qV69CysWPQY7KEBnKxpYCpaWqOs/dLevdWc=
1521 allowed-ips: [0.0.0.0/0, "2001:fe:ad:de:ad:be:ef:1/24"]
1522 keepalive: 23
1523 endpoint: 1.2.3.4:5
1524 - keys:
1525 public: M9nt4YujIOmNrRmpIRTmYSfMdrpvE7u6WkG8FY8WjG4=
1526 shared: /some/shared.key
1527 allowed-ips: [10.10.10.20/24]
1528 keepalive: 22
1529 endpoint: 5.4.3.2:1
1530 • endpoint (scalar) – since 0.100
1532 Remote endpoint IPv4/IPv6 address or a hostname, followed by
1534 a colon and a port number.
1535 • allowed-ips (sequence of scalars) – since 0.100
1537 A list of IP (v4 or v6) addresses with CIDR masks from which
1539 this peer is allowed to send incoming traffic and to which
1540 outgoing traffic for this peer is directed. The catch-all
1541 0.0.0.0/0 may be specified for matching all IPv4 addresses,
1542 and ::/0 may be specified for matching all IPv6 addresses.
1543 • keepalive (scalar) – since 0.100
1545 An interval in seconds, between 1 and 65535 inclusive, of
1547 how often to send an authenticated empty packet to the peer
1548 for the purpose of keeping a stateful firewall or NAT map‐
1549 ping valid persistently. Optional.
1550 • keys (mapping) – since 0.100
1552 Define keys to use for the WireGuard peers.
1554 This field can be used as a mapping, where you can further
1556 specify the public and shared keys.
1557 • public (scalar) – since 0.100
1559 A base64-encoded public key, required for WireGuard peers.
1561 • shared (scalar) – since 0.100
1563 A base64-encoded preshared key. Optional for WireGuard
1565 peers. When the systemd-networkd backend (v242+) is used,
1566 this can also be an absolute path to a file containing the
1567 preshared key.
1568 VXLAN specific keys:
1570 • id (scalar) – since 0.105
1572 The VXLAN Network Identifier (VNI or VXLAN Segment ID). Takes
1574 a number in the range 1..16777215.
1575 • link (scalar) – since 0.105
1577 netplan ID of the parent device definition to which this VXLAN
1579 gets connected.
1580 • type-of-service (scalar) – since 0.105
1582 The Type Of Service byte value for a vxlan interface.
1584 • mac-learning (scalar) – since 0.105
1586 Takes a boolean. When true, enables dynamic MAC learning to
1588 discover remote MAC addresses.
1589 • ageing, aging (scalar) – since 0.105
1591 The lifetime of Forwarding Database entry learnt by the ker‐
1593 nel, in seconds.
1594 • limit (scalar) – since 0.105
1596 Configures maximum number of FDB entries.
1598 • arp-proxy (scalar) – since 0.105
1600 Takes a boolean. When true, bridge-connected VXLAN tunnel
1602 endpoint answers ARP requests from the local bridge on behalf
1603 of remote Distributed Overlay Virtual Ethernet (DOVE) clients.
1604 Defaults to false.
1605 • notifications (sequence of scalars) – since 0.105
1607 Takes the flags l2-miss and l3-miss to enable netlink LLADDR
1609 and/or netlink IP address miss notifications.
1610 • short-circuit (scalar) – since 0.105
1612 Takes a boolean. When true, route short circuiting is turned
1614 on.
1615 • checksums (sequence of scalars) – since 0.105
1617 Takes the flags udp, zero-udp6-tx, zero-udp6-rx, remote-tx and
1619 remote-rx to enable transmitting UDP checksums in VXLAN/IPv4,
1620 send/receive zero checksums in VXLAN/IPv6 and enable send‐
1621 ing/receiving checksum offloading in VXLAN.
1622 • extensions (sequence of scalars) – since 0.105
1624 Takes the flags group-policy and generic-protocol to enable
1626 the "Group Policy" and/or "Generic Protocol" VXLAN extensions.
1627 • port (scalar) – since 0.105
1629 Configures the default destination UDP port. If the destina‐
1631 tion port is not specified then Linux kernel default will be
1632 used. Set to 4789 to get the IANA assigned value.
1633 • port-range (sequence of scalars) – since 0.105
1635 Configures the source port range for the VXLAN. The kernel
1637 assigns the source UDP port based on the flow to help the re‐
1638 ceiver to do load balancing. When this option is not set, the
1639 normal range of local UDP ports is used. Uses the form [LOW‐
1640 ER, UPPER].
1641 • flow-label (scalar) – since 0.105
1643 Specifies the flow label to use in outgoing packets. The
1645 valid range is 0-1048575.
1646 • do-not-fragment (scalar) – since 0.105
1648 Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
1650 packets. Takes a boolean value. When unset, the kernel's de‐
1651 fault will be used.
1652 Properties for device type vlans:
1654 • id (scalar)
1655 VLAN ID, a number between 0 and 4094.
1657 • link (scalar)
1659 netplan ID of the underlying device definition on which this
1661 VLAN gets created.
1662 Example:
1664 ethernets:
1666 eno1: {...}
1667 vlans:
1668 en-intra:
1669 id: 1
1670 link: eno1
1671 dhcp4: yes
1672 en-vpn:
1673 id: 2
1674 link: eno1
1675 addresses: [...]
1676 Properties for device type vrfs:
1678 • table (scalar) – since 0.105
1679 The numeric routing table identifier. This setting is compul‐
1681 sory.
1682 • interfaces (sequence of scalars) – since 0.105
1684 All devices matching this ID list will be added to the vrf.
1686 This may be an empty list, in which case the vrf will be
1687 brought online with no member interfaces.
1688 • routes (sequence of mappings) – since 0.105
1690 Configure static routing for the device; see the Routing sec‐
1692 tion. The table value is implicitly set to the VRF's table.
1693 • routing-policy (sequence of mappings) – since 0.105
1695 Configure policy routing for the device; see the Routing sec‐
1697 tion. The table value is implicitly set to the VRF's table.
1698 Example:
1700 vrfs:
1702 vrf20:
1703 table: 20
1704 interfaces: [ br0 ]
1705 routes:
1706 - to: default
1707 via: 10.10.10.3
1708 routing-policy:
1709 - from: 10.10.10.42
1710 [...]
1711 bridges:
1712 br0:
1713 interfaces: []
1714 Properties for device type nm-devices:
1716 The nm-devices device type is for internal use only and should not be
1717 used in normal configuration files. It enables a fallback mode for un‐
1718 supported settings, using the passthrough mapping.
1719 Backend-specific configuration parameters
1721 In addition to the other fields available to configure interfaces, some
1722 backends may require to record some of their own parameters in netplan,
1723 especially if the netplan definitions are generated automatically by
1724 the consumer of that backend. Currently, this is only used with Net‐
1725 workManager.
1726 • networkmanager (mapping) – since 0.99
1728 Keeps the NetworkManager-specific configuration parameters
1730 used by the daemon to recognize connections.
1731 • name (scalar) – since 0.99
1733 Set the display name for the connection.
1735 • uuid (scalar) – since 0.99
1737 Defines the UUID (unique identifier) for this connection, as
1739 generated by NetworkManager itself.
1740 • stable-id (scalar) – since 0.99
1742 Defines the stable ID (a different form of a connection
1744 name) used by NetworkManager in case the name of the connec‐
1745 tion might otherwise change, such as when sharing connec‐
1746 tions between users.
1747 • device (scalar) – since 0.99
1749 Defines the interface name for which this connection ap‐
1751 plies.
1752 • passthrough (mapping) – since 0.102
1754 Can be used as a fallback mechanism to missing keyfile set‐
1756 tings.
1757
1759 netplan-generate(8), netplan-apply(8), netplan-try(8), netplan-get(8),
1760 netplan-set(8), netplan-dbus(8), systemd-networkd(8), NetworkManager(8)
1761
1763 Mathieu Trudel-Lapierre (<cyphermox@ubuntu.com>); Martin Pitt (<mar‐
1764 tin.pitt@ubuntu.com>); Lukas Märdian (<slyon@ubuntu.com>).
1765 YAML configuration(5)