IP-LINK(8)                           Linux                          IP-LINK(8)

NAME
       ip-link - network device configuration

SYNOPSIS
       ip link { COMMAND | help }

       ip link add [ link DEVICE ] [ name ] NAME
               [ txqueuelen PACKETS ]
               [ address LLADDR ] [ broadcast LLADDR ]
               [ mtu MTU ] [ index IDX ]
               [ numtxqueues QUEUE_COUNT ] [ numrxqueues QUEUE_COUNT ]
               [ gso_max_size BYTES ] [ gso_ipv4_max_size BYTES ]
               [ gso_max_segs SEGMENTS ]
               [ gro_max_size BYTES ] [ gro_ipv4_max_size BYTES ]
               [ netns { PID | NETNSNAME | NETNSFILE } ]
               type TYPE [ ARGS ]

       ip link delete { DEVICE | group GROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | group GROUP }
               [ { up | down } ]
               [ type ETYPE TYPE_ARGS ]
               [ arp { on | off } ]
               [ dynamic { on | off } ]
               [ multicast { on | off } ]
               [ allmulticast { on | off } ]
               [ promisc { on | off } ]
               [ protodown { on | off } ]
               [ protodown_reason PREASON { on | off } ]
               [ trailers { on | off } ]
               [ txqueuelen PACKETS ]
               [ gso_max_size BYTES ] [ gso_ipv4_max_size BYTES ]
               [ gso_max_segs SEGMENTS ]
               [ gro_max_size BYTES ] [ gro_ipv4_max_size BYTES ]
               [ name NEWNAME ]
               [ address LLADDR ]
               [ broadcast LLADDR ]
               [ mtu MTU ]
               [ netns { PID | NETNSNAME | NETNSFILE } ]
               [ link-netnsid ID ]
               [ alias NAME ]
               [ vf NUM [ mac LLADDR ]
                        [ VFVLAN-LIST ]
                        [ rate TXRATE ]
                        [ max_tx_rate TXRATE ]
                        [ min_tx_rate TXRATE ]
                        [ spoofchk { on | off } ]
                        [ query_rss { on | off } ]
                        [ state { auto | enable | disable } ]
                        [ trust { on | off } ]
                        [ node_guid eui64 ]
                        [ port_guid eui64 ] ]
               [ { xdp | xdpgeneric | xdpdrv | xdpoffload } { off |
                       object FILE [ { section | program } NAME ] [ verbose ] |
                       pinned FILE } ]
               [ master DEVICE ]
               [ nomaster ]
               [ vrf NAME ]
               [ addrgenmode { eui64 | none | stable_secret | random } ]
               [ macaddr [ MACADDR ]
                         [ { flush | add | del } MACADDR ]
                         [ set MACADDR ] ]

       ip link show [ DEVICE | group GROUP ] [ up ] [ master DEVICE ]
               [ type ETYPE ] [ vrf NAME ] [ nomaster ]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

       TYPE := [ amt | bareudp | bond | bridge | can | dsa | dummy |
               erspan | geneve | gre | gretap | gtp | hsr | ifb |
               ip6erspan | ip6gre | ip6gretap | ip6tnl | ipip |
               ipoib | ipvlan | ipvtap | lowpan | macsec | macvlan |
               macvtap | netdevsim | nlmon | rmnet | sit | vcan |
               veth | virt_wifi | vlan | vrf | vti | vxcan | vxlan |
               xfrm ]

       ETYPE := [ TYPE | bridge_slave | bond_slave ]

       VFVLAN-LIST := [ VFVLAN-LIST ] VFVLAN

       VFVLAN := [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]

       ip link property add dev DEVICE [ altname NAME .. ]

       ip link property del dev DEVICE [ altname NAME .. ]

DESCRIPTION
   ip link add - add virtual link
       link DEVICE
              specifies the physical device to operate on.

       NAME   specifies the name of the new virtual device.

       TYPE   specifies the type of the new device.

              Link types:

                      amt - Automatic Multicast Tunneling (AMT)
                      bareudp - Bare UDP L3 encapsulation support
                      bond - Bonding device
                      bridge - Ethernet Bridge device
                      can - Controller Area Network
                      dsa - Distributed Switch Architecture
                      dummy - Dummy network interface
                      erspan - Encapsulated Remote SPAN over GRE and IPv4
                      geneve - GEneric NEtwork Virtualization Encapsulation
                      gre - Virtual tunnel interface GRE over IPv4
                      gretap - Virtual L2 tunnel interface GRE over IPv4
                      gtp - GPRS Tunneling Protocol
                      hsr - High-availability Seamless Redundancy device
                      ifb - Intermediate Functional Block device
                      ip6erspan - Encapsulated Remote SPAN over GRE and IPv6
                      ip6gre - Virtual tunnel interface GRE over IPv6
                      ip6gretap - Virtual L2 tunnel interface GRE over IPv6
                      ip6tnl - Virtual tunnel interface IPv4|IPv6 over IPv6
                      ipip - Virtual tunnel interface IPv4 over IPv4
                      ipoib - IP over Infiniband device
                      ipvlan - Interface for L3 (IPv6/IPv4) based VLANs
                      ipvtap - Interface for L3 (IPv6/IPv4) based VLANs and TAP
                      lowpan - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 /
                      Bluetooth
                      macsec - Interface for IEEE 802.1AE MAC Security (MACsec)
                      macvlan - Virtual interface based on link layer address
                      (MAC)
                      macvtap - Virtual interface based on link layer address
                      (MAC) and TAP.
                      netdevsim - Interface for netdev API tests
                      nlmon - Netlink monitoring device
                      rmnet - Qualcomm rmnet device
                      sit - Virtual tunnel interface IPv6 over IPv4
                      vcan - Virtual Controller Area Network interface
                      veth - Virtual ethernet interface
                      virt_wifi - rtnetlink wifi simulation device
                      vlan - 802.1q tagged virtual LAN interface
                      vrf - Interface for L3 VRF domains
                      vti - Virtual tunnel interface
                      vxcan - Virtual Controller Area Network tunnel interface
                      vxlan - Virtual eXtended LAN
                      xfrm - Virtual xfrm interface

       numtxqueues QUEUE_COUNT
              specifies the number of transmit queues for the new device.

       numrxqueues QUEUE_COUNT
              specifies the number of receive queues for the new device.

       gso_max_size BYTES
              specifies the recommended maximum size of a Generic Segment
              Offload packet the new device should accept. This is also used
              to enable BIG TCP for IPv6 on this device when the size is
              greater than 65536.

       gso_ipv4_max_size BYTES
              specifies the recommended maximum size of an IPv4 Generic
              Segment Offload packet the new device should accept. This is
              especially used to enable BIG TCP for IPv4 on this device by
              setting it to a size greater than 65536.

       gso_max_segs SEGMENTS
              specifies the recommended maximum number of Generic Segment
              Offload segments the new device should accept.

       gro_max_size BYTES
              specifies the maximum size of a packet built by the GRO stack
              on this device. This is also used for BIG TCP to allow the size
              of a merged IPv6 GSO packet on this device to be greater than
              65536.

       gro_ipv4_max_size BYTES
              specifies the maximum size of an IPv4 packet built by the GRO
              stack on this device. This is especially used for BIG TCP to
              allow the size of a merged IPv4 GSO packet on this device to be
              greater than 65536.

       index IDX
              specifies the desired index of the new virtual device. Link
              creation fails if the index is busy.

       netns { PID | NETNSNAME | NETNSFILE }
              create the device in the network namespace associated with
              process PID or the name NETNSNAME or the file NETNSFILE.

       VLAN Type Support
              For a link of type VLAN the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type vlan [ protocol
              VLAN_PROTO ] id VLANID [ reorder_hdr { on | off } ] [ gvrp { on
              | off } ] [ mvrp { on | off } ] [ loose_binding { on | off } ] [
              bridge_binding { on | off } ] [ ingress-qos-map QOS-MAP ] [
              egress-qos-map QOS-MAP ]

                     protocol VLAN_PROTO - either 802.1Q or 802.1ad.

                     id VLANID - specifies the VLAN Identifier to use. Note
                     that numbers with a leading "0" or "0x" are interpreted
                     as octal or hexadecimal, respectively.

                     reorder_hdr { on | off } - specifies whether ethernet
                     headers are reordered or not (default is on).

                            If reorder_hdr is on, the VLAN header is not
                            inserted immediately but only just before the
                            packet is passed to the physical device (if that
                            device does not support VLAN offloading). The RX
                            direction is similar: by default the packet is
                            untagged before it is received by the VLAN
                            device. Reordering allows one to accelerate
                            tagging on egress and to hide the VLAN header on
                            ingress so that the packet looks like a regular
                            Ethernet packet; at the same time it can be
                            confusing for packet capture, as the VLAN header
                            does not exist within the packet.

                            VLAN offloading can be checked by ethtool(8):

                                ethtool -k <phy_dev> | grep tx-vlan-offload

                            where <phy_dev> is the physical device to which
                            the VLAN device is bound.

                     gvrp { on | off } - specifies whether this VLAN should
                     be registered using GARP VLAN Registration Protocol.

                     mvrp { on | off } - specifies whether this VLAN should
                     be registered using Multiple VLAN Registration Protocol.

                     loose_binding { on | off } - specifies whether the VLAN
                     device state is bound to the physical device state.

                     bridge_binding { on | off } - specifies whether the VLAN
                     device link state tracks the state of bridge ports that
                     are members of the VLAN.

                     ingress-qos-map QOS-MAP - defines a mapping of VLAN
                     header prio field to the Linux internal packet priority
                     on incoming frames. The format is FROM:TO with multiple
                     mappings separated by spaces.

                     egress-qos-map QOS-MAP - defines a mapping of Linux
                     internal packet priority to VLAN header prio field but
                     for outgoing frames. The format is the same as for
                     ingress-qos-map.

                            Linux packet priority can be set by iptables(8):

                                iptables -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4

                            and this "4" priority can be used in the egress
                            qos mapping to set VLAN prio "5":

                                ip link set veth0.10 type vlan egress 4:5

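An added example (not part of the ip-link page or of iproute2): a POSIX sh pre-flight check that shows which VLAN ID an `id` argument denotes under the octal/hexadecimal rule above and validates a QOS-MAP string. The 0..4095 ID range and the 0..7 prio range are assumptions taken from the 802.1Q field widths, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for "ip link add ... type vlan" arguments.

# vlan_id_effective RAW
# Prints the decimal VLAN ID that RAW denotes when a leading "0" means octal
# and a leading "0x" means hexadecimal. Returns 2 if RAW is not a number in
# that notation, 3 if it is outside 0..4095 (12-bit field, assumption).
vlan_id_effective() {
    vid_raw=$1
    case $vid_raw in
        0[xX]?*)
            vid_digits=${vid_raw#0[xX]}
            case $vid_digits in *[!0-9a-fA-F]*) return 2 ;; esac
            [ ${#vid_digits} -le 8 ] || return 3
            vid_val=$((0x$vid_digits)) ;;
        0?*)
            vid_digits=${vid_raw#0}
            case $vid_digits in *[!0-7]*) return 2 ;; esac   # "08" is not octal
            [ ${#vid_digits} -le 10 ] || return 3
            vid_val=$((0$vid_digits)) ;;
        ''|*[!0-9]*)
            return 2 ;;
        *)
            [ ${#vid_raw} -le 9 ] || return 3
            vid_val=$(($vid_raw)) ;;
    esac
    [ "$vid_val" -le 4095 ] || return 3
    echo "$vid_val"
}

# qos_map_check DIRECTION "FROM:TO FROM:TO ..."
# DIRECTION is ingress or egress. The VLAN header prio field is 3 bits wide
# (assumption from 802.1Q); it is the FROM side on ingress and the TO side on
# egress. Prints one line per invalid mapping; returns 1 if any were found.
qos_map_check() {
    qm_dir=$1
    qm_bad=0
    for qm_pair in $2; do
        case $qm_pair in
            *[!0-9:]*|*:*:*|:*|*:)
                echo "$qm_pair: not in FROM:TO form"; qm_bad=1; continue ;;
            *:*) ;;
            *)
                echo "$qm_pair: not in FROM:TO form"; qm_bad=1; continue ;;
        esac
        if [ "$qm_dir" = ingress ]; then
            qm_prio=${qm_pair%%:*}
        else
            qm_prio=${qm_pair#*:}
        fi
        case $qm_prio in
            [0-7]) ;;
            *) echo "$qm_pair: VLAN prio $qm_prio is outside 0..7"; qm_bad=1 ;;
        esac
    done
    return $qm_bad
}

# The same two digits give three different VLANs depending on the prefix.
for vid_arg in 10 010 0x10; do
    printf 'id %-5s -> VLAN %s\n' "$vid_arg" "$(vlan_id_effective "$vid_arg")"
done
```
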

       VXLAN Type Support
              For a link of type VXLAN the following additional arguments are
              supported:

              ip link add DEVICE type vxlan id VNI [ dev PHYS_DEV ] [ { group
              | remote } IPADDR ] [ local { IPADDR | any } ] [ ttl TTL ] [ tos
              TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              srcport MIN MAX ] [ [no]learning ] [ [no]proxy ] [ [no]rsc ] [
              [no]l2miss ] [ [no]l3miss ] [ [no]udpcsum ] [
              [no]udp6zerocsumtx ] [ [no]udp6zerocsumrx ] [ ageing SECONDS ] [
              maxaddress NUMBER ] [ [no]external ] [ gbp ] [ gpe ] [
              [no]vnifilter ]

                     id VNI - specifies the VXLAN Network Identifier (or
                     VXLAN Segment Identifier) to use.

                     dev PHYS_DEV - specifies the physical device to use for
                     tunnel endpoint communication.

                     group IPADDR - specifies the multicast IP address to
                     join. This parameter cannot be specified with the remote
                     parameter.

                     remote IPADDR - specifies the unicast destination IP
                     address to use in outgoing packets when the destination
                     link layer address is not known in the VXLAN device
                     forwarding database. This parameter cannot be specified
                     with the group parameter.

                     local IPADDR - specifies the source IP address to use in
                     outgoing packets.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets.

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     df DF - specifies the usage of the Don't Fragment flag
                     (DF) bit in outgoing packets with IPv4 headers. The
                     value inherit causes the bit to be copied from the
                     original IP header. The values unset and set cause the
                     bit to be always unset or always set, respectively. By
                     default, the bit is not set.

                     flowlabel FLOWLABEL - specifies the flow label to use in
                     outgoing packets.

                     dstport PORT - specifies the UDP destination port to
                     communicate to the remote VXLAN tunnel endpoint.

                     srcport MIN MAX - specifies the range of port numbers to
                     use as UDP source ports to communicate to the remote
                     VXLAN tunnel endpoint.

                     [no]learning - specifies if unknown source link layer
                     addresses and IP addresses are entered into the VXLAN
                     device forwarding database.

                     [no]rsc - specifies if route short circuit is turned on.

                     [no]proxy - specifies if ARP proxy is turned on.

                     [no]l2miss - specifies if netlink LLADDR miss
                     notifications are generated.

                     [no]l3miss - specifies if netlink IP ADDR miss
                     notifications are generated.

                     [no]udpcsum - specifies if UDP checksum is calculated
                     for transmitted packets over IPv4.

                     [no]udp6zerocsumtx - skip UDP checksum calculation for
                     transmitted packets over IPv6.

                     [no]udp6zerocsumrx - allow incoming UDP packets over
                     IPv6 with zero checksum field.

                     ageing SECONDS - specifies the lifetime in seconds of
                     FDB entries learnt by the kernel.

                     maxaddress NUMBER - specifies the maximum number of FDB
                     entries.

                     [no]external - specifies whether an external control
                     plane (e.g. ip route encap) or the internal FDB should
                     be used.

                     [no]vnifilter - specifies whether the vxlan device is
                     capable of vni filtering. Only works with a vxlan device
                     with the external flag set. Once enabled, the bridge vni
                     command is used to manage the vni filtering table on the
                     device. The device can only receive packets with vni's
                     configured in the vni filtering table.

                     gbp - enables the Group Policy extension (VXLAN-GBP).

                            Allows one to transport group policy context
                            across VXLAN network peers. If enabled, includes
                            the mark of a packet in the VXLAN header for
                            outgoing packets and fills the packet mark based
                            on the information found in the VXLAN header for
                            incoming packets.

                            Format of upper 16 bits of packet mark (flags):

                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                              D := Don't Learn bit. When set, this bit
                              indicates that the egress VTEP MUST NOT learn
                              the source address of the encapsulated frame.

                              A := Indicates that the group policy has
                              already been applied to this packet. Policies
                              MUST NOT be applied by devices when the A bit
                              is set.

                            Format of lower 16 bits of packet mark (policy
                            ID):

                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              |        Group Policy ID        |
                              +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                            Example:
                              iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF

                     gpe - enables the Generic Protocol extension
                     (VXLAN-GPE). Currently, this is only supported together
                     with the external keyword.

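An added example (not part of the original page): POSIX sh helpers that encode and decode a packet mark according to the VXLAN-GBP layout above and list MARK rules whose value sets the A bit. The bit positions are read from the diagrams with the most significant bit on the left; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: encode, decode and audit packet marks that use the
# VXLAN-GBP layout shown above (most significant bit on the left).
GBP_DONT_LEARN=$((0x00400000))      # D: 10th cell of the upper 16 bits
GBP_POLICY_APPLIED=$((0x00080000))  # A: 13th cell of the upper 16 bits
GBP_ID_MASK=$((0x0000FFFF))         # lower 16 bits: Group Policy ID

# gbp_mark_decode MARK  (decimal or 0x-prefixed hex, at most 32 bits)
# Prints the fields; "reserved" holds any upper-half bit other than D and A.
gbp_mark_decode() {
    case $1 in
        0[xX]?*)
            gm_hex=${1#0[xX]}
            case $gm_hex in *[!0-9a-fA-F]*) return 2 ;; esac
            [ ${#gm_hex} -le 8 ] || return 2
            gm_mark=$((0x$gm_hex)) ;;
        ''|*[!0-9]*|0?*)
            return 2 ;;
        *)
            [ ${#1} -le 10 ] || return 2
            gm_mark=$(($1))
            [ "$gm_mark" -le 4294967295 ] || return 2 ;;
    esac
    gm_id=$(( $gm_mark & $GBP_ID_MASK ))
    gm_d=$(( ($gm_mark & $GBP_DONT_LEARN) != 0 ))
    gm_a=$(( ($gm_mark & $GBP_POLICY_APPLIED) != 0 ))
    gm_res=$(( ($gm_mark >> 16) & 0xFFB7 ))   # 0xFFB7 = all flag bits but D, A
    printf 'policy_id=%d dont_learn=%d policy_applied=%d reserved=0x%X\n' \
        "$gm_id" "$gm_d" "$gm_a" "$gm_res"
}

# gbp_mark_encode POLICY_ID DONT_LEARN POLICY_APPLIED  (flags are 0 or 1)
gbp_mark_encode() {
    case $1 in ''|*[!0-9]*|0?*) return 2 ;; esac
    [ ${#1} -le 5 ] || return 2
    [ "$1" -le 65535 ] || return 2
    ge_mark=$1
    if [ "$2" = 1 ]; then ge_mark=$(( $ge_mark | $GBP_DONT_LEARN )); fi
    if [ "$3" = 1 ]; then ge_mark=$(( $ge_mark | $GBP_POLICY_APPLIED )); fi
    printf '0x%X\n' "$ge_mark"
}

# gbp_audit_rules: reads rule lines on stdin and reports every --set-mark
# value that sets the A bit, i.e. tells receiving devices not to apply policy.
gbp_audit_rules() {
    while IFS= read -r ga_line; do
        case $ga_line in
            *"--set-mark "*) ;;
            *) continue ;;
        esac
        ga_val=${ga_line#*--set-mark }
        ga_val=${ga_val%% *}
        ga_val=${ga_val%%/*}          # drop an optional /mask suffix
        ga_dec=$(gbp_mark_decode "$ga_val") || continue
        case $ga_dec in
            *policy_applied=1*) echo "A bit set: $ga_val ($ga_dec)" ;;
        esac
    done
}

# Constructed sample rules (documentation addresses), not taken from the page.
gbp_sample_rules() {
    cat <<'EOF'
iptables -A OUTPUT -d 192.0.2.10 -j MARK --set-mark 0x800FF
iptables -A OUTPUT -d 192.0.2.11 -j MARK --set-mark 0x100
iptables -A OUTPUT -d 192.0.2.12 -j ACCEPT
EOF
}

gbp_mark_decode 0x800FF
gbp_sample_rules | gbp_audit_rules
```
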

       VETH, VXCAN Type Support
              For a link of types VETH/VXCAN the following additional
              arguments are supported:

              ip link add DEVICE type { veth | vxcan } [ peer name NAME ]

                     peer name NAME - specifies the virtual pair device name
                     of the VETH/VXCAN tunnel.

       IPIP, SIT Type Support
              For a link of type IPIP or SIT the following additional
              arguments are supported:

              ip link add DEVICE type { ipip | sit } remote ADDR local ADDR [
              encap { fou | gue | none } ] [ encap-sport { PORT | auto } ] [
              encap-dport PORT ] [ [no]encap-csum ] [ [no]encap-remcsum ] [
              mode { ip6ip | ipip | mplsip | any } ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     encap { fou | gue | none } - specifies type of secondary
                     UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                     indicates Generic UDP Encapsulation.

                     encap-sport { PORT | auto } - specifies the source port
                     in UDP encapsulation. PORT indicates the port by number,
                     "auto" indicates that the port number should be chosen
                     automatically (the kernel picks a flow based on the flow
                     hash of the encapsulated packet).

                     [no]encap-csum - specifies if UDP checksums are enabled
                     in the secondary encapsulation.

                     [no]encap-remcsum - specifies if Remote Checksum Offload
                     is enabled. This is only applicable for Generic UDP
                     Encapsulation.

                     mode { ip6ip | ipip | mplsip | any } - specifies mode in
                     which device should run. "ip6ip" indicates
                     IPv6-Over-IPv4, "ipip" indicates "IPv4-Over-IPv4",
                     "mplsip" indicates MPLS-Over-IPv4, "any" indicates IPv6,
                     IPv4 or MPLS Over IPv4. Supported for SIT where the
                     default is "ip6ip" and IPIP where the default is "ipip".
                     IPv6-Over-IPv4 is not supported for IPIP.

                     external - make this tunnel externally controlled (e.g.
                     ip route encap).

       GRE Type Support
              For a link of type GRE or GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { gre | gretap } remote ADDR local ADDR
              [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [ [no][i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ [no]ignore-df ] [ dev
              PHYS_DEV ] [ encap { fou | gue | none } ] [ encap-sport { PORT |
              auto } ] [ encap-dport PORT ] [ [no]encap-csum ] [
              [no]encap-remcsum ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     [no][i|o]seq - serialize packets. The oseq flag enables
                     sequencing of outgoing packets. The iseq flag requires
                     that all input packets are serialized.

                     [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                     KEY is either a number or an IPv4 address-like dotted
                     quad. The key parameter specifies the same key to use in
                     both directions. The ikey and okey parameters specify
                     different keys for input and output.

                     [no][i|o]csum - generate/require checksums for tunneled
                     packets. The ocsum flag calculates checksums for
                     outgoing packets. The icsum flag requires that all input
                     packets have the correct checksum. The csum flag is
                     equivalent to the combination icsum ocsum.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets.

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     [no]pmtudisc - enables/disables Path MTU Discovery on
                     this tunnel. It is enabled by default. Note that a fixed
                     ttl is incompatible with nopmtudisc: tunneling with a
                     fixed ttl always performs Path MTU Discovery.

                     [no]ignore-df - enables/disables IPv4 DF suppression on
                     this tunnel. Normally datagrams that exceed the MTU will
                     be fragmented; the presence of the DF flag inhibits
                     this, resulting instead in an ICMP Unreachable
                     (Fragmentation Required) message. Enabling this
                     attribute causes the DF flag to be ignored.

                     dev PHYS_DEV - specifies the physical device to use for
                     tunnel endpoint communication.

                     encap { fou | gue | none } - specifies type of secondary
                     UDP encapsulation. "fou" indicates Foo-Over-UDP, "gue"
                     indicates Generic UDP Encapsulation.

                     encap-sport { PORT | auto } - specifies the source port
                     in UDP encapsulation. PORT indicates the port by number,
                     "auto" indicates that the port number should be chosen
                     automatically (the kernel picks a flow based on the flow
                     hash of the encapsulated packet).

                     [no]encap-csum - specifies if UDP checksums are enabled
                     in the secondary encapsulation.

                     [no]encap-remcsum - specifies if Remote Checksum Offload
                     is enabled. This is only applicable for Generic UDP
                     Encapsulation.

                     external - make this tunnel externally controlled (e.g.
                     ip route encap).

       IP6GRE/IP6GRETAP Type Support
              For a link of type IP6GRE/IP6GRETAP the following additional
              arguments are supported:

              ip link add DEVICE type { ip6gre | ip6gretap } remote ADDR local
              ADDR [ [no][i|o]seq ] [ [i|o]key KEY | no[i|o]key ] [
              [no][i|o]csum ] [ hoplimit TTL ] [ encaplimit ELIM ] [ tclass
              TCLASS ] [ flowlabel FLOWLABEL ] [ dscp inherit ] [
              [no]allow-localremote ] [ dev PHYS_DEV ] [ external ]

                     remote ADDR - specifies the remote IPv6 address of the
                     tunnel.

                     local ADDR - specifies the fixed local IPv6 address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     [no][i|o]seq - serialize packets. The oseq flag enables
                     sequencing of outgoing packets. The iseq flag requires
                     that all input packets are serialized.

                     [i|o]key KEY | no[i|o]key - use keyed GRE with key KEY.
                     KEY is either a number or an IPv4 address-like dotted
                     quad. The key parameter specifies the same key to use in
                     both directions. The ikey and okey parameters specify
                     different keys for input and output.

                     [no][i|o]csum - generate/require checksums for tunneled
                     packets. The ocsum flag calculates checksums for
                     outgoing packets. The icsum flag requires that all input
                     packets have the correct checksum. The csum flag is
                     equivalent to the combination icsum ocsum.

                     hoplimit TTL - specifies Hop Limit value to use in
                     outgoing packets.

                     encaplimit ELIM - specifies a fixed encapsulation limit.
                     Default is 4.

                     flowlabel FLOWLABEL - specifies a fixed flowlabel.

                     [no]allow-localremote - specifies whether to allow
                     remote endpoint to have an address configured on local
                     host.

                     tclass TCLASS - specifies the traffic class field on
                     tunneled packets, which can be specified as either a
                     two-digit hex value (e.g. c0) or a predefined string
                     (e.g. internet). The value inherit causes the field to
                     be copied from the original IP header. The values
                     inherit/STRING or inherit/00..ff will set the field to
                     STRING or 00..ff when tunneling non-IP packets. The
                     default value is 00.

                     external - make this tunnel externally controlled (or
                     not, which is the default). In the kernel, this is
                     referred to as collect metadata mode. This flag is
                     mutually exclusive with the remote, local, seq, key,
                     csum, hoplimit, encaplimit, flowlabel and tclass
                     options.

       IPoIB Type Support
              For a link of type IPoIB the following additional arguments are
              supported:

              ip link add DEVICE name NAME type ipoib [ pkey PKEY ] [ mode
              MODE ]

                     pkey PKEY - specifies the IB P-Key to use.

                     mode MODE - specifies the mode (datagram or connected)
                     to use.

       ERSPAN Type Support
              For a link of type ERSPAN/IP6ERSPAN the following additional
              arguments are supported:

              ip link add DEVICE type { erspan | ip6erspan } remote ADDR local
              ADDR seq key KEY erspan_ver version [ erspan IDX ] [ erspan_dir
              { ingress | egress } ] [ erspan_hwid hwid ] [
              [no]allow-localremote ] [ external ]

                     remote ADDR - specifies the remote address of the
                     tunnel.

                     local ADDR - specifies the fixed local address for
                     tunneled packets. It must be an address on another
                     interface on this host.

                     erspan_ver version - specifies the ERSPAN version
                     number. version indicates the ERSPAN version to be
                     created: 0 for version 0 type I, 1 for version 1 (type
                     II) or 2 for version 2 (type III).

                     erspan IDX - specifies the ERSPAN v1 index field. IDX
                     indicates a 20 bit index/port number associated with the
                     ERSPAN traffic's source port and direction.

                     erspan_dir { ingress | egress } - specifies the ERSPAN
                     v2 mirrored traffic's direction.

                     erspan_hwid hwid - a unique identifier of an ERSPAN v2
                     engine within a system. hwid is a 6-bit value for users
                     to configure.

                     [no]allow-localremote - specifies whether to allow
                     remote endpoint to have an address configured on local
                     host.

                     external - make this tunnel externally controlled (or
                     not, which is the default). In the kernel, this is
                     referred to as collect metadata mode. This flag is
                     mutually exclusive with the remote, local, erspan_ver,
                     erspan, erspan_dir and erspan_hwid options.

       GENEVE Type Support
              For a link of type GENEVE the following additional arguments are
              supported:

              ip link add DEVICE type geneve id VNI remote IPADDR [ ttl TTL ]
              [ tos TOS ] [ df DF ] [ flowlabel FLOWLABEL ] [ dstport PORT ] [
              [no]external ] [ [no]udpcsum ] [ [no]udp6zerocsumtx ] [
              [no]udp6zerocsumrx ] [ innerprotoinherit ]

                     id VNI - specifies the Virtual Network Identifier to
                     use.

                     remote IPADDR - specifies the unicast destination IP
                     address to use in outgoing packets.

                     ttl TTL - specifies the TTL value to use in outgoing
                     packets. "0" or "auto" means use whatever default value,
                     "inherit" means inherit the inner protocol's ttl.
                     Default option is "0".

                     tos TOS - specifies the TOS value to use in outgoing
                     packets.

                     df DF - specifies the usage of the Don't Fragment flag
                     (DF) bit in outgoing packets with IPv4 headers. The
                     value inherit causes the bit to be copied from the
                     original IP header. The values unset and set cause the
                     bit to be always unset or always set, respectively. By
                     default, the bit is not set.

                     flowlabel FLOWLABEL - specifies the flow label to use in
                     outgoing packets.

                     dstport PORT - select a destination port other than the
                     default of 6081.

                     [no]external - make this tunnel externally controlled
                     (or not, which is the default). This flag is mutually
                     exclusive with the id, remote, ttl, tos and flowlabel
                     options.

                     [no]udpcsum - specifies if UDP checksum is calculated
                     for transmitted packets over IPv4.

                     [no]udp6zerocsumtx - skip UDP checksum calculation for
                     transmitted packets over IPv6.

                     [no]udp6zerocsumrx - allow incoming UDP packets over
                     IPv6 with zero checksum field.

                     innerprotoinherit - use IPv4/IPv6 as inner protocol
                     instead of Ethernet.

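An added example (not iproute2 code): a POSIX sh lint for the words that follow `type TYPE`, applying the constraints stated in the VXLAN, IP6GRE, ERSPAN and GENEVE sections above (group versus remote, vnifilter and gpe needing external, and the options listed as mutually exclusive with external). The function names and the sample arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the words after "type TYPE" in an "ip link add" command
# against constraints stated in this page.
# Limitation: a value that happens to equal a keyword is treated as that keyword.

# has_word WORD: true if WORD is one of the words in $LINT_WORDS.
has_word() {
    case " $LINT_WORDS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# has_opt OPT: like has_word, but seq/key/csum also match their i- and
# o-prefixed forms (iseq, okey, ...) documented for the GRE family.
has_opt() {
    case $1 in
        seq|key|csum) has_word "$1" || has_word "i$1" || has_word "o$1" ;;
        *) has_word "$1" ;;
    esac
}

# external_excludes TYPE: options the page lists as mutually exclusive with
# "external" for that link type (prints nothing if the page lists none).
external_excludes() {
    case $1 in
        geneve)           echo "id remote ttl tos flowlabel" ;;
        ip6gre|ip6gretap) echo "remote local seq key csum hoplimit encaplimit flowlabel tclass" ;;
        erspan|ip6erspan) echo "remote local erspan_ver erspan erspan_dir erspan_hwid" ;;
    esac
}

# lint_note TEXT: append one finding to $LINT_OUT, newline separated.
lint_note() {
    LINT_OUT="${LINT_OUT}${LINT_OUT:+
}$1"
}

# lint_tunnel_args TYPE WORD...
# Prints one finding per line; returns 1 if there is at least one finding.
lint_tunnel_args() {
    lint_type=$1
    shift
    LINT_WORDS=$*
    LINT_OUT=""

    if has_word external; then
        for lint_opt in $(external_excludes "$lint_type"); do
            if has_opt "$lint_opt"; then
                lint_note "$lint_type: '$lint_opt' is mutually exclusive with 'external'"
            fi
        done
    fi

    if [ "$lint_type" = vxlan ]; then
        if has_word group && has_word remote; then
            lint_note "vxlan: 'group' cannot be specified with 'remote'"
        fi
        for lint_opt in vnifilter gpe; do
            if has_word "$lint_opt" && ! has_word external; then
                lint_note "vxlan: '$lint_opt' requires 'external'"
            fi
        done
    fi

    case $lint_type in
        vxlan|geneve)
            if has_word udp6zerocsumrx; then
                lint_note "$lint_type: 'udp6zerocsumrx' accepts IPv6 UDP packets with a zero checksum"
            fi ;;
    esac

    if [ -z "$LINT_OUT" ]; then
        return 0
    fi
    printf '%s\n' "$LINT_OUT"
    return 1
}

# Constructed argument lists (documentation addresses), not from the page.
lint_tunnel_args vxlan id 42 group 239.1.1.1 remote 192.0.2.1 vnifilter || :
lint_tunnel_args geneve id 100 remote 192.0.2.1 dstport 6081 && echo "geneve: no findings"
```
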

       Bareudp Type Support
              For a link of type Bareudp the following additional arguments
              are supported:

              ip link add DEVICE type bareudp dstport PORT ethertype PROTO [
              srcportmin PORT ] [ [no]multiproto ]

                     dstport PORT - specifies the destination port for the
                     UDP tunnel.

                     ethertype PROTO - specifies the ethertype of the L3
                     protocol being tunnelled. ethertype can be given as
                     plain Ethernet protocol number or using the protocol
                     name ("ipv4", "ipv6", "mpls_uc", etc.).

                     srcportmin PORT - selects the lowest value of the UDP
                     tunnel source port range.

                     [no]multiproto - activates support for protocols similar
                     to the one specified by ethertype. When ethertype is
                     "mpls_uc" (that is, unicast MPLS), this allows the
                     tunnel to also handle multicast MPLS. When ethertype is
                     "ipv4", this allows the tunnel to also handle IPv6. This
                     option is disabled by default.

       AMT Type Support
              For a link of type AMT the following additional arguments are
              supported:

              ip link add DEVICE type amt discovery IPADDR mode { gateway |
              relay } local IPADDR dev PHYS_DEV [ relay_port PORT ] [
              gateway_port PORT ] [ max_tunnels NUMBER ]

                     discovery IPADDR - specifies the unicast discovery IP
                     address to use to find remote IP address.

                     mode { gateway | relay } - specifies the role of AMT,
                     Gateway or Relay.

                     local IPADDR - specifies the source IP address to use in
                     outgoing packets.

                     dev PHYS_DEV - specifies the underlying physical
                     interface from which transform traffic is sent and
                     received.

                     relay_port PORT - specifies the UDP Relay port to
                     communicate to the Relay.

                     gateway_port PORT - specifies the UDP Gateway port to
                     communicate to the Gateway.

                     max_tunnels NUMBER - specifies the maximum number of
                     tunnels.

       MACVLAN and MACVTAP Type Support
              For a link of type MACVLAN or MACVTAP the following additional
              arguments are supported:

              ip link add link DEVICE name NAME type { macvlan | macvtap }
              mode { private | vepa | bridge | passthru [ nopromisc ] |
              source [ nodst ] } [ bcqueuelen { LENGTH } ] [ bclim LIMIT ]

                     type { macvlan | macvtap } - specifies the link type to
                     use. macvlan creates just a virtual interface, while
                     macvtap in addition creates a character device /dev/tapX
                     to be used just like a tuntap device.

                     mode private - Do not allow communication between
                     macvlan instances on the same physical interface, even
                     if the external switch supports hairpin mode.

                     mode vepa - Virtual Ethernet Port Aggregator mode. Data
                     from one macvlan instance to the other on the same
                     physical interface is transmitted over the physical
                     interface. Either the attached switch needs to support
                     hairpin mode, or there must be a TCP/IP router
                     forwarding the packets in order to allow communication.
                     This is the default mode.

                     mode bridge - In bridge mode, all endpoints are directly
                     connected to each other; communication is not redirected
                     through the physical interface's peer.

                     mode passthru [ nopromisc ] - This mode gives more power
                     to a single endpoint, usually in macvtap mode. It is not
                     allowed for more than one endpoint on the same physical
                     interface. All traffic will be forwarded to this
                     endpoint, allowing virtio guests to change MAC address
                     or set promiscuous mode in order to bridge the interface
                     or create vlan interfaces on top of it. By default, this
                     mode forces the underlying interface into promiscuous
                     mode. Passing the nopromisc flag prevents this, so the
                     promisc flag may be controlled using standard tools.

                     mode source [ nodst ] - allows one to set a list of
                     allowed MAC addresses, which is used to match against
                     the source MAC address of frames received on the
                     underlying interface. This allows creating MAC-based
                     VLAN associations instead of the standard port- or
                     tag-based ones. The feature is useful for deploying
                     802.1x MAC-based behavior where drivers of the
                     underlying interfaces do not allow that. By default,
                     packets are also considered (duplicated) for
                     destination-based MACVLAN. Passing the nodst flag stops
                     matching packets from also going through the
                     destination-based flow.

                     bcqueuelen { LENGTH } - Set the length of the RX queue
                     used to process broadcast and multicast packets. LENGTH
                     must be a non-negative integer in the range
                     [0-4294967295]. Setting a length of 0 will effectively
                     drop all broadcast/multicast traffic. If not specified,
                     the macvlan driver default (1000) is used. Note that all
                     macvlans that share the same underlying device use the
                     same queue. The parameter here is a request; the actual
                     queue length used will be the maximum length that any
                     macvlan interface has requested. When listing device
                     parameters, both the bcqueuelen parameter and the actual
                     used bcqueuelen are listed to better help the user
                     understand the setting.

                     bclim LIMIT - Set the threshold for broadcast queueing.
                     LIMIT must be a 32-bit integer. Setting this to -1
                     disables broadcast queueing altogether. Otherwise a
                     multicast address will be queued as broadcast if the
                     number of devices using it is greater than the given
                     value.

       High-availability Seamless Redundancy (HSR) Support
              For a link of type HSR the following additional arguments are
              supported:

              ip link add link DEVICE name NAME type hsr slave1 SLAVE1-IF
              slave2 SLAVE2-IF [ supervision ADDR-BYTE ] [ version { 0 | 1 } ]
              [ proto { 0 | 1 } ]

                     type hsr - specifies the link type to use, here HSR.

                     slave1 SLAVE1-IF - Specifies the physical device used
                     for the first of the two ring ports.

                     slave2 SLAVE2-IF - Specifies the physical device used
                     for the second of the two ring ports.

                     supervision ADDR-BYTE - The last byte of the multicast
                     address used for HSR supervision frames. Default option
                     is "0", possible values 0-255.

                     version { 0 | 1 } - Selects the protocol version of the
                     interface. Default option is "0", which corresponds to
                     the 2010 version of the HSR standard. Option "1"
                     activates the 2012 version.

                     proto { 0 | 1 } - Selects the protocol at the interface.
                     Default option is "0", which corresponds to the HSR
                     standard. Option "1" activates the Parallel Redundancy
                     Protocol (PRP).

1007 BRIDGE Type Support
1008 For a link of type BRIDGE the following additional arguments are
1009 supported:
1010
1011 ip link add DEVICE type bridge [ ageing_time AGEING_TIME ] [
1012 group_fwd_mask MASK ] [ group_address ADDRESS ] [ forward_delay
1013 FORWARD_DELAY ] [ hello_time HELLO_TIME ] [ max_age MAX_AGE ] [
1014 stp_state STP_STATE ] [ priority PRIORITY ] [ no_linklocal_learn
1015 NO_LINKLOCAL_LEARN ] [ vlan_filtering VLAN_FILTERING ] [
1016 vlan_protocol VLAN_PROTOCOL ] [ vlan_default_pvid VLAN_DE‐
1017 FAULT_PVID ] [ vlan_stats_enabled VLAN_STATS_ENABLED ] [
1018 vlan_stats_per_port VLAN_STATS_PER_PORT ] [ mcast_snooping MUL‐
1019 TICAST_SNOOPING ] [ mcast_vlan_snooping MULTICAST_VLAN_SNOOPING
1020 ] [ mcast_router MULTICAST_ROUTER ] [ mcast_query_use_ifaddr
1021 MCAST_QUERY_USE_IFADDR ] [ mcast_querier MULTICAST_QUERIER ] [
1022 mcast_hash_elasticity HASH_ELASTICITY ] [ mcast_hash_max
1023 HASH_MAX ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
1024 mcast_startup_query_count STARTUP_QUERY_COUNT ] [
1025 mcast_last_member_interval LAST_MEMBER_INTERVAL ] [ mcast_mem‐
1026 bership_interval MEMBERSHIP_INTERVAL ] [ mcast_querier_interval
1027 QUERIER_INTERVAL ] [ mcast_query_interval QUERY_INTERVAL ] [
1028 mcast_query_response_interval QUERY_RESPONSE_INTERVAL ] [
1029 mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
1030 mcast_stats_enabled MCAST_STATS_ENABLED ] [ mcast_igmp_version
1031 IGMP_VERSION ] [ mcast_mld_version MLD_VERSION ] [ nf_call_ipta‐
1032 bles NF_CALL_IPTABLES ] [ nf_call_ip6tables NF_CALL_IP6TABLES ]
1033 [ nf_call_arptables NF_CALL_ARPTABLES ]
1034
1035
1036 ageing_time AGEING_TIME - configure the bridge's FDB
1037 entries ageing time, ie the number of seconds a MAC
1038 address will be kept in the FDB after a packet has been
1039 received from that address. After this time has passed,
1040 entries are cleaned up.
1041
1042 group_fwd_mask MASK - set the group forward mask. This
1043 is the bitmask that is applied to decide whether to for‐
1044 ward incoming frames destined to link-local addresses,
1045 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1046 0, ie the bridge does not forward any link-local
1047 frames).
1048
1049 group_address ADDRESS - set the MAC address of the
1050 multicast group this bridge uses for STP. The address must
1051 be a link-local address in standard Ethernet MAC address
1052 format, ie an address of the form 01:80:C2:00:00:0X,
1053 with X in [0, 4..f].
1055
1056 forward_delay FORWARD_DELAY - set the forwarding delay
1057 in seconds, ie the time spent in LISTENING state (before
1058 moving to LEARNING) and in LEARNING state (before moving
1059 to FORWARDING). Only relevant if STP is enabled. Valid
1060 values are between 2 and 30.
1061
1062 hello_time HELLO_TIME - set the time in seconds between
1063 hello packets sent by the bridge, when it is a root
1064 bridge or a designated bridge. Only relevant if STP is
1065 enabled. Valid values are between 1 and 10.
1066
1067 max_age MAX_AGE - set the hello packet timeout, ie the
1068 time in seconds until another bridge in the spanning
1069 tree is assumed to be dead, after reception of its last
1070 hello message. Only relevant if STP is enabled. Valid
1071 values are between 6 and 40.
1072
1073 stp_state STP_STATE - turn spanning tree protocol on
1074 (STP_STATE > 0) or off (STP_STATE == 0) for this
1075 bridge.
1076
1077 priority PRIORITY - set this bridge's spanning tree pri‐
1078 ority, used during STP root bridge election. PRIORITY
1079 is a 16bit unsigned integer.
1080
1081 no_linklocal_learn NO_LINKLOCAL_LEARN - turn link-local
1082 learning on (NO_LINKLOCAL_LEARN == 0) or off (NO_LINKLO‐
1083 CAL_LEARN > 0). When disabled, the bridge will not
1084 learn from link-local frames (default: enabled).
1085
1086 vlan_filtering VLAN_FILTERING - turn VLAN filtering on
1087 (VLAN_FILTERING > 0) or off (VLAN_FILTERING == 0). When
1088 disabled, the bridge will not consider the VLAN tag when
1089 handling packets.
1090
1091 vlan_protocol { 802.1Q | 802.1ad } - set the protocol
1092 used for VLAN filtering.
1093
1094 vlan_default_pvid VLAN_DEFAULT_PVID - set the default
1095 PVID (native/untagged VLAN ID) for this bridge.
1096
1097 vlan_stats_enabled VLAN_STATS_ENABLED - enable
1098 (VLAN_STATS_ENABLED == 1) or disable (VLAN_STATS_ENABLED
1099 == 0) per-VLAN stats accounting.
1100
1101 vlan_stats_per_port VLAN_STATS_PER_PORT - enable
1102 (VLAN_STATS_PER_PORT == 1) or disable
1103 (VLAN_STATS_PER_PORT == 0) per-VLAN per-port stats ac‐
1104 counting. Can be changed only when there are no port
1105 VLANs configured.
1106
1107 mcast_snooping MULTICAST_SNOOPING - turn multicast
1108 snooping on (MULTICAST_SNOOPING > 0) or off (MULTI‐
1109 CAST_SNOOPING == 0).
1110
1111 mcast_vlan_snooping MULTICAST_VLAN_SNOOPING - turn mul‐
1112 ticast VLAN snooping on (MULTICAST_VLAN_SNOOPING > 0) or
1113 off (MULTICAST_VLAN_SNOOPING == 0).
1114
1115 mcast_router MULTICAST_ROUTER - set bridge's multicast
1116 router if IGMP snooping is enabled. MULTICAST_ROUTER is
1117 an integer value having the following meaning:
1118
1119 0 - disabled.
1120
1121 1 - automatic (queried).
1122
1123 2 - permanently enabled.
1124
1125 mcast_query_use_ifaddr MCAST_QUERY_USE_IFADDR - whether
1126 to use the bridge's own IP address as source address for
1127 IGMP queries (MCAST_QUERY_USE_IFADDR > 0) or the default
1128 of 0.0.0.0 (MCAST_QUERY_USE_IFADDR == 0).
1129
1130 mcast_querier MULTICAST_QUERIER - enable (MULTI‐
1131 CAST_QUERIER > 0) or disable (MULTICAST_QUERIER == 0)
1132 IGMP querier, ie sending of multicast queries by the
1133 bridge (default: disabled).
1134
1135 mcast_querier_interval QUERIER_INTERVAL - interval
1136 between queries sent by other routers. If no queries are
1137 seen after this delay has passed, the bridge will start
1138 to send its own queries (as if mcast_querier was en‐
1139 abled).
1140
1141 mcast_hash_elasticity HASH_ELASTICITY - set multicast
1142 database hash elasticity, ie the maximum chain length in
1143 the multicast hash table (defaults to 4).
1144
1145 mcast_hash_max HASH_MAX - set maximum size of multicast
1146 hash table (defaults to 512, value must be a power of
1147 2).
1148
1149 mcast_last_member_count LAST_MEMBER_COUNT - set multi‐
1150 cast last member count, ie the number of queries the
1151 bridge will send before stopping forwarding a multicast
1152 group after a "leave" message has been received (de‐
1153 faults to 2).
1154
1155 mcast_last_member_interval LAST_MEMBER_INTERVAL - inter‐
1156 val between queries to find remaining members of a
1157 group, after a "leave" message is received.
1158
1159 mcast_startup_query_count STARTUP_QUERY_COUNT - set the
1160 number of IGMP queries to send during startup phase (de‐
1161 faults to 2).
1162
1163 mcast_startup_query_interval STARTUP_QUERY_INTERVAL -
1164 interval between queries in the startup phase.
1165
1166 mcast_query_interval QUERY_INTERVAL - interval between
1167 queries sent by the bridge after the end of the startup
1168 phase.
1169
1170 mcast_query_response_interval QUERY_RESPONSE_INTERVAL -
1171 set the Max Response Time/Maximum Response Delay for
1172 IGMP/MLD queries sent by the bridge.
1173
1174 mcast_membership_interval MEMBERSHIP_INTERVAL - delay
1175 after which the bridge will leave a group, if no member‐
1176 ship reports for this group are received.
1177
1178 mcast_stats_enabled MCAST_STATS_ENABLED - enable
1179 (MCAST_STATS_ENABLED > 0) or disable (MCAST_STATS_EN‐
1180 ABLED == 0) multicast (IGMP/MLD) stats accounting.
1181
1182 mcast_igmp_version IGMP_VERSION - set the IGMP version.
1183
1184 mcast_mld_version MLD_VERSION - set the MLD version.
1185
1186 nf_call_iptables NF_CALL_IPTABLES - enable (NF_CALL_IPT‐
1187 ABLES > 0) or disable (NF_CALL_IPTABLES == 0) iptables
1188 hooks on the bridge.
1189
1190 nf_call_ip6tables NF_CALL_IP6TABLES - enable
1191 (NF_CALL_IP6TABLES > 0) or disable (NF_CALL_IP6TABLES ==
1192 0) ip6tables hooks on the bridge.
1193
1194 nf_call_arptables NF_CALL_ARPTABLES - enable
1195 (NF_CALL_ARPTABLES > 0) or disable (NF_CALL_ARPTABLES ==
1196 0) arptables hooks on the bridge.
1197
1198
1199
1200
1201 MACsec Type Support
1202 For a link of type MACsec the following additional arguments are
1203 supported:
1204
1205 ip link add link DEVICE name NAME type macsec [ [ address
1206 <lladdr> ] port PORT | sci SCI ] [ cipher CIPHER_SUITE ] [
1207 icvlen { 8..16 } ] [ encrypt { on | off } ] [ send_sci { on |
1208 off } ] [ end_station { on | off } ] [ scb { on | off } ] [ pro‐
1209 tect { on | off } ] [ replay { on | off } window { 0..2^32-1 } ]
1210 [ validate { strict | check | disabled } ] [ encodingsa { 0..3 }
1211 ]
1212
1213
1214 address <lladdr> - sets the system identifier component
1215 of secure channel for this MACsec device.
1216
1217
1218 port PORT - sets the port number component of secure
1219 channel for this MACsec device, in a range from 1 to
1220 65535 inclusive. Numbers with a leading "0" or "0x"
1221 are interpreted as octal and hexadecimal, respectively.
1222
1223
1224 sci SCI - sets the secure channel identifier for this
1225 MACsec device. SCI is a 64bit wide number in hexadeci‐
1226 mal format.
1227
1228
1229 cipher CIPHER_SUITE - defines the cipher suite to use.
1230
1231
1232 icvlen LENGTH - sets the length of the Integrity Check
1233 Value (ICV).
1234
1235
1236 encrypt on or encrypt off - switches between authenti‐
1237 cated encryption, or authenticity mode only.
1238
1239
1240 send_sci on or send_sci off - specifies whether the SCI
1241 is included in every packet, or only when it is neces‐
1242 sary.
1243
1244
1245 end_station on or end_station off - sets the End Station
1246 bit.
1247
1248
1249 scb on or scb off - sets the Single Copy Broadcast bit.
1250
1251
1252 protect on or protect off - enables MACsec protection on
1253 the device.
1254
1255
1256 replay on or replay off - enables replay protection on
1257 the device.
1258
1259
1260
1261 window SIZE - sets the size of the replay win‐
1262 dow.
1263
1264
1265
1266 validate strict or validate check or validate disabled -
1267 sets the validation mode on the device.
1268
1269
1270 encodingsa AN - sets the active secure association for
1271 transmission.
1272
1273
1274
1275 VRF Type Support
1276 For a link of type VRF the following additional arguments are
1277 supported:
1278
1279 ip link add DEVICE type vrf table TABLE
1280
1281
1282 table TABLE - table id associated with VRF device
1283
1284
1285
1286 RMNET Type Support
1287 For a link of type RMNET the following additional arguments are
1288 supported:
1289
1290 ip link add link DEVICE name NAME type rmnet mux_id MUXID
1291
1292
1293 mux_id MUXID - specifies the mux identifier for the rm‐
1294 net device, possible values 1-254.
1295
1296
1297
1298 XFRM Type Support
1299 For a link of type XFRM the following additional arguments are
1300 supported:
1301
1302 ip link add DEVICE type xfrm dev PHYS_DEV [ if_id IF_ID ] [ ex‐
1303 ternal ]
1304
1305
1306 dev PHYS_DEV - specifies the underlying physical inter‐
1307 face from which transform traffic is sent and received.
1308
1309
1310 if_id IF_ID - specifies the hexadecimal lookup key used
1311 to send traffic to and from specific xfrm policies.
1312 Policies must be configured with the same key. If not
1313 set, the key defaults to 0 and will match any policies
1314 which similarly do not have a lookup key configuration.
1315
1316
1317 external - make this device externally controlled. This
1318 flag is mutually exclusive with the dev and if_id op‐
1319 tions.
1320
1321
1322
1323 GTP Type Support
1324 For a link of type GTP the following additional arguments are
1325 supported:
1326
1327 ip link add DEVICE type gtp role ROLE hsize HSIZE
1328
1329
1330 role ROLE - specifies the role of the GTP device, either
1331 sgsn or ggsn
1332
1333
1334 hsize HSIZE - specifies size of the hashtable which
1335 stores PDP contexts
1336
1337
1338 restart_count RESTART_COUNT - GTP instance restart
1339 counter
1340
1341
1342
1343 ip link delete - delete virtual link
1344 dev DEVICE
1345 specifies the virtual device to operate on.
1346
1347
1348 group GROUP
1349 specifies the group of virtual links to delete. Group 0 is not
1350 allowed to be deleted since it is the default group.
1351
1352
1353 type TYPE
1354 specifies the type of the device.
1355
1356
1357 ip link set - change device attributes
1358 Warning: If multiple parameter changes are requested, ip aborts immedi‐
1359 ately after any of the changes have failed. This is the only case when
1360 ip can move the system to an unpredictable state. The solution is to
1361 avoid changing several parameters with one ip link set call. The modi‐
1362 fier change is equivalent to set.
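
The advice in this warning, sketched as an added example (not part of the original man page): each change is sent as its own ip link set call, and the first failure stops the run and reports exactly which changes took effect. The function name apply_link_changes and the IP_CMD override are hypothetical; IP_CMD exists only so the function can be exercised against a stub instead of real interfaces.

```shell
#!/bin/sh
# Apply several link changes as separate "ip link set" calls.
# Stops at the first failure and prints which changes were applied,
# so the device is never left in an unknown, half-changed state.
#
# Usage: apply_link_changes DEVICE "CHANGE" ["CHANGE" ...]
#   e.g. apply_link_changes eth0 "mtu 9000" "txqueuelen 2000" "up"
#
# IP_CMD (hypothetical override) names the command to run; default "ip".

apply_link_changes() {
    dev=$1
    shift
    applied=""
    for change in "$@"; do
        # $change is deliberately unquoted so that "mtu 9000" splits into
        # two arguments. Pass only operator-written values here, never
        # strings taken from untrusted input.
        # shellcheck disable=SC2086
        if ${IP_CMD:-ip} link set dev "$dev" $change; then
            applied="${applied:+$applied; }$change"
        else
            echo "FAILED: $change"
            echo "APPLIED: ${applied:-none}"
            return 1
        fi
    done
    echo "APPLIED: $applied"
    return 0
}
```

Changes listed after the failed one are never attempted, so the APPLIED line is the complete set of modifications to review or revert.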
1363
1364
1365
1366 dev DEVICE
1367 DEVICE specifies network device to operate on. When configuring
1368 SR-IOV Virtual Function (VF) devices, this keyword should spec‐
1369 ify the associated Physical Function (PF) device.
1370
1371
1372 group GROUP
1373 GROUP has a dual role: If both group and dev are present, then
1374 move the device to the specified group. If only a group is spec‐
1375 ified, then the command operates on all devices in that group.
1376
1377
1378 up and down
1379 change the state of the device to UP or DOWN.
1380
1381
1382 arp on or arp off
1383 change the NOARP flag on the device.
1384
1385
1386 multicast on or multicast off
1387 change the MULTICAST flag on the device.
1388
1389
1390 allmulticast on or allmulticast off
1391 change the ALLMULTI flag on the device. When enabled, instructs
1392 network driver to retrieve all multicast packets from the net‐
1393 work to the kernel for further processing.
1394
1395
1396 promisc on or promisc off
1397 change the PROMISC flag on the device. When enabled, activates
1398 promiscuous operation of the network device.
1399
1400
1401 trailers on or trailers off
1402 change the NOTRAILERS flag on the device. NOT used by Linux;
1403 exists for BSD compatibility.
1404
1405
1406 protodown on or protodown off
1407 change the PROTODOWN state on the device. Indicates that a pro‐
1408 tocol error has been detected on the port. Switch drivers can
1409 react to this error by doing a phys down on the switch port.
1410
1411
1412 protodown_reason PREASON on or off
1413 set PROTODOWN reasons on the device. protodown reason bit names
1414 can be enumerated under /etc/iproute2/protodown_reasons.d/.
1415 Possible reason bits are 0-31.
1416
1417
1418 dynamic on or dynamic off
1419 change the DYNAMIC flag on the device. Indicates that address
1420 can change when interface goes down (currently NOT used by
1421 Linux).
1422
1423
1424 name NAME
1425 change the name of the device. This operation is not recommended
1426 if the device is running or has some addresses already config‐
1427 ured.
1428
1429
1430 txqueuelen NUMBER
1431
1432 txqlen NUMBER
1433 change the transmit queue length of the device.
1434
1435
1436 mtu NUMBER
1437 change the MTU of the device.
1438
1439
1440 address LLADDRESS
1441 change the station address of the interface.
1442
1443
1444 broadcast LLADDRESS
1445
1446 brd LLADDRESS
1447
1448 peer LLADDRESS
1449 change the link layer broadcast address or the peer address when
1450 the interface is POINTOPOINT.
1451
1452
1453 netns { PID | NETNSNAME | NETNSFILE }
1454 move the device to the network namespace associated with process
1455 PID or the name NETNSNAME or the file NETNSFILE.
1456
1457 Some devices are not allowed to change network namespace:
1458 loopback, bridge, wireless. These are network namespace local
1459 devices. In such a case the ip tool will return an "Invalid
1460 argument" error. It is possible to find out if a device is local
1461 to a single network namespace by checking the netns-local flag
1462 in the output of ethtool:
1463
1464 ethtool -k DEVICE
1465
1466 To change network namespace for wireless devices the iw tool can
1467 be used. But it allows one to change network namespace only for
1468 physical devices and by process PID.
1469
1470
1471 alias NAME
1472 give the device a symbolic name for easy reference.
1473
1474
1475 group GROUP
1476 specify the group the device belongs to. The available groups
1477 are listed in file /etc/iproute2/group.
1478
1479
1480 vf NUM specify a Virtual Function device to be configured. The associ‐
1481 ated PF device must be specified using the dev parameter.
1482
1483 mac LLADDRESS - change the station address for the spec‐
1484 ified VF. The vf parameter must be specified.
1485
1486
1487 vlan VLANID - change the assigned VLAN for the specified
1488 VF. When specified, all traffic sent from the VF will be
1489 tagged with the specified VLAN ID. Incoming traffic will
1490 be filtered for the specified VLAN ID, and will have all
1491 VLAN tags stripped before being passed to the VF. Set‐
1492 ting this parameter to 0 disables VLAN tagging and fil‐
1493 tering. The vf parameter must be specified.
1494
1495
1496 qos VLAN-QOS - assign VLAN QOS (priority) bits for the
1497 VLAN tag. When specified, all VLAN tags transmitted by
1498 the VF will include the specified priority bits in the
1499 VLAN tag. If not specified, the value is assumed to be
1500 0. Both the vf and vlan parameters must be specified.
1501 Setting both vlan and qos as 0 disables VLAN tagging and
1502 filtering for the VF.
1503
1504
1505 proto VLAN-PROTO - assign VLAN PROTOCOL for the VLAN
1506 tag, either 802.1Q or 802.1ad. Setting to 802.1ad, all
1507 traffic sent from the VF will be tagged with VLAN S-Tag.
1508 Incoming traffic will have VLAN S-Tags stripped before
1509 being passed to the VF. Setting to 802.1ad also enables
1510 an option to concatenate another VLAN tag, so both S-TAG
1511 and C-TAG will be inserted/stripped for outgoing/incom‐
1512 ing traffic, respectively. If not specified, the value
1513 is assumed to be 802.1Q. Both the vf and vlan parameters
1514 must be specified.
1515
1516
1517 rate TXRATE - change the allowed transmit bandwidth, in
1518 Mbps, for the specified VF. Setting this parameter to 0
1519 disables rate limiting. vf parameter must be specified.
1520 Please use new API max_tx_rate option instead.
1521
1522
1523 max_tx_rate TXRATE - change the allowed maximum transmit
1524 bandwidth, in Mbps, for the specified VF. Setting this
1525 parameter to 0 disables rate limiting. vf parameter
1526 must be specified.
1527
1528
1529 min_tx_rate TXRATE - change the allowed minimum transmit
1530 bandwidth, in Mbps, for the specified VF. Minimum
1531 TXRATE should be always <= Maximum TXRATE. Setting this
1532 parameter to 0 disables rate limiting. vf parameter
1533 must be specified.
1534
1535
1536 spoofchk on|off - turn packet spoof checking on or off
1537 for the specified VF.
1538
1539 query_rss on|off - toggle the ability of querying the
1540 RSS configuration of a specific VF. VF RSS information
1541 like RSS hash key may be considered sensitive on some
1542 devices where this information is shared between VF and
1543 PF and thus its querying may be prohibited by default.
1544
1545 state auto|enable|disable - set the virtual link state
1546 as seen by the specified VF. Setting to auto means a
1547 reflection of the PF link state, enable lets the VF
1548 communicate with other VFs on this host even if the PF
1549 link state is down, disable causes the HW to drop any
1550 packets sent by the VF.
1551
1552 trust on|off - trust the specified VF user. This allows
1553 the VF user to set a specific feature which may impact
1554 security and/or performance (e.g. VF multicast
1555 promiscuous mode).
1556
1557 node_guid eui64 - configure node GUID for Infiniband
1558 VFs.
1559
1560 port_guid eui64 - configure port GUID for Infiniband
1561 VFs.
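
An audit of the VF options above, as an added example (not part of the original man page): it reads ip link show output for a PF, flags VFs that deviate from a restrictive baseline (spoofchk on, trust off, query_rss off), and prints the ip link set commands that restore it. The baseline is an assumed policy, the function names are hypothetical, and the sample output is constructed; the "spoof checking", "trust" and "query_rss" wording of the vf lines is assumed to match what the installed iproute2 prints.

```shell
#!/bin/sh
# Audit SR-IOV VF settings from "ip link show dev PF" output on stdin.
# Emits one finding per line as: VF_NUMBER OPTION CURRENT_VALUE

audit_vf_lines() {
    awk '
    $1 == "vf" && $2 ~ /^[0-9]+$/ {
        vf = $2
        if ($0 ~ /spoof checking off/) print vf, "spoofchk", "off"
        if ($0 ~ /trust on/)           print vf, "trust", "on"
        if ($0 ~ /query_rss on/)       print vf, "query_rss", "on"
    }'
}

# Turn findings into the commands that flip each option back to the
# baseline. $1 is the PF device, as required by the dev keyword.
vf_remediation() {
    awk -v pf="$1" '{
        want = ($3 == "on") ? "off" : "on"
        print "ip link set dev " pf " vf " $1 " " $2 " " want
    }'
}

# Constructed sample output (not captured from a real host).
sample_pf_output() {
    cat <<'EOF'
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:00:00:10 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:00:00:a0 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off, query_rss off
    vf 1     link/ether 52:54:00:00:00:a1 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking off, link-state auto, trust on, query_rss off
    vf 2     link/ether 52:54:00:00:00:a2 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state enable, trust off, query_rss on
EOF
}
```

On a live host the input would come from `ip link show dev PF | audit_vf_lines`; the remediation lines are printed for review rather than executed.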
1562
1563
1564 xdp object | pinned | off
1565 set (or unset) an XDP ("eXpress Data Path") BPF program to run on
1566 every packet at driver level. ip link output will indicate an
1567 xdp flag for the networking device. If the driver does not have
1568 native XDP support, the kernel will fall back to a slower,
1569 driver-independent "generic" XDP variant. The ip link output
1570 will in that case indicate xdpgeneric instead of xdp only. If
1571 the driver does have native XDP support, but the program is
1572 loaded under xdpgeneric object | pinned then the kernel will use
1573 the generic XDP variant instead of the native one. xdpdrv has
1574 the opposite effect of requesting that the automatic fallback
1575 to the generic XDP variant be disabled, so that an error is
1576 returned if the driver is not XDP-capable. xdpdrv also disables
1577 hardware offloads. xdpoffload in ip link output indicates that
1578 the program has been offloaded to hardware and can also be used
1579 to request the "offload" mode; much like xdpgeneric, it forces the
1580 program to be installed specifically in HW/FW of the adapter.
1581
1582 off (or none ) - Detaches any currently attached XDP/BPF program
1583 from the given device.
1584
1585 object FILE - Attaches an XDP/BPF program to the given device.
1586 The FILE points to a BPF ELF file (e.g. generated by LLVM) that
1587 contains the BPF program code, map specifications, etc. If an
1588 XDP/BPF program is already attached to the given device, an er‐
1589 ror will be thrown. If no XDP/BPF program is currently attached,
1590 the device supports XDP and the program from the BPF ELF file
1591 passes the kernel verifier, then it will be attached to the de‐
1592 vice. If the option -force is passed to ip then any prior at‐
1593 tached XDP/BPF program will be atomically overridden and no er‐
1594 ror will be thrown in this case. If no section option is passed,
1595 then the default section name ("prog") will be assumed, other‐
1596 wise the provided section name will be used. If no verbose op‐
1597 tion is passed, then a verifier log will only be dumped on load
1598 error. See also EXAMPLES section for usage examples.
1599
1600 section NAME - Specifies a section name that contains the BPF
1601 program code. If no section name is specified, the default one
1602 ("prog") will be used. This option is to be passed with the ob‐
1603 ject option.
1604
1605 program NAME - Specifies the name of the BPF program that needs to be
1606 attached. When the program name is specified, the section name
1607 parameter will be ignored. This option only works when iproute2
1608 is built with libbpf support.
1609
1610 verbose - Act in verbose mode. For example, even in case of suc‐
1611 cess, this will print the verifier log in case a program was
1612 loaded from a BPF ELF file.
1613
1614 pinned FILE - Attaches an XDP/BPF program to the given device.
1615 The FILE points to an already pinned BPF program in the BPF file
1616 system. The option section doesn't apply here, but otherwise se‐
1617 mantics are the same as with the option object described al‐
1618 ready.
1619
1620
1621 master DEVICE
1622 set master device of the device (enslave device).
1623
1624
1625 nomaster
1626 unset master device of the device (release device).
1627
1628
1629 addrgenmode eui64|none|stable_secret|random
1630 set the IPv6 address generation mode
1631
1632 eui64 - use a Modified EUI-64 format interface identifier
1633
1634 none - disable automatic address generation
1635
1636 stable_secret - generate the interface identifier based on a
1637 preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1639
1640 random - like stable_secret, but auto-generate a new random se‐
1641 cret if none is set
1642
1643
1644 link-netnsid
1645 set peer netnsid for a cross-netns interface
1646
1647
1648 type ETYPE TYPE_ARGS
1649 Change type-specific settings. For a list of supported types and
1650 arguments refer to the description of ip link add above. In
1651 addition to that, it is possible to manipulate settings of slave
1652 devices:
1653
1654
1655 Bridge Slave Support
1656 For a link with master bridge the following additional arguments
1657 are supported:
1658
1659 ip link set type bridge_slave [ fdb_flush ] [ state STATE ] [
1660 priority PRIO ] [ cost COST ] [ guard { on | off } ] [ hairpin {
1661 on | off } ] [ fastleave { on | off } ] [ root_block { on | off
1662 } ] [ learning { on | off } ] [ flood { on | off } ] [ proxy_arp
1663 { on | off } ] [ proxy_arp_wifi { on | off } ] [ mcast_router
1664 MULTICAST_ROUTER ] [ mcast_fast_leave { on | off } ] [
1665 bcast_flood { on | off } ] [ mcast_flood { on | off } ] [
1666 mcast_to_unicast { on | off } ] [ group_fwd_mask MASK ] [
1667 neigh_suppress { on | off } ] [ neigh_vlan_suppress { on | off }
1668 ] [ vlan_tunnel { on | off } ] [ isolated { on | off } ] [
1669 locked { on | off } ] [ mab { on | off } ] [ backup_port DEVICE
1670 ] [ nobackup_port ]
1671
1672
1673 fdb_flush - flush bridge slave's fdb dynamic entries.
1674
1675 state STATE - Set port state. STATE is a number repre‐
1676 senting the following states: 0 (disabled), 1 (listen‐
1677 ing), 2 (learning), 3 (forwarding), 4 (blocking).
1678
1679 priority PRIO - set port priority (allowed values are
1680 between 0 and 63, inclusively).
1681
1682 cost COST - set port cost (allowed values are between 1
1683 and 65535, inclusively).
1684
1685 guard { on | off } - block incoming BPDU packets on this
1686 port.
1687
1688 hairpin { on | off } - enable hairpin mode on this port.
1689 This will allow incoming packets on this port to be re‐
1690 flected back.
1691
1692 fastleave { on | off } - enable multicast fast leave on
1693 this port.
1694
1695 root_block { on | off } - block this port from becoming
1696 the bridge's root port.
1697
1698 learning { on | off } - allow MAC address learning on
1699 this port.
1700
1701 flood { on | off } - open the flood gates on this port,
1702 i.e. forward all unicast frames to this port also. Re‐
1703 quires proxy_arp and proxy_arp_wifi to be turned off.
1704
1705 proxy_arp { on | off } - enable proxy ARP on this port.
1706
1707 proxy_arp_wifi { on | off } - enable proxy ARP on this
1708 port which meets extended requirements by IEEE 802.11
1709 and Hotspot 2.0 specifications.
1710
1711 mcast_router MULTICAST_ROUTER - configure this port for
1712 having multicast routers attached. A port with a multi‐
1713 cast router will receive all multicast traffic. MULTI‐
1714 CAST_ROUTER may be either 0 to disable multicast routers
1715 on this port, 1 to let the system detect the presence of
1716 routers (this is the default), 2 to permanently enable
1717 multicast traffic forwarding on this port or 3 to enable
1718 multicast routers temporarily on this port, not depend‐
1719 ing on incoming queries.
1720
1721 mcast_fast_leave { on | off } - this is a synonym to the
1722 fastleave option above.
1723
1724 bcast_flood { on | off } - controls flooding of broad‐
1725 cast traffic on the given port. By default this flag is
1726 on.
1727
1728 mcast_flood { on | off } - controls whether a given port
1729 will flood multicast traffic for which there is no MDB
1730 entry. By default this flag is on.
1731
1732 mcast_to_unicast { on | off } - controls whether a given
1733 port will replicate packets using unicast instead of
1734 multicast. By default this flag is off.
1735
1736 group_fwd_mask MASK - set the group forward mask. This
1737 is the bitmask that is applied to decide whether to for‐
1738 ward incoming frames destined to link-local addresses,
1739 ie addresses of the form 01:80:C2:00:00:0X (defaults to
1740 0, ie the bridge does not forward any link-local frames
1741 coming on this port).
1742
1743 neigh_suppress { on | off } - controls whether neigh
1744 discovery (arp and nd) proxy and suppression is enabled
1745 on the port. By default this flag is off.
1746
1747 neigh_vlan_suppress { on | off } - controls whether per-
1748 VLAN neigh discovery (arp and nd) proxy and suppression
1749 is enabled on the port. When on, the bridge link option
1750 neigh_suppress has no effect and the per-VLAN state is
1751 set using the bridge vlan option neigh_suppress. By de‐
1752 fault this flag is off.
1753
1754 vlan_tunnel { on | off } - controls whether vlan to tun‐
1755 nel mapping is enabled on the port. By default this flag
1756 is off.
1757
1758 locked { on | off } - controls whether a port is locked
1759 or not. When locked, non-link-local frames received
1760 through the port are dropped unless an FDB entry with
1761 the MAC source address points to the port. The common
1762 use case is IEEE 802.1X where hosts can authenticate
1763 themselves by exchanging EAPOL frames with an authenti‐
1764 cator. After authentication is complete, the user space
1765 control plane can install a matching FDB entry to allow
1766 traffic from the host to be forwarded by the bridge.
1767 When learning is enabled on a locked port, the no_lin‐
1768 klocal_learn bridge option needs to be on to prevent the
1769 bridge from learning from received EAPOL frames. By de‐
1770 fault this flag is off.
1771
1772 mab { on | off } - controls whether MAC Authentication
1773 Bypass (MAB) is enabled on the port or not. MAB can
1774 only be enabled on a locked port that has learning en‐
1775 abled. When enabled, FDB entries are learned from re‐
1776 ceived traffic and have the "locked" FDB flag set. The
1777 flag can only be set by the kernel and it indicates that
1778 the FDB entry cannot be used to authenticate the corre‐
1779 sponding host. User space can decide to authenticate the
1780 host by replacing the FDB entry and clearing the
1781 "locked" FDB flag. Locked FDB entries can roam to un‐
1782 locked (authorized) ports in which case the "locked"
1783 flag is cleared. FDB entries cannot roam to locked ports
1784 regardless of MAB being enabled or not. Therefore,
1785 locked FDB entries are only created if an FDB entry with
1786 the given {MAC, VID} does not already exist. This be‐
1787 havior prevents unauthenticated hosts from disrupting
1788 traffic destined to already authenticated hosts. Locked
1789 FDB entries act like regular dynamic entries with re‐
1790 spect to forwarding and aging. By default this flag is
1791 off.
1792
1793 backup_port DEVICE - if the port loses carrier all traf‐
1794 fic will be redirected to the configured backup port
1795
1796 nobackup_port - removes the currently configured backup
1797 port
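
The constraints stated for locked and mab above, turned into a command planner as an added example (not part of the original man page): mab is only accepted on a locked port with learning enabled, and learning on a locked port needs the bridge's no_linklocal_learn option so that EAPOL frames do not populate the FDB. The function name plan_locked_port and the device names in the usage comment are hypothetical; the function only prints commands, one parameter per ip link set call, and runs nothing.

```shell
#!/bin/sh
# Plan the "ip link set" calls for an 802.1X / MAB bridge port.
#
# Usage: plan_locked_port BRIDGE PORT LEARNING MAB
#   e.g. plan_locked_port br0 swp1 on on
#
# Prints commands in an order where every intermediate state still
# satisfies "mab requires locked + learning". Returns 1 and prints an
# error if the requested combination contradicts that rule, 2 on a
# malformed argument.

plan_locked_port() {
    bridge=$1 port=$2 learning=$3 mab=$4

    for v in "$learning" "$mab"; do
        case $v in
            on|off) ;;
            *) echo "error: expected on|off, got '$v'"; return 2 ;;
        esac
    done

    if [ "$mab" = on ] && [ "$learning" = off ]; then
        echo "error: mab needs a locked port with learning enabled"
        return 1
    fi

    # Learning on a locked port: stop the bridge from learning from
    # link-local (EAPOL) frames before the port starts learning.
    if [ "$learning" = on ]; then
        echo "ip link set dev $bridge type bridge no_linklocal_learn 1"
    fi

    echo "ip link set dev $port type bridge_slave locked on"

    if [ "$mab" = on ]; then
        # Enabling: learning must already be on when mab is switched on.
        echo "ip link set dev $port type bridge_slave learning on"
        echo "ip link set dev $port type bridge_slave mab on"
    else
        # Disabling: drop mab first so learning can then be changed
        # without mab ever being on while learning is off.
        echo "ip link set dev $port type bridge_slave mab off"
        echo "ip link set dev $port type bridge_slave learning $learning"
    fi
}
```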
1798
1799
1800
1801 Bonding Slave Support
1802 For a link with master bond the following additional arguments
1803 are supported:
1804
1805 ip link set type bond_slave [ queue_id ID ] [ prio PRIORITY ]
1806
1807
1808 queue_id ID - set the slave's queue ID (a 16bit unsigned
1809 value).
1810
1811
1812 prio PRIORITY - set the slave's priority for active
1813 slave re-selection during failover (a 32bit signed
1814 value). This option is only valid for active-backup (1),
1815 balance-tlb (5) and balance-alb (6) modes.
1816
1817
1818
1819 MACVLAN and MACVTAP Support
1820 Modify list of allowed macaddr for link in source mode.
1821
1822 ip link set type { macvlan | macvtap } [ macaddr COMMAND MACADDR
1823 ... ]
1824
1825 Commands:
1826 add - add MACADDR to allowed list
1827
1828 set - replace allowed list
1829
1830 del - remove MACADDR from allowed list
1831
1832 flush - flush whole allowed list
1833
1834
1835 Update the broadcast/multicast queue length.
1836
1837 ip link set type { macvlan | macvtap } [ bcqueuelen LENGTH ] [
1838 bclim LIMIT ]
1839
1840 bcqueuelen LENGTH - Set the length of the RX queue used
1841 to process broadcast and multicast packets. LENGTH must
1842 be a non-negative integer in the range [0-4294967295].
1843 Setting a length of 0 will effectively drop all
1844 broadcast/multicast traffic. If not specified the macvlan
1845 driver default (1000) is used. Note that all macvlans
1846 that share the same underlying device are using the same
1847 queue. The parameter here is a request, the actual queue
1848 length used will be the maximum length that any macvlan
1849 interface has requested. When listing device parameters
1850 both the bcqueuelen parameter as well as the actual used
1851 bcqueuelen are listed to better help the user understand
1852 the setting.
1853
1854 bclim LIMIT - Set the threshold for broadcast queueing.
1855 LIMIT must be a 32-bit integer. Setting this to -1 dis‐
1856 ables broadcast queueing altogether. Otherwise a multi‐
1857 cast address will be queued as broadcast if the number
1858 of devices using it is greater than the given value.
1859
1860
       DSA user port support
              For a link having the DSA user port type, the following
              additional arguments are supported:

              ip link set type dsa [ conduit DEVICE ]

                      conduit DEVICE - change the DSA conduit (host network
                      interface) responsible for handling the locally
                      terminated traffic for the given DSA switch user port.
                      For a description of which network interfaces are
                      suitable for serving as conduit interfaces of this user
                      port, please see
                      https://www.kernel.org/doc/html/latest/networking/dsa/configuration.html#affinity-of-user-ports-to-cpu-ports
                      as well as what is supported by the driver in use.

                      master DEVICE - this is a synonym for "conduit".

   ip link show - display device attributes
       dev NAME (default)
              NAME specifies the network device to show.

       group GROUP
              GROUP specifies what group of devices to show.

       up     only display running interfaces.

       master DEVICE
              DEVICE specifies the master device which enslaves devices to
              show.

       vrf NAME
              NAME specifies the VRF which enslaves devices to show.

       type TYPE
              TYPE specifies the type of devices to show.

              Note that the type name is not checked against the list of
              supported types - instead it is sent as-is to the kernel. Later
              it is used to filter the returned interface list by comparing it
              with the relevant attribute in case the kernel didn't filter
              already. Therefore any string is accepted, but may lead to empty
              output.

       nomaster
              only show devices with no master

   ip link xstats - display extended statistics
       type TYPE
              TYPE specifies the type of devices to display extended
              statistics for.

   ip link afstats - display address-family specific statistics
       dev DEVICE
              DEVICE specifies the device to display address-family statistics
              for.

   ip link help - display help
       TYPE specifies the link type for which to display help.

   GROUP
       may be a number or a string from the file /etc/iproute2/group which can
       be manually filled.


EXAMPLES
       ip link show
           Shows the state of all network interfaces on the system.

       ip link show type bridge
           Shows the bridge devices.

       ip link show type vlan
           Shows the vlan devices.

       ip link show master br0
           Shows devices enslaved by br0.

       ip link set dev ppp0 mtu 1400
           Change the MTU of the ppp0 device.

       ip link add link eth0 name eth0.10 type vlan id 10
           Creates a new vlan device eth0.10 on device eth0.

       ip link delete dev eth0.10
           Removes vlan device.

       ip link help gre
           Display help for the gre link type.

       ip link add name tun1 type ipip remote 192.168.1.1 local 192.168.1.2
       ttl 225 encap gue encap-sport auto encap-dport 5555 encap-csum
       encap-remcsum
           Creates an IPIP tunnel that is encapsulated with Generic UDP
           Encapsulation, and the outer UDP checksum and remote checksum
           offload are enabled.

       ip link set dev eth0 xdp obj prog.o
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "prog" (default section). In case an
           XDP/BPF program is already attached, an error is thrown.

       ip -force link set dev eth0 xdp obj prog.o sec foo
           Attaches an XDP/BPF program to device eth0, where the program is
           located in prog.o, section "foo". In case an XDP/BPF program is
           already attached, it will be overridden by the new one.

       ip -force link set dev eth0 xdp pinned /sys/fs/bpf/foo
           Attaches an XDP/BPF program to device eth0, where the program was
           previously pinned as an object node into the BPF file system under
           the name foo.

       ip link set dev eth0 xdp off
           If an XDP/BPF program is attached on device eth0, detach it and
           effectively turn off XDP for device eth0.

       ip link add link wpan0 lowpan0 type lowpan
           Creates a 6LoWPAN interface named lowpan0 on the underlying IEEE
           802.15.4 device wpan0.

       ip link add dev ip6erspan11 type ip6erspan seq key 102 local
       fc00:100::2 remote fc00:100::1 erspan_ver 2 erspan_dir ingress
       erspan_hwid 17
           Creates an IP6ERSPAN version 2 interface named ip6erspan11.

       ip link set dev swp0 type dsa conduit eth1
           Changes the conduit interface of the swp0 user port to eth1.


SEE ALSO
       ip(8), ip-netns(8), ethtool(8), iptables(8)

AUTHOR
       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                          13 Dec 2012                       IP-LINK(8)