BRIDGE(8)                            Linux                           BRIDGE(8)

NAME

       bridge - show / manipulate bridge addresses and devices

SYNOPSIS

       bridge [ OPTIONS ] OBJECT { COMMAND | help }

       OBJECT := { link | fdb | mdb | vlan | vni | monitor }

       OPTIONS := { -V[ersion] | -s[tatistics] | -n[etns] name | -b[atch]
               filename | -c[olor] | -p[retty] | -j[son] | -o[neline] }

       bridge link set dev DEV [ cost COST ] [ priority PRIO ] [ state STATE ]
               [ guard { on | off } ] [ hairpin { on | off } ] [ fastleave {
               on | off } ] [ root_block { on | off } ] [ learning { on | off
               } ] [ learning_sync { on | off } ] [ flood { on | off } ] [
               hwmode { vepa | veb } ] [ bcast_flood { on | off } ] [
               mcast_flood { on | off } ] [ mcast_max_groups MAX_GROUPS ] [
               mcast_router MULTICAST_ROUTER ] [ mcast_to_unicast { on | off }
               ] [ neigh_suppress { on | off } ] [ neigh_vlan_suppress { on |
               off } ] [ vlan_tunnel { on | off } ] [ isolated { on | off } ]
               [ locked { on | off } ] [ mab { on | off } ] [ backup_port
               DEVICE ] [ nobackup_port ] [ self ] [ master ]

       bridge link [ show ] [ dev DEV ]

       bridge fdb { add | append | del | replace } LLADDR dev DEV { local |
               static | dynamic } [ self ] [ master ] [ router ] [ use ] [
               extern_learn ] [ sticky ] [ src_vni VNI ] { [ dst IPADDR ] [
               vni VNI ] [ port PORT ] [ via DEVICE ] | nhid NHID }

       bridge fdb [ [ show ] [ br BRDEV ] [ brport DEV ] [ vlan VID ] [ state
               STATE ] [ dynamic ] ]

       bridge fdb get [ to ] LLADDR [ br BRDEV ] { brport | dev } DEV [ vlan
               VID ] [ vni VNI ] [ self ] [ master ] [ dynamic ]

       bridge fdb flush dev DEV [ brport DEV ] [ vlan VID ] [ self ] [ master
               ] [ [no]permanent | [no]static | [no]dynamic ] [
               [no]added_by_user ] [ [no]extern_learn ] [ [no]sticky ] [
               [no]offloaded ]

       bridge mdb { add | del | replace } dev DEV port PORT grp GROUP [ src
               SOURCE ] [ permanent | temp ] [ vid VID ] [ filter_mode {
               include | exclude } ] [ source_list SOURCE_LIST ] [ proto
               PROTO ] [ dst IPADDR ] [ dst_port DST_PORT ] [ vni VNI ] [
               src_vni SRC_VNI ] [ via DEV ]

       bridge mdb show [ dev DEV ]

       bridge vlan { add | del } dev DEV vid VID [ tunnel_info TUNNEL_ID ] [
               pvid ] [ untagged ] [ self ] [ master ]

       bridge vlan set dev DEV vid VID [ state STP_STATE ] [ mcast_max_groups
               MAX_GROUPS ] [ mcast_router MULTICAST_ROUTER ] [ neigh_suppress
               { on | off } ]

       bridge vlan [ show | tunnelshow ] [ dev DEV ]

       bridge vlan global set dev DEV vid VID [ mcast_snooping
               MULTICAST_SNOOPING ] [ mcast_querier MULTICAST_QUERIER ] [
               mcast_igmp_version IGMP_VERSION ] [ mcast_mld_version
               MLD_VERSION ] [ mcast_last_member_count LAST_MEMBER_COUNT ] [
               mcast_last_member_interval LAST_MEMBER_INTERVAL ] [
               mcast_startup_query_count STARTUP_QUERY_COUNT ] [
               mcast_startup_query_interval STARTUP_QUERY_INTERVAL ] [
               mcast_membership_interval MEMBERSHIP_INTERVAL ] [
               mcast_querier_interval QUERIER_INTERVAL ] [
               mcast_query_interval QUERY_INTERVAL ] [
               mcast_query_response_interval QUERY_RESPONSE_INTERVAL ]

       bridge vlan global [ show ] [ dev DEV ] [ vid VID ]

       bridge vlan show [ dev DEV ]

       bridge vni { add | del } dev DEV vni VNI [ { group | remote } IPADDR ]

       bridge vni show [ dev DEV ]

       bridge monitor [ all | neigh | link | mdb | vlan ]

OPTIONS

       -V, -Version
              print the version of the bridge utility and exit.

       -s, -stats, -statistics
              output more information. If this option is given multiple times,
              the amount of information increases.  As a rule, the information
              is statistics or some time values.

       -d, -details
              print detailed information about bridge vlan filter entries or
              MDB router ports.

       -n, -net, -netns <NETNS>
              switches bridge to the specified network namespace NETNS.
              Actually it just simplifies executing of:

              ip netns exec NETNS bridge [ OPTIONS ] OBJECT { COMMAND | help }

              to

              bridge -n[etns] NETNS [ OPTIONS ] OBJECT { COMMAND | help }

       -b, -batch <FILENAME>
              Read commands from provided file or standard input and invoke
              them.  First failure will cause termination of bridge command.

       -force Don't terminate bridge command on errors in batch mode.  If
              there were any errors during execution of the commands, the
              application return code will be non-zero.

       -c[color][={always|auto|never}]
              Configure color output. If parameter is omitted or always, color
              output is enabled regardless of stdout state. If parameter is
              auto, stdout is checked to be a terminal before enabling color
              output. If parameter is never, color output is disabled. If
              specified multiple times, the last one takes precedence. This
              flag is ignored if -json is also given.

       -j, -json
              Output results in JavaScript Object Notation (JSON).

       -p, -pretty
              When combined with -j generate a pretty JSON output.

       -o, -oneline
              output each record on a single line, replacing line feeds with
              the '\' character. This is convenient when you want to count
              records with wc(1) or to grep(1) the output.

BRIDGE - COMMAND SYNTAX

   OBJECT
       link   - Bridge port.

       fdb    - Forwarding Database entry.

       mdb    - Multicast group database entry.

       vlan   - VLAN filter list.

       vni    - VNI filter list.

   COMMAND
       Specifies the action to perform on the object.  The set of possible
       actions depends on the object type.  As a rule, it is possible to add,
       delete and show (or list) objects, but some objects do not allow all
       of these operations or have some additional commands. The help command
       is available for all objects. It prints out a list of available
       commands and argument syntax conventions.

       If no command is given, some default command is assumed.  Usually it is
       list or, if the objects of this class cannot be listed, help.

       link objects correspond to the port devices of the bridge.

       The corresponding commands set and display port status and bridge
       specific attributes.

   bridge link set - set bridge specific attributes on a port
       dev NAME
              interface name of the bridge port

       cost COST
              the STP path cost of the specified port.

       priority PRIO
              the STP port priority. The priority value is an unsigned 8-bit
              quantity (number between 0 and 255). This metric is used in the
              designated port and root port selection algorithms.

       state STATE
              the operation state of the port. Except for state 0 (disable STP
              or BPDU filter feature), this is primarily used by user space
              STP/RSTP implementations. One may enter the port state name
              (case insensitive), or one of the numbers below. Negative inputs
              are ignored, and unrecognized names return an error.

              0 - port is in STP DISABLED state. Make this port completely
              inactive for STP. This is also called BPDU filter and could be
              used to disable STP on an untrusted port, such as a leaf virtual
              device.

              1 - port is in STP LISTENING state. Only valid if STP is enabled
              on the bridge. In this state the port listens for STP BPDUs and
              drops all other traffic frames.

              2 - port is in STP LEARNING state. Only valid if STP is enabled
              on the bridge. In this state the port will accept traffic only
              for the purpose of updating MAC address tables.

              3 - port is in STP FORWARDING state. Port is fully active.

              4 - port is in STP BLOCKING state. Only valid if STP is enabled
              on the bridge. This state is used during the STP election
              process. In this state, port will only process STP BPDUs.

       guard on or guard off
              Controls whether STP BPDUs will be processed by the bridge port.
              By default, the flag is turned off, allowing BPDU processing.
              Turning this flag on will disable the bridge port if an STP BPDU
              packet is received.

              If running Spanning Tree on bridge, hostile devices on the
              network may send BPDU on a port and cause network failure.
              Setting guard on will detect and stop this by disabling the
              port.  The port will be restarted if link is brought down, or
              removed and reattached.  For example if guard is enabled on
              eth0:

              ip link set dev eth0 down; ip link set dev eth0 up

       hairpin on or hairpin off
              Controls whether traffic may be sent back out of the port on
              which it was received. This option is also called reflective
              relay mode, and is used to support basic VEPA (Virtual Ethernet
              Port Aggregator) capabilities.  By default, this flag is turned
              off and the bridge will not forward traffic back out of the
              receiving port.

       fastleave on or fastleave off
              This flag allows the bridge to immediately stop multicast
              traffic on a port that receives an IGMP Leave message. It is
              only used when IGMP snooping is enabled on the bridge. By
              default the flag is off.

       root_block on or root_block off
              Controls whether a given port is allowed to become root port or
              not. Only used when STP is enabled on the bridge. By default the
              flag is off.

              This feature is also called root port guard.  If BPDU is
              received from a leaf (edge) port, it should not be elected as
              root port. This could be used if using STP on a bridge and the
              downstream bridges are not fully trusted; this prevents a
              hostile guest from rerouting traffic.

       learning on or learning off
              Controls whether a given port will learn MAC addresses from
              received traffic or not. If learning is off, the bridge will end
              up flooding any traffic for which it has no FDB entry. By
              default this flag is on.

       learning_sync on or learning_sync off
              Controls whether a given port will sync MAC addresses learned on
              device port to bridge FDB.

       flood on or flood off
              Controls whether unicast traffic for which there is no FDB entry
              will be flooded towards this given port. By default this flag is
              on.

       hwmode Some network interface cards support HW bridge functionality and
              they may be configured in different modes. Currently supported
              modes are:

              vepa - Data sent between HW ports is sent on the wire to the
              external switch.

              veb - bridging happens in hardware.

       bcast_flood on or bcast_flood off
              Controls flooding of broadcast traffic on the given port.  By
              default this flag is on.

       mcast_flood on or mcast_flood off
              Controls whether multicast traffic for which there is no MDB
              entry will be flooded towards this given port. By default this
              flag is on.

       mcast_max_groups MAX_GROUPS
              Sets the maximum number of MDB entries that can be registered
              for a given port. Attempts to register more MDB entries at the
              port than this limit allows will be rejected, whether they are
              done through netlink (e.g. the bridge tool), or IGMP or MLD
              membership reports. Setting a limit to 0 has the effect of
              disabling the limit. The default value is 0. See also the ip
              link option mcast_hash_max.

       mcast_router MULTICAST_ROUTER
              This flag is almost the same as the per-VLAN flag, see below,
              except its value can only be set in the range 0-2.  The default
              is 1 where the bridge figures out automatically where an
              IGMP/MLD querier, MRDISC capable device, or PIM router, is
              located.  Setting this flag to 2 is useful in cases where the
              multicast router does not indicate its presence in any
              meaningful way (e.g. older versions of SMCRoute, or mrouted), or
              when there is a need for forwarding both known and unknown IP
              multicast to a secondary/backup router.

       mcast_to_unicast on or mcast_to_unicast off
              Controls whether a given port will replicate packets using
              unicast instead of multicast. By default this flag is off.

              This is done by copying the packet per host and changing the
              multicast destination MAC to a unicast one accordingly.

              mcast_to_unicast works on top of the multicast snooping feature
              of the bridge. This means unicast copies are only delivered to
              hosts that are interested in the traffic and have previously
              signaled this via IGMP/MLD reports.

              This feature is intended for interface types which have a more
              reliable and/or efficient way to deliver unicast packets than
              broadcast ones (e.g. WiFi).

              However, it should only be enabled on interfaces where no
              IGMPv2/MLDv1 report suppression takes place. The IGMP/MLD report
              suppression issue is usually overcome by the network daemon
              (supplicant) enabling AP isolation and by that separating all
              STAs.

              Delivery of STA-to-STA IP multicast is made possible again by
              enabling and utilizing the bridge hairpin mode, which considers
              the incoming port as a potential outgoing port, too (see hairpin
              option).  Hairpin mode is performed after multicast snooping, so
              reports are only delivered to STAs running a multicast router.

       neigh_suppress on or neigh_suppress off
              Controls whether neigh discovery (arp and nd) proxy and
              suppression is enabled on the port. By default this flag is off.

       neigh_vlan_suppress on or neigh_vlan_suppress off
              Controls whether per-VLAN neigh discovery (arp and nd) proxy and
              suppression is enabled on the port. When on, the bridge link
              option neigh_suppress has no effect and the per-VLAN state is
              set using the bridge vlan option neigh_suppress. By default this
              flag is off.

       vlan_tunnel on or vlan_tunnel off
              Controls whether vlan to tunnel mapping is enabled on the port.
              By default this flag is off.

       isolated on or isolated off
              Controls whether a given port will be isolated, which means it
              will be able to communicate with non-isolated ports only.  By
              default this flag is off.

       locked on or locked off
              Controls whether a port is locked or not. When locked,
              non-link-local frames received through the port are dropped
              unless an FDB entry with the MAC source address points to the
              port. The common use case is IEEE 802.1X where hosts can
              authenticate themselves by exchanging EAPOL frames with an
              authenticator. After authentication is complete, the user space
              control plane can install a matching FDB entry to allow traffic
              from the host to be forwarded by the bridge. When learning is
              enabled on a locked port, the no_linklocal_learn bridge option
              needs to be on to prevent the bridge from learning from received
              EAPOL frames. By default this flag is off.

       mab on or mab off
              Controls whether MAC Authentication Bypass (MAB) is enabled on
              the port or not.  MAB can only be enabled on a locked port that
              has learning enabled. When enabled, FDB entries are learned from
              received traffic and have the "locked" FDB flag set. The flag
              can only be set by the kernel and it indicates that the FDB
              entry cannot be used to authenticate the corresponding host.
              User space can decide to authenticate the host by replacing the
              FDB entry and clearing the "locked" FDB flag. Locked FDB entries
              can roam to unlocked (authorized) ports in which case the
              "locked" flag is cleared. FDB entries cannot roam to locked
              ports regardless of MAB being enabled or not. Therefore, locked
              FDB entries are only created if an FDB entry with the given
              {MAC, VID} does not already exist.  This behavior prevents
              unauthenticated hosts from disrupting traffic destined to
              already authenticated hosts.  Locked FDB entries act like
              regular dynamic entries with respect to forwarding and aging. By
              default this flag is off.

       backup_port DEVICE
              If the port loses carrier all traffic will be redirected to the
              configured backup port

       nobackup_port
              Removes the currently configured backup port

       self   link setting is configured on specified physical device

       master link setting is configured on the software bridge (default)

       -t, -timestamp
              display current time when using monitor option.

   bridge link show - list ports configuration for all bridges.
       This command displays port configuration and flags for all bridges.

       To display port configuration and flags for a specific bridge, use the
       "ip link show master <bridge_device>" command.

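       The port hardening described above under guard, root_block, isolated,
       locked and mab, as an added example that is not part of the bridge(8)
       manual or the iproute2 sources: shell functions that emit lines for
       bridge -batch and reject interface names or MAC addresses that could
       smuggle extra tokens into the batch file. The role names (edge, dot1x,
       mab), the function names and the sample ports are assumptions; the fdb
       line assumes no per-VLAN entry is needed.

```shell
#!/bin/sh
# Added example: generate `bridge -batch` lines for per-port hardening.
# Role names and function names are hypothetical, not iproute2 terms.

# Interface names: 1-15 bytes, not "." or "..". Restricting further to
# [A-Za-z0-9_.-] keeps whitespace, newlines, '#', quotes and backslashes
# out of the generated batch file.
valid_ifname() {
    case "$1" in
        ''|.|..) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Six colon-separated hex octets. Group (multicast/broadcast) addresses
# are rejected: a station's source MAC is never a group address, so such
# an entry could not authorize a real host.
valid_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in
        $h[13579BbDdFf]:*) return 1 ;;
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# port_policy ROLE DEV: print one batch line for the port.
port_policy() {
    role=$1
    dev=$2
    valid_ifname "$dev" || { echo "bad interface name" >&2; return 1; }
    case "$role" in
        edge)
            # Untrusted leaf port: BPDU guard, root port guard, and
            # isolation from other isolated ports.
            echo "link set dev $dev guard on root_block on isolated on" ;;
        dot1x)
            # 802.1X: frames are dropped until user space installs a
            # matching FDB entry. Learning stays off so EAPOL frames
            # cannot create one.
            echo "link set dev $dev learning off locked on" ;;
        mab)
            # MAB requires a locked port with learning enabled. The
            # bridge's no_linklocal_learn option must also be on; it is
            # a bridge-device option and is set outside this batch.
            echo "link set dev $dev learning on locked on mab on" ;;
        *)
            echo "unknown role: $role" >&2
            return 1 ;;
    esac
}

# authorize MAC DEV: print the batch line that admits an authenticated
# host. "replace" also covers MAB, where a kernel-created locked entry
# for the same MAC already exists and must be overwritten.
authorize() {
    mac=$1
    dev=$2
    valid_mac "$mac" || { echo "bad MAC address" >&2; return 1; }
    valid_ifname "$dev" || { echo "bad interface name" >&2; return 1; }
    echo "fdb replace $mac dev $dev static master"
}

# build_batch: read "ROLE DEV" lines on stdin, print batch lines.
# Returns non-zero on the first bad line; discard the output then.
build_batch() {
    while read -r role dev extra; do
        case "$role" in
            ''|'#'*) continue ;;
        esac
        [ -z "$extra" ] || { echo "trailing data after $dev" >&2; return 1; }
        port_policy "$role" "$dev" || return 1
    done
}

# Typical use (constructed file names):
#   build_batch < ports.policy > ports.batch && bridge -batch ports.batch
```

       Without -force, bridge -batch stops at the first failing command, so a
       port that rejects its policy is noticed instead of silently skipped.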

bridge fdb - forwarding database management

       fdb objects contain known Ethernet addresses on a link.

       The corresponding commands display fdb entries, add new entries, append
       entries, and delete old ones.

   bridge fdb add - add a new fdb entry
       This command creates a new fdb entry.

       LLADDR the Ethernet MAC address.

       dev DEV
              the interface to which this address is associated.

              local - is a local permanent fdb entry, which means that the
              bridge will not forward frames with this destination MAC address
              and VLAN ID, but terminate them locally. This flag is default
              unless "static" or "dynamic" are explicitly specified.

              permanent - this is a synonym for "local"

              static - is a static (no arp) fdb entry

              dynamic - is a dynamic reachable age-able fdb entry

              self - the operation is fulfilled directly by the driver for the
              specified network device. If the network device belongs to a
              master like a bridge, then the bridge is bypassed and not
              notified of this operation (and if the device does notify the
              bridge, it is driver-specific behavior and not mandated by this
              flag, check the driver for more details). The "bridge fdb add"
              command can also be used on the bridge device itself, and in
              this case, the added fdb entries will be locally terminated (not
              forwarded). In the latter case, the "self" flag is mandatory.
              The flag is set by default if "master" is not specified.

              master - if the specified network device is a port that belongs
              to a master device such as a bridge, the operation is fulfilled
              by the master device's driver, which may in turn notify the port
              driver too of the address. If the specified device is a master
              itself, such as a bridge, this flag is invalid.

              router - the destination address is associated with a router.
              Valid if the referenced device is a VXLAN type device and has
              route short circuit enabled.

              use - the address is in use. User space can use this option to
              indicate to the kernel that the fdb entry is in use.

              extern_learn - this entry was learned externally. This option
              can be used to indicate to the kernel that an entry is a dynamic
              entry learned by hardware or by a user-space controller. The
              kernel will not age such an entry.

              sticky - this entry will not change its port due to learning.

       The next command line parameters apply only when the specified device
       DEV is of type VXLAN.

       dst IPADDR
              the IP address of the destination VXLAN tunnel endpoint where
              the Ethernet MAC ADDRESS resides.

       src_vni VNI
              the src VNI Network Identifier (or VXLAN Segment ID) this entry
              belongs to. Used only when the vxlan device is in external or
              collect metadata mode. If omitted the value specified at vxlan
              device creation will be used.

       vni VNI
              the VXLAN VNI Network Identifier (or VXLAN Segment ID) to use to
              connect to the remote VXLAN tunnel endpoint.  If omitted the
              value specified at vxlan device creation will be used.

       port PORT
              the UDP destination PORT number to use to connect to the remote
              VXLAN tunnel endpoint.  If omitted the default value is used.

       via DEVICE
              device name of the outgoing interface for the VXLAN device
              driver to reach the remote VXLAN tunnel endpoint.

       nhid NHID
              ecmp nexthop group for the VXLAN device driver to reach remote
              VXLAN tunnel endpoints.

   bridge fdb append - append a forwarding database entry
       This command adds a new fdb entry with an already known LLADDR.  Valid
       only for multicast link layer addresses.  The command adds support for
       broadcast and multicast Ethernet MAC addresses.  The Ethernet MAC
       address is added multiple times into the forwarding database and the
       vxlan device driver sends a copy of the data packet to each entry
       found.

       The arguments are the same as with bridge fdb add.

   bridge fdb delete - delete a forwarding database entry
       This command removes an existing fdb entry.

       The arguments are the same as with bridge fdb add.

   bridge fdb replace - replace a forwarding database entry
       If no matching entry is found, a new one will be created instead.

       The arguments are the same as with bridge fdb add.

   bridge fdb show - list forwarding entries.
       This command displays the current forwarding table.

       With the -statistics option, the command becomes verbose. It prints out
       the last updated and last used time for each entry.

   bridge fdb get - get bridge forwarding entry.
       Look up a bridge forwarding table entry.

       LLADDR the Ethernet MAC address.

       dev DEV
              the interface to which this address is associated.

       brport DEV
              the bridge port to which this address is associated. Same as dev
              above.

       br DEV the bridge to which this address is associated.

       self   - the address is associated with the port driver's fdb. Usually
              hardware.

       master - the address is associated with the master device's fdb.
              Usually software (default).

   bridge fdb flush - flush bridge forwarding table entries.
       Flush the matching bridge forwarding table entries. Some options below
       have a negated form when "no" is prepended to them (e.g. permanent and
       nopermanent).

       dev DEV
              the target device for the operation. If the device is a bridge
              port and "master" is set then the operation will be fulfilled by
              its master device's driver and all entries pointing to that port
              will be deleted.

       brport DEV
              the target bridge port for the operation. If the bridge device
              is specified then only entries pointing to the bridge itself
              will be deleted. Note that the target device specified by this
              option will override the one specified by dev above.

       vlan VID
              the target VLAN ID for the operation. Match forwarding table
              entries only with the specified VLAN ID.

       self   the operation is fulfilled directly by the driver for the
              specified network device. If the network device belongs to a
              master like a bridge, then the bridge is bypassed and not
              notified of this operation. The "bridge fdb flush" command can
              also be used on the bridge device itself. The flag is set by
              default if "master" is not specified.

       master if the specified network device is a port that belongs to a
              master device such as a bridge, the operation is fulfilled by
              the master device's driver.

       [no]permanent
              if specified then only permanent entries will be deleted or
              respectively if "no" is prepended then only non-permanent
              entries will be deleted.

       [no]static
              if specified then only static entries will be deleted or
              respectively if "no" is prepended then only non-static entries
              will be deleted.

       [no]dynamic
              if specified then only dynamic entries will be deleted or
              respectively if "no" is prepended then only non-dynamic (static
              or permanent) entries will be deleted.

       [no]added_by_user
              if specified then only entries with added_by_user flag will be
              deleted or respectively if "no" is prepended then only entries
              without added_by_user flag will be deleted.

       [no]extern_learn
              if specified then only entries with extern_learn flag will be
              deleted or respectively if "no" is prepended then only entries
              without extern_learn flag will be deleted.

       [no]sticky
              if specified then only entries with sticky flag will be deleted
              or respectively if "no" is prepended then only entries without
              sticky flag will be deleted.

       [no]offloaded
              if specified then only entries with offloaded flag will be
              deleted or respectively if "no" is prepended then only entries
              without offloaded flag will be deleted.

bridge mdb - multicast group database management

699       mdb objects contain known IP or L2 multicast group addresses on a link.
700
701
702       The corresponding commands display mdb entries, add new entries, re‐
703       place entries and delete old ones.
704
705
706   bridge mdb add - add a new multicast group database entry
707       This command creates a new mdb entry.
708
709
710       dev DEV
711              the interface where this group address is associated.
712
713
714       port PORT
715              the port whose link is known to have members of this multicast
716              group.
717
718
719       grp GROUP
720              the multicast group address (IPv4, IPv6 or L2 multicast) whose
721              members reside on the link connected to the port.
722
723              permanent - the mdb entry is permanent. Optional for IPv4 and
724              IPv6, mandatory for L2.
725
726
727              temp - the mdb entry is temporary (default)
728
729
730
731       src SOURCE
732              optional source IP address of a sender for this multicast group.
733              If IGMPv3 for IPv4, or MLDv2 for IPv6 respectively, are enabled
734              it will be included in the lookup when forwarding multicast
735              traffic.
736
737
738       vid VID
739              the VLAN ID which is known to have members of this multicast
740              group.
741
742
743       filter_mode include or filter_mode exclude
744              controls whether the sources in the entry's source list are in
745              INCLUDE or EXCLUDE mode. Can only be set for (*, G) entries.
746
747
748       source_list SOURCE_LIST
749              optional list of source IP addresses of senders for this multi‐
750              cast group, separated by a ','.  Whether the entry forwards
751              packets from these senders or not is determined by the entry's
752              filter mode, which becomes a mandatory argument. Can only be set
753              for (*, G) entries.
754
755
756       proto PROTO
757              the routing protocol identifier of this mdb entry. Can be a num‐
758              ber or a string from the file /etc/iproute2/rt_protos. If the
759              routing protocol is not given, then static is assumed.
760
761      The next command line parameters apply only when the specified device
762      DEV is of type VXLAN.
763
764
765       dst IPADDR
766              the IP address of the destination VXLAN tunnel endpoint where
767              the multicast receivers reside.
768
769
770       dst_port DST_PORT
771              the UDP destination port number to use to connect to the remote
772              VXLAN tunnel endpoint. If omitted, the value specified at VXLAN
773              device creation will be used.
774
775
776       vni VNI
777              the VXLAN VNI Network Identifier to use to connect to the remote
778              VXLAN tunnel endpoint. If omitted, the value specified at VXLAN
779              device creation will be used or the source VNI when the VXLAN
780              device is in external mode.
781
782
783       src_vni SRC_VNI
784              the source VNI Network Identifier this entry belongs to. Used
785              only when the VXLAN device is in external mode. If omitted, the
786              value specified at VXLAN device creation will be used.
787
788
789       via DEV
790              device name of the outgoing interface for the VXLAN device to
791              reach the remote VXLAN tunnel endpoint.
792
793      The 0.0.0.0 and :: MDB entries are special catchall entries used to
794      flood IPv4 and IPv6 unregistered multicast packets, respectively. There‐
795      fore, when these entries are programmed, the catchall 00:00:00:00:00:00
796      FDB entry will only flood broadcast, unknown unicast and link-local mul‐
797      ticast.
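The argument constraints stated above (permanent is mandatory for L2 groups; filter_mode and source_list apply only to (*, G) entries; source_list makes filter_mode mandatory) can be checked before a static entry is pushed to a bridge. The following is an added example, not part of the original manual page or of iproute2; the helper names mdb_add_cmd, is_l2_group and mdb_err and the sample device names and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not iproute2 code); br0/swp1 and addresses are constructed.
# Usage: mdb_add_cmd DEV PORT GRP [permanent|temp] [src S] [vid V] [proto P]
#                    [filter_mode include|exclude] [source_list A,B,...]

is_l2_group() {  # L2 multicast groups are written as MAC addresses
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

mdb_err() { echo "mdb add rejected: $1" >&2; }

mdb_add_cmd() {
    [ $# -ge 3 ] || { mdb_err "need DEV PORT GRP"; return 1; }
    dev=$1; port=$2; grp=$3; shift 3
    state=""; src=""; mode=""; slist=""; extra=""
    while [ $# -gt 0 ]; do
        case $1 in
            permanent|temp) state=$1; shift; continue ;;
        esac
        [ $# -ge 2 ] || { mdb_err "missing value for '$1'"; return 1; }
        case $1 in
            src)         src=$2 ;;
            filter_mode) mode=$2 ;;
            source_list) slist=$2 ;;
            vid|proto)   extra="$extra $1 $2" ;;
            *)           mdb_err "unsupported argument '$1'"; return 1 ;;
        esac
        shift 2
    done
    # "permanent" is optional for IPv4/IPv6 groups but mandatory for L2 groups.
    if is_l2_group "$grp" && [ "$state" != permanent ]; then
        mdb_err "L2 group $grp requires 'permanent'"; return 1
    fi
    case $mode in
        ""|include|exclude) ;;
        *) mdb_err "filter_mode must be include or exclude"; return 1 ;;
    esac
    # filter_mode and source_list are only valid for (*, G) entries (no src).
    if [ -n "$src" ] && [ -n "$mode$slist" ]; then
        mdb_err "filter_mode/source_list cannot be combined with src"; return 1
    fi
    # A source list makes filter_mode a mandatory argument.
    if [ -n "$slist" ] && [ -z "$mode" ]; then
        mdb_err "source_list requires filter_mode"; return 1
    fi
    printf '%s\n' "bridge mdb add dev $dev port $port grp $grp${src:+ src $src}${state:+ $state}$extra${mode:+ filter_mode $mode}${slist:+ source_list $slist}"
}

mdb_add_cmd br0 swp1 01:00:5e:00:00:fb permanent vid 10
```

The function only prints the command line it has validated; it does not check the VXLAN-only parameters, which depend on the device type.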
798
799
800   bridge mdb delete - delete a multicast group database entry
801       This command removes an existing mdb entry.
802
803
804       The arguments are the same as with bridge mdb add.
805
806
807   bridge mdb replace - replace a multicast group database entry
808       If no matching entry is found, a new one will be created instead.
809
810
811       The arguments are the same as with bridge mdb add.
812
813
814   bridge mdb show - list multicast group database entries
815       This command displays the current multicast group membership table. The
816       table is populated by IGMP and MLD snooping in the bridge driver auto‐
817       matically. It can be altered by bridge mdb add and bridge mdb del com‐
818       mands manually too.
819
820
821       dev DEV
822              list only the entries of this interface. Default is to list
823              all bridge interfaces.
824
825
826       With the -details option, the command becomes verbose. It prints out
827       the ports known to have a connected router.
828
829
830       With the -statistics option, the command displays timer values for mdb
831       and router port entries.
832
833

bridge vlan - VLAN filter list

835       vlan objects contain known VLAN IDs for a link.
836
837
838       The corresponding commands display vlan filter entries, add new en‐
839       tries, and delete old ones.
840
841
842   bridge vlan add - add a new vlan filter entry
843       This command creates a new vlan filter entry.
844
845
846       dev NAME
847              the interface with which this vlan is associated.
848
849
850       vid VID
851              the VLAN ID that identifies the vlan.
852
853
854       tunnel_info TUNNEL_ID
855              the TUNNEL ID that maps to this vlan. The tunnel id is set in
856              dst_metadata for every packet that belongs to this vlan (appli‐
857              cable to bridge ports with vlan_tunnel flag set).
858
859
860       pvid   the vlan specified is to be considered a PVID at ingress.  Any
861              untagged frames will be assigned to this VLAN.
862
863
864       untagged
865              the vlan specified is to be treated as untagged on egress.
866
867
868       self   the vlan is configured on the specified physical device. Re‐
869              quired if the device is the bridge device.
870
871
872       master the vlan is configured on the software bridge (default).
873
874
875   bridge vlan delete - delete a vlan filter entry
876       This command removes an existing vlan filter entry.
877
878
879       The arguments are the same as with bridge vlan add.  The pvid and un‐
880       tagged flags are ignored.
881
882
883   bridge vlan set - change vlan filter entry's options
884       This command changes vlan filter entry's options.
885
886
887       dev NAME
888              the interface with which this vlan is associated.
889
890
891       vid VID
892              the VLAN ID that identifies the vlan.
893
894
895       state STP_STATE
896              the operation state of the vlan. One may enter STP state name
897              (case insensitive), or one of the numbers below. Negative inputs
898              are ignored, and unrecognized names return an error. Note that
899              the state is set only for the vlan of the specified device, e.g.
900              if it is a bridge port then the state will be set only for the
901              vlan of the port.
902
903              0 - vlan is in STP DISABLED state. Make this vlan completely in‐
904              active for STP. This is also called BPDU filter and could be
905              used to disable STP on an untrusted vlan.
906
907
908              1 - vlan is in STP LISTENING state. Only valid if STP is enabled
909              on the bridge. In this state the vlan listens for STP BPDUs and
910              drops all other traffic frames.
911
912
913              2 - vlan is in STP LEARNING state. Only valid if STP is enabled
914              on the bridge. In this state the vlan will accept traffic only
915              for the purpose of updating MAC address tables.
916
917
918              3 - vlan is in STP FORWARDING state. This is the default vlan
919              state.
920
921
922              4 - vlan is in STP BLOCKING state. Only valid if STP is enabled
923              on the bridge. This state is used during the STP election
924              process. In this state, the vlan will only process STP BPDUs.
925
926
927
928       mcast_max_groups MAX_GROUPS
929              Sets the maximum number of MDB entries that can be registered
930              for a given VLAN on a given port. A VLAN-specific equivalent of
931              the per-port option of the same name, see above for details.
932
933              Note that this option is only available when ip link option
934              mcast_vlan_snooping is enabled.
935
936
937       mcast_router MULTICAST_ROUTER
938              configure the multicast router mode of this vlan and interface.
939              Note that only modes 0 - 2 are available for bridge devices.  A
940              vlan and interface with a multicast router will receive all
941              multicast traffic.  MULTICAST_ROUTER may be one of
942
943              0 - to disable multicast router.
944
945
946              1 - to let the system detect the presence of routers (default).
947
948
949              2 - to permanently enable multicast traffic forwarding on this
950              vlan and interface.
951
952
953              3 - to temporarily mark this vlan and port as having a multicast
954              router, i.e.  enable multicast traffic forwarding. This mode is
955              available only for ports.
956
957
958
959       neigh_suppress on or neigh_suppress off
960              Controls whether neigh discovery (arp and nd) proxy and suppres‐
961              sion is enabled for a given VLAN on a given port. By default
962              this flag is off.
963
964              Note that this option only takes effect when bridge link option
965              neigh_vlan_suppress is enabled for a given port.
966
967
968   bridge vlan show - list vlan configuration.
969       This command displays the current VLAN filter table.
970
971
972       With the -details option, the command becomes verbose. It displays the
973       per-vlan options.
974
975
976       With the -statistics option, the command displays per-vlan traffic sta‐
977       tistics.
978
979
980   bridge vlan tunnelshow - list vlan tunnel mapping.
981       This command displays the current vlan tunnel info mapping.
982
983
984   bridge vlan global set - change vlan filter entry's global options
985       This command changes vlan filter entry's global options.
986
987
988       dev NAME
989              the interface with which this vlan is associated. Only bridge
990              devices are supported for global options.
991
992
993       vid VID
994              the VLAN ID that identifies the vlan.
995
996
997       mcast_snooping MULTICAST_SNOOPING
998              turn multicast snooping for VLAN entry with VLAN ID on (MULTI‐
999              CAST_SNOOPING > 0) or off (MULTICAST_SNOOPING == 0). Default is
1000              on.
1001
1002
1003       mcast_querier MULTICAST_QUERIER
1004              enable (MULTICAST_QUERIER > 0) or disable (MULTICAST_QUERIER ==
1005              0) IGMP/MLD querier, i.e. sending of multicast queries by the
1006              bridge. Default is disabled.
1007
1008
1009       mcast_igmp_version IGMP_VERSION
1010              set the IGMP version. Default is 2.
1011
1012
1013       mcast_mld_version MLD_VERSION
1014              set the MLD version. Default is 1.
1015
1016
1017       mcast_last_member_count LAST_MEMBER_COUNT
1018              set multicast last member count, i.e. the number of queries the
1019              bridge will send before stopping forwarding a multicast group
1020              after a "leave" message has been received. Default is 2.
1021
1022
1023       mcast_last_member_interval LAST_MEMBER_INTERVAL
1024              interval between queries to find remaining members of a group,
1025              after a "leave" message is received.
1026
1027
1028       mcast_startup_query_count STARTUP_QUERY_COUNT
1029              set the number of queries to send during startup phase. Default
1030              is 2.
1031
1032
1033       mcast_startup_query_interval STARTUP_QUERY_INTERVAL
1034              interval between queries in the startup phase.
1035
1036
1037       mcast_membership_interval MEMBERSHIP_INTERVAL
1038              delay after which the bridge will leave a group, if no member‐
1039              ship reports for this group are received.
1040
1041
1042       mcast_querier_interval QUERIER_INTERVAL
1043              interval between queries sent by other routers. If no queries
1044              are seen after this delay has passed, the bridge will start to
1045              send its own queries (as if mcast_querier was enabled).
1046
1047
1048       mcast_query_interval QUERY_INTERVAL
1049              interval between queries sent by the bridge after the end of the
1050              startup phase.
1051
1052
1053       mcast_query_response_interval QUERY_RESPONSE_INTERVAL
1054              set the Max Response Time/Maximum Response Delay for IGMP/MLD
1055              queries sent by the bridge.
1056
1057
1058   bridge vlan global show - list global vlan options.
1059       This command displays the global VLAN options for each VLAN entry.
1060
1061
1062       dev DEV
1063              list the VLAN global options of this interface only. Default
1064              is to list all bridge interfaces.
1065
1066
1067       vid VID
1068              list the global options of this VLAN ID only. Default is to
1069              list all vlans.
1070
1071

bridge vni - VNI filter list

1073       vni objects contain known VNI IDs for a dst metadata vxlan link.
1074
1075
1076       The corresponding commands display vni filter entries, add new entries,
1077       and delete old ones.
1078
1079
1080   bridge vni add - add a new vni filter entry
1081       This command creates a new vni filter entry.
1082
1083
1084       dev NAME
1085              the interface with which this vni is associated.
1086
1087
1088       vni VNI
1089              the VNI ID that identifies the vni.
1090
1091
1092       remote IPADDR
1093              specifies the unicast destination IP address to use in outgoing
1094              packets when the destination link layer address is not known in
1095              the VXLAN device forwarding database. This parameter cannot be
1096              specified with the group.
1097
1098
1099       group IPADDR
1100              specifies the multicast IP address to join for this VNI.
1101
1102
1103   bridge vni del - delete a vni filter entry
1104       This command removes an existing vni filter entry.
1105
1106
1107       The arguments are the same as with bridge vni add.
1108
1109
1110   bridge vni show - list vni filtering configuration.
1111       This command displays the current vni filter table.
1112
1113
1114       With the -statistics option, the command displays per-vni traffic sta‐
1115       tistics.
1116
1117
1118       dev NAME
1119              shows the vni filtering table associated with the vxlan device.
1120
1121

bridge monitor - state monitoring

1123       The bridge utility can monitor the state of devices and addresses con‐
1124       tinuously. This option has a slightly different format.  Namely, the
1125       monitor command is the first in the command line and then the object
1126       list follows:
1127
1128       bridge monitor [ all | OBJECT-LIST ]
1129
1130       OBJECT-LIST is the list of object types that we want to monitor.  It
1131       may contain link, fdb, vlan and mdb.  If no file argument is given,
1132       bridge opens RTNETLINK, listens on it and dumps state changes in the
1133       format described in previous sections.
1134
1135
1136       If a file name is given, it does not listen on RTNETLINK, but opens the
1137       file containing RTNETLINK messages saved in binary format and dumps
1138       them.
1139
1140

NOTES

1142       This command uses facilities added in Linux 3.0.
1143
1144       Although the forwarding table is maintained on a per-bridge device ba‐
1145       sis, the bridge device is not part of the syntax. This is a limitation
1146       of the underlying netlink neighbour message protocol. When displaying
1147       the forwarding table, entries for all bridges are displayed.
1148       Add/delete/modify commands determine the underlying bridge device based
1149       on the bridge to which the corresponding ethernet device is attached.
1150
1151
1152

SEE ALSO

1154       ip(8)
1155

BUGS

1157       Please direct bug reports and patches to: <netdev@vger.kernel.org>
1158
1159

AUTHOR

1161       Original Manpage by Stephen Hemminger
1162
1163
1164
1165iproute2                         1 August 2012                       BRIDGE(8)