1 .TH IP\-LINK 8 "13 Dec 2012" "iproute2" "Linux"
3 ip-link \- network device configuration
10 .RI " { " COMMAND " | "
72 .BR "ip link delete " {
83 .RB "} [ { " up " | " down " } ]"
85 .RB "[ " arp " { " on " | " off " } ]"
87 .RB "[ " dynamic " { " on " | " off " } ]"
89 .RB "[ " multicast " { " on " | " off " } ]"
91 .RB "[ " allmulticast " { " on " | " off " } ]"
93 .RB "[ " promisc " { " on " | " off " } ]"
95 .RB "[ " protodown " { " on " | " off " } ]"
97 .RB "[ " trailers " { " on " | " off " } ]"
115 .IR PID " | " NETNSNAME " } ]"
117 .RB "[ " link-netnsid
143 .RB "[ " spoofchk " { " on " | " off " } ]"
145 .RB "[ " query_rss " { " on " | " off " } ]"
147 .RB "[ " state " { " auto " | " enable " | " disable " } ]"
149 .RB "[ " trust " { " on " | " off " } ] ]"
155 .RB "[ " nomaster " ]"
160 .RB "[ " addrgenmode " { " eui64 " | " none " | " stable_secret " | " random " } ]"
165 .RI "[ " DEVICE " | "
181 .SS ip link add - add virtual link
185 specifies the physical device to act operate on.
188 specifies the name of the new virtual device.
191 specifies the type of the new device.
197 - Ethernet Bridge device
202 - Controller Area Network interface
205 - Dummy network interface
208 - High-availability Seamless Redundancy device
211 - Intermediate Functional Block device
214 - IP over Infiniband device
217 - Virtual interface base on link layer address (MAC)
220 - Virtual interface based on link layer address (MAC) and TAP.
223 - Virtual Controller Area Network interface
226 - Virtual ethernet interface
229 - 802.1q tagged virtual LAN interface
232 - Virtual eXtended LAN
235 - Virtual tunnel interface IPv4|IPv6 over IPv6
238 - Virtual tunnel interface IPv4 over IPv4
241 - Virtual tunnel interface IPv6 over IPv4
244 - Virtual tunnel interface GRE over IPv4
247 - Virtual L2 tunnel interface GRE over IPv4
250 - Virtual tunnel interface GRE over IPv6
253 - Virtual L2 tunnel interface GRE over IPv6
256 - Virtual tunnel interface
259 - Netlink monitoring device
262 - Interface for L3 (IPv6/IPv4) based VLANs
265 - Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
268 - GEneric NEtwork Virtualization Encapsulation
271 - Interface for IEEE 802.1AE MAC Security (MACsec)
274 - Interface for L3 VRF domains
278 .BI numtxqueues " QUEUE_COUNT "
279 specifies the number of transmit queues for new device.
282 .BI numrxqueues " QUEUE_COUNT "
283 specifies the number of receive queues for new device.
287 specifies the desired index of the new virtual device. The link creation fails, if the index is busy.
293 the following additional arguments are supported:
300 .BI protocol " VLAN_PROTO "
304 .BR reorder_hdr " { " on " | " off " } "
307 .BR gvrp " { " on " | " off " } "
310 .BR mvrp " { " on " | " off " } "
313 .BR loose_binding " { " on " | " off " } "
316 .BI ingress-qos-map " QOS-MAP "
319 .BI egress-qos-map " QOS-MAP "
324 .BI protocol " VLAN_PROTO "
325 - either 802.1Q or 802.1ad.
328 - specifies the VLAN Identifer to use. Note that numbers with a leading " 0 " or " 0x " are interpreted as octal or hexadeimal, respectively.
330 .BR reorder_hdr " { " on " | " off " } "
331 - specifies whether ethernet headers are reordered or not (default is
336 .BR reorder_hdr " is " on
337 then VLAN header will be not inserted immediately but only before passing to the
338 physical device (if this device does not support VLAN offloading), the similar
339 on the RX direction - by default the packet will be untagged before being
340 received by VLAN device. Reordering allows to accelerate tagging on egress and
341 to hide VLAN header on ingress so the packet looks like regular Ethernet packet,
342 at the same time it might be confusing for packet capture as the VLAN header
343 does not exist within the packet.
345 VLAN offloading can be checked by
351 .RB grep " tx-vlan-offload"
354 where <phy_dev> is the physical device to which VLAN device is bound.
357 .BR gvrp " { " on " | " off " } "
358 - specifies whether this VLAN should be registered using GARP VLAN Registration Protocol.
360 .BR mvrp " { " on " | " off " } "
361 - specifies whether this VLAN should be registered using Multiple VLAN Registration Protocol.
363 .BR loose_binding " { " on " | " off " } "
364 - specifies whether the VLAN device state is bound to the physical device state.
366 .BI ingress-qos-map " QOS-MAP "
367 - defines a mapping of VLAN header prio field to the Linux internal packet
368 priority on incoming frames. The format is FROM:TO with multiple mappings
371 .BI egress-qos-map " QOS-MAP "
372 - defines a mapping of Linux internal packet priority to VLAN header prio field
373 but for outgoing frames. The format is the same as for ingress-qos-map.
376 Linux packet priority can be set by
381 -t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
384 and this "4" priority can be used in the egress qos mapping to set VLAN prio "5":
388 link set veth0.10 type vlan egress 4:5
397 the following additional arguments are supported:
399 .BI "ip link add " DEVICE
400 .BI type " vxlan " id " ID"
403 .RB " ] [ { " group " | " remote " } "
407 .RI "{ "IPADDR " | "any " } "
413 .BI flowlabel " FLOWLABEL "
417 .BI srcport " MIN MAX "
431 .I "[no]udp6zerocsumtx "
433 .I "[no]udp6zerocsumrx "
435 .BI ageing " SECONDS "
437 .BI maxaddress " NUMBER "
449 - specifies the VXLAN Network Identifer (or VXLAN Segment
453 - specifies the physical device to use for tunnel endpoint communication.
457 - specifies the multicast IP address to join.
458 This parameter cannot be specified with the
464 - specifies the unicast destination IP address to use in outgoing packets
465 when the destination link layer address is not known in the VXLAN device
466 forwarding database. This parameter cannot be specified with the
472 - specifies the source IP address to use in outgoing packets.
476 - specifies the TTL value to use in outgoing packets.
480 - specifies the TOS value to use in outgoing packets.
483 .BI flowlabel " FLOWLABEL"
484 - specifies the flow label to use in outgoing packets.
488 - specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.
491 .BI srcport " MIN MAX"
492 - specifies the range of port numbers to use as UDP
493 source ports to communicate to the remote VXLAN tunnel endpoint.
497 - specifies if unknown source link layer addresses and IP addresses
498 are entered into the VXLAN device forwarding database.
502 - specifies if route short circuit is turned on.
506 - specifies ARP proxy is turned on.
510 - specifies if netlink LLADDR miss notifications are generated.
514 - specifies if netlink IP ADDR miss notifications are generated.
518 - specifies if UDP checksum is calculated for transmitted packets over IPv4.
521 .I [no]udp6zerocsumtx
522 - skip UDP checksum calculation for transmitted packets over IPv6.
525 .I [no]udp6zerocsumrx
526 - allow incoming UDP packets over IPv6 with zero checksum field.
529 .BI ageing " SECONDS"
530 - specifies the lifetime in seconds of FDB entries learnt by the kernel.
533 .BI maxaddress " NUMBER"
534 - specifies the maximum number of FDB entries.
538 - specifies whether an external control plane
539 .RB "(e.g. " "ip route encap" )
540 or the internal FDB should be used.
544 - enables the Group Policy extension (VXLAN-GBP).
547 Allows to transport group policy context across VXLAN network peers.
548 If enabled, includes the mark of a packet in the VXLAN header for outgoing
549 packets and fills the packet mark based on the information found in the
550 VXLAN header for incomming packets.
552 Format of upper 16 bits of packet mark (flags);
555 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
557 |-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
559 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
562 Don't Learn bit. When set, this bit indicates that the egress
563 VTEP MUST NOT learn the source address of the encapsulated frame.
566 Indicates that the group policy has already been applied to
567 this packet. Policies MUST NOT be applied by devices when the A bit is set.
570 Format of lower 16 bits of packet mark (policy ID):
573 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
577 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
581 iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF
587 - enables the Generic Protocol extension (VXLAN-GPE). Currently, this is
588 only supported together with the
595 GRE, IPIP, SIT Type Support
598 the following additional arguments are supported:
600 .BI "ip link add " DEVICE
601 .BR type " { gre | ipip | sit } "
602 .BI " remote " ADDR " local " ADDR
604 .BR encap " { fou | gue | none } "
606 .BI "encap-sport { " PORT " | auto } "
608 .BI "encap-dport " PORT
610 .I " [no]encap-csum "
612 .I " [no]encap-remcsum "
618 - specifies the remote address of the tunnel.
622 - specifies the fixed local address for tunneled packets.
623 It must be an address on another interface on this host.
626 .BR encap " { fou | gue | none } "
627 - specifies type of secondary UDP encapsulation. "fou" indicates
628 Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation.
631 .BI "encap-sport { " PORT " | auto } "
632 - specifies the source port in UDP encapsulation.
634 indicates the port by number, "auto"
635 indicates that the port number should be chosen automatically
636 (the kernel picks a flow based on the flow hash of the
637 encapsulated packet).
641 - specifies if UDP checksums are enabled in the secondary
646 - specifies if Remote Checksum Offload is enabled. This is only
647 applicable for Generic UDP Encapsulation.
652 IP6GRE/IP6GRETAP Type Support
655 the following additional arguments are supported:
657 .BI "ip link add " DEVICE
658 .BI type " { ip6gre | ip6gretap } " remote " ADDR " local " ADDR
668 .BI encaplimit " ELIM "
670 .BI tclass " TCLASS "
672 .BI flowlabel " FLOWLABEL "
682 - specifies the remote IPv6 address of the tunnel.
686 - specifies the fixed local IPv6 address for tunneled packets.
687 It must be an address on another interface on this host.
694 flag enables sequencing of outgoing packets.
697 flag requires that all input packets are serialized.
701 - use keyed GRE with key
703 is either a number or an IPv4 address-like dotted quad.
706 parameter specifies the same key to use in both directions.
708 .BR ikey " and " okey
709 parameters specify different keys for input and output.
713 - generate/require checksums for tunneled packets.
716 flag calculates checksums for outgoing packets.
719 flag requires that all input packets have the correct
722 flag is equivalent to the combination
727 - specifies Hop Limit value to use in outgoing packets.
730 .BI encaplimit " ELIM"
731 - specifies a fixed encapsulation limit. Default is 4.
734 .BI flowlabel " FLOWLABEL"
735 - specifies a fixed flowlabel.
739 - specifies the traffic class field on
740 tunneled packets, which can be specified as either a two-digit
741 hex value (e.g. c0) or a predefined string (e.g. internet).
744 causes the field to be copied from the original IP header. The
746 .BI "inherit/" STRING
748 .BI "inherit/" 00 ".." ff
749 will set the field to
753 when tunneling non-IP packets. The default value is 00.
761 the following additional arguments are supported:
763 .BI "ip link add " DEVICE " name " NAME
764 .BI type " ipoib [ " pkey " PKEY ] [" mode " MODE " ]
769 - specifies the IB P-Key to use.
772 - specifies the mode (datagram or connected) to use.
778 the following additional arguments are supported:
780 .BI "ip link add " DEVICE
781 .BI type " geneve " id " ID " remote " IPADDR"
787 .BI flowlabel " FLOWLABEL "
793 - specifies the Virtual Network Identifer to use.
797 - specifies the unicast destination IP address to use in outgoing packets.
801 - specifies the TTL value to use in outgoing packets.
805 - specifies the TOS value to use in outgoing packets.
808 .BI flowlabel " FLOWLABEL"
809 - specifies the flow label to use in outgoing packets.
814 MACVLAN and MACVTAP Type Support
819 the following additional arguments are supported:
821 .BI "ip link add link " DEVICE " name " NAME
822 .BR type " { " macvlan " | " macvtap " } "
823 .BR mode " { " private " | " vepa " | " bridge " | " passthru
824 .BR " [ " nopromisc " ] } "
828 .BR type " { " macvlan " | " macvtap " } "
829 - specifies the link type to use.
830 .BR macvlan " creates just a virtual interface, while "
831 .BR macvtap " in addition creates a character device "
832 .BR /dev/tapX " to be used just like a " tuntap " device."
835 - Do not allow communication between
837 instances on the same physical interface, even if the external switch supports
841 - Virtual Ethernet Port Aggregator mode. Data from one
843 instance to the other on the same physical interface is transmitted over the
844 physical interface. Either the attached switch needs to support hairpin mode,
845 or there must be a TCP/IP router forwarding the packets in order to allow
846 communication. This is the default mode.
849 - In bridge mode, all endpoints are directly connected to each other,
850 communication is not redirected through the physical interface's peer.
852 .BR mode " " passthru " [ " nopromisc " ] "
853 - This mode gives more power to a single endpoint, usually in
854 .BR macvtap " mode. It is not allowed for more than one endpoint on the same "
855 physical interface. All traffic will be forwarded to this endpoint, allowing
856 virtio guests to change MAC address or set promiscuous mode in order to bridge
857 the interface or create vlan interfaces on top of it. By default, this mode
858 forces the underlying interface into promiscuous mode. Passing the
859 .BR nopromisc " flag prevents this, so the promisc flag may be controlled "
860 using standard tools.
864 High-availability Seamless Redundancy (HSR) Support
867 the following additional arguments are supported:
869 .BI "ip link add link " DEVICE " name " NAME
871 .BI slave1 " SLAVE1-IF " slave2 " SLAVE2-IF "
872 .BR " [ supervision " ADDR-BYTE " ] "
873 .BR " [ version { " 0 " | " 1 " } ] "
878 - specifies the link type to use, here HSR.
880 .BI slave1 " SLAVE1-IF "
881 - Specifies the physical device used for the first of the two ring ports.
883 .BI slave2 " SLAVE2-IF "
884 - Specifies the physical device used for the second of the two ring ports.
886 .BR "supervision ADDR-BYTE "
887 - The last byte of the multicast address used for HSR supervision frames.
888 Default option is "0", possible values 0-255.
890 .BR "version { 0 | 1 }"
891 - Selects the protocol version of the interface. Default option is "0", which
892 corresponds to the 2010 version of the HSR standard. Option "1" activates the
900 the following additional arguments are supported:
902 .BI "ip link add link " DEVICE " name " NAME " type macsec"
908 .BI cipher " CIPHER_SUITE"
911 .BR on " | " off " } ] [ "
912 .BR send_sci " { " on " | " off " } ] ["
913 .BR es " { " on " | " off " } ] ["
914 .BR scb " { " on " | " off " } ] ["
915 .BR protect " { " on " | " off " } ] ["
916 .BR replay " { " on " | " off " }"
918 .IR 0..2^32-1 " } ] ["
919 .BR validate " { " strict " | " check " | " disabled " } ] ["
926 - sets the port number for this MACsec device.
930 - sets the SCI for this MACsec device.
933 .BI cipher " CIPHER_SUITE "
934 - defines the cipher suite to use.
937 .BR "encrypt on " or " encrypt off"
938 - switches between authenticated encryption, or authenticity mode only.
941 .BR "send_sci on " or " send_sci off"
942 - specifies whether the SCI is included in every packet, or only when it is necessary.
945 .BR "es on " or " es off"
946 - sets the End Station bit.
949 .BR "scb on " or " scb off"
950 - sets the Single Copy Broadcast bit.
953 .BR "protect on " or " protect off"
954 - enables MACsec protection on the device.
957 .BR "replay on " or " replay off"
958 - enables replay protection on the device.
964 - sets the size of the replay window.
969 .BR "validate strict " or " validate check " or " validate disabled"
970 - sets the validation mode on the device.
974 - sets the active secure association for transmission.
982 the following additional arguments are supported:
984 .BI "ip link add " DEVICE " type vrf table " TABLE
988 .BR table " table id associated with VRF device"
992 .SS ip link delete - delete virtual link
996 specifies the virtual device to act operate on.
1000 specifies the group of virtual links to delete. Group 0 is not allowed to be
1001 deleted since it is the default group.
1005 specifies the type of the device.
1007 .SS ip link set - change device attributes
1012 specifies network device to operate on. When configuring SR-IOV Virtual Function
1013 (VF) devices, this keyword should specify the associated Physical Function (PF)
1019 has a dual role: If both group and dev are present, then move the device to the
1020 specified group. If only a group is specified, then the command operates on
1021 all devices in that group.
1025 change the state of the device to
1031 .BR "arp on " or " arp off"
1037 .BR "multicast on " or " multicast off"
1043 .BR "protodown on " or " protodown off"
1046 state on the device. Indicates that a protocol error has been detected on the port. Switch drivers can react to this error by doing a phys down on the switch port.
1049 .BR "dynamic on " or " dynamic off"
1052 flag on the device. Indicates that address can change when interface goes down (currently
1058 change the name of the device. This operation is not
1059 recommended if the device is running or has some addresses
1063 .BI txqueuelen " NUMBER"
1065 .BI txqlen " NUMBER"
1066 change the transmit queue length of the device.
1075 .BI address " LLADDRESS"
1076 change the station address of the interface.
1079 .BI broadcast " LLADDRESS"
1081 .BI brd " LLADDRESS"
1083 .BI peer " LLADDRESS"
1084 change the link layer broadcast address or the peer address when
1089 .BI netns " NETNSNAME " \fR| " PID"
1090 move the device to the network namespace associated with name
1094 Some devices are not allowed to change network namespace: loopback, bridge,
1095 ppp, wireless. These are network namespace local devices. In such case
1097 tool will return "Invalid argument" error. It is possible to find out if device is local
1098 to a single network namespace by checking
1100 flag in the output of the
1108 To change network namespace for wireless devices the
1110 tool can be used. But it allows to change network namespace only for physical devices and by process
1115 give the device a symbolic name for easy reference.
1119 specify the group the device belongs to.
1120 The available groups are listed in file
1121 .BR "@SYSCONFDIR@/group" .
1125 specify a Virtual Function device to be configured. The associated PF device
1126 must be specified using the
1131 .BI mac " LLADDRESS"
1132 - change the station address for the specified VF. The
1134 parameter must be specified.
1138 - change the assigned VLAN for the specified VF. When specified, all traffic
1139 sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
1140 will be filtered for the specified VLAN ID, and will have all VLAN tags
1141 stripped before being passed to the VF. Setting this parameter to 0 disables
1142 VLAN tagging and filtering. The
1144 parameter must be specified.
1148 - assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
1149 tags transmitted by the VF will include the specified priority bits in the
1150 VLAN tag. If not specified, the value is assumed to be 0. Both the
1154 parameters must be specified. Setting both
1158 as 0 disables VLAN tagging and filtering for the VF.
1162 -- change the allowed transmit bandwidth, in Mbps, for the specified VF.
1163 Setting this parameter to 0 disables rate limiting.
1165 parameter must be specified.
1171 .BI max_tx_rate " TXRATE"
1172 - change the allowed maximum transmit bandwidth, in Mbps, for the specified VF.
1174 parameter must be specified.
1177 .BI min_tx_rate " TXRATE"
1178 - change the allowed minimum transmit bandwidth, in Mbps, for the specified VF.
1179 Minimum TXRATE should be always <= Maximum TXRATE.
1181 parameter must be specified.
1184 .BI spoofchk " on|off"
1185 - turn packet spoof checking on or off for the specified VF.
1187 .BI query_rss " on|off"
1188 - toggle the ability of querying the RSS configuration of a specific VF. VF RSS information like RSS hash key may be considered sensitive on some devices where this information is shared between VF and PF and thus its querying may be prohibited by default.
1190 .BI state " auto|enable|disable"
1191 - set the virtual link state as seen by the specified VF. Setting to auto means a
1192 reflection of the PF link state, enable lets the VF to communicate with other VFs on
1193 this host even if the PF link state is down, disable causes the HW to drop any packets
1197 - trust the specified VF user. This enables that VF user can set a specific feature
1198 which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
1202 .BI master " DEVICE"
1203 set master device of the device (enslave device).
1207 unset master device of the device (release device).
1210 .BI addrgenmode " eui64|none|stable_secret|random"
1211 set the IPv6 address generation mode
1214 - use a Modified EUI-64 format interface identifier
1217 - disable automatic address generation
1220 - generate the interface identifier based on a preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
1223 - like stable_secret, but auto-generate a new random secret if none is set
1227 set peer netnsid for a cross-netns interface
1231 If multiple parameter changes are requested,
1233 aborts immediately after any of the changes have failed.
1234 This is the only case when
1236 can move the system to an unpredictable state. The solution
1237 is to avoid changing several parameters with one
1241 .SS ip link show - display device attributes
1244 .BI dev " NAME " (default)
1246 specifies the network device to show.
1247 If this argument is omitted all devices in the default group are listed.
1252 specifies what group of devices to show.
1256 only display running interfaces.
1259 .BI master " DEVICE "
1261 specifies the master device which enslaves devices to show.
1266 speficies the VRF which enslaves devices to show.
1271 specifies the type of devices to show.
1273 Note that the type name is not checked against the list of supported types -
1274 instead it is sent as-is to the kernel. Later it is used to filter the returned
1275 interface list by comparing it with the relevant attribute in case the kernel
1276 didn't filter already. Therefore any string is accepted, but may lead to empty
1279 .SS ip link help - display help
1283 specifies which help of link type to dislpay.
1287 may be a number or a string from the file
1288 .B @SYSCONFDIR@/group
1289 which can be manually filled.
1295 Shows the state of all network interfaces on the system.
1298 ip link show type bridge
1300 Shows the bridge devices.
1303 ip link show type vlan
1305 Shows the vlan devices.
1308 ip link show master br0
1310 Shows devices enslaved by br0
1313 ip link set dev ppp0 mtu 1400
1315 Change the MTU the ppp0 device.
1318 ip link add link eth0 name eth0.10 type vlan id 10
1320 Creates a new vlan device eth0.10 on device eth0.
1323 ip link delete dev eth0.10
1325 Removes vlan device.
1330 Display help for the gre link type.
1333 ip link add name tun1 type ipip remote 192.168.1.1
1334 local 192.168.1.2 ttl 225 encap gue encap-sport auto
1335 encap-dport 5555 encap-csum encap-remcsum
1337 Creates an IPIP that is encapsulated with Generic UDP Encapsulation,
1338 and the outer UDP checksum and remote checksum offload are enabled.
1342 ip link add link wpan0 lowpan0 type lowpan
1344 Creates a 6LoWPAN interface named lowpan0 on the underlying
1345 IEEE 802.15.4 device wpan0.
1356 Original Manpage by Michail Litvak <mci@owl.openwall.com>