.TH IP\-LINK 8 "13 Dec 2012" "iproute2" "Linux"
ip-link \- network device configuration
.RI " { " COMMAND " | "
.BR "ip link delete " {
.RB "} [ { " up " | " down " } ]"
.RB "[ " arp " { " on " | " off " } ]"
.RB "[ " dynamic " { " on " | " off " } ]"
.RB "[ " multicast " { " on " | " off " } ]"
.RB "[ " allmulticast " { " on " | " off " } ]"
.RB "[ " promisc " { " on " | " off " } ]"
.RB "[ " protodown " { " on " | " off " } ]"
.RB "[ " trailers " { " on " | " off " } ]"
.IR PID " | " NETNSNAME " } ]"
.RB "[ " link-netnsid
.RB "[ " spoofchk " { " on " | " off " } ]"
.RB "[ " state " { " auto " | " enable " | " disable " } ]"
.RB "[ " trust " { " on " | " off " } ] ]"
.RB "[ " nomaster " ]"
.RB "[ " addrgenmode " { " eui64 " | " none " | " stable_secret " | " random " } ]"
.RI "[ " DEVICE " | "
.SS ip link add - add virtual link
specifies the physical device to operate on.
specifies the name of the new virtual device.
specifies the type of the new device.
- Ethernet Bridge device
- Controller Area Network interface
- Dummy network interface
- High-availability Seamless Redundancy device
- Intermediate Functional Block device
- IP over Infiniband device
- Virtual interface based on link layer address (MAC)
- Virtual interface based on link layer address (MAC) and TAP.
- Virtual Controller Area Network interface
- Virtual ethernet interface
- 802.1q tagged virtual LAN interface
- Virtual eXtended LAN
- Virtual tunnel interface IPv4|IPv6 over IPv6
- Virtual tunnel interface IPv4 over IPv4
- Virtual tunnel interface IPv6 over IPv4
- Virtual tunnel interface GRE over IPv4
- Virtual L2 tunnel interface GRE over IPv4
- Virtual tunnel interface GRE over IPv6
- Virtual L2 tunnel interface GRE over IPv6
- Virtual tunnel interface
- Netlink monitoring device
- Interface for L3 (IPv6/IPv4) based VLANs
- Interface for 6LoWPAN (IPv6) over IEEE 802.15.4 / Bluetooth
- GEneric NEtwork Virtualization Encapsulation
.BI numtxqueues " QUEUE_COUNT "
specifies the number of transmit queues for new device.
.BI numrxqueues " QUEUE_COUNT "
specifies the number of receive queues for new device.
specifies the desired index of the new virtual device. The link creation fails if the index is busy.
the following additional arguments are supported:
.BI protocol " VLAN_PROTO "
.BR reorder_hdr " { " on " | " off " } "
.BR gvrp " { " on " | " off " } "
.BR mvrp " { " on " | " off " } "
.BR loose_binding " { " on " | " off " } "
.BI ingress-qos-map " QOS-MAP "
.BI egress-qos-map " QOS-MAP "
.BI protocol " VLAN_PROTO "
- either 802.1Q or 802.1ad.
- specifies the VLAN Identifier to use. Note that numbers with a leading " 0 " or " 0x " are interpreted as octal or hexadecimal, respectively.
.BR reorder_hdr " { " on " | " off " } "
- specifies whether ethernet headers are reordered or not (default is
.BR reorder_hdr " is " on
then the VLAN header will not be inserted immediately but only before passing to the
physical device (if this device does not support VLAN offloading). Similarly,
in the RX direction, by default the packet will be untagged before being
received by the VLAN device. Reordering accelerates tagging on egress and
hides the VLAN header on ingress so the packet looks like a regular Ethernet packet;
at the same time it might be confusing for packet capture as the VLAN header
does not exist within the packet.
VLAN offloading can be checked by
.RB grep " tx-vlan-offload"
where <phy_dev> is the physical device to which the VLAN device is bound.
.BR gvrp " { " on " | " off " } "
- specifies whether this VLAN should be registered using GARP VLAN Registration Protocol.
.BR mvrp " { " on " | " off " } "
- specifies whether this VLAN should be registered using Multiple VLAN Registration Protocol.
.BR loose_binding " { " on " | " off " } "
- specifies whether the VLAN device state is bound to the physical device state.
.BI ingress-qos-map " QOS-MAP "
- defines a mapping of VLAN header prio field to the Linux internal packet
priority on incoming frames. The format is FROM:TO with multiple mappings
.BI egress-qos-map " QOS-MAP "
- defines a mapping of Linux internal packet priority to VLAN header prio field
but for outgoing frames. The format is the same as for ingress-qos-map.
Linux packet priority can be set by
-t mangle -A POSTROUTING [...] -j CLASSIFY --set-class 0:4
and this "4" priority can be used in the egress qos mapping to set VLAN prio "5":
link set veth0.10 type vlan egress 4:5
the following additional arguments are supported:
.BI "ip link add " DEVICE
.BI type " vxlan " id " ID"
.RB " ] [ { " group " | " remote " } "
.RI "{ "IPADDR " | "any " } "
.BI flowlabel " FLOWLABEL "
.BI srcport " MIN MAX "
.I "[no]udp6zerocsumtx "
.I "[no]udp6zerocsumrx "
.BI ageing " SECONDS "
.BI maxaddress " NUMBER "
- specifies the VXLAN Network Identifier (or VXLAN Segment
- specifies the physical device to use for tunnel endpoint communication.
- specifies the multicast IP address to join.
This parameter cannot be specified with the
- specifies the unicast destination IP address to use in outgoing packets
when the destination link layer address is not known in the VXLAN device
forwarding database. This parameter cannot be specified with the
- specifies the source IP address to use in outgoing packets.
- specifies the TTL value to use in outgoing packets.
- specifies the TOS value to use in outgoing packets.
.BI flowlabel " FLOWLABEL"
- specifies the flow label to use in outgoing packets.
- specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.
.BI srcport " MIN MAX"
- specifies the range of port numbers to use as UDP
source ports to communicate to the remote VXLAN tunnel endpoint.
- specifies if unknown source link layer addresses and IP addresses
are entered into the VXLAN device forwarding database.
- specifies if route short circuit is turned on.
- specifies if ARP proxy is turned on.
- specifies if netlink LLADDR miss notifications are generated.
- specifies if netlink IP ADDR miss notifications are generated.
- specifies if UDP checksum is calculated for transmitted packets over IPv4.
.I [no]udp6zerocsumtx
- skip UDP checksum calculation for transmitted packets over IPv6.
.I [no]udp6zerocsumrx
- allow incoming UDP packets over IPv6 with zero checksum field.
.BI ageing " SECONDS"
- specifies the lifetime in seconds of FDB entries learnt by the kernel.
.BI maxaddress " NUMBER"
- specifies the maximum number of FDB entries.
- specifies whether an external control plane
.RB "(e.g. " "ip route encap" )
or the internal FDB should be used.
- enables the Group Policy extension (VXLAN-GBP).
Allows group policy context to be transported across VXLAN network peers.
If enabled, includes the mark of a packet in the VXLAN header for outgoing
packets and fills the packet mark based on the information found in the
VXLAN header for incoming packets.
Format of upper 16 bits of packet mark (flags):
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|-|-|-|-|-|-|-|-|-|D|-|-|A|-|-|-|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Don't Learn bit. When set, this bit indicates that the egress
VTEP MUST NOT learn the source address of the encapsulated frame.
Indicates that the group policy has already been applied to
this packet. Policies MUST NOT be applied by devices when the A bit is set.
Format of lower 16 bits of packet mark (policy ID):
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
iptables -A OUTPUT [...] -j MARK --set-mark 0x800FF
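Added example (not part of the original manpage or of iproute2): a POSIX shell helper that composes and decodes packet marks in the VXLAN-GBP layout above, with the D and A bit positions read off the diagram (bit 0 is the leftmost, most significant bit). The function names are hypothetical. Since the A bit tells receiving devices not to apply policy, decoding the value of every --set-mark rule is a useful step when reviewing a ruleset.

```shell
#!/bin/sh
# Bit positions taken from the flags diagram: D is bit 9 and A is bit 12 of
# the upper 16 bits, counted from the most significant bit.
GBP_DONT_LEARN=$((1 << 22))      # D -> 0x400000 in the 32-bit mark
GBP_POLICY_APPLIED=$((1 << 19))  # A -> 0x080000 in the 32-bit mark

# gbp_mark POLICY_ID [D] [A]
# Prints the mark (hex) to pass to "-j MARK --set-mark".
gbp_mark() {
    id=$(($1)); shift
    if [ "$id" -lt 0 ] || [ "$id" -gt 65535 ]; then
        echo "policy id out of range (0..65535): $id" >&2
        return 1
    fi
    mark=$id
    for flag in "$@"; do
        case $flag in
            D) mark=$((mark | GBP_DONT_LEARN)) ;;
            A) mark=$((mark | GBP_POLICY_APPLIED)) ;;
            *) echo "unknown flag: $flag" >&2; return 1 ;;
        esac
    done
    printf '0x%X\n' "$mark"
}

# gbp_decode MARK
# Splits a mark into policy ID (lower 16 bits) and flags (upper 16 bits).
# other_flags reports any upper-half bits besides D and A, which the
# diagram leaves unassigned.
gbp_decode() {
    mark=$(($1))
    id=$((mark & 0xFFFF))
    flags=$(((mark >> 16) & 0xFFFF))
    d=$(((mark & GBP_DONT_LEARN) != 0))
    a=$(((mark & GBP_POLICY_APPLIED) != 0))
    other=$((flags & ~0x48 & 0xFFFF))
    printf 'policy_id=%d dont_learn=%d policy_applied=%d other_flags=0x%04X\n' \
        "$id" "$d" "$a" "$other"
}

# The mark used in the iptables line above: A bit set, policy ID 0xFF.
gbp_decode 0x800FF
```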
- enables the Generic Protocol extension (VXLAN-GPE). Currently, this is
only supported together with the
GRE, IPIP, SIT Type Support
the following additional arguments are supported:
.BI "ip link add " DEVICE
.BR type " { gre | ipip | sit } "
.BI " remote " ADDR " local " ADDR
.BR encap " { fou | gue | none } "
.BI "encap-sport { " PORT " | auto } "
.BI "encap-dport " PORT
.I " [no]encap-csum "
.I " [no]encap-remcsum "
- specifies the remote address of the tunnel.
- specifies the fixed local address for tunneled packets.
It must be an address on another interface on this host.
.BR encap " { fou | gue | none } "
- specifies type of secondary UDP encapsulation. "fou" indicates
Foo-Over-UDP, "gue" indicates Generic UDP Encapsulation.
.BI "encap-sport { " PORT " | auto } "
- specifies the source port in UDP encapsulation.
indicates the port by number, "auto"
indicates that the port number should be chosen automatically
(the kernel picks a flow based on the flow hash of the
encapsulated packet).
- specifies if UDP checksums are enabled in the secondary
- specifies if Remote Checksum Offload is enabled. This is only
applicable for Generic UDP Encapsulation.
IP6GRE/IP6GRETAP Type Support
the following additional arguments are supported:
.BI "ip link add " DEVICE
.BI type " { ip6gre | ip6gretap } " remote " ADDR " local " ADDR
.BI encaplimit " ELIM "
.BI tclass " TCLASS "
.BI flowlabel " FLOWLABEL "
- specifies the remote IPv6 address of the tunnel.
- specifies the fixed local IPv6 address for tunneled packets.
It must be an address on another interface on this host.
flag enables sequencing of outgoing packets.
flag requires that all input packets are serialized.
- use keyed GRE with key
is either a number or an IPv4 address-like dotted quad.
parameter specifies the same key to use in both directions.
.BR ikey " and " okey
parameters specify different keys for input and output.
- generate/require checksums for tunneled packets.
flag calculates checksums for outgoing packets.
flag requires that all input packets have the correct
flag is equivalent to the combination
- specifies Hop Limit value to use in outgoing packets.
.BI encaplimit " ELIM"
- specifies a fixed encapsulation limit. Default is 4.
.BI flowlabel " FLOWLABEL"
- specifies a fixed flowlabel.
- specifies the traffic class field on
tunneled packets, which can be specified as either a two-digit
hex value (e.g. c0) or a predefined string (e.g. internet).
causes the field to be copied from the original IP header. The
.BI "inherit/" STRING
.BI "inherit/" 00 ".." ff
will set the field to
when tunneling non-IP packets. The default value is 00.
the following additional arguments are supported:
.BI "ip link add " DEVICE " name " NAME
.BI type " ipoib [ " pkey " PKEY ] [" mode " MODE " ]
- specifies the IB P-Key to use.
- specifies the mode (datagram or connected) to use.
the following additional arguments are supported:
.BI "ip link add " DEVICE
.BI type " geneve " id " ID " remote " IPADDR"
.BI flowlabel " FLOWLABEL "
- specifies the Virtual Network Identifier to use.
- specifies the unicast destination IP address to use in outgoing packets.
- specifies the TTL value to use in outgoing packets.
- specifies the TOS value to use in outgoing packets.
.BI flowlabel " FLOWLABEL"
- specifies the flow label to use in outgoing packets.
MACVLAN and MACVTAP Type Support
the following additional arguments are supported:
.BI "ip link add link " DEVICE " name " NAME
.BR type " { " macvlan " | " macvtap " } "
.BR mode " { " private " | " vepa " | " bridge " | " passthru
.BR " [ " nopromisc " ] } "
.BR type " { " macvlan " | " macvtap " } "
- specifies the link type to use.
.BR macvlan " creates just a virtual interface, while "
.BR macvtap " in addition creates a character device "
.BR /dev/tapX " to be used just like a " tuntap " device."
- Do not allow communication between
instances on the same physical interface, even if the external switch supports
- Virtual Ethernet Port Aggregator mode. Data from one
instance to the other on the same physical interface is transmitted over the
physical interface. Either the attached switch needs to support hairpin mode,
or there must be a TCP/IP router forwarding the packets in order to allow
communication. This is the default mode.
- In bridge mode, all endpoints are directly connected to each other,
communication is not redirected through the physical interface's peer.
.BR mode " " passthru " [ " nopromisc " ] "
- This mode gives more power to a single endpoint, usually in
.BR macvtap " mode. It is not allowed for more than one endpoint on the same "
physical interface. All traffic will be forwarded to this endpoint, allowing
virtio guests to change MAC address or set promiscuous mode in order to bridge
the interface or create vlan interfaces on top of it. By default, this mode
forces the underlying interface into promiscuous mode. Passing the
.BR nopromisc " flag prevents this, so the promisc flag may be controlled "
using standard tools.
.SS ip link delete - delete virtual link
specifies the virtual device to operate on.
specifies the group of virtual links to delete. Group 0 is not allowed to be
deleted since it is the default group.
specifies the type of the device.
.SS ip link set - change device attributes
specifies network device to operate on. When configuring SR-IOV Virtual Function
(VF) devices, this keyword should specify the associated Physical Function (PF)
has a dual role: If both group and dev are present, then move the device to the
specified group. If only a group is specified, then the command operates on
all devices in that group.
change the state of the device to
.BR "arp on " or " arp off"
.BR "multicast on " or " multicast off"
.BR "protodown on " or " protodown off"
state on the device. Indicates that a protocol error has been detected on the port. Switch drivers can react to this error by doing a phys down on the switch port.
.BR "dynamic on " or " dynamic off"
flag on the device. Indicates that address can change when interface goes down (currently
change the name of the device. This operation is not
recommended if the device is running or has some addresses
.BI txqueuelen " NUMBER"
change the transmit queue length of the device.
.BI address " LLADDRESS"
change the station address of the interface.
.BI broadcast " LLADDRESS"
.BI peer " LLADDRESS"
change the link layer broadcast address or the peer address when
.BI netns " NETNSNAME " \fR| " PID"
move the device to the network namespace associated with name
Some devices are not allowed to change network namespace: loopback, bridge,
ppp, wireless. These are network namespace local devices. In such case
tool will return "Invalid argument" error. It is possible to find out if device is local
to a single network namespace by checking
flag in the output of the
To change network namespace for wireless devices the
tool can be used. But it allows changing the network namespace only for physical devices and by process
give the device a symbolic name for easy reference.
specify the group the device belongs to.
The available groups are listed in file
.BR "@SYSCONFDIR@/group" .
specify a Virtual Function device to be configured. The associated PF device
must be specified using the
- change the station address for the specified VF. The
parameter must be specified.
- change the assigned VLAN for the specified VF. When specified, all traffic
sent from the VF will be tagged with the specified VLAN ID. Incoming traffic
will be filtered for the specified VLAN ID, and will have all VLAN tags
stripped before being passed to the VF. Setting this parameter to 0 disables
VLAN tagging and filtering. The
parameter must be specified.
- assign VLAN QOS (priority) bits for the VLAN tag. When specified, all VLAN
tags transmitted by the VF will include the specified priority bits in the
VLAN tag. If not specified, the value is assumed to be 0. Both the
parameters must be specified. Setting both
as 0 disables VLAN tagging and filtering for the VF.
- change the allowed transmit bandwidth, in Mbps, for the specified VF.
Setting this parameter to 0 disables rate limiting.
parameter must be specified.
.BI max_tx_rate " TXRATE"
- change the allowed maximum transmit bandwidth, in Mbps, for the specified VF.
parameter must be specified.
.BI min_tx_rate " TXRATE"
- change the allowed minimum transmit bandwidth, in Mbps, for the specified VF.
Minimum TXRATE should always be <= Maximum TXRATE.
parameter must be specified.
.BI spoofchk " on|off"
- turn packet spoof checking on or off for the specified VF.
.BI state " auto|enable|disable"
- set the virtual link state as seen by the specified VF. Setting to auto means a
reflection of the PF link state, enable lets the VF communicate with other VFs on
this host even if the PF link state is down, disable causes the HW to drop any packets
- trust the specified VF user. This allows the VF user to set a specific feature
which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
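Added example (not part of the original manpage or of iproute2): a shell check that reads "ip link show" output and reports every VF with spoof checking off or trust on, the two VF settings described above that relax isolation. The function names, the interface name and the sample text are constructed; the per-VF line layout ("vf N ..., spoof checking on|off, ..., trust on|off") is assumed from commonly seen iproute2 output and may differ between versions.

```shell
#!/bin/sh
# audit_vfs: read `ip link show` output on stdin and print one line per VF
# that has spoof checking disabled and/or trust enabled.
audit_vfs() {
    awk '
        # Interface header line, e.g. "4: enp3s0f0: <...>": remember the PF name.
        /^[0-9]+: / {
            pf = $2
            sub(/:$/, "", pf)   # drop trailing colon
            sub(/@.*/, "", pf)  # drop "@parent" suffix of stacked devices
            next
        }
        # Per-VF line, e.g. "vf 1 MAC ..., spoof checking off, ..., trust off"
        $1 == "vf" {
            issues = ""
            if ($0 ~ /spoof checking off/) issues = issues " spoofchk=off"
            if ($0 ~ /trust on/)           issues = issues " trust=on"
            if (issues != "") print pf " vf " $2 ":" issues
        }
    '
}

# Constructed sample, not captured from a real host.
sample_output() {
    cat <<'EOF'
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:10 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 02:00:00:00:00:11, vlan 100, spoof checking on, link-state auto, trust off
    vf 1 MAC 02:00:00:00:00:12, spoof checking off, link-state auto, trust off
    vf 2 MAC 02:00:00:00:00:13, vlan 200, spoof checking on, link-state enable, trust on
5: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:20 brd ff:ff:ff:ff:ff:ff
EOF
}

# On a live host: ip link show | audit_vfs
# A reported VF is corrected on its PF with the options documented above:
#   ip link set dev <PF> vf <NUM> spoofchk on trust off
sample_output | audit_vfs
```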
.BI master " DEVICE"
set master device of the device (enslave device).
unset master device of the device (release device).
.BI addrgenmode " eui64|none|stable_secret|random"
set the IPv6 address generation mode
- use a Modified EUI-64 format interface identifier
- disable automatic address generation
- generate the interface identifier based on a preset /proc/sys/net/ipv6/conf/{default,DEVICE}/stable_secret
- like stable_secret, but auto-generate a new random secret if none is set
set peer netnsid for a cross-netns interface
If multiple parameter changes are requested,
aborts immediately after any of the changes have failed.
This is the only case when
can move the system to an unpredictable state. The solution
is to avoid changing several parameters with one
.SS ip link show - display device attributes
.BI dev " NAME " (default)
specifies the network device to show.
If this argument is omitted all devices in the default group are listed.
specifies what group of devices to show.
only display running interfaces.
.BI master " DEVICE "
specifies the master device which enslaves devices to show.
specifies the type of devices to show.
.SS ip link help - display help
specifies which help of link type to display.
may be a number or a string from the file
.B @SYSCONFDIR@/group
which can be manually filled.
Shows the state of all network interfaces on the system.
ip link show type bridge
Shows the bridge devices.
ip link show type vlan
Shows the vlan devices.
ip link show master br0
Shows devices enslaved by br0.
ip link set dev ppp0 mtu 1400
Change the MTU of the ppp0 device.
ip link add link eth0 name eth0.10 type vlan id 10
Creates a new vlan device eth0.10 on device eth0.
ip link delete dev eth0.10
Removes vlan device.
Display help for the gre link type.
ip link add name tun1 type ipip remote 192.168.1.1
local 192.168.1.2 ttl 225 encap gue encap-sport auto
encap-dport 5555 encap-csum encap-remcsum
Creates an IPIP that is encapsulated with Generic UDP Encapsulation,
and the outer UDP checksum and remote checksum offload are enabled.
ip link add link wpan0 lowpan0 type lowpan
Creates a 6LoWPAN interface named lowpan0 on the underlying
IEEE 802.15.4 device wpan0.
Original Manpage by Michail Litvak <mci@owl.openwall.com>