bridge.8 - oasis-root - Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/>

bridge.8 (43589B)

.TH BRIDGE 8 "1 August 2012" "iproute2" "Linux"
.SH NAME
bridge \- show / manipulate bridge addresses and devices
.SH SYNOPSIS
.ad l
.in +8
.ti -8
.B bridge
.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.IR OBJECT " := { "
.BR link " | " fdb " | " mdb " | " vlan " | " vni " | " monitor " }"
.sp
.ti -8
.IR OPTIONS " := { "
\fB\-V\fR[\fIersion\fR] |
\fB\-s\fR[\fItatistics\fR] |
\fB\-n\fR[\fIetns\fR] name |
\fB\-b\fR[\fIatch\fR] filename |
\fB\-c\fR[\fIolor\fR] |
\fB\-p\fR[\fIretty\fR] |
\fB\-j\fR[\fIson\fR] |
\fB\-o\fR[\fIneline\fR] }
.ti -8
.B "bridge link set"
.B dev
.IR DEV " [ "
.B cost
.IR COST " ] [ "
.B priority
.IR PRIO " ] [ "
.B state
.IR STATE " ] [ "
.BR guard " { " on " | " off " } ] [ "
.BR hairpin " { " on " | " off " } ] [ "
.BR fastleave " { " on " | " off " } ] [ "
.BR root_block " { " on " | " off " } ] [ "
.BR learning " { " on " | " off " } ] [ "
.BR learning_sync " { " on " | " off " } ] [ "
.BR flood " { " on " | " off " } ] [ "
.BR hwmode " { " vepa " | " veb " } ] [ "
.BR bcast_flood " { " on " | " off " } ] [ "
.BR mcast_flood " { " on " | " off " } ] [ "
.BR mcast_max_groups
.IR MAX_GROUPS " ] ["
.BR mcast_router
.IR MULTICAST_ROUTER " ] ["
.BR mcast_to_unicast " { " on " | " off " } ] [ "
.BR neigh_suppress " { " on " | " off " } ] [ "
.BR neigh_vlan_suppress " { " on " | " off " } ] [ "
.BR vlan_tunnel " { " on " | " off " } ] [ "
.BR isolated " { " on " | " off " } ] [ "
.BR locked " { " on " | " off " } ] [ "
.BR mab " { " on " | " off " } ] [ "
.B backup_port
.IR DEVICE " ] ["
.BR nobackup_port " ] [ "
.B backup_nhid
.IR NHID " ] ["
.BR self " ] [ " master " ]"
.ti -8
.BR "bridge link" " [ " show " ] [ "
.B dev
.IR DEV " ] ["
.B master
.IR DEVICE " ]"
.ti -8
.BR "bridge fdb" " { " add " | " append " | " del " | " replace " } "
.I LLADDR
.B dev
.IR DEV " { "
.BR local " | " static " | " dynamic " } [ "
.BR self " ] [ " master " ] [ " router " ] [ " use " ] [ " extern_learn " ] [ " sticky " ] [ "
.B src_vni
.IR VNI " ] { ["
.B dst
.IR IPADDR " ] [ "
.B vni
.IR VNI " ] ["
.B port
.IR PORT " ] ["
.B via
.IR DEVICE " ] | "
.B nhid
.IR NHID " } "
.ti -8
.BR "bridge fdb" " [ [ " show " ] [ "
.B br
.IR BRDEV " ] [ "
.B brport
.IR DEV " ] [ "
.B vlan
.IR VID " ] [ "
.B state
.IR STATE " ] ["
.B dynamic
.IR "] ]"
.ti -8
.BR "bridge fdb get" " ["
.B to
.IR "]"
.I LLADDR "[ "
.B br
.IR BRDEV " ]"
.B { brport | dev }
.IR DEV " [ "
.B vlan
.IR VID " ] [ "
.B vni
.IR VNI " ] ["
.BR self " ] [ " master " ] [ " dynamic " ]"
.ti -8
.BR "bridge fdb flush"
.B dev
.IR DEV " [ "
.B brport
.IR DEV " ] [ "
.B vlan
.IR VID " ] [ "
.B src_vni
.IR VNI " ] [ "
.B nhid
.IR NHID " ] ["
.B vni
.IR VNI " ] [ "
.B port
.IR PORT " ] ["
.B dst
.IR IPADDR " ] [ "
.BR self " ] [ " master " ] [ "
.BR [no]permanent " | " [no]static " | " [no]dynamic " ] [ "
.BR [no]added_by_user " ] [ " [no]extern_learn " ] [ "
.BR [no]sticky " ] [ " [no]offloaded " ] [ " [no]router " ]"
.ti -8
.BR "bridge mdb" " { " add " | " del " | " replace " } "
.B dev
.I DEV
.B port
.I PORT
.B grp
.IR GROUP " [ "
.B src
.IR SOURCE " ] [ "
.BR permanent " | " temp " ] [ "
.B vid
.IR VID " ] [ "
.BR filter_mode " { " include " | " exclude " } ] [ "
.B source_list
.IR SOURCE_LIST " ] [ "
.B proto
.IR PROTO " ] [ "
.B dst
.IR IPADDR " ] [ "
.B dst_port
.IR DST_PORT " ] [ "
.B vni
.IR VNI " ] [ "
.B src_vni
.IR SRC_VNI " ] [ "
.B via
.IR DEV " ]
.ti -8
.BR "bridge mdb show" " [ "
.B dev
.IR DEV " ]"
.ti -8
.B "bridge mdb get"
.BI dev " DEV " grp " GROUP "
.RB "[ " src
.IR SOURCE " ]"
.RB "[ " vid
.IR VID " ]"
.RB "[ " src_vni
.IR SRC_VNI " ]"
.ti -8
.B "bridge mdb flush"
.BI dev " DEV "
.RB "[ " port
.IR PORT " ]"
.RB "[ " vid
.IR VID " ]"
.RB "[ " src_vni
.IR SRC_VNI " ]"
.RB "[ " proto
.IR PROTO " ]"
.RB "[ " [no]permanent " ]"
.RB "[ " dst
.IR IPADDR " ]"
.RB "[ " dst_port
.IR DST_PORT " ]"
.RB "[ " vni
.IR VNI " ]"
.ti -8
.BR "bridge vlan" " { " add " | " del " } "
.B dev
.I DEV
.B vid
.IR VID " [ "
.B tunnel_info
.IR TUNNEL_ID " ] [ "
.BR pvid " ] [ " untagged " ] [ "
.BR self " ] [ " master " ] "
.ti -8
.BR "bridge vlan set"
.B dev
.I DEV
.B vid
.IR VID " [ "
.B state
.IR STP_STATE " ] [ "
.B mcast_max_groups
.IR MAX_GROUPS " ] [ "
.B mcast_router
.IR MULTICAST_ROUTER " ] [ "
.BR neigh_suppress " { " on " | " off " } ]"
.ti -8
.BR "bridge vlan" " [ " show " | " tunnelshow " ] [ "
.B dev
.IR DEV " ]"
.ti -8
.BR "bridge vlan global set"
.B dev
.I DEV
.B vid
.IR VID " [ "
.B mcast_snooping
.IR MULTICAST_SNOOPING " ] [ "
.B mcast_querier
.IR MULTICAST_QUERIER " ] [ "
.B mcast_igmp_version
.IR IGMP_VERSION " ] [ "
.B mcast_mld_version
.IR MLD_VERSION " ] [ "
.B mcast_last_member_count
.IR LAST_MEMBER_COUNT " ] [ "
.B mcast_last_member_interval
.IR LAST_MEMBER_INTERVAL " ] [ "
.B mcast_startup_query_count
.IR STARTUP_QUERY_COUNT " ] [ "
.B mcast_startup_query_interval
.IR STARTUP_QUERY_INTERVAL " ] [ "
.B mcast_membership_interval
.IR MEMBERSHIP_INTERVAL " ] [ "
.B mcast_querier_interval
.IR QUERIER_INTERVAL " ] [ "
.B mcast_query_interval
.IR QUERY_INTERVAL " ] [ "
.B mcast_query_response_interval
.IR QUERY_RESPONSE_INTERVAL " ]"
.ti -8
.BR "bridge vlan global" " [ " show " ] [ "
.B dev
.IR DEV " ] [ "
.B vid
.IR VID " ]"
.ti -8
.BR "bridge vlan" " show " [ "
.B dev
.IR DEV " ]"
.ti -8
.BR "bridge vni" " { " add " | " del " } "
.B dev
.I DEV
.B vni
.IR VNI " [ { "
.B group | remote "} "
.IR IPADDR " ] "
.ti -8
.BR "bridge vni" " show " [ "
.B dev
.IR DEV " ]"
.ti -8
.BR "bridge monitor" " [ " all " | " neigh " | " link " | " mdb " | " vlan " ]"
.SH OPTIONS
.TP
.BR "\-V" , " -Version"
print the version of the
.B bridge
utility and exit.
.TP
.BR "\-s" , " \-stats", " \-statistics"
output more information. If this option
is given multiple times, the amount of information increases.
As a rule, the information is statistics or some time values.
.TP
.BR "\-d" , " \-details"
print detailed information about bridge vlan filter entries or MDB router ports.
.TP
.BR "\-n" , " \-net" , " \-netns " <NETNS>
switches
.B bridge
to the specified network namespace
.IR NETNS .
Actually it just simplifies executing of:
.B ip netns exec
.I NETNS
.B bridge
.RI "[ " OPTIONS " ] " OBJECT " { " COMMAND " | "
.BR help " }"
to
.B bridge
.RI "-n[etns] " NETNS " [ " OPTIONS " ] " OBJECT " { " COMMAND " | "
.BR help " }"
.TP
.BR "\-b", " \-batch " <FILENAME>
Read commands from provided file or standard input and invoke them.
First failure will cause termination of bridge command.
.TP
.B "\-force"
Don't terminate bridge command on errors in batch mode.
If there were any errors during execution of the commands, the application
return code will be non zero.
.TP
.BR \-c [ color ][ = { always | auto | never }
Configure color output. If parameter is omitted or
.BR always ,
color output is enabled regardless of stdout state. If parameter is
.BR auto ,
stdout is checked to be a terminal before enabling color output. If parameter is
.BR never ,
color output is disabled. If specified multiple times, the last one takes
precedence. This flag is ignored if
.B \-json
is also given.
.TP
.BR "\-j", " \-json"
Output results in JavaScript Object Notation (JSON).
.TP
.BR "\-p", " \-pretty"
When combined with -j generate a pretty JSON output.
.TP
.BR "\-o", " \-oneline"
output each record on a single line, replacing line feeds
with the
.B '\e'
character. This is convenient when you want to count records
with
.BR wc (1)
or to
.BR grep (1)
the output.
.SH BRIDGE - COMMAND SYNTAX
.SS
.I OBJECT
.TP
.B link
- Bridge port.
.TP
.B fdb
- Forwarding Database entry.
.TP
.B mdb
- Multicast group database entry.
.TP
.B vlan
- VLAN filter list.
.TP
.B vni
- VNI filter list.
.SS
.I COMMAND
Specifies the action to perform on the object.
The set of possible actions depends on the object type.
As a rule, it is possible to
.BR "add" , " delete"
and
.B show
(or
.B list
) objects, but some objects do not allow all of these operations
or have some additional commands. The
.B help
command is available for all objects. It prints
out a list of available commands and argument syntax conventions.
.sp
If no command is given, some default command is assumed.
Usually it is
.B list
or, if the objects of this class cannot be listed,
.BR "help" .
.SH bridge link - bridge port
.B link
objects correspond to the port devices of the bridge.
.P
The corresponding commands set and display port status and bridge specific
attributes.
.SS bridge link set - set bridge specific attributes on a port
.TP
.BI dev " NAME "
interface name of the bridge port
.TP
.BI cost " COST "
the STP path cost of the specified port.
.TP
.BI priority " PRIO "
the STP port priority. The priority value is an unsigned 8-bit quantity
(number between 0 and 255). This metric is used in the designated port an
droot port selection algorithms.
.TP
.BI state " STATE "
the operation state of the port. Except state 0 (disable STP or BPDU filter feature),
this is primarily used by user space STP/RSTP
implementation. One may enter port state name (case insensitive), or one of the
numbers below. Negative inputs are ignored, and unrecognized names return an
error.
.B 0
- port is in STP
.B DISABLED
state. Make this port completely inactive for STP. This is also called
BPDU filter and could be used to disable STP on an untrusted port, like
a leaf virtual devices.
.sp
.B 1
- port is in STP
.B LISTENING
state. Only valid if STP is enabled on the bridge. In this
state the port listens for STP BPDUs and drops all other traffic frames.
.sp
.B 2
- port is in STP
.B LEARNING
state. Only valid if STP is enabled on the bridge. In this
state the port will accept traffic only for the purpose of updating MAC
address tables.
.sp
.B 3
- port is in STP
.B FORWARDING
state. Port is fully active.
.sp
.B 4
- port is in STP
.B BLOCKING
state. Only valid if STP is enabled on the bridge. This state
is used during the STP election process. In this state, port will only process
STP BPDUs.
.sp
.TP
.BR "guard on " or " guard off "
Controls whether STP BPDUs will be processed by the bridge port. By default,
the flag is turned off allowed BPDU processing. Turning this flag on will
disables
the bridge port if a STP BPDU packet is received.
If running Spanning Tree on bridge, hostile devices on the network
may send BPDU on a port and cause network failure. Setting
.B guard on
will detect and stop this by disabling the port.
The port will be restarted if link is brought down, or
removed and reattached. For example if guard is enable on
eth0:
.B ip link set dev eth0 down; ip link set dev eth0 up
.TP
.BR "hairpin on " or " hairpin off "
Controls whether traffic may be send back out of the port on which it was
received. This option is also called reflective relay mode, and is used to support
basic VEPA (Virtual Ethernet Port Aggregator) capabilities.
By default, this flag is turned off and the bridge will not forward
traffic back out of the receiving port.
.TP
.BR "fastleave on " or " fastleave off "
This flag allows the bridge to immediately stop multicast traffic on a port
that receives IGMP Leave message. It is only used with IGMP snooping is
enabled on the bridge. By default the flag is off.
.TP
.BR "root_block on " or " root_block off "
Controls whether a given port is allowed to become root port or not. Only used
when STP is enabled on the bridge. By default the flag is off.
This feature is also called root port guard.
If BPDU is received from a leaf (edge) port, it should not
be elected as root port. This could be used if using STP on a bridge and the downstream bridges are not fully
trusted; this prevents a hostile guest from rerouting traffic.
.TP
.BR "learning on " or " learning off "
Controls whether a given port will learn MAC addresses from received traffic or
not. If learning if off, the bridge will end up flooding any traffic for which
it has no FDB entry. By default this flag is on.
.TP
.BR "learning_sync on " or " learning_sync off "
Controls whether a given port will sync MAC addresses learned on device port to
bridge FDB.
.TP
.BR "flood on " or " flood off "
Controls whether unicast traffic for which there is no FDB entry will be
flooded towards this given port. By default this flag is on.
.TP
.B hwmode
Some network interface cards support HW bridge functionality and they may be
configured in different modes. Currently support modes are:
.B vepa
- Data sent between HW ports is sent on the wire to the external
switch.
.B veb
- bridging happens in hardware.
.TP
.BR "bcast_flood on " or " bcast_flood off "
Controls flooding of broadcast traffic on the given port.
By default this flag is on.
.TP
.BR "mcast_flood on " or " mcast_flood off "
Controls whether multicast traffic for which there is no MDB entry will be
flooded towards this given port. By default this flag is on.
.TP
.BI mcast_max_groups " MAX_GROUPS "
Sets the maximum number of MDB entries that can be registered for a given
port. Attempts to register more MDB entries at the port than this limit
allows will be rejected, whether they are done through netlink (e.g. the
\fBbridge\fR tool), or IGMP or MLD membership reports. Setting a limit to 0
has the effect of disabling the limit. The default value is 0. See also the
\fBip link\fR option \fBmcast_hash_max\fR.
.TP
.BI mcast_router " MULTICAST_ROUTER "
This flag is almost the same as the per-VLAN flag, see below, except its
value can only be set in the range 0-2. The default is
.B 1
where the bridge figures out automatically where an IGMP/MLD querier,
MRDISC capable device, or PIM router, is located. Setting this flag to
.B 2
is useful in cases where the multicast router does not indicate its
presence in any meaningful way (e.g. older versions of SMCRoute, or
mrouted), or when there is a need for forwarding both known and unknown
IP multicast to a secondary/backup router.
.TP
.BR "mcast_to_unicast on " or " mcast_to_unicast off "
Controls whether a given port will replicate packets using unicast
instead of multicast. By default this flag is off.
This is done by copying the packet per host and
changing the multicast destination MAC to a unicast one accordingly.
.B mcast_to_unicast
works on top of the multicast snooping feature of
the bridge. Which means unicast copies are only delivered to hosts which
are interested in it and signalized this via IGMP/MLD reports
previously.
This feature is intended for interface types which have a more reliable
and/or efficient way to deliver unicast packets than broadcast ones
(e.g. WiFi).
However, it should only be enabled on interfaces where no IGMPv2/MLDv1
report suppression takes place. IGMP/MLD report suppression issue is usually
overcome by the network daemon (supplicant) enabling AP isolation and
by that separating all STAs.
Delivery of STA-to-STA IP multicast is made possible again by
enabling and utilizing the bridge hairpin mode, which considers the
incoming port as a potential outgoing port, too (see
.B hairpin
option).
Hairpin mode is performed after multicast snooping, therefore leading to
only deliver reports to STAs running a multicast router.
.TP
.BR "neigh_suppress on " or " neigh_suppress off "
Controls whether neigh discovery (arp and nd) proxy and suppression is
enabled on the port. By default this flag is off.
.TP
.BR "neigh_vlan_suppress on " or " neigh_vlan_suppress off "
Controls whether per-VLAN neigh discovery (arp and nd) proxy and suppression is
enabled on the port. When on, the \fBbridge link\fR option \fBneigh_suppress\fR
has no effect and the per-VLAN state is set using the \fBbridge vlan\fR option
\fBneigh_suppress\fR. By default this flag is off.
.TP
.BR "vlan_tunnel on " or " vlan_tunnel off "
Controls whether vlan to tunnel mapping is enabled on the port. By
default this flag is off.
.TP
.BR "isolated on " or " isolated off "
Controls whether a given port will be isolated, which means it will be
able to communicate with non-isolated ports only. By default this
flag is off.
.TP
.BR "locked on " or " locked off "
Controls whether a port is locked or not. When locked, non-link-local frames
received through the port are dropped unless an FDB entry with the MAC source
address points to the port. The common use case is IEEE 802.1X where hosts can
authenticate themselves by exchanging EAPOL frames with an authenticator. After
authentication is complete, the user space control plane can install a matching
FDB entry to allow traffic from the host to be forwarded by the bridge. When
learning is enabled on a locked port, the
.B no_linklocal_learn
bridge option needs to be on to prevent the bridge from learning from received
EAPOL frames. By default this flag is off.
.TP
.BR "mab on " or " mab off "
Controls whether MAC Authentication Bypass (MAB) is enabled on the port or not.
MAB can only be enabled on a locked port that has learning enabled. When
enabled, FDB entries are learned from received traffic and have the "locked"
FDB flag set. The flag can only be set by the kernel and it indicates that the
FDB entry cannot be used to authenticate the corresponding host. User space can
decide to authenticate the host by replacing the FDB entry and clearing the
"locked" FDB flag. Locked FDB entries can roam to unlocked (authorized) ports
in which case the "locked" flag is cleared. FDB entries cannot roam to locked
ports regardless of MAB being enabled or not. Therefore, locked FDB entries are
only created if an FDB entry with the given {MAC, VID} does not already exist.
This behavior prevents unauthenticated hosts from disrupting traffic destined
to already authenticated hosts. Locked FDB entries act like regular dynamic
entries with respect to forwarding and aging. By default this flag is off.
.TP
.BI backup_port " DEVICE"
If the port loses carrier all traffic will be redirected to the
configured backup port
.TP
.B nobackup_port
Removes the currently configured backup port
.TP
.BI backup_nhid " NHID"
The FDB nexthop object ID (see \fBip-nexthop\fR(8)) to attach to packets being
redirected to a backup port that has VLAN tunnel mapping enabled (via the
\fBvlan_tunnel\fR option). Setting a value of 0 (default) has the effect of not
attaching any ID.
.TP
.B self
link setting is configured on specified physical device
.TP
.B master
link setting is configured on the software bridge (default)
.TP
.BR "\-t" , " \-timestamp"
display current time when using monitor option.
.SS bridge link show - list ports configuration for all bridges.
This command displays ports configuration and flags for all bridges by default.
.TP
.BI dev " DEV"
only display the specific bridge port named DEV.
.TP
.BI master " DEVICE"
only display ports of the bridge named DEVICE. This is similar to
"ip link show master <bridge_device>" command.
.SH bridge fdb - forwarding database management
.B fdb
objects contain known Ethernet addresses on a link.
.P
The corresponding commands display fdb entries, add new entries,
append entries,
and delete old ones.
.SS bridge fdb add - add a new fdb entry
This command creates a new fdb entry.
.TP
.B LLADDR
the Ethernet MAC address.
.TP
.BI dev " DEV"
the interface to which this address is associated.
.B local
- is a local permanent fdb entry, which means that the bridge will not forward
frames with this destination MAC address and VLAN ID, but terminate them
locally. This flag is default unless "static" or "dynamic" are explicitly
specified.
.sp
.B permanent
- this is a synonym for "local"
.sp
.B static
- is a static (no arp) fdb entry
.sp
.B dynamic
- is a dynamic reachable age-able fdb entry
.sp
.B self
- the operation is fulfilled directly by the driver for the specified network
device. If the network device belongs to a master like a bridge, then the
bridge is bypassed and not notified of this operation (and if the device does
notify the bridge, it is driver-specific behavior and not mandated by this
flag, check the driver for more details). The "bridge fdb add" command can also
be used on the bridge device itself, and in this case, the added fdb entries
will be locally terminated (not forwarded). In the latter case, the "self" flag
is mandatory. The flag is set by default if "master" is not specified.
.sp
.B master
- if the specified network device is a port that belongs to a master device
such as a bridge, the operation is fulfilled by the master device's driver,
which may in turn notify the port driver too of the address. If the specified
device is a master itself, such as a bridge, this flag is invalid.
.sp
.B router
- the destination address is associated with a router.
Valid if the referenced device is a VXLAN type device and has
route short circuit enabled.
.sp
.B use
- the address is in use. User space can use this option to
indicate to the kernel that the fdb entry is in use.
.sp
.B extern_learn
- this entry was learned externally. This option can be used to
indicate to the kernel that an entry was hardware or user-space
controller learnt dynamic entry. Kernel will not age such an entry.
.sp
.B sticky
- this entry will not change its port due to learning.
.sp
.in -8
The next command line parameters apply only
when the specified device
.I DEV
is of type VXLAN.
.TP
.BI dst " IPADDR"
the IP address of the destination
VXLAN tunnel endpoint where the Ethernet MAC ADDRESS resides.
.TP
.BI src_vni " VNI"
the src VNI Network Identifier (or VXLAN Segment ID)
this entry belongs to. Used only when the vxlan device is in
external or collect metadata mode. If omitted the value specified at
vxlan device creation will be used.
.TP
.BI vni " VNI"
the VXLAN VNI Network Identifier (or VXLAN Segment ID)
to use to connect to the remote VXLAN tunnel endpoint.
If omitted the value specified at vxlan device creation
will be used.
.TP
.BI port " PORT"
the UDP destination PORT number to use to connect to the
remote VXLAN tunnel endpoint.
If omitted the default value is used.
.TP
.BI via " DEVICE"
device name of the outgoing interface for the
VXLAN device driver to reach the
remote VXLAN tunnel endpoint.
.TP
.BI nhid " NHID "
ecmp nexthop group for the VXLAN device driver
to reach remote VXLAN tunnel endpoints.
.SS bridge fdb append - append a forwarding database entry
This command adds a new fdb entry with an already known
.IR LLADDR .
Valid only for multicast link layer addresses.
The command adds support for broadcast and multicast
Ethernet MAC addresses.
The Ethernet MAC address is added multiple times into
the forwarding database and the vxlan device driver
sends a copy of the data packet to each entry found.
.PP
The arguments are the same as with
.BR "bridge fdb add" .
.SS bridge fdb delete - delete a forwarding database entry
This command removes an existing fdb entry.
.PP
The arguments are the same as with
.BR "bridge fdb add" .
.SS bridge fdb replace - replace a forwarding database entry
If no matching entry is found, a new one will be created instead.
.PP
The arguments are the same as with
.BR "bridge fdb add" .
.SS bridge fdb show - list forwarding entries.
This command displays the current forwarding table.
.PP
With the
.B -statistics
option, the command becomes verbose. It prints out the last updated
and last used time for each entry.
.SS bridge fdb get - get bridge forwarding entry.
lookup a bridge forwarding table entry.
.TP
.B LLADDR
the Ethernet MAC address.
.TP
.BI dev " DEV"
the interface to which this address is associated.
.TP
.BI brport " DEV"
the bridge port to which this address is associated. same as dev above.
.TP
.BI br " DEV"
the bridge to which this address is associated.
.TP
.B self
- the address is associated with the port drivers fdb. Usually hardware.
.TP
.B master
- the address is associated with master devices fdb. Usually software (default).
.SS bridge fdb flush - flush bridge forwarding table entries.
flush the matching bridge forwarding table entries. Some options below have a negated
form when "no" is prepended to them (e.g. permanent and nopermanent).
.TP
.BI dev " DEV"
the target device for the operation. If the device is a bridge port and "master"
is set then the operation will be fulfilled by its master device's driver and
all entries pointing to that port will be deleted.
.TP
.BI brport " DEV"
the target bridge port for the operation. If the bridge device is specified then only
entries pointing to the bridge itself will be deleted. Note that the target device
specified by this option will override the one specified by dev above.
.TP
.BI vlan " VID"
the target VLAN ID for the operation. Match forwarding table entries only with the
specified VLAN ID.
.TP
.BI src_vni " VNI"
the src VNI Network Identifier (or VXLAN Segment ID) for the operation. Match
forwarding table entries only with the specified VNI. Valid if the referenced
device is a VXLAN type device.
.TP
.BI nhid " NHID"
the ECMP nexthop group for the operation. Match forwarding table entries only
with the specified NHID. Valid if the referenced device is a VXLAN type device.
.TP
.BI vni " VNI"
the VXLAN VNI Network Identifier (or VXLAN Segment ID) for the operation. Match
forwarding table entries only with the specified VNI. Valid if the referenced
device is a VXLAN type device.
.TP
.BI port " PORT"
the UDP destination PORT number for the operation. Match forwarding table
entries only with the specified PORT. Valid if the referenced device is a VXLAN
type device.
.TP
.BI dst " IPADDR"
the IP address of the destination VXLAN tunnel endpoint for the operation. Match
forwarding table entries only with the specified IPADDR. Valid if the referenced
device is a VXLAN type device.
.TP
.B self
the operation is fulfilled directly by the driver for the specified network
device. If the network device belongs to a master like a bridge, then the
bridge is bypassed and not notified of this operation. The "bridge fdb flush"
command can also be used on the bridge device itself. The flag is set by default if
"master" is not specified.
.TP
.B master
if the specified network device is a port that belongs to a master device
such as a bridge, the operation is fulfilled by the master device's driver.
Flush with both 'master' and 'self' is not recommended with attributes that are
not supported by all devices (e.g., vlan, vni). Such command will be handled by
bridge or VXLAN driver, but will return an error from the driver that does not
support the attribute. Instead, run flush twice - once with 'self' and once
with 'master', and each one with the supported attributes.
.TP
.B [no]permanent
if specified then only permanent entries will be deleted or respectively if "no"
is prepended then only non-permanent entries will be deleted.
.TP
.B [no]static
if specified then only static entries will be deleted or respectively if "no"
is prepended then only non-static entries will be deleted.
.TP
.B [no]dynamic
if specified then only dynamic entries will be deleted or respectively if "no"
is prepended then only non-dynamic (static or permanent) entries will be deleted.
.TP
.B [no]added_by_user
if specified then only entries with added_by_user flag will be deleted or respectively
if "no" is prepended then only entries without added_by_user flag will be deleted.
.TP
.B [no]extern_learn
if specified then only entries with extern_learn flag will be deleted or respectively
if "no" is prepended then only entries without extern_learn flag will be deleted.
.TP
.B [no]sticky
if specified then only entries with sticky flag will be deleted or respectively
if "no" is prepended then only entries without sticky flag will be deleted.
.TP
.B [no]offloaded
if specified then only entries with offloaded flag will be deleted or respectively
if "no" is prepended then only entries without offloaded flag will be deleted.
.sp
.TP
.B [no]router
if specified then only entries with router flag will be deleted or respectively
if "no" is prepended then only entries without router flag will be deleted. Valid
if the referenced device is a VXLAN type device.
.sp
.SH bridge mdb - multicast group database management
.B mdb
objects contain known IP or L2 multicast group addresses on a link.
.P
The corresponding commands display mdb entries, add new entries, replace
entries and delete old ones.
.SS bridge mdb add - add a new multicast group database entry
This command creates a new mdb entry.
.TP
.BI dev " DEV"
the interface where this group address is associated.
.TP
.BI port " PORT"
the port whose link is known to have members of this multicast group.
.TP
.BI grp " GROUP"
the multicast group address (IPv4, IPv6 or L2 multicast) whose members reside
on the link connected to the port.
.B permanent
- the mdb entry is permanent. Optional for IPv4 and IPv6, mandatory for L2.
.sp
.B temp
- the mdb entry is temporary (default)
.sp
.TP
.BI src " SOURCE"
optional source IP address of a sender for this multicast group. If IGMPv3 for IPv4, or
MLDv2 for IPv6 respectively, are enabled it will be included in the lookup when
forwarding multicast traffic.
.TP
.BI vid " VID"
the VLAN ID which is known to have members of this multicast group.
.TP
.BR "filter_mode include " or " filter_mode exclude "
controls whether the sources in the entry's source list are in INCLUDE or
EXCLUDE mode. Can only be set for (*, G) entries.
.TP
.BI source_list " SOURCE_LIST"
optional list of source IP addresses of senders for this multicast group,
separated by a ','. Whether the entry forwards packets from these senders or
not is determined by the entry's filter mode, which becomes a mandatory
argument. Can only be set for (*, G) entries.
.TP
.BI proto " PROTO"
the routing protocol identifier of this mdb entry. Can be a number or a string
from the file /etc/iproute2/rt_protos. If the routing protocol is not given,
then
.B static
is assumed.
.in -8
The next command line parameters apply only
when the specified device
.I DEV
is of type VXLAN.
.TP
.BI dst " IPADDR"
the IP address of the destination
VXLAN tunnel endpoint where the multicast receivers reside.
.TP
.BI dst_port " DST_PORT"
the UDP destination port number to use to connect to the remote VXLAN tunnel
endpoint. If omitted, the value specified at VXLAN device creation will be
used.
.TP
.BI vni " VNI"
the VXLAN VNI Network Identifier to use to connect to the remote VXLAN tunnel
endpoint. If omitted, the value specified at VXLAN device creation will be used
or the source VNI when the VXLAN device is in external mode.
.TP
.BI src_vni " SRC_VNI"
the source VNI Network Identifier this entry belongs to. Used only when the
VXLAN device is in external mode. If omitted, the value specified at VXLAN
device creation will be used.
.TP
.BI via " DEV"
device name of the outgoing interface for the VXLAN device to reach the remote
VXLAN tunnel endpoint.
.in -8
The 0.0.0.0 and :: MDB entries are special catchall entries used to flood IPv4
and IPv6 unregistered multicast packets, respectively. Therefore, when these
entries are programmed, the catchall 00:00:00:00:00:00 FDB entry will only
flood broadcast, unknown unicast and link-local multicast.
.in -8
.SS bridge mdb delete - delete a multicast group database entry
This command removes an existing mdb entry.
.PP
The arguments are the same as with
.BR "bridge mdb add" .
.SS bridge mdb replace - replace a multicast group database entry
If no matching entry is found, a new one will be created instead.
.PP
The arguments are the same as with
.BR "bridge mdb add" .
.SS bridge mdb show - list multicast group database entries
This command displays the current multicast group membership table. The table
is populated by IGMP and MLD snooping in the bridge driver automatically. It
can be altered by
.B bridge mdb add
and
.B bridge mdb del
commands manually too.
.TP
.BI dev " DEV"
the interface only whose entries should be listed. Default is to list all
bridge interfaces.
.PP
With the
.B -details
option, the command becomes verbose. It prints out the ports known to have
a connected router.
.PP
With the
.B -statistics
option, the command displays timer values for mdb and router port entries.
.SS bridge mdb get - get multicast group database entry.
This command retrieves a multicast group database entry based on its key.
.TP
.BI dev " DEV"
the interface where this group address is associated.
.TP
.BI grp " GROUP"
the multicast group address (IPv4, IPv6 or L2 multicast).
.TP
.BI src " SOURCE"
the source IP address. Only relevant when retrieving an (S, G) entry.
.TP
.BI vid " VID"
the VLAN ID. Only relevant when the bridge is VLAN-aware.
.TP
.BI src_vni " SRC_VNI"
the source VNI Network Identifier. Only relevant when the VXLAN device is in
external mode.
.SS bridge mdb flush - flush multicast group database entries.
This command flushes the matching multicast group database entries.
.TP
.BI dev " DEV"
the interface where this group address is associated.
.TP
.BI port " PORT"
the target port for the operation. If the bridge device is specified then only
entries pointing to the bridge itself will be deleted.
.TP
.BI vid " VID"
the VLAN ID for the operation. Match entries only with the specified VLAN ID.
.TP
.BI src_vni " SRC_VNI"
the source VNI Network Identifier for the operation. Match entries only with
the specified source VNI.
.TP
.BI proto " PROTO"
the routing protocol identifier for the operation. Match entries only with the
specified routing protocol. Can be a number or a string from the file
/etc/iproute2/rt_protos.
.TP
.B [no]permanent
if specified then only permanent entries will be deleted or respectively if
"no" is prepended then only non-permanent (temp) entries will be deleted.
.TP
.BI dst " IPADDR"
the IP address of the destination VXLAN tunnel endpoint where the multicast
receivers reside. Match entries only with the specified destination IP.
.TP
.BI dst_port " DST_PORT"
the UDP destination port number to use to connect to the remote VXLAN tunnel
endpoint. Match entries only with the specified destination port number.
.TP
.BI vni " VNI"
the VXLAN VNI Network Identifier to use to connect to the remote VXLAN tunnel
endpoint. Match entries only with the specified destination VNI.
.SH bridge vlan - VLAN filter list
.B vlan
objects contain known VLAN IDs for a link.
.P
The corresponding commands display vlan filter entries, add new entries,
and delete old ones.
.SS bridge vlan add - add a new vlan filter entry
This command creates a new vlan filter entry.
.TP
.BI dev " NAME"
the interface with which this vlan is associated.
.TP
.BI vid " VID"
the VLAN ID that identifies the vlan.
.TP
.BI tunnel_info " TUNNEL_ID"
the TUNNEL ID that maps to this vlan. The tunnel id is set in
dst_metadata for every packet that belongs to this vlan (applicable to
bridge ports with vlan_tunnel flag set).
.TP
.B pvid
the vlan specified is to be considered a PVID at ingress.
Any untagged frames will be assigned to this VLAN.
.TP
.B untagged
the vlan specified is to be treated as untagged on egress.
.TP
.B self
the vlan is configured on the specified physical device. Required if the
device is the bridge device.
.TP
.B master
the vlan is configured on the software bridge (default).
.SS bridge vlan delete - delete a vlan filter entry
This command removes an existing vlan filter entry.
.PP
The arguments are the same as with
.BR "bridge vlan add".
The
.BR "pvid " and " untagged"
flags are ignored.
.SS bridge vlan set - change vlan filter entry's options
This command changes vlan filter entry's options.
.TP
.BI dev " NAME"
the interface with which this vlan is associated.
.TP
.BI vid " VID"
the VLAN ID that identifies the vlan.
.TP
.BI state " STP_STATE "
the operation state of the vlan. One may enter STP state name (case insensitive), or one of the
numbers below. Negative inputs are ignored, and unrecognized names return an
error. Note that the state is set only for the vlan of the specified device, e.g. if it is
a bridge port then the state will be set only for the vlan of the port.
.B 0
- vlan is in STP
.B DISABLED
state. Make this vlan completely inactive for STP. This is also called
BPDU filter and could be used to disable STP on an untrusted vlan.
.sp
.B 1
- vlan is in STP
.B LISTENING
state. Only valid if STP is enabled on the bridge. In this
state the vlan listens for STP BPDUs and drops all other traffic frames.
.sp
.B 2
- vlan is in STP
.B LEARNING
state. Only valid if STP is enabled on the bridge. In this
state the vlan will accept traffic only for the purpose of updating MAC
address tables.
.sp
.B 3
- vlan is in STP
.B FORWARDING
state. This is the default vlan state.
.sp
.B 4
- vlan is in STP
.B BLOCKING
state. Only valid if STP is enabled on the bridge. This state
is used during the STP election process. In this state, the vlan will only process
STP BPDUs.
.sp
.TP
.BI mcast_max_groups " MAX_GROUPS "
Sets the maximum number of MDB entries that can be registered for a given
VLAN on a given port. A VLAN-specific equivalent of the per-port option of
the same name, see above for details.
Note that this option is only available when \fBip link\fR option
\fBmcast_vlan_snooping\fR is enabled.
.TP
.BI mcast_router " MULTICAST_ROUTER "
configure this vlan and interface's multicast router mode, note that only modes
0 - 2 are available for bridge devices.
A vlan and interface with a multicast router will receive all multicast traffic.
.I MULTICAST_ROUTER
may be either
.sp
.B 0
- to disable multicast router.
.sp
.B 1
- to let the system detect the presence of routers (default).
.sp
.B 2
- to permanently enable multicast traffic forwarding on this vlan and interface.
.sp
.B 3
- to temporarily mark this vlan and port as having a multicast router, i.e.
enable multicast traffic forwarding. This mode is available only for ports.
.sp
.TP
.BR "neigh_suppress on " or " neigh_suppress off "
Controls whether neigh discovery (arp and nd) proxy and suppression is enabled
for a given VLAN on a given port. By default this flag is off.
Note that this option only takes effect when \fBbridge link\fR option
\fBneigh_vlan_suppress\fR is enabled for a given port.
.SS bridge vlan show - list vlan configuration.
This command displays the current VLAN filter table.
.PP
With the
.B -details
option, the command becomes verbose. It displays the per-vlan options.
.PP
With the
.B -statistics
option, the command displays per-vlan traffic statistics.
.SS bridge vlan tunnelshow - list vlan tunnel mapping.
This command displays the current vlan tunnel info mapping.
.SS bridge vlan global set - change vlan filter entry's global options
This command changes vlan filter entry's global options.
.TP
.BI dev " NAME"
the interface with which this vlan is associated. Only bridge devices are
supported for global options.
.TP
.BI vid " VID"
the VLAN ID that identifies the vlan.
.TP
.BI mcast_snooping " MULTICAST_SNOOPING "
turn multicast snooping for VLAN entry with VLAN ID on
.RI ( MULTICAST_SNOOPING " > 0) "
or off
.RI ( MULTICAST_SNOOPING " == 0). Default is on. "
.TP
.BI mcast_querier " MULTICAST_QUERIER "
enable
.RI ( MULTICAST_QUERIER " > 0) "
or disable
.RI ( MULTICAST_QUERIER " == 0) "
IGMP/MLD querier, ie sending of multicast queries by the bridge. Default is disabled.
.TP
.BI mcast_igmp_version " IGMP_VERSION "
set the IGMP version. Default is 2.
.TP
.BI mcast_mld_version " MLD_VERSION "
set the MLD version. Default is 1.
.TP
.BI mcast_last_member_count " LAST_MEMBER_COUNT "
set multicast last member count, ie the number of queries the bridge
will send before stopping forwarding a multicast group after a "leave"
message has been received. Default is 2.
.TP
.BI mcast_last_member_interval " LAST_MEMBER_INTERVAL "
interval between queries to find remaining members of a group,
after a "leave" message is received.
.TP
.BI mcast_startup_query_count " STARTUP_QUERY_COUNT "
set the number of queries to send during startup phase. Default is 2.
.TP
.BI mcast_startup_query_interval " STARTUP_QUERY_INTERVAL "
interval between queries in the startup phase.
.TP
.BI mcast_membership_interval " MEMBERSHIP_INTERVAL "
delay after which the bridge will leave a group,
if no membership reports for this group are received.
.TP
.BI mcast_querier_interval " QUERIER_INTERVAL "
interval between queries sent by other routers. If no queries are seen
after this delay has passed, the bridge will start to send its own queries
(as if
.BI mcast_querier
was enabled).
.TP
.BI mcast_query_interval " QUERY_INTERVAL "
interval between queries sent by the bridge after the end of the
startup phase.
.TP
.BI mcast_query_response_interval " QUERY_RESPONSE_INTERVAL "
set the Max Response Time/Maximum Response Delay for IGMP/MLD
queries sent by the bridge.
.SS bridge vlan global show - list global vlan options.
This command displays the global VLAN options for each VLAN entry.
.TP
.BI dev " DEV"
the interface only whose VLAN global options should be listed. Default is to list
all bridge interfaces.
.TP
.BI vid " VID"
the VLAN ID only whose global options should be listed. Default is to list
all vlans.
.SH bridge vni - VNI filter list
.B vni
objects contain known VNI IDs for a dst metadata vxlan link.
.P
The corresponding commands display vni filter entries, add new entries,
and delete old ones.
.SS bridge vni add - add a new vni filter entry
This command creates a new vni filter entry.
.TP
.BI dev " NAME"
the interface with which this vni is associated.
.TP
.BI vni " VNI"
the VNI ID that identifies the vni.
.TP
.BI remote " IPADDR"
specifies the unicast destination IP address to use in outgoing packets
when the destination link layer address is not known in the VXLAN device
forwarding database. This parameter cannot be specified with the group.
.TP
.BI group " IPADDR"
specifies the multicast IP address to join for this VNI
.SS bridge vni del - delete a new vni filter entry
This command removes an existing vni filter entry.
.PP
The arguments are the same as with
.BR "bridge vni add".
.SS bridge vni show - list vni filtering configuration.
This command displays the current vni filter table.
.PP
With the
.B -statistics
option, the command displays per-vni traffic statistics.
.TP
.BI dev " NAME"
shows vni filtering table associated with the vxlan device
.SH bridge monitor - state monitoring
The
.B bridge
utility can monitor the state of devices and addresses
continuously. This option has a slightly different format.
Namely, the
.B monitor
command is the first in the command line and then the object list follows:
.BR "bridge monitor" " [ " all " |"
.IR OBJECT-LIST " ]"
.I OBJECT-LIST
is the list of object types that we want to monitor.
It may contain
.BR link ", " fdb ", " vlan " and " mdb "."
If no
.B file
argument is given,
.B bridge
opens RTNETLINK, listens on it and dumps state changes in the format
described in previous sections.
.P
If a file name is given, it does not listen on RTNETLINK,
but opens the file containing RTNETLINK messages saved in binary format
and dumps them.
.SH NOTES
This command uses facilities added in Linux 3.0.
Although the forwarding table is maintained on a per-bridge device basis
the bridge device is not part of the syntax. This is a limitation of the
underlying netlink neighbour message protocol. When displaying the
forwarding table, entries for all bridges are displayed.
Add/delete/modify commands determine the underlying bridge device
based on the bridge to which the corresponding ethernet device is attached.
.SH SEE ALSO
.BR ip (8)
.SH BUGS
.RB "Please direct bugreports and patches to: " <netdev@vger.kernel.org>
.SH AUTHOR
Original Manpage by Stephen Hemminger