
Understanding nmcli

  • nmcli is a command-line tool for controlling NetworkManager and reporting network status.
  • It can be utilised as a replacement for nm-applet or other graphical clients. nmcli is used to create, display, edit, delete, activate, and deactivate network connections, as well as control and display network device status.
  • Connections are stored in configuration files
  • The NetworkManager service must be running to manage these files

Compare nm-settings with ifcfg-* directives (IPv4)

nmcli con mod                                | ifcfg-* file             | Effect
ipv4.method manual                           | BOOTPROTO=none           | IPv4 address configured statically
ipv4.method auto                             | BOOTPROTO=dhcp           | Will look for configuration settings from a DHCPv4 server
ipv4.address ""                              | IPADDR=                  | Set static IPv4 address and network prefix
ipv4.gateway                                 | GATEWAY=                 | Set IPv4 gateway
ipv4.dns                                     | DNS1=                    | Modify /etc/resolv.conf to use this nameserver
ipv4.dns-search                              |                          | Modify /etc/resolv.conf to use this domain in the search directive
ipv4.ignore-auto-dns true                    | PEERDNS=no               | Ignore DNS server information from the DHCP server
connection.autoconnect yes                   | ONBOOT=yes               | Automatically activate this connection on boot
connection.id eth0                           | NAME=eth0                | The name of this connection
connection.interface-name eth0               | DEVICE=eth0              | The connection is bound to the network interface with this name
802-3-ethernet.mac-address 08:00:27:4b:7a:80 | HWADDR=08:00:27:4b:7a:80 | The connection is bound to the network interface with this MAC address
ipv4.never-default no                        | DEFROUTE=yes             | Controls whether this connection's gateway is never used as the default gateway; with no / DEFROUTE=yes it is used as the default route

Compare nm-settings with ifcfg-* directives (IPv6)

nmcli con mod                               | ifcfg-* file      | Effect
ipv6.method manual                          | IPV6_AUTOCONF=no  | IPv6 is configured statically
ipv6.method auto                            | IPV6_AUTOCONF=yes | Will configure network settings using SLAAC from router advertisements
ipv6.method dhcp                            | IPV6_AUTOCONF=no  | Will configure network settings by using DHCPv6, but not SLAAC
ipv6.addresses "2001:db8::a/64 2001:db8::1" |                   | Sets static IPv6 address and gateway
ipv6.dns ...                                | DNS0=...          | Modify /etc/resolv.conf to use this nameserver
ipv6.dns-search                             |                   | Modify /etc/resolv.conf to use this domain in the search directive
ipv6.ignore-auto-dns true                   | IPV6_PEERDNS=no   | Ignore DNS server information from the DHCP server
connection.autoconnect yes                  | ONBOOT=YES        | Automatically activates the connection at boot
connection.id eth0                          | NAME=eth0         | The name of this connection
connection.interface-name eth0              | DEVICE=eth0       | The connection is bound to the network interface with this name
802-3-ethernet.mac-address ...              | HWADDR=...        | The connection is bound to the network interface with this MAC address
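The two mapping tables above can be applied mechanically. The script below is an added example for this page (not part of nmcli or NetworkManager): it reads an ifcfg-* file on stdin and prints the equivalent "nmcli con mod" property/value pairs, including the NETMASK-to-prefix conversion and the inverted DEFROUTE/never-default and PEERDNS/ignore-auto-dns directives. DOMAIN= and IPV6INIT= are ifcfg directives the tables leave blank; their mappings here are assumptions based on the ifcfg format, and "ipv6.method disabled" is spelled "ignore" on older NetworkManager releases.

```shell
#!/bin/sh
# ifcfg2nmcli: translate the directives in an ifcfg-* file into the equivalent
# "nmcli con mod" property settings, following the IPv4/IPv6 mapping tables
# above. Added example for this page; not part of nmcli or NetworkManager.
# Reads the ifcfg file on stdin and prints one "property value" pair per line.

# lc STRING -> lower-cased STRING (ifcfg accepts ONBOOT=YES as well as yes)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# mask2prefix NETMASK -> prefix length (255.255.255.0 -> 24)
mask2prefix() {
    printf '%s\n' "$1" | awk -F. '{
        n = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            for (b = 7; b >= 0; b--) { if (o >= 2^b) { n++; o -= 2^b } else break }
        }
        print n
    }'
}

ifcfg2nmcli() {
    ipaddr='' prefix='' dns=''
    while IFS='=' read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac
        val=${val#\"}; val=${val%\"}            # drop surrounding double quotes
        case "$key" in
            BOOTPROTO)
                case "$(lc "$val")" in
                    none|static) echo "ipv4.method manual" ;;
                    dhcp)        echo "ipv4.method auto" ;;
                esac ;;
            IPADDR)   ipaddr=$val ;;              # printed at the end, once the prefix is known
            PREFIX)   prefix=$val ;;
            NETMASK)  prefix=$(mask2prefix "$val") ;;
            GATEWAY)  echo "ipv4.gateway $val" ;;
            DNS[0-9]) dns="${dns:+$dns,}$val" ;;   # DNS1=, DNS2=, ... become one ipv4.dns list
            DOMAIN)   echo "ipv4.dns-search $val" ;;   # assumption: DOMAIN= is the ifcfg search directive
            PEERDNS)  if [ "$(lc "$val")" = no ]; then echo "ipv4.ignore-auto-dns yes"; fi ;;
            ONBOOT)   echo "connection.autoconnect $(lc "$val")" ;;
            NAME)     echo "connection.id $val" ;;
            DEVICE)   echo "connection.interface-name $val" ;;
            HWADDR)   echo "802-3-ethernet.mac-address $val" ;;
            DEFROUTE) # DEFROUTE=no means "never use this gateway as the default route"
                      if [ "$(lc "$val")" = no ]; then echo "ipv4.never-default yes"
                      else echo "ipv4.never-default no"; fi ;;
            IPV6INIT) if [ "$(lc "$val")" = no ]; then echo "ipv6.method disabled"; fi ;;  # "ignore" on older NetworkManager
            IPV6_PEERDNS) if [ "$(lc "$val")" = no ]; then echo "ipv6.ignore-auto-dns yes"; fi ;;
        esac
    done
    if [ -n "$ipaddr" ]; then echo "ipv4.addresses $ipaddr${prefix:+/$prefix}"; fi
    if [ -n "$dns" ]; then echo "ipv4.dns $dns"; fi
    return 0
}

# Constructed sample ifcfg-eth2 (not taken from a real host), run through the translator.
ifcfg2nmcli <<'EOF'
TYPE=Ethernet
BOOTPROTO=none
NAME=eth2
DEVICE=eth2
ONBOOT=YES
IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DNS1=192.0.2.53
DNS2=192.0.2.54
DEFROUTE=no
PEERDNS=no
IPV6INIT=no
EOF
```

Run it as `ifcfg2nmcli < /etc/sysconfig/network-scripts/ifcfg-eth2` to see which properties a hand-edited file corresponds to before reloading it with nmcli con reload.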

Brief list of nmcli commands syntax

Command                         | Purpose
nmcli dev status                | Show the NetworkManager status of all network interfaces
nmcli con show                  | List all connections
nmcli con show name             | List the current settings for the connection name
nmcli con add con-name name ... | Add a new connection named name
nmcli con mod name ...          | Modify the connection name
nmcli con reload                | Tell NetworkManager to reread the configuration files (useful after they have been edited by hand)
nmcli con up name               | Activate the connection name
nmcli dev dis dev               | Deactivate and disconnect the current connection on the network interface dev
nmcli con del name              | Delete the connection name and its configuration file

nmcli command examples (cheatsheet)

Below is a selection of nmcli command examples.

1. Check if NetworkManager is running

Use the command below to check whether NetworkManager is running.

To get a general status

2. List all the available devices

To view and list all the available devices on your Linux system

3. List all the available connections

To list all the available connections

4. List all the configuration of an interface

To view all the configured values (default and custom) of an interface


5. Check physical network device status

Now check the status of all network devices.

6. Change hostname using nmcli

Ideally you change the hostname with the hostnamectl command, but you can also update it using nmcli.

To get the current hostname

Next to update the hostname

Verify the same

7. Create a new ethernet connection and assign static IP Address

In this example nmcli configures the eth2 interface statically with an IPv4 address, network prefix and default gateway, while still auto-connecting at startup, and saves its configuration in the /etc/sysconfig/network-scripts/ifcfg-eth2 file.

8. Create a new ethernet connection and assign DHCP IP Address

The following command adds a new connection for the interface eth2, which will get its IPv4 networking information using DHCP and will autoconnect on startup. The configuration is saved in /etc/sysconfig/network-scripts/ifcfg-eth2 because the con-name is eth2.

We can verify the same in the mapped interface configuration file


9. Create and configure a bond connection (active-backup) with two slave interfaces

You can create a bond connection with multiple slave interfaces using nmcli.

Delete any configuration file that already exists for the slave interfaces.

Add the bond interface using nmcli. This command adds a master bond connection, naming the bonding interface mybond0 and using active-backup mode. I have given some dummy values for MII, UPDELAY and DOWNDELAY. If you wish to set a primary interface, use “primary=<ifname>” in bond.options.

Similarly, for round-robin bonding use bond.options “downdelay=5,miimon=100,mode=balance-rr,updelay=10”.

Next add the slaves for mybond0 using nmcli. This command binds the first slave to the eth1 interface.

This command binds the second slave to the eth2 interface.

List the active connections. The bond and both slave connections are now present.


Here I set a static IP address, netmask, gateway, DNS server and DNS search domain on mybond0 using nmcli.


To get the IP from DHCP instead, use ipv4.method auto and do not provide any IP address details in the above command.

Verify your mybond0 configuration file

Reload the network configuration so the change to mybond0 takes effect.

Verify the bond IP Address

Verify the list of available connections.
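The whole of section 9, from deleting the stale slave profiles to activating the bond, as one reusable script. This is an added example for this page, not code from the original article: the connection names mybond0-slave1/mybond0-slave2, the MII values and the ability to fall back to DHCP are my choices, and setting NMCLI="echo nmcli" prints the commands instead of running them, which is how the test below checks it without root.

```shell
#!/bin/sh
# mkbond: create a two-slave bond with nmcli in the order section 9 describes
# (delete stale slave profiles, add the master, add the slaves, set IPv4,
# activate). Added example for this page, not code from the original article.
# Set NMCLI="echo nmcli" to print the commands instead of running them; the
# default runs the real nmcli and needs root.
NMCLI=${NMCLI:-nmcli}

# mkbond BOND MODE SLAVE1 SLAVE2 [ADDR/PREFIX GATEWAY DNS SEARCH]
#   MODE is active-backup or balance-rr; without ADDR the bond uses DHCP.
#   Returns 2 on an unsupported mode before touching anything.
mkbond() {
    bond=$1 mode=$2 slave1=$3 slave2=$4 addr=$5 gw=$6 dns=$7 search=$8
    case "$mode" in
        active-backup|balance-rr) ;;
        *) echo "mkbond: unsupported mode '$mode'" >&2; return 2 ;;
    esac
    # Drop any profile already bound to the slave interfaces ("not found" is fine).
    for s in "$slave1" "$slave2"; do
        $NMCLI con del "$s" 2>/dev/null || true
    done
    # Master profile; the MII monitoring values are the ones the article used.
    $NMCLI con add type bond con-name "$bond" ifname "$bond" \
        bond.options "mode=$mode,miimon=100,downdelay=5,updelay=10"
    # One bond-slave profile per physical interface.
    $NMCLI con add type bond-slave con-name "$bond-slave1" ifname "$slave1" master "$bond"
    $NMCLI con add type bond-slave con-name "$bond-slave2" ifname "$slave2" master "$bond"
    if [ -n "$addr" ]; then
        # Static IPv4: address, gateway, DNS and search domain, then switch to manual.
        $NMCLI con mod "$bond" ipv4.addresses "$addr" ipv4.gateway "$gw" \
            ipv4.dns "$dns" ipv4.dns-search "$search" ipv4.method manual
    else
        $NMCLI con mod "$bond" ipv4.method auto
    fi
    # Activate the slaves, then the master.
    $NMCLI con up "$bond-slave1"
    $NMCLI con up "$bond-slave2"
    $NMCLI con up "$bond"
}

# When run as a script:
#   NMCLI="echo nmcli" sh mkbond.sh mybond0 active-backup eth1 eth2 192.0.2.10/24 192.0.2.1 192.0.2.53 example.com
if [ $# -ge 4 ]; then
    mkbond "$@"
fi
```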

10. Create and configure Network Bridge

I have written another article with detailed steps to create and configure network bridge using nmcli and nmtui separately on RHEL/CentOS 7 and 8 Linux.

11. Create and configure Network Teaming

I have written another article with detailed steps to create and configure NIC teaming with two slaves using nmcli validated on RHEL/CentOS 7/8 Linux

12. Reload connection using nmcli (restart)

Reload all connection files from disk. NetworkManager does not monitor changes to connection files by default. So you need to use this command in order to tell NetworkManager to re-read the connection profiles from disk when a change was made to them.


13. Interactively add/edit a connection

You can use nmcli con edit to edit an existing connection or add a new one using an interactive editor. In the example below we edit eth1’s IP address.

Now verify your changes in eth1’s configuration file

14. Change ethernet connection BOOTPROTO from DHCP to Static

Now to change ethernet connection BOOTPROTO from DHCP to static using nmcli, we must modify ipv4.method directive to use manual

Now verify the network configuration file for eth2

15. Change ethernet connection BOOTPROTO from Static to DHCP

Similarly to change ethernet connection BOOTPROTO from static to DHCP using nmcli, we must modify ipv4.method directive to use auto

Now verify the eth2 network configuration file

As you can see, we still have IPADDR and the other variables from the previous command, but they are ignored, since DHCP has now assigned eth2 its address.


16. Change ONBOOT directive using nmcli

By default ONBOOT is yes in the interface configuration file, so to disable ONBOOT we must modify the connection.autoconnect directive using nmcli.

Verify the ONBOOT value before changing this directive

Change ONBOOT directive, disable ONBOOT using nmcli

Re-verify the ONBOOT directive for eth2

17. Change DEFROUTE directive (Never use this network for default route)

By default any gateway we add to an ethernet connection is also used as the default gateway. To turn this off, use ipv4.never-default with nmcli.

Before we make any change verify DEFROUTE directive in the eth2 configuration file

So by default this directive is on; we will disable the default gateway option for eth2. To turn it off we must set ipv4.never-default to “yes”.

Next verify the DEFROUTE directive for eth2


18. Disable IPv6 Address for ethernet connection (IPV6INIT)

By default both the IPv4 and the IPv6 connection type (IPV6INIT) are enabled for any ethernet connection. To use only IPv4 and disable IPv6 using nmcli:

Verify the existing status of IPv6 connection type for eth2

It is enabled, so we disable the IPv6 connection type using the ipv6.method directive with nmcli.

Now re-verify the IPV6INIT directive from eth2 config file

19. Change “Automatically Connect” Directive

By default any ethernet connection is allowed to connect automatically; you can modify this using

20. Add or Modify DNS to existing connection

You can use ipv4.dns to add a DNS server to a new connection or modify an existing connection using nmcli.
Currently no DNS server IP is configured for eth1.

Next modify connection to add DNS Server IP Address

Verify the eth1 config file

21. Append single/multiple DNS Server to connection

Use the + prefix with ipv4.dns to append new DNS IP addresses to an existing connection using nmcli. In the previous example we added as the DNS server for eth1. Now we will append to the same connection.

Verify the eth1 configuration file

22. Remove single/multiple DNS Server from connection

Just as + appends, - removes single or multiple DNS server entries from the interface connection using nmcli.

Verify the eth1 configuration file

23. Display selected fields with values of connection

You can list all the configured values of a connection using “nmcli con show <ifname>”, but that gives a long list of details; you can also get only the value of a selected directive of an individual connection.

To get the IPv4 Address of eth1

You can use -g to print values from specific fields using nmcli

But, as you see, this gives no field-to-value mapping. You can use -f to specify which fields (column names) should be printed. Valid field names differ between commands; list the available fields by providing an invalid value to the --fields option.

24. Monitor connection and device activity

Using nmcli monitor you can observe NetworkManager activity: it watches for changes in connectivity state, devices or connection profiles. In this example we run nmcli monitor for eth1 in one terminal and make a modification to the eth1 connection in another.

As you see, after the modification, the monitor command gives below output

25. Activate a connection

Just opposite to what we used above, we will use nmcli con up

Verify the list of available connections.

26. De-activate a connection

Deactivate a connection from a device without preventing the device from further auto-activation using nmcli con down <ifname>. Multiple connections can be passed to the command.

Verify the list of active connections


If you are connected to your server through this interface, your session will close once the connection is deactivated.

27. Delete connection

Lastly in these nmcli command examples, you can delete any type of available connection using “nmcli con del <ifname>”.

I hope the steps in this article of nmcli command examples (cheatsheet) on Linux were helpful. Let me know your suggestions and feedback in the comment section.

man page nmcli
man page nmcli-examples

Problem: During installation of CentOS the installer screen goes black. The terminal multiplexer is running in virtual console 1. To switch from the graphical installation environment to tmux, press Ctrl+Alt+F1. To go back to the main installation interface which runs in virtual console 6, press Ctrl+Alt+F6. Available tmux Windows Shortcut Contents Ctrl+b 1 Main installation […]

  1. In /etc/init.d/ is the line if [ -f /forcefsck ] || grep -s -w -i "forcefsck" /proc/cmdline, so providing forcefsck on the kernel command line or generating a /forcefsck file on shutdown should cause an fsck on the next reboot.

     To prevent manual fsck runs, ask fsck to try to automatically fix errors with the -y option by uncommenting and changing no to yes in the following /etc/default/rcS entry; after the edit it should look like:

  2. One option (forcefsck or FSCKFIX) does not imply the other.
  3. According to the man page, the -c argument of tune2fs counts the number of mounts of a partition; hence 1 forces a check of the filesystem after every mount.

Read more

General Approach

To check what setting your system is using, use ‘sysctl name’ (e.g.: ‘sysctl net.ipv4.tcp_rmem’). To change a setting use ‘sysctl -w’. To make the setting permanent add the setting to the file ‘sysctl.conf’.

More Reading:


Using the package-cleanup command, which is part of the yum-utils package, we can uninstall any number of old kernels automatically. For example, with the --oldkernels --count=2 option, package-cleanup removes all unused kernels while keeping the last three most recent kernel versions installed.


list installed kernels

remove the kernels no longer needed (listed above)


By default CentOS will keep last 5 kernels installed on your system. This behavior is defined by installonly_limit=5 line within /etc/yum.conf file. Update the /etc/yum.conf configuration file appropriately to keep desired number of old kernels on your system after update. The minimum value to be set is 2.

Example of /etc/yum.conf configuration file to keep only last two kernel versions:

read more:

A Comparison of Features in Bonding and Team

Feature                                                    | Bonding           | Team
broadcast Tx policy                                        | Yes               | Yes
round-robin Tx policy                                      | Yes               | Yes
active-backup Tx policy                                    | Yes               | Yes
LACP (802.3ad) support                                     | Yes (active only) | Yes
Hash-based Tx policy                                       | Yes               | Yes
User can set hash function                                 | No                | Yes
Tx load-balancing support (TLB)                            | Yes               | Yes
LACP hash port select                                      | Yes               | Yes
load-balancing for LACP support                            | No                | Yes
Ethtool link monitoring                                    | Yes               | Yes
ARP link monitoring                                        | Yes               | Yes
NS/NA (IPv6) link monitoring                               | No                | Yes
ports up/down delays                                       | Yes               | Yes
port priorities and stickiness (“primary” option enhancement) | No             | Yes
separate per-port link monitoring setup                    | No                | Yes
multiple link monitoring setup                             | Limited           | Yes
lockless Tx/Rx path                                        | No (rwlock)       | Yes (RCU)
VLAN support                                               | Yes               | Yes
user-space runtime control                                 | Limited           | Full
Logic in user-space                                        | No                | Yes
Extensibility                                              | Hard              | Easy
Modular design                                             | No                | Yes
Performance overhead                                       | Low               | Very Low
D-Bus interface                                            | No                | Yes
multiple device stacking                                   | Yes               | Yes
zero config using LLDP                                     | No                | (in planning)
NetworkManager support                                     | Yes               | Yes

Read More: RHEL

Config Snippets:

  • CentOS 7
  • No NetworkManager

NEXUS vPC Switch A:

NEXUS vPC Switch B:

CentOS 7 Server – Config: nas-a:

CentOS 7 Server – Show Commands:


iproute2 is the Linux networking toolkit that replaced net-tools (ifconfig, route, arp etc.)

Old style network utilities like ifconfig and route are still there just for backwards compatibility
and do not provide access to new features like policy-based routing or network namespaces.

Note that iproute2 has been a standard Linux tool since the early 2000’s. It’s included in
every distro by default, or at least available from the repos (OpenWRT is one of the cases).

iproute2 was originally written by Alex Kuznetsov and is now maintained by Stephen Hemminger.

This document aims to provide comprehensive but easy to use documentation for the ip command
included in iproute2 package. There are more, such as ss (netstat replacement, fairly straightforward),
tc (QoS management), but documenting them in this style, especially tc, would be a separate big project.

Instead of listing commands and describing what they do, it uses a task-centered approach and gives commands
for tasks that network administrators need to do. It was once called a “cheatsheet”
for this reason, but has long outgrown the size and scope of a cheat sheet for the most common tasks.

Contributions are always welcome, you can find the “source code” at

This document is provided “as is”, without any warranty. The authors are not liable for any
damage related to using it.

General notes

All commands that change any settings (that is, not just display them) require root privileges.

There are configuration files in /etc/iproute2, mainly for assigning symbolic names to network
stack entities such as routing tables. Those files are re-read every time you run the ip command, so you don’t need
to do anything to apply the changes.

Typographic conventions

Metasyntactic variables are written in shell-style syntax, ${something}. Optional command parts are in
square brackets.

Table of contents

    Address management

    In this section ${address} value should be a host address in dotted decimal format, and
    ${mask} can be either a dotted decimal subnet mask or a prefix length.
    That is, both and are equally acceptable.

    If you are not sure if something is a correct host address, use ipcalc or similar
    program to check.

    Show all addresses

    All show commands can be used with -4 or -6 options to show only IPv4 or IPv6 addresses.

    Show addresses for a single interface


    Show addresses only for running interfaces

    Show only static or dynamic IPv6 addresses

    Show only statically configured addresses:

    Show only addresses learnt via autoconfiguration:

    Add an address to an interface


    You can add as many addresses as you want.

    If you add more than one address, your machine will accept packets for
    all of them. The first address you added will be used as source address for
    outgoing traffic by default, it’s referred to as primary address.

    All additional addresses you set will become secondary addresses.

    Add an address with human-readable description


    A label must start with the interface name followed by a colon due to some backwards compatibility issues,
    otherwise you’ll get an error.
    Keep the label shorter than sixteen characters, or else you’ll get this error:


    For IPv6 addresses this command has no effect (address will be added, but without a label).

    Delete an address


    Interface name is required. Linux does allow the same address to be configured on multiple interfaces
    and it has valid use cases.

    Remove all addresses from an interface


    By default this command removes both IPv4 and IPv6 addresses. If you want to remove only
    IPv4 or IPv6 addresses, use “ip -4 address flush” or “ip -6 address flush”.


    There is no way to swap primary and secondary addresses or explicitly set the new primary address. Try to always set the primary address first.

    However, if the sysctl variable net.ipv4.conf.${interface}.promote_secondaries is set to 1, when you delete the primary address,
    the first secondary address will become the new primary.

    Note that net.ipv4.conf.default.promote_secondaries=1 is not the universal default setting in all Linux distributions,
    so check yours before trying it. If it’s set to 0, then when you delete the primary address, all addresses will be removed
    from the interface.

    Secondary IPv6 addresses are always promoted to primary if the primary address is deleted so you don’t need to worry about sysctl settings.
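A pre-flight check for the situation just described, added here as an example (not part of iproute2): before removing a primary IPv4 address it reads the promote_secondaries value and the address list, and refuses to call the deletion safe when the secondaries would be lost with it. The check function takes "ip -4 address show" output on stdin so it can be exercised against the constructed sample below without a live interface; promote_value is the live-host helper that reads the sysctl from /proc.

```shell
#!/bin/sh
# Pre-flight check before "ip address del" on a primary IPv4 address: with
# net.ipv4.conf.<iface>.promote_secondaries=0 the kernel removes the secondary
# addresses together with the primary, which on a remote host cuts off the
# session. Added example for this page, not part of iproute2.
#
# check_primary_delete IFACE PROMOTE   (reads "ip -4 address show dev IFACE" on stdin)
#   exit 0: a secondary will be promoted, deletion keeps the interface reachable
#   exit 1: promote_secondaries=0, the secondaries would disappear too
#   exit 2: the primary is the only IPv4 address on the interface
check_primary_delete() {
    iface=$1 promote=$2
    # One "primary|secondary ADDR" line per inet entry of the ip output.
    addrs=$(awk '$1 == "inet" { kind = / secondary / ? "secondary" : "primary"; print kind, $2 }')
    primary=$(printf '%s\n' "$addrs" | awk '$1 == "primary" { print $2; exit }')
    nsec=$(printf '%s\n' "$addrs" | awk '$1 == "secondary" { n++ } END { print n + 0 }')
    if [ "$nsec" -eq 0 ]; then
        echo "$iface: $primary is the only IPv4 address; deleting it leaves none"
        return 2
    fi
    if [ "$promote" = 1 ]; then
        next=$(printf '%s\n' "$addrs" | awk '$1 == "secondary" { print $2; exit }')
        echo "$iface: deleting $primary promotes $next to primary (promote_secondaries=1)"
        return 0
    fi
    echo "$iface: deleting $primary would also remove $nsec secondary address(es) (promote_secondaries=0)"
    return 1
}

# promote_value IFACE -> current sysctl value, falling back to the "default" entry
promote_value() {
    f=/proc/sys/net/ipv4/conf/$1/promote_secondaries
    if [ -r "$f" ]; then cat "$f"; else cat /proc/sys/net/ipv4/conf/default/promote_secondaries; fi
}

# Live use on a Linux host:
#   ip -4 address show dev eth0 | check_primary_delete eth0 "$(promote_value eth0)"

# Constructed "ip -4 address show dev eth0" output (not captured from a real host)
# with one primary and one secondary address in the same subnet.
SAMPLE_ADDR_SHOW='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.0.2.11/24 scope global secondary eth0
       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_ADDR_SHOW" | check_primary_delete eth0 0 || true
printf '%s\n' "$SAMPLE_ADDR_SHOW" | check_primary_delete eth0 1
```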

    Neighbor (ARP and NDP) table management

    For ladies and gentlemen who prefer the British spelling, this command family supports the “neighbour” spelling too.

    View neighbor tables

    All “show” commands support -4 and -6 options to view only IPv4 (ARP) or IPv6 (NDP) neighbors. By default
    all neighbors are displayed.

    View neighbors for single interface


    Flush table for an interface


    Add a neighbor table entry


    One of the use cases for it is to add static entry for an interface with disabled ARP to
    restrict interface usage only by hosts with specific MAC addresses.

    Delete a neighbor table entry


    Allows to delete a static entry, or get rid of an automatically learnt entry without flushing the table.

    Link management

Link is another term for a network interface. Commands from the “ip link” family perform operations
that are common to all interface types, like viewing link information or changing the MTU.

    Historically “ip link” commands could create all types of interfaces, except for tunnels (IPIP, GRE etc.), L2TPv3, and VXLAN
    interfaces that have their own commands. In newer iproute2 versions (since at least 3.16) they can create interfaces of all
    types except L2TPv3, though using special command families for some of them is more convenient.

Note that the interface name you set with the “name ${name}” parameter of the “ip link add” and “ip link set”
commands may be arbitrary, and may even contain unicode characters. However, it’s better to stick with
ASCII because other programs may not handle unicode correctly.

    Also note that other programs, such as iptables, may have their own link name format and length
    restrictions, so it’s better to use short alphanumeric names, and provide additional information in
    link aliases.
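The naming rules stated here and in the address label section above (a label must be “<ifname>:<suffix>” and shorter than sixteen characters) are easy to check before running a command. The script below is an added example for this page, not part of iproute2; it assumes the kernel limit of 15 characters (IFNAMSIZ minus the terminating NUL) and treats anything outside ASCII alphanumerics, ‘.’, ‘_’ and ‘-’ as a failure, which is stricter than the kernel but matches the advice above.

```shell
#!/bin/sh
# Sanity checks for interface names and address labels, following the limits
# given above: the kernel allows at most 15 characters (IFNAMSIZ is 16 including
# the terminating NUL), a label must read "<ifname>:<suffix>" and also stay under
# 16 characters, and ASCII alphanumerics (plus '.', '_', '-') are the safe choice
# for other tools. Added example for this page, not part of iproute2.

tab=$(printf '\t')

# check_ifname NAME -> 0 if acceptable, 1 otherwise (reason on stderr)
check_ifname() {
    name=$1
    if [ -z "$name" ]; then echo "empty interface name" >&2; return 1; fi
    if [ ${#name} -gt 15 ]; then echo "'$name': longer than 15 characters" >&2; return 1; fi
    # The last pattern is legal for the kernel (it even takes unicode) but risky
    # for iptables and friends, so it is rejected here on purpose.
    case "$name" in
        .|..)              echo "'$name': reserved name" >&2; return 1 ;;
        */*)               echo "'$name': contains '/'" >&2; return 1 ;;
        *" "*|*"$tab"*)    echo "'$name': contains whitespace" >&2; return 1 ;;
        *[!A-Za-z0-9._-]*) echo "'$name': not plain ASCII alphanumerics" >&2; return 1 ;;
    esac
    return 0
}

# check_label IFNAME LABEL -> 0 if acceptable, 1 otherwise (reason on stderr)
check_label() {
    ifname=$1 label=$2
    case "$label" in
        "$ifname:"?*) ;;
        *) echo "'$label': a label must start with '$ifname:'" >&2; return 1 ;;
    esac
    if [ ${#label} -gt 15 ]; then echo "'$label': longer than 15 characters, the kernel rejects it" >&2; return 1; fi
    return 0
}

# Demo over constructed names (not from a real host).
for n in eth0 eth0.100 br-lan "eth 0" averyveryverylongname; do
    if check_ifname "$n" 2>/dev/null; then echo "ok   $n"; else echo "bad  $n"; fi
done
for l in eth0:mgmt mgmt eth0:averylonglabel; do
    if check_label eth0 "$l" 2>/dev/null; then echo "ok   $l"; else echo "bad  $l"; fi
done
```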

    Show information about all links

    These commands are equivalent and can be used with the same arguments.

    Show information about specific link


    The word “dev” may be omitted.

    Bring a link up or down


    Note: virtual links described below, like VLANs and bridges
    are in down state immediately after creation. You need to bring them up to start using them.

    Set human-readable link description


    Link aliases show up in “ip link show” output, like:

    Rename an interface


    Note that you can’t rename an active interface. You need to bring it down
    before doing it.

    Change link layer address (usually MAC address)

    Link layer address is a pretty broad concept. The most known
    example is MAC address for ethernet devices. To change MAC
    address you would need something like:

    Change link MTU


    MTU stands for “Maximum Transmission Unit”, the maximum size
    of a frame an interface can transmit at once.

    Apart from reducing fragmentation in tunnels like
    in example above, this is also used to increase performance of
    gigabit ethernet links that support so called “jumbo frames”
    (frames up to 9000 bytes large). If all your equipment
    supports gigabit ethernet, you may want to do something like

    Note that you may need to configure it on your L2 switches too,
    some of them have it disabled by default.

    Delete a link

    Obviously, only virtual links like VLANs or bridges can be deleted.

    Enable or disable multicast on an interface

    Unless you really understand what you are doing, better not to touch this.

    Enable or disable ARP on an interface

    One may want to disable ARP to enforce a security policy and allow only specific MACs
    to communicate with the interface. In this case neighbor table entries for whitelisted MACs
    should be created manually (see neighbor table management
    section), or nothing will be able to communicate with that interface.

    In most cases it’s better to configure MAC policy on an access layer switch though.
    Do not change this flag unless you are sure what you are going to do and why.
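The policy described above (ARP off plus static neighbor entries for the permitted hosts) is easy to get wrong in the ordering: if ARP is switched off before every entry is in place, the interface goes silent. The script below, an added example for this page and not part of iproute2, validates the whole allowlist first and only then emits the “ip neighbor replace … nud permanent” entries followed by “ip link set … arp off”; the hosts and MAC addresses are constructed, and IP="echo ip" turns it into a dry run.

```shell
#!/bin/sh
# Apply the "ARP off + static neighbor entries" policy described above to an
# interface: every host that may talk to the interface gets a permanent
# neighbor entry, then ARP is disabled so nothing else can be resolved.
# Added example for this page, not part of iproute2. Set IP="echo ip" for a
# dry run; the default runs the real ip command and needs root.
IP=${IP:-ip}

# mac_ok MAC -> 0 if MAC looks like aa:bb:cc:dd:ee:ff
mac_ok() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# arp_allowlist IFACE "IP MAC" ["IP MAC" ...]
#   Validates every entry before changing anything, so ARP is never switched
#   off with an incomplete or empty table (which would isolate the interface).
#   Returns 2 on a bad or empty allowlist without running any ip command.
arp_allowlist() {
    iface=$1; shift
    if [ $# -eq 0 ]; then
        echo "arp_allowlist: refusing to disable ARP with an empty allowlist" >&2
        return 2
    fi
    for entry in "$@"; do
        addr=${entry%% *}; mac=${entry##* }
        if [ "$addr" = "$entry" ] || ! mac_ok "$mac"; then
            echo "arp_allowlist: bad entry '$entry' (expected 'IP MAC')" >&2
            return 2
        fi
    done
    # Static (permanent) entries survive the ARP shutdown; "replace" is idempotent.
    for entry in "$@"; do
        $IP neighbor replace "${entry%% *}" lladdr "${entry##* }" dev "$iface" nud permanent
    done
    $IP link set dev "$iface" arp off
}

# Dry run over constructed hosts (not a real network):
#   IP="echo ip" sh arp_allowlist.sh
if [ "$IP" != ip ]; then
    arp_allowlist eth1 "192.0.2.20 52:54:00:12:34:56" "192.0.2.21 52:54:00:ab:cd:ef"
fi
```

As the text notes, enforcing this on the access switch is usually the better place; the script is for the cases where the host itself must carry the policy.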

    Create a VLAN interface


    The only type of VLAN supported in Linux is IEEE 802.1q VLAN, legacy implementations like ISL
    are not supported.

    Once you create a VLAN interface, all frames tagged with ${tag} you specified in id option
    received by ${parent interface} will be processed by that VLAN interface.

    eth0.100 name format is traditional, but not required, you can name the interface as you want,
    just like with other interface types.

    VLANs can be created over bridge, bonding and other interfaces capable of processing ethernet frames too.

    Create a QinQ interface (VLAN stacking)


    VLAN stacking (aka 802.1ad QinQ) is a way to transmit VLAN tagged traffic over another VLAN. The common use case
    for it is like this: suppose you are a service provider and you have a customer who wants to use your network
    infrastructure to connect parts of their network to each other. They use multiple VLANs in their network, so
    an ordinary rented VLAN is not an option. With QinQ you can add a second tag to the customer traffic when it enters your network
    and remove that tag when it exits, so there are no conflicts and you don’t need to waste VLAN numbers.

    The service tag is the VLAN tag the provider uses to carry client traffic through their network. The client tag
    is the tag set by the customer.

    Note that link MTU for the client VLAN interface is not adjusted automatically, you need to take care
    of it yourself and either decrease the client interface MTU by at least 4 bytes, or increase the parent MTU accordingly.

    Standards-compliant QinQ is available since Linux 3.10.

    Create pseudo-ethernet (aka macvlan) interface


You can think of macvlan interfaces as additional virtual MAC addresses on the parent interface.
They look like normal ethernet interfaces from the user's point of view, and handle all traffic received
by their parent interface for the MAC address they are assigned.

    This is commonly used for testing, or for using several instances of a service identified by
    MAC when only one physical interface is available.

    They also can be used just for IP address separation instead of assigning multiple addresses
    to the same physical interface, especially if some service can’t operate on a secondary address properly.

    Create a dummy interface


Dummy interfaces work pretty much like loopback interfaces, except that there can be as many
of them as you want.

Their first purpose is communication between programs inside the host.

    The second purpose exploits the fact they are always up (unless administratively taken down).
    This is often used to assign service addresses to them on routers with more than one physical
    interface. As long as the traffic to the address assigned to a loopback or dummy interface
    is routed to the machine that owns it, you can access it through any of its interfaces.

    Create a bridge interface


    Bridge interfaces are virtual ethernet switches. They can be used to relay traffic
    transparently between ethernet interfaces, and, increasingly common, as ethernet switches
    for virtual machines running inside hypervisors.

    You can assign an IP address to a bridge and it will be visible from all bridge ports.

    If this command fails, check if “bridge” module is loaded.

    Add an interface to bridge


    Interface you added to a bridge becomes a virtual switch port. It operates only on datalink
    layer and ceases all network layer operation.

    Remove interface from bridge


    Create a bonding interface


    Note: This is not enough to configure bonding (link aggregation)
    in any meaningful way. You need to set up bonding parameters according to your situation.
    This is far beyond the cheat sheet scope, so consult the documentation.

Interfaces are added to a bond group the same way as to a bridge group; just note that you can’t
add an interface until you take it down.

    Create an intermediate functional block interface


    Intermediate functional block devices are used for traffic redirection and mirroring
    in conjunction with tc. This is also far beyond the scope of this document, consult tc

    Create a pair of virtual ethernet devices

    Virtual ethernet (veth) devices always come in pairs and work as a bidirectional pipe,
    whatever comes into one of them, comes out of another. They are used in conjunction with
    system partitioning features such as network namespaces and containers (OpenVZ and LXC)
    for connecting one partition to another.


    Note: virtual ethernet devices are created in UP state, no need to
    bring them up manually after creation.

    Link group management

    Link groups are similar to port ranges found in managed switches. You can add network
    interfaces to a numbered group and perform operations on all the interfaces from that group
    at once.

    Links not assigned to any group belong to group 0 aka “default”.

    Add an interface to a group


    Remove an interface from a group

    This can be done by assigning it to the default group.


    Assign a symbolic name to a group

    Group names are stored in /etc/iproute2/group file. Symbolic name “default”
    for group 0 comes exactly from there. You can add your own, one per line,
    following the same “${number} ${name}” format. You can have up to 255 named groups.

    Once you configured a group name, number and name can be used interchangeably
    in ip commands.


    After that you can use that name in all operations, like in

    Perform an operation on a group


    View information about links from specific group

    Use usual information viewing command with “group ${group}” modifier.


    Tun and Tap devices

    Tun and tap devices allow userspace programs to emulate a network
    device. When the userspace program opens them they get a file
    descriptor. Packets routed by the kernel networking stack to the
    device are read from the file descriptor, data the userspace
    program writes to the file descriptor are injected as local
    outgoing packets into the networking stack. The difference between
    the two is:

    • tap sends and receives raw Ethernet frames.
    • tun sends and receives raw IP packets.

    There are two types of tun/tap devices: persistent and transient.
    Transient tun/tap devices are created by userspace programs when they open a special device, and are destroyed
    automatically when the associated file descriptor is closed.
    The commands listed here manipulate persistent devices.

    View tun/tap devices

    Note: this command can be abbreviated to “ip tuntap”.

    This command is the only way to find out if some device is in tun or tap mode.

Add a tun/tap device usable by the root user


Add a tun/tap device usable by an ordinary user


Add a tun/tap device using an alternate packet format

    Add meta information to each packet received over the file
    descriptor. Very few programs expect this information, and
    including it when it isn’t expected will break things.


Add a tun/tap device ignoring flow control

    Normally packets sent to a tun/tap device travel in the same way
    as packets sent to any other device: they are put on a queue handled by the
    traffic control engine (which is configured by the tc command).
    This can be bypassed, thus disabling the traffic control engine
    for this tun/tap device.


    Delete tun/tap device


    Note: you must specify the mode. The mode is not displayed in “ip link show”, so
    if you don’t know if it’s TUN or TAP, consult the output of “ip tuntap show”.

    Tunnel management

    Tunnels are “network wormholes” that look like normal interfaces,
    but packets sent through them are encapsulated into another protocol
    and sent to the other side of the tunnel, possibly through multiple
    hosts, then decapsulated and processed in the usual way, so you can
    pretend two machines have direct connectivity while in fact they do not.

    This is often used for virtual private networks (in conjunction with
    encrypted transport protocols like IPsec), or connecting networks
    that use some protocol via an intermediate network that does not use it
    (e.g. IPv6 networks separated by an IPv4-only segment).

    Note: tunnels on their own offer zero security.
    They are as secure as their underlying network. So if you need
    security, use them over an encrypted transport, e.g. IPsec.

    Linux currently supports IPIP (IPv4 in IPv4), SIT (IPv6 in IPv4),
    IP6IP6 (IPv6 in IPv6), IPIP6 (IPv4 in IPv6), GRE (virtually anything
    in anything), and, in very recent versions, VTI (IPv4 in IPsec).

    Note that tunnels are created in the DOWN state; you need to bring them up yourself.

    In this section ${local endpoint address} and ${remote endpoint address}
    refer to addresses assigned to the physical interfaces of the endpoints.
    ${address} refers to the address assigned to the tunnel interface.

    Create an IPIP tunnel


    Create a SIT tunnel


    This type of tunnel is commonly used to provide an IPv4-connected network with
    IPv6 connectivity. There are so-called “tunnel brokers” that provide it to everyone interested,
    e.g. Hurricane Electric.

    Create an IPIP6 tunnel


    This type of tunnel will be widely used when transit operators phase IPv4 out (i.e. not any time soon).

    Create an IP6IP6 tunnel


    Just like IPIP6, these aren’t going to be generally useful any time soon.

    Create a gretap (ethernet over GRE) device


    This type of tunnel encapsulates Ethernet frames into IPv4 packets.

    Recent kernel and iproute2 versions also support gretap over IPv6; replace the mode with “ip6gretap”
    to create an IPv6-based link.

    This probably should have been in the “Links management” section, but as it involves encapsulation, it’s here.
    A tunnel interface created this way looks like an L2 link, and it can be added to a bridge group. This is used
    to connect L2 segments via a routed network.

    Create a GRE tunnel


    GRE can encapsulate both IPv4 and IPv6 at the same time. However, by default it uses IPv4 for transport;
    for GRE over IPv6 there is a separate tunnel mode, “ip6gre”.

    Create multiple GRE tunnels to the same endpoint


    Keyed tunnels can be used alongside unkeyed ones to the same endpoint. The key may be given in dotted-decimal, IPv4-like format.

    Note that the key does not add any security to the tunnel. It’s just an identifier used to distinguish one tunnel from another.
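    The encapsulations this section lists, seen at the byte level, as an added example that is not part of the original cheatsheet: it classifies an outer IPv4 packet by its protocol number the way the receiving tunnel driver would (IPIP, SIT, GRE, and gretap via GRE’s Ethernet protocol type), validates the outer header checksum, and unpacks the GRE header so that the key is visible for what it is: a cleartext identifier, not a secret. All packets are constructed inline; the endpoint addresses are documentation-range placeholders.

```python
"""Added example, not from the original cheatsheet: inspect the IPv4-carried
tunnel encapsulations (IPIP, SIT, GRE / gretap) at the byte level.  Every
packet below is constructed inline; addresses are RFC 5737 placeholders."""
import ipaddress
import struct

PROTO_IPIP, PROTO_IPV6, PROTO_GRE = 4, 41, 47               # IANA protocol numbers
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000                # GRE flag bits (RFC 2784/2890)
GRE_PTYPE = {0x0800: "ipv4", 0x86DD: "ipv6", 0x6558: "ethernet"}   # 0x6558 is what gretap carries


def _fold(total):
    """Fold a wide sum into 16 bits (one's-complement arithmetic used by IP checksums)."""
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return total


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = (~_fold(sum(struct.unpack("!10H", hdr)))) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4(buf):
    """Return (proto, src, dst, payload); reject non-IPv4, truncated or corrupted headers."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or total > len(buf):
        raise ValueError("truncated or malformed IPv4 header")
    if _fold(sum(struct.unpack("!%dH" % (ihl // 2), buf[:ihl]))) != 0xFFFF:
        raise ValueError("bad IPv4 header checksum")
    return (buf[9], str(ipaddress.IPv4Address(buf[12:16])),
            str(ipaddress.IPv4Address(buf[16:20])), buf[ihl:total])


def gre_header(ptype, key=None, seq=None):
    """Build a GRE header.  The key travels in clear text: an identifier, not a secret."""
    flags = (GRE_K if key is not None else 0) | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, ptype)
    for field in (key, seq):
        if field is not None:
            hdr += struct.pack("!I", field)
    return hdr


def _u32(buf, off):
    if len(buf) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", buf[off:off + 4])[0]


def parse_gre(buf):
    """Return ({proto, key, seq}, inner payload) from a GRE header."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    off, key, seq = 4, None, None
    if flags & GRE_C:
        off += 4                     # checksum + reserved1 (not validated here)
    if flags & GRE_K:
        key, off = _u32(buf, off), off + 4
    if flags & GRE_S:
        seq, off = _u32(buf, off), off + 4
    return {"proto": GRE_PTYPE.get(ptype, "0x%04x" % ptype), "key": key, "seq": seq}, buf[off:]


def key_as_dotted(key):
    """iproute2 accepts a GRE key in dotted-quad form; this is the numeric key's equivalent."""
    return str(ipaddress.IPv4Address(key))


def decapsulate(buf):
    """Classify one outer IPv4 packet the way the receiving tunnel driver would."""
    proto, src, dst, payload = parse_ipv4(buf)
    result = {"outer_src": src, "outer_dst": dst, "key": None}
    if proto == PROTO_IPIP:
        result.update(mode="ipip", inner="ipv4", payload=payload)
    elif proto == PROTO_IPV6:
        result.update(mode="sit", inner="ipv6", payload=payload)
    elif proto == PROTO_GRE:
        gre, inner = parse_gre(payload)
        result.update(mode="gretap" if gre["proto"] == "ethernet" else "gre",
                      inner=gre["proto"], key=gre["key"], payload=inner)
    else:
        result.update(mode="none", inner="protocol %d" % proto, payload=payload)
    return result


# Constructed samples: an inner IPv4 packet (ICMP, empty body), an inner IPv6 header
# and an Ethernet frame, each wrapped the way the matching tunnel mode would wrap it.
INNER_V4 = ipv4_header(1, "10.0.0.1", "10.0.0.2", 0)
INNER_V6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed)
INNER_ETH = b"\xff" * 6 + bytes([2, 0, 0, 0, 0, 1]) + b"\x08\x06" + b"\0" * 28
OUTER = ("192.0.2.1", "198.51.100.1")
IPIP_PKT = ipv4_header(PROTO_IPIP, *OUTER, len(INNER_V4)) + INNER_V4
SIT_PKT = ipv4_header(PROTO_IPV6, *OUTER, len(INNER_V6)) + INNER_V6
GRE_PKT = ipv4_header(PROTO_GRE, *OUTER, 8 + len(INNER_V4)) + gre_header(0x0800, key=1234) + INNER_V4
GRETAP_PKT = ipv4_header(PROTO_GRE, *OUTER, 4 + len(INNER_ETH)) + gre_header(0x6558) + INNER_ETH

if __name__ == "__main__":
    for name, pkt in [("ipip", IPIP_PKT), ("sit", SIT_PKT), ("gre", GRE_PKT), ("gretap", GRETAP_PKT)]:
        r = decapsulate(pkt)
        print(name, r["mode"], r["inner"], "key=%s" % r["key"], "%d inner bytes" % len(r["payload"]))
```

    Because the key sits in the clear in the GRE header, anyone who can see the outer packets can read it and can forge packets that carry it; that is the concrete reason the note above says a key adds no security, and why confidentiality and authentication have to come from an encrypted transport such as IPsec underneath the tunnel.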

    Create a point-to-multipoint GRE tunnel


    Note the absence of ${remote endpoint address}. This is the same as what is called “mode gre multipoint” in Cisco IOS.

    In the absence of remote endpoint address the key is the only way to identify the tunnel traffic, so ${key value} is required.

    This type of tunnel allows you to communicate with multiple endpoints using the same tunnel interface. It’s commonly used in
    complex VPN setups with multiple endpoints communicating with one another (in Cisco terminology, “dynamic multipoint VPN”).

    As there is no explicit remote endpoint address, obviously it is not enough to just create a tunnel. Your system needs to know
    where the other endpoints are.

    In real life NHRP (Next Hop Resolution Protocol) is used for this. For testing you can add peers manually (given that the remote
    endpoint uses one address on its physical interface and another on the tunnel):

    You will have to do it on the remote endpoint too, like:

    Note that the link-layer address and the neighbor address are both IP addresses, so they are on the same OSI layer.
    This is one of the cases where the link-layer address concept gets interesting.

    Create a GRE tunnel over IPv6

    Recent kernel and iproute2 versions support GRE over IPv6. Point-to-point with no key:

    It should support all options and features supported by the IPv4 GRE described above.

    Delete a tunnel