1ovs-vsctl(8) Open vSwitch Manual ovs-vsctl(8)
2
6 ovs-vsctl - utility for querying and configuring ovs-vswitchd
7
9 ovs-vsctl [options] -- [options] command [args] [-- [options] command
10 [args]]...
11
13 The ovs-vsctl program configures ovs-vswitchd(8) by providing a
14 high-level interface to its configuration database. See
15 ovs-vswitchd.conf.db(5) for comprehensive documentation of the database
16 schema.
17 ovs-vsctl connects to an ovsdb-server process that maintains an Open
19 vSwitch configuration database. Using this connection, it queries and
20 possibly applies changes to the database, depending on the supplied
21 commands. Then, if it applied any changes, by default it waits until
22 ovs-vswitchd has finished reconfiguring itself before it exits. (If
23 you use ovs-vsctl when ovs-vswitchd is not running, use --no-wait.)
24 ovs-vsctl can perform any number of commands in a single run, imple‐
26 mented as a single atomic transaction against the database.
27 The ovs-vsctl command line begins with global options (see OPTIONS
29 below for details). The global options are followed by one or more
30 commands. Each command should begin with -- by itself as a command-
31 line argument, to separate it from the following commands. (The --
32 before the first command is optional.) The command itself starts with
33 command-specific options, if any, followed by the command name and any
34 arguments. See EXAMPLES below for syntax examples.
35 Linux VLAN Bridging Compatibility
37 The ovs-vsctl program supports the model of a bridge implemented by
38 Open vSwitch, in which a single bridge supports ports on multiple
39 VLANs. In this model, each port on a bridge is either a trunk port
40 that potentially passes packets tagged with 802.1Q headers that desig‐
41 nate VLANs or it is assigned a single implicit VLAN that is never
42 tagged with an 802.1Q header.
43 For compatibility with software designed for the Linux bridge,
45 ovs-vsctl also supports a model in which traffic associated with a
46 given 802.1Q VLAN is segregated into a separate bridge. A special form
47 of the add-br command (see below) creates a ``fake bridge'' within an
48 Open vSwitch bridge to simulate this behavior. When such a ``fake
49 bridge'' is active, ovs-vsctl will treat it much like a bridge separate
50 from its ``parent bridge,'' but the actual implementation in Open
51 vSwitch uses only a single bridge, with ports on the fake bridge
52 assigned the implicit VLAN of the fake bridge of which they are mem‐
53 bers. (A fake bridge for VLAN 0 receives packets that have no 802.1Q
54 tag or a tag with VLAN 0.)
55
57 The following options affect the behavior ovs-vsctl as a whole. Some
58 individual commands also accept their own options, which are given just
59 before the command name. If the first command on the command line has
60 options, then those options must be separated from the global options
61 by --.
62 --db=server
64 Sets server as the database server that ovs-vsctl contacts to
65 query or modify configuration. server may be an OVSDB active or
66 passive connection method, as described in ovsdb(7). The
67 default is unix:/var/run/openvswitch/db.sock.
68 --no-wait
70 Prevents ovs-vsctl from waiting for ovs-vswitchd to reconfigure
71 itself according to the modified database. This option should
72 be used if ovs-vswitchd is not running; otherwise, ovs-vsctl
73 will not exit until ovs-vswitchd starts.
74 This option has no effect if the commands specified do not
76 change the database.
77 --no-syslog
79 By default, ovs-vsctl logs its arguments and the details of any
80 changes that it makes to the system log. This option disables
81 this logging.
82 This option is equivalent to --verbose=vsctl:syslog:warn.
84 --oneline
86 Modifies the output format so that the output for each command
87 is printed on a single line. New-line characters that would
88 otherwise separate lines are printed as \n, and any instances of
89 \ that would otherwise appear in the output are doubled. Prints
90 a blank line for each command that has no output. This option
91 does not affect the formatting of output from the list or find
92 commands; see Table Formatting Options below.
93 --dry-run
95 Prevents ovs-vsctl from actually modifying the database.
96 -t secs
98 --timeout=secs
99 By default, or with a secs of 0, ovs-vsctl waits forever for a
100 response from the database. This option limits runtime to
101 approximately secs seconds. If the timeout expires, ovs-vsctl
102 will exit with a SIGALRM signal. (A timeout would normally hap‐
103 pen only if the database cannot be contacted, or if the system
104 is overloaded.)
105 --retry
107 Without this option, if ovs-vsctl connects outward to the data‐
108 base server (the default) then ovs-vsctl will try to connect
109 once and exit with an error if the connection fails (which usu‐
110 ally means that ovsdb-server is not running).
111 With this option, or if --db specifies that ovs-vsctl should
113 listen for an incoming connection from the database server, then
114 ovs-vsctl will wait for a connection to the database forever.
115 Regardless of this setting, --timeout always limits how long
117 ovs-vsctl will wait.
118 Table Formatting Options
120 These options control the format of output from the list and find com‐
121 mands.
122 -f format
124 --format=format
125 Sets the type of table formatting. The following types of for‐
126 mat are available:
127 table 2-D text tables with aligned columns.
129 list (default)
131 A list with one column per line and rows separated by a
132 blank line.
133 html HTML tables.
135 csv Comma-separated values as defined in RFC 4180.
137 json JSON format as defined in RFC 4627. The output is a
139 sequence of JSON objects, each of which corresponds to
140 one table. Each JSON object has the following members
141 with the noted values:
142 caption
144 The table's caption. This member is omitted if
145 the table has no caption.
146 headings
148 An array with one element per table column. Each
149 array element is a string giving the corresponding
150 column's heading.
151 data An array with one element per table row. Each
153 element is also an array with one element per ta‐
154 ble column. The elements of this second-level
155 array are the cells that constitute the table.
156 Cells that represent OVSDB data or data types are
157 expressed in the format described in the OVSDB
158 specification; other cells are simply expressed as
159 text strings.
160 -d format
162 --data=format
163 Sets the formatting for cells within output tables unless the
164 table format is set to json, in which case json formatting is
165 always used when formatting cells. The following types of for‐
166 mat are available:
167 string (default)
169 The simple format described in the Database Values sec‐
170 tion below.
171 bare The simple format with punctuation stripped off: [] and
173 {} are omitted around sets, maps, and empty columns,
174 items within sets and maps are space-separated, and
175 strings are never quoted. This format may be easier for
176 scripts to parse.
177 json The RFC 4627 JSON format as described above.
179 --no-headings
181 This option suppresses the heading row that otherwise appears in
182 the first row of table output.
183 --pretty
185 By default, JSON in output is printed as compactly as possible.
186 This option causes JSON in output to be printed in a more read‐
187 able fashion. Members of objects and elements of arrays are
188 printed one per line, with indentation.
189 This option does not affect JSON in tables, which is always
191 printed compactly.
192 --bare Equivalent to --format=list --data=bare --no-headings.
194 --max-column-width=n
196 For table output only, limits the width of any column in the
197 output to n columns. Longer cell data is truncated to fit, as
198 necessary. Columns are always wide enough to display the column
199 names, if the heading row is printed.
200 Public Key Infrastructure Options
202 -p privkey.pem
203 --private-key=privkey.pem
204 Specifies a PEM file containing the private key used as
205 ovs-vsctl's identity for outgoing SSL connections.
206 -c cert.pem
208 --certificate=cert.pem
209 Specifies a PEM file containing a certificate that certifies the
210 private key specified on -p or --private-key to be trustworthy.
211 The certificate must be signed by the certificate authority (CA)
212 that the peer in SSL connections will use to verify it.
213 -C cacert.pem
215 --ca-cert=cacert.pem
216 Specifies a PEM file containing the CA certificate that
217 ovs-vsctl should use to verify certificates presented to it by
218 SSL peers. (This may be the same certificate that SSL peers use
219 to verify the certificate specified on -c or --certificate, or
220 it may be a different one, depending on the PKI design in use.)
221 -C none
223 --ca-cert=none
224 Disables verification of certificates presented by SSL peers.
225 This introduces a security risk, because it means that certifi‐
226 cates cannot be verified to be those of known trusted hosts.
227 --bootstrap-ca-cert=cacert.pem
229 When cacert.pem exists, this option has the same effect as -C or
230 --ca-cert. If it does not exist, then ovs-vsctl will attempt to
231 obtain the CA certificate from the SSL peer on its first SSL
232 connection and save it to the named PEM file. If it is success‐
233 ful, it will immediately drop the connection and reconnect, and
234 from then on all SSL connections must be authenticated by a cer‐
235 tificate signed by the CA certificate thus obtained.
236 This option exposes the SSL connection to a man-in-the-middle
238 attack obtaining the initial CA certificate, but it may be use‐
239 ful for bootstrapping.
240 This option is only useful if the SSL peer sends its CA certifi‐
242 cate as part of the SSL certificate chain. The SSL protocol
243 does not require the server to send the CA certificate.
244 This option is mutually exclusive with -C and --ca-cert.
246 --peer-ca-cert=peer-cacert.pem
248 Specifies a PEM file that contains one or more additional cer‐
249 tificates to send to SSL peers. peer-cacert.pem should be the
250 CA certificate used to sign ovs-vsctl's own certificate, that
251 is, the certificate specified on -c or --certificate. If
252 ovs-vsctl's certificate is self-signed, then --certificate and
253 --peer-ca-cert should specify the same file.
254 This option is not useful in normal operation, because the SSL
256 peer must already have the CA certificate for the peer to have
257 any confidence in ovs-vsctl's identity. However, this offers a
258 way for a new installation to bootstrap the CA certificate on
259 its first SSL connection.
260 -v[spec]
262 --verbose=[spec]
263 Sets logging levels. Without any spec, sets the log level for
264 every module and destination to dbg. Otherwise, spec is a list
265 of words separated by spaces or commas or colons, up to one from
266 each category below:
267 · A valid module name, as displayed by the vlog/list com‐
269 mand on ovs-appctl(8), limits the log level change to the
270 specified module.
271 · syslog, console, or file, to limit the log level change
273 to only to the system log, to the console, or to a file,
274 respectively. (If --detach is specified, ovs-vsctl
275 closes its standard file descriptors, so logging to the
276 console will have no effect.)
277 On Windows platform, syslog is accepted as a word and is
279 only useful along with the --syslog-target option (the
280 word has no effect otherwise).
281 · off, emer, err, warn, info, or dbg, to control the log
283 level. Messages of the given severity or higher will be
284 logged, and messages of lower severity will be filtered
285 out. off filters out all messages. See ovs-appctl(8)
286 for a definition of each log level.
287 Case is not significant within spec.
289 Regardless of the log levels set for file, logging to a file
291 will not take place unless --log-file is also specified (see
292 below).
293 For compatibility with older versions of OVS, any is accepted as
295 a word but has no effect.
296 -v
298 --verbose
299 Sets the maximum logging verbosity level, equivalent to --ver‐
300 bose=dbg.
301 -vPATTERN:destination:pattern
303 --verbose=PATTERN:destination:pattern
304 Sets the log pattern for destination to pattern. Refer to
305 ovs-appctl(8) for a description of the valid syntax for pattern.
306 -vFACILITY:facility
308 --verbose=FACILITY:facility
309 Sets the RFC5424 facility of the log message. facility can be
310 one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
311 clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
312 local3, local4, local5, local6 or local7. If this option is not
313 specified, daemon is used as the default for the local system
314 syslog and local0 is used while sending a message to the target
315 provided via the --syslog-target option.
316 --log-file[=file]
318 Enables logging to a file. If file is specified, then it is
319 used as the exact name for the log file. The default log file
320 name used if file is omitted is /var/log/open‐
321 vswitch/ovs-vsctl.log.
322 --syslog-target=host:port
324 Send syslog messages to UDP port on host, in addition to the
325 system syslog. The host must be a numerical IP address, not a
326 hostname.
327 --syslog-method=method
329 Specify method how syslog messages should be sent to syslog dae‐
330 mon. Following forms are supported:
331 · libc, use libc syslog() function. This is the default
333 behavior. Downside of using this options is that libc
334 adds fixed prefix to every message before it is actually
335 sent to the syslog daemon over /dev/log UNIX domain
336 socket.
337 · unix:file, use UNIX domain socket directly. It is possi‐
339 ble to specify arbitrary message format with this option.
340 However, rsyslogd 8.9 and older versions use hard coded
341 parser function anyway that limits UNIX domain socket
342 use. If you want to use arbitrary message format with
343 older rsyslogd versions, then use UDP socket to localhost
344 IP address instead.
345 · udp:ip:port, use UDP socket. With this method it is pos‐
347 sible to use arbitrary message format also with older
348 rsyslogd. When sending syslog messages over UDP socket
349 extra precaution needs to be taken into account, for
350 example, syslog daemon needs to be configured to listen
351 on the specified UDP port, accidental iptables rules
352 could be interfering with local syslog traffic and there
353 are some security considerations that apply to UDP sock‐
354 ets, but do not apply to UNIX domain sockets.
355 -h
357 --help Prints a brief help message to the console.
358 -V
360 --version
361 Prints version information to the console.
362
364 The commands implemented by ovs-vsctl are described in the sections
365 below.
366 Open vSwitch Commands
368 These commands work with an Open vSwitch as a whole.
369 init Initializes the Open vSwitch database, if it is empty. If the
371 database has already been initialized, this command has no
372 effect.
373 Any successful ovs-vsctl command automatically initializes the
375 Open vSwitch database if it is empty. This command is provided
376 to initialize the database without executing any other command.
377 show Prints a brief overview of the database contents.
379 emer-reset
381 Reset the configuration into a clean state. It deconfigures
382 OpenFlow controllers, OVSDB servers, and SSL, and deletes port
383 mirroring, fail_mode, NetFlow, sFlow, and IPFIX configuration.
384 This command also removes all other-config keys from all data‐
385 base records, except that other-config:hwaddr is preserved if it
386 is present in a Bridge record. Other networking configuration
387 is left as-is.
388 Bridge Commands
390 These commands examine and manipulate Open vSwitch bridges.
391 [--may-exist] add-br bridge
393 Creates a new bridge named bridge. Initially the bridge will
394 have no ports (other than bridge itself).
395 Without --may-exist, attempting to create a bridge that exists
397 is an error. With --may-exist, this command does nothing if
398 bridge already exists as a real bridge.
399 [--may-exist] add-br bridge parent vlan
401 Creates a ``fake bridge'' named bridge within the existing Open
402 vSwitch bridge parent, which must already exist and must not
403 itself be a fake bridge. The new fake bridge will be on 802.1Q
404 VLAN vlan, which must be an integer between 0 and 4095. The
405 parent bridge must not already have a fake bridge for vlan.
406 Initially bridge will have no ports (other than bridge itself).
407 Without --may-exist, attempting to create a bridge that exists
409 is an error. With --may-exist, this command does nothing if
410 bridge already exists as a VLAN bridge under parent for vlan.
411 [--if-exists] del-br bridge
413 Deletes bridge and all of its ports. If bridge is a real
414 bridge, this command also deletes any fake bridges that were
415 created with bridge as parent, including all of their ports.
416 Without --if-exists, attempting to delete a bridge that does not
418 exist is an error. With --if-exists, attempting to delete a
419 bridge that does not exist has no effect.
420 [--real|--fake] list-br
422 Lists all existing real and fake bridges on standard output, one
423 per line. With --real or --fake, only bridges of that type are
424 returned.
425 br-exists bridge
427 Tests whether bridge exists as a real or fake bridge. If so,
428 ovs-vsctl exits successfully with exit code 0. If not,
429 ovs-vsctl exits unsuccessfully with exit code 2.
430 br-to-vlan bridge
432 If bridge is a fake bridge, prints the bridge's 802.1Q VLAN as a
433 decimal integer. If bridge is a real bridge, prints 0.
434 br-to-parent bridge
436 If bridge is a fake bridge, prints the name of its parent
437 bridge. If bridge is a real bridge, print bridge.
438 br-set-external-id bridge key [value]
440 Sets or clears an ``external ID'' value on bridge. These values
441 are intended to identify entities external to Open vSwitch with
442 which bridge is associated, e.g. the bridge's identifier in a
443 virtualization management platform. The Open vSwitch database
444 schema specifies well-known key values, but key and value are
445 otherwise arbitrary strings.
446 If value is specified, then key is set to value for bridge,
448 overwriting any previous value. If value is omitted, then key
449 is removed from bridge's set of external IDs (if it was
450 present).
451 For real bridges, the effect of this command is similar to that
453 of a set or remove command in the external-ids column of the
454 Bridge table. For fake bridges, it actually modifies keys with
455 names prefixed by fake-bridge- in the Port table.
456 br-get-external-id bridge [key]
458 Queries the external IDs on bridge. If key is specified, the
459 output is the value for that key or the empty string if key is
460 unset. If key is omitted, the output is key=value, one per
461 line, for each key-value pair.
462 For real bridges, the effect of this command is similar to that
464 of a get command in the external-ids column of the Bridge table.
465 For fake bridges, it queries keys with names prefixed by
466 fake-bridge- in the Port table.
467 Port Commands
469 These commands examine and manipulate Open vSwitch ports. These com‐
470 mands treat a bonded port as a single entity.
471 list-ports bridge
473 Lists all of the ports within bridge on standard output, one per
474 line. The local port bridge is not included in the list.
475 [--may-exist] add-port bridge port [column[:key]=value]...
477 Creates on bridge a new port named port from the network device
478 of the same name.
479 Optional arguments set values of column in the Port record cre‐
481 ated by the command. For example, tag=9 would make the port an
482 access port for VLAN 9. The syntax is the same as that for the
483 set command (see Database Commands below).
484 Without --may-exist, attempting to create a port that exists is
486 an error. With --may-exist, this command does nothing if port
487 already exists on bridge and is not a bonded port.
488 [--if-exists] del-port [bridge] port
490 Deletes port. If bridge is omitted, port is removed from what‐
491 ever bridge contains it; if bridge is specified, it must be the
492 real or fake bridge that contains port.
493 Without --if-exists, attempting to delete a port that does not
495 exist is an error. With --if-exists, attempting to delete a
496 port that does not exist has no effect.
497 [--if-exists] --with-iface del-port [bridge] iface
499 Deletes the port named iface or that has an interface named
500 iface. If bridge is omitted, the port is removed from whatever
501 bridge contains it; if bridge is specified, it must be the real
502 or fake bridge that contains the port.
503 Without --if-exists, attempting to delete the port for an inter‐
505 face that does not exist is an error. With --if-exists,
506 attempting to delete the port for an interface that does not
507 exist has no effect.
508 port-to-br port
510 Prints the name of the bridge that contains port on standard
511 output.
512 Bond Commands
514 These commands work with ports that have more than one interface, which
515 Open vSwitch calls ``bonds.''
516 [--fake-iface] add-bond bridge port iface... [column[:key]=value]...
518 Creates on bridge a new port named port that bonds together the
519 network devices given as each iface. At least two interfaces
520 must be named. If the interfaces are DPDK enabled then the
521 transaction will need to include operations to explicitly set
522 the interface type to 'dpdk'.
523 Optional arguments set values of column in the Port record cre‐
525 ated by the command. The syntax is the same as that for the set
526 command (see Database Commands below).
527 With --fake-iface, a fake interface with the name port is cre‐
529 ated. This should only be used for compatibility with legacy
530 software that requires it.
531 Without --may-exist, attempting to create a port that exists is
533 an error. With --may-exist, this command does nothing if port
534 already exists on bridge and bonds together exactly the speci‐
535 fied interfaces.
536 [--may-exist] add-bond-iface bond iface
538 Adds iface as a new bond interface to the existing port bond.
539 If bond previously had only one port, this transforms it into a
540 bond.
541 Without --may-exist, attempting to add an iface that is already
543 part of bond is an error. With --may-exist, this command does
544 nothing if iface is already part of bond. (It is still an error
545 if iface is an interface of some other port or bond.)
546 [--if-exists] del-bond-iface [bond] iface
548 Removes iface from its port. If bond is omitted, iface is
549 removed from whatever port contains it; if bond is specified, it
550 must be the port that contains bond.
551 If removing iface causes its port to have only a single inter‐
553 face, then that port transforms from a bond into an ordinary
554 port. It is an error if iface is the only interface in its
555 port.
556 Without --if-exists, attempting to delete an interface that does
558 not exist is an error. With --if-exists, attempting to delete
559 an interface that does not exist has no effect.
560 Interface Commands
562 These commands examine the interfaces attached to an Open vSwitch
563 bridge. These commands treat a bonded port as a collection of two or
564 more interfaces, rather than as a single port.
565 list-ifaces bridge
567 Lists all of the interfaces within bridge on standard output,
568 one per line. The local port bridge is not included in the
569 list.
570 iface-to-br iface
572 Prints the name of the bridge that contains iface on standard
573 output.
574 OpenFlow Controller Connectivity
576 ovs-vswitchd can perform all configured bridging and switching locally,
577 or it can be configured to communicate with one or more external Open‐
578 Flow controllers. The switch is typically configured to connect to a
579 primary controller that takes charge of the bridge's flow table to
580 implement a network policy. In addition, the switch can be configured
581 to listen to connections from service controllers. Service controllers
582 are typically used for occasional support and maintenance, e.g. with
583 ovs-ofctl.
584 get-controller bridge
586 Prints the configured controller target.
587 del-controller bridge
589 Deletes the configured controller target.
590 set-controller bridge target...
592 Sets the configured controller target or targets. Each target
593 may use any of the following forms:
594 ssl:host[:port]
596 tcp:host[:port]
597 The specified port on the given host, which can be
598 expressed either as a DNS name (if built with unbound
599 library) or an IP address in IPv4 or IPv6 address format.
600 Wrap IPv6 addresses in square brackets, e.g.
601 tcp:[::1]:6653. On Linux, use %device to designate a
602 scope for IPv6 link-level addresses, e.g.
603 tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key,
604 --certificate, and --ca-cert options are mandatory.
605 If port is not specified, it defaults to 6653.
607 unix:file
609 On POSIX, a Unix domain server socket named file.
610 On Windows, connect to a local named pipe that is repre‐
612 sented by a file created in the path file to mimic the
613 behavior of a Unix domain socket.
614 pssl:[port][:host]
616 ptcp:[port][:host]
617 Listens for OpenFlow connections on port. The default
618 port is 6653. By default, connections are allowed from
619 any IPv4 address. Specify host as an IPv4 address or a
620 bracketed IPv6 address (e.g. ptcp:6653:[::1]). On Linux,
621 use %device to designate a scope for IPv6 link-level
622 addresses, e.g. ptcp:6653:[fe80::1234%eth0]. DNS names
623 can be used if built with unbound library. For pssl, the
624 --private-key,--certificate, and --ca-cert options are
625 mandatory.
626 punix:file
628 Listens for OpenFlow connections on the Unix domain
629 server socket named file.
630 Controller Failure Settings
632 When a controller is configured, it is, ordinarily, responsible for
634 setting up all flows on the switch. Thus, if the connection to the
635 controller fails, no new network connections can be set up. If the
636 connection to the controller stays down long enough, no packets can
637 pass through the switch at all.
638 If the value is standalone, or if neither of these settings is set,
640 ovs-vswitchd will take over responsibility for setting up flows when no
641 message has been received from the controller for three times the inac‐
642 tivity probe interval. In this mode, ovs-vswitchd causes the datapath
643 to act like an ordinary MAC-learning switch. ovs-vswitchd will con‐
644 tinue to retry connecting to the controller in the background and, when
645 the connection succeeds, it discontinues its standalone behavior.
646 If this option is set to secure, ovs-vswitchd will not set up flows on
648 its own when the controller connection fails.
649 get-fail-mode bridge
651 Prints the configured failure mode.
652 del-fail-mode bridge
654 Deletes the configured failure mode.
655 set-fail-mode bridge standalone|secure
657 Sets the configured failure mode.
658 Manager Connectivity
660 These commands manipulate the manager_options column in the
661 Open_vSwitch table and rows in the Managers table. When ovsdb-server
662 is configured to use the manager_options column for OVSDB connections
663 (as described in the startup scripts provided with Open vSwitch; the
664 corresponding ovsdb-server command option is
665 --remote=db:Open_vSwitch,Open_vSwitch,manager_options), this allows the
666 administrator to use ovs-vsctl to configure database connections.
667 get-manager
669 Prints the configured manager(s).
670 del-manager
672 Deletes the configured manager(s).
673 set-manager target...
675 Sets the configured manager target or targets. Each target may
676 be an OVSDB active or passive connection method, e.g. pssl:6640,
677 as described in ovsdb(7).
678 SSL Configuration
680 When ovs-vswitchd is configured to connect over SSL for management or
681 controller connectivity, the following parameters are required:
682 private-key
684 Specifies a PEM file containing the private key used as the vir‐
685 tual switch's identity for SSL connections to the controller.
686 certificate
688 Specifies a PEM file containing a certificate, signed by the
689 certificate authority (CA) used by the controller and manager,
690 that certifies the virtual switch's private key, identifying a
691 trustworthy switch.
692 ca-cert
694 Specifies a PEM file containing the CA certificate used to ver‐
695 ify that the virtual switch is connected to a trustworthy con‐
696 troller.
697 These files are read only once, at ovs-vswitchd startup time. If their
699 contents change, ovs-vswitchd must be killed and restarted.
700 These SSL settings apply to all SSL connections made by the virtual
702 switch.
703 get-ssl
705 Prints the SSL configuration.
706 del-ssl
708 Deletes the current SSL configuration.
709 [--bootstrap] set-ssl private-key certificate ca-cert
711 Sets the SSL configuration. The --bootstrap option is described
712 below.
713 CA Certificate Bootstrap
715 Ordinarily, all of the files named in the SSL configuration must exist
717 when ovs-vswitchd starts. However, if the ca-cert file does not exist
718 and the --bootstrap option is given, then ovs-vswitchd will attempt to
719 obtain the CA certificate from the controller on its first SSL connec‐
720 tion and save it to the named PEM file. If it is successful, it will
721 immediately drop the connection and reconnect, and from then on all SSL
722 connections must be authenticated by a certificate signed by the CA
723 certificate thus obtained.
724 This option exposes the SSL connection to a man-in-the-middle attack
726 obtaining the initial CA certificate, but it may be useful for boot‐
727 strapping.
728 This option is only useful if the controller sends its CA certificate
730 as part of the SSL certificate chain. The SSL protocol does not
731 require the controller to send the CA certificate.
732 Auto-Attach Commands
734 The IETF Auto-Attach SPBM draft standard describes a compact method of
735 using IEEE 802.1AB Link Layer Discovery Protocol (LLDP) together with a
736 IEEE 802.1aq Shortest Path Bridging (SPB) network to automatically
737 attach network devices to individual services in a SPB network. The
738 intent here is to allow network applications and devices using OVS to
739 be able to easily take advantage of features offered by industry stan‐
740 dard SPB networks. A fundamental element of the Auto-Attach feature is
741 to map traditional VLANs onto SPB I_SIDs. These commands manage the
742 Auto-Attach I-SID/VLAN mappings.
743 add-aa-mapping bridge i-sid vlan
745 Creates a new Auto-Attach mapping on bridge for i-sid and vlan.
746 del-aa-mapping bridge i-sid vlan
748 Deletes an Auto-Attach mapping on bridge for i-sid and vlan.
749 get-aa-mapping bridge
751 Lists all of the Auto-Attach mappings within bridge on standard
752 output.
753 Database Commands
755 These commands query and modify the contents of ovsdb tables. They are
756 a slight abstraction of the ovsdb interface and as such they operate at
757 a lower level than other ovs-vsctl commands.
758 Identifying Tables, Records, and Columns
760 Each of these commands has a table parameter to identify a table within
762 the database. Many of them also take a record parameter that identi‐
763 fies a particular record within a table. The record parameter may be
764 the UUID for a record, and many tables offer additional ways to iden‐
765 tify records. Some commands also take column parameters that identify
766 a particular field within the records in a table.
767 For a list of tables and their columns, see ovs-vswitchd.conf.db(5) or
769 see the table listing from the --help option.
770 Record names must be specified in full and with correct capitalization,
772 except that UUIDs may be abbreviated to their first 4 (or more) hex
773 digits, as long as that is unique within the table. Names of tables
774 and columns are not case-sensitive, and - and _ are treated inter‐
775 changeably. Unique abbreviations of table and column names are accept‐
776 able, e.g. net or n is sufficient to identify the NetFlow table.
777 Database Values
779 Each column in the database accepts a fixed type of data. The cur‐
781 rently defined basic types, and their representations, are:
782 integer
784 A decimal integer in the range -2**63 to 2**63-1, inclusive.
785 real A floating-point number.
787 Boolean
789 True or false, written true or false, respectively.
790 string An arbitrary Unicode string, except that null bytes are not
792 allowed. Quotes are optional for most strings that begin with
793 an English letter or underscore and consist only of letters,
794 underscores, hyphens, and periods. However, true and false and
795 strings that match the syntax of UUIDs (see below) must be
796 enclosed in double quotes to distinguish them from other basic
797 types. When double quotes are used, the syntax is that of
798 strings in JSON, e.g. backslashes may be used to escape special
799 characters. The empty string must be represented as a pair of
800 double quotes ("").
801 UUID Either a universally unique identifier in the style of RFC 4122,
803 e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or an @name defined
804 by a get or create command within the same ovs-vsctl invocation.
805 Multiple values in a single column may be separated by spaces or a sin‐
807 gle comma. When multiple values are present, duplicates are not
808 allowed, and order is not important. Conversely, some database columns
809 can have an empty set of values, represented as [], and square brackets
810 may optionally enclose other non-empty sets or single values as well.
811 For a column accepting a set of integers, database commands accept a
812 range. A range is represented by two integers separated by -. A range
813 is inclusive. A range has a maximum size of 4096 elements. If more ele‐
814 ments are needed, they can be specified in seperate ranges.
815 A few database columns are ``maps'' of key-value pairs, where the key
817 and the value are each some fixed database type. These are specified
818 in the form key=value, where key and value follow the syntax for the
819 column's key type and value type, respectively. When multiple pairs
820 are present (separated by spaces or a comma), duplicate keys are not
821 allowed, and again the order is not important. Duplicate values are
822 allowed. An empty map is represented as {}. Curly braces may option‐
823 ally enclose non-empty maps as well (but use quotes to prevent the
824 shell from expanding other-config={0=x,1=y} into other-config=0=x
825 other-config=1=y, which may not have the desired effect).
826 Database Command Syntax
828 [--if-exists] [--columns=column[,column]...] list table [record]...
830 Lists the data in each specified record. If no records are
831 specified, lists all the records in table.
832 If --columns is specified, only the requested columns are
834 listed, in the specified order. Otherwise, all columns are
835 listed, in alphabetical order by column name.
836 Without --if-exists, it is an error if any specified record does
838 not exist. With --if-exists, the command ignores any record
839 that does not exist, without producing any output.
840 [--columns=column[,column]...] find table [column[:key]=value]...
842 Lists the data in each record in table whose column equals value
843 or, if key is specified, whose column contains a key with the
844 specified value. The following operators may be used where = is
845 written in the syntax summary:
846 = != < > <= >=
848 Selects records in which column[:key] equals, does not
849 equal, is less than, is greater than, is less than or
850 equal to, or is greater than or equal to value, respec‐
851 tively.
852 Consider column[:key] and value as sets of elements.
854 Identical sets are considered equal. Otherwise, if the
855 sets have different numbers of elements, then the set
856 with more elements is considered to be larger. Other‐
857 wise, consider a element from each set pairwise, in
858 increasing order within each set. The first pair that
859 differs determines the result. (For a column that con‐
860 tains key-value pairs, first all the keys are compared,
861 and values are considered only if the two sets contain
862 identical keys.)
863 {=} {!=}
865 Test for set equality or inequality, respectively.
866 {<=} Selects records in which column[:key] is a subset of
868 value. For example, flood-vlans{<=}1,2 selects records
869 in which the flood-vlans column is the empty set or con‐
870 tains 1 or 2 or both.
871 {<} Selects records in which column[:key] is a proper subset
873 of value. For example, flood-vlans{<}1,2 selects records
874 in which the flood-vlans column is the empty set or con‐
875 tains 1 or 2 but not both.
876 {>=} {>}
878 Same as {<=} and {<}, respectively, except that the rela‐
879 tionship is reversed. For example, flood-vlans{>=}1,2
880 selects records in which the flood-vlans column contains
881 both 1 and 2.
882 For arithmetic operators (= != < > <= >=), when key is specified
884 but a particular record's column does not contain key, the
885 record is always omitted from the results. Thus, the condition
886 other-config:mtu!=1500 matches records that have a mtu key whose
887 value is not 1500, but not those that lack an mtu key.
888 For the set operators, when key is specified but a particular
890 record's column does not contain key, the comparison is done
891 against an empty set. Thus, the condition other-con‐
892 fig:mtu{!=}1500 matches records that have a mtu key whose value
893 is not 1500 and those that lack an mtu key.
894 Don't forget to escape < or > from interpretation by the shell.
896 If --columns is specified, only the requested columns are
898 listed, in the specified order. Otherwise all columns are
899 listed, in alphabetical order by column name.
900 The UUIDs shown for rows created in the same ovs-vsctl invoca‐
902 tion will be wrong.
903 [--if-exists] [--id=@name] get table record [column[:key]]...
905 Prints the value of each specified column in the given record in
906 table. For map columns, a key may optionally be specified, in
907 which case the value associated with key in the column is
908 printed, instead of the entire map.
909 Without --if-exists, it is an error if record does not exist or
911 key is specified, if key does not exist in record. With
912 --if-exists, a missing record yields no output and a missing key
913 prints a blank line.
914 If @name is specified, then the UUID for record may be referred
916 to by that name later in the same ovs-vsctl invocation in con‐
917 texts where a UUID is expected.
918 Both --id and the column arguments are optional, but usually at
920 least one or the other should be specified. If both are omit‐
921 ted, then get has no effect except to verify that record exists
922 in table.
923 --id and --if-exists cannot be used together.
925 [--if-exists] set table record column[:key]=value...
927 Sets the value of each specified column in the given record in
928 table to value. For map columns, a key may optionally be speci‐
929 fied, in which case the value associated with key in that column
930 is changed (or added, if none exists), instead of the entire
931 map.
932 Without --if-exists, it is an error if record does not exist.
934 With --if-exists, this command does nothing if record does not
935 exist.
936 [--if-exists] add table record column [key=]value...
938 Adds the specified value or key-value pair to column in record
939 in table. If column is a map, then key is required, otherwise
940 it is prohibited. If key already exists in a map column, then
941 the current value is not replaced (use the set command to
942 replace an existing value).
943 Without --if-exists, it is an error if record does not exist.
945 With --if-exists, this command does nothing if record does not
946 exist.
947 [--if-exists] remove table record column value...
949 [--if-exists] remove table record column key...
950 [--if-exists] remove table record column key=value...
951 Removes the specified values or key-value pairs from column in
952 record in table. The first form applies to columns that are not
953 maps: each specified value is removed from the column. The sec‐
954 ond and third forms apply to map columns: if only a key is spec‐
955 ified, then any key-value pair with the given key is removed,
956 regardless of its value; if a value is given then a pair is
957 removed only if both key and value match.
958 It is not an error if the column does not contain the specified
960 key or value or pair.
961 Without --if-exists, it is an error if record does not exist.
963 With --if-exists, this command does nothing if record does not
964 exist.
965 [--if-exists] clear table record column...
967 Sets each column in record in table to the empty set or empty
968 map, as appropriate. This command applies only to columns that
969 are allowed to be empty.
970 Without --if-exists, it is an error if record does not exist.
972 With --if-exists, this command does nothing if record does not
973 exist.
974 [--id=@name] create table column[:key]=value...
976 Creates a new record in table and sets the initial values of
977 each column. Columns not explicitly set will receive their
978 default values. Outputs the UUID of the new row.
979 If @name is specified, then the UUID for the new row may be
981 referred to by that name elsewhere in the same ovs-vsctl invoca‐
982 tion in contexts where a UUID is expected. Such references may
983 precede or follow the create command.
984 Caution (ovs-vsctl as example)
986 Records in the Open vSwitch database are significant only
987 when they can be reached directly or indirectly from the
988 Open_vSwitch table. Except for records in the QoS or
989 Queue tables, records that are not reachable from the
990 Open_vSwitch table are automatically deleted from the
991 database. This deletion happens immediately, without
992 waiting for additional ovs-vsctl commands or other data‐
993 base activity. Thus, a create command must generally be
994 accompanied by additional commands within the same
995 ovs-vsctl invocation to add a chain of references to the
996 newly created record from the top-level Open_vSwitch
997 record. The EXAMPLES section gives some examples that
998 show how to do this.
999 [--if-exists] destroy table record...
1001 Deletes each specified record from table. Unless --if-exists is
1002 specified, each records must exist.
1003 --all destroy table
1005 Deletes all records from the table.
1006 Caution (ovs-vsctl as example)
1008 The destroy command is only useful for records in the QoS
1009 or Queue tables. Records in other tables are automati‐
1010 cally deleted from the database when they become unreach‐
1011 able from the Open_vSwitch table. This means that delet‐
1012 ing the last reference to a record is sufficient for
1013 deleting the record itself. For records in these tables,
1014 destroy is silently ignored. See the EXAMPLES section
1015 below for more information.
1016 wait-until table record [column[:key]=value]...
1018 Waits until table contains a record named record whose column
1019 equals value or, if key is specified, whose column contains a
1020 key with the specified value. Any of the operators !=, <, >,
1021 <=, or >= may be substituted for = to test for inequality, less
1022 than, greater than, less than or equal to, or greater than or
1023 equal to, respectively. (Don't forget to escape < or > from
1024 interpretation by the shell.)
1025 If no column[:key]=value arguments are given, this command waits
1027 only until record exists. If more than one such argument is
1028 given, the command waits until all of them are satisfied.
1029 Caution (ovs-vsctl as example)
1031 Usually wait-until should be placed at the beginning of a
1032 set of ovs-vsctl commands. For example, wait-until
1033 bridge br0 -- get bridge br0 datapath_id waits until a
1034 bridge named br0 is created, then prints its datapath_id
1035 column, whereas get bridge br0 datapath_id -- wait-until
1036 bridge br0 will abort if no bridge named br0 exists when
1037 ovs-vsctl initially connects to the database.
1038 Consider specifying --timeout=0 along with --wait-until, to pre‐
1040 vent ovs-vsctl from terminating after waiting only at most 5
1041 seconds.
1042 comment [arg]...
1044 This command has no effect on behavior, but any database log
1045 record created by the command will include the command and its
1046 arguments.
1047
1049 Create a new bridge named br0 and add port eth0 to it:
1050 ovs-vsctl add-br br0
1052 ovs-vsctl add-port br0 eth0
1053 Alternatively, perform both operations in a single atomic transaction:
1055 ovs-vsctl add-br br0 -- add-port br0 eth0
1057 Delete bridge br0, reporting an error if it does not exist:
1059 ovs-vsctl del-br br0
1061 Delete bridge br0 if it exists:
1063 ovs-vsctl --if-exists del-br br0
1065 Set the qos column of the Port record for eth0 to point to a new QoS
1067 record, which in turn points with its queue 0 to a new Queue record:
1068 ovs-vsctl -- set port eth0 qos=@newqos -- --id=@newqos create
1070 qos type=linux-htb other-config:max-rate=1000000
1071 queues:0=@newqueue -- --id=@newqueue create queue other-con‐
1072 fig:min-rate=1000000 other-config:max-rate=1000000
1073
1075 Port Configuration
1076 Add an ``internal port'' vlan10 to bridge br0 as a VLAN access port for
1077 VLAN 10, and configure it with an IP address:
1078 ovs-vsctl add-port br0 vlan10 tag=10 -- set Interface vlan10
1080 type=internal
1081 ip addr add 192.168.0.123/24 dev vlan10
1083 Add a GRE tunnel port gre0 to remote IP address 1.2.3.4 to bridge br0:
1085 ovs-vsctl add-port br0 gre0 -- set Interface gre0 type=gre
1087 options:remote_ip=1.2.3.4
1088 Port Mirroring
1090 Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
1091 that all of those ports exist on bridge br0 (as a side-effect this
1092 causes any packets received on eth2 to be ignored):
1093 ovs-vsctl -- set Bridge br0 mirrors=@m \
1095 -- --id=@eth0 get Port eth0 \
1097 -- --id=@eth1 get Port eth1 \
1099 -- --id=@eth2 get Port eth2 \
1101 -- --id=@m create Mirror name=mymirror select-dst-
1103 port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2
1104 Remove the mirror created above from br0, which also destroys the Mir‐
1106 ror record (since it is now unreferenced):
1107 ovs-vsctl -- --id=@rec get Mirror mymirror \
1109 -- remove Bridge br0 mirrors @rec
1111 The following simpler command also works:
1113 ovs-vsctl clear Bridge br0 mirrors
1115 Quality of Service (QoS)
1117 Create a linux-htb QoS record that points to a few queues and use it on
1118 eth0 and eth1:
1119 ovs-vsctl -- set Port eth0 qos=@newqos \
1121 -- set Port eth1 qos=@newqos \
1123 -- --id=@newqos create QoS type=linux-htb other-con‐
1125 fig:max-rate=1000000000 queues=0=@q0,1=@q1 \
1126 -- --id=@q0 create Queue other-config:min-rate=100000000
1128 other-config:max-rate=100000000 \
1129 -- --id=@q1 create Queue other-config:min-rate=500000000
1131 Deconfigure the QoS record above from eth1 only:
1133 ovs-vsctl clear Port eth1 qos
1135 To deconfigure the QoS record from both eth0 and eth1 and then delete
1137 the QoS record (which must be done explicitly because unreferenced QoS
1138 records are not automatically destroyed):
1139 ovs-vsctl -- destroy QoS eth0 -- clear Port eth0 qos -- clear
1141 Port eth1 qos
1142 (This command will leave two unreferenced Queue records in the data‐
1144 base. To delete them, use "ovs-vsctl list Queue" to find their UUIDs,
1145 then "ovs-vsctl destroy Queue uuid1 uuid2" to destroy each of them or
1146 use "ovs-vsctl -- --all destroy Queue" to delete all records.)
1147 Connectivity Monitoring
1149 Monitor connectivity to a remote maintenance point on eth0.
1150 ovs-vsctl set Interface eth0 cfm_mpid=1
1152 Deconfigure connectivity monitoring from above:
1154 ovs-vsctl clear Interface eth0 cfm_mpid
1156 NetFlow
1158 Configure bridge br0 to send NetFlow records to UDP port 5566 on host
1159 192.168.0.34, with an active timeout of 30 seconds:
1160 ovs-vsctl -- set Bridge br0 netflow=@nf \
1162 -- --id=@nf create NetFlow targets=\"192.168.0.34:5566\"
1164 active-timeout=30
1165 Update the NetFlow configuration created by the previous command to
1167 instead use an active timeout of 60 seconds:
1168 ovs-vsctl set NetFlow br0 active_timeout=60
1170 Deconfigure the NetFlow settings from br0, which also destroys the Net‐
1172 Flow record (since it is now unreferenced):
1173 ovs-vsctl clear Bridge br0 netflow
1175 sFlow
1177 Configure bridge br0 to send sFlow records to a collector on 10.0.0.1
1178 at port 6343, using eth1´s IP address as the source, with specific sam‐
1179 pling parameters:
1180 ovs-vsctl -- --id=@s create sFlow agent=eth1 tar‐
1182 get=\"10.0.0.1:6343\" header=128 sampling=64 polling=10 \
1183 -- set Bridge br0 sflow=@s
1185 Deconfigure sFlow from br0, which also destroys the sFlow record (since
1187 it is now unreferenced):
1188 ovs-vsctl -- clear Bridge br0 sflow
1190 IPFIX
1192 Configure bridge br0 to send one IPFIX flow record per packet sample to
1193 UDP port 4739 on host 192.168.0.34, with Observation Domain ID 123 and
1194 Observation Point ID 456, a flow cache active timeout of 1 minute (60
1195 seconds), maximum flow cache size of 13 flows, and flows sampled on
1196 output port with tunnel info(sampling on input and output port is
1197 enabled by default if not disabled) :
1198 ovs-vsctl -- set Bridge br0 ipfix=@i \
1200 -- --id=@i create IPFIX targets=\"192.168.0.34:4739\"
1202 obs_domain_id=123 obs_point_id=456 cache_active_timeout=60
1203 cache_max_flows=13 \
1204 other_config:enable-input-sampling=false other_config:enable-
1206 tunnel-sampling=true
1207 Deconfigure the IPFIX settings from br0, which also destroys the IPFIX
1209 record (since it is now unreferenced):
1210 ovs-vsctl clear Bridge br0 ipfix
1212 802.1D Spanning Tree Protocol (STP)
1214 Configure bridge br0 to participate in an 802.1D spanning tree:
1215 ovs-vsctl set Bridge br0 stp_enable=true
1217 Set the bridge priority of br0 to 0x7800:
1219 ovs-vsctl set Bridge br0 other_config:stp-priority=0x7800
1221 Set the path cost of port eth0 to 10:
1223 ovs-vsctl set Port eth0 other_config:stp-path-cost=10
1225 Deconfigure STP from above:
1227 ovs-vsctl set Bridge br0 stp_enable=false
1229 Multicast Snooping
1231 Configure bridge br0 to enable multicast snooping:
1232 ovs-vsctl set Bridge br0 mcast_snooping_enable=true
1234 Set the multicast snooping aging time br0 to 300 seconds:
1236 ovs-vsctl set Bridge br0 other_config:mcast-snooping-aging-
1238 time=300
1239 Set the multicast snooping table size br0 to 2048 entries:
1241 ovs-vsctl set Bridge br0 other_config:mcast-snooping-table-
1243 size=2048
1244 Disable flooding of unregistered multicast packets to all ports. When
1246 set to true, the switch will send unregistered multicast packets only
1247 to ports connected to multicast routers. When it is set to false, the
1248 switch will send them to all ports. This command disables the flood of
1249 unregistered packets on bridge br0.
1250 ovs-vsctl set Bridge br0 other_config:mcast-snooping-disable-
1252 flood-unregistered=true
1253 Enable flooding of multicast packets (except Reports) on a specific
1255 port.
1256 ovs-vsctl set Port eth1 other_config:mcast-snooping-flood=true
1258 Enable flooding of Reports on a specific port.
1260 ovs-vsctl set Port eth1 other_config:mcast-snooping-flood-
1262 reports=true
1263 Deconfigure multicasting snooping from above:
1265 ovs-vsctl set Bridge br0 mcast_snooping_enable=false
1267 802.1D-2004 Rapid Spanning Tree Protocol (RSTP)
1269 Configure bridge br0 to participate in an 802.1D-2004 Rapid Spanning
1270 Tree:
1271 ovs-vsctl set Bridge br0 rstp_enable=true
1273 Set the bridge address of br0 to 00:aa:aa:aa:aa:aa :
1275 ovs-vsctl set Bridge br0 other_config:rstp-
1277 address=00:aa:aa:aa:aa:aa
1278 Set the bridge priority of br0 to 0x7000. The value must be specified
1280 in decimal notation and should be a multiple of 4096 (if not, it is
1281 rounded down to the nearest multiple of 4096). The default priority
1282 value is 0x800 (32768).
1283 ovs-vsctl set Bridge br0 other_config:rstp-priority=28672
1285 Set the bridge ageing time of br0 to 1000 s. The ageing time value
1287 should be between 10 s and 1000000 s. The default value is 300 s.
1288 ovs-vsctl set Bridge br0 other_config:rstp-ageing-time=1000
1290 Set the bridge force protocol version of br0 to 0. The force protocol
1292 version has two acceptable values: 0 (STP compatibility mode) and 2
1293 (normal operation).
1294 ovs-vsctl set Bridge br0 other_config:rstp-force-protocol-ver‐
1296 sion=0
1297 Set the bridge max age of br0 to 10 s. The max age value should be
1299 between 6 s and 40 s. The default value is 20 s.
1300 ovs-vsctl set Bridge br0 other_config:rstp-max-age=10
1302 Set the bridge forward delay of br0 to 15 s. This value should be
1304 between 4 s and 30 s. The default value is 15 s.
1305 ovs-vsctl set Bridge br0 other_config:rstp-forward-delay=15
1307 Set the bridge transmit hold count of br0 to 7 s. This value should be
1309 between 1 s and 10 s. The default value is 6 s.
1310 ovs-vsctl set Bridge br0 other_config:rstp-transmit-hold-count=7
1312 Enable RSTP on the Port eth0:
1314 ovs-vsctl set Port eth0 other_config:rstp-enable=true
1316 Disable RSTP on the Port eth0:
1318 ovs-vsctl set Port eth0 other_config:rstp-enable=false
1320 Set the priority of port eth0 to 32. The value must be specified in
1322 decimal notation and should be a multiple of 16 (if not, it is rounded
1323 down to the nearest multiple of 16). The default priority value is 0x80
1324 (128).
1325 ovs-vsctl set Port eth0 other_config:rstp-port-priority=32
1327 Set the port number of port eth0 to 3:
1329 ovs-vsctl set Port eth0 other_config:rstp-port-num=3
1331 Set the path cost of port eth0 to 150:
1333 ovs-vsctl set Port eth0 other_config:rstp-path-cost=150
1335 Set the admin edge value of port eth0:
1337 ovs-vsctl set Port eth0 other_config:rstp-port-admin-edge=true
1339 Set the auto edge value of port eth0:
1341 ovs-vsctl set Port eth0 other_config:rstp-port-auto-edge=true
1343 Set the admin point to point MAC value of port eth0. Acceptable values
1345 are 0 (not point-to-point), 1 (point-to-point, the default value) or 2
1346 (automatic detection). The auto-detection mode is not currently imple‐
1347 mented, and the value 2 has the same effect of 0 (not point-to-point).
1348 ovs-vsctl set Port eth0 other_config:rstp-admin-p2p-mac=1
1350 Set the admin port state value of port eth0. true is the default
1352 value.
1353 ovs-vsctl set Port eth0 other_config:rstp-admin-port-state=false
1355 Set the mcheck value of port eth0:
1357 ovs-vsctl set Port eth0 other_config:rstp-port-mcheck=true
1359 Deconfigure RSTP from above:
1361 ovs-vsctl set Bridge br0 rstp_enable=false
1363 OpenFlow Version
1365 Configure bridge br0 to support OpenFlow versions 1.0, 1.2, and 1.3:
1366 ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow12,Open‐
1368 Flow13
1369 Flow Table Configuration
1371 Make flow table 0 on bridge br0 refuse to accept more than 100 flows:
1372 ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 over‐
1374 flow_policy=refuse -- set Bridge br0 flow_tables=0=@ft
1375 Make flow table 0 on bridge br0 evict flows, with fairness based on the
1377 matched ingress port, when there are more than 100:
1378 ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 over‐
1380 flow_policy=evict groups='"NXM_OF_IN_PORT[]"' -- set Bridge br0
1381 flow_tables:0=@ft
1382
1384 0 Successful program execution.
1385 1 Usage, syntax, or configuration file error.
1387 2 The bridge argument to br-exists specified the name of a bridge
1389 that does not exist.
1390
1392 ovsdb-server(1), ovs-vswitchd(8), ovs-vswitchd.conf.db(5).
1393Open vSwitch 2.10.0 ovs-vsctl(8)