ovs-vsctl(8)                  Open vSwitch Manual                 ovs-vsctl(8)

NAME

       ovs-vsctl - utility for querying and configuring ovs-vswitchd

SYNOPSIS

       ovs-vsctl [options] -- [options] command [args] [-- [options] command
       [args]]...

DESCRIPTION

       The ovs-vsctl program configures ovs-vswitchd(8) by providing a
       high-level interface to its configuration database.  See
       ovs-vswitchd.conf.db(5) for comprehensive documentation of the database
       schema.

       ovs-vsctl connects to an ovsdb-server process that maintains an Open
       vSwitch configuration database.  Using this connection, it queries and
       possibly applies changes to the database, depending on the supplied
       commands.  Then, if it applied any changes, by default it waits until
       ovs-vswitchd has finished reconfiguring itself before it exits.  (If
       you use ovs-vsctl when ovs-vswitchd is not running, use --no-wait.)

       ovs-vsctl can perform any number of commands in a single run,
       implemented as a single atomic transaction against the database.

       The ovs-vsctl command line begins with global options (see OPTIONS
       below for details).  The global options are followed by one or more
       commands.  Each command should begin with -- by itself as a
       command-line argument, to separate it from the following commands.
       (The -- before the first command is optional.)  The command itself
       starts with command-specific options, if any, followed by the command
       name and any arguments.  See EXAMPLES below for syntax examples.

   Linux VLAN Bridging Compatibility
       The ovs-vsctl program supports the model of a bridge implemented by
       Open vSwitch, in which a single bridge supports ports on multiple
       VLANs.  In this model, each port on a bridge is either a trunk port
       that potentially passes packets tagged with 802.1Q headers that
       designate VLANs or it is assigned a single implicit VLAN that is never
       tagged with an 802.1Q header.

       For compatibility with software designed for the Linux bridge,
       ovs-vsctl also supports a model in which traffic associated with a
       given 802.1Q VLAN is segregated into a separate bridge.  A special form
       of the add-br command (see below) creates a ``fake bridge'' within an
       Open vSwitch bridge to simulate this behavior.  When such a ``fake
       bridge'' is active, ovs-vsctl will treat it much like a bridge separate
       from its ``parent bridge,'' but the actual implementation in Open
       vSwitch uses only a single bridge, with ports on the fake bridge
       assigned the implicit VLAN of the fake bridge of which they are
       members.  (A fake bridge for VLAN 0 receives packets that have no
       802.1Q tag or a tag with VLAN 0.)

OPTIONS

       The following options affect the behavior of ovs-vsctl as a whole.
       Some individual commands also accept their own options, which are
       given just before the command name.  If the first command on the
       command line has options, then those options must be separated from
       the global options by --.

       --db=server
              Sets server as the database server that ovs-vsctl contacts to
              query or modify configuration.  server may be an OVSDB active or
              passive connection method, as described in ovsdb(7).  The
              default is unix:/var/run/openvswitch/db.sock.

       --no-wait
              Prevents ovs-vsctl from waiting for ovs-vswitchd to reconfigure
              itself according to the modified database.  This option should
              be used if ovs-vswitchd is not running; otherwise, ovs-vsctl
              will not exit until ovs-vswitchd starts.

              This option has no effect if the commands specified do not
              change the database.

       --no-syslog
              By default, ovs-vsctl logs its arguments and the details of any
              changes that it makes to the system log.  This option disables
              this logging.

              This option is equivalent to --verbose=vsctl:syslog:warn.

       --oneline
              Modifies the output format so that the output for each command
              is printed on a single line.  New-line characters that would
              otherwise separate lines are printed as \n, and any instances of
              \ that would otherwise appear in the output are doubled.  Prints
              a blank line for each command that has no output.  This option
              does not affect the formatting of output from the list or find
              commands; see Table Formatting Options below.

       --dry-run
              Prevents ovs-vsctl from actually modifying the database.

       -t secs
       --timeout=secs
              By default, or with a secs of 0, ovs-vsctl waits forever for a
              response from the database.  This option limits runtime to
              approximately secs seconds.  If the timeout expires, ovs-vsctl
              will exit with a SIGALRM signal.  (A timeout would normally
              happen only if the database cannot be contacted, or if the
              system is overloaded.)

       --retry
              Without this option, if ovs-vsctl connects outward to the
              database server (the default) then ovs-vsctl will try to connect
              once and exit with an error if the connection fails (which
              usually means that ovsdb-server is not running).

              With this option, or if --db specifies that ovs-vsctl should
              listen for an incoming connection from the database server, then
              ovs-vsctl will wait for a connection to the database forever.

              Regardless of this setting, --timeout always limits how long
              ovs-vsctl will wait.

   Table Formatting Options
       These options control the format of output from the list and find
       commands.

       -f format
       --format=format
              Sets the type of table formatting.  The following types of
              format are available:

              table  2-D text tables with aligned columns.

              list (default)
                     A list with one column per line and rows separated by a
                     blank line.

              html   HTML tables.

              csv    Comma-separated values as defined in RFC 4180.

              json   JSON format as defined in RFC 4627.  The output is a
                     sequence of JSON objects, each of which corresponds to
                     one table.  Each JSON object has the following members
                     with the noted values:

                     caption
                            The table's caption.  This member is omitted if
                            the table has no caption.

                     headings
                            An array with one element per table column.  Each
                            array element is a string giving the corresponding
                            column's heading.

                     data   An array with one element per table row.  Each
                            element is also an array with one element per
                            table column.  The elements of this second-level
                            array are the cells that constitute the table.
                            Cells that represent OVSDB data or data types are
                            expressed in the format described in the OVSDB
                            specification; other cells are simply expressed as
                            text strings.

       -d format
       --data=format
              Sets the formatting for cells within output tables unless the
              table format is set to json, in which case json formatting is
              always used when formatting cells.  The following types of
              format are available:

              string (default)
                     The simple format described in the Database Values
                     section below.

              bare   The simple format with punctuation stripped off: [] and
                     {} are omitted around sets, maps, and empty columns,
                     items within sets and maps are space-separated, and
                     strings are never quoted.  This format may be easier for
                     scripts to parse.

              json   The RFC 4627 JSON format as described above.

       --no-headings
              This option suppresses the heading row that otherwise appears in
              the first row of table output.

       --pretty
              By default, JSON in output is printed as compactly as possible.
              This option causes JSON in output to be printed in a more
              readable fashion.  Members of objects and elements of arrays are
              printed one per line, with indentation.

              This option does not affect JSON in tables, which is always
              printed compactly.

       --bare Equivalent to --format=list --data=bare --no-headings.

       --max-column-width=n
              For table output only, limits the width of any column in the
              output to n columns.  Longer cell data is truncated to fit, as
              necessary.  Columns are always wide enough to display the column
              names, if the heading row is printed.

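The --format=json layout described above can be decoded as shown here. This is an added example, not part of the Open vSwitch manual or source: it reads the sequence of table objects, unwraps OVSDB uuid, set and map cells, and reports Controller rows whose target uses the tcp: form rather than ssl:. The sample output, its addresses and its UUIDs are constructed for illustration.

```python
import json

# Constructed sample of `ovs-vsctl --format=json list Controller` output,
# trimmed to a few columns. Addresses and UUIDs are placeholders.
SAMPLE = """\
{"headings":["_uuid","target","is_connected","external_ids"],
 "data":[[["uuid","11111111-1111-4111-8111-111111111111"],"ssl:192.0.2.10:6653",true,["map",[["owner","netops"]]]],
         [["uuid","22222222-2222-4222-8222-222222222222"],"tcp:192.0.2.11:6653",false,["map",[]]],
         [["uuid","33333333-3333-4333-8333-333333333333"],"unix:/var/run/openvswitch/ctl.sock",true,["map",[]]]]}
"""


def decode_cell(cell):
    """Unwrap the OVSDB JSON encodings for uuid, set and map values."""
    if isinstance(cell, list) and len(cell) == 2 and isinstance(cell[0], str):
        tag, body = cell
        if tag == "uuid":
            return body
        if tag == "set":
            return [decode_cell(item) for item in body]
        if tag == "map":
            return {decode_cell(k): decode_cell(v) for k, v in body}
    return cell


def parse_tables(text):
    """Parse the sequence of JSON table objects that --format=json prints."""
    decoder = json.JSONDecoder()
    tables, pos = [], 0
    while True:
        # Skip whitespace between concatenated objects before decoding.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return tables
        obj, pos = decoder.raw_decode(text, pos)
        headings = obj["headings"]
        rows = [dict(zip(headings, map(decode_cell, row))) for row in obj["data"]]
        # "caption" is omitted when the table has none.
        tables.append({"caption": obj.get("caption"), "rows": rows})


def plaintext_controllers(text):
    """Return (uuid, target) for Controller rows that use the tcp: form."""
    return [
        (row.get("_uuid"), row["target"])
        for table in parse_tables(text)
        for row in table["rows"]
        if isinstance(row.get("target"), str) and row["target"].startswith("tcp:")
    ]


if __name__ == "__main__":
    for uuid, target in plaintext_controllers(SAMPLE):
        print(f"unencrypted controller channel: {target} (row {uuid})")
```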

   Public Key Infrastructure Options
       -p privkey.pem
       --private-key=privkey.pem
              Specifies a PEM file containing the private key used as
              ovs-vsctl's identity for outgoing SSL connections.

       -c cert.pem
       --certificate=cert.pem
              Specifies a PEM file containing a certificate that certifies the
              private key specified on -p or --private-key to be trustworthy.
              The certificate must be signed by the certificate authority (CA)
              that the peer in SSL connections will use to verify it.

       -C cacert.pem
       --ca-cert=cacert.pem
              Specifies a PEM file containing the CA certificate that
              ovs-vsctl should use to verify certificates presented to it by
              SSL peers.  (This may be the same certificate that SSL peers use
              to verify the certificate specified on -c or --certificate, or
              it may be a different one, depending on the PKI design in use.)

       -C none
       --ca-cert=none
              Disables verification of certificates presented by SSL peers.
              This introduces a security risk, because it means that
              certificates cannot be verified to be those of known trusted
              hosts.

       --bootstrap-ca-cert=cacert.pem
              When cacert.pem exists, this option has the same effect as -C or
              --ca-cert.  If it does not exist, then ovs-vsctl will attempt to
              obtain the CA certificate from the SSL peer on its first SSL
              connection and save it to the named PEM file.  If it is
              successful, it will immediately drop the connection and
              reconnect, and from then on all SSL connections must be
              authenticated by a certificate signed by the CA certificate thus
              obtained.

              This option exposes the SSL connection to a man-in-the-middle
              attack while obtaining the initial CA certificate, but it may be
              useful for bootstrapping.

              This option is only useful if the SSL peer sends its CA
              certificate as part of the SSL certificate chain.  The SSL
              protocol does not require the server to send the CA certificate.

              This option is mutually exclusive with -C and --ca-cert.

       --peer-ca-cert=peer-cacert.pem
              Specifies a PEM file that contains one or more additional
              certificates to send to SSL peers.  peer-cacert.pem should be
              the CA certificate used to sign ovs-vsctl's own certificate,
              that is, the certificate specified on -c or --certificate.  If
              ovs-vsctl's certificate is self-signed, then --certificate and
              --peer-ca-cert should specify the same file.

              This option is not useful in normal operation, because the SSL
              peer must already have the CA certificate for the peer to have
              any confidence in ovs-vsctl's identity.  However, this offers a
              way for a new installation to bootstrap the CA certificate on
              its first SSL connection.

       -v[spec]
       --verbose=[spec]
              Sets logging levels.  Without any spec, sets the log level for
              every module and destination to dbg.  Otherwise, spec is a list
              of words separated by spaces or commas or colons, up to one from
              each category below:

              •      A valid module name, as displayed by the vlog/list
                     command on ovs-appctl(8), limits the log level change to
                     the specified module.

              •      syslog, console, or file, to limit the log level change
                     to only the system log, the console, or a file,
                     respectively.  (If --detach is specified, ovs-vsctl
                     closes its standard file descriptors, so logging to the
                     console will have no effect.)

                     On the Windows platform, syslog is accepted as a word
                     and is only useful along with the --syslog-target option
                     (the word has no effect otherwise).

              •      off, emer, err, warn, info, or dbg, to control the log
                     level.  Messages of the given severity or higher will be
                     logged, and messages of lower severity will be filtered
                     out.  off filters out all messages.  See ovs-appctl(8)
                     for a definition of each log level.

              Case is not significant within spec.

              Regardless of the log levels set for file, logging to a file
              will not take place unless --log-file is also specified (see
              below).

              For compatibility with older versions of OVS, any is accepted as
              a word but has no effect.

       -v
       --verbose
              Sets the maximum logging verbosity level, equivalent to
              --verbose=dbg.

       -vPATTERN:destination:pattern
       --verbose=PATTERN:destination:pattern
              Sets the log pattern for destination to pattern.  Refer to
              ovs-appctl(8) for a description of the valid syntax for pattern.

       -vFACILITY:facility
       --verbose=FACILITY:facility
              Sets the RFC5424 facility of the log message.  facility can be
              one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
              clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
              local3, local4, local5, local6 or local7.  If this option is not
              specified, daemon is used as the default for the local system
              syslog and local0 is used while sending a message to the target
              provided via the --syslog-target option.

       --log-file[=file]
              Enables logging to a file.  If file is specified, then it is
              used as the exact name for the log file.  The default log file
              name used if file is omitted is
              /var/log/openvswitch/ovs-vsctl.log.

       --syslog-target=host:port
              Send syslog messages to UDP port on host, in addition to the
              system syslog.  The host must be a numerical IP address, not a
              hostname.

       --syslog-method=method
              Specifies how syslog messages are sent to the syslog daemon.
              The following forms are supported:

              •      libc, use the libc syslog() function.  The downside of
                     using this option is that libc adds a fixed prefix to
                     every message before it is actually sent to the syslog
                     daemon over the /dev/log UNIX domain socket.

              •      unix:file, use a UNIX domain socket directly.  It is
                     possible to specify an arbitrary message format with
                     this option.  However, rsyslogd 8.9 and older versions
                     use a hard-coded parser function anyway that limits UNIX
                     domain socket use.  If you want to use an arbitrary
                     message format with older rsyslogd versions, then use a
                     UDP socket to the localhost IP address instead.

              •      udp:ip:port, use a UDP socket.  With this method it is
                     possible to use an arbitrary message format with older
                     rsyslogd as well.  When sending syslog messages over a
                     UDP socket, extra precautions need to be taken: for
                     example, the syslog daemon needs to be configured to
                     listen on the specified UDP port, accidental iptables
                     rules could interfere with local syslog traffic, and
                     there are some security considerations that apply to UDP
                     sockets but do not apply to UNIX domain sockets.

              •      null, discards all messages logged to syslog.

              The default is taken from the OVS_SYSLOG_METHOD environment
              variable; if it is unset, the default is libc.

       -h
       --help Prints a brief help message to the console.

       -V
       --version
              Prints version information to the console.

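A pre-flight check for the certificate options under Public Key Infrastructure Options and for --no-syslog, given as an added example that is not part of Open vSwitch. It inspects only the global options that precede the first command; the option tables come from this page, while the finding names and any file paths passed to it are made up for illustration.

```python
import os

# Global options from this page that take a value, in long and short spelling.
LONG_WITH_ARG = {
    "--db", "--timeout", "--format", "--data", "--max-column-width",
    "--private-key", "--certificate", "--ca-cert", "--bootstrap-ca-cert",
    "--peer-ca-cert", "--syslog-target", "--syslog-method",
}
SHORT_TO_LONG = {
    "-t": "--timeout", "-f": "--format", "-d": "--data",
    "-p": "--private-key", "-c": "--certificate", "-C": "--ca-cert",
}


def global_options(argv):
    """Collect {long option name: value} up to the first command or bare --.

    Simplified model of the command-line layout in DESCRIPTION: global
    options come first, and command-specific options are not inspected.
    """
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--" or not tok.startswith("-"):
            break
        if tok.startswith("--"):
            name, has_value, value = tok.partition("=")
            takes_next = not has_value and name in LONG_WITH_ARG
        else:
            short, value = tok[:2], tok[2:]
            name = SHORT_TO_LONG.get(short, short)
            takes_next = not value and short in SHORT_TO_LONG
        if takes_next:
            i += 1
            value = argv[i] if i < len(argv) else ""
        opts[name] = value
        i += 1
    return opts


def lint(argv, exists=os.path.exists):
    """Return a list of (finding, explanation) for risky global options."""
    opts = global_options(argv)
    findings = []
    if opts.get("--ca-cert") == "none":
        findings.append(("ca-cert-none",
                         "peer certificates are not verified"))
    bootstrap = opts.get("--bootstrap-ca-cert")
    if bootstrap is not None:
        if "--ca-cert" in opts:
            findings.append(("ca-cert-conflict",
                             "--bootstrap-ca-cert is mutually exclusive "
                             "with -C/--ca-cert"))
        elif not exists(bootstrap):
            # File absent: the CA certificate is accepted from the peer
            # on the first connection, which is the exposed step.
            findings.append(("bootstrap-first-use",
                             f"{bootstrap} is absent, so the CA certificate "
                             "will be taken from the peer on first connection"))
    if "--no-syslog" in opts:
        findings.append(("no-syslog",
                         "arguments and database changes will not be logged"))
    return findings


if __name__ == "__main__":
    # Hypothetical invocation; the path is a placeholder.
    for code, why in lint(["--bootstrap-ca-cert=/nonexistent/ca.pem",
                           "--no-syslog", "show"]):
        print(f"{code}: {why}")
```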

COMMANDS

       The commands implemented by ovs-vsctl are described in the sections
       below.

   Open vSwitch Commands
       These commands work with an Open vSwitch as a whole.

       init   Initializes the Open vSwitch database, if it is empty.  If the
              database has already been initialized, this command has no
              effect.

              Any successful ovs-vsctl command automatically initializes the
              Open vSwitch database if it is empty.  This command is provided
              to initialize the database without executing any other command.

       show   Prints a brief overview of the database contents.

       emer-reset
              Reset the configuration into a clean state.  It deconfigures
              OpenFlow controllers, OVSDB servers, and SSL, and deletes port
              mirroring, fail_mode, NetFlow, sFlow, and IPFIX configuration.
              This command also removes all other-config keys from all
              database records, except that other-config:hwaddr is preserved
              if it is present in a Bridge record.  Other networking
              configuration is left as-is.

   Bridge Commands
       These commands examine and manipulate Open vSwitch bridges.

       [--may-exist] add-br bridge
              Creates a new bridge named bridge.  Initially the bridge will
              have no ports (other than bridge itself).

              Without --may-exist, attempting to create a bridge that exists
              is an error.  With --may-exist, this command does nothing if
              bridge already exists as a real bridge.

       [--may-exist] add-br bridge parent vlan
              Creates a ``fake bridge'' named bridge within the existing Open
              vSwitch bridge parent, which must already exist and must not
              itself be a fake bridge.  The new fake bridge will be on 802.1Q
              VLAN vlan, which must be an integer between 0 and 4095.  The
              parent bridge must not already have a fake bridge for vlan.
              Initially bridge will have no ports (other than bridge itself).

              Without --may-exist, attempting to create a bridge that exists
              is an error.  With --may-exist, this command does nothing if
              bridge already exists as a VLAN bridge under parent for vlan.

       [--if-exists] del-br bridge
              Deletes bridge and all of its ports.  If bridge is a real
              bridge, this command also deletes any fake bridges that were
              created with bridge as parent, including all of their ports.

              Without --if-exists, attempting to delete a bridge that does not
              exist is an error.  With --if-exists, attempting to delete a
              bridge that does not exist has no effect.

       [--real|--fake] list-br
              Lists all existing real and fake bridges on standard output, one
              per line.  With --real or --fake, only bridges of that type are
              returned.

       br-exists bridge
              Tests whether bridge exists as a real or fake bridge.  If so,
              ovs-vsctl exits successfully with exit code 0.  If not,
              ovs-vsctl exits unsuccessfully with exit code 2.

       br-to-vlan bridge
              If bridge is a fake bridge, prints the bridge's 802.1Q VLAN as a
              decimal integer.  If bridge is a real bridge, prints 0.

       br-to-parent bridge
              If bridge is a fake bridge, prints the name of its parent
              bridge.  If bridge is a real bridge, prints bridge.

       br-set-external-id bridge key [value]
              Sets or clears an ``external ID'' value on bridge.  These values
              are intended to identify entities external to Open vSwitch with
              which bridge is associated, e.g. the bridge's identifier in a
              virtualization management platform.  The Open vSwitch database
              schema specifies well-known key values, but key and value are
              otherwise arbitrary strings.

              If value is specified, then key is set to value for bridge,
              overwriting any previous value.  If value is omitted, then key
              is removed from bridge's set of external IDs (if it was
              present).

              For real bridges, the effect of this command is similar to that
              of a set or remove command in the external-ids column of the
              Bridge table.  For fake bridges, it actually modifies keys with
              names prefixed by fake-bridge- in the Port table.

       br-get-external-id bridge [key]
              Queries the external IDs on bridge.  If key is specified, the
              output is the value for that key or the empty string if key is
              unset.  If key is omitted, the output is key=value, one per
              line, for each key-value pair.

              For real bridges, the effect of this command is similar to that
              of a get command in the external-ids column of the Bridge table.
              For fake bridges, it queries keys with names prefixed by
              fake-bridge- in the Port table.

   Port Commands
       These commands examine and manipulate Open vSwitch ports.  These
       commands treat a bonded port as a single entity.

       list-ports bridge
              Lists all of the ports within bridge on standard output, one per
              line.  The local port bridge is not included in the list.

       [--may-exist] add-port bridge port [column[:key]=value]...
              Creates on bridge a new port named port from the network device
              of the same name.

              Optional arguments set values of column in the Port record
              created by the command.  For example, tag=9 would make the port
              an access port for VLAN 9.  The syntax is the same as that for
              the set command (see Database Commands below).

              Without --may-exist, attempting to create a port that exists is
              an error.  With --may-exist, this command does nothing if port
              already exists on bridge and is not a bonded port.

       [--if-exists] del-port [bridge] port
              Deletes port.  If bridge is omitted, port is removed from
              whatever bridge contains it; if bridge is specified, it must be
              the real or fake bridge that contains port.

              Without --if-exists, attempting to delete a port that does not
              exist is an error.  With --if-exists, attempting to delete a
              port that does not exist has no effect.

       [--if-exists] --with-iface del-port [bridge] iface
              Deletes the port named iface or that has an interface named
              iface.  If bridge is omitted, the port is removed from whatever
              bridge contains it; if bridge is specified, it must be the real
              or fake bridge that contains the port.

              Without --if-exists, attempting to delete the port for an
              interface that does not exist is an error.  With --if-exists,
              attempting to delete the port for an interface that does not
              exist has no effect.

       port-to-br port
              Prints the name of the bridge that contains port on standard
              output.

   Bond Commands
       These commands work with ports that have more than one interface, which
       Open vSwitch calls ``bonds.''

       [--fake-iface] add-bond bridge port iface... [column[:key]=value]...
              Creates on bridge a new port named port that bonds together the
              network devices given as each iface.  At least two interfaces
              must be named.  If the interfaces are DPDK enabled then the
              transaction will need to include operations to explicitly set
              the interface type to 'dpdk'.

              Optional arguments set values of column in the Port record
              created by the command.  The syntax is the same as that for the
              set command (see Database Commands below).

              With --fake-iface, a fake interface with the name port is
              created.  This should only be used for compatibility with legacy
              software that requires it.

              Without --may-exist, attempting to create a port that exists is
              an error.  With --may-exist, this command does nothing if port
              already exists on bridge and bonds together exactly the
              specified interfaces.

       [--may-exist] add-bond-iface bond iface
              Adds iface as a new bond interface to the existing port bond.
              If bond previously had only one port, this transforms it into a
              bond.

              Without --may-exist, attempting to add an iface that is already
              part of bond is an error.  With --may-exist, this command does
              nothing if iface is already part of bond.  (It is still an error
              if iface is an interface of some other port or bond.)

       [--if-exists] del-bond-iface [bond] iface
              Removes iface from its port.  If bond is omitted, iface is
              removed from whatever port contains it; if bond is specified, it
              must be the port that contains iface.

              If removing iface causes its port to have only a single
              interface, then that port transforms from a bond into an
              ordinary port.  It is an error if iface is the only interface in
              its port.

              Without --if-exists, attempting to delete an interface that does
              not exist is an error.  With --if-exists, attempting to delete
              an interface that does not exist has no effect.

   Interface Commands
       These commands examine the interfaces attached to an Open vSwitch
       bridge.  These commands treat a bonded port as a collection of two or
       more interfaces, rather than as a single port.

       list-ifaces bridge
              Lists all of the interfaces within bridge on standard output,
              one per line.  The local port bridge is not included in the
              list.

       iface-to-br iface
              Prints the name of the bridge that contains iface on standard
              output.

   Conntrack Zone Commands
       These commands query and modify datapath CT zones and Timeout Policies.

       [--may-exist] add-zone-tp datapath zone=zone_id policies
              Creates a conntrack zone timeout policy with zone_id in
              datapath.  The policies consist of key=value pairs, separated by
              spaces.  For example, icmp_first=30 icmp_reply=60 specifies a
              30-second timeout policy for the first ICMP packet and a
              60-second policy for ICMP reply packets.  See the
              CT_Timeout_Policy table in ovs-vswitchd.conf.db(5) for the
              supported keys.

              Without --may-exist, attempting to add a zone_id that already
              exists is an error.  With --may-exist, this command does nothing
              if zone_id already exists.

       [--if-exists] del-zone-tp datapath zone=zone_id
              Delete the timeout policy associated with zone_id from datapath.

              Without --if-exists, attempting to delete a zone that does not
              exist is an error.  With --if-exists, attempting to delete a
              zone that does not exist has no effect.

       list-zone-tp datapath
              Prints the timeout policies of all zones in datapath.

   Datapath Capabilities Command
       This command queries datapath capabilities.

       list-dp-cap datapath
              Prints the datapath's capabilities.

   OpenFlow Controller Connectivity
       ovs-vswitchd can perform all configured bridging and switching locally,
       or it can be configured to communicate with one or more external
       OpenFlow controllers.  The switch is typically configured to connect to
       a primary controller that takes charge of the bridge's flow table to
       implement a network policy.  In addition, the switch can be configured
       to listen to connections from service controllers.  Service controllers
       are typically used for occasional support and maintenance, e.g. with
       ovs-ofctl.

       get-controller bridge
              Prints the configured controller target.

       del-controller bridge
              Deletes the configured controller target.

       set-controller bridge target...
              Sets the configured controller target or targets.  Each target
              may use any of the following forms:

              ssl:host[:port]
              tcp:host[:port]
                     The specified port on the given host, which can be
                     expressed either as a DNS name (if built with unbound
                     library) or an IP address in IPv4 or IPv6 address format.
                     Wrap IPv6 addresses in square brackets, e.g.
                     tcp:[::1]:6653.  On Linux, use %device to designate a
                     scope for IPv6 link-level addresses, e.g.
                     tcp:[fe80::1234%eth0]:6653.  For ssl, the --private-key,
                     --certificate, and --ca-cert options are mandatory.

                     If port is not specified, it defaults to 6653.

              unix:file
                     On POSIX, a Unix domain server socket named file.

                     On Windows, connect to a local named pipe that is
                     represented by a file created in the path file to mimic
                     the
648                     behavior of a Unix domain socket.
649
650              pssl:[port][:host]
651              ptcp:[port][:host]
                     Listens for OpenFlow connections on port.  The default
                     port is 6653.  By default, connections are allowed from
                     any IPv4 address.  Specify host as an IPv4 address or a
                     bracketed IPv6 address (e.g. ptcp:6653:[::1]).  On Linux,
                     use %device to designate a scope for IPv6 link-level
                     addresses, e.g. ptcp:6653:[fe80::1234%eth0].  DNS names
                     can be used if built with the unbound library.  For pssl,
                     the --private-key, --certificate, and --ca-cert options
                     are mandatory.
661
662              punix:file
663                     Listens  for  OpenFlow  connections  on  the  Unix domain
664                     server socket named file.
665
666     Controller Failure Settings
667
668       When a controller is configured, it  is,  ordinarily,  responsible  for
669       setting  up  all  flows  on the switch.  Thus, if the connection to the
670       controller fails, no new network connections can be  set  up.   If  the
671       connection  to  the  controller  stays down long enough, no packets can
672       pass through the switch at all.
673
       If the failure mode is standalone, or if no failure mode is set,
       ovs-vswitchd will take over responsibility for setting up flows when no
       message has been received from the controller for three times the
       inactivity probe interval.  In this mode, ovs-vswitchd causes the
       datapath to act like an ordinary MAC-learning switch.  ovs-vswitchd
       will continue to retry connecting to the controller in the background
       and, when the connection succeeds, it discontinues its standalone
       behavior.

       If the failure mode is set to secure, ovs-vswitchd will not set up
       flows on its own when the controller connection fails.
684
685       get-fail-mode bridge
686              Prints the configured failure mode.
687
688       del-fail-mode bridge
689              Deletes the configured failure mode.
690
691       set-fail-mode bridge standalone|secure
692              Sets the configured failure mode.
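
       The target forms and failure modes described above can be checked
       mechanically.  The following is an added example, not part of the Open
       vSwitch distribution: the function names, the severity labels and the
       sample targets are assumptions made for illustration.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

DEFAULT_PORT = 6653  # default OpenFlow port stated in the man page


class Target(NamedTuple):
    method: str           # ssl, tcp, unix, pssl, ptcp or punix
    host: Optional[str]   # None for socket files and for listeners given no host
    port: Optional[int]
    path: Optional[str]   # socket file for unix: and punix:


HOST = r"(\[[^\]]+\]|[^:\[\]]+)"  # bracketed IPv6, or IPv4 address / DNS name
Finding = Tuple[str, str, str]    # (level, subject, message); levels are this example's own


def parse_target(target: str) -> Target:
    """Parse one controller target in the forms listed under set-controller."""
    method, sep, rest = target.partition(":")
    m = None
    if method in ("unix", "punix") and rest:
        return Target(method, None, None, rest)
    if method in ("ssl", "tcp"):                      # ssl:host[:port]
        m = re.fullmatch(HOST + r"(?::(\d+))?", rest)
        host, port = (m.group(1), m.group(2)) if m else (None, None)
    elif method in ("pssl", "ptcp") and sep:          # pssl:[port][:host]
        m = re.fullmatch(r"(\d*)(?::" + HOST + r")?", rest)
        port, host = (m.group(1), m.group(2)) if m else (None, None)
    if m is None:
        raise ValueError(f"unrecognised target: {target!r}")
    if host and host.startswith("["):
        host = host[1:-1]                             # drop the IPv6 brackets
    return Target(method, host, int(port) if port else DEFAULT_PORT, None)


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:        # a DNS name cannot be judged offline
        return False


def audit_bridge(targets: List[str], fail_mode: str = "",
                 ssl_configured: bool = False) -> List[Finding]:
    """Flag controller targets and failure mode that deserve a second look.

    fail_mode is '' when no failure mode is set (assumption of this example);
    ssl_configured says whether private-key, certificate and ca-cert are set.
    """
    findings: List[Finding] = []
    for raw in targets:
        t = parse_target(raw)
        if t.method == "tcp":
            findings.append(("MEDIUM", raw, "OpenFlow over plain TCP, no SSL"))
        elif t.method == "ptcp":
            if t.host is None:
                findings.append(("HIGH", raw,
                                 f"plain-TCP listener on port {t.port}, "
                                 "connections allowed from any IPv4 address"))
            elif _is_loopback(t.host):
                findings.append(("INFO", raw, "plain-TCP listener on loopback"))
            else:
                findings.append(("MEDIUM", raw,
                                 f"plain-TCP listener bound to {t.host}"))
        elif t.method in ("ssl", "pssl"):
            if not ssl_configured:
                findings.append(("CONFIG", raw,
                                 "SSL target, but private-key, certificate "
                                 "and ca-cert are not all set"))
            elif t.method == "pssl" and t.host is None:
                findings.append(("INFO", raw,
                                 "SSL listener allows any IPv4 address"))
        else:                                         # unix: or punix:
            findings.append(("INFO", raw,
                             f"local socket {t.path}: check file permissions"))
    if targets and fail_mode in ("", "standalone"):
        findings.append(("INFO", "fail-mode",
                         "bridge acts as an ordinary MAC-learning switch "
                         "while the controller is unreachable"))
    return findings


# Constructed sample targets (documentation addresses, hypothetical socket path).
SAMPLE_TARGETS = ["ssl:192.0.2.10:6653", "ptcp:", "ptcp:6653:127.0.0.1",
                  "tcp:[2001:db8::5]", "punix:/run/example/br0.sock"]

if __name__ == "__main__":
    for level, subject, message in audit_bridge(SAMPLE_TARGETS):
        print(f"{level:<7}{subject:<30}{message}")
```

       Feed it the targets printed by get-controller and the mode printed by
       get-fail-mode for each bridge.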
693
694   Manager Connectivity
       These commands manipulate the manager_options column in the
       Open_vSwitch table and rows in the Managers table.  When ovsdb-server
       is configured to use the manager_options column for OVSDB connections
       (as described in the startup scripts provided with Open vSwitch; the
       corresponding ovsdb-server command option is
       --remote=db:Open_vSwitch,Open_vSwitch,manager_options), this allows the
       administrator to use ovs-vsctl to configure database connections.
702
703       get-manager
704              Prints the configured manager(s).
705
706       del-manager
707              Deletes the configured manager(s).
708
709       set-manager target...
710              Sets  the configured manager target or targets.  Each target may
711              be an OVSDB active or passive connection method, e.g. pssl:6640,
712              as described in ovsdb(7).
713
714   SSL Configuration
715       When  ovs-vswitchd  is configured to connect over SSL for management or
716       controller connectivity, the following parameters are required:
717
718       private-key
719              Specifies a PEM file containing the private key used as the vir‐
720              tual switch's identity for SSL connections to the controller.
721
722       certificate
723              Specifies  a  PEM  file  containing a certificate, signed by the
724              certificate authority (CA) used by the controller  and  manager,
725              that  certifies  the virtual switch's private key, identifying a
726              trustworthy switch.
727
728       ca-cert
729              Specifies a PEM file containing the CA certificate used to  ver‐
730              ify  that  the virtual switch is connected to a trustworthy con‐
731              troller.
732
733       These files are read only once, at ovs-vswitchd startup time.  If their
734       contents change, ovs-vswitchd must be killed and restarted.
735
736       These  SSL  settings  apply  to all SSL connections made by the virtual
737       switch.
738
739       get-ssl
740              Prints the SSL configuration.
741
742       del-ssl
743              Deletes the current SSL configuration.
744
745       [--bootstrap] set-ssl private-key certificate ca-cert
746              Sets the SSL configuration.  The --bootstrap option is described
747              below.
748
749     CA Certificate Bootstrap
750
751       Ordinarily,  all of the files named in the SSL configuration must exist
752       when ovs-vswitchd starts.  However, if the ca-cert file does not  exist
753       and  the --bootstrap option is given, then ovs-vswitchd will attempt to
754       obtain the CA certificate from the controller on its first SSL  connec‐
755       tion  and  save it to the named PEM file.  If it is successful, it will
756       immediately drop the connection and reconnect, and from then on all SSL
757       connections  must  be  authenticated  by a certificate signed by the CA
758       certificate thus obtained.
759
       This option exposes the SSL connection to a man-in-the-middle attack
       when it obtains the initial CA certificate, but it may be useful for
       bootstrapping.
763
764       This option is only useful if the controller sends its  CA  certificate
765       as  part  of  the SSL certificate chain.  The SSL protocol does not re‐
766       quire the controller to send the CA certificate.
767
768   Auto-Attach Commands
       The IETF Auto-Attach SPBM draft standard describes a compact method of
       using IEEE 802.1AB Link Layer Discovery Protocol (LLDP) together with
       an IEEE 802.1aq Shortest Path Bridging (SPB) network to automatically
       attach network devices to individual services in an SPB network.  The
       intent here is to allow network applications and devices using OVS to
       easily take advantage of features offered by industry-standard SPB
       networks.  A fundamental element of the Auto-Attach feature is to map
       traditional VLANs onto SPB I-SIDs.  These commands manage the
       Auto-Attach I-SID/VLAN mappings.
778
779       add-aa-mapping bridge i-sid vlan
780              Creates a new Auto-Attach mapping on bridge for i-sid and vlan.
781
782       del-aa-mapping bridge i-sid vlan
783              Deletes an Auto-Attach mapping on bridge for i-sid and vlan.
784
785       get-aa-mapping bridge
786              Lists all of the Auto-Attach mappings within bridge on  standard
787              output.
788
789   Database Commands
790       These commands query and modify the contents of ovsdb tables.  They are
791       a slight abstraction of the ovsdb interface and as such they operate at
792       a lower level than other ovs-vsctl commands.
793
794     Identifying Tables, Records, and Columns
795
796       Each of these commands has a table parameter to identify a table within
797       the database.  Many of them also take a record parameter  that  identi‐
798       fies  a  particular record within a table.  The record parameter may be
799       the UUID for a record, and many tables offer additional ways  to  iden‐
800       tify  records.  Some commands also take column parameters that identify
801       a particular field within the records in a table.
802
803       For a list of tables and their columns, see ovs-vswitchd.conf.db(5)  or
804       see the table listing from the --help option.
805
806       Record names must be specified in full and with correct capitalization,
807       except that UUIDs may be abbreviated to their first  4  (or  more)  hex
808       digits,  as  long  as that is unique within the table.  Names of tables
809       and columns are not case-sensitive, and -  and  _  are  treated  inter‐
810       changeably.  Unique abbreviations of table and column names are accept‐
811       able, e.g. net or n is sufficient to identify the NetFlow table.
812
813     Database Values
814
815       Each column in the database accepts a fixed type  of  data.   The  cur‐
816       rently defined basic types, and their representations, are:
817
818       integer
819              A decimal integer in the range -2**63 to 2**63-1, inclusive.
820
821       real   A floating-point number.
822
823       Boolean
824              True or false, written true or false, respectively.
825
826       string An  arbitrary Unicode string, except that null bytes are not al‐
827              lowed.  Quotes are optional for most strings that begin with  an
828              English letter or underscore and consist only of letters, under‐
829              scores, hyphens, and  periods.   However,  true  and  false  and
830              strings  that  match the syntax of UUIDs (see below) must be en‐
831              closed in double quotes to distinguish  them  from  other  basic
832              types.   When  double  quotes  are  used,  the syntax is that of
833              strings in JSON, e.g. backslashes may be used to escape  special
834              characters.   The  empty string must be represented as a pair of
835              double quotes ("").
836
837       UUID   Either a universally unique identifier in the style of RFC 4122,
838              e.g.  f81d4fae-7dec-11d0-a765-00a0c91e6bf6,  or an @name defined
839              by a get or create command within the same ovs-vsctl invocation.
840
841       Multiple values in a single column may be separated by spaces or a sin‐
842       gle  comma.   When  multiple values are present, duplicates are not al‐
843       lowed, and order is not important.  Conversely, some  database  columns
844       can have an empty set of values, represented as [], and square brackets
845       may optionally enclose other non-empty sets or single values  as  well.
846       For  a  column  accepting a set of integers, database commands accept a
847       range. A range is represented by two integers separated by -.  A  range
848       is inclusive. A range has a maximum size of 4096 elements. If more ele‐
849       ments are needed, they can be specified in separate ranges.
850
851       A few database columns are ``maps'' of key-value pairs, where  the  key
852       and  the  value are each some fixed database type.  These are specified
853       in the form key=value, where key and value follow the  syntax  for  the
854       column's  key  type  and value type, respectively.  When multiple pairs
855       are present (separated by spaces or a comma), duplicate  keys  are  not
856       allowed,  and  again  the order is not important.  Duplicate values are
857       allowed.  An empty map is represented as {}.  Curly braces may  option‐
858       ally  enclose  non-empty  maps  as  well (but use quotes to prevent the
859       shell  from  expanding  other-config={0=x,1=y}  into   other-config=0=x
860       other-config=1=y, which may not have the desired effect).
861
862     Database Command Syntax
863
864       [--if-exists] [--columns=column[,column]...] list table [record]...
865              Lists  the  data  in  each  specified record.  If no records are
866              specified, lists all the records in table.
867
868              If --columns  is  specified,  only  the  requested  columns  are
869              listed,  in  the  specified  order.   Otherwise, all columns are
870              listed, in alphabetical order by column name.
871
872              Without --if-exists, it is an error if any specified record does
873              not  exist.   With  --if-exists,  the command ignores any record
874              that does not exist, without producing any output.
875
876       [--columns=column[,column]...] find table [column[:key]=value]...
877              Lists the data in each record in table whose column equals value
878              or,  if  key  is specified, whose column contains a key with the
879              specified value.  The following operators may be used where = is
880              written in the syntax summary:
881
882              = != < > <= >=
883                     Selects  records  in  which column[:key] equals, does not
884                     equal, is less than, is greater than,  is  less  than  or
885                     equal  to,  or is greater than or equal to value, respec‐
886                     tively.
887
                     Consider column[:key] and value as sets of elements.
                     Identical sets are considered equal.  Otherwise, if the
                     sets have different numbers of elements, then the set
                     with more elements is considered to be larger.
                     Otherwise, consider an element from each set pairwise,
                     in increasing order within each set.  The first pair
                     that differs determines the result.  (For a column that
                     contains key-value pairs, first all the keys are
                     compared, and values are considered only if the two sets
                     contain identical keys.)
898
899              {=} {!=}
900                     Test for set equality or inequality, respectively.
901
902              {<=}   Selects  records  in  which  column[:key]  is a subset of
903                     value.  For example, flood-vlans{<=}1,2  selects  records
904                     in  which the flood-vlans column is the empty set or con‐
905                     tains 1 or 2 or both.
906
907              {<}    Selects records in which column[:key] is a proper  subset
908                     of value.  For example, flood-vlans{<}1,2 selects records
909                     in which the flood-vlans column is the empty set or  con‐
910                     tains 1 or 2 but not both.
911
912              {>=} {>}
913                     Same as {<=} and {<}, respectively, except that the rela‐
914                     tionship is reversed.   For  example,  flood-vlans{>=}1,2
915                     selects  records in which the flood-vlans column contains
916                     both 1 and 2.
917
918              The following operators are available only in Open vSwitch  2.16
919              and later:
920
921              {in}   Selects records in which every element in column[:key] is
922                     also in value.  (This is the same as {<=}.)
923
924              {not-in}
925                     Selects records in which every element in column[:key] is
926                     not in value.
927
              For arithmetic operators (= != < > <= >=), when key is specified
              but a particular record's column does not contain key, the
              record is always omitted from the results.  Thus, the condition
              other-config:mtu!=1500 matches records that have an mtu key
              whose value is not 1500, but not those that lack an mtu key.

              For the set operators, when key is specified but a particular
              record's column does not contain key, the comparison is done
              against an empty set.  Thus, the condition
              other-config:mtu{!=}1500 matches records that have an mtu key
              whose value is not 1500 and those that lack an mtu key.
939
940              Don't forget to escape < or > from interpretation by the shell.
941
942              If  --columns  is  specified,  only  the  requested  columns are
943              listed, in the  specified  order.   Otherwise  all  columns  are
944              listed, in alphabetical order by column name.
945
946              The  UUIDs  shown for rows created in the same ovs-vsctl invoca‐
947              tion will be wrong.
948
949       [--if-exists] [--id=@name] get table record [column[:key]]...
950              Prints the value of each specified column in the given record in
951              table.   For  map columns, a key may optionally be specified, in
952              which case the value  associated  with  key  in  the  column  is
953              printed, instead of the entire map.
954
              Without --if-exists, it is an error if record does not exist
              or, when key is specified, if key does not exist in record.
              With --if-exists, a missing record yields no output and a
              missing key prints a blank line.
959
960              If @name is specified, then the UUID for record may be  referred
961              to  by  that name later in the same ovs-vsctl invocation in con‐
962              texts where a UUID is expected.
963
964              Both --id and the column arguments are optional, but usually  at
965              least  one  or the other should be specified.  If both are omit‐
966              ted, then get has no effect except to verify that record  exists
967              in table.
968
969              --id and --if-exists cannot be used together.
970
971       [--if-exists] set table record column[:key]=value...
972              Sets  the  value of each specified column in the given record in
973              table to value.  For map columns, a key may optionally be speci‐
974              fied, in which case the value associated with key in that column
975              is changed (or added, if none exists),  instead  of  the  entire
976              map.
977
978              Without  --if-exists,  it  is an error if record does not exist.
979              With --if-exists, this command does nothing if record  does  not
980              exist.
981
982       [--if-exists] add table record column [key=]value...
983              Adds  the  specified value or key-value pair to column in record
984              in table.  If column is a map, then key is  required,  otherwise
985              it  is  prohibited.  If key already exists in a map column, then
986              the current value is not replaced (use the set  command  to  re‐
987              place an existing value).
988
989              Without  --if-exists,  it  is an error if record does not exist.
990              With --if-exists, this command does nothing if record  does  not
991              exist.
992
993       [--if-exists] remove table record column value...
994       [--if-exists] remove table record column key...
995       [--if-exists] remove table record column key=value...
996              Removes  the  specified values or key-value pairs from column in
997              record in table.  The first form applies to columns that are not
998              maps: each specified value is removed from the column.  The sec‐
999              ond and third forms apply to map columns: if only a key is spec‐
1000              ified,  then  any  key-value pair with the given key is removed,
1001              regardless of its value; if a value is given then a pair is  re‐
1002              moved only if both key and value match.
1003
1004              It  is not an error if the column does not contain the specified
1005              key or value or pair.
1006
1007              Without --if-exists, it is an error if record  does  not  exist.
1008              With  --if-exists,  this command does nothing if record does not
1009              exist.
1010
1011       [--if-exists] clear table record column...
1012              Sets each column in record in table to the empty  set  or  empty
1013              map,  as appropriate.  This command applies only to columns that
1014              are allowed to be empty.
1015
1016              Without --if-exists, it is an error if record  does  not  exist.
1017              With  --if-exists,  this command does nothing if record does not
1018              exist.
1019
       [--id=(@name | uuid)] create table column[:key]=value...
1021              Creates a new record in table and sets  the  initial  values  of
1022              each  column.  Columns not explicitly set will receive their de‐
1023              fault values.  Outputs the UUID of the new row.
1024
1025              If @name is specified, then the UUID for the new row may be  re‐
1026              ferred  to  by that name elsewhere in the same ovs-vsctl invoca‐
1027              tion in contexts where a UUID is expected.  Such references  may
1028              precede or follow the create command.
1029
1030              If a valid uuid is specified, then it is used as the UUID of the
1031              new row.
1032
1033              Caution (ovs-vsctl as example)
1034                     Records in the Open vSwitch database are significant only
1035                     when  they can be reached directly or indirectly from the
1036                     Open_vSwitch table.  Except for records  in  the  QoS  or
1037                     Queue  tables,  records  that  are not reachable from the
1038                     Open_vSwitch table are  automatically  deleted  from  the
1039                     database.   This  deletion  happens  immediately, without
1040                     waiting for additional ovs-vsctl commands or other  data‐
1041                     base  activity.  Thus, a create command must generally be
1042                     accompanied  by  additional  commands  within  the   same
1043                     ovs-vsctl  invocation to add a chain of references to the
1044                     newly created  record  from  the  top-level  Open_vSwitch
1045                     record.   The  EXAMPLES  section gives some examples that
1046                     show how to do this.
1047
1048       [--if-exists] destroy table record...
              Deletes each specified record from table.  Unless --if-exists is
              specified, each record must exist.
1051
1052       --all destroy table
1053              Deletes all records from the table.
1054
1055              Caution (ovs-vsctl as example)
1056                     The destroy command is only useful for records in the QoS
1057                     or Queue tables.  Records in other tables  are  automati‐
1058                     cally deleted from the database when they become unreach‐
1059                     able from the Open_vSwitch table.  This means that delet‐
1060                     ing  the  last  reference  to  a record is sufficient for
1061                     deleting the record itself.  For records in these tables,
1062                     destroy  is  silently  ignored.  See the EXAMPLES section
1063                     below for more information.
1064
1065       wait-until table record [column[:key]=value]...
1066              Waits until table contains a record named  record  whose  column
1067              equals  value  or,  if key is specified, whose column contains a
1068              key with the specified value.  This command  supports  the  same
1069              operators and semantics described for the find command above.
1070
1071              If no column[:key]=value arguments are given, this command waits
1072              only until record exists.  If more than  one  such  argument  is
1073              given, the command waits until all of them are satisfied.
1074
1075              Caution (ovs-vsctl as example)
1076                     Usually wait-until should be placed at the beginning of a
1077                     set  of  ovs-vsctl  commands.   For  example,  wait-until
1078                     bridge  br0  --  get bridge br0 datapath_id waits until a
1079                     bridge named br0 is created, then prints its  datapath_id
1080                     column,  whereas get bridge br0 datapath_id -- wait-until
1081                     bridge br0 will abort if no bridge named br0 exists  when
1082                     ovs-vsctl initially connects to the database.
1083
              Consider specifying --timeout=0 along with wait-until, to
              prevent ovs-vsctl from terminating after waiting at most 5
              seconds.
1087
1088       comment [arg]...
1089              This  command  has  no  effect on behavior, but any database log
1090              record created by the command will include the command  and  its
1091              arguments.
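
       The difference between the arithmetic and the set operators of find
       matters when a query is used as a check, because records lacking the
       key drop out of arithmetic comparisons.  The following added example
       models the documented rules in Python; it is not Open vSwitch code, the
       records are constructed, and it covers only set columns and map columns
       queried with a key.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional

ARITHMETIC = {"=", "!=", "<", ">", "<=", ">="}


def _order(a: FrozenSet, b: FrozenSet) -> int:
    """Documented ordering of two sets: -1, 0 or 1."""
    if a == b:
        return 0
    if len(a) != len(b):                  # the set with more elements is larger
        return -1 if len(a) < len(b) else 1
    for x, y in zip(sorted(a), sorted(b)):
        if x != y:                        # first differing pair decides
            return -1 if x < y else 1
    return 0


def matches(op: str, cell: Optional[FrozenSet], value: FrozenSet) -> bool:
    """cell is None when a key was named and the record's map lacks it."""
    if op in ARITHMETIC:
        if cell is None:
            return False                  # record is always omitted
        c = _order(cell, value)
        return {"=": c == 0, "!=": c != 0, "<": c < 0,
                ">": c > 0, "<=": c <= 0, ">=": c >= 0}[op]
    if cell is None:
        cell = frozenset()                # set operators compare an empty set
    return {
        "{=}": cell == value, "{!=}": cell != value,
        "{<=}": cell <= value, "{<}": cell < value,
        "{>=}": cell >= value, "{>}": cell > value,
        "{in}": cell <= value, "{not-in}": cell.isdisjoint(value),
    }[op]


def find(records: Dict[str, dict], column: str, op: str,
         value: Iterable, key: Optional[str] = None) -> List[str]:
    """Return the names of records selected by column[:key] op value."""
    wanted = frozenset(value)
    hits = []
    for name, row in records.items():
        if key is None:
            cell = frozenset(row[column])
        else:
            cell = frozenset([row[column][key]]) if key in row[column] else None
        if matches(op, cell, wanted):
            hits.append(name)
    return hits


# Constructed records: a set column and a map column per record.
RECORDS = {
    "br0": {"flood_vlans": {1, 2}, "other_config": {"mtu": "1500"}},
    "br1": {"flood_vlans": {1}, "other_config": {"mtu": "9000"}},
    "br2": {"flood_vlans": set(), "other_config": {}},
    "br3": {"flood_vlans": {1, 2, 3}, "other_config": {}},
}

if __name__ == "__main__":
    # other-config:mtu!=1500 skips br2 and br3, which have no mtu key ...
    print(find(RECORDS, "other_config", "!=", ["1500"], key="mtu"))
    # ... while other-config:mtu{!=}1500 reports them as well.
    print(find(RECORDS, "other_config", "{!=}", ["1500"], key="mtu"))
```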
1092

EXAMPLES

1094       Create a new bridge named br0 and add port eth0 to it:
1095
1096              ovs-vsctl add-br br0
1097              ovs-vsctl add-port br0 eth0
1098
1099       Alternatively, perform both operations in a single atomic transaction:
1100
1101              ovs-vsctl add-br br0 -- add-port br0 eth0
1102
1103       Delete bridge br0, reporting an error if it does not exist:
1104
1105              ovs-vsctl del-br br0
1106
1107       Delete bridge br0 if it exists:
1108
1109              ovs-vsctl --if-exists del-br br0
1110
1111       Set  the  qos  column of the Port record for eth0 to point to a new QoS
1112       record, which in turn points with its queue 0 to a new Queue record:
1113
              ovs-vsctl -- set port eth0 qos=@newqos \
                  -- --id=@newqos create qos type=linux-htb \
                     other-config:max-rate=1000000 queues:0=@newqueue \
                  -- --id=@newqueue create queue \
                     other-config:min-rate=1000000 other-config:max-rate=1000000
1118

CONFIGURATION COOKBOOK

1120   Port Configuration
1121       Add an ``internal port'' vlan10 to bridge br0 as a VLAN access port for
1122       VLAN 10, and configure it with an IP address:
1123
              ovs-vsctl add-port br0 vlan10 tag=10 \
                  -- set Interface vlan10 type=internal
1126
1127              ip addr add 192.168.0.123/24 dev vlan10
1128
1129       Add a GRE tunnel port gre0 to remote IP address 1.2.3.4 to bridge br0:
1130
              ovs-vsctl add-port br0 gre0 \
                  -- set Interface gre0 type=gre options:remote_ip=1.2.3.4
1133
1134   Port Mirroring
1135       Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
1136       that  all  of  those  ports  exist on bridge br0 (as a side-effect this
1137       causes any packets received on eth2 to be ignored):
1138
              ovs-vsctl -- set Bridge br0 mirrors=@m \
                  -- --id=@eth0 get Port eth0 \
                  -- --id=@eth1 get Port eth1 \
                  -- --id=@eth2 get Port eth2 \
                  -- --id=@m create Mirror name=mymirror \
                     select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 \
                     output-port=@eth2
1149
1150       Remove  the mirror created above from br0, which also destroys the Mir‐
1151       ror record (since it is now unreferenced):
1152
              ovs-vsctl -- --id=@rec get Mirror mymirror \
                  -- remove Bridge br0 mirrors @rec
1156
1157       The following simpler command also works:
1158
1159              ovs-vsctl clear Bridge br0 mirrors
1160
1161   Quality of Service (QoS)
1162       Create a linux-htb QoS record that points to a few queues and use it on
1163       eth0 and eth1:
1164
              ovs-vsctl -- set Port eth0 qos=@newqos \
                  -- set Port eth1 qos=@newqos \
                  -- --id=@newqos create QoS type=linux-htb \
                     other-config:max-rate=1000000000 queues=0=@q0,1=@q1 \
                  -- --id=@q0 create Queue other-config:min-rate=100000000 \
                     other-config:max-rate=100000000 \
                  -- --id=@q1 create Queue other-config:min-rate=500000000
1176
1177       Deconfigure the QoS record above from eth1 only:
1178
1179              ovs-vsctl clear Port eth1 qos
1180
1181       To  deconfigure  the QoS record from both eth0 and eth1 and then delete
1182       the QoS record (which must be done explicitly because unreferenced  QoS
1183       records are not automatically destroyed):
1184
              ovs-vsctl -- destroy QoS eth0 -- clear Port eth0 qos \
                  -- clear Port eth1 qos
1187
1188       (This command will leave two unreferenced Queue records  in  the  data‐
1189       base.   To delete them, use "ovs-vsctl list Queue" to find their UUIDs,
1190       then "ovs-vsctl destroy Queue uuid1 uuid2" to destroy each of  them  or
1191       use "ovs-vsctl -- --all destroy Queue" to delete all records.)
1192
1193   Connectivity Monitoring
1194       Monitor connectivity to a remote maintenance point on eth0.
1195
1196              ovs-vsctl set Interface eth0 cfm_mpid=1
1197
1198       Deconfigure connectivity monitoring from above:
1199
1200              ovs-vsctl clear Interface eth0 cfm_mpid
1201
1202   NetFlow
1203       Configure  bridge  br0 to send NetFlow records to UDP port 5566 on host
1204       192.168.0.34, with an active timeout of 30 seconds:
1205
              ovs-vsctl -- set Bridge br0 netflow=@nf \
                  -- --id=@nf create NetFlow targets=\"192.168.0.34:5566\" \
                     active-timeout=30
1210
1211       Update the NetFlow configuration created by the previous command to in‐
1212       stead use an active timeout of 60 seconds:
1213
1214              ovs-vsctl set NetFlow br0 active_timeout=60
1215
1216       Deconfigure the NetFlow settings from br0, which also destroys the Net‐
1217       Flow record (since it is now unreferenced):
1218
1219              ovs-vsctl clear Bridge br0 netflow
1220
   sFlow
       Configure bridge br0 to send sFlow records to a collector on 10.0.0.1
       at port 6343, using eth1's IP address as the source, with specific
       sampling parameters:

              ovs-vsctl -- --id=@s create sFlow agent=eth1 target=\"10.0.0.1:6343\" header=128 sampling=64 polling=10 \
              -- set Bridge br0 sflow=@s

       Deconfigure sFlow from br0, which also destroys the sFlow record (since
       it is now unreferenced):

              ovs-vsctl -- clear Bridge br0 sflow

   IPFIX
       Configure bridge br0 to send one IPFIX flow record per packet sample to
       UDP port 4739 on host 192.168.0.34, with Observation Domain ID 123 and
       Observation Point ID 456, a flow cache active timeout of 1 minute (60
       seconds), maximum flow cache size of 13 flows, and flows sampled on
       output port with tunnel info (sampling on input and output port is
       enabled by default if not disabled):

              ovs-vsctl -- set Bridge br0 ipfix=@i \
              -- --id=@i create IPFIX targets=\"192.168.0.34:4739\" obs_domain_id=123 obs_point_id=456 cache_active_timeout=60 cache_max_flows=13 \
              other_config:enable-input-sampling=false other_config:enable-tunnel-sampling=true

       Deconfigure the IPFIX settings from br0, which also destroys the IPFIX
       record (since it is now unreferenced):

              ovs-vsctl clear Bridge br0 ipfix

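       Added example, not part of the Open vSwitch manual: a check that every
       NetFlow, sFlow and IPFIX target configured on a bridge is an approved
       collector, since a changed target silently redirects flow telemetry.
       The names audit_flow_export, sample_vsctl and OVS_VSCTL are
       hypothetical, 203.0.113.9 is a constructed address, and the bracketed
       output format of "ovs-vsctl get ... targets" with IPv4 targets is an
       assumption.

```shell
#!/bin/sh
# Added example: flag flow-export targets that are not approved collectors.
# OVS_VSCTL may name a stand-in for offline use; the default is the real tool.
OVS_VSCTL=${OVS_VSCTL:-ovs-vsctl}

# Constructed stand-in for "ovs-vsctl get TABLE BRIDGE targets".
# The bracketed, quoted output format is an assumption of this example.
sample_vsctl() {
    case "$2" in
        NetFlow) echo '["192.168.0.34:5566"]' ;;
        IPFIX)   echo '["192.168.0.34:4739", "203.0.113.9:4739"]' ;;
        *)       echo "no row \"$3\" in table $2" >&2; return 1 ;;
    esac
}

# audit_flow_export BRIDGE ALLOWED_TARGET...
# Print "TABLE TARGET" for each configured target missing from the allowlist.
# Return 0 when every target is approved, 1 when at least one is not.
audit_flow_export() {
    bridge=$1; shift
    bad=0
    for table in NetFlow sFlow IPFIX; do
        # A failing lookup means no such record is attached to the bridge.
        raw=$($OVS_VSCTL get "$table" "$bridge" targets 2>/dev/null) || continue
        for target in $(printf '%s\n' "$raw" | tr -d '[]"' | tr ',' ' '); do
            ok=0
            for allowed in "$@"; do
                if [ "$target" = "$allowed" ]; then ok=1; fi
            done
            if [ "$ok" -eq 0 ]; then
                echo "$table $target"
                bad=1
            fi
        done
    done
    return "$bad"
}
```

       With the stand-in selected (OVS_VSCTL=sample_vsctl), an allowlist of
       192.168.0.34:5566 and 192.168.0.34:4739 reports the constructed IPFIX
       target 203.0.113.9:4739 and returns 1.
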
   802.1D Spanning Tree Protocol (STP)
       Configure bridge br0 to participate in an 802.1D spanning tree:

              ovs-vsctl set Bridge br0 stp_enable=true

       Set the bridge priority of br0 to 0x7800:

              ovs-vsctl set Bridge br0 other_config:stp-priority=0x7800

       Set the path cost of port eth0 to 10:

              ovs-vsctl set Port eth0 other_config:stp-path-cost=10

       Deconfigure STP from above:

              ovs-vsctl set Bridge br0 stp_enable=false

   Multicast Snooping
       Configure bridge br0 to enable multicast snooping:

              ovs-vsctl set Bridge br0 mcast_snooping_enable=true

       Set the multicast snooping aging time of br0 to 300 seconds:

              ovs-vsctl set Bridge br0 other_config:mcast-snooping-aging-time=300

       Set the multicast snooping table size of br0 to 2048 entries:

              ovs-vsctl set Bridge br0 other_config:mcast-snooping-table-size=2048

       Disable flooding of unregistered multicast packets to all ports. When
       set to true, the switch will send unregistered multicast packets only
       to ports connected to multicast routers. When it is set to false, the
       switch will send them to all ports. This command disables the flood of
       unregistered packets on bridge br0.

              ovs-vsctl set Bridge br0 other_config:mcast-snooping-disable-flood-unregistered=true

       Enable flooding of multicast packets (except Reports) on a specific
       port.

              ovs-vsctl set Port eth1 other_config:mcast-snooping-flood=true

       Enable flooding of Reports on a specific port.

              ovs-vsctl set Port eth1 other_config:mcast-snooping-flood-reports=true

       Deconfigure multicast snooping from above:

              ovs-vsctl set Bridge br0 mcast_snooping_enable=false

   802.1D-2004 Rapid Spanning Tree Protocol (RSTP)
       Configure bridge br0 to participate in an 802.1D-2004 Rapid Spanning
       Tree:

              ovs-vsctl set Bridge br0 rstp_enable=true

       Set the bridge address of br0 to 00:aa:aa:aa:aa:aa:

              ovs-vsctl set Bridge br0 other_config:rstp-address=00:aa:aa:aa:aa:aa

       Set the bridge priority of br0 to 0x7000. The value must be specified
       in decimal notation and should be a multiple of 4096 (if not, it is
       rounded down to the nearest multiple of 4096). The default priority
       value is 0x8000 (32768).

              ovs-vsctl set Bridge br0 other_config:rstp-priority=28672

       Set the bridge ageing time of br0 to 1000 s. The ageing time value
       should be between 10 s and 1000000 s. The default value is 300 s.

              ovs-vsctl set Bridge br0 other_config:rstp-ageing-time=1000

       Set the bridge force protocol version of br0 to 0. The force protocol
       version has two acceptable values: 0 (STP compatibility mode) and 2
       (normal operation).

              ovs-vsctl set Bridge br0 other_config:rstp-force-protocol-version=0

       Set the bridge max age of br0 to 10 s. The max age value should be
       between 6 s and 40 s. The default value is 20 s.

              ovs-vsctl set Bridge br0 other_config:rstp-max-age=10

       Set the bridge forward delay of br0 to 15 s. This value should be
       between 4 s and 30 s. The default value is 15 s.

              ovs-vsctl set Bridge br0 other_config:rstp-forward-delay=15

       Set the bridge transmit hold count of br0 to 7 s. This value should be
       between 1 s and 10 s. The default value is 6 s.

              ovs-vsctl set Bridge br0 other_config:rstp-transmit-hold-count=7

       Enable RSTP on the Port eth0:

              ovs-vsctl set Port eth0 other_config:rstp-enable=true

       Disable RSTP on the Port eth0:

              ovs-vsctl set Port eth0 other_config:rstp-enable=false

       Set the priority of port eth0 to 32. The value must be specified in
       decimal notation and should be a multiple of 16 (if not, it is rounded
       down to the nearest multiple of 16). The default priority value is 0x80
       (128).

              ovs-vsctl set Port eth0 other_config:rstp-port-priority=32

       Set the port number of port eth0 to 3:

              ovs-vsctl set Port eth0 other_config:rstp-port-num=3

       Set the path cost of port eth0 to 150:

              ovs-vsctl set Port eth0 other_config:rstp-path-cost=150

       Set the admin edge value of port eth0:

              ovs-vsctl set Port eth0 other_config:rstp-port-admin-edge=true

       Set the auto edge value of port eth0:

              ovs-vsctl set Port eth0 other_config:rstp-port-auto-edge=true

       Set the admin point to point MAC value of port eth0. Acceptable values
       are 0 (not point-to-point), 1 (point-to-point, the default value) or 2
       (automatic detection). The auto-detection mode is not currently
       implemented, and the value 2 has the same effect as 0 (not point-to-point).

              ovs-vsctl set Port eth0 other_config:rstp-admin-p2p-mac=1

       Set the admin port state value of port eth0. true is the default
       value.

              ovs-vsctl set Port eth0 other_config:rstp-admin-port-state=false

       Set the mcheck value of port eth0:

              ovs-vsctl set Port eth0 other_config:rstp-port-mcheck=true

       Deconfigure RSTP from above:

              ovs-vsctl set Bridge br0 rstp_enable=false

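       Added example, not part of the Open vSwitch manual: a pre-flight check
       for the bridge-level RSTP values above, which refuses a priority that
       would be silently rounded down (and so take part in root election with
       a different value than the one requested) and any timer outside the
       stated range. All function names are hypothetical, and the restricted
       bridge-name character set is this example's own assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the bridge-level RSTP values above.
# Function names are hypothetical; ranges and rounding are the ones stated above.

# is_decimal VALUE: succeed only for plain decimal digits without a leading zero.
is_decimal() {
    case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
}

# in_range VALUE MIN MAX: succeed for a decimal integer within [MIN, MAX].
in_range() {
    is_decimal "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# effective_priority VALUE STEP: print the value that takes effect after
# rounding down to a multiple of STEP (4096 for a bridge, 16 for a port).
effective_priority() {
    is_decimal "$1" || return 1
    echo $(( $1 / $2 * $2 ))
}

# refuse MESSAGE: report on stderr why a command line was not produced.
refuse() { echo "rstp_bridge_cmd: $1" >&2; }

# rstp_bridge_cmd BRIDGE PRIORITY AGEING MAX_AGE FWD_DELAY HOLD_COUNT
# Print one ovs-vsctl command line, or return 1 after explaining the refusal.
rstp_bridge_cmd() {
    br=$1 prio=$2 ageing=$3 max_age=$4 fwd=$5 hold=$6
    # Assumption of this example: accept only a conservative bridge-name charset.
    case "$br" in ''|*[!A-Za-z0-9_.-]*) refuse "bad bridge name"; return 1 ;; esac
    eff=$(effective_priority "$prio" 4096) || { refuse "priority must be decimal"; return 1; }
    [ "$eff" -eq "$prio" ] || { refuse "priority $prio would be rounded down to $eff"; return 1; }
    in_range "$ageing" 10 1000000 || { refuse "ageing time not in 10..1000000"; return 1; }
    in_range "$max_age" 6 40 || { refuse "max age not in 6..40"; return 1; }
    in_range "$fwd" 4 30 || { refuse "forward delay not in 4..30"; return 1; }
    in_range "$hold" 1 10 || { refuse "transmit hold count not in 1..10"; return 1; }
    echo "ovs-vsctl set Bridge $br other_config:rstp-priority=$prio" \
        "other_config:rstp-ageing-time=$ageing other_config:rstp-max-age=$max_age" \
        "other_config:rstp-forward-delay=$fwd other_config:rstp-transmit-hold-count=$hold"
}
```

       The same effective_priority helper with a step of 16 shows what a port
       priority would become after rounding.
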
   OpenFlow Version
       Configure bridge br0 to support OpenFlow versions 1.0, 1.2, and 1.3:

              ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow12,OpenFlow13

   Flow Table Configuration
       Make flow table 0 on bridge br0 refuse to accept more than 100 flows:

              ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 overflow_policy=refuse -- set Bridge br0 flow_tables=0=@ft

       Make flow table 0 on bridge br0 evict flows, with fairness based on the
       matched ingress port, when there are more than 100:

              ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 overflow_policy=evict groups='"NXM_OF_IN_PORT[]"' -- set Bridge br0 flow_tables:0=@ft

EXIT STATUS

       0      Successful program execution.

       1      Usage, syntax, or configuration file error.

       2      The bridge argument to br-exists specified the name of a bridge
              that does not exist.

SEE ALSO

       ovsdb-server(1), ovs-vswitchd(8), ovs-vswitchd.conf.db(5).

Open vSwitch                         3.1.1                        ovs-vsctl(8)