ovs-vsctl(8)                  Open vSwitch Manual                 ovs-vsctl(8)

NAME
       ovs-vsctl - utility for querying and configuring ovs-vswitchd

SYNOPSIS
       ovs-vsctl [options] -- [options] command [args] [-- [options] command
       [args]]...

DESCRIPTION
       The ovs-vsctl program configures ovs-vswitchd(8) by providing a
       high-level interface to its configuration database. See
       ovs-vswitchd.conf.db(5) for comprehensive documentation of the
       database schema.

       ovs-vsctl connects to an ovsdb-server process that maintains an Open
       vSwitch configuration database. Using this connection, it queries and
       possibly applies changes to the database, depending on the supplied
       commands. Then, if it applied any changes, by default it waits until
       ovs-vswitchd has finished reconfiguring itself before it exits. (If
       you use ovs-vsctl when ovs-vswitchd is not running, use --no-wait.)

       ovs-vsctl can perform any number of commands in a single run,
       implemented as a single atomic transaction against the database.

       The ovs-vsctl command line begins with global options (see OPTIONS
       below for details). The global options are followed by one or more
       commands. Each command should begin with -- by itself as a
       command-line argument, to separate it from the following commands.
       (The -- before the first command is optional.) The command itself
       starts with command-specific options, if any, followed by the command
       name and any arguments. See EXAMPLES below for syntax examples.

   Linux VLAN Bridging Compatibility
       The ovs-vsctl program supports the model of a bridge implemented by
       Open vSwitch, in which a single bridge supports ports on multiple
       VLANs. In this model, each port on a bridge is either a trunk port
       that potentially passes packets tagged with 802.1Q headers that
       designate VLANs or it is assigned a single implicit VLAN that is never
       tagged with an 802.1Q header.

       For compatibility with software designed for the Linux bridge,
       ovs-vsctl also supports a model in which traffic associated with a
       given 802.1Q VLAN is segregated into a separate bridge. A special form
       of the add-br command (see below) creates a ``fake bridge'' within an
       Open vSwitch bridge to simulate this behavior. When such a ``fake
       bridge'' is active, ovs-vsctl will treat it much like a bridge separate
       from its ``parent bridge,'' but the actual implementation in Open
       vSwitch uses only a single bridge, with ports on the fake bridge
       assigned the implicit VLAN of the fake bridge of which they are
       members. (A fake bridge for VLAN 0 receives packets that have no
       802.1Q tag or a tag with VLAN 0.)

OPTIONS
       The following options affect the behavior of ovs-vsctl as a whole.
       Some individual commands also accept their own options, which are
       given just before the command name. If the first command on the
       command line has options, then those options must be separated from
       the global options by --.

       --db=server
              Sets server as the database server that ovs-vsctl contacts to
              query or modify configuration. server may be an OVSDB active or
              passive connection method, as described in ovsdb(7). The
              default is unix:/var/run/openvswitch/db.sock.

       --no-wait
              Prevents ovs-vsctl from waiting for ovs-vswitchd to reconfigure
              itself according to the modified database. This option should
              be used if ovs-vswitchd is not running; otherwise, ovs-vsctl
              will not exit until ovs-vswitchd starts.

              This option has no effect if the commands specified do not
              change the database.

       --no-syslog
              By default, ovs-vsctl logs its arguments and the details of any
              changes that it makes to the system log. This option disables
              this logging.

              This option is equivalent to --verbose=vsctl:syslog:warn.

       --oneline
              Modifies the output format so that the output for each command
              is printed on a single line. New-line characters that would
              otherwise separate lines are printed as \n, and any instances
              of \ that would otherwise appear in the output are doubled.
              Prints a blank line for each command that has no output. This
              option does not affect the formatting of output from the list
              or find commands; see Table Formatting Options below.

       --dry-run
              Prevents ovs-vsctl from actually modifying the database.

       -t secs
       --timeout=secs
              By default, or with a secs of 0, ovs-vsctl waits forever for a
              response from the database. This option limits runtime to
              approximately secs seconds. If the timeout expires, ovs-vsctl
              will exit with a SIGALRM signal. (A timeout would normally
              happen only if the database cannot be contacted, or if the
              system is overloaded.)

       --retry
              Without this option, if ovs-vsctl connects outward to the
              database server (the default) then ovs-vsctl will try to
              connect once and exit with an error if the connection fails
              (which usually means that ovsdb-server is not running).

              With this option, or if --db specifies that ovs-vsctl should
              listen for an incoming connection from the database server,
              then ovs-vsctl will wait for a connection to the database
              forever.

              Regardless of this setting, --timeout always limits how long
              ovs-vsctl will wait.

   Table Formatting Options
       These options control the format of output from the list and find
       commands.

       -f format
       --format=format
              Sets the type of table formatting. The following types of
              format are available:

              table  2-D text tables with aligned columns.

              list (default)
                     A list with one column per line and rows separated by a
                     blank line.

              html   HTML tables.

              csv    Comma-separated values as defined in RFC 4180.

              json   JSON format as defined in RFC 4627. The output is a
                     sequence of JSON objects, each of which corresponds to
                     one table. Each JSON object has the following members
                     with the noted values:

                     caption
                            The table's caption. This member is omitted if
                            the table has no caption.

                     headings
                            An array with one element per table column. Each
                            array element is a string giving the
                            corresponding column's heading.

                     data   An array with one element per table row. Each
                            element is also an array with one element per
                            table column. The elements of this second-level
                            array are the cells that constitute the table.
                            Cells that represent OVSDB data or data types are
                            expressed in the format described in the OVSDB
                            specification; other cells are simply expressed
                            as text strings.

       -d format
       --data=format
              Sets the formatting for cells within output tables unless the
              table format is set to json, in which case json formatting is
              always used when formatting cells. The following types of
              format are available:

              string (default)
                     The simple format described in the Database Values
                     section below.

              bare   The simple format with punctuation stripped off: [] and
                     {} are omitted around sets, maps, and empty columns,
                     items within sets and maps are space-separated, and
                     strings are never quoted. This format may be easier for
                     scripts to parse.

              json   The RFC 4627 JSON format as described above.

       --no-headings
              This option suppresses the heading row that otherwise appears
              in the first row of table output.

       --pretty
              By default, JSON in output is printed as compactly as possible.
              This option causes JSON in output to be printed in a more
              readable fashion. Members of objects and elements of arrays
              are printed one per line, with indentation.

              This option does not affect JSON in tables, which is always
              printed compactly.

       --bare Equivalent to --format=list --data=bare --no-headings.

       --max-column-width=n
              For table output only, limits the width of any column in the
              output to n columns. Longer cell data is truncated to fit, as
              necessary. Columns are always wide enough to display the
              column names, if the heading row is printed.

   Public Key Infrastructure Options
       -p privkey.pem
       --private-key=privkey.pem
              Specifies a PEM file containing the private key used as
              ovs-vsctl's identity for outgoing SSL connections.

       -c cert.pem
       --certificate=cert.pem
              Specifies a PEM file containing a certificate that certifies
              the private key specified on -p or --private-key to be
              trustworthy. The certificate must be signed by the certificate
              authority (CA) that the peer in SSL connections will use to
              verify it.

       -C cacert.pem
       --ca-cert=cacert.pem
              Specifies a PEM file containing the CA certificate that
              ovs-vsctl should use to verify certificates presented to it by
              SSL peers. (This may be the same certificate that SSL peers
              use to verify the certificate specified on -c or --certificate,
              or it may be a different one, depending on the PKI design in
              use.)

       -C none
       --ca-cert=none
              Disables verification of certificates presented by SSL peers.
              This introduces a security risk, because it means that
              certificates cannot be verified to be those of known trusted
              hosts.

       --bootstrap-ca-cert=cacert.pem
              When cacert.pem exists, this option has the same effect as -C
              or --ca-cert. If it does not exist, then ovs-vsctl will
              attempt to obtain the CA certificate from the SSL peer on its
              first SSL connection and save it to the named PEM file. If it
              is successful, it will immediately drop the connection and
              reconnect, and from then on all SSL connections must be
              authenticated by a certificate signed by the CA certificate
              thus obtained.

              This option exposes the SSL connection to a man-in-the-middle
              attack obtaining the initial CA certificate, but it may be
              useful for bootstrapping.

              This option is only useful if the SSL peer sends its CA
              certificate as part of the SSL certificate chain. The SSL
              protocol does not require the server to send the CA
              certificate.

              This option is mutually exclusive with -C and --ca-cert.

       --peer-ca-cert=peer-cacert.pem
              Specifies a PEM file that contains one or more additional
              certificates to send to SSL peers. peer-cacert.pem should be
              the CA certificate used to sign ovs-vsctl's own certificate,
              that is, the certificate specified on -c or --certificate. If
              ovs-vsctl's certificate is self-signed, then --certificate and
              --peer-ca-cert should specify the same file.

              This option is not useful in normal operation, because the SSL
              peer must already have the CA certificate for the peer to have
              any confidence in ovs-vsctl's identity. However, this offers a
              way for a new installation to bootstrap the CA certificate on
              its first SSL connection.

       -v[spec]
       --verbose=[spec]
              Sets logging levels. Without any spec, sets the log level for
              every module and destination to dbg. Otherwise, spec is a list
              of words separated by spaces or commas or colons, up to one
              from each category below:

              •      A valid module name, as displayed by the vlog/list
                     command on ovs-appctl(8), limits the log level change to
                     the specified module.

              •      syslog, console, or file, to limit the log level change
                     only to the system log, to the console, or to a file,
                     respectively. (If --detach is specified, ovs-vsctl
                     closes its standard file descriptors, so logging to the
                     console will have no effect.)

                     On the Windows platform, syslog is accepted as a word
                     and is only useful along with the --syslog-target option
                     (the word has no effect otherwise).

              •      off, emer, err, warn, info, or dbg, to control the log
                     level. Messages of the given severity or higher will be
                     logged, and messages of lower severity will be filtered
                     out. off filters out all messages. See ovs-appctl(8)
                     for a definition of each log level.

              Case is not significant within spec.

              Regardless of the log levels set for file, logging to a file
              will not take place unless --log-file is also specified (see
              below).

              For compatibility with older versions of OVS, any is accepted
              as a word but has no effect.

       -v
       --verbose
              Sets the maximum logging verbosity level, equivalent to
              --verbose=dbg.

       -vPATTERN:destination:pattern
       --verbose=PATTERN:destination:pattern
              Sets the log pattern for destination to pattern. Refer to
              ovs-appctl(8) for a description of the valid syntax for
              pattern.

       -vFACILITY:facility
       --verbose=FACILITY:facility
              Sets the RFC5424 facility of the log message. facility can be
              one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
              clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
              local3, local4, local5, local6 or local7. If this option is
              not specified, daemon is used as the default for the local
              system syslog and local0 is used while sending a message to the
              target provided via the --syslog-target option.

       --log-file[=file]
              Enables logging to a file. If file is specified, then it is
              used as the exact name for the log file. The default log file
              name used if file is omitted is
              /var/log/openvswitch/ovs-vsctl.log.

       --syslog-target=host:port
              Send syslog messages to UDP port on host, in addition to the
              system syslog. The host must be a numerical IP address, not a
              hostname.

       --syslog-method=method
              Specifies how syslog messages should be sent to the syslog
              daemon. The following forms are supported:

              •      libc, to use the libc syslog() function. The downside of
                     this option is that libc adds a fixed prefix to every
                     message before it is actually sent to the syslog daemon
                     over the /dev/log UNIX domain socket.

              •      unix:file, to use a UNIX domain socket directly. It is
                     possible to specify an arbitrary message format with
                     this option. However, rsyslogd 8.9 and older versions
                     use a hard-coded parser function anyway that limits UNIX
                     domain socket use. If you want to use an arbitrary
                     message format with older rsyslogd versions, then use a
                     UDP socket to the localhost IP address instead.

              •      udp:ip:port, to use a UDP socket. With this method it
                     is possible to use an arbitrary message format also with
                     older rsyslogd. When sending syslog messages over a UDP
                     socket, extra precautions need to be taken: for example,
                     the syslog daemon needs to be configured to listen on
                     the specified UDP port, accidental iptables rules could
                     interfere with local syslog traffic, and there are some
                     security considerations that apply to UDP sockets but do
                     not apply to UNIX domain sockets.

              •      null, to discard all messages logged to syslog.

              The default is taken from the OVS_SYSLOG_METHOD environment
              variable; if it is unset, the default is libc.

       -h
       --help Prints a brief help message to the console.

       -V
       --version
              Prints version information to the console.

COMMANDS
       The commands implemented by ovs-vsctl are described in the sections
       below.

   Open vSwitch Commands
       These commands work with an Open vSwitch as a whole.

       init   Initializes the Open vSwitch database, if it is empty. If the
              database has already been initialized, this command has no
              effect.

              Any successful ovs-vsctl command automatically initializes the
              Open vSwitch database if it is empty. This command is provided
              to initialize the database without executing any other command.

       show   Prints a brief overview of the database contents.

       emer-reset
              Reset the configuration into a clean state. It deconfigures
              OpenFlow controllers, OVSDB servers, and SSL, and deletes port
              mirroring, fail_mode, NetFlow, sFlow, and IPFIX configuration.
              This command also removes all other-config keys from all
              database records, except that other-config:hwaddr is preserved
              if it is present in a Bridge record. Other networking
              configuration is left as-is.

   Bridge Commands
       These commands examine and manipulate Open vSwitch bridges.

       [--may-exist] add-br bridge
              Creates a new bridge named bridge. Initially the bridge will
              have no ports (other than bridge itself).

              Without --may-exist, attempting to create a bridge that exists
              is an error. With --may-exist, this command does nothing if
              bridge already exists as a real bridge.

       [--may-exist] add-br bridge parent vlan
              Creates a ``fake bridge'' named bridge within the existing Open
              vSwitch bridge parent, which must already exist and must not
              itself be a fake bridge. The new fake bridge will be on 802.1Q
              VLAN vlan, which must be an integer between 0 and 4095. The
              parent bridge must not already have a fake bridge for vlan.
              Initially bridge will have no ports (other than bridge itself).

              Without --may-exist, attempting to create a bridge that exists
              is an error. With --may-exist, this command does nothing if
              bridge already exists as a VLAN bridge under parent for vlan.

       [--if-exists] del-br bridge
              Deletes bridge and all of its ports. If bridge is a real
              bridge, this command also deletes any fake bridges that were
              created with bridge as parent, including all of their ports.

              Without --if-exists, attempting to delete a bridge that does
              not exist is an error. With --if-exists, attempting to delete
              a bridge that does not exist has no effect.

       [--real|--fake] list-br
              Lists all existing real and fake bridges on standard output,
              one per line. With --real or --fake, only bridges of that type
              are returned.

       br-exists bridge
              Tests whether bridge exists as a real or fake bridge. If so,
              ovs-vsctl exits successfully with exit code 0. If not,
              ovs-vsctl exits unsuccessfully with exit code 2.

       br-to-vlan bridge
              If bridge is a fake bridge, prints the bridge's 802.1Q VLAN as
              a decimal integer. If bridge is a real bridge, prints 0.

       br-to-parent bridge
              If bridge is a fake bridge, prints the name of its parent
              bridge. If bridge is a real bridge, prints bridge.

       br-set-external-id bridge key [value]
              Sets or clears an ``external ID'' value on bridge. These
              values are intended to identify entities external to Open
              vSwitch with which bridge is associated, e.g. the bridge's
              identifier in a virtualization management platform. The Open
              vSwitch database schema specifies well-known key values, but
              key and value are otherwise arbitrary strings.

              If value is specified, then key is set to value for bridge,
              overwriting any previous value. If value is omitted, then key
              is removed from bridge's set of external IDs (if it was
              present).

              For real bridges, the effect of this command is similar to that
              of a set or remove command in the external-ids column of the
              Bridge table. For fake bridges, it actually modifies keys with
              names prefixed by fake-bridge- in the Port table.

       br-get-external-id bridge [key]
              Queries the external IDs on bridge. If key is specified, the
              output is the value for that key or the empty string if key is
              unset. If key is omitted, the output is key=value, one per
              line, for each key-value pair.

              For real bridges, the effect of this command is similar to that
              of a get command in the external-ids column of the Bridge
              table. For fake bridges, it queries keys with names prefixed
              by fake-bridge- in the Port table.

   Port Commands
       These commands examine and manipulate Open vSwitch ports. These
       commands treat a bonded port as a single entity.

       list-ports bridge
              Lists all of the ports within bridge on standard output, one
              per line. The local port bridge is not included in the list.

       [--may-exist] add-port bridge port [column[:key]=value]...
              Creates on bridge a new port named port from the network device
              of the same name.

              Optional arguments set values of column in the Port record
              created by the command. For example, tag=9 would make the port
              an access port for VLAN 9. The syntax is the same as that for
              the set command (see Database Commands below).

              Without --may-exist, attempting to create a port that exists is
              an error. With --may-exist, this command does nothing if port
              already exists on bridge and is not a bonded port.

       [--if-exists] del-port [bridge] port
              Deletes port. If bridge is omitted, port is removed from
              whatever bridge contains it; if bridge is specified, it must be
              the real or fake bridge that contains port.

              Without --if-exists, attempting to delete a port that does not
              exist is an error. With --if-exists, attempting to delete a
              port that does not exist has no effect.

       [--if-exists] --with-iface del-port [bridge] iface
              Deletes the port named iface or that has an interface named
              iface. If bridge is omitted, the port is removed from whatever
              bridge contains it; if bridge is specified, it must be the real
              or fake bridge that contains the port.

              Without --if-exists, attempting to delete the port for an
              interface that does not exist is an error. With --if-exists,
              attempting to delete the port for an interface that does not
              exist has no effect.

       port-to-br port
              Prints the name of the bridge that contains port on standard
              output.

   Bond Commands
       These commands work with ports that have more than one interface,
       which Open vSwitch calls ``bonds.''

       [--fake-iface] add-bond bridge port iface... [column[:key]=value]...
              Creates on bridge a new port named port that bonds together the
              network devices given as each iface. At least two interfaces
              must be named. If the interfaces are DPDK enabled then the
              transaction will need to include operations to explicitly set
              the interface type to 'dpdk'.

              Optional arguments set values of column in the Port record
              created by the command. The syntax is the same as that for the
              set command (see Database Commands below).

              With --fake-iface, a fake interface with the name port is
              created. This should only be used for compatibility with
              legacy software that requires it.

              Without --may-exist, attempting to create a port that exists is
              an error. With --may-exist, this command does nothing if port
              already exists on bridge and bonds together exactly the
              specified interfaces.

       [--may-exist] add-bond-iface bond iface
              Adds iface as a new bond interface to the existing port bond.
              If bond previously had only one port, this transforms it into a
              bond.

              Without --may-exist, attempting to add an iface that is already
              part of bond is an error. With --may-exist, this command does
              nothing if iface is already part of bond. (It is still an
              error if iface is an interface of some other port or bond.)

       [--if-exists] del-bond-iface [bond] iface
              Removes iface from its port. If bond is omitted, iface is
              removed from whatever port contains it; if bond is specified,
              it must be the port that contains iface.

              If removing iface causes its port to have only a single
              interface, then that port transforms from a bond into an
              ordinary port. It is an error if iface is the only interface
              in its port.

              Without --if-exists, attempting to delete an interface that
              does not exist is an error. With --if-exists, attempting to
              delete an interface that does not exist has no effect.

   Interface Commands
       These commands examine the interfaces attached to an Open vSwitch
       bridge. These commands treat a bonded port as a collection of two or
       more interfaces, rather than as a single port.

       list-ifaces bridge
              Lists all of the interfaces within bridge on standard output,
              one per line. The local port bridge is not included in the
              list.

       iface-to-br iface
              Prints the name of the bridge that contains iface on standard
              output.

   Conntrack Zone Commands
       These commands query and modify datapath CT zones and Timeout
       Policies.

       [--may-exist] add-zone-tp datapath zone=zone_id policies
              Creates a conntrack zone timeout policy with zone_id in
              datapath. The policies consist of key=value pairs, separated
              by spaces. For example, icmp_first=30 icmp_reply=60 specifies
              a 30-second timeout policy for the first ICMP packet and a
              60-second policy for ICMP reply packets. See the
              CT_Timeout_Policy table in ovs-vswitchd.conf.db(5) for the
              supported keys.

              Without --may-exist, attempting to add a zone_id that already
              exists is an error. With --may-exist, this command does
              nothing if zone_id already exists.

       [--if-exists] del-zone-tp datapath zone=zone_id
              Delete the timeout policy associated with zone_id from
              datapath.

              Without --if-exists, attempting to delete a zone that does not
              exist is an error. With --if-exists, attempting to delete a
              zone that does not exist has no effect.

       list-zone-tp datapath
              Prints the timeout policies of all zones in datapath.

   Datapath Capabilities Command
       This command queries datapath capabilities.

       list-dp-cap datapath
              Prints the datapath's capabilities.

   OpenFlow Controller Connectivity
       ovs-vswitchd can perform all configured bridging and switching
       locally, or it can be configured to communicate with one or more
       external OpenFlow controllers. The switch is typically configured to
       connect to a primary controller that takes charge of the bridge's flow
       table to implement a network policy. In addition, the switch can be
       configured to listen to connections from service controllers. Service
       controllers are typically used for occasional support and maintenance,
       e.g. with ovs-ofctl.

       get-controller bridge
              Prints the configured controller target.

       del-controller bridge
              Deletes the configured controller target.

       set-controller bridge target...
              Sets the configured controller target or targets. Each target
              may use any of the following forms:

              ssl:host[:port]
              tcp:host[:port]
                     The specified port on the given host, which can be
                     expressed either as a DNS name (if built with unbound
                     library) or an IP address in IPv4 or IPv6 address
                     format. Wrap IPv6 addresses in square brackets, e.g.
                     tcp:[::1]:6653. On Linux, use %device to designate a
                     scope for IPv6 link-level addresses, e.g.
                     tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key,
                     --certificate, and --ca-cert options are mandatory.

                     If port is not specified, it defaults to 6653.

              unix:file
                     On POSIX, a Unix domain server socket named file.

                     On Windows, connect to a local named pipe that is
                     represented by a file created in the path file to mimic
                     the behavior of a Unix domain socket.

              pssl:[port][:host]
              ptcp:[port][:host]
                     Listens for OpenFlow connections on port. The default
                     port is 6653. By default, connections are allowed from
                     any IPv4 address. Specify host as an IPv4 address or a
                     bracketed IPv6 address (e.g. ptcp:6653:[::1]). On
                     Linux, use %device to designate a scope for IPv6
                     link-level addresses, e.g. ptcp:6653:[fe80::1234%eth0].
                     DNS names can be used if built with unbound library.
                     For pssl, the --private-key, --certificate, and
                     --ca-cert options are mandatory.

              punix:file
                     Listens for OpenFlow connections on the Unix domain
                     server socket named file.

   Controller Failure Settings
       When a controller is configured, it is, ordinarily, responsible for
       setting up all flows on the switch. Thus, if the connection to the
       controller fails, no new network connections can be set up. If the
       connection to the controller stays down long enough, no packets can
       pass through the switch at all.

       If the value is standalone, or if neither of these settings is set,
       ovs-vswitchd will take over responsibility for setting up flows when
       no message has been received from the controller for three times the
       inactivity probe interval. In this mode, ovs-vswitchd causes the
       datapath to act like an ordinary MAC-learning switch. ovs-vswitchd
       will continue to retry connecting to the controller in the background
       and, when the connection succeeds, it discontinues its standalone
       behavior.

       If this option is set to secure, ovs-vswitchd will not set up flows on
       its own when the controller connection fails.

       get-fail-mode bridge
              Prints the configured failure mode.

       del-fail-mode bridge
              Deletes the configured failure mode.

       set-fail-mode bridge standalone|secure
              Sets the configured failure mode.

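       The controller target forms and failure modes above can be checked
       from the values that get-controller and get-fail-mode print. The
       shell functions below are an added example, not part of the Open
       vSwitch manual or sources; the function names, the bridge names and
       the 192.0.2.5 address are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Open vSwitch distribution. Audits the values
# printed by "ovs-vsctl get-controller BRIDGE" and "ovs-vsctl get-fail-mode
# BRIDGE" against the target forms and failure modes documented above.

# describe_target TARGET
#   Prints "<transport> <direction>" for one controller target.
describe_target() {
    t=$1
    case "$t" in
        ssl:*)   echo "tls outbound" ;;
        tcp:*)   echo "plaintext outbound" ;;
        unix:*)  echo "local outbound" ;;
        punix:*) echo "local listen" ;;
        pssl:*|ptcp:*)
            case "$t" in pssl:*) sec=tls ;; *) sec=plaintext ;; esac
            rest=${t#*:}                     # what follows: [port][:host]
            case "$rest" in
                *:?*) echo "$sec listen-on-${rest#*:}" ;;
                *)    echo "$sec listen-any" ;;   # no host: any IPv4 address
            esac ;;
        *) echo "unknown unknown" ;;
    esac
}

# audit_bridge BRIDGE FAIL_MODE [TARGET...]
#   FAIL_MODE is "standalone", "secure" or "" (unset). Prints one finding per
#   line; returns 0 when there is nothing to report, 1 otherwise.
audit_bridge() {
    br=$1
    mode=$2
    shift 2
    bad=0
    for target in "$@"; do
        desc=$(describe_target "$target")
        case "$desc" in
            plaintext*)
                echo "$br: $target carries OpenFlow without SSL"
                bad=1 ;;
        esac
        case "$desc" in
            *listen-any)
                echo "$br: $target accepts connections from any IPv4 address"
                bad=1 ;;
        esac
    done
    # Unset behaves like standalone: the bridge becomes a MAC-learning switch
    # once the controller has been silent for three probe intervals.
    if [ "$#" -gt 0 ] && [ "$mode" != "secure" ]; then
        echo "$br: fail mode ${mode:-unset} forwards as a MAC-learning switch if the controller is lost"
        bad=1
    fi
    return "$bad"
}

# Constructed sample values standing in for real command output.
audit_bridge br0 "" tcp:192.0.2.5:6653 ptcp:6653 || true
audit_bridge br1 secure ssl:192.0.2.5:6653 'pssl:6653:[::1]' || true

# Possible remediation for br0, applied as one atomic transaction:
#   ovs-vsctl set-fail-mode br0 secure -- set-controller br0 ssl:192.0.2.5:6653
```

       Whether standalone is acceptable depends on whether the controller's
       flows enforce a policy that plain MAC learning would not.
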
   Manager Connectivity
       These commands manipulate the manager_options column in the
       Open_vSwitch table and rows in the Managers table. When ovsdb-server
       is configured to use the manager_options column for OVSDB connections
       (as described in the startup scripts provided with Open vSwitch; the
       corresponding ovsdb-server command option is
       --remote=db:Open_vSwitch,Open_vSwitch,manager_options), this allows
       the administrator to use ovs-vsctl to configure database connections.

       get-manager
              Prints the configured manager(s).

       del-manager
              Deletes the configured manager(s).

       set-manager target...
              Sets the configured manager target or targets. Each target may
              be an OVSDB active or passive connection method, e.g.
              pssl:6640, as described in ovsdb(7).

714 SSL Configuration
715 When ovs-vswitchd is configured to connect over SSL for management or
716 controller connectivity, the following parameters are required:
717
718 private-key
719 Specifies a PEM file containing the private key used as the vir‐
720 tual switch's identity for SSL connections to the controller.
721
722 certificate
723 Specifies a PEM file containing a certificate, signed by the
724 certificate authority (CA) used by the controller and manager,
725 that certifies the virtual switch's private key, identifying a
726 trustworthy switch.
727
728 ca-cert
729 Specifies a PEM file containing the CA certificate used to ver‐
730 ify that the virtual switch is connected to a trustworthy con‐
731 troller.
732
733 These files are read only once, at ovs-vswitchd startup time. If their
734 contents change, ovs-vswitchd must be killed and restarted.
735
736 These SSL settings apply to all SSL connections made by the virtual
737 switch.
738
739 get-ssl
740 Prints the SSL configuration.
741
742 del-ssl
743 Deletes the current SSL configuration.
744
745 [--bootstrap] set-ssl private-key certificate ca-cert
746 Sets the SSL configuration. The --bootstrap option is described
747 below.
748
749 CA Certificate Bootstrap
750
Ordinarily, all of the files named in the SSL configuration must exist
when ovs-vswitchd starts. However, if the ca-cert file does not exist
and the --bootstrap option is given, then ovs-vswitchd will attempt to
obtain the CA certificate from the controller on its first SSL
connection and save it to the named PEM file. If it is successful, it
will immediately drop the connection and reconnect, and from then on
all SSL connections must be authenticated by a certificate signed by
the CA certificate thus obtained.

This option exposes the SSL connection to a man-in-the-middle attack
while the initial CA certificate is being obtained, but it may be
useful for bootstrapping.

This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain. The SSL protocol does not
require the controller to send the CA certificate.
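
One way to stay off the --bootstrap path described above is to confirm, before ovs-vswitchd is restarted, that all three PEM files are already in place and of the right kind. This Python preflight is an added example, not part of the Open vSwitch manual or code; the function names and the private-key permission check are assumptions of this example.

```python
"""Preflight for `ovs-vsctl set-ssl` that never falls back to --bootstrap (added example)."""
import base64
import os
import re
import stat
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(path):
    """Return the labels of well-formed PEM blocks in path (body must be base64 DER)."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if der[:1] == b"\x30":      # DER keys and certificates start with SEQUENCE
            labels.append(label)
    return labels


def preflight(private_key, certificate, ca_cert):
    """Return a list of problems; an empty list means set-ssl can run as is."""
    problems = []
    wanted = (
        ("private-key", private_key, "PRIVATE KEY"),
        ("certificate", certificate, "CERTIFICATE"),
        ("ca-cert", ca_cert, "CERTIFICATE"),
    )
    for role, path, suffix in wanted:
        if not os.path.isfile(path):
            hint = ""
            if role == "ca-cert":
                # The man page: with --bootstrap the CA is taken from the first
                # SSL connection, which is open to a man-in-the-middle.
                hint = " (install it out of band instead of using --bootstrap)"
            problems.append(f"{role}: {path} does not exist{hint}")
            continue
        if not any(label.endswith(suffix) for label in pem_labels(path)):
            problems.append(f"{role}: {path} has no PEM {suffix} block")
    # Hardening check added by this example; it is not stated in the man page.
    if os.path.isfile(private_key):
        mode = stat.S_IMODE(os.stat(private_key).st_mode)
        if mode & 0o077:
            problems.append(
                f"private-key: {private_key} mode {mode:04o} is accessible to group/other")
    return problems


def set_ssl_argv(private_key, certificate, ca_cert):
    """Build the set-ssl command line, or raise if the files are not ready."""
    problems = preflight(private_key, certificate, ca_cert)
    if problems:
        raise ValueError("; ".join(problems))
    return ["ovs-vsctl", "set-ssl", private_key, certificate, ca_cert]


if __name__ == "__main__" and len(sys.argv) == 4:
    for problem in preflight(*sys.argv[1:4]):
        print("refusing set-ssl:", problem)
```

Because the files are read only once at ovs-vswitchd startup, run the check before the restart rather than after it.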
767
768 Auto-Attach Commands
The IETF Auto-Attach SPBM draft standard describes a compact method of
using IEEE 802.1AB Link Layer Discovery Protocol (LLDP) together with
an IEEE 802.1aq Shortest Path Bridging (SPB) network to automatically
attach network devices to individual services in an SPB network. The
intent here is to allow network applications and devices using OVS to
easily take advantage of features offered by industry-standard SPB
networks. A fundamental element of the Auto-Attach feature is to map
traditional VLANs onto SPB I-SIDs. These commands manage the
Auto-Attach I-SID/VLAN mappings.
778
779 add-aa-mapping bridge i-sid vlan
780 Creates a new Auto-Attach mapping on bridge for i-sid and vlan.
781
782 del-aa-mapping bridge i-sid vlan
783 Deletes an Auto-Attach mapping on bridge for i-sid and vlan.
784
785 get-aa-mapping bridge
786 Lists all of the Auto-Attach mappings within bridge on standard
787 output.
788
789 Database Commands
790 These commands query and modify the contents of ovsdb tables. They are
791 a slight abstraction of the ovsdb interface and as such they operate at
792 a lower level than other ovs-vsctl commands.
793
794 Identifying Tables, Records, and Columns
795
796 Each of these commands has a table parameter to identify a table within
797 the database. Many of them also take a record parameter that identi‐
798 fies a particular record within a table. The record parameter may be
799 the UUID for a record, and many tables offer additional ways to iden‐
800 tify records. Some commands also take column parameters that identify
801 a particular field within the records in a table.
802
803 For a list of tables and their columns, see ovs-vswitchd.conf.db(5) or
804 see the table listing from the --help option.
805
806 Record names must be specified in full and with correct capitalization,
807 except that UUIDs may be abbreviated to their first 4 (or more) hex
808 digits, as long as that is unique within the table. Names of tables
809 and columns are not case-sensitive, and - and _ are treated inter‐
810 changeably. Unique abbreviations of table and column names are accept‐
811 able, e.g. net or n is sufficient to identify the NetFlow table.
812
813 Database Values
814
815 Each column in the database accepts a fixed type of data. The cur‐
816 rently defined basic types, and their representations, are:
817
818 integer
819 A decimal integer in the range -2**63 to 2**63-1, inclusive.
820
821 real A floating-point number.
822
823 Boolean
824 True or false, written true or false, respectively.
825
826 string An arbitrary Unicode string, except that null bytes are not al‐
827 lowed. Quotes are optional for most strings that begin with an
828 English letter or underscore and consist only of letters, under‐
829 scores, hyphens, and periods. However, true and false and
830 strings that match the syntax of UUIDs (see below) must be en‐
831 closed in double quotes to distinguish them from other basic
832 types. When double quotes are used, the syntax is that of
833 strings in JSON, e.g. backslashes may be used to escape special
834 characters. The empty string must be represented as a pair of
835 double quotes ("").
836
837 UUID Either a universally unique identifier in the style of RFC 4122,
838 e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or an @name defined
839 by a get or create command within the same ovs-vsctl invocation.
840
Multiple values in a single column may be separated by spaces or a
single comma. When multiple values are present, duplicates are not
allowed, and order is not important. Conversely, some database columns
can have an empty set of values, represented as [], and square brackets
may optionally enclose other non-empty sets or single values as well.
For a column accepting a set of integers, database commands accept a
range. A range is represented by two integers separated by -. A range
is inclusive. A range has a maximum size of 4096 elements. If more
elements are needed, they can be specified in separate ranges.

A few database columns are ``maps'' of key-value pairs, where the key
and the value are each some fixed database type. These are specified
in the form key=value, where key and value follow the syntax for the
column's key type and value type, respectively. When multiple pairs
are present (separated by spaces or a comma), duplicate keys are not
allowed, and again the order is not important. Duplicate values are
allowed. An empty map is represented as {}. Curly braces may
optionally enclose non-empty maps as well (but use quotes to prevent
the shell from expanding other-config={0=x,1=y} into other-config=0=x
other-config=1=y, which may not have the desired effect).
861
862 Database Command Syntax
863
864 [--if-exists] [--columns=column[,column]...] list table [record]...
865 Lists the data in each specified record. If no records are
866 specified, lists all the records in table.
867
868 If --columns is specified, only the requested columns are
869 listed, in the specified order. Otherwise, all columns are
870 listed, in alphabetical order by column name.
871
872 Without --if-exists, it is an error if any specified record does
873 not exist. With --if-exists, the command ignores any record
874 that does not exist, without producing any output.
875
876 [--columns=column[,column]...] find table [column[:key]=value]...
877 Lists the data in each record in table whose column equals value
878 or, if key is specified, whose column contains a key with the
879 specified value. The following operators may be used where = is
880 written in the syntax summary:
881
= != < > <= >=
Selects records in which column[:key] equals, does not equal, is less
than, is greater than, is less than or equal to, or is greater than or
equal to value, respectively.

Consider column[:key] and value as sets of elements. Identical sets are
considered equal. Otherwise, if the sets have different numbers of
elements, then the set with more elements is considered to be larger.
Otherwise, consider an element from each set pairwise, in increasing
order within each set. The first pair that differs determines the
result. (For a column that contains key-value pairs, first all the
keys are compared, and values are considered only if the two sets
contain identical keys.)
898
899 {=} {!=}
900 Test for set equality or inequality, respectively.
901
902 {<=} Selects records in which column[:key] is a subset of
903 value. For example, flood-vlans{<=}1,2 selects records
904 in which the flood-vlans column is the empty set or con‐
905 tains 1 or 2 or both.
906
907 {<} Selects records in which column[:key] is a proper subset
908 of value. For example, flood-vlans{<}1,2 selects records
909 in which the flood-vlans column is the empty set or con‐
910 tains 1 or 2 but not both.
911
912 {>=} {>}
913 Same as {<=} and {<}, respectively, except that the rela‐
914 tionship is reversed. For example, flood-vlans{>=}1,2
915 selects records in which the flood-vlans column contains
916 both 1 and 2.
917
918 The following operators are available only in Open vSwitch 2.16
919 and later:
920
921 {in} Selects records in which every element in column[:key] is
922 also in value. (This is the same as {<=}.)
923
924 {not-in}
925 Selects records in which every element in column[:key] is
926 not in value.
927
For arithmetic operators (= != < > <= >=), when key is specified but a
particular record's column does not contain key, the record is always
omitted from the results. Thus, the condition other-config:mtu!=1500
matches records that have an mtu key whose value is not 1500, but not
those that lack an mtu key.

For the set operators, when key is specified but a particular record's
column does not contain key, the comparison is done against an empty
set. Thus, the condition other-config:mtu{!=}1500 matches records
that have an mtu key whose value is not 1500 and those that lack an
mtu key.
939
940 Don't forget to escape < or > from interpretation by the shell.
941
942 If --columns is specified, only the requested columns are
943 listed, in the specified order. Otherwise all columns are
944 listed, in alphabetical order by column name.
945
946 The UUIDs shown for rows created in the same ovs-vsctl invoca‐
947 tion will be wrong.
948
949 [--if-exists] [--id=@name] get table record [column[:key]]...
950 Prints the value of each specified column in the given record in
951 table. For map columns, a key may optionally be specified, in
952 which case the value associated with key in the column is
953 printed, instead of the entire map.
954
Without --if-exists, it is an error if record does not exist or, when
key is specified, if key does not exist in record. With --if-exists,
a missing record yields no output and a missing key prints a blank
line.
959
960 If @name is specified, then the UUID for record may be referred
961 to by that name later in the same ovs-vsctl invocation in con‐
962 texts where a UUID is expected.
963
964 Both --id and the column arguments are optional, but usually at
965 least one or the other should be specified. If both are omit‐
966 ted, then get has no effect except to verify that record exists
967 in table.
968
969 --id and --if-exists cannot be used together.
970
971 [--if-exists] set table record column[:key]=value...
972 Sets the value of each specified column in the given record in
973 table to value. For map columns, a key may optionally be speci‐
974 fied, in which case the value associated with key in that column
975 is changed (or added, if none exists), instead of the entire
976 map.
977
978 Without --if-exists, it is an error if record does not exist.
979 With --if-exists, this command does nothing if record does not
980 exist.
981
982 [--if-exists] add table record column [key=]value...
983 Adds the specified value or key-value pair to column in record
984 in table. If column is a map, then key is required, otherwise
985 it is prohibited. If key already exists in a map column, then
986 the current value is not replaced (use the set command to re‐
987 place an existing value).
988
989 Without --if-exists, it is an error if record does not exist.
990 With --if-exists, this command does nothing if record does not
991 exist.
992
993 [--if-exists] remove table record column value...
994 [--if-exists] remove table record column key...
995 [--if-exists] remove table record column key=value...
996 Removes the specified values or key-value pairs from column in
997 record in table. The first form applies to columns that are not
998 maps: each specified value is removed from the column. The sec‐
999 ond and third forms apply to map columns: if only a key is spec‐
1000 ified, then any key-value pair with the given key is removed,
1001 regardless of its value; if a value is given then a pair is re‐
1002 moved only if both key and value match.
1003
1004 It is not an error if the column does not contain the specified
1005 key or value or pair.
1006
1007 Without --if-exists, it is an error if record does not exist.
1008 With --if-exists, this command does nothing if record does not
1009 exist.
1010
1011 [--if-exists] clear table record column...
1012 Sets each column in record in table to the empty set or empty
1013 map, as appropriate. This command applies only to columns that
1014 are allowed to be empty.
1015
1016 Without --if-exists, it is an error if record does not exist.
1017 With --if-exists, this command does nothing if record does not
1018 exist.
1019
[--id=(@name | uuid)] create table column[:key]=value...
Creates a new record in table and sets the initial values of each
column. Columns not explicitly set will receive their default values.
Outputs the UUID of the new row.
1024
1025 If @name is specified, then the UUID for the new row may be re‐
1026 ferred to by that name elsewhere in the same ovs-vsctl invoca‐
1027 tion in contexts where a UUID is expected. Such references may
1028 precede or follow the create command.
1029
1030 If a valid uuid is specified, then it is used as the UUID of the
1031 new row.
1032
1033 Caution (ovs-vsctl as example)
1034 Records in the Open vSwitch database are significant only
1035 when they can be reached directly or indirectly from the
1036 Open_vSwitch table. Except for records in the QoS or
1037 Queue tables, records that are not reachable from the
1038 Open_vSwitch table are automatically deleted from the
1039 database. This deletion happens immediately, without
1040 waiting for additional ovs-vsctl commands or other data‐
1041 base activity. Thus, a create command must generally be
1042 accompanied by additional commands within the same
1043 ovs-vsctl invocation to add a chain of references to the
1044 newly created record from the top-level Open_vSwitch
1045 record. The EXAMPLES section gives some examples that
1046 show how to do this.
1047
[--if-exists] destroy table record...
Deletes each specified record from table. Unless --if-exists is
specified, each record must exist.
1051
1052 --all destroy table
1053 Deletes all records from the table.
1054
1055 Caution (ovs-vsctl as example)
1056 The destroy command is only useful for records in the QoS
1057 or Queue tables. Records in other tables are automati‐
1058 cally deleted from the database when they become unreach‐
1059 able from the Open_vSwitch table. This means that delet‐
1060 ing the last reference to a record is sufficient for
1061 deleting the record itself. For records in these tables,
1062 destroy is silently ignored. See the EXAMPLES section
1063 below for more information.
1064
1065 wait-until table record [column[:key]=value]...
1066 Waits until table contains a record named record whose column
1067 equals value or, if key is specified, whose column contains a
1068 key with the specified value. This command supports the same
1069 operators and semantics described for the find command above.
1070
1071 If no column[:key]=value arguments are given, this command waits
1072 only until record exists. If more than one such argument is
1073 given, the command waits until all of them are satisfied.
1074
1075 Caution (ovs-vsctl as example)
1076 Usually wait-until should be placed at the beginning of a
1077 set of ovs-vsctl commands. For example, wait-until
1078 bridge br0 -- get bridge br0 datapath_id waits until a
1079 bridge named br0 is created, then prints its datapath_id
1080 column, whereas get bridge br0 datapath_id -- wait-until
1081 bridge br0 will abort if no bridge named br0 exists when
1082 ovs-vsctl initially connects to the database.
1083
Consider specifying --timeout=0 along with wait-until, to prevent
ovs-vsctl from terminating after waiting at most 5 seconds.
1087
1088 comment [arg]...
1089 This command has no effect on behavior, but any database log
1090 record created by the command will include the command and its
1091 arguments.
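
The find and wait-until operators described above treat a missing map key differently depending on the operator family, which matters when a query is used to audit configuration: an arithmetic test silently skips records that lack the key. This Python model of those rules is an added example, not Open vSwitch code; the records are constructed, it covers set columns and column:key lookups only (not whole-map comparison), and the names COND, order, matches and find are its own.

```python
import re

# column[:key] OP value, with the operators listed for the find command.
COND = re.compile(
    r"^(?P<col>[A-Za-z_-]+)(?::(?P<key>[A-Za-z0-9_.-]+))?"
    r"(?P<op>\{(?:not-in|in|[!<>]?=|[<>])\}|[!<>]=|[=<>])(?P<val>.*)$")


def parse_set(text):
    """Parse 'a,b c' or '[a,b]' into a set; all-digit tokens become integers."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    tokens = [t for t in re.split(r"[,\s]+", text) if t]
    return {int(t) if re.fullmatch(r"-?\d+", t) else t.strip('"') for t in tokens}


def order(a, b):
    """Three-way comparison of two sets as described for = != < > <= >=."""
    if a == b:
        return 0
    if len(a) != len(b):                    # the set with more elements is larger
        return 1 if len(a) > len(b) else -1
    for x, y in zip(sorted(a), sorted(b)):  # pairwise, in increasing order
        if x != y:                          # the first differing pair decides
            return 1 if x > y else -1
    return 0


ARITH = {
    "=": lambda c: c == 0, "!=": lambda c: c != 0,
    "<": lambda c: c < 0, ">": lambda c: c > 0,
    "<=": lambda c: c <= 0, ">=": lambda c: c >= 0,
}
SET_OPS = {
    "{=}": lambda a, b: a == b, "{!=}": lambda a, b: a != b,
    "{<=}": lambda a, b: a <= b, "{<}": lambda a, b: a < b,
    "{>=}": lambda a, b: a >= b, "{>}": lambda a, b: a > b,
    "{in}": lambda a, b: a <= b, "{not-in}": lambda a, b: a.isdisjoint(b),
}


def matches(record, condition):
    """Evaluate one find condition against one record."""
    m = COND.match(condition)
    if not m:
        raise ValueError(f"cannot parse condition: {condition!r}")
    # Column names are case-insensitive and treat - and _ alike.
    col = m["col"].lower().replace("-", "_")
    key, op, want = m["key"], m["op"], parse_set(m["val"])
    cell = record[col]
    if key is not None:
        if key in cell:
            have = {cell[key]}
        elif op in ARITH:
            return False        # arithmetic operator: record is always omitted
        else:
            have = set()        # set operator: compare against the empty set
    elif isinstance(cell, dict):
        raise ValueError("whole-map comparison is not modelled here")
    else:
        have = set(cell)
    return ARITH[op](order(have, want)) if op in ARITH else SET_OPS[op](have, want)


def find(records, condition):
    """Return the names of the records selected by condition."""
    return [r["name"] for r in records if matches(r, condition)]


# Constructed sample records, loosely shaped like Bridge rows.
RECORDS = [
    {"name": "br0", "flood_vlans": set(), "other_config": {"mtu": 1500}},
    {"name": "br1", "flood_vlans": {1}, "other_config": {"mtu": 9000}},
    {"name": "br2", "flood_vlans": {1, 2}, "other_config": {}},
    {"name": "br3", "flood_vlans": {1, 2, 3}, "other_config": {}},
]

if __name__ == "__main__":
    for cond in ("other-config:mtu!=1500", "other-config:mtu{!=}1500",
                 "flood-vlans{<=}1,2", "flood-vlans{<}1,2", "flood-vlans>1,2"):
        print(f"{cond:28} -> {find(RECORDS, cond)}")
```

When the goal is to list every record that deviates from a required setting, including those where the key was never set, the set form ({!=}) is the one that reports them.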
1092
1094 Create a new bridge named br0 and add port eth0 to it:
1095
1096 ovs-vsctl add-br br0
1097 ovs-vsctl add-port br0 eth0
1098
1099 Alternatively, perform both operations in a single atomic transaction:
1100
1101 ovs-vsctl add-br br0 -- add-port br0 eth0
1102
1103 Delete bridge br0, reporting an error if it does not exist:
1104
1105 ovs-vsctl del-br br0
1106
1107 Delete bridge br0 if it exists:
1108
1109 ovs-vsctl --if-exists del-br br0
1110
1111 Set the qos column of the Port record for eth0 to point to a new QoS
1112 record, which in turn points with its queue 0 to a new Queue record:
1113
ovs-vsctl -- set port eth0 qos=@newqos \
    -- --id=@newqos create qos type=linux-htb other-config:max-rate=1000000 queues:0=@newqueue \
    -- --id=@newqueue create queue other-config:min-rate=1000000 other-config:max-rate=1000000
1118
1120 Port Configuration
1121 Add an ``internal port'' vlan10 to bridge br0 as a VLAN access port for
1122 VLAN 10, and configure it with an IP address:
1123
ovs-vsctl add-port br0 vlan10 tag=10 -- set Interface vlan10 type=internal
1126
1127 ip addr add 192.168.0.123/24 dev vlan10
1128
1129 Add a GRE tunnel port gre0 to remote IP address 1.2.3.4 to bridge br0:
1130
ovs-vsctl add-port br0 gre0 -- set Interface gre0 type=gre options:remote_ip=1.2.3.4
1133
1134 Port Mirroring
1135 Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
1136 that all of those ports exist on bridge br0 (as a side-effect this
1137 causes any packets received on eth2 to be ignored):
1138
ovs-vsctl -- set Bridge br0 mirrors=@m \
    -- --id=@eth0 get Port eth0 \
    -- --id=@eth1 get Port eth1 \
    -- --id=@eth2 get Port eth2 \
    -- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 \
    select-src-port=@eth0,@eth1 output-port=@eth2
1149
Remove the mirror created above from br0, which also destroys the
Mirror record (since it is now unreferenced):

ovs-vsctl -- --id=@rec get Mirror mymirror \
    -- remove Bridge br0 mirrors @rec
1156
1157 The following simpler command also works:
1158
1159 ovs-vsctl clear Bridge br0 mirrors
1160
1161 Quality of Service (QoS)
1162 Create a linux-htb QoS record that points to a few queues and use it on
1163 eth0 and eth1:
1164
ovs-vsctl -- set Port eth0 qos=@newqos \
    -- set Port eth1 qos=@newqos \
    -- --id=@newqos create QoS type=linux-htb other-config:max-rate=1000000000 queues=0=@q0,1=@q1 \
    -- --id=@q0 create Queue other-config:min-rate=100000000 other-config:max-rate=100000000 \
    -- --id=@q1 create Queue other-config:min-rate=500000000
1176
1177 Deconfigure the QoS record above from eth1 only:
1178
1179 ovs-vsctl clear Port eth1 qos
1180
1181 To deconfigure the QoS record from both eth0 and eth1 and then delete
1182 the QoS record (which must be done explicitly because unreferenced QoS
1183 records are not automatically destroyed):
1184
ovs-vsctl -- destroy QoS eth0 -- clear Port eth0 qos -- clear Port eth1 qos

(This command will leave two unreferenced Queue records in the
database. To delete them, use "ovs-vsctl list Queue" to find their
UUIDs, then "ovs-vsctl destroy Queue uuid1 uuid2" to destroy each of
them or use "ovs-vsctl -- --all destroy Queue" to delete all records.)
1192
1193 Connectivity Monitoring
1194 Monitor connectivity to a remote maintenance point on eth0.
1195
1196 ovs-vsctl set Interface eth0 cfm_mpid=1
1197
1198 Deconfigure connectivity monitoring from above:
1199
1200 ovs-vsctl clear Interface eth0 cfm_mpid
1201
1202 NetFlow
1203 Configure bridge br0 to send NetFlow records to UDP port 5566 on host
1204 192.168.0.34, with an active timeout of 30 seconds:
1205
ovs-vsctl -- set Bridge br0 netflow=@nf \
    -- --id=@nf create NetFlow targets=\"192.168.0.34:5566\" active-timeout=30

Update the NetFlow configuration created by the previous command to
instead use an active timeout of 60 seconds:

ovs-vsctl set NetFlow br0 active_timeout=60

Deconfigure the NetFlow settings from br0, which also destroys the
NetFlow record (since it is now unreferenced):
1218
1219 ovs-vsctl clear Bridge br0 netflow
1220
1221 sFlow
Configure bridge br0 to send sFlow records to a collector on 10.0.0.1
at port 6343, using eth1's IP address as the source, with specific
sampling parameters:

ovs-vsctl -- --id=@s create sFlow agent=eth1 target=\"10.0.0.1:6343\" header=128 sampling=64 polling=10 \
    -- set Bridge br0 sflow=@s
1230
1231 Deconfigure sFlow from br0, which also destroys the sFlow record (since
1232 it is now unreferenced):
1233
1234 ovs-vsctl -- clear Bridge br0 sflow
1235
1236 IPFIX
Configure bridge br0 to send one IPFIX flow record per packet sample to
UDP port 4739 on host 192.168.0.34, with Observation Domain ID 123 and
Observation Point ID 456, a flow cache active timeout of 1 minute (60
seconds), maximum flow cache size of 13 flows, and flows sampled on
output port with tunnel info (sampling on input and output port is
enabled by default if not disabled):

ovs-vsctl -- set Bridge br0 ipfix=@i \
    -- --id=@i create IPFIX targets=\"192.168.0.34:4739\" obs_domain_id=123 \
    obs_point_id=456 cache_active_timeout=60 cache_max_flows=13 \
    other_config:enable-input-sampling=false other_config:enable-tunnel-sampling=true
1252
1253 Deconfigure the IPFIX settings from br0, which also destroys the IPFIX
1254 record (since it is now unreferenced):
1255
1256 ovs-vsctl clear Bridge br0 ipfix
1257
1258 802.1D Spanning Tree Protocol (STP)
1259 Configure bridge br0 to participate in an 802.1D spanning tree:
1260
1261 ovs-vsctl set Bridge br0 stp_enable=true
1262
1263 Set the bridge priority of br0 to 0x7800:
1264
1265 ovs-vsctl set Bridge br0 other_config:stp-priority=0x7800
1266
1267 Set the path cost of port eth0 to 10:
1268
1269 ovs-vsctl set Port eth0 other_config:stp-path-cost=10
1270
1271 Deconfigure STP from above:
1272
1273 ovs-vsctl set Bridge br0 stp_enable=false
1274
1275 Multicast Snooping
1276 Configure bridge br0 to enable multicast snooping:
1277
1278 ovs-vsctl set Bridge br0 mcast_snooping_enable=true
1279
Set the multicast snooping aging time of br0 to 300 seconds:

ovs-vsctl set Bridge br0 other_config:mcast-snooping-aging-time=300

Set the multicast snooping table size of br0 to 2048 entries:

ovs-vsctl set Bridge br0 other_config:mcast-snooping-table-size=2048
1289
1290 Disable flooding of unregistered multicast packets to all ports. When
1291 set to true, the switch will send unregistered multicast packets only
1292 to ports connected to multicast routers. When it is set to false, the
1293 switch will send them to all ports. This command disables the flood of
1294 unregistered packets on bridge br0.
1295
ovs-vsctl set Bridge br0 other_config:mcast-snooping-disable-flood-unregistered=true
1298
1299 Enable flooding of multicast packets (except Reports) on a specific
1300 port.
1301
1302 ovs-vsctl set Port eth1 other_config:mcast-snooping-flood=true
1303
1304 Enable flooding of Reports on a specific port.
1305
ovs-vsctl set Port eth1 other_config:mcast-snooping-flood-reports=true

Deconfigure multicast snooping from above:
1310
1311 ovs-vsctl set Bridge br0 mcast_snooping_enable=false
1312
1313 802.1D-2004 Rapid Spanning Tree Protocol (RSTP)
1314 Configure bridge br0 to participate in an 802.1D-2004 Rapid Spanning
1315 Tree:
1316
1317 ovs-vsctl set Bridge br0 rstp_enable=true
1318
Set the bridge address of br0 to 00:aa:aa:aa:aa:aa:

ovs-vsctl set Bridge br0 other_config:rstp-address=00:aa:aa:aa:aa:aa

Set the bridge priority of br0 to 0x7000. The value must be specified
in decimal notation and should be a multiple of 4096 (if not, it is
rounded down to the nearest multiple of 4096). The default priority
value is 0x8000 (32768).
1328
1329 ovs-vsctl set Bridge br0 other_config:rstp-priority=28672
1330
1331 Set the bridge ageing time of br0 to 1000 s. The ageing time value
1332 should be between 10 s and 1000000 s. The default value is 300 s.
1333
1334 ovs-vsctl set Bridge br0 other_config:rstp-ageing-time=1000
1335
1336 Set the bridge force protocol version of br0 to 0. The force protocol
1337 version has two acceptable values: 0 (STP compatibility mode) and 2
1338 (normal operation).
1339
ovs-vsctl set Bridge br0 other_config:rstp-force-protocol-version=0

Set the bridge max age of br0 to 10 s. The max age value should be
between 6 s and 40 s. The default value is 20 s.

ovs-vsctl set Bridge br0 other_config:rstp-max-age=10

Set the bridge forward delay of br0 to 15 s. This value should be
between 4 s and 30 s. The default value is 15 s.
1350
1351 ovs-vsctl set Bridge br0 other_config:rstp-forward-delay=15
1352
1353 Set the bridge transmit hold count of br0 to 7 s. This value should be
1354 between 1 s and 10 s. The default value is 6 s.
1355
1356 ovs-vsctl set Bridge br0 other_config:rstp-transmit-hold-count=7
1357
1358 Enable RSTP on the Port eth0:
1359
1360 ovs-vsctl set Port eth0 other_config:rstp-enable=true
1361
1362 Disable RSTP on the Port eth0:
1363
1364 ovs-vsctl set Port eth0 other_config:rstp-enable=false
1365
1366 Set the priority of port eth0 to 32. The value must be specified in
1367 decimal notation and should be a multiple of 16 (if not, it is rounded
1368 down to the nearest multiple of 16). The default priority value is 0x80
1369 (128).
1370
1371 ovs-vsctl set Port eth0 other_config:rstp-port-priority=32
1372
1373 Set the port number of port eth0 to 3:
1374
1375 ovs-vsctl set Port eth0 other_config:rstp-port-num=3
1376
1377 Set the path cost of port eth0 to 150:
1378
1379 ovs-vsctl set Port eth0 other_config:rstp-path-cost=150
1380
1381 Set the admin edge value of port eth0:
1382
1383 ovs-vsctl set Port eth0 other_config:rstp-port-admin-edge=true
1384
1385 Set the auto edge value of port eth0:
1386
1387 ovs-vsctl set Port eth0 other_config:rstp-port-auto-edge=true
1388
Set the admin point-to-point MAC value of port eth0. Acceptable values
are 0 (not point-to-point), 1 (point-to-point, the default value) or 2
(automatic detection). The auto-detection mode is not currently
implemented, and the value 2 has the same effect as 0 (not
point-to-point).
1393
1394 ovs-vsctl set Port eth0 other_config:rstp-admin-p2p-mac=1
1395
1396 Set the admin port state value of port eth0. true is the default
1397 value.
1398
1399 ovs-vsctl set Port eth0 other_config:rstp-admin-port-state=false
1400
1401 Set the mcheck value of port eth0:
1402
1403 ovs-vsctl set Port eth0 other_config:rstp-port-mcheck=true
1404
1405 Deconfigure RSTP from above:
1406
1407 ovs-vsctl set Bridge br0 rstp_enable=false
1408
1409 OpenFlow Version
1410 Configure bridge br0 to support OpenFlow versions 1.0, 1.2, and 1.3:
1411
ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow12,OpenFlow13
1414
1415 Flow Table Configuration
1416 Make flow table 0 on bridge br0 refuse to accept more than 100 flows:
1417
ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 overflow_policy=refuse \
    -- set Bridge br0 flow_tables=0=@ft

Make flow table 0 on bridge br0 evict flows, with fairness based on the
matched ingress port, when there are more than 100:

ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 overflow_policy=evict groups='"NXM_OF_IN_PORT[]"' \
    -- set Bridge br0 flow_tables:0=@ft
1427
1429 0 Successful program execution.
1430
1431 1 Usage, syntax, or configuration file error.
1432
1433 2 The bridge argument to br-exists specified the name of a bridge
1434 that does not exist.
1435
1437 ovsdb-server(1), ovs-vswitchd(8), ovs-vswitchd.conf.db(5).
1438
1439
1440
1441Open vSwitch 3.1.1 ovs-vsctl(8)