1ovs-vsctl(8) Open vSwitch Manual ovs-vsctl(8)
2
6 ovs-vsctl - utility for querying and configuring ovs-vswitchd
7
9 ovs-vsctl [options] -- [options] command [args] [-- [options] command
10 [args]]...
11
13 The ovs-vsctl program configures ovs-vswitchd(8) by providing a
14 high-level interface to its configuration database. See
15 ovs-vswitchd.conf.db(5) for comprehensive documentation of the database
16 schema.
17 ovs-vsctl connects to an ovsdb-server process that maintains an Open
19 vSwitch configuration database. Using this connection, it queries and
20 possibly applies changes to the database, depending on the supplied
21 commands. Then, if it applied any changes, by default it waits until
22 ovs-vswitchd has finished reconfiguring itself before it exits. (If
23 you use ovs-vsctl when ovs-vswitchd is not running, use --no-wait.)
24 ovs-vsctl can perform any number of commands in a single run, imple‐
26 mented as a single atomic transaction against the database.
27 The ovs-vsctl command line begins with global options (see OPTIONS be‐
29 low for details). The global options are followed by one or more com‐
30 mands. Each command should begin with -- by itself as a command-line
31 argument, to separate it from the following commands. (The -- before
32 the first command is optional.) The command itself starts with com‐
33 mand-specific options, if any, followed by the command name and any ar‐
34 guments. See EXAMPLES below for syntax examples.
35 Linux VLAN Bridging Compatibility
37 The ovs-vsctl program supports the model of a bridge implemented by
38 Open vSwitch, in which a single bridge supports ports on multiple
39 VLANs. In this model, each port on a bridge is either a trunk port
40 that potentially passes packets tagged with 802.1Q headers that desig‐
41 nate VLANs or it is assigned a single implicit VLAN that is never
42 tagged with an 802.1Q header.
43 For compatibility with software designed for the Linux bridge,
45 ovs-vsctl also supports a model in which traffic associated with a
46 given 802.1Q VLAN is segregated into a separate bridge. A special form
47 of the add-br command (see below) creates a ``fake bridge'' within an
48 Open vSwitch bridge to simulate this behavior. When such a ``fake
49 bridge'' is active, ovs-vsctl will treat it much like a bridge separate
50 from its ``parent bridge,'' but the actual implementation in Open
51 vSwitch uses only a single bridge, with ports on the fake bridge as‐
52 signed the implicit VLAN of the fake bridge of which they are members.
53 (A fake bridge for VLAN 0 receives packets that have no 802.1Q tag or a
54 tag with VLAN 0.)
55
57 The following options affect the behavior ovs-vsctl as a whole. Some
58 individual commands also accept their own options, which are given just
59 before the command name. If the first command on the command line has
60 options, then those options must be separated from the global options
61 by --.
62 --db=server
64 Sets server as the database server that ovs-vsctl contacts to
65 query or modify configuration. server may be an OVSDB active or
66 passive connection method, as described in ovsdb(7). The de‐
67 fault is unix:/var/run/openvswitch/db.sock.
68 --no-wait
70 Prevents ovs-vsctl from waiting for ovs-vswitchd to reconfigure
71 itself according to the modified database. This option should
72 be used if ovs-vswitchd is not running; otherwise, ovs-vsctl
73 will not exit until ovs-vswitchd starts.
74 This option has no effect if the commands specified do not
76 change the database.
77 --no-syslog
79 By default, ovs-vsctl logs its arguments and the details of any
80 changes that it makes to the system log. This option disables
81 this logging.
82 This option is equivalent to --verbose=vsctl:syslog:warn.
84 --oneline
86 Modifies the output format so that the output for each command
87 is printed on a single line. New-line characters that would
88 otherwise separate lines are printed as \n, and any instances of
89 \ that would otherwise appear in the output are doubled. Prints
90 a blank line for each command that has no output. This option
91 does not affect the formatting of output from the list or find
92 commands; see Table Formatting Options below.
93 --dry-run
95 Prevents ovs-vsctl from actually modifying the database.
96 -t secs
98 --timeout=secs
99 By default, or with a secs of 0, ovs-vsctl waits forever for a
100 response from the database. This option limits runtime to ap‐
101 proximately secs seconds. If the timeout expires, ovs-vsctl
102 will exit with a SIGALRM signal. (A timeout would normally hap‐
103 pen only if the database cannot be contacted, or if the system
104 is overloaded.)
105 --retry
107 Without this option, if ovs-vsctl connects outward to the data‐
108 base server (the default) then ovs-vsctl will try to connect
109 once and exit with an error if the connection fails (which usu‐
110 ally means that ovsdb-server is not running).
111 With this option, or if --db specifies that ovs-vsctl should
113 listen for an incoming connection from the database server, then
114 ovs-vsctl will wait for a connection to the database forever.
115 Regardless of this setting, --timeout always limits how long
117 ovs-vsctl will wait.
118 Table Formatting Options
120 These options control the format of output from the list and find com‐
121 mands.
122 -f format
124 --format=format
125 Sets the type of table formatting. The following types of for‐
126 mat are available:
127 table 2-D text tables with aligned columns.
129 list (default)
131 A list with one column per line and rows separated by a
132 blank line.
133 html HTML tables.
135 csv Comma-separated values as defined in RFC 4180.
137 json JSON format as defined in RFC 4627. The output is a se‐
139 quence of JSON objects, each of which corresponds to one
140 table. Each JSON object has the following members with
141 the noted values:
142 caption
144 The table's caption. This member is omitted if
145 the table has no caption.
146 headings
148 An array with one element per table column. Each
149 array element is a string giving the corresponding
150 column's heading.
151 data An array with one element per table row. Each el‐
153 ement is also an array with one element per table
154 column. The elements of this second-level array
155 are the cells that constitute the table. Cells
156 that represent OVSDB data or data types are ex‐
157 pressed in the format described in the OVSDB spec‐
158 ification; other cells are simply expressed as
159 text strings.
160 -d format
162 --data=format
163 Sets the formatting for cells within output tables unless the
164 table format is set to json, in which case json formatting is
165 always used when formatting cells. The following types of for‐
166 mat are available:
167 string (default)
169 The simple format described in the Database Values sec‐
170 tion below.
171 bare The simple format with punctuation stripped off: [] and
173 {} are omitted around sets, maps, and empty columns,
174 items within sets and maps are space-separated, and
175 strings are never quoted. This format may be easier for
176 scripts to parse.
177 json The RFC 4627 JSON format as described above.
179 --no-headings
181 This option suppresses the heading row that otherwise appears in
182 the first row of table output.
183 --pretty
185 By default, JSON in output is printed as compactly as possible.
186 This option causes JSON in output to be printed in a more read‐
187 able fashion. Members of objects and elements of arrays are
188 printed one per line, with indentation.
189 This option does not affect JSON in tables, which is always
191 printed compactly.
192 --bare Equivalent to --format=list --data=bare --no-headings.
194 --max-column-width=n
196 For table output only, limits the width of any column in the
197 output to n columns. Longer cell data is truncated to fit, as
198 necessary. Columns are always wide enough to display the column
199 names, if the heading row is printed.
200 Public Key Infrastructure Options
202 -p privkey.pem
203 --private-key=privkey.pem
204 Specifies a PEM file containing the private key used as
205 ovs-vsctl's identity for outgoing SSL connections.
206 -c cert.pem
208 --certificate=cert.pem
209 Specifies a PEM file containing a certificate that certifies the
210 private key specified on -p or --private-key to be trustworthy.
211 The certificate must be signed by the certificate authority (CA)
212 that the peer in SSL connections will use to verify it.
213 -C cacert.pem
215 --ca-cert=cacert.pem
216 Specifies a PEM file containing the CA certificate that
217 ovs-vsctl should use to verify certificates presented to it by
218 SSL peers. (This may be the same certificate that SSL peers use
219 to verify the certificate specified on -c or --certificate, or
220 it may be a different one, depending on the PKI design in use.)
221 -C none
223 --ca-cert=none
224 Disables verification of certificates presented by SSL peers.
225 This introduces a security risk, because it means that certifi‐
226 cates cannot be verified to be those of known trusted hosts.
227 --bootstrap-ca-cert=cacert.pem
229 When cacert.pem exists, this option has the same effect as -C or
230 --ca-cert. If it does not exist, then ovs-vsctl will attempt to
231 obtain the CA certificate from the SSL peer on its first SSL
232 connection and save it to the named PEM file. If it is success‐
233 ful, it will immediately drop the connection and reconnect, and
234 from then on all SSL connections must be authenticated by a cer‐
235 tificate signed by the CA certificate thus obtained.
236 This option exposes the SSL connection to a man-in-the-middle
238 attack obtaining the initial CA certificate, but it may be use‐
239 ful for bootstrapping.
240 This option is only useful if the SSL peer sends its CA certifi‐
242 cate as part of the SSL certificate chain. The SSL protocol
243 does not require the server to send the CA certificate.
244 This option is mutually exclusive with -C and --ca-cert.
246 --peer-ca-cert=peer-cacert.pem
248 Specifies a PEM file that contains one or more additional cer‐
249 tificates to send to SSL peers. peer-cacert.pem should be the
250 CA certificate used to sign ovs-vsctl's own certificate, that
251 is, the certificate specified on -c or --certificate. If
252 ovs-vsctl's certificate is self-signed, then --certificate and
253 --peer-ca-cert should specify the same file.
254 This option is not useful in normal operation, because the SSL
256 peer must already have the CA certificate for the peer to have
257 any confidence in ovs-vsctl's identity. However, this offers a
258 way for a new installation to bootstrap the CA certificate on
259 its first SSL connection.
260 -v[spec]
262 --verbose=[spec]
263 Sets logging levels. Without any spec, sets the log level for
264 every module and destination to dbg. Otherwise, spec is a list
265 of words separated by spaces or commas or colons, up to one from
266 each category below:
267 • A valid module name, as displayed by the vlog/list com‐
269 mand on ovs-appctl(8), limits the log level change to the
270 specified module.
271 • syslog, console, or file, to limit the log level change
273 to only to the system log, to the console, or to a file,
274 respectively. (If --detach is specified, ovs-vsctl
275 closes its standard file descriptors, so logging to the
276 console will have no effect.)
277 On Windows platform, syslog is accepted as a word and is
279 only useful along with the --syslog-target option (the
280 word has no effect otherwise).
281 • off, emer, err, warn, info, or dbg, to control the log
283 level. Messages of the given severity or higher will be
284 logged, and messages of lower severity will be filtered
285 out. off filters out all messages. See ovs-appctl(8)
286 for a definition of each log level.
287 Case is not significant within spec.
289 Regardless of the log levels set for file, logging to a file
291 will not take place unless --log-file is also specified (see be‐
292 low).
293 For compatibility with older versions of OVS, any is accepted as
295 a word but has no effect.
296 -v
298 --verbose
299 Sets the maximum logging verbosity level, equivalent to --ver‐
300 bose=dbg.
301 -vPATTERN:destination:pattern
303 --verbose=PATTERN:destination:pattern
304 Sets the log pattern for destination to pattern. Refer to
305 ovs-appctl(8) for a description of the valid syntax for pattern.
306 -vFACILITY:facility
308 --verbose=FACILITY:facility
309 Sets the RFC5424 facility of the log message. facility can be
310 one of kern, user, mail, daemon, auth, syslog, lpr, news, uucp,
311 clock, ftp, ntp, audit, alert, clock2, local0, local1, local2,
312 local3, local4, local5, local6 or local7. If this option is not
313 specified, daemon is used as the default for the local system
314 syslog and local0 is used while sending a message to the target
315 provided via the --syslog-target option.
316 --log-file[=file]
318 Enables logging to a file. If file is specified, then it is
319 used as the exact name for the log file. The default log file
320 name used if file is omitted is /var/log/open‐
321 vswitch/ovs-vsctl.log.
322 --syslog-target=host:port
324 Send syslog messages to UDP port on host, in addition to the
325 system syslog. The host must be a numerical IP address, not a
326 hostname.
327 --syslog-method=method
329 Specify method how syslog messages should be sent to syslog dae‐
330 mon. Following forms are supported:
331 • libc, use libc syslog() function. Downside of using this
333 options is that libc adds fixed prefix to every message
334 before it is actually sent to the syslog daemon over
335 /dev/log UNIX domain socket.
336 • unix:file, use UNIX domain socket directly. It is possi‐
338 ble to specify arbitrary message format with this option.
339 However, rsyslogd 8.9 and older versions use hard coded
340 parser function anyway that limits UNIX domain socket
341 use. If you want to use arbitrary message format with
342 older rsyslogd versions, then use UDP socket to localhost
343 IP address instead.
344 • udp:ip:port, use UDP socket. With this method it is pos‐
346 sible to use arbitrary message format also with older
347 rsyslogd. When sending syslog messages over UDP socket
348 extra precaution needs to be taken into account, for ex‐
349 ample, syslog daemon needs to be configured to listen on
350 the specified UDP port, accidental iptables rules could
351 be interfering with local syslog traffic and there are
352 some security considerations that apply to UDP sockets,
353 but do not apply to UNIX domain sockets.
354 • null, discards all messages logged to syslog.
356 The default is taken from the OVS_SYSLOG_METHOD environment
358 variable; if it is unset, the default is libc.
359 -h
361 --help Prints a brief help message to the console.
362 -V
364 --version
365 Prints version information to the console.
366
368 The commands implemented by ovs-vsctl are described in the sections be‐
369 low.
370 Open vSwitch Commands
372 These commands work with an Open vSwitch as a whole.
373 init Initializes the Open vSwitch database, if it is empty. If the
375 database has already been initialized, this command has no ef‐
376 fect.
377 Any successful ovs-vsctl command automatically initializes the
379 Open vSwitch database if it is empty. This command is provided
380 to initialize the database without executing any other command.
381 show Prints a brief overview of the database contents.
383 emer-reset
385 Reset the configuration into a clean state. It deconfigures
386 OpenFlow controllers, OVSDB servers, and SSL, and deletes port
387 mirroring, fail_mode, NetFlow, sFlow, and IPFIX configuration.
388 This command also removes all other-config keys from all data‐
389 base records, except that other-config:hwaddr is preserved if it
390 is present in a Bridge record. Other networking configuration
391 is left as-is.
392 Bridge Commands
394 These commands examine and manipulate Open vSwitch bridges.
395 [--may-exist] add-br bridge
397 Creates a new bridge named bridge. Initially the bridge will
398 have no ports (other than bridge itself).
399 Without --may-exist, attempting to create a bridge that exists
401 is an error. With --may-exist, this command does nothing if
402 bridge already exists as a real bridge.
403 [--may-exist] add-br bridge parent vlan
405 Creates a ``fake bridge'' named bridge within the existing Open
406 vSwitch bridge parent, which must already exist and must not it‐
407 self be a fake bridge. The new fake bridge will be on 802.1Q
408 VLAN vlan, which must be an integer between 0 and 4095. The
409 parent bridge must not already have a fake bridge for vlan.
410 Initially bridge will have no ports (other than bridge itself).
411 Without --may-exist, attempting to create a bridge that exists
413 is an error. With --may-exist, this command does nothing if
414 bridge already exists as a VLAN bridge under parent for vlan.
415 [--if-exists] del-br bridge
417 Deletes bridge and all of its ports. If bridge is a real
418 bridge, this command also deletes any fake bridges that were
419 created with bridge as parent, including all of their ports.
420 Without --if-exists, attempting to delete a bridge that does not
422 exist is an error. With --if-exists, attempting to delete a
423 bridge that does not exist has no effect.
424 [--real|--fake] list-br
426 Lists all existing real and fake bridges on standard output, one
427 per line. With --real or --fake, only bridges of that type are
428 returned.
429 br-exists bridge
431 Tests whether bridge exists as a real or fake bridge. If so,
432 ovs-vsctl exits successfully with exit code 0. If not,
433 ovs-vsctl exits unsuccessfully with exit code 2.
434 br-to-vlan bridge
436 If bridge is a fake bridge, prints the bridge's 802.1Q VLAN as a
437 decimal integer. If bridge is a real bridge, prints 0.
438 br-to-parent bridge
440 If bridge is a fake bridge, prints the name of its parent
441 bridge. If bridge is a real bridge, print bridge.
442 br-set-external-id bridge key [value]
444 Sets or clears an ``external ID'' value on bridge. These values
445 are intended to identify entities external to Open vSwitch with
446 which bridge is associated, e.g. the bridge's identifier in a
447 virtualization management platform. The Open vSwitch database
448 schema specifies well-known key values, but key and value are
449 otherwise arbitrary strings.
450 If value is specified, then key is set to value for bridge,
452 overwriting any previous value. If value is omitted, then key
453 is removed from bridge's set of external IDs (if it was
454 present).
455 For real bridges, the effect of this command is similar to that
457 of a set or remove command in the external-ids column of the
458 Bridge table. For fake bridges, it actually modifies keys with
459 names prefixed by fake-bridge- in the Port table.
460 br-get-external-id bridge [key]
462 Queries the external IDs on bridge. If key is specified, the
463 output is the value for that key or the empty string if key is
464 unset. If key is omitted, the output is key=value, one per
465 line, for each key-value pair.
466 For real bridges, the effect of this command is similar to that
468 of a get command in the external-ids column of the Bridge table.
469 For fake bridges, it queries keys with names prefixed by
470 fake-bridge- in the Port table.
471 Port Commands
473 These commands examine and manipulate Open vSwitch ports. These com‐
474 mands treat a bonded port as a single entity.
475 list-ports bridge
477 Lists all of the ports within bridge on standard output, one per
478 line. The local port bridge is not included in the list.
479 [--may-exist] add-port bridge port [column[:key]=value]...
481 Creates on bridge a new port named port from the network device
482 of the same name.
483 Optional arguments set values of column in the Port record cre‐
485 ated by the command. For example, tag=9 would make the port an
486 access port for VLAN 9. The syntax is the same as that for the
487 set command (see Database Commands below).
488 Without --may-exist, attempting to create a port that exists is
490 an error. With --may-exist, this command does nothing if port
491 already exists on bridge and is not a bonded port.
492 [--if-exists] del-port [bridge] port
494 Deletes port. If bridge is omitted, port is removed from what‐
495 ever bridge contains it; if bridge is specified, it must be the
496 real or fake bridge that contains port.
497 Without --if-exists, attempting to delete a port that does not
499 exist is an error. With --if-exists, attempting to delete a
500 port that does not exist has no effect.
501 [--if-exists] --with-iface del-port [bridge] iface
503 Deletes the port named iface or that has an interface named
504 iface. If bridge is omitted, the port is removed from whatever
505 bridge contains it; if bridge is specified, it must be the real
506 or fake bridge that contains the port.
507 Without --if-exists, attempting to delete the port for an inter‐
509 face that does not exist is an error. With --if-exists, at‐
510 tempting to delete the port for an interface that does not exist
511 has no effect.
512 port-to-br port
514 Prints the name of the bridge that contains port on standard
515 output.
516 Bond Commands
518 These commands work with ports that have more than one interface, which
519 Open vSwitch calls ``bonds.''
520 [--fake-iface] add-bond bridge port iface... [column[:key]=value]...
522 Creates on bridge a new port named port that bonds together the
523 network devices given as each iface. At least two interfaces
524 must be named. If the interfaces are DPDK enabled then the
525 transaction will need to include operations to explicitly set
526 the interface type to 'dpdk'.
527 Optional arguments set values of column in the Port record cre‐
529 ated by the command. The syntax is the same as that for the set
530 command (see Database Commands below).
531 With --fake-iface, a fake interface with the name port is cre‐
533 ated. This should only be used for compatibility with legacy
534 software that requires it.
535 Without --may-exist, attempting to create a port that exists is
537 an error. With --may-exist, this command does nothing if port
538 already exists on bridge and bonds together exactly the speci‐
539 fied interfaces.
540 [--may-exist] add-bond-iface bond iface
542 Adds iface as a new bond interface to the existing port bond.
543 If bond previously had only one port, this transforms it into a
544 bond.
545 Without --may-exist, attempting to add an iface that is already
547 part of bond is an error. With --may-exist, this command does
548 nothing if iface is already part of bond. (It is still an error
549 if iface is an interface of some other port or bond.)
550 [--if-exists] del-bond-iface [bond] iface
552 Removes iface from its port. If bond is omitted, iface is re‐
553 moved from whatever port contains it; if bond is specified, it
554 must be the port that contains bond.
555 If removing iface causes its port to have only a single inter‐
557 face, then that port transforms from a bond into an ordinary
558 port. It is an error if iface is the only interface in its
559 port.
560 Without --if-exists, attempting to delete an interface that does
562 not exist is an error. With --if-exists, attempting to delete
563 an interface that does not exist has no effect.
564 Interface Commands
566 These commands examine the interfaces attached to an Open vSwitch
567 bridge. These commands treat a bonded port as a collection of two or
568 more interfaces, rather than as a single port.
569 list-ifaces bridge
571 Lists all of the interfaces within bridge on standard output,
572 one per line. The local port bridge is not included in the
573 list.
574 iface-to-br iface
576 Prints the name of the bridge that contains iface on standard
577 output.
578 Conntrack Zone Commands
580 These commands query and modify datapath CT zones and Timeout Policies.
581 [--may-exist] add-zone-tp datapath zone=zone_id policies
583 Creates a conntrack zone timeout policy with zone_id in data‐
584 path. The policies consist of key=value pairs, separated by
585 spaces. For example, icmp_first=30 icmp_reply=60 specifies a
586 30-second timeout policy for the first ICMP packet and a 60-sec‐
587 ond policy for ICMP reply packets. See the CT_Timeout_Policy
588 table in ovs-vswitchd.conf.db(5) for the supported keys.
589 Without --may-exist, attempting to add a zone_id that already
591 exists is an error. With --may-exist, this command does nothing
592 if zone_id already exists.
593 [--if-exists] del-zone-tp datapath zone=zone_id
595 Delete the timeout policy associated with zone_id from datapath.
596 Without --if-exists, attempting to delete a zone that does not
598 exist is an error. With --if-exists, attempting to delete a
599 zone that does not exist has no effect.
600 list-zone-tp datapath
602 Prints the timeout policies of all zones in datapath.
603 Datapath Capabilities Command
605 The command query datapath capabilities.
606 list-dp-cap datapath
608 Prints the datapath's capabilities.
609 OpenFlow Controller Connectivity
611 ovs-vswitchd can perform all configured bridging and switching locally,
612 or it can be configured to communicate with one or more external Open‐
613 Flow controllers. The switch is typically configured to connect to a
614 primary controller that takes charge of the bridge's flow table to im‐
615 plement a network policy. In addition, the switch can be configured to
616 listen to connections from service controllers. Service controllers
617 are typically used for occasional support and maintenance, e.g. with
618 ovs-ofctl.
619 get-controller bridge
621 Prints the configured controller target.
622 del-controller bridge
624 Deletes the configured controller target.
625 set-controller bridge target...
627 Sets the configured controller target or targets. Each target
628 may use any of the following forms:
629 ssl:host[:port]
631 tcp:host[:port]
632 The specified port on the given host, which can be ex‐
633 pressed either as a DNS name (if built with unbound li‐
634 brary) or an IP address in IPv4 or IPv6 address format.
635 Wrap IPv6 addresses in square brackets, e.g.
636 tcp:[::1]:6653. On Linux, use %device to designate a
637 scope for IPv6 link-level addresses, e.g.
638 tcp:[fe80::1234%eth0]:6653. For ssl, the --private-key,
639 --certificate, and --ca-cert options are mandatory.
640 If port is not specified, it defaults to 6653.
642 unix:file
644 On POSIX, a Unix domain server socket named file.
645 On Windows, connect to a local named pipe that is repre‐
647 sented by a file created in the path file to mimic the
648 behavior of a Unix domain socket.
649 pssl:[port][:host]
651 ptcp:[port][:host]
652 Listens for OpenFlow connections on port. The default
653 port is 6653. By default, connections are allowed from
654 any IPv4 address. Specify host as an IPv4 address or a
655 bracketed IPv6 address (e.g. ptcp:6653:[::1]). On Linux,
656 use %device to designate a scope for IPv6 link-level ad‐
657 dresses, e.g. ptcp:6653:[fe80::1234%eth0]. DNS names can
658 be used if built with unbound library. For pssl, the
659 --private-key,--certificate, and --ca-cert options are
660 mandatory.
661 punix:file
663 Listens for OpenFlow connections on the Unix domain
664 server socket named file.
665 Controller Failure Settings
667 When a controller is configured, it is, ordinarily, responsible for
669 setting up all flows on the switch. Thus, if the connection to the
670 controller fails, no new network connections can be set up. If the
671 connection to the controller stays down long enough, no packets can
672 pass through the switch at all.
673 If the value is standalone, or if neither of these settings is set,
675 ovs-vswitchd will take over responsibility for setting up flows when no
676 message has been received from the controller for three times the inac‐
677 tivity probe interval. In this mode, ovs-vswitchd causes the datapath
678 to act like an ordinary MAC-learning switch. ovs-vswitchd will con‐
679 tinue to retry connecting to the controller in the background and, when
680 the connection succeeds, it discontinues its standalone behavior.
681 If this option is set to secure, ovs-vswitchd will not set up flows on
683 its own when the controller connection fails.
684 get-fail-mode bridge
686 Prints the configured failure mode.
687 del-fail-mode bridge
689 Deletes the configured failure mode.
690 set-fail-mode bridge standalone|secure
692 Sets the configured failure mode.
693 Manager Connectivity
695 These commands manipulate the manager_options column in the
696 Open_vSwitch table and rows in the Managers table. When ovsdb-server
697 is configured to use the manager_options column for OVSDB connections
698 (as described in the startup scripts provided with Open vSwitch; the
699 corresponding ovsdb-server command option is --re‐
700 mote=db:Open_vSwitch,Open_vSwitch,manager_options), this allows the ad‐
701 ministrator to use ovs-vsctl to configure database connections.
702 get-manager
704 Prints the configured manager(s).
705 del-manager
707 Deletes the configured manager(s).
708 set-manager target...
710 Sets the configured manager target or targets. Each target may
711 be an OVSDB active or passive connection method, e.g. pssl:6640,
712 as described in ovsdb(7).
713 SSL Configuration
715 When ovs-vswitchd is configured to connect over SSL for management or
716 controller connectivity, the following parameters are required:
717 private-key
719 Specifies a PEM file containing the private key used as the vir‐
720 tual switch's identity for SSL connections to the controller.
721 certificate
723 Specifies a PEM file containing a certificate, signed by the
724 certificate authority (CA) used by the controller and manager,
725 that certifies the virtual switch's private key, identifying a
726 trustworthy switch.
727 ca-cert
729 Specifies a PEM file containing the CA certificate used to ver‐
730 ify that the virtual switch is connected to a trustworthy con‐
731 troller.
732 These files are read only once, at ovs-vswitchd startup time. If their
734 contents change, ovs-vswitchd must be killed and restarted.
735 These SSL settings apply to all SSL connections made by the virtual
737 switch.
738 get-ssl
740 Prints the SSL configuration.
741 del-ssl
743 Deletes the current SSL configuration.
744 [--bootstrap] set-ssl private-key certificate ca-cert
746 Sets the SSL configuration. The --bootstrap option is described
747 below.
748 CA Certificate Bootstrap
750 Ordinarily, all of the files named in the SSL configuration must exist
752 when ovs-vswitchd starts. However, if the ca-cert file does not exist
753 and the --bootstrap option is given, then ovs-vswitchd will attempt to
754 obtain the CA certificate from the controller on its first SSL connec‐
755 tion and save it to the named PEM file. If it is successful, it will
756 immediately drop the connection and reconnect, and from then on all SSL
757 connections must be authenticated by a certificate signed by the CA
758 certificate thus obtained.
759 This option exposes the SSL connection to a man-in-the-middle attack
761 obtaining the initial CA certificate, but it may be useful for boot‐
762 strapping.
763 This option is only useful if the controller sends its CA certificate
765 as part of the SSL certificate chain. The SSL protocol does not re‐
766 quire the controller to send the CA certificate.
767 Auto-Attach Commands
769 The IETF Auto-Attach SPBM draft standard describes a compact method of
770 using IEEE 802.1AB Link Layer Discovery Protocol (LLDP) together with a
771 IEEE 802.1aq Shortest Path Bridging (SPB) network to automatically at‐
772 tach network devices to individual services in a SPB network. The in‐
773 tent here is to allow network applications and devices using OVS to be
774 able to easily take advantage of features offered by industry standard
775 SPB networks. A fundamental element of the Auto-Attach feature is to
776 map traditional VLANs onto SPB I_SIDs. These commands manage the Auto-
777 Attach I-SID/VLAN mappings.
778 add-aa-mapping bridge i-sid vlan
780 Creates a new Auto-Attach mapping on bridge for i-sid and vlan.
781 del-aa-mapping bridge i-sid vlan
783 Deletes an Auto-Attach mapping on bridge for i-sid and vlan.
784 get-aa-mapping bridge
786 Lists all of the Auto-Attach mappings within bridge on standard
787 output.
788 Database Commands
790 These commands query and modify the contents of ovsdb tables. They are
791 a slight abstraction of the ovsdb interface and as such they operate at
792 a lower level than other ovs-vsctl commands.
793 Identifying Tables, Records, and Columns
795 Each of these commands has a table parameter to identify a table within
797 the database. Many of them also take a record parameter that identi‐
798 fies a particular record within a table. The record parameter may be
799 the UUID for a record, and many tables offer additional ways to iden‐
800 tify records. Some commands also take column parameters that identify
801 a particular field within the records in a table.
802 For a list of tables and their columns, see ovs-vswitchd.conf.db(5) or
804 see the table listing from the --help option.
805 Record names must be specified in full and with correct capitalization,
807 except that UUIDs may be abbreviated to their first 4 (or more) hex
808 digits, as long as that is unique within the table. Names of tables
809 and columns are not case-sensitive, and - and _ are treated inter‐
810 changeably. Unique abbreviations of table and column names are accept‐
811 able, e.g. net or n is sufficient to identify the NetFlow table.
812 Database Values
814 Each column in the database accepts a fixed type of data. The cur‐
816 rently defined basic types, and their representations, are:
817 integer
819 A decimal integer in the range -2**63 to 2**63-1, inclusive.
820 real A floating-point number.
822 Boolean
824 True or false, written true or false, respectively.
825 string An arbitrary Unicode string, except that null bytes are not al‐
827 lowed. Quotes are optional for most strings that begin with an
828 English letter or underscore and consist only of letters, under‐
829 scores, hyphens, and periods. However, true and false and
830 strings that match the syntax of UUIDs (see below) must be en‐
831 closed in double quotes to distinguish them from other basic
832 types. When double quotes are used, the syntax is that of
833 strings in JSON, e.g. backslashes may be used to escape special
834 characters. The empty string must be represented as a pair of
835 double quotes ("").
836 UUID Either a universally unique identifier in the style of RFC 4122,
838 e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or an @name defined
839 by a get or create command within the same ovs-vsctl invocation.
840 Multiple values in a single column may be separated by spaces or a sin‐
842 gle comma. When multiple values are present, duplicates are not al‐
843 lowed, and order is not important. Conversely, some database columns
844 can have an empty set of values, represented as [], and square brackets
845 may optionally enclose other non-empty sets or single values as well.
846 For a column accepting a set of integers, database commands accept a
847 range. A range is represented by two integers separated by -. A range
848 is inclusive. A range has a maximum size of 4096 elements. If more ele‐
849 ments are needed, they can be specified in separate ranges.
850 A few database columns are ``maps'' of key-value pairs, where the key
852 and the value are each some fixed database type. These are specified
853 in the form key=value, where key and value follow the syntax for the
854 column's key type and value type, respectively. When multiple pairs
855 are present (separated by spaces or a comma), duplicate keys are not
856 allowed, and again the order is not important. Duplicate values are
857 allowed. An empty map is represented as {}. Curly braces may option‐
858 ally enclose non-empty maps as well (but use quotes to prevent the
859 shell from expanding other-config={0=x,1=y} into other-config=0=x
860 other-config=1=y, which may not have the desired effect).
861 Database Command Syntax
863 [--if-exists] [--columns=column[,column]...] list table [record]...
865 Lists the data in each specified record. If no records are
866 specified, lists all the records in table.
867 If --columns is specified, only the requested columns are
869 listed, in the specified order. Otherwise, all columns are
870 listed, in alphabetical order by column name.
871 Without --if-exists, it is an error if any specified record does
873 not exist. With --if-exists, the command ignores any record
874 that does not exist, without producing any output.
875 [--columns=column[,column]...] find table [column[:key]=value]...
877 Lists the data in each record in table whose column equals value
878 or, if key is specified, whose column contains a key with the
879 specified value. The following operators may be used where = is
880 written in the syntax summary:
881 = != < > <= >=
883 Selects records in which column[:key] equals, does not
884 equal, is less than, is greater than, is less than or
885 equal to, or is greater than or equal to value, respec‐
886 tively.
887 Consider column[:key] and value as sets of elements.
889 Identical sets are considered equal. Otherwise, if the
890 sets have different numbers of elements, then the set
891 with more elements is considered to be larger. Other‐
892 wise, consider a element from each set pairwise, in in‐
893 creasing order within each set. The first pair that dif‐
894 fers determines the result. (For a column that contains
895 key-value pairs, first all the keys are compared, and
896 values are considered only if the two sets contain iden‐
897 tical keys.)
898 {=} {!=}
900 Test for set equality or inequality, respectively.
901 {<=} Selects records in which column[:key] is a subset of
903 value. For example, flood-vlans{<=}1,2 selects records
904 in which the flood-vlans column is the empty set or con‐
905 tains 1 or 2 or both.
906 {<} Selects records in which column[:key] is a proper subset
908 of value. For example, flood-vlans{<}1,2 selects records
909 in which the flood-vlans column is the empty set or con‐
910 tains 1 or 2 but not both.
911 {>=} {>}
913 Same as {<=} and {<}, respectively, except that the rela‐
914 tionship is reversed. For example, flood-vlans{>=}1,2
915 selects records in which the flood-vlans column contains
916 both 1 and 2.
917 The following operators are available only in Open vSwitch 2.16
919 and later:
920 {in} Selects records in which every element in column[:key] is
922 also in value. (This is the same as {<=}.)
923 {not-in}
925 Selects records in which every element in column[:key] is
926 not in value.
927 For arithmetic operators (= != < > <= >=), when key is specified
929 but a particular record's column does not contain key, the
930 record is always omitted from the results. Thus, the condition
931 other-config:mtu!=1500 matches records that have a mtu key whose
932 value is not 1500, but not those that lack an mtu key.
933 For the set operators, when key is specified but a particular
935 record's column does not contain key, the comparison is done
936 against an empty set. Thus, the condition other-con‐
937 fig:mtu{!=}1500 matches records that have a mtu key whose value
938 is not 1500 and those that lack an mtu key.
939 Don't forget to escape < or > from interpretation by the shell.
941 If --columns is specified, only the requested columns are
943 listed, in the specified order. Otherwise all columns are
944 listed, in alphabetical order by column name.
945 The UUIDs shown for rows created in the same ovs-vsctl invoca‐
947 tion will be wrong.
948 [--if-exists] [--id=@name] get table record [column[:key]]...
950 Prints the value of each specified column in the given record in
951 table. For map columns, a key may optionally be specified, in
952 which case the value associated with key in the column is
953 printed, instead of the entire map.
954 Without --if-exists, it is an error if record does not exist or
956 key is specified, if key does not exist in record. With
957 --if-exists, a missing record yields no output and a missing key
958 prints a blank line.
959 If @name is specified, then the UUID for record may be referred
961 to by that name later in the same ovs-vsctl invocation in con‐
962 texts where a UUID is expected.
963 Both --id and the column arguments are optional, but usually at
965 least one or the other should be specified. If both are omit‐
966 ted, then get has no effect except to verify that record exists
967 in table.
968 --id and --if-exists cannot be used together.
970 [--if-exists] set table record column[:key]=value...
972 Sets the value of each specified column in the given record in
973 table to value. For map columns, a key may optionally be speci‐
974 fied, in which case the value associated with key in that column
975 is changed (or added, if none exists), instead of the entire
976 map.
977 Without --if-exists, it is an error if record does not exist.
979 With --if-exists, this command does nothing if record does not
980 exist.
981 [--if-exists] add table record column [key=]value...
983 Adds the specified value or key-value pair to column in record
984 in table. If column is a map, then key is required, otherwise
985 it is prohibited. If key already exists in a map column, then
986 the current value is not replaced (use the set command to re‐
987 place an existing value).
988 Without --if-exists, it is an error if record does not exist.
990 With --if-exists, this command does nothing if record does not
991 exist.
992 [--if-exists] remove table record column value...
994 [--if-exists] remove table record column key...
995 [--if-exists] remove table record column key=value...
996 Removes the specified values or key-value pairs from column in
997 record in table. The first form applies to columns that are not
998 maps: each specified value is removed from the column. The sec‐
999 ond and third forms apply to map columns: if only a key is spec‐
1000 ified, then any key-value pair with the given key is removed,
1001 regardless of its value; if a value is given then a pair is re‐
1002 moved only if both key and value match.
1003 It is not an error if the column does not contain the specified
1005 key or value or pair.
1006 Without --if-exists, it is an error if record does not exist.
1008 With --if-exists, this command does nothing if record does not
1009 exist.
1010 [--if-exists] clear table record column...
1012 Sets each column in record in table to the empty set or empty
1013 map, as appropriate. This command applies only to columns that
1014 are allowed to be empty.
1015 Without --if-exists, it is an error if record does not exist.
1017 With --if-exists, this command does nothing if record does not
1018 exist.
1019 [--id=(@name | uuid] create table column[:key]=value...
1021 Creates a new record in table and sets the initial values of
1022 each column. Columns not explicitly set will receive their de‐
1023 fault values. Outputs the UUID of the new row.
1024 If @name is specified, then the UUID for the new row may be re‐
1026 ferred to by that name elsewhere in the same ovs-vsctl invoca‐
1027 tion in contexts where a UUID is expected. Such references may
1028 precede or follow the create command.
1029 If a valid uuid is specified, then it is used as the UUID of the
1031 new row.
1032 Caution (ovs-vsctl as example)
1034 Records in the Open vSwitch database are significant only
1035 when they can be reached directly or indirectly from the
1036 Open_vSwitch table. Except for records in the QoS or
1037 Queue tables, records that are not reachable from the
1038 Open_vSwitch table are automatically deleted from the
1039 database. This deletion happens immediately, without
1040 waiting for additional ovs-vsctl commands or other data‐
1041 base activity. Thus, a create command must generally be
1042 accompanied by additional commands within the same
1043 ovs-vsctl invocation to add a chain of references to the
1044 newly created record from the top-level Open_vSwitch
1045 record. The EXAMPLES section gives some examples that
1046 show how to do this.
1047 [--if-exists] destroy table record...
1049 Deletes each specified record from table. Unless --if-exists is
1050 specified, each records must exist.
1051 --all destroy table
1053 Deletes all records from the table.
1054 Caution (ovs-vsctl as example)
1056 The destroy command is only useful for records in the QoS
1057 or Queue tables. Records in other tables are automati‐
1058 cally deleted from the database when they become unreach‐
1059 able from the Open_vSwitch table. This means that delet‐
1060 ing the last reference to a record is sufficient for
1061 deleting the record itself. For records in these tables,
1062 destroy is silently ignored. See the EXAMPLES section
1063 below for more information.
1064 wait-until table record [column[:key]=value]...
1066 Waits until table contains a record named record whose column
1067 equals value or, if key is specified, whose column contains a
1068 key with the specified value. This command supports the same
1069 operators and semantics described for the find command above.
1070 If no column[:key]=value arguments are given, this command waits
1072 only until record exists. If more than one such argument is
1073 given, the command waits until all of them are satisfied.
1074 Caution (ovs-vsctl as example)
1076 Usually wait-until should be placed at the beginning of a
1077 set of ovs-vsctl commands. For example, wait-until
1078 bridge br0 -- get bridge br0 datapath_id waits until a
1079 bridge named br0 is created, then prints its datapath_id
1080 column, whereas get bridge br0 datapath_id -- wait-until
1081 bridge br0 will abort if no bridge named br0 exists when
1082 ovs-vsctl initially connects to the database.
1083 Consider specifying --timeout=0 along with --wait-until, to pre‐
1085 vent ovs-vsctl from terminating after waiting only at most 5
1086 seconds.
1087 comment [arg]...
1089 This command has no effect on behavior, but any database log
1090 record created by the command will include the command and its
1091 arguments.
1092
1094 Create a new bridge named br0 and add port eth0 to it:
1095 ovs-vsctl add-br br0
1097 ovs-vsctl add-port br0 eth0
1098 Alternatively, perform both operations in a single atomic transaction:
1100 ovs-vsctl add-br br0 -- add-port br0 eth0
1102 Delete bridge br0, reporting an error if it does not exist:
1104 ovs-vsctl del-br br0
1106 Delete bridge br0 if it exists:
1108 ovs-vsctl --if-exists del-br br0
1110 Set the qos column of the Port record for eth0 to point to a new QoS
1112 record, which in turn points with its queue 0 to a new Queue record:
1113 ovs-vsctl -- set port eth0 qos=@newqos -- --id=@newqos create
1115 qos type=linux-htb other-config:max-rate=1000000
1116 queues:0=@newqueue -- --id=@newqueue create queue other-con‐
1117 fig:min-rate=1000000 other-config:max-rate=1000000
1118
1120 Port Configuration
1121 Add an ``internal port'' vlan10 to bridge br0 as a VLAN access port for
1122 VLAN 10, and configure it with an IP address:
1123 ovs-vsctl add-port br0 vlan10 tag=10 -- set Interface vlan10
1125 type=internal
1126 ip addr add 192.168.0.123/24 dev vlan10
1128 Add a GRE tunnel port gre0 to remote IP address 1.2.3.4 to bridge br0:
1130 ovs-vsctl add-port br0 gre0 -- set Interface gre0 type=gre op‐
1132 tions:remote_ip=1.2.3.4
1133 Port Mirroring
1135 Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming
1136 that all of those ports exist on bridge br0 (as a side-effect this
1137 causes any packets received on eth2 to be ignored):
1138 ovs-vsctl -- set Bridge br0 mirrors=@m \
1140 -- --id=@eth0 get Port eth0 \
1142 -- --id=@eth1 get Port eth1 \
1144 -- --id=@eth2 get Port eth2 \
1146 -- --id=@m create Mirror name=mymirror select-dst-
1148 port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2
1149 Remove the mirror created above from br0, which also destroys the Mir‐
1151 ror record (since it is now unreferenced):
1152 ovs-vsctl -- --id=@rec get Mirror mymirror \
1154 -- remove Bridge br0 mirrors @rec
1156 The following simpler command also works:
1158 ovs-vsctl clear Bridge br0 mirrors
1160 Quality of Service (QoS)
1162 Create a linux-htb QoS record that points to a few queues and use it on
1163 eth0 and eth1:
1164 ovs-vsctl -- set Port eth0 qos=@newqos \
1166 -- set Port eth1 qos=@newqos \
1168 -- --id=@newqos create QoS type=linux-htb other-con‐
1170 fig:max-rate=1000000000 queues=0=@q0,1=@q1 \
1171 -- --id=@q0 create Queue other-config:min-rate=100000000
1173 other-config:max-rate=100000000 \
1174 -- --id=@q1 create Queue other-config:min-rate=500000000
1176 Deconfigure the QoS record above from eth1 only:
1178 ovs-vsctl clear Port eth1 qos
1180 To deconfigure the QoS record from both eth0 and eth1 and then delete
1182 the QoS record (which must be done explicitly because unreferenced QoS
1183 records are not automatically destroyed):
1184 ovs-vsctl -- destroy QoS eth0 -- clear Port eth0 qos -- clear
1186 Port eth1 qos
1187 (This command will leave two unreferenced Queue records in the data‐
1189 base. To delete them, use "ovs-vsctl list Queue" to find their UUIDs,
1190 then "ovs-vsctl destroy Queue uuid1 uuid2" to destroy each of them or
1191 use "ovs-vsctl -- --all destroy Queue" to delete all records.)
1192 Connectivity Monitoring
1194 Monitor connectivity to a remote maintenance point on eth0.
1195 ovs-vsctl set Interface eth0 cfm_mpid=1
1197 Deconfigure connectivity monitoring from above:
1199 ovs-vsctl clear Interface eth0 cfm_mpid
1201 NetFlow
1203 Configure bridge br0 to send NetFlow records to UDP port 5566 on host
1204 192.168.0.34, with an active timeout of 30 seconds:
1205 ovs-vsctl -- set Bridge br0 netflow=@nf \
1207 -- --id=@nf create NetFlow targets=\"192.168.0.34:5566\" ac‐
1209 tive-timeout=30
1210 Update the NetFlow configuration created by the previous command to in‐
1212 stead use an active timeout of 60 seconds:
1213 ovs-vsctl set NetFlow br0 active_timeout=60
1215 Deconfigure the NetFlow settings from br0, which also destroys the Net‐
1217 Flow record (since it is now unreferenced):
1218 ovs-vsctl clear Bridge br0 netflow
1220 sFlow
1222 Configure bridge br0 to send sFlow records to a collector on 10.0.0.1
1223 at port 6343, using eth1's IP address as the source, with specific sam‐
1224 pling parameters:
1225 ovs-vsctl -- --id=@s create sFlow agent=eth1 tar‐
1227 get=\"10.0.0.1:6343\" header=128 sampling=64 polling=10 \
1228 -- set Bridge br0 sflow=@s
1230 Deconfigure sFlow from br0, which also destroys the sFlow record (since
1232 it is now unreferenced):
1233 ovs-vsctl -- clear Bridge br0 sflow
1235 IPFIX
1237 Configure bridge br0 to send one IPFIX flow record per packet sample to
1238 UDP port 4739 on host 192.168.0.34, with Observation Domain ID 123 and
1239 Observation Point ID 456, a flow cache active timeout of 1 minute (60
1240 seconds), maximum flow cache size of 13 flows, and flows sampled on
1241 output port with tunnel info(sampling on input and output port is en‐
1242 abled by default if not disabled) :
1243 ovs-vsctl -- set Bridge br0 ipfix=@i \
1245 -- --id=@i create IPFIX targets=\"192.168.0.34:4739\" obs_do‐
1247 main_id=123 obs_point_id=456 cache_active_timeout=60
1248 cache_max_flows=13 \
1249 other_config:enable-input-sampling=false other_config:enable-
1251 tunnel-sampling=true
1252 Deconfigure the IPFIX settings from br0, which also destroys the IPFIX
1254 record (since it is now unreferenced):
1255 ovs-vsctl clear Bridge br0 ipfix
1257 802.1D Spanning Tree Protocol (STP)
1259 Configure bridge br0 to participate in an 802.1D spanning tree:
1260 ovs-vsctl set Bridge br0 stp_enable=true
1262 Set the bridge priority of br0 to 0x7800:
1264 ovs-vsctl set Bridge br0 other_config:stp-priority=0x7800
1266 Set the path cost of port eth0 to 10:
1268 ovs-vsctl set Port eth0 other_config:stp-path-cost=10
1270 Deconfigure STP from above:
1272 ovs-vsctl set Bridge br0 stp_enable=false
1274 Multicast Snooping
1276 Configure bridge br0 to enable multicast snooping:
1277 ovs-vsctl set Bridge br0 mcast_snooping_enable=true
1279 Set the multicast snooping aging time br0 to 300 seconds:
1281 ovs-vsctl set Bridge br0 other_config:mcast-snooping-aging-
1283 time=300
1284 Set the multicast snooping table size br0 to 2048 entries:
1286 ovs-vsctl set Bridge br0 other_config:mcast-snooping-table-
1288 size=2048
1289 Disable flooding of unregistered multicast packets to all ports. When
1291 set to true, the switch will send unregistered multicast packets only
1292 to ports connected to multicast routers. When it is set to false, the
1293 switch will send them to all ports. This command disables the flood of
1294 unregistered packets on bridge br0.
1295 ovs-vsctl set Bridge br0 other_config:mcast-snooping-disable-
1297 flood-unregistered=true
1298 Enable flooding of multicast packets (except Reports) on a specific
1300 port.
1301 ovs-vsctl set Port eth1 other_config:mcast-snooping-flood=true
1303 Enable flooding of Reports on a specific port.
1305 ovs-vsctl set Port eth1 other_config:mcast-snooping-flood-re‐
1307 ports=true
1308 Deconfigure multicasting snooping from above:
1310 ovs-vsctl set Bridge br0 mcast_snooping_enable=false
1312 802.1D-2004 Rapid Spanning Tree Protocol (RSTP)
1314 Configure bridge br0 to participate in an 802.1D-2004 Rapid Spanning
1315 Tree:
1316 ovs-vsctl set Bridge br0 rstp_enable=true
1318 Set the bridge address of br0 to 00:aa:aa:aa:aa:aa :
1320 ovs-vsctl set Bridge br0 other_config:rstp-ad‐
1322 dress=00:aa:aa:aa:aa:aa
1323 Set the bridge priority of br0 to 0x7000. The value must be specified
1325 in decimal notation and should be a multiple of 4096 (if not, it is
1326 rounded down to the nearest multiple of 4096). The default priority
1327 value is 0x800 (32768).
1328 ovs-vsctl set Bridge br0 other_config:rstp-priority=28672
1330 Set the bridge ageing time of br0 to 1000 s. The ageing time value
1332 should be between 10 s and 1000000 s. The default value is 300 s.
1333 ovs-vsctl set Bridge br0 other_config:rstp-ageing-time=1000
1335 Set the bridge force protocol version of br0 to 0. The force protocol
1337 version has two acceptable values: 0 (STP compatibility mode) and 2
1338 (normal operation).
1339 ovs-vsctl set Bridge br0 other_config:rstp-force-protocol-ver‐
1341 sion=0
1342 Set the bridge max age of br0 to 10 s. The max age value should be be‐
1344 tween 6 s and 40 s. The default value is 20 s.
1345 ovs-vsctl set Bridge br0 other_config:rstp-max-age=10
1347 Set the bridge forward delay of br0 to 15 s. This value should be be‐
1349 tween 4 s and 30 s. The default value is 15 s.
1350 ovs-vsctl set Bridge br0 other_config:rstp-forward-delay=15
1352 Set the bridge transmit hold count of br0 to 7 s. This value should be
1354 between 1 s and 10 s. The default value is 6 s.
1355 ovs-vsctl set Bridge br0 other_config:rstp-transmit-hold-count=7
1357 Enable RSTP on the Port eth0:
1359 ovs-vsctl set Port eth0 other_config:rstp-enable=true
1361 Disable RSTP on the Port eth0:
1363 ovs-vsctl set Port eth0 other_config:rstp-enable=false
1365 Set the priority of port eth0 to 32. The value must be specified in
1367 decimal notation and should be a multiple of 16 (if not, it is rounded
1368 down to the nearest multiple of 16). The default priority value is 0x80
1369 (128).
1370 ovs-vsctl set Port eth0 other_config:rstp-port-priority=32
1372 Set the port number of port eth0 to 3:
1374 ovs-vsctl set Port eth0 other_config:rstp-port-num=3
1376 Set the path cost of port eth0 to 150:
1378 ovs-vsctl set Port eth0 other_config:rstp-path-cost=150
1380 Set the admin edge value of port eth0:
1382 ovs-vsctl set Port eth0 other_config:rstp-port-admin-edge=true
1384 Set the auto edge value of port eth0:
1386 ovs-vsctl set Port eth0 other_config:rstp-port-auto-edge=true
1388 Set the admin point to point MAC value of port eth0. Acceptable values
1390 are 0 (not point-to-point), 1 (point-to-point, the default value) or 2
1391 (automatic detection). The auto-detection mode is not currently imple‐
1392 mented, and the value 2 has the same effect of 0 (not point-to-point).
1393 ovs-vsctl set Port eth0 other_config:rstp-admin-p2p-mac=1
1395 Set the admin port state value of port eth0. true is the default
1397 value.
1398 ovs-vsctl set Port eth0 other_config:rstp-admin-port-state=false
1400 Set the mcheck value of port eth0:
1402 ovs-vsctl set Port eth0 other_config:rstp-port-mcheck=true
1404 Deconfigure RSTP from above:
1406 ovs-vsctl set Bridge br0 rstp_enable=false
1408 OpenFlow Version
1410 Configure bridge br0 to support OpenFlow versions 1.0, 1.2, and 1.3:
1411 ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow12,Open‐
1413 Flow13
1414 Flow Table Configuration
1416 Make flow table 0 on bridge br0 refuse to accept more than 100 flows:
1417 ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 over‐
1419 flow_policy=refuse -- set Bridge br0 flow_tables=0=@ft
1420 Make flow table 0 on bridge br0 evict flows, with fairness based on the
1422 matched ingress port, when there are more than 100:
1423 ovs-vsctl -- --id=@ft create Flow_Table flow_limit=100 over‐
1425 flow_policy=evict groups='"NXM_OF_IN_PORT[]"' -- set Bridge br0
1426 flow_tables:0=@ft
1427
1429 0 Successful program execution.
1430 1 Usage, syntax, or configuration file error.
1432 2 The bridge argument to br-exists specified the name of a bridge
1434 that does not exist.
1435
1437 ovsdb-server(1), ovs-vswitchd(8), ovs-vswitchd.conf.db(5).
1438Open vSwitch 3.1.1 ovs-vsctl(8)