Provided by: openvswitch-switch_2.0.2-0ubuntu0.14.04.3_amd64
NAME
Open_vSwitch - Open_vSwitch database schema A database with this schema holds the configuration for one Open vSwitch daemon. The top- level configuration for the daemon is the Open_vSwitch table, which must have exactly one record. Records in other tables are significant only when they can be reached directly or indirectly from the Open_vSwitch table. Records that are not reachable from the Open_vSwitch table are automatically deleted from the database, except for records in a few distinguished ``root set’’ tables. Common Columns Most tables contain two special columns, named other_config and external_ids. These columns have the same form and purpose each place that they appear, so we describe them here to save space later. other_config: map of string-string pairs Key-value pairs for configuring rarely used features. Supported keys, along with the forms taken by their values, are documented individually for each table. A few tables do not have other_config columns because no key-value pairs have yet been defined for them. external_ids: map of string-string pairs Key-value pairs for use by external frameworks that integrate with Open vSwitch, rather than by Open vSwitch itself. System integrators should either use the Open vSwitch development mailing list to coordinate on common key-value definitions, or choose key names that are likely to be unique. In some cases, where key-value pairs have been defined that are likely to be widely useful, they are documented individually for each table.
TABLE SUMMARY
The following list summarizes the purpose of each of the tables in the Open_vSwitch database. Each table is described in more detail on a later page. Table Purpose Open_vSwitch Open vSwitch configuration. Bridge Bridge configuration. Port Port configuration. Interface One physical network device in a Port. Flow_Table OpenFlow table configuration QoS Quality of Service configuration Queue QoS output queue. Mirror Port mirroring. Controller OpenFlow controller configuration. Manager OVSDB management connection. NetFlow NetFlow configuration. SSL SSL configuration. sFlow sFlow configuration. IPFIX IPFIX configuration. Flow_Sample_Collector_Set Flow_Sample_Collector_Set configuration.
Open_vSwitch TABLE
Configuration for an Open vSwitch daemon. There must be exactly one record in the Open_vSwitch table. Summary: Configuration: bridges set of Bridges ssl optional SSL external_ids : system-id optional string external_ids : xs-system-uuid optional string other_config : flow-restore-wait optional string, either true or false other_config : flow-eviction-threshold optional string, containing an integer, at least 0 other_config : force-miss-model optional string other_config : n-handler-threads optional string, containing an integer, at least 1 Status: next_cfg integer cur_cfg integer Statistics: other_config : enable-statistics optional string, either true or false statistics : cpu optional string, containing an integer, at least 1 statistics : load_average optional string statistics : memory optional string statistics : process_NAME optional string statistics : file_systems optional string Version Reporting: ovs_version optional string db_version optional string system_type optional string system_version optional string Database Configuration: manager_options set of Managers Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: Configuration: bridges: set of Bridges Set of bridges managed by the daemon. ssl: optional SSL SSL used globally by the daemon. external_ids : system-id: optional string A unique identifier for the Open vSwitch’s physical host. The form of the identifier depends on the type of the host. On a Citrix XenServer, this will likely be the same as external_ids:xs-system-uuid. external_ids : xs-system-uuid: optional string The Citrix XenServer universally unique identifier for the physical host as displayed by xe host-list. other_config : flow-restore-wait: optional string, either true or false When ovs-vswitchd starts up, it has an empty flow table and therefore it handles all arriving packets in its default fashion according to its configuration, by dropping them or sending them to an OpenFlow controller or switching them as a standalone switch. This behavior is ordinarily desirable. However, if ovs-vswitchd is restarting as part of a ``hot-upgrade,’’ then this leads to a relatively long period during which packets are mishandled. This option allows for improvement. When ovs-vswitchd starts with this value set as true, it will neither flush or expire previously set datapath flows nor will it send and receive any packets to or from the datapath. When this value is later set to false, ovs-vswitchd will start receiving packets from the datapath and re-setup the flows. Thus, with this option, the procedure for a hot-upgrade of ovs-vswitchd becomes roughly the following: 1. Stop ovs-vswitchd. 2. Set other_config:flow-restore-wait to true. 3. Start ovs-vswitchd. 4. Use ovs-ofctl (or some other program, such as an OpenFlow controller) to restore the OpenFlow flow table to the desired state. 5. Set other_config:flow-restore-wait to false (or remove it entirely from the database). The ovs-ctl’s ``restart’’ and ``force-reload-kmod’’ functions use the above config option during hot upgrades. other_config : flow-eviction-threshold: optional string, containing an integer, at least 0 A number of flows as a nonnegative integer. This sets number of flows at which eviction from the datapath flow table will be triggered. If there are a large number of flows then increasing this value to around the number of flows present can result in reduced CPU usage and packet loss. The default is 2500. Values below 100 will be rounded up to 100. other_config : force-miss-model: optional string Specifies userspace behaviour for handling flow misses. This takes precedence over flow-eviction-threshold. auto Handle automatically based on the flow-eviction-threshold and the flow setup governer (default, recommended). with-facets Always create facets. Expensive kernel flow creation and statistics tracking is always performed, even on flows with only a small number of packets. without-facets Always handle without facets. Forces flow misses to be handled in userspace. May cause an increase in CPU usage and packet loss on high throughput. other_config : n-handler-threads: optional string, containing an integer, at least 1 Specifies the number of threads for software datapaths to use for handling new flows. The default is two less than the number of online CPU cores (but at least 1). This configuration is per datapath. If you have more than one software datapath (e.g. some system bridges and some netdev bridges), then the total number of threads is n-handler-threads times the number of software datapaths. Status: next_cfg: integer Sequence number for client to increment. When a client modifies any part of the database configuration and wishes to wait for Open vSwitch to finish applying the changes, it may increment this sequence number. cur_cfg: integer Sequence number that Open vSwitch sets to the current value of next_cfg after it finishes applying a set of configuration changes. Statistics: The statistics column contains key-value pairs that report statistics about a system running an Open vSwitch. These are updated periodically (currently, every 5 seconds). Key-value pairs that cannot be determined or that do not apply to a platform are omitted. other_config : enable-statistics: optional string, either true or false Statistics are disabled by default to avoid overhead in the common case when statistics gathering is not useful. Set this value to true to enable populating the statistics column or to false to explicitly disable it. statistics : cpu: optional string, containing an integer, at least 1 Number of CPU processors, threads, or cores currently online and available to the operating system on which Open vSwitch is running, as an integer. This may be less than the number installed, if some are not online or if they are not available to the operating system. Open vSwitch userspace processes are not multithreaded, but the Linux kernel-based datapath is. statistics : load_average: optional string A comma-separated list of three floating-point numbers, representing the system load average over the last 1, 5, and 15 minutes, respectively. statistics : memory: optional string A comma-separated list of integers, each of which represents a quantity of memory in kilobytes that describes the operating system on which Open vSwitch is running. In respective order, these values are: 1. Total amount of RAM allocated to the OS. 2. RAM allocated to the OS that is in use. 3. RAM that can be flushed out to disk or otherwise discarded if that space is needed for another purpose. This number is necessarily less than or equal to the previous value. 4. Total disk space allocated for swap. 5. Swap space currently in use. On Linux, all five values can be determined and are included. On other operating systems, only the first two values can be determined, so the list will only have two values. statistics : process_NAME: optional string One such key-value pair, with NAME replaced by a process name, will exist for each running Open vSwitch daemon process, with name replaced by the daemon’s name (e.g. process_ovs-vswitchd). The value is a comma-separated list of integers. The integers represent the following, with memory measured in kilobytes and durations in milliseconds: 1. The process’s virtual memory size. 2. The process’s resident set size. 3. The amount of user and system CPU time consumed by the process. 4. The number of times that the process has crashed and been automatically restarted by the monitor. 5. The duration since the process was started. 6. The duration for which the process has been running. The interpretation of some of these values depends on whether the process was started with the --monitor. If it was not, then the crash count will always be 0 and the two durations will always be the same. If --monitor was given, then the crash count may be positive; if it is, the latter duration is the amount of time since the most recent crash and restart. There will be one key-value pair for each file in Open vSwitch’s ``run directory’’ (usually /var/run/openvswitch) whose name ends in .pid, whose contents are a process ID, and which is locked by a running process. The name is taken from the pidfile’s name. Currently Open vSwitch is only able to obtain all of the above detail on Linux systems. On other systems, the same key-value pairs will be present but the values will always be the empty string. statistics : file_systems: optional string A space-separated list of information on local, writable file systems. Each item in the list describes one file system and consists in turn of a comma-separated list of the following: 1. Mount point, e.g. / or /var/log. Any spaces or commas in the mount point are replaced by underscores. 2. Total size, in kilobytes, as an integer. 3. Amount of storage in use, in kilobytes, as an integer. This key-value pair is omitted if there are no local, writable file systems or if Open vSwitch cannot obtain the needed information. Version Reporting: These columns report the types and versions of the hardware and software running Open vSwitch. We recommend in general that software should test whether specific features are supported instead of relying on version number checks. These values are primarily intended for reporting to human administrators. ovs_version: optional string The Open vSwitch version number, e.g. 1.1.0. db_version: optional string The database schema version number in the form major.minor.tweak, e.g. 1.2.3. Whenever the database schema is changed in a non-backward compatible way (e.g. deleting a column or a table), major is incremented. When the database schema is changed in a backward compatible way (e.g. adding a new column), minor is incremented. When the database schema is changed cosmetically (e.g. reindenting its syntax), tweak is incremented. The schema version is part of the database schema, so it can also be retrieved by fetching the schema using the Open vSwitch database protocol. system_type: optional string An identifier for the type of system on top of which Open vSwitch runs, e.g. XenServer or KVM. System integrators are responsible for choosing and setting an appropriate value for this column. system_version: optional string The version of the system identified by system_type, e.g. 5.6.100-39265p on XenServer 5.6.100 build 39265. System integrators are responsible for choosing and setting an appropriate value for this column. Database Configuration: These columns primarily configure the Open vSwitch database (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The OVSDB database also uses the ssl settings. The Open vSwitch switch does read the database configuration to determine remote IP addresses to which in-band control should apply. manager_options: set of Managers Database clients to which the Open vSwitch database server should connect or to which it should listen, along with options for how these connection should be configured. See the Manager table for more information. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Bridge TABLE
Configuration for a bridge within an Open_vSwitch. A Bridge record represents an Ethernet switch with one or more ``ports,’’ which are the Port records pointed to by the Bridge’s ports column. Summary: Core Features: name string (must be unique within table) ports set of Ports mirrors set of Mirrors netflow optional NetFlow sflow optional sFlow ipfix optional IPFIX flood_vlans set of up to 4,096 integers, in range 0 to 4,095 OpenFlow Configuration: controller set of Controllers flow_tables map of integer-Flow_Table pairs, key in range 0 to 254 fail_mode optional string, either secure or standalone datapath_id optional string other_config : datapath-id optional string other_config : dp-desc optional string other_config : disable-in-band optional string, either true or false other_config : in-band-queue optional string, containing an integer, in range 0 to 4,294,967,295 protocols set of strings, one of OpenFlow11, OpenFlow10, OpenFlow13, or OpenFlow12 Spanning Tree Configuration: stp_enable boolean other_config : stp-system-id optional string other_config : stp-priority optional string, containing an integer, in range 0 to 65,535 other_config : stp-hello-time optional string, containing an integer, in range 1 to 10 other_config : stp-max-age optional string, containing an integer, in range 6 to 40 other_config : stp-forward-delay optional string, containing an integer, in range 4 to 30 Other Features: datapath_type string external_ids : bridge-id optional string external_ids : xs-network-uuids optional string other_config : hwaddr optional string other_config : forward-bpdu optional string, either true or false other_config : mac-aging-time optional string, containing an integer, at least 1 other_config : mac-table-size optional string, containing an integer, at least 1 Bridge Status: status map of string-string pairs status : stp_bridge_id optional string status : stp_designated_root optional string status : stp_root_path_cost optional string Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: Core Features: name: string (must be unique within table) Bridge identifier. Should be alphanumeric and no more than about 8 bytes long. Must be unique among the names of ports, interfaces, and bridges on a host. ports: set of Ports Ports included in the bridge. mirrors: set of Mirrors Port mirroring configuration. netflow: optional NetFlow NetFlow configuration. sflow: optional sFlow sFlow(R) configuration. ipfix: optional IPFIX IPFIX configuration. flood_vlans: set of up to 4,096 integers, in range 0 to 4,095 VLAN IDs of VLANs on which MAC address learning should be disabled, so that packets are flooded instead of being sent to specific ports that are believed to contain packets’ destination MACs. This should ordinarily be used to disable MAC learning on VLANs used for mirroring (RSPAN VLANs). It may also be useful for debugging. SLB bonding (see the bond_mode column in the Port table) is incompatible with flood_vlans. Consider using another bonding mode or a different type of mirror instead. OpenFlow Configuration: controller: set of Controllers OpenFlow controller set. If unset, then no OpenFlow controllers will be used. If there are primary controllers, removing all of them clears the flow table. If there are no primary controllers, adding one also clears the flow table. Other changes to the set of controllers, such as adding or removing a service controller, adding another primary controller to supplement an existing primary controller, or removing only one of two primary controllers, have no effect on the flow table. flow_tables: map of integer-Flow_Table pairs, key in range 0 to 254 Configuration for OpenFlow tables. Each pair maps from an OpenFlow table ID to configuration for that table. fail_mode: optional string, either secure or standalone When a controller is configured, it is, ordinarily, responsible for setting up all flows on the switch. Thus, if the connection to the controller fails, no new network connections can be set up. If the connection to the controller stays down long enough, no packets can pass through the switch at all. This setting determines the switch’s response to such a situation. It may be set to one of the following: standalone If no message is received from the controller for three times the inactivity probe interval (see inactivity_probe), then Open vSwitch will take over responsibility for setting up flows. In this mode, Open vSwitch causes the bridge to act like an ordinary MAC-learning switch. Open vSwitch will continue to retry connecting to the controller in the background and, when the connection succeeds, it will discontinue its standalone behavior. secure Open vSwitch will not set up flows on its own when the controller connection fails or when no controllers are defined. The bridge will continue to retry connecting to any defined controllers forever. The default is standalone if the value is unset, but future versions of Open vSwitch may change the default. The standalone mode can create forwarding loops on a bridge that has more than one uplink port unless STP is enabled. To avoid loops on such a bridge, configure secure mode or enable STP (see stp_enable). When more than one controller is configured, fail_mode is considered only when none of the configured controllers can be contacted. Changing fail_mode when no primary controllers are configured clears the flow table. datapath_id: optional string Reports the OpenFlow datapath ID in use. Exactly 16 hex digits. (Setting this column has no useful effect. Set other-config:datapath-id instead.) other_config : datapath-id: optional string Exactly 16 hex digits to set the OpenFlow datapath ID to a specific value. May not be all-zero. other_config : dp-desc: optional string Human readable description of datapath. It it a maximum 256 byte-long free-form string to describe the datapath for debugging purposes, e.g. switch3 in room 3120. other_config : disable-in-band: optional string, either true or false If set to true, disable in-band control on the bridge regardless of controller and manager settings. other_config : in-band-queue: optional string, containing an integer, in range 0 to 4,294,967,295 A queue ID as a nonnegative integer. This sets the OpenFlow queue ID that will be used by flows set up by in-band control on this bridge. If unset, or if the port used by an in-band control flow does not have QoS configured, or if the port does not have a queue with the specified ID, the default queue is used instead. protocols: set of strings, one of OpenFlow11, OpenFlow10, OpenFlow13, or OpenFlow12 List of OpenFlow protocols that may be used when negotiating a connection with a controller. A default value of OpenFlow10 will be used if this column is empty. Spanning Tree Configuration: The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol that ensures loop-free topologies. It allows redundant links to be included in the network to provide automatic backup paths if the active links fails. stp_enable: boolean Enable spanning tree on the bridge. By default, STP is disabled on bridges. Bond, internal, and mirror ports are not supported and will not participate in the spanning tree. other_config : stp-system-id: optional string The bridge’s STP identifier (the lower 48 bits of the bridge-id) in the form xx:xx:xx:xx:xx:xx. By default, the identifier is the MAC address of the bridge. other_config : stp-priority: optional string, containing an integer, in range 0 to 65,535 The bridge’s relative priority value for determining the root bridge (the upper 16 bits of the bridge-id). A bridge with the lowest bridge-id is elected the root. By default, the priority is 0x8000. other_config : stp-hello-time: optional string, containing an integer, in range 1 to 10 The interval between transmissions of hello messages by designated ports, in seconds. By default the hello interval is 2 seconds. other_config : stp-max-age: optional string, containing an integer, in range 6 to 40 The maximum age of the information transmitted by the bridge when it is the root bridge, in seconds. By default, the maximum age is 20 seconds. other_config : stp-forward-delay: optional string, containing an integer, in range 4 to 30 The delay to wait between transitioning root and designated ports to forwarding, in seconds. By default, the forwarding delay is 15 seconds. Other Features: datapath_type: string Name of datapath provider. The kernel datapath has type system. The userspace datapath has type netdev. external_ids : bridge-id: optional string A unique identifier of the bridge. On Citrix XenServer this will commonly be the same as external_ids:xs-network-uuids. external_ids : xs-network-uuids: optional string Semicolon-delimited set of universally unique identifier(s) for the network with which this bridge is associated on a Citrix XenServer host. The network identifiers are RFC 4122 UUIDs as displayed by, e.g., xe network-list. other_config : hwaddr: optional string An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the hardware address of the local port and influence the datapath ID. other_config : forward-bpdu: optional string, either true or false Option to allow forwarding of BPDU frames when NORMAL action is invoked. Frames with reserved Ethernet addresses (e.g. STP BPDU) will be forwarded when this option is enabled and the switch is not providing that functionality. If STP is enabled on the port, STP BPDUs will never be forwarded. If the Open vSwitch bridge is used to connect different Ethernet networks, and if Open vSwitch node does not run STP, then this option should be enabled. Default is disabled, set to true to enable. The following destination MAC addresss will not be forwarded when this option is enabled. 01:80:c2:00:00:00 IEEE 802.1D Spanning Tree Protocol (STP). 01:80:c2:00:00:01 IEEE Pause frame. 01:80:c2:00:00:0x Other reserved protocols. 00:e0:2b:00:00:00 Extreme Discovery Protocol (EDP). 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06 Ethernet Automatic Protection Switching (EAPS). 01:00:0c:cc:cc:cc Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), Port Aggregation Protocol (PAgP), and others. 01:00:0c:cc:cc:cd Cisco Shared Spanning Tree Protocol PVSTP+. 01:00:0c:cd:cd:cd Cisco STP Uplink Fast. 01:00:0c:00:00:00 Cisco Inter Switch Link. 01:00:0c:cc:cc:cx Cisco CFM. other_config : mac-aging-time: optional string, containing an integer, at least 1 The maximum number of seconds to retain a MAC learning entry for which no packets have been seen. The default is currently 300 seconds (5 minutes). The value, if specified, is forced into a reasonable range, currently 15 to 3600 seconds. A short MAC aging time allows a network to more quickly detect that a host is no longer connected to a switch port. However, it also makes it more likely that packets will be flooded unnecessarily, when they are addressed to a connected host that rarely transmits packets. To reduce the incidence of unnecessary flooding, use a MAC aging time longer than the maximum interval at which a host will ordinarily transmit packets. other_config : mac-table-size: optional string, containing an integer, at least 1 The maximum number of MAC addresses to learn. The default is currently 2048. The value, if specified, is forced into a reasonable range, currently 10 to 1,000,000. Bridge Status: Status information about bridges. status: map of string-string pairs Key-value pairs that report bridge status. status : stp_bridge_id: optional string The bridge-id (in hex) used in spanning tree advertisements. Configuring the bridge-id is described in the stp-system-id and stp-priority keys of the other_config section earlier. status : stp_designated_root: optional string The designated root (in hex) for this spanning tree. status : stp_root_path_cost: optional string The path cost of reaching the designated bridge. A lower number is better. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Port TABLE
A port within a Bridge. Most commonly, a port has exactly one ``interface,’’ pointed to by its interfaces column. Such a port logically corresponds to a port on a physical Ethernet switch. A port with more than one interface is a ``bonded port’’ (see Bonding Configuration). Some properties that one might think as belonging to a port are actually part of the port’s Interface members. Summary: name string (must be unique within table) interfaces set of 1 or more Interfaces VLAN Configuration: vlan_mode optional string, one of access, native-tagged, native-untagged, or trunk tag optional integer, in range 0 to 4,095 trunks set of up to 4,096 integers, in range 0 to 4,095 other_config : priority-tags optional string, either true or false Bonding Configuration: bond_mode optional string, one of active-backup, balance-tcp, or balance-slb other_config : bond-hash-basis optional string, containing an integer Link Failure Detection: other_config : bond-detect-mode optional string, either miimon or carrier other_config : bond-miimon-interval optional string, containing an integer bond_updelay integer bond_downdelay integer LACP Configuration: lacp optional string, one of active, passive, or off other_config : lacp-system-id optional string other_config : lacp-system-priority optional string, containing an integer, in range 1 to 65,535 other_config : lacp-time optional string, either slow or fast Rebalancing Configuration: other_config : bond-rebalance-interval optional string, containing an integer, in range 0 to 10,000 bond_fake_iface boolean Spanning Tree Configuration: other_config : stp-enable optional string, either true or false other_config : stp-port-num optional string, containing an integer, in range 1 to 255 other_config : stp-port-priority optional string, containing an integer, in range 0 to 255 other_config : stp-path-cost optional string, containing an integer, in range 0 to 65,535 Other Features: qos optional QoS mac optional string fake_bridge boolean external_ids : fake-bridge-id-* optional string Port Status: status map of string-string pairs status : stp_port_id optional string status : stp_state optional string, one of disabled, forwarding, learning, listening, or blocking status : stp_sec_in_state optional string, containing an integer, at least 0 status : stp_role optional string, one of designated, alternate, or root Port Statistics: Statistics: STP transmit and receive counters: statistics : stp_tx_count optional integer statistics : stp_rx_count optional integer statistics : stp_error_count optional integer Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: name: string (must be unique within table) Port name. Should be alphanumeric and no more than about 8 bytes long. May be the same as the interface name, for non-bonded ports. Must otherwise be unique among the names of ports, interfaces, and bridges on a host. interfaces: set of 1 or more Interfaces The port’s interfaces. If there is more than one, this is a bonded Port. VLAN Configuration: Bridge ports support the following types of VLAN configuration: trunk A trunk port carries packets on one or more specified VLANs specified in the trunks column (often, on every VLAN). A packet that ingresses on a trunk port is in the VLAN specified in its 802.1Q header, or VLAN 0 if the packet has no 802.1Q header. A packet that egresses through a trunk port will have an 802.1Q header if it has a nonzero VLAN ID. Any packet that ingresses on a trunk port tagged with a VLAN that the port does not trunk is dropped. access An access port carries packets on exactly one VLAN specified in the tag column. Packets egressing on an access port have no 802.1Q header. Any packet with an 802.1Q header with a nonzero VLAN ID that ingresses on an access port is dropped, regardless of whether the VLAN ID in the header is the access port’s VLAN ID. native-tagged A native-tagged port resembles a trunk port, with the exception that a packet without an 802.1Q header that ingresses on a native-tagged port is in the ``native VLAN’’ (specified in the tag column). native-untagged A native-untagged port resembles a native-tagged port, with the exception that a packet that egresses on a native-untagged port in the native VLAN will not have an 802.1Q header. A packet will only egress through bridge ports that carry the VLAN of the packet, as described by the rules above. vlan_mode: optional string, one of access, native-tagged, native-untagged, or trunk The VLAN mode of the port, as described above. When this column is empty, a default mode is selected as follows: • If tag contains a value, the port is an access port. The trunks column should be empty. • Otherwise, the port is a trunk port. The trunks column value is honored if it is present. tag: optional integer, in range 0 to 4,095 For an access port, the port’s implicitly tagged VLAN. For a native-tagged or native-untagged port, the port’s native VLAN. Must be empty if this is a trunk port. trunks: set of up to 4,096 integers, in range 0 to 4,095 For a trunk, native-tagged, or native-untagged port, the 802.1Q VLAN or VLANs that this port trunks; if it is empty, then the port trunks all VLANs. Must be empty if this is an access port. A native-tagged or native-untagged port always trunks its native VLAN, regardless of whether trunks includes that VLAN. other_config : priority-tags: optional string, either true or false An 802.1Q header contains two important pieces of information: a VLAN ID and a priority. A frame with a zero VLAN ID, called a ``priority-tagged’’ frame, is supposed to be treated the same way as a frame without an 802.1Q header at all (except for the priority). However, some network elements ignore any frame that has 802.1Q header at all, even when the VLAN ID is zero. Therefore, by default Open vSwitch does not output priority-tagged frames, instead omitting the 802.1Q header entirely if the VLAN ID is zero. Set this key to true to enable priority-tagged frames on a port. Regardless of this setting, Open vSwitch omits the 802.1Q header on output if both the VLAN ID and priority would be zero. All frames output to native-tagged ports have a nonzero VLAN ID, so this setting is not meaningful on native-tagged ports. Bonding Configuration: A port that has more than one interface is a ``bonded port.’’ Bonding allows for load balancing and fail-over. The following types of bonding will work with any kind of upstream switch. On the upstream switch, do not configure the interfaces as a bond: balance-slb Balances flows among slaves based on source MAC address and output VLAN, with periodic rebalancing as traffic patterns change. active-backup Assigns all flows to one slave, failing over to a backup slave when the active slave is disabled. This is the only bonding mode in which interfaces may be plugged into different upstream switches. The following modes require the upstream switch to support 802.3ad with successful LACP negotiation: balance-tcp Balances flows among slaves based on L2, L3, and L4 protocol information such as destination MAC address, IP address, and TCP port. These columns apply only to bonded ports. Their values are otherwise ignored. bond_mode: optional string, one of active-backup, balance-tcp, or balance-slb The type of bonding used for a bonded port. Defaults to active-backup if unset. other_config : bond-hash-basis: optional string, containing an integer An integer hashed along with flows when choosing output slaves in load balanced bonds. When changed, all flows will be assigned different hash values possibly causing slave selection decisions to change. Does not affect bonding modes which do not employ load balancing such as active-backup. Link Failure Detection: An important part of link bonding is detecting that links are down so that they may be disabled. These settings determine how Open vSwitch detects link failure. other_config : bond-detect-mode: optional string, either miimon or carrier The means used to detect link failures. Defaults to carrier which uses each interface’s carrier to detect failures. When set to miimon, will check for failures by polling each interface’s MII. other_config : bond-miimon-interval: optional string, containing an integer The interval, in milliseconds, between successive attempts to poll each interface’s MII. Relevant only when other_config:bond-detect-mode is miimon. bond_updelay: integer The number of milliseconds for which the link must stay up on an interface before the interface is considered to be up. Specify 0 to enable the interface immediately. This setting is honored only when at least one bonded interface is already enabled. When no interfaces are enabled, then the first bond interface to come up is enabled immediately. bond_downdelay: integer The number of milliseconds for which the link must stay down on an interface before the interface is considered to be down. Specify 0 to disable the interface immediately. LACP Configuration: LACP, the Link Aggregation Control Protocol, is an IEEE standard that allows switches to automatically detect that they are connected by multiple links and aggregate across those links. These settings control LACP behavior. lacp: optional string, one of active, passive, or off Configures LACP on this port. LACP allows directly connected switches to negotiate which links may be bonded. LACP may be enabled on non-bonded ports for the benefit of any switches they may be connected to. active ports are allowed to initiate LACP negotiations. passive ports are allowed to participate in LACP negotiations initiated by a remote switch, but not allowed to initiate such negotiations themselves. If LACP is enabled on a port whose partner switch does not support LACP, the bond will be disabled. Defaults to off if unset. other_config : lacp-system-id: optional string The LACP system ID of this Port. The system ID of a LACP bond is used to identify itself to its partners. Must be a nonzero MAC address. Defaults to the bridge Ethernet address if unset. other_config : lacp-system-priority: optional string, containing an integer, in range 1 to 65,535 The LACP system priority of this Port. In LACP negotiations, link status decisions are made by the system with the numerically lower priority. other_config : lacp-time: optional string, either slow or fast The LACP timing which should be used on this Port. By default slow is used. When configured to be fast LACP heartbeats are requested at a rate of once per second causing connectivity problems to be detected more quickly. In slow mode, heartbeats are requested at a rate of once every 30 seconds. Rebalancing Configuration: These settings control behavior when a bond is in balance-slb or balance-tcp mode. other_config : bond-rebalance-interval: optional string, containing an integer, in range 0 to 10,000 For a load balanced bonded port, the number of milliseconds between successive attempts to rebalance the bond, that is, to move flows from one interface on the bond to another in an attempt to keep usage of each interface roughly equal. If zero, load balancing is disabled on the bond (link failure still cause flows to move). If less than 1000ms, the rebalance interval will be 1000ms. bond_fake_iface: boolean For a bonded port, whether to create a fake internal interface with the name of the port. Use only for compatibility with legacy software that requires this. Spanning Tree Configuration: other_config : stp-enable: optional string, either true or false If spanning tree is enabled on the bridge, member ports are enabled by default (with the exception of bond, internal, and mirror ports which do not work with STP). If this column’s value is false spanning tree is disabled on the port. other_config : stp-port-num: optional string, containing an integer, in range 1 to 255 The port number used for the lower 8 bits of the port-id. By default, the numbers will be assigned automatically. If any port’s number is manually configured on a bridge, then they must all be. other_config : stp-port-priority: optional string, containing an integer, in range 0 to 255 The port’s relative priority value for determining the root port (the upper 8 bits of the port-id). A port with a lower port-id will be chosen as the root port. By default, the priority is 0x80. other_config : stp-path-cost: optional string, containing an integer, in range 0 to 65,535 Spanning tree path cost for the port. A lower number indicates a faster link. By default, the cost is based on the maximum speed of the link. Other Features: qos: optional QoS Quality of Service configuration for this port. mac: optional string The MAC address to use for this port for the purpose of choosing the bridge’s MAC address. This column does not necessarily reflect the port’s actual MAC address, nor will setting it change the port’s actual MAC address. fake_bridge: boolean Does this port represent a sub-bridge for its tagged VLAN within the Bridge? See ovs-vsctl(8) for more information. external_ids : fake-bridge-id-*: optional string External IDs for a fake bridge (see the fake_bridge column) are defined by prefixing a Bridge external_ids key with fake-bridge-, e.g. fake-bridge-xs-network-uuids. Port Status: Status information about ports attached to bridges. status: map of string-string pairs Key-value pairs that report port status. status : stp_port_id: optional string The port-id (in hex) used in spanning tree advertisements for this port. Configuring the port-id is described in the stp-port-num and stp-port-priority keys of the other_config section earlier. status : stp_state: optional string, one of disabled, forwarding, learning, listening, or blocking STP state of the port. status : stp_sec_in_state: optional string, containing an integer, at least 0 The amount of time (in seconds) port has been in the current STP state. status : stp_role: optional string, one of designated, alternate, or root STP role of the port. Port Statistics: Key-value pairs that report port statistics. Statistics: STP transmit and receive counters: statistics : stp_tx_count: optional integer Number of STP BPDUs sent on this port by the spanning tree library. statistics : stp_rx_count: optional integer Number of STP BPDUs received on this port and accepted by the spanning tree library. statistics : stp_error_count: optional integer Number of bad STP BPDUs received on this port. Bad BPDUs include runt packets and those with an unexpected protocol ID. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Interface TABLE
An interface within a Port. Summary: Core Features: name string (must be unique within table) ifindex optional integer, in range 0 to 4,294,967,295 mac_in_use optional string mac optional string ofport optional integer ofport_request optional integer, in range 1 to 65,279 System-Specific Details: type string Tunnel Options: options : remote_ip optional string options : local_ip optional string options : in_key optional string options : out_key optional string options : key optional string options : tos optional string options : ttl optional string options : df_default optional string, either true or false Tunnel Options: gre and ipsec_gre only: options : csum optional string, either true or false Tunnel Options: ipsec_gre only: options : peer_cert optional string options : certificate optional string options : private_key optional string options : psk optional string Patch Options: options : peer optional string Interface Status: admin_state optional string, either down or up link_state optional string, either down or up link_resets optional integer link_speed optional integer duplex optional string, either full or half mtu optional integer lacp_current optional boolean status map of string-string pairs status : driver_name optional string status : driver_version optional string status : firmware_version optional string status : source_ip optional string status : tunnel_egress_iface optional string status : tunnel_egress_iface_carrier optional string, either down or up Statistics: Statistics: Successful transmit and receive counters: statistics : rx_packets optional integer statistics : rx_bytes optional integer statistics : tx_packets optional integer statistics : tx_bytes optional integer Statistics: Receive errors: statistics : rx_dropped optional integer statistics : rx_frame_err optional integer statistics : rx_over_err optional integer statistics : rx_crc_err optional integer statistics : rx_errors optional integer Statistics: Transmit errors: statistics : tx_dropped optional integer statistics : collisions optional integer statistics : tx_errors optional integer Ingress Policing: ingress_policing_rate integer, at least 0 ingress_policing_burst integer, at least 0 Bidirectional Forwarding Detection (BFD): bfd : enable optional string bfd : min_rx optional string, containing an integer, at least 1 bfd : min_tx optional string, containing an integer, at least 1 bfd : decay_min_rx optional string, containing an integer bfd : forwarding_if_rx optional string, either true or false bfd : cpath_down optional string, either true or false bfd : check_tnl_key optional string, either true or false bfd : bfd_dst_mac optional string bfd_status : state optional string, one of down, init, up, or admin_down bfd_status : forwarding optional string, either true or false bfd_status : diagnostic optional string bfd_status : remote_state optional string, one of down, init, up, or admin_down bfd_status : remote_diagnostic optional string Connectivity Fault Management: cfm_mpid optional integer cfm_fault optional boolean cfm_fault_status : recv none cfm_fault_status : rdi none cfm_fault_status : maid none cfm_fault_status : loopback none cfm_fault_status : overflow none cfm_fault_status : override none cfm_fault_status : interval none cfm_remote_opstate optional string, either down or up cfm_health optional integer, in range 0 to 100 cfm_remote_mpids set of integers other_config : cfm_interval optional string, containing an integer other_config : cfm_extended optional string, either true or false other_config : cfm_demand optional string, either true or false other_config : cfm_opstate optional string, either down or up other_config : cfm_ccm_vlan optional string, containing an integer, in range 1 to 4,095 other_config : cfm_ccm_pcp optional string, containing an integer, in range 1 to 7 Bonding Configuration: other_config : lacp-port-id optional string, containing an integer, in range 1 to 65,535 other_config : lacp-port-priority optional string, containing an integer, in range 1 to 65,535 other_config : lacp-aggregation-key optional string, containing an integer, in range 1 to 65,535 Virtual Machine Identifiers: external_ids : attached-mac optional string external_ids : iface-id optional string external_ids : iface-status optional string, either active or inactive external_ids : xs-vif-uuid optional string external_ids : xs-network-uuid optional string external_ids : vm-id optional string external_ids : xs-vm-uuid optional string VLAN Splinters: other_config : enable-vlan-splinters optional string, either true or false Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: Core Features: name: string (must be unique within table) Interface name. Should be alphanumeric and no more than about 8 bytes long. May be the same as the port name, for non-bonded ports. Must otherwise be unique among the names of ports, interfaces, and bridges on a host. ifindex: optional integer, in range 0 to 4,294,967,295 A positive interface index as defined for SNMP MIB-II in RFCs 1213 and 2863, if the interface has one, otherwise 0. The ifindex is useful for seamless integration with protocols such as SNMP and sFlow. mac_in_use: optional string The MAC address in use by this interface. mac: optional string Ethernet address to set for this interface. If unset then the default MAC address is used: • For the local interface, the default is the lowest-numbered MAC address among the other bridge ports, either the value of the mac in its Port record, if set, or its actual MAC (for bonded ports, the MAC of its slave whose name is first in alphabetical order). Internal ports and bridge ports that are used as port mirroring destinations (see the Mirror table) are ignored. • For other internal interfaces, the default MAC is randomly generated. • External interfaces typically have a MAC address associated with their hardware. Some interfaces may not have a software-controllable MAC address. ofport: optional integer OpenFlow port number for this interface. Unlike most columns, this column’s value should be set only by Open vSwitch itself. Other clients should set this column to an empty set (the default) when creating an Interface. Open vSwitch populates this column when the port number becomes known. If the interface is successfully added, ofport will be set to a number between 1 and 65535 (generally either in the range 1 to 65279, inclusive, or 65534, the port number for the OpenFlow ``local port’’). If the interface cannot be added then Open vSwitch sets this column to -1. When ofport_request is not set, Open vSwitch picks an appropriate value for this column and then tries to keep the value constant across restarts. ofport_request: optional integer, in range 1 to 65,279 Requested OpenFlow port number for this interface. The port number must be between 1 and 65279, inclusive. Some datapaths cannot satisfy all requests for particular port numbers. When this column is empty or the request cannot be fulfilled, the system will choose a free port. The ofport column reports the assigned OpenFlow port number. The port number must be requested in the same transaction that creates the port. System-Specific Details: type: string The interface type, one of: system An ordinary network device, e.g. eth0 on Linux. Sometimes referred to as ``external interfaces’’ since they are generally connected to hardware external to that on which the Open vSwitch is running. The empty string is a synonym for system. internal A simulated network device that sends and receives traffic. An internal interface whose name is the same as its bridge’s name is called the ``local interface.’’ It does not make sense to bond an internal interface, so the terms ``port’’ and ``interface’’ are often used imprecisely for internal interfaces. tap A TUN/TAP device managed by Open vSwitch. gre An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4 tunnel. ipsec_gre An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4 IPsec tunnel. gre64 It is same as GRE, but it allows 64 bit key. To store higher 32-bits of key, it uses GRE protocol sequence number field. This is non standard use of GRE protocol since OVS does not increment sequence number for every packet at time of encap as expected by standard GRE implementation. See Tunnel Options for information on configuring GRE tunnels. ipsec_gre64 Same as IPSEC_GRE except 64 bit key. vxlan An Ethernet tunnel over the experimental, UDP-based VXLAN protocol described at http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-03. Open vSwitch uses UDP destination port 4789. The source port used for VXLAN traffic varies on a per-flow basis and is in the ephemeral port range. lisp A layer 3 tunnel over the experimental, UDP-based Locator/ID Separation Protocol (RFC 6830). patch A pair of virtual devices that act as a patch cable. null An ignored interface. Deprecated and slated for removal in February 2013. Tunnel Options: These options apply to interfaces with type of gre, ipsec_gre, gre64, ipsec_gre64, vxlan, and lisp. Each tunnel must be uniquely identified by the combination of type, options:remote_ip, options:local_ip, and options:in_key. If two ports are defined that are the same except one has an optional identifier and the other does not, the more specific one is matched first. options:in_key is considered more specific than options:local_ip if a port defines one and another port defines the other. options : remote_ip: optional string Required. The remote tunnel endpoint, one of: • An IPv4 address (not a DNS name), e.g. 192.168.0.123. Only unicast endpoints are supported. • The word flow. The tunnel accepts packets from any remote tunnel endpoint. To process only packets from a specific remote tunnel endpoint, the flow entries may match on the tun_src field. When sending packets to a remote_ip=flow tunnel, the flow actions must explicitly set the tun_dst field to the IP address of the desired remote tunnel endpoint, e.g. with a set_field action. The remote tunnel endpoint for any packet received from a tunnel is available in the tun_src field for matching in the flow table. options : local_ip: optional string Optional. The tunnel destination IP that received packets must match. Default is to match all addresses. If specified, may be one of: • An IPv4 address (not a DNS name), e.g. 192.168.12.3. • The word flow. The tunnel accepts packets sent to any of the local IP addresses of the system running OVS. To process only packets sent to a specific IP address, the flow entries may match on the tun_dst field. When sending packets to a local_ip=flow tunnel, the flow actions may explicitly set the tun_src field to the desired IP address, e.g. with a set_field action. However, while routing the tunneled packet out, the local system may override the specified address with the local IP address configured for the outgoing system interface. This option is valid only for tunnels also configured with the remote_ip=flow option. The tunnel destination IP address for any packet received from a tunnel is available in the tun_dst field for matching in the flow table. options : in_key: optional string Optional. The key that received packets must contain, one of: • 0. The tunnel receives packets with no key or with a key of 0. This is equivalent to specifying no options:in_key at all. • A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit (for GRE64) number. The tunnel receives only packets with the specified key. • The word flow. The tunnel accepts packets with any key. The key will be placed in the tun_id field for matching in the flow table. The ovs-ofctl manual page contains additional information about matching fields in OpenFlow flows. options : out_key: optional string Optional. The key to be set on outgoing packets, one of: • 0. Packets sent through the tunnel will have no key. This is equivalent to specifying no options:out_key at all. • A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit (for GRE64) number. Packets sent through the tunnel will have the specified key. • The word flow. Packets sent through the tunnel will have the key set using the set_tunnel Nicira OpenFlow vendor extension (0 is used in the absence of an action). The ovs-ofctl manual page contains additional information about the Nicira OpenFlow vendor extensions. options : key: optional string Optional. Shorthand to set in_key and out_key at the same time. options : tos: optional string Optional. The value of the ToS bits to be set on the encapsulating packet. ToS is interpreted as DSCP and ECN bits, ECN part must be zero. It may also be the word inherit, in which case the ToS will be copied from the inner packet if it is IPv4 or IPv6 (otherwise it will be 0). The ECN fields are always inherited. Default is 0. options : ttl: optional string Optional. The TTL to be set on the encapsulating packet. It may also be the word inherit, in which case the TTL will be copied from the inner packet if it is IPv4 or IPv6 (otherwise it will be the system default, typically 64). Default is the system default TTL. options : df_default: optional string, either true or false Optional. If enabled, the Don’t Fragment bit will be set on tunnel outer headers to allow path MTU discovery. Default is enabled; set to false to disable. Tunnel Options: gre and ipsec_gre only: Only gre and ipsec_gre interfaces support these options. options : csum: optional string, either true or false Optional. Compute GRE checksums on outgoing packets. Default is disabled, set to true to enable. Checksums present on incoming packets will be validated regardless of this setting. GRE checksums impose a significant performance penalty because they cover the entire packet. The encapsulated L3, L4, and L7 packet contents typically have their own checksums, so this additional checksum only adds value for the GRE and encapsulated L2 headers. This option is supported for ipsec_gre, but not useful because GRE checksums are weaker than, and redundant with, IPsec payload authentication. Tunnel Options: ipsec_gre only: Only ipsec_gre interfaces support these options. options : peer_cert: optional string Required for certificate authentication. A string containing the peer’s certificate in PEM format. Additionally the host’s certificate must be specified with the certificate option. options : certificate: optional string Required for certificate authentication. The name of a PEM file containing a certificate that will be presented to the peer during authentication. options : private_key: optional string Optional for certificate authentication. The name of a PEM file containing the private key associated with certificate. If certificate contains the private key, this option may be omitted. options : psk: optional string Required for pre-shared key authentication. Specifies a pre-shared key for authentication that must be identical on both sides of the tunnel. Patch Options: Only patch interfaces support these options. options : peer: optional string The name of the Interface for the other side of the patch. The named Interface’s own peer option must specify this Interface’s name. That is, the two patch interfaces must have reversed name and peer values. Interface Status: Status information about interfaces attached to bridges, updated every 5 seconds. Not all interfaces have all of these properties; virtual interfaces don’t have a link speed, for example. Non-applicable columns will have empty values. admin_state: optional string, either down or up The administrative state of the physical network link. link_state: optional string, either down or up The observed state of the physical network link. This is ordinarily the link’s carrier status. If the interface’s Port is a bond configured for miimon monitoring, it is instead the network link’s miimon status. link_resets: optional integer The number of times Open vSwitch has observed the link_state of this Interface change. link_speed: optional integer The negotiated speed of the physical network link. Valid values are positive integers greater than 0. duplex: optional string, either full or half The duplex mode of the physical network link. mtu: optional integer The MTU (maximum transmission unit); i.e. the largest amount of data that can fit into a single Ethernet frame. The standard Ethernet MTU is 1500 bytes. Some physical media and many kinds of virtual interfaces can be configured with higher MTUs. This column will be empty for an interface that does not have an MTU as, for example, some kinds of tunnels do not. lacp_current: optional boolean Boolean value indicating LACP status for this interface. If true, this interface has current LACP information about its LACP partner. This information may be used to monitor the health of interfaces in a LACP enabled port. This column will be empty if LACP is not enabled. status: map of string-string pairs Key-value pairs that report port status. Supported status values are type- dependent; some interfaces may not have a valid status:driver_name, for example. status : driver_name: optional string The name of the device driver controlling the network adapter. status : driver_version: optional string The version string of the device driver controlling the network adapter. status : firmware_version: optional string The version string of the network adapter’s firmware, if available. status : source_ip: optional string The source IP address used for an IPv4 tunnel end-point, such as gre. status : tunnel_egress_iface: optional string Egress interface for tunnels. Currently only relevant for GRE tunnels On Linux systems, this column will show the name of the interface which is responsible for routing traffic destined for the configured options:remote_ip. This could be an internal interface such as a bridge port. status : tunnel_egress_iface_carrier: optional string, either down or up Whether carrier is detected on status:tunnel_egress_iface. Statistics: Key-value pairs that report interface statistics. The current implementation updates these counters periodically. Future implementations may update them when an interface is created, when they are queried (e.g. using an OVSDB select operation), and just before an interface is deleted due to virtual interface hot-unplug or VM shutdown, and perhaps at other times, but not on any regular periodic basis. These are the same statistics reported by OpenFlow in its struct ofp_port_stats structure. If an interface does not support a given statistic, then that pair is omitted. Statistics: Successful transmit and receive counters: statistics : rx_packets: optional integer Number of received packets. statistics : rx_bytes: optional integer Number of received bytes. statistics : tx_packets: optional integer Number of transmitted packets. statistics : tx_bytes: optional integer Number of transmitted bytes. Statistics: Receive errors: statistics : rx_dropped: optional integer Number of packets dropped by RX. statistics : rx_frame_err: optional integer Number of frame alignment errors. statistics : rx_over_err: optional integer Number of packets with RX overrun. statistics : rx_crc_err: optional integer Number of CRC errors. statistics : rx_errors: optional integer Total number of receive errors, greater than or equal to the sum of the above. Statistics: Transmit errors: statistics : tx_dropped: optional integer Number of packets dropped by TX. statistics : collisions: optional integer Number of collisions. statistics : tx_errors: optional integer Total number of transmit errors, greater than or equal to the sum of the above. Ingress Policing: These settings control ingress policing for packets received on this interface. On a physical interface, this limits the rate at which traffic is allowed into the system from the outside; on a virtual interface (one connected to a virtual machine), this limits the rate at which the VM is able to transmit. Policing is a simple form of quality-of-service that simply drops packets received in excess of the configured rate. Due to its simplicity, policing is usually less accurate and less effective than egress QoS (which is configured using the QoS and Queue tables). Policing is currently implemented only on Linux. The Linux implementation uses a simple ``token bucket’’ approach: • The size of the bucket corresponds to ingress_policing_burst. Initially the bucket is full. • Whenever a packet is received, its size (converted to tokens) is compared to the number of tokens currently in the bucket. If the required number of tokens are available, they are removed and the packet is forwarded. Otherwise, the packet is dropped. • Whenever it is not full, the bucket is refilled with tokens at the rate specified by ingress_policing_rate. Policing interacts badly with some network protocols, and especially with fragmented IP packets. Suppose that there is enough network activity to keep the bucket nearly empty all the time. Then this token bucket algorithm will forward a single packet every so often, with the period depending on packet size and on the configured rate. All of the fragments of an IP packets are normally transmitted back-to-back, as a group. In such a situation, therefore, only one of these fragments will be forwarded and the rest will be dropped. IP does not provide any way for the intended recipient to ask for only the remaining fragments. In such a case there are two likely possibilities for what will happen next: either all of the fragments will eventually be retransmitted (as TCP will do), in which case the same problem will recur, or the sender will not realize that its packet has been dropped and data will simply be lost (as some UDP-based protocols will do). Either way, it is possible that no forward progress will ever occur. ingress_policing_rate: integer, at least 0 Maximum rate for data received on this interface, in kbps. Data received faster than this rate is dropped. Set to 0 (the default) to disable policing. ingress_policing_burst: integer, at least 0 Maximum burst size for data received on this interface, in kb. The default burst size if set to 0 is 1000 kb. This value has no effect if ingress_policing_rate is 0. Specifying a larger burst size lets the algorithm be more forgiving, which is important for protocols like TCP that react severely to dropped packets. The burst size should be at least the size of the interface’s MTU. Specifying a value that is numerically at least as large as 10% of ingress_policing_rate helps TCP come closer to achieving the full rate. Bidirectional Forwarding Detection (BFD): BFD, defined in RFC 5880 and RFC 5881, allows point to point detection of connectivity failures by occasional transmission of BFD control messages. It is implemented in Open vSwitch to serve as a more popular and standards compliant alternative to CFM. BFD operates by regularly transmitting BFD control messages at a rate negotiated independently in each direction. Each endpoint specifies the rate at which it expects to receive control messages, and the rate at which it’s willing to transmit them. Open vSwitch uses a detection multiplier of three, meaning that an endpoint which fails to receive BFD control messages for a period of three times the expected reception rate, will signal a connectivity fault. In the case of a unidirectional connectivity issue, the system not receiving BFD control messages will signal the problem to its peer in the messages it transmits. The Open vSwitch implementation of BFD aims to comply faithfully with the requirements put forth in RFC 5880. Currently, the only known omission is ``Demand Mode’’, which we hope to include in future. Open vSwitch does not implement the optional Authentication or ``Echo Mode’’ features. bfd : enable: optional string When true BFD is enabled on this Interface, otherwise it’s disabled. Defaults to false. bfd : min_rx: optional string, containing an integer, at least 1 The fastest rate, in milliseconds, at which this BFD session is willing to receive BFD control messages. The actual rate may be slower if the remote endpoint isn’t willing to transmit as quickly as specified. Defaults to 1000. bfd : min_tx: optional string, containing an integer, at least 1 The fastest rate, in milliseconds, at which this BFD session is willing to transmit BFD control messages. The actual rate may be slower if the remote endpoint isn’t willing to receive as quickly as specified. Defaults to 100. bfd : decay_min_rx: optional string, containing an integer decay_min_rx is used to set the min_rx, when there is no obvious incoming data traffic at the interface. It cannot be set less than the min_rx. The decay feature is disabled by setting the decay_min_rx to 0. And the feature is reset everytime itself or min_rx is reconfigured. bfd : forwarding_if_rx: optional string, either true or false When forwarding_if_rx is true the interface will be considered capable of packet I/O as long as there is packet received at interface. This is important in that when link becomes temporarily conjested, consecutive BFD control packets can be lost. And the forwarding_if_rx can prevent link failover by detecting non-control packets received at interface. bfd : cpath_down: optional string, either true or false Concatenated path down may be used when the local system should not have traffic forwarded to it for some reason other than a connectivty failure on the interface being monitored. When a controller thinks this may be the case, it may set cpath_down to true which may cause the remote BFD session not to forward traffic to this Interface. Defaults to false. bfd : check_tnl_key: optional string, either true or false When set to true, Check Tunnel Key will make BFD only accept control messages with an in_key of zero. Defaults to false. bfd : bfd_dst_mac: optional string An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the destination mac address of the bfd packet. If this field is set, it is assumed that all the bfd packets destined to this interface also has the same destination mac address. If not set, a default value of 00:23:20:00:00:01 is used. bfd_status : state: optional string, one of down, init, up, or admin_down State of the BFD session. The BFD session is fully healthy and negotiated if UP. bfd_status : forwarding: optional string, either true or false True if the BFD session believes this Interface may be used to forward traffic. Typically this means the local session is signaling UP, and the remote system isn’t signaling a problem such as concatenated path down. bfd_status : diagnostic: optional string A short message indicating what the BFD session thinks is wrong in case of a problem. bfd_status : remote_state: optional string, one of down, init, up, or admin_down State of the remote endpoint’s BFD session. bfd_status : remote_diagnostic: optional string A short message indicating what the remote endpoint’s BFD session thinks is wrong in case of a problem. Connectivity Fault Management: 802.1ag Connectivity Fault Management (CFM) allows a group of Maintenance Points (MPs) called a Maintenance Association (MA) to detect connectivity problems with each other. MPs within a MA should have complete and exclusive interconnectivity. This is verified by occasionally broadcasting Continuity Check Messages (CCMs) at a configurable transmission interval. According to the 802.1ag specification, each Maintenance Point should be configured out- of-band with a list of Remote Maintenance Points it should have connectivity to. Open vSwitch differs from the specification in this area. It simply assumes the link is faulted if no Remote Maintenance Points are reachable, and considers it not faulted otherwise. When operating over tunnels which have no in_key, or an in_key of flow. CFM will only accept CCMs with a tunnel key of zero. cfm_mpid: optional integer A Maintenance Point ID (MPID) uniquely identifies each endpoint within a Maintenance Association. The MPID is used to identify this endpoint to other Maintenance Points in the MA. Each end of a link being monitored should have a different MPID. Must be configured to enable CFM on this Interface. cfm_fault: optional boolean Indicates a connectivity fault triggered by an inability to receive heartbeats from any remote endpoint. When a fault is triggered on Interfaces participating in bonds, they will be disabled. Faults can be triggered for several reasons. Most importantly they are triggered when no CCMs are received for a period of 3.5 times the transmission interval. Faults are also triggered when any CCMs indicate that a Remote Maintenance Point is not receiving CCMs but able to send them. Finally, a fault is triggered if a CCM is received which indicates unexpected configuration. Notably, this case arises when a CCM is received which advertises the local MPID. cfm_fault_status : recv: none Indicates a CFM fault was triggered due to a lack of CCMs received on the Interface. cfm_fault_status : rdi: none Indicates a CFM fault was triggered due to the reception of a CCM with the RDI bit flagged. Endpoints set the RDI bit in their CCMs when they are not receiving CCMs themselves. This typically indicates a unidirectional connectivity failure. cfm_fault_status : maid: none Indicates a CFM fault was triggered due to the reception of a CCM with a MAID other than the one Open vSwitch uses. CFM broadcasts are tagged with an identification number in addition to the MPID called the MAID. Open vSwitch only supports receiving CCM broadcasts tagged with the MAID it uses internally. cfm_fault_status : loopback: none Indicates a CFM fault was triggered due to the reception of a CCM advertising the same MPID configured in the cfm_mpid column of this Interface. This may indicate a loop in the network. cfm_fault_status : overflow: none Indicates a CFM fault was triggered because the CFM module received CCMs from more remote endpoints than it can keep track of. cfm_fault_status : override: none Indicates a CFM fault was manually triggered by an administrator using an ovs-appctl command. cfm_fault_status : interval: none Indicates a CFM fault was triggered due to the reception of a CCM frame having an invalid interval. cfm_remote_opstate: optional string, either down or up When in extended mode, indicates the operational state of the remote endpoint as either up or down. See other_config:cfm_opstate. cfm_health: optional integer, in range 0 to 100 Indicates the health of the interface as a percentage of CCM frames received over 21 other_config:cfm_intervals. The health of an interface is undefined if it is communicating with more than one cfm_remote_mpids. It reduces if healthy heartbeats are not received at the expected rate, and gradually improves as healthy heartbeats are received at the desired rate. Every 21 other_config:cfm_intervals, the health of the interface is refreshed. As mentioned above, the faults can be triggered for several reasons. The link health will deteriorate even if heartbeats are received but they are reported to be unhealthy. An unhealthy heartbeat in this context is a heartbeat for which either some fault is set or is out of sequence. The interface health can be 100 only on receiving healthy heartbeats at the desired rate. cfm_remote_mpids: set of integers When CFM is properly configured, Open vSwitch will occasionally receive CCM broadcasts. These broadcasts contain the MPID of the sending Maintenance Point. The list of MPIDs from which this Interface is receiving broadcasts from is regularly collected and written to this column. other_config : cfm_interval: optional string, containing an integer The interval, in milliseconds, between transmissions of CFM heartbeats. Three missed heartbeat receptions indicate a connectivity fault. In standard operation only intervals of 3, 10, 100, 1,000, 10,000, 60,000, or 600,000 ms are supported. Other values will be rounded down to the nearest value on the list. Extended mode (see other_config:cfm_extended) supports any interval up to 65,535 ms. In either mode, the default is 1000 ms. We do not recommend using intervals less than 100 ms. other_config : cfm_extended: optional string, either true or false When true, the CFM module operates in extended mode. This causes it to use a nonstandard destination address to avoid conflicting with compliant implementations which may be running concurrently on the network. Furthermore, extended mode increases the accuracy of the cfm_interval configuration parameter by breaking wire compatibility with 802.1ag compliant implementations. Defaults to false. other_config : cfm_demand: optional string, either true or false When true, and other_config:cfm_extended is true, the CFM module operates in demand mode. When in demand mode, traffic received on the Interface is used to indicate liveness. CCMs are still transmitted and received, but if the Interface is receiving traffic, their absence does not cause a connectivity fault. Demand mode has a couple of caveats: • To ensure that ovs-vswitchd has enough time to pull statistics from the datapath, the fault detection interval is set to 3.5 * MAX(other_config:cfm_interval, 500) ms. • To avoid ambiguity, demand mode disables itself when there are multiple remote maintenance points. • If the Interface is heavily congested, CCMs containing the other_config:cfm_opstate status may be dropped causing changes in the operational state to be delayed. Similarly, if CCMs containing the RDI bit are not received, unidirectional link failures may not be detected. other_config : cfm_opstate: optional string, either down or up When down, the CFM module marks all CCMs it generates as operationally down without triggering a fault. This allows remote maintenance points to choose not to forward traffic to the Interface on which this CFM module is running. Currently, in Open vSwitch, the opdown bit of CCMs affects Interfaces participating in bonds, and the bundle OpenFlow action. This setting is ignored when CFM is not in extended mode. Defaults to up. other_config : cfm_ccm_vlan: optional string, containing an integer, in range 1 to 4,095 When set, the CFM module will apply a VLAN tag to all CCMs it generates with the given value. May be the string random in which case each CCM will be tagged with a different randomly generated VLAN. other_config : cfm_ccm_pcp: optional string, containing an integer, in range 1 to 7 When set, the CFM module will apply a VLAN tag to all CCMs it generates with the given PCP value, the VLAN ID of the tag is governed by the value of other_config:cfm_ccm_vlan. If other_config:cfm_ccm_vlan is unset, a VLAN ID of zero is used. Bonding Configuration: other_config : lacp-port-id: optional string, containing an integer, in range 1 to 65,535 The LACP port ID of this Interface. Port IDs are used in LACP negotiations to identify individual ports participating in a bond. other_config : lacp-port-priority: optional string, containing an integer, in range 1 to 65,535 The LACP port priority of this Interface. In LACP negotiations Interfaces with numerically lower priorities are preferred for aggregation. other_config : lacp-aggregation-key: optional string, containing an integer, in range 1 to 65,535 The LACP aggregation key of this Interface. Interfaces with different aggregation keys may not be active within a given Port at the same time. Virtual Machine Identifiers: These key-value pairs specifically apply to an interface that represents a virtual Ethernet interface connected to a virtual machine. These key-value pairs should not be present for other types of interfaces. Keys whose names end in -uuid have values that uniquely identify the entity in question. For a Citrix XenServer hypervisor, these values are UUIDs in RFC 4122 format. Other hypervisors may use other formats. external_ids : attached-mac: optional string The MAC address programmed into the ``virtual hardware’’ for this interface, in the form xx:xx:xx:xx:xx:xx. For Citrix XenServer, this is the value of the MAC field in the VIF record for this interface. external_ids : iface-id: optional string A system-unique identifier for the interface. On XenServer, this will commonly be the same as external_ids:xs-vif-uuid. external_ids : iface-status: optional string, either active or inactive Hypervisors may sometimes have more than one interface associated with a given external_ids:iface-id, only one of which is actually in use at a given time. For example, in some circumstances XenServer has both a ``tap’’ and a ``vif’’ interface for a single external_ids:iface-id, but only uses one of them at a time. A hypervisor that behaves this way must mark the currently in use interface active and the others inactive. A hypervisor that never has more than one interface for a given external_ids:iface-id may mark that interface active or omit external_ids:iface-status entirely. During VM migration, a given external_ids:iface-id might transiently be marked active on two different hypervisors. That is, active means that this external_ids:iface-id is the active instance within a single hypervisor, not in a broader scope. There is one exception: some hypervisors support ``migration’’ from a given hypervisor to itself (most often for test purposes). During such a ``migration,’’ two instances of a single external_ids:iface-id might both be briefly marked active on a single hypervisor. external_ids : xs-vif-uuid: optional string The virtual interface associated with this interface. external_ids : xs-network-uuid: optional string The virtual network to which this interface is attached. external_ids : vm-id: optional string The VM to which this interface belongs. On XenServer, this will be the same as external_ids:xs-vm-uuid. external_ids : xs-vm-uuid: optional string The VM to which this interface belongs. VLAN Splinters: The ``VLAN splinters’’ feature increases Open vSwitch compatibility with buggy network drivers in old versions of Linux that do not properly support VLANs when VLAN devices are not used, at some cost in memory and performance. When VLAN splinters are enabled on a particular interface, Open vSwitch creates a VLAN device for each in-use VLAN. For sending traffic tagged with a VLAN on the interface, it substitutes the VLAN device. Traffic received on the VLAN device is treated as if it had been received on the interface on the particular VLAN. VLAN splinters consider a VLAN to be in use if: • The VLAN is the tag value in any Port record. • The VLAN is listed within the trunks column of the Port record of an interface on which VLAN splinters are enabled. An empty trunks does not influence the in-use VLANs: creating 4,096 VLAN devices is impractical because it will exceed the current 1,024 port per datapath limit. • An OpenFlow flow within any bridge matches the VLAN. The same set of in-use VLANs applies to every interface on which VLAN splinters are enabled. That is, the set is not chosen separately for each interface but selected once as the union of all in-use VLANs based on the rules above. It does not make sense to enable VLAN splinters on an interface for an access port, or on an interface that is not a physical port. VLAN splinters are deprecated. When broken device drivers are no longer in widespread use, we will delete this feature. other_config : enable-vlan-splinters: optional string, either true or false Set to true to enable VLAN splinters on this interface. Defaults to false. VLAN splinters increase kernel and userspace memory overhead, so do not use them unless they are needed. VLAN splinters do not support 802.1p priority tags. Received priorities will appear to be 0, regardless of their actual values, and priorities on transmitted packets will also be cleared to 0. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Flow_Table TABLE
Configuration for a particular OpenFlow table. Summary: name optional string flow_limit optional integer, at least 0 overflow_policy optional string, either refuse or evict groups set of strings Details: name: optional string The table’s name. Set this column to change the name that controllers will receive when they request table statistics, e.g. ovs-ofctl dump-tables. The name does not affect switch behavior. flow_limit: optional integer, at least 0 If set, limits the number of flows that may be added to the table. Open vSwitch may limit the number of flows in a table for other reasons, e.g. due to hardware limitations or for resource availability or performance reasons. overflow_policy: optional string, either refuse or evict Controls the switch’s behavior when an OpenFlow flow table modification request would add flows in excess of flow_limit. The supported values are: refuse Refuse to add the flow or flows. This is also the default policy when overflow_policy is unset. evict Delete the flow that will expire soonest. See groups for details. groups: set of strings When overflow_policy is evict, this controls how flows are chosen for eviction when the flow table would otherwise exceed flow_limit flows. Its value is a set of NXM fields or sub-fields, each of which takes one of the forms field[] or field[start..end], e.g. NXM_OF_IN_PORT[]. Please see nicira-ext.h for a complete list of NXM field names. When a flow must be evicted due to overflow, the flow to evict is chosen through an approximation of the following algorithm: 1. Divide the flows in the table into groups based on the values of the specified fields or subfields, so that all of the flows in a given group have the same values for those fields. If a flow does not specify a given field, that field’s value is treated as 0. 2. Consider the flows in the largest group, that is, the group that contains the greatest number of flows. If two or more groups all have the same largest number of flows, consider the flows in all of those groups. 3. Among the flows under consideration, choose the flow that expires soonest for eviction. The eviction process only considers flows that have an idle timeout or a hard timeout. That is, eviction never deletes permanent flows. (Permanent flows do count against flow_limit.) Open vSwitch ignores any invalid or unknown field specifications. When overflow_policy is not evict, this column has no effect.
QoS TABLE
Quality of Service (QoS) configuration for each Port that references it. Summary: type string queues map of integer-Queue pairs, key in range 0 to 4,294,967,295 Configuration for linux-htb and linux-hfsc: other_config : max-rate optional string, containing an integer Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: type: string The type of QoS to implement. The currently defined types are listed below: linux-htb Linux ``hierarchy token bucket’’ classifier. See tc-htb(8) (also at http://linux.die.net/man/8/tc-htb) and the HTB manual (http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm) for information on how this classifier works and how to configure it. linux-hfsc Linux "Hierarchical Fair Service Curve" classifier. See http://linux-ip.net/articles/hfsc.en/ for information on how this classifier works. queues: map of integer-Queue pairs, key in range 0 to 4,294,967,295 A map from queue numbers to Queue records. The supported range of queue numbers depend on type. The queue numbers are the same as the queue_id used in OpenFlow in struct ofp_action_enqueue and other structures. Queue 0 is the ``default queue.’’ It is used by OpenFlow output actions when no specific queue has been set. When no configuration for queue 0 is present, it is automatically configured as if a Queue record with empty dscp and other_config columns had been specified. (Before version 1.6, Open vSwitch would leave queue 0 unconfigured in this case. With some queuing disciplines, this dropped all packets destined for the default queue.) Configuration for linux-htb and linux-hfsc: The linux-htb and linux-hfsc classes support the following key-value pair: other_config : max-rate: optional string, containing an integer Maximum rate shared by all queued traffic, in bit/s. Optional. If not specified, for physical interfaces, the default is the link rate. For other interfaces or if the link rate cannot be determined, the default is currently 100 Mbps. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Queue TABLE
A configuration for a port output queue, used in configuring Quality of Service (QoS) features. May be referenced by queues column in QoS table. Summary: dscp optional integer, in range 0 to 63 Configuration for linux-htb QoS: other_config : min-rate optional string, containing an integer, at least 1 other_config : max-rate optional string, containing an integer, at least 1 other_config : burst optional string, containing an integer, at least 1 other_config : priority optional string, containing an integer, in range 0 to 4,294,967,295 Configuration for linux-hfsc QoS: other_config : min-rate optional string, containing an integer, at least 1 other_config : max-rate optional string, containing an integer, at least 1 Common Columns: other_config map of string-string pairs external_ids map of string-string pairs Details: dscp: optional integer, in range 0 to 63 If set, Open vSwitch will mark all traffic egressing this Queue with the given DSCP bits. Traffic egressing the default Queue is only marked if it was explicitly selected as the Queue at the time the packet was output. If unset, the DSCP bits of traffic egressing this Queue will remain unchanged. Configuration for linux-htb QoS: QoS type linux-htb may use queue_ids less than 61440. It has the following key-value pairs defined. other_config : min-rate: optional string, containing an integer, at least 1 Minimum guaranteed bandwidth, in bit/s. other_config : max-rate: optional string, containing an integer, at least 1 Maximum allowed bandwidth, in bit/s. Optional. If specified, the queue’s rate will not be allowed to exceed the specified value, even if excess bandwidth is available. If unspecified, defaults to no limit. other_config : burst: optional string, containing an integer, at least 1 Burst size, in bits. This is the maximum amount of ``credits’’ that a queue can accumulate while it is idle. Optional. Details of the linux-htb implementation require a minimum burst size, so a too-small burst will be silently ignored. other_config : priority: optional string, containing an integer, in range 0 to 4,294,967,295 A queue with a smaller priority will receive all the excess bandwidth that it can use before a queue with a larger value receives any. Specific priority values are unimportant; only relative ordering matters. Defaults to 0 if unspecified. Configuration for linux-hfsc QoS: QoS type linux-hfsc may use queue_ids less than 61440. It has the following key-value pairs defined. other_config : min-rate: optional string, containing an integer, at least 1 Minimum guaranteed bandwidth, in bit/s. other_config : max-rate: optional string, containing an integer, at least 1 Maximum allowed bandwidth, in bit/s. Optional. If specified, the queue’s rate will not be allowed to exceed the specified value, even if excess bandwidth is available. If unspecified, defaults to no limit. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. other_config: map of string-string pairs external_ids: map of string-string pairs
Mirror TABLE
A port mirror within a Bridge. A port mirror configures a bridge to send selected frames to special ``mirrored’’ ports, in addition to their normal destinations. Mirroring traffic may also be referred to as SPAN or RSPAN, depending on how the mirrored traffic is sent. Summary: name string Selecting Packets for Mirroring: select_all boolean select_dst_port set of weak reference to Ports select_src_port set of weak reference to Ports select_vlan set of up to 4,096 integers, in range 0 to 4,095 Mirroring Destination Configuration: output_port optional weak reference to Port output_vlan optional integer, in range 1 to 4,095 Statistics: Mirror counters: statistics : tx_packets optional integer statistics : tx_bytes optional integer Common Columns: external_ids map of string-string pairs Details: name: string Arbitrary identifier for the Mirror. Selecting Packets for Mirroring: To be selected for mirroring, a given packet must enter or leave the bridge through a selected port and it must also be in one of the selected VLANs. select_all: boolean If true, every packet arriving or departing on any port is selected for mirroring. select_dst_port: set of weak reference to Ports Ports on which departing packets are selected for mirroring. select_src_port: set of weak reference to Ports Ports on which arriving packets are selected for mirroring. select_vlan: set of up to 4,096 integers, in range 0 to 4,095 VLANs on which packets are selected for mirroring. An empty set selects packets on all VLANs. Mirroring Destination Configuration: These columns are mutually exclusive. Exactly one of them must be nonempty. output_port: optional weak reference to Port Output port for selected packets, if nonempty. Specifying a port for mirror output reserves that port exclusively for mirroring. No frames other than those selected for mirroring via this column will be forwarded to the port, and any frames received on the port will be discarded. The output port may be any kind of port supported by Open vSwitch. It may be, for example, a physical port (sometimes called SPAN) or a GRE tunnel. output_vlan: optional integer, in range 1 to 4,095 Output VLAN for selected packets, if nonempty. The frames will be sent out all ports that trunk output_vlan, as well as any ports with implicit VLAN output_vlan. When a mirrored frame is sent out a trunk port, the frame’s VLAN tag will be set to output_vlan, replacing any existing tag; when it is sent out an implicit VLAN port, the frame will not be tagged. This type of mirroring is sometimes called RSPAN. See the documentation for other_config:forward-bpdu in the Interface table for a list of destination MAC addresses which will not be mirrored to a VLAN to avoid confusing switches that interpret the protocols that they represent. Please note: Mirroring to a VLAN can disrupt a network that contains unmanaged switches. Consider an unmanaged physical switch with two ports: port 1, connected to an end host, and port 2, connected to an Open vSwitch configured to mirror received packets into VLAN 123 on port 2. Suppose that the end host sends a packet on port 1 that the physical switch forwards to port 2. The Open vSwitch forwards this packet to its destination and then reflects it back on port 2 in VLAN 123. This reflected packet causes the unmanaged physical switch to replace the MAC learning table entry, which correctly pointed to port 1, with one that incorrectly points to port 2. Afterward, the physical switch will direct packets destined for the end host to the Open vSwitch on port 2, instead of to the end host on port 1, disrupting connectivity. If mirroring to a VLAN is desired in this scenario, then the physical switch must be replaced by one that learns Ethernet addresses on a per-VLAN basis. In addition, learning should be disabled on the VLAN containing mirrored traffic. If this is not done then intermediate switches will learn the MAC address of each end host from the mirrored traffic. If packets being sent to that end host are also mirrored, then they will be dropped since the switch will attempt to send them out the input port. Disabling learning for the VLAN will cause the switch to correctly send the packet out all ports configured for that VLAN. If Open vSwitch is being used as an intermediate switch, learning can be disabled by adding the mirrored VLAN to flood_vlans in the appropriate Bridge table or tables. Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred. Statistics: Mirror counters: Key-value pairs that report mirror statistics. statistics : tx_packets: optional integer Number of packets transmitted through this mirror. statistics : tx_bytes: optional integer Number of bytes transmitted through this mirror. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs
Controller TABLE
An OpenFlow controller. Open vSwitch supports two kinds of OpenFlow controllers: Primary controllers This is the kind of controller envisioned by the OpenFlow 1.0 specification. Usually, a primary controller implements a network policy by taking charge of the switch’s flow table. Open vSwitch initiates and maintains persistent connections to primary controllers, retrying the connection each time it fails or drops. The fail_mode column in the Bridge table applies to primary controllers. Open vSwitch permits a bridge to have any number of primary controllers. When multiple controllers are configured, Open vSwitch connects to all of them simultaneously. Because OpenFlow 1.0 does not specify how multiple controllers coordinate in interacting with a single switch, more than one primary controller should be specified only if the controllers are themselves designed to coordinate with each other. (The Nicira-defined NXT_ROLE OpenFlow vendor extension may be useful for this.) Service controllers These kinds of OpenFlow controller connections are intended for occasional support and maintenance use, e.g. with ovs-ofctl. Usually a service controller connects only briefly to inspect or modify some of a switch’s state. Open vSwitch listens for incoming connections from service controllers. The service controllers initiate and, if necessary, maintain the connections from their end. The fail_mode column in the Bridge table does not apply to service controllers. Open vSwitch supports configuring any number of service controllers. The target determines the type of controller. Summary: Core Features: target string connection_mode optional string, either in-band or out-of-band Controller Failure Detection and Handling: max_backoff optional integer, at least 1,000 inactivity_probe optional integer Asynchronous Message Configuration: enable_async_messages optional boolean controller_rate_limit optional integer, at least 100 controller_burst_limit optional integer, at least 25 Additional In-Band Configuration: local_ip optional string local_netmask optional string local_gateway optional string Controller Status: is_connected boolean role optional string, one of slave, other, or master status : last_error optional string status : state optional string, one of ACTIVE, VOID, CONNECTING, IDLE, or BACKOFF status : sec_since_connect optional string, containing an integer, at least 0 status : sec_since_disconnect optional string, containing an integer, at least 1 Connection Parameters: other_config : dscp optional string, containing an integer Common Columns: external_ids map of string-string pairs other_config map of string-string pairs Details: Core Features: target: string Connection method for controller. The following connection methods are currently supported for primary controllers: ssl:ip[:port] The specified SSL port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). The ssl column in the Open_vSwitch table must point to a valid SSL configuration when this form is used. SSL support is an optional feature that is not always built as part of Open vSwitch. tcp:ip[:port] The specified TCP port (default: 6633) on the host at the given ip, which must be expressed as an IP address (not a DNS name). The following connection methods are currently supported for service controllers: pssl:[port][:ip] Listens for SSL connections on the specified TCP port (default: 6633). If ip, which must be expressed as an IP address (not a DNS name), is specified, then connections are restricted to the specified local IP address. The ssl column in the Open_vSwitch table must point to a valid SSL configuration when this form is used. SSL support is an optional feature that is not always built as part of Open vSwitch. ptcp:[port][:ip] Listens for connections on the specified TCP port (default: 6633). If ip, which must be expressed as an IP address (not a DNS name), is specified, then connections are restricted to the specified local IP address. When multiple controllers are configured for a single bridge, the target values must be unique. Duplicate target values yield unspecified results. connection_mode: optional string, either in-band or out-of-band If it is specified, this setting must be one of the following strings that describes how Open vSwitch contacts this OpenFlow controller over the network: in-band In this mode, this controller’s OpenFlow traffic travels over the bridge associated with the controller. With this setting, Open vSwitch allows traffic to and from the controller regardless of the contents of the OpenFlow flow table. (Otherwise, Open vSwitch would never be able to connect to the controller, because it did not have a flow to enable it.) This is the most common connection mode because it is not necessary to maintain two independent networks. out-of-band In this mode, OpenFlow traffic uses a control network separate from the bridge associated with this controller, that is, the bridge does not use any of its own network devices to communicate with the controller. The control network must be configured separately, before or after ovs-vswitchd is started. If not specified, the default is implementation-specific. Controller Failure Detection and Handling: max_backoff: optional integer, at least 1,000 Maximum number of milliseconds to wait between connection attempts. Default is implementation-specific. inactivity_probe: optional integer Maximum number of milliseconds of idle time on connection to controller before sending an inactivity probe message. If Open vSwitch does not communicate with the controller for the specified number of seconds, it will send a probe. If a response is not received for the same additional amount of time, Open vSwitch assumes the connection has been broken and attempts to reconnect. Default is implementation-specific. A value of 0 disables inactivity probes. Asynchronous Message Configuration: OpenFlow switches send certain messages to controllers spontanenously, that is, not in response to any request from the controller. These messages are called ``asynchronous messages.’’ These columns allow asynchronous messages to be limited or disabled to ensure the best use of network resources. enable_async_messages: optional boolean The OpenFlow protocol enables asynchronous messages at time of connection establishment, which means that a controller can receive asynchronous messages, potentially many of them, even if it turns them off immediately after connecting. Set this column to false to change Open vSwitch behavior to disable, by default, all asynchronous messages. The controller can use the NXT_SET_ASYNC_CONFIG Nicira extension to OpenFlow to turn on any messages that it does want to receive, if any. controller_rate_limit: optional integer, at least 100 The maximum rate at which the switch will forward packets to the OpenFlow controller, in packets per second. This feature prevents a single bridge from overwhelming the controller. If not specified, the default is implementation- specific. In addition, when a high rate triggers rate-limiting, Open vSwitch queues controller packets for each port and transmits them to the controller at the configured rate. The controller_burst_limit value limits the number of queued packets. Ports on a bridge share the packet queue fairly. Open vSwitch maintains two such packet rate-limiters per bridge: one for packets sent up to the controller because they do not correspond to any flow, and the other for packets sent up to the controller by request through flow actions. When both rate-limiters are filled with packets, the actual rate that packets are sent to the controller is up to twice the specified rate. controller_burst_limit: optional integer, at least 25 In conjunction with controller_rate_limit, the maximum number of unused packet credits that the bridge will allow to accumulate, in packets. If not specified, the default is implementation-specific. Additional In-Band Configuration: These values are considered only in in-band control mode (see connection_mode). When multiple controllers are configured on a single bridge, there should be only one set of unique values in these columns. If different values are set for these columns in different controllers, the effect is unspecified. local_ip: optional string The IP address to configure on the local port, e.g. 192.168.0.123. If this value is unset, then local_netmask and local_gateway are ignored. local_netmask: optional string The IP netmask to configure on the local port, e.g. 255.255.255.0. If local_ip is set but this value is unset, then the default is chosen based on whether the IP address is class A, B, or C. local_gateway: optional string The IP address of the gateway to configure on the local port, as a string, e.g. 192.168.0.1. Leave this column unset if this network has no gateway. Controller Status: is_connected: boolean true if currently connected to this controller, false otherwise. role: optional string, one of slave, other, or master The level of authority this controller has on the associated bridge. Possible values are: other Allows the controller access to all OpenFlow features. master Equivalent to other, except that there may be at most one master controller at a time. When a controller configures itself as master, any existing master is demoted to the slaverole. slave Allows the controller read-only access to OpenFlow features. Attempts to modify the flow table will be rejected with an error. Slave controllers do not receive OFPT_PACKET_IN or OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS messages. status : last_error: optional string A human-readable description of the last error on the connection to the controller; i.e. strerror(errno). This key will exist only if an error has occurred. status : state: optional string, one of ACTIVE, VOID, CONNECTING, IDLE, or BACKOFF The state of the connection to the controller: VOID Connection is disabled. BACKOFF Attempting to reconnect at an increasing period. CONNECTING Attempting to connect. ACTIVE Connected, remote host responsive. IDLE Connection is idle. Waiting for response to keep-alive. These values may change in the future. They are provided only for human consumption. status : sec_since_connect: optional string, containing an integer, at least 0 The amount of time since this controller last successfully connected to the switch (in seconds). Value is empty if controller has never successfully connected. status : sec_since_disconnect: optional string, containing an integer, at least 1 The amount of time since this controller last disconnected from the switch (in seconds). Value is empty if controller has never disconnected. Connection Parameters: Additional configuration for a connection between the controller and the Open vSwitch. other_config : dscp: optional string, containing an integer The Differentiated Service Code Point (DSCP) is specified using 6 bits in the Type of Service (TOS) field in the IP header. DSCP provides a mechanism to classify the network traffic and provide Quality of Service (QoS) on IP networks. The DSCP value specified here is used when establishing the connection between the controller and the Open vSwitch. If no value is specified, a default value of 48 is chosen. Valid DSCP values must be in the range 0 to 63. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs other_config: map of string-string pairs
Manager TABLE
Configuration for a database connection to an Open vSwitch database (OVSDB) client. This table primarily configures the Open vSwitch database (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The switch does read the table to determine what connections should be treated as in-band. The Open vSwitch database server can initiate and maintain active connections to remote clients. It can also listen for database connections. Summary: Core Features: target string (must be unique within table) connection_mode optional string, either in-band or out-of-band Client Failure Detection and Handling: max_backoff optional integer, at least 1,000 inactivity_probe optional integer Status: is_connected boolean status : last_error optional string status : state optional string, one of ACTIVE, VOID, CONNECTING, IDLE, or BACKOFF status : sec_since_connect optional string, containing an integer, at least 0 status : sec_since_disconnect optional string, containing an integer, at least 0 status : locks_held optional string status : locks_waiting optional string status : locks_lost optional string status : n_connections optional string, containing an integer, at least 2 status : bound_port optional string, containing an integer Connection Parameters: other_config : dscp optional string, containing an integer Common Columns: external_ids map of string-string pairs other_config map of string-string pairs Details: Core Features: target: string (must be unique within table) Connection method for managers. The following connection methods are currently supported: ssl:ip[:port] The specified SSL port (default: 6632) on the host at the given ip, which must be expressed as an IP address (not a DNS name). The ssl column in the Open_vSwitch table must point to a valid SSL configuration when this form is used. SSL support is an optional feature that is not always built as part of Open vSwitch. tcp:ip[:port] The specified TCP port (default: 6632) on the host at the given ip, which must be expressed as an IP address (not a DNS name). pssl:[port][:ip] Listens for SSL connections on the specified TCP port (default: 6632). Specify 0 for port to have the kernel automatically choose an available port. If ip, which must be expressed as an IP address (not a DNS name), is specified, then connections are restricted to the specified local IP address. The ssl column in the Open_vSwitch table must point to a valid SSL configuration when this form is used. SSL support is an optional feature that is not always built as part of Open vSwitch. ptcp:[port][:ip] Listens for connections on the specified TCP port (default: 6632). Specify 0 for port to have the kernel automatically choose an available port. If ip, which must be expressed as an IP address (not a DNS name), is specified, then connections are restricted to the specified local IP address. When multiple managers are configured, the target values must be unique. Duplicate target values yield unspecified results. connection_mode: optional string, either in-band or out-of-band If it is specified, this setting must be one of the following strings that describes how Open vSwitch contacts this OVSDB client over the network: in-band In this mode, this connection’s traffic travels over a bridge managed by Open vSwitch. With this setting, Open vSwitch allows traffic to and from the client regardless of the contents of the OpenFlow flow table. (Otherwise, Open vSwitch would never be able to connect to the client, because it did not have a flow to enable it.) This is the most common connection mode because it is not necessary to maintain two independent networks. out-of-band In this mode, the client’s traffic uses a control network separate from that managed by Open vSwitch, that is, Open vSwitch does not use any of its own network devices to communicate with the client. The control network must be configured separately, before or after ovs-vswitchd is started. If not specified, the default is implementation-specific. Client Failure Detection and Handling: max_backoff: optional integer, at least 1,000 Maximum number of milliseconds to wait between connection attempts. Default is implementation-specific. inactivity_probe: optional integer Maximum number of milliseconds of idle time on connection to the client before sending an inactivity probe message. If Open vSwitch does not communicate with the client for the specified number of seconds, it will send a probe. If a response is not received for the same additional amount of time, Open vSwitch assumes the connection has been broken and attempts to reconnect. Default is implementation- specific. A value of 0 disables inactivity probes. Status: is_connected: boolean true if currently connected to this manager, false otherwise. status : last_error: optional string A human-readable description of the last error on the connection to the manager; i.e. strerror(errno). This key will exist only if an error has occurred. status : state: optional string, one of ACTIVE, VOID, CONNECTING, IDLE, or BACKOFF The state of the connection to the manager: VOID Connection is disabled. BACKOFF Attempting to reconnect at an increasing period. CONNECTING Attempting to connect. ACTIVE Connected, remote host responsive. IDLE Connection is idle. Waiting for response to keep-alive. These values may change in the future. They are provided only for human consumption. status : sec_since_connect: optional string, containing an integer, at least 0 The amount of time since this manager last successfully connected to the database (in seconds). Value is empty if manager has never successfully connected. status : sec_since_disconnect: optional string, containing an integer, at least 0 The amount of time since this manager last disconnected from the database (in seconds). Value is empty if manager has never disconnected. status : locks_held: optional string Space-separated list of the names of OVSDB locks that the connection holds. Omitted if the connection does not hold any locks. status : locks_waiting: optional string Space-separated list of the names of OVSDB locks that the connection is currently waiting to acquire. Omitted if the connection is not waiting for any locks. status : locks_lost: optional string Space-separated list of the names of OVSDB locks that the connection has had stolen by another OVSDB client. Omitted if no locks have been stolen from this connection. status : n_connections: optional string, containing an integer, at least 2 When target specifies a connection method that listens for inbound connections (e.g. ptcp: or pssl:) and more than one connection is actually active, the value is the number of active connections. Otherwise, this key-value pair is omitted. When multiple connections are active, status columns and key-value pairs (other than this one) report the status of one arbitrarily chosen connection. status : bound_port: optional string, containing an integer When target is ptcp: or pssl:, this is the TCP port on which the OVSDB server is listening. (This is is particularly useful when target specifies a port of 0, allowing the kernel to choose any available port.) Connection Parameters: Additional configuration for a connection between the manager and the Open vSwitch Database. other_config : dscp: optional string, containing an integer The Differentiated Service Code Point (DSCP) is specified using 6 bits in the Type of Service (TOS) field in the IP header. DSCP provides a mechanism to classify the network traffic and provide Quality of Service (QoS) on IP networks. The DSCP value specified here is used when establishing the connection between the manager and the Open vSwitch. If no value is specified, a default value of 48 is chosen. Valid DSCP values must be in the range 0 to 63. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs other_config: map of string-string pairs
NetFlow TABLE
A NetFlow target. NetFlow is a protocol that exports a number of details about terminating IP flows, such as the principals involved and duration. Summary: targets set of 1 or more strings engine_id optional integer, in range 0 to 255 engine_type optional integer, in range 0 to 255 active_timeout integer, at least -1 add_id_to_interface boolean Common Columns: external_ids map of string-string pairs Details: targets: set of 1 or more strings NetFlow targets in the form ip:port. The ip must be specified numerically, not as a DNS name. engine_id: optional integer, in range 0 to 255 Engine ID to use in NetFlow messages. Defaults to datapath index if not specified. engine_type: optional integer, in range 0 to 255 Engine type to use in NetFlow messages. Defaults to datapath index if not specified. active_timeout: integer, at least -1 The interval at which NetFlow records are sent for flows that are still active, in seconds. A value of 0 requests the default timeout (currently 600 seconds); a value of -1 disables active timeouts. add_id_to_interface: boolean If this column’s value is false, the ingress and egress interface fields of NetFlow flow records are derived from OpenFlow port numbers. When it is true, the 7 most significant bits of these fields will be replaced by the least significant 7 bits of the engine id. This is useful because many NetFlow collectors do not expect multiple switches to be sending messages from the same host, so they do not store the engine information which could be used to disambiguate the traffic. When this option is enabled, a maximum of 508 ports are supported. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs
SSL TABLE
SSL configuration for an Open_vSwitch. Summary: private_key string certificate string ca_cert string bootstrap_ca_cert boolean Common Columns: external_ids map of string-string pairs Details: private_key: string Name of a PEM file containing the private key used as the switch’s identity for SSL connections to the controller. certificate: string Name of a PEM file containing a certificate, signed by the certificate authority (CA) used by the controller and manager, that certifies the switch’s private key, identifying a trustworthy switch. ca_cert: string Name of a PEM file containing the CA certificate used to verify that the switch is connected to a trustworthy controller. bootstrap_ca_cert: boolean If set to true, then Open vSwitch will attempt to obtain the CA certificate from the controller on its first SSL connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a certificate signed by the CA certificate thus obtained. This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate. It may still be useful for bootstrapping. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs
sFlow TABLE
A set of sFlow(R) targets. sFlow is a protocol for remote monitoring of switches. Summary: agent optional string header optional integer polling optional integer sampling optional integer targets set of 1 or more strings Common Columns: external_ids map of string-string pairs Details: agent: optional string Name of the network device whose IP address should be reported as the ``agent address’’ to collectors. If not specified, the agent device is figured from the first target address and the routing table. If the routing table does not contain a route to the target, the IP address defaults to the local_ip in the collector’s Controller. If an agent IP address cannot be determined any of these ways, sFlow is disabled. header: optional integer Number of bytes of a sampled packet to send to the collector. If not specified, the default is 128 bytes. polling: optional integer Polling rate in seconds to send port statistics to the collector. If not specified, defaults to 30 seconds. sampling: optional integer Rate at which packets should be sampled and sent to the collector. If not specified, defaults to 400, which means one out of 400 packets, on average, will be sent to the collector. targets: set of 1 or more strings sFlow targets in the form ip:port. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs
IPFIX TABLE
A set of IPFIX collectors. IPFIX is a protocol that exports a number of details about flows. Summary: targets set of 1 or more strings sampling optional integer, in range 1 to 4,294,967,295 obs_domain_id optional integer, in range 0 to 4,294,967,295 obs_point_id optional integer, in range 0 to 4,294,967,295 cache_active_timeout optional integer, in range 0 to 4,200 cache_max_flows optional integer, in range 0 to 4,294,967,295 Common Columns: external_ids map of string-string pairs Details: targets: set of 1 or more strings IPFIX target collectors in the form ip:port. sampling: optional integer, in range 1 to 4,294,967,295 For per-bridge packet sampling, i.e. when this row is referenced from a Bridge, the rate at which packets should be sampled and sent to each target collector. If not specified, defaults to 400, which means one out of 400 packets, on average, will be sent to each target collector. Ignored for per-flow sampling, i.e. when this row is referenced from a Flow_Sample_Collector_Set. obs_domain_id: optional integer, in range 0 to 4,294,967,295 For per-bridge packet sampling, i.e. when this row is referenced from a Bridge, the IPFIX Observation Domain ID sent in each IPFIX packet. If not specified, defaults to 0. Ignored for per-flow sampling, i.e. when this row is referenced from a Flow_Sample_Collector_Set. obs_point_id: optional integer, in range 0 to 4,294,967,295 For per-bridge packet sampling, i.e. when this row is referenced from a Bridge, the IPFIX Observation Point ID sent in each IPFIX flow record. If not specified, defaults to 0. Ignored for per-flow sampling, i.e. when this row is referenced from a Flow_Sample_Collector_Set. cache_active_timeout: optional integer, in range 0 to 4,200 The maximum period in seconds for which an IPFIX flow record is cached and aggregated before being sent. If not specified, defaults to 0. If 0, caching is disabled. cache_max_flows: optional integer, in range 0 to 4,294,967,295 The maximum number of IPFIX flow records that can be cached at a time. If not specified, defaults to 0. If 0, caching is disabled. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs
Flow_Sample_Collector_Set TABLE
A set of IPFIX collectors of packet samples generated by OpenFlow sample actions. Summary: id integer, in range 0 to 4,294,967,295 bridge Bridge ipfix optional IPFIX Common Columns: external_ids map of string-string pairs Details: id: integer, in range 0 to 4,294,967,295 The ID of this collector set, unique among the bridge’s collector sets, to be used as the collector_set_id in OpenFlow sample actions. bridge: Bridge The bridge into which OpenFlow sample actions can be added to send packet samples to this set of IPFIX collectors. ipfix: optional IPFIX Configuration of the set of IPFIX collectors to send one flow record per sampled packet to. Common Columns: The overall purpose of these columns is described under Common Columns at the beginning of this document. external_ids: map of string-string pairs