Openwrt-EcoNet/TP-Link_Archer-XR500v
Archived
1
0
Fork 0
Code
This repository has been archived on 2024-07-22. You can view files and clone it, but cannot push or open issues or pull requests.
TP-Link_Archer-XR500v/EN7526G_3.18Kernel_SDK/apps/public/openvswitch-2.5.0/vswitchd/vswitch.xml
Matheus Sampaio Queiroga aaca98136a Add gpl
2024-07-22 01:58:46 -03:00

4725 lines
196 KiB
XML
Executable File
Raw Permalink Blame History

<?xml version="1.0" encoding="utf-8"?>
<database name="ovs-vswitchd.conf.db" title="Open vSwitch Configuration Database">
<p>
A database with this schema holds the configuration for one Open
vSwitch daemon. The top-level configuration for the daemon is the
<ref table="Open_vSwitch"/> table, which must have exactly one
record. Records in other tables are significant only when they
can be reached directly or indirectly from the <ref
table="Open_vSwitch"/> table. Records that are not reachable from
the <ref table="Open_vSwitch"/> table are automatically deleted
from the database, except for records in a few distinguished
``root set'' tables.
</p>
<h2>Common Columns</h2>
<p>
Most tables contain two special columns, named <code>other_config</code>
and <code>external_ids</code>. These columns have the same form and
purpose each place that they appear, so we describe them here to save space
later.
</p>
<dl>
<dt><code>other_config</code>: map of string-string pairs</dt>
<dd>
<p>
Key-value pairs for configuring rarely used features. Supported keys,
along with the forms taken by their values, are documented individually
for each table.
</p>
<p>
A few tables do not have <code>other_config</code> columns because no
key-value pairs have yet been defined for them.
</p>
</dd>
<dt><code>external_ids</code>: map of string-string pairs</dt>
<dd>
Key-value pairs for use by external frameworks that integrate with Open
vSwitch, rather than by Open vSwitch itself. System integrators should
either use the Open vSwitch development mailing list to coordinate on
common key-value definitions, or choose key names that are likely to be
unique. In some cases, where key-value pairs have been defined that are
likely to be widely useful, they are documented individually for each
table.
</dd>
</dl>
<table name="Open_vSwitch" title="Open vSwitch configuration.">
Configuration for an Open vSwitch daemon. There must be exactly
one record in the <ref table="Open_vSwitch"/> table.
<group title="Configuration">
<column name="bridges">
Set of bridges managed by the daemon.
</column>
<column name="ssl">
SSL used globally by the daemon.
</column>
<column name="external_ids" key="system-id">
A unique identifier for the Open vSwitch's physical host.
The form of the identifier depends on the type of the host.
On a Citrix XenServer, this will likely be the same as
<ref column="external_ids" key="xs-system-uuid"/>.
</column>
<column name="external_ids" key="xs-system-uuid">
The Citrix XenServer universally unique identifier for the physical
host as displayed by <code>xe host-list</code>.
</column>
<column name="other_config" key="stats-update-interval"
type='{"type": "integer", "minInteger": 5000}'>
<p>
Interval for updating statistics to the database, in milliseconds.
This option will affect the update of the <code>statistics</code>
column in the following tables: <code>Port</code>, <code>Interface
</code>, <code>Mirror</code>.
</p>
<p>
Default value is 5000 ms.
</p>
<p>
Getting statistics more frequently can be achieved via OpenFlow.
</p>
</column>
<column name="other_config" key="flow-restore-wait"
type='{"type": "boolean"}'>
<p>
When <code>ovs-vswitchd</code> starts up, it has an empty flow table
and therefore it handles all arriving packets in its default fashion
according to its configuration, by dropping them or sending them to
an OpenFlow controller or switching them as a standalone switch.
This behavior is ordinarily desirable. However, if
<code>ovs-vswitchd</code> is restarting as part of a ``hot-upgrade,''
then this leads to a relatively long period during which packets are
mishandled.
</p>
<p>
This option allows for improvement. When <code>ovs-vswitchd</code>
starts with this value set as <code>true</code>, it will neither
flush or expire previously set datapath flows nor will it send and
receive any packets to or from the datapath. When this value is
later set to <code>false</code>, <code>ovs-vswitchd</code> will
start receiving packets from the datapath and re-setup the flows.
</p>
<p>
Thus, with this option, the procedure for a hot-upgrade of
<code>ovs-vswitchd</code> becomes roughly the following:
</p>
<ol>
<li>
Stop <code>ovs-vswitchd</code>.
</li>
<li>
Set <ref column="other_config" key="flow-restore-wait"/>
to <code>true</code>.
</li>
<li>
Start <code>ovs-vswitchd</code>.
</li>
<li>
Use <code>ovs-ofctl</code> (or some other program, such as an
OpenFlow controller) to restore the OpenFlow flow table
to the desired state.
</li>
<li>
Set <ref column="other_config" key="flow-restore-wait"/>
to <code>false</code> (or remove it entirely from the database).
</li>
</ol>
<p>
The <code>ovs-ctl</code>'s ``restart'' and ``force-reload-kmod''
functions use the above config option during hot upgrades.
</p>
</column>
<column name="other_config" key="flow-limit"
type='{"type": "integer", "minInteger": 0}'>
<p>
The maximum
number of flows allowed in the datapath flow table. Internally OVS
will choose a flow limit which will likely be lower than this number,
based on real time network conditions. Tweaking this value is
discouraged unless you know exactly what you're doing.
</p>
<p>
The default is 200000.
</p>
</column>
<column name="other_config" key="max-idle"
type='{"type": "integer", "minInteger": 500}'>
<p>
The maximum time (in ms) that idle flows will remain cached in the
datapath. Internally OVS will check the validity and activity for
datapath flows regularly and may expire flows quicker than this
number, based on real time network conditions. Tweaking this
value is discouraged unless you know exactly what you're doing.
</p>
<p>
The default is 10000.
</p>
</column>
<column name="other_config" key="n-dpdk-rxqs"
type='{"type": "integer", "minInteger": 1}'>
<p>
Specifies the maximum number of rx queues to be created for each dpdk
interface. If not specified or specified to 0, one rx queue will
be created for each dpdk interface by default.
</p>
</column>
<column name="other_config" key="pmd-cpu-mask">
<p>
Specifies CPU mask for setting the cpu affinity of PMD (Poll
Mode Driver) threads. Value should be in the form of hex string,
similar to the dpdk EAL '-c COREMASK' option input or the 'taskset'
mask input.
</p>
<p>
The lowest order bit corresponds to the first CPU core. A set bit
means the corresponding core is available and a pmd thread will be
created and pinned to it. If the input does not cover all cores,
those uncovered cores are considered not set.
</p>
<p>
If not specified, one pmd thread will be created for each numa node
and pinned to any available core on the numa node by default.
</p>
</column>
<column name="other_config" key="n-handler-threads"
type='{"type": "integer", "minInteger": 1}'>
<p>
Specifies the number of threads for software datapaths to use for
handling new flows. The default the number of online CPU cores minus
the number of revalidators.
</p>
<p>
This configuration is per datapath. If you have more than one
software datapath (e.g. some <code>system</code> bridges and some
<code>netdev</code> bridges), then the total number of threads is
<code>n-handler-threads</code> times the number of software
datapaths.
</p>
</column>
<column name="other_config" key="n-revalidator-threads"
type='{"type": "integer", "minInteger": 1}'>
<p>
Specifies the number of threads for software datapaths to use for
revalidating flows in the datapath. Typically, there is a direct
correlation between the number of revalidator threads, and the number
of flows allowed in the datapath. The default is the number of cpu
cores divided by four plus one. If <code>n-handler-threads</code> is
set, the default changes to the number of cpu cores minus the number
of handler threads.
</p>
<p>
This configuration is per datapath. If you have more than one
software datapath (e.g. some <code>system</code> bridges and some
<code>netdev</code> bridges), then the total number of threads is
<code>n-handler-threads</code> times the number of software
datapaths.
</p>
</column>
</group>
<group title="Status">
<column name="next_cfg">
Sequence number for client to increment. When a client modifies
any part of the database configuration and wishes to wait for
Open vSwitch to finish applying the changes, it may increment
this sequence number.
</column>
<column name="cur_cfg">
Sequence number that Open vSwitch sets to the current value of
<ref column="next_cfg"/> after it finishes applying a set of
configuration changes.
</column>
<group title="Statistics">
<p>
The <code>statistics</code> column contains key-value pairs that
report statistics about a system running an Open vSwitch. These are
updated periodically (currently, every 5 seconds). Key-value pairs
that cannot be determined or that do not apply to a platform are
omitted.
</p>
<column name="other_config" key="enable-statistics"
type='{"type": "boolean"}'>
Statistics are disabled by default to avoid overhead in the common
case when statistics gathering is not useful. Set this value to
<code>true</code> to enable populating the <ref column="statistics"/>
column or to <code>false</code> to explicitly disable it.
</column>
<column name="statistics" key="cpu"
type='{"type": "integer", "minInteger": 1}'>
<p>
Number of CPU processors, threads, or cores currently online and
available to the operating system on which Open vSwitch is running,
as an integer. This may be less than the number installed, if some
are not online or if they are not available to the operating
system.
</p>
<p>
Open vSwitch userspace processes are not multithreaded, but the
Linux kernel-based datapath is.
</p>
</column>
<column name="statistics" key="load_average">
A comma-separated list of three floating-point numbers,
representing the system load average over the last 1, 5, and 15
minutes, respectively.
</column>
<column name="statistics" key="memory">
<p>
A comma-separated list of integers, each of which represents a
quantity of memory in kilobytes that describes the operating
system on which Open vSwitch is running. In respective order,
these values are:
</p>
<ol>
<li>Total amount of RAM allocated to the OS.</li>
<li>RAM allocated to the OS that is in use.</li>
<li>RAM that can be flushed out to disk or otherwise discarded
if that space is needed for another purpose. This number is
necessarily less than or equal to the previous value.</li>
<li>Total disk space allocated for swap.</li>
<li>Swap space currently in use.</li>
</ol>
<p>
On Linux, all five values can be determined and are included. On
other operating systems, only the first two values can be
determined, so the list will only have two values.
</p>
</column>
<column name="statistics" key="process_NAME">
<p>
One such key-value pair, with <code>NAME</code> replaced by
a process name, will exist for each running Open vSwitch
daemon process, with <var>name</var> replaced by the
daemon's name (e.g. <code>process_ovs-vswitchd</code>). The
value is a comma-separated list of integers. The integers
represent the following, with memory measured in kilobytes
and durations in milliseconds:
</p>
<ol>
<li>The process's virtual memory size.</li>
<li>The process's resident set size.</li>
<li>The amount of user and system CPU time consumed by the
process.</li>
<li>The number of times that the process has crashed and been
automatically restarted by the monitor.</li>
<li>The duration since the process was started.</li>
<li>The duration for which the process has been running.</li>
</ol>
<p>
The interpretation of some of these values depends on whether the
process was started with the <option>--monitor</option>. If it
was not, then the crash count will always be 0 and the two
durations will always be the same. If <option>--monitor</option>
was given, then the crash count may be positive; if it is, the
latter duration is the amount of time since the most recent crash
and restart.
</p>
<p>
There will be one key-value pair for each file in Open vSwitch's
``run directory'' (usually <code>/var/run/openvswitch</code>)
whose name ends in <code>.pid</code>, whose contents are a
process ID, and which is locked by a running process. The
<var>name</var> is taken from the pidfile's name.
</p>
<p>
Currently Open vSwitch is only able to obtain all of the above
detail on Linux systems. On other systems, the same key-value
pairs will be present but the values will always be the empty
string.
</p>
</column>
<column name="statistics" key="file_systems">
<p>
A space-separated list of information on local, writable file
systems. Each item in the list describes one file system and
consists in turn of a comma-separated list of the following:
</p>
<ol>
<li>Mount point, e.g. <code>/</code> or <code>/var/log</code>.
Any spaces or commas in the mount point are replaced by
underscores.</li>
<li>Total size, in kilobytes, as an integer.</li>
<li>Amount of storage in use, in kilobytes, as an integer.</li>
</ol>
<p>
This key-value pair is omitted if there are no local, writable
file systems or if Open vSwitch cannot obtain the needed
information.
</p>
</column>
</group>
</group>
<group title="Version Reporting">
<p>
These columns report the types and versions of the hardware and
software running Open vSwitch. We recommend in general that software
should test whether specific features are supported instead of relying
on version number checks. These values are primarily intended for
reporting to human administrators.
</p>
<column name="ovs_version">
The Open vSwitch version number, e.g. <code>1.1.0</code>.
</column>
<column name="db_version">
<p>
The database schema version number in the form
<code><var>major</var>.<var>minor</var>.<var>tweak</var></code>,
e.g. <code>1.2.3</code>. Whenever the database schema is changed in
a non-backward compatible way (e.g. deleting a column or a table),
<var>major</var> is incremented. When the database schema is changed
in a backward compatible way (e.g. adding a new column),
<var>minor</var> is incremented. When the database schema is changed
cosmetically (e.g. reindenting its syntax), <var>tweak</var> is
incremented.
</p>
<p>
The schema version is part of the database schema, so it can also be
retrieved by fetching the schema using the Open vSwitch database
protocol.
</p>
</column>
<column name="system_type">
<p>
An identifier for the type of system on top of which Open vSwitch
runs, e.g. <code>XenServer</code> or <code>KVM</code>.
</p>
<p>
System integrators are responsible for choosing and setting an
appropriate value for this column.
</p>
</column>
<column name="system_version">
<p>
The version of the system identified by <ref column="system_type"/>,
e.g. <code>5.6.100-39265p</code> on XenServer 5.6.100 build 39265.
</p>
<p>
System integrators are responsible for choosing and setting an
appropriate value for this column.
</p>
</column>
</group>
<group title="Capabilities">
<p>
These columns report capabilities of the Open vSwitch instance.
</p>
<column name="datapath_types">
<p>
This column reports the different dpifs registered with the system.
These are the values that this instance supports in the <ref
column="datapath_type" table="Bridge"/> column of the <ref
table="Bridge"/> table.
</p>
</column>
<column name="iface_types">
<p>
This column reports the different netdevs registered with the system.
These are the values that this instance supports in the <ref
column="type" table="Interface"/> column of the <ref
table="Interface"/> table.
</p>
</column>
</group>
<group title="Database Configuration">
<p>
These columns primarily configure the Open vSwitch database
(<code>ovsdb-server</code>), not the Open vSwitch switch
(<code>ovs-vswitchd</code>). The OVSDB database also uses the <ref
column="ssl"/> settings.
</p>
<p>
The Open vSwitch switch does read the database configuration to
determine remote IP addresses to which in-band control should apply.
</p>
<column name="manager_options">
Database clients to which the Open vSwitch database server should
connect or to which it should listen, along with options for how these
connection should be configured. See the <ref table="Manager"/> table
for more information.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Bridge">
<p>
Configuration for a bridge within an
<ref table="Open_vSwitch"/>.
</p>
<p>
A <ref table="Bridge"/> record represents an Ethernet switch with one or
more ``ports,'' which are the <ref table="Port"/> records pointed to by
the <ref table="Bridge"/>'s <ref column="ports"/> column.
</p>
<group title="Core Features">
<column name="name">
Bridge identifier. Should be alphanumeric and no more than about 8
bytes long. Must be unique among the names of ports, interfaces, and
bridges on a host.
</column>
<column name="ports">
Ports included in the bridge.
</column>
<column name="mirrors">
Port mirroring configuration.
</column>
<column name="netflow">
NetFlow configuration.
</column>
<column name="sflow">
sFlow(R) configuration.
</column>
<column name="ipfix">
IPFIX configuration.
</column>
<column name="flood_vlans">
<p>
VLAN IDs of VLANs on which MAC address learning should be disabled,
so that packets are flooded instead of being sent to specific ports
that are believed to contain packets' destination MACs. This should
ordinarily be used to disable MAC learning on VLANs used for
mirroring (RSPAN VLANs). It may also be useful for debugging.
</p>
<p>
SLB bonding (see the <ref table="Port" column="bond_mode"/> column in
the <ref table="Port"/> table) is incompatible with
<code>flood_vlans</code>. Consider using another bonding mode or
a different type of mirror instead.
</p>
</column>
<column name="auto_attach">
Auto Attach configuration.
</column>
</group>
<group title="OpenFlow Configuration">
<column name="controller">
<p>
OpenFlow controller set. If unset, then no OpenFlow controllers
will be used.
</p>
<p>
If there are primary controllers, removing all of them clears the
flow table. If there are no primary controllers, adding one also
clears the flow table. Other changes to the set of controllers, such
as adding or removing a service controller, adding another primary
controller to supplement an existing primary controller, or removing
only one of two primary controllers, have no effect on the flow
table.
</p>
</column>
<column name="flow_tables">
Configuration for OpenFlow tables. Each pair maps from an OpenFlow
table ID to configuration for that table.
</column>
<column name="fail_mode">
<p>When a controller is configured, it is, ordinarily, responsible
for setting up all flows on the switch. Thus, if the connection to
the controller fails, no new network connections can be set up.
If the connection to the controller stays down long enough,
no packets can pass through the switch at all. This setting
determines the switch's response to such a situation. It may be set
to one of the following:
<dl>
<dt><code>standalone</code></dt>
<dd>If no message is received from the controller for three
times the inactivity probe interval
(see <ref column="inactivity_probe"/>), then Open vSwitch
will take over responsibility for setting up flows. In
this mode, Open vSwitch causes the bridge to act like an
ordinary MAC-learning switch. Open vSwitch will continue
to retry connecting to the controller in the background
and, when the connection succeeds, it will discontinue its
standalone behavior.</dd>
<dt><code>secure</code></dt>
<dd>Open vSwitch will not set up flows on its own when the
controller connection fails or when no controllers are
defined. The bridge will continue to retry connecting to
any defined controllers forever.</dd>
</dl>
</p>
<p>
The default is <code>standalone</code> if the value is unset, but
future versions of Open vSwitch may change the default.
</p>
<p>
The <code>standalone</code> mode can create forwarding loops on a
bridge that has more than one uplink port unless STP is enabled. To
avoid loops on such a bridge, configure <code>secure</code> mode or
enable STP (see <ref column="stp_enable"/>).
</p>
<p>When more than one controller is configured,
<ref column="fail_mode"/> is considered only when none of the
configured controllers can be contacted.</p>
<p>
Changing <ref column="fail_mode"/> when no primary controllers are
configured clears the flow table.
</p>
</column>
<column name="datapath_id">
Reports the OpenFlow datapath ID in use. Exactly 16 hex digits.
(Setting this column has no useful effect. Set <ref
column="other-config" key="datapath-id"/> instead.)
</column>
<column name="datapath_version">
<p>
Reports the version number of the Open vSwitch datapath in use.
This allows management software to detect and report discrepancies
between Open vSwitch userspace and datapath versions. (The <ref
column="ovs_version" table="Open_vSwitch"/> column in the <ref
table="Open_vSwitch"/> reports the Open vSwitch userspace version.)
The version reported depends on the datapath in use:
</p>
<ul>
<li>
When the kernel module included in the Open vSwitch source tree is
used, this column reports the Open vSwitch version from which the
module was taken.
</li>
<li>
When the kernel module that is part of the upstream Linux kernel is
used, this column reports <code>&lt;unknown&gt;</code>.
</li>
<li>
When the datapath is built into the <code>ovs-vswitchd</code>
binary, this column reports <code>&lt;built-in&gt;</code>. A
built-in datapath is by definition the same version as the rest of
the Open VSwitch userspace.
</li>
<li>
Other datapaths (such as the Hyper-V kernel datapath) currently
report <code>&lt;unknown&gt;</code>.
</li>
</ul>
<p>
A version discrepancy between <code>ovs-vswitchd</code> and the
datapath in use is not normally cause for alarm. The Open vSwitch
kernel datapaths for Linux and Hyper-V, in particular, are designed
for maximum inter-version compatibility: any userspace version works
with with any kernel version. Some reasons do exist to insist on
particular user/kernel pairings. First, newer kernel versions add
new features, that can only be used by new-enough userspace, e.g.
VXLAN tunneling requires certain minimal userspace and kernel
versions. Second, as an extension to the first reason, some newer
kernel versions add new features for enhancing performance that only
new-enough userspace versions can take advantage of.
</p>
</column>
<column name="other_config" key="datapath-id">
Exactly 16 hex digits to set the OpenFlow datapath ID to a specific
value. May not be all-zero.
</column>
<column name="other_config" key="dp-desc">
Human readable description of datapath. It it a maximum 256
byte-long free-form string to describe the datapath for
debugging purposes, e.g. <code>switch3 in room 3120</code>.
</column>
<column name="other_config" key="disable-in-band"
type='{"type": "boolean"}'>
If set to <code>true</code>, disable in-band control on the bridge
regardless of controller and manager settings.
</column>
<column name="other_config" key="in-band-queue"
type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
A queue ID as a nonnegative integer. This sets the OpenFlow queue ID
that will be used by flows set up by in-band control on this bridge.
If unset, or if the port used by an in-band control flow does not have
QoS configured, or if the port does not have a queue with the specified
ID, the default queue is used instead.
</column>
<column name="protocols">
<p>
List of OpenFlow protocols that may be used when negotiating
a connection with a controller. OpenFlow 1.0, 1.1, 1.2, and
1.3 are enabled by default if this column is empty.
</p>
<p>
OpenFlow 1.4 is not enabled by default because its implementation is
missing features.
</p>
<p>
OpenFlow 1.5 has the same risks as OpenFlow 1.4, but it is even more
experimental because the OpenFlow 1.5 specification is still under
development and thus subject to change. Pass
<code>--enable-of15</code> to <code>ovs-vswitchd</code> to allow
OpenFlow 1.5 to be enabled.
</p>
</column>
</group>
<group title="Spanning Tree Configuration">
<p>
The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol
that ensures loop-free topologies. It allows redundant links to
be included in the network to provide automatic backup paths if
the active links fails.
</p>
<p>
These settings configure the slower-to-converge but still widely
supported version of Spanning Tree Protocol, sometimes known as
802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree
Protocol (RSTP), documented later in the section titled <code>Rapid
Spanning Tree Configuration</code>.
</p>
<group title="STP Configuration">
<column name="stp_enable" type='{"type": "boolean"}'>
<p>
Enable spanning tree on the bridge. By default, STP is disabled
on bridges. Bond, internal, and mirror ports are not supported
and will not participate in the spanning tree.
</p>
<p>
STP and RSTP are mutually exclusive. If both are enabled, RSTP
will be used.
</p>
</column>
<column name="other_config" key="stp-system-id">
The bridge's STP identifier (the lower 48 bits of the bridge-id)
in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
By default, the identifier is the MAC address of the bridge.
</column>
<column name="other_config" key="stp-priority"
type='{"type": "integer", "minInteger": 0, "maxInteger": 65535}'>
The bridge's relative priority value for determining the root
bridge (the upper 16 bits of the bridge-id). A bridge with the
lowest bridge-id is elected the root. By default, the priority
is 0x8000.
</column>
<column name="other_config" key="stp-hello-time"
type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
The interval between transmissions of hello messages by
designated ports, in seconds. By default the hello interval is
2 seconds.
</column>
<column name="other_config" key="stp-max-age"
type='{"type": "integer", "minInteger": 6, "maxInteger": 40}'>
The maximum age of the information transmitted by the bridge
when it is the root bridge, in seconds. By default, the maximum
age is 20 seconds.
</column>
<column name="other_config" key="stp-forward-delay"
type='{"type": "integer", "minInteger": 4, "maxInteger": 30}'>
The delay to wait between transitioning root and designated
ports to <code>forwarding</code>, in seconds. By default, the
forwarding delay is 15 seconds.
</column>
<column name="other_config" key="mcast-snooping-aging-time"
type='{"type": "integer", "minInteger": 1}'>
<p>
The maximum number of seconds to retain a multicast snooping entry for
which no packets have been seen. The default is currently 300
seconds (5 minutes). The value, if specified, is forced into a
reasonable range, currently 15 to 3600 seconds.
</p>
</column>
<column name="other_config" key="mcast-snooping-table-size"
type='{"type": "integer", "minInteger": 1}'>
<p>
The maximum number of multicast snooping addresses to learn. The
default is currently 2048. The value, if specified, is forced into
a reasonable range, currently 10 to 1,000,000.
</p>
</column>
<column name="other_config" key="mcast-snooping-disable-flood-unregistered"
type='{"type": "boolean"}'>
<p>
If set to <code>false</code>, unregistered multicast packets are forwarded
to all ports.
If set to <code>true</code>, unregistered multicast packets are forwarded
to ports connected to multicast routers.
</p>
</column>
</group>
<group title="STP Status">
<p>
These key-value pairs report the status of 802.1D-1998. They are
present only if STP is enabled (via the <ref column="stp_enable"/>
column).
</p>
<column name="status" key="stp_bridge_id">
The bridge ID used in spanning tree advertisements, in the form
<var>xxxx</var>.<var>yyyyyyyyyyyy</var> where the <var>x</var>s are
the STP priority, the <var>y</var>s are the STP system ID, and each
<var>x</var> and <var>y</var> is a hex digit.
</column>
<column name="status" key="stp_designated_root">
The designated root for this spanning tree, in the same form as <ref
column="status" key="stp_bridge_id"/>. If this bridge is the root,
this will have the same value as <ref column="status"
key="stp_bridge_id"/>, otherwise it will differ.
</column>
<column name="status" key="stp_root_path_cost">
The path cost of reaching the designated bridge. A lower number is
better. The value is 0 if this bridge is the root, otherwise it is
higher.
</column>
</group>
</group>
<group title="Rapid Spanning Tree">
<p>
Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
that ensures loop-free topologies. RSTP superseded STP with the
publication of 802.1D-2004. Compared to STP, RSTP converges more
quickly and recovers more quickly from failures.
</p>
<group title="RSTP Configuration">
<column name="rstp_enable" type='{"type": "boolean"}'>
<p>
Enable Rapid Spanning Tree on the bridge. By default, RSTP is disabled
on bridges. Bond, internal, and mirror ports are not supported
and will not participate in the spanning tree.
</p>
<p>
STP and RSTP are mutually exclusive. If both are enabled, RSTP
will be used.
</p>
</column>
<column name="other_config" key="rstp-address">
The bridge's RSTP address (the lower 48 bits of the bridge-id)
in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
By default, the address is the MAC address of the bridge.
</column>
<column name="other_config" key="rstp-priority"
type='{"type": "integer", "minInteger": 0, "maxInteger": 61440}'>
The bridge's relative priority value for determining the root
bridge (the upper 16 bits of the bridge-id). A bridge with the
lowest bridge-id is elected the root. By default, the priority
is 0x8000 (32768). This value needs to be a multiple of 4096,
otherwise it's rounded to the nearest inferior one.
</column>
<column name="other_config" key="rstp-ageing-time"
type='{"type": "integer", "minInteger": 10, "maxInteger": 1000000}'>
The Ageing Time parameter for the Bridge. The default value
is 300 seconds.
</column>
<column name="other_config" key="rstp-force-protocol-version"
type='{"type": "integer"}'>
The Force Protocol Version parameter for the Bridge. This
can take the value 0 (STP Compatibility mode) or 2
(the default, normal operation).
</column>
<column name="other_config" key="rstp-max-age"
type='{"type": "integer", "minInteger": 6, "maxInteger": 40}'>
The maximum age of the information transmitted by the Bridge
when it is the Root Bridge. The default value is 20.
</column>
<column name="other_config" key="rstp-forward-delay"
type='{"type": "integer", "minInteger": 4, "maxInteger": 30}'>
The delay used by STP Bridges to transition Root and Designated
Ports to Forwarding. The default value is 15.
</column>
<column name="other_config" key="rstp-transmit-hold-count"
type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
The Transmit Hold Count used by the Port Transmit state machine
to limit transmission rate. The default value is 6.
</column>
</group>
<group title="RSTP Status">
<p>
These key-value pairs report the status of 802.1D-2004. They are
present only if RSTP is enabled (via the <ref column="rstp_enable"/>
column).
</p>
<column name="rstp_status" key="rstp_bridge_id">
The bridge ID used in rapid spanning tree advertisements, in the form
<var>x</var>.<var>yyy</var>.<var>zzzzzzzzzzzz</var> where
<var>x</var> is the RSTP priority, the <var>y</var>s are a locally
assigned system ID extension, the <var>z</var>s are the STP system
ID, and each <var>x</var>, <var>y</var>, or <var>z</var> is a hex
digit.
</column>
<column name="rstp_status" key="rstp_root_id">
The root of this spanning tree, in the same form as <ref
column="rstp_status" key="rstp_bridge_id"/>. If this bridge is the
root, this will have the same value as <ref column="rstp_status"
key="rstp_bridge_id"/>, otherwise it will differ.
</column>
<column name="rstp_status" key="rstp_root_path_cost"
type='{"type": "integer", "minInteger": 0}'>
The path cost of reaching the root. A lower number is better. The
value is 0 if this bridge is the root, otherwise it is higher.
</column>
<column name="rstp_status" key="rstp_designated_id">
The RSTP designated ID, in the same form as <ref column="rstp_status"
key="rstp_bridge_id"/>.
</column>
<column name="rstp_status" key="rstp_designated_port_id">
The RSTP designated port ID, as a 4-digit hex number.
</column>
<column name="rstp_status" key="rstp_bridge_port_id">
The RSTP bridge port ID, as a 4-digit hex number.
</column>
</group>
</group>
<group title="Multicast Snooping Configuration">
Multicast snooping (RFC 4541) monitors the Internet Group Management
Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
and multicast routers. The switch uses what IGMP and MLD snooping
learns to forward multicast traffic only to interfaces that are connected
to interested receivers. Currently it supports IGMPv1, IGMPv2, IGMPv3,
MLDv1 and MLDv2 protocols.
<column name="mcast_snooping_enable">
Enable multicast snooping on the bridge. For now, the default
is disabled.
</column>
</group>
<group title="Other Features">
<column name="datapath_type">
Name of datapath provider. The kernel datapath has type
<code>system</code>. The userspace datapath has type
<code>netdev</code>. A manager may refer to the <ref
table="Open_vSwitch" column="datapath_types"/> column of the <ref
table="Open_vSwitch"/> table for a list of the types accepted by this
Open vSwitch instance.
</column>
<column name="external_ids" key="bridge-id">
A unique identifier of the bridge. On Citrix XenServer this will
commonly be the same as
<ref column="external_ids" key="xs-network-uuids"/>.
</column>
<column name="external_ids" key="xs-network-uuids">
Semicolon-delimited set of universally unique identifier(s) for the
network with which this bridge is associated on a Citrix XenServer
host. The network identifiers are RFC 4122 UUIDs as displayed by,
e.g., <code>xe network-list</code>.
</column>
<column name="other_config" key="hwaddr">
An Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the hardware address of the local port and influence the
datapath ID.
</column>
<column name="other_config" key="forward-bpdu"
type='{"type": "boolean"}'>
<p>
Controls forwarding of BPDUs and other network control frames when
NORMAL action is invoked. When this option is <code>false</code> or
unset, frames with reserved Ethernet addresses (see table below) will
not be forwarded. When this option is <code>true</code>, such frames
will not be treated specially.
</p>
<p>
The above general rule has the following exceptions:
</p>
<ul>
<li>
If STP is enabled on the bridge (see the <ref column="stp_enable"
table="Bridge"/> column in the <ref table="Bridge"/> table), the
bridge processes all received STP packets and never passes them to
OpenFlow or forwards them. This is true even if STP is disabled on
an individual port.
</li>
<li>
If LLDP is enabled on an interface (see the <ref column="lldp"
table="Interface"/> column in the <ref table="Interface"/> table),
the interface processes received LLDP packets and never passes them
to OpenFlow or forwards them.
</li>
</ul>
<p>
Set this option to <code>true</code> if the Open vSwitch bridge
connects different Ethernet networks and is not configured to
participate in STP.
</p>
<p>
This option affects packets with the following destination MAC
addresses:
</p>
<dl>
<dt><code>01:80:c2:00:00:00</code></dt>
<dd>IEEE 802.1D Spanning Tree Protocol (STP).</dd>
<dt><code>01:80:c2:00:00:01</code></dt>
<dd>IEEE Pause frame.</dd>
<dt><code>01:80:c2:00:00:0<var>x</var></code></dt>
<dd>Other reserved protocols.</dd>
<dt><code>00:e0:2b:00:00:00</code></dt>
<dd>Extreme Discovery Protocol (EDP).</dd>
<dt>
<code>00:e0:2b:00:00:04</code> and <code>00:e0:2b:00:00:06</code>
</dt>
<dd>Ethernet Automatic Protection Switching (EAPS).</dd>
<dt><code>01:00:0c:cc:cc:cc</code></dt>
<dd>
Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP),
Dynamic Trunking Protocol (DTP), Port Aggregation Protocol (PAgP),
and others.
</dd>
<dt><code>01:00:0c:cc:cc:cd</code></dt>
<dd>Cisco Shared Spanning Tree Protocol PVSTP+.</dd>
<dt><code>01:00:0c:cd:cd:cd</code></dt>
<dd>Cisco STP Uplink Fast.</dd>
<dt><code>01:00:0c:00:00:00</code></dt>
<dd>Cisco Inter Switch Link.</dd>
<dt><code>01:00:0c:cc:cc:c<var>x</var></code></dt>
<dd>Cisco CFM.</dd>
</dl>
</column>
<column name="other_config" key="mac-aging-time"
type='{"type": "integer", "minInteger": 1}'>
<p>
The maximum number of seconds to retain a MAC learning entry for
which no packets have been seen. The default is currently 300
seconds (5 minutes). The value, if specified, is forced into a
reasonable range, currently 15 to 3600 seconds.
</p>
<p>
A short MAC aging time allows a network to more quickly detect that a
host is no longer connected to a switch port. However, it also makes
it more likely that packets will be flooded unnecessarily, when they
are addressed to a connected host that rarely transmits packets. To
reduce the incidence of unnecessary flooding, use a MAC aging time
longer than the maximum interval at which a host will ordinarily
transmit packets.
</p>
</column>
<column name="other_config" key="mac-table-size"
type='{"type": "integer", "minInteger": 1}'>
<p>
The maximum number of MAC addresses to learn. The default is
currently 2048. The value, if specified, is forced into a reasonable
range, currently 10 to 1,000,000.
</p>
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Port" table="Port or bond configuration.">
<p>A port within a <ref table="Bridge"/>.</p>
<p>Most commonly, a port has exactly one ``interface,'' pointed to by its
<ref column="interfaces"/> column. Such a port logically
corresponds to a port on a physical Ethernet switch. A port
with more than one interface is a ``bonded port'' (see
<ref group="Bonding Configuration"/>).</p>
<p>Some properties that one might think as belonging to a port are actually
part of the port's <ref table="Interface"/> members.</p>
<column name="name">
Port name. Should be alphanumeric and no more than about 8
bytes long. May be the same as the interface name, for
non-bonded ports. Must otherwise be unique among the names of
ports, interfaces, and bridges on a host.
</column>
<column name="interfaces">
The port's interfaces. If there is more than one, this is a
bonded Port.
</column>
<group title="VLAN Configuration">
<p>Bridge ports support the following types of VLAN configuration:</p>
<dl>
<dt>trunk</dt>
<dd>
<p>
A trunk port carries packets on one or more specified VLANs
specified in the <ref column="trunks"/> column (often, on every
VLAN). A packet that ingresses on a trunk port is in the VLAN
specified in its 802.1Q header, or VLAN 0 if the packet has no
802.1Q header. A packet that egresses through a trunk port will
have an 802.1Q header if it has a nonzero VLAN ID.
</p>
<p>
Any packet that ingresses on a trunk port tagged with a VLAN that
the port does not trunk is dropped.
</p>
</dd>
<dt>access</dt>
<dd>
<p>
An access port carries packets on exactly one VLAN specified in the
<ref column="tag"/> column. Packets egressing on an access port
have no 802.1Q header.
</p>
<p>
Any packet with an 802.1Q header with a nonzero VLAN ID that
ingresses on an access port is dropped, regardless of whether the
VLAN ID in the header is the access port's VLAN ID.
</p>
</dd>
<dt>native-tagged</dt>
<dd>
A native-tagged port resembles a trunk port, with the exception that
a packet without an 802.1Q header that ingresses on a native-tagged
port is in the ``native VLAN'' (specified in the <ref column="tag"/>
column).
</dd>
<dt>native-untagged</dt>
<dd>
A native-untagged port resembles a native-tagged port, with the
exception that a packet that egresses on a native-untagged port in
the native VLAN will not have an 802.1Q header.
</dd>
</dl>
<p>
A packet will only egress through bridge ports that carry the VLAN of
the packet, as described by the rules above.
</p>
<column name="vlan_mode">
<p>
The VLAN mode of the port, as described above. When this column is
empty, a default mode is selected as follows:
</p>
<ul>
<li>
If <ref column="tag"/> contains a value, the port is an access
port. The <ref column="trunks"/> column should be empty.
</li>
<li>
Otherwise, the port is a trunk port. The <ref column="trunks"/>
column value is honored if it is present.
</li>
</ul>
</column>
<column name="tag">
<p>
For an access port, the port's implicitly tagged VLAN. For a
native-tagged or native-untagged port, the port's native VLAN. Must
be empty if this is a trunk port.
</p>
</column>
<column name="trunks">
<p>
For a trunk, native-tagged, or native-untagged port, the 802.1Q VLAN
or VLANs that this port trunks; if it is empty, then the port trunks
all VLANs. Must be empty if this is an access port.
</p>
<p>
A native-tagged or native-untagged port always trunks its native
VLAN, regardless of whether <ref column="trunks"/> includes that
VLAN.
</p>
</column>
<column name="other_config" key="priority-tags"
type='{"type": "boolean"}'>
<p>
An 802.1Q header contains two important pieces of information: a VLAN
ID and a priority. A frame with a zero VLAN ID, called a
``priority-tagged'' frame, is supposed to be treated the same way as
a frame without an 802.1Q header at all (except for the priority).
</p>
<p>
However, some network elements ignore any frame that has 802.1Q
header at all, even when the VLAN ID is zero. Therefore, by default
Open vSwitch does not output priority-tagged frames, instead omitting
the 802.1Q header entirely if the VLAN ID is zero. Set this key to
<code>true</code> to enable priority-tagged frames on a port.
</p>
<p>
Regardless of this setting, Open vSwitch omits the 802.1Q header on
output if both the VLAN ID and priority would be zero.
</p>
<p>
All frames output to native-tagged ports have a nonzero VLAN ID, so
this setting is not meaningful on native-tagged ports.
</p>
</column>
</group>
<group title="Bonding Configuration">
<p>A port that has more than one interface is a ``bonded port.'' Bonding
allows for load balancing and fail-over.</p>
<p>
The following types of bonding will work with any kind of upstream
switch. On the upstream switch, do not configure the interfaces as a
bond:
</p>
<dl>
<dt><code>balance-slb</code></dt>
<dd>
Balances flows among slaves based on source MAC address and output
VLAN, with periodic rebalancing as traffic patterns change.
</dd>
<dt><code>active-backup</code></dt>
<dd>
Assigns all flows to one slave, failing over to a backup slave when
the active slave is disabled. This is the only bonding mode in which
interfaces may be plugged into different upstream switches.
</dd>
</dl>
<p>
The following modes require the upstream switch to support 802.3ad with
successful LACP negotiation. If LACP negotiation fails and
other-config:lacp-fallback-ab is true, then <code>active-backup</code>
mode is used:
</p>
<dl>
<dt><code>balance-tcp</code></dt>
<dd>
Balances flows among slaves based on L2, L3, and L4 protocol
information such as destination MAC address, IP address, and TCP
port.
</dd>
</dl>
<p>These columns apply only to bonded ports. Their values are
otherwise ignored.</p>
<column name="bond_mode">
<p>The type of bonding used for a bonded port. Defaults to
<code>active-backup</code> if unset.
</p>
</column>
<column name="other_config" key="bond-hash-basis"
type='{"type": "integer"}'>
An integer hashed along with flows when choosing output slaves in load
balanced bonds. When changed, all flows will be assigned different
hash values possibly causing slave selection decisions to change. Does
not affect bonding modes which do not employ load balancing such as
<code>active-backup</code>.
</column>
<group title="Link Failure Detection">
<p>
An important part of link bonding is detecting that links are down so
that they may be disabled. These settings determine how Open vSwitch
detects link failure.
</p>
<column name="other_config" key="bond-detect-mode"
type='{"type": "string", "enum": ["set", ["carrier", "miimon"]]}'>
The means used to detect link failures. Defaults to
<code>carrier</code> which uses each interface's carrier to detect
failures. When set to <code>miimon</code>, will check for failures
by polling each interface's MII.
</column>
<column name="other_config" key="bond-miimon-interval"
type='{"type": "integer"}'>
The interval, in milliseconds, between successive attempts to poll
each interface's MII. Relevant only when <ref column="other_config"
key="bond-detect-mode"/> is <code>miimon</code>.
</column>
<column name="bond_updelay">
<p>
The number of milliseconds for which the link must stay up on an
interface before the interface is considered to be up. Specify
<code>0</code> to enable the interface immediately.
</p>
<p>
This setting is honored only when at least one bonded interface is
already enabled. When no interfaces are enabled, then the first
bond interface to come up is enabled immediately.
</p>
</column>
<column name="bond_downdelay">
The number of milliseconds for which the link must stay down on an
interface before the interface is considered to be down. Specify
<code>0</code> to disable the interface immediately.
</column>
</group>
<group title="LACP Configuration">
<p>
LACP, the Link Aggregation Control Protocol, is an IEEE standard that
allows switches to automatically detect that they are connected by
multiple links and aggregate across those links. These settings
control LACP behavior.
</p>
<column name="lacp">
Configures LACP on this port. LACP allows directly connected
switches to negotiate which links may be bonded. LACP may be enabled
on non-bonded ports for the benefit of any switches they may be
connected to. <code>active</code> ports are allowed to initiate LACP
negotiations. <code>passive</code> ports are allowed to participate
in LACP negotiations initiated by a remote switch, but not allowed to
initiate such negotiations themselves. If LACP is enabled on a port
whose partner switch does not support LACP, the bond will be
disabled, unless other-config:lacp-fallback-ab is set to true.
Defaults to <code>off</code> if unset.
</column>
<column name="other_config" key="lacp-system-id">
The LACP system ID of this <ref table="Port"/>. The system ID of a
LACP bond is used to identify itself to its partners. Must be a
nonzero MAC address. Defaults to the bridge Ethernet address if
unset.
</column>
<column name="other_config" key="lacp-system-priority"
type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
The LACP system priority of this <ref table="Port"/>. In LACP
negotiations, link status decisions are made by the system with the
numerically lower priority.
</column>
<column name="other_config" key="lacp-time"
type='{"type": "string", "enum": ["set", ["fast", "slow"]]}'>
<p>
The LACP timing which should be used on this <ref table="Port"/>.
By default <code>slow</code> is used. When configured to be
<code>fast</code> LACP heartbeats are requested at a rate of once
per second causing connectivity problems to be detected more
quickly. In <code>slow</code> mode, heartbeats are requested at a
rate of once every 30 seconds.
</p>
</column>
<column name="other_config" key="lacp-fallback-ab"
type='{"type": "boolean"}'>
<p>
Determines the behavior of openvswitch bond in LACP mode. If
the partner switch does not support LACP, setting this option
to <code>true</code> allows openvswitch to fallback to
active-backup. If the option is set to <code>false</code>, the
bond will be disabled. In both the cases, once the partner switch
is configured to LACP mode, the bond will use LACP.
</p>
</column>
</group>
<group title="Rebalancing Configuration">
<p>
These settings control behavior when a bond is in
<code>balance-slb</code> or <code>balance-tcp</code> mode.
</p>
<column name="other_config" key="bond-rebalance-interval"
type='{"type": "integer", "minInteger": 0, "maxInteger": 10000}'>
For a load balanced bonded port, the number of milliseconds between
successive attempts to rebalance the bond, that is, to move flows
from one interface on the bond to another in an attempt to keep usage
of each interface roughly equal. If zero, load balancing is disabled
on the bond (link failure still cause flows to move). If
less than 1000ms, the rebalance interval will be 1000ms.
</column>
</group>
<column name="bond_fake_iface">
For a bonded port, whether to create a fake internal interface with the
name of the port. Use only for compatibility with legacy software that
requires this.
</column>
</group>
<group title="Spanning Tree Protocol">
<p>
The configuration here is only meaningful, and the status is only
populated, when 802.1D-1998 Spanning Tree Protocol is enabled on the
port's <ref column="Bridge"/> with its <ref column="stp_enable"/>
column.
</p>
<group title="STP Configuration">
<column name="other_config" key="stp-enable"
type='{"type": "boolean"}'>
When STP is enabled on a bridge, it is enabled by default on all of
the bridge's ports except bond, internal, and mirror ports (which do
not work with STP). If this column's value is <code>false</code>,
STP is disabled on the port.
</column>
<column name="other_config" key="stp-port-num"
type='{"type": "integer", "minInteger": 1, "maxInteger": 255}'>
The port number used for the lower 8 bits of the port-id. By
default, the numbers will be assigned automatically. If any
port's number is manually configured on a bridge, then they
must all be.
</column>
<column name="other_config" key="stp-port-priority"
type='{"type": "integer", "minInteger": 0, "maxInteger": 255}'>
The port's relative priority value for determining the root
port (the upper 8 bits of the port-id). A port with a lower
port-id will be chosen as the root port. By default, the
priority is 0x80.
</column>
<column name="other_config" key="stp-path-cost"
type='{"type": "integer", "minInteger": 0, "maxInteger": 65535}'>
Spanning tree path cost for the port. A lower number indicates
a faster link. By default, the cost is based on the maximum
speed of the link.
</column>
</group>
<group title="STP Status">
<column name="status" key="stp_port_id">
The port ID used in spanning tree advertisements for this port, as 4
hex digits. Configuring the port ID is described in the
<code>stp-port-num</code> and <code>stp-port-priority</code> keys of
the <code>other_config</code> section earlier.
</column>
<column name="status" key="stp_state"
type='{"type": "string", "enum": ["set",
["disabled", "listening", "learning",
"forwarding", "blocking"]]}'>
STP state of the port.
</column>
<column name="status" key="stp_sec_in_state"
type='{"type": "integer", "minInteger": 0}'>
The amount of time this port has been in the current STP state, in
seconds.
</column>
<column name="status" key="stp_role"
type='{"type": "string", "enum": ["set",
["root", "designated", "alternate"]]}'>
STP role of the port.
</column>
</group>
</group>
<group title="Rapid Spanning Tree Protocol">
<p>
The configuration here is only meaningful, and the status and
statistics are only populated, when 802.1D-1998 Spanning Tree Protocol
is enabled on the port's <ref column="Bridge"/> with its <ref
column="stp_enable"/> column.
</p>
<group title="RSTP Configuration">
<column name="other_config" key="rstp-enable"
type='{"type": "boolean"}'>
When RSTP is enabled on a bridge, it is enabled by default on all of
the bridge's ports except bond, internal, and mirror ports (which do
not work with RSTP). If this column's value is <code>false</code>,
RSTP is disabled on the port.
</column>
<column name="other_config" key="rstp-port-priority"
type='{"type": "integer", "minInteger": 0, "maxInteger": 240}'>
The port's relative priority value for determining the root port, in
multiples of 16. By default, the port priority is 0x80 (128). Any
value in the lower 4 bits is rounded off. The significant upper 4
bits become the upper 4 bits of the port-id. A port with the lowest
port-id is elected as the root.
</column>
<column name="other_config" key="rstp-port-num"
type='{"type": "integer", "minInteger": 1, "maxInteger": 4095}'>
The local RSTP port number, used as the lower 12 bits of the port-id.
By default the port numbers are assigned automatically, and typically
may not correspond to the OpenFlow port numbers. A port with the
lowest port-id is elected as the root.
</column>
<column name="other_config" key="rstp-port-path-cost"
type='{"type": "integer"}'>
The port path cost. The Port's contribution, when it is
the Root Port, to the Root Path Cost for the Bridge. By default the
cost is automatically calculated from the port's speed.
</column>
<column name="other_config" key="rstp-port-admin-edge"
type='{"type": "boolean"}'>
The admin edge port parameter for the Port. Default is
<code>false</code>.
</column>
<column name="other_config" key="rstp-port-auto-edge"
type='{"type": "boolean"}'>
The auto edge port parameter for the Port. Default is
<code>true</code>.
</column>
<column name="other_config" key="rstp-port-mcheck"
type='{"type": "boolean"}'>
<p>
The mcheck port parameter for the Port. Default is
<code>false</code>. May be set to force the Port Protocol
Migration state machine to transmit RST BPDUs for a
MigrateTime period, to test whether all STP Bridges on the
attached LAN have been removed and the Port can continue to
transmit RSTP BPDUs. Setting mcheck has no effect if the
Bridge is operating in STP Compatibility mode.
</p>
<p>
Changing the value from <code>true</code> to
<code>false</code> has no effect, but needs to be done if
this behavior is to be triggered again by subsequently
changing the value from <code>false</code> to
<code>true</code>.
</p>
</column>
</group>
<group title="RSTP Status">
<column name="rstp_status" key="rstp_port_id">
The port ID used in spanning tree advertisements for this port, as 4
hex digits. Configuring the port ID is described in the
<code>rstp-port-num</code> and <code>rstp-port-priority</code> keys
of the <code>other_config</code> section earlier.
</column>
<column name="rstp_status" key="rstp_port_role"
type='{"type": "string", "enum": ["set",
["Root", "Designated", "Alternate", "Backup", "Disabled"]]}'>
RSTP role of the port.
</column>
<column name="rstp_status" key="rstp_port_state"
type='{"type": "string", "enum": ["set",
["Disabled", "Learning", "Forwarding", "Discarding"]]}'>
RSTP state of the port.
</column>
<column name="rstp_status" key="rstp_designated_bridge_id">
The port's RSTP designated bridge ID, in the same form as <ref
column="rstp_status" key="rstp_bridge_id"/> in the <ref
table="Bridge"/> table.
</column>
<column name="rstp_status" key="rstp_designated_port_id">
The port's RSTP designated port ID, as 4 hex digits.
</column>
<column name="rstp_status" key="rstp_designated_path_cost"
type='{"type": "integer"}'>
The port's RSTP designated path cost. Lower is better.
</column>
</group>
<group title="RSTP Statistics">
<column name="rstp_statistics" key="rstp_tx_count">
Number of RSTP BPDUs transmitted through this port.
</column>
<column name="rstp_statistics" key="rstp_rx_count">
Number of valid RSTP BPDUs received by this port.
</column>
<column name="rstp_statistics" key="rstp_error_count">
Number of invalid RSTP BPDUs received by this port.
</column>
<column name="rstp_statistics" key="rstp_uptime">
The duration covered by the other RSTP statistics, in seconds.
</column>
</group>
</group>
<group title="Multicast Snooping">
<column name="other_config" key="mcast-snooping-flood"
type='{"type": "boolean"}'>
<p>
If set to <code>true</code>, multicast packets (except Reports) are
unconditionally forwarded to the specific port.
</p>
</column>
<column name="other_config" key="mcast-snooping-flood-reports"
type='{"type": "boolean"}'>
<p>
If set to <code>true</code>, multicast Reports are unconditionally
forwarded to the specific port.
</p>
</column>
</group>
<group title="Other Features">
<column name="qos">
Quality of Service configuration for this port.
</column>
<column name="mac">
The MAC address to use for this port for the purpose of choosing the
bridge's MAC address. This column does not necessarily reflect the
port's actual MAC address, nor will setting it change the port's actual
MAC address.
</column>
<column name="fake_bridge">
Does this port represent a sub-bridge for its tagged VLAN within the
Bridge? See ovs-vsctl(8) for more information.
</column>
<column name="external_ids" key="fake-bridge-id-*">
External IDs for a fake bridge (see the <ref column="fake_bridge"/>
column) are defined by prefixing a <ref table="Bridge"/> <ref
table="Bridge" column="external_ids"/> key with
<code>fake-bridge-</code>,
e.g. <code>fake-bridge-xs-network-uuids</code>.
</column>
<column name="other_config" key="transient"
type='{"type": "boolean"}'>
<p>
If set to <code>true</code>, the port will be removed when
<code>ovs-ctl start --delete-transient-ports</code> is used.
</p>
</column>
</group>
<column name="bond_active_slave">
For a bonded port, record the mac address of the current active slave.
</column>
<group title="Port Statistics">
<p>
Key-value pairs that report port statistics. The update period
is controlled by <ref column="other_config"
key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
</p>
<group title="Statistics: STP transmit and receive counters">
<column name="statistics" key="stp_tx_count">
Number of STP BPDUs sent on this port by the spanning
tree library.
</column>
<column name="statistics" key="stp_rx_count">
Number of STP BPDUs received on this port and accepted by the
spanning tree library.
</column>
<column name="statistics" key="stp_error_count">
Number of bad STP BPDUs received on this port. Bad BPDUs
include runt packets and those with an unexpected protocol ID.
</column>
</group>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Interface" title="One physical network device in a Port.">
An interface within a <ref table="Port"/>.
<group title="Core Features">
<column name="name">
Interface name. Should be alphanumeric and no more than about 8 bytes
long. May be the same as the port name, for non-bonded ports. Must
otherwise be unique among the names of ports, interfaces, and bridges
on a host.
</column>
<column name="ifindex">
A positive interface index as defined for SNMP MIB-II in RFCs 1213 and
2863, if the interface has one, otherwise 0. The ifindex is useful for
seamless integration with protocols such as SNMP and sFlow.
</column>
<column name="mac_in_use">
The MAC address in use by this interface.
</column>
<column name="mac">
<p>Ethernet address to set for this interface. If unset then the
default MAC address is used:</p>
<ul>
<li>For the local interface, the default is the lowest-numbered MAC
address among the other bridge ports, either the value of the
<ref table="Port" column="mac"/> in its <ref table="Port"/> record,
if set, or its actual MAC (for bonded ports, the MAC of its slave
whose name is first in alphabetical order). Internal ports and
bridge ports that are used as port mirroring destinations (see the
<ref table="Mirror"/> table) are ignored.</li>
<li>For other internal interfaces, the default MAC is randomly
generated.</li>
<li>External interfaces typically have a MAC address associated with
their hardware.</li>
</ul>
<p>Some interfaces may not have a software-controllable MAC
address.</p>
</column>
<column name="error">
If the configuration of the port failed, as indicated by -1 in <ref
column="ofport"/>, Open vSwitch sets this column to an error
description in human readable form. Otherwise, Open vSwitch clears
this column.
</column>
<group title="OpenFlow Port Number">
<p>
When a client adds a new interface, Open vSwitch chooses an OpenFlow
port number for the new port. If the client that adds the port fills
in <ref column="ofport_request"/>, then Open vSwitch tries to use its
value as the OpenFlow port number. Otherwise, or if the requested
port number is already in use or cannot be used for another reason,
Open vSwitch automatically assigns a free port number. Regardless of
how the port number was obtained, Open vSwitch then reports in <ref
column="ofport"/> the port number actually assigned.
</p>
<p>
Open vSwitch limits the port numbers that it automatically assigns to
the range 1 through 32,767, inclusive. Controllers therefore have
free use of ports 32,768 and up.
</p>
<column name="ofport">
<p>
OpenFlow port number for this interface. Open vSwitch sets this
column's value, so other clients should treat it as read-only.
</p>
<p>
The OpenFlow ``local'' port (<code>OFPP_LOCAL</code>) is 65,534.
The other valid port numbers are in the range 1 to 65,279,
inclusive. Value -1 indicates an error adding the interface.
</p>
</column>
<column name="ofport_request"
type='{"type": "integer", "minInteger": 1, "maxInteger": 65279}'>
<p>
Requested OpenFlow port number for this interface.
</p>
<p>
A client should ideally set this column's value in the same
database transaction that it uses to create the interface. Open
vSwitch version 2.1 and later will honor a later request for a
specific port number, althuogh it might confuse some controllers:
OpenFlow does not have a way to announce a port number change, so
Open vSwitch represents it over OpenFlow as a port deletion
followed immediately by a port addition.
</p>
<p>
If <ref column="ofport_request"/> is set or changed to some other
port's automatically assigned port number, Open vSwitch chooses a
new port number for the latter port.
</p>
</column>
</group>
</group>
<group title="System-Specific Details">
<column name="type">
<p>
The interface type. The types supported by a particular instance of
Open vSwitch are listed in the <ref table="Open_vSwitch"
column="iface_types"/> column in the <ref table="Open_vSwitch"/>
table. The following types are defined:
</p>
<dl>
<dt><code>system</code></dt>
<dd>An ordinary network device, e.g. <code>eth0</code> on Linux.
Sometimes referred to as ``external interfaces'' since they are
generally connected to hardware external to that on which the Open
vSwitch is running. The empty string is a synonym for
<code>system</code>.</dd>
<dt><code>internal</code></dt>
<dd>A simulated network device that sends and receives traffic. An
internal interface whose <ref column="name"/> is the same as its
bridge's <ref table="Open_vSwitch" column="name"/> is called the
``local interface.'' It does not make sense to bond an internal
interface, so the terms ``port'' and ``interface'' are often used
imprecisely for internal interfaces.</dd>
<dt><code>tap</code></dt>
<dd>A TUN/TAP device managed by Open vSwitch.</dd>
<dt><code>geneve</code></dt>
<dd>
An Ethernet over Geneve (<code>http://tools.ietf.org/html/draft-ietf-nvo3-geneve-00</code>)
IPv4 tunnel.
A description of how to match and set Geneve options can be found
in the <code>ovs-ofctl</code> manual page.
</dd>
<dt><code>gre</code></dt>
<dd>
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4
tunnel.
</dd>
<dt><code>ipsec_gre</code></dt>
<dd>
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4
IPsec tunnel.
</dd>
<dt><code>vxlan</code></dt>
<dd>
<p>
An Ethernet tunnel over the UDP-based VXLAN protocol described in
RFC 7348.
</p>
<p>
Open vSwitch uses UDP destination port 4789. The source port used for
VXLAN traffic varies on a per-flow basis and is in the ephemeral port
range.
</p>
</dd>
<dt><code>lisp</code></dt>
<dd>
<p>
A layer 3 tunnel over the experimental, UDP-based Locator/ID
Separation Protocol (RFC 6830).
</p>
<p>
Only IPv4 and IPv6 packets are supported by the protocol, and
they are sent and received without an Ethernet header. Traffic
to/from LISP ports is expected to be configured explicitly, and
the ports are not intended to participate in learning based
switching. As such, they are always excluded from packet
flooding.
</p>
</dd>
<dt><code>stt</code></dt>
<dd>
The Stateless TCP Tunnel (STT) is particularly useful when tunnel
endpoints are in end-systems, as it utilizes the capabilities of
standard network interface cards to improve performance. STT utilizes
a TCP-like header inside the IP header. It is stateless, i.e., there is
no TCP connection state of any kind associated with the tunnel. The
TCP-like header is used to leverage the capabilities of existing
network interface cards, but should not be interpreted as implying
any sort of connection state between endpoints.
Since the STT protocol does not engage in the usual TCP 3-way handshake,
so it will have difficulty traversing stateful firewalls.
The protocol is documented at
http://www.ietf.org/archive/id/draft-davie-stt-06.txt
All traffic uses a default destination port of 7471. STT is only
available in kernel datapath on kernel 3.5 or newer.
</dd>
<dt><code>patch</code></dt>
<dd>
A pair of virtual devices that act as a patch cable.
</dd>
<dt><code>null</code></dt>
<dd>An ignored interface. Deprecated and slated for removal in
February 2013.</dd>
</dl>
</column>
</group>
<group title="Tunnel Options">
<p>
These options apply to interfaces with <ref column="type"/> of
<code>geneve</code>, <code>gre</code>, <code>ipsec_gre</code>,
<code>vxlan</code>, <code>lisp</code> and <code>stt</code>.
</p>
<p>
Each tunnel must be uniquely identified by the combination of <ref
column="type"/>, <ref column="options" key="remote_ip"/>, <ref
column="options" key="local_ip"/>, and <ref column="options"
key="in_key"/>. If two ports are defined that are the same except one
has an optional identifier and the other does not, the more specific
one is matched first. <ref column="options" key="in_key"/> is
considered more specific than <ref column="options" key="local_ip"/> if
a port defines one and another port defines the other.
</p>
<column name="options" key="remote_ip">
<p>Required. The remote tunnel endpoint, one of:</p>
<ul>
<li>
An IPv4 address (not a DNS name), e.g. <code>192.168.0.123</code>.
Only unicast endpoints are supported.
</li>
<li>
The word <code>flow</code>. The tunnel accepts packets from any
remote tunnel endpoint. To process only packets from a specific
remote tunnel endpoint, the flow entries may match on the
<code>tun_src</code> field. When sending packets to a
<code>remote_ip=flow</code> tunnel, the flow actions must
explicitly set the <code>tun_dst</code> field to the IP address of
the desired remote tunnel endpoint, e.g. with a
<code>set_field</code> action.
</li>
</ul>
<p>
The remote tunnel endpoint for any packet received from a tunnel
is available in the <code>tun_src</code> field for matching in the
flow table.
</p>
</column>
<column name="options" key="local_ip">
<p>
Optional. The tunnel destination IP that received packets must
match. Default is to match all addresses. If specified, may be one
of:
</p>
<ul>
<li>
An IPv4 address (not a DNS name), e.g. <code>192.168.12.3</code>.
</li>
<li>
The word <code>flow</code>. The tunnel accepts packets sent to any
of the local IP addresses of the system running OVS. To process
only packets sent to a specific IP address, the flow entries may
match on the <code>tun_dst</code> field. When sending packets to a
<code>local_ip=flow</code> tunnel, the flow actions may
explicitly set the <code>tun_src</code> field to the desired IP
address, e.g. with a <code>set_field</code> action. However, while
routing the tunneled packet out, the local system may override the
specified address with the local IP address configured for the
outgoing system interface.
<p>
This option is valid only for tunnels also configured with the
<code>remote_ip=flow</code> option.
</p>
</li>
</ul>
<p>
The tunnel destination IP address for any packet received from a
tunnel is available in the <code>tun_dst</code> field for matching in
the flow table.
</p>
</column>
<column name="options" key="in_key">
<p>Optional. The key that received packets must contain, one of:</p>
<ul>
<li>
<code>0</code>. The tunnel receives packets with no key or with a
key of 0. This is equivalent to specifying no <ref column="options"
key="in_key"/> at all.
</li>
<li>
A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE)
or 64-bit (for STT) number. The tunnel receives only
packets with the specified key.
</li>
<li>
The word <code>flow</code>. The tunnel accepts packets with any
key. The key will be placed in the <code>tun_id</code> field for
matching in the flow table. The <code>ovs-ofctl</code> manual page
contains additional information about matching fields in OpenFlow
flows.
</li>
</ul>
<p>
</p>
</column>
<column name="options" key="out_key">
<p>Optional. The key to be set on outgoing packets, one of:</p>
<ul>
<li>
<code>0</code>. Packets sent through the tunnel will have no key.
This is equivalent to specifying no <ref column="options"
key="out_key"/> at all.
</li>
<li>
A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or
64-bit (for STT) number. Packets sent through the tunnel
will have the specified key.
</li>
<li>
The word <code>flow</code>. Packets sent through the tunnel will
have the key set using the <code>set_tunnel</code> Nicira OpenFlow
vendor extension (0 is used in the absence of an action). The
<code>ovs-ofctl</code> manual page contains additional information
about the Nicira OpenFlow vendor extensions.
</li>
</ul>
</column>
<column name="options" key="key">
Optional. Shorthand to set <code>in_key</code> and
<code>out_key</code> at the same time.
</column>
<column name="options" key="tos">
Optional. The value of the ToS bits to be set on the encapsulating
packet. ToS is interpreted as DSCP and ECN bits, ECN part must be
zero. It may also be the word <code>inherit</code>, in which case
the ToS will be copied from the inner packet if it is IPv4 or IPv6
(otherwise it will be 0). The ECN fields are always inherited.
Default is 0.
</column>
<column name="options" key="ttl">
Optional. The TTL to be set on the encapsulating packet. It may also
be the word <code>inherit</code>, in which case the TTL will be copied
from the inner packet if it is IPv4 or IPv6 (otherwise it will be the
system default, typically 64). Default is the system default TTL.
</column>
<column name="options" key="df_default"
type='{"type": "boolean"}'>
Optional. If enabled, the Don't Fragment bit will be set on tunnel
outer headers to allow path MTU discovery. Default is enabled; set
to <code>false</code> to disable.
</column>
<group title="Tunnel Options: vxlan only">
<column name="options" key="exts">
<p>Optional. Comma separated list of optional VXLAN extensions to
enable. The following extensions are supported:</p>
<ul>
<li>
<code>gbp</code>: VXLAN-GBP allows to transport the group policy
context of a packet across the VXLAN tunnel to other network
peers. See the field description of <code>tun_gbp_id</code> and
<code>tun_gbp_flags</code> in ovs-ofctl(8) for additional
information.
(<code>https://tools.ietf.org/html/draft-smith-vxlan-group-policy</code>)
</li>
</ul>
</column>
</group>
<group title="Tunnel Options: gre, ipsec_gre, geneve, and vxlan">
<p>
<code>gre</code>, <code>ipsec_gre</code>, <code>geneve</code>, and
<code>vxlan</code> interfaces support these options.
</p>
<column name="options" key="csum" type='{"type": "boolean"}'>
<p>
Optional. Compute encapsulation header (either GRE or UDP)
checksums on outgoing packets. Default is disabled, set to
<code>true</code> to enable. Checksums present on incoming
packets will be validated regardless of this setting.
</p>
<p>
When using the upstream Linux kernel module, computation of
checksums for <code>geneve</code> and <code>vxlan</code> requires
Linux kernel version 4.0 or higher. <code>gre</code> supports
checksums for all versions of Open vSwitch that support GRE.
The out of tree kernel module distributed as part of OVS
can compute all tunnel checksums on any kernel version that it
is compatible with.
</p>
<p>
This option is supported for <code>ipsec_gre</code>, but not useful
because GRE checksums are weaker than, and redundant with, IPsec
payload authentication.
</p>
</column>
</group>
<group title="Tunnel Options: ipsec_gre only">
<p>
Only <code>ipsec_gre</code> interfaces support these options.
</p>
<column name="options" key="peer_cert">
Required for certificate authentication. A string containing the
peer's certificate in PEM format. Additionally the host's
certificate must be specified with the <code>certificate</code>
option.
</column>
<column name="options" key="certificate">
Required for certificate authentication. The name of a PEM file
containing a certificate that will be presented to the peer during
authentication.
</column>
<column name="options" key="private_key">
Optional for certificate authentication. The name of a PEM file
containing the private key associated with <code>certificate</code>.
If <code>certificate</code> contains the private key, this option may
be omitted.
</column>
<column name="options" key="psk">
Required for pre-shared key authentication. Specifies a pre-shared
key for authentication that must be identical on both sides of the
tunnel.
</column>
</group>
</group>
<group title="Patch Options">
<p>
Only <code>patch</code> interfaces support these options.
</p>
<column name="options" key="peer">
The <ref column="name"/> of the <ref table="Interface"/> for the other
side of the patch. The named <ref table="Interface"/>'s own
<code>peer</code> option must specify this <ref table="Interface"/>'s
name. That is, the two patch interfaces must have reversed <ref
column="name"/> and <code>peer</code> values.
</column>
</group>
<group title="Interface Status">
<p>
Status information about interfaces attached to bridges, updated every
5 seconds. Not all interfaces have all of these properties; virtual
interfaces don't have a link speed, for example. Non-applicable
columns will have empty values.
</p>
<column name="admin_state">
<p>
The administrative state of the physical network link.
</p>
</column>
<column name="link_state">
<p>
The observed state of the physical network link. This is ordinarily
the link's carrier status. If the interface's <ref table="Port"/> is
a bond configured for miimon monitoring, it is instead the network
link's miimon status.
</p>
</column>
<column name="link_resets">
<p>
The number of times Open vSwitch has observed the
<ref column="link_state"/> of this <ref table="Interface"/> change.
</p>
</column>
<column name="link_speed">
<p>
The negotiated speed of the physical network link.
Valid values are positive integers greater than 0.
</p>
</column>
<column name="duplex">
<p>
The duplex mode of the physical network link.
</p>
</column>
<column name="mtu">
<p>
The MTU (maximum transmission unit); i.e. the largest
amount of data that can fit into a single Ethernet frame.
The standard Ethernet MTU is 1500 bytes. Some physical media
and many kinds of virtual interfaces can be configured with
higher MTUs.
</p>
<p>
This column will be empty for an interface that does not
have an MTU as, for example, some kinds of tunnels do not.
</p>
</column>
<column name="lacp_current">
Boolean value indicating LACP status for this interface. If true, this
interface has current LACP information about its LACP partner. This
information may be used to monitor the health of interfaces in a LACP
enabled port. This column will be empty if LACP is not enabled.
</column>
<column name="status">
Key-value pairs that report port status. Supported status values are
<ref column="type"/>-dependent; some interfaces may not have a valid
<ref column="status" key="driver_name"/>, for example.
</column>
<column name="status" key="driver_name">
The name of the device driver controlling the network adapter.
</column>
<column name="status" key="driver_version">
The version string of the device driver controlling the network
adapter.
</column>
<column name="status" key="firmware_version">
The version string of the network adapter's firmware, if available.
</column>
<column name="status" key="source_ip">
The source IP address used for an IPv4 tunnel end-point, such as
<code>gre</code>.
</column>
<column name="status" key="tunnel_egress_iface">
Egress interface for tunnels. Currently only relevant for tunnels
on Linux systems, this column will show the name of the interface
which is responsible for routing traffic destined for the configured
<ref column="options" key="remote_ip"/>. This could be an internal
interface such as a bridge port.
</column>
<column name="status" key="tunnel_egress_iface_carrier"
type='{"type": "string", "enum": ["set", ["down", "up"]]}'>
Whether carrier is detected on <ref column="status"
key="tunnel_egress_iface"/>.
</column>
</group>
<group title="Statistics">
<p>
Key-value pairs that report interface statistics. The current
implementation updates these counters periodically. The update period
is controlled by <ref column="other_config"
key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
Future implementations may update them when an interface is created,
when they are queried (e.g. using an OVSDB <code>select</code>
operation), and just before an interface is deleted due to virtual
interface hot-unplug or VM shutdown, and perhaps at other times, but
not on any regular periodic basis.
</p>
<p>
These are the same statistics reported by OpenFlow in its <code>struct
ofp_port_stats</code> structure. If an interface does not support a
given statistic, then that pair is omitted.
</p>
<group title="Statistics: Successful transmit and receive counters">
<column name="statistics" key="rx_packets">
Number of received packets.
</column>
<column name="statistics" key="rx_bytes">
Number of received bytes.
</column>
<column name="statistics" key="tx_packets">
Number of transmitted packets.
</column>
<column name="statistics" key="tx_bytes">
Number of transmitted bytes.
</column>
</group>
<group title="Statistics: Receive errors">
<column name="statistics" key="rx_dropped">
Number of packets dropped by RX.
</column>
<column name="statistics" key="rx_frame_err">
Number of frame alignment errors.
</column>
<column name="statistics" key="rx_over_err">
Number of packets with RX overrun.
</column>
<column name="statistics" key="rx_crc_err">
Number of CRC errors.
</column>
<column name="statistics" key="rx_errors">
Total number of receive errors, greater than or equal to the sum of
the above.
</column>
</group>
<group title="Statistics: Transmit errors">
<column name="statistics" key="tx_dropped">
Number of packets dropped by TX.
</column>
<column name="statistics" key="collisions">
Number of collisions.
</column>
<column name="statistics" key="tx_errors">
Total number of transmit errors, greater than or equal to the sum of
the above.
</column>
</group>
</group>
<group title="Ingress Policing">
<p>
These settings control ingress policing for packets received on this
interface. On a physical interface, this limits the rate at which
traffic is allowed into the system from the outside; on a virtual
interface (one connected to a virtual machine), this limits the rate at
which the VM is able to transmit.
</p>
<p>
Policing is a simple form of quality-of-service that simply drops
packets received in excess of the configured rate. Due to its
simplicity, policing is usually less accurate and less effective than
egress QoS (which is configured using the <ref table="QoS"/> and <ref
table="Queue"/> tables).
</p>
<p>
Policing is currently implemented only on Linux. The Linux
implementation uses a simple ``token bucket'' approach:
</p>
<ul>
<li>
The size of the bucket corresponds to <ref
column="ingress_policing_burst"/>. Initially the bucket is full.
</li>
<li>
Whenever a packet is received, its size (converted to tokens) is
compared to the number of tokens currently in the bucket. If the
required number of tokens are available, they are removed and the
packet is forwarded. Otherwise, the packet is dropped.
</li>
<li>
Whenever it is not full, the bucket is refilled with tokens at the
rate specified by <ref column="ingress_policing_rate"/>.
</li>
</ul>
<p>
Policing interacts badly with some network protocols, and especially
with fragmented IP packets. Suppose that there is enough network
activity to keep the bucket nearly empty all the time. Then this token
bucket algorithm will forward a single packet every so often, with the
period depending on packet size and on the configured rate. All of the
fragments of an IP packets are normally transmitted back-to-back, as a
group. In such a situation, therefore, only one of these fragments
will be forwarded and the rest will be dropped. IP does not provide
any way for the intended recipient to ask for only the remaining
fragments. In such a case there are two likely possibilities for what
will happen next: either all of the fragments will eventually be
retransmitted (as TCP will do), in which case the same problem will
recur, or the sender will not realize that its packet has been dropped
and data will simply be lost (as some UDP-based protocols will do).
Either way, it is possible that no forward progress will ever occur.
</p>
<column name="ingress_policing_rate">
<p>
Maximum rate for data received on this interface, in kbps. Data
received faster than this rate is dropped. Set to <code>0</code>
(the default) to disable policing.
</p>
</column>
<column name="ingress_policing_burst">
<p>Maximum burst size for data received on this interface, in kb. The
default burst size if set to <code>0</code> is 1000 kb. This value
has no effect if <ref column="ingress_policing_rate"/>
is <code>0</code>.</p>
<p>
Specifying a larger burst size lets the algorithm be more forgiving,
which is important for protocols like TCP that react severely to
dropped packets. The burst size should be at least the size of the
interface's MTU. Specifying a value that is numerically at least as
large as 10% of <ref column="ingress_policing_rate"/> helps TCP come
closer to achieving the full rate.
</p>
</column>
</group>
<group title="Bidirectional Forwarding Detection (BFD)">
<p>
BFD, defined in RFC 5880 and RFC 5881, allows point-to-point
detection of connectivity failures by occasional transmission of
BFD control messages. Open vSwitch implements BFD to serve
as a more popular and standards compliant alternative to CFM.
</p>
<p>
BFD operates by regularly transmitting BFD control messages at a rate
negotiated independently in each direction. Each endpoint specifies
the rate at which it expects to receive control messages, and the rate
at which it is willing to transmit them. Open vSwitch uses a detection
multiplier of three, meaning that an endpoint signals a connectivity
fault if three consecutive BFD control messages fail to arrive. In the
case of a unidirectional connectivity issue, the system not receiving
BFD control messages signals the problem to its peer in the messages it
transmits.
</p>
<p>
The Open vSwitch implementation of BFD aims to comply faithfully
with RFC 5880 requirements. Open vSwitch does not implement the
optional Authentication or ``Echo Mode'' features.
</p>
<group title="BFD Configuration">
<p>
A controller sets up key-value pairs in the <ref column="bfd"/>
column to enable and configure BFD.
</p>
<column name="bfd" key="enable" type='{"type": "boolean"}'>
True to enable BFD on this <ref table="Interface"/>. If not
specified, BFD will not be enabled by default.
</column>
<column name="bfd" key="min_rx"
type='{"type": "integer", "minInteger": 1}'>
The shortest interval, in milliseconds, at which this BFD session
offers to receive BFD control messages. The remote endpoint may
choose to send messages at a slower rate. Defaults to
<code>1000</code>.
</column>
<column name="bfd" key="min_tx"
type='{"type": "integer", "minInteger": 1}'>
The shortest interval, in milliseconds, at which this BFD session is
willing to transmit BFD control messages. Messages will actually be
transmitted at a slower rate if the remote endpoint is not willing to
receive as quickly as specified. Defaults to <code>100</code>.
</column>
<column name="bfd" key="decay_min_rx" type='{"type": "integer"}'>
An alternate receive interval, in milliseconds, that must be greater
than or equal to <ref column="bfd" key="min_rx"/>. The
implementation switches from <ref column="bfd" key="min_rx"/> to <ref
column="bfd" key="decay_min_rx"/> when there is no obvious incoming
data traffic at the interface, to reduce the CPU and bandwidth cost
of monitoring an idle interface. This feature may be disabled by
setting a value of 0. This feature is reset whenever <ref
column="bfd" key="decay_min_rx"/> or <ref column="bfd" key="min_rx"/>
changes.
</column>
<column name="bfd" key="forwarding_if_rx" type='{"type": "boolean"}'>
When <code>true</code>, traffic received on the
<ref table="Interface"/> is used to indicate the capability of packet
I/O. BFD control packets are still transmitted and received. At
least one BFD control packet must be received every 100 * <ref
column="bfd" key="min_rx"/> amount of time. Otherwise, even if
traffic are received, the <ref column="bfd" key="forwarding"/>
will be <code>false</code>.
</column>
<column name="bfd" key="cpath_down" type='{"type": "boolean"}'>
Set to true to notify the remote endpoint that traffic should not be
forwarded to this system for some reason other than a connectivty
failure on the interface being monitored. The typical underlying
reason is ``concatenated path down,'' that is, that connectivity
beyond the local system is down. Defaults to false.
</column>
<column name="bfd" key="check_tnl_key" type='{"type": "boolean"}'>
Set to true to make BFD accept only control messages with a tunnel
key of zero. By default, BFD accepts control messages with any
tunnel key.
</column>
<column name="bfd" key="bfd_local_src_mac">
Set to an Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the MAC used as source for transmitted BFD packets. The
default is the mac address of the BFD enabled interface.
</column>
<column name="bfd" key="bfd_local_dst_mac">
Set to an Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the MAC used as destination for transmitted BFD packets. The
default is <code>00:23:20:00:00:01</code>.
</column>
<column name="bfd" key="bfd_remote_dst_mac">
Set to an Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the MAC used for checking the destination of received BFD packets.
Packets with different destination MAC will not be considered as BFD packets.
If not specified the destination MAC address of received BFD packets
are not checked.
</column>
<column name="bfd" key="bfd_src_ip">
Set to an IPv4 address to set the IP address used as source for
transmitted BFD packets. The default is <code>169.254.1.1</code>.
</column>
<column name="bfd" key="bfd_dst_ip">
Set to an IPv4 address to set the IP address used as destination
for transmitted BFD packets. The default is <code>169.254.1.0</code>.
</column>
</group>
<group title="BFD Status">
<p>
The switch sets key-value pairs in the <ref column="bfd_status"/>
column to report the status of BFD on this interface. When BFD is
not enabled, with <ref column="bfd" key="enable"/>, the switch clears
all key-value pairs from <ref column="bfd_status"/>.
</p>
<column name="bfd_status" key="state"
type='{"type": "string",
"enum": ["set", ["admin_down", "down", "init", "up"]]}'>
Reports the state of the BFD session. The BFD session is fully
healthy and negotiated if <code>UP</code>.
</column>
<column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
Reports whether the BFD session believes this <ref
table="Interface"/> may be used to forward traffic. Typically this
means the local session is signaling <code>UP</code>, and the remote
system isn't signaling a problem such as concatenated path down.
</column>
<column name="bfd_status" key="diagnostic">
A diagnostic code specifying the local system's reason for the
last change in session state. The error messages are defined in
section 4.1 of [RFC 5880].
</column>
<column name="bfd_status" key="remote_state"
type='{"type": "string",
"enum": ["set", ["admin_down", "down", "init", "up"]]}'>
Reports the state of the remote endpoint's BFD session.
</column>
<column name="bfd_status" key="remote_diagnostic">
A diagnostic code specifying the remote system's reason for the
last change in session state. The error messages are defined in
section 4.1 of [RFC 5880].
</column>
<column name="bfd_status" key="flap_count"
type='{"type": "integer", "minInteger": 0}'>
Counts the number of <ref column="bfd_status" key="forwarding" />
flaps since start. A flap is considered as a change of the
<ref column="bfd_status" key="forwarding" /> value.
</column>
</group>
</group>
<group title="Connectivity Fault Management">
<p>
802.1ag Connectivity Fault Management (CFM) allows a group of
Maintenance Points (MPs) called a Maintenance Association (MA) to
detect connectivity problems with each other. MPs within a MA should
have complete and exclusive interconnectivity. This is verified by
occasionally broadcasting Continuity Check Messages (CCMs) at a
configurable transmission interval.
</p>
<p>
According to the 802.1ag specification, each Maintenance Point should
be configured out-of-band with a list of Remote Maintenance Points it
should have connectivity to. Open vSwitch differs from the
specification in this area. It simply assumes the link is faulted if
no Remote Maintenance Points are reachable, and considers it not
faulted otherwise.
</p>
<p>
When operating over tunnels which have no <code>in_key</code>, or an
<code>in_key</code> of <code>flow</code>. CFM will only accept CCMs
with a tunnel key of zero.
</p>
<column name="cfm_mpid">
<p>
A Maintenance Point ID (MPID) uniquely identifies each endpoint
within a Maintenance Association. The MPID is used to identify this
endpoint to other Maintenance Points in the MA. Each end of a link
being monitored should have a different MPID. Must be configured to
enable CFM on this <ref table="Interface"/>.
</p>
<p>
According to the 802.1ag specification, MPIDs can only range between
[1, 8191]. However, extended mode (see <ref column="other_config"
key="cfm_extended"/>) supports eight byte MPIDs.
</p>
</column>
<column name="cfm_flap_count">
Counts the number of cfm fault flapps since boot. A flap is
considered to be a change of the <ref column="cfm_fault"/> value.
</column>
<column name="cfm_fault">
<p>
Indicates a connectivity fault triggered by an inability to receive
heartbeats from any remote endpoint. When a fault is triggered on
<ref table="Interface"/>s participating in bonds, they will be
disabled.
</p>
<p>
Faults can be triggered for several reasons. Most importantly they
are triggered when no CCMs are received for a period of 3.5 times the
transmission interval. Faults are also triggered when any CCMs
indicate that a Remote Maintenance Point is not receiving CCMs but
able to send them. Finally, a fault is triggered if a CCM is
received which indicates unexpected configuration. Notably, this
case arises when a CCM is received which advertises the local MPID.
</p>
</column>
<column name="cfm_fault_status" key="recv">
Indicates a CFM fault was triggered due to a lack of CCMs received on
the <ref table="Interface"/>.
</column>
<column name="cfm_fault_status" key="rdi">
Indicates a CFM fault was triggered due to the reception of a CCM with
the RDI bit flagged. Endpoints set the RDI bit in their CCMs when they
are not receiving CCMs themselves. This typically indicates a
unidirectional connectivity failure.
</column>
<column name="cfm_fault_status" key="maid">
Indicates a CFM fault was triggered due to the reception of a CCM with
a MAID other than the one Open vSwitch uses. CFM broadcasts are tagged
with an identification number in addition to the MPID called the MAID.
Open vSwitch only supports receiving CCM broadcasts tagged with the
MAID it uses internally.
</column>
<column name="cfm_fault_status" key="loopback">
Indicates a CFM fault was triggered due to the reception of a CCM
advertising the same MPID configured in the <ref column="cfm_mpid"/>
column of this <ref table="Interface"/>. This may indicate a loop in
the network.
</column>
<column name="cfm_fault_status" key="overflow">
Indicates a CFM fault was triggered because the CFM module received
CCMs from more remote endpoints than it can keep track of.
</column>
<column name="cfm_fault_status" key="override">
Indicates a CFM fault was manually triggered by an administrator using
an <code>ovs-appctl</code> command.
</column>
<column name="cfm_fault_status" key="interval">
Indicates a CFM fault was triggered due to the reception of a CCM
frame having an invalid interval.
</column>
<column name="cfm_remote_opstate">
<p>When in extended mode, indicates the operational state of the
remote endpoint as either <code>up</code> or <code>down</code>. See
<ref column="other_config" key="cfm_opstate"/>.
</p>
</column>
<column name="cfm_health">
<p>
Indicates the health of the interface as a percentage of CCM frames
received over 21 <ref column="other_config" key="cfm_interval"/>s.
The health of an interface is undefined if it is communicating with
more than one <ref column="cfm_remote_mpids"/>. It reduces if
healthy heartbeats are not received at the expected rate, and
gradually improves as healthy heartbeats are received at the desired
rate. Every 21 <ref column="other_config" key="cfm_interval"/>s, the
health of the interface is refreshed.
</p>
<p>
As mentioned above, the faults can be triggered for several reasons.
The link health will deteriorate even if heartbeats are received but
they are reported to be unhealthy. An unhealthy heartbeat in this
context is a heartbeat for which either some fault is set or is out
of sequence. The interface health can be 100 only on receiving
healthy heartbeats at the desired rate.
</p>
</column>
<column name="cfm_remote_mpids">
When CFM is properly configured, Open vSwitch will occasionally
receive CCM broadcasts. These broadcasts contain the MPID of the
sending Maintenance Point. The list of MPIDs from which this
<ref table="Interface"/> is receiving broadcasts from is regularly
collected and written to this column.
</column>
<column name="other_config" key="cfm_interval"
type='{"type": "integer"}'>
<p>
The interval, in milliseconds, between transmissions of CFM
heartbeats. Three missed heartbeat receptions indicate a
connectivity fault.
</p>
<p>
In standard operation only intervals of 3, 10, 100, 1,000, 10,000,
60,000, or 600,000 ms are supported. Other values will be rounded
down to the nearest value on the list. Extended mode (see <ref
column="other_config" key="cfm_extended"/>) supports any interval up
to 65,535 ms. In either mode, the default is 1000 ms.
</p>
<p>We do not recommend using intervals less than 100 ms.</p>
</column>
<column name="other_config" key="cfm_extended"
type='{"type": "boolean"}'>
When <code>true</code>, the CFM module operates in extended mode. This
causes it to use a nonstandard destination address to avoid conflicting
with compliant implementations which may be running concurrently on the
network. Furthermore, extended mode increases the accuracy of the
<code>cfm_interval</code> configuration parameter by breaking wire
compatibility with 802.1ag compliant implementations. And extended
mode allows eight byte MPIDs. Defaults to <code>false</code>.
</column>
<column name="other_config" key="cfm_demand" type='{"type": "boolean"}'>
<p>
When <code>true</code>, and
<ref column="other_config" key="cfm_extended"/> is true, the CFM
module operates in demand mode. When in demand mode, traffic
received on the <ref table="Interface"/> is used to indicate
liveness. CCMs are still transmitted and received. At least one
CCM must be received every 100 * <ref column="other_config"
key="cfm_interval"/> amount of time. Otherwise, even if traffic
are received, the CFM module will raise the connectivity fault.
</p>
<p>
Demand mode has a couple of caveats:
<ul>
<li>
To ensure that ovs-vswitchd has enough time to pull statistics
from the datapath, the fault detection interval is set to
3.5 * MAX(<ref column="other_config" key="cfm_interval"/>, 500)
ms.
</li>
<li>
To avoid ambiguity, demand mode disables itself when there are
multiple remote maintenance points.
</li>
<li>
If the <ref table="Interface"/> is heavily congested, CCMs
containing the <ref column="other_config" key="cfm_opstate"/>
status may be dropped causing changes in the operational state to
be delayed. Similarly, if CCMs containing the RDI bit are not
received, unidirectional link failures may not be detected.
</li>
</ul>
</p>
</column>
<column name="other_config" key="cfm_opstate"
type='{"type": "string", "enum": ["set", ["down", "up"]]}'>
When <code>down</code>, the CFM module marks all CCMs it generates as
operationally down without triggering a fault. This allows remote
maintenance points to choose not to forward traffic to the
<ref table="Interface"/> on which this CFM module is running.
Currently, in Open vSwitch, the opdown bit of CCMs affects
<ref table="Interface"/>s participating in bonds, and the bundle
OpenFlow action. This setting is ignored when CFM is not in extended
mode. Defaults to <code>up</code>.
</column>
<column name="other_config" key="cfm_ccm_vlan"
type='{"type": "integer", "minInteger": 1, "maxInteger": 4095}'>
When set, the CFM module will apply a VLAN tag to all CCMs it generates
with the given value. May be the string <code>random</code> in which
case each CCM will be tagged with a different randomly generated VLAN.
</column>
<column name="other_config" key="cfm_ccm_pcp"
type='{"type": "integer", "minInteger": 1, "maxInteger": 7}'>
When set, the CFM module will apply a VLAN tag to all CCMs it generates
with the given PCP value, the VLAN ID of the tag is governed by the
value of <ref column="other_config" key="cfm_ccm_vlan"/>. If
<ref column="other_config" key="cfm_ccm_vlan"/> is unset, a VLAN ID of
zero is used.
</column>
</group>
<group title="Bonding Configuration">
<column name="other_config" key="lacp-port-id"
type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
The LACP port ID of this <ref table="Interface"/>. Port IDs are
used in LACP negotiations to identify individual ports
participating in a bond.
</column>
<column name="other_config" key="lacp-port-priority"
type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
The LACP port priority of this <ref table="Interface"/>. In LACP
negotiations <ref table="Interface"/>s with numerically lower
priorities are preferred for aggregation.
</column>
<column name="other_config" key="lacp-aggregation-key"
type='{"type": "integer", "minInteger": 1, "maxInteger": 65535}'>
The LACP aggregation key of this <ref table="Interface"/>. <ref
table="Interface"/>s with different aggregation keys may not be active
within a given <ref table="Port"/> at the same time.
</column>
</group>
<group title="Virtual Machine Identifiers">
<p>
These key-value pairs specifically apply to an interface that
represents a virtual Ethernet interface connected to a virtual
machine. These key-value pairs should not be present for other types
of interfaces. Keys whose names end in <code>-uuid</code> have
values that uniquely identify the entity in question. For a Citrix
XenServer hypervisor, these values are UUIDs in RFC 4122 format.
Other hypervisors may use other formats.
</p>
<column name="external_ids" key="attached-mac">
The MAC address programmed into the ``virtual hardware'' for this
interface, in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>.
For Citrix XenServer, this is the value of the <code>MAC</code> field
in the VIF record for this interface.
</column>
<column name="external_ids" key="iface-id">
A system-unique identifier for the interface. On XenServer, this will
commonly be the same as <ref column="external_ids" key="xs-vif-uuid"/>.
</column>
<column name="external_ids" key="iface-status"
type='{"type": "string",
"enum": ["set", ["active", "inactive"]]}'>
<p>
Hypervisors may sometimes have more than one interface associated
with a given <ref column="external_ids" key="iface-id"/>, only one of
which is actually in use at a given time. For example, in some
circumstances XenServer has both a ``tap'' and a ``vif'' interface
for a single <ref column="external_ids" key="iface-id"/>, but only
uses one of them at a time. A hypervisor that behaves this way must
mark the currently in use interface <code>active</code> and the
others <code>inactive</code>. A hypervisor that never has more than
one interface for a given <ref column="external_ids" key="iface-id"/>
may mark that interface <code>active</code> or omit <ref
column="external_ids" key="iface-status"/> entirely.
</p>
<p>
During VM migration, a given <ref column="external_ids"
key="iface-id"/> might transiently be marked <code>active</code> on
two different hypervisors. That is, <code>active</code> means that
this <ref column="external_ids" key="iface-id"/> is the active
instance within a single hypervisor, not in a broader scope.
There is one exception: some hypervisors support ``migration'' from a
given hypervisor to itself (most often for test purposes). During
such a ``migration,'' two instances of a single <ref
column="external_ids" key="iface-id"/> might both be briefly marked
<code>active</code> on a single hypervisor.
</p>
</column>
<column name="external_ids" key="xs-vif-uuid">
The virtual interface associated with this interface.
</column>
<column name="external_ids" key="xs-network-uuid">
The virtual network to which this interface is attached.
</column>
<column name="external_ids" key="vm-id">
The VM to which this interface belongs. On XenServer, this will be the
same as <ref column="external_ids" key="xs-vm-uuid"/>.
</column>
<column name="external_ids" key="xs-vm-uuid">
The VM to which this interface belongs.
</column>
</group>
<group title="VLAN Splinters">
<p>
The ``VLAN splinters'' feature increases Open vSwitch compatibility
with buggy network drivers in old versions of Linux that do not
properly support VLANs when VLAN devices are not used, at some cost
in memory and performance.
</p>
<p>
When VLAN splinters are enabled on a particular interface, Open vSwitch
creates a VLAN device for each in-use VLAN. For sending traffic tagged
with a VLAN on the interface, it substitutes the VLAN device. Traffic
received on the VLAN device is treated as if it had been received on
the interface on the particular VLAN.
</p>
<p>
VLAN splinters consider a VLAN to be in use if:
</p>
<ul>
<li>
The VLAN is the <ref table="Port" column="tag"/> value in any <ref
table="Port"/> record.
</li>
<li>
The VLAN is listed within the <ref table="Port" column="trunks"/>
column of the <ref table="Port"/> record of an interface on which
VLAN splinters are enabled.
An empty <ref table="Port" column="trunks"/> does not influence the
in-use VLANs: creating 4,096 VLAN devices is impractical because it
will exceed the current 1,024 port per datapath limit.
</li>
<li>
An OpenFlow flow within any bridge matches the VLAN.
</li>
</ul>
<p>
The same set of in-use VLANs applies to every interface on which VLAN
splinters are enabled. That is, the set is not chosen separately for
each interface but selected once as the union of all in-use VLANs based
on the rules above.
</p>
<p>
It does not make sense to enable VLAN splinters on an interface for an
access port, or on an interface that is not a physical port.
</p>
<p>
VLAN splinters are deprecated. When broken device drivers are no
longer in widespread use, we will delete this feature.
</p>
<column name="other_config" key="enable-vlan-splinters"
type='{"type": "boolean"}'>
<p>
Set to <code>true</code> to enable VLAN splinters on this interface.
Defaults to <code>false</code>.
</p>
<p>
VLAN splinters increase kernel and userspace memory overhead, so do
not use them unless they are needed.
</p>
<p>
VLAN splinters do not support 802.1p priority tags. Received
priorities will appear to be 0, regardless of their actual values,
and priorities on transmitted packets will also be cleared to 0.
</p>
</column>
</group>
<group title="Auto Attach Configuration">
<p>
Auto Attach configuration for a particular interface.
</p>
<column name="lldp" key="enable" type='{"type": "boolean"}'>
True to enable LLDP on this <ref table="Interface"/>. If not
specified, LLDP will be disabled by default.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Flow_Table" title="OpenFlow table configuration">
<p>Configuration for a particular OpenFlow table.</p>
<column name="name">
The table's name. Set this column to change the name that controllers
will receive when they request table statistics, e.g. <code>ovs-ofctl
dump-tables</code>. The name does not affect switch behavior.
</column>
<group title="Eviction Policy">
<p>
Open vSwitch supports limiting the number of flows that may be
installed in a flow table, via the <ref column="flow_limit"/> column.
When adding a flow would exceed this limit, by default Open vSwitch
reports an error, but there are two ways to configure Open vSwitch to
instead delete (``evict'') a flow to make room for the new one:
</p>
<ul>
<li>
Set the <ref column="overflow_policy"/> column to <code>evict</code>.
</li>
<li>
Send an OpenFlow 1.4+ ``table mod request'' to enable eviction for
the flow table (e.g. <code>ovs-ofctl -O OpenFlow14 mod-table br0 0
evict</code> to enable eviction on flow table 0 of bridge
<code>br0</code>).
</li>
</ul>
<p>
When a flow must be evicted due to overflow, the flow to evict is
chosen through an approximation of the following algorithm. This
algorithm is used regardless of how eviction was enabled:
</p>
<ol>
<li>
Divide the flows in the table into groups based on the values of the
fields or subfields specified in the <ref column="groups"/> column,
so that all of the flows in a given group have the same values for
those fields. If a flow does not specify a given field, that field's
value is treated as 0. If <ref column="groups"/> is empty, then all
of the flows in the flow table are treated as a single group.
</li>
<li>
Consider the flows in the largest group, that is, the group that
contains the greatest number of flows. If two or more groups all
have the same largest number of flows, consider the flows in all of
those groups.
</li>
<li>
If the flows under consideration have different importance values,
eliminate from consideration any flows except those with the lowest
importance. (``Importance,'' a 16-bit integer value attached to each
flow, was introduced in OpenFlow 1.4. Flows inserted with older
versions of OpenFlow always have an importance of 0.)
</li>
<li>
Among the flows under consideration, choose the flow that expires
soonest for eviction.
</li>
</ol>
<p>
The eviction process only considers flows that have an idle timeout
or a hard timeout. That is, eviction never deletes permanent flows.
(Permanent flows do count against <ref column="flow_limit"/>.)
</p>
<column name="flow_limit">
If set, limits the number of flows that may be added to the table.
Open vSwitch may limit the number of flows in a table for other
reasons, e.g. due to hardware limitations or for resource availability
or performance reasons.
</column>
<column name="overflow_policy">
<p>
Controls the switch's behavior when an OpenFlow flow table
modification request would add flows in excess of <ref
column="flow_limit"/>. The supported values are:
</p>
<dl>
<dt><code>refuse</code></dt>
<dd>
Refuse to add the flow or flows. This is also the default policy
when <ref column="overflow_policy"/> is unset.
</dd>
<dt><code>evict</code></dt>
<dd>
Delete a flow chosen according to the algorithm described above.
</dd>
</dl>
</column>
<column name="groups">
<p>
When <ref column="overflow_policy"/> is <code>evict</code>, this
controls how flows are chosen for eviction when the flow table would
otherwise exceed <ref column="flow_limit"/> flows. Its value is a
set of NXM fields or sub-fields, each of which takes one of the forms
<code><var>field</var>[]</code> or
<code><var>field</var>[<var>start</var>..<var>end</var>]</code>,
e.g. <code>NXM_OF_IN_PORT[]</code>. Please see
<code>nicira-ext.h</code> for a complete list of NXM field names.
</p>
<p>
Open vSwitch ignores any invalid or unknown field specifications.
</p>
<p>
When eviction is not enabled, via <ref column="overflow_policy"/> or
an OpenFlow 1.4+ ``table mod,'' this column has no effect.
</p>
</column>
</group>
<group title="Classifier Optimization">
<column name="prefixes">
<p>
This string set specifies which fields should be used for
address prefix tracking. Prefix tracking allows the
classifier to skip rules with longer than necessary prefixes,
resulting in better wildcarding for datapath flows.
</p>
<p>
Prefix tracking may be beneficial when a flow table contains
matches on IP address fields with different prefix lengths.
For example, when a flow table contains IP address matches on
both full addresses and proper prefixes, the full address
matches will typically cause the datapath flow to un-wildcard
the whole address field (depending on flow entry priorities).
In this case each packet with a different address gets handed
to the userspace for flow processing and generates its own
datapath flow. With prefix tracking enabled for the address
field in question packets with addresses matching shorter
prefixes would generate datapath flows where the irrelevant
address bits are wildcarded, allowing the same datapath flow
to handle all the packets within the prefix in question. In
this case many userspace upcalls can be avoided and the
overall performance can be better.
</p>
<p>
This is a performance optimization only, so packets will
receive the same treatment with or without prefix tracking.
</p>
<p>
The supported fields are: <code>tun_id</code>,
<code>tun_src</code>, <code>tun_dst</code>,
<code>nw_src</code>, <code>nw_dst</code> (or aliases
<code>ip_src</code> and <code>ip_dst</code>),
<code>ipv6_src</code>, and <code>ipv6_dst</code>. (Using this
feature for <code>tun_id</code> would only make sense if the
tunnel IDs have prefix structure similar to IP addresses.)
</p>
<p>
By default, the <code>prefixes=ip_dst,ip_src</code> are used
on each flow table. This instructs the flow classifier to
track the IP destination and source addresses used by the
rules in this specific flow table.
</p>
<p>
The keyword <code>none</code> is recognized as an explicit
override of the default values, causing no prefix fields to be
tracked.
</p>
<p>
To set the prefix fields, the flow table record needs to
exist:
</p>
<dl>
<dt><code>ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0</code></dt>
<dd>
Creates a flow table record for the OpenFlow table number 0.
</dd>
<dt><code>ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src</code></dt>
<dd>
Enables prefix tracking for IP source and destination
address fields.
</dd>
</dl>
<p>
There is a maximum number of fields that can be enabled for any
one flow table. Currently this limit is 3.
</p>
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="QoS" title="Quality of Service configuration">
<p>Quality of Service (QoS) configuration for each Port that
references it.</p>
<column name="type">
<p>The type of QoS to implement. The currently defined types are
listed below:</p>
<dl>
<dt><code>linux-htb</code></dt>
<dd>
Linux ``hierarchy token bucket'' classifier. See tc-htb(8) (also at
<code>http://linux.die.net/man/8/tc-htb</code>) and the HTB manual
(<code>http://luxik.cdi.cz/~devik/qos/htb/manual/userg.htm</code>)
for information on how this classifier works and how to configure it.
</dd>
</dl>
<dl>
<dt><code>linux-hfsc</code></dt>
<dd>
Linux "Hierarchical Fair Service Curve" classifier.
See <code>http://linux-ip.net/articles/hfsc.en/</code> for
information on how this classifier works.
</dd>
</dl>
<dl>
<dt><code>linux-sfq</code></dt>
<dd>
Linux ``Stochastic Fairness Queueing'' classifier. See
<code>tc-sfq</code>(8) (also at
<code>http://linux.die.net/man/8/tc-sfq</code>) for information on
how this classifier works.
</dd>
</dl>
<dl>
<dt><code>linux-codel</code></dt>
<dd>
Linux ``Controlled Delay'' classifier. See <code>tc-codel</code>(8)
(also at
<code>http://man7.org/linux/man-pages/man8/tc-codel.8.html</code>)
for information on how this classifier works.
</dd>
</dl>
<dl>
<dt><code>linux-fq_codel</code></dt>
<dd>
Linux ``Fair Queuing with Controlled Delay'' classifier. See
<code>tc-fq_codel</code>(8) (also at
<code>http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html</code>)
for information on how this classifier works.
</dd>
</dl>
</column>
<column name="queues">
<p>A map from queue numbers to <ref table="Queue"/> records. The
supported range of queue numbers depend on <ref column="type"/>. The
queue numbers are the same as the <code>queue_id</code> used in
OpenFlow in <code>struct ofp_action_enqueue</code> and other
structures.</p>
<p>
Queue 0 is the ``default queue.'' It is used by OpenFlow output
actions when no specific queue has been set. When no configuration for
queue 0 is present, it is automatically configured as if a <ref
table="Queue"/> record with empty <ref table="Queue" column="dscp"/>
and <ref table="Queue" column="other_config"/> columns had been
specified.
(Before version 1.6, Open vSwitch would leave queue 0 unconfigured in
this case. With some queuing disciplines, this dropped all packets
destined for the default queue.)
</p>
</column>
<group title="Configuration for linux-htb and linux-hfsc">
<p>
The <code>linux-htb</code> and <code>linux-hfsc</code> classes support
the following key-value pair:
</p>
<column name="other_config" key="max-rate" type='{"type": "integer"}'>
Maximum rate shared by all queued traffic, in bit/s. Optional. If not
specified, for physical interfaces, the default is the link rate. For
other interfaces or if the link rate cannot be determined, the default
is currently 100 Mbps.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Queue" title="QoS output queue.">
<p>A configuration for a port output queue, used in configuring Quality of
Service (QoS) features. May be referenced by <ref column="queues"
table="QoS"/> column in <ref table="QoS"/> table.</p>
<column name="dscp">
If set, Open vSwitch will mark all traffic egressing this
<ref table="Queue"/> with the given DSCP bits. Traffic egressing the
default <ref table="Queue"/> is only marked if it was explicitly selected
as the <ref table="Queue"/> at the time the packet was output. If unset,
the DSCP bits of traffic egressing this <ref table="Queue"/> will remain
unchanged.
</column>
<group title="Configuration for linux-htb QoS">
<p>
<ref table="QoS"/> <ref table="QoS" column="type"/>
<code>linux-htb</code> may use <code>queue_id</code>s less than 61440.
It has the following key-value pairs defined.
</p>
<column name="other_config" key="min-rate"
type='{"type": "integer", "minInteger": 1}'>
Minimum guaranteed bandwidth, in bit/s.
</column>
<column name="other_config" key="max-rate"
type='{"type": "integer", "minInteger": 1}'>
Maximum allowed bandwidth, in bit/s. Optional. If specified, the
queue's rate will not be allowed to exceed the specified value, even
if excess bandwidth is available. If unspecified, defaults to no
limit.
</column>
<column name="other_config" key="burst"
type='{"type": "integer", "minInteger": 1}'>
Burst size, in bits. This is the maximum amount of ``credits'' that a
queue can accumulate while it is idle. Optional. Details of the
<code>linux-htb</code> implementation require a minimum burst size, so
a too-small <code>burst</code> will be silently ignored.
</column>
<column name="other_config" key="priority"
type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
A queue with a smaller <code>priority</code> will receive all the
excess bandwidth that it can use before a queue with a larger value
receives any. Specific priority values are unimportant; only relative
ordering matters. Defaults to 0 if unspecified.
</column>
</group>
<group title="Configuration for linux-hfsc QoS">
<p>
<ref table="QoS"/> <ref table="QoS" column="type"/>
<code>linux-hfsc</code> may use <code>queue_id</code>s less than 61440.
It has the following key-value pairs defined.
</p>
<column name="other_config" key="min-rate"
type='{"type": "integer", "minInteger": 1}'>
Minimum guaranteed bandwidth, in bit/s.
</column>
<column name="other_config" key="max-rate"
type='{"type": "integer", "minInteger": 1}'>
Maximum allowed bandwidth, in bit/s. Optional. If specified, the
queue's rate will not be allowed to exceed the specified value, even if
excess bandwidth is available. If unspecified, defaults to no
limit.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="other_config"/>
<column name="external_ids"/>
</group>
</table>
<table name="Mirror" title="Port mirroring.">
<p>A port mirror within a <ref table="Bridge"/>.</p>
<p>A port mirror configures a bridge to send selected frames to special
``mirrored'' ports, in addition to their normal destinations. Mirroring
traffic may also be referred to as SPAN or RSPAN, depending on how
the mirrored traffic is sent.</p>
<p>
When a packet enters an Open vSwitch bridge, it becomes eligible for
mirroring based on its ingress port and VLAN. As the packet travels
through the flow tables, each time it is output to a port, it becomes
eligible for mirroring based on the egress port and VLAN. In Open
vSwitch 2.5 and later, mirroring occurs just after a packet first becomes
eligible, using the packet as it exists at that point; in Open vSwitch
2.4 and earlier, mirroring occurs only after a packet has traversed all
the flow tables, using the original packet as it entered the bridge.
This makes a difference only when the flow table modifies the packet: in
Open vSwitch 2.4, the modifications are never visible to mirrors, whereas
in Open vSwitch 2.5 and later modifications made before the first output
that makes it eligible for mirroring to a particular destination are
visible.
</p>
<p>
A packet that enters an Open vSwitch bridge is mirrored to a particular
destination only once, even if it is eligible for multiple reasons. For
example, a packet would be mirrored to a particular <ref
column="output_port"/> only once, even if it is selected for mirroring to
that port by <ref column="select_dst_port"/> and <ref
column="select_src_port"/> in the same or different <ref table="Mirror"/>
records.
</p>
<column name="name">
Arbitrary identifier for the <ref table="Mirror"/>.
</column>
<group title="Selecting Packets for Mirroring">
<p>
To be selected for mirroring, a given packet must enter or leave the
bridge through a selected port and it must also be in one of the
selected VLANs.
</p>
<column name="select_all">
If true, every packet arriving or departing on any port is
selected for mirroring.
</column>
<column name="select_dst_port">
Ports on which departing packets are selected for mirroring.
</column>
<column name="select_src_port">
Ports on which arriving packets are selected for mirroring.
</column>
<column name="select_vlan">
VLANs on which packets are selected for mirroring. An empty set
selects packets on all VLANs.
</column>
</group>
<group title="Mirroring Destination Configuration">
<p>
These columns are mutually exclusive. Exactly one of them must be
nonempty.
</p>
<column name="output_port">
<p>Output port for selected packets, if nonempty.</p>
<p>Specifying a port for mirror output reserves that port exclusively
for mirroring. No frames other than those selected for mirroring
via this column
will be forwarded to the port, and any frames received on the port
will be discarded.</p>
<p>
The output port may be any kind of port supported by Open vSwitch.
It may be, for example, a physical port (sometimes called SPAN) or a
GRE tunnel.
</p>
</column>
<column name="output_vlan">
<p>Output VLAN for selected packets, if nonempty.</p>
<p>The frames will be sent out all ports that trunk
<ref column="output_vlan"/>, as well as any ports with implicit VLAN
<ref column="output_vlan"/>. When a mirrored frame is sent out a
trunk port, the frame's VLAN tag will be set to
<ref column="output_vlan"/>, replacing any existing tag; when it is
sent out an implicit VLAN port, the frame will not be tagged. This
type of mirroring is sometimes called RSPAN.</p>
<p>
See the documentation for
<ref column="other_config" key="forward-bpdu"/> in the
<ref table="Interface"/> table for a list of destination MAC
addresses which will not be mirrored to a VLAN to avoid confusing
switches that interpret the protocols that they represent.
</p>
<p><em>Please note:</em> Mirroring to a VLAN can disrupt a network that
contains unmanaged switches. Consider an unmanaged physical switch
with two ports: port 1, connected to an end host, and port 2,
connected to an Open vSwitch configured to mirror received packets
into VLAN 123 on port 2. Suppose that the end host sends a packet on
port 1 that the physical switch forwards to port 2. The Open vSwitch
forwards this packet to its destination and then reflects it back on
port 2 in VLAN 123. This reflected packet causes the unmanaged
physical switch to replace the MAC learning table entry, which
correctly pointed to port 1, with one that incorrectly points to port
2. Afterward, the physical switch will direct packets destined for
the end host to the Open vSwitch on port 2, instead of to the end
host on port 1, disrupting connectivity. If mirroring to a VLAN is
desired in this scenario, then the physical switch must be replaced
by one that learns Ethernet addresses on a per-VLAN basis. In
addition, learning should be disabled on the VLAN containing mirrored
traffic. If this is not done then intermediate switches will learn
the MAC address of each end host from the mirrored traffic. If
packets being sent to that end host are also mirrored, then they will
be dropped since the switch will attempt to send them out the input
port. Disabling learning for the VLAN will cause the switch to
correctly send the packet out all ports configured for that VLAN. If
Open vSwitch is being used as an intermediate switch, learning can be
disabled by adding the mirrored VLAN to <ref column="flood_vlans"/>
in the appropriate <ref table="Bridge"/> table or tables.</p>
<p>
Mirroring to a GRE tunnel has fewer caveats than mirroring to a
VLAN and should generally be preferred.
</p>
</column>
</group>
<group title="Statistics: Mirror counters">
<p>
Key-value pairs that report mirror statistics. The update period
is controlled by <ref column="other_config"
key="stats-update-interval"/> in the <code>Open_vSwitch</code> table.
</p>
<column name="statistics" key="tx_packets">
Number of packets transmitted through this mirror.
</column>
<column name="statistics" key="tx_bytes">
Number of bytes transmitted through this mirror.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="Controller" title="OpenFlow controller configuration.">
<p>An OpenFlow controller.</p>
<p>
Open vSwitch supports two kinds of OpenFlow controllers:
</p>
<dl>
<dt>Primary controllers</dt>
<dd>
<p>
This is the kind of controller envisioned by the OpenFlow 1.0
specification. Usually, a primary controller implements a network
policy by taking charge of the switch's flow table.
</p>
<p>
Open vSwitch initiates and maintains persistent connections to
primary controllers, retrying the connection each time it fails or
drops. The <ref table="Bridge" column="fail_mode"/> column in the
<ref table="Bridge"/> table applies to primary controllers.
</p>
<p>
Open vSwitch permits a bridge to have any number of primary
controllers. When multiple controllers are configured, Open
vSwitch connects to all of them simultaneously. Because
OpenFlow 1.0 does not specify how multiple controllers
coordinate in interacting with a single switch, more than
one primary controller should be specified only if the
controllers are themselves designed to coordinate with each
other. (The Nicira-defined <code>NXT_ROLE</code> OpenFlow
vendor extension may be useful for this.)
</p>
</dd>
<dt>Service controllers</dt>
<dd>
<p>
These kinds of OpenFlow controller connections are intended for
occasional support and maintenance use, e.g. with
<code>ovs-ofctl</code>. Usually a service controller connects only
briefly to inspect or modify some of a switch's state.
</p>
<p>
Open vSwitch listens for incoming connections from service
controllers. The service controllers initiate and, if necessary,
maintain the connections from their end. The <ref table="Bridge"
column="fail_mode"/> column in the <ref table="Bridge"/> table does
not apply to service controllers.
</p>
<p>
Open vSwitch supports configuring any number of service controllers.
</p>
</dd>
</dl>
<p>
The <ref column="target"/> determines the type of controller.
</p>
<group title="Core Features">
<column name="target">
<p>Connection method for controller.</p>
<p>
The following connection methods are currently supported for primary
controllers:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>The specified SSL <var>port</var> on the host at the
given <var>ip</var>, which must be expressed as an IP
address (not a DNS name). The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this form
is used.</p>
<p>If <var>port</var> is not specified, it defaults to 6653.</p>
<p>SSL support is an optional feature that is not always built as
part of Open vSwitch.</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6653</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
</p>
</dd>
</dl>
<p>
The following connection methods are currently supported for service
controllers:
</p>
<dl>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
If <var>ip</var>, which must be expressed as an IP address (not a
DNS name), is specified, then connections are restricted to the
specified local IP address (either IPv4 or IPv6). If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>pssl:6653:[::1]</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to
6653. If <var>ip</var> is not specified then it listens only on
IPv4 (but not IPv6) addresses. The
<ref table="Open_vSwitch" column="ssl"/>
column in the <ref table="Open_vSwitch"/> table must point to a
valid SSL configuration when this form is used.
</p>
<p>
If <var>port</var> is not specified, it currently to 6653.
</p>
<p>
SSL support is an optional feature that is not always built as
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>. If
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), is specified, then connections are restricted to the
specified local IP address (either IPv4 or IPv6). If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>ptcp:6653:[::1]</code>. If <var>ip</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6653.
</p>
</dd>
</dl>
<p>When multiple controllers are configured for a single bridge, the
<ref column="target"/> values must be unique. Duplicate
<ref column="target"/> values yield unspecified results.</p>
</column>
<column name="connection_mode">
<p>If it is specified, this setting must be one of the following
strings that describes how Open vSwitch contacts this OpenFlow
controller over the network:</p>
<dl>
<dt><code>in-band</code></dt>
<dd>In this mode, this controller's OpenFlow traffic travels over the
bridge associated with the controller. With this setting, Open
vSwitch allows traffic to and from the controller regardless of the
contents of the OpenFlow flow table. (Otherwise, Open vSwitch
would never be able to connect to the controller, because it did
not have a flow to enable it.) This is the most common connection
mode because it is not necessary to maintain two independent
networks.</dd>
<dt><code>out-of-band</code></dt>
<dd>In this mode, OpenFlow traffic uses a control network separate
from the bridge associated with this controller, that is, the
bridge does not use any of its own network devices to communicate
with the controller. The control network must be configured
separately, before or after <code>ovs-vswitchd</code> is started.
</dd>
</dl>
<p>If not specified, the default is implementation-specific.</p>
</column>
</group>
<group title="Controller Failure Detection and Handling">
<column name="max_backoff">
Maximum number of milliseconds to wait between connection attempts.
Default is implementation-specific.
</column>
<column name="inactivity_probe">
Maximum number of milliseconds of idle time on connection to
controller before sending an inactivity probe message. If Open
vSwitch does not communicate with the controller for the specified
number of seconds, it will send a probe. If a response is not
received for the same additional amount of time, Open vSwitch
assumes the connection has been broken and attempts to reconnect.
Default is implementation-specific. A value of 0 disables
inactivity probes.
</column>
</group>
<group title="Asynchronous Messages">
<p>
OpenFlow switches send certain messages to controllers spontanenously,
that is, not in response to any request from the controller. These
messages are called ``asynchronous messages.'' These columns allow
asynchronous messages to be limited or disabled to ensure the best use
of network resources.
</p>
<column name="enable_async_messages">
The OpenFlow protocol enables asynchronous messages at time of
connection establishment, which means that a controller can receive
asynchronous messages, potentially many of them, even if it turns them
off immediately after connecting. Set this column to
<code>false</code> to change Open vSwitch behavior to disable, by
default, all asynchronous messages. The controller can use the
<code>NXT_SET_ASYNC_CONFIG</code> Nicira extension to OpenFlow to turn
on any messages that it does want to receive, if any.
</column>
<group title="Controller Rate Limiting">
<p>
A switch can forward packets to a controller over the OpenFlow
protocol. Forwarding packets this way at too high a rate can
overwhelm a controller, frustrate use of the OpenFlow connection for
other purposes, increase the latency of flow setup, and use an
unreasonable amount of bandwidth. Therefore, Open vSwitch supports
limiting the rate of packet forwarding to a controller.
</p>
<p>
There are two main reasons in OpenFlow for a packet to be sent to a
controller: either the packet ``misses'' in the flow table, that is,
there is no matching flow, or a flow table action says to send the
packet to the controller. Open vSwitch limits the rate of each kind
of packet separately at the configured rate. Therefore, the actual
rate that packets are sent to the controller can be up to twice the
configured rate, when packets are sent for both reasons.
</p>
<p>
This feature is specific to forwarding packets over an OpenFlow
connection. It is not general-purpose QoS. See the <ref
table="QoS"/> table for quality of service configuration, and <ref
column="ingress_policing_rate" table="Interface"/> in the <ref
table="Interface"/> table for ingress policing configuration.
</p>
<column name="controller_rate_limit">
<p>
The maximum rate at which the switch will forward packets to the
OpenFlow controller, in packets per second. If no value is
specified, rate limiting is disabled.
</p>
</column>
<column name="controller_burst_limit">
<p>
When a high rate triggers rate-limiting, Open vSwitch queues
packets to the controller for each port and transmits them to the
controller at the configured rate. This value limits the number of
queued packets. Ports on a bridge share the packet queue fairly.
</p>
<p>
This value has no effect unless <ref
column="controller_rate_limit"/> is configured. The current
default when this value is not specified is one-quarter of <ref
column="controller_rate_limit"/>, meaning that queuing can delay
forwarding a packet to the controller by up to 250 ms.
</p>
</column>
<group title="Controller Rate Limiting Statistics">
<p>
These values report the effects of rate limiting. Their values are
relative to establishment of the most recent OpenFlow connection,
or since rate limiting was enabled, whichever happened more
recently. Each consists of two values, one with <code>TYPE</code>
replaced by <code>miss</code> for rate limiting flow table misses,
and the other with <code>TYPE</code> replaced by
<code>action</code> for rate limiting packets sent by OpenFlow
actions.
</p>
<p>
These statistics are reported only when controller rate limiting is
enabled.
</p>
<column name="status" key="packet-in-TYPE-bypassed"
type='{"type": "integer", "minInteger": 0}'>
Number of packets sent directly to the controller, without queuing,
because the rate did not exceed the configured maximum.
</column>
<column name="status" key="packet-in-TYPE-queued"
type='{"type": "integer", "minInteger": 0}'>
Number of packets added to the queue to send later.
</column>
<column name="status" key="packet-in-TYPE-dropped"
type='{"type": "integer", "minInteger": 0}'>
Number of packets added to the queue that were later dropped due to
overflow. This value is less than or equal to <ref column="status"
key="packet-in-TYPE-queued"/>.
</column>
<column name="status" key="packet-in-TYPE-backlog"
type='{"type": "integer", "minInteger": 0}'>
Number of packets currently queued. The other statistics increase
monotonically, but this one fluctuates between 0 and the <ref
column="controller_burst_limit"/> as conditions change.
</column>
</group>
</group>
</group>
<group title="Additional In-Band Configuration">
<p>These values are considered only in in-band control mode (see
<ref column="connection_mode"/>).</p>
<p>When multiple controllers are configured on a single bridge, there
should be only one set of unique values in these columns. If different
values are set for these columns in different controllers, the effect
is unspecified.</p>
<column name="local_ip">
The IP address to configure on the local port,
e.g. <code>192.168.0.123</code>. If this value is unset, then
<ref column="local_netmask"/> and <ref column="local_gateway"/> are
ignored.
</column>
<column name="local_netmask">
The IP netmask to configure on the local port,
e.g. <code>255.255.255.0</code>. If <ref column="local_ip"/> is set
but this value is unset, then the default is chosen based on whether
the IP address is class A, B, or C.
</column>
<column name="local_gateway">
The IP address of the gateway to configure on the local port, as a
string, e.g. <code>192.168.0.1</code>. Leave this column unset if
this network has no gateway.
</column>
</group>
<group title="Controller Status">
<column name="is_connected">
<code>true</code> if currently connected to this controller,
<code>false</code> otherwise.
</column>
<column name="role"
type='{"type": "string", "enum": ["set", ["other", "master", "slave"]]}'>
<p>The level of authority this controller has on the associated
bridge. Possible values are:</p>
<dl>
<dt><code>other</code></dt>
<dd>Allows the controller access to all OpenFlow features.</dd>
<dt><code>master</code></dt>
<dd>Equivalent to <code>other</code>, except that there may be at
most one master controller at a time. When a controller configures
itself as <code>master</code>, any existing master is demoted to
the <code>slave</code> role.</dd>
<dt><code>slave</code></dt>
<dd>Allows the controller read-only access to OpenFlow features.
Attempts to modify the flow table will be rejected with an
error. Slave controllers do not receive OFPT_PACKET_IN or
OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS
messages.</dd>
</dl>
</column>
<column name="status" key="last_error">
A human-readable description of the last error on the connection
to the controller; i.e. <code>strerror(errno)</code>. This key
will exist only if an error has occurred.
</column>
<column name="status" key="state"
type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
<p>
The state of the connection to the controller:
</p>
<dl>
<dt><code>VOID</code></dt>
<dd>Connection is disabled.</dd>
<dt><code>BACKOFF</code></dt>
<dd>Attempting to reconnect at an increasing period.</dd>
<dt><code>CONNECTING</code></dt>
<dd>Attempting to connect.</dd>
<dt><code>ACTIVE</code></dt>
<dd>Connected, remote host responsive.</dd>
<dt><code>IDLE</code></dt>
<dd>Connection is idle. Waiting for response to keep-alive.</dd>
</dl>
<p>
These values may change in the future. They are provided only for
human consumption.
</p>
</column>
<column name="status" key="sec_since_connect"
type='{"type": "integer", "minInteger": 0}'>
The amount of time since this controller last successfully connected to
the switch (in seconds). Value is empty if controller has never
successfully connected.
</column>
<column name="status" key="sec_since_disconnect"
type='{"type": "integer", "minInteger": 1}'>
The amount of time since this controller last disconnected from
the switch (in seconds). Value is empty if controller has never
disconnected.
</column>
</group>
<group title="Connection Parameters">
<p>
Additional configuration for a connection between the controller
and the Open vSwitch.
</p>
<column name="other_config" key="dscp"
type='{"type": "integer"}'>
The Differentiated Service Code Point (DSCP) is specified using 6 bits
in the Type of Service (TOS) field in the IP header. DSCP provides a
mechanism to classify the network traffic and provide Quality of
Service (QoS) on IP networks.
The DSCP value specified here is used when establishing the connection
between the controller and the Open vSwitch. If no value is specified,
a default value of 48 is chosen. Valid DSCP values must be in the
range 0 to 63.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
<column name="other_config"/>
</group>
</table>
<table name="Manager" title="OVSDB management connection.">
<p>
Configuration for a database connection to an Open vSwitch database
(OVSDB) client.
</p>
<p>
This table primarily configures the Open vSwitch database
(<code>ovsdb-server</code>), not the Open vSwitch switch
(<code>ovs-vswitchd</code>). The switch does read the table to determine
what connections should be treated as in-band.
</p>
<p>
The Open vSwitch database server can initiate and maintain active
connections to remote clients. It can also listen for database
connections.
</p>
<group title="Core Features">
<column name="target">
<p>Connection method for managers.</p>
<p>
The following connection methods are currently supported:
</p>
<dl>
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address
(not a DNS name). The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this
form is used.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always
built as part of Open vSwitch.
</p>
</dd>
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified TCP <var>port</var> on the host at the given
<var>ip</var>, which must be expressed as an IP address (not a
DNS name), where <var>ip</var> can be IPv4 or IPv6 address. If
<var>ip</var> is an IPv6 address, wrap it in square brackets,
e.g. <code>tcp:[::1]:6640</code>.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
table="Open_vSwitch"/> table must point to a valid SSL
configuration when this form is used.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always built as
part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
<dd>
<p>
Listens for connections on the specified TCP <var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>ip</var>, which must be
expressed as an IP address (not a DNS name), is specified, then
connections are restricted to the specified local IP address
(either IPv4 or IPv6 address). If <var>ip</var> is an IPv6
address, wrap it in square brackets,
e.g. <code>ptcp:6640:[::1]</code>. If <var>ip</var> is not
specified then it listens only on IPv4 addresses.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
</dd>
</dl>
<p>When multiple managers are configured, the <ref column="target"/>
values must be unique. Duplicate <ref column="target"/> values yield
unspecified results.</p>
</column>
<column name="connection_mode">
<p>
If it is specified, this setting must be one of the following strings
that describes how Open vSwitch contacts this OVSDB client over the
network:
</p>
<dl>
<dt><code>in-band</code></dt>
<dd>
In this mode, this connection's traffic travels over a bridge
managed by Open vSwitch. With this setting, Open vSwitch allows
traffic to and from the client regardless of the contents of the
OpenFlow flow table. (Otherwise, Open vSwitch would never be able
to connect to the client, because it did not have a flow to enable
it.) This is the most common connection mode because it is not
necessary to maintain two independent networks.
</dd>
<dt><code>out-of-band</code></dt>
<dd>
In this mode, the client's traffic uses a control network separate
from that managed by Open vSwitch, that is, Open vSwitch does not
use any of its own network devices to communicate with the client.
The control network must be configured separately, before or after
<code>ovs-vswitchd</code> is started.
</dd>
</dl>
<p>
If not specified, the default is implementation-specific.
</p>
</column>
</group>
<group title="Client Failure Detection and Handling">
<column name="max_backoff">
Maximum number of milliseconds to wait between connection attempts.
Default is implementation-specific.
</column>
<column name="inactivity_probe">
Maximum number of milliseconds of idle time on connection to the client
before sending an inactivity probe message. If Open vSwitch does not
communicate with the client for the specified number of seconds, it
will send a probe. If a response is not received for the same
additional amount of time, Open vSwitch assumes the connection has been
broken and attempts to reconnect. Default is implementation-specific.
A value of 0 disables inactivity probes.
</column>
</group>
<group title="Status">
<column name="is_connected">
<code>true</code> if currently connected to this manager,
<code>false</code> otherwise.
</column>
<column name="status" key="last_error">
A human-readable description of the last error on the connection
to the manager; i.e. <code>strerror(errno)</code>. This key
will exist only if an error has occurred.
</column>
<column name="status" key="state"
type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
<p>
The state of the connection to the manager:
</p>
<dl>
<dt><code>VOID</code></dt>
<dd>Connection is disabled.</dd>
<dt><code>BACKOFF</code></dt>
<dd>Attempting to reconnect at an increasing period.</dd>
<dt><code>CONNECTING</code></dt>
<dd>Attempting to connect.</dd>
<dt><code>ACTIVE</code></dt>
<dd>Connected, remote host responsive.</dd>
<dt><code>IDLE</code></dt>
<dd>Connection is idle. Waiting for response to keep-alive.</dd>
</dl>
<p>
These values may change in the future. They are provided only for
human consumption.
</p>
</column>
<column name="status" key="sec_since_connect"
type='{"type": "integer", "minInteger": 0}'>
The amount of time since this manager last successfully connected
to the database (in seconds). Value is empty if manager has never
successfully connected.
</column>
<column name="status" key="sec_since_disconnect"
type='{"type": "integer", "minInteger": 0}'>
The amount of time since this manager last disconnected from the
database (in seconds). Value is empty if manager has never
disconnected.
</column>
<column name="status" key="locks_held">
Space-separated list of the names of OVSDB locks that the connection
holds. Omitted if the connection does not hold any locks.
</column>
<column name="status" key="locks_waiting">
Space-separated list of the names of OVSDB locks that the connection is
currently waiting to acquire. Omitted if the connection is not waiting
for any locks.
</column>
<column name="status" key="locks_lost">
Space-separated list of the names of OVSDB locks that the connection
has had stolen by another OVSDB client. Omitted if no locks have been
stolen from this connection.
</column>
<column name="status" key="n_connections"
type='{"type": "integer", "minInteger": 2}'>
<p>
When <ref column="target"/> specifies a connection method that
listens for inbound connections (e.g. <code>ptcp:</code> or
<code>pssl:</code>) and more than one connection is actually active,
the value is the number of active connections. Otherwise, this
key-value pair is omitted.
</p>
<p>
When multiple connections are active, status columns and key-value
pairs (other than this one) report the status of one arbitrarily
chosen connection.
</p>
</column>
<column name="status" key="bound_port" type='{"type": "integer"}'>
When <ref column="target"/> is <code>ptcp:</code> or
<code>pssl:</code>, this is the TCP port on which the OVSDB server is
listening. (This is is particularly useful when <ref
column="target"/> specifies a port of 0, allowing the kernel to
choose any available port.)
</column>
</group>
<group title="Connection Parameters">
<p>
Additional configuration for a connection between the manager
and the Open vSwitch Database.
</p>
<column name="other_config" key="dscp"
type='{"type": "integer"}'>
The Differentiated Service Code Point (DSCP) is specified using 6 bits
in the Type of Service (TOS) field in the IP header. DSCP provides a
mechanism to classify the network traffic and provide Quality of
Service (QoS) on IP networks.
The DSCP value specified here is used when establishing the connection
between the manager and the Open vSwitch. If no value is specified, a
default value of 48 is chosen. Valid DSCP values must be in the range
0 to 63.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
<column name="other_config"/>
</group>
</table>
<table name="NetFlow">
A NetFlow target. NetFlow is a protocol that exports a number of
details about terminating IP flows, such as the principals involved
and duration.
<column name="targets">
NetFlow targets in the form
<code><var>ip</var>:<var>port</var></code>. The <var>ip</var>
must be specified numerically, not as a DNS name.
</column>
<column name="engine_id">
Engine ID to use in NetFlow messages. Defaults to datapath index
if not specified.
</column>
<column name="engine_type">
Engine type to use in NetFlow messages. Defaults to datapath
index if not specified.
</column>
<column name="active_timeout">
<p>
The interval at which NetFlow records are sent for flows that
are still active, in seconds. A value of <code>0</code>
requests the default timeout (currently 600 seconds); a value
of <code>-1</code> disables active timeouts.
</p>
<p>
The NetFlow passive timeout, for flows that become inactive,
is not configurable. It will vary depending on the Open
vSwitch version, the forms and contents of the OpenFlow flow
tables, CPU and memory usage, and network activity. A typical
passive timeout is about a second.
</p>
</column>
<column name="add_id_to_interface">
<p>If this column's value is <code>false</code>, the ingress and egress
interface fields of NetFlow flow records are derived from OpenFlow port
numbers. When it is <code>true</code>, the 7 most significant bits of
these fields will be replaced by the least significant 7 bits of the
engine id. This is useful because many NetFlow collectors do not
expect multiple switches to be sending messages from the same host, so
they do not store the engine information which could be used to
disambiguate the traffic.</p>
<p>When this option is enabled, a maximum of 508 ports are supported.</p>
</column>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="SSL">
SSL configuration for an Open_vSwitch.
<column name="private_key">
Name of a PEM file containing the private key used as the switch's
identity for SSL connections to the controller.
</column>
<column name="certificate">
Name of a PEM file containing a certificate, signed by the
certificate authority (CA) used by the controller and manager,
that certifies the switch's private key, identifying a trustworthy
switch.
</column>
<column name="ca_cert">
Name of a PEM file containing the CA certificate used to verify
that the switch is connected to a trustworthy controller.
</column>
<column name="bootstrap_ca_cert">
If set to <code>true</code>, then Open vSwitch will attempt to
obtain the CA certificate from the controller on its first SSL
connection and save it to the named PEM file. If it is successful,
it will immediately drop the connection and reconnect, and from then
on all SSL connections must be authenticated by a certificate signed
by the CA certificate thus obtained. <em>This option exposes the
SSL connection to a man-in-the-middle attack obtaining the initial
CA certificate.</em> It may still be useful for bootstrapping.
</column>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="sFlow">
<p>A set of sFlow(R) targets. sFlow is a protocol for remote
monitoring of switches.</p>
<column name="agent">
Name of the network device whose IP address should be reported as the
``agent address'' to collectors. If not specified, the agent device is
figured from the first target address and the routing table. If the
routing table does not contain a route to the target, the IP address
defaults to the <ref table="Controller" column="local_ip"/> in the
collector's <ref table="Controller"/>. If an agent IP address cannot be
determined any of these ways, sFlow is disabled.
</column>
<column name="header">
Number of bytes of a sampled packet to send to the collector.
If not specified, the default is 128 bytes.
</column>
<column name="polling">
Polling rate in seconds to send port statistics to the collector.
If not specified, defaults to 30 seconds.
</column>
<column name="sampling">
Rate at which packets should be sampled and sent to the collector.
If not specified, defaults to 400, which means one out of 400
packets, on average, will be sent to the collector.
</column>
<column name="targets">
sFlow targets in the form
<code><var>ip</var>:<var>port</var></code>.
</column>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="IPFIX">
<p>Configuration for sending packets to IPFIX collectors.</p>
<p>
IPFIX is a protocol that exports a number of details about flows. The
IPFIX implementation in Open vSwitch samples packets at a configurable
rate, extracts flow information from those packets, optionally caches and
aggregates the flow information, and sends the result to one or more
collectors.
</p>
<p>
IPFIX in Open vSwitch can be configured two different ways:
</p>
<ul>
<li>
With <em>per-bridge sampling</em>, Open vSwitch performs IPFIX sampling
automatically on all packets that pass through a bridge. To configure
per-bridge sampling, create an <ref table="IPFIX"/> record and point a
<ref table="Bridge"/> table's <ref table="Bridge" column="ipfix"/>
column to it. The <ref table="Flow_Sample_Collector_Set"/> table is
not used for per-bridge sampling.
</li>
<li>
<p>
With <em>flow-based sampling</em>, <code>sample</code> actions in the
OpenFlow flow table drive IPFIX sampling. See
<code>ovs-ofctl</code>(8) for a description of the
<code>sample</code> action.
</p>
<p>
Flow-based sampling also requires database configuration: create a
<ref table="IPFIX"/> record that describes the IPFIX configuration
and a <ref table="Flow_Sample_Collector_Set"/> record that points to
the <ref table="Bridge"/> whose flow table holds the
<code>sample</code> actions and to <ref table="IPFIX"/> record. The
<ref table="Bridge" column="ipfix"/> in the <ref table="Bridge"/>
table is not used for flow-based sampling.
</p>
</li>
</ul>
<column name="targets">
IPFIX target collectors in the form
<code><var>ip</var>:<var>port</var></code>.
</column>
<column name="cache_active_timeout">
The maximum period in seconds for which an IPFIX flow record is
cached and aggregated before being sent. If not specified,
defaults to 0. If 0, caching is disabled.
</column>
<column name="cache_max_flows">
The maximum number of IPFIX flow records that can be cached at a
time. If not specified, defaults to 0. If 0, caching is
disabled.
</column>
<group title="Per-Bridge Sampling">
<p>
These values affect only per-bridge sampling. See above for a
description of the differences between per-bridge and flow-based
sampling.
</p>
<column name="sampling">
The rate at which packets should be sampled and sent to each target
collector. If not specified, defaults to 400, which means one out of
400 packets, on average, will be sent to each target collector.
</column>
<column name="obs_domain_id">
The IPFIX Observation Domain ID sent in each IPFIX packet. If not
specified, defaults to 0.
</column>
<column name="obs_point_id">
The IPFIX Observation Point ID sent in each IPFIX flow record. If not
specified, defaults to 0.
</column>
<column name="other_config" key="enable-tunnel-sampling"
type='{"type": "boolean"}'>
<p>
Set to <code>true</code> to enable sampling and reporting tunnel
header 7-tuples in IPFIX flow records. Tunnel sampling is disabled
by default.
</p>
<p>
The following enterprise entities report the sampled tunnel info:
</p>
<dl>
<dt>tunnelType:</dt>
<dd>
<p>ID: 891, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 8-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: Identifier of the layer 2 network overlay network
encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE,
0x07 GENEVE.</p>
</dd>
<dt>tunnelKey:</dt>
<dd>
<p>ID: 892, and enterprise ID 6876 (VMware).</p>
<p>type: variable-length octetarray.</p>
<p>data type semantics: identifier.</p>
<p>description: Key which is used for identifying an individual
traffic flow within a VxLAN (24-bit VNI), GENEVE (24-bit VNI),
GRE (32-bit key), or LISP (24-bit instance ID) tunnel. The
key is encoded in this octetarray as a 3-, 4-, or 8-byte integer
ID in network byte order.</p>
</dd>
<dt>tunnelSourceIPv4Address:</dt>
<dd>
<p>ID: 893, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 32-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: The IPv4 source address in the tunnel IP packet
header.</p>
</dd>
<dt>tunnelDestinationIPv4Address:</dt>
<dd>
<p>ID: 894, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 32-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: The IPv4 destination address in the tunnel IP
packet header.</p>
</dd>
<dt>tunnelProtocolIdentifier:</dt>
<dd>
<p>ID: 895, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 8-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: The value of the protocol number in the tunnel
IP packet header. The protocol number identifies the tunnel IP
packet payload type.</p>
</dd>
<dt>tunnelSourceTransportPort:</dt>
<dd>
<p>ID: 896, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 16-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: The source port identifier in the tunnel transport
header. For the transport protocols UDP, TCP, and SCTP, this is
the source port number given in the respective header.</p>
</dd>
<dt>tunnelDestinationTransportPort:</dt>
<dd>
<p>ID: 897, and enterprise ID 6876 (VMware).</p>
<p>type: unsigned 16-bit integer.</p>
<p>data type semantics: identifier.</p>
<p>description: The destination port identifier in the tunnel
transport header. For the transport protocols UDP, TCP, and SCTP,
this is the destination port number given in the respective header.
</p>
</dd>
</dl>
</column>
<column name="other_config" key="enable-input-sampling"
type='{"type": "boolean"}'>
By default, Open vSwitch samples and reports flows at bridge port input
in IPFIX flow records. Set this column to <code>false</code> to
disable input sampling.
</column>
<column name="other_config" key="enable-output-sampling"
type='{"type": "boolean"}'>
By default, Open vSwitch samples and reports flows at bridge port
output in IPFIX flow records. Set this column to <code>false</code> to
disable output sampling.
</column>
</group>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="Flow_Sample_Collector_Set">
<p>
A set of IPFIX collectors of packet samples generated by OpenFlow
<code>sample</code> actions. This table is used only for IPFIX
flow-based sampling, not for per-bridge sampling (see the <ref
table="IPFIX"/> table for a description of the two forms).
</p>
<column name="id">
The ID of this collector set, unique among the bridge's
collector sets, to be used as the <code>collector_set_id</code>
in OpenFlow <code>sample</code> actions.
</column>
<column name="bridge">
The bridge into which OpenFlow <code>sample</code> actions can
be added to send packet samples to this set of IPFIX collectors.
</column>
<column name="ipfix">
Configuration of the set of IPFIX collectors to send one flow
record per sampled packet to.
</column>
<group title="Common Columns">
The overall purpose of these columns is described under <code>Common
Columns</code> at the beginning of this document.
<column name="external_ids"/>
</group>
</table>
<table name="AutoAttach">
<p>
Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM
draft standard describes a compact method of using IEEE 802.1AB Link
Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
Path Bridging (SPB) network to automatically attach network devices
to individual services in a SPB network. The intent here is to allow
network applications and devices using OVS to be able to easily take
advantage of features offered by industry standard SPB networks.
</p>
<p>
Auto Attach (AA) uses LLDP to communicate between a directly connected
Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP protocol
is extended to add two new Type-Length-Value tuples (TLVs). The first
new TLV supports the ongoing discovery of directly connected AA
correspondents. Auto Attach operates by regularly transmitting AA
discovery TLVs between the AA client and AA server. By exchanging these
discovery messages, both the AAC and AAS learn the system name and
system description of their peer. In the OVS context, OVS operates as
the AA client and the AA server resides on a switch at the edge of the
SPB network.
</p>
<p>
Once AA discovery has been completed the AAC then uses the second new TLV
to deliver identifier mappings from the AAC to the AAS. A primary feature
of Auto Attach is to facilitate the mapping of VLANs defined outside the
SPB network onto service ids (ISIDs) defined within the SPM network. By
doing so individual external VLANs can be mapped onto specific SPB
network services. These VLAN id to ISID mappings can be configured and
managed locally using new options added to the ovs-vsctl command.
</p>
<p>
The Auto Attach OVS feature does not provide a full implementation of
the LLDP protocol. Support for the mandatory TLVs as defined by the LLDP
standard and support for the AA TLV extensions is provided. LLDP
protocol support in OVS can be enabled or disabled on a port by port
basis. LLDP support is disabled by default.
</p>
<column name="system_name">
The system_name string is exported in LLDP messages. It should uniquely
identify the bridge in the network.
</column>
<column name="system_description">
The system_description string is exported in LLDP messages. It should
describe the type of software and hardware.
</column>
<column name="mappings">
A mapping from SPB network Individual Service Identifier (ISID) to VLAN
id.
</column>
</table>
</database>
View Git Blame Copy Permalink