1ovs-vswitchd.conf.db(5) Open vSwitch Manual ovs-vswitchd.conf.db(5)
2
6 ovs-vswitchd.conf.db - Open_vSwitch database schema
7 A database with this schema holds the configuration for one Open
9 vSwitch daemon. The top-level configuration for the daemon is the
10 Open_vSwitch table, which must have exactly one record. Records in
11 other tables are significant only when they can be reached directly or
12 indirectly from the Open_vSwitch table. Records that are not reachable
13 from the Open_vSwitch table are automatically deleted from the data‐
14 base, except for records in a few distinguished ``root set’’ tables.
15 Common Columns
17 Most tables contain two special columns, named other_config and exter‐
18 nal_ids. These columns have the same form and purpose each place that
19 they appear, so we describe them here to save space later.
20 other_config: map of string-string pairs
22 Key-value pairs for configuring rarely used features.
23 Supported keys, along with the forms taken by their val‐
24 ues, are documented individually for each table.
25 A few tables do not have other_config columns because no
27 key-value pairs have yet been defined for them.
28 external_ids: map of string-string pairs
30 Key-value pairs for use by external frameworks that inte‐
31 grate with Open vSwitch, rather than by Open vSwitch it‐
32 self. System integrators should either use the Open
33 vSwitch development mailing list to coordinate on common
34 key-value definitions, or choose key names that are
35 likely to be unique. In some cases, where key-value pairs
36 have been defined that are likely to be widely useful,
37 they are documented individually for each table.
38
40 The following list summarizes the purpose of each of the tables in the
41 Open_vSwitch database. Each table is described in more detail on a
42 later page.
43 Table Purpose
45 Open_vSwitch
46 Open vSwitch configuration.
47 Bridge Bridge configuration.
48 Port Port configuration.
49 Interface One physical network device in a Port.
50 Flow_Table
51 OpenFlow table configuration
52 QoS Quality of Service configuration
53 Queue QoS output queue.
54 Mirror Port mirroring.
55 Controller
56 OpenFlow controller configuration.
57 Manager OVSDB management connection.
58 NetFlow NetFlow configuration.
59 Datapath Datapath configuration.
60 CT_Zone CT_Zone configuration.
61 CT_Timeout_Policy
62 CT_Timeout_Policy configuration.
63 SSL SSL configuration.
64 sFlow sFlow configuration.
65 IPFIX IPFIX configuration.
66 Flow_Sample_Collector_Set
67 Flow_Sample_Collector_Set configuration.
68 AutoAttach
69 AutoAttach configuration.
70
72 Configuration for an Open vSwitch daemon. There must be exactly one
73 record in the Open_vSwitch table.
74 Summary:
76 Configuration:
77 datapaths map of string-Datapath pairs
78 bridges set of Bridges
79 ssl optional SSL
80 external_ids : system-id optional string
81 external_ids : hostname optional string
82 external_ids : rundir optional string
83 other_config : stats-update-interval
84 optional string, containing an integer,
85 at least 5,000
86 other_config : flow-restore-wait
87 optional string, either true or false
88 other_config : flow-limit optional string, containing an integer,
89 at least 0
90 other_config : max-idle optional string, containing an integer,
91 at least 500
92 other_config : max-revalidator
93 optional string, containing an integer,
94 at least 100
95 other_config : min-revalidate-pps
96 optional string, containing an integer,
97 at least 0
98 other_config : offloaded-stats-delay
99 optional string, containing an integer,
100 at least 0
101 other_config : hw-offload optional string, either true or false
102 other_config : n-offload-threads
103 optional string, containing an integer,
104 in range 1 to 10
105 other_config : tc-policy optional string, one of none, skip_hw, or
106 skip_sw
107 other_config : dpdk-init optional string, one of false, true, or
108 try
109 other_config : dpdk-lcore-mask
110 optional string, containing an integer,
111 at least 1
112 other_config : pmd-cpu-mask
113 optional string
114 other_config : dpdk-alloc-mem
115 optional string, containing an integer,
116 at least 0
117 other_config : dpdk-socket-mem
118 optional string
119 other_config : dpdk-socket-limit
120 optional string
121 other_config : dpdk-hugepage-dir
122 optional string
123 other_config : dpdk-extra optional string
124 other_config : vhost-sock-dir
125 optional string
126 other_config : vhost-iommu-support
127 optional string, either true or false
128 other_config : vhost-postcopy-support
129 optional string, either true or false
130 other_config : per-port-memory
131 optional string, either true or false
132 other_config : shared-mempool-config
133 optional string
134 other_config : tx-flush-interval
135 optional string, containing an integer,
136 in range 0 to 1,000,000
137 other_config : pmd-perf-metrics
138 optional string, either true or false
139 other_config : smc-enable optional string, either true or false
140 other_config : pmd-rxq-assign
141 optional string, one of cycles, group, or
142 roundrobin
143 other_config : pmd-rxq-isolate
144 optional string, either true or false
145 other_config : n-handler-threads
146 optional string, containing an integer,
147 at least 1
148 other_config : n-revalidator-threads
149 optional string, containing an integer,
150 at least 1
151 other_config : emc-insert-inv-prob
152 optional string, containing an integer,
153 in range 0 to 4,294,967,295
154 other_config : vlan-limit optional string, containing an integer,
155 at least 0
156 other_config : bundle-idle-timeout
157 optional string, containing an integer,
158 at least 1
159 other_config : offload-rebalance
160 optional string, either true or false
161 other_config : pmd-auto-lb optional string, either true or false
162 other_config : pmd-auto-lb-rebal-interval
163 optional string, containing an integer,
164 in range 0 to 20,000
165 other_config : pmd-auto-lb-load-threshold
166 optional string, containing an integer,
167 in range 0 to 100
168 other_config : pmd-auto-lb-improvement-threshold
169 optional string, containing an integer,
170 in range 0 to 100
171 other_config : pmd-sleep-max
172 optional string, containing an integer,
173 in range 0 to 10,000
174 other_config : userspace-tso-enable
175 optional string, either true or false
176 Status:
177 next_cfg integer
178 cur_cfg integer
179 dpdk_initialized boolean
180 Statistics:
181 other_config : enable-statistics
182 optional string, either true or false
183 statistics : cpu optional string, containing an integer,
184 at least 1
185 statistics : load_average
186 optional string
187 statistics : memory optional string
188 statistics : process_NAME
189 optional string
190 statistics : file_systems
191 optional string
192 Version Reporting:
193 ovs_version optional string
194 db_version optional string
195 system_type optional string
196 system_version optional string
197 dpdk_version optional string
198 Capabilities:
199 datapath_types set of strings
200 iface_types set of strings
201 Database Configuration:
202 manager_options set of Managers
203 IPsec:
204 other_config : private_key optional string
205 other_config : certificate optional string
206 other_config : ca_cert optional string
207 Plaintext Tunnel Policy:
208 other_config : ipsec_skb_mark
209 optional string
210 Common Columns:
211 other_config map of string-string pairs
212 external_ids map of string-string pairs
213 Details:
215 Configuration:
216 datapaths: map of string-Datapath pairs
218 Map of datapath types to datapaths. The datapath_type column of
219 the Bridge table is used as a key for this map. The value points
220 to a row in the Datapath table.
221 bridges: set of Bridges
223 Set of bridges managed by the daemon.
224 ssl: optional SSL
226 SSL used globally by the daemon.
227 external_ids : system-id: optional string
229 A unique identifier for the Open vSwitch’s physical host. The
230 form of the identifier depends on the type of the host.
231 external_ids : hostname: optional string
233 The hostname for the host running Open vSwitch. This is a fully
234 qualified domain name since version 2.6.2.
235 external_ids : rundir: optional string
237 In Open vSwitch 2.8 and later, the run directory of the running
238 Open vSwitch daemon. This directory is used for runtime state
239 such as control and management sockets. The value of other_con‐
240 fig:vhost-sock-dir is relative to this directory.
241 other_config : stats-update-interval: optional string, containing an
243 integer, at least 5,000
244 Interval for updating statistics to the database, in millisec‐
245 onds. This option will affect the update of the statistics col‐
246 umn in the following tables: Port, Interface , Mirror.
247 Default value is 5000 ms.
249 Getting statistics more frequently can be achieved via OpenFlow.
251 other_config : flow-restore-wait: optional string, either true or false
253 When ovs-vswitchd starts up, it has an empty flow table and
254 therefore it handles all arriving packets in its default fashion
255 according to its configuration, by dropping them or sending them
256 to an OpenFlow controller or switching them as a standalone
257 switch. This behavior is ordinarily desirable. However, if
258 ovs-vswitchd is restarting as part of a ``hot-upgrade,’’ then
259 this leads to a relatively long period during which packets are
260 mishandled.
261 This option allows for improvement. When ovs-vswitchd starts
263 with this value set as true, it will neither flush or expire
264 previously set datapath flows nor will it send and receive any
265 packets to or from the datapath. When this value is later set to
266 false, ovs-vswitchd will start receiving packets from the data‐
267 path and re-setup the flows.
268 Additionally, ovs-vswitchd is prevented from connecting to con‐
270 trollers when this value is set to true. This prevents con‐
271 trollers from making changes to the flow table in the middle of
272 flow restoration, which could result in undesirable intermediate
273 states. Once this value has been set to false and the desired
274 flow state has been restored, ovs-vswitchd will be able to re‐
275 connect to controllers and process any new flow table modifica‐
276 tions.
277 Thus, with this option, the procedure for a hot-upgrade of
279 ovs-vswitchd becomes roughly the following:
280 1. Stop ovs-vswitchd.
282 2. Set other_config:flow-restore-wait to true.
284 3. Start ovs-vswitchd.
286 4. Use ovs-ofctl (or some other program, such as an OpenFlow
288 controller) to restore the OpenFlow flow table to the de‐
289 sired state.
290 5. Set other_config:flow-restore-wait to false (or remove it
292 entirely from the database).
293 The ovs-ctl’s ``restart’’ and ``force-reload-kmod’’ functions
295 use the above config option during hot upgrades.
296 other_config : flow-limit: optional string, containing an integer, at
298 least 0
299 The maximum number of flows allowed in the datapath flow table.
300 Internally OVS will choose a flow limit which will likely be
301 lower than this number, based on real time network conditions.
302 Tweaking this value is discouraged unless you know exactly what
303 you’re doing.
304 The default is 200000.
306 other_config : max-idle: optional string, containing an integer, at
308 least 500
309 The maximum time (in ms) that idle flows will remain cached in
310 the datapath. Internally OVS will check the validity and activ‐
311 ity for datapath flows regularly and may expire flows quicker
312 than this number, based on real time network conditions. Tweak‐
313 ing this value is discouraged unless you know exactly what
314 you’re doing.
315 The default is 10000.
317 other_config : max-revalidator: optional string, containing an integer,
319 at least 100
320 The maximum time (in ms) that revalidator threads will wait be‐
321 fore executing flow revalidation. Note that this is maximum al‐
322 lowed value. Actual timeout used by OVS is minimum of max-idle
323 and max-revalidator values. Tweaking this value is discouraged
324 unless you know exactly what you’re doing.
325 The default is 500.
327 other_config : min-revalidate-pps: optional string, containing an inte‐
329 ger, at least 0
330 Set minimum pps that flow must have in order to be revalidated
331 when revalidation duration exceeds half of max-revalidator con‐
332 fig variable. Setting to 0 means always revalidate flows regard‐
333 less of pps.
334 The default is 5.
336 other_config : offloaded-stats-delay: optional string, containing an
338 integer, at least 0
339 Set worst case delay (in ms) it might take before statistics of
340 offloaded flows are updated. Offloaded flows younger than this
341 delay will always be revalidated regardless of other_config:min-
342 revalidate-pps.
343 The default is 2000.
345 other_config : hw-offload: optional string, either true or false
347 Set this value to true to enable netdev flow offload.
348 The default value is false. Changing this value requires
350 restarting the daemon
351 Currently Open vSwitch supports hardware offloading on Linux
353 systems. On other systems, this value is ignored. This function‐
354 ality is considered ’experimental’. Depending on which OpenFlow
355 matches and actions are configured, which kernel version is
356 used, and what hardware is available, Open vSwitch may not be
357 able to offload functionality to hardware.
358 In order to dump HW offloaded flows use ovs-appctl
360 dpctl/dump-flows, ovs-dpctl doesn’t support this functionality.
361 See ovs-vswitchd(8) for details.
362 other_config : n-offload-threads: optional string, containing an inte‐
364 ger, in range 1 to 10
365 Set this value to the number of threads created to manage hard‐
366 ware offloads.
367 The default value is 1. Changing this value requires restarting
369 the daemon.
370 This is only relevant for userspace datapath and only if
372 other_config:hw-offload is enabled.
373 other_config : tc-policy: optional string, one of none, skip_hw, or
375 skip_sw
376 Specified the policy used with HW offloading. Options:
377 none Add software rule and offload rule to HW.
379 skip_sw
381 Offload rule to HW only.
382 skip_hw
384 Add software rule without offloading rule to HW.
385 This is only relevant if other_config:hw-offload is enabled.
387 The default value is none.
389 other_config : dpdk-init: optional string, one of false, true, or try
391 Set this value to true or try to enable runtime support for DPDK
392 ports. The vswitch must have compile-time support for DPDK as
393 well.
394 A value of true will cause the ovs-vswitchd process to abort if
396 DPDK cannot be initialized. A value of try will allow the ovs-
397 vswitchd process to continue running even if DPDK cannot be ini‐
398 tialized.
399 The default value is false. Changing this value requires
401 restarting the daemon
402 If this value is false at startup, any dpdk ports which are con‐
404 figured in the bridge will fail due to memory errors.
405 other_config : dpdk-lcore-mask: optional string, containing an integer,
407 at least 1
408 Specifies the CPU cores where dpdk lcore threads should be
409 spawned. The DPDK lcore threads are used for DPDK library tasks,
410 such as library internal message processing, logging, etc. Value
411 should be in the form of a hex string (so ’0x123’) similar to
412 the ’taskset’ mask input.
413 The lowest order bit corresponds to the first CPU core. A set
415 bit means the corresponding core is available and an lcore
416 thread will be created and pinned to it. If the input does not
417 cover all cores, those uncovered cores are considered not set.
418 For performance reasons, it is best to set this to a single core
420 on the system, rather than allow lcore threads to float.
421 If not specified, the value will be determined by choosing the
423 lowest CPU core from initial cpu affinity list. Otherwise, the
424 value will be passed directly to the DPDK library.
425 other_config : pmd-cpu-mask: optional string
427 Specifies CPU mask for setting the cpu affinity of PMD (Poll
428 Mode Driver) threads. Value should be in the form of hex string,
429 similar to the dpdk EAL ’-c COREMASK’ option input or the
430 ’taskset’ mask input.
431 The lowest order bit corresponds to the first CPU core. A set
433 bit means the corresponding core is available and a pmd thread
434 will be created and pinned to it. If the input does not cover
435 all cores, those uncovered cores are considered not set.
436 If not specified, one pmd thread will be created for each numa
438 node and pinned to any available core on the numa node by de‐
439 fault.
440 other_config : dpdk-alloc-mem: optional string, containing an integer,
442 at least 0
443 Specifies the amount of memory to preallocate from the hugepage
444 pool, regardless of socket. It is recommended that dpdk-socket-
445 mem is used instead.
446 other_config : dpdk-socket-mem: optional string
448 Specifies the amount of memory to preallocate from the hugepage
449 pool, on a per-socket basis.
450 The specifier is a comma-separated string, in ascending order of
452 CPU socket. E.g. On a four socket system 1024,0,2048 would set
453 socket 0 to preallocate 1024MB, socket 1 to preallocate 0MB,
454 socket 2 to preallocate 2048MB and socket 3 (no value given) to
455 preallocate 0MB.
456 If other_config:dpdk-socket-mem and other_config:dpdk-alloc-mem
458 are not specified, neither will be used and there will be no de‐
459 fault value for each numa node. DPDK defaults will be used in‐
460 stead. If other_config:dpdk-socket-mem and other_config:dpdk-al‐
461 loc-mem are specified at the same time, other_config:dpdk-
462 socket-mem will be used as default. Changing this value requires
463 restarting the daemon.
464 other_config : dpdk-socket-limit: optional string
466 Limits the maximum amount of memory that can be used from the
467 hugepage pool, on a per-socket basis.
468 The specifier is a comma-separated list of memory limits per
470 socket. 0 will disable the limit for a particular socket.
471 If not specified, OVS will not configure limits by default.
473 Changing this value requires restarting the daemon.
474 other_config : dpdk-hugepage-dir: optional string
476 Specifies the path to the hugetlbfs mount point.
477 If not specified, this will be guessed by the DPDK library (de‐
479 fault is /dev/hugepages). Changing this value requires restart‐
480 ing the daemon.
481 other_config : dpdk-extra: optional string
483 Specifies additional eal command line arguments for DPDK.
484 The default is empty. Changing this value requires restarting
486 the daemon
487 other_config : vhost-sock-dir: optional string
489 Specifies a relative path from external_ids:rundir to the vhost-
490 user unix domain socket files. If this value is unset, the sock‐
491 ets are put directly in external_ids:rundir.
492 Changing this value requires restarting the daemon.
494 other_config : vhost-iommu-support: optional string, either true or
496 false
497 vHost IOMMU is a security feature, which restricts the vhost
498 memory that a virtio device may access. vHost IOMMU support is
499 disabled by default, due to a bug in QEMU implementations of the
500 vhost REPLY_ACK protocol, (on which vHost IOMMU relies) prior to
501 v2.9.1. Setting this value to true enables vHost IOMMU support
502 for vHost User Client ports in OvS-DPDK, starting from DPDK
503 v17.11.
504 Changing this value requires restarting the daemon.
506 other_config : vhost-postcopy-support: optional string, either true or
508 false
509 vHost post-copy is a feature which allows switching live migra‐
510 tion of VM attached to dpdkvhostuserclient port to post-copy
511 mode if default pre-copy migration can not be converged or takes
512 too long to converge. Setting this value to true enables vHost
513 post-copy support for all dpdkvhostuserclient ports. Available
514 starting from DPDK v18.11 and QEMU 2.12.
515 Changing this value requires restarting the daemon.
517 other_config : per-port-memory: optional string, either true or false
519 By default OVS DPDK uses a shared memory model wherein devices
520 that have the same MTU and socket values can share the same mem‐
521 pool. Setting this value to true changes this behaviour. Per
522 port memory allow DPDK devices to use private memory per device.
523 This can provide greater transparency as regards memory usage
524 but potentially at the cost of greater memory requirements.
525 Changing this value requires restarting the daemon if dpdk-init
527 has already been set to true.
528 other_config : shared-mempool-config: optional string
530 Specifies dpdk shared mempool config.
531 Value should be set in the following form:
533 other_config:shared-mempool-config=< user-shared-mem‐
535 pool-mtu-list>
536 where
538 • <user-shared-mempool-mtu-list> ::= NULL | <non-empty-
540 list>
541 • <non-empty-list> ::= <user-mtus> | <user-mtus> , <non-
543 empty-list>
544 • <user-mtus> ::= <mtu-all-socket> | <mtu-socket-pair>
546 • <mtu-all-socket> ::= <mtu>
548 • <mtu-socket-pair> ::= <mtu> : <socket-id>
550 Changing this value requires restarting the daemon if dpdk-init
552 has already been set to true.
553 other_config : tx-flush-interval: optional string, containing an inte‐
555 ger, in range 0 to 1,000,000
556 Specifies the time in microseconds that a packet can wait in
557 output batch for sending i.e. amount of time that packet can
558 spend in an intermediate output queue before sending to netdev.
559 This option can be used to configure balance between throughput
560 and latency. Lower values decreases latency while higher values
561 may be useful to achieve higher performance.
562 Defaults to 0 i.e. instant packet sending (latency optimized).
564 other_config : pmd-perf-metrics: optional string, either true or false
566 Enables recording of detailed PMD performance metrics for analy‐
567 sis and trouble-shooting. This can have a performance impact in
568 the order of 1%.
569 Defaults to false but can be changed at any time.
571 other_config : smc-enable: optional string, either true or false
573 Signature match cache or SMC is a cache between EMC and megaflow
574 cache. It does not store the full key of the flow, so it is more
575 memory efficient comparing to EMC cache. SMC is especially use‐
576 ful when flow count is larger than EMC capacity.
577 Defaults to false but can be changed at any time.
579 other_config : pmd-rxq-assign: optional string, one of cycles, group,
581 or roundrobin
582 Specifies how RX queues will be automatically assigned to CPU
583 cores. Options:
584 cycles Rxqs will be sorted by order of measured processing cy‐
586 cles before being assigned to CPU cores.
587 roundrobin
589 Rxqs will be round-robined across CPU cores.
590 group Rxqs will be sorted by order of measured processing cy‐
592 cles before being assigned to CPU cores with lowest esti‐
593 mated load.
594 The default value is cycles.
596 Changing this value will affect an automatic re-assignment of
598 Rxqs to CPUs. Note: Rxqs mapped to CPU cores with pmd-rxq-affin‐
599 ity are unaffected.
600 other_config : pmd-rxq-isolate: optional string, either true or false
602 Specifies if a CPU core will be isolated after being pinned with
603 an Rx queue.
604 Set this value to false to non-isolate a CPU core after it is
606 pinned with an Rxq using pmd-rxq-affinity. This will allow OVS
607 to assign other Rxqs to that CPU core.
608 The default value is true.
610 This can only be false when pmd-rxq-assign is set to group.
612 other_config : n-handler-threads: optional string, containing an inte‐
614 ger, at least 1
615 Attempts to specify the number of threads for software datapaths
616 to use for handling new flows. Some datapaths may choose to ig‐
617 nore this and it will be set to a sensible option for the data‐
618 path type.
619 This configuration is per datapath. If you have more than one
621 software datapath (e.g. some system bridges and some netdev
622 bridges), then the total number of threads is n-handler-threads
623 times the number of software datapaths.
624 other_config : n-revalidator-threads: optional string, containing an
626 integer, at least 1
627 Attempts to specify the number of threads for software datapaths
628 to use for revalidating flows in the datapath. Some datapaths
629 may choose to ignore this and will set to a sensible option for
630 the datapath type.
631 Typically, there is a direct correlation between the number of
633 revalidator threads, and the number of flows allowed in the
634 datapath. The default is the number of cpu cores divided by four
635 plus one. If n-handler-threads is set, the default changes to
636 the number of cpu cores minus the number of handler threads.
637 This configuration is per datapath. If you have more than one
639 software datapath (e.g. some system bridges and some netdev
640 bridges), then the total number of threads is n-handler-threads
641 times the number of software datapaths.
642 other_config : emc-insert-inv-prob: optional string, containing an in‐
644 teger, in range 0 to 4,294,967,295
645 Specifies the inverse probability (1/emc-insert-inv-prob) of a
646 flow being inserted into the Exact Match Cache (EMC). On average
647 one in every emc-insert-inv-prob packets that generate a unique
648 flow will cause an insertion into the EMC. A value of 1 will re‐
649 sult in an insertion for every flow (1/1 = 100%) whereas a value
650 of zero will result in no insertions and essentially disable the
651 EMC.
652 Defaults to 100 ie. there is (1/100 =) 1% chance of EMC inser‐
654 tion.
655 other_config : vlan-limit: optional string, containing an integer, at
657 least 0
658 Limits the number of VLAN headers that can be matched to the
659 specified number. Further VLAN headers will be treated as pay‐
660 load, e.g. a packet with more 802.1q headers will match Ethernet
661 type 0x8100.
662 Open vSwitch userspace currently supports at most 2 VLANs, and
664 each datapath has its own limit. If vlan-limit is nonzero, it
665 acts as a further limit.
666 If this value is absent, the default is currently 1. This main‐
668 tains backward compatibility with controllers that were designed
669 for use with Open vSwitch versions earlier than 2.8, which only
670 supported one VLAN.
671 other_config : bundle-idle-timeout: optional string, containing an in‐
673 teger, at least 1
674 The maximum time (in seconds) that idle bundles will wait to be
675 expired since it was either opened, modified or closed.
676 OpenFlow specification mandates the timeout to be at least one
678 second. The default is 10 seconds.
679 other_config : offload-rebalance: optional string, either true or false
681 Configures HW offload rebalancing, that allows to dynamically
682 offload and un-offload flows while an offload-device is out of
683 resources (OOR). This policy allows flows to be selected for of‐
684 floading based on the packets-per-second (pps) rate of flows.
685 Set this value to true to enable this option.
687 The default value is false. Changing this value requires
689 restarting the daemon.
690 This is only relevant if HW offloading is enabled (hw-offload).
692 When this policy is enabled, it also requires ’tc-policy’ to be
693 set to ’skip_sw’.
694 other_config : pmd-auto-lb: optional string, either true or false
696 Configures PMD Auto Load Balancing that allows automatic assign‐
697 ment of RX queues to PMDs if any of PMDs is overloaded (i.e. a
698 processing cycles > other_config:pmd-auto-lb-load-threshold).
699 It uses current scheme of cycle based assignment of RX queues
701 that are not statically pinned to PMDs.
702 The default value is false.
704 Set this value to true to enable this option. It is currently
706 disabled by default and an experimental feature.
707 This only comes in effect if cycle based assignment is enabled
709 and there are more than one non-isolated PMDs present and at
710 least one of it polls more than one queue.
711 other_config : pmd-auto-lb-rebal-interval: optional string, containing
713 an integer, in range 0 to 20,000
714 The minimum time (in minutes) 2 consecutive PMD Auto Load Bal‐
715 ancing iterations.
716 The default value is 1 min. If configured to 0 then it would be
718 converted to default value i.e. 1 min
719 This option can be configured to avoid frequent trigger of auto
721 load balancing of PMDs. For e.g. set the value (in min) such
722 that it occurs once in few hours or a day or a week.
723 other_config : pmd-auto-lb-load-threshold: optional string, containing
725 an integer, in range 0 to 100
726 Specifies the minimum PMD thread load threshold (% of used cy‐
727 cles) of any non-isolated PMD threads when a PMD Auto Load Bal‐
728 ance may be triggered.
729 The default value is 95%.
731 other_config : pmd-auto-lb-improvement-threshold: optional string, con‐
733 taining an integer, in range 0 to 100
734 Specifies the minimum evaluated % improvement in load distribu‐
735 tion across the non-isolated PMD threads that will allow a PMD
736 Auto Load Balance to occur.
737 Note, setting this parameter to 0 will always allow an auto load
739 balance to occur regardless of estimated improvement or not.
740 The default value is 25%.
742 other_config : pmd-sleep-max: optional string, containing an integer,
744 in range 0 to 10,000
745 Specifies the maximum sleep time that will be requested in mi‐
746 croseconds per iteration for a PMD thread which has received
747 zero or a small amount of packets from the Rx queues it is
748 polling.
749 The actual sleep time requested is based on the load of the Rx
751 queues that the PMD polls and may be less than the maximum
752 value.
753 The default value is 0 microseconds, which means that the PMD
755 will not sleep regardless of the load from the Rx queues that it
756 polls.
757 The maximum value is 10000 microseconds.
759 other_config : userspace-tso-enable: optional string, either true or
761 false
762 Set this value to true to enable userspace support for TCP Seg‐
763 mentation Offloading (TSO). When it is enabled, the interfaces
764 can provide an oversized TCP segment to the datapath and the
765 datapath will offload the TCP segmentation and checksum calcula‐
766 tion to the interfaces when necessary.
767 The default value is false. Changing this value requires
769 restarting the daemon.
770 The feature only works if Open vSwitch is built with DPDK sup‐
772 port.
773 The feature is considered experimental.
775 Status:
777 next_cfg: integer
779 Sequence number for client to increment. When a client modifies
780 any part of the database configuration and wishes to wait for
781 Open vSwitch to finish applying the changes, it may increment
782 this sequence number.
783 cur_cfg: integer
785 Sequence number that Open vSwitch sets to the current value of
786 next_cfg after it finishes applying a set of configuration
787 changes.
788 dpdk_initialized: boolean
790 True if other_config:dpdk-init is set to true and the DPDK li‐
791 brary is successfully initialized.
792 Statistics:
794 The statistics column contains key-value pairs that report statistics
796 about a system running an Open vSwitch. These are updated periodically
797 (currently, every 5 seconds). Key-value pairs that cannot be determined
798 or that do not apply to a platform are omitted.
799 other_config : enable-statistics: optional string, either true or false
801 Statistics are disabled by default to avoid overhead in the com‐
802 mon case when statistics gathering is not useful. Set this value
803 to true to enable populating the statistics column or to false
804 to explicitly disable it.
805 statistics : cpu: optional string, containing an integer, at least 1
807 Number of CPU processors, threads, or cores currently online and
808 available to the operating system on which Open vSwitch is run‐
809 ning, as an integer. This may be less than the number installed,
810 if some are not online or if they are not available to the oper‐
811 ating system.
812 Open vSwitch userspace processes are not multithreaded, but the
814 Linux kernel-based datapath is.
815 statistics : load_average: optional string
817 A comma-separated list of three floating-point numbers, repre‐
818 senting the system load average over the last 1, 5, and 15 min‐
819 utes, respectively.
820 statistics : memory: optional string
822 A comma-separated list of integers, each of which represents a
823 quantity of memory in kilobytes that describes the operating
824 system on which Open vSwitch is running. In respective order,
825 these values are:
826 1. Total amount of RAM allocated to the OS.
828 2. RAM allocated to the OS that is in use.
830 3. RAM that can be flushed out to disk or otherwise discarded
832 if that space is needed for another purpose. This number is
833 necessarily less than or equal to the previous value.
834 4. Total disk space allocated for swap.
836 5. Swap space currently in use.
838 On Linux, all five values can be determined and are included. On
840 other operating systems, only the first two values can be deter‐
841 mined, so the list will only have two values.
842 statistics : process_NAME: optional string
844 One such key-value pair, with NAME replaced by a process name,
845 will exist for each running Open vSwitch daemon process, with
846 name replaced by the daemon’s name (e.g. process_ovs-vswitchd).
847 The value is a comma-separated list of integers. The integers
848 represent the following, with memory measured in kilobytes and
849 durations in milliseconds:
850 1. The process’s virtual memory size.
852 2. The process’s resident set size.
854 3. The amount of user and system CPU time consumed by the
856 process.
857 4. The number of times that the process has crashed and been
859 automatically restarted by the monitor.
860 5. The duration since the process was started.
862 6. The duration for which the process has been running.
864 The interpretation of some of these values depends on whether
866 the process was started with the --monitor. If it was not, then
867 the crash count will always be 0 and the two durations will al‐
868 ways be the same. If --monitor was given, then the crash count
869 may be positive; if it is, the latter duration is the amount of
870 time since the most recent crash and restart.
871 There will be one key-value pair for each file in Open vSwitch’s
873 ``run directory’’ (usually /var/run/openvswitch) whose name ends
874 in .pid, whose contents are a process ID, and which is locked by
875 a running process. The name is taken from the pidfile’s name.
876 Currently Open vSwitch is only able to obtain all of the above
878 detail on Linux systems. On other systems, the same key-value
879 pairs will be present but the values will always be the empty
880 string.
881 statistics : file_systems: optional string
883 A space-separated list of information on local, writable file
884 systems. Each item in the list describes one file system and
885 consists in turn of a comma-separated list of the following:
886 1. Mount point, e.g. / or /var/log. Any spaces or commas in the
888 mount point are replaced by underscores.
889 2. Total size, in kilobytes, as an integer.
891 3. Amount of storage in use, in kilobytes, as an integer.
893 This key-value pair is omitted if there are no local, writable
895 file systems or if Open vSwitch cannot obtain the needed infor‐
896 mation.
897 Version Reporting:
899 These columns report the types and versions of the hardware and soft‐
901 ware running Open vSwitch. We recommend in general that software should
902 test whether specific features are supported instead of relying on ver‐
903 sion number checks. These values are primarily intended for reporting
904 to human administrators.
905 ovs_version: optional string
907 The Open vSwitch version number, e.g. 1.1.0.
908 db_version: optional string
910 The database schema version number, e.g. 1.2.3. See ovsdb-
911 tool(1) for an explanation of the numbering scheme.
912 The schema version is part of the database schema, so it can
914 also be retrieved by fetching the schema using the Open vSwitch
915 database protocol.
916 system_type: optional string
918 An identifier for the type of system on top of which Open
919 vSwitch runs, e.g. KVM.
920 System integrators are responsible for choosing and setting an
922 appropriate value for this column.
923 system_version: optional string
925 The version of the system identified by system_type, e.g.
926 4.18.0-372.19.1.el8_6 on RHEL 8.6 with kernel 4.18.0-372.19.1.
927 System integrators are responsible for choosing and setting an
929 appropriate value for this column.
930 dpdk_version: optional string
932 The version of the linked DPDK library.
933 Capabilities:
935 These columns report capabilities of the Open vSwitch instance.
937 datapath_types: set of strings
939 This column reports the different dpifs registered with the sys‐
940 tem. These are the values that this instance supports in the
941 datapath_type column of the Bridge table.
942 iface_types: set of strings
944 This column reports the different netdevs registered with the
945 system. These are the values that this instance supports in the
946 type column of the Interface table.
947 Database Configuration:
949 These columns primarily configure the Open vSwitch database
951 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The OVSDB
952 database also uses the ssl settings.
953 The Open vSwitch switch does read the database configuration to deter‐
955 mine remote IP addresses to which in-band control should apply.
956 manager_options: set of Managers
958 Database clients to which the Open vSwitch database server
959 should connect or to which it should listen, along with options
960 for how these connections should be configured. See the Manager
961 table for more information.
962 For this column to serve its purpose, ovsdb-server must be con‐
964 figured to honor it. The easiest way to do this is to invoke
965 ovsdb-server with the option --re‐
966 mote=db:Open_vSwitch,Open_vSwitch,manager_options The startup
967 scripts that accompany Open vSwitch do this by default.
968 IPsec:
970 These settings control the global configuration of IPsec tunnels. The
972 options column of the Interface table configures IPsec for individual
973 tunnels. The options column also allows for custom options prefixed
974 with ipsec_ to be passed to the individual connections.
975 OVS IPsec supports the following three forms of authentication. Cur‐
977 rently, all IPsec tunnels must use the same form:
978 1. Pre-shared keys: Omit the global settings. On each tunnel,
980 set options:psk.
981 2. Self-signed certificates: Set the private_key and certifi‐
983 cate global settings. On each tunnel, set options:re‐
984 mote_cert. The remote certificate can be self-signed.
985 3. CA-signed certificates: Set all of the global settings. On
987 each tunnel, set options:remote_name to the common name (CN)
988 of the remote certificate. The remote certificate must be
989 signed by the CA.
990 other_config : private_key: optional string
992 Name of a PEM file containing the private key used as the
993 switch’s identity for IPsec tunnels.
994 other_config : certificate: optional string
996 Name of a PEM file containing a certificate that certifies the
997 switch’s private key, and identifies a trustworthy switch for
998 IPsec tunnels. The certificate must be x.509 version 3 and with
999 the string in common name (CN) also set in the subject alterna‐
1000 tive name (SAN).
1001 other_config : ca_cert: optional string
1003 Name of a PEM file containing the CA certificate used to verify
1004 that a remote switch of the IPsec tunnel is trustworthy.
1005 Plaintext Tunnel Policy:
1007 When an IPsec tunnel is configured in this database, multiple indepen‐
1009 dent components take responsibility for implementing it. ovs-vswitchd
1010 and its datapath handle packet forwarding to the tunnel and a separate
1011 daemon pushes the tunnel’s IPsec policy configuration to the kernel or
1012 other entity that implements it. There is a race: if the former config‐
1013 uration completes before the latter, then packets sent by the local
1014 host over the tunnel can be transmitted in plaintext. Using this set‐
1015 ting, OVS users can avoid this undesirable situation.
1016 other_config : ipsec_skb_mark: optional string
1018 This setting takes the form value/mask. If it is specified, then
1019 the skb_mark field in every outgoing tunneled packet sent in
1020 plaintext is compared against it and, if it matches, the packet
1021 is dropped. This is a global setting that is applied to every
1022 tunneled packet, regardless of whether IPsec encryption is en‐
1023 abled for the tunnel, the type of tunnel, or whether OVS is in‐
1024 volved.
1025 Example policies:
1027 1/1 Drop all unencrypted tunneled packets in which the least-
1029 significant bit of skb_mark is 1. This would be a useful
1030 policy given an OpenFlow flow table that sets skb_mark to
1031 1 for traffic that should be encrypted. The default
1032 skb_mark is 0, so this would not affect other traffic.
1033 0/1 Drop all unencrypted tunneled packets in which the least-
1035 significant bit of skb_mark is 0. This would be a useful
1036 policy if no unencrypted tunneled traffic should exit the
1037 system without being specially permitted by setting
1038 skb_mark to 1.
1039 (empty)
1041 If this setting is empty or unset, then all unencrypted
1042 tunneled packets are transmitted in the usual way.
1043 Common Columns:
1045 The overall purpose of these columns is described under Common Columns
1047 at the beginning of this document.
1048 other_config: map of string-string pairs
1050 external_ids: map of string-string pairs
1052
1054 Configuration for a bridge within an Open_vSwitch.
1055 A Bridge record represents an Ethernet switch with one or more
1057 ``ports,’’ which are the Port records pointed to by the Bridge’s ports
1058 column.
1059 Summary:
1061 Core Features:
1062 name immutable string (must be unique within
1063 table)
1064 ports set of Ports
1065 mirrors set of Mirrors
1066 netflow optional NetFlow
1067 sflow optional sFlow
1068 ipfix optional IPFIX
1069 flood_vlans set of up to 4,096 integers, in range 0
1070 to 4,095
1071 auto_attach optional AutoAttach
1072 OpenFlow Configuration:
1073 controller set of Controllers
1074 flow_tables map of integer-Flow_Table pairs, key in
1075 range 0 to 254
1076 fail_mode optional string, either secure or stand‐
1077 alone
1078 datapath_id optional string
1079 datapath_version string
1080 other_config : datapath-id optional string
1081 other_config : dp-desc optional string
1082 other_config : dp-sn optional string
1083 other_config : disable-in-band
1084 optional string, either true or false
1085 other_config : in-band-queue
1086 optional string, containing an integer,
1087 in range 0 to 4,294,967,295
1088 other_config : controller-queue-size
1089 optional string, containing an integer,
1090 in range 1 to 512
1091 protocols set of strings, one of OpenFlow10, Open‐
1092 Flow11, OpenFlow12, OpenFlow13, Open‐
1093 Flow14, or OpenFlow15
1094 Spanning Tree Configuration:
1095 STP Configuration:
1096 stp_enable boolean
1097 other_config : stp-system-id
1098 optional string
1099 other_config : stp-priority
1100 optional string, containing an integer,
1101 in range 0 to 65,535
1102 other_config : stp-hello-time
1103 optional string, containing an integer,
1104 in range 1 to 10
1105 other_config : stp-max-age
1106 optional string, containing an integer,
1107 in range 6 to 40
1108 other_config : stp-forward-delay
1109 optional string, containing an integer,
1110 in range 4 to 30
1111 other_config : mcast-snooping-aging-time
1112 optional string, containing an integer,
1113 at least 1
1114 other_config : mcast-snooping-table-size
1115 optional string, containing an integer,
1116 at least 1
1117 other_config : mcast-snooping-disable-flood-unregistered
1118 optional string, either true or false
1119 STP Status:
1120 status : stp_bridge_id optional string
1121 status : stp_designated_root
1122 optional string
1123 status : stp_root_path_cost
1124 optional string
1125 Rapid Spanning Tree:
1126 RSTP Configuration:
1127 rstp_enable boolean
1128 other_config : rstp-address
1129 optional string
1130 other_config : rstp-priority
1131 optional string, containing an integer,
1132 in range 0 to 61,440
1133 other_config : rstp-ageing-time
1134 optional string, containing an integer,
1135 in range 10 to 1,000,000
1136 other_config : rstp-force-protocol-version
1137 optional string, containing an integer
1138 other_config : rstp-max-age
1139 optional string, containing an integer,
1140 in range 6 to 40
1141 other_config : rstp-forward-delay
1142 optional string, containing an integer,
1143 in range 4 to 30
1144 other_config : rstp-transmit-hold-count
1145 optional string, containing an integer,
1146 in range 1 to 10
1147 RSTP Status:
1148 rstp_status : rstp_bridge_id
1149 optional string
1150 rstp_status : rstp_root_id
1151 optional string
1152 rstp_status : rstp_root_path_cost
1153 optional string, containing an integer,
1154 at least 0
1155 rstp_status : rstp_designated_id
1156 optional string
1157 rstp_status : rstp_designated_port_id
1158 optional string
1159 rstp_status : rstp_bridge_port_id
1160 optional string
1161 Multicast Snooping Configuration:
1162 mcast_snooping_enable boolean
1163 Other Features:
1164 datapath_type string
1165 external_ids : bridge-id optional string
1166 other_config : hwaddr optional string
1167 other_config : forward-bpdu
1168 optional string, either true or false
1169 other_config : mac-aging-time
1170 optional string, containing an integer,
1171 at least 1
1172 other_config : mac-table-size
1173 optional string, containing an integer,
1174 at least 1
1175 Common Columns:
1176 other_config map of string-string pairs
1177 external_ids map of string-string pairs
1178 Details:
1180 Core Features:
1181 name: immutable string (must be unique within table)
1183 Bridge identifier. Must be unique among the names of ports, in‐
1184 terfaces, and bridges on a host.
1185 The name must be alphanumeric and must not contain forward or
1187 backward slashes. The name of a bridge is also the name of an
1188 Interface (and a Port) within the bridge, so the restrictions on
1189 the name column in the Interface table, particularly on length,
1190 also apply to bridge names. Refer to the documentation for In‐
1191 terface names for details.
1192 ports: set of Ports
1194 Ports included in the bridge.
1195 mirrors: set of Mirrors
1197 Port mirroring configuration.
1198 netflow: optional NetFlow
1200 NetFlow configuration.
1201 sflow: optional sFlow
1203 sFlow(R) configuration.
1204 ipfix: optional IPFIX
1206 IPFIX configuration.
1207 flood_vlans: set of up to 4,096 integers, in range 0 to 4,095
1209 VLAN IDs of VLANs on which MAC address learning should be dis‐
1210 abled, so that packets are flooded instead of being sent to spe‐
1211 cific ports that are believed to contain packets’ destination
1212 MACs. This should ordinarily be used to disable MAC learning on
1213 VLANs used for mirroring (RSPAN VLANs). It may also be useful
1214 for debugging.
1215 SLB bonding (see the bond_mode column in the Port table) is in‐
1217 compatible with flood_vlans. Consider using another bonding mode
1218 or a different type of mirror instead.
1219 auto_attach: optional AutoAttach
1221 Auto Attach configuration.
1222 OpenFlow Configuration:
1224 controller: set of Controllers
1226 OpenFlow controller set. If unset, then no OpenFlow controllers
1227 will be used.
1228 If there are primary controllers, removing all of them clears
1230 the OpenFlow flow tables, group table, and meter table. If there
1231 are no primary controllers, adding one also clears these tables.
1232 Other changes to the set of controllers, such as adding or re‐
1233 moving a service controller, adding another primary controller
1234 to supplement an existing primary controller, or removing only
1235 one of two primary controllers, have no effect on these tables.
1236 flow_tables: map of integer-Flow_Table pairs, key in range 0 to 254
1238 Configuration for OpenFlow tables. Each pair maps from an Open‐
1239 Flow table ID to configuration for that table.
1240 fail_mode: optional string, either secure or standalone
1242 When a controller is configured, it is, ordinarily, responsible
1243 for setting up all flows on the switch. Thus, if the connection
1244 to the controller fails, no new network connections can be set
1245 up. If the connection to the controller stays down long enough,
1246 no packets can pass through the switch at all. This setting de‐
1247 termines the switch’s response to such a situation. It may be
1248 set to one of the following:
1249 standalone
1251 If no message is received from the controller for three
1252 times the inactivity probe interval (see inactiv‐
1253 ity_probe), then Open vSwitch will take over responsibil‐
1254 ity for setting up flows. In this mode, Open vSwitch
1255 causes the bridge to act like an ordinary MAC-learning
1256 switch. Open vSwitch will continue to retry connecting to
1257 the controller in the background and, when the connection
1258 succeeds, it will discontinue its standalone behavior.
1259 secure Open vSwitch will not set up flows on its own when the
1261 controller connection fails or when no controllers are
1262 defined. The bridge will continue to retry connecting to
1263 any defined controllers forever.
1264 The default is standalone if the value is unset, but future ver‐
1266 sions of Open vSwitch may change the default.
1267 The standalone mode can create forwarding loops on a bridge that
1269 has more than one uplink port unless STP is enabled. To avoid
1270 loops on such a bridge, configure secure mode or enable STP (see
1271 stp_enable).
1272 The fail_mode setting applies only to primary controllers. When
1274 more than one primary controller is configured, fail_mode is
1275 considered only when none of the configured controllers can be
1276 contacted.
1277 Changing fail_mode when no primary controllers are configured
1279 clears the OpenFlow flow tables, group table, and meter table.
1280 datapath_id: optional string
1282 Reports the OpenFlow datapath ID in use. Exactly 16 hex digits.
1283 (Setting this column has no useful effect. Set other-con‐
1284 fig:datapath-id instead.)
1285 datapath_version: string
1287 Reports the datapath version. This column is maintained for
1288 backwards compatibility. The preferred locatation is the data‐
1289 path_id column of the Datapath table. The full documentation for
1290 this column is there.
1291 other_config : datapath-id: optional string
1293 Overrides the default OpenFlow datapath ID, setting it to the
1294 specified value specified in hex. The value must either have a
1295 0x prefix or be exactly 16 hex digits long. May not be all-zero.
1296 other_config : dp-desc: optional string
1298 Human readable description of datapath. It is a maximum 256
1299 byte-long free-form string to describe the datapath for debug‐
1300 ging purposes, e.g. switch3 in room 3120. The value is returned
1301 by the switch as a part of reply to OFPMP_DESC request
1302 (ofp_desc). The OpenFlow specification (e.g. 1.3.5) describes
1303 the ofp_desc structure to contaion "NULL terminated ASCII
1304 strings". For the compatibility reasons no more than 255 ASCII
1305 characters should be used.
1306 other_config : dp-sn: optional string
1308 Serial number. It is a maximum 32 byte-long free-form string to
1309 provide an additional switch identification. The value is re‐
1310 turned by the switch as a part of reply to OFPMP_DESC request
1311 (ofp_desc). Same as mentioned in the description of other-con‐
1312 fig:dp-desc, the string should be no more than 31 ASCII charac‐
1313 ters for the compatibility.
1314 other_config : disable-in-band: optional string, either true or false
1316 If set to true, disable in-band control on the bridge regardless
1317 of controller and manager settings.
1318 other_config : in-band-queue: optional string, containing an integer,
1320 in range 0 to 4,294,967,295
1321 A queue ID as a nonnegative integer. This sets the OpenFlow
1322 queue ID that will be used by flows set up by in-band control on
1323 this bridge. If unset, or if the port used by an in-band control
1324 flow does not have QoS configured, or if the port does not have
1325 a queue with the specified ID, the default queue is used in‐
1326 stead.
1327 other_config : controller-queue-size: optional string, containing an
1329 integer, in range 1 to 512
1330 This sets the maximum size of the queue of packets that need to
1331 be sent to the OpenFlow management controller. The value must be
1332 less than 512. If not specified the queue size is limited to 100
1333 packets by default. Note: increasing the queue size might have a
1334 negative impact on latency.
1335 protocols: set of strings, one of OpenFlow10, OpenFlow11, OpenFlow12,
1337 OpenFlow13, OpenFlow14, or OpenFlow15
1338 List of OpenFlow protocols that may be used when negotiating a
1339 connection with a controller. OpenFlow 1.0, 1.1, 1.2, 1.3, 1.4,
1340 and 1.5 are enabled by default if this column is empty.
1341 Spanning Tree Configuration:
1343 The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol that
1345 ensures loop-free topologies. It allows redundant links to be included
1346 in the network to provide automatic backup paths if the active links
1347 fails.
1348 These settings configure the slower-to-converge but still widely sup‐
1350 ported version of Spanning Tree Protocol, sometimes known as
1351 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree
1352 Protocol (RSTP), documented later in the section titled Rapid Spanning
1353 Tree Configuration.
1354 STP Configuration:
1356 stp_enable: boolean
1358 Enable spanning tree on the bridge. By default, STP is disabled
1359 on bridges. Bond, internal, and mirror ports are not supported
1360 and will not participate in the spanning tree.
1361 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1363 will be used.
1364 other_config : stp-system-id: optional string
1366 The bridge’s STP identifier (the lower 48 bits of the bridge-id)
1367 in the form xx:xx:xx:xx:xx:xx. By default, the identifier is the
1368 MAC address of the bridge.
1369 other_config : stp-priority: optional string, containing an integer, in
1371 range 0 to 65,535
1372 The bridge’s relative priority value for determining the root
1373 bridge (the upper 16 bits of the bridge-id). A bridge with the
1374 lowest bridge-id is elected the root. By default, the priority
1375 is 0x8000.
1376 other_config : stp-hello-time: optional string, containing an integer,
1378 in range 1 to 10
1379 The interval between transmissions of hello messages by desig‐
1380 nated ports, in seconds. By default the hello interval is 2 sec‐
1381 onds.
1382 other_config : stp-max-age: optional string, containing an integer, in
1384 range 6 to 40
1385 The maximum age of the information transmitted by the bridge
1386 when it is the root bridge, in seconds. By default, the maximum
1387 age is 20 seconds.
1388 other_config : stp-forward-delay: optional string, containing an inte‐
1390 ger, in range 4 to 30
1391 The delay to wait between transitioning root and designated
1392 ports to forwarding, in seconds. By default, the forwarding de‐
1393 lay is 15 seconds.
1394 other_config : mcast-snooping-aging-time: optional string, containing
1396 an integer, at least 1
1397 The maximum number of seconds to retain a multicast snooping en‐
1398 try for which no packets have been seen. The default is cur‐
1399 rently 300 seconds (5 minutes). The value, if specified, is
1400 forced into a reasonable range, currently 15 to 3600 seconds.
1401 other_config : mcast-snooping-table-size: optional string, containing
1403 an integer, at least 1
1404 The maximum number of multicast snooping addresses to learn. The
1405 default is currently 2048. The value, if specified, is forced
1406 into a reasonable range, currently 10 to 1,000,000.
1407 other_config : mcast-snooping-disable-flood-unregistered: optional
1409 string, either true or false
1410 If set to false, unregistered multicast packets are forwarded to
1411 all ports. If set to true, unregistered multicast packets are
1412 forwarded to ports connected to multicast routers.
1413 STP Status:
1415 These key-value pairs report the status of 802.1D-1998. They are
1417 present only if STP is enabled (via the stp_enable column).
1418 status : stp_bridge_id: optional string
1420 The bridge ID used in spanning tree advertisements, in the form
1421 xxxx.yyyyyyyyyyyy where the xs are the STP priority, the ys are
1422 the STP system ID, and each x and y is a hex digit.
1423 status : stp_designated_root: optional string
1425 The designated root for this spanning tree, in the same form as
1426 status:stp_bridge_id. If this bridge is the root, this will have
1427 the same value as status:stp_bridge_id, otherwise it will dif‐
1428 fer.
1429 status : stp_root_path_cost: optional string
1431 The path cost of reaching the designated bridge. A lower number
1432 is better. The value is 0 if this bridge is the root, otherwise
1433 it is higher.
1434 Rapid Spanning Tree:
1436 Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
1438 that ensures loop-free topologies. RSTP superseded STP with the publi‐
1439 cation of 802.1D-2004. Compared to STP, RSTP converges more quickly and
1440 recovers more quickly from failures.
1441 RSTP Configuration:
1443 rstp_enable: boolean
1445 Enable Rapid Spanning Tree on the bridge. By default, RSTP is
1446 disabled on bridges. Bond, internal, and mirror ports are not
1447 supported and will not participate in the spanning tree.
1448 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1450 will be used.
1451 other_config : rstp-address: optional string
1453 The bridge’s RSTP address (the lower 48 bits of the bridge-id)
1454 in the form xx:xx:xx:xx:xx:xx. By default, the address is the
1455 MAC address of the bridge.
1456 other_config : rstp-priority: optional string, containing an integer,
1458 in range 0 to 61,440
1459 The bridge’s relative priority value for determining the root
1460 bridge (the upper 16 bits of the bridge-id). A bridge with the
1461 lowest bridge-id is elected the root. By default, the priority
1462 is 0x8000 (32768). This value needs to be a multiple of 4096,
1463 otherwise it’s rounded to the nearest inferior one.
1464 other_config : rstp-ageing-time: optional string, containing an inte‐
1466 ger, in range 10 to 1,000,000
1467 The Ageing Time parameter for the Bridge. The default value is
1468 300 seconds.
1469 other_config : rstp-force-protocol-version: optional string, containing
1471 an integer
1472 The Force Protocol Version parameter for the Bridge. This can
1473 take the value 0 (STP Compatibility mode) or 2 (the default,
1474 normal operation).
1475 other_config : rstp-max-age: optional string, containing an integer, in
1477 range 6 to 40
1478 The maximum age of the information transmitted by the Bridge
1479 when it is the Root Bridge. The default value is 20.
1480 other_config : rstp-forward-delay: optional string, containing an inte‐
1482 ger, in range 4 to 30
1483 The delay used by STP Bridges to transition Root and Designated
1484 Ports to Forwarding. The default value is 15.
1485 other_config : rstp-transmit-hold-count: optional string, containing an
1487 integer, in range 1 to 10
1488 The Transmit Hold Count used by the Port Transmit state machine
1489 to limit transmission rate. The default value is 6.
1490 RSTP Status:
1492 These key-value pairs report the status of 802.1D-2004. They are
1494 present only if RSTP is enabled (via the rstp_enable column).
1495 rstp_status : rstp_bridge_id: optional string
1497 The bridge ID used in rapid spanning tree advertisements, in the
1498 form x.yyy.zzzzzzzzzzzz where x is the RSTP priority, the ys are
1499 a locally assigned system ID extension, the zs are the STP sys‐
1500 tem ID, and each x, y, or z is a hex digit.
1501 rstp_status : rstp_root_id: optional string
1503 The root of this spanning tree, in the same form as rstp_sta‐
1504 tus:rstp_bridge_id. If this bridge is the root, this will have
1505 the same value as rstp_status:rstp_bridge_id, otherwise it will
1506 differ.
1507 rstp_status : rstp_root_path_cost: optional string, containing an inte‐
1509 ger, at least 0
1510 The path cost of reaching the root. A lower number is better.
1511 The value is 0 if this bridge is the root, otherwise it is
1512 higher.
1513 rstp_status : rstp_designated_id: optional string
1515 The RSTP designated ID, in the same form as rstp_sta‐
1516 tus:rstp_bridge_id.
1517 rstp_status : rstp_designated_port_id: optional string
1519 The RSTP designated port ID, as a 4-digit hex number.
1520 rstp_status : rstp_bridge_port_id: optional string
1522 The RSTP bridge port ID, as a 4-digit hex number.
1523 Multicast Snooping Configuration:
1525 Multicast snooping (RFC 4541) monitors the Internet Group Management
1527 Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
1528 and multicast routers. The switch uses what IGMP and MLD snooping
1529 learns to forward multicast traffic only to interfaces that are con‐
1530 nected to interested receivers. Currently it supports IGMPv1, IGMPv2,
1531 IGMPv3, MLDv1 and MLDv2 protocols.
1532 mcast_snooping_enable: boolean
1534 Enable multicast snooping on the bridge. For now, the default is
1535 disabled.
1536 Other Features:
1538 datapath_type: string
1540 Name of datapath provider. The kernel datapath has type system.
1541 The userspace datapath has type netdev. A manager may refer to
1542 the datapath_types column of the Open_vSwitch table for a list
1543 of the types accepted by this Open vSwitch instance.
1544 external_ids : bridge-id: optional string
1546 A unique identifier of the bridge.
1547 other_config : hwaddr: optional string
1549 An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the
1550 hardware address of the local port and influence the datapath
1551 ID.
1552 other_config : forward-bpdu: optional string, either true or false
1554 Controls forwarding of BPDUs and other network control frames
1555 when NORMAL action is invoked. When this option is false or un‐
1556 set, frames with reserved Ethernet addresses (see table below)
1557 will not be forwarded. When this option is true, such frames
1558 will not be treated specially.
1559 The above general rule has the following exceptions:
1561 • If STP is enabled on the bridge (see the stp_enable col‐
1563 umn in the Bridge table), the bridge processes all re‐
1564 ceived STP packets and never passes them to OpenFlow or
1565 forwards them. This is true even if STP is disabled on an
1566 individual port.
1567 • If LLDP is enabled on an interface (see the lldp column
1569 in the Interface table), the interface processes received
1570 LLDP packets and never passes them to OpenFlow or for‐
1571 wards them.
1572 Set this option to true if the Open vSwitch bridge connects dif‐
1574 ferent Ethernet networks and is not configured to participate in
1575 STP.
1576 This option affects packets with the following destination MAC
1578 addresses:
1579 01:80:c2:00:00:00
1581 IEEE 802.1D Spanning Tree Protocol (STP).
1582 01:80:c2:00:00:01
1584 IEEE Pause frame.
1585 01:80:c2:00:00:0x
1587 Other reserved protocols.
1588 00:e0:2b:00:00:00
1590 Extreme Discovery Protocol (EDP).
1591 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06
1593 Ethernet Automatic Protection Switching (EAPS).
1594 01:00:0c:cc:cc:cc
1596 Cisco Discovery Protocol (CDP), VLAN Trunking Protocol
1597 (VTP), Dynamic Trunking Protocol (DTP), Port Aggregation
1598 Protocol (PAgP), and others.
1599 01:00:0c:cc:cc:cd
1601 Cisco Shared Spanning Tree Protocol PVSTP+.
1602 01:00:0c:cd:cd:cd
1604 Cisco STP Uplink Fast.
1605 01:00:0c:00:00:00
1607 Cisco Inter Switch Link.
1608 01:00:0c:cc:cc:cx
1610 Cisco CFM.
1611 other_config : mac-aging-time: optional string, containing an integer,
1613 at least 1
1614 The maximum number of seconds to retain a MAC learning entry for
1615 which no packets have been seen. The default is currently 300
1616 seconds (5 minutes). The value, if specified, is forced into a
1617 reasonable range, currently 15 to 3600 seconds.
1618 A short MAC aging time allows a network to more quickly detect
1620 that a host is no longer connected to a switch port. However, it
1621 also makes it more likely that packets will be flooded unneces‐
1622 sarily, when they are addressed to a connected host that rarely
1623 transmits packets. To reduce the incidence of unnecessary flood‐
1624 ing, use a MAC aging time longer than the maximum interval at
1625 which a host will ordinarily transmit packets.
1626 other_config : mac-table-size: optional string, containing an integer,
1628 at least 1
1629 The maximum number of MAC addresses to learn. The default is
1630 currently 8192. The value, if specified, is forced into a rea‐
1631 sonable range, currently 10 to 1,000,000.
1632 Common Columns:
1634 The overall purpose of these columns is described under Common Columns
1636 at the beginning of this document.
1637 other_config: map of string-string pairs
1639 external_ids: map of string-string pairs
1641
1643 A port within a Bridge.
1644 Most commonly, a port has exactly one ``interface,’’ pointed to by its
1646 interfaces column. Such a port logically corresponds to a port on a
1647 physical Ethernet switch. A port with more than one interface is a
1648 ``bonded port’’ (see Bonding Configuration).
1649 Some properties that one might think as belonging to a port are actu‐
1651 ally part of the port’s Interface members.
1652 Summary:
1654 name immutable string (must be unique within
1655 table)
1656 interfaces set of 1 or more Interfaces
1657 VLAN Configuration:
1658 vlan_mode optional string, one of access,
1659 dot1q-tunnel, native-tagged, native-un‐
1660 tagged, or trunk
1661 tag optional integer, in range 0 to 4,095
1662 trunks set of up to 4,096 integers, in range 0
1663 to 4,095
1664 cvlans set of up to 4,096 integers, in range 0
1665 to 4,095
1666 other_config : qinq-ethtype
1667 optional string, either 802.1ad or 802.1q
1668 other_config : priority-tags
1669 optional string, one of always, if-non‐
1670 zero, or never
1671 Bonding Configuration:
1672 bond_mode optional string, one of active-backup,
1673 balance-slb, or balance-tcp
1674 other_config : bond-hash-basis
1675 optional string, containing an integer
1676 other_config : lb-output-action
1677 optional string, either true or false
1678 other_config : bond-primary
1679 optional string
1680 other_config : all-members-active
1681 optional string, either true or false
1682 Link Failure Detection:
1683 other_config : bond-detect-mode
1684 optional string, either carrier or miimon
1685 other_config : bond-miimon-interval
1686 optional string, containing an integer
1687 bond_updelay integer
1688 bond_downdelay integer
1689 LACP Configuration:
1690 lacp optional string, one of active, off, or
1691 passive
1692 other_config : lacp-system-id
1693 optional string
1694 other_config : lacp-system-priority
1695 optional string, containing an integer,
1696 in range 1 to 65,535
1697 other_config : lacp-time optional string, either fast or slow
1698 other_config : lacp-fallback-ab
1699 optional string, either true or false
1700 Rebalancing Configuration:
1701 other_config : bond-rebalance-interval
1702 optional string, containing an integer,
1703 in range 0 to 2,147,483,647
1704 bond_fake_iface boolean
1705 Spanning Tree Protocol:
1706 STP Configuration:
1707 other_config : stp-enable
1708 optional string, either true or false
1709 other_config : stp-port-num
1710 optional string, containing an integer,
1711 in range 1 to 255
1712 other_config : stp-port-priority
1713 optional string, containing an integer,
1714 in range 0 to 255
1715 other_config : stp-path-cost
1716 optional string, containing an integer,
1717 in range 0 to 65,535
1718 STP Status:
1719 status : stp_port_id optional string
1720 status : stp_state optional string, one of blocking, dis‐
1721 abled, forwarding, learning, or listening
1722 status : stp_sec_in_state
1723 optional string, containing an integer,
1724 at least 0
1725 status : stp_role optional string, one of alternate, desig‐
1726 nated, or root
1727 Rapid Spanning Tree Protocol:
1728 RSTP Configuration:
1729 other_config : rstp-enable
1730 optional string, either true or false
1731 other_config : rstp-port-priority
1732 optional string, containing an integer,
1733 in range 0 to 240
1734 other_config : rstp-port-num
1735 optional string, containing an integer,
1736 in range 1 to 4,095
1737 other_config : rstp-path-cost
1738 optional string, containing an integer
1739 other_config : rstp-port-admin-edge
1740 optional string, either true or false
1741 other_config : rstp-port-auto-edge
1742 optional string, either true or false
1743 other_config : rstp-port-mcheck
1744 optional string, either true or false
1745 RSTP Status:
1746 rstp_status : rstp_port_id
1747 optional string
1748 rstp_status : rstp_port_role
1749 optional string, one of Alternate,
1750 Backup, Designated, Disabled, or Root
1751 rstp_status : rstp_port_state
1752 optional string, one of Disabled, Dis‐
1753 carding, Forwarding, or Learning
1754 rstp_status : rstp_designated_bridge_id
1755 optional string
1756 rstp_status : rstp_designated_port_id
1757 optional string
1758 rstp_status : rstp_designated_path_cost
1759 optional string, containing an integer
1760 RSTP Statistics:
1761 rstp_statistics : rstp_tx_count
1762 optional integer
1763 rstp_statistics : rstp_rx_count
1764 optional integer
1765 rstp_statistics : rstp_error_count
1766 optional integer
1767 rstp_statistics : rstp_uptime
1768 optional integer
1769 Multicast Snooping:
1770 other_config : mcast-snooping-flood
1771 optional string, either true or false
1772 other_config : mcast-snooping-flood-reports
1773 optional string, either true or false
1774 Other Features:
1775 qos optional QoS
1776 mac optional string
1777 fake_bridge boolean
1778 protected boolean
1779 external_ids : fake-bridge-*
1780 optional string
1781 other_config : transient optional string, either true or false
1782 bond_active_slave optional string
1783 Port Statistics:
1784 Statistics: STP transmit and receive counters:
1785 statistics : stp_tx_count
1786 optional integer
1787 statistics : stp_rx_count
1788 optional integer
1789 statistics : stp_error_count
1790 optional integer
1791 Common Columns:
1792 other_config map of string-string pairs
1793 external_ids map of string-string pairs
1794 Details:
1796 name: immutable string (must be unique within table)
1797 Port name. For a non-bonded port, this should be the same as its
1798 interface’s name. Port names must otherwise be unique among the
1799 names of ports, interfaces, and bridges on a host. Because port
1800 and interfaces names are usually the same, the restrictions on
1801 the name column in the Interface table, particularly on length,
1802 also apply to port names. Refer to the documentation for Inter‐
1803 face names for details.
1804 interfaces: set of 1 or more Interfaces
1806 The port’s interfaces. If there is more than one, this is a
1807 bonded Port.
1808 VLAN Configuration:
1810 In short, a VLAN (short for ``virtual LAN’’) is a way to partition a
1812 single switch into multiple switches. VLANs can be confusing, so for an
1813 introduction, please refer to the question ``What’s a VLAN?’’ in the
1814 Open vSwitch FAQ.
1815 A VLAN is sometimes encoded into a packet using a 802.1Q or 802.1ad
1817 VLAN header, but every packet is part of some VLAN whether or not it is
1818 encoded in the packet. (A packet that appears to have no VLAN is part
1819 of VLAN 0, by default.) As a result, it’s useful to think of a VLAN as
1820 a metadata property of a packet, separate from how the VLAN is encoded.
1821 For a given port, this column determines how the encoding of a packet
1822 that ingresses or egresses the port maps to the packet’s VLAN. When a
1823 packet enters the switch, its VLAN is determined based on its setting
1824 in this column and its VLAN headers, if any, and then, conceptually,
1825 the VLAN headers are then stripped off. Conversely, when a packet exits
1826 the switch, its VLAN and the settings in this column determine what
1827 VLAN headers, if any, are pushed onto the packet before it egresses the
1828 port.
1829 The VLAN configuration in this column affects Open vSwitch only when it
1831 is doing ``normal switching.’’ It does not affect flows set up by an
1832 OpenFlow controller, outside of the OpenFlow ``normal action.’’
1833 Bridge ports support the following types of VLAN configuration:
1835 trunk A trunk port carries packets on one or more specified
1837 VLANs specified in the trunks column (often, on every
1838 VLAN). A packet that ingresses on a trunk port is in the
1839 VLAN specified in its 802.1Q header, or VLAN 0 if the
1840 packet has no 802.1Q header. A packet that egresses
1841 through a trunk port will have an 802.1Q header if it has
1842 a nonzero VLAN ID.
1843 Any packet that ingresses on a trunk port tagged with a
1845 VLAN that the port does not trunk is dropped.
1846 access An access port carries packets on exactly one VLAN speci‐
1848 fied in the tag column. Packets egressing on an access
1849 port have no 802.1Q header.
1850 Any packet with an 802.1Q header with a nonzero VLAN ID
1852 that ingresses on an access port is dropped, regardless
1853 of whether the VLAN ID in the header is the access port’s
1854 VLAN ID.
1855 native-tagged
1857 A native-tagged port resembles a trunk port, with the ex‐
1858 ception that a packet without an 802.1Q header that in‐
1859 gresses on a native-tagged port is in the ``native VLAN’’
1860 (specified in the tag column).
1861 native-untagged
1863 A native-untagged port resembles a native-tagged port,
1864 with the exception that a packet that egresses on a na‐
1865 tive-untagged port in the native VLAN will not have an
1866 802.1Q header.
1867 dot1q-tunnel
1869 A dot1q-tunnel port is somewhat like an access port. Like
1870 an access port, it carries packets on the single VLAN
1871 specified in the tag column and this VLAN, called the
1872 service VLAN, does not appear in an 802.1Q header for
1873 packets that ingress or egress on the port. The main dif‐
1874 ference lies in the behavior when packets that include a
1875 802.1Q header ingress on the port. Whereas an access port
1876 drops such packets, a dot1q-tunnel port treats these as
1877 double-tagged with the outer service VLAN tag and the in‐
1878 ner customer VLAN taken from the 802.1Q header. Corre‐
1879 spondingly, to egress on the port, a packet outer VLAN
1880 (or only VLAN) must be tag, which is removed before
1881 egress, which exposes the inner (customer) VLAN if one is
1882 present.
1883 If cvlans is set, only allows packets in the specified
1885 customer VLANs.
1886 A packet will only egress through bridge ports that carry the VLAN of
1888 the packet, as described by the rules above.
1889 vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
1891 native-untagged, or trunk
1892 The VLAN mode of the port, as described above. When this column
1893 is empty, a default mode is selected as follows:
1894 • If tag contains a value, the port is an access port. The
1896 trunks column should be empty.
1897 • Otherwise, the port is a trunk port. The trunks column
1899 value is honored if it is present.
1900 tag: optional integer, in range 0 to 4,095
1902 For an access port, the port’s implicitly tagged VLAN. For a na‐
1903 tive-tagged or native-untagged port, the port’s native VLAN.
1904 Must be empty if this is a trunk port.
1905 trunks: set of up to 4,096 integers, in range 0 to 4,095
1907 For a trunk, native-tagged, or native-untagged port, the 802.1Q
1908 VLAN or VLANs that this port trunks; if it is empty, then the
1909 port trunks all VLANs. Must be empty if this is an access port.
1910 A native-tagged or native-untagged port always trunks its native
1912 VLAN, regardless of whether trunks includes that VLAN.
1913 cvlans: set of up to 4,096 integers, in range 0 to 4,095
1915 For a dot1q-tunnel port, the customer VLANs that this port in‐
1916 cludes. If this is empty, the port includes all customer VLANs.
1917 For other kinds of ports, this setting is ignored.
1919 other_config : qinq-ethtype: optional string, either 802.1ad or 802.1q
1921 For a dot1q-tunnel port, this is the TPID for the service tag,
1922 that is, for the 802.1Q header that contains the service VLAN
1923 ID. Because packets that actually ingress and egress a dot1q-
1924 tunnel port do not include an 802.1Q header for the service
1925 VLAN, this does not affect packets on the dot1q-tunnel port it‐
1926 self. Rather, it determines the service VLAN for a packet that
1927 ingresses on a dot1q-tunnel port and egresses on a trunk port.
1928 The value 802.1ad specifies TPID 0x88a8, which is also the de‐
1930 fault if the setting is omitted. The value 802.1q specifies TPID
1931 0x8100.
1932 For other kinds of ports, this setting is ignored.
1934 other_config : priority-tags: optional string, one of always, if-non‐
1936 zero, or never
1937 An 802.1Q header contains two important pieces of information: a
1938 VLAN ID and a priority. A frame with a zero VLAN ID, called a
1939 ``priority-tagged’’ frame, is supposed to be treated the same
1940 way as a frame without an 802.1Q header at all (except for the
1941 priority).
1942 However, some network elements ignore any frame that has 802.1Q
1944 header at all, even when the VLAN ID is zero. Therefore, by de‐
1945 fault Open vSwitch does not output priority-tagged frames, in‐
1946 stead omitting the 802.1Q header entirely if the VLAN ID is
1947 zero. Set this key to if-nonzero to enable priority-tagged
1948 frames on a port.
1949 For if-nonzero Open vSwitch omits the 802.1Q header on output if
1951 both the VLAN ID and priority would be zero. Set to always to
1952 retain the 802.1Q header in such frames as well.
1953 All frames output to native-tagged ports have a nonzero VLAN ID,
1955 so this setting is not meaningful on native-tagged ports.
1956 Bonding Configuration:
1958 A port that has more than one interface is a ``bonded port.’’ Bonding
1960 allows for load balancing and fail-over.
1961 The following types of bonding will work with any kind of upstream
1963 switch. On the upstream switch, do not configure the interfaces as a
1964 bond:
1965 balance-slb
1967 Balances flows among members based on source MAC address
1968 and output VLAN, with periodic rebalancing as traffic
1969 patterns change.
1970 active-backup
1972 Assigns all flows to one member, failing over to a backup
1973 member when the active member is disabled. This is the
1974 only bonding mode in which interfaces may be plugged into
1975 different upstream switches.
1976 The following modes require the upstream switch to support 802.3ad with
1978 successful LACP negotiation. If LACP negotiation fails and other-con‐
1979 fig:lacp-fallback-ab is true, then active-backup mode is used:
1980 balance-tcp
1982 Balances flows among members based on L3 and L4 protocol
1983 information such as IP addresses and TCP/UDP ports.
1984 These columns apply only to bonded ports. Their values are otherwise
1986 ignored.
1987 bond_mode: optional string, one of active-backup, balance-slb, or bal‐
1989 ance-tcp
1990 The type of bonding used for a bonded port. Defaults to ac‐
1991 tive-backup if unset.
1992 other_config : bond-hash-basis: optional string, containing an integer
1994 An integer hashed along with flows when choosing output members
1995 in load balanced bonds. When changed, all flows will be assigned
1996 different hash values possibly causing member selection deci‐
1997 sions to change. Does not affect bonding modes which do not em‐
1998 ploy load balancing such as active-backup.
1999 other_config : lb-output-action: optional string, either true or false
2001 Enable/disable usage of optimized lb_output action for balancing
2002 flows among output members in load balanced bonds in bal‐
2003 ance-tcp. When enabled, it uses optimized path for balance-tcp
2004 mode by using rss hash and avoids recirculation. This knob does
2005 not affect other balancing modes.
2006 other_config : bond-primary: optional string
2008 If a slave interface with this name exists in the bond and is
2009 up, it will be made active. Relevant only when other_con‐
2010 fig:bond_mode is active-backup or if balance-tcp falls back to
2011 active-backup (e.g., LACP negotiation fails and other_con‐
2012 fig:lacp-fallback-ab is true).
2013 other_config : all-members-active: optional string, either true or
2015 false
2016 Enable/Disable delivery of broadcast/multicast packets on sec‐
2017 ondary interface of a balance-slb bond. Relevant only when lacp
2018 is off.
2019 This parameter is identical to all_slaves_active for Linux ker‐
2021 nel bonds. Disabled by default as it is not a desirable configu‐
2022 ration for most users.
2023 Link Failure Detection:
2025 An important part of link bonding is detecting that links are down so
2027 that they may be disabled. These settings determine how Open vSwitch
2028 detects link failure.
2029 other_config : bond-detect-mode: optional string, either carrier or mi‐
2031 imon
2032 The means used to detect link failures. Defaults to carrier
2033 which uses each interface’s carrier to detect failures. When set
2034 to miimon, will check for failures by polling each interface’s
2035 MII.
2036 other_config : bond-miimon-interval: optional string, containing an in‐
2038 teger
2039 The interval, in milliseconds, between successive attempts to
2040 poll each interface’s MII. Relevant only when other_config:bond-
2041 detect-mode is miimon.
2042 bond_updelay: integer
2044 The number of milliseconds for which the link must stay up on an
2045 interface before the interface is considered to be up. Specify 0
2046 to enable the interface immediately.
2047 This setting is honored only when at least one bonded interface
2049 is already enabled. When no interfaces are enabled, then the
2050 first bond interface to come up is enabled immediately.
2051 bond_downdelay: integer
2053 The number of milliseconds for which the link must stay down on
2054 an interface before the interface is considered to be down.
2055 Specify 0 to disable the interface immediately.
2056 LACP Configuration:
2058 LACP, the Link Aggregation Control Protocol, is an IEEE standard that
2060 allows switches to automatically detect that they are connected by mul‐
2061 tiple links and aggregate across those links. These settings control
2062 LACP behavior.
2063 lacp: optional string, one of active, off, or passive
2065 Configures LACP on this port. LACP allows directly connected
2066 switches to negotiate which links may be bonded. LACP may be en‐
2067 abled on non-bonded ports for the benefit of any switches they
2068 may be connected to. active ports are allowed to initiate LACP
2069 negotiations. passive ports are allowed to participate in LACP
2070 negotiations initiated by a remote switch, but not allowed to
2071 initiate such negotiations themselves. If LACP is enabled on a
2072 port whose partner switch does not support LACP, the bond will
2073 be disabled, unless other-config:lacp-fallback-ab is set to
2074 true. Defaults to off if unset.
2075 other_config : lacp-system-id: optional string
2077 The LACP system ID of this Port. The system ID of a LACP bond is
2078 used to identify itself to its partners. Must be a nonzero MAC
2079 address. Defaults to the bridge Ethernet address if unset.
2080 other_config : lacp-system-priority: optional string, containing an in‐
2082 teger, in range 1 to 65,535
2083 The LACP system priority of this Port. In LACP negotiations,
2084 link status decisions are made by the system with the numeri‐
2085 cally lower priority.
2086 other_config : lacp-time: optional string, either fast or slow
2088 The LACP timing which should be used on this Port. By default
2089 slow is used. When configured to be fast LACP heartbeats are re‐
2090 quested at a rate of once per second causing connectivity prob‐
2091 lems to be detected more quickly. In slow mode, heartbeats are
2092 requested at a rate of once every 30 seconds.
2093 other_config : lacp-fallback-ab: optional string, either true or false
2095 Determines the behavior of openvswitch bond in LACP mode. If the
2096 partner switch does not support LACP, setting this option to
2097 true allows openvswitch to fallback to active-backup. If the op‐
2098 tion is set to false, the bond will be disabled. In both the
2099 cases, once the partner switch is configured to LACP mode, the
2100 bond will use LACP.
2101 Rebalancing Configuration:
2103 These settings control behavior when a bond is in balance-slb or bal‐
2105 ance-tcp mode.
2106 other_config : bond-rebalance-interval: optional string, containing an
2108 integer, in range 0 to 2,147,483,647
2109 For a load balanced bonded port, the number of milliseconds be‐
2110 tween successive attempts to rebalance the bond, that is, to
2111 move flows from one interface on the bond to another in an at‐
2112 tempt to keep usage of each interface roughly equal. If zero,
2113 load balancing is disabled on the bond (link failure still cause
2114 flows to move). If less than 1000ms, the rebalance interval will
2115 be 1000ms.
2116 bond_fake_iface: boolean
2118 For a bonded port, whether to create a fake internal interface
2119 with the name of the port. Use only for compatibility with
2120 legacy software that requires this.
2121 Spanning Tree Protocol:
2123 The configuration here is only meaningful, and the status is only popu‐
2125 lated, when 802.1D-1998 Spanning Tree Protocol is enabled on the port’s
2126 Bridge with its stp_enable column.
2127 STP Configuration:
2129 other_config : stp-enable: optional string, either true or false
2131 When STP is enabled on a bridge, it is enabled by default on all
2132 of the bridge’s ports except bond, internal, and mirror ports
2133 (which do not work with STP). If this column’s value is false,
2134 STP is disabled on the port.
2135 other_config : stp-port-num: optional string, containing an integer, in
2137 range 1 to 255
2138 The port number used for the lower 8 bits of the port-id. By de‐
2139 fault, the numbers will be assigned automatically. If any port’s
2140 number is manually configured on a bridge, then they must all
2141 be.
2142 other_config : stp-port-priority: optional string, containing an inte‐
2144 ger, in range 0 to 255
2145 The port’s relative priority value for determining the root port
2146 (the upper 8 bits of the port-id). A port with a lower port-id
2147 will be chosen as the root port. By default, the priority is
2148 0x80.
2149 other_config : stp-path-cost: optional string, containing an integer,
2151 in range 0 to 65,535
2152 Spanning tree path cost for the port. A lower number indicates a
2153 faster link. By default, the cost is based on the maximum speed
2154 of the link.
2155 STP Status:
2157 status : stp_port_id: optional string
2159 The port ID used in spanning tree advertisements for this port,
2160 as 4 hex digits. Configuring the port ID is described in the
2161 stp-port-num and stp-port-priority keys of the other_config sec‐
2162 tion earlier.
2163 status : stp_state: optional string, one of blocking, disabled, for‐
2165 warding, learning, or listening
2166 STP state of the port.
2167 status : stp_sec_in_state: optional string, containing an integer, at
2169 least 0
2170 The amount of time this port has been in the current STP state,
2171 in seconds.
2172 status : stp_role: optional string, one of alternate, designated, or
2174 root
2175 STP role of the port.
2176 Rapid Spanning Tree Protocol:
2178 The configuration here is only meaningful, and the status and statis‐
2180 tics are only populated, when 802.1D-1998 Spanning Tree Protocol is en‐
2181 abled on the port’s Bridge with its stp_enable column.
2182 RSTP Configuration:
2184 other_config : rstp-enable: optional string, either true or false
2186 When RSTP is enabled on a bridge, it is enabled by default on
2187 all of the bridge’s ports except bond, internal, and mirror
2188 ports (which do not work with RSTP). If this column’s value is
2189 false, RSTP is disabled on the port.
2190 other_config : rstp-port-priority: optional string, containing an inte‐
2192 ger, in range 0 to 240
2193 The port’s relative priority value for determining the root
2194 port, in multiples of 16. By default, the port priority is 0x80
2195 (128). Any value in the lower 4 bits is rounded off. The signif‐
2196 icant upper 4 bits become the upper 4 bits of the port-id. A
2197 port with the lowest port-id is elected as the root.
2198 other_config : rstp-port-num: optional string, containing an integer,
2200 in range 1 to 4,095
2201 The local RSTP port number, used as the lower 12 bits of the
2202 port-id. By default the port numbers are assigned automatically,
2203 and typically may not correspond to the OpenFlow port numbers. A
2204 port with the lowest port-id is elected as the root.
2205 other_config : rstp-path-cost: optional string, containing an integer
2207 The port path cost. The Port’s contribution, when it is the Root
2208 Port, to the Root Path Cost for the Bridge. By default the cost
2209 is automatically calculated from the port’s speed.
2210 other_config : rstp-port-admin-edge: optional string, either true or
2212 false
2213 The admin edge port parameter for the Port. Default is false.
2214 other_config : rstp-port-auto-edge: optional string, either true or
2216 false
2217 The auto edge port parameter for the Port. Default is true.
2218 other_config : rstp-port-mcheck: optional string, either true or false
2220 The mcheck port parameter for the Port. Default is false. May be
2221 set to force the Port Protocol Migration state machine to trans‐
2222 mit RST BPDUs for a MigrateTime period, to test whether all STP
2223 Bridges on the attached LAN have been removed and the Port can
2224 continue to transmit RSTP BPDUs. Setting mcheck has no effect if
2225 the Bridge is operating in STP Compatibility mode.
2226 Changing the value from true to false has no effect, but needs
2228 to be done if this behavior is to be triggered again by subse‐
2229 quently changing the value from false to true.
2230 RSTP Status:
2232 rstp_status : rstp_port_id: optional string
2234 The port ID used in spanning tree advertisements for this port,
2235 as 4 hex digits. Configuring the port ID is described in the
2236 rstp-port-num and rstp-port-priority keys of the other_config
2237 section earlier.
2238 rstp_status : rstp_port_role: optional string, one of Alternate,
2240 Backup, Designated, Disabled, or Root
2241 RSTP role of the port.
2242 rstp_status : rstp_port_state: optional string, one of Disabled, Dis‐
2244 carding, Forwarding, or Learning
2245 RSTP state of the port.
2246 rstp_status : rstp_designated_bridge_id: optional string
2248 The port’s RSTP designated bridge ID, in the same form as
2249 rstp_status:rstp_bridge_id in the Bridge table.
2250 rstp_status : rstp_designated_port_id: optional string
2252 The port’s RSTP designated port ID, as 4 hex digits.
2253 rstp_status : rstp_designated_path_cost: optional string, containing an
2255 integer
2256 The port’s RSTP designated path cost. Lower is better.
2257 RSTP Statistics:
2259 rstp_statistics : rstp_tx_count: optional integer
2261 Number of RSTP BPDUs transmitted through this port.
2262 rstp_statistics : rstp_rx_count: optional integer
2264 Number of valid RSTP BPDUs received by this port.
2265 rstp_statistics : rstp_error_count: optional integer
2267 Number of invalid RSTP BPDUs received by this port.
2268 rstp_statistics : rstp_uptime: optional integer
2270 The duration covered by the other RSTP statistics, in seconds.
2271 Multicast Snooping:
2273 other_config : mcast-snooping-flood: optional string, either true or
2275 false
2276 If set to true, multicast packets (except Reports) are uncondi‐
2277 tionally forwarded to the specific port.
2278 other_config : mcast-snooping-flood-reports: optional string, either
2280 true or false
2281 If set to true, multicast Reports are unconditionally forwarded
2282 to the specific port.
2283 Other Features:
2285 qos: optional QoS
2287 Quality of Service configuration for this port.
2288 mac: optional string
2290 The MAC address to use for this port for the purpose of choosing
2291 the bridge’s MAC address. This column does not necessarily re‐
2292 flect the port’s actual MAC address, nor will setting it change
2293 the port’s actual MAC address.
2294 fake_bridge: boolean
2296 Does this port represent a sub-bridge for its tagged VLAN within
2297 the Bridge? See ovs-vsctl(8) for more information.
2298 protected: boolean
2300 The protected ports feature allows certain ports to be desig‐
2301 nated as protected. Traffic between protected ports is blocked.
2302 Protected ports can send traffic to unprotected ports. Unpro‐
2303 tected ports can send traffic to any port. Default is false.
2304 external_ids : fake-bridge-*: optional string
2306 External IDs for a fake bridge (see the fake_bridge column) are
2307 defined by prefixing a Bridge external_ids key with
2308 fake-bridge-, e.g. fake-bridge-bridge-id.
2309 other_config : transient: optional string, either true or false
2311 If set to true, the port will be removed when ovs-ctl start
2312 --delete-transient-ports is used.
2313 bond_active_slave: optional string
2315 For a bonded port, record the MAC address of the current active
2316 member.
2317 Port Statistics:
2319 Key-value pairs that report port statistics. The update period is con‐
2321 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
2322 ble.
2323 Statistics: STP transmit and receive counters:
2325 statistics : stp_tx_count: optional integer
2327 Number of STP BPDUs sent on this port by the spanning tree li‐
2328 brary.
2329 statistics : stp_rx_count: optional integer
2331 Number of STP BPDUs received on this port and accepted by the
2332 spanning tree library.
2333 statistics : stp_error_count: optional integer
2335 Number of bad STP BPDUs received on this port. Bad BPDUs include
2336 runt packets and those with an unexpected protocol ID.
2337 Common Columns:
2339 The overall purpose of these columns is described under Common Columns
2341 at the beginning of this document.
2342 other_config: map of string-string pairs
2344 external_ids: map of string-string pairs
2346
2348 An interface within a Port.
2349 Summary:
2351 Core Features:
2352 name immutable string (must be unique within
2353 table)
2354 ifindex optional integer, in range 0 to
2355 4,294,967,295
2356 mac_in_use optional string
2357 mac optional string
2358 error optional string
2359 OpenFlow Port Number:
2360 ofport optional integer
2361 ofport_request optional integer, in range 1 to 65,279
2362 System-Specific Details:
2363 type string
2364 Tunnel Options:
2365 options : remote_ip optional string
2366 options : local_ip optional string
2367 options : in_key optional string
2368 options : out_key optional string
2369 options : dst_port optional string
2370 options : key optional string
2371 options : tos optional string
2372 options : ttl optional string
2373 options : df_default optional string, either true or false
2374 options : egress_pkt_mark optional string
2375 Tunnel Options: lisp only:
2376 options : packet_type optional string, either legacy_l3 or ptap
2377 Tunnel Options: vxlan only:
2378 options : exts optional string
2379 options : packet_type optional string, one of legacy_l2,
2380 legacy_l3, or ptap
2381 Tunnel Options: gre only:
2382 options : packet_type optional string, one of legacy_l2,
2383 legacy_l3, or ptap
2384 options : seq optional string, either true or false
2385 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2386 options : csum optional string, either true or false
2387 Tunnel Options: IPsec:
2388 options : psk optional string
2389 options : remote_cert optional string
2390 options : remote_name optional string
2391 Tunnel Options: erspan only:
2392 options : erspan_idx optional string
2393 options : erspan_ver optional string
2394 options : erspan_dir optional string
2395 options : erspan_hwid optional string
2396 Tunnel Options: Bareudp only:
2397 options : payload_type optional string
2398 Tunnel Options: srv6 only:
2399 options : srv6_segs optional string
2400 options : srv6_flowlabel optional string, one of compute, copy, or
2401 zero
2402 Patch Options:
2403 options : peer optional string
2404 PMD (Poll Mode Driver) Options:
2405 options : n_rxq optional string, containing an integer,
2406 at least 1
2407 options : dpdk-devargs optional string
2408 other_config : pmd-rxq-affinity
2409 optional string
2410 options : xdp-mode optional string, one of best-effort,
2411 generic, native-with-zerocopy, or native
2412 options : use-need-wakeup optional string, either true or false
2413 options : vhost-server-path
2414 optional string
2415 options : tx-retries-max optional string, containing an integer,
2416 in range 0 to 32
2417 options : n_rxq_desc optional string, containing an integer,
2418 in range 1 to 4,096
2419 options : n_txq_desc optional string, containing an integer,
2420 in range 1 to 4,096
2421 options : dpdk-vf-mac optional string
2422 options : rx-steering optional string, either rss+lacp or rss
2423 other_config : tx-steering optional string, either hash or thread
2424 EMC (Exact Match Cache) Configuration:
2425 other_config : emc-enable optional string, either true or false
2426 MTU:
2427 mtu optional integer
2428 mtu_request optional integer, at least 1
2429 Interface Status:
2430 admin_state optional string, either down or up
2431 link_state optional string, either down or up
2432 link_resets optional integer
2433 link_speed optional integer
2434 duplex optional string, either full or half
2435 lacp_current optional boolean
2436 status map of string-string pairs
2437 status : driver_name optional string
2438 status : driver_version optional string
2439 status : firmware_version optional string
2440 status : source_ip optional string
2441 status : tunnel_egress_iface
2442 optional string
2443 status : tunnel_egress_iface_carrier
2444 optional string, either down or up
2445 dpdk:
2446 status : port_no optional string
2447 status : numa_id optional string
2448 status : min_rx_bufsize optional string
2449 status : max_rx_pktlen optional string
2450 status : max_rx_queues optional string
2451 status : max_tx_queues optional string
2452 status : max_mac_addrs optional string
2453 status : max_hash_mac_addrs
2454 optional string
2455 status : max_vfs optional string
2456 status : max_vmdq_pools optional string
2457 status : if_type optional string
2458 status : if_descr optional string
2459 status : pci-vendor_id optional string
2460 status : pci-device_id optional string
2461 Statistics:
2462 Statistics: Successful transmit and receive counters:
2463 statistics : rx_packets optional integer
2464 statistics : rx_bytes optional integer
2465 statistics : tx_packets optional integer
2466 statistics : tx_bytes optional integer
2467 Statistics: Receive errors:
2468 statistics : rx_dropped optional integer
2469 statistics : rx_frame_err
2470 optional integer
2471 statistics : rx_over_err optional integer
2472 statistics : rx_crc_err optional integer
2473 statistics : rx_errors optional integer
2474 Statistics: Transmit errors:
2475 statistics : tx_dropped optional integer
2476 statistics : collisions optional integer
2477 statistics : tx_errors optional integer
2478 Ingress Policing:
2479 ingress_policing_rate integer, at least 0
2480 ingress_policing_kpkts_rate
2481 integer, at least 0
2482 ingress_policing_burst integer, at least 0
2483 ingress_policing_kpkts_burst
2484 integer, at least 0
2485 Bidirectional Forwarding Detection (BFD):
2486 BFD Configuration:
2487 bfd : enable optional string, either true or false
2488 bfd : min_rx optional string, containing an integer,
2489 at least 1
2490 bfd : min_tx optional string, containing an integer,
2491 at least 1
2492 bfd : decay_min_rx optional string, containing an integer
2493 bfd : forwarding_if_rx optional string, either true or false
2494 bfd : cpath_down optional string, either true or false
2495 bfd : check_tnl_key optional string, either true or false
2496 bfd : bfd_local_src_mac optional string
2497 bfd : bfd_local_dst_mac optional string
2498 bfd : bfd_remote_dst_mac optional string
2499 bfd : bfd_src_ip optional string
2500 bfd : bfd_dst_ip optional string
2501 bfd : oam optional string
2502 bfd : mult optional string, containing an integer,
2503 in range 1 to 255
2504 BFD Status:
2505 bfd_status : state optional string, one of admin_down, down,
2506 init, or up
2507 bfd_status : forwarding optional string, either true or false
2508 bfd_status : diagnostic optional string
2509 bfd_status : remote_state
2510 optional string, one of admin_down, down,
2511 init, or up
2512 bfd_status : remote_diagnostic
2513 optional string
2514 bfd_status : flap_count optional string, containing an integer,
2515 at least 0
2516 Connectivity Fault Management:
2517 cfm_mpid optional integer
2518 cfm_flap_count optional integer
2519 cfm_fault optional boolean
2520 cfm_fault_status : recv none
2521 cfm_fault_status : rdi none
2522 cfm_fault_status : maid none
2523 cfm_fault_status : loopback
2524 none
2525 cfm_fault_status : overflow
2526 none
2527 cfm_fault_status : override
2528 none
2529 cfm_fault_status : interval
2530 none
2531 cfm_remote_opstate optional string, either down or up
2532 cfm_health optional integer, in range 0 to 100
2533 cfm_remote_mpids set of integers
2534 other_config : cfm_interval
2535 optional string, containing an integer
2536 other_config : cfm_extended
2537 optional string, either true or false
2538 other_config : cfm_demand optional string, either true or false
2539 other_config : cfm_opstate optional string, either down or up
2540 other_config : cfm_ccm_vlan
2541 optional string, containing an integer,
2542 in range 1 to 4,095
2543 other_config : cfm_ccm_pcp optional string, containing an integer,
2544 in range 1 to 7
2545 Bonding Configuration:
2546 other_config : lacp-port-id
2547 optional string, containing an integer,
2548 in range 1 to 65,535
2549 other_config : lacp-port-priority
2550 optional string, containing an integer,
2551 in range 1 to 65,535
2552 other_config : lacp-aggregation-key
2553 optional string, containing an integer,
2554 in range 1 to 65,535
2555 Virtual Machine Identifiers:
2556 external_ids : attached-mac
2557 optional string
2558 external_ids : iface-id optional string
2559 external_ids : iface-status
2560 optional string, either active or inac‐
2561 tive
2562 external_ids : vm-id optional string
2563 Auto Attach Configuration:
2564 lldp : enable optional string, either true or false
2565 Flow control Configuration:
2566 options : rx-flow-ctrl optional string, either true or false
2567 options : tx-flow-ctrl optional string, either true or false
2568 options : flow-ctrl-autoneg
2569 optional string, either true or false
2570 Link State Change detection mode:
2571 options : dpdk-lsc-interrupt
2572 optional string, either true or false
2573 Common Columns:
2574 other_config map of string-string pairs
2575 external_ids map of string-string pairs
2576 Details:
2578 Core Features:
2579 name: immutable string (must be unique within table)
2581 Interface name. Should be alphanumeric. For non-bonded port,
2582 this should be the same as the port name. It must otherwise be
2583 unique among the names of ports, interfaces, and bridges on a
2584 host.
2585 The maximum length of an interface name depends on the underly‐
2587 ing datapath:
2588 • The names of interfaces implemented as Linux and BSD net‐
2590 work devices, including interfaces with type internal,
2591 tap, or system plus the different types of tunnel ports,
2592 are limited to 15 bytes. Windows limits these names to
2593 255 bytes.
2594 • The names of patch ports are not used in the underlying
2596 datapath, so operating system restrictions do not apply.
2597 Thus, they may have arbitrary length.
2598 Regardless of other restrictions, OpenFlow only supports 15-byte
2600 names, which means that ovs-ofctl and OpenFlow controllers will
2601 show names truncated to 15 bytes.
2602 ifindex: optional integer, in range 0 to 4,294,967,295
2604 A positive interface index as defined for SNMP MIB-II in RFCs
2605 1213 and 2863, if the interface has one, otherwise 0. The
2606 ifindex is useful for seamless integration with protocols such
2607 as SNMP and sFlow.
2608 mac_in_use: optional string
2610 The MAC address in use by this interface.
2611 mac: optional string
2613 Ethernet address to set for this interface. If unset then the
2614 default MAC address is used:
2615 • For the local interface, the default is the lowest-num‐
2617 bered MAC address among the other bridge ports, either
2618 the value of the mac in its Port record, if set, or its
2619 actual MAC (for bonded ports, the MAC of its member whose
2620 name is first in alphabetical order). Internal ports and
2621 bridge ports that are used as port mirroring destinations
2622 (see the Mirror table) are ignored.
2623 • For other internal interfaces, the default MAC is ran‐
2625 domly generated.
2626 • External interfaces typically have a MAC address associ‐
2628 ated with their hardware.
2629 Some interfaces may not have a software-controllable MAC ad‐
2631 dress. This option only affects internal ports. For other type
2632 ports, you can change the MAC address outside Open vSwitch, us‐
2633 ing ip command.
2634 error: optional string
2636 If the configuration of the port failed, as indicated by -1 in
2637 ofport, Open vSwitch sets this column to an error description in
2638 human readable form. Otherwise, Open vSwitch clears this column.
2639 OpenFlow Port Number:
2641 When a client adds a new interface, Open vSwitch chooses an OpenFlow
2643 port number for the new port. If the client that adds the port fills in
2644 ofport_request, then Open vSwitch tries to use its value as the Open‐
2645 Flow port number. Otherwise, or if the requested port number is already
2646 in use or cannot be used for another reason, Open vSwitch automatically
2647 assigns a free port number. Regardless of how the port number was ob‐
2648 tained, Open vSwitch then reports in ofport the port number actually
2649 assigned.
2650 Open vSwitch limits the port numbers that it automatically assigns to
2652 the range 1 through 32,767, inclusive. Controllers therefore have free
2653 use of ports 32,768 and up.
2654 ofport: optional integer
2656 OpenFlow port number for this interface. Open vSwitch sets this
2657 column’s value, so other clients should treat it as read-only.
2658 The OpenFlow ``local’’ port (OFPP_LOCAL) is 65,534. The other
2660 valid port numbers are in the range 1 to 65,279, inclusive.
2661 Value -1 indicates an error adding the interface.
2662 ofport_request: optional integer, in range 1 to 65,279
2664 Requested OpenFlow port number for this interface.
2665 A client should ideally set this column’s value in the same
2667 database transaction that it uses to create the interface. Open
2668 vSwitch version 2.1 and later will honor a later request for a
2669 specific port number, althuogh it might confuse some con‐
2670 trollers: OpenFlow does not have a way to announce a port number
2671 change, so Open vSwitch represents it over OpenFlow as a port
2672 deletion followed immediately by a port addition.
2673 If ofport_request is set or changed to some other port’s auto‐
2675 matically assigned port number, Open vSwitch chooses a new port
2676 number for the latter port.
2677 System-Specific Details:
2679 type: string
2681 The interface type. The types supported by a particular instance
2682 of Open vSwitch are listed in the iface_types column in the
2683 Open_vSwitch table. The following types are defined:
2684 system An ordinary network device, e.g. eth0 on Linux. Sometimes
2686 referred to as ``external interfaces’’ since they are
2687 generally connected to hardware external to that on which
2688 the Open vSwitch is running. The empty string is a syn‐
2689 onym for system.
2690 internal
2692 A simulated network device that sends and receives traf‐
2693 fic. An internal interface whose name is the same as its
2694 bridge’s name is called the ``local interface.’’ It does
2695 not make sense to bond an internal interface, so the
2696 terms ``port’’ and ``interface’’ are often used impre‐
2697 cisely for internal interfaces.
2698 tap A TUN/TAP device managed by Open vSwitch.
2700 Open vSwitch checks the interface state before send pack‐
2702 ets to the device. When it is down, the packets are
2703 dropped and the tx_dropped statistic is updated accord‐
2704 ingly. Older versions of Open vSwitch did not check the
2705 interface state and then the tx_packets was incremented
2706 along with tx_dropped.
2707 geneve An Ethernet over Geneve
2709 (http://tools.ietf.org/html/draft-ietf-nvo3-geneve)
2710 IPv4/IPv6 tunnel. A description of how to match and set
2711 Geneve options can be found in the ovs-ofctl manual page.
2712 gre Generic Routing Encapsulation (GRE) over IPv4 tunnel,
2714 configurable to encapsulate layer 2 or layer 3 traffic.
2715 ip6gre Generic Routing Encapsulation (GRE) over IPv6 tunnel, en‐
2717 capsulate layer 2 traffic.
2718 vxlan An Ethernet tunnel over the UDP-based VXLAN protocol de‐
2720 scribed in RFC 7348.
2721 Open vSwitch uses IANA-assigned UDP destination port
2723 4789. The source port used for VXLAN traffic varies on a
2724 per-flow basis and is in the ephemeral port range.
2725 lisp A layer 3 tunnel over the experimental, UDP-based Loca‐
2727 tor/ID Separation Protocol (RFC 6830).
2728 Only IPv4 and IPv6 packets are supported by the protocol,
2730 and they are sent and received without an Ethernet
2731 header. Traffic to/from LISP ports is expected to be con‐
2732 figured explicitly, and the ports are not intended to
2733 participate in learning based switching. As such, they
2734 are always excluded from packet flooding.
2735 stt The Stateless TCP Tunnel (STT) is particularly useful
2737 when tunnel endpoints are in end-systems, as it utilizes
2738 the capabilities of standard network interface cards to
2739 improve performance. STT utilizes a TCP-like header in‐
2740 side the IP header. It is stateless, i.e., there is no
2741 TCP connection state of any kind associated with the tun‐
2742 nel. The TCP-like header is used to leverage the capabil‐
2743 ities of existing network interface cards, but should not
2744 be interpreted as implying any sort of connection state
2745 between endpoints. Since the STT protocol does not engage
2746 in the usual TCP 3-way handshake, so it will have diffi‐
2747 culty traversing stateful firewalls. The protocol is doc‐
2748 umented at https://tools.ietf.org/html/draft-davie-stt
2749 All traffic uses a default destination port of 7471.
2750 patch A pair of virtual devices that act as a patch cable.
2752 gtpu GPRS Tunneling Protocol (GTP) is a group of IP-based com‐
2754 munications protocols used to carry general packet radio
2755 service (GPRS) within GSM, UMTS and LTE networks. GTP-U
2756 is used for carrying user data within the GPRS core net‐
2757 work and between the radio access network and the core
2758 network. The user data transported can be packets in any
2759 of IPv4, IPv6, or PPP formats.
2760 The protocol is documented at http://www.3gpp.org/DynaRe‐
2762 port/29281.htm
2763 Open vSwitch uses UDP destination port 2152. The source
2765 port used for GTP traffic varies on a per-flow basis and
2766 is in the ephemeral port range.
2767 Bareudp
2769 The Bareudp tunnel provides a generic L3 encapsulation
2770 support for tunnelling different L3 protocols like MPLS,
2771 IP, NSH etc. inside a UDP tunnel.
2772 srv6 Segment Routing IPv6 (SRv6) tunnel encapsulates L3 traf‐
2774 fic as "IPv6 in IPv6" or "IPv4 in IPv6" with Segment
2775 Routing Header (SRH) defined in RFC 8754. The segment
2776 list in SRH can be set using a SRv6 specific option.
2777 Tunnel Options:
2779 These options apply to interfaces with type of geneve, bareudp, gre,
2781 ip6gre, vxlan, lisp, stt and srv6.
2782 Each tunnel must be uniquely identified by the combination of type, op‐
2784 tions:remote_ip, options:local_ip, and options:in_key. If two ports are
2785 defined that are the same except one has an optional identifier and the
2786 other does not, the more specific one is matched first. options:in_key
2787 is considered more specific than options:local_ip if a port defines one
2788 and another port defines the other. options:in_key is not applicable
2789 for bareudp and srv6 tunnels. Hence it is not considered while identi‐
2790 fying bareudp or srv6 tunnels.
2791 options : remote_ip: optional string
2793 Required. The remote tunnel endpoint, one of:
2794 • An IPv4 or IPv6 address (not a DNS name), e.g.
2796 192.168.0.123. Only unicast endpoints are supported.
2797 • The word flow. The tunnel accepts packets from any remote
2799 tunnel endpoint. To process only packets from a specific
2800 remote tunnel endpoint, the flow entries may match on the
2801 tun_src or tun_ipv6_srcfield. When sending packets to a
2802 remote_ip=flow tunnel, the flow actions must explicitly
2803 set the tun_dst or tun_ipv6_dst field to the IP address
2804 of the desired remote tunnel endpoint, e.g. with a
2805 set_field action.
2806 The remote tunnel endpoint for any packet received from a tunnel
2808 is available in the tun_src field for matching in the flow ta‐
2809 ble.
2810 options : local_ip: optional string
2812 Optional. The tunnel destination IP that received packets must
2813 match. Default is to match all addresses. If specified, may be
2814 one of:
2815 • An IPv4/IPv6 address (not a DNS name), e.g. 192.168.12.3.
2817 • The word flow. The tunnel accepts packets sent to any of
2819 the local IP addresses of the system running OVS. To
2820 process only packets sent to a specific IP address, the
2821 flow entries may match on the tun_dst or tun_ipv6_dst
2822 field. When sending packets to a local_ip=flow tunnel,
2823 the flow actions may explicitly set the tun_src or
2824 tun_ipv6_src field to the desired IP address, e.g. with a
2825 set_field action. However, while routing the tunneled
2826 packet out, the local system may override the specified
2827 address with the local IP address configured for the out‐
2828 going system interface.
2829 This option is valid only for tunnels also configured
2831 with the remote_ip=flow option.
2832 The tunnel destination IP address for any packet received from a
2834 tunnel is available in the tun_dst or tun_ipv6_dst field for
2835 matching in the flow table.
2836 options : in_key: optional string
2838 Optional, not applicable for bareudp and srv6. The key that re‐
2839 ceived packets must contain, one of:
2840 • 0. The tunnel receives packets with no key or with a key
2842 of 0. This is equivalent to specifying no options:in_key
2843 at all.
2844 • A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit
2846 (for GRE) or 64-bit (for STT) number. The tunnel receives
2847 only packets with the specified key.
2848 • The word flow. The tunnel accepts packets with any key.
2850 The key will be placed in the tun_id field for matching
2851 in the flow table. The ovs-fields(7) manual page contains
2852 additional information about matching fields in OpenFlow
2853 flows.
2854 options : out_key: optional string
2856 Optional, not applicable for bareudp and srv6. The key to be set
2857 on outgoing packets, one of:
2858 • 0. Packets sent through the tunnel will have no key. This
2860 is equivalent to specifying no options:out_key at all.
2861 • A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit
2863 (for GRE) or 64-bit (for STT) number. Packets sent
2864 through the tunnel will have the specified key.
2865 • The word flow. Packets sent through the tunnel will have
2867 the key set using the set_tunnel Nicira OpenFlow vendor
2868 extension (0 is used in the absence of an action). The
2869 ovs-fields(7) manual page contains additional information
2870 about the Nicira OpenFlow vendor extensions.
2871 options : dst_port: optional string
2873 Optional. The tunnel transport layer destination port, for UDP
2874 and TCP based tunnel protocols (Geneve, VXLAN, LISP, and STT).
2875 options : key: optional string
2877 Optional. Shorthand to set in_key and out_key at the same time.
2878 options : tos: optional string
2880 Optional. The value of the ToS bits to be set on the encapsulat‐
2881 ing packet. ToS is interpreted as DSCP and ECN bits, ECN part
2882 must be zero. It may also be the word inherit, in which case the
2883 ToS will be copied from the inner packet if it is IPv4 or IPv6
2884 (otherwise it will be 0). The ECN fields are always inherited.
2885 Default is 0.
2886 options : ttl: optional string
2888 Optional. The TTL to be set on the encapsulating packet. It may
2889 also be the word inherit, in which case the TTL will be copied
2890 from the inner packet if it is IPv4 or IPv6 (otherwise it will
2891 be the system default, typically 64). Default is the system de‐
2892 fault TTL.
2893 options : df_default: optional string, either true or false
2895 Optional. If enabled, the Don’t Fragment bit will be set on tun‐
2896 nel outer headers to allow path MTU discovery. Default is en‐
2897 abled; set to false to disable.
2898 options : egress_pkt_mark: optional string
2900 Optional. The pkt_mark to be set on the encapsulating packet.
2901 This option sets packet mark for the tunnel endpoint for all
2902 tunnel packets including tunnel monitoring.
2903 Tunnel Options: lisp only:
2905 options : packet_type: optional string, either legacy_l3 or ptap
2907 A LISP tunnel sends and receives only IPv4 and IPv6 packets.
2908 This option controls what how the tunnel represents the packets
2909 that it sends and receives:
2910 • By default, or if this option is legacy_l3, the tunnel
2912 represents packets as Ethernet frames for compatibility
2913 with legacy OpenFlow controllers that expect this behav‐
2914 ior.
2915 • If this option is ptap, the tunnel represents packets us‐
2917 ing the packet_type mechanism introduced in OpenFlow 1.5.
2918 Tunnel Options: vxlan only:
2920 options : exts: optional string
2922 Optional. Comma separated list of optional VXLAN extensions to
2923 enable. The following extensions are supported:
2924 • gbp: VXLAN-GBP allows to transport the group policy con‐
2926 text of a packet across the VXLAN tunnel to other network
2927 peers. See the description of tun_gbp_id and
2928 tun_gbp_flags in ovs-fields(7) for additional informa‐
2929 tion.
2930 (https://tools.ietf.org/html/draft-smith-vxlan-group-pol‐
2931 icy)
2932 • gpe: Support for Generic Protocol Encapsulation in accor‐
2934 dance with IETF draft
2935 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe.
2936 Without this option, a VXLAN packet always encapsulates
2937 an Ethernet frame. With this option, an VXLAN packet may
2938 also encapsulate an IPv4, IPv6, NSH, or MPLS packet.
2939 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2941 ptap
2942 This option controls what types of packets the tunnel sends and
2943 receives and how it represents them:
2944 • By default, or if this option is legacy_l2, the tunnel
2946 sends and receives only Ethernet frames.
2947 • If this option is legacy_l3, the tunnel sends and re‐
2949 ceives only non-Ethernet (L3) packet, but the packets are
2950 represented as Ethernet frames for compatibility with
2951 legacy OpenFlow controllers that expect this behavior.
2952 This requires enabling gpe in options:exts.
2953 • If this option is ptap, Open vSwitch represents packets
2955 in the tunnel using the packet_type mechanism introduced
2956 in OpenFlow 1.5. This mechanism supports any kind of
2957 packet, but actually sending and receiving non-Ethernet
2958 packets requires additionally enabling gpe in op‐
2959 tions:exts.
2960 Tunnel Options: gre only:
2962 gre interfaces support these options.
2964 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2966 ptap
2967 This option controls what types of packets the tunnel sends and
2968 receives and how it represents them:
2969 • By default, or if this option is legacy_l2, the tunnel
2971 sends and receives only Ethernet frames.
2972 • If this option is legacy_l3, the tunnel sends and re‐
2974 ceives only non-Ethernet (L3) packet, but the packets are
2975 represented as Ethernet frames for compatibility with
2976 legacy OpenFlow controllers that expect this behavior.
2977 • The legacy_l3 option is only available via the user space
2979 datapath. The OVS kernel datapath does not support de‐
2980 vices of type ARPHRD_IPGRE which is the requirement for
2981 legacy_l3 type packets.
2982 • If this option is ptap, the tunnel sends and receives any
2984 kind of packet. Open vSwitch represents packets in the
2985 tunnel using the packet_type mechanism introduced in
2986 OpenFlow 1.5.
2987 options : seq: optional string, either true or false
2989 Optional. A 4-byte sequence number field for GRE tunnel only.
2990 Default is disabled, set to true to enable. Sequence number is
2991 incremented by one on each outgoing packet.
2992 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2994 gre, ip6gre, geneve, bareudp and vxlan interfaces support these op‐
2996 tions.
2997 options : csum: optional string, either true or false
2999 Optional. Compute encapsulation header (either GRE or UDP)
3000 checksums on outgoing packets. Default is disabled, set to true
3001 to enable. Checksums present on incoming packets will be vali‐
3002 dated regardless of this setting.
3003 When using the upstream Linux kernel module, computation of
3005 checksums for geneve and vxlan requires Linux kernel version 4.0
3006 or higher. gre and ip6gre support checksums for all versions of
3007 Open vSwitch that support GRE. The out of tree kernel module
3008 distributed as part of OVS can compute all tunnel checksums on
3009 any kernel version that it is compatible with.
3010 Tunnel Options: IPsec:
3012 Setting any of these options enables IPsec support for a given tunnel.
3014 gre, geneve, vxlan and stt interfaces support these options. See the
3015 IPsec section in the Open_vSwitch table for a description of each mode.
3016 options : psk: optional string
3018 In PSK mode only, the preshared secret to negotiate tunnel. This
3019 value must match on both tunnel ends.
3020 options : remote_cert: optional string
3022 In self-signed certificate mode only, name of a PEM file con‐
3023 taining a certificate of the remote switch. The certificate must
3024 be x.509 version 3 and with the string in common name (CN) also
3025 set in the subject alternative name (SAN).
3026 options : remote_name: optional string
3028 In CA-signed certificate mode only, common name (CN) of the re‐
3029 mote certificate.
3030 Tunnel Options: erspan only:
3032 Only erspan interfaces support these options.
3034 options : erspan_idx: optional string
3036 20 bit index/port number associated with the ERSPAN traffic’s
3037 source port and direction (ingress/egress). This field is plat‐
3038 form dependent.
3039 options : erspan_ver: optional string
3041 ERSPAN version: 1 for version 1 (type II) or 2 for version 2
3042 (type III).
3043 options : erspan_dir: optional string
3045 Specifies the ERSPAN v2 mirrored traffic’s direction. 1 for
3046 egress traffic, and 0 for ingress traffic.
3047 options : erspan_hwid: optional string
3049 ERSPAN hardware ID is a 6-bit unique identifier of an ERSPAN v2
3050 engine within a system.
3051 Tunnel Options: Bareudp only:
3053 options : payload_type: optional string
3055 Specifies the ethertype of the l3 protocol the bareudp device is
3056 tunnelling. For the tunnels which supports multiple ethertypes
3057 of a l3 protocol (IP, MPLS) this field specifies the protocol
3058 name as a string.
3059 Tunnel Options: srv6 only:
3061 options : srv6_segs: optional string
3063 Specifies the segment list in Segment Routing Header (SRH). It
3064 consists of a comma-separated list of segments represented in
3065 IPv6 format, e.g. "fc00:100::1,fc00:200::1,fc00:300::1". Note
3066 that the first segment must be the same as options:remote_ip.
3067 options : srv6_flowlabel: optional string, one of compute, copy, or
3069 zero
3070 Optional. This option controls how flowlabel in outer IPv6
3071 header is configured. It gives the benefit of IPv6 flow label
3072 based load balancing, which is supported by some popular vendor
3073 appliances. Like net.ipv6.seg6_flowlabel sysconfig, it is one of
3074 the three values below:
3075 • By default, or if this option is copy, copy the flowlabel
3077 of inner IPv6 header to the flowlabel of outer IPv6
3078 header. If inner header is not IPv6, it is set to 0.
3079 • If this option is zero, simply set flowlabel to 0.
3081 • If this option is compute, set flowlabel to a hash over
3083 the L3/L4 fields of the inner packet.
3084 Patch Options:
3086 These options apply only to patch ports, that is, interfaces whose type
3088 column is patch. Patch ports are mainly a way to connect otherwise in‐
3089 dependent bridges to one another, similar to how one might plug an Eth‐
3090 ernet cable (a ``patch cable’’) into two physical switches to connect
3091 those switches. The effect of plugging a patch port into two switches
3092 is conceptually similar to that of plugging the two ends of a Linux
3093 veth device into those switches, but the implementation of patch ports
3094 makes them much more efficient.
3095 Patch ports may connect two different bridges (the usual case) or the
3097 same bridge. In the latter case, take special care to avoid loops, e.g.
3098 by programming appropriate flows with OpenFlow. Patch ports do not work
3099 if its ends are attached to bridges on different datapaths, e.g. to
3100 connect bridges in system and netdev datapaths.
3101 The following command creates and connects patch ports p0 and p1 and
3103 adds them to bridges br0 and br1, respectively:
3104 ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
3106 -- add-port br1 p1 -- set Interface p1 type=patch options:peer=p0
3107 options : peer: optional string
3110 The name of the Interface for the other side of the patch. The
3111 named Interface’s own peer option must specify this Interface’s
3112 name. That is, the two patch interfaces must have reversed name
3113 and peer values.
3114 PMD (Poll Mode Driver) Options:
3116 Only PMD netdevs support these options.
3118 options : n_rxq: optional string, containing an integer, at least 1
3120 Specifies the maximum number of rx queues to be created for PMD
3121 netdev. If not specified or specified to 0, one rx queue will be
3122 created by default. Not supported by DPDK vHost interfaces.
3123 options : dpdk-devargs: optional string
3125 Specifies the PCI address associated with the port for physical
3126 devices, or the virtual driver to be used for the port when a
3127 virtual PMD is intended to be used. For the latter, the argument
3128 string typically takes the form of eth_driver_namex, where
3129 driver_name is a valid virtual DPDK PMD driver name and x is a
3130 unique identifier of your choice for the given port. Only sup‐
3131 ported by the dpdk port type.
3132 other_config : pmd-rxq-affinity: optional string
3134 Specifies mapping of RX queues of this interface to CPU cores.
3135 Value should be set in the following form:
3137 other_config:pmd-rxq-affinity=<rxq-affinity-list>
3139 where
3141 • <rxq-affinity-list> ::= NULL | <non-empty-list>
3143 • <non-empty-list> ::= <affinity-pair> | <affinity-pair> ,
3145 <non-empty-list>
3146 • <affinity-pair> ::= <queue-id> : <core-id>
3148 options : xdp-mode: optional string, one of best-effort, generic, na‐
3150 tive-with-zerocopy, or native
3151 Specifies the operational mode of the XDP program.
3152 In native-with-zerocopy mode the XDP program is loaded into the
3154 device driver with zero-copy RX and TX enabled. This mode re‐
3155 quires device driver support and has the best performance be‐
3156 cause there should be no copying of packets.
3157 native is the same as native-with-zerocopy, but without zero-
3159 copy capability. This requires at least one copy between kernel
3160 and the userspace. This mode also requires support from device
3161 driver.
3162 In generic case the XDP program in kernel works after skb allo‐
3164 cation on early stages of packet processing inside the network
3165 stack. This mode doesn’t require driver support, but has much
3166 lower performance.
3167 best-effort tries to detect and choose the best (fastest) from
3169 the available modes for current interface.
3170 Note that this option is specific to netdev-afxdp. Defaults to
3172 best-effort mode.
3173 options : use-need-wakeup: optional string, either true or false
3175 Specifies whether to use need_wakeup feature in afxdp netdev. If
3176 enabled, OVS explicitly wakes up the kernel RX, using poll()
3177 syscall and wakes up TX, using sendto() syscall. For physical
3178 devices, this feature improves the performance by avoiding un‐
3179 necessary sendto syscalls. Defaults to true if supported by
3180 libbpf.
3181 options : vhost-server-path: optional string
3183 The value specifies the path to the socket associated with a
3184 vHost User client mode device that has been or will be created
3185 by QEMU. Only supported by dpdkvhostuserclient interfaces.
3186 options : tx-retries-max: optional string, containing an integer, in
3188 range 0 to 32
3189 The value specifies the maximum amount of vhost tx retries that
3190 can be made while trying to send a batch of packets to an inter‐
3191 face. Only supported by dpdkvhostuserclient interfaces.
3192 Default value is 8.
3194 options : n_rxq_desc: optional string, containing an integer, in range
3196 1 to 4,096
3197 Specifies the rx queue size (number rx descriptors) for dpdk
3198 ports. The value must be a power of 2, less than 4096 and sup‐
3199 ported by the hardware of the device being configured. If not
3200 specified or an incorrect value is specified, 2048 rx descrip‐
3201 tors will be used by default.
3202 options : n_txq_desc: optional string, containing an integer, in range
3204 1 to 4,096
3205 Specifies the tx queue size (number tx descriptors) for dpdk
3206 ports. The value must be a power of 2, less than 4096 and sup‐
3207 ported by the hardware of the device being configured. If not
3208 specified or an incorrect value is specified, 2048 tx descrip‐
3209 tors will be used by default.
3210 options : dpdk-vf-mac: optional string
3212 Ethernet address to set for this VF interface. If unset then the
3213 default MAC address is used:
3214 • For most drivers, the default MAC address assigned by
3216 their hardware.
3217 • For bifurcated drivers, the MAC currently used by the
3219 kernel netdevice.
3220 This option may only be used with dpdk VF representors.
3222 options : rx-steering: optional string, either rss+lacp or rss
3224 Configure hardware Rx queue steering policy.
3225 This option takes one of the following values:
3227 rss Distribution of ingress packets in all Rx queues accord‐
3229 ing to the RSS algorithm. This is the default behaviour.
3230 rss+lacp
3232 Distribution of ingress packets according to the RSS al‐
3233 gorithm on all but the last Rx queue. An extra Rx queue
3234 is allocated for LACP packets.
3235 If the user has already configured multiple options:n_rxq on the
3237 port, an additional one will be allocated for the specified pro‐
3238 tocols. Even if the hardware cannot satisfy the requested number
3239 of requested Rx queues, the last Rx queue will be used. If only
3240 one Rx queue is available or if the hardware does not support
3241 the rte_flow matchers/actions required to redirect the selected
3242 protocols, custom rx-steering will fall back to default rss
3243 mode.
3244 This feature is mutually exclusive with other_config:hw-offload
3246 as it may conflict with the offloaded flows. If both are en‐
3247 abled, rx-steering will fall back to default rss mode.
3248 This option is only applicable to interfaces with type dpdk.
3250 other_config : tx-steering: optional string, either hash or thread
3252 Specifies the Tx steering mode for the interface.
3253 thread enables static (1:1) thread-to-txq mapping when the num‐
3255 ber of Tx queues is greater than number of PMD threads, and dy‐
3256 namic (N:1) mapping if equal or lower. In this mode a single
3257 thread can not use more than 1 transmit queue of a given port.
3258 hash enables hash-based Tx steering, which distributes the pack‐
3260 ets on all the transmit queues based on their 5-tuples hashes.
3261 Defaults to thread.
3263 EMC (Exact Match Cache) Configuration:
3265 These settings controls behaviour of EMC lookups/insertions for packets
3267 received from the interface.
3268 other_config : emc-enable: optional string, either true or false
3270 Specifies if Exact Match Cache (EMC) should be used while pro‐
3271 cessing packets received from this interface. If true,
3272 other_config:emc-insert-inv-prob will have effect on this inter‐
3273 face.
3274 Defaults to true.
3276 MTU:
3278 The MTU (maximum transmission unit) is the largest amount of data that
3280 can fit into a single Ethernet frame. The standard Ethernet MTU is 1500
3281 bytes. Some physical media and many kinds of virtual interfaces can be
3282 configured with higher MTUs.
3283 A client may change an interface MTU by filling in mtu_request. Open
3285 vSwitch then reports in mtu the currently configured value.
3286 mtu: optional integer
3288 The currently configured MTU for the interface.
3289 This column will be empty for an interface that does not have an
3291 MTU as, for example, some kinds of tunnels do not.
3292 Open vSwitch sets this column’s value, so other clients should
3294 treat it as read-only.
3295 mtu_request: optional integer, at least 1
3297 Requested MTU (Maximum Transmission Unit) for the interface. A
3298 client can fill this column to change the MTU of an interface.
3299 RFC 791 requires every internet module to be able to forward a
3301 datagram of 68 octets without further fragmentation. The maximum
3302 size of an IP packet is 65535 bytes.
3303 If this is not set and if the interface has internal type, Open
3305 vSwitch will change the MTU to match the minimum of the other
3306 interfaces in the bridge.
3307 Interface Status:
3309 Status information about interfaces attached to bridges, updated every
3311 5 seconds. Not all interfaces have all of these properties; virtual in‐
3312 terfaces don’t have a link speed, for example. Non-applicable columns
3313 will have empty values.
3314 admin_state: optional string, either down or up
3316 The administrative state of the physical network link.
3317 link_state: optional string, either down or up
3319 The observed state of the physical network link. This is ordi‐
3320 narily the link’s carrier status. If the interface’s Port is a
3321 bond configured for miimon monitoring, it is instead the network
3322 link’s miimon status.
3323 link_resets: optional integer
3325 The number of times Open vSwitch has observed the link_state of
3326 this Interface change.
3327 link_speed: optional integer
3329 The negotiated speed of the physical network link. Valid values
3330 are positive integers greater than 0.
3331 duplex: optional string, either full or half
3333 The duplex mode of the physical network link.
3334 lacp_current: optional boolean
3336 Boolean value indicating LACP status for this interface. If
3337 true, this interface has current LACP information about its LACP
3338 partner. This information may be used to monitor the health of
3339 interfaces in a LACP enabled port. This column will be empty if
3340 LACP is not enabled.
3341 status: map of string-string pairs
3343 Key-value pairs that report port status. Supported status values
3344 are type-dependent; some interfaces may not have a valid sta‐
3345 tus:driver_name, for example.
3346 status : driver_name: optional string
3348 The name of the device driver controlling the network adapter.
3349 status : driver_version: optional string
3351 The version string of the device driver controlling the network
3352 adapter.
3353 status : firmware_version: optional string
3355 The version string of the network adapter’s firmware, if avail‐
3356 able.
3357 status : source_ip: optional string
3359 The source IP address used for an IPv4/IPv6 tunnel end-point,
3360 such as gre.
3361 status : tunnel_egress_iface: optional string
3363 Egress interface for tunnels. Currently only relevant for tun‐
3364 nels on Linux systems, this column will show the name of the in‐
3365 terface which is responsible for routing traffic destined for
3366 the configured options:remote_ip. This could be an internal in‐
3367 terface such as a bridge port.
3368 status : tunnel_egress_iface_carrier: optional string, either down or
3370 up
3371 Whether carrier is detected on status:tunnel_egress_iface.
3372 dpdk:
3374 DPDK specific interface status options.
3376 status : port_no: optional string
3378 DPDK port ID.
3379 status : numa_id: optional string
3381 NUMA socket ID to which an Ethernet device is connected.
3382 status : min_rx_bufsize: optional string
3384 Minimum size of RX buffer.
3385 status : max_rx_pktlen: optional string
3387 Maximum configurable length of RX pkt.
3388 status : max_rx_queues: optional string
3390 Maximum number of RX queues.
3391 status : max_tx_queues: optional string
3393 Maximum number of TX queues.
3394 status : max_mac_addrs: optional string
3396 Maximum number of MAC addresses.
3397 status : max_hash_mac_addrs: optional string
3399 Maximum number of hash MAC addresses for MTA and UTA.
3400 status : max_vfs: optional string
3402 Maximum number of hash MAC addresses for MTA and UTA. Maximum
3403 number of VFs.
3404 status : max_vmdq_pools: optional string
3406 Maximum number of VMDq pools.
3407 status : if_type: optional string
3409 Interface type ID according to IANA ifTYPE MIB definitions.
3410 status : if_descr: optional string
3412 Interface description string.
3413 status : pci-vendor_id: optional string
3415 Vendor ID of PCI device.
3416 status : pci-device_id: optional string
3418 Device ID of PCI device.
3419 Statistics:
3421 Key-value pairs that report interface statistics. The current implemen‐
3423 tation updates these counters periodically. The update period is con‐
3424 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
3425 ble. Future implementations may update them when an interface is cre‐
3426 ated, when they are queried (e.g. using an OVSDB select operation), and
3427 just before an interface is deleted due to virtual interface hot-unplug
3428 or VM shutdown, and perhaps at other times, but not on any regular pe‐
3429 riodic basis.
3430 These are the same statistics reported by OpenFlow in its struct
3432 ofp_port_stats structure. If an interface does not support a given
3433 statistic, then that pair is omitted.
3434 Statistics: Successful transmit and receive counters:
3436 statistics : rx_packets: optional integer
3438 Number of received packets.
3439 statistics : rx_bytes: optional integer
3441 Number of received bytes.
3442 statistics : tx_packets: optional integer
3444 Number of transmitted packets.
3445 statistics : tx_bytes: optional integer
3447 Number of transmitted bytes.
3448 Statistics: Receive errors:
3450 statistics : rx_dropped: optional integer
3452 Number of packets dropped by RX.
3453 statistics : rx_frame_err: optional integer
3455 Number of frame alignment errors.
3456 statistics : rx_over_err: optional integer
3458 Number of packets with RX overrun.
3459 statistics : rx_crc_err: optional integer
3461 Number of CRC errors.
3462 statistics : rx_errors: optional integer
3464 Total number of receive errors, greater than or equal to the sum
3465 of the above.
3466 Statistics: Transmit errors:
3468 statistics : tx_dropped: optional integer
3470 Number of packets dropped by TX.
3471 statistics : collisions: optional integer
3473 Number of collisions.
3474 statistics : tx_errors: optional integer
3476 Total number of transmit errors, greater than or equal to the
3477 sum of the above.
3478 Ingress Policing:
3480 These settings control ingress policing for packets received on this
3482 interface. On a physical interface, this limits the rate at which traf‐
3483 fic is allowed into the system from the outside; on a virtual interface
3484 (one connected to a virtual machine), this limits the rate at which the
3485 VM is able to transmit.
3486 Policing is a simple form of quality-of-service that simply drops pack‐
3488 ets received in excess of the configured rate. Due to its simplicity,
3489 policing is usually less accurate and less effective than egress QoS
3490 (which is configured using the QoS and Queue tables).
3491 Policing settings can be set with byte rate or packet rate, and they
3493 can be configured together, in which case they take effect together,
3494 that means the smaller speed limit of them is in effect.
3495 Currently, byte rate policing is implemented on Linux and OVS with
3497 DPDK, while packet rate policing is only implemented on Linux. Both
3498 Linux and OVS DPDK implementations use a simple ``token bucket’’ ap‐
3499 proach.
3500 Byte rate policing:
3502 • The size of the bucket corresponds to ingress_polic‐
3504 ing_burst. Initially the bucket is full.
3505 • Whenever a packet is received, its size (converted to to‐
3507 kens) is compared to the number of tokens currently in
3508 the bucket. If the required number of tokens are avail‐
3509 able, they are removed and the packet is forwarded. Oth‐
3510 erwise, the packet is dropped.
3511 • Whenever it is not full, the bucket is refilled with to‐
3513 kens at the rate specified by ingress_policing_rate.
3514 Packet rate policing:
3516 • The size of the bucket corresponds to ingress_polic‐
3518 ing_kpkts_burst. Initially the bucket is full.
3519 • Whenever a packet is received, it will consume one token
3521 from the current bucket. If the token is available in the
3522 bucket, it’s removed and the packet is forwarded. Other‐
3523 wise, the packet is dropped.
3524 • Whenever it is not full, the bucket is refilled with to‐
3526 kens at the rate specified by ingress_policing_kp‐
3527 kts_rate.
3528 Policing interacts badly with some network protocols, and especially
3530 with fragmented IP packets. Suppose that there is enough network activ‐
3531 ity to keep the bucket nearly empty all the time. Then this token
3532 bucket algorithm will forward a single packet every so often, with the
3533 period depending on packet size and on the configured rate. All of the
3534 fragments of an IP packets are normally transmitted back-to-back, as a
3535 group. In such a situation, therefore, only one of these fragments will
3536 be forwarded and the rest will be dropped. IP does not provide any way
3537 for the intended recipient to ask for only the remaining fragments. In
3538 such a case there are two likely possibilities for what will happen
3539 next: either all of the fragments will eventually be retransmitted (as
3540 TCP will do), in which case the same problem will recur, or the sender
3541 will not realize that its packet has been dropped and data will simply
3542 be lost (as some UDP-based protocols will do). Either way, it is possi‐
3543 ble that no forward progress will ever occur.
3544 ingress_policing_rate: integer, at least 0
3546 Maximum rate for data received on this interface, in kbps. Data
3547 received faster than this rate is dropped. Set to 0 (the de‐
3548 fault) to disable policing.
3549 ingress_policing_kpkts_rate: integer, at least 0
3551 Maximum rate for data received on this interface, in kpps (1
3552 kpps is 1000 pps). Data received faster than this rate is
3553 dropped. Set to 0 (the default) to disable policing.
3554 ingress_policing_burst: integer, at least 0
3556 Maximum burst size for data received on this interface, in kb.
3557 The default burst size if set to 0 is 8000 kbit. This value has
3558 no effect if ingress_policing_rate is 0.
3559 Specifying a larger burst size lets the algorithm be more for‐
3561 giving, which is important for protocols like TCP that react se‐
3562 verely to dropped packets. The burst size should be at least the
3563 size of the interface’s MTU. Specifying a value that is numeri‐
3564 cally at least as large as 80% of ingress_policing_rate helps
3565 TCP come closer to achieving the full rate.
3566 ingress_policing_kpkts_burst: integer, at least 0
3568 Maximum burst size for data received on this interface, in kpkts
3569 (1 kpkts is 1000 packets). The default burst size if set to 0 is
3570 16 kpkts. This value has no effect if ingress_policing_kp‐
3571 kts_rate is 0.
3572 Specifying a larger burst size lets the algorithm be more for‐
3574 giving, which is important for protocols like TCP that react se‐
3575 verely to dropped packets. Specifying a value that is numeri‐
3576 cally at least as large as 80% of ingress_policing_kpkts_rate
3577 helps TCP come closer to achieving the full rate.
3578 Bidirectional Forwarding Detection (BFD):
3580 BFD, defined in RFC 5880 and RFC 5881, allows point-to-point detection
3582 of connectivity failures by occasional transmission of BFD control mes‐
3583 sages. Open vSwitch implements BFD to serve as a more popular and stan‐
3584 dards compliant alternative to CFM.
3585 BFD operates by regularly transmitting BFD control messages at a rate
3587 negotiated independently in each direction. Each endpoint specifies the
3588 rate at which it expects to receive control messages, and the rate at
3589 which it is willing to transmit them. By default, Open vSwitch uses a
3590 detection multiplier of three, meaning that an endpoint signals a con‐
3591 nectivity fault if three consecutive BFD control messages fail to ar‐
3592 rive. In the case of a unidirectional connectivity issue, the system
3593 not receiving BFD control messages signals the problem to its peer in
3594 the messages it transmits.
3595 The Open vSwitch implementation of BFD aims to comply faithfully with
3597 RFC 5880 requirements. Open vSwitch does not implement the optional Au‐
3598 thentication or ``Echo Mode’’ features.
3599 OVS 2.13 and earlier intercepted and processed all BFD packets. OVS
3601 2.14 and later only intercept and process BFD packets destined to a
3602 configured BFD instance, and other BFD packets are made available to
3603 the OVS flow table for forwarding.
3604 BFD Configuration:
3606 A controller sets up key-value pairs in the bfd column to enable and
3608 configure BFD.
3609 bfd : enable: optional string, either true or false
3611 True to enable BFD on this Interface. If not specified, BFD will
3612 not be enabled by default.
3613 bfd : min_rx: optional string, containing an integer, at least 1
3615 The shortest interval, in milliseconds, at which this BFD ses‐
3616 sion offers to receive BFD control messages. The remote endpoint
3617 may choose to send messages at a slower rate. Defaults to 1000.
3618 bfd : min_tx: optional string, containing an integer, at least 1
3620 The shortest interval, in milliseconds, at which this BFD ses‐
3621 sion is willing to transmit BFD control messages. Messages will
3622 actually be transmitted at a slower rate if the remote endpoint
3623 is not willing to receive as quickly as specified. Defaults to
3624 100.
3625 bfd : decay_min_rx: optional string, containing an integer
3627 An alternate receive interval, in milliseconds, that must be
3628 greater than or equal to bfd:min_rx. The implementation switches
3629 from bfd:min_rx to bfd:decay_min_rx when there is no obvious in‐
3630 coming data traffic at the interface, to reduce the CPU and
3631 bandwidth cost of monitoring an idle interface. This feature may
3632 be disabled by setting a value of 0. This feature is reset when‐
3633 ever bfd:decay_min_rx or bfd:min_rx changes.
3634 bfd : forwarding_if_rx: optional string, either true or false
3636 When true, traffic received on the Interface is used to indicate
3637 the capability of packet I/O. BFD control packets are still
3638 transmitted and received. At least one BFD control packet must
3639 be received every 100 * bfd:min_rx amount of time. Otherwise,
3640 even if traffic are received, the bfd:forwarding will be false.
3641 bfd : cpath_down: optional string, either true or false
3643 Set to true to notify the remote endpoint that traffic should
3644 not be forwarded to this system for some reason other than a
3645 connectivty failure on the interface being monitored. The typi‐
3646 cal underlying reason is ``concatenated path down,’’ that is,
3647 that connectivity beyond the local system is down. Defaults to
3648 false.
3649 bfd : check_tnl_key: optional string, either true or false
3651 Set to true to make BFD accept only control messages with a tun‐
3652 nel key of zero. By default, BFD accepts control messages with
3653 any tunnel key.
3654 bfd : bfd_local_src_mac: optional string
3656 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3657 the MAC used as source for transmitted BFD packets. The default
3658 is the mac address of the BFD enabled interface.
3659 bfd : bfd_local_dst_mac: optional string
3661 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3662 the MAC used as destination for transmitted BFD packets. The de‐
3663 fault is 00:23:20:00:00:01.
3664 bfd : bfd_remote_dst_mac: optional string
3666 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3667 the MAC used for checking the destination of received BFD pack‐
3668 ets. Packets with different destination MAC will not be consid‐
3669 ered as BFD packets. If not specified the destination MAC ad‐
3670 dress of received BFD packets are not checked.
3671 bfd : bfd_src_ip: optional string
3673 Set to an IPv4 address to set the IP address used as source for
3674 transmitted BFD packets. The default is 169.254.1.1.
3675 bfd : bfd_dst_ip: optional string
3677 Set to an IPv4 address to set the IP address used as destination
3678 for transmitted BFD packets. The default is 169.254.1.0.
3679 bfd : oam: optional string
3681 Some tunnel protocols (such as Geneve) include a bit in the
3682 header to indicate that the encapsulated packet is an OAM frame.
3683 By setting this to true, BFD packets will be marked as OAM if
3684 encapsulated in one of these tunnels.
3685 bfd : mult: optional string, containing an integer, in range 1 to 255
3687 The BFD detection multiplier, which defaults to 3. An endpoint
3688 signals a connectivity fault if the given number of consecutive
3689 BFD control messages fail to arrive.
3690 BFD Status:
3692 The switch sets key-value pairs in the bfd_status column to report the
3694 status of BFD on this interface. When BFD is not enabled, with bfd:en‐
3695 able, the switch clears all key-value pairs from bfd_status.
3696 bfd_status : state: optional string, one of admin_down, down, init, or
3698 up
3699 Reports the state of the BFD session. The BFD session is fully
3700 healthy and negotiated if UP.
3701 bfd_status : forwarding: optional string, either true or false
3703 Reports whether the BFD session believes this Interface may be
3704 used to forward traffic. Typically this means the local session
3705 is signaling UP, and the remote system isn’t signaling a problem
3706 such as concatenated path down.
3707 bfd_status : diagnostic: optional string
3709 A diagnostic code specifying the local system’s reason for the
3710 last change in session state. The error messages are defined in
3711 section 4.1 of [RFC 5880].
3712 bfd_status : remote_state: optional string, one of admin_down, down,
3714 init, or up
3715 Reports the state of the remote endpoint’s BFD session.
3716 bfd_status : remote_diagnostic: optional string
3718 A diagnostic code specifying the remote system’s reason for the
3719 last change in session state. The error messages are defined in
3720 section 4.1 of [RFC 5880].
3721 bfd_status : flap_count: optional string, containing an integer, at
3723 least 0
3724 Counts the number of bfd_status:forwarding flaps since start. A
3725 flap is considered as a change of the bfd_status:forwarding
3726 value.
3727 Connectivity Fault Management:
3729 802.1ag Connectivity Fault Management (CFM) allows a group of Mainte‐
3731 nance Points (MPs) called a Maintenance Association (MA) to detect con‐
3732 nectivity problems with each other. MPs within a MA should have com‐
3733 plete and exclusive interconnectivity. This is verified by occasionally
3734 broadcasting Continuity Check Messages (CCMs) at a configurable trans‐
3735 mission interval.
3736 According to the 802.1ag specification, each Maintenance Point should
3738 be configured out-of-band with a list of Remote Maintenance Points it
3739 should have connectivity to. Open vSwitch differs from the specifica‐
3740 tion in this area. It simply assumes the link is faulted if no Remote
3741 Maintenance Points are reachable, and considers it not faulted other‐
3742 wise.
3743 When operating over tunnels which have no in_key, or an in_key of flow.
3745 CFM will only accept CCMs with a tunnel key of zero.
3746 cfm_mpid: optional integer
3748 A Maintenance Point ID (MPID) uniquely identifies each endpoint
3749 within a Maintenance Association. The MPID is used to identify
3750 this endpoint to other Maintenance Points in the MA. Each end of
3751 a link being monitored should have a different MPID. Must be
3752 configured to enable CFM on this Interface.
3753 According to the 802.1ag specification, MPIDs can only range be‐
3755 tween [1, 8191]. However, extended mode (see other_con‐
3756 fig:cfm_extended) supports eight byte MPIDs.
3757 cfm_flap_count: optional integer
3759 Counts the number of cfm fault flapps since boot. A flap is con‐
3760 sidered to be a change of the cfm_fault value.
3761 cfm_fault: optional boolean
3763 Indicates a connectivity fault triggered by an inability to re‐
3764 ceive heartbeats from any remote endpoint. When a fault is trig‐
3765 gered on Interfaces participating in bonds, they will be dis‐
3766 abled.
3767 Faults can be triggered for several reasons. Most importantly
3769 they are triggered when no CCMs are received for a period of 3.5
3770 times the transmission interval. Faults are also triggered when
3771 any CCMs indicate that a Remote Maintenance Point is not receiv‐
3772 ing CCMs but able to send them. Finally, a fault is triggered if
3773 a CCM is received which indicates unexpected configuration. No‐
3774 tably, this case arises when a CCM is received which advertises
3775 the local MPID.
3776 cfm_fault_status : recv: none
3778 Indicates a CFM fault was triggered due to a lack of CCMs re‐
3779 ceived on the Interface.
3780 cfm_fault_status : rdi: none
3782 Indicates a CFM fault was triggered due to the reception of a
3783 CCM with the RDI bit flagged. Endpoints set the RDI bit in their
3784 CCMs when they are not receiving CCMs themselves. This typically
3785 indicates a unidirectional connectivity failure.
3786 cfm_fault_status : maid: none
3788 Indicates a CFM fault was triggered due to the reception of a
3789 CCM with a MAID other than the one Open vSwitch uses. CFM broad‐
3790 casts are tagged with an identification number in addition to
3791 the MPID called the MAID. Open vSwitch only supports receiving
3792 CCM broadcasts tagged with the MAID it uses internally.
3793 cfm_fault_status : loopback: none
3795 Indicates a CFM fault was triggered due to the reception of a
3796 CCM advertising the same MPID configured in the cfm_mpid column
3797 of this Interface. This may indicate a loop in the network.
3798 cfm_fault_status : overflow: none
3800 Indicates a CFM fault was triggered because the CFM module re‐
3801 ceived CCMs from more remote endpoints than it can keep track
3802 of.
3803 cfm_fault_status : override: none
3805 Indicates a CFM fault was manually triggered by an administrator
3806 using an ovs-appctl command.
3807 cfm_fault_status : interval: none
3809 Indicates a CFM fault was triggered due to the reception of a
3810 CCM frame having an invalid interval.
3811 cfm_remote_opstate: optional string, either down or up
3813 When in extended mode, indicates the operational state of the
3814 remote endpoint as either up or down. See other_config:cfm_op‐
3815 state.
3816 cfm_health: optional integer, in range 0 to 100
3818 Indicates the health of the interface as a percentage of CCM
3819 frames received over 21 other_config:cfm_intervals. The health
3820 of an interface is undefined if it is communicating with more
3821 than one cfm_remote_mpids. It reduces if healthy heartbeats are
3822 not received at the expected rate, and gradually improves as
3823 healthy heartbeats are received at the desired rate. Every 21
3824 other_config:cfm_intervals, the health of the interface is re‐
3825 freshed.
3826 As mentioned above, the faults can be triggered for several rea‐
3828 sons. The link health will deteriorate even if heartbeats are
3829 received but they are reported to be unhealthy. An unhealthy
3830 heartbeat in this context is a heartbeat for which either some
3831 fault is set or is out of sequence. The interface health can be
3832 100 only on receiving healthy heartbeats at the desired rate.
3833 cfm_remote_mpids: set of integers
3835 When CFM is properly configured, Open vSwitch will occasionally
3836 receive CCM broadcasts. These broadcasts contain the MPID of the
3837 sending Maintenance Point. The list of MPIDs from which this In‐
3838 terface is receiving broadcasts from is regularly collected and
3839 written to this column.
3840 other_config : cfm_interval: optional string, containing an integer
3842 The interval, in milliseconds, between transmissions of CFM
3843 heartbeats. Three missed heartbeat receptions indicate a connec‐
3844 tivity fault.
3845 In standard operation only intervals of 3, 10, 100, 1,000,
3847 10,000, 60,000, or 600,000 ms are supported. Other values will
3848 be rounded down to the nearest value on the list. Extended mode
3849 (see other_config:cfm_extended) supports any interval up to
3850 65,535 ms. In either mode, the default is 1000 ms.
3851 We do not recommend using intervals less than 100 ms.
3853 other_config : cfm_extended: optional string, either true or false
3855 When true, the CFM module operates in extended mode. This causes
3856 it to use a nonstandard destination address to avoid conflicting
3857 with compliant implementations which may be running concurrently
3858 on the network. Furthermore, extended mode increases the accu‐
3859 racy of the cfm_interval configuration parameter by breaking
3860 wire compatibility with 802.1ag compliant implementations. And
3861 extended mode allows eight byte MPIDs. Defaults to false.
3862 other_config : cfm_demand: optional string, either true or false
3864 When true, and other_config:cfm_extended is true, the CFM module
3865 operates in demand mode. When in demand mode, traffic received
3866 on the Interface is used to indicate liveness. CCMs are still
3867 transmitted and received. At least one CCM must be received ev‐
3868 ery 100 * other_config:cfm_interval amount of time. Otherwise,
3869 even if traffic are received, the CFM module will raise the con‐
3870 nectivity fault.
3871 Demand mode has a couple of caveats:
3873 • To ensure that ovs-vswitchd has enough time to pull sta‐
3875 tistics from the datapath, the fault detection interval
3876 is set to 3.5 * MAX(other_config:cfm_interval, 500) ms.
3877 • To avoid ambiguity, demand mode disables itself when
3879 there are multiple remote maintenance points.
3880 • If the Interface is heavily congested, CCMs containing
3882 the other_config:cfm_opstate status may be dropped caus‐
3883 ing changes in the operational state to be delayed. Simi‐
3884 larly, if CCMs containing the RDI bit are not received,
3885 unidirectional link failures may not be detected.
3886 other_config : cfm_opstate: optional string, either down or up
3888 When down, the CFM module marks all CCMs it generates as opera‐
3889 tionally down without triggering a fault. This allows remote
3890 maintenance points to choose not to forward traffic to the In‐
3891 terface on which this CFM module is running. Currently, in Open
3892 vSwitch, the opdown bit of CCMs affects Interfaces participating
3893 in bonds, and the bundle OpenFlow action. This setting is ig‐
3894 nored when CFM is not in extended mode. Defaults to up.
3895 other_config : cfm_ccm_vlan: optional string, containing an integer, in
3897 range 1 to 4,095
3898 When set, the CFM module will apply a VLAN tag to all CCMs it
3899 generates with the given value. May be the string random in
3900 which case each CCM will be tagged with a different randomly
3901 generated VLAN.
3902 other_config : cfm_ccm_pcp: optional string, containing an integer, in
3904 range 1 to 7
3905 When set, the CFM module will apply a VLAN tag to all CCMs it
3906 generates with the given PCP value, the VLAN ID of the tag is
3907 governed by the value of other_config:cfm_ccm_vlan. If
3908 other_config:cfm_ccm_vlan is unset, a VLAN ID of zero is used.
3909 Bonding Configuration:
3911 other_config : lacp-port-id: optional string, containing an integer, in
3913 range 1 to 65,535
3914 The LACP port ID of this Interface. Port IDs are used in LACP
3915 negotiations to identify individual ports participating in a
3916 bond.
3917 other_config : lacp-port-priority: optional string, containing an inte‐
3919 ger, in range 1 to 65,535
3920 The LACP port priority of this Interface. In LACP negotiations
3921 Interfaces with numerically lower priorities are preferred for
3922 aggregation.
3923 other_config : lacp-aggregation-key: optional string, containing an in‐
3925 teger, in range 1 to 65,535
3926 The LACP aggregation key of this Interface. Interfaces with dif‐
3927 ferent aggregation keys may not be active within a given Port at
3928 the same time.
3929 Virtual Machine Identifiers:
3931 These key-value pairs specifically apply to an interface that repre‐
3933 sents a virtual Ethernet interface connected to a virtual machine.
3934 These key-value pairs should not be present for other types of inter‐
3935 faces. Keys whose names end in -uuid have values that uniquely identify
3936 the entity in question.
3937 external_ids : attached-mac: optional string
3939 The MAC address programmed into the ``virtual hardware’’ for
3940 this interface, in the form xx:xx:xx:xx:xx:xx.
3941 external_ids : iface-id: optional string
3943 A system-unique identifier for the interface.
3944 external_ids : iface-status: optional string, either active or inactive
3946 Hypervisors may sometimes have more than one interface associ‐
3947 ated with a given external_ids:iface-id, only one of which is
3948 actually in use at a given time. For example, in some circum‐
3949 stances hypervisor may have both a ``tap’’ and a ``vif’’ inter‐
3950 face for a single external_ids:iface-id, but only uses one of
3951 them at a time. A hypervisor that behaves this way must mark the
3952 currently in use interface active and the others inactive. A hy‐
3953 pervisor that never has more than one interface for a given ex‐
3954 ternal_ids:iface-id may mark that interface active or omit ex‐
3955 ternal_ids:iface-status entirely.
3956 During VM migration, a given external_ids:iface-id might tran‐
3958 siently be marked active on two different hypervisors. That is,
3959 active means that this external_ids:iface-id is the active in‐
3960 stance within a single hypervisor, not in a broader scope. There
3961 is one exception: some hypervisors support ``migration’’ from a
3962 given hypervisor to itself (most often for test purposes). Dur‐
3963 ing such a ``migration,’’ two instances of a single exter‐
3964 nal_ids:iface-id might both be briefly marked active on a single
3965 hypervisor.
3966 external_ids : vm-id: optional string
3968 The VM to which this interface belongs.
3969 Auto Attach Configuration:
3971 Auto Attach configuration for a particular interface.
3973 lldp : enable: optional string, either true or false
3975 True to enable LLDP on this Interface. If not specified, LLDP
3976 will be disabled by default.
3977 Flow control Configuration:
3979 Ethernet flow control defined in IEEE 802.1Qbb provides link level flow
3981 control using MAC pause frames. Implemented only for interfaces with
3982 type dpdk.
3983 options : rx-flow-ctrl: optional string, either true or false
3985 Set to true to enable Rx flow control on physical ports. By de‐
3986 fault, Rx flow control is disabled.
3987 options : tx-flow-ctrl: optional string, either true or false
3989 Set to true to enable Tx flow control on physical ports. By de‐
3990 fault, Tx flow control is disabled.
3991 options : flow-ctrl-autoneg: optional string, either true or false
3993 Set to true to enable flow control auto negotiation on physical
3994 ports. By default, auto-neg is disabled.
3995 Link State Change detection mode:
3997 options : dpdk-lsc-interrupt: optional string, either true or false
3999 Set this value to true to configure interrupt mode for Link
4000 State Change (LSC) detection instead of poll mode for the DPDK
4001 interface.
4002 If this value is not set, poll mode is configured.
4004 This parameter has an effect only on netdev dpdk interfaces.
4006 Common Columns:
4008 The overall purpose of these columns is described under Common Columns
4010 at the beginning of this document.
4011 other_config: map of string-string pairs
4013 external_ids: map of string-string pairs
4015
4017 Configuration for a particular OpenFlow table.
4018 Summary:
4020 name optional string
4021 Eviction Policy:
4022 flow_limit optional integer, at least 0
4023 overflow_policy optional string, either evict or refuse
4024 groups set of strings
4025 Classifier Optimization:
4026 prefixes set of up to 3 strings
4027 Common Columns:
4028 external_ids map of string-string pairs
4029 Details:
4031 name: optional string
4032 The table’s name. Set this column to change the name that con‐
4033 trollers will receive when they request table statistics, e.g.
4034 ovs-ofctl dump-tables. The name does not affect switch behavior.
4035 Eviction Policy:
4037 Open vSwitch supports limiting the number of flows that may be in‐
4039 stalled in a flow table, via the flow_limit column. When adding a flow
4040 would exceed this limit, by default Open vSwitch reports an error, but
4041 there are two ways to configure Open vSwitch to instead delete
4042 (``evict’’) a flow to make room for the new one:
4043 • Set the overflow_policy column to evict.
4045 • Send an OpenFlow 1.4+ ``table mod request’’ to enable
4047 eviction for the flow table (e.g. ovs-ofctl -O OpenFlow14
4048 mod-table br0 0 evict to enable eviction on flow table 0
4049 of bridge br0).
4050 When a flow must be evicted due to overflow, the flow to evict is cho‐
4052 sen through an approximation of the following algorithm. This algorithm
4053 is used regardless of how eviction was enabled:
4054 1. Divide the flows in the table into groups based on the val‐
4056 ues of the fields or subfields specified in the groups col‐
4057 umn, so that all of the flows in a given group have the same
4058 values for those fields. If a flow does not specify a given
4059 field, that field’s value is treated as 0. If groups is
4060 empty, then all of the flows in the flow table are treated
4061 as a single group.
4062 2. Consider the flows in the largest group, that is, the group
4064 that contains the greatest number of flows. If two or more
4065 groups all have the same largest number of flows, consider
4066 the flows in all of those groups.
4067 3. If the flows under consideration have different importance
4069 values, eliminate from consideration any flows except those
4070 with the lowest importance. (``Importance,’’ a 16-bit inte‐
4071 ger value attached to each flow, was introduced in OpenFlow
4072 1.4. Flows inserted with older versions of OpenFlow always
4073 have an importance of 0.)
4074 4. Among the flows under consideration, choose the flow that
4076 expires soonest for eviction.
4077 The eviction process only considers flows that have an idle timeout or
4079 a hard timeout. That is, eviction never deletes permanent flows. (Per‐
4080 manent flows do count against flow_limit.)
4081 flow_limit: optional integer, at least 0
4083 If set, limits the number of flows that may be added to the ta‐
4084 ble. Open vSwitch may limit the number of flows in a table for
4085 other reasons, e.g. due to hardware limitations or for resource
4086 availability or performance reasons.
4087 overflow_policy: optional string, either evict or refuse
4089 Controls the switch’s behavior when an OpenFlow flow table modi‐
4090 fication request would add flows in excess of flow_limit. The
4091 supported values are:
4092 refuse Refuse to add the flow or flows. This is also the default
4094 policy when overflow_policy is unset.
4095 evict Delete a flow chosen according to the algorithm described
4097 above.
4098 groups: set of strings
4100 When overflow_policy is evict, this controls how flows are cho‐
4101 sen for eviction when the flow table would otherwise exceed
4102 flow_limit flows. Its value is a set of NXM fields or sub-
4103 fields, each of which takes one of the forms field[] or
4104 field[start..end], e.g. NXM_OF_IN_PORT[]. Please see meta-flow.h
4105 for a complete list of NXM field names.
4106 Open vSwitch ignores any invalid or unknown field specifica‐
4108 tions.
4109 When eviction is not enabled, via overflow_policy or an OpenFlow
4111 1.4+ ``table mod,’’ this column has no effect.
4112 Classifier Optimization:
4114 prefixes: set of up to 3 strings
4116 This string set specifies which fields should be used for ad‐
4117 dress prefix tracking. Prefix tracking allows the classifier to
4118 skip rules with longer than necessary prefixes, resulting in
4119 better wildcarding for datapath flows.
4120 Prefix tracking may be beneficial when a flow table contains
4122 matches on IP address fields with different prefix lengths. For
4123 example, when a flow table contains IP address matches on both
4124 full addresses and proper prefixes, the full address matches
4125 will typically cause the datapath flow to un-wildcard the whole
4126 address field (depending on flow entry priorities). In this case
4127 each packet with a different address gets handed to the
4128 userspace for flow processing and generates its own datapath
4129 flow. With prefix tracking enabled for the address field in
4130 question packets with addresses matching shorter prefixes would
4131 generate datapath flows where the irrelevant address bits are
4132 wildcarded, allowing the same datapath flow to handle all the
4133 packets within the prefix in question. In this case many
4134 userspace upcalls can be avoided and the overall performance can
4135 be better.
4136 This is a performance optimization only, so packets will receive
4138 the same treatment with or without prefix tracking.
4139 The supported fields are: tun_id, tun_src, tun_dst,
4141 tun_ipv6_src, tun_ipv6_dst, nw_src, nw_dst (or aliases ip_src
4142 and ip_dst), ipv6_src, and ipv6_dst. (Using this feature for
4143 tun_id would only make sense if the tunnel IDs have prefix
4144 structure similar to IP addresses.)
4145 By default, the prefixes=ip_dst,ip_src are used on each flow ta‐
4147 ble. This instructs the flow classifier to track the IP destina‐
4148 tion and source addresses used by the rules in this specific
4149 flow table.
4150 The keyword none is recognized as an explicit override of the
4152 default values, causing no prefix fields to be tracked.
4153 To set the prefix fields, the flow table record needs to exist:
4155 ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create
4157 Flow_Table name=table0
4158 Creates a flow table record for the OpenFlow table number
4159 0.
4160 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
4162 Enables prefix tracking for IP source and destination ad‐
4163 dress fields.
4164 There is a maximum number of fields that can be enabled for any
4166 one flow table. Currently this limit is 3.
4167 Common Columns:
4169 The overall purpose of these columns is described under Common Columns
4171 at the beginning of this document.
4172 external_ids: map of string-string pairs
4174
4176 Quality of Service (QoS) configuration for each Port that references
4177 it.
4178 Summary:
4180 type string
4181 queues map of integer-Queue pairs, key in range
4182 0 to 4,294,967,295
4183 Configuration for linux-htb and linux-hfsc:
4184 other_config : max-rate optional string, containing an integer
4185 Configuration for egress-policer QoS:
4186 other_config : cir optional string, containing an integer
4187 other_config : cbs optional string, containing an integer
4188 other_config : eir optional string, containing an integer
4189 other_config : ebs optional string, containing an integer
4190 Configuration for linux-sfq:
4191 other_config : perturb optional string, containing an integer
4192 other_config : quantum optional string, containing an integer
4193 Configuration for linux-netem:
4194 other_config : latency optional string, containing an integer
4195 other_config : limit optional string, containing an integer
4196 other_config : loss optional string, containing an integer
4197 other_config : jitter optional string, containing an integer
4198 Common Columns:
4199 other_config map of string-string pairs
4200 external_ids map of string-string pairs
4201 Details:
4203 type: string
4204 The type of QoS to implement. The currently defined types are
4205 listed below:
4206 linux-htb
4208 Linux ``hierarchy token bucket’’ classifier. See tc-
4209 htb(8) (also at http://linux.die.net/man/8/tc-htb) and
4210 the HTB manual (http://luxik.cdi.cz/~devik/qos/htb/man‐
4211 ual/userg.htm) for information on how this classifier
4212 works and how to configure it.
4213 linux-hfsc
4215 Linux "Hierarchical Fair Service Curve" classifier. See
4216 http://linux-ip.net/articles/hfsc.en/ for information on
4217 how this classifier works.
4218 linux-sfq
4220 Linux ``Stochastic Fairness Queueing’’ classifier. See
4221 tc-sfq(8) (also at http://linux.die.net/man/8/tc-sfq) for
4222 information on how this classifier works.
4223 linux-codel
4225 Linux ``Controlled Delay’’ classifier. See tc-codel(8)
4226 (also at
4227 http://man7.org/linux/man-pages/man8/tc-codel.8.html) for
4228 information on how this classifier works.
4229 linux-fq_codel
4231 Linux ``Fair Queuing with Controlled Delay’’ classifier.
4232 See tc-fq_codel(8) (also at
4233 http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html)
4234 for information on how this classifier works.
4235 linux-netem
4237 Linux ``Network Emulator’’ classifier. See tc-netem(8)
4238 (also at
4239 http://man7.org/linux/man-pages/man8/tc-netem.8.html) for
4240 information on how this classifier works.
4241 linux-noop
4243 Linux ``No operation.’’ By default, Open vSwitch manages
4244 quality of service on all of its configured ports. This
4245 can be helpful, but sometimes administrators prefer to
4246 use other software to manage QoS. This type prevents Open
4247 vSwitch from changing the QoS configuration for a port.
4248 egress-policer
4250 A DPDK egress policer algorithm using the DPDK rte_meter
4251 library. The rte_meter library provides an implementation
4252 which allows the metering and policing of traffic. The
4253 implementation in OVS essentially creates a single token
4254 bucket used to police traffic. It should be noted that
4255 when the rte_meter is configured as part of QoS there
4256 will be a performance overhead as the rte_meter itself
4257 will consume CPU cycles in order to police traffic. These
4258 CPU cycles ordinarily are used for packet proccessing. As
4259 such the drop in performance will be noticed in terms of
4260 overall aggregate traffic throughput.
4261 trtcm-policer
4263 A DPDK egress policer algorithm using RFC 4115’s Two-
4264 Rate, Three-Color marker. It’s a two-level hierarchical
4265 policer which first does a color-blind marking of the
4266 traffic at the queue level, followed by a color-aware
4267 marking at the port level. At the end traffic marked as
4268 Green or Yellow is forwarded, Red is dropped. For details
4269 on how traffic is marked, see RFC 4115. If the ``default
4270 queue’’, 0, is not configured it’s automatically created
4271 with the same other_config values as the physical port.
4272 queues: map of integer-Queue pairs, key in range 0 to 4,294,967,295
4274 A map from queue numbers to Queue records. The supported range
4275 of queue numbers depend on type. The queue numbers are the same
4276 as the queue_id used in OpenFlow in struct ofp_action_enqueue
4277 and other structures.
4278 Queue 0 is the ``default queue.’’ It is used by OpenFlow output
4280 actions when no specific queue has been set. When no configura‐
4281 tion for queue 0 is present, it is automatically configured as
4282 if a Queue record with empty dscp and other_config columns had
4283 been specified. (Before version 1.6, Open vSwitch would leave
4284 queue 0 unconfigured in this case. With some queuing disci‐
4285 plines, this dropped all packets destined for the default
4286 queue.)
4287 Configuration for linux-htb and linux-hfsc:
4289 The linux-htb and linux-hfsc classes support the following key-value
4291 pair:
4292 other_config : max-rate: optional string, containing an integer
4294 Maximum rate shared by all queued traffic, in bit/s. Optional.
4295 If not specified, for physical interfaces, the default is the
4296 link rate. For other interfaces or if the link rate cannot be
4297 determined, the default is currently 10 Gbps.
4298 Configuration for egress-policer QoS:
4300 QoS type egress-policer provides egress policing for userspace port
4302 types with DPDK. It has the following key-value pairs defined.
4303 other_config : cir: optional string, containing an integer
4305 The Committed Information Rate (CIR) is measured in bytes of IP
4306 packets per second, i.e. it includes the IP header, but not link
4307 specific (e.g. Ethernet) headers. This represents the bytes per
4308 second rate at which the token bucket will be updated. The cir
4309 value is calculated by (pps x packet data size). For example as‐
4310 suming a user wishes to limit a stream consisting of 64 byte
4311 packets to 1 million packets per second the CIR would be set to
4312 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4313 Where 1,000,000 is the policing rate for the number of packets
4314 per second and 46 represents the size of the packet data for a
4315 64 bytes IP packet without 14 bytes Ethernet and 4 bytes FCS
4316 header.
4317 other_config : cbs: optional string, containing an integer
4319 The Committed Burst Size (CBS) is measured in bytes and repre‐
4320 sents a token bucket. At a minimum this value should be be set
4321 to the expected largest size packet in the traffic stream. In
4322 practice larger values may be used to increase the size of the
4323 token bucket. If a packet can be transmitted then the cbs will
4324 be decremented by the number of bytes/tokens of the packet. If
4325 there are not enough tokens in the cbs bucket the packet will be
4326 dropped.
4327 other_config : eir: optional string, containing an integer
4329 The Excess Information Rate (EIR) is measured in bytes of IP
4330 packets per second, i.e. it includes the IP header, but not link
4331 specific (e.g. Ethernet) headers. This represents the bytes per
4332 second rate at which the token bucket will be updated. The eir
4333 value is calculated by (pps x packet data size). For example as‐
4334 suming a user wishes to limit a stream consisting of 64 byte
4335 packets to 1 million packets per second the EIR would be set to
4336 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4337 Where 1,000,000 is the policing rate for the number of packets
4338 per second and 46 represents the size of the packet data for a
4339 64 bytes IP packet without 14 bytes Ethernet and 4 bytes FCS
4340 header.
4341 other_config : ebs: optional string, containing an integer
4343 The Excess Burst Size (EBS) is measured in bytes and represents
4344 a token bucket. At a minimum this value should be be set to the
4345 expected largest size packet in the traffic stream. In practice
4346 larger values may be used to increase the size of the token
4347 bucket. If a packet can be transmitted then the ebs will be
4348 decremented by the number of bytes/tokens of the packet. If
4349 there are not enough tokens in the cbs bucket the packet might
4350 be dropped.
4351 Configuration for linux-sfq:
4353 The linux-sfq QoS supports the following key-value pairs:
4355 other_config : perturb: optional string, containing an integer
4357 Number of seconds between consecutive perturbations in hashing
4358 algorithm. Different flows can end up in the same hash bucket
4359 causing unfairness. Perturbation’s goal is to remove possible
4360 unfairness. The default and recommended value is 10. Too low a
4361 value is discouraged because each perturbation can cause packet
4362 reordering.
4363 other_config : quantum: optional string, containing an integer
4365 Number of bytes linux-sfq QoS can dequeue in one turn in round-
4366 robin from one flow. The default and recommended value is equal
4367 to interface’s MTU.
4368 Configuration for linux-netem:
4370 The linux-netem QoS supports the following key-value pairs:
4372 other_config : latency: optional string, containing an integer
4374 Adds the chosen delay to the packets outgoing to chosen network
4375 interface. The latency value expressed in us.
4376 other_config : limit: optional string, containing an integer
4378 Maximum number of packets the qdisc may hold queued at a time.
4379 The default value is 1000.
4380 other_config : loss: optional string, containing an integer
4382 Adds an independent loss probability to the packets outgoing
4383 from the chosen network interface.
4384 other_config : jitter: optional string, containing an integer
4386 Adds the provided jitter to the latency outgoing to the chosen
4387 network interface. The jitter value expressed in us.
4388 Common Columns:
4390 The overall purpose of these columns is described under Common Columns
4392 at the beginning of this document.
4393 other_config: map of string-string pairs
4395 external_ids: map of string-string pairs
4397
4399 A configuration for a port output queue, used in configuring Quality of
4400 Service (QoS) features. May be referenced by queues column in QoS ta‐
4401 ble.
4402 Summary:
4404 dscp optional integer, in range 0 to 63
4405 Configuration for linux-htb QoS:
4406 other_config : min-rate optional string, containing an integer,
4407 at least 1
4408 other_config : max-rate optional string, containing an integer,
4409 at least 1
4410 other_config : burst optional string, containing an integer,
4411 at least 1
4412 other_config : priority optional string, containing an integer,
4413 in range 0 to 4,294,967,295
4414 Configuration for linux-hfsc QoS:
4415 other_config : min-rate optional string, containing an integer,
4416 at least 1
4417 other_config : max-rate optional string, containing an integer,
4418 at least 1
4419 Common Columns:
4420 other_config map of string-string pairs
4421 external_ids map of string-string pairs
4422 Details:
4424 dscp: optional integer, in range 0 to 63
4425 If set, Open vSwitch will mark all traffic egressing this Queue
4426 with the given DSCP bits. Traffic egressing the default Queue is
4427 only marked if it was explicitly selected as the Queue at the
4428 time the packet was output. If unset, the DSCP bits of traffic
4429 egressing this Queue will remain unchanged.
4430 Configuration for linux-htb QoS:
4432 QoS type linux-htb may use queue_ids less than 61440. It has the fol‐
4434 lowing key-value pairs defined.
4435 other_config : min-rate: optional string, containing an integer, at
4437 least 1
4438 Minimum guaranteed bandwidth, in bit/s.
4439 other_config : max-rate: optional string, containing an integer, at
4441 least 1
4442 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4443 queue’s rate will not be allowed to exceed the specified value,
4444 even if excess bandwidth is available. If unspecified, defaults
4445 to no limit.
4446 other_config : burst: optional string, containing an integer, at least
4448 1
4449 Burst size, in bits. This is the maximum amount of ``credits’’
4450 that a queue can accumulate while it is idle. Optional. Details
4451 of the linux-htb implementation require a minimum burst size, so
4452 a too-small burst will be silently ignored.
4453 other_config : priority: optional string, containing an integer, in
4455 range 0 to 4,294,967,295
4456 A queue with a smaller priority will receive all the excess
4457 bandwidth that it can use before a queue with a larger value re‐
4458 ceives any. Specific priority values are unimportant; only rela‐
4459 tive ordering matters. Defaults to 0 if unspecified.
4460 Configuration for linux-hfsc QoS:
4462 QoS type linux-hfsc may use queue_ids less than 61440. It has the fol‐
4464 lowing key-value pairs defined.
4465 other_config : min-rate: optional string, containing an integer, at
4467 least 1
4468 Minimum guaranteed bandwidth, in bit/s.
4469 other_config : max-rate: optional string, containing an integer, at
4471 least 1
4472 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4473 queue’s rate will not be allowed to exceed the specified value,
4474 even if excess bandwidth is available. If unspecified, defaults
4475 to no limit.
4476 Common Columns:
4478 The overall purpose of these columns is described under Common Columns
4480 at the beginning of this document.
4481 other_config: map of string-string pairs
4483 external_ids: map of string-string pairs
4485
4487 A port mirror within a Bridge.
4488 A port mirror configures a bridge to send selected frames to special
4490 ``mirrored’’ ports, in addition to their normal destinations. Mirroring
4491 traffic may also be referred to as SPAN or RSPAN, depending on how the
4492 mirrored traffic is sent.
4493 When a packet enters an Open vSwitch bridge, it becomes eligible for
4495 mirroring based on its ingress port and VLAN. As the packet travels
4496 through the flow tables, each time it is output to a port, it becomes
4497 eligible for mirroring based on the egress port and VLAN. In Open
4498 vSwitch 2.5 and later, mirroring occurs just after a packet first be‐
4499 comes eligible, using the packet as it exists at that point; in Open
4500 vSwitch 2.4 and earlier, mirroring occurs only after a packet has tra‐
4501 versed all the flow tables, using the original packet as it entered the
4502 bridge. This makes a difference only when the flow table modifies the
4503 packet: in Open vSwitch 2.4, the modifications are never visible to
4504 mirrors, whereas in Open vSwitch 2.5 and later modifications made be‐
4505 fore the first output that makes it eligible for mirroring to a partic‐
4506 ular destination are visible.
4507 A packet that enters an Open vSwitch bridge is mirrored to a particular
4509 destination only once, even if it is eligible for multiple reasons. For
4510 example, a packet would be mirrored to a particular output_port only
4511 once, even if it is selected for mirroring to that port by se‐
4512 lect_dst_port and select_src_port in the same or different Mirror
4513 records.
4514 Summary:
4516 name string
4517 Selecting Packets for Mirroring:
4518 select_all boolean
4519 select_dst_port set of weak reference to Ports
4520 select_src_port set of weak reference to Ports
4521 select_vlan set of up to 4,096 integers, in range 0
4522 to 4,095
4523 Mirroring Destination Configuration:
4524 output_port optional weak reference to Port
4525 output_vlan optional integer, in range 1 to 4,095
4526 snaplen optional integer, in range 14 to 65,535
4527 Statistics: Mirror counters:
4528 statistics : tx_packets optional integer
4529 statistics : tx_bytes optional integer
4530 Common Columns:
4531 external_ids map of string-string pairs
4532 Details:
4534 name: string
4535 Arbitrary identifier for the Mirror.
4536 Selecting Packets for Mirroring:
4538 To be selected for mirroring, a given packet must enter or leave the
4540 bridge through a selected port and it must also be in one of the se‐
4541 lected VLANs.
4542 select_all: boolean
4544 If true, every packet arriving or departing on any port is se‐
4545 lected for mirroring.
4546 select_dst_port: set of weak reference to Ports
4548 Ports on which departing packets are selected for mirroring.
4549 select_src_port: set of weak reference to Ports
4551 Ports on which arriving packets are selected for mirroring.
4552 select_vlan: set of up to 4,096 integers, in range 0 to 4,095
4554 VLANs on which packets are selected for mirroring. An empty set
4555 selects packets on all VLANs.
4556 Mirroring Destination Configuration:
4558 These columns are mutually exclusive. Exactly one of them must be
4560 nonempty.
4561 output_port: optional weak reference to Port
4563 Output port for selected packets, if nonempty.
4564 Specifying a port for mirror output reserves that port exclu‐
4566 sively for mirroring. No frames other than those selected for
4567 mirroring via this column will be forwarded to the port, and any
4568 frames received on the port will be discarded.
4569 The output port may be any kind of port supported by Open
4571 vSwitch. It may be, for example, a physical port (sometimes
4572 called SPAN) or a GRE tunnel.
4573 output_vlan: optional integer, in range 1 to 4,095
4575 Output VLAN for selected packets, if nonempty.
4576 The frames will be sent out all ports that trunk output_vlan, as
4578 well as any ports with implicit VLAN output_vlan. When a mir‐
4579 rored frame is sent out a trunk port, the frame’s VLAN tag will
4580 be set to output_vlan, replacing any existing tag; when it is
4581 sent out an implicit VLAN port, the frame will not be tagged.
4582 This type of mirroring is sometimes called RSPAN.
4583 See the documentation for other_config:forward-bpdu in the In‐
4585 terface table for a list of destination MAC addresses which will
4586 not be mirrored to a VLAN to avoid confusing switches that in‐
4587 terpret the protocols that they represent.
4588 Please note: Mirroring to a VLAN can disrupt a network that con‐
4590 tains unmanaged switches. Consider an unmanaged physical switch
4591 with two ports: port 1, connected to an end host, and port 2,
4592 connected to an Open vSwitch configured to mirror received pack‐
4593 ets into VLAN 123 on port 2. Suppose that the end host sends a
4594 packet on port 1 that the physical switch forwards to port 2.
4595 The Open vSwitch forwards this packet to its destination and
4596 then reflects it back on port 2 in VLAN 123. This reflected
4597 packet causes the unmanaged physical switch to replace the MAC
4598 learning table entry, which correctly pointed to port 1, with
4599 one that incorrectly points to port 2. Afterward, the physical
4600 switch will direct packets destined for the end host to the Open
4601 vSwitch on port 2, instead of to the end host on port 1, dis‐
4602 rupting connectivity. If mirroring to a VLAN is desired in this
4603 scenario, then the physical switch must be replaced by one that
4604 learns Ethernet addresses on a per-VLAN basis. In addition,
4605 learning should be disabled on the VLAN containing mirrored
4606 traffic. If this is not done then intermediate switches will
4607 learn the MAC address of each end host from the mirrored traf‐
4608 fic. If packets being sent to that end host are also mirrored,
4609 then they will be dropped since the switch will attempt to send
4610 them out the input port. Disabling learning for the VLAN will
4611 cause the switch to correctly send the packet out all ports con‐
4612 figured for that VLAN. If Open vSwitch is being used as an in‐
4613 termediate switch, learning can be disabled by adding the mir‐
4614 rored VLAN to flood_vlans in the appropriate Bridge table or ta‐
4615 bles.
4616 Mirroring to a GRE tunnel has fewer caveats than mirroring to a
4618 VLAN and should generally be preferred.
4619 snaplen: optional integer, in range 14 to 65,535
4621 Maximum per-packet number of bytes to mirror.
4622 A mirrored packet with size larger than snaplen will be trun‐
4624 cated in datapath to snaplen bytes before sending to the mirror
4625 output port. If omitted, packets are not truncated.
4626 Statistics: Mirror counters:
4628 Key-value pairs that report mirror statistics. The update period is
4630 controlled by other_config:stats-update-interval in the Open_vSwitch
4631 table.
4632 statistics : tx_packets: optional integer
4634 Number of packets transmitted through this mirror.
4635 statistics : tx_bytes: optional integer
4637 Number of bytes transmitted through this mirror.
4638 Common Columns:
4640 The overall purpose of these columns is described under Common Columns
4642 at the beginning of this document.
4643 external_ids: map of string-string pairs
4645
4647 An OpenFlow controller.
4648 Summary:
4650 Core Features:
4651 type optional string, either primary or ser‐
4652 vice
4653 target string
4654 connection_mode optional string, either in-band or
4655 out-of-band
4656 Controller Failure Detection and Handling:
4657 max_backoff optional integer, at least 1,000
4658 inactivity_probe optional integer
4659 Asynchronous Messages:
4660 enable_async_messages optional boolean
4661 Controller Rate Limiting:
4662 controller_queue_size optional integer, in range 1 to 512
4663 controller_rate_limit optional integer, at least 100
4664 controller_burst_limit optional integer, at least 25
4665 Controller Rate Limiting Statistics:
4666 status : packet-in-TYPE-bypassed
4667 optional string, containing an integer,
4668 at least 0
4669 status : packet-in-TYPE-queued
4670 optional string, containing an integer,
4671 at least 0
4672 status : packet-in-TYPE-dropped
4673 optional string, containing an integer,
4674 at least 0
4675 status : packet-in-TYPE-backlog
4676 optional string, containing an integer,
4677 at least 0
4678 Additional In-Band Configuration:
4679 local_ip optional string
4680 local_netmask optional string
4681 local_gateway optional string
4682 Controller Status:
4683 is_connected boolean
4684 role optional string, one of master, other, or
4685 slave
4686 status : last_error optional string
4687 status : state optional string, one of ACTIVE, BACKOFF,
4688 CONNECTING, IDLE, or VOID
4689 status : sec_since_connect optional string, containing an integer,
4690 at least 0
4691 status : sec_since_disconnect
4692 optional string, containing an integer,
4693 at least 1
4694 Connection Parameters:
4695 other_config : dscp optional string, containing an integer
4696 Common Columns:
4697 external_ids map of string-string pairs
4698 other_config map of string-string pairs
4699 Details:
4701 Core Features:
4702 type: optional string, either primary or service
4704 Open vSwitch supports two kinds of OpenFlow controllers. A
4705 bridge may have any number of each kind:
4706 Primary controllers
4708 This is the kind of controller envisioned by the OpenFlow
4709 specifications. Usually, a primary controller implements
4710 a network policy by taking charge of the switch’s flow
4711 table.
4712 The fail_mode column in the Bridge table applies to pri‐
4714 mary controllers.
4715 When multiple primary controllers are configured, Open
4717 vSwitch connects to all of them simultaneously. OpenFlow
4718 provides few facilities to allow multiple controllers to
4719 coordinate in interacting with a single switch, so more
4720 than one primary controller should be specified only if
4721 the controllers are themselves designed to coordinate
4722 with each other.
4723 Service controllers
4725 These kinds of OpenFlow controller connections are in‐
4726 tended for occasional support and maintenance use, e.g.
4727 with ovs-ofctl. Usually a service controller connects
4728 only briefly to inspect or modify some of a switch’s
4729 state.
4730 The fail_mode column in the Bridge table does not apply
4732 to service controllers.
4733 By default, Open vSwitch treats controllers with active connec‐
4735 tion methods as primary controllers and those with passive con‐
4736 nection methods as service controllers. Set this column to the
4737 desired type to override this default.
4738 target: string
4740 Connection method for controller.
4741 The following active connection methods are currently supported:
4743 ssl:host[:port]
4745 The specified SSL port on the host at the given host,
4746 which can either be a DNS name (if built with unbound li‐
4747 brary) or an IP address. The ssl column in the
4748 Open_vSwitch table must point to a valid SSL configura‐
4749 tion when this form is used.
4750 If port is not specified, it defaults to 6653.
4752 SSL support is an optional feature that is not always
4754 built as part of Open vSwitch.
4755 tcp:host[:port]
4757 The specified TCP port on the host at the given host,
4758 which can either be a DNS name (if built with unbound li‐
4759 brary) or an IP address (IPv4 or IPv6). If host is an
4760 IPv6 address, wrap it in square brackets, e.g.
4761 tcp:[::1]:6653.
4762 If port is not specified, it defaults to 6653.
4764 The following passive connection methods are currently sup‐
4766 ported:
4767 pssl:[port][:host]
4769 Listens for SSL connections on the specified TCP port. If
4770 host, which can either be a DNS name (if built with un‐
4771 bound library) or an IP address, is specified, then con‐
4772 nections are restricted to the resolved or specified lo‐
4773 cal IP address (either IPv4 or IPv6). If host is an IPv6
4774 address, wrap it in square brackets, e.g.
4775 pssl:6653:[::1].
4776 If port is not specified, it defaults to 6653. If host is
4778 not specified then it listens only on IPv4 (but not IPv6)
4779 addresses. The ssl column in the Open_vSwitch table must
4780 point to a valid SSL configuration when this form is
4781 used.
4782 If port is not specified, it currently to 6653.
4784 SSL support is an optional feature that is not always
4786 built as part of Open vSwitch.
4787 ptcp:[port][:host]
4789 Listens for connections on the specified TCP port. If
4790 host, which can either be a DNS name (if built with un‐
4791 bound library) or an IP address, is specified, then con‐
4792 nections are restricted to the resolved or specified lo‐
4793 cal IP address (either IPv4 or IPv6). If host is an IPv6
4794 address, wrap it in square brackets, e.g.
4795 ptcp:6653:[::1]. If host is not specified then it listens
4796 only on IPv4 addresses.
4797 If port is not specified, it defaults to 6653.
4799 When multiple controllers are configured for a single bridge,
4801 the target values must be unique. Duplicate target values yield
4802 unspecified results.
4803 connection_mode: optional string, either in-band or out-of-band
4805 If it is specified, this setting must be one of the following
4806 strings that describes how Open vSwitch contacts this OpenFlow
4807 controller over the network:
4808 in-band
4810 In this mode, this controller’s OpenFlow traffic travels
4811 over the bridge associated with the controller. With this
4812 setting, Open vSwitch allows traffic to and from the con‐
4813 troller regardless of the contents of the OpenFlow flow
4814 table. (Otherwise, Open vSwitch would never be able to
4815 connect to the controller, because it did not have a flow
4816 to enable it.) This is the most common connection mode
4817 because it is not necessary to maintain two independent
4818 networks.
4819 out-of-band
4821 In this mode, OpenFlow traffic uses a control network
4822 separate from the bridge associated with this controller,
4823 that is, the bridge does not use any of its own network
4824 devices to communicate with the controller. The control
4825 network must be configured separately, before or after
4826 ovs-vswitchd is started.
4827 If not specified, the default is implementation-specific.
4829 Controller Failure Detection and Handling:
4831 max_backoff: optional integer, at least 1,000
4833 Maximum number of milliseconds to wait between connection at‐
4834 tempts. Default is implementation-specific.
4835 inactivity_probe: optional integer
4837 Maximum number of milliseconds of idle time on connection to
4838 controller before sending an inactivity probe message. If Open
4839 vSwitch does not communicate with the controller for the speci‐
4840 fied number of seconds, it will send a probe. If a response is
4841 not received for the same additional amount of time, Open
4842 vSwitch assumes the connection has been broken and attempts to
4843 reconnect. Default is implementation-specific. A value of 0 dis‐
4844 ables inactivity probes.
4845 Asynchronous Messages:
4847 OpenFlow switches send certain messages to controllers spontanenously,
4849 that is, not in response to any request from the controller. These mes‐
4850 sages are called ``asynchronous messages.’’ These columns allow asyn‐
4851 chronous messages to be limited or disabled to ensure the best use of
4852 network resources.
4853 enable_async_messages: optional boolean
4855 The OpenFlow protocol enables asynchronous messages at time of
4856 connection establishment, which means that a controller can re‐
4857 ceive asynchronous messages, potentially many of them, even if
4858 it turns them off immediately after connecting. Set this column
4859 to false to change Open vSwitch behavior to disable, by default,
4860 all asynchronous messages. The controller can use the
4861 NXT_SET_ASYNC_CONFIG Nicira extension to OpenFlow to turn on any
4862 messages that it does want to receive, if any.
4863 Controller Rate Limiting:
4865 A switch can forward packets to a controller over the OpenFlow proto‐
4867 col. Forwarding packets this way at too high a rate can overwhelm a
4868 controller, frustrate use of the OpenFlow connection for other pur‐
4869 poses, increase the latency of flow setup, and use an unreasonable
4870 amount of bandwidth. Therefore, Open vSwitch supports limiting the rate
4871 of packet forwarding to a controller.
4872 There are two main reasons in OpenFlow for a packet to be sent to a
4874 controller: either the packet ``misses’’ in the flow table, that is,
4875 there is no matching flow, or a flow table action says to send the
4876 packet to the controller. Open vSwitch limits the rate of each kind of
4877 packet separately at the configured rate. Therefore, the actual rate
4878 that packets are sent to the controller can be up to twice the config‐
4879 ured rate, when packets are sent for both reasons.
4880 This feature is specific to forwarding packets over an OpenFlow connec‐
4882 tion. It is not general-purpose QoS. See the QoS table for quality of
4883 service configuration, and ingress_policing_rate in the Interface table
4884 for ingress policing configuration.
4885 controller_queue_size: optional integer, in range 1 to 512
4887 This sets the maximum size of the queue of packets that need to
4888 be sent to this OpenFlow controller. The value must be less than
4889 512. If not specified the queue size is limited to the value set
4890 for the management controller in other_config:controller-queue-
4891 size if present or 100 packets by default. Note: increasing the
4892 queue size might have a negative impact on latency.
4893 controller_rate_limit: optional integer, at least 100
4895 The maximum rate at which the switch will forward packets to the
4896 OpenFlow controller, in packets per second. If no value is spec‐
4897 ified, rate limiting is disabled.
4898 controller_burst_limit: optional integer, at least 25
4900 When a high rate triggers rate-limiting, Open vSwitch queues
4901 packets to the controller for each port and transmits them to
4902 the controller at the configured rate. This value limits the
4903 number of queued packets. Ports on a bridge share the packet
4904 queue fairly.
4905 This value has no effect unless controller_rate_limit is config‐
4907 ured. The current default when this value is not specified is
4908 one-quarter of controller_rate_limit, meaning that queuing can
4909 delay forwarding a packet to the controller by up to 250 ms.
4910 Controller Rate Limiting Statistics:
4912 These values report the effects of rate limiting. Their values are rel‐
4914 ative to establishment of the most recent OpenFlow connection, or since
4915 rate limiting was enabled, whichever happened more recently. Each con‐
4916 sists of two values, one with TYPE replaced by miss for rate limiting
4917 flow table misses, and the other with TYPE replaced by action for rate
4918 limiting packets sent by OpenFlow actions.
4919 These statistics are reported only when controller rate limiting is en‐
4921 abled.
4922 status : packet-in-TYPE-bypassed: optional string, containing an inte‐
4924 ger, at least 0
4925 Number of packets sent directly to the controller, without queu‐
4926 ing, because the rate did not exceed the configured maximum.
4927 status : packet-in-TYPE-queued: optional string, containing an integer,
4929 at least 0
4930 Number of packets added to the queue to send later.
4931 status : packet-in-TYPE-dropped: optional string, containing an inte‐
4933 ger, at least 0
4934 Number of packets added to the queue that were later dropped due
4935 to overflow. This value is less than or equal to status:packet-
4936 in-TYPE-queued.
4937 status : packet-in-TYPE-backlog: optional string, containing an inte‐
4939 ger, at least 0
4940 Number of packets currently queued. The other statistics in‐
4941 crease monotonically, but this one fluctuates between 0 and the
4942 controller_burst_limit as conditions change.
4943 Additional In-Band Configuration:
4945 These values are considered only in in-band control mode (see connec‐
4947 tion_mode).
4948 When multiple controllers are configured on a single bridge, there
4950 should be only one set of unique values in these columns. If different
4951 values are set for these columns in different controllers, the effect
4952 is unspecified.
4953 local_ip: optional string
4955 The IP address to configure on the local port, e.g.
4956 192.168.0.123. If this value is unset, then local_netmask and
4957 local_gateway are ignored.
4958 local_netmask: optional string
4960 The IP netmask to configure on the local port, e.g.
4961 255.255.255.0. If local_ip is set but this value is unset, then
4962 the default is chosen based on whether the IP address is class
4963 A, B, or C.
4964 local_gateway: optional string
4966 The IP address of the gateway to configure on the local port, as
4967 a string, e.g. 192.168.0.1. Leave this column unset if this net‐
4968 work has no gateway.
4969 Controller Status:
4971 is_connected: boolean
4973 true if currently connected to this controller, false otherwise.
4974 role: optional string, one of master, other, or slave
4976 The level of authority this controller has on the associated
4977 bridge. Possible values are:
4978 other Allows the controller access to all OpenFlow features.
4980 master Equivalent to other, except that there may be at most one
4982 such controller at a time. If a given controller promotes
4983 itself to this role, ovs-vswitchd demotes any existing
4984 controller with the role to slave.
4985 slave Allows the controller read-only access to OpenFlow fea‐
4987 tures. Attempts to modify the flow table will be rejected
4988 with an error. Such controllers do not receive
4989 OFPT_PACKET_IN or OFPT_FLOW_REMOVED messages, but they do
4990 receive OFPT_PORT_STATUS messages.
4991 status : last_error: optional string
4993 A human-readable description of the last error on the connection
4994 to the controller; i.e. strerror(errno). This key will exist
4995 only if an error has occurred.
4996 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
4998 IDLE, or VOID
4999 The state of the connection to the controller:
5000 VOID Connection is disabled.
5002 BACKOFF
5004 Attempting to reconnect at an increasing period.
5005 CONNECTING
5007 Attempting to connect.
5008 ACTIVE Connected, remote host responsive.
5010 IDLE Connection is idle. Waiting for response to keep-alive.
5012 These values may change in the future. They are provided only
5014 for human consumption.
5015 status : sec_since_connect: optional string, containing an integer, at
5017 least 0
5018 The amount of time since this controller last successfully con‐
5019 nected to the switch (in seconds). Value is empty if controller
5020 has never successfully connected.
5021 status : sec_since_disconnect: optional string, containing an integer,
5023 at least 1
5024 The amount of time since this controller last disconnected from
5025 the switch (in seconds). Value is empty if controller has never
5026 disconnected.
5027 Connection Parameters:
5029 Additional configuration for a connection between the controller and
5031 the Open vSwitch.
5032 other_config : dscp: optional string, containing an integer
5034 The Differentiated Service Code Point (DSCP) is specified using
5035 6 bits in the Type of Service (TOS) field in the IP header. DSCP
5036 provides a mechanism to classify the network traffic and provide
5037 Quality of Service (QoS) on IP networks. The DSCP value speci‐
5038 fied here is used when establishing the connection between the
5039 controller and the Open vSwitch. If no value is specified, a de‐
5040 fault value of 48 is chosen. Valid DSCP values must be in the
5041 range 0 to 63.
5042 Common Columns:
5044 The overall purpose of these columns is described under Common Columns
5046 at the beginning of this document.
5047 external_ids: map of string-string pairs
5049 other_config: map of string-string pairs
5051
5053 Configuration for a database connection to an Open vSwitch database
5054 (OVSDB) client.
5055 This table primarily configures the Open vSwitch database
5057 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The switch
5058 does read the table to determine what connections should be treated as
5059 in-band.
5060 The Open vSwitch database server can initiate and maintain active con‐
5062 nections to remote clients. It can also listen for database connec‐
5063 tions.
5064 Summary:
5066 Core Features:
5067 target string (must be unique within table)
5068 connection_mode optional string, either in-band or
5069 out-of-band
5070 Client Failure Detection and Handling:
5071 max_backoff optional integer, at least 1,000
5072 inactivity_probe optional integer
5073 Status:
5074 is_connected boolean
5075 status : last_error optional string
5076 status : state optional string, one of ACTIVE, BACKOFF,
5077 CONNECTING, IDLE, or VOID
5078 status : sec_since_connect optional string, containing an integer,
5079 at least 0
5080 status : sec_since_disconnect
5081 optional string, containing an integer,
5082 at least 0
5083 status : locks_held optional string
5084 status : locks_waiting optional string
5085 status : locks_lost optional string
5086 status : n_connections optional string, containing an integer,
5087 at least 2
5088 status : bound_port optional string, containing an integer
5089 Connection Parameters:
5090 other_config : dscp optional string, containing an integer
5091 Common Columns:
5092 external_ids map of string-string pairs
5093 other_config map of string-string pairs
5094 Details:
5096 Core Features:
5097 target: string (must be unique within table)
5099 Connection method for managers.
5100 The following connection methods are currently supported:
5102 ssl:host[:port]
5104 The specified SSL port on the host at the given host,
5105 which can either be a DNS name (if built with unbound li‐
5106 brary) or an IP address. The ssl column in the
5107 Open_vSwitch table must point to a valid SSL configura‐
5108 tion when this form is used.
5109 If port is not specified, it defaults to 6640.
5111 SSL support is an optional feature that is not always
5113 built as part of Open vSwitch.
5114 tcp:host[:port]
5116 The specified TCP port on the host at the given host,
5117 which can either be a DNS name (if built with unbound li‐
5118 brary) or an IP address (IPv4 or IPv6). If host is an
5119 IPv6 address, wrap it in square brackets, e.g.
5120 tcp:[::1]:6640.
5121 If port is not specified, it defaults to 6640.
5123 pssl:[port][:host]
5125 Listens for SSL connections on the specified TCP port.
5126 Specify 0 for port to have the kernel automatically
5127 choose an available port. If host, which can either be a
5128 DNS name (if built with unbound library) or an IP ad‐
5129 dress, is specified, then connections are restricted to
5130 the resolved or specified local IP address (either IPv4
5131 or IPv6 address). If host is an IPv6 address, wrap in
5132 square brackets, e.g. pssl:6640:[::1]. If host is not
5133 specified then it listens only on IPv4 (but not IPv6) ad‐
5134 dresses. The ssl column in the Open_vSwitch table must
5135 point to a valid SSL configuration when this form is
5136 used.
5137 If port is not specified, it defaults to 6640.
5139 SSL support is an optional feature that is not always
5141 built as part of Open vSwitch.
5142 ptcp:[port][:host]
5144 Listens for connections on the specified TCP port. Spec‐
5145 ify 0 for port to have the kernel automatically choose an
5146 available port. If host, which can either be a DNS name
5147 (if built with unbound library) or an IP address, is
5148 specified, then connections are restricted to the re‐
5149 solved or specified local IP address (either IPv4 or IPv6
5150 address). If host is an IPv6 address, wrap it in square
5151 brackets, e.g. ptcp:6640:[::1]. If host is not specified
5152 then it listens only on IPv4 addresses.
5153 If port is not specified, it defaults to 6640.
5155 When multiple managers are configured, the target values must be
5157 unique. Duplicate target values yield unspecified results.
5158 connection_mode: optional string, either in-band or out-of-band
5160 If it is specified, this setting must be one of the following
5161 strings that describes how Open vSwitch contacts this OVSDB
5162 client over the network:
5163 in-band
5165 In this mode, this connection’s traffic travels over a
5166 bridge managed by Open vSwitch. With this setting, Open
5167 vSwitch allows traffic to and from the client regardless
5168 of the contents of the OpenFlow flow table. (Otherwise,
5169 Open vSwitch would never be able to connect to the
5170 client, because it did not have a flow to enable it.)
5171 This is the most common connection mode because it is not
5172 necessary to maintain two independent networks.
5173 out-of-band
5175 In this mode, the client’s traffic uses a control network
5176 separate from that managed by Open vSwitch, that is, Open
5177 vSwitch does not use any of its own network devices to
5178 communicate with the client. The control network must be
5179 configured separately, before or after ovs-vswitchd is
5180 started.
5181 If not specified, the default is implementation-specific.
5183 Client Failure Detection and Handling:
5185 max_backoff: optional integer, at least 1,000
5187 Maximum number of milliseconds to wait between connection at‐
5188 tempts. Default is implementation-specific.
5189 inactivity_probe: optional integer
5191 Maximum number of milliseconds of idle time on connection to the
5192 client before sending an inactivity probe message. If Open
5193 vSwitch does not communicate with the client for the specified
5194 number of seconds, it will send a probe. If a response is not
5195 received for the same additional amount of time, Open vSwitch
5196 assumes the connection has been broken and attempts to recon‐
5197 nect. Default is implementation-specific. A value of 0 disables
5198 inactivity probes.
5199 Status:
5201 Key-value pair of is_connected is always updated. Other key-value pairs
5203 in the status columns may be updated depends on the target type.
5204 When target specifies a connection method that listens for inbound con‐
5206 nections (e.g. ptcp: or punix:), both n_connections and is_connected
5207 may also be updated while the remaining key-value pairs are omitted.
5208 On the other hand, when target specifies an outbound connection, all
5210 key-value pairs may be updated, except the above-mentioned two key-
5211 value pairs associated with inbound connection targets. They are omit‐
5212 ted.
5213 is_connected: boolean
5215 true if currently connected to this manager, false otherwise.
5216 status : last_error: optional string
5218 A human-readable description of the last error on the connection
5219 to the manager; i.e. strerror(errno). This key will exist only
5220 if an error has occurred.
5221 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
5223 IDLE, or VOID
5224 The state of the connection to the manager:
5225 VOID Connection is disabled.
5227 BACKOFF
5229 Attempting to reconnect at an increasing period.
5230 CONNECTING
5232 Attempting to connect.
5233 ACTIVE Connected, remote host responsive.
5235 IDLE Connection is idle. Waiting for response to keep-alive.
5237 These values may change in the future. They are provided only
5239 for human consumption.
5240 status : sec_since_connect: optional string, containing an integer, at
5242 least 0
5243 The amount of time since this manager last successfully con‐
5244 nected to the database (in seconds). Value is empty if manager
5245 has never successfully connected.
5246 status : sec_since_disconnect: optional string, containing an integer,
5248 at least 0
5249 The amount of time since this manager last disconnected from the
5250 database (in seconds). Value is empty if manager has never dis‐
5251 connected.
5252 status : locks_held: optional string
5254 Space-separated list of the names of OVSDB locks that the con‐
5255 nection holds. Omitted if the connection does not hold any
5256 locks.
5257 status : locks_waiting: optional string
5259 Space-separated list of the names of OVSDB locks that the con‐
5260 nection is currently waiting to acquire. Omitted if the connec‐
5261 tion is not waiting for any locks.
5262 status : locks_lost: optional string
5264 Space-separated list of the names of OVSDB locks that the con‐
5265 nection has had stolen by another OVSDB client. Omitted if no
5266 locks have been stolen from this connection.
5267 status : n_connections: optional string, containing an integer, at
5269 least 2
5270 When target specifies a connection method that listens for in‐
5271 bound connections (e.g. ptcp: or pssl:) and more than one con‐
5272 nection is actually active, the value is the number of active
5273 connections. Otherwise, this key-value pair is omitted.
5274 status : bound_port: optional string, containing an integer
5276 When target is ptcp: or pssl:, this is the TCP port on which the
5277 OVSDB server is listening. (This is particularly useful when
5278 target specifies a port of 0, allowing the kernel to choose any
5279 available port.)
5280 Connection Parameters:
5282 Additional configuration for a connection between the manager and the
5284 Open vSwitch Database.
5285 other_config : dscp: optional string, containing an integer
5287 The Differentiated Service Code Point (DSCP) is specified using
5288 6 bits in the Type of Service (TOS) field in the IP header. DSCP
5289 provides a mechanism to classify the network traffic and provide
5290 Quality of Service (QoS) on IP networks. The DSCP value speci‐
5291 fied here is used when establishing the connection between the
5292 manager and the Open vSwitch. If no value is specified, a de‐
5293 fault value of 48 is chosen. Valid DSCP values must be in the
5294 range 0 to 63.
5295 Common Columns:
5297 The overall purpose of these columns is described under Common Columns
5299 at the beginning of this document.
5300 external_ids: map of string-string pairs
5302 other_config: map of string-string pairs
5304
5306 A NetFlow target. NetFlow is a protocol that exports a number of de‐
5307 tails about terminating IP flows, such as the principals involved and
5308 duration.
5309 Summary:
5311 targets set of 1 or more strings
5312 engine_id optional integer, in range 0 to 255
5313 engine_type optional integer, in range 0 to 255
5314 active_timeout integer, at least -1
5315 add_id_to_interface boolean
5316 Common Columns:
5317 external_ids map of string-string pairs
5318 Details:
5320 targets: set of 1 or more strings
5321 NetFlow targets in the form ip:port. The ip must be specified
5322 numerically, not as a DNS name.
5323 engine_id: optional integer, in range 0 to 255
5325 Engine ID to use in NetFlow messages. Defaults to datapath index
5326 if not specified.
5327 engine_type: optional integer, in range 0 to 255
5329 Engine type to use in NetFlow messages. Defaults to datapath in‐
5330 dex if not specified.
5331 active_timeout: integer, at least -1
5333 The interval at which NetFlow records are sent for flows that
5334 are still active, in seconds. A value of 0 requests the default
5335 timeout (currently 600 seconds); a value of -1 disables active
5336 timeouts.
5337 The NetFlow passive timeout, for flows that become inactive, is
5339 not configurable. It will vary depending on the Open vSwitch
5340 version, the forms and contents of the OpenFlow flow tables, CPU
5341 and memory usage, and network activity. A typical passive time‐
5342 out is about a second.
5343 add_id_to_interface: boolean
5345 If this column’s value is false, the ingress and egress inter‐
5346 face fields of NetFlow flow records are derived from OpenFlow
5347 port numbers. When it is true, the 7 most significant bits of
5348 these fields will be replaced by the least significant 7 bits of
5349 the engine id. This is useful because many NetFlow collectors do
5350 not expect multiple switches to be sending messages from the
5351 same host, so they do not store the engine information which
5352 could be used to disambiguate the traffic.
5353 When this option is enabled, a maximum of 508 ports are sup‐
5355 ported.
5356 Common Columns:
5358 The overall purpose of these columns is described under Common Columns
5360 at the beginning of this document.
5361 external_ids: map of string-string pairs
5363
5365 Configuration for a datapath within Open_vSwitch.
5366 A datapath is responsible for providing the packet handling in Open
5368 vSwitch. There are two primary datapath implementations used by Open
5369 vSwitch: kernel and userspace. Kernel datapath implementations are
5370 available for Linux and Hyper-V, and selected as system in the data‐
5371 path_type column of the Bridge table. The userspace datapath is used by
5372 DPDK and AF-XDP, and is selected as netdev in the datapath_type column
5373 of the Bridge table.
5374 A datapath of a particular type is shared by all the bridges that use
5376 that datapath. Thus, configurations applied to this table affect all
5377 bridges that use this datapath.
5378 Summary:
5380 datapath_version string
5381 ct_zones map of integer-CT_Zone pairs, key in
5382 range 0 to 65,535
5383 Capabilities:
5384 capabilities : max_vlan_headers
5385 optional string, containing an integer,
5386 at least 0
5387 capabilities : recirc optional string, either true or false
5388 capabilities : lb_output_action
5389 optional string, either true or false
5390 Connection-Tracking Capabilities:
5391 capabilities : ct_state optional string, either true or false
5392 capabilities : ct_state_nat
5393 optional string, either true or false
5394 capabilities : ct_zone optional string, either true or false
5395 capabilities : ct_mark optional string, either true or false
5396 capabilities : ct_label optional string, either true or false
5397 capabilities : ct_orig_tuple
5398 optional string, either true or false
5399 capabilities : ct_orig_tuple6
5400 optional string, either true or false
5401 capabilities : masked_set_action
5402 optional string, either true or false
5403 capabilities : tnl_push_pop
5404 optional string, either true or false
5405 capabilities : ufid optional string, either true or false
5406 capabilities : trunc optional string, either true or false
5407 capabilities : nd_ext optional string, either true or false
5408 Clone Actions:
5409 capabilities : clone optional string, either true or false
5410 capabilities : sample_nesting
5411 optional string, containing an integer,
5412 at least 0
5413 capabilities : ct_eventmask
5414 optional string, either true or false
5415 capabilities : ct_clear optional string, either true or false
5416 capabilities : max_hash_alg
5417 optional string, containing an integer,
5418 at least 0
5419 capabilities : check_pkt_len
5420 optional string, either true or false
5421 capabilities : ct_timeout optional string, either true or false
5422 capabilities : explicit_drop_action
5423 optional string, either true or false
5424 capabilities : ct_zero_snat
5425 optional string, either true or false
5426 capabilities : ct_flush optional string, either true or false
5427 Common Columns:
5428 external_ids map of string-string pairs
5429 Details:
5431 datapath_version: string
5432 Reports the version number of the Open vSwitch datapath in use.
5433 This allows management software to detect and report discrepan‐
5434 cies between Open vSwitch userspace and datapath versions. (The
5435 ovs_version column in the Open_vSwitch reports the Open vSwitch
5436 userspace version.) The version reported depends on the datapath
5437 in use:
5438 • When the kernel module included in the Open vSwitch
5440 source tree is used, this column reports the Open vSwitch
5441 version from which the module was taken.
5442 • When the kernel module that is part of the upstream Linux
5444 kernel is used, this column reports <unknown>.
5445 • When the datapath is built into the ovs-vswitchd binary,
5447 this column reports <built-in>. A built-in datapath is by
5448 definition the same version as the rest of the Open
5449 vSwitch userspace.
5450 • Other datapaths (such as the Hyper-V kernel datapath)
5452 currently report <unknown>.
5453 A version discrepancy between ovs-vswitchd and the datapath in
5455 use is not normally cause for alarm. The Open vSwitch kernel
5456 datapaths for Linux and Hyper-V, in particular, are designed for
5457 maximum inter-version compatibility: any userspace version works
5458 with with any kernel version. Some reasons do exist to insist on
5459 particular user/kernel pairings. First, newer kernel versions
5460 add new features, that can only be used by new-enough userspace,
5461 e.g. VXLAN tunneling requires certain minimal userspace and ker‐
5462 nel versions. Second, as an extension to the first reason, some
5463 newer kernel versions add new features for enhancing performance
5464 that only new-enough userspace versions can take advantage of.
5465 ct_zones: map of integer-CT_Zone pairs, key in range 0 to 65,535
5467 Configuration for connection tracking zones. Each pair maps from
5468 a zone id to a configuration for that zone. Zone 0 applies to
5469 the default zone (ie, the one used if a zone is not specified in
5470 connection tracking-related OpenFlow matches and actions).
5471 Capabilities:
5473 The capabilities column reports a datapath’s features. For the netdev
5475 datapath, the capabilities are fixed for a given version of Open
5476 vSwitch because this datapath is built into the ovs-vswitchd binary.
5477 The Linux kernel and Windows and other datapaths, which are external to
5478 OVS userspace, can vary in version and capabilities independently from
5479 ovs-vswitchd.
5480 Some of these features indicate whether higher-level Open vSwitch fea‐
5482 tures are available. For example, OpenFlow features for connection-
5483 tracking are available only when capabilities:ct_state is true. A con‐
5484 troller that wishes to determine whether a feature is supported could,
5485 therefore, consult the relevant capabilities in this table. However, as
5486 a general rule, it is better for a controller to try to use the higher-
5487 level feature and use the result as an indication of support, since the
5488 low-level capabilities are more likely to shift over time than the
5489 high-level features that rely on them.
5490 capabilities : max_vlan_headers: optional string, containing an inte‐
5492 ger, at least 0
5493 Number of 802.1q VLAN headers supported by the datapath, as
5494 probed by the ovs-vswitchd slow path. If the datapath supports
5495 more VLAN headers than the slow path, this reports the slow
5496 path’s limit. The value of other-config:vlan-limit in the
5497 Open_vSwitch table does not influence the number reported here.
5498 capabilities : recirc: optional string, either true or false
5500 If this is true, then the datapath supports recirculation,
5501 specifically OVS_KEY_ATTR_RECIRC_ID. Recirculation enables
5502 higher performance for MPLS and active-active load balancing
5503 bonding modes.
5504 capabilities : lb_output_action: optional string, either true or false
5506 If this is true, then the datapath supports optimized balance-
5507 tcp bond mode. This capability replaces existing hash and recirc
5508 actions with new action lb_output and avoids recirculation of
5509 packet in datapath. It is supported only for balance-tcp bond
5510 mode in netdev datapath. The new action gives higher performance
5511 by using bond buckets instead of post recirculation flows for
5512 selection of slave port from bond. By default this new action is
5513 disabled, however it can be enabled by setting other-config:lb-
5514 output-action in Port table.
5515 Connection-Tracking Capabilities:
5517 These capabilities are granular because Open vSwitch and its datapaths
5519 added support for connection tracking over several releases, with fea‐
5520 tures added individually over that time.
5521 capabilities : ct_state: optional string, either true or false
5523 If true, datapath supports OVS_KEY_ATTR_CT_STATE, which indi‐
5524 cates support for the bits in the OpenFlow ct_state field (see
5525 ovs-fields(7)) other than snat and dnat, which have a separate
5526 capability.
5527 If this is false, the datapath does not support connection-
5529 tracking at all and the remaining connection-tracking capabili‐
5530 ties should all be false. In this case, Open vSwitch will reject
5531 flows that match on the ct_state field or use the ct action.
5532 capabilities : ct_state_nat: optional string, either true or false
5534 If true, it means that the datapath supports the snat and dnat
5535 flags in the OpenFlow ct_state field. The ct_state capability
5536 must be true for this to make sense.
5537 If false, Open vSwitch will reject flows that match on the snat
5539 or dnat bits in ct_state or use nat in the ct action.
5540 capabilities : ct_zone: optional string, either true or false
5542 If true, datapath supports OVS_KEY_ATTR_CT_ZONE. If false, Open
5543 vSwitch rejects flows that match on the ct_zone field or that
5544 specify a nonzero zone or a zone field on the ct action.
5545 capabilities : ct_mark: optional string, either true or false
5547 If true, datapath supports OVS_KEY_ATTR_CT_MARK. If false, Open
5548 vSwitch rejects flows that match on the ct_mark field or that
5549 set ct_mark in the ct action.
5550 capabilities : ct_label: optional string, either true or false
5552 If true, datapath supports OVS_KEY_ATTR_CT_LABEL. If false, Open
5553 vSwitch rejects flows that match on the ct_label field or that
5554 set ct_label in the ct action.
5555 capabilities : ct_orig_tuple: optional string, either true or false
5557 If true, the datapath supports matching the 5-tuple from the
5558 connection’s original direction for IPv4 traffic. If false, Open
5559 vSwitch rejects flows that match on ct_nw_src or ct_nw_dst, that
5560 use the ct feature of the resubmit action, or the force keyword
5561 in the ct action. (The latter isn’t tied to connection tracking
5562 support of original tuples in any technical way. They are con‐
5563 flated because all current datapaths implemented the two fea‐
5564 tures at the same time.)
5565 If this and capabilities:ct_orig_tuple6 are both false, Open
5567 vSwitch rejects flows that match on ct_nw_proto, ct_tp_src, or
5568 ct_tp_dst.
5569 capabilities : ct_orig_tuple6: optional string, either true or false
5571 If true, the datapath supports matching the 5-tuple from the
5572 connection’s original direction for IPv6 traffic. If false, Open
5573 vSwitch rejects flows that match on ct_ipv6_src or ct_ipv6_dst.
5574 capabilities : masked_set_action: optional string, either true or false
5576 True if the datapath supports masked data in OVS_ACTION_ATTR_SET
5577 actions. Masked data can improve performance by allowing
5578 megaflows to match on fewer fields.
5579 capabilities : tnl_push_pop: optional string, either true or false
5581 True if the datapath supports tnl_push and pop actions. This is
5582 a prerequisite for a datapath to support native tunneling.
5583 capabilities : ufid: optional string, either true or false
5585 True if the datapath supports OVS_FLOW_ATTR_UFID. UFID support
5586 improves revalidation performance by transferring less data be‐
5587 tween the slow path and the datapath.
5588 capabilities : trunc: optional string, either true or false
5590 True if the datapath supports OVS_ACTION_ATTR_TRUNC action. If
5591 false, the output action with packet truncation requires every
5592 packet to be sent to the Open vSwitch slow path, which is likely
5593 to make it too slow for mirroring traffic in bulk.
5594 capabilities : nd_ext: optional string, either true or false
5596 True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS to
5597 match on ICMPv6 "ND reserved" and "ND option type" header
5598 fields. If false, the datapath reports error if the feature is
5599 used.
5600 Clone Actions:
5602 When Open vSwitch translates actions from OpenFlow into the datapath
5604 representation, some of the datapath actions may modify the packet or
5605 have other side effects that later datapath actions can’t undo. The
5606 OpenFlow ct, meter, output with truncation, encap, decap, and
5607 dec_nsh_ttl actions fall into this category. Often, this is not a prob‐
5608 lem because nothing later on needs the original packet.
5609 Such actions can, however, occur in circumstances where the translation
5611 does require the original packet. For example, an OpenFlow output ac‐
5612 tion might direct a packet to a patch port, which might in turn lead to
5613 a ct action that NATs the packet (which cannot be undone), and then af‐
5614 terward when control flow pops back across the patch port some other
5615 action might need to act on the original packet.
5616 Open vSwitch has two different ways to implement this ``save and re‐
5618 store’’ via datapath actions. These capabilities indicate which one
5619 Open vSwitch will choose. When neither is available, Open vSwitch sim‐
5620 ply fails in situations that require this feature.
5621 capabilities : clone: optional string, either true or false
5623 True if the datapath supports OVS_ACTION_ATTR_CLONE action. This
5624 is the preferred option for saving and restoring packets, since
5625 it is intended for the purpose, but old datapaths do not support
5626 it. Open vSwitch will use it whenever it is available.
5627 (The OpenFlow clone action does not always yield a OVS_AC‐
5629 TION_ATTR_CLONE action. It only does so when the datapath sup‐
5630 ports it and the clone brackets actions that otherwise cannot be
5631 undone.)
5632 capabilities : sample_nesting: optional string, containing an integer,
5634 at least 0
5635 Maximum level of nesting allowed by OVS_ACTION_ATTR_SAMPLE ac‐
5636 tion. Open vSwitch misuses this action for saving and restoring
5637 packets when the datapath supports more than 3 levels of nesting
5638 and OVS_ACTION_ATTR_CLONE is not available.
5639 capabilities : ct_eventmask: optional string, either true or false
5641 True if the datapath’s OVS_ACTION_ATTR_CT action implements the
5642 OVS_CT_ATTR_EVENTMASK attribute. When this is true, Open vSwitch
5643 uses the event mask feature to limit the kinds of events re‐
5644 ported to conntrack update listeners. When Open vSwitch doesn’t
5645 limit the event mask, listeners receive reports of numerous usu‐
5646 ally unimportant events, such as TCP state machine changes,
5647 which can waste CPU time.
5648 capabilities : ct_clear: optional string, either true or false
5650 True if the datapath supports OVS_ACTION_ATTR_CT_CLEAR action.
5651 If false, the OpenFlow ct_clear action has no effect on the
5652 datapath.
5653 capabilities : max_hash_alg: optional string, containing an integer, at
5655 least 0
5656 Highest supported dp_hash algorithm. This allows Open vSwitch to
5657 avoid requesting a packet hash that the datapath does not sup‐
5658 port.
5659 capabilities : check_pkt_len: optional string, either true or false
5661 True if the datapath supports OVS_ACTION_ATTR_CHECK_PKT_LEN. If
5662 false, Open vSwitch implements the check_pkt_larger action by
5663 sending every packet through the Open vSwitch slow path, which
5664 is likely to make it too slow for handling traffic in bulk.
5665 capabilities : ct_timeout: optional string, either true or false
5667 True if the datapath supports OVS_CT_ATTR_TIMEOUT in the OVS_AC‐
5668 TION_ATTR_CT action. If false, Open vswitch cannot implement
5669 timeout policies based on connection tracking zones, as config‐
5670 ured through the CT_Timeout_Policy table.
5671 capabilities : explicit_drop_action: optional string, either true or
5673 false
5674 True if the datapath supports OVS_ACTION_ATTR_DROP. If false,
5675 explicit drop action will not be sent to the datapath.
5676 capabilities : ct_zero_snat: optional string, either true or false
5678 True if the datapath supports all-zero SNAT. This is a special
5679 case if the src IP address is configured as all 0’s, i.e.,
5680 nat(src=0.0.0.0). In this case, when a source port collision is
5681 detected during the commit, the source port will be translated
5682 to an ephemeral port. If there is no collision, no SNAT is per‐
5683 formed.
5684 capabilities : ct_flush: optional string, either true or false
5686 True if the datapath supports CT flush OpenFlow Nicira extension
5687 called NXT_CT_FLUSH. The NXT_CT_FLUSH extensions allows to flush
5688 CT entries based on specified parameters.
5689 Common Columns:
5691 The overall purpose of these columns is described under Common Columns
5693 at the beginning of this document.
5694 external_ids: map of string-string pairs
5696
5698 Connection tracking zone configuration
5699 Summary:
5701 timeout_policy optional CT_Timeout_Policy
5702 Common Columns:
5703 external_ids map of string-string pairs
5704 Details:
5706 timeout_policy: optional CT_Timeout_Policy
5707 Connection tracking timeout policy for this zone. If a timeout
5708 policy is not specified, it defaults to the timeout policy in
5709 the system.
5710 Common Columns:
5712 The overall purpose of these columns is described under Common Columns
5714 at the beginning of this document.
5715 external_ids: map of string-string pairs
5717
5719 Connection tracking timeout policy configuration
5720 Summary:
5722 Timeouts:
5723 timeouts map of string-integer pairs, key one of
5724 icmp_first, icmp_reply, tcp_close,
5725 tcp_close_wait, tcp_established,
5726 tcp_fin_wait, tcp_last_ack, tcp_retrans‐
5727 mit, tcp_syn_recv, tcp_syn_sent2,
5728 tcp_syn_sent, tcp_time_wait, tcp_unack,
5729 udp_first, udp_multiple, or udp_single,
5730 value in range 0 to 4,294,967,295
5731 TCP Timeouts:
5732 timeouts : tcp_syn_sent optional integer, in range 0 to
5733 4,294,967,295
5734 timeouts : tcp_syn_recv optional integer, in range 0 to
5735 4,294,967,295
5736 timeouts : tcp_established
5737 optional integer, in range 0 to
5738 4,294,967,295
5739 timeouts : tcp_fin_wait optional integer, in range 0 to
5740 4,294,967,295
5741 timeouts : tcp_close_wait
5742 optional integer, in range 0 to
5743 4,294,967,295
5744 timeouts : tcp_last_ack optional integer, in range 0 to
5745 4,294,967,295
5746 timeouts : tcp_time_wait optional integer, in range 0 to
5747 4,294,967,295
5748 timeouts : tcp_close optional integer, in range 0 to
5749 4,294,967,295
5750 timeouts : tcp_syn_sent2 optional integer, in range 0 to
5751 4,294,967,295
5752 timeouts : tcp_retransmit
5753 optional integer, in range 0 to
5754 4,294,967,295
5755 timeouts : tcp_unack optional integer, in range 0 to
5756 4,294,967,295
5757 UDP Timeouts:
5758 timeouts : udp_first optional integer, in range 0 to
5759 4,294,967,295
5760 timeouts : udp_single optional integer, in range 0 to
5761 4,294,967,295
5762 timeouts : udp_multiple optional integer, in range 0 to
5763 4,294,967,295
5764 ICMP Timeouts:
5765 timeouts : icmp_first optional integer, in range 0 to
5766 4,294,967,295
5767 timeouts : icmp_reply optional integer, in range 0 to
5768 4,294,967,295
5769 Common Columns:
5770 external_ids map of string-string pairs
5771 Details:
5773 Timeouts:
5774 timeouts: map of string-integer pairs, key one of icmp_first, icmp_re‐
5776 ply, tcp_close, tcp_close_wait, tcp_established, tcp_fin_wait,
5777 tcp_last_ack, tcp_retransmit, tcp_syn_recv, tcp_syn_sent2,
5778 tcp_syn_sent, tcp_time_wait, tcp_unack, udp_first, udp_multiple, or
5779 udp_single, value in range 0 to 4,294,967,295
5780 The timeouts column contains key-value pairs used to configure
5781 connection tracking timeouts in a datapath. Key-value pairs that
5782 are not supported by a datapath are ignored. The timeout value
5783 is in seconds.
5784 TCP Timeouts:
5786 timeouts : tcp_syn_sent: optional integer, in range 0 to 4,294,967,295
5788 The timeout for the connection after the first TCP SYN packet
5789 has been seen by conntrack.
5790 timeouts : tcp_syn_recv: optional integer, in range 0 to 4,294,967,295
5792 The timeout of the connection after the first TCP SYN-ACK packet
5793 has been seen by conntrack.
5794 timeouts : tcp_established: optional integer, in range 0 to
5796 4,294,967,295
5797 The timeout of the connection after the connection has been
5798 fully established.
5799 timeouts : tcp_fin_wait: optional integer, in range 0 to 4,294,967,295
5801 The timeout of the connection after the first TCP FIN packet has
5802 been seen by conntrack.
5803 timeouts : tcp_close_wait: optional integer, in range 0 to
5805 4,294,967,295
5806 The timeout of the connection after the first TCP ACK packet has
5807 been seen after it receives TCP FIN packet. This timeout is only
5808 supported by the Linux kernel datapath.
5809 timeouts : tcp_last_ack: optional integer, in range 0 to 4,294,967,295
5811 The timeout of the connection after TCP FIN packets have been
5812 seen by conntrack from both directions. This timeout is only
5813 supported by the Linux kernel datapath.
5814 timeouts : tcp_time_wait: optional integer, in range 0 to 4,294,967,295
5816 The timeout of the connection after conntrack has seen the TCP
5817 ACK packet for the second TCP FIN packet.
5818 timeouts : tcp_close: optional integer, in range 0 to 4,294,967,295
5820 The timeout of the connection after the first TCP RST packet has
5821 been seen by conntrack.
5822 timeouts : tcp_syn_sent2: optional integer, in range 0 to 4,294,967,295
5824 The timeout of the connection when only a TCP SYN packet has
5825 been seen by conntrack from both directions (simultaneous open).
5826 This timeout is only supported by the Linux kernel datapath.
5827 timeouts : tcp_retransmit: optional integer, in range 0 to
5829 4,294,967,295
5830 The timeout of the connection when it exceeds the maximum number
5831 of retransmissions. This timeout is only supported by the Linux
5832 kernel datapath.
5833 timeouts : tcp_unack: optional integer, in range 0 to 4,294,967,295
5835 The timeout of the connection when non-SYN packets create an es‐
5836 tablished connection in TCP loose tracking mode. This timeout is
5837 only supported by the Linux kernel datapath.
5838 UDP Timeouts:
5840 timeouts : udp_first: optional integer, in range 0 to 4,294,967,295
5842 The timeout of the connection after the first UDP packet has
5843 been seen by conntrack. This timeout is only supported by the
5844 userspace datapath.
5845 timeouts : udp_single: optional integer, in range 0 to 4,294,967,295
5847 The timeout of the connection when conntrack only seen UDP
5848 packet from the source host, but the destination host has never
5849 sent one back.
5850 timeouts : udp_multiple: optional integer, in range 0 to 4,294,967,295
5852 The timeout of the connection when UDP packets have been seen in
5853 both directions.
5854 ICMP Timeouts:
5856 timeouts : icmp_first: optional integer, in range 0 to 4,294,967,295
5858 The timeout of the connection after the first ICMP packet has
5859 been seen by conntrack.
5860 timeouts : icmp_reply: optional integer, in range 0 to 4,294,967,295
5862 The timeout of the connection when ICMP packets have been seen
5863 in both direction. This timeout is only supported by the
5864 userspace datapath.
5865 Common Columns:
5867 The overall purpose of these columns is described under Common Columns
5869 at the beginning of this document.
5870 external_ids: map of string-string pairs
5872
5874 SSL configuration for an Open_vSwitch.
5875 Summary:
5877 private_key string
5878 certificate string
5879 ca_cert string
5880 bootstrap_ca_cert boolean
5881 Common Columns:
5882 external_ids map of string-string pairs
5883 Details:
5885 private_key: string
5886 Name of a PEM file containing the private key used as the
5887 switch’s identity for SSL connections to the controller.
5888 certificate: string
5890 Name of a PEM file containing a certificate, signed by the cer‐
5891 tificate authority (CA) used by the controller and manager, that
5892 certifies the switch’s private key, identifying a trustworthy
5893 switch.
5894 ca_cert: string
5896 Name of a PEM file containing the CA certificate used to verify
5897 that the switch is connected to a trustworthy controller.
5898 bootstrap_ca_cert: boolean
5900 If set to true, then Open vSwitch will attempt to obtain the CA
5901 certificate from the controller on its first SSL connection and
5902 save it to the named PEM file. If it is successful, it will im‐
5903 mediately drop the connection and reconnect, and from then on
5904 all SSL connections must be authenticated by a certificate
5905 signed by the CA certificate thus obtained. This option exposes
5906 the SSL connection to a man-in-the-middle attack obtaining the
5907 initial CA certificate. It may still be useful for bootstrap‐
5908 ping.
5909 Common Columns:
5911 The overall purpose of these columns is described under Common Columns
5913 at the beginning of this document.
5914 external_ids: map of string-string pairs
5916
5918 A set of sFlow(R) targets. sFlow is a protocol for remote monitoring of
5919 switches.
5920 Summary:
5922 agent optional string
5923 header optional integer
5924 polling optional integer
5925 sampling optional integer
5926 targets set of 1 or more strings
5927 Common Columns:
5928 external_ids map of string-string pairs
5929 Details:
5931 agent: optional string
5932 Determines the agent address, that is, the IP address reported
5933 to collectors as the source of the sFlow data. It may be an IP
5934 address or the name of a network device. In the latter case, the
5935 network device’s IP address is used,
5936 If not specified, the agent device is figured from the first
5938 target address and the routing table. If the routing table does
5939 not contain a route to the target, the IP address defaults to
5940 the local_ip in the collector’s Controller.
5941 If an agent IP address cannot be determined, sFlow is disabled.
5943 header: optional integer
5945 Number of bytes of a sampled packet to send to the collector. If
5946 not specified, the default is 128 bytes.
5947 polling: optional integer
5949 Polling rate in seconds to send port statistics to the collec‐
5950 tor. If not specified, defaults to 30 seconds.
5951 sampling: optional integer
5953 Rate at which packets should be sampled and sent to the collec‐
5954 tor. If not specified, defaults to 400, which means one out of
5955 400 packets, on average, will be sent to the collector.
5956 targets: set of 1 or more strings
5958 sFlow targets in the form ip:port.
5959 Common Columns:
5961 The overall purpose of these columns is described under Common Columns
5963 at the beginning of this document.
5964 external_ids: map of string-string pairs
5966
5968 Configuration for sending packets to IPFIX collectors.
5969 IPFIX is a protocol that exports a number of details about flows. The
5971 IPFIX implementation in Open vSwitch samples packets at a configurable
5972 rate, extracts flow information from those packets, optionally caches
5973 and aggregates the flow information, and sends the result to one or
5974 more collectors.
5975 IPFIX in Open vSwitch can be configured two different ways:
5977 • With per-bridge sampling, Open vSwitch performs IPFIX
5979 sampling automatically on all packets that pass through a
5980 bridge. To configure per-bridge sampling, create an IPFIX
5981 record and point a Bridge table’s ipfix column to it. The
5982 Flow_Sample_Collector_Set table is not used for per-
5983 bridge sampling.
5984 • With flow-based sampling, sample actions in the OpenFlow
5986 flow table drive IPFIX sampling. See ovs-actions(7) for a
5987 description of the sample action.
5988 Flow-based sampling also requires database configuration:
5990 create a IPFIX record that describes the IPFIX configura‐
5991 tion and a Flow_Sample_Collector_Set record that points
5992 to the Bridge whose flow table holds the sample actions
5993 and to IPFIX record. The ipfix in the Bridge table is not
5994 used for flow-based sampling.
5995 Summary:
5997 targets set of strings
5998 cache_active_timeout optional integer, in range 0 to 4,200
5999 cache_max_flows optional integer, in range 0 to
6000 4,294,967,295
6001 stats_interval optional integer, in range 1 to 3,600
6002 template_interval optional integer, in range 1 to 3,600
6003 other_config : enable-tunnel-sampling
6004 optional string, either true or false
6005 other_config : virtual_obs_id optional string
6006 Per-Bridge Sampling:
6007 sampling optional integer, in range 1 to
6008 4,294,967,295
6009 obs_domain_id optional integer, in range 0 to
6010 4,294,967,295
6011 obs_point_id optional integer, in range 0 to
6012 4,294,967,295
6013 other_config : enable-input-sampling
6014 optional string, either true or false
6015 other_config : enable-output-sampling
6016 optional string, either true or false
6017 Common Columns:
6018 external_ids map of string-string pairs
6019 Details:
6021 targets: set of strings
6022 IPFIX target collectors in the form ip:port.
6023 cache_active_timeout: optional integer, in range 0 to 4,200
6025 The maximum period in seconds for which an IPFIX flow record is
6026 cached and aggregated before being sent. If not specified, de‐
6027 faults to 0. If 0, caching is disabled.
6028 cache_max_flows: optional integer, in range 0 to 4,294,967,295
6030 The maximum number of IPFIX flow records that can be cached at a
6031 time. If not specified, defaults to 0. If 0, caching is dis‐
6032 abled.
6033 stats_interval: optional integer, in range 1 to 3,600
6035 Interval (in seconds) for sending IPFIX exporting process sta‐
6036 tistics according to IETF RFC 5101 Section 4.3.
6037 Default value is 600
6039 template_interval: optional integer, in range 1 to 3,600
6041 Interval (in seconds) for sending IPFIX Template information for
6042 each Observation Domain ID.
6043 Default value is 600
6045 other_config : enable-tunnel-sampling: optional string, either true or
6047 false
6048 Set to true to enable sampling and reporting tunnel header 7-tu‐
6049 ples in IPFIX flow records. Tunnel sampling is enabled by de‐
6050 fault.
6051 The following enterprise entities report the sampled tunnel
6053 info:
6054 tunnelType:
6056 ID: 891, and enterprise ID 6876 (VMware).
6057 type: unsigned 8-bit integer.
6059 data type semantics: identifier.
6061 description: Identifier of the layer 2 network overlay
6063 network encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03
6064 LISP, 0x07 GENEVE.
6065 tunnelKey:
6067 ID: 892, and enterprise ID 6876 (VMware).
6068 type: variable-length octetarray.
6070 data type semantics: identifier.
6072 description: Key which is used for identifying an indi‐
6074 vidual traffic flow within a VxLAN (24-bit VNI), GENEVE
6075 (24-bit VNI), GRE (32-bit key), or LISP (24-bit instance
6076 ID) tunnel. The key is encoded in this octetarray as a
6077 3-, 4-, or 8-byte integer ID in network byte order.
6078 tunnelSourceIPv4Address:
6080 ID: 893, and enterprise ID 6876 (VMware).
6081 type: unsigned 32-bit integer.
6083 data type semantics: identifier.
6085 description: The IPv4 source address in the tunnel IP
6087 packet header.
6088 tunnelDestinationIPv4Address:
6090 ID: 894, and enterprise ID 6876 (VMware).
6091 type: unsigned 32-bit integer.
6093 data type semantics: identifier.
6095 description: The IPv4 destination address in the tunnel
6097 IP packet header.
6098 tunnelProtocolIdentifier:
6100 ID: 895, and enterprise ID 6876 (VMware).
6101 type: unsigned 8-bit integer.
6103 data type semantics: identifier.
6105 description: The value of the protocol number in the tun‐
6107 nel IP packet header. The protocol number identifies the
6108 tunnel IP packet payload type.
6109 tunnelSourceTransportPort:
6111 ID: 896, and enterprise ID 6876 (VMware).
6112 type: unsigned 16-bit integer.
6114 data type semantics: identifier.
6116 description: The source port identifier in the tunnel
6118 transport header. For the transport protocols UDP, TCP,
6119 and SCTP, this is the source port number given in the re‐
6120 spective header.
6121 tunnelDestinationTransportPort:
6123 ID: 897, and enterprise ID 6876 (VMware).
6124 type: unsigned 16-bit integer.
6126 data type semantics: identifier.
6128 description: The destination port identifier in the tun‐
6130 nel transport header. For the transport protocols UDP,
6131 TCP, and SCTP, this is the destination port number given
6132 in the respective header.
6133 Before Open vSwitch 2.5.90, other_config:enable-tunnel-sampling
6135 was only supported with per-bridge sampling, and ignored other‐
6136 wise. Open vSwitch 2.5.90 and later support other_config:enable-
6137 tunnel-sampling for per-bridge and per-flow sampling.
6138 other_config : virtual_obs_id: optional string
6140 A string that accompanies each IPFIX flow record. Its intended
6141 use is for the ``virtual observation ID,’’ an identifier of a
6142 virtual observation point that is locally unique in a virtual
6143 network. It describes a location in the virtual network where IP
6144 packets can be observed. The maximum length is 254 bytes. If not
6145 specified, the field is omitted from the IPFIX flow record.
6146 The following enterprise entity reports the specified virtual
6148 observation ID:
6149 virtualObsID:
6151 ID: 898, and enterprise ID 6876 (VMware).
6152 type: variable-length string.
6154 data type semantics: identifier.
6156 description: A virtual observation domain ID that is lo‐
6158 cally unique in a virtual network.
6159 This feature was introduced in Open vSwitch 2.5.90.
6161 Per-Bridge Sampling:
6163 These values affect only per-bridge sampling. See above for a descrip‐
6165 tion of the differences between per-bridge and flow-based sampling.
6166 sampling: optional integer, in range 1 to 4,294,967,295
6168 The rate at which packets should be sampled and sent to each
6169 target collector. If not specified, defaults to 400, which means
6170 one out of 400 packets, on average, will be sent to each target
6171 collector.
6172 obs_domain_id: optional integer, in range 0 to 4,294,967,295
6174 The IPFIX Observation Domain ID sent in each IPFIX packet. If
6175 not specified, defaults to 0.
6176 obs_point_id: optional integer, in range 0 to 4,294,967,295
6178 The IPFIX Observation Point ID sent in each IPFIX flow record.
6179 If not specified, defaults to 0.
6180 other_config : enable-input-sampling: optional string, either true or
6182 false
6183 By default, Open vSwitch samples and reports flows at bridge
6184 port input in IPFIX flow records. Set this column to false to
6185 disable input sampling.
6186 other_config : enable-output-sampling: optional string, either true or
6188 false
6189 By default, Open vSwitch samples and reports flows at bridge
6190 port output in IPFIX flow records. Set this column to false to
6191 disable output sampling.
6192 Common Columns:
6194 The overall purpose of these columns is described under Common Columns
6196 at the beginning of this document.
6197 external_ids: map of string-string pairs
6199
6201 A set of IPFIX collectors of packet samples generated by OpenFlow sam‐
6202 ple actions. This table is used only for IPFIX flow-based sampling, not
6203 for per-bridge sampling (see the IPFIX table for a description of the
6204 two forms).
6205 Summary:
6207 id integer, in range 0 to 4,294,967,295
6208 bridge Bridge
6209 ipfix optional IPFIX
6210 Common Columns:
6211 external_ids map of string-string pairs
6212 Details:
6214 id: integer, in range 0 to 4,294,967,295
6215 The ID of this collector set, unique among the bridge’s collec‐
6216 tor sets, to be used as the collector_set_id in OpenFlow sample
6217 actions.
6218 bridge: Bridge
6220 The bridge into which OpenFlow sample actions can be added to
6221 send packet samples to this set of IPFIX collectors.
6222 ipfix: optional IPFIX
6224 Configuration of the set of IPFIX collectors to send one flow
6225 record per sampled packet to.
6226 Common Columns:
6228 The overall purpose of these columns is described under Common Columns
6230 at the beginning of this document.
6231 external_ids: map of string-string pairs
6233
6235 Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM
6236 draft standard describes a compact method of using IEEE 802.1AB Link
6237 Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
6238 Path Bridging (SPB) network to automatically attach network devices to
6239 individual services in a SPB network. The intent here is to allow net‐
6240 work applications and devices using OVS to be able to easily take ad‐
6241 vantage of features offered by industry standard SPB networks.
6242 Auto Attach (AA) uses LLDP to communicate between a directly connected
6244 Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP proto‐
6245 col is extended to add two new Type-Length-Value tuples (TLVs). The
6246 first new TLV supports the ongoing discovery of directly connected AA
6247 correspondents. Auto Attach operates by regularly transmitting AA dis‐
6248 covery TLVs between the AA client and AA server. By exchanging these
6249 discovery messages, both the AAC and AAS learn the system name and sys‐
6250 tem description of their peer. In the OVS context, OVS operates as the
6251 AA client and the AA server resides on a switch at the edge of the SPB
6252 network.
6253 Once AA discovery has been completed the AAC then uses the second new
6255 TLV to deliver identifier mappings from the AAC to the AAS. A primary
6256 feature of Auto Attach is to facilitate the mapping of VLANs defined
6257 outside the SPB network onto service ids (ISIDs) defined within the SPM
6258 network. By doing so individual external VLANs can be mapped onto spe‐
6259 cific SPB network services. These VLAN id to ISID mappings can be con‐
6260 figured and managed locally using new options added to the ovs-vsctl
6261 command.
6262 The Auto Attach OVS feature does not provide a full implementation of
6264 the LLDP protocol. Support for the mandatory TLVs as defined by the
6265 LLDP standard and support for the AA TLV extensions is provided. LLDP
6266 protocol support in OVS can be enabled or disabled on a port by port
6267 basis. LLDP support is disabled by default.
6268 Summary:
6270 system_name string
6271 system_description string
6272 mappings map of integer-integer pairs, key in
6273 range 0 to 16,777,215, value in range 0
6274 to 4,095
6275 Details:
6277 system_name: string
6278 The system_name string is exported in LLDP messages. It should
6279 uniquely identify the bridge in the network.
6280 system_description: string
6282 The system_description string is exported in LLDP messages. It
6283 should describe the type of software and hardware.
6284 mappings: map of integer-integer pairs, key in range 0 to 16,777,215,
6286 value in range 0 to 4,095
6287 A mapping from SPB network Individual Service Identifier (ISID)
6288 to VLAN id.
6289Open vSwitch 3.2.0 DB Schema 8.4.0 ovs-vswitchd.conf.db(5)