1ovs-vswitchd.conf.db(5) Open vSwitch Manual ovs-vswitchd.conf.db(5)
2
6 ovs-vswitchd.conf.db - Open_vSwitch database schema
7 A database with this schema holds the configuration for one Open
9 vSwitch daemon. The top-level configuration for the daemon is the
10 Open_vSwitch table, which must have exactly one record. Records in
11 other tables are significant only when they can be reached directly or
12 indirectly from the Open_vSwitch table. Records that are not reachable
13 from the Open_vSwitch table are automatically deleted from the data‐
14 base, except for records in a few distinguished ``root set’’ tables.
15 Common Columns
17 Most tables contain two special columns, named other_config and exter‐
18 nal_ids. These columns have the same form and purpose each place that
19 they appear, so we describe them here to save space later.
20 other_config: map of string-string pairs
22 Key-value pairs for configuring rarely used features.
23 Supported keys, along with the forms taken by their val‐
24 ues, are documented individually for each table.
25 A few tables do not have other_config columns because no
27 key-value pairs have yet been defined for them.
28 external_ids: map of string-string pairs
30 Key-value pairs for use by external frameworks that inte‐
31 grate with Open vSwitch, rather than by Open vSwitch
32 itself. System integrators should either use the Open
33 vSwitch development mailing list to coordinate on common
34 key-value definitions, or choose key names that are
35 likely to be unique. In some cases, where key-value pairs
36 have been defined that are likely to be widely useful,
37 they are documented individually for each table.
38
40 The following list summarizes the purpose of each of the tables in the
41 Open_vSwitch database. Each table is described in more detail on a
42 later page.
43 Table Purpose
45 Open_vSwitch
46 Open vSwitch configuration.
47 Bridge Bridge configuration.
48 Port Port configuration.
49 Interface One physical network device in a Port.
50 Flow_Table
51 OpenFlow table configuration
52 QoS Quality of Service configuration
53 Queue QoS output queue.
54 Mirror Port mirroring.
55 Controller
56 OpenFlow controller configuration.
57 Manager OVSDB management connection.
58 NetFlow NetFlow configuration.
59 Datapath Datapath configuration.
60 CT_Zone CT_Zone configuration.
61 CT_Timeout_Policy
62 CT_Timeout_Policy configuration.
63 SSL SSL configuration.
64 sFlow sFlow configuration.
65 IPFIX IPFIX configuration.
66 Flow_Sample_Collector_Set
67 Flow_Sample_Collector_Set configuration.
68 AutoAttach
69 AutoAttach configuration.
70
72 Configuration for an Open vSwitch daemon. There must be exactly one
73 record in the Open_vSwitch table.
74 Summary:
76 Configuration:
77 datapaths map of string-Datapath pairs
78 bridges set of Bridges
79 ssl optional SSL
80 external_ids : system-id optional string
81 external_ids : xs-system-uuid
82 optional string
83 external_ids : hostname optional string
84 external_ids : rundir optional string
85 other_config : stats-update-interval
86 optional string, containing an integer,
87 at least 5,000
88 other_config : flow-restore-wait
89 optional string, either true or false
90 other_config : flow-limit optional string, containing an integer,
91 at least 0
92 other_config : max-idle optional string, containing an integer,
93 at least 500
94 other_config : max-revalidator
95 optional string, containing an integer,
96 at least 100
97 other_config : min-revalidate-pps
98 optional string, containing an integer,
99 at least 1
100 other_config : hw-offload optional string, either true or false
101 other_config : tc-policy optional string, one of none, skip_hw, or
102 skip_sw
103 other_config : dpdk-init optional string, one of false, true, or
104 try
105 other_config : dpdk-lcore-mask
106 optional string, containing an integer,
107 at least 1
108 other_config : pmd-cpu-mask
109 optional string
110 other_config : dpdk-alloc-mem
111 optional string, containing an integer,
112 at least 0
113 other_config : dpdk-socket-mem
114 optional string
115 other_config : dpdk-socket-limit
116 optional string
117 other_config : dpdk-hugepage-dir
118 optional string
119 other_config : dpdk-extra optional string
120 other_config : vhost-sock-dir
121 optional string
122 other_config : vhost-iommu-support
123 optional string, either true or false
124 other_config : vhost-postcopy-support
125 optional string, either true or false
126 other_config : per-port-memory
127 optional string, either true or false
128 other_config : tx-flush-interval
129 optional string, containing an integer,
130 in range 0 to 1,000,000
131 other_config : pmd-perf-metrics
132 optional string, either true or false
133 other_config : smc-enable optional string, either true or false
134 other_config : pmd-rxq-assign
135 optional string, either cycles or
136 roundrobin
137 other_config : n-handler-threads
138 optional string, containing an integer,
139 at least 1
140 other_config : n-revalidator-threads
141 optional string, containing an integer,
142 at least 1
143 other_config : emc-insert-inv-prob
144 optional string, containing an integer,
145 in range 0 to 4,294,967,295
146 other_config : vlan-limit optional string, containing an integer,
147 at least 0
148 other_config : bundle-idle-timeout
149 optional string, containing an integer,
150 at least 1
151 other_config : offload-rebalance
152 optional string, either true or false
153 other_config : pmd-auto-lb optional string, either true or false
154 other_config : pmd-auto-lb-rebal-interval
155 optional string, containing an integer,
156 in range 0 to 20,000
157 other_config : pmd-auto-lb-load-threshold
158 optional string, containing an integer,
159 in range 0 to 100
160 other_config : pmd-auto-lb-improvement-threshold
161 optional string, containing an integer,
162 in range 0 to 100
163 other_config : userspace-tso-enable
164 optional string, either true or false
165 Status:
166 next_cfg integer
167 cur_cfg integer
168 dpdk_initialized boolean
169 Statistics:
170 other_config : enable-statistics
171 optional string, either true or false
172 statistics : cpu optional string, containing an integer,
173 at least 1
174 statistics : load_average
175 optional string
176 statistics : memory optional string
177 statistics : process_NAME
178 optional string
179 statistics : file_systems
180 optional string
181 Version Reporting:
182 ovs_version optional string
183 db_version optional string
184 system_type optional string
185 system_version optional string
186 dpdk_version optional string
187 Capabilities:
188 datapath_types set of strings
189 iface_types set of strings
190 Database Configuration:
191 manager_options set of Managers
192 IPsec:
193 other_config : private_key optional string
194 other_config : certificate optional string
195 other_config : ca_cert optional string
196 Plaintext Tunnel Policy:
197 other_config : ipsec_skb_mark
198 optional string
199 Common Columns:
200 other_config map of string-string pairs
201 external_ids map of string-string pairs
202 Details:
204 Configuration:
205 datapaths: map of string-Datapath pairs
207 Map of datapath types to datapaths. The datapath_type column of
208 the Bridge table is used as a key for this map. The value points
209 to a row in the Datapath table.
210 bridges: set of Bridges
212 Set of bridges managed by the daemon.
213 ssl: optional SSL
215 SSL used globally by the daemon.
216 external_ids : system-id: optional string
218 A unique identifier for the Open vSwitch’s physical host. The
219 form of the identifier depends on the type of the host. On a
220 Citrix XenServer, this will likely be the same as exter‐
221 nal_ids:xs-system-uuid.
222 external_ids : xs-system-uuid: optional string
224 The Citrix XenServer universally unique identifier for the phys‐
225 ical host as displayed by xe host-list.
226 external_ids : hostname: optional string
228 The hostname for the host running Open vSwitch. This is a fully
229 qualified domain name since version 2.6.2.
230 external_ids : rundir: optional string
232 In Open vSwitch 2.8 and later, the run directory of the running
233 Open vSwitch daemon. This directory is used for runtime state
234 such as control and management sockets. The value of other_con‐
235 fig:vhost-sock-dir is relative to this directory.
236 other_config : stats-update-interval: optional string, containing an
238 integer, at least 5,000
239 Interval for updating statistics to the database, in millisec‐
240 onds. This option will affect the update of the statistics col‐
241 umn in the following tables: Port, Interface , Mirror.
242 Default value is 5000 ms.
244 Getting statistics more frequently can be achieved via OpenFlow.
246 other_config : flow-restore-wait: optional string, either true or false
248 When ovs-vswitchd starts up, it has an empty flow table and
249 therefore it handles all arriving packets in its default fashion
250 according to its configuration, by dropping them or sending them
251 to an OpenFlow controller or switching them as a standalone
252 switch. This behavior is ordinarily desirable. However, if
253 ovs-vswitchd is restarting as part of a ``hot-upgrade,’’ then
254 this leads to a relatively long period during which packets are
255 mishandled.
256 This option allows for improvement. When ovs-vswitchd starts
258 with this value set as true, it will neither flush or expire
259 previously set datapath flows nor will it send and receive any
260 packets to or from the datapath. When this value is later set to
261 false, ovs-vswitchd will start receiving packets from the data‐
262 path and re-setup the flows.
263 Additionally, ovs-vswitchd is prevented from connecting to con‐
265 trollers when this value is set to true. This prevents con‐
266 trollers from making changes to the flow table in the middle of
267 flow restoration, which could result in undesirable intermediate
268 states. Once this value has been set to false and the desired
269 flow state has been restored, ovs-vswitchd will be able to
270 reconnect to controllers and process any new flow table modifi‐
271 cations.
272 Thus, with this option, the procedure for a hot-upgrade of
274 ovs-vswitchd becomes roughly the following:
275 1. Stop ovs-vswitchd.
277 2. Set other_config:flow-restore-wait to true.
279 3. Start ovs-vswitchd.
281 4. Use ovs-ofctl (or some other program, such as an OpenFlow
283 controller) to restore the OpenFlow flow table to the
284 desired state.
285 5. Set other_config:flow-restore-wait to false (or remove it
287 entirely from the database).
288 The ovs-ctl’s ``restart’’ and ``force-reload-kmod’’ functions
290 use the above config option during hot upgrades.
291 other_config : flow-limit: optional string, containing an integer, at
293 least 0
294 The maximum number of flows allowed in the datapath flow table.
295 Internally OVS will choose a flow limit which will likely be
296 lower than this number, based on real time network conditions.
297 Tweaking this value is discouraged unless you know exactly what
298 you’re doing.
299 The default is 200000.
301 other_config : max-idle: optional string, containing an integer, at
303 least 500
304 The maximum time (in ms) that idle flows will remain cached in
305 the datapath. Internally OVS will check the validity and activ‐
306 ity for datapath flows regularly and may expire flows quicker
307 than this number, based on real time network conditions. Tweak‐
308 ing this value is discouraged unless you know exactly what
309 you’re doing.
310 The default is 10000.
312 other_config : max-revalidator: optional string, containing an integer,
314 at least 100
315 The maximum time (in ms) that revalidator threads will wait
316 before executing flow revalidation. Note that this is maximum
317 allowed value. Actual timeout used by OVS is minimum of max-idle
318 and max-revalidator values. Tweaking this value is discouraged
319 unless you know exactly what you’re doing.
320 The default is 500.
322 other_config : min-revalidate-pps: optional string, containing an inte‐
324 ger, at least 1
325 Set minimum pps that flow must have in order to be revalidated
326 when revalidation duration exceeds half of max-revalidator con‐
327 fig variable.
328 The default is 5.
330 other_config : hw-offload: optional string, either true or false
332 Set this value to true to enable netdev flow offload.
333 The default value is false. Changing this value requires
335 restarting the daemon
336 Currently Open vSwitch supports hardware offloading on Linux
338 systems. On other systems, this value is ignored. This function‐
339 ality is considered ’experimental’. Depending on which OpenFlow
340 matches and actions are configured, which kernel version is
341 used, and what hardware is available, Open vSwitch may not be
342 able to offload functionality to hardware.
343 In order to dump HW offloaded flows use ovs-appctl
345 dpctl/dump-flows, ovs-dpctl doesn’t support this functionality.
346 See ovs-vswitchd(8) for details.
347 other_config : tc-policy: optional string, one of none, skip_hw, or
349 skip_sw
350 Specified the policy used with HW offloading. Options:
351 none Add software rule and offload rule to HW.
353 skip_sw
355 Offload rule to HW only.
356 skip_hw
358 Add software rule without offloading rule to HW.
359 This is only relevant if other_config:hw-offload is enabled.
361 The default value is none.
363 other_config : dpdk-init: optional string, one of false, true, or try
365 Set this value to true or try to enable runtime support for DPDK
366 ports. The vswitch must have compile-time support for DPDK as
367 well.
368 A value of true will cause the ovs-vswitchd process to abort if
370 DPDK cannot be initialized. A value of try will allow the ovs-
371 vswitchd process to continue running even if DPDK cannot be ini‐
372 tialized.
373 The default value is false. Changing this value requires
375 restarting the daemon
376 If this value is false at startup, any dpdk ports which are con‐
378 figured in the bridge will fail due to memory errors.
379 other_config : dpdk-lcore-mask: optional string, containing an integer,
381 at least 1
382 Specifies the CPU cores where dpdk lcore threads should be
383 spawned. The DPDK lcore threads are used for DPDK library tasks,
384 such as library internal message processing, logging, etc. Value
385 should be in the form of a hex string (so ’0x123’) similar to
386 the ’taskset’ mask input.
387 The lowest order bit corresponds to the first CPU core. A set
389 bit means the corresponding core is available and an lcore
390 thread will be created and pinned to it. If the input does not
391 cover all cores, those uncovered cores are considered not set.
392 For performance reasons, it is best to set this to a single core
394 on the system, rather than allow lcore threads to float.
395 If not specified, the value will be determined by choosing the
397 lowest CPU core from initial cpu affinity list. Otherwise, the
398 value will be passed directly to the DPDK library.
399 other_config : pmd-cpu-mask: optional string
401 Specifies CPU mask for setting the cpu affinity of PMD (Poll
402 Mode Driver) threads. Value should be in the form of hex string,
403 similar to the dpdk EAL ’-c COREMASK’ option input or the
404 ’taskset’ mask input.
405 The lowest order bit corresponds to the first CPU core. A set
407 bit means the corresponding core is available and a pmd thread
408 will be created and pinned to it. If the input does not cover
409 all cores, those uncovered cores are considered not set.
410 If not specified, one pmd thread will be created for each numa
412 node and pinned to any available core on the numa node by
413 default.
414 other_config : dpdk-alloc-mem: optional string, containing an integer,
416 at least 0
417 Specifies the amount of memory to preallocate from the hugepage
418 pool, regardless of socket. It is recommended that dpdk-socket-
419 mem is used instead.
420 other_config : dpdk-socket-mem: optional string
422 Specifies the amount of memory to preallocate from the hugepage
423 pool, on a per-socket basis.
424 The specifier is a comma-separated string, in ascending order of
426 CPU socket. E.g. On a four socket system 1024,0,2048 would set
427 socket 0 to preallocate 1024MB, socket 1 to preallocate 0MB,
428 socket 2 to preallocate 2048MB and socket 3 (no value given) to
429 preallocate 0MB.
430 If dpdk-socket-mem and dpdk-alloc-mem are not specified, dpdk-
432 socket-mem will be used and the default value is 1024 for each
433 numa node. If dpdk-socket-mem and dpdk-alloc-mem are specified
434 at same time, dpdk-socket-mem will be used as default. Changing
435 this value requires restarting the daemon.
436 other_config : dpdk-socket-limit: optional string
438 Limits the maximum amount of memory that can be used from the
439 hugepage pool, on a per-socket basis.
440 The specifier is a comma-separated list of memory limits per
442 socket. 0 will disable the limit for a particular socket.
443 If not specified, OVS will configure limits equal to the amount
445 of preallocated memory specified by other_config:dpdk-socket-mem
446 or --socket-mem in other_config:dpdk-extra. If none of the above
447 options specified or --legacy-mem provided in other_config:dpdk-
448 extra, limits will not be applied. Changing this value requires
449 restarting the daemon.
450 other_config : dpdk-hugepage-dir: optional string
452 Specifies the path to the hugetlbfs mount point.
453 If not specified, this will be guessed by the DPDK library
455 (default is /dev/hugepages). Changing this value requires
456 restarting the daemon.
457 other_config : dpdk-extra: optional string
459 Specifies additional eal command line arguments for DPDK.
460 The default is empty. Changing this value requires restarting
462 the daemon
463 other_config : vhost-sock-dir: optional string
465 Specifies a relative path from external_ids:rundir to the vhost-
466 user unix domain socket files. If this value is unset, the sock‐
467 ets are put directly in external_ids:rundir.
468 Changing this value requires restarting the daemon.
470 other_config : vhost-iommu-support: optional string, either true or
472 false
473 vHost IOMMU is a security feature, which restricts the vhost
474 memory that a virtio device may access. vHost IOMMU support is
475 disabled by default, due to a bug in QEMU implementations of the
476 vhost REPLY_ACK protocol, (on which vHost IOMMU relies) prior to
477 v2.9.1. Setting this value to true enables vHost IOMMU support
478 for vHost User Client ports in OvS-DPDK, starting from DPDK
479 v17.11.
480 Changing this value requires restarting the daemon.
482 other_config : vhost-postcopy-support: optional string, either true or
484 false
485 vHost post-copy is a feature which allows switching live migra‐
486 tion of VM attached to dpdkvhostuserclient port to post-copy
487 mode if default pre-copy migration can not be converged or takes
488 too long to converge. Setting this value to true enables vHost
489 post-copy support for all dpdkvhostuserclient ports. Available
490 starting from DPDK v18.11 and QEMU 2.12.
491 Changing this value requires restarting the daemon.
493 other_config : per-port-memory: optional string, either true or false
495 By default OVS DPDK uses a shared memory model wherein devices
496 that have the same MTU and socket values can share the same mem‐
497 pool. Setting this value to true changes this behaviour. Per
498 port memory allow DPDK devices to use private memory per device.
499 This can provide greater transparency as regards memory usage
500 but potentially at the cost of greater memory requirements.
501 Changing this value requires restarting the daemon if dpdk-init
503 has already been set to true.
504 other_config : tx-flush-interval: optional string, containing an inte‐
506 ger, in range 0 to 1,000,000
507 Specifies the time in microseconds that a packet can wait in
508 output batch for sending i.e. amount of time that packet can
509 spend in an intermediate output queue before sending to netdev.
510 This option can be used to configure balance between throughput
511 and latency. Lower values decreases latency while higher values
512 may be useful to achieve higher performance.
513 Defaults to 0 i.e. instant packet sending (latency optimized).
515 other_config : pmd-perf-metrics: optional string, either true or false
517 Enables recording of detailed PMD performance metrics for analy‐
518 sis and trouble-shooting. This can have a performance impact in
519 the order of 1%.
520 Defaults to false but can be changed at any time.
522 other_config : smc-enable: optional string, either true or false
524 Signature match cache or SMC is a cache between EMC and megaflow
525 cache. It does not store the full key of the flow, so it is more
526 memory efficient comparing to EMC cache. SMC is especially use‐
527 ful when flow count is larger than EMC capacity.
528 Defaults to false but can be changed at any time.
530 other_config : pmd-rxq-assign: optional string, either cycles or
532 roundrobin
533 Specifies how RX queues will be automatically assigned to CPU
534 cores. Options:
535 cycles Rxqs will be sorted by order of measured processing
537 cycles before being assigned to CPU cores.
538 roundrobin
540 Rxqs will be round-robined across CPU cores.
541 The default value is cycles.
543 Changing this value will affect an automatic re-assignment of
545 Rxqs to CPUs. Note: Rxqs mapped to CPU cores with pmd-rxq-affin‐
546 ity are unaffected.
547 other_config : n-handler-threads: optional string, containing an inte‐
549 ger, at least 1
550 Specifies the number of threads for software datapaths to use
551 for handling new flows. The default the number of online CPU
552 cores minus the number of revalidators.
553 This configuration is per datapath. If you have more than one
555 software datapath (e.g. some system bridges and some netdev
556 bridges), then the total number of threads is n-handler-threads
557 times the number of software datapaths.
558 other_config : n-revalidator-threads: optional string, containing an
560 integer, at least 1
561 Specifies the number of threads for software datapaths to use
562 for revalidating flows in the datapath. Typically, there is a
563 direct correlation between the number of revalidator threads,
564 and the number of flows allowed in the datapath. The default is
565 the number of cpu cores divided by four plus one. If n-han‐
566 dler-threads is set, the default changes to the number of cpu
567 cores minus the number of handler threads.
568 This configuration is per datapath. If you have more than one
570 software datapath (e.g. some system bridges and some netdev
571 bridges), then the total number of threads is n-handler-threads
572 times the number of software datapaths.
573 other_config : emc-insert-inv-prob: optional string, containing an
575 integer, in range 0 to 4,294,967,295
576 Specifies the inverse probability (1/emc-insert-inv-prob) of a
577 flow being inserted into the Exact Match Cache (EMC). On average
578 one in every emc-insert-inv-prob packets that generate a unique
579 flow will cause an insertion into the EMC. A value of 1 will
580 result in an insertion for every flow (1/1 = 100%) whereas a
581 value of zero will result in no insertions and essentially dis‐
582 able the EMC.
583 Defaults to 100 ie. there is (1/100 =) 1% chance of EMC inser‐
585 tion.
586 other_config : vlan-limit: optional string, containing an integer, at
588 least 0
589 Limits the number of VLAN headers that can be matched to the
590 specified number. Further VLAN headers will be treated as pay‐
591 load, e.g. a packet with more 802.1q headers will match Ethernet
592 type 0x8100.
593 Open vSwitch userspace currently supports at most 2 VLANs, and
595 each datapath has its own limit. If vlan-limit is nonzero, it
596 acts as a further limit.
597 If this value is absent, the default is currently 1. This main‐
599 tains backward compatibility with controllers that were designed
600 for use with Open vSwitch versions earlier than 2.8, which only
601 supported one VLAN.
602 other_config : bundle-idle-timeout: optional string, containing an
604 integer, at least 1
605 The maximum time (in seconds) that idle bundles will wait to be
606 expired since it was either opened, modified or closed.
607 OpenFlow specification mandates the timeout to be at least one
609 second. The default is 10 seconds.
610 other_config : offload-rebalance: optional string, either true or false
612 Configures HW offload rebalancing, that allows to dynamically
613 offload and un-offload flows while an offload-device is out of
614 resources (OOR). This policy allows flows to be selected for
615 offloading based on the packets-per-second (pps) rate of flows.
616 Set this value to true to enable this option.
618 The default value is false. Changing this value requires
620 restarting the daemon.
621 This is only relevant if HW offloading is enabled (hw-offload).
623 When this policy is enabled, it also requires ’tc-policy’ to be
624 set to ’skip_sw’.
625 other_config : pmd-auto-lb: optional string, either true or false
627 Configures PMD Auto Load Balancing that allows automatic assign‐
628 ment of RX queues to PMDs if any of PMDs is overloaded (i.e. a
629 processing cycles > other_config:pmd-auto-lb-load-threshold).
630 It uses current scheme of cycle based assignment of RX queues
632 that are not statically pinned to PMDs.
633 The default value is false.
635 Set this value to true to enable this option. It is currently
637 disabled by default and an experimental feature.
638 This only comes in effect if cycle based assignment is enabled
640 and there are more than one non-isolated PMDs present and at
641 least one of it polls more than one queue.
642 other_config : pmd-auto-lb-rebal-interval: optional string, containing
644 an integer, in range 0 to 20,000
645 The minimum time (in minutes) 2 consecutive PMD Auto Load Bal‐
646 ancing iterations.
647 The defaul value is 1 min. If configured to 0 then it would be
649 converted to default value i.e. 1 min
650 This option can be configured to avoid frequent trigger of auto
652 load balancing of PMDs. For e.g. set the value (in min) such
653 that it occurs once in few hours or a day or a week.
654 other_config : pmd-auto-lb-load-threshold: optional string, containing
656 an integer, in range 0 to 100
657 Specifies the minimum PMD thread load threshold (% of used
658 cycles) of any non-isolated PMD threads when a PMD Auto Load
659 Balance may be triggered.
660 The default value is 95%.
662 other_config : pmd-auto-lb-improvement-threshold: optional string, con‐
664 taining an integer, in range 0 to 100
665 Specifies the minimum evaluated % improvement in load distribu‐
666 tion across the non-isolated PMD threads that will allow a PMD
667 Auto Load Balance to occur.
668 Note, setting this parameter to 0 will always allow an auto load
670 balance to occur regardless of estimated improvement or not.
671 The default value is 25%.
673 other_config : userspace-tso-enable: optional string, either true or
675 false
676 Set this value to true to enable userspace support for TCP Seg‐
677 mentation Offloading (TSO). When it is enabled, the interfaces
678 can provide an oversized TCP segment to the datapath and the
679 datapath will offload the TCP segmentation and checksum calcula‐
680 tion to the interfaces when necessary.
681 The default value is false. Changing this value requires
683 restarting the daemon.
684 The feature only works if Open vSwitch is built with DPDK sup‐
686 port.
687 The feature is considered experimental.
689 Status:
691 next_cfg: integer
693 Sequence number for client to increment. When a client modifies
694 any part of the database configuration and wishes to wait for
695 Open vSwitch to finish applying the changes, it may increment
696 this sequence number.
697 cur_cfg: integer
699 Sequence number that Open vSwitch sets to the current value of
700 next_cfg after it finishes applying a set of configuration
701 changes.
702 dpdk_initialized: boolean
704 True if other_config:dpdk-init is set to true and the DPDK
705 library is successfully initialized.
706 Statistics:
708 The statistics column contains key-value pairs that report statistics
710 about a system running an Open vSwitch. These are updated periodically
711 (currently, every 5 seconds). Key-value pairs that cannot be determined
712 or that do not apply to a platform are omitted.
713 other_config : enable-statistics: optional string, either true or false
715 Statistics are disabled by default to avoid overhead in the com‐
716 mon case when statistics gathering is not useful. Set this value
717 to true to enable populating the statistics column or to false
718 to explicitly disable it.
719 statistics : cpu: optional string, containing an integer, at least 1
721 Number of CPU processors, threads, or cores currently online and
722 available to the operating system on which Open vSwitch is run‐
723 ning, as an integer. This may be less than the number installed,
724 if some are not online or if they are not available to the oper‐
725 ating system.
726 Open vSwitch userspace processes are not multithreaded, but the
728 Linux kernel-based datapath is.
729 statistics : load_average: optional string
731 A comma-separated list of three floating-point numbers, repre‐
732 senting the system load average over the last 1, 5, and 15 min‐
733 utes, respectively.
734 statistics : memory: optional string
736 A comma-separated list of integers, each of which represents a
737 quantity of memory in kilobytes that describes the operating
738 system on which Open vSwitch is running. In respective order,
739 these values are:
740 1. Total amount of RAM allocated to the OS.
742 2. RAM allocated to the OS that is in use.
744 3. RAM that can be flushed out to disk or otherwise discarded
746 if that space is needed for another purpose. This number is
747 necessarily less than or equal to the previous value.
748 4. Total disk space allocated for swap.
750 5. Swap space currently in use.
752 On Linux, all five values can be determined and are included. On
754 other operating systems, only the first two values can be deter‐
755 mined, so the list will only have two values.
756 statistics : process_NAME: optional string
758 One such key-value pair, with NAME replaced by a process name,
759 will exist for each running Open vSwitch daemon process, with
760 name replaced by the daemon’s name (e.g. process_ovs-vswitchd).
761 The value is a comma-separated list of integers. The integers
762 represent the following, with memory measured in kilobytes and
763 durations in milliseconds:
764 1. The process’s virtual memory size.
766 2. The process’s resident set size.
768 3. The amount of user and system CPU time consumed by the
770 process.
771 4. The number of times that the process has crashed and been
773 automatically restarted by the monitor.
774 5. The duration since the process was started.
776 6. The duration for which the process has been running.
778 The interpretation of some of these values depends on whether
780 the process was started with the --monitor. If it was not, then
781 the crash count will always be 0 and the two durations will
782 always be the same. If --monitor was given, then the crash count
783 may be positive; if it is, the latter duration is the amount of
784 time since the most recent crash and restart.
785 There will be one key-value pair for each file in Open vSwitch’s
787 ``run directory’’ (usually /var/run/openvswitch) whose name ends
788 in .pid, whose contents are a process ID, and which is locked by
789 a running process. The name is taken from the pidfile’s name.
790 Currently Open vSwitch is only able to obtain all of the above
792 detail on Linux systems. On other systems, the same key-value
793 pairs will be present but the values will always be the empty
794 string.
795 statistics : file_systems: optional string
797 A space-separated list of information on local, writable file
798 systems. Each item in the list describes one file system and
799 consists in turn of a comma-separated list of the following:
800 1. Mount point, e.g. / or /var/log. Any spaces or commas in the
802 mount point are replaced by underscores.
803 2. Total size, in kilobytes, as an integer.
805 3. Amount of storage in use, in kilobytes, as an integer.
807 This key-value pair is omitted if there are no local, writable
809 file systems or if Open vSwitch cannot obtain the needed infor‐
810 mation.
811 Version Reporting:
813 These columns report the types and versions of the hardware and soft‐
815 ware running Open vSwitch. We recommend in general that software should
816 test whether specific features are supported instead of relying on ver‐
817 sion number checks. These values are primarily intended for reporting
818 to human administrators.
819 ovs_version: optional string
821 The Open vSwitch version number, e.g. 1.1.0.
822 db_version: optional string
824 The database schema version number, e.g. 1.2.3. See ovsdb-
825 tool(1) for an explanation of the numbering scheme.
826 The schema version is part of the database schema, so it can
828 also be retrieved by fetching the schema using the Open vSwitch
829 database protocol.
830 system_type: optional string
832 An identifier for the type of system on top of which Open
833 vSwitch runs, e.g. XenServer or KVM.
834 System integrators are responsible for choosing and setting an
836 appropriate value for this column.
837 system_version: optional string
839 The version of the system identified by system_type, e.g.
840 5.6.100-39265p on XenServer 5.6.100 build 39265.
841 System integrators are responsible for choosing and setting an
843 appropriate value for this column.
844 dpdk_version: optional string
846 The version of the linked DPDK library.
847 Capabilities:
849 These columns report capabilities of the Open vSwitch instance.
851 datapath_types: set of strings
853 This column reports the different dpifs registered with the sys‐
854 tem. These are the values that this instance supports in the
855 datapath_type column of the Bridge table.
856 iface_types: set of strings
858 This column reports the different netdevs registered with the
859 system. These are the values that this instance supports in the
860 type column of the Interface table.
861 Database Configuration:
863 These columns primarily configure the Open vSwitch database
865 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The OVSDB
866 database also uses the ssl settings.
867 The Open vSwitch switch does read the database configuration to deter‐
869 mine remote IP addresses to which in-band control should apply.
870 manager_options: set of Managers
872 Database clients to which the Open vSwitch database server
873 should connect or to which it should listen, along with options
874 for how these connections should be configured. See the Manager
875 table for more information.
876 For this column to serve its purpose, ovsdb-server must be con‐
878 figured to honor it. The easiest way to do this is to invoke
879 ovsdb-server with the option
880 --remote=db:Open_vSwitch,Open_vSwitch,manager_options The
881 startup scripts that accompany Open vSwitch do this by default.
882 IPsec:
884 These settings control the global configuration of IPsec tunnels. The
886 options column of the Interface table configures IPsec for individual
887 tunnels.
888 OVS IPsec supports the following three forms of authentication. Cur‐
890 rently, all IPsec tunnels must use the same form:
891 1. Pre-shared keys: Omit the global settings. On each tunnel,
893 set options:psk.
894 2. Self-signed certificates: Set the private_key and certifi‐
896 cate global settings. On each tunnel, set
897 options:remote_cert. The remote certificate can be self-
898 signed.
899 3. CA-signed certificates: Set all of the global settings. On
901 each tunnel, set options:remote_name to the common name (CN)
902 of the remote certificate. The remote certificate must be
903 signed by the CA.
904 other_config : private_key: optional string
906 Name of a PEM file containing the private key used as the
907 switch’s identity for IPsec tunnels.
908 other_config : certificate: optional string
910 Name of a PEM file containing a certificate that certifies the
911 switch’s private key, and identifies a trustworthy switch for
912 IPsec tunnels. The certificate must be x.509 version 3 and with
913 the string in common name (CN) also set in the subject alterna‐
914 tive name (SAN).
915 other_config : ca_cert: optional string
917 Name of a PEM file containing the CA certificate used to verify
918 that a remote switch of the IPsec tunnel is trustworthy.
919 Plaintext Tunnel Policy:
921 When an IPsec tunnel is configured in this database, multiple indepen‐
923 dent components take responsibility for implementing it. ovs-vswitchd
924 and its datapath handle packet forwarding to the tunnel and a separate
925 daemon pushes the tunnel’s IPsec policy configuration to the kernel or
926 other entity that implements it. There is a race: if the former config‐
927 uration completes before the latter, then packets sent by the local
928 host over the tunnel can be transmitted in plaintext. Using this set‐
929 ting, OVS users can avoid this undesirable situation.
930 other_config : ipsec_skb_mark: optional string
932 This setting takes the form value/mask. If it is specified, then
933 the skb_mark field in every outgoing tunneled packet sent in
934 plaintext is compared against it and, if it matches, the packet
935 is dropped. This is a global setting that is applied to every
936 tunneled packet, regardless of whether IPsec encryption is
937 enabled for the tunnel, the type of tunnel, or whether OVS is
938 involved.
939 Example policies:
941 1/1 Drop all unencrypted tunneled packets in which the least-
943 significant bit of skb_mark is 1. This would be a useful
944 policy given an OpenFlow flow table that sets skb_mark to
945 1 for traffic that should be encrypted. The default
946 skb_mark is 0, so this would not affect other traffic.
947 0/1 Drop all unencrypted tunneled packets in which the least-
949 significant bit of skb_mark is 0. This would be a useful
950 policy if no unencrypted tunneled traffic should exit the
951 system without being specially permitted by setting
952 skb_mark to 1.
953 (empty)
955 If this setting is empty or unset, then all unencrypted
956 tunneled packets are transmitted in the usual way.
957 Common Columns:
959 The overall purpose of these columns is described under Common Columns
961 at the beginning of this document.
962 other_config: map of string-string pairs
964 external_ids: map of string-string pairs
966
968 Configuration for a bridge within an Open_vSwitch.
969 A Bridge record represents an Ethernet switch with one or more
971 ``ports,’’ which are the Port records pointed to by the Bridge’s ports
972 column.
973 Summary:
975 Core Features:
976 name immutable string (must be unique within
977 table)
978 ports set of Ports
979 mirrors set of Mirrors
980 netflow optional NetFlow
981 sflow optional sFlow
982 ipfix optional IPFIX
983 flood_vlans set of up to 4,096 integers, in range 0
984 to 4,095
985 auto_attach optional AutoAttach
986 OpenFlow Configuration:
987 controller set of Controllers
988 flow_tables map of integer-Flow_Table pairs, key in
989 range 0 to 254
990 fail_mode optional string, either secure or stand‐
991 alone
992 datapath_id optional string
993 datapath_version string
994 other_config : datapath-id optional string
995 other_config : dp-desc optional string
996 other_config : dp-sn optional string
997 other_config : disable-in-band
998 optional string, either true or false
999 other_config : in-band-queue
1000 optional string, containing an integer,
1001 in range 0 to 4,294,967,295
1002 other_config : controller-queue-size
1003 optional string, containing an integer,
1004 in range 1 to 512
1005 protocols set of strings, one of OpenFlow10, Open‐
1006 Flow11, OpenFlow12, OpenFlow13, Open‐
1007 Flow14, or OpenFlow15
1008 Spanning Tree Configuration:
1009 STP Configuration:
1010 stp_enable boolean
1011 other_config : stp-system-id
1012 optional string
1013 other_config : stp-priority
1014 optional string, containing an integer,
1015 in range 0 to 65,535
1016 other_config : stp-hello-time
1017 optional string, containing an integer,
1018 in range 1 to 10
1019 other_config : stp-max-age
1020 optional string, containing an integer,
1021 in range 6 to 40
1022 other_config : stp-forward-delay
1023 optional string, containing an integer,
1024 in range 4 to 30
1025 other_config : mcast-snooping-aging-time
1026 optional string, containing an integer,
1027 at least 1
1028 other_config : mcast-snooping-table-size
1029 optional string, containing an integer,
1030 at least 1
1031 other_config : mcast-snooping-disable-flood-unregistered
1032 optional string, either true or false
1033 STP Status:
1034 status : stp_bridge_id optional string
1035 status : stp_designated_root
1036 optional string
1037 status : stp_root_path_cost
1038 optional string
1039 Rapid Spanning Tree:
1040 RSTP Configuration:
1041 rstp_enable boolean
1042 other_config : rstp-address
1043 optional string
1044 other_config : rstp-priority
1045 optional string, containing an integer,
1046 in range 0 to 61,440
1047 other_config : rstp-ageing-time
1048 optional string, containing an integer,
1049 in range 10 to 1,000,000
1050 other_config : rstp-force-protocol-version
1051 optional string, containing an integer
1052 other_config : rstp-max-age
1053 optional string, containing an integer,
1054 in range 6 to 40
1055 other_config : rstp-forward-delay
1056 optional string, containing an integer,
1057 in range 4 to 30
1058 other_config : rstp-transmit-hold-count
1059 optional string, containing an integer,
1060 in range 1 to 10
1061 RSTP Status:
1062 rstp_status : rstp_bridge_id
1063 optional string
1064 rstp_status : rstp_root_id
1065 optional string
1066 rstp_status : rstp_root_path_cost
1067 optional string, containing an integer,
1068 at least 0
1069 rstp_status : rstp_designated_id
1070 optional string
1071 rstp_status : rstp_designated_port_id
1072 optional string
1073 rstp_status : rstp_bridge_port_id
1074 optional string
1075 Multicast Snooping Configuration:
1076 mcast_snooping_enable boolean
1077 Other Features:
1078 datapath_type string
1079 external_ids : bridge-id optional string
1080 external_ids : xs-network-uuids
1081 optional string
1082 other_config : hwaddr optional string
1083 other_config : forward-bpdu
1084 optional string, either true or false
1085 other_config : mac-aging-time
1086 optional string, containing an integer,
1087 at least 1
1088 other_config : mac-table-size
1089 optional string, containing an integer,
1090 at least 1
1091 Common Columns:
1092 other_config map of string-string pairs
1093 external_ids map of string-string pairs
1094 Details:
1096 Core Features:
1097 name: immutable string (must be unique within table)
1099 Bridge identifier. Must be unique among the names of ports,
1100 interfaces, and bridges on a host.
1101 The name must be alphanumeric and must not contain forward or
1103 backward slashes. The name of a bridge is also the name of an
1104 Interface (and a Port) within the bridge, so the restrictions on
1105 the name column in the Interface table, particularly on length,
1106 also apply to bridge names. Refer to the documentation for
1107 Interface names for details.
1108 ports: set of Ports
1110 Ports included in the bridge.
1111 mirrors: set of Mirrors
1113 Port mirroring configuration.
1114 netflow: optional NetFlow
1116 NetFlow configuration.
1117 sflow: optional sFlow
1119 sFlow(R) configuration.
1120 ipfix: optional IPFIX
1122 IPFIX configuration.
1123 flood_vlans: set of up to 4,096 integers, in range 0 to 4,095
1125 VLAN IDs of VLANs on which MAC address learning should be dis‐
1126 abled, so that packets are flooded instead of being sent to spe‐
1127 cific ports that are believed to contain packets’ destination
1128 MACs. This should ordinarily be used to disable MAC learning on
1129 VLANs used for mirroring (RSPAN VLANs). It may also be useful
1130 for debugging.
1131 SLB bonding (see the bond_mode column in the Port table) is
1133 incompatible with flood_vlans. Consider using another bonding
1134 mode or a different type of mirror instead.
1135 auto_attach: optional AutoAttach
1137 Auto Attach configuration.
1138 OpenFlow Configuration:
1140 controller: set of Controllers
1142 OpenFlow controller set. If unset, then no OpenFlow controllers
1143 will be used.
1144 If there are primary controllers, removing all of them clears
1146 the OpenFlow flow tables, group table, and meter table. If there
1147 are no primary controllers, adding one also clears these tables.
1148 Other changes to the set of controllers, such as adding or
1149 removing a service controller, adding another primary controller
1150 to supplement an existing primary controller, or removing only
1151 one of two primary controllers, have no effect on these tables.
1152 flow_tables: map of integer-Flow_Table pairs, key in range 0 to 254
1154 Configuration for OpenFlow tables. Each pair maps from an Open‐
1155 Flow table ID to configuration for that table.
1156 fail_mode: optional string, either secure or standalone
1158 When a controller is configured, it is, ordinarily, responsible
1159 for setting up all flows on the switch. Thus, if the connection
1160 to the controller fails, no new network connections can be set
1161 up. If the connection to the controller stays down long enough,
1162 no packets can pass through the switch at all. This setting
1163 determines the switch’s response to such a situation. It may be
1164 set to one of the following:
1165 standalone
1167 If no message is received from the controller for three
1168 times the inactivity probe interval (see inactiv‐
1169 ity_probe), then Open vSwitch will take over responsibil‐
1170 ity for setting up flows. In this mode, Open vSwitch
1171 causes the bridge to act like an ordinary MAC-learning
1172 switch. Open vSwitch will continue to retry connecting to
1173 the controller in the background and, when the connection
1174 succeeds, it will discontinue its standalone behavior.
1175 secure Open vSwitch will not set up flows on its own when the
1177 controller connection fails or when no controllers are
1178 defined. The bridge will continue to retry connecting to
1179 any defined controllers forever.
1180 The default is standalone if the value is unset, but future ver‐
1182 sions of Open vSwitch may change the default.
1183 The standalone mode can create forwarding loops on a bridge that
1185 has more than one uplink port unless STP is enabled. To avoid
1186 loops on such a bridge, configure secure mode or enable STP (see
1187 stp_enable).
1188 The fail_mode setting applies only to primary controllers. When
1190 more than one primary controller is configured, fail_mode is
1191 considered only when none of the configured controllers can be
1192 contacted.
1193 Changing fail_mode when no primary controllers are configured
1195 clears the OpenFlow flow tables, group table, and meter table.
1196 datapath_id: optional string
1198 Reports the OpenFlow datapath ID in use. Exactly 16 hex digits.
1199 (Setting this column has no useful effect. Set other-con‐
1200 fig:datapath-id instead.)
1201 datapath_version: string
1203 Reports the datapath version. This column is maintained for
1204 backwards compatibility. The preferred locatation is the data‐
1205 path_id column of the Datapath table. The full documentation for
1206 this column is there.
1207 other_config : datapath-id: optional string
1209 Overrides the default OpenFlow datapath ID, setting it to the
1210 specified value specified in hex. The value must either have a
1211 0x prefix or be exactly 16 hex digits long. May not be all-zero.
1212 other_config : dp-desc: optional string
1214 Human readable description of datapath. It is a maximum 256
1215 byte-long free-form string to describe the datapath for debug‐
1216 ging purposes, e.g. switch3 in room 3120. The value is returned
1217 by the switch as a part of reply to OFPMP_DESC request
1218 (ofp_desc). The OpenFlow specification (e.g. 1.3.5) describes
1219 the ofp_desc structure to contaion "NULL terminated ASCII
1220 strings". For the compatibility reasons no more than 255 ASCII
1221 characters should be used.
1222 other_config : dp-sn: optional string
1224 Serial number. It is a maximum 32 byte-long free-form string to
1225 provide an additional switch identification. The value is
1226 returned by the switch as a part of reply to OFPMP_DESC request
1227 (ofp_desc). Same as mentioned in the description of other-con‐
1228 fig:dp-desc, the string should be no more than 31 ASCII charac‐
1229 ters for the compatibility.
1230 other_config : disable-in-band: optional string, either true or false
1232 If set to true, disable in-band control on the bridge regardless
1233 of controller and manager settings.
1234 other_config : in-band-queue: optional string, containing an integer,
1236 in range 0 to 4,294,967,295
1237 A queue ID as a nonnegative integer. This sets the OpenFlow
1238 queue ID that will be used by flows set up by in-band control on
1239 this bridge. If unset, or if the port used by an in-band control
1240 flow does not have QoS configured, or if the port does not have
1241 a queue with the specified ID, the default queue is used
1242 instead.
1243 other_config : controller-queue-size: optional string, containing an
1245 integer, in range 1 to 512
1246 This sets the maximum size of the queue of packets that need to
1247 be sent to the OpenFlow management controller. The value must be
1248 less than 512. If not specified the queue size is limited to 100
1249 packets by default. Note: increasing the queue size might have a
1250 negative impact on latency.
1251 protocols: set of strings, one of OpenFlow10, OpenFlow11, OpenFlow12,
1253 OpenFlow13, OpenFlow14, or OpenFlow15
1254 List of OpenFlow protocols that may be used when negotiating a
1255 connection with a controller. OpenFlow 1.0, 1.1, 1.2, 1.3, 1.4,
1256 and 1.5 are enabled by default if this column is empty.
1257 Spanning Tree Configuration:
1259 The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol that
1261 ensures loop-free topologies. It allows redundant links to be included
1262 in the network to provide automatic backup paths if the active links
1263 fails.
1264 These settings configure the slower-to-converge but still widely sup‐
1266 ported version of Spanning Tree Protocol, sometimes known as
1267 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree
1268 Protocol (RSTP), documented later in the section titled Rapid Spanning
1269 Tree Configuration.
1270 STP Configuration:
1272 stp_enable: boolean
1274 Enable spanning tree on the bridge. By default, STP is disabled
1275 on bridges. Bond, internal, and mirror ports are not supported
1276 and will not participate in the spanning tree.
1277 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1279 will be used.
1280 other_config : stp-system-id: optional string
1282 The bridge’s STP identifier (the lower 48 bits of the bridge-id)
1283 in the form xx:xx:xx:xx:xx:xx. By default, the identifier is the
1284 MAC address of the bridge.
1285 other_config : stp-priority: optional string, containing an integer, in
1287 range 0 to 65,535
1288 The bridge’s relative priority value for determining the root
1289 bridge (the upper 16 bits of the bridge-id). A bridge with the
1290 lowest bridge-id is elected the root. By default, the priority
1291 is 0x8000.
1292 other_config : stp-hello-time: optional string, containing an integer,
1294 in range 1 to 10
1295 The interval between transmissions of hello messages by desig‐
1296 nated ports, in seconds. By default the hello interval is 2 sec‐
1297 onds.
1298 other_config : stp-max-age: optional string, containing an integer, in
1300 range 6 to 40
1301 The maximum age of the information transmitted by the bridge
1302 when it is the root bridge, in seconds. By default, the maximum
1303 age is 20 seconds.
1304 other_config : stp-forward-delay: optional string, containing an inte‐
1306 ger, in range 4 to 30
1307 The delay to wait between transitioning root and designated
1308 ports to forwarding, in seconds. By default, the forwarding
1309 delay is 15 seconds.
1310 other_config : mcast-snooping-aging-time: optional string, containing
1312 an integer, at least 1
1313 The maximum number of seconds to retain a multicast snooping
1314 entry for which no packets have been seen. The default is cur‐
1315 rently 300 seconds (5 minutes). The value, if specified, is
1316 forced into a reasonable range, currently 15 to 3600 seconds.
1317 other_config : mcast-snooping-table-size: optional string, containing
1319 an integer, at least 1
1320 The maximum number of multicast snooping addresses to learn. The
1321 default is currently 2048. The value, if specified, is forced
1322 into a reasonable range, currently 10 to 1,000,000.
1323 other_config : mcast-snooping-disable-flood-unregistered: optional
1325 string, either true or false
1326 If set to false, unregistered multicast packets are forwarded to
1327 all ports. If set to true, unregistered multicast packets are
1328 forwarded to ports connected to multicast routers.
1329 STP Status:
1331 These key-value pairs report the status of 802.1D-1998. They are
1333 present only if STP is enabled (via the stp_enable column).
1334 status : stp_bridge_id: optional string
1336 The bridge ID used in spanning tree advertisements, in the form
1337 xxxx.yyyyyyyyyyyy where the xs are the STP priority, the ys are
1338 the STP system ID, and each x and y is a hex digit.
1339 status : stp_designated_root: optional string
1341 The designated root for this spanning tree, in the same form as
1342 status:stp_bridge_id. If this bridge is the root, this will have
1343 the same value as status:stp_bridge_id, otherwise it will dif‐
1344 fer.
1345 status : stp_root_path_cost: optional string
1347 The path cost of reaching the designated bridge. A lower number
1348 is better. The value is 0 if this bridge is the root, otherwise
1349 it is higher.
1350 Rapid Spanning Tree:
1352 Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
1354 that ensures loop-free topologies. RSTP superseded STP with the publi‐
1355 cation of 802.1D-2004. Compared to STP, RSTP converges more quickly and
1356 recovers more quickly from failures.
1357 RSTP Configuration:
1359 rstp_enable: boolean
1361 Enable Rapid Spanning Tree on the bridge. By default, RSTP is
1362 disabled on bridges. Bond, internal, and mirror ports are not
1363 supported and will not participate in the spanning tree.
1364 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1366 will be used.
1367 other_config : rstp-address: optional string
1369 The bridge’s RSTP address (the lower 48 bits of the bridge-id)
1370 in the form xx:xx:xx:xx:xx:xx. By default, the address is the
1371 MAC address of the bridge.
1372 other_config : rstp-priority: optional string, containing an integer,
1374 in range 0 to 61,440
1375 The bridge’s relative priority value for determining the root
1376 bridge (the upper 16 bits of the bridge-id). A bridge with the
1377 lowest bridge-id is elected the root. By default, the priority
1378 is 0x8000 (32768). This value needs to be a multiple of 4096,
1379 otherwise it’s rounded to the nearest inferior one.
1380 other_config : rstp-ageing-time: optional string, containing an inte‐
1382 ger, in range 10 to 1,000,000
1383 The Ageing Time parameter for the Bridge. The default value is
1384 300 seconds.
1385 other_config : rstp-force-protocol-version: optional string, containing
1387 an integer
1388 The Force Protocol Version parameter for the Bridge. This can
1389 take the value 0 (STP Compatibility mode) or 2 (the default,
1390 normal operation).
1391 other_config : rstp-max-age: optional string, containing an integer, in
1393 range 6 to 40
1394 The maximum age of the information transmitted by the Bridge
1395 when it is the Root Bridge. The default value is 20.
1396 other_config : rstp-forward-delay: optional string, containing an inte‐
1398 ger, in range 4 to 30
1399 The delay used by STP Bridges to transition Root and Designated
1400 Ports to Forwarding. The default value is 15.
1401 other_config : rstp-transmit-hold-count: optional string, containing an
1403 integer, in range 1 to 10
1404 The Transmit Hold Count used by the Port Transmit state machine
1405 to limit transmission rate. The default value is 6.
1406 RSTP Status:
1408 These key-value pairs report the status of 802.1D-2004. They are
1410 present only if RSTP is enabled (via the rstp_enable column).
1411 rstp_status : rstp_bridge_id: optional string
1413 The bridge ID used in rapid spanning tree advertisements, in the
1414 form x.yyy.zzzzzzzzzzzz where x is the RSTP priority, the ys are
1415 a locally assigned system ID extension, the zs are the STP sys‐
1416 tem ID, and each x, y, or z is a hex digit.
1417 rstp_status : rstp_root_id: optional string
1419 The root of this spanning tree, in the same form as rstp_sta‐
1420 tus:rstp_bridge_id. If this bridge is the root, this will have
1421 the same value as rstp_status:rstp_bridge_id, otherwise it will
1422 differ.
1423 rstp_status : rstp_root_path_cost: optional string, containing an inte‐
1425 ger, at least 0
1426 The path cost of reaching the root. A lower number is better.
1427 The value is 0 if this bridge is the root, otherwise it is
1428 higher.
1429 rstp_status : rstp_designated_id: optional string
1431 The RSTP designated ID, in the same form as rstp_sta‐
1432 tus:rstp_bridge_id.
1433 rstp_status : rstp_designated_port_id: optional string
1435 The RSTP designated port ID, as a 4-digit hex number.
1436 rstp_status : rstp_bridge_port_id: optional string
1438 The RSTP bridge port ID, as a 4-digit hex number.
1439 Multicast Snooping Configuration:
1441 Multicast snooping (RFC 4541) monitors the Internet Group Management
1443 Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
1444 and multicast routers. The switch uses what IGMP and MLD snooping
1445 learns to forward multicast traffic only to interfaces that are con‐
1446 nected to interested receivers. Currently it supports IGMPv1, IGMPv2,
1447 IGMPv3, MLDv1 and MLDv2 protocols.
1448 mcast_snooping_enable: boolean
1450 Enable multicast snooping on the bridge. For now, the default is
1451 disabled.
1452 Other Features:
1454 datapath_type: string
1456 Name of datapath provider. The kernel datapath has type system.
1457 The userspace datapath has type netdev. A manager may refer to
1458 the datapath_types column of the Open_vSwitch table for a list
1459 of the types accepted by this Open vSwitch instance.
1460 external_ids : bridge-id: optional string
1462 A unique identifier of the bridge. On Citrix XenServer this will
1463 commonly be the same as external_ids:xs-network-uuids.
1464 external_ids : xs-network-uuids: optional string
1466 Semicolon-delimited set of universally unique identifier(s) for
1467 the network with which this bridge is associated on a Citrix
1468 XenServer host. The network identifiers are RFC 4122 UUIDs as
1469 displayed by, e.g., xe network-list.
1470 other_config : hwaddr: optional string
1472 An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the
1473 hardware address of the local port and influence the datapath
1474 ID.
1475 other_config : forward-bpdu: optional string, either true or false
1477 Controls forwarding of BPDUs and other network control frames
1478 when NORMAL action is invoked. When this option is false or
1479 unset, frames with reserved Ethernet addresses (see table below)
1480 will not be forwarded. When this option is true, such frames
1481 will not be treated specially.
1482 The above general rule has the following exceptions:
1484 · If STP is enabled on the bridge (see the stp_enable col‐
1486 umn in the Bridge table), the bridge processes all
1487 received STP packets and never passes them to OpenFlow or
1488 forwards them. This is true even if STP is disabled on an
1489 individual port.
1490 · If LLDP is enabled on an interface (see the lldp column
1492 in the Interface table), the interface processes received
1493 LLDP packets and never passes them to OpenFlow or for‐
1494 wards them.
1495 Set this option to true if the Open vSwitch bridge connects dif‐
1497 ferent Ethernet networks and is not configured to participate in
1498 STP.
1499 This option affects packets with the following destination MAC
1501 addresses:
1502 01:80:c2:00:00:00
1504 IEEE 802.1D Spanning Tree Protocol (STP).
1505 01:80:c2:00:00:01
1507 IEEE Pause frame.
1508 01:80:c2:00:00:0x
1510 Other reserved protocols.
1511 00:e0:2b:00:00:00
1513 Extreme Discovery Protocol (EDP).
1514 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06
1516 Ethernet Automatic Protection Switching (EAPS).
1517 01:00:0c:cc:cc:cc
1519 Cisco Discovery Protocol (CDP), VLAN Trunking Protocol
1520 (VTP), Dynamic Trunking Protocol (DTP), Port Aggregation
1521 Protocol (PAgP), and others.
1522 01:00:0c:cc:cc:cd
1524 Cisco Shared Spanning Tree Protocol PVSTP+.
1525 01:00:0c:cd:cd:cd
1527 Cisco STP Uplink Fast.
1528 01:00:0c:00:00:00
1530 Cisco Inter Switch Link.
1531 01:00:0c:cc:cc:cx
1533 Cisco CFM.
1534 other_config : mac-aging-time: optional string, containing an integer,
1536 at least 1
1537 The maximum number of seconds to retain a MAC learning entry for
1538 which no packets have been seen. The default is currently 300
1539 seconds (5 minutes). The value, if specified, is forced into a
1540 reasonable range, currently 15 to 3600 seconds.
1541 A short MAC aging time allows a network to more quickly detect
1543 that a host is no longer connected to a switch port. However, it
1544 also makes it more likely that packets will be flooded unneces‐
1545 sarily, when they are addressed to a connected host that rarely
1546 transmits packets. To reduce the incidence of unnecessary flood‐
1547 ing, use a MAC aging time longer than the maximum interval at
1548 which a host will ordinarily transmit packets.
1549 other_config : mac-table-size: optional string, containing an integer,
1551 at least 1
1552 The maximum number of MAC addresses to learn. The default is
1553 currently 8192. The value, if specified, is forced into a rea‐
1554 sonable range, currently 10 to 1,000,000.
1555 Common Columns:
1557 The overall purpose of these columns is described under Common Columns
1559 at the beginning of this document.
1560 other_config: map of string-string pairs
1562 external_ids: map of string-string pairs
1564
1566 A port within a Bridge.
1567 Most commonly, a port has exactly one ``interface,’’ pointed to by its
1569 interfaces column. Such a port logically corresponds to a port on a
1570 physical Ethernet switch. A port with more than one interface is a
1571 ``bonded port’’ (see Bonding Configuration).
1572 Some properties that one might think as belonging to a port are actu‐
1574 ally part of the port’s Interface members.
1575 Summary:
1577 name immutable string (must be unique within
1578 table)
1579 interfaces set of 1 or more Interfaces
1580 VLAN Configuration:
1581 vlan_mode optional string, one of access,
1582 dot1q-tunnel, native-tagged,
1583 native-untagged, or trunk
1584 tag optional integer, in range 0 to 4,095
1585 trunks set of up to 4,096 integers, in range 0
1586 to 4,095
1587 cvlans set of up to 4,096 integers, in range 0
1588 to 4,095
1589 other_config : qinq-ethtype
1590 optional string, either 802.1ad or 802.1q
1591 other_config : priority-tags
1592 optional string, one of always,
1593 if-nonzero, or never
1594 Bonding Configuration:
1595 bond_mode optional string, one of active-backup,
1596 balance-slb, or balance-tcp
1597 other_config : bond-hash-basis
1598 optional string, containing an integer
1599 other_config : lb-output-action
1600 optional string, either true or false
1601 other_config : bond-primary
1602 optional string
1603 Link Failure Detection:
1604 other_config : bond-detect-mode
1605 optional string, either carrier or miimon
1606 other_config : bond-miimon-interval
1607 optional string, containing an integer
1608 bond_updelay integer
1609 bond_downdelay integer
1610 LACP Configuration:
1611 lacp optional string, one of active, off, or
1612 passive
1613 other_config : lacp-system-id
1614 optional string
1615 other_config : lacp-system-priority
1616 optional string, containing an integer,
1617 in range 1 to 65,535
1618 other_config : lacp-time optional string, either fast or slow
1619 other_config : lacp-fallback-ab
1620 optional string, either true or false
1621 Rebalancing Configuration:
1622 other_config : bond-rebalance-interval
1623 optional string, containing an integer,
1624 in range 0 to 2,147,483,647
1625 bond_fake_iface boolean
1626 Spanning Tree Protocol:
1627 STP Configuration:
1628 other_config : stp-enable
1629 optional string, either true or false
1630 other_config : stp-port-num
1631 optional string, containing an integer,
1632 in range 1 to 255
1633 other_config : stp-port-priority
1634 optional string, containing an integer,
1635 in range 0 to 255
1636 other_config : stp-path-cost
1637 optional string, containing an integer,
1638 in range 0 to 65,535
1639 STP Status:
1640 status : stp_port_id optional string
1641 status : stp_state optional string, one of blocking, dis‐
1642 abled, forwarding, learning, or listening
1643 status : stp_sec_in_state
1644 optional string, containing an integer,
1645 at least 0
1646 status : stp_role optional string, one of alternate, desig‐
1647 nated, or root
1648 Rapid Spanning Tree Protocol:
1649 RSTP Configuration:
1650 other_config : rstp-enable
1651 optional string, either true or false
1652 other_config : rstp-port-priority
1653 optional string, containing an integer,
1654 in range 0 to 240
1655 other_config : rstp-port-num
1656 optional string, containing an integer,
1657 in range 1 to 4,095
1658 other_config : rstp-port-path-cost
1659 optional string, containing an integer
1660 other_config : rstp-port-admin-edge
1661 optional string, either true or false
1662 other_config : rstp-port-auto-edge
1663 optional string, either true or false
1664 other_config : rstp-port-mcheck
1665 optional string, either true or false
1666 RSTP Status:
1667 rstp_status : rstp_port_id
1668 optional string
1669 rstp_status : rstp_port_role
1670 optional string, one of Alternate,
1671 Backup, Designated, Disabled, or Root
1672 rstp_status : rstp_port_state
1673 optional string, one of Disabled, Dis‐
1674 carding, Forwarding, or Learning
1675 rstp_status : rstp_designated_bridge_id
1676 optional string
1677 rstp_status : rstp_designated_port_id
1678 optional string
1679 rstp_status : rstp_designated_path_cost
1680 optional string, containing an integer
1681 RSTP Statistics:
1682 rstp_statistics : rstp_tx_count
1683 optional integer
1684 rstp_statistics : rstp_rx_count
1685 optional integer
1686 rstp_statistics : rstp_error_count
1687 optional integer
1688 rstp_statistics : rstp_uptime
1689 optional integer
1690 Multicast Snooping:
1691 other_config : mcast-snooping-flood
1692 optional string, either true or false
1693 other_config : mcast-snooping-flood-reports
1694 optional string, either true or false
1695 Other Features:
1696 qos optional QoS
1697 mac optional string
1698 fake_bridge boolean
1699 protected boolean
1700 external_ids : fake-bridge-id-*
1701 optional string
1702 other_config : transient optional string, either true or false
1703 bond_active_slave optional string
1704 Port Statistics:
1705 Statistics: STP transmit and receive counters:
1706 statistics : stp_tx_count
1707 optional integer
1708 statistics : stp_rx_count
1709 optional integer
1710 statistics : stp_error_count
1711 optional integer
1712 Common Columns:
1713 other_config map of string-string pairs
1714 external_ids map of string-string pairs
1715 Details:
1717 name: immutable string (must be unique within table)
1718 Port name. For a non-bonded port, this should be the same as its
1719 interface’s name. Port names must otherwise be unique among the
1720 names of ports, interfaces, and bridges on a host. Because port
1721 and interfaces names are usually the same, the restrictions on
1722 the name column in the Interface table, particularly on length,
1723 also apply to port names. Refer to the documentation for Inter‐
1724 face names for details.
1725 interfaces: set of 1 or more Interfaces
1727 The port’s interfaces. If there is more than one, this is a
1728 bonded Port.
1729 VLAN Configuration:
1731 In short, a VLAN (short for ``virtual LAN’’) is a way to partition a
1733 single switch into multiple switches. VLANs can be confusing, so for an
1734 introduction, please refer to the question ``What’s a VLAN?’’ in the
1735 Open vSwitch FAQ.
1736 A VLAN is sometimes encoded into a packet using a 802.1Q or 802.1ad
1738 VLAN header, but every packet is part of some VLAN whether or not it is
1739 encoded in the packet. (A packet that appears to have no VLAN is part
1740 of VLAN 0, by default.) As a result, it’s useful to think of a VLAN as
1741 a metadata property of a packet, separate from how the VLAN is encoded.
1742 For a given port, this column determines how the encoding of a packet
1743 that ingresses or egresses the port maps to the packet’s VLAN. When a
1744 packet enters the switch, its VLAN is determined based on its setting
1745 in this column and its VLAN headers, if any, and then, conceptually,
1746 the VLAN headers are then stripped off. Conversely, when a packet exits
1747 the switch, its VLAN and the settings in this column determine what
1748 VLAN headers, if any, are pushed onto the packet before it egresses the
1749 port.
1750 The VLAN configuration in this column affects Open vSwitch only when it
1752 is doing ``normal switching.’’ It does not affect flows set up by an
1753 OpenFlow controller, outside of the OpenFlow ``normal action.’’
1754 Bridge ports support the following types of VLAN configuration:
1756 trunk A trunk port carries packets on one or more specified
1758 VLANs specified in the trunks column (often, on every
1759 VLAN). A packet that ingresses on a trunk port is in the
1760 VLAN specified in its 802.1Q header, or VLAN 0 if the
1761 packet has no 802.1Q header. A packet that egresses
1762 through a trunk port will have an 802.1Q header if it has
1763 a nonzero VLAN ID.
1764 Any packet that ingresses on a trunk port tagged with a
1766 VLAN that the port does not trunk is dropped.
1767 access An access port carries packets on exactly one VLAN speci‐
1769 fied in the tag column. Packets egressing on an access
1770 port have no 802.1Q header.
1771 Any packet with an 802.1Q header with a nonzero VLAN ID
1773 that ingresses on an access port is dropped, regardless
1774 of whether the VLAN ID in the header is the access port’s
1775 VLAN ID.
1776 native-tagged
1778 A native-tagged port resembles a trunk port, with the
1779 exception that a packet without an 802.1Q header that
1780 ingresses on a native-tagged port is in the ``native
1781 VLAN’’ (specified in the tag column).
1782 native-untagged
1784 A native-untagged port resembles a native-tagged port,
1785 with the exception that a packet that egresses on a
1786 native-untagged port in the native VLAN will not have an
1787 802.1Q header.
1788 dot1q-tunnel
1790 A dot1q-tunnel port is somewhat like an access port. Like
1791 an access port, it carries packets on the single VLAN
1792 specified in the tag column and this VLAN, called the
1793 service VLAN, does not appear in an 802.1Q header for
1794 packets that ingress or egress on the port. The main dif‐
1795 ference lies in the behavior when packets that include a
1796 802.1Q header ingress on the port. Whereas an access port
1797 drops such packets, a dot1q-tunnel port treats these as
1798 double-tagged with the outer service VLAN tag and the
1799 inner customer VLAN taken from the 802.1Q header. Corre‐
1800 spondingly, to egress on the port, a packet outer VLAN
1801 (or only VLAN) must be tag, which is removed before
1802 egress, which exposes the inner (customer) VLAN if one is
1803 present.
1804 If cvlans is set, only allows packets in the specified
1806 customer VLANs.
1807 A packet will only egress through bridge ports that carry the VLAN of
1809 the packet, as described by the rules above.
1810 vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
1812 native-untagged, or trunk
1813 The VLAN mode of the port, as described above. When this column
1814 is empty, a default mode is selected as follows:
1815 · If tag contains a value, the port is an access port. The
1817 trunks column should be empty.
1818 · Otherwise, the port is a trunk port. The trunks column
1820 value is honored if it is present.
1821 tag: optional integer, in range 0 to 4,095
1823 For an access port, the port’s implicitly tagged VLAN. For a
1824 native-tagged or native-untagged port, the port’s native VLAN.
1825 Must be empty if this is a trunk port.
1826 trunks: set of up to 4,096 integers, in range 0 to 4,095
1828 For a trunk, native-tagged, or native-untagged port, the 802.1Q
1829 VLAN or VLANs that this port trunks; if it is empty, then the
1830 port trunks all VLANs. Must be empty if this is an access port.
1831 A native-tagged or native-untagged port always trunks its native
1833 VLAN, regardless of whether trunks includes that VLAN.
1834 cvlans: set of up to 4,096 integers, in range 0 to 4,095
1836 For a dot1q-tunnel port, the customer VLANs that this port
1837 includes. If this is empty, the port includes all customer
1838 VLANs.
1839 For other kinds of ports, this setting is ignored.
1841 other_config : qinq-ethtype: optional string, either 802.1ad or 802.1q
1843 For a dot1q-tunnel port, this is the TPID for the service tag,
1844 that is, for the 802.1Q header that contains the service VLAN
1845 ID. Because packets that actually ingress and egress a dot1q-
1846 tunnel port do not include an 802.1Q header for the service
1847 VLAN, this does not affect packets on the dot1q-tunnel port
1848 itself. Rather, it determines the service VLAN for a packet that
1849 ingresses on a dot1q-tunnel port and egresses on a trunk port.
1850 The value 802.1ad specifies TPID 0x88a8, which is also the
1852 default if the setting is omitted. The value 802.1q specifies
1853 TPID 0x8100.
1854 For other kinds of ports, this setting is ignored.
1856 other_config : priority-tags: optional string, one of always,
1858 if-nonzero, or never
1859 An 802.1Q header contains two important pieces of information: a
1860 VLAN ID and a priority. A frame with a zero VLAN ID, called a
1861 ``priority-tagged’’ frame, is supposed to be treated the same
1862 way as a frame without an 802.1Q header at all (except for the
1863 priority).
1864 However, some network elements ignore any frame that has 802.1Q
1866 header at all, even when the VLAN ID is zero. Therefore, by
1867 default Open vSwitch does not output priority-tagged frames,
1868 instead omitting the 802.1Q header entirely if the VLAN ID is
1869 zero. Set this key to if-nonzero to enable priority-tagged
1870 frames on a port.
1871 For if-nonzero Open vSwitch omits the 802.1Q header on output if
1873 both the VLAN ID and priority would be zero. Set to always to
1874 retain the 802.1Q header in such frames as well.
1875 All frames output to native-tagged ports have a nonzero VLAN ID,
1877 so this setting is not meaningful on native-tagged ports.
1878 Bonding Configuration:
1880 A port that has more than one interface is a ``bonded port.’’ Bonding
1882 allows for load balancing and fail-over.
1883 The following types of bonding will work with any kind of upstream
1885 switch. On the upstream switch, do not configure the interfaces as a
1886 bond:
1887 balance-slb
1889 Balances flows among members based on source MAC address
1890 and output VLAN, with periodic rebalancing as traffic
1891 patterns change.
1892 active-backup
1894 Assigns all flows to one member, failing over to a backup
1895 member when the active member is disabled. This is the
1896 only bonding mode in which interfaces may be plugged into
1897 different upstream switches.
1898 The following modes require the upstream switch to support 802.3ad with
1900 successful LACP negotiation. If LACP negotiation fails and other-con‐
1901 fig:lacp-fallback-ab is true, then active-backup mode is used:
1902 balance-tcp
1904 Balances flows among members based on L3 and L4 protocol
1905 information such as IP addresses and TCP/UDP ports.
1906 These columns apply only to bonded ports. Their values are otherwise
1908 ignored.
1909 bond_mode: optional string, one of active-backup, balance-slb, or bal‐
1911 ance-tcp
1912 The type of bonding used for a bonded port. Defaults to
1913 active-backup if unset.
1914 other_config : bond-hash-basis: optional string, containing an integer
1916 An integer hashed along with flows when choosing output members
1917 in load balanced bonds. When changed, all flows will be assigned
1918 different hash values possibly causing member selection deci‐
1919 sions to change. Does not affect bonding modes which do not
1920 employ load balancing such as active-backup.
1921 other_config : lb-output-action: optional string, either true or false
1923 Enable/disable usage of optimized lb_output action for balancing
1924 flows among output members in load balanced bonds in bal‐
1925 ance-tcp. When enabled, it uses optimized path for balance-tcp
1926 mode by using rss hash and avoids recirculation. This knob does
1927 not affect other balancing modes.
1928 other_config : bond-primary: optional string
1930 If a slave interface with this name exists in the bond and is
1931 up, it will be made active. Relevant only when other_con‐
1932 fig:bond_mode is active-backup or if balance-tcp falls back to
1933 active-backup (e.g., LACP negotiation fails and other_con‐
1934 fig:lacp-fallback-ab is true).
1935 Link Failure Detection:
1937 An important part of link bonding is detecting that links are down so
1939 that they may be disabled. These settings determine how Open vSwitch
1940 detects link failure.
1941 other_config : bond-detect-mode: optional string, either carrier or
1943 miimon
1944 The means used to detect link failures. Defaults to carrier
1945 which uses each interface’s carrier to detect failures. When set
1946 to miimon, will check for failures by polling each interface’s
1947 MII.
1948 other_config : bond-miimon-interval: optional string, containing an
1950 integer
1951 The interval, in milliseconds, between successive attempts to
1952 poll each interface’s MII. Relevant only when other_config:bond-
1953 detect-mode is miimon.
1954 bond_updelay: integer
1956 The number of milliseconds for which the link must stay up on an
1957 interface before the interface is considered to be up. Specify 0
1958 to enable the interface immediately.
1959 This setting is honored only when at least one bonded interface
1961 is already enabled. When no interfaces are enabled, then the
1962 first bond interface to come up is enabled immediately.
1963 bond_downdelay: integer
1965 The number of milliseconds for which the link must stay down on
1966 an interface before the interface is considered to be down.
1967 Specify 0 to disable the interface immediately.
1968 LACP Configuration:
1970 LACP, the Link Aggregation Control Protocol, is an IEEE standard that
1972 allows switches to automatically detect that they are connected by mul‐
1973 tiple links and aggregate across those links. These settings control
1974 LACP behavior.
1975 lacp: optional string, one of active, off, or passive
1977 Configures LACP on this port. LACP allows directly connected
1978 switches to negotiate which links may be bonded. LACP may be
1979 enabled on non-bonded ports for the benefit of any switches they
1980 may be connected to. active ports are allowed to initiate LACP
1981 negotiations. passive ports are allowed to participate in LACP
1982 negotiations initiated by a remote switch, but not allowed to
1983 initiate such negotiations themselves. If LACP is enabled on a
1984 port whose partner switch does not support LACP, the bond will
1985 be disabled, unless other-config:lacp-fallback-ab is set to
1986 true. Defaults to off if unset.
1987 other_config : lacp-system-id: optional string
1989 The LACP system ID of this Port. The system ID of a LACP bond is
1990 used to identify itself to its partners. Must be a nonzero MAC
1991 address. Defaults to the bridge Ethernet address if unset.
1992 other_config : lacp-system-priority: optional string, containing an
1994 integer, in range 1 to 65,535
1995 The LACP system priority of this Port. In LACP negotiations,
1996 link status decisions are made by the system with the numeri‐
1997 cally lower priority.
1998 other_config : lacp-time: optional string, either fast or slow
2000 The LACP timing which should be used on this Port. By default
2001 slow is used. When configured to be fast LACP heartbeats are
2002 requested at a rate of once per second causing connectivity
2003 problems to be detected more quickly. In slow mode, heartbeats
2004 are requested at a rate of once every 30 seconds.
2005 other_config : lacp-fallback-ab: optional string, either true or false
2007 Determines the behavior of openvswitch bond in LACP mode. If the
2008 partner switch does not support LACP, setting this option to
2009 true allows openvswitch to fallback to active-backup. If the
2010 option is set to false, the bond will be disabled. In both the
2011 cases, once the partner switch is configured to LACP mode, the
2012 bond will use LACP.
2013 Rebalancing Configuration:
2015 These settings control behavior when a bond is in balance-slb or bal‐
2017 ance-tcp mode.
2018 other_config : bond-rebalance-interval: optional string, containing an
2020 integer, in range 0 to 2,147,483,647
2021 For a load balanced bonded port, the number of milliseconds
2022 between successive attempts to rebalance the bond, that is, to
2023 move flows from one interface on the bond to another in an
2024 attempt to keep usage of each interface roughly equal. If zero,
2025 load balancing is disabled on the bond (link failure still cause
2026 flows to move). If less than 1000ms, the rebalance interval will
2027 be 1000ms.
2028 bond_fake_iface: boolean
2030 For a bonded port, whether to create a fake internal interface
2031 with the name of the port. Use only for compatibility with
2032 legacy software that requires this.
2033 Spanning Tree Protocol:
2035 The configuration here is only meaningful, and the status is only popu‐
2037 lated, when 802.1D-1998 Spanning Tree Protocol is enabled on the port’s
2038 Bridge with its stp_enable column.
2039 STP Configuration:
2041 other_config : stp-enable: optional string, either true or false
2043 When STP is enabled on a bridge, it is enabled by default on all
2044 of the bridge’s ports except bond, internal, and mirror ports
2045 (which do not work with STP). If this column’s value is false,
2046 STP is disabled on the port.
2047 other_config : stp-port-num: optional string, containing an integer, in
2049 range 1 to 255
2050 The port number used for the lower 8 bits of the port-id. By
2051 default, the numbers will be assigned automatically. If any
2052 port’s number is manually configured on a bridge, then they must
2053 all be.
2054 other_config : stp-port-priority: optional string, containing an inte‐
2056 ger, in range 0 to 255
2057 The port’s relative priority value for determining the root port
2058 (the upper 8 bits of the port-id). A port with a lower port-id
2059 will be chosen as the root port. By default, the priority is
2060 0x80.
2061 other_config : stp-path-cost: optional string, containing an integer,
2063 in range 0 to 65,535
2064 Spanning tree path cost for the port. A lower number indicates a
2065 faster link. By default, the cost is based on the maximum speed
2066 of the link.
2067 STP Status:
2069 status : stp_port_id: optional string
2071 The port ID used in spanning tree advertisements for this port,
2072 as 4 hex digits. Configuring the port ID is described in the
2073 stp-port-num and stp-port-priority keys of the other_config sec‐
2074 tion earlier.
2075 status : stp_state: optional string, one of blocking, disabled, for‐
2077 warding, learning, or listening
2078 STP state of the port.
2079 status : stp_sec_in_state: optional string, containing an integer, at
2081 least 0
2082 The amount of time this port has been in the current STP state,
2083 in seconds.
2084 status : stp_role: optional string, one of alternate, designated, or
2086 root
2087 STP role of the port.
2088 Rapid Spanning Tree Protocol:
2090 The configuration here is only meaningful, and the status and statis‐
2092 tics are only populated, when 802.1D-1998 Spanning Tree Protocol is
2093 enabled on the port’s Bridge with its stp_enable column.
2094 RSTP Configuration:
2096 other_config : rstp-enable: optional string, either true or false
2098 When RSTP is enabled on a bridge, it is enabled by default on
2099 all of the bridge’s ports except bond, internal, and mirror
2100 ports (which do not work with RSTP). If this column’s value is
2101 false, RSTP is disabled on the port.
2102 other_config : rstp-port-priority: optional string, containing an inte‐
2104 ger, in range 0 to 240
2105 The port’s relative priority value for determining the root
2106 port, in multiples of 16. By default, the port priority is 0x80
2107 (128). Any value in the lower 4 bits is rounded off. The signif‐
2108 icant upper 4 bits become the upper 4 bits of the port-id. A
2109 port with the lowest port-id is elected as the root.
2110 other_config : rstp-port-num: optional string, containing an integer,
2112 in range 1 to 4,095
2113 The local RSTP port number, used as the lower 12 bits of the
2114 port-id. By default the port numbers are assigned automatically,
2115 and typically may not correspond to the OpenFlow port numbers. A
2116 port with the lowest port-id is elected as the root.
2117 other_config : rstp-port-path-cost: optional string, containing an
2119 integer
2120 The port path cost. The Port’s contribution, when it is the Root
2121 Port, to the Root Path Cost for the Bridge. By default the cost
2122 is automatically calculated from the port’s speed.
2123 other_config : rstp-port-admin-edge: optional string, either true or
2125 false
2126 The admin edge port parameter for the Port. Default is false.
2127 other_config : rstp-port-auto-edge: optional string, either true or
2129 false
2130 The auto edge port parameter for the Port. Default is true.
2131 other_config : rstp-port-mcheck: optional string, either true or false
2133 The mcheck port parameter for the Port. Default is false. May be
2134 set to force the Port Protocol Migration state machine to trans‐
2135 mit RST BPDUs for a MigrateTime period, to test whether all STP
2136 Bridges on the attached LAN have been removed and the Port can
2137 continue to transmit RSTP BPDUs. Setting mcheck has no effect if
2138 the Bridge is operating in STP Compatibility mode.
2139 Changing the value from true to false has no effect, but needs
2141 to be done if this behavior is to be triggered again by subse‐
2142 quently changing the value from false to true.
2143 RSTP Status:
2145 rstp_status : rstp_port_id: optional string
2147 The port ID used in spanning tree advertisements for this port,
2148 as 4 hex digits. Configuring the port ID is described in the
2149 rstp-port-num and rstp-port-priority keys of the other_config
2150 section earlier.
2151 rstp_status : rstp_port_role: optional string, one of Alternate,
2153 Backup, Designated, Disabled, or Root
2154 RSTP role of the port.
2155 rstp_status : rstp_port_state: optional string, one of Disabled, Dis‐
2157 carding, Forwarding, or Learning
2158 RSTP state of the port.
2159 rstp_status : rstp_designated_bridge_id: optional string
2161 The port’s RSTP designated bridge ID, in the same form as
2162 rstp_status:rstp_bridge_id in the Bridge table.
2163 rstp_status : rstp_designated_port_id: optional string
2165 The port’s RSTP designated port ID, as 4 hex digits.
2166 rstp_status : rstp_designated_path_cost: optional string, containing an
2168 integer
2169 The port’s RSTP designated path cost. Lower is better.
2170 RSTP Statistics:
2172 rstp_statistics : rstp_tx_count: optional integer
2174 Number of RSTP BPDUs transmitted through this port.
2175 rstp_statistics : rstp_rx_count: optional integer
2177 Number of valid RSTP BPDUs received by this port.
2178 rstp_statistics : rstp_error_count: optional integer
2180 Number of invalid RSTP BPDUs received by this port.
2181 rstp_statistics : rstp_uptime: optional integer
2183 The duration covered by the other RSTP statistics, in seconds.
2184 Multicast Snooping:
2186 other_config : mcast-snooping-flood: optional string, either true or
2188 false
2189 If set to true, multicast packets (except Reports) are uncondi‐
2190 tionally forwarded to the specific port.
2191 other_config : mcast-snooping-flood-reports: optional string, either
2193 true or false
2194 If set to true, multicast Reports are unconditionally forwarded
2195 to the specific port.
2196 Other Features:
2198 qos: optional QoS
2200 Quality of Service configuration for this port.
2201 mac: optional string
2203 The MAC address to use for this port for the purpose of choosing
2204 the bridge’s MAC address. This column does not necessarily
2205 reflect the port’s actual MAC address, nor will setting it
2206 change the port’s actual MAC address.
2207 fake_bridge: boolean
2209 Does this port represent a sub-bridge for its tagged VLAN within
2210 the Bridge? See ovs-vsctl(8) for more information.
2211 protected: boolean
2213 The protected ports feature allows certain ports to be desig‐
2214 nated as protected. Traffic between protected ports is blocked.
2215 Protected ports can send traffic to unprotected ports. Unpro‐
2216 tected ports can send traffic to any port. Default is false.
2217 external_ids : fake-bridge-id-*: optional string
2219 External IDs for a fake bridge (see the fake_bridge column) are
2220 defined by prefixing a Bridge external_ids key with
2221 fake-bridge-, e.g. fake-bridge-xs-network-uuids.
2222 other_config : transient: optional string, either true or false
2224 If set to true, the port will be removed when ovs-ctl start
2225 --delete-transient-ports is used.
2226 bond_active_slave: optional string
2228 For a bonded port, record the MAC address of the current active
2229 member.
2230 Port Statistics:
2232 Key-value pairs that report port statistics. The update period is con‐
2234 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
2235 ble.
2236 Statistics: STP transmit and receive counters:
2238 statistics : stp_tx_count: optional integer
2240 Number of STP BPDUs sent on this port by the spanning tree
2241 library.
2242 statistics : stp_rx_count: optional integer
2244 Number of STP BPDUs received on this port and accepted by the
2245 spanning tree library.
2246 statistics : stp_error_count: optional integer
2248 Number of bad STP BPDUs received on this port. Bad BPDUs include
2249 runt packets and those with an unexpected protocol ID.
2250 Common Columns:
2252 The overall purpose of these columns is described under Common Columns
2254 at the beginning of this document.
2255 other_config: map of string-string pairs
2257 external_ids: map of string-string pairs
2259
2261 An interface within a Port.
2262 Summary:
2264 Core Features:
2265 name immutable string (must be unique within
2266 table)
2267 ifindex optional integer, in range 0 to
2268 4,294,967,295
2269 mac_in_use optional string
2270 mac optional string
2271 error optional string
2272 OpenFlow Port Number:
2273 ofport optional integer
2274 ofport_request optional integer, in range 1 to 65,279
2275 System-Specific Details:
2276 type string
2277 Tunnel Options:
2278 options : remote_ip optional string
2279 options : local_ip optional string
2280 options : in_key optional string
2281 options : out_key optional string
2282 options : dst_port optional string
2283 options : key optional string
2284 options : tos optional string
2285 options : ttl optional string
2286 options : df_default optional string, either true or false
2287 options : egress_pkt_mark optional string
2288 Tunnel Options: lisp only:
2289 options : packet_type optional string, either legacy_l3 or ptap
2290 Tunnel Options: vxlan only:
2291 options : exts optional string
2292 options : packet_type optional string, one of legacy_l2,
2293 legacy_l3, or ptap
2294 Tunnel Options: gre only:
2295 options : packet_type optional string, one of legacy_l2,
2296 legacy_l3, or ptap
2297 options : seq optional string, either true or false
2298 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2299 options : csum optional string, either true or false
2300 Tunnel Options: IPsec:
2301 options : psk optional string
2302 options : remote_cert optional string
2303 options : remote_name optional string
2304 Tunnel Options: erspan only:
2305 options : erspan_idx optional string
2306 options : erspan_ver optional string
2307 options : erspan_dir optional string
2308 options : erspan_hwid optional string
2309 Tunnel Options: Bareudp only:
2310 options : payload_type optional string
2311 Patch Options:
2312 options : peer optional string
2313 PMD (Poll Mode Driver) Options:
2314 options : n_rxq optional string, containing an integer,
2315 at least 1
2316 options : dpdk-devargs optional string
2317 other_config : pmd-rxq-affinity
2318 optional string
2319 options : xdp-mode optional string, one of best-effort,
2320 generic, native-with-zerocopy, or native
2321 options : use-need-wakeup optional string, either true or false
2322 options : vhost-server-path
2323 optional string
2324 options : tx-retries-max optional string, containing an integer,
2325 in range 0 to 32
2326 options : n_rxq_desc optional string, containing an integer,
2327 in range 1 to 4,096
2328 options : n_txq_desc optional string, containing an integer,
2329 in range 1 to 4,096
2330 options : dpdk-vf-mac optional string
2331 EMC (Exact Match Cache) Configuration:
2332 other_config : emc-enable optional string, either true or false
2333 MTU:
2334 mtu optional integer
2335 mtu_request optional integer, at least 1
2336 Interface Status:
2337 admin_state optional string, either down or up
2338 link_state optional string, either down or up
2339 link_resets optional integer
2340 link_speed optional integer
2341 duplex optional string, either full or half
2342 lacp_current optional boolean
2343 status map of string-string pairs
2344 status : driver_name optional string
2345 status : driver_version optional string
2346 status : firmware_version optional string
2347 status : source_ip optional string
2348 status : tunnel_egress_iface
2349 optional string
2350 status : tunnel_egress_iface_carrier
2351 optional string, either down or up
2352 dpdk:
2353 status : port_no optional string
2354 status : numa_id optional string
2355 status : min_rx_bufsize optional string
2356 status : max_rx_pktlen optional string
2357 status : max_rx_queues optional string
2358 status : max_tx_queues optional string
2359 status : max_mac_addrs optional string
2360 status : max_hash_mac_addrs
2361 optional string
2362 status : max_vfs optional string
2363 status : max_vmdq_pools optional string
2364 status : if_type optional string
2365 status : if_descr optional string
2366 status : pci-vendor_id optional string
2367 status : pci-device_id optional string
2368 Statistics:
2369 Statistics: Successful transmit and receive counters:
2370 statistics : rx_packets optional integer
2371 statistics : rx_bytes optional integer
2372 statistics : tx_packets optional integer
2373 statistics : tx_bytes optional integer
2374 Statistics: Receive errors:
2375 statistics : rx_dropped optional integer
2376 statistics : rx_frame_err
2377 optional integer
2378 statistics : rx_over_err optional integer
2379 statistics : rx_crc_err optional integer
2380 statistics : rx_errors optional integer
2381 Statistics: Transmit errors:
2382 statistics : tx_dropped optional integer
2383 statistics : collisions optional integer
2384 statistics : tx_errors optional integer
2385 Ingress Policing:
2386 ingress_policing_rate integer, at least 0
2387 ingress_policing_burst integer, at least 0
2388 Bidirectional Forwarding Detection (BFD):
2389 BFD Configuration:
2390 bfd : enable optional string, either true or false
2391 bfd : min_rx optional string, containing an integer,
2392 at least 1
2393 bfd : min_tx optional string, containing an integer,
2394 at least 1
2395 bfd : decay_min_rx optional string, containing an integer
2396 bfd : forwarding_if_rx optional string, either true or false
2397 bfd : cpath_down optional string, either true or false
2398 bfd : check_tnl_key optional string, either true or false
2399 bfd : bfd_local_src_mac optional string
2400 bfd : bfd_local_dst_mac optional string
2401 bfd : bfd_remote_dst_mac optional string
2402 bfd : bfd_src_ip optional string
2403 bfd : bfd_dst_ip optional string
2404 bfd : oam optional string
2405 bfd : mult optional string, containing an integer,
2406 in range 1 to 255
2407 BFD Status:
2408 bfd_status : state optional string, one of admin_down, down,
2409 init, or up
2410 bfd_status : forwarding optional string, either true or false
2411 bfd_status : diagnostic optional string
2412 bfd_status : remote_state
2413 optional string, one of admin_down, down,
2414 init, or up
2415 bfd_status : remote_diagnostic
2416 optional string
2417 bfd_status : flap_count optional string, containing an integer,
2418 at least 0
2419 Connectivity Fault Management:
2420 cfm_mpid optional integer
2421 cfm_flap_count optional integer
2422 cfm_fault optional boolean
2423 cfm_fault_status : recv none
2424 cfm_fault_status : rdi none
2425 cfm_fault_status : maid none
2426 cfm_fault_status : loopback
2427 none
2428 cfm_fault_status : overflow
2429 none
2430 cfm_fault_status : override
2431 none
2432 cfm_fault_status : interval
2433 none
2434 cfm_remote_opstate optional string, either down or up
2435 cfm_health optional integer, in range 0 to 100
2436 cfm_remote_mpids set of integers
2437 other_config : cfm_interval
2438 optional string, containing an integer
2439 other_config : cfm_extended
2440 optional string, either true or false
2441 other_config : cfm_demand optional string, either true or false
2442 other_config : cfm_opstate optional string, either down or up
2443 other_config : cfm_ccm_vlan
2444 optional string, containing an integer,
2445 in range 1 to 4,095
2446 other_config : cfm_ccm_pcp optional string, containing an integer,
2447 in range 1 to 7
2448 Bonding Configuration:
2449 other_config : lacp-port-id
2450 optional string, containing an integer,
2451 in range 1 to 65,535
2452 other_config : lacp-port-priority
2453 optional string, containing an integer,
2454 in range 1 to 65,535
2455 other_config : lacp-aggregation-key
2456 optional string, containing an integer,
2457 in range 1 to 65,535
2458 Virtual Machine Identifiers:
2459 external_ids : attached-mac
2460 optional string
2461 external_ids : iface-id optional string
2462 external_ids : iface-status
2463 optional string, either active or inac‐
2464 tive
2465 external_ids : xs-vif-uuid optional string
2466 external_ids : xs-network-uuid
2467 optional string
2468 external_ids : vm-id optional string
2469 external_ids : xs-vm-uuid optional string
2470 Auto Attach Configuration:
2471 lldp : enable optional string, either true or false
2472 Flow control Configuration:
2473 options : rx-flow-ctrl optional string, either true or false
2474 options : tx-flow-ctrl optional string, either true or false
2475 options : flow-ctrl-autoneg
2476 optional string, either true or false
2477 Link State Change detection mode:
2478 options : dpdk-lsc-interrupt
2479 optional string, either true or false
2480 Common Columns:
2481 other_config map of string-string pairs
2482 external_ids map of string-string pairs
2483 Details:
2485 Core Features:
2486 name: immutable string (must be unique within table)
2488 Interface name. Should be alphanumeric. For non-bonded port,
2489 this should be the same as the port name. It must otherwise be
2490 unique among the names of ports, interfaces, and bridges on a
2491 host.
2492 The maximum length of an interface name depends on the underly‐
2494 ing datapath:
2495 · The names of interfaces implemented as Linux and BSD net‐
2497 work devices, including interfaces with type internal,
2498 tap, or system plus the different types of tunnel ports,
2499 are limited to 15 bytes. Windows limits these names to
2500 255 bytes.
2501 · The names of patch ports are not used in the underlying
2503 datapath, so operating system restrictions do not apply.
2504 Thus, they may have arbitrary length.
2505 Regardless of other restrictions, OpenFlow only supports 15-byte
2507 names, which means that ovs-ofctl and OpenFlow controllers will
2508 show names truncated to 15 bytes.
2509 ifindex: optional integer, in range 0 to 4,294,967,295
2511 A positive interface index as defined for SNMP MIB-II in RFCs
2512 1213 and 2863, if the interface has one, otherwise 0. The
2513 ifindex is useful for seamless integration with protocols such
2514 as SNMP and sFlow.
2515 mac_in_use: optional string
2517 The MAC address in use by this interface.
2518 mac: optional string
2520 Ethernet address to set for this interface. If unset then the
2521 default MAC address is used:
2522 · For the local interface, the default is the lowest-num‐
2524 bered MAC address among the other bridge ports, either
2525 the value of the mac in its Port record, if set, or its
2526 actual MAC (for bonded ports, the MAC of its member whose
2527 name is first in alphabetical order). Internal ports and
2528 bridge ports that are used as port mirroring destinations
2529 (see the Mirror table) are ignored.
2530 · For other internal interfaces, the default MAC is ran‐
2532 domly generated.
2533 · External interfaces typically have a MAC address associ‐
2535 ated with their hardware.
2536 Some interfaces may not have a software-controllable MAC
2538 address. This option only affects internal ports. For other type
2539 ports, you can change the MAC address outside Open vSwitch,
2540 using ip command.
2541 error: optional string
2543 If the configuration of the port failed, as indicated by -1 in
2544 ofport, Open vSwitch sets this column to an error description in
2545 human readable form. Otherwise, Open vSwitch clears this column.
2546 OpenFlow Port Number:
2548 When a client adds a new interface, Open vSwitch chooses an OpenFlow
2550 port number for the new port. If the client that adds the port fills in
2551 ofport_request, then Open vSwitch tries to use its value as the Open‐
2552 Flow port number. Otherwise, or if the requested port number is already
2553 in use or cannot be used for another reason, Open vSwitch automatically
2554 assigns a free port number. Regardless of how the port number was
2555 obtained, Open vSwitch then reports in ofport the port number actually
2556 assigned.
2557 Open vSwitch limits the port numbers that it automatically assigns to
2559 the range 1 through 32,767, inclusive. Controllers therefore have free
2560 use of ports 32,768 and up.
2561 ofport: optional integer
2563 OpenFlow port number for this interface. Open vSwitch sets this
2564 column’s value, so other clients should treat it as read-only.
2565 The OpenFlow ``local’’ port (OFPP_LOCAL) is 65,534. The other
2567 valid port numbers are in the range 1 to 65,279, inclusive.
2568 Value -1 indicates an error adding the interface.
2569 ofport_request: optional integer, in range 1 to 65,279
2571 Requested OpenFlow port number for this interface.
2572 A client should ideally set this column’s value in the same
2574 database transaction that it uses to create the interface. Open
2575 vSwitch version 2.1 and later will honor a later request for a
2576 specific port number, althuogh it might confuse some con‐
2577 trollers: OpenFlow does not have a way to announce a port number
2578 change, so Open vSwitch represents it over OpenFlow as a port
2579 deletion followed immediately by a port addition.
2580 If ofport_request is set or changed to some other port’s auto‐
2582 matically assigned port number, Open vSwitch chooses a new port
2583 number for the latter port.
2584 System-Specific Details:
2586 type: string
2588 The interface type. The types supported by a particular instance
2589 of Open vSwitch are listed in the iface_types column in the
2590 Open_vSwitch table. The following types are defined:
2591 system An ordinary network device, e.g. eth0 on Linux. Sometimes
2593 referred to as ``external interfaces’’ since they are
2594 generally connected to hardware external to that on which
2595 the Open vSwitch is running. The empty string is a syn‐
2596 onym for system.
2597 internal
2599 A simulated network device that sends and receives traf‐
2600 fic. An internal interface whose name is the same as its
2601 bridge’s name is called the ``local interface.’’ It does
2602 not make sense to bond an internal interface, so the
2603 terms ``port’’ and ``interface’’ are often used impre‐
2604 cisely for internal interfaces.
2605 tap A TUN/TAP device managed by Open vSwitch.
2607 Open vSwitch checks the interface state before send pack‐
2609 ets to the device. When it is down, the packets are
2610 dropped and the tx_dropped statistic is updated accord‐
2611 ingly. Older versions of Open vSwitch did not check the
2612 interface state and then the tx_packets was incremented
2613 along with tx_dropped.
2614 geneve An Ethernet over Geneve
2616 (http://tools.ietf.org/html/draft-ietf-nvo3-geneve)
2617 IPv4/IPv6 tunnel. A description of how to match and set
2618 Geneve options can be found in the ovs-ofctl manual page.
2619 gre Generic Routing Encapsulation (GRE) over IPv4 tunnel,
2621 configurable to encapsulate layer 2 or layer 3 traffic.
2622 ip6gre Generic Routing Encapsulation (GRE) over IPv6 tunnel,
2624 encapsulate layer 2 traffic.
2625 vxlan An Ethernet tunnel over the UDP-based VXLAN protocol
2627 described in RFC 7348.
2628 Open vSwitch uses IANA-assigned UDP destination port
2630 4789. The source port used for VXLAN traffic varies on a
2631 per-flow basis and is in the ephemeral port range.
2632 lisp A layer 3 tunnel over the experimental, UDP-based Loca‐
2634 tor/ID Separation Protocol (RFC 6830).
2635 Only IPv4 and IPv6 packets are supported by the protocol,
2637 and they are sent and received without an Ethernet
2638 header. Traffic to/from LISP ports is expected to be con‐
2639 figured explicitly, and the ports are not intended to
2640 participate in learning based switching. As such, they
2641 are always excluded from packet flooding.
2642 stt The Stateless TCP Tunnel (STT) is particularly useful
2644 when tunnel endpoints are in end-systems, as it utilizes
2645 the capabilities of standard network interface cards to
2646 improve performance. STT utilizes a TCP-like header
2647 inside the IP header. It is stateless, i.e., there is no
2648 TCP connection state of any kind associated with the tun‐
2649 nel. The TCP-like header is used to leverage the capabil‐
2650 ities of existing network interface cards, but should not
2651 be interpreted as implying any sort of connection state
2652 between endpoints. Since the STT protocol does not engage
2653 in the usual TCP 3-way handshake, so it will have diffi‐
2654 culty traversing stateful firewalls. The protocol is doc‐
2655 umented at https://tools.ietf.org/html/draft-davie-stt
2656 All traffic uses a default destination port of 7471.
2657 patch A pair of virtual devices that act as a patch cable.
2659 gtpu GPRS Tunneling Protocol (GTP) is a group of IP-based com‐
2661 munications protocols used to carry general packet radio
2662 service (GPRS) within GSM, UMTS and LTE networks. GTP-U
2663 is used for carrying user data within the GPRS core net‐
2664 work and between the radio access network and the core
2665 network. The user data transported can be packets in any
2666 of IPv4, IPv6, or PPP formats.
2667 The protocol is documented at http://www.3gpp.org/DynaRe‐
2669 port/29281.htm
2670 Open vSwitch uses UDP destination port 2152. The source
2672 port used for GTP traffic varies on a per-flow basis and
2673 is in the ephemeral port range.
2674 Bareudp
2676 The Bareudp tunnel provides a generic L3 encapsulation
2677 support for tunnelling different L3 protocols like MPLS,
2678 IP, NSH etc. inside a UDP tunnel.
2679 Tunnel Options:
2681 These options apply to interfaces with type of geneve, bareudp, gre,
2683 ip6gre, vxlan, lisp and stt.
2684 Each tunnel must be uniquely identified by the combination of type,
2686 options:remote_ip, options:local_ip, and options:in_key. If two ports
2687 are defined that are the same except one has an optional identifier and
2688 the other does not, the more specific one is matched first.
2689 options:in_key is considered more specific than options:local_ip if a
2690 port defines one and another port defines the other. options:in_key is
2691 not applicable for bareudp tunnels. Hence it is not considered while
2692 identifying a bareudp tunnel.
2693 options : remote_ip: optional string
2695 Required. The remote tunnel endpoint, one of:
2696 · An IPv4 or IPv6 address (not a DNS name), e.g.
2698 192.168.0.123. Only unicast endpoints are supported.
2699 · The word flow. The tunnel accepts packets from any remote
2701 tunnel endpoint. To process only packets from a specific
2702 remote tunnel endpoint, the flow entries may match on the
2703 tun_src or tun_ipv6_srcfield. When sending packets to a
2704 remote_ip=flow tunnel, the flow actions must explicitly
2705 set the tun_dst or tun_ipv6_dst field to the IP address
2706 of the desired remote tunnel endpoint, e.g. with a
2707 set_field action.
2708 The remote tunnel endpoint for any packet received from a tunnel
2710 is available in the tun_src field for matching in the flow ta‐
2711 ble.
2712 options : local_ip: optional string
2714 Optional. The tunnel destination IP that received packets must
2715 match. Default is to match all addresses. If specified, may be
2716 one of:
2717 · An IPv4/IPv6 address (not a DNS name), e.g. 192.168.12.3.
2719 · The word flow. The tunnel accepts packets sent to any of
2721 the local IP addresses of the system running OVS. To
2722 process only packets sent to a specific IP address, the
2723 flow entries may match on the tun_dst or tun_ipv6_dst
2724 field. When sending packets to a local_ip=flow tunnel,
2725 the flow actions may explicitly set the tun_src or
2726 tun_ipv6_src field to the desired IP address, e.g. with a
2727 set_field action. However, while routing the tunneled
2728 packet out, the local system may override the specified
2729 address with the local IP address configured for the out‐
2730 going system interface.
2731 This option is valid only for tunnels also configured
2733 with the remote_ip=flow option.
2734 The tunnel destination IP address for any packet received from a
2736 tunnel is available in the tun_dst or tun_ipv6_dst field for
2737 matching in the flow table.
2738 options : in_key: optional string
2740 Optional, not applicable for bareudp. The key that received
2741 packets must contain, one of:
2742 · 0. The tunnel receives packets with no key or with a key
2744 of 0. This is equivalent to specifying no options:in_key
2745 at all.
2746 · A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit
2748 (for GRE) or 64-bit (for STT) number. The tunnel receives
2749 only packets with the specified key.
2750 · The word flow. The tunnel accepts packets with any key.
2752 The key will be placed in the tun_id field for matching
2753 in the flow table. The ovs-fields(7) manual page contains
2754 additional information about matching fields in OpenFlow
2755 flows.
2756 options : out_key: optional string
2758 Optional, not applicable for bareudp. The key to be set on out‐
2759 going packets, one of:
2760 · 0. Packets sent through the tunnel will have no key. This
2762 is equivalent to specifying no options:out_key at all.
2763 · A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit
2765 (for GRE) or 64-bit (for STT) number. Packets sent
2766 through the tunnel will have the specified key.
2767 · The word flow. Packets sent through the tunnel will have
2769 the key set using the set_tunnel Nicira OpenFlow vendor
2770 extension (0 is used in the absence of an action). The
2771 ovs-fields(7) manual page contains additional information
2772 about the Nicira OpenFlow vendor extensions.
2773 options : dst_port: optional string
2775 Optional. The tunnel transport layer destination port, for UDP
2776 and TCP based tunnel protocols (Geneve, VXLAN, LISP, and STT).
2777 options : key: optional string
2779 Optional. Shorthand to set in_key and out_key at the same time.
2780 options : tos: optional string
2782 Optional. The value of the ToS bits to be set on the encapsulat‐
2783 ing packet. ToS is interpreted as DSCP and ECN bits, ECN part
2784 must be zero. It may also be the word inherit, in which case the
2785 ToS will be copied from the inner packet if it is IPv4 or IPv6
2786 (otherwise it will be 0). The ECN fields are always inherited.
2787 Default is 0.
2788 options : ttl: optional string
2790 Optional. The TTL to be set on the encapsulating packet. It may
2791 also be the word inherit, in which case the TTL will be copied
2792 from the inner packet if it is IPv4 or IPv6 (otherwise it will
2793 be the system default, typically 64). Default is the system
2794 default TTL.
2795 options : df_default: optional string, either true or false
2797 Optional. If enabled, the Don’t Fragment bit will be set on tun‐
2798 nel outer headers to allow path MTU discovery. Default is
2799 enabled; set to false to disable.
2800 options : egress_pkt_mark: optional string
2802 Optional. The pkt_mark to be set on the encapsulating packet.
2803 This option sets packet mark for the tunnel endpoint for all
2804 tunnel packets including tunnel monitoring.
2805 Tunnel Options: lisp only:
2807 options : packet_type: optional string, either legacy_l3 or ptap
2809 A LISP tunnel sends and receives only IPv4 and IPv6 packets.
2810 This option controls what how the tunnel represents the packets
2811 that it sends and receives:
2812 · By default, or if this option is legacy_l3, the tunnel
2814 represents packets as Ethernet frames for compatibility
2815 with legacy OpenFlow controllers that expect this behav‐
2816 ior.
2817 · If this option is ptap, the tunnel represents packets
2819 using the packet_type mechanism introduced in OpenFlow
2820 1.5.
2821 Tunnel Options: vxlan only:
2823 options : exts: optional string
2825 Optional. Comma separated list of optional VXLAN extensions to
2826 enable. The following extensions are supported:
2827 · gbp: VXLAN-GBP allows to transport the group policy con‐
2829 text of a packet across the VXLAN tunnel to other network
2830 peers. See the description of tun_gbp_id and
2831 tun_gbp_flags in ovs-fields(7) for additional informa‐
2832 tion.
2833 (https://tools.ietf.org/html/draft-smith-vxlan-group-pol‐
2834 icy)
2835 · gpe: Support for Generic Protocol Encapsulation in accor‐
2837 dance with IETF draft
2838 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe.
2839 Without this option, a VXLAN packet always encapsulates
2840 an Ethernet frame. With this option, an VXLAN packet may
2841 also encapsulate an IPv4, IPv6, NSH, or MPLS packet.
2842 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2844 ptap
2845 This option controls what types of packets the tunnel sends and
2846 receives and how it represents them:
2847 · By default, or if this option is legacy_l2, the tunnel
2849 sends and receives only Ethernet frames.
2850 · If this option is legacy_l3, the tunnel sends and
2852 receives only non-Ethernet (L3) packet, but the packets
2853 are represented as Ethernet frames for compatibility with
2854 legacy OpenFlow controllers that expect this behavior.
2855 This requires enabling gpe in options:exts.
2856 · If this option is ptap, Open vSwitch represents packets
2858 in the tunnel using the packet_type mechanism introduced
2859 in OpenFlow 1.5. This mechanism supports any kind of
2860 packet, but actually sending and receiving non-Ethernet
2861 packets requires additionally enabling gpe in
2862 options:exts.
2863 Tunnel Options: gre only:
2865 gre interfaces support these options.
2867 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2869 ptap
2870 This option controls what types of packets the tunnel sends and
2871 receives and how it represents them:
2872 · By default, or if this option is legacy_l2, the tunnel
2874 sends and receives only Ethernet frames.
2875 · If this option is legacy_l3, the tunnel sends and
2877 receives only non-Ethernet (L3) packet, but the packets
2878 are represented as Ethernet frames for compatibility with
2879 legacy OpenFlow controllers that expect this behavior.
2880 · The legacy_l3 option is only available via the user space
2882 datapath. The OVS kernel datapath does not support
2883 devices of type ARPHRD_IPGRE which is the requirement for
2884 legacy_l3 type packets.
2885 · If this option is ptap, the tunnel sends and receives any
2887 kind of packet. Open vSwitch represents packets in the
2888 tunnel using the packet_type mechanism introduced in
2889 OpenFlow 1.5.
2890 options : seq: optional string, either true or false
2892 Optional. A 4-byte sequence number field for GRE tunnel only.
2893 Default is disabled, set to true to enable. Sequence number is
2894 incremented by one on each outgoing packet.
2895 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2897 gre, ip6gre, geneve, bareudp and vxlan interfaces support these
2899 options.
2900 options : csum: optional string, either true or false
2902 Optional. Compute encapsulation header (either GRE or UDP)
2903 checksums on outgoing packets. Default is disabled, set to true
2904 to enable. Checksums present on incoming packets will be vali‐
2905 dated regardless of this setting.
2906 When using the upstream Linux kernel module, computation of
2908 checksums for geneve and vxlan requires Linux kernel version 4.0
2909 or higher. gre and ip6gre support checksums for all versions of
2910 Open vSwitch that support GRE. The out of tree kernel module
2911 distributed as part of OVS can compute all tunnel checksums on
2912 any kernel version that it is compatible with.
2913 Tunnel Options: IPsec:
2915 Setting any of these options enables IPsec support for a given tunnel.
2917 gre, geneve, vxlan and stt interfaces support these options. See the
2918 IPsec section in the Open_vSwitch table for a description of each mode.
2919 options : psk: optional string
2921 In PSK mode only, the preshared secret to negotiate tunnel. This
2922 value must match on both tunnel ends.
2923 options : remote_cert: optional string
2925 In self-signed certificate mode only, name of a PEM file con‐
2926 taining a certificate of the remote switch. The certificate must
2927 be x.509 version 3 and with the string in common name (CN) also
2928 set in the subject alternative name (SAN).
2929 options : remote_name: optional string
2931 In CA-signed certificate mode only, common name (CN) of the
2932 remote certificate.
2933 Tunnel Options: erspan only:
2935 Only erspan interfaces support these options.
2937 options : erspan_idx: optional string
2939 20 bit index/port number associated with the ERSPAN traffic’s
2940 source port and direction (ingress/egress). This field is plat‐
2941 form dependent.
2942 options : erspan_ver: optional string
2944 ERSPAN version: 1 for version 1 (type II) or 2 for version 2
2945 (type III).
2946 options : erspan_dir: optional string
2948 Specifies the ERSPAN v2 mirrored traffic’s direction. 1 for
2949 egress traffic, and 0 for ingress traffic.
2950 options : erspan_hwid: optional string
2952 ERSPAN hardware ID is a 6-bit unique identifier of an ERSPAN v2
2953 engine within a system.
2954 Tunnel Options: Bareudp only:
2956 options : payload_type: optional string
2958 Specifies the ethertype of the l3 protocol the bareudp device is
2959 tunnelling. For the tunnels which supports multiple ethertypes
2960 of a l3 protocol (IP, MPLS) this field specifies the protocol
2961 name as a string.
2962 Patch Options:
2964 These options apply only to patch ports, that is, interfaces whose type
2966 column is patch. Patch ports are mainly a way to connect otherwise
2967 independent bridges to one another, similar to how one might plug an
2968 Ethernet cable (a ``patch cable’’) into two physical switches to con‐
2969 nect those switches. The effect of plugging a patch port into two
2970 switches is conceptually similar to that of plugging the two ends of a
2971 Linux veth device into those switches, but the implementation of patch
2972 ports makes them much more efficient.
2973 Patch ports may connect two different bridges (the usual case) or the
2975 same bridge. In the latter case, take special care to avoid loops, e.g.
2976 by programming appropriate flows with OpenFlow. Patch ports do not work
2977 if its ends are attached to bridges on different datapaths, e.g. to
2978 connect bridges in system and netdev datapaths.
2979 The following command creates and connects patch ports p0 and p1 and
2981 adds them to bridges br0 and br1, respectively:
2982 ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
2984 -- add-port br1 p1 -- set Interface p1 type=patch options:peer=p0
2985 options : peer: optional string
2988 The name of the Interface for the other side of the patch. The
2989 named Interface’s own peer option must specify this Interface’s
2990 name. That is, the two patch interfaces must have reversed name
2991 and peer values.
2992 PMD (Poll Mode Driver) Options:
2994 Only PMD netdevs support these options.
2996 options : n_rxq: optional string, containing an integer, at least 1
2998 Specifies the maximum number of rx queues to be created for PMD
2999 netdev. If not specified or specified to 0, one rx queue will be
3000 created by default. Not supported by DPDK vHost interfaces.
3001 options : dpdk-devargs: optional string
3003 Specifies the PCI address associated with the port for physical
3004 devices, or the virtual driver to be used for the port when a
3005 virtual PMD is intended to be used. For the latter, the argument
3006 string typically takes the form of eth_driver_namex, where
3007 driver_name is a valid virtual DPDK PMD driver name and x is a
3008 unique identifier of your choice for the given port. Only sup‐
3009 ported by the dpdk port type.
3010 other_config : pmd-rxq-affinity: optional string
3012 Specifies mapping of RX queues of this interface to CPU cores.
3013 Value should be set in the following form:
3015 other_config:pmd-rxq-affinity=<rxq-affinity-list>
3017 where
3019 · <rxq-affinity-list> ::= NULL | <non-empty-list>
3021 · <non-empty-list> ::= <affinity-pair> | <affinity-pair> ,
3023 <non-empty-list>
3024 · <affinity-pair> ::= <queue-id> : <core-id>
3026 options : xdp-mode: optional string, one of best-effort, generic,
3028 native-with-zerocopy, or native
3029 Specifies the operational mode of the XDP program.
3030 In native-with-zerocopy mode the XDP program is loaded into the
3032 device driver with zero-copy RX and TX enabled. This mode
3033 requires device driver support and has the best performance
3034 because there should be no copying of packets.
3035 native is the same as native-with-zerocopy, but without zero-
3037 copy capability. This requires at least one copy between kernel
3038 and the userspace. This mode also requires support from device
3039 driver.
3040 In generic case the XDP program in kernel works after skb allo‐
3042 cation on early stages of packet processing inside the network
3043 stack. This mode doesn’t require driver support, but has much
3044 lower performance.
3045 best-effort tries to detect and choose the best (fastest) from
3047 the available modes for current interface.
3048 Note that this option is specific to netdev-afxdp. Defaults to
3050 best-effort mode.
3051 options : use-need-wakeup: optional string, either true or false
3053 Specifies whether to use need_wakeup feature in afxdp netdev. If
3054 enabled, OVS explicitly wakes up the kernel RX, using poll()
3055 syscall and wakes up TX, using sendto() syscall. For physical
3056 devices, this feature improves the performance by avoiding
3057 unnecessary sendto syscalls. Defaults to true if supported by
3058 libbpf.
3059 options : vhost-server-path: optional string
3061 The value specifies the path to the socket associated with a
3062 vHost User client mode device that has been or will be created
3063 by QEMU. Only supported by dpdkvhostuserclient interfaces.
3064 options : tx-retries-max: optional string, containing an integer, in
3066 range 0 to 32
3067 The value specifies the maximum amount of vhost tx retries that
3068 can be made while trying to send a batch of packets to an inter‐
3069 face. Only supported by dpdkvhostuserclient interfaces.
3070 Default value is 8.
3072 options : n_rxq_desc: optional string, containing an integer, in range
3074 1 to 4,096
3075 Specifies the rx queue size (number rx descriptors) for dpdk
3076 ports. The value must be a power of 2, less than 4096 and sup‐
3077 ported by the hardware of the device being configured. If not
3078 specified or an incorrect value is specified, 2048 rx descrip‐
3079 tors will be used by default.
3080 options : n_txq_desc: optional string, containing an integer, in range
3082 1 to 4,096
3083 Specifies the tx queue size (number tx descriptors) for dpdk
3084 ports. The value must be a power of 2, less than 4096 and sup‐
3085 ported by the hardware of the device being configured. If not
3086 specified or an incorrect value is specified, 2048 tx descrip‐
3087 tors will be used by default.
3088 options : dpdk-vf-mac: optional string
3090 Ethernet address to set for this VF interface. If unset then the
3091 default MAC address is used:
3092 · For most drivers, the default MAC address assigned by
3094 their hardware.
3095 · For bifurcated drivers, the MAC currently used by the
3097 kernel netdevice.
3098 This option may only be used with dpdk VF representors.
3100 EMC (Exact Match Cache) Configuration:
3102 These settings controls behaviour of EMC lookups/insertions for packets
3104 received from the interface.
3105 other_config : emc-enable: optional string, either true or false
3107 Specifies if Exact Match Cache (EMC) should be used while pro‐
3108 cessing packets received from this interface. If true,
3109 other_config:emc-insert-inv-prob will have effect on this inter‐
3110 face.
3111 Defaults to true.
3113 MTU:
3115 The MTU (maximum transmission unit) is the largest amount of data that
3117 can fit into a single Ethernet frame. The standard Ethernet MTU is 1500
3118 bytes. Some physical media and many kinds of virtual interfaces can be
3119 configured with higher MTUs.
3120 A client may change an interface MTU by filling in mtu_request. Open
3122 vSwitch then reports in mtu the currently configured value.
3123 mtu: optional integer
3125 The currently configured MTU for the interface.
3126 This column will be empty for an interface that does not have an
3128 MTU as, for example, some kinds of tunnels do not.
3129 Open vSwitch sets this column’s value, so other clients should
3131 treat it as read-only.
3132 mtu_request: optional integer, at least 1
3134 Requested MTU (Maximum Transmission Unit) for the interface. A
3135 client can fill this column to change the MTU of an interface.
3136 RFC 791 requires every internet module to be able to forward a
3138 datagram of 68 octets without further fragmentation. The maximum
3139 size of an IP packet is 65535 bytes.
3140 If this is not set and if the interface has internal type, Open
3142 vSwitch will change the MTU to match the minimum of the other
3143 interfaces in the bridge.
3144 Interface Status:
3146 Status information about interfaces attached to bridges, updated every
3148 5 seconds. Not all interfaces have all of these properties; virtual
3149 interfaces don’t have a link speed, for example. Non-applicable columns
3150 will have empty values.
3151 admin_state: optional string, either down or up
3153 The administrative state of the physical network link.
3154 link_state: optional string, either down or up
3156 The observed state of the physical network link. This is ordi‐
3157 narily the link’s carrier status. If the interface’s Port is a
3158 bond configured for miimon monitoring, it is instead the network
3159 link’s miimon status.
3160 link_resets: optional integer
3162 The number of times Open vSwitch has observed the link_state of
3163 this Interface change.
3164 link_speed: optional integer
3166 The negotiated speed of the physical network link. Valid values
3167 are positive integers greater than 0.
3168 duplex: optional string, either full or half
3170 The duplex mode of the physical network link.
3171 lacp_current: optional boolean
3173 Boolean value indicating LACP status for this interface. If
3174 true, this interface has current LACP information about its LACP
3175 partner. This information may be used to monitor the health of
3176 interfaces in a LACP enabled port. This column will be empty if
3177 LACP is not enabled.
3178 status: map of string-string pairs
3180 Key-value pairs that report port status. Supported status values
3181 are type-dependent; some interfaces may not have a valid sta‐
3182 tus:driver_name, for example.
3183 status : driver_name: optional string
3185 The name of the device driver controlling the network adapter.
3186 status : driver_version: optional string
3188 The version string of the device driver controlling the network
3189 adapter.
3190 status : firmware_version: optional string
3192 The version string of the network adapter’s firmware, if avail‐
3193 able.
3194 status : source_ip: optional string
3196 The source IP address used for an IPv4/IPv6 tunnel end-point,
3197 such as gre.
3198 status : tunnel_egress_iface: optional string
3200 Egress interface for tunnels. Currently only relevant for tun‐
3201 nels on Linux systems, this column will show the name of the
3202 interface which is responsible for routing traffic destined for
3203 the configured options:remote_ip. This could be an internal
3204 interface such as a bridge port.
3205 status : tunnel_egress_iface_carrier: optional string, either down or
3207 up
3208 Whether carrier is detected on status:tunnel_egress_iface.
3209 dpdk:
3211 DPDK specific interface status options.
3213 status : port_no: optional string
3215 DPDK port ID.
3216 status : numa_id: optional string
3218 NUMA socket ID to which an Ethernet device is connected.
3219 status : min_rx_bufsize: optional string
3221 Minimum size of RX buffer.
3222 status : max_rx_pktlen: optional string
3224 Maximum configurable length of RX pkt.
3225 status : max_rx_queues: optional string
3227 Maximum number of RX queues.
3228 status : max_tx_queues: optional string
3230 Maximum number of TX queues.
3231 status : max_mac_addrs: optional string
3233 Maximum number of MAC addresses.
3234 status : max_hash_mac_addrs: optional string
3236 Maximum number of hash MAC addresses for MTA and UTA.
3237 status : max_vfs: optional string
3239 Maximum number of hash MAC addresses for MTA and UTA. Maximum
3240 number of VFs.
3241 status : max_vmdq_pools: optional string
3243 Maximum number of VMDq pools.
3244 status : if_type: optional string
3246 Interface type ID according to IANA ifTYPE MIB definitions.
3247 status : if_descr: optional string
3249 Interface description string.
3250 status : pci-vendor_id: optional string
3252 Vendor ID of PCI device.
3253 status : pci-device_id: optional string
3255 Device ID of PCI device.
3256 Statistics:
3258 Key-value pairs that report interface statistics. The current implemen‐
3260 tation updates these counters periodically. The update period is con‐
3261 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
3262 ble. Future implementations may update them when an interface is cre‐
3263 ated, when they are queried (e.g. using an OVSDB select operation), and
3264 just before an interface is deleted due to virtual interface hot-unplug
3265 or VM shutdown, and perhaps at other times, but not on any regular
3266 periodic basis.
3267 These are the same statistics reported by OpenFlow in its struct
3269 ofp_port_stats structure. If an interface does not support a given
3270 statistic, then that pair is omitted.
3271 Statistics: Successful transmit and receive counters:
3273 statistics : rx_packets: optional integer
3275 Number of received packets.
3276 statistics : rx_bytes: optional integer
3278 Number of received bytes.
3279 statistics : tx_packets: optional integer
3281 Number of transmitted packets.
3282 statistics : tx_bytes: optional integer
3284 Number of transmitted bytes.
3285 Statistics: Receive errors:
3287 statistics : rx_dropped: optional integer
3289 Number of packets dropped by RX.
3290 statistics : rx_frame_err: optional integer
3292 Number of frame alignment errors.
3293 statistics : rx_over_err: optional integer
3295 Number of packets with RX overrun.
3296 statistics : rx_crc_err: optional integer
3298 Number of CRC errors.
3299 statistics : rx_errors: optional integer
3301 Total number of receive errors, greater than or equal to the sum
3302 of the above.
3303 Statistics: Transmit errors:
3305 statistics : tx_dropped: optional integer
3307 Number of packets dropped by TX.
3308 statistics : collisions: optional integer
3310 Number of collisions.
3311 statistics : tx_errors: optional integer
3313 Total number of transmit errors, greater than or equal to the
3314 sum of the above.
3315 Ingress Policing:
3317 These settings control ingress policing for packets received on this
3319 interface. On a physical interface, this limits the rate at which traf‐
3320 fic is allowed into the system from the outside; on a virtual interface
3321 (one connected to a virtual machine), this limits the rate at which the
3322 VM is able to transmit.
3323 Policing is a simple form of quality-of-service that simply drops pack‐
3325 ets received in excess of the configured rate. Due to its simplicity,
3326 policing is usually less accurate and less effective than egress QoS
3327 (which is configured using the QoS and Queue tables).
3328 Policing is currently implemented on Linux and OVS with DPDK. Both
3330 implementations use a simple ``token bucket’’ approach:
3331 · The size of the bucket corresponds to ingress_polic‐
3333 ing_burst. Initially the bucket is full.
3334 · Whenever a packet is received, its size (converted to
3336 tokens) is compared to the number of tokens currently in
3337 the bucket. If the required number of tokens are avail‐
3338 able, they are removed and the packet is forwarded. Oth‐
3339 erwise, the packet is dropped.
3340 · Whenever it is not full, the bucket is refilled with
3342 tokens at the rate specified by ingress_policing_rate.
3343 Policing interacts badly with some network protocols, and especially
3345 with fragmented IP packets. Suppose that there is enough network activ‐
3346 ity to keep the bucket nearly empty all the time. Then this token
3347 bucket algorithm will forward a single packet every so often, with the
3348 period depending on packet size and on the configured rate. All of the
3349 fragments of an IP packets are normally transmitted back-to-back, as a
3350 group. In such a situation, therefore, only one of these fragments will
3351 be forwarded and the rest will be dropped. IP does not provide any way
3352 for the intended recipient to ask for only the remaining fragments. In
3353 such a case there are two likely possibilities for what will happen
3354 next: either all of the fragments will eventually be retransmitted (as
3355 TCP will do), in which case the same problem will recur, or the sender
3356 will not realize that its packet has been dropped and data will simply
3357 be lost (as some UDP-based protocols will do). Either way, it is possi‐
3358 ble that no forward progress will ever occur.
3359 ingress_policing_rate: integer, at least 0
3361 Maximum rate for data received on this interface, in kbps. Data
3362 received faster than this rate is dropped. Set to 0 (the
3363 default) to disable policing.
3364 ingress_policing_burst: integer, at least 0
3366 Maximum burst size for data received on this interface, in kb.
3367 The default burst size if set to 0 is 8000 kbit. This value has
3368 no effect if ingress_policing_rate is 0.
3369 Specifying a larger burst size lets the algorithm be more for‐
3371 giving, which is important for protocols like TCP that react se‐
3372 verely to dropped packets. The burst size should be at least the
3373 size of the interface’s MTU. Specifying a value that is numeri‐
3374 cally at least as large as 80% of ingress_policing_rate helps
3375 TCP come closer to achieving the full rate.
3376 Bidirectional Forwarding Detection (BFD):
3378 BFD, defined in RFC 5880 and RFC 5881, allows point-to-point detection
3380 of connectivity failures by occasional transmission of BFD control mes‐
3381 sages. Open vSwitch implements BFD to serve as a more popular and stan‐
3382 dards compliant alternative to CFM.
3383 BFD operates by regularly transmitting BFD control messages at a rate
3385 negotiated independently in each direction. Each endpoint specifies the
3386 rate at which it expects to receive control messages, and the rate at
3387 which it is willing to transmit them. By default, Open vSwitch uses a
3388 detection multiplier of three, meaning that an endpoint signals a con‐
3389 nectivity fault if three consecutive BFD control messages fail to
3390 arrive. In the case of a unidirectional connectivity issue, the system
3391 not receiving BFD control messages signals the problem to its peer in
3392 the messages it transmits.
3393 The Open vSwitch implementation of BFD aims to comply faithfully with
3395 RFC 5880 requirements. Open vSwitch does not implement the optional
3396 Authentication or ``Echo Mode’’ features.
3397 OVS 2.13 and earlier intercepted and processed all BFD packets. OVS
3399 2.14 and later only intercept and process BFD packets destined to a
3400 configured BFD instance, and other BFD packets are made available to
3401 the OVS flow table for forwarding.
3402 BFD Configuration:
3404 A controller sets up key-value pairs in the bfd column to enable and
3406 configure BFD.
3407 bfd : enable: optional string, either true or false
3409 True to enable BFD on this Interface. If not specified, BFD will
3410 not be enabled by default.
3411 bfd : min_rx: optional string, containing an integer, at least 1
3413 The shortest interval, in milliseconds, at which this BFD ses‐
3414 sion offers to receive BFD control messages. The remote endpoint
3415 may choose to send messages at a slower rate. Defaults to 1000.
3416 bfd : min_tx: optional string, containing an integer, at least 1
3418 The shortest interval, in milliseconds, at which this BFD ses‐
3419 sion is willing to transmit BFD control messages. Messages will
3420 actually be transmitted at a slower rate if the remote endpoint
3421 is not willing to receive as quickly as specified. Defaults to
3422 100.
3423 bfd : decay_min_rx: optional string, containing an integer
3425 An alternate receive interval, in milliseconds, that must be
3426 greater than or equal to bfd:min_rx. The implementation switches
3427 from bfd:min_rx to bfd:decay_min_rx when there is no obvious
3428 incoming data traffic at the interface, to reduce the CPU and
3429 bandwidth cost of monitoring an idle interface. This feature may
3430 be disabled by setting a value of 0. This feature is reset when‐
3431 ever bfd:decay_min_rx or bfd:min_rx changes.
3432 bfd : forwarding_if_rx: optional string, either true or false
3434 When true, traffic received on the Interface is used to indicate
3435 the capability of packet I/O. BFD control packets are still
3436 transmitted and received. At least one BFD control packet must
3437 be received every 100 * bfd:min_rx amount of time. Otherwise,
3438 even if traffic are received, the bfd:forwarding will be false.
3439 bfd : cpath_down: optional string, either true or false
3441 Set to true to notify the remote endpoint that traffic should
3442 not be forwarded to this system for some reason other than a
3443 connectivty failure on the interface being monitored. The typi‐
3444 cal underlying reason is ``concatenated path down,’’ that is,
3445 that connectivity beyond the local system is down. Defaults to
3446 false.
3447 bfd : check_tnl_key: optional string, either true or false
3449 Set to true to make BFD accept only control messages with a tun‐
3450 nel key of zero. By default, BFD accepts control messages with
3451 any tunnel key.
3452 bfd : bfd_local_src_mac: optional string
3454 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3455 the MAC used as source for transmitted BFD packets. The default
3456 is the mac address of the BFD enabled interface.
3457 bfd : bfd_local_dst_mac: optional string
3459 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3460 the MAC used as destination for transmitted BFD packets. The
3461 default is 00:23:20:00:00:01.
3462 bfd : bfd_remote_dst_mac: optional string
3464 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3465 the MAC used for checking the destination of received BFD pack‐
3466 ets. Packets with different destination MAC will not be consid‐
3467 ered as BFD packets. If not specified the destination MAC
3468 address of received BFD packets are not checked.
3469 bfd : bfd_src_ip: optional string
3471 Set to an IPv4 address to set the IP address used as source for
3472 transmitted BFD packets. The default is 169.254.1.1.
3473 bfd : bfd_dst_ip: optional string
3475 Set to an IPv4 address to set the IP address used as destination
3476 for transmitted BFD packets. The default is 169.254.1.0.
3477 bfd : oam: optional string
3479 Some tunnel protocols (such as Geneve) include a bit in the
3480 header to indicate that the encapsulated packet is an OAM frame.
3481 By setting this to true, BFD packets will be marked as OAM if
3482 encapsulated in one of these tunnels.
3483 bfd : mult: optional string, containing an integer, in range 1 to 255
3485 The BFD detection multiplier, which defaults to 3. An endpoint
3486 signals a connectivity fault if the given number of consecutive
3487 BFD control messages fail to arrive.
3488 BFD Status:
3490 The switch sets key-value pairs in the bfd_status column to report the
3492 status of BFD on this interface. When BFD is not enabled, with
3493 bfd:enable, the switch clears all key-value pairs from bfd_status.
3494 bfd_status : state: optional string, one of admin_down, down, init, or
3496 up
3497 Reports the state of the BFD session. The BFD session is fully
3498 healthy and negotiated if UP.
3499 bfd_status : forwarding: optional string, either true or false
3501 Reports whether the BFD session believes this Interface may be
3502 used to forward traffic. Typically this means the local session
3503 is signaling UP, and the remote system isn’t signaling a problem
3504 such as concatenated path down.
3505 bfd_status : diagnostic: optional string
3507 A diagnostic code specifying the local system’s reason for the
3508 last change in session state. The error messages are defined in
3509 section 4.1 of [RFC 5880].
3510 bfd_status : remote_state: optional string, one of admin_down, down,
3512 init, or up
3513 Reports the state of the remote endpoint’s BFD session.
3514 bfd_status : remote_diagnostic: optional string
3516 A diagnostic code specifying the remote system’s reason for the
3517 last change in session state. The error messages are defined in
3518 section 4.1 of [RFC 5880].
3519 bfd_status : flap_count: optional string, containing an integer, at
3521 least 0
3522 Counts the number of bfd_status:forwarding flaps since start. A
3523 flap is considered as a change of the bfd_status:forwarding
3524 value.
3525 Connectivity Fault Management:
3527 802.1ag Connectivity Fault Management (CFM) allows a group of Mainte‐
3529 nance Points (MPs) called a Maintenance Association (MA) to detect con‐
3530 nectivity problems with each other. MPs within a MA should have com‐
3531 plete and exclusive interconnectivity. This is verified by occasionally
3532 broadcasting Continuity Check Messages (CCMs) at a configurable trans‐
3533 mission interval.
3534 According to the 802.1ag specification, each Maintenance Point should
3536 be configured out-of-band with a list of Remote Maintenance Points it
3537 should have connectivity to. Open vSwitch differs from the specifica‐
3538 tion in this area. It simply assumes the link is faulted if no Remote
3539 Maintenance Points are reachable, and considers it not faulted other‐
3540 wise.
3541 When operating over tunnels which have no in_key, or an in_key of flow.
3543 CFM will only accept CCMs with a tunnel key of zero.
3544 cfm_mpid: optional integer
3546 A Maintenance Point ID (MPID) uniquely identifies each endpoint
3547 within a Maintenance Association. The MPID is used to identify
3548 this endpoint to other Maintenance Points in the MA. Each end of
3549 a link being monitored should have a different MPID. Must be
3550 configured to enable CFM on this Interface.
3551 According to the 802.1ag specification, MPIDs can only range
3553 between [1, 8191]. However, extended mode (see other_con‐
3554 fig:cfm_extended) supports eight byte MPIDs.
3555 cfm_flap_count: optional integer
3557 Counts the number of cfm fault flapps since boot. A flap is con‐
3558 sidered to be a change of the cfm_fault value.
3559 cfm_fault: optional boolean
3561 Indicates a connectivity fault triggered by an inability to
3562 receive heartbeats from any remote endpoint. When a fault is
3563 triggered on Interfaces participating in bonds, they will be
3564 disabled.
3565 Faults can be triggered for several reasons. Most importantly
3567 they are triggered when no CCMs are received for a period of 3.5
3568 times the transmission interval. Faults are also triggered when
3569 any CCMs indicate that a Remote Maintenance Point is not receiv‐
3570 ing CCMs but able to send them. Finally, a fault is triggered if
3571 a CCM is received which indicates unexpected configuration.
3572 Notably, this case arises when a CCM is received which adver‐
3573 tises the local MPID.
3574 cfm_fault_status : recv: none
3576 Indicates a CFM fault was triggered due to a lack of CCMs
3577 received on the Interface.
3578 cfm_fault_status : rdi: none
3580 Indicates a CFM fault was triggered due to the reception of a
3581 CCM with the RDI bit flagged. Endpoints set the RDI bit in their
3582 CCMs when they are not receiving CCMs themselves. This typically
3583 indicates a unidirectional connectivity failure.
3584 cfm_fault_status : maid: none
3586 Indicates a CFM fault was triggered due to the reception of a
3587 CCM with a MAID other than the one Open vSwitch uses. CFM broad‐
3588 casts are tagged with an identification number in addition to
3589 the MPID called the MAID. Open vSwitch only supports receiving
3590 CCM broadcasts tagged with the MAID it uses internally.
3591 cfm_fault_status : loopback: none
3593 Indicates a CFM fault was triggered due to the reception of a
3594 CCM advertising the same MPID configured in the cfm_mpid column
3595 of this Interface. This may indicate a loop in the network.
3596 cfm_fault_status : overflow: none
3598 Indicates a CFM fault was triggered because the CFM module
3599 received CCMs from more remote endpoints than it can keep track
3600 of.
3601 cfm_fault_status : override: none
3603 Indicates a CFM fault was manually triggered by an administrator
3604 using an ovs-appctl command.
3605 cfm_fault_status : interval: none
3607 Indicates a CFM fault was triggered due to the reception of a
3608 CCM frame having an invalid interval.
3609 cfm_remote_opstate: optional string, either down or up
3611 When in extended mode, indicates the operational state of the
3612 remote endpoint as either up or down. See other_con‐
3613 fig:cfm_opstate.
3614 cfm_health: optional integer, in range 0 to 100
3616 Indicates the health of the interface as a percentage of CCM
3617 frames received over 21 other_config:cfm_intervals. The health
3618 of an interface is undefined if it is communicating with more
3619 than one cfm_remote_mpids. It reduces if healthy heartbeats are
3620 not received at the expected rate, and gradually improves as
3621 healthy heartbeats are received at the desired rate. Every 21
3622 other_config:cfm_intervals, the health of the interface is
3623 refreshed.
3624 As mentioned above, the faults can be triggered for several rea‐
3626 sons. The link health will deteriorate even if heartbeats are
3627 received but they are reported to be unhealthy. An unhealthy
3628 heartbeat in this context is a heartbeat for which either some
3629 fault is set or is out of sequence. The interface health can be
3630 100 only on receiving healthy heartbeats at the desired rate.
3631 cfm_remote_mpids: set of integers
3633 When CFM is properly configured, Open vSwitch will occasionally
3634 receive CCM broadcasts. These broadcasts contain the MPID of the
3635 sending Maintenance Point. The list of MPIDs from which this
3636 Interface is receiving broadcasts from is regularly collected
3637 and written to this column.
3638 other_config : cfm_interval: optional string, containing an integer
3640 The interval, in milliseconds, between transmissions of CFM
3641 heartbeats. Three missed heartbeat receptions indicate a connec‐
3642 tivity fault.
3643 In standard operation only intervals of 3, 10, 100, 1,000,
3645 10,000, 60,000, or 600,000 ms are supported. Other values will
3646 be rounded down to the nearest value on the list. Extended mode
3647 (see other_config:cfm_extended) supports any interval up to
3648 65,535 ms. In either mode, the default is 1000 ms.
3649 We do not recommend using intervals less than 100 ms.
3651 other_config : cfm_extended: optional string, either true or false
3653 When true, the CFM module operates in extended mode. This causes
3654 it to use a nonstandard destination address to avoid conflicting
3655 with compliant implementations which may be running concurrently
3656 on the network. Furthermore, extended mode increases the accu‐
3657 racy of the cfm_interval configuration parameter by breaking
3658 wire compatibility with 802.1ag compliant implementations. And
3659 extended mode allows eight byte MPIDs. Defaults to false.
3660 other_config : cfm_demand: optional string, either true or false
3662 When true, and other_config:cfm_extended is true, the CFM module
3663 operates in demand mode. When in demand mode, traffic received
3664 on the Interface is used to indicate liveness. CCMs are still
3665 transmitted and received. At least one CCM must be received
3666 every 100 * other_config:cfm_interval amount of time. Otherwise,
3667 even if traffic are received, the CFM module will raise the con‐
3668 nectivity fault.
3669 Demand mode has a couple of caveats:
3671 · To ensure that ovs-vswitchd has enough time to pull sta‐
3673 tistics from the datapath, the fault detection interval
3674 is set to 3.5 * MAX(other_config:cfm_interval, 500) ms.
3675 · To avoid ambiguity, demand mode disables itself when
3677 there are multiple remote maintenance points.
3678 · If the Interface is heavily congested, CCMs containing
3680 the other_config:cfm_opstate status may be dropped caus‐
3681 ing changes in the operational state to be delayed. Simi‐
3682 larly, if CCMs containing the RDI bit are not received,
3683 unidirectional link failures may not be detected.
3684 other_config : cfm_opstate: optional string, either down or up
3686 When down, the CFM module marks all CCMs it generates as opera‐
3687 tionally down without triggering a fault. This allows remote
3688 maintenance points to choose not to forward traffic to the
3689 Interface on which this CFM module is running. Currently, in
3690 Open vSwitch, the opdown bit of CCMs affects Interfaces partici‐
3691 pating in bonds, and the bundle OpenFlow action. This setting is
3692 ignored when CFM is not in extended mode. Defaults to up.
3693 other_config : cfm_ccm_vlan: optional string, containing an integer, in
3695 range 1 to 4,095
3696 When set, the CFM module will apply a VLAN tag to all CCMs it
3697 generates with the given value. May be the string random in
3698 which case each CCM will be tagged with a different randomly
3699 generated VLAN.
3700 other_config : cfm_ccm_pcp: optional string, containing an integer, in
3702 range 1 to 7
3703 When set, the CFM module will apply a VLAN tag to all CCMs it
3704 generates with the given PCP value, the VLAN ID of the tag is
3705 governed by the value of other_config:cfm_ccm_vlan. If
3706 other_config:cfm_ccm_vlan is unset, a VLAN ID of zero is used.
3707 Bonding Configuration:
3709 other_config : lacp-port-id: optional string, containing an integer, in
3711 range 1 to 65,535
3712 The LACP port ID of this Interface. Port IDs are used in LACP
3713 negotiations to identify individual ports participating in a
3714 bond.
3715 other_config : lacp-port-priority: optional string, containing an inte‐
3717 ger, in range 1 to 65,535
3718 The LACP port priority of this Interface. In LACP negotiations
3719 Interfaces with numerically lower priorities are preferred for
3720 aggregation.
3721 other_config : lacp-aggregation-key: optional string, containing an
3723 integer, in range 1 to 65,535
3724 The LACP aggregation key of this Interface. Interfaces with dif‐
3725 ferent aggregation keys may not be active within a given Port at
3726 the same time.
3727 Virtual Machine Identifiers:
3729 These key-value pairs specifically apply to an interface that repre‐
3731 sents a virtual Ethernet interface connected to a virtual machine.
3732 These key-value pairs should not be present for other types of inter‐
3733 faces. Keys whose names end in -uuid have values that uniquely identify
3734 the entity in question. For a Citrix XenServer hypervisor, these values
3735 are UUIDs in RFC 4122 format. Other hypervisors may use other formats.
3736 external_ids : attached-mac: optional string
3738 The MAC address programmed into the ``virtual hardware’’ for
3739 this interface, in the form xx:xx:xx:xx:xx:xx. For Citrix
3740 XenServer, this is the value of the MAC field in the VIF record
3741 for this interface.
3742 external_ids : iface-id: optional string
3744 A system-unique identifier for the interface. On XenServer, this
3745 will commonly be the same as external_ids:xs-vif-uuid.
3746 external_ids : iface-status: optional string, either active or inactive
3748 Hypervisors may sometimes have more than one interface associ‐
3749 ated with a given external_ids:iface-id, only one of which is
3750 actually in use at a given time. For example, in some circum‐
3751 stances XenServer has both a ``tap’’ and a ``vif’’ interface for
3752 a single external_ids:iface-id, but only uses one of them at a
3753 time. A hypervisor that behaves this way must mark the currently
3754 in use interface active and the others inactive. A hypervisor
3755 that never has more than one interface for a given exter‐
3756 nal_ids:iface-id may mark that interface active or omit exter‐
3757 nal_ids:iface-status entirely.
3758 During VM migration, a given external_ids:iface-id might tran‐
3760 siently be marked active on two different hypervisors. That is,
3761 active means that this external_ids:iface-id is the active
3762 instance within a single hypervisor, not in a broader scope.
3763 There is one exception: some hypervisors support ``migration’’
3764 from a given hypervisor to itself (most often for test pur‐
3765 poses). During such a ``migration,’’ two instances of a single
3766 external_ids:iface-id might both be briefly marked active on a
3767 single hypervisor.
3768 external_ids : xs-vif-uuid: optional string
3770 The virtual interface associated with this interface.
3771 external_ids : xs-network-uuid: optional string
3773 The virtual network to which this interface is attached.
3774 external_ids : vm-id: optional string
3776 The VM to which this interface belongs. On XenServer, this will
3777 be the same as external_ids:xs-vm-uuid.
3778 external_ids : xs-vm-uuid: optional string
3780 The VM to which this interface belongs.
3781 Auto Attach Configuration:
3783 Auto Attach configuration for a particular interface.
3785 lldp : enable: optional string, either true or false
3787 True to enable LLDP on this Interface. If not specified, LLDP
3788 will be disabled by default.
3789 Flow control Configuration:
3791 Ethernet flow control defined in IEEE 802.1Qbb provides link level flow
3793 control using MAC pause frames. Implemented only for interfaces with
3794 type dpdk.
3795 options : rx-flow-ctrl: optional string, either true or false
3797 Set to true to enable Rx flow control on physical ports. By
3798 default, Rx flow control is disabled.
3799 options : tx-flow-ctrl: optional string, either true or false
3801 Set to true to enable Tx flow control on physical ports. By
3802 default, Tx flow control is disabled.
3803 options : flow-ctrl-autoneg: optional string, either true or false
3805 Set to true to enable flow control auto negotiation on physical
3806 ports. By default, auto-neg is disabled.
3807 Link State Change detection mode:
3809 options : dpdk-lsc-interrupt: optional string, either true or false
3811 Set this value to true to configure interrupt mode for Link
3812 State Change (LSC) detection instead of poll mode for the DPDK
3813 interface.
3814 If this value is not set, poll mode is configured.
3816 This parameter has an effect only on netdev dpdk interfaces.
3818 Common Columns:
3820 The overall purpose of these columns is described under Common Columns
3822 at the beginning of this document.
3823 other_config: map of string-string pairs
3825 external_ids: map of string-string pairs
3827
3829 Configuration for a particular OpenFlow table.
3830 Summary:
3832 name optional string
3833 Eviction Policy:
3834 flow_limit optional integer, at least 0
3835 overflow_policy optional string, either evict or refuse
3836 groups set of strings
3837 Classifier Optimization:
3838 prefixes set of up to 3 strings
3839 Common Columns:
3840 external_ids map of string-string pairs
3841 Details:
3843 name: optional string
3844 The table’s name. Set this column to change the name that con‐
3845 trollers will receive when they request table statistics, e.g.
3846 ovs-ofctl dump-tables. The name does not affect switch behavior.
3847 Eviction Policy:
3849 Open vSwitch supports limiting the number of flows that may be
3851 installed in a flow table, via the flow_limit column. When adding a
3852 flow would exceed this limit, by default Open vSwitch reports an error,
3853 but there are two ways to configure Open vSwitch to instead delete
3854 (``evict’’) a flow to make room for the new one:
3855 · Set the overflow_policy column to evict.
3857 · Send an OpenFlow 1.4+ ``table mod request’’ to enable
3859 eviction for the flow table (e.g. ovs-ofctl -O OpenFlow14
3860 mod-table br0 0 evict to enable eviction on flow table 0
3861 of bridge br0).
3862 When a flow must be evicted due to overflow, the flow to evict is cho‐
3864 sen through an approximation of the following algorithm. This algorithm
3865 is used regardless of how eviction was enabled:
3866 1. Divide the flows in the table into groups based on the val‐
3868 ues of the fields or subfields specified in the groups col‐
3869 umn, so that all of the flows in a given group have the same
3870 values for those fields. If a flow does not specify a given
3871 field, that field’s value is treated as 0. If groups is
3872 empty, then all of the flows in the flow table are treated
3873 as a single group.
3874 2. Consider the flows in the largest group, that is, the group
3876 that contains the greatest number of flows. If two or more
3877 groups all have the same largest number of flows, consider
3878 the flows in all of those groups.
3879 3. If the flows under consideration have different importance
3881 values, eliminate from consideration any flows except those
3882 with the lowest importance. (``Importance,’’ a 16-bit inte‐
3883 ger value attached to each flow, was introduced in OpenFlow
3884 1.4. Flows inserted with older versions of OpenFlow always
3885 have an importance of 0.)
3886 4. Among the flows under consideration, choose the flow that
3888 expires soonest for eviction.
3889 The eviction process only considers flows that have an idle timeout or
3891 a hard timeout. That is, eviction never deletes permanent flows. (Per‐
3892 manent flows do count against flow_limit.)
3893 flow_limit: optional integer, at least 0
3895 If set, limits the number of flows that may be added to the ta‐
3896 ble. Open vSwitch may limit the number of flows in a table for
3897 other reasons, e.g. due to hardware limitations or for resource
3898 availability or performance reasons.
3899 overflow_policy: optional string, either evict or refuse
3901 Controls the switch’s behavior when an OpenFlow flow table modi‐
3902 fication request would add flows in excess of flow_limit. The
3903 supported values are:
3904 refuse Refuse to add the flow or flows. This is also the default
3906 policy when overflow_policy is unset.
3907 evict Delete a flow chosen according to the algorithm described
3909 above.
3910 groups: set of strings
3912 When overflow_policy is evict, this controls how flows are cho‐
3913 sen for eviction when the flow table would otherwise exceed
3914 flow_limit flows. Its value is a set of NXM fields or sub-
3915 fields, each of which takes one of the forms field[] or
3916 field[start..end], e.g. NXM_OF_IN_PORT[]. Please see meta-flow.h
3917 for a complete list of NXM field names.
3918 Open vSwitch ignores any invalid or unknown field specifica‐
3920 tions.
3921 When eviction is not enabled, via overflow_policy or an OpenFlow
3923 1.4+ ``table mod,’’ this column has no effect.
3924 Classifier Optimization:
3926 prefixes: set of up to 3 strings
3928 This string set specifies which fields should be used for
3929 address prefix tracking. Prefix tracking allows the classifier
3930 to skip rules with longer than necessary prefixes, resulting in
3931 better wildcarding for datapath flows.
3932 Prefix tracking may be beneficial when a flow table contains
3934 matches on IP address fields with different prefix lengths. For
3935 example, when a flow table contains IP address matches on both
3936 full addresses and proper prefixes, the full address matches
3937 will typically cause the datapath flow to un-wildcard the whole
3938 address field (depending on flow entry priorities). In this case
3939 each packet with a different address gets handed to the
3940 userspace for flow processing and generates its own datapath
3941 flow. With prefix tracking enabled for the address field in
3942 question packets with addresses matching shorter prefixes would
3943 generate datapath flows where the irrelevant address bits are
3944 wildcarded, allowing the same datapath flow to handle all the
3945 packets within the prefix in question. In this case many
3946 userspace upcalls can be avoided and the overall performance can
3947 be better.
3948 This is a performance optimization only, so packets will receive
3950 the same treatment with or without prefix tracking.
3951 The supported fields are: tun_id, tun_src, tun_dst,
3953 tun_ipv6_src, tun_ipv6_dst, nw_src, nw_dst (or aliases ip_src
3954 and ip_dst), ipv6_src, and ipv6_dst. (Using this feature for
3955 tun_id would only make sense if the tunnel IDs have prefix
3956 structure similar to IP addresses.)
3957 By default, the prefixes=ip_dst,ip_src are used on each flow ta‐
3959 ble. This instructs the flow classifier to track the IP destina‐
3960 tion and source addresses used by the rules in this specific
3961 flow table.
3962 The keyword none is recognized as an explicit override of the
3964 default values, causing no prefix fields to be tracked.
3965 To set the prefix fields, the flow table record needs to exist:
3967 ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create
3969 Flow_Table name=table0
3970 Creates a flow table record for the OpenFlow table number
3971 0.
3972 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
3974 Enables prefix tracking for IP source and destination
3975 address fields.
3976 There is a maximum number of fields that can be enabled for any
3978 one flow table. Currently this limit is 3.
3979 Common Columns:
3981 The overall purpose of these columns is described under Common Columns
3983 at the beginning of this document.
3984 external_ids: map of string-string pairs
3986
3988 Quality of Service (QoS) configuration for each Port that references
3989 it.
3990 Summary:
3992 type string
3993 queues map of integer-Queue pairs, key in range
3994 0 to 4,294,967,295
3995 Configuration for linux-htb and linux-hfsc:
3996 other_config : max-rate optional string, containing an integer
3997 Configuration for egress-policer QoS:
3998 other_config : cir optional string, containing an integer
3999 other_config : cbs optional string, containing an integer
4000 other_config : eir optional string, containing an integer
4001 other_config : ebs optional string, containing an integer
4002 Configuration for linux-sfq:
4003 other_config : perturb optional string, containing an integer
4004 other_config : quantum optional string, containing an integer
4005 Configuration for linux-netem:
4006 other_config : latency optional string, containing an integer
4007 other_config : limit optional string, containing an integer
4008 other_config : loss optional string, containing an integer
4009 Common Columns:
4010 other_config map of string-string pairs
4011 external_ids map of string-string pairs
4012 Details:
4014 type: string
4015 The type of QoS to implement. The currently defined types are
4016 listed below:
4017 linux-htb
4019 Linux ``hierarchy token bucket’’ classifier. See tc-
4020 htb(8) (also at http://linux.die.net/man/8/tc-htb) and
4021 the HTB manual (http://luxik.cdi.cz/~devik/qos/htb/man‐
4022 ual/userg.htm) for information on how this classifier
4023 works and how to configure it.
4024 linux-hfsc
4026 Linux "Hierarchical Fair Service Curve" classifier. See
4027 http://linux-ip.net/articles/hfsc.en/ for information on
4028 how this classifier works.
4029 linux-sfq
4031 Linux ``Stochastic Fairness Queueing’’ classifier. See
4032 tc-sfq(8) (also at http://linux.die.net/man/8/tc-sfq) for
4033 information on how this classifier works.
4034 linux-codel
4036 Linux ``Controlled Delay’’ classifier. See tc-codel(8)
4037 (also at
4038 http://man7.org/linux/man-pages/man8/tc-codel.8.html) for
4039 information on how this classifier works.
4040 linux-fq_codel
4042 Linux ``Fair Queuing with Controlled Delay’’ classifier.
4043 See tc-fq_codel(8) (also at
4044 http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html)
4045 for information on how this classifier works.
4046 linux-netem
4048 Linux ``Network Emulator’’ classifier. See tc-netem(8)
4049 (also at
4050 http://man7.org/linux/man-pages/man8/tc-netem.8.html) for
4051 information on how this classifier works.
4052 linux-noop
4054 Linux ``No operation.’’ By default, Open vSwitch manages
4055 quality of service on all of its configured ports. This
4056 can be helpful, but sometimes administrators prefer to
4057 use other software to manage QoS. This type prevents Open
4058 vSwitch from changing the QoS configuration for a port.
4059 egress-policer
4061 A DPDK egress policer algorithm using the DPDK rte_meter
4062 library. The rte_meter library provides an implementation
4063 which allows the metering and policing of traffic. The
4064 implementation in OVS essentially creates a single token
4065 bucket used to police traffic. It should be noted that
4066 when the rte_meter is configured as part of QoS there
4067 will be a performance overhead as the rte_meter itself
4068 will consume CPU cycles in order to police traffic. These
4069 CPU cycles ordinarily are used for packet proccessing. As
4070 such the drop in performance will be noticed in terms of
4071 overall aggregate traffic throughput.
4072 trtcm-policer
4074 A DPDK egress policer algorithm using RFC 4115’s Two-
4075 Rate, Three-Color marker. It’s a two-level hierarchical
4076 policer which first does a color-blind marking of the
4077 traffic at the queue level, followed by a color-aware
4078 marking at the port level. At the end traffic marked as
4079 Green or Yellow is forwarded, Red is dropped. For details
4080 on how traffic is marked, see RFC 4115. If the ``default
4081 queue’’, 0, is not configured it’s automatically created
4082 with the same other_config values as the physical port.
4083 queues: map of integer-Queue pairs, key in range 0 to 4,294,967,295
4085 A map from queue numbers to Queue records. The supported range
4086 of queue numbers depend on type. The queue numbers are the same
4087 as the queue_id used in OpenFlow in struct ofp_action_enqueue
4088 and other structures.
4089 Queue 0 is the ``default queue.’’ It is used by OpenFlow output
4091 actions when no specific queue has been set. When no configura‐
4092 tion for queue 0 is present, it is automatically configured as
4093 if a Queue record with empty dscp and other_config columns had
4094 been specified. (Before version 1.6, Open vSwitch would leave
4095 queue 0 unconfigured in this case. With some queuing disci‐
4096 plines, this dropped all packets destined for the default
4097 queue.)
4098 Configuration for linux-htb and linux-hfsc:
4100 The linux-htb and linux-hfsc classes support the following key-value
4102 pair:
4103 other_config : max-rate: optional string, containing an integer
4105 Maximum rate shared by all queued traffic, in bit/s. Optional.
4106 If not specified, for physical interfaces, the default is the
4107 link rate. For other interfaces or if the link rate cannot be
4108 determined, the default is currently 100 Mbps.
4109 Configuration for egress-policer QoS:
4111 QoS type egress-policer provides egress policing for userspace port
4113 types with DPDK. It has the following key-value pairs defined.
4114 other_config : cir: optional string, containing an integer
4116 The Committed Information Rate (CIR) is measured in bytes of IP
4117 packets per second, i.e. it includes the IP header, but not link
4118 specific (e.g. Ethernet) headers. This represents the bytes per
4119 second rate at which the token bucket will be updated. The cir
4120 value is calculated by (pps x packet data size). For example
4121 assuming a user wishes to limit a stream consisting of 64 byte
4122 packets to 1 million packets per second the CIR would be set to
4123 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4124 Where 1,000,000 is the policing rate for the number of packets
4125 per second and 46 represents the size of the packet data for a
4126 64 byte ip packet.
4127 other_config : cbs: optional string, containing an integer
4129 The Committed Burst Size (CBS) is measured in bytes and repre‐
4130 sents a token bucket. At a minimum this value should be be set
4131 to the expected largest size packet in the traffic stream. In
4132 practice larger values may be used to increase the size of the
4133 token bucket. If a packet can be transmitted then the cbs will
4134 be decremented by the number of bytes/tokens of the packet. If
4135 there are not enough tokens in the cbs bucket the packet will be
4136 dropped.
4137 other_config : eir: optional string, containing an integer
4139 The Excess Information Rate (EIR) is measured in bytes of IP
4140 packets per second, i.e. it includes the IP header, but not link
4141 specific (e.g. Ethernet) headers. This represents the bytes per
4142 second rate at which the token bucket will be updated. The eir
4143 value is calculated by (pps x packet data size). For example
4144 assuming a user wishes to limit a stream consisting of 64 byte
4145 packets to 1 million packets per second the EIR would be set to
4146 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4147 Where 1,000,000 is the policing rate for the number of packets
4148 per second and 46 represents the size of the packet data for a
4149 64 byte ip packet.
4150 other_config : ebs: optional string, containing an integer
4152 The Excess Burst Size (EBS) is measured in bytes and represents
4153 a token bucket. At a minimum this value should be be set to the
4154 expected largest size packet in the traffic stream. In practice
4155 larger values may be used to increase the size of the token
4156 bucket. If a packet can be transmitted then the ebs will be
4157 decremented by the number of bytes/tokens of the packet. If
4158 there are not enough tokens in the cbs bucket the packet might
4159 be dropped.
4160 Configuration for linux-sfq:
4162 The linux-sfq QoS supports the following key-value pairs:
4164 other_config : perturb: optional string, containing an integer
4166 Number of seconds between consecutive perturbations in hashing
4167 algorithm. Different flows can end up in the same hash bucket
4168 causing unfairness. Perturbation’s goal is to remove possible
4169 unfairness. The default and recommended value is 10. Too low a
4170 value is discouraged because each perturbation can cause packet
4171 reordering.
4172 other_config : quantum: optional string, containing an integer
4174 Number of bytes linux-sfq QoS can dequeue in one turn in round-
4175 robin from one flow. The default and recommended value is equal
4176 to interface’s MTU.
4177 Configuration for linux-netem:
4179 The linux-netem QoS supports the following key-value pairs:
4181 other_config : latency: optional string, containing an integer
4183 Adds the chosen delay to the packets outgoing to chosen network
4184 interface. The latency value expressed in us.
4185 other_config : limit: optional string, containing an integer
4187 Maximum number of packets the qdisc may hold queued at a time.
4188 The default value is 1000.
4189 other_config : loss: optional string, containing an integer
4191 Adds an independent loss probability to the packets outgoing
4192 from the chosen network interface.
4193 Common Columns:
4195 The overall purpose of these columns is described under Common Columns
4197 at the beginning of this document.
4198 other_config: map of string-string pairs
4200 external_ids: map of string-string pairs
4202
4204 A configuration for a port output queue, used in configuring Quality of
4205 Service (QoS) features. May be referenced by queues column in QoS ta‐
4206 ble.
4207 Summary:
4209 dscp optional integer, in range 0 to 63
4210 Configuration for linux-htb QoS:
4211 other_config : min-rate optional string, containing an integer,
4212 at least 1
4213 other_config : max-rate optional string, containing an integer,
4214 at least 1
4215 other_config : burst optional string, containing an integer,
4216 at least 1
4217 other_config : priority optional string, containing an integer,
4218 in range 0 to 4,294,967,295
4219 Configuration for linux-hfsc QoS:
4220 other_config : min-rate optional string, containing an integer,
4221 at least 1
4222 other_config : max-rate optional string, containing an integer,
4223 at least 1
4224 Common Columns:
4225 other_config map of string-string pairs
4226 external_ids map of string-string pairs
4227 Details:
4229 dscp: optional integer, in range 0 to 63
4230 If set, Open vSwitch will mark all traffic egressing this Queue
4231 with the given DSCP bits. Traffic egressing the default Queue is
4232 only marked if it was explicitly selected as the Queue at the
4233 time the packet was output. If unset, the DSCP bits of traffic
4234 egressing this Queue will remain unchanged.
4235 Configuration for linux-htb QoS:
4237 QoS type linux-htb may use queue_ids less than 61440. It has the fol‐
4239 lowing key-value pairs defined.
4240 other_config : min-rate: optional string, containing an integer, at
4242 least 1
4243 Minimum guaranteed bandwidth, in bit/s.
4244 other_config : max-rate: optional string, containing an integer, at
4246 least 1
4247 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4248 queue’s rate will not be allowed to exceed the specified value,
4249 even if excess bandwidth is available. If unspecified, defaults
4250 to no limit.
4251 other_config : burst: optional string, containing an integer, at least
4253 1
4254 Burst size, in bits. This is the maximum amount of ``credits’’
4255 that a queue can accumulate while it is idle. Optional. Details
4256 of the linux-htb implementation require a minimum burst size, so
4257 a too-small burst will be silently ignored.
4258 other_config : priority: optional string, containing an integer, in
4260 range 0 to 4,294,967,295
4261 A queue with a smaller priority will receive all the excess
4262 bandwidth that it can use before a queue with a larger value
4263 receives any. Specific priority values are unimportant; only
4264 relative ordering matters. Defaults to 0 if unspecified.
4265 Configuration for linux-hfsc QoS:
4267 QoS type linux-hfsc may use queue_ids less than 61440. It has the fol‐
4269 lowing key-value pairs defined.
4270 other_config : min-rate: optional string, containing an integer, at
4272 least 1
4273 Minimum guaranteed bandwidth, in bit/s.
4274 other_config : max-rate: optional string, containing an integer, at
4276 least 1
4277 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4278 queue’s rate will not be allowed to exceed the specified value,
4279 even if excess bandwidth is available. If unspecified, defaults
4280 to no limit.
4281 Common Columns:
4283 The overall purpose of these columns is described under Common Columns
4285 at the beginning of this document.
4286 other_config: map of string-string pairs
4288 external_ids: map of string-string pairs
4290
4292 A port mirror within a Bridge.
4293 A port mirror configures a bridge to send selected frames to special
4295 ``mirrored’’ ports, in addition to their normal destinations. Mirroring
4296 traffic may also be referred to as SPAN or RSPAN, depending on how the
4297 mirrored traffic is sent.
4298 When a packet enters an Open vSwitch bridge, it becomes eligible for
4300 mirroring based on its ingress port and VLAN. As the packet travels
4301 through the flow tables, each time it is output to a port, it becomes
4302 eligible for mirroring based on the egress port and VLAN. In Open
4303 vSwitch 2.5 and later, mirroring occurs just after a packet first
4304 becomes eligible, using the packet as it exists at that point; in Open
4305 vSwitch 2.4 and earlier, mirroring occurs only after a packet has tra‐
4306 versed all the flow tables, using the original packet as it entered the
4307 bridge. This makes a difference only when the flow table modifies the
4308 packet: in Open vSwitch 2.4, the modifications are never visible to
4309 mirrors, whereas in Open vSwitch 2.5 and later modifications made
4310 before the first output that makes it eligible for mirroring to a par‐
4311 ticular destination are visible.
4312 A packet that enters an Open vSwitch bridge is mirrored to a particular
4314 destination only once, even if it is eligible for multiple reasons. For
4315 example, a packet would be mirrored to a particular output_port only
4316 once, even if it is selected for mirroring to that port by
4317 select_dst_port and select_src_port in the same or different Mirror
4318 records.
4319 Summary:
4321 name string
4322 Selecting Packets for Mirroring:
4323 select_all boolean
4324 select_dst_port set of weak reference to Ports
4325 select_src_port set of weak reference to Ports
4326 select_vlan set of up to 4,096 integers, in range 0
4327 to 4,095
4328 Mirroring Destination Configuration:
4329 output_port optional weak reference to Port
4330 output_vlan optional integer, in range 1 to 4,095
4331 snaplen optional integer, in range 14 to 65,535
4332 Statistics: Mirror counters:
4333 statistics : tx_packets optional integer
4334 statistics : tx_bytes optional integer
4335 Common Columns:
4336 external_ids map of string-string pairs
4337 Details:
4339 name: string
4340 Arbitrary identifier for the Mirror.
4341 Selecting Packets for Mirroring:
4343 To be selected for mirroring, a given packet must enter or leave the
4345 bridge through a selected port and it must also be in one of the
4346 selected VLANs.
4347 select_all: boolean
4349 If true, every packet arriving or departing on any port is
4350 selected for mirroring.
4351 select_dst_port: set of weak reference to Ports
4353 Ports on which departing packets are selected for mirroring.
4354 select_src_port: set of weak reference to Ports
4356 Ports on which arriving packets are selected for mirroring.
4357 select_vlan: set of up to 4,096 integers, in range 0 to 4,095
4359 VLANs on which packets are selected for mirroring. An empty set
4360 selects packets on all VLANs.
4361 Mirroring Destination Configuration:
4363 These columns are mutually exclusive. Exactly one of them must be
4365 nonempty.
4366 output_port: optional weak reference to Port
4368 Output port for selected packets, if nonempty.
4369 Specifying a port for mirror output reserves that port exclu‐
4371 sively for mirroring. No frames other than those selected for
4372 mirroring via this column will be forwarded to the port, and any
4373 frames received on the port will be discarded.
4374 The output port may be any kind of port supported by Open
4376 vSwitch. It may be, for example, a physical port (sometimes
4377 called SPAN) or a GRE tunnel.
4378 output_vlan: optional integer, in range 1 to 4,095
4380 Output VLAN for selected packets, if nonempty.
4381 The frames will be sent out all ports that trunk output_vlan, as
4383 well as any ports with implicit VLAN output_vlan. When a mir‐
4384 rored frame is sent out a trunk port, the frame’s VLAN tag will
4385 be set to output_vlan, replacing any existing tag; when it is
4386 sent out an implicit VLAN port, the frame will not be tagged.
4387 This type of mirroring is sometimes called RSPAN.
4388 See the documentation for other_config:forward-bpdu in the
4390 Interface table for a list of destination MAC addresses which
4391 will not be mirrored to a VLAN to avoid confusing switches that
4392 interpret the protocols that they represent.
4393 Please note: Mirroring to a VLAN can disrupt a network that con‐
4395 tains unmanaged switches. Consider an unmanaged physical switch
4396 with two ports: port 1, connected to an end host, and port 2,
4397 connected to an Open vSwitch configured to mirror received pack‐
4398 ets into VLAN 123 on port 2. Suppose that the end host sends a
4399 packet on port 1 that the physical switch forwards to port 2.
4400 The Open vSwitch forwards this packet to its destination and
4401 then reflects it back on port 2 in VLAN 123. This reflected
4402 packet causes the unmanaged physical switch to replace the MAC
4403 learning table entry, which correctly pointed to port 1, with
4404 one that incorrectly points to port 2. Afterward, the physical
4405 switch will direct packets destined for the end host to the Open
4406 vSwitch on port 2, instead of to the end host on port 1, dis‐
4407 rupting connectivity. If mirroring to a VLAN is desired in this
4408 scenario, then the physical switch must be replaced by one that
4409 learns Ethernet addresses on a per-VLAN basis. In addition,
4410 learning should be disabled on the VLAN containing mirrored
4411 traffic. If this is not done then intermediate switches will
4412 learn the MAC address of each end host from the mirrored traf‐
4413 fic. If packets being sent to that end host are also mirrored,
4414 then they will be dropped since the switch will attempt to send
4415 them out the input port. Disabling learning for the VLAN will
4416 cause the switch to correctly send the packet out all ports con‐
4417 figured for that VLAN. If Open vSwitch is being used as an
4418 intermediate switch, learning can be disabled by adding the mir‐
4419 rored VLAN to flood_vlans in the appropriate Bridge table or
4420 tables.
4421 Mirroring to a GRE tunnel has fewer caveats than mirroring to a
4423 VLAN and should generally be preferred.
4424 snaplen: optional integer, in range 14 to 65,535
4426 Maximum per-packet number of bytes to mirror.
4427 A mirrored packet with size larger than snaplen will be trun‐
4429 cated in datapath to snaplen bytes before sending to the mirror
4430 output port. If omitted, packets are not truncated.
4431 Statistics: Mirror counters:
4433 Key-value pairs that report mirror statistics. The update period is
4435 controlled by other_config:stats-update-interval in the Open_vSwitch
4436 table.
4437 statistics : tx_packets: optional integer
4439 Number of packets transmitted through this mirror.
4440 statistics : tx_bytes: optional integer
4442 Number of bytes transmitted through this mirror.
4443 Common Columns:
4445 The overall purpose of these columns is described under Common Columns
4447 at the beginning of this document.
4448 external_ids: map of string-string pairs
4450
4452 An OpenFlow controller.
4453 Summary:
4455 Core Features:
4456 type optional string, either primary or ser‐
4457 vice
4458 target string
4459 connection_mode optional string, either in-band or
4460 out-of-band
4461 Controller Failure Detection and Handling:
4462 max_backoff optional integer, at least 1,000
4463 inactivity_probe optional integer
4464 Asynchronous Messages:
4465 enable_async_messages optional boolean
4466 Controller Rate Limiting:
4467 controller_queue_size optional integer, in range 1 to 512
4468 controller_rate_limit optional integer, at least 100
4469 controller_burst_limit optional integer, at least 25
4470 Controller Rate Limiting Statistics:
4471 status : packet-in-TYPE-bypassed
4472 optional string, containing an integer,
4473 at least 0
4474 status : packet-in-TYPE-queued
4475 optional string, containing an integer,
4476 at least 0
4477 status : packet-in-TYPE-dropped
4478 optional string, containing an integer,
4479 at least 0
4480 status : packet-in-TYPE-backlog
4481 optional string, containing an integer,
4482 at least 0
4483 Additional In-Band Configuration:
4484 local_ip optional string
4485 local_netmask optional string
4486 local_gateway optional string
4487 Controller Status:
4488 is_connected boolean
4489 role optional string, one of master, other, or
4490 slave
4491 status : last_error optional string
4492 status : state optional string, one of ACTIVE, BACKOFF,
4493 CONNECTING, IDLE, or VOID
4494 status : sec_since_connect optional string, containing an integer,
4495 at least 0
4496 status : sec_since_disconnect
4497 optional string, containing an integer,
4498 at least 1
4499 Connection Parameters:
4500 other_config : dscp optional string, containing an integer
4501 Common Columns:
4502 external_ids map of string-string pairs
4503 other_config map of string-string pairs
4504 Details:
4506 Core Features:
4507 type: optional string, either primary or service
4509 Open vSwitch supports two kinds of OpenFlow controllers. A
4510 bridge may have any number of each kind:
4511 Primary controllers
4513 This is the kind of controller envisioned by the OpenFlow
4514 specifications. Usually, a primary controller implements
4515 a network policy by taking charge of the switch’s flow
4516 table.
4517 The fail_mode column in the Bridge table applies to pri‐
4519 mary controllers.
4520 When multiple primary controllers are configured, Open
4522 vSwitch connects to all of them simultaneously. OpenFlow
4523 provides few facilities to allow multiple controllers to
4524 coordinate in interacting with a single switch, so more
4525 than one primary controller should be specified only if
4526 the controllers are themselves designed to coordinate
4527 with each other.
4528 Service controllers
4530 These kinds of OpenFlow controller connections are
4531 intended for occasional support and maintenance use, e.g.
4532 with ovs-ofctl. Usually a service controller connects
4533 only briefly to inspect or modify some of a switch’s
4534 state.
4535 The fail_mode column in the Bridge table does not apply
4537 to service controllers.
4538 By default, Open vSwitch treats controllers with active connec‐
4540 tion methods as primary controllers and those with passive con‐
4541 nection methods as service controllers. Set this column to the
4542 desired type to override this default.
4543 target: string
4545 Connection method for controller.
4546 The following active connection methods are currently supported:
4548 ssl:host[:port]
4550 The specified SSL port on the host at the given host,
4551 which can either be a DNS name (if built with unbound
4552 library) or an IP address. The ssl column in the
4553 Open_vSwitch table must point to a valid SSL configura‐
4554 tion when this form is used.
4555 If port is not specified, it defaults to 6653.
4557 SSL support is an optional feature that is not always
4559 built as part of Open vSwitch.
4560 tcp:host[:port]
4562 The specified TCP port on the host at the given host,
4563 which can either be a DNS name (if built with unbound
4564 library) or an IP address (IPv4 or IPv6). If host is an
4565 IPv6 address, wrap it in square brackets, e.g.
4566 tcp:[::1]:6653.
4567 If port is not specified, it defaults to 6653.
4569 The following passive connection methods are currently sup‐
4571 ported:
4572 pssl:[port][:host]
4574 Listens for SSL connections on the specified TCP port. If
4575 host, which can either be a DNS name (if built with
4576 unbound library) or an IP address, is specified, then
4577 connections are restricted to the resolved or specified
4578 local IP address (either IPv4 or IPv6). If host is an
4579 IPv6 address, wrap it in square brackets, e.g.
4580 pssl:6653:[::1].
4581 If port is not specified, it defaults to 6653. If host is
4583 not specified then it listens only on IPv4 (but not IPv6)
4584 addresses. The ssl column in the Open_vSwitch table must
4585 point to a valid SSL configuration when this form is
4586 used.
4587 If port is not specified, it currently to 6653.
4589 SSL support is an optional feature that is not always
4591 built as part of Open vSwitch.
4592 ptcp:[port][:host]
4594 Listens for connections on the specified TCP port. If
4595 host, which can either be a DNS name (if built with
4596 unbound library) or an IP address, is specified, then
4597 connections are restricted to the resolved or specified
4598 local IP address (either IPv4 or IPv6). If host is an
4599 IPv6 address, wrap it in square brackets, e.g.
4600 ptcp:6653:[::1]. If host is not specified then it listens
4601 only on IPv4 addresses.
4602 If port is not specified, it defaults to 6653.
4604 When multiple controllers are configured for a single bridge,
4606 the target values must be unique. Duplicate target values yield
4607 unspecified results.
4608 connection_mode: optional string, either in-band or out-of-band
4610 If it is specified, this setting must be one of the following
4611 strings that describes how Open vSwitch contacts this OpenFlow
4612 controller over the network:
4613 in-band
4615 In this mode, this controller’s OpenFlow traffic travels
4616 over the bridge associated with the controller. With this
4617 setting, Open vSwitch allows traffic to and from the con‐
4618 troller regardless of the contents of the OpenFlow flow
4619 table. (Otherwise, Open vSwitch would never be able to
4620 connect to the controller, because it did not have a flow
4621 to enable it.) This is the most common connection mode
4622 because it is not necessary to maintain two independent
4623 networks.
4624 out-of-band
4626 In this mode, OpenFlow traffic uses a control network
4627 separate from the bridge associated with this controller,
4628 that is, the bridge does not use any of its own network
4629 devices to communicate with the controller. The control
4630 network must be configured separately, before or after
4631 ovs-vswitchd is started.
4632 If not specified, the default is implementation-specific.
4634 Controller Failure Detection and Handling:
4636 max_backoff: optional integer, at least 1,000
4638 Maximum number of milliseconds to wait between connection
4639 attempts. Default is implementation-specific.
4640 inactivity_probe: optional integer
4642 Maximum number of milliseconds of idle time on connection to
4643 controller before sending an inactivity probe message. If Open
4644 vSwitch does not communicate with the controller for the speci‐
4645 fied number of seconds, it will send a probe. If a response is
4646 not received for the same additional amount of time, Open
4647 vSwitch assumes the connection has been broken and attempts to
4648 reconnect. Default is implementation-specific. A value of 0 dis‐
4649 ables inactivity probes.
4650 Asynchronous Messages:
4652 OpenFlow switches send certain messages to controllers spontanenously,
4654 that is, not in response to any request from the controller. These mes‐
4655 sages are called ``asynchronous messages.’’ These columns allow asyn‐
4656 chronous messages to be limited or disabled to ensure the best use of
4657 network resources.
4658 enable_async_messages: optional boolean
4660 The OpenFlow protocol enables asynchronous messages at time of
4661 connection establishment, which means that a controller can
4662 receive asynchronous messages, potentially many of them, even if
4663 it turns them off immediately after connecting. Set this column
4664 to false to change Open vSwitch behavior to disable, by default,
4665 all asynchronous messages. The controller can use the
4666 NXT_SET_ASYNC_CONFIG Nicira extension to OpenFlow to turn on any
4667 messages that it does want to receive, if any.
4668 Controller Rate Limiting:
4670 A switch can forward packets to a controller over the OpenFlow proto‐
4672 col. Forwarding packets this way at too high a rate can overwhelm a
4673 controller, frustrate use of the OpenFlow connection for other pur‐
4674 poses, increase the latency of flow setup, and use an unreasonable
4675 amount of bandwidth. Therefore, Open vSwitch supports limiting the rate
4676 of packet forwarding to a controller.
4677 There are two main reasons in OpenFlow for a packet to be sent to a
4679 controller: either the packet ``misses’’ in the flow table, that is,
4680 there is no matching flow, or a flow table action says to send the
4681 packet to the controller. Open vSwitch limits the rate of each kind of
4682 packet separately at the configured rate. Therefore, the actual rate
4683 that packets are sent to the controller can be up to twice the config‐
4684 ured rate, when packets are sent for both reasons.
4685 This feature is specific to forwarding packets over an OpenFlow connec‐
4687 tion. It is not general-purpose QoS. See the QoS table for quality of
4688 service configuration, and ingress_policing_rate in the Interface table
4689 for ingress policing configuration.
4690 controller_queue_size: optional integer, in range 1 to 512
4692 This sets the maximum size of the queue of packets that need to
4693 be sent to this OpenFlow controller. The value must be less than
4694 512. If not specified the queue size is limited to the value set
4695 for the management controller in other_config:controller-queue-
4696 size if present or 100 packets by default. Note: increasing the
4697 queue size might have a negative impact on latency.
4698 controller_rate_limit: optional integer, at least 100
4700 The maximum rate at which the switch will forward packets to the
4701 OpenFlow controller, in packets per second. If no value is spec‐
4702 ified, rate limiting is disabled.
4703 controller_burst_limit: optional integer, at least 25
4705 When a high rate triggers rate-limiting, Open vSwitch queues
4706 packets to the controller for each port and transmits them to
4707 the controller at the configured rate. This value limits the
4708 number of queued packets. Ports on a bridge share the packet
4709 queue fairly.
4710 This value has no effect unless controller_rate_limit is config‐
4712 ured. The current default when this value is not specified is
4713 one-quarter of controller_rate_limit, meaning that queuing can
4714 delay forwarding a packet to the controller by up to 250 ms.
4715 Controller Rate Limiting Statistics:
4717 These values report the effects of rate limiting. Their values are rel‐
4719 ative to establishment of the most recent OpenFlow connection, or since
4720 rate limiting was enabled, whichever happened more recently. Each con‐
4721 sists of two values, one with TYPE replaced by miss for rate limiting
4722 flow table misses, and the other with TYPE replaced by action for rate
4723 limiting packets sent by OpenFlow actions.
4724 These statistics are reported only when controller rate limiting is
4726 enabled.
4727 status : packet-in-TYPE-bypassed: optional string, containing an inte‐
4729 ger, at least 0
4730 Number of packets sent directly to the controller, without queu‐
4731 ing, because the rate did not exceed the configured maximum.
4732 status : packet-in-TYPE-queued: optional string, containing an integer,
4734 at least 0
4735 Number of packets added to the queue to send later.
4736 status : packet-in-TYPE-dropped: optional string, containing an inte‐
4738 ger, at least 0
4739 Number of packets added to the queue that were later dropped due
4740 to overflow. This value is less than or equal to status:packet-
4741 in-TYPE-queued.
4742 status : packet-in-TYPE-backlog: optional string, containing an inte‐
4744 ger, at least 0
4745 Number of packets currently queued. The other statistics
4746 increase monotonically, but this one fluctuates between 0 and
4747 the controller_burst_limit as conditions change.
4748 Additional In-Band Configuration:
4750 These values are considered only in in-band control mode (see connec‐
4752 tion_mode).
4753 When multiple controllers are configured on a single bridge, there
4755 should be only one set of unique values in these columns. If different
4756 values are set for these columns in different controllers, the effect
4757 is unspecified.
4758 local_ip: optional string
4760 The IP address to configure on the local port, e.g.
4761 192.168.0.123. If this value is unset, then local_netmask and
4762 local_gateway are ignored.
4763 local_netmask: optional string
4765 The IP netmask to configure on the local port, e.g.
4766 255.255.255.0. If local_ip is set but this value is unset, then
4767 the default is chosen based on whether the IP address is class
4768 A, B, or C.
4769 local_gateway: optional string
4771 The IP address of the gateway to configure on the local port, as
4772 a string, e.g. 192.168.0.1. Leave this column unset if this net‐
4773 work has no gateway.
4774 Controller Status:
4776 is_connected: boolean
4778 true if currently connected to this controller, false otherwise.
4779 role: optional string, one of master, other, or slave
4781 The level of authority this controller has on the associated
4782 bridge. Possible values are:
4783 other Allows the controller access to all OpenFlow features.
4785 master Equivalent to other, except that there may be at most one
4787 such controller at a time. If a given controller promotes
4788 itself to this role, ovs-vswitchd demotes any existing
4789 controller with the role to slave.
4790 slave Allows the controller read-only access to OpenFlow fea‐
4792 tures. Attempts to modify the flow table will be rejected
4793 with an error. Such controllers do not receive
4794 OFPT_PACKET_IN or OFPT_FLOW_REMOVED messages, but they do
4795 receive OFPT_PORT_STATUS messages.
4796 status : last_error: optional string
4798 A human-readable description of the last error on the connection
4799 to the controller; i.e. strerror(errno). This key will exist
4800 only if an error has occurred.
4801 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
4803 IDLE, or VOID
4804 The state of the connection to the controller:
4805 VOID Connection is disabled.
4807 BACKOFF
4809 Attempting to reconnect at an increasing period.
4810 CONNECTING
4812 Attempting to connect.
4813 ACTIVE Connected, remote host responsive.
4815 IDLE Connection is idle. Waiting for response to keep-alive.
4817 These values may change in the future. They are provided only
4819 for human consumption.
4820 status : sec_since_connect: optional string, containing an integer, at
4822 least 0
4823 The amount of time since this controller last successfully con‐
4824 nected to the switch (in seconds). Value is empty if controller
4825 has never successfully connected.
4826 status : sec_since_disconnect: optional string, containing an integer,
4828 at least 1
4829 The amount of time since this controller last disconnected from
4830 the switch (in seconds). Value is empty if controller has never
4831 disconnected.
4832 Connection Parameters:
4834 Additional configuration for a connection between the controller and
4836 the Open vSwitch.
4837 other_config : dscp: optional string, containing an integer
4839 The Differentiated Service Code Point (DSCP) is specified using
4840 6 bits in the Type of Service (TOS) field in the IP header. DSCP
4841 provides a mechanism to classify the network traffic and provide
4842 Quality of Service (QoS) on IP networks. The DSCP value speci‐
4843 fied here is used when establishing the connection between the
4844 controller and the Open vSwitch. If no value is specified, a
4845 default value of 48 is chosen. Valid DSCP values must be in the
4846 range 0 to 63.
4847 Common Columns:
4849 The overall purpose of these columns is described under Common Columns
4851 at the beginning of this document.
4852 external_ids: map of string-string pairs
4854 other_config: map of string-string pairs
4856
4858 Configuration for a database connection to an Open vSwitch database
4859 (OVSDB) client.
4860 This table primarily configures the Open vSwitch database
4862 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The switch
4863 does read the table to determine what connections should be treated as
4864 in-band.
4865 The Open vSwitch database server can initiate and maintain active con‐
4867 nections to remote clients. It can also listen for database connec‐
4868 tions.
4869 Summary:
4871 Core Features:
4872 target string (must be unique within table)
4873 connection_mode optional string, either in-band or
4874 out-of-band
4875 Client Failure Detection and Handling:
4876 max_backoff optional integer, at least 1,000
4877 inactivity_probe optional integer
4878 Status:
4879 is_connected boolean
4880 status : last_error optional string
4881 status : state optional string, one of ACTIVE, BACKOFF,
4882 CONNECTING, IDLE, or VOID
4883 status : sec_since_connect optional string, containing an integer,
4884 at least 0
4885 status : sec_since_disconnect
4886 optional string, containing an integer,
4887 at least 0
4888 status : locks_held optional string
4889 status : locks_waiting optional string
4890 status : locks_lost optional string
4891 status : n_connections optional string, containing an integer,
4892 at least 2
4893 status : bound_port optional string, containing an integer
4894 Connection Parameters:
4895 other_config : dscp optional string, containing an integer
4896 Common Columns:
4897 external_ids map of string-string pairs
4898 other_config map of string-string pairs
4899 Details:
4901 Core Features:
4902 target: string (must be unique within table)
4904 Connection method for managers.
4905 The following connection methods are currently supported:
4907 ssl:host[:port]
4909 The specified SSL port on the host at the given host,
4910 which can either be a DNS name (if built with unbound
4911 library) or an IP address. The ssl column in the
4912 Open_vSwitch table must point to a valid SSL configura‐
4913 tion when this form is used.
4914 If port is not specified, it defaults to 6640.
4916 SSL support is an optional feature that is not always
4918 built as part of Open vSwitch.
4919 tcp:host[:port]
4921 The specified TCP port on the host at the given host,
4922 which can either be a DNS name (if built with unbound
4923 library) or an IP address (IPv4 or IPv6). If host is an
4924 IPv6 address, wrap it in square brackets, e.g.
4925 tcp:[::1]:6640.
4926 If port is not specified, it defaults to 6640.
4928 pssl:[port][:host]
4930 Listens for SSL connections on the specified TCP port.
4931 Specify 0 for port to have the kernel automatically
4932 choose an available port. If host, which can either be a
4933 DNS name (if built with unbound library) or an IP
4934 address, is specified, then connections are restricted to
4935 the resolved or specified local IP address (either IPv4
4936 or IPv6 address). If host is an IPv6 address, wrap in
4937 square brackets, e.g. pssl:6640:[::1]. If host is not
4938 specified then it listens only on IPv4 (but not IPv6)
4939 addresses. The ssl column in the Open_vSwitch table must
4940 point to a valid SSL configuration when this form is
4941 used.
4942 If port is not specified, it defaults to 6640.
4944 SSL support is an optional feature that is not always
4946 built as part of Open vSwitch.
4947 ptcp:[port][:host]
4949 Listens for connections on the specified TCP port. Spec‐
4950 ify 0 for port to have the kernel automatically choose an
4951 available port. If host, which can either be a DNS name
4952 (if built with unbound library) or an IP address, is
4953 specified, then connections are restricted to the
4954 resolved or specified local IP address (either IPv4 or
4955 IPv6 address). If host is an IPv6 address, wrap it in
4956 square brackets, e.g. ptcp:6640:[::1]. If host is not
4957 specified then it listens only on IPv4 addresses.
4958 If port is not specified, it defaults to 6640.
4960 When multiple managers are configured, the target values must be
4962 unique. Duplicate target values yield unspecified results.
4963 connection_mode: optional string, either in-band or out-of-band
4965 If it is specified, this setting must be one of the following
4966 strings that describes how Open vSwitch contacts this OVSDB
4967 client over the network:
4968 in-band
4970 In this mode, this connection’s traffic travels over a
4971 bridge managed by Open vSwitch. With this setting, Open
4972 vSwitch allows traffic to and from the client regardless
4973 of the contents of the OpenFlow flow table. (Otherwise,
4974 Open vSwitch would never be able to connect to the
4975 client, because it did not have a flow to enable it.)
4976 This is the most common connection mode because it is not
4977 necessary to maintain two independent networks.
4978 out-of-band
4980 In this mode, the client’s traffic uses a control network
4981 separate from that managed by Open vSwitch, that is, Open
4982 vSwitch does not use any of its own network devices to
4983 communicate with the client. The control network must be
4984 configured separately, before or after ovs-vswitchd is
4985 started.
4986 If not specified, the default is implementation-specific.
4988 Client Failure Detection and Handling:
4990 max_backoff: optional integer, at least 1,000
4992 Maximum number of milliseconds to wait between connection
4993 attempts. Default is implementation-specific.
4994 inactivity_probe: optional integer
4996 Maximum number of milliseconds of idle time on connection to the
4997 client before sending an inactivity probe message. If Open
4998 vSwitch does not communicate with the client for the specified
4999 number of seconds, it will send a probe. If a response is not
5000 received for the same additional amount of time, Open vSwitch
5001 assumes the connection has been broken and attempts to recon‐
5002 nect. Default is implementation-specific. A value of 0 disables
5003 inactivity probes.
5004 Status:
5006 Key-value pair of is_connected is always updated. Other key-value pairs
5008 in the status columns may be updated depends on the target type.
5009 When target specifies a connection method that listens for inbound con‐
5011 nections (e.g. ptcp: or punix:), both n_connections and is_connected
5012 may also be updated while the remaining key-value pairs are omitted.
5013 On the other hand, when target specifies an outbound connection, all
5015 key-value pairs may be updated, except the above-mentioned two key-
5016 value pairs associated with inbound connection targets. They are omit‐
5017 ted.
5018 is_connected: boolean
5020 true if currently connected to this manager, false otherwise.
5021 status : last_error: optional string
5023 A human-readable description of the last error on the connection
5024 to the manager; i.e. strerror(errno). This key will exist only
5025 if an error has occurred.
5026 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
5028 IDLE, or VOID
5029 The state of the connection to the manager:
5030 VOID Connection is disabled.
5032 BACKOFF
5034 Attempting to reconnect at an increasing period.
5035 CONNECTING
5037 Attempting to connect.
5038 ACTIVE Connected, remote host responsive.
5040 IDLE Connection is idle. Waiting for response to keep-alive.
5042 These values may change in the future. They are provided only
5044 for human consumption.
5045 status : sec_since_connect: optional string, containing an integer, at
5047 least 0
5048 The amount of time since this manager last successfully con‐
5049 nected to the database (in seconds). Value is empty if manager
5050 has never successfully connected.
5051 status : sec_since_disconnect: optional string, containing an integer,
5053 at least 0
5054 The amount of time since this manager last disconnected from the
5055 database (in seconds). Value is empty if manager has never dis‐
5056 connected.
5057 status : locks_held: optional string
5059 Space-separated list of the names of OVSDB locks that the con‐
5060 nection holds. Omitted if the connection does not hold any
5061 locks.
5062 status : locks_waiting: optional string
5064 Space-separated list of the names of OVSDB locks that the con‐
5065 nection is currently waiting to acquire. Omitted if the connec‐
5066 tion is not waiting for any locks.
5067 status : locks_lost: optional string
5069 Space-separated list of the names of OVSDB locks that the con‐
5070 nection has had stolen by another OVSDB client. Omitted if no
5071 locks have been stolen from this connection.
5072 status : n_connections: optional string, containing an integer, at
5074 least 2
5075 When target specifies a connection method that listens for
5076 inbound connections (e.g. ptcp: or pssl:) and more than one con‐
5077 nection is actually active, the value is the number of active
5078 connections. Otherwise, this key-value pair is omitted.
5079 status : bound_port: optional string, containing an integer
5081 When target is ptcp: or pssl:, this is the TCP port on which the
5082 OVSDB server is listening. (This is particularly useful when
5083 target specifies a port of 0, allowing the kernel to choose any
5084 available port.)
5085 Connection Parameters:
5087 Additional configuration for a connection between the manager and the
5089 Open vSwitch Database.
5090 other_config : dscp: optional string, containing an integer
5092 The Differentiated Service Code Point (DSCP) is specified using
5093 6 bits in the Type of Service (TOS) field in the IP header. DSCP
5094 provides a mechanism to classify the network traffic and provide
5095 Quality of Service (QoS) on IP networks. The DSCP value speci‐
5096 fied here is used when establishing the connection between the
5097 manager and the Open vSwitch. If no value is specified, a
5098 default value of 48 is chosen. Valid DSCP values must be in the
5099 range 0 to 63.
5100 Common Columns:
5102 The overall purpose of these columns is described under Common Columns
5104 at the beginning of this document.
5105 external_ids: map of string-string pairs
5107 other_config: map of string-string pairs
5109
5111 A NetFlow target. NetFlow is a protocol that exports a number of
5112 details about terminating IP flows, such as the principals involved and
5113 duration.
5114 Summary:
5116 targets set of 1 or more strings
5117 engine_id optional integer, in range 0 to 255
5118 engine_type optional integer, in range 0 to 255
5119 active_timeout integer, at least -1
5120 add_id_to_interface boolean
5121 Common Columns:
5122 external_ids map of string-string pairs
5123 Details:
5125 targets: set of 1 or more strings
5126 NetFlow targets in the form ip:port. The ip must be specified
5127 numerically, not as a DNS name.
5128 engine_id: optional integer, in range 0 to 255
5130 Engine ID to use in NetFlow messages. Defaults to datapath index
5131 if not specified.
5132 engine_type: optional integer, in range 0 to 255
5134 Engine type to use in NetFlow messages. Defaults to datapath
5135 index if not specified.
5136 active_timeout: integer, at least -1
5138 The interval at which NetFlow records are sent for flows that
5139 are still active, in seconds. A value of 0 requests the default
5140 timeout (currently 600 seconds); a value of -1 disables active
5141 timeouts.
5142 The NetFlow passive timeout, for flows that become inactive, is
5144 not configurable. It will vary depending on the Open vSwitch
5145 version, the forms and contents of the OpenFlow flow tables, CPU
5146 and memory usage, and network activity. A typical passive time‐
5147 out is about a second.
5148 add_id_to_interface: boolean
5150 If this column’s value is false, the ingress and egress inter‐
5151 face fields of NetFlow flow records are derived from OpenFlow
5152 port numbers. When it is true, the 7 most significant bits of
5153 these fields will be replaced by the least significant 7 bits of
5154 the engine id. This is useful because many NetFlow collectors do
5155 not expect multiple switches to be sending messages from the
5156 same host, so they do not store the engine information which
5157 could be used to disambiguate the traffic.
5158 When this option is enabled, a maximum of 508 ports are sup‐
5160 ported.
5161 Common Columns:
5163 The overall purpose of these columns is described under Common Columns
5165 at the beginning of this document.
5166 external_ids: map of string-string pairs
5168
5170 Configuration for a datapath within Open_vSwitch.
5171 A datapath is responsible for providing the packet handling in Open
5173 vSwitch. There are two primary datapath implementations used by Open
5174 vSwitch: kernel and userspace. Kernel datapath implementations are
5175 available for Linux and Hyper-V, and selected as system in the data‐
5176 path_type column of the Bridge table. The userspace datapath is used by
5177 DPDK and AF-XDP, and is selected as netdev in the datapath_type column
5178 of the Bridge table.
5179 A datapath of a particular type is shared by all the bridges that use
5181 that datapath. Thus, configurations applied to this table affect all
5182 bridges that use this datapath.
5183 Summary:
5185 datapath_version string
5186 ct_zones map of integer-CT_Zone pairs, key in
5187 range 0 to 65,535
5188 Capabilities:
5189 capabilities : max_vlan_headers
5190 optional string, containing an integer,
5191 at least 0
5192 capabilities : recirc optional string, either true or false
5193 capabilities : lb_output_action
5194 optional string, either true or false
5195 Connection-Tracking Capabilities:
5196 capabilities : ct_state optional string, either true or false
5197 capabilities : ct_state_nat
5198 optional string, either true or false
5199 capabilities : ct_zone optional string, either true or false
5200 capabilities : ct_mark optional string, either true or false
5201 capabilities : ct_label optional string, either true or false
5202 capabilities : ct_orig_tuple
5203 optional string, either true or false
5204 capabilities : ct_orig_tuple6
5205 optional string, either true or false
5206 capabilities : masked_set_action
5207 optional string, either true or false
5208 capabilities : tnl_push_pop
5209 optional string, either true or false
5210 capabilities : ufid optional string, either true or false
5211 capabilities : trunc optional string, either true or false
5212 capabilities : nd_ext optional string, either true or false
5213 Clone Actions:
5214 capabilities : clone optional string, either true or false
5215 capabilities : sample_nesting
5216 optional string, containing an integer,
5217 at least 0
5218 capabilities : ct_eventmask
5219 optional string, either true or false
5220 capabilities : ct_clear optional string, either true or false
5221 capabilities : max_hash_alg
5222 optional string, containing an integer,
5223 at least 0
5224 capabilities : check_pkt_len
5225 optional string, either true or false
5226 capabilities : ct_timeout optional string, either true or false
5227 capabilities : explicit_drop_action
5228 optional string, either true or false
5229 Common Columns:
5230 external_ids map of string-string pairs
5231 Details:
5233 datapath_version: string
5234 Reports the version number of the Open vSwitch datapath in use.
5235 This allows management software to detect and report discrepan‐
5236 cies between Open vSwitch userspace and datapath versions. (The
5237 ovs_version column in the Open_vSwitch reports the Open vSwitch
5238 userspace version.) The version reported depends on the datapath
5239 in use:
5240 · When the kernel module included in the Open vSwitch
5242 source tree is used, this column reports the Open vSwitch
5243 version from which the module was taken.
5244 · When the kernel module that is part of the upstream Linux
5246 kernel is used, this column reports <unknown>.
5247 · When the datapath is built into the ovs-vswitchd binary,
5249 this column reports <built-in>. A built-in datapath is by
5250 definition the same version as the rest of the Open
5251 vSwitch userspace.
5252 · Other datapaths (such as the Hyper-V kernel datapath)
5254 currently report <unknown>.
5255 A version discrepancy between ovs-vswitchd and the datapath in
5257 use is not normally cause for alarm. The Open vSwitch kernel
5258 datapaths for Linux and Hyper-V, in particular, are designed for
5259 maximum inter-version compatibility: any userspace version works
5260 with with any kernel version. Some reasons do exist to insist on
5261 particular user/kernel pairings. First, newer kernel versions
5262 add new features, that can only be used by new-enough userspace,
5263 e.g. VXLAN tunneling requires certain minimal userspace and ker‐
5264 nel versions. Second, as an extension to the first reason, some
5265 newer kernel versions add new features for enhancing performance
5266 that only new-enough userspace versions can take advantage of.
5267 ct_zones: map of integer-CT_Zone pairs, key in range 0 to 65,535
5269 Configuration for connection tracking zones. Each pair maps from
5270 a zone id to a configuration for that zone. Zone 0 applies to
5271 the default zone (ie, the one used if a zone is not specified in
5272 connection tracking-related OpenFlow matches and actions).
5273 Capabilities:
5275 The capabilities column reports a datapath’s features. For the netdev
5277 datapath, the capabilities are fixed for a given version of Open
5278 vSwitch because this datapath is built into the ovs-vswitchd binary.
5279 The Linux kernel and Windows and other datapaths, which are external to
5280 OVS userspace, can vary in version and capabilities independently from
5281 ovs-vswitchd.
5282 Some of these features indicate whether higher-level Open vSwitch fea‐
5284 tures are available. For example, OpenFlow features for connection-
5285 tracking are available only when capabilities:ct_state is true. A con‐
5286 troller that wishes to determine whether a feature is supported could,
5287 therefore, consult the relevant capabilities in this table. However, as
5288 a general rule, it is better for a controller to try to use the higher-
5289 level feature and use the result as an indication of support, since the
5290 low-level capabilities are more likely to shift over time than the
5291 high-level features that rely on them.
5292 capabilities : max_vlan_headers: optional string, containing an inte‐
5294 ger, at least 0
5295 Number of 802.1q VLAN headers supported by the datapath, as
5296 probed by the ovs-vswitchd slow path. If the datapath supports
5297 more VLAN headers than the slow path, this reports the slow
5298 path’s limit. The value of other-config:vlan-limit in the
5299 Open_vSwitch table does not influence the number reported here.
5300 capabilities : recirc: optional string, either true or false
5302 If this is true, then the datapath supports recirculation,
5303 specifically OVS_KEY_ATTR_RECIRC_ID. Recirculation enables
5304 higher performance for MPLS and active-active load balancing
5305 bonding modes.
5306 capabilities : lb_output_action: optional string, either true or false
5308 If this is true, then the datapath supports optimized balance-
5309 tcp bond mode. This capability replaces existing hash and recirc
5310 actions with new action lb_output and avoids recirculation of
5311 packet in datapath. It is supported only for balance-tcp bond
5312 mode in netdev datapath. The new action gives higer performance
5313 by using bond buckets instead of post recirculation flows for
5314 selection of slave port from bond. By default this new action is
5315 disabled, however it can be enabled by setting other-config:lb-
5316 output-action in Port table.
5317 Connection-Tracking Capabilities:
5319 These capabilities are granular because Open vSwitch and its datapaths
5321 added support for connection tracking over several releases, with fea‐
5322 tures added individually over that time.
5323 capabilities : ct_state: optional string, either true or false
5325 If true, datapath supports OVS_KEY_ATTR_CT_STATE, which indi‐
5326 cates support for the bits in the OpenFlow ct_state field (see
5327 ovs-fields(7)) other than snat and dnat, which have a separate
5328 capability.
5329 If this is false, the datapath does not support connection-
5331 tracking at all and the remaining connection-tracking capabili‐
5332 ties should all be false. In this case, Open vSwitch will reject
5333 flows that match on the ct_state field or use the ct action.
5334 capabilities : ct_state_nat: optional string, either true or false
5336 If true, it means that the datapath supports the snat and dnat
5337 flags in the OpenFlow ct_state field. The ct_state capability
5338 must be true for this to make sense.
5339 If false, Open vSwitch will reject flows that match on the snat
5341 or dnat bits in ct_state or use nat in the ct action.
5342 capabilities : ct_zone: optional string, either true or false
5344 If true, datapath supports OVS_KEY_ATTR_CT_ZONE. If false, Open
5345 vSwitch rejects flows that match on the ct_zone field or that
5346 specify a nonzero zone or a zone field on the ct action.
5347 capabilities : ct_mark: optional string, either true or false
5349 If true, datapath supports OVS_KEY_ATTR_CT_MARK. If false, Open
5350 vSwitch rejects flows that match on the ct_mark field or that
5351 set ct_mark in the ct action.
5352 capabilities : ct_label: optional string, either true or false
5354 If true, datapath supports OVS_KEY_ATTR_CT_LABEL. If false, Open
5355 vSwitch rejects flows that match on the ct_label field or that
5356 set ct_label in the ct action.
5357 capabilities : ct_orig_tuple: optional string, either true or false
5359 If true, the datapath supports matching the 5-tuple from the
5360 connection’s original direction for IPv4 traffic. If false, Open
5361 vSwitch rejects flows that match on ct_nw_src or ct_nw_dst, that
5362 use the ct feature of the resubmit action, or the force keyword
5363 in the ct action. (The latter isn’t tied to connection tracking
5364 support of original tuples in any technical way. They are con‐
5365 flated because all current datapaths implemented the two fea‐
5366 tures at the same time.)
5367 If this and capabilities:ct_orig_tuple6 are both false, Open
5369 vSwitch rejects flows that match on ct_nw_proto, ct_tp_src, or
5370 ct_tp_dst.
5371 capabilities : ct_orig_tuple6: optional string, either true or false
5373 If true, the datapath supports matching the 5-tuple from the
5374 connection’s original direction for IPv6 traffic. If false, Open
5375 vSwitch rejects flows that match on ct_ipv6_src or ct_ipv6_dst.
5376 capabilities : masked_set_action: optional string, either true or false
5378 True if the datapath supports masked data in OVS_ACTION_ATTR_SET
5379 actions. Masked data can improve performance by allowing
5380 megaflows to match on fewer fields.
5381 capabilities : tnl_push_pop: optional string, either true or false
5383 True if the datapath supports tnl_push and pop actions. This is
5384 a prerequisite for a datapath to support native tunneling.
5385 capabilities : ufid: optional string, either true or false
5387 True if the datapath supports OVS_FLOW_ATTR_UFID. UFID support
5388 improves revalidation performance by transferring less data
5389 between the slow path and the datapath.
5390 capabilities : trunc: optional string, either true or false
5392 True if the datapath supports OVS_ACTION_ATTR_TRUNC action. If
5393 false, the output action with packet truncation requires every
5394 packet to be sent to the Open vSwitch slow path, which is likely
5395 to make it too slow for mirroring traffic in bulk.
5396 capabilities : nd_ext: optional string, either true or false
5398 True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS to
5399 match on ICMPv6 "ND reserved" and "ND option type" header
5400 fields. If false, the datapath reports error if the feature is
5401 used.
5402 Clone Actions:
5404 When Open vSwitch translates actions from OpenFlow into the datapath
5406 representation, some of the datapath actions may modify the packet or
5407 have other side effects that later datapath actions can’t undo. The
5408 OpenFlow ct, meter, output with truncation, encap, decap, and
5409 dec_nsh_ttl actions fall into this category. Often, this is not a prob‐
5410 lem because nothing later on needs the original packet.
5411 Such actions can, however, occur in circumstances where the translation
5413 does require the original packet. For example, an OpenFlow output
5414 action might direct a packet to a patch port, which might in turn lead
5415 to a ct action that NATs the packet (which cannot be undone), and then
5416 afterward when control flow pops back across the patch port some other
5417 action might need to act on the original packet.
5418 Open vSwitch has two different ways to implement this ``save and
5420 restore’’ via datapath actions. These capabilities indicate which one
5421 Open vSwitch will choose. When neither is available, Open vSwitch sim‐
5422 ply fails in situations that require this feature.
5423 capabilities : clone: optional string, either true or false
5425 True if the datapath supports OVS_ACTION_ATTR_CLONE action. This
5426 is the preferred option for saving and restoring packets, since
5427 it is intended for the purpose, but old datapaths do not support
5428 it. Open vSwitch will use it whenever it is available.
5429 (The OpenFlow clone action does not always yield a
5431 OVS_ACTION_ATTR_CLONE action. It only does so when the datapath
5432 supports it and the clone brackets actions that otherwise cannot
5433 be undone.)
5434 capabilities : sample_nesting: optional string, containing an integer,
5436 at least 0
5437 Maximum level of nesting allowed by OVS_ACTION_ATTR_SAMPLE
5438 action. Open vSwitch misuses this action for saving and restor‐
5439 ing packets when the datapath supports more than 3 levels of
5440 nesting and OVS_ACTION_ATTR_CLONE is not available.
5441 capabilities : ct_eventmask: optional string, either true or false
5443 True if the datapath’s OVS_ACTION_ATTR_CT action implements the
5444 OVS_CT_ATTR_EVENTMASK attribute. When this is true, Open vSwitch
5445 uses the event mask feature to limit the kinds of events
5446 reported to conntrack update listeners. When Open vSwitch
5447 doesn’t limit the event mask, listeners receive reports of
5448 numerous usually unimportant events, such as TCP state machine
5449 changes, which can waste CPU time.
5450 capabilities : ct_clear: optional string, either true or false
5452 True if the datapath supports OVS_ACTION_ATTR_CT_CLEAR action.
5453 If false, the OpenFlow ct_clear action has no effect on the
5454 datapath.
5455 capabilities : max_hash_alg: optional string, containing an integer, at
5457 least 0
5458 Highest supported dp_hash algorithm. This allows Open vSwitch to
5459 avoid requesting a packet hash that the datapath does not sup‐
5460 port.
5461 capabilities : check_pkt_len: optional string, either true or false
5463 True if the datapath supports OVS_ACTION_ATTR_CHECK_PKT_LEN. If
5464 false, Open vSwitch implements the check_pkt_larger action by
5465 sending every packet through the Open vSwitch slow path, which
5466 is likely to make it too slow for handling traffic in bulk.
5467 capabilities : ct_timeout: optional string, either true or false
5469 True if the datapath supports OVS_CT_ATTR_TIMEOUT in the
5470 OVS_ACTION_ATTR_CT action. If false, Open vswitch cannot imple‐
5471 ment timeout policies based on connection tracking zones, as
5472 configured through the CT_Timeout_Policy table.
5473 capabilities : explicit_drop_action: optional string, either true or
5475 false
5476 True if the datapath supports OVS_ACTION_ATTR_DROP. If false,
5477 explicit drop action will not be sent to the datapath.
5478 Common Columns:
5480 The overall purpose of these columns is described under Common Columns
5482 at the beginning of this document.
5483 external_ids: map of string-string pairs
5485
5487 Connection tracking zone configuration
5488 Summary:
5490 timeout_policy optional CT_Timeout_Policy
5491 Common Columns:
5492 external_ids map of string-string pairs
5493 Details:
5495 timeout_policy: optional CT_Timeout_Policy
5496 Connection tracking timeout policy for this zone. If a timeout
5497 policy is not specified, it defaults to the timeout policy in
5498 the system.
5499 Common Columns:
5501 The overall purpose of these columns is described under Common Columns
5503 at the beginning of this document.
5504 external_ids: map of string-string pairs
5506
5508 Connection tracking timeout policy configuration
5509 Summary:
5511 Timeouts:
5512 timeouts map of string-integer pairs, key one of
5513 icmp_first, icmp_reply, tcp_close,
5514 tcp_close_wait, tcp_established,
5515 tcp_fin_wait, tcp_last_ack, tcp_retrans‐
5516 mit, tcp_syn_recv, tcp_syn_sent2,
5517 tcp_syn_sent, tcp_time_wait, tcp_unack,
5518 udp_first, udp_multiple, or udp_single,
5519 value in range 0 to 4,294,967,295
5520 TCP Timeouts:
5521 timeouts : tcp_syn_sent optional integer, in range 0 to
5522 4,294,967,295
5523 timeouts : tcp_syn_recv optional integer, in range 0 to
5524 4,294,967,295
5525 timeouts : tcp_established
5526 optional integer, in range 0 to
5527 4,294,967,295
5528 timeouts : tcp_fin_wait optional integer, in range 0 to
5529 4,294,967,295
5530 timeouts : tcp_close_wait
5531 optional integer, in range 0 to
5532 4,294,967,295
5533 timeouts : tcp_last_ack optional integer, in range 0 to
5534 4,294,967,295
5535 timeouts : tcp_time_wait optional integer, in range 0 to
5536 4,294,967,295
5537 timeouts : tcp_close optional integer, in range 0 to
5538 4,294,967,295
5539 timeouts : tcp_syn_sent2 optional integer, in range 0 to
5540 4,294,967,295
5541 timeouts : tcp_retransmit
5542 optional integer, in range 0 to
5543 4,294,967,295
5544 timeouts : tcp_unack optional integer, in range 0 to
5545 4,294,967,295
5546 UDP Timeouts:
5547 timeouts : udp_first optional integer, in range 0 to
5548 4,294,967,295
5549 timeouts : udp_single optional integer, in range 0 to
5550 4,294,967,295
5551 timeouts : udp_multiple optional integer, in range 0 to
5552 4,294,967,295
5553 ICMP Timeouts:
5554 timeouts : icmp_first optional integer, in range 0 to
5555 4,294,967,295
5556 timeouts : icmp_reply optional integer, in range 0 to
5557 4,294,967,295
5558 Common Columns:
5559 external_ids map of string-string pairs
5560 Details:
5562 Timeouts:
5563 timeouts: map of string-integer pairs, key one of icmp_first,
5565 icmp_reply, tcp_close, tcp_close_wait, tcp_established, tcp_fin_wait,
5566 tcp_last_ack, tcp_retransmit, tcp_syn_recv, tcp_syn_sent2,
5567 tcp_syn_sent, tcp_time_wait, tcp_unack, udp_first, udp_multiple, or
5568 udp_single, value in range 0 to 4,294,967,295
5569 The timeouts column contains key-value pairs used to configure
5570 connection tracking timeouts in a datapath. Key-value pairs that
5571 are not supported by a datapath are ignored. The timeout value
5572 is in seconds.
5573 TCP Timeouts:
5575 timeouts : tcp_syn_sent: optional integer, in range 0 to 4,294,967,295
5577 The timeout for the connection after the first TCP SYN packet
5578 has been seen by conntrack.
5579 timeouts : tcp_syn_recv: optional integer, in range 0 to 4,294,967,295
5581 The timeout of the connection after the first TCP SYN-ACK packet
5582 has been seen by conntrack.
5583 timeouts : tcp_established: optional integer, in range 0 to
5585 4,294,967,295
5586 The timeout of the connection after the connection has been
5587 fully established.
5588 timeouts : tcp_fin_wait: optional integer, in range 0 to 4,294,967,295
5590 The timeout of the connection after the first TCP FIN packet has
5591 been seen by conntrack.
5592 timeouts : tcp_close_wait: optional integer, in range 0 to
5594 4,294,967,295
5595 The timeout of the connection after the first TCP ACK packet has
5596 been seen after it receives TCP FIN packet. This timeout is only
5597 supported by the Linux kernel datapath.
5598 timeouts : tcp_last_ack: optional integer, in range 0 to 4,294,967,295
5600 The timeout of the connection after TCP FIN packets have been
5601 seen by conntrack from both directions. This timeout is only
5602 supported by the Linux kernel datapath.
5603 timeouts : tcp_time_wait: optional integer, in range 0 to 4,294,967,295
5605 The timeout of the connection after conntrack has seen the TCP
5606 ACK packet for the second TCP FIN packet.
5607 timeouts : tcp_close: optional integer, in range 0 to 4,294,967,295
5609 The timeout of the connection after the first TCP RST packet has
5610 been seen by conntrack.
5611 timeouts : tcp_syn_sent2: optional integer, in range 0 to 4,294,967,295
5613 The timeout of the connection when only a TCP SYN packet has
5614 been seen by conntrack from both directions (simultaneous open).
5615 This timeout is only supported by the Linux kernel datapath.
5616 timeouts : tcp_retransmit: optional integer, in range 0 to
5618 4,294,967,295
5619 The timeout of the connection when it exceeds the maximum number
5620 of retransmissions. This timeout is only supported by the Linux
5621 kernel datapath.
5622 timeouts : tcp_unack: optional integer, in range 0 to 4,294,967,295
5624 The timeout of the connection when non-SYN packets create an
5625 established connection in TCP loose tracking mode. This timeout
5626 is only supported by the Linux kernel datapath.
5627 UDP Timeouts:
5629 timeouts : udp_first: optional integer, in range 0 to 4,294,967,295
5631 The timeout of the connection after the first UDP packet has
5632 been seen by conntrack. This timeout is only supported by the
5633 userspace datapath.
5634 timeouts : udp_single: optional integer, in range 0 to 4,294,967,295
5636 The timeout of the connection when conntrack only seen UDP
5637 packet from the source host, but the destination host has never
5638 sent one back.
5639 timeouts : udp_multiple: optional integer, in range 0 to 4,294,967,295
5641 The timeout of the connection when UDP packets have been seen in
5642 both directions.
5643 ICMP Timeouts:
5645 timeouts : icmp_first: optional integer, in range 0 to 4,294,967,295
5647 The timeout of the connection after the first ICMP packet has
5648 been seen by conntrack.
5649 timeouts : icmp_reply: optional integer, in range 0 to 4,294,967,295
5651 The timeout of the connection when ICMP packets have been seen
5652 in both direction. This timeout is only supported by the
5653 userspace datapath.
5654 Common Columns:
5656 The overall purpose of these columns is described under Common Columns
5658 at the beginning of this document.
5659 external_ids: map of string-string pairs
5661
5663 SSL configuration for an Open_vSwitch.
5664 Summary:
5666 private_key string
5667 certificate string
5668 ca_cert string
5669 bootstrap_ca_cert boolean
5670 Common Columns:
5671 external_ids map of string-string pairs
5672 Details:
5674 private_key: string
5675 Name of a PEM file containing the private key used as the
5676 switch’s identity for SSL connections to the controller.
5677 certificate: string
5679 Name of a PEM file containing a certificate, signed by the cer‐
5680 tificate authority (CA) used by the controller and manager, that
5681 certifies the switch’s private key, identifying a trustworthy
5682 switch.
5683 ca_cert: string
5685 Name of a PEM file containing the CA certificate used to verify
5686 that the switch is connected to a trustworthy controller.
5687 bootstrap_ca_cert: boolean
5689 If set to true, then Open vSwitch will attempt to obtain the CA
5690 certificate from the controller on its first SSL connection and
5691 save it to the named PEM file. If it is successful, it will
5692 immediately drop the connection and reconnect, and from then on
5693 all SSL connections must be authenticated by a certificate
5694 signed by the CA certificate thus obtained. This option exposes
5695 the SSL connection to a man-in-the-middle attack obtaining the
5696 initial CA certificate. It may still be useful for bootstrap‐
5697 ping.
5698 Common Columns:
5700 The overall purpose of these columns is described under Common Columns
5702 at the beginning of this document.
5703 external_ids: map of string-string pairs
5705
5707 A set of sFlow(R) targets. sFlow is a protocol for remote monitoring of
5708 switches.
5709 Summary:
5711 agent optional string
5712 header optional integer
5713 polling optional integer
5714 sampling optional integer
5715 targets set of 1 or more strings
5716 Common Columns:
5717 external_ids map of string-string pairs
5718 Details:
5720 agent: optional string
5721 Determines the agent address, that is, the IP address reported
5722 to collectors as the source of the sFlow data. It may be an IP
5723 address or the name of a network device. In the latter case, the
5724 network device’s IP address is used,
5725 If not specified, the agent device is figured from the first
5727 target address and the routing table. If the routing table does
5728 not contain a route to the target, the IP address defaults to
5729 the local_ip in the collector’s Controller.
5730 If an agent IP address cannot be determined, sFlow is disabled.
5732 header: optional integer
5734 Number of bytes of a sampled packet to send to the collector. If
5735 not specified, the default is 128 bytes.
5736 polling: optional integer
5738 Polling rate in seconds to send port statistics to the collec‐
5739 tor. If not specified, defaults to 30 seconds.
5740 sampling: optional integer
5742 Rate at which packets should be sampled and sent to the collec‐
5743 tor. If not specified, defaults to 400, which means one out of
5744 400 packets, on average, will be sent to the collector.
5745 targets: set of 1 or more strings
5747 sFlow targets in the form ip:port.
5748 Common Columns:
5750 The overall purpose of these columns is described under Common Columns
5752 at the beginning of this document.
5753 external_ids: map of string-string pairs
5755
5757 Configuration for sending packets to IPFIX collectors.
5758 IPFIX is a protocol that exports a number of details about flows. The
5760 IPFIX implementation in Open vSwitch samples packets at a configurable
5761 rate, extracts flow information from those packets, optionally caches
5762 and aggregates the flow information, and sends the result to one or
5763 more collectors.
5764 IPFIX in Open vSwitch can be configured two different ways:
5766 · With per-bridge sampling, Open vSwitch performs IPFIX
5768 sampling automatically on all packets that pass through a
5769 bridge. To configure per-bridge sampling, create an IPFIX
5770 record and point a Bridge table’s ipfix column to it. The
5771 Flow_Sample_Collector_Set table is not used for per-
5772 bridge sampling.
5773 · With flow-based sampling, sample actions in the OpenFlow
5775 flow table drive IPFIX sampling. See ovs-actions(7) for a
5776 description of the sample action.
5777 Flow-based sampling also requires database configuration:
5779 create a IPFIX record that describes the IPFIX configura‐
5780 tion and a Flow_Sample_Collector_Set record that points
5781 to the Bridge whose flow table holds the sample actions
5782 and to IPFIX record. The ipfix in the Bridge table is not
5783 used for flow-based sampling.
5784 Summary:
5786 targets set of strings
5787 cache_active_timeout optional integer, in range 0 to 4,200
5788 cache_max_flows optional integer, in range 0 to
5789 4,294,967,295
5790 other_config : enable-tunnel-sampling
5791 optional string, either true or false
5792 other_config : virtual_obs_id optional string
5793 Per-Bridge Sampling:
5794 sampling optional integer, in range 1 to
5795 4,294,967,295
5796 obs_domain_id optional integer, in range 0 to
5797 4,294,967,295
5798 obs_point_id optional integer, in range 0 to
5799 4,294,967,295
5800 other_config : enable-input-sampling
5801 optional string, either true or false
5802 other_config : enable-output-sampling
5803 optional string, either true or false
5804 Common Columns:
5805 external_ids map of string-string pairs
5806 Details:
5808 targets: set of strings
5809 IPFIX target collectors in the form ip:port.
5810 cache_active_timeout: optional integer, in range 0 to 4,200
5812 The maximum period in seconds for which an IPFIX flow record is
5813 cached and aggregated before being sent. If not specified,
5814 defaults to 0. If 0, caching is disabled.
5815 cache_max_flows: optional integer, in range 0 to 4,294,967,295
5817 The maximum number of IPFIX flow records that can be cached at a
5818 time. If not specified, defaults to 0. If 0, caching is dis‐
5819 abled.
5820 other_config : enable-tunnel-sampling: optional string, either true or
5822 false
5823 Set to true to enable sampling and reporting tunnel header
5824 7-tuples in IPFIX flow records. Tunnel sampling is enabled by
5825 default.
5826 The following enterprise entities report the sampled tunnel
5828 info:
5829 tunnelType:
5831 ID: 891, and enterprise ID 6876 (VMware).
5832 type: unsigned 8-bit integer.
5834 data type semantics: identifier.
5836 description: Identifier of the layer 2 network overlay
5838 network encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03
5839 LISP, 0x07 GENEVE.
5840 tunnelKey:
5842 ID: 892, and enterprise ID 6876 (VMware).
5843 type: variable-length octetarray.
5845 data type semantics: identifier.
5847 description: Key which is used for identifying an indi‐
5849 vidual traffic flow within a VxLAN (24-bit VNI), GENEVE
5850 (24-bit VNI), GRE (32-bit key), or LISP (24-bit instance
5851 ID) tunnel. The key is encoded in this octetarray as a
5852 3-, 4-, or 8-byte integer ID in network byte order.
5853 tunnelSourceIPv4Address:
5855 ID: 893, and enterprise ID 6876 (VMware).
5856 type: unsigned 32-bit integer.
5858 data type semantics: identifier.
5860 description: The IPv4 source address in the tunnel IP
5862 packet header.
5863 tunnelDestinationIPv4Address:
5865 ID: 894, and enterprise ID 6876 (VMware).
5866 type: unsigned 32-bit integer.
5868 data type semantics: identifier.
5870 description: The IPv4 destination address in the tunnel
5872 IP packet header.
5873 tunnelProtocolIdentifier:
5875 ID: 895, and enterprise ID 6876 (VMware).
5876 type: unsigned 8-bit integer.
5878 data type semantics: identifier.
5880 description: The value of the protocol number in the tun‐
5882 nel IP packet header. The protocol number identifies the
5883 tunnel IP packet payload type.
5884 tunnelSourceTransportPort:
5886 ID: 896, and enterprise ID 6876 (VMware).
5887 type: unsigned 16-bit integer.
5889 data type semantics: identifier.
5891 description: The source port identifier in the tunnel
5893 transport header. For the transport protocols UDP, TCP,
5894 and SCTP, this is the source port number given in the
5895 respective header.
5896 tunnelDestinationTransportPort:
5898 ID: 897, and enterprise ID 6876 (VMware).
5899 type: unsigned 16-bit integer.
5901 data type semantics: identifier.
5903 description: The destination port identifier in the tun‐
5905 nel transport header. For the transport protocols UDP,
5906 TCP, and SCTP, this is the destination port number given
5907 in the respective header.
5908 Before Open vSwitch 2.5.90, other_config:enable-tunnel-sampling
5910 was only supported with per-bridge sampling, and ignored other‐
5911 wise. Open vSwitch 2.5.90 and later support other_config:enable-
5912 tunnel-sampling for per-bridge and per-flow sampling.
5913 other_config : virtual_obs_id: optional string
5915 A string that accompanies each IPFIX flow record. Its intended
5916 use is for the ``virtual observation ID,’’ an identifier of a
5917 virtual observation point that is locally unique in a virtual
5918 network. It describes a location in the virtual network where IP
5919 packets can be observed. The maximum length is 254 bytes. If not
5920 specified, the field is omitted from the IPFIX flow record.
5921 The following enterprise entity reports the specified virtual
5923 observation ID:
5924 virtualObsID:
5926 ID: 898, and enterprise ID 6876 (VMware).
5927 type: variable-length string.
5929 data type semantics: identifier.
5931 description: A virtual observation domain ID that is
5933 locally unique in a virtual network.
5934 This feature was introduced in Open vSwitch 2.5.90.
5936 Per-Bridge Sampling:
5938 These values affect only per-bridge sampling. See above for a descrip‐
5940 tion of the differences between per-bridge and flow-based sampling.
5941 sampling: optional integer, in range 1 to 4,294,967,295
5943 The rate at which packets should be sampled and sent to each
5944 target collector. If not specified, defaults to 400, which means
5945 one out of 400 packets, on average, will be sent to each target
5946 collector.
5947 obs_domain_id: optional integer, in range 0 to 4,294,967,295
5949 The IPFIX Observation Domain ID sent in each IPFIX packet. If
5950 not specified, defaults to 0.
5951 obs_point_id: optional integer, in range 0 to 4,294,967,295
5953 The IPFIX Observation Point ID sent in each IPFIX flow record.
5954 If not specified, defaults to 0.
5955 other_config : enable-input-sampling: optional string, either true or
5957 false
5958 By default, Open vSwitch samples and reports flows at bridge
5959 port input in IPFIX flow records. Set this column to false to
5960 disable input sampling.
5961 other_config : enable-output-sampling: optional string, either true or
5963 false
5964 By default, Open vSwitch samples and reports flows at bridge
5965 port output in IPFIX flow records. Set this column to false to
5966 disable output sampling.
5967 Common Columns:
5969 The overall purpose of these columns is described under Common Columns
5971 at the beginning of this document.
5972 external_ids: map of string-string pairs
5974
5976 A set of IPFIX collectors of packet samples generated by OpenFlow sam‐
5977 ple actions. This table is used only for IPFIX flow-based sampling, not
5978 for per-bridge sampling (see the IPFIX table for a description of the
5979 two forms).
5980 Summary:
5982 id integer, in range 0 to 4,294,967,295
5983 bridge Bridge
5984 ipfix optional IPFIX
5985 Common Columns:
5986 external_ids map of string-string pairs
5987 Details:
5989 id: integer, in range 0 to 4,294,967,295
5990 The ID of this collector set, unique among the bridge’s collec‐
5991 tor sets, to be used as the collector_set_id in OpenFlow sample
5992 actions.
5993 bridge: Bridge
5995 The bridge into which OpenFlow sample actions can be added to
5996 send packet samples to this set of IPFIX collectors.
5997 ipfix: optional IPFIX
5999 Configuration of the set of IPFIX collectors to send one flow
6000 record per sampled packet to.
6001 Common Columns:
6003 The overall purpose of these columns is described under Common Columns
6005 at the beginning of this document.
6006 external_ids: map of string-string pairs
6008
6010 Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM
6011 draft standard describes a compact method of using IEEE 802.1AB Link
6012 Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
6013 Path Bridging (SPB) network to automatically attach network devices to
6014 individual services in a SPB network. The intent here is to allow net‐
6015 work applications and devices using OVS to be able to easily take
6016 advantage of features offered by industry standard SPB networks.
6017 Auto Attach (AA) uses LLDP to communicate between a directly connected
6019 Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP proto‐
6020 col is extended to add two new Type-Length-Value tuples (TLVs). The
6021 first new TLV supports the ongoing discovery of directly connected AA
6022 correspondents. Auto Attach operates by regularly transmitting AA dis‐
6023 covery TLVs between the AA client and AA server. By exchanging these
6024 discovery messages, both the AAC and AAS learn the system name and sys‐
6025 tem description of their peer. In the OVS context, OVS operates as the
6026 AA client and the AA server resides on a switch at the edge of the SPB
6027 network.
6028 Once AA discovery has been completed the AAC then uses the second new
6030 TLV to deliver identifier mappings from the AAC to the AAS. A primary
6031 feature of Auto Attach is to facilitate the mapping of VLANs defined
6032 outside the SPB network onto service ids (ISIDs) defined within the SPM
6033 network. By doing so individual external VLANs can be mapped onto spe‐
6034 cific SPB network services. These VLAN id to ISID mappings can be con‐
6035 figured and managed locally using new options added to the ovs-vsctl
6036 command.
6037 The Auto Attach OVS feature does not provide a full implementation of
6039 the LLDP protocol. Support for the mandatory TLVs as defined by the
6040 LLDP standard and support for the AA TLV extensions is provided. LLDP
6041 protocol support in OVS can be enabled or disabled on a port by port
6042 basis. LLDP support is disabled by default.
6043 Summary:
6045 system_name string
6046 system_description string
6047 mappings map of integer-integer pairs, key in
6048 range 0 to 16,777,215, value in range 0
6049 to 4,095
6050 Details:
6052 system_name: string
6053 The system_name string is exported in LLDP messages. It should
6054 uniquely identify the bridge in the network.
6055 system_description: string
6057 The system_description string is exported in LLDP messages. It
6058 should describe the type of software and hardware.
6059 mappings: map of integer-integer pairs, key in range 0 to 16,777,215,
6061 value in range 0 to 4,095
6062 A mapping from SPB network Individual Service Identifier (ISID)
6063 to VLAN id.
6064Open vSwitch 2.15.0 DB Schema 8.2.0 ovs-vswitchd.conf.db(5)