ovn-nb(5)                     Open vSwitch Manual                     ovn-nb(5)

NAME
  ovn-nb - OVN_Northbound database schema

  This database is the interface between OVN and the cloud management system (CMS), such as OpenStack, running above it. The CMS produces almost all of the contents of the database. The ovn-northd program monitors the database contents, transforms it, and stores it into the OVN_Southbound database.

  We generally speak of ``the'' CMS, but one can imagine scenarios in which multiple CMSes manage different parts of an OVN deployment.

  External IDs
    Each of the tables in this database contains a special column, named external_ids. This column has the same form and purpose each place it appears.

    external_ids: map of string-string pairs
      Key-value pairs for use by the CMS. The CMS might use certain pairs, for example, to identify entities in its own configuration that correspond to those in this database.

TABLE SUMMARY
  The following list summarizes the purpose of each of the tables in the OVN_Northbound database. Each table is described in more detail on a later page.

  Table                        Purpose
  NB_Global                    Northbound configuration
  Logical_Switch               L2 logical switch
  Logical_Switch_Port          L2 logical switch port
  Forwarding_Group             forwarding group
  Address_Set                  Address Sets
  Port_Group                   Port Groups
  Load_Balancer                load balancer
  Load_Balancer_Health_Check   load balancer
  ACL                          Access Control List (ACL) rule
  Logical_Router               L3 logical router
  QoS                          QoS rule
  Meter                        Meter entry
  Meter_Band                   Band for meter entries
  Logical_Router_Port          L3 logical router port
  Logical_Router_Static_Route  Logical router static routes
  Logical_Router_Policy        Logical router policies
  NAT                          NAT rules
  DHCP_Options                 DHCP options
  Connection                   OVSDB client connections.
  DNS                          Native DNS resolution
  SSL                          SSL configuration.
  Gateway_Chassis              Gateway_Chassis configuration.
  HA_Chassis_Group             HA_Chassis_Group configuration.
  HA_Chassis                   HA_Chassis configuration.
  BFD                          BFD configuration.

NB_Global TABLE
  Northbound configuration for an OVN system. This table must have exactly one row.

  Summary:
    Identity:
      name                             string
    Status:
      nb_cfg                           integer
      nb_cfg_timestamp                 integer
      sb_cfg                           integer
      sb_cfg_timestamp                 integer
      hv_cfg                           integer
      hv_cfg_timestamp                 integer
    Common Columns:
      external_ids                     map of string-string pairs
    Common options:
      options                          map of string-string pairs
    Options for configuring OVS BFD:
      options : bfd-min-rx             optional string
      options : bfd-decay-min-rx       optional string
      options : bfd-min-tx             optional string
      options : bfd-mult               optional string
      options : mac_prefix             optional string
      options : controller_event       optional string, either true or false
      options : northd_probe_interval  optional string
      options : use_logical_dp_groups  optional string
      options : ignore_lsp_down        optional string
      options : use_ct_inv_match       optional string
    Options for configuring interconnection route advertisement:
      options : ic-route-adv           optional string
      options : ic-route-learn         optional string
      options : ic-route-adv-default   optional string
      options : ic-route-learn-default optional string
      options : ic-route-blacklist     optional string
    Connection Options:
      connections                      set of Connections
      ssl                              optional SSL
    Security Configurations:
      ipsec                            boolean
    Read-only Options:
      options : max_tunid              optional string

  Details:
    Identity:

      name: string
        The name of the OVN cluster, which uniquely identifies the OVN cluster throughout all OVN clusters supposed to interconnect with each other.

    Status:

      These columns allow a client to track the overall configuration state of the system.

      nb_cfg: integer
        Sequence number for the client to increment. When a client modifies any part of the northbound database configuration and wishes to wait for ovn-northd and possibly all of the hypervisors to finish applying the changes, it may increment this sequence number.

      nb_cfg_timestamp: integer
        The timestamp, in milliseconds since the epoch, when ovn-northd sees the latest nb_cfg and starts processing.

        To print the timestamp as a human-readable date (the sed strips the last three digits, converting milliseconds to seconds):

          date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"

      sb_cfg: integer
        Sequence number that ovn-northd sets to the value of nb_cfg after it finishes applying the corresponding configuration changes to the OVN_Southbound database.

      sb_cfg_timestamp: integer
        The timestamp, in milliseconds since the epoch, when ovn-northd finishes applying the corresponding configuration changes to the OVN_Southbound database successfully.

      hv_cfg: integer
        Sequence number that ovn-northd sets to the smallest sequence number of all the chassis in the system, as reported in the Chassis_Private table in the southbound database. Thus, hv_cfg equals nb_cfg if all chassis are caught up with the northbound configuration (which may never happen, if any chassis is down). This value can regress, if a chassis was removed from the system and rejoins before catching up.

        If there are no chassis, then ovn-northd copies nb_cfg to hv_cfg. Thus, in this case, the (nonexistent) hypervisors are always considered to be caught up. This means that hypervisors can be "caught up" even in cases where sb_cfg would show that the southbound database is not. To detect when both the hypervisors and the southbound database are caught up, a client should take the smaller of sb_cfg and hv_cfg.

      hv_cfg_timestamp: integer
        The largest timestamp, in milliseconds since the epoch, of the smallest sequence number of all the chassis in the system, as reported in the Chassis_Private table in the southbound database. In other words, this timestamp reflects the time when the slowest chassis catches up with the northbound configuration, which is useful for end-to-end control plane latency measurement.

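The status columns above are meant to be read together: a client bumps nb_cfg, then waits until min(sb_cfg, hv_cfg) reaches that value, and the two timestamps give the control-plane latency. The following is an added example (not OVN code) that applies those rules to NB_Global values already fetched into Python; the two sample rows are constructed, and the timestamp conversion is the same millisecond-to-second truncation the date/sed command performs.

```python
"""Track whether an NB_Global configuration change has been fully applied.

Added example, not part of the OVN manual or project. The NbGlobalStatus
values below are constructed, not read from a live database.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class NbGlobalStatus:
    """Status columns of the single NB_Global row."""
    nb_cfg: int
    nb_cfg_timestamp: int   # milliseconds since the epoch
    sb_cfg: int
    sb_cfg_timestamp: int
    hv_cfg: int
    hv_cfg_timestamp: int


def applied_cfg(status: NbGlobalStatus) -> int:
    """Sequence number that both ovn-northd and every chassis have reached.

    hv_cfg alone is not enough: with no chassis registered it is simply a
    copy of nb_cfg, so the manual says to take the smaller of sb_cfg and
    hv_cfg.
    """
    return min(status.sb_cfg, status.hv_cfg)


def is_caught_up(status: NbGlobalStatus, wanted: int) -> bool:
    """True once the change a client tagged with nb_cfg == wanted is applied.

    Uses >= rather than == because hv_cfg can regress when a chassis leaves
    and rejoins, and a later client increment may already have passed
    `wanted`.
    """
    return applied_cfg(status) >= wanted


def control_plane_latency_ms(status: NbGlobalStatus) -> Optional[int]:
    """End-to-end latency: when the slowest chassis caught up minus when
    ovn-northd started processing. None while any chassis still lags."""
    if status.hv_cfg < status.nb_cfg:
        return None
    return status.hv_cfg_timestamp - status.nb_cfg_timestamp


def timestamp_to_iso(ms: int) -> str:
    """Same conversion as `date -d "@$(... | sed 's/...$//')"`: drop the
    millisecond digits and format the result as a UTC date."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).isoformat()


# Constructed sample: a client bumped nb_cfg to 42; ovn-northd has finished
# (sb_cfg == 42) but the slowest chassis is still on 41.
IN_PROGRESS = NbGlobalStatus(
    nb_cfg=42, nb_cfg_timestamp=1_700_000_000_000,
    sb_cfg=42, sb_cfg_timestamp=1_700_000_000_150,
    hv_cfg=41, hv_cfg_timestamp=1_700_000_000_100,
)
# Constructed sample: every chassis caught up 500 ms after northd started.
DONE = NbGlobalStatus(
    nb_cfg=42, nb_cfg_timestamp=1_700_000_000_000,
    sb_cfg=42, sb_cfg_timestamp=1_700_000_000_150,
    hv_cfg=42, hv_cfg_timestamp=1_700_000_000_500,
)

if __name__ == "__main__":
    for label, status in (("in progress", IN_PROGRESS), ("done", DONE)):
        print(label, "caught up:", is_caught_up(status, 42),
              "latency ms:", control_plane_latency_ms(status),
              "started:", timestamp_to_iso(status.nb_cfg_timestamp))
```

In a real client the three counters would be read from the NB_Global row after each poll; the point of applied_cfg is that neither sb_cfg nor hv_cfg is sufficient on its own.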
    Common Columns:

      external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

    Common options:

      options: map of string-string pairs
        This column provides general key/value settings. The supported options are described individually below.

    Options for configuring OVS BFD:

      These options apply when ovn-controller configures OVS BFD on tunnel interfaces. Please note these parameters refer to the legacy OVS BFD implementation and not to the OVN BFD one.

      options : bfd-min-rx: optional string
        BFD option min-rx value to use when configuring BFD on tunnel interfaces.

      options : bfd-decay-min-rx: optional string
        BFD option decay-min-rx value to use when configuring BFD on tunnel interfaces.

      options : bfd-min-tx: optional string
        BFD option min-tx value to use when configuring BFD on tunnel interfaces.

      options : bfd-mult: optional string
        BFD option mult value to use when configuring BFD on tunnel interfaces.

      options : mac_prefix: optional string
        Configure a given OUI to be used as prefix when an L2 address is dynamically assigned, e.g. 00:11:22.

      options : controller_event: optional string, either true or false
        Value set by the CMS to enable/disable ovn-controller event reporting. Traffic into OVS can raise a 'controller' event that results in a Controller_Event being written to the Controller_Event table in SBDB. When the CMS has seen the event and taken appropriate action, it can remove the corresponding row in the Controller_Event table. The intention is for a CMS to see the events and take some sort of action. Please see the Controller_Event table in SBDB. It is possible to associate a meter to each controller event type in order to not overload the pinctrl thread under heavy load. Each event type relies on a meter with a defined name:

        • empty_lb_backends: event-elb

      options : northd_probe_interval: optional string
        The inactivity probe interval of the connection to the OVN Northbound and Southbound databases from ovn-northd, in milliseconds. If the value is zero, it disables the connection keepalive feature.

        If the value is nonzero, then it will be forced to a value of at least 1000 ms.

      options : use_logical_dp_groups: optional string
        If set to true, ovn-northd will combine logical flows that differ only by logical datapath into a single logical flow with a logical datapath group attached.

        While this should significantly reduce the number of logical flows stored in the Southbound database, it could also increase processing complexity on the ovn-controller side, e.g., ovn-controller will re-consider a logical flow for all logical datapaths in a group. If the option is set to false, there will be a separate logical flow per logical datapath and only this flow will be re-considered.

        The default value is false.

      options : ignore_lsp_down: optional string
        If set to false, ARP/ND reply flows for logical switch ports will be installed only if the port is up, i.e. claimed by a Chassis. If set to true, these flows are installed regardless of the status of the port, which can result in a situation where an ARP request to an IP is resolved even before the relevant VM/container is running. For environments where this is not an issue, setting it to true can reduce the load and latency of the control plane. The default value is false.

      options : use_ct_inv_match: optional string
        If set to false, ovn-northd will not use the ct.inv field in any of the logical flow matches. The default value is true. If the NIC supports offloading OVS datapath flows but doesn't support offloading the ct_state inv flag, then the datapath flows matching on this flag (either +inv or -inv) will not be offloaded. The CMS should consider setting use_ct_inv_match to false in such cases. This has the side effect that invalid packets get delivered to the destination VIF, where OVN would otherwise have dropped them.

    Options for configuring interconnection route advertisement:

      These options control how routes are advertised between OVN deployments for interconnection. If enabled, ovn-ic from different OVN deployments exchanges routes between each other through the global OVN_IC_Southbound database. Only routers with ports connected to interconnection transit switches participate in route advertisement. For each of these routers, there are two types of routes to be advertised:

      Firstly, the static routes configured in the router are advertised.

      Secondly, the networks configured in the logical router ports that are not on the transit switches are advertised. These are considered as directly connected subnets on the router.

      Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10) are never advertised.

      The learned routes are added to the static_routes column of the Logical_Router table, with external_ids:ic-learned-route set to the uuid of the row in the Route table of the OVN_IC_Southbound database.

      options : ic-route-adv: optional string
        A boolean value that enables route advertisement to the global OVN_IC_Southbound database. Default is false.

      options : ic-route-learn: optional string
        A boolean value that enables route learning from the global OVN_IC_Southbound database. Default is false.

      options : ic-route-adv-default: optional string
        A boolean value that enables advertising the default route to the global OVN_IC_Southbound database. Default is false. This option takes effect only when option ic-route-adv is true.

      options : ic-route-learn-default: optional string
        A boolean value that enables learning the default route from the global OVN_IC_Southbound database. Default is false. This option takes effect only when option ic-route-learn is true.

      options : ic-route-blacklist: optional string
        A string value containing a list of CIDRs delimited by ",". A route will not be advertised or learned if the route's prefix belongs to any of the CIDRs listed.

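The advertisement rules above (static routes plus directly connected subnets, minus link-local prefixes, minus the default route unless ic-route-adv-default is set, minus anything inside ic-route-blacklist) are easy to get wrong when reviewing an interconnection setup. The following added example, which is not ovn-ic's implementation, applies them to constructed router data. It assumes the caller already knows which router ports face a transit switch and passes them as a set; the router port names, prefixes and options below are made up.

```python
"""Compute the routes an OVN router would advertise for interconnection
under the ic-route-* options of NB_Global.

Added example, not ovn-ic's code. Which router ports face a transit switch
is passed in as a set (an assumption about the caller); ovn-ic derives it
from the switch configuration. All router data below is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Never advertised, whatever the options say.
LINK_LOCAL = (ipaddress.ip_network("169.254.0.0/16"),
              ipaddress.ip_network("fe80::/10"))


def _flag(options: Dict[str, str], key: str) -> bool:
    """Boolean options default to false."""
    return options.get(key, "false") == "true"


def _covered_by(net: Network, cidrs: Iterable[Network]) -> bool:
    """True if net lies inside any CIDR of the same address family."""
    return any(net.version == c.version and net.subnet_of(c) for c in cidrs)


def parse_blacklist(options: Dict[str, str]) -> List[Network]:
    """ic-route-blacklist is a comma-delimited list of CIDRs."""
    raw = options.get("ic-route-blacklist", "")
    return [ipaddress.ip_network(c.strip()) for c in raw.split(",") if c.strip()]


def advertised_routes(options: Dict[str, str],
                      static_routes: Iterable[str],
                      port_networks: Dict[str, Iterable[str]],
                      transit_ports: Set[str]) -> List[str]:
    """Prefixes this router would publish to OVN_IC_Southbound."""
    if not _flag(options, "ic-route-adv"):
        return []
    blacklist = parse_blacklist(options)

    # Firstly: the router's static routes.
    candidates: List[Network] = [ipaddress.ip_network(r, strict=False)
                                 for r in static_routes]
    # Secondly: networks of router ports that are not on a transit switch.
    for port, networks in port_networks.items():
        if port in transit_ports:
            continue
        # Logical_Router_Port networks are addresses with a prefix length,
        # e.g. 10.0.1.1/24; strict=False keeps only the subnet part.
        candidates += [ipaddress.ip_network(n, strict=False) for n in networks]

    result = set()
    for net in candidates:
        if _covered_by(net, LINK_LOCAL):
            continue
        if net.prefixlen == 0 and not _flag(options, "ic-route-adv-default"):
            continue
        if _covered_by(net, blacklist):
            continue
        result.add(str(net))
    return sorted(result)


# Constructed sample router.
OPTIONS = {"ic-route-adv": "true",
           "ic-route-blacklist": "10.99.0.0/16, 2001:db8:ff::/48"}
STATIC_ROUTES = ["0.0.0.0/0", "10.99.5.0/24", "172.16.0.0/12"]
PORT_NETWORKS = {
    "lrp-ts": ["172.31.255.1/24"],                       # faces the transit switch
    "lrp-internal": ["10.0.1.1/24", "fe80::1/64"],       # fe80::/64 is link local
    "lrp-db": ["10.99.7.1/24", "2001:db8:ff:1::1/64"],   # both blacklisted
}
TRANSIT_PORTS = {"lrp-ts"}

if __name__ == "__main__":
    print(advertised_routes(OPTIONS, STATIC_ROUTES, PORT_NETWORKS, TRANSIT_PORTS))
```

The same filter, with the blacklist applied to prefixes coming from the Route table instead, is what the learning side (ic-route-learn) would need; the link-local rule applies only to advertisement.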
    Connection Options:

      connections: set of Connections
        Database clients to which the Open vSwitch database server should connect or on which it should listen, along with options for how these connections should be configured. See the Connection table for more information.

      ssl: optional SSL
        Global SSL configuration.

    Security Configurations:

      ipsec: boolean
        Tunnel encryption configuration. If this column is set to true, all OVN tunnels will be encrypted with IPsec.

    Read-only Options:

      options : max_tunid: optional string
        The maximum supported tunnel ID. Depends on the types of encapsulation enabled in the cluster.

Logical_Switch TABLE
  Each row represents one L2 logical switch.

  There are two kinds of logical switches, that is, ones that fully virtualize the network (overlay logical switches) and ones that provide simple connectivity to physical networks (bridged logical switches). They work in the same way when providing connectivity between logical ports on the same chassis, but differently when connecting remote logical ports. Overlay logical switches connect remote logical ports by tunnels, while bridged logical switches provide connectivity to remote ports by bridging the packets to directly connected physical L2 segments with the help of localnet ports. Each bridged logical switch has one or more localnet ports, which have only one special address unknown.

  Summary:
    ports                                  set of Logical_Switch_Ports
    load_balancer                          set of weak reference to Load_Balancers
    acls                                   set of ACLs
    qos_rules                              set of QoSes
    dns_records                            set of weak reference to DNSes
    forwarding_groups                      set of Forwarding_Groups
    Naming:
      name                                 string
      external_ids : neutron:network_name  optional string
    IP Address Assignment:
      other_config : subnet                optional string
      other_config : exclude_ips           optional string
      other_config : ipv6_prefix           optional string
      other_config : mac_only              optional string, either true or false
    IP Multicast Snooping Options:
      other_config : mcast_snoop           optional string, either true or false
      other_config : mcast_querier         optional string, either true or false
      other_config : mcast_flood_unregistered
                                           optional string, either true or false
      other_config : mcast_table_size      optional string, containing an integer, in range 1 to 32,766
      other_config : mcast_idle_timeout    optional string, containing an integer, in range 15 to 3,600
      other_config : mcast_query_interval  optional string, containing an integer, in range 1 to 3,600
      other_config : mcast_query_max_response
                                           optional string, containing an integer, in range 1 to 10
      other_config : mcast_eth_src         optional string
      other_config : mcast_ip4_src         optional string
      other_config : mcast_ip6_src         optional string
    Interconnection:
      other_config : interconn-ts          optional string
    Tunnel Key:
      other_config : requested-tnl-key     optional string, containing an integer, in range 1 to 16,777,215
    Other options:
      other_config : vlan-passthru         optional string, either true or false
    Common Columns:
      external_ids                         map of string-string pairs

  Details:
    ports: set of Logical_Switch_Ports
      The logical ports connected to the logical switch.

      It is an error for multiple logical switches to include the same logical port.

    load_balancer: set of weak reference to Load_Balancers
      Load balance a virtual IP address to a set of logical port endpoint IP addresses.

    acls: set of ACLs
      Access control rules that apply to packets within the logical switch.

    qos_rules: set of QoSes
      QoS marking and metering rules that apply to packets within the logical switch.

    dns_records: set of weak reference to DNSes
      This column defines the DNS records to be used for resolving internal DNS queries within the logical switch by the native DNS resolver. Please see the DNS table.

    forwarding_groups: set of Forwarding_Groups
      Groups a set of logical port endpoints for traffic going out of the logical switch.

    Naming:

      These columns provide names for the logical switch. From OVN's perspective, these names have no special meaning or purpose other than to provide convenience for human interaction with the database. There is no requirement for the name to be unique. (For a unique identifier for a logical switch, use its row UUID.)

      (Originally, name was intended to serve the purpose of a human-friendly name, but the Neutron integration used it to uniquely identify its own switch object, in the format neutron-uuid. Later on, Neutron started propagating the friendly name of a switch as external_ids:neutron:network_name. Perhaps this can be cleaned up someday.)

      name: string
        A name for the logical switch.

      external_ids : neutron:network_name: optional string
        Another name for the logical switch.

    IP Address Assignment:

      These options control automatic IP address management (IPAM) for ports attached to the logical switch. To enable IPAM for IPv4, set other_config:subnet and optionally other_config:exclude_ips. To enable IPAM for IPv6, set other_config:ipv6_prefix. IPv4 and IPv6 may be enabled together or separately.

      To request dynamic address assignment for a particular port, use the dynamic keyword in the addresses column of the port's Logical_Switch_Port row. This requests both an IPv4 and an IPv6 address, if IPAM for IPv4 and IPv6 are both enabled.

      other_config : subnet: optional string
        Set this to an IPv4 subnet, e.g. 192.168.0.0/24, to enable ovn-northd to automatically assign IP addresses within that subnet.

      other_config : exclude_ips: optional string
        To exclude some addresses from automatic IP address management, set this to a list of the IPv4 addresses or ..-delimited ranges to exclude. The addresses or ranges should be a subset of those in other_config:subnet.

        Whether listed or not, ovn-northd will never allocate the first or last address in a subnet, such as 192.168.0.0 or 192.168.0.255 in 192.168.0.0/24.

        Examples:

        • 192.168.0.2 192.168.0.10

        • 192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120

        • 192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144

      other_config : ipv6_prefix: optional string
        Set this to an IPv6 prefix to enable ovn-northd to automatically assign IPv6 addresses using this prefix. The assigned IPv6 address will be generated using the IPv6 prefix and the MAC address (converted to an IEEE EUI64 identifier) of the port. The IPv6 prefix defined here should be a valid IPv6 address ending with ::.

        Examples:

        • aef0::

        • bef0:1234:a890:5678::

        • 8230:5678::

      other_config : mac_only: optional string, either true or false
        Value used to request assignment of an L2 address only, if neither subnet nor ipv6_prefix is specified.

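The IPAM rules in this section (the exclude_ips syntax, the first/last address rule, and the prefix-plus-EUI-64 construction for ipv6_prefix) can be checked ahead of time by a CMS that wants to predict what ovn-northd will hand out. The following added example is not ovn-northd's allocator; it assumes the standard EUI-64 construction from RFC 4291 (insert ff:fe in the middle of the MAC and flip the universal/local bit), and the subnet, exclusion list and MAC it uses are constructed.

```python
"""Reproduce the Logical_Switch IPAM rules: other_config:subnet,
other_config:exclude_ips and other_config:ipv6_prefix.

Added example, not ovn-northd's allocator. EUI-64 is built the RFC 4291
way (ff:fe inserted, U/L bit flipped), which is an assumption about how
the manual's "converted to an IEEE EUI64 identifier" is realised. All
sample values are constructed.
"""
import ipaddress
from typing import Iterable, Optional, Set


def parse_exclude_ips(value: str) -> Set[ipaddress.IPv4Address]:
    """Expand other_config:exclude_ips: space-separated addresses and
    lo..hi ranges, e.g. "192.168.0.2 192.168.0.4..192.168.0.10"."""
    excluded: Set[ipaddress.IPv4Address] = set()
    for item in value.split():
        if ".." in item:
            lo_s, hi_s = item.split("..", 1)
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end before start: {item}")
            excluded.update(ipaddress.IPv4Address(n)
                            for n in range(int(lo), int(hi) + 1))
        else:
            excluded.add(ipaddress.IPv4Address(item))
    return excluded


def next_free_ipv4(subnet: str, exclude_ips: str = "",
                   in_use: Iterable[str] = ()) -> Optional[str]:
    """Lowest address in `subnet` that is neither the first nor the last
    address of the subnet, not excluded and not already in use; None when
    the subnet is exhausted."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    excluded = parse_exclude_ips(exclude_ips)
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    first, last = net.network_address, net.broadcast_address
    for addr in net:
        if addr in (first, last) or addr in excluded or addr in taken:
            continue
        return str(addr)
    return None


def eui64_address(ipv6_prefix: str, mac: str) -> str:
    """Address derived from other_config:ipv6_prefix and a port MAC:
    the prefix (which must end in ::) plus the EUI-64 interface identifier."""
    if not ipv6_prefix.endswith("::"):
        raise ValueError("ipv6_prefix must be an IPv6 address ending with ::")
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the universal/local bit
    prefix_int = int(ipaddress.IPv6Address(ipv6_prefix))
    return str(ipaddress.IPv6Address(prefix_int | int.from_bytes(eui, "big")))


if __name__ == "__main__":
    # Constructed: /24 with a gateway at .1 and a few reserved addresses.
    print(next_free_ipv4("192.168.0.0/24",
                         "192.168.0.2 192.168.0.4..192.168.0.10",
                         ["192.168.0.1"]))
    print(eui64_address("aef0::", "00:11:22:33:44:55"))
```

Note that excluded addresses outside other_config:subnet are simply never reached by the scan; the manual only says they "should" be a subset, so a stricter CMS may want to reject them.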
    IP Multicast Snooping Options:

      These options control the IP Multicast Snooping configuration of the logical switch. To enable IP Multicast Snooping set other_config:mcast_snoop to true. To enable IP Multicast Querier set other_config:mcast_snoop to true. If IP Multicast Querier is enabled, other_config:mcast_eth_src and other_config:mcast_ip4_src must be set.

      other_config : mcast_snoop: optional string, either true or false
        Enables/disables IP Multicast Snooping on the logical switch.

      other_config : mcast_querier: optional string, either true or false
        Enables/disables IP Multicast Querier on the logical switch.

      other_config : mcast_flood_unregistered: optional string, either true or false
        Determines whether unregistered multicast traffic should be flooded or not. Only applicable if other_config:mcast_snoop is enabled.

      other_config : mcast_table_size: optional string, containing an integer, in range 1 to 32,766
        Number of multicast groups to be stored. Default: 2048.

      other_config : mcast_idle_timeout: optional string, containing an integer, in range 15 to 3,600
        Configures the IP Multicast Snooping group idle timeout (in seconds). Default: 300 seconds.

      other_config : mcast_query_interval: optional string, containing an integer, in range 1 to 3,600
        Configures the IP Multicast Querier interval between queries (in seconds). Default: other_config:mcast_idle_timeout / 2.

      other_config : mcast_query_max_response: optional string, containing an integer, in range 1 to 10
        Configures the value of the "max-response" field in the multicast queries originated by the logical switch. Default: 1 second.

      other_config : mcast_eth_src: optional string
        Configures the source Ethernet address for queries originated by the logical switch.

      other_config : mcast_ip4_src: optional string
        Configures the source IPv4 address for queries originated by the logical switch.

      other_config : mcast_ip6_src: optional string
        Configures the source IPv6 address for queries originated by the logical switch.

    Interconnection:

      other_config : interconn-ts: optional string
        The name of the corresponding transit switch in the OVN_IC_Northbound database. This kind of logical switch is created and controlled by ovn-ic.

    Tunnel Key:

      other_config : requested-tnl-key: optional string, containing an integer, in range 1 to 16,777,215
        Configures the datapath tunnel key for the logical switch. Usually this is not needed because ovn-northd will assign a unique key for each datapath by itself. However, if it is configured, ovn-northd honors the configured value. The typical use case is for interconnection: the tunnel keys for transit switches need to be unique globally, so they are maintained in the global OVN_IC_Southbound database, and ovn-ic simply syncs the value from OVN_IC_Southbound through this config.

    Other options:

      other_config : vlan-passthru: optional string, either true or false
        Determines whether VLAN tagged incoming traffic should be allowed.

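Several of the other_config keys above carry constraints that the database schema itself cannot enforce (integer ranges, the derived default for mcast_query_interval, the requirement that a querier has mcast_eth_src and mcast_ip4_src). The following added example, not ovn-northd's own validation, lints a Logical_Switch other_config map against the multicast snooping, tunnel key and vlan-passthru options exactly as documented and returns the effective values; the two sample maps are constructed.

```python
"""Validate a Logical_Switch other_config map for the multicast snooping,
tunnel-key and vlan-passthru options and resolve their effective values.

Added example, not ovn-northd's checks. Ranges and defaults are the ones
documented for these options; the sample maps below are constructed.
"""
from typing import Any, Dict, List, Tuple

# key -> (minimum, maximum, default). A None default is derived later
# (query interval) or left to ovn-northd (tunnel key).
INT_OPTIONS = {
    "mcast_table_size": (1, 32766, 2048),
    "mcast_idle_timeout": (15, 3600, 300),
    "mcast_query_interval": (1, 3600, None),     # default: idle_timeout / 2
    "mcast_query_max_response": (1, 10, 1),
    "requested-tnl-key": (1, 16777215, None),    # default: assigned by northd
}
BOOL_OPTIONS = ("mcast_snoop", "mcast_querier", "mcast_flood_unregistered",
                "vlan-passthru")


def resolve_switch_options(cfg: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (effective values, problems). An empty problem list means the
    map is consistent with the documented constraints."""
    effective: Dict[str, Any] = {}
    problems: List[str] = []

    for key in BOOL_OPTIONS:
        raw = cfg.get(key, "false")
        if raw not in ("true", "false"):
            problems.append(f"{key}: expected true or false, got {raw!r}")
            raw = "false"
        effective[key] = raw == "true"

    for key, (lo, hi, default) in INT_OPTIONS.items():
        raw = cfg.get(key)
        if raw is None:
            effective[key] = default
            continue
        try:
            value = int(raw)
        except ValueError:
            problems.append(f"{key}: not an integer: {raw!r}")
            effective[key] = default
            continue
        if not lo <= value <= hi:
            problems.append(f"{key}: {value} is outside range {lo} to {hi}")
            effective[key] = default
            continue
        effective[key] = value

    # Documented derived default: query interval is half the idle timeout.
    if effective["mcast_query_interval"] is None:
        effective["mcast_query_interval"] = effective["mcast_idle_timeout"] // 2

    # A querier needs a source MAC and IPv4 address for the queries it sends.
    if effective["mcast_querier"]:
        for key in ("mcast_eth_src", "mcast_ip4_src"):
            if not cfg.get(key):
                problems.append(f"mcast_querier is true but {key} is not set")

    # flood_unregistered only has an effect while snooping is enabled.
    if effective["mcast_flood_unregistered"] and not effective["mcast_snoop"]:
        problems.append("mcast_flood_unregistered has no effect without mcast_snoop")

    return effective, problems


# Constructed: a consistent querier configuration.
GOOD = {"mcast_snoop": "true", "mcast_querier": "true",
        "mcast_eth_src": "00:00:00:00:00:01", "mcast_ip4_src": "10.0.0.254",
        "mcast_idle_timeout": "600"}
# Constructed: querier without sources, out-of-range sizes, bad boolean.
BAD = {"mcast_querier": "true", "mcast_table_size": "40000",
       "requested-tnl-key": "0", "vlan-passthru": "yes"}

if __name__ == "__main__":
    for cfg in (GOOD, BAD):
        values, issues = resolve_switch_options(cfg)
        print(values["mcast_query_interval"], issues)
```

Because OVSDB stores every value in other_config as a string, the integer and boolean coercions here are exactly where a mis-typed value would otherwise silently fall back to the default.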
    Common Columns:

      external_ids: map of string-string pairs
        See External IDs at the beginning of this document.

Logical_Switch_Port TABLE
  A port within an L2 logical switch.

  Summary:
    Core Features:
      name                           string (must be unique within table)
      type                           string
    Options:
      options                        map of string-string pairs
    Options for router ports:
      options : router-port          optional string
      options : nat-addresses        optional string
    Options for localnet ports:
      options : network_name         optional string
    Options for l2gateway ports:
      options : network_name         optional string
      options : l2gateway-chassis    optional string
    Options for vtep ports:
      options : vtep-physical-switch optional string
      options : vtep-logical-switch  optional string
    VMI (or VIF) Options:
      options : requested-chassis    optional string
      options : qos_max_rate         optional string
      options : qos_burst            optional string
    Virtual port Options:
      options : virtual-ip           optional string
      options : virtual-parents      optional string
    IP Multicast Snooping Options:
      options : mcast_flood          optional string, either true or false
      options : mcast_flood_reports  optional string, either true or false
    Containers:
      parent_name                    optional string
      tag_request                    optional integer, in range 0 to 4,095
      tag                            optional integer, in range 1 to 4,095
    Port State:
      up                             optional boolean
      enabled                        optional boolean
    Addressing:
      addresses                      set of strings
      dynamic_addresses              optional string
      port_security                  set of strings
    DHCP:
      dhcpv4_options                 optional weak reference to DHCP_Options
      dhcpv6_options                 optional weak reference to DHCP_Options
      ha_chassis_group               optional HA_Chassis_Group
    Naming:
      external_ids : neutron:port_name
                                     optional string
    Tunnel Key:
      options : requested-tnl-key    optional string, containing an integer, in range 1 to 32,767
    Common Columns:
      external_ids                   map of string-string pairs

  Details:
    Core Features:

      name: string (must be unique within table)
        The logical port name.

        For entities (VMs or containers) that are spawned in the hypervisor, the name used here must match those used in the external_ids:iface-id in the Open_vSwitch database's Interface table, because hypervisors use external_ids:iface-id as a lookup key to identify the network interface of that entity.

        For containers that share a VIF within a VM, the name can be any unique identifier. See Containers, below, for more information.

        A logical switch port may not have the same name as a logical router port, but the database schema cannot enforce this.

      type: string
        Specify a type for this logical port. Logical ports can be used to model other types of connectivity into an OVN logical switch. The following types are defined:

        (empty string)
          A VM (or VIF) interface.

        router
          A connection to a logical router. The value of options:router-port specifies the name of the Logical_Router_Port to which this logical switch port is connected.

        localnet
          A connection to a locally accessible network from ovn-controller instances that have a corresponding bridge mapping. A logical switch can have multiple localnet ports attached. This type is used to model direct connectivity to existing networks. In this case, each chassis should have a mapping for one of the physical networks only. Note: nothing said above implies that a chassis cannot be plugged to multiple physical networks as long as they belong to different switches.

        localport
          A connection to a local VIF. Traffic that arrives on a localport is never forwarded over a tunnel to another chassis. These ports are present on every chassis and have the same address in all of them. This is used to model connectivity to local services that run on every hypervisor.

        l2gateway
          A connection to a physical network.

        vtep
          A port to a logical switch on a VTEP gateway.

        external
          Represents a logical port which is external and does not have an OVS port in the integration bridge. OVN will never receive any traffic from this port or send any traffic to this port. OVN can support native services like DHCPv4/DHCPv6/DNS for this port. If ha_chassis_group is defined, ovn-controller running in the master chassis of the HA chassis group will bind this port to provide these native services. It is expected that this port belongs to a bridged logical switch (with a localnet port).

          It is recommended to use the same HA chassis group for all the external ports of a logical switch. Otherwise, the physical switch might see MAC flap issues when different chassis provide the native services. For example, when supporting native DHCPv4 service, the DHCPv4 server MAC (configured in the options:server_mac column in table DHCP_Options) originating from different ports can cause MAC flap issues. The MAC of the logical router IP(s) can also flap if the same HA chassis group is not set for all the external ports of a logical switch.

          Below are some of the use cases where external ports can be used.

          • VMs connected to SR-IOV NICs - Traffic from these VMs bypasses the kernel stack, and the local ovn-controller does not bind these ports and cannot serve the native services.

          • When the CMS supports provisioning baremetal servers.

        virtual
          Represents a logical port which does not have an OVS port in the integration bridge and has a virtual IP configured in the options:virtual-ip column. This virtual IP can move around between the logical ports configured in the options:virtual-parents column.

          One of the use cases where virtual ports can be used:

          • The virtual IP represents a load balancer VIP and the virtual parents provide the load balancer service in an active-standby setup with the active virtual parent owning the virtual IP.

        remote
          A remote port is to model a port that resides remotely on another OVN, which is on the other side of a transit logical switch for OVN interconnection. This type of port is created by ovn-ic instead of by the CMS. Any change to the port will be automatically overwritten by ovn-ic.

    Options:

      options: map of string-string pairs
        This column provides key/value settings specific to the logical port type. The type-specific options are described individually below.

    Options for router ports:

      These options apply when type is router.

      options : router-port: optional string
        Required. The name of the Logical_Router_Port to which this logical switch port is connected.

      options : nat-addresses: optional string
        This is used to send gratuitous ARPs for SNAT and DNAT IP addresses via the localnet port that is attached to the same logical switch as this router-type port. This option is specified on a logical switch port that is connected to a gateway router, or a logical switch port that is connected to a distributed gateway port on a logical router.

        This must take one of the following forms:

        router
          Gratuitous ARPs will be sent for all SNAT and DNAT external IP addresses and for all load balancer IP addresses defined on the options:router-port's logical router, using the options:router-port's MAC address.

          This form of options:nat-addresses is valid for logical switch ports where options:router-port is the name of a port on a gateway router, or the name of a distributed gateway port.

          Supported only in OVN 2.8 and later. Earlier versions required NAT addresses to be manually synchronized.

        Ethernet address followed by one or more IPv4 addresses
          Example: 80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24. This would result in generation of gratuitous ARPs for IP addresses 158.36.44.22 and 158.36.44.24 with a MAC address of 80:fa:5b:06:72:b7.

          This form of options:nat-addresses is only valid for logical switch ports where options:router-port is the name of a port on a gateway router.

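The two forms of options:nat-addresses differ both in syntax and in where they are allowed, and a wrong value means the physical network either never learns the NAT addresses or learns them with the wrong MAC. The following added example, which is not ovn-northd's parser, turns a value into the (MAC, IPv4) pairs that gratuitous ARPs would announce and rejects the combinations the text above forbids. The two context flags describing what options:router-port points at, and the router MAC and NAT/load-balancer IPs supplied for the "router" form, are assumptions about the caller; all sample values are constructed, apart from the example value from the text.

```python
"""Parse options:nat-addresses on a router-type Logical_Switch_Port and
turn it into the (MAC, IPv4) pairs gratuitous ARPs would announce.

Added example, not ovn-northd's parser. The keyword flags say whether the
peer options:router-port is on a gateway router or is a distributed
gateway port (an assumption about how the caller knows this); for the
"router" form the caller also supplies the router port MAC and the NAT
and load balancer IPs. Sample values are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def garp_targets(nat_addresses: str, *,
                 on_gateway_router: bool,
                 on_distributed_gateway_port: bool = False,
                 router_port_mac: str = "",
                 router_nat_ips: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return [(mac, ipv4), ...] for the value, or raise ValueError when the
    value is malformed or not valid for this kind of router port."""
    tokens = nat_addresses.split()
    if not tokens:
        raise ValueError("nat-addresses is empty")

    if tokens == ["router"]:
        # Valid on a gateway router port or a distributed gateway port; the
        # router port's own MAC is used for every SNAT/DNAT/LB address.
        if not (on_gateway_router or on_distributed_gateway_port):
            raise ValueError("'router' form needs a gateway router port "
                             "or a distributed gateway port")
        if not MAC_RE.match(router_port_mac):
            raise ValueError(f"bad router port MAC: {router_port_mac!r}")
        return [(router_port_mac.lower(), str(ipaddress.IPv4Address(ip)))
                for ip in router_nat_ips]

    # Explicit form: Ethernet address followed by one or more IPv4 addresses.
    mac, ips = tokens[0], tokens[1:]
    if not MAC_RE.match(mac):
        raise ValueError(f"bad Ethernet address: {mac!r}")
    if not ips:
        raise ValueError("Ethernet address must be followed by at least "
                         "one IPv4 address")
    if not on_gateway_router:
        raise ValueError("explicit form is valid only when router-port is "
                         "a port on a gateway router")
    # IPv4Address raises (a ValueError subclass) on anything that is not IPv4.
    return [(mac.lower(), str(ipaddress.IPv4Address(ip))) for ip in ips]


def is_valid_nat_addresses(nat_addresses: str, **context) -> bool:
    """Convenience check: True when garp_targets accepts the value in the
    given context (same keyword arguments as garp_targets)."""
    try:
        garp_targets(nat_addresses, **context)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The example value from the manual, on a gateway router port.
    print(garp_targets("80:fa:5b:06:72:b7 158.36.44.22 158.36.44.24",
                       on_gateway_router=True))
    # Constructed "router" form on a distributed gateway port.
    print(garp_targets("router", on_gateway_router=False,
                       on_distributed_gateway_port=True,
                       router_port_mac="00:00:00:00:00:01",
                       router_nat_ips=["203.0.113.10"]))
```

A CMS would run this check when it writes the option, since OVSDB accepts any string here and the mistake only shows up later as missing or flapping ARP entries on the physical switch.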
828 Options for localnet ports:
829
830 These options apply when type is localnet.
831
832 options : network_name: optional string
833 Required. The name of the network to which the localnet port is
834 connected. Each hypervisor, via ovn-controller, uses its local
835 configuration to determine exactly how to connect to this lo‐
836 cally accessible network, if at all.
837
838 Options for l2gateway ports:
839
840 These options apply when type is l2gateway.
841
842 options : network_name: optional string
843 Required. The name of the network to which the l2gateway port is
844 connected. The L2 gateway, via ovn-controller, uses its local
845 configuration to determine exactly how to connect to this net‐
846 work.
847
848 options : l2gateway-chassis: optional string
849 Required. The chassis to which the l2gateway logical port should
850 be bound. ovn-controller running on the defined chassis will
851 connect this logical port to the physical network.
852
853 Options for vtep ports:
854
855 These options apply when type is vtep.
856
857 options : vtep-physical-switch: optional string
858 Required. The name of the VTEP gateway.
859
860 options : vtep-logical-switch: optional string
861 Required. A logical switch name connected by the VTEP gateway.
862
863 VMI (or VIF) Options:
864
865 These options apply to logical ports whose type is the empty string.
866
867 options : requested-chassis: optional string
868 If set, identifies a specific chassis (by name or hostname) that
869 is allowed to bind this port. Using this option will prevent
870 thrashing between two chassis trying to bind the same port dur‐
871 ing a live migration. It can also prevent similar thrashing due
872 to a mis-configuration, if a port is accidentally created on
873 more than one chassis.
874
875 options : qos_max_rate: optional string
876 If set, indicates the maximum rate for data sent from this in‐
877 terface, in bit/s. The traffic will be shaped according to this
878 limit.
879
880 options : qos_burst: optional string
881 If set, indicates the maximum burst size for data sent from this
882 interface, in bits.
883
884 Virtual port Options:
885
886 These options apply when type is virtual.
887
888 options : virtual-ip: optional string
889 This option represents the virtual IPv4 address.
890
891 options : virtual-parents: optional string
892 This option represents a set of logical port names (within the
893 same logical switch) which can own the virtual IP configured in
894 options:virtual-ip. All these virtual parents should add the
895 virtual IP to their port_security column if port security ad‐
896 dresses are enabled.
897
898 IP Multicast Snooping Options:
899
900 These options apply when the port is part of a logical switch which has
901 other_config:mcast_snoop set to true.
902
903 options : mcast_flood: optional string, either true or false
904 If set to true, multicast packets (except reports) are uncondi‐
905 tionally forwarded to the specific port.
906
907 options : mcast_flood_reports: optional string, either true or false
908 If set to true, multicast reports are unconditionally forwarded
909 to the specific port.
910
911 Containers:
912
913 When a large number of containers are nested within a VM, it may be too
914 expensive to dedicate a VIF to each container. OVN can use VLAN tags to
915 support such cases. Each container is assigned a VLAN ID and each
916 packet that passes between the hypervisor and the VM is tagged with the
917 appropriate ID for the container. Such VLAN IDs never appear on a phys‐
918 ical wire, even inside a tunnel, so they need not be unique except rel‐
919 ative to a single VM on a hypervisor.
920
921 These columns are used for VIFs that represent nested containers using
922 shared VIFs. For VMs and for containers that have dedicated VIFs, they
923 are empty.
924
925 parent_name: optional string
926 The VM interface through which the nested container sends its
927 network traffic. This must match the name column for some other
928 Logical_Switch_Port.
929
930 tag_request: optional integer, in range 0 to 4,095
931 The VLAN tag in the network traffic associated with a con‐
932 tainer’s network interface. The client can request ovn-northd to
933 allocate a tag that is unique within the scope of a specific
934 parent (specified in parent_name) by setting a value of 0 in
935 this column. The allocated value is written by ovn-northd in the
936 tag column. (Note that these tags are allocated and managed lo‐
937 cally in ovn-northd, so they cannot be reconstructed in the
938 event that the database is lost.) The client can also request a
939 specific non-zero tag and ovn-northd will honor it and copy that
940 value to the tag column.
941
942 When type is set to localnet or l2gateway, this can be set to
943 indicate that the port represents a connection to a specific
944 VLAN on a locally accessible network. The VLAN ID is used to
945 match incoming traffic and is also added to outgoing traffic.
946
947 tag: optional integer, in range 1 to 4,095
948 The VLAN tag allocated by ovn-northd based on the contents of
949 the tag_request column.
950
951 Port State:
952
953 up: optional boolean
954 This column is populated by ovn-northd, rather than by the CMS
955 plugin as is most of this database. When a logical port is bound
956 to a physical location in the OVN Southbound database Binding
957 table, ovn-northd sets this column to true; otherwise, or if the
958 port becomes unbound later, it sets it to false. If this column
959 is empty, the port is not considered up. This allows the CMS to
960 wait for a VM’s (or container’s) networking to become active be‐
961 fore it allows the VM (or container) to start.
962
963 Logical ports of router type are an exception to this rule. They
964 are considered to be always up, that is this column is always
965 set to true.
966
967 enabled: optional boolean
968 This column is used to administratively set port state. If this
969 column is empty or is set to true, the port is enabled. If this
970 column is set to false, the port is disabled. A disabled port
971 has all ingress and egress traffic dropped.
972
973 Addressing:
974
975 addresses: set of strings
976 Addresses owned by the logical port.
977
978 Each element in the set must take one of the following forms:
979
980 Ethernet address followed by zero or more IPv4 or IPv6 addresses
981 (or both)
982 The Ethernet address defined is owned by the logical port.
983 Like a physical Ethernet NIC, a logical port ordinarily
984 has a single fixed Ethernet address.
985
986 When an OVN logical switch processes a unicast Ethernet
987 frame whose destination MAC address is in a logical
988 port’s addresses column, it delivers it only to that
989 port, as if a MAC learning process had learned that MAC
990 address on the port.
991
992 If IPv4 or IPv6 address(es) (or both) are defined, it in‐
993 dicates that the logical port owns the given IP ad‐
994 dresses.
995
996 If IPv4 address(es) are defined, the OVN logical switch
997 uses this information to synthesize responses to ARP re‐
998 quests without traversing the physical network. The OVN
999 logical router connected to the logical switch, if any,
1000 uses this information to avoid issuing ARP requests for
1001 logical switch ports.
1002
1003 Note that the order here is important. The Ethernet ad‐
1004 dress must be listed before the IP address(es) if de‐
1005 fined.
1006
1007 Examples:
1008
1009 80:fa:5b:06:72:b7
1010 This indicates that the logical port owns the
1011 above MAC address.
1012
1013 80:fa:5b:06:72:b7 10.0.0.4 20.0.0.4
1014 This indicates that the logical port owns the MAC
1015 address and two IPv4 addresses.
1016
1017 80:fa:5b:06:72:b7 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1018 This indicates that the logical port owns the MAC
1019 address and 1 IPv6 address.
1020
1021 80:fa:5b:06:72:b7 10.0.0.4
1022 fdaa:15f2:72cf:0:f816:3eff:fe20:3f41
1023 This indicates that the logical port owns the MAC
1024 address and 1 IPv4 address and 1 IPv6 address.
1025
1026 unknown
1027 This indicates that the logical port has an unknown set
1028 of Ethernet addresses. When an OVN logical switch pro‐
1029 cesses a unicast Ethernet frame whose destination MAC ad‐
1030 dress is not in any logical port’s addresses column, it
1031 delivers it to the port (or ports) whose addresses col‐
1032 umns include unknown.
1033
1034 dynamic
1035 Use dynamic to make ovn-northd generate a globally unique
1036 MAC address, choose an unused IPv4 address with the logi‐
1037 cal port’s subnet (if other_config:subnet is set in the
1038 port’s Logical_Switch), and generate an IPv6 address from
1039 the MAC address (if other_config:ipv6_prefix is set in
1040 the port’s Logical_Switch) and store them in the port’s
1041 dynamic_addresses column.
1042
1043 Only one element containing dynamic may appear in ad‐
1044 dresses.
1045
1046 dynamic ip
1047 dynamic ipv6
1048 dynamic ip ipv6
1049 These act like dynamic alone but specify particular IPv4 or
1050 IPv6 addresses to use. OVN IPAM will still automatically
1051 allocate the other address if configured appropriately. Ex‐
1052 ample: dynamic 192.168.0.1 2001::1.
1053
1054 mac dynamic
1055 This acts like dynamic alone but specifies a particular MAC
1056 address to use. OVN IPAM will still automatically allocate
1057 IPv4 or IPv6 addresses, or both, if configured appropri‐
1058 ately. Example: 80:fa:5b:06:72:b7 dynamic
1059
1060 router
1061 Accepted only when type is router. This indicates that the
1062 Ethernet, IPv4, and IPv6 addresses for this logical switch
1063 port should be obtained from the connected logical router
1064 port, as specified by router-port in options.
1065
1066 The resulting addresses are used to populate the logical
1067 switch’s destination lookup, and also for the logical
1068 switch to generate ARP and ND replies.
1069
1070 If the connected logical router port has a distributed
1071 gateway port specified and the logical router has rules
1072 specified in nat with external_mac, then those addresses
1073 are also used to populate the switch’s destination lookup.
1074
1075 Supported only in OVN 2.7 and later. Earlier versions re‐
1076 quired router addresses to be manually synchronized.
1077
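The address forms listed above, as an added worked example (not OVN's own parser; the function names are assumptions): a classifier for one element of the addresses column, a column-level check for the single-dynamic rule, and the unicast destination lookup that the "Ethernet address" and "unknown" forms describe.

```python
import ipaddress
import re

# Constructed illustration of the "addresses" column rules described above.
# It is not OVN's own parser and every name below is an assumption.

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def parse_address_element(element, port_type=""):
    """Classify one element of addresses as unknown, router, dynamic or static.

    Raises ValueError for an element the rules reject: an IP listed before
    the MAC, a misplaced or repeated 'dynamic', 'router' on a port whose
    type is not router, or more than one IPv4/IPv6 address in dynamic form.
    """
    toks = element.split()
    if not toks:
        raise ValueError("empty element")
    if toks == ["unknown"]:
        return {"form": "unknown"}
    if toks == ["router"]:
        if port_type != "router":
            raise ValueError("'router' is accepted only when type is router")
        return {"form": "router"}

    mac, ips, dynamic = None, [], False
    for i, tok in enumerate(toks):
        if tok == "dynamic":
            # 'dynamic' stands first, or second right after a MAC ("mac dynamic")
            if dynamic or i > 1 or (i == 1 and mac is None):
                raise ValueError("misplaced 'dynamic'")
            dynamic = True
        elif MAC_RE.match(tok):
            if i != 0:
                raise ValueError("the Ethernet address must be listed first")
            mac = tok.lower()
        else:
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                raise ValueError(f"unrecognized token {tok!r}") from None
            if mac is None and not dynamic:
                raise ValueError("IP address listed before the Ethernet address")
            ips.append(addr)

    if dynamic:
        v4 = [a for a in ips if a.version == 4]
        v6 = [a for a in ips if a.version == 6]
        if len(v4) > 1 or len(v6) > 1:
            raise ValueError("dynamic allows one IPv4 and/or one IPv6 address")
        return {"form": "dynamic", "mac": mac,
                "ipv4": v4[0] if v4 else None, "ipv6": v6[0] if v6 else None}
    return {"form": "static", "mac": mac, "ips": ips}


def parse_addresses(elements, port_type=""):
    """Parse a whole addresses column; at most one element may contain dynamic."""
    parsed = [parse_address_element(e, port_type) for e in elements]
    if sum(p["form"] == "dynamic" for p in parsed) > 1:
        raise ValueError("only one element containing dynamic may appear")
    return parsed


def lookup_dst_ports(switch_ports, dst_mac):
    """Model the unicast destination lookup described above.

    switch_ports maps a port name to its parsed addresses column. A frame to
    a MAC found in some port's column goes only to that port; otherwise it
    goes to every port whose column contains 'unknown'.
    """
    dst_mac = dst_mac.lower()
    owners = [name for name, col in switch_ports.items()
              if any(p.get("mac") == dst_mac for p in col)]
    if owners:
        return owners
    return [name for name, col in switch_ports.items()
            if any(p["form"] == "unknown" for p in col)]
```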
1078 dynamic_addresses: optional string
1079 Addresses assigned to the logical port by ovn-northd, if dynamic
1080 is specified in addresses. Addresses will be of the same format
1081 as those that populate the addresses column. Note that dynami‐
1082 cally assigned addresses are constructed and managed locally in
1083 ovn-northd, so they cannot be reconstructed in the event that
1084 the database is lost.
1085
1086 port_security: set of strings
1087 This column controls the addresses from which the host attached
1088 to the logical port (``the host’’) is allowed to send packets
1089 and to which it is allowed to receive packets. If this column is
1090 empty, all addresses are permitted.
1091
1092 Each element in the set must begin with one Ethernet address.
1093 This would restrict the host to sending packets from and receiv‐
1094 ing packets to the Ethernet addresses defined in the logical
1095 port’s port_security column. It also restricts the inner source
1096 MAC addresses that the host may send in ARP and IPv6 Neighbor
1097 Discovery packets. The host is always allowed to receive packets
1098 to multicast and broadcast Ethernet addresses.
1099
1100 Each element in the set may additionally contain one or more
1101 IPv4 or IPv6 addresses (or both), with optional masks. If a mask
1102 is given, it must be a CIDR mask. In addition to the restric‐
1103 tions described for Ethernet addresses above, such an element
1104 restricts the IPv4 or IPv6 addresses from which the host may
1105 send and to which it may receive packets to the specified ad‐
1106 dresses. A masked address, if the host part is zero, indicates
1107 that the host is allowed to use any address in the subnet; if
1108 the host part is nonzero, the mask simply indicates the size of
1109 the subnet. In addition:
1110
1111 • If any IPv4 address is given, the host is also allowed to
1112 receive packets to the IPv4 local broadcast address
1113 255.255.255.255 and to IPv4 multicast addresses
1114 (224.0.0.0/4). If an IPv4 address with a mask is given,
1115 the host is also allowed to receive packets to the broad‐
1116 cast address in that specified subnet.
1117
1118 If any IPv4 address is given, the host is additionally
1119 restricted to sending ARP packets with the specified
1120 source IPv4 address. (RARP is not restricted.)
1121
1122 • If any IPv6 address is given, the host is also allowed to
1123 receive packets to IPv6 multicast addresses (ff00::/8).
1124
1125 If any IPv6 address is given, the host is additionally
1126 restricted to sending IPv6 Neighbor Discovery Solicita‐
1127 tion or Advertisement packets with the specified source
1128 address or, for solicitations, the unspecified address.
1129
1130 If an element includes an IPv4 address, but no IPv6 addresses,
1131 then IPv6 traffic is not allowed. If an element includes an IPv6
1132 address, but no IPv4 address, then IPv4 and ARP traffic is not
1133 allowed.
1134
1135 This column uses the same lexical syntax as the match column in
1136 the OVN Southbound database’s Pipeline table. Multiple addresses
1137 within an element may be space or comma separated.
1138
1139 This column is provided as a convenience to cloud management
1140 systems, but all of the features that it implements can be im‐
1141 plemented as ACLs using the ACL table.
1142
1143 Examples:
1144
1145 80:fa:5b:06:72:b7
1146 The host may send traffic from and receive traffic to the
1147 specified MAC address, and to receive traffic to Ethernet
1148 multicast and broadcast addresses, but not otherwise. The
1149 host may not send ARP or IPv6 Neighbor Discovery packets
1150 with inner source Ethernet addresses other than the one
1151 specified.
1152
1153 80:fa:5b:06:72:b7 192.168.1.10/24
1154 This adds further restrictions to the first example. The
1155 host may send IPv4 packets from or receive IPv4 packets
1156 to only 192.168.1.10, except that it may also receive
1157 IPv4 packets to 192.168.1.255 (based on the subnet mask),
1158 255.255.255.255, and any address in 224.0.0.0/4. The host
1159 may not send ARPs with a source Ethernet address other
1160 than 80:fa:5b:06:72:b7 or source IPv4 address other than
1161 192.168.1.10. The host may not send or receive any IPv6
1162 (including IPv6 Neighbor Discovery) traffic.
1163
1164 "80:fa:5b:12:42:ba", "80:fa:5b:06:72:b7 192.168.1.10/24"
1165 The host may send traffic from and receive traffic to the
1166 specified MAC addresses, and to receive traffic to Ether‐
1167 net multicast and broadcast addresses, but not otherwise.
1168 With MAC 80:fa:5b:12:42:ba, the host may send traffic
1169 from and receive traffic to any L3 address. With MAC
1170 80:fa:5b:06:72:b7, the host may send IPv4 packets from or
1171 receive IPv4 packets to only 192.168.1.10, except that it
1172 may also receive IPv4 packets to 192.168.1.255 (based on
1173 the subnet mask), 255.255.255.255, and any address in
1174 224.0.0.0/4. The host may not send or receive any IPv6
1175 (including IPv6 Neighbor Discovery) traffic.
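
The port_security rules above, and the three examples just given, as an added worked model (not OVN's implementation; all names are assumptions): it parses the column and decides whether the host may send or receive a given packet, including the broadcast, multicast and subnet-broadcast allowances and the rule that an element carrying only one address family denies the other.

```python
import ipaddress

# Constructed model of the port_security semantics described above. This is
# an added illustration, not OVN's implementation; all names are assumptions.

IPV4_MCAST = ipaddress.ip_network("224.0.0.0/4")
IPV4_BCAST = ipaddress.ip_address("255.255.255.255")
IPV6_MCAST = ipaddress.ip_network("ff00::/8")


def _parse_ip(tok):
    """Return (allowed, subnet) for one IP token.

    allowed is the network of addresses the host may use; subnet is the
    masked network (used for the subnet broadcast) or None when no mask was
    given. A masked address with a zero host part allows the whole subnet;
    with a nonzero host part it allows only that one address.
    """
    if "/" not in tok:
        return ipaddress.ip_network(tok), None
    iface = ipaddress.ip_interface(tok)
    if iface.ip == iface.network.network_address:
        return iface.network, iface.network
    return ipaddress.ip_network(str(iface.ip)), iface.network


def parse_port_security(elements):
    """Parse the column: each element is one MAC followed by IP[/mask]
    entries, space or comma separated."""
    rules = []
    for element in elements:
        toks = element.replace(",", " ").split()
        rules.append((toks[0].lower(), [_parse_ip(t) for t in toks[1:]]))
    return rules


def port_security_allows(rules, direction, mac, ip=None):
    """Decide whether one packet passes port security.

    direction: "from" (host sends) or "to" (host receives).
    mac: the host-side MAC (source when sending, destination when receiving).
    ip: the host-side address (source when sending, destination when
    receiving; the sender IP of an ARP the host sends), or None for a
    pure L2 check.
    """
    if not rules:
        return True                      # empty column: everything permitted
    mac = mac.lower()
    candidates = [nets for r_mac, nets in rules if r_mac == mac]
    if direction == "to" and int(mac[:2], 16) & 1:
        candidates = [nets for _, nets in rules]   # mcast/bcast always received
    if not candidates:
        return False                     # MAC is not in any element
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    for nets in candidates:
        if not nets:
            return True                  # MAC-only element: any L3 address
        fam = [(a, s) for a, s in nets if a.version == addr.version]
        if not fam:
            continue                     # element lacks this family: denied
        if any(addr in a for a, _ in fam):
            return True
        if direction == "to" and addr.version == 4 and (
                addr == IPV4_BCAST or addr in IPV4_MCAST
                or any(s is not None and addr == s.broadcast_address
                       for _, s in fam)):
            return True
        if direction == "to" and addr.version == 6 and addr in IPV6_MCAST:
            return True
    return False
```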
1176
1177 DHCP:
1178
1179 dhcpv4_options: optional weak reference to DHCP_Options
1180 This column defines the DHCPv4 Options to be included by the
1181 ovn-controller when it replies to the DHCPv4 requests. Please
1182 see the DHCP_Options table.
1183
1184 dhcpv6_options: optional weak reference to DHCP_Options
1185 This column defines the DHCPv6 Options to be included by the
1186 ovn-controller when it replies to the DHCPv6 requests. Please
1187 see the DHCP_Options table.
1188
1189 ha_chassis_group: optional HA_Chassis_Group
1190 References a row in the OVN Northbound database’s HA_Chas‐
1191 sis_Group table. It indicates the HA chassis group to use if the
1192 type is set to external. If type is not external, this column is
1193 ignored.
1194
1195 Naming:
1196
1197 external_ids : neutron:port_name: optional string
1198 This column gives an optional human-friendly name for the port.
1199 This name has no special meaning or purpose other than to pro‐
1200 vide convenience for human interaction with the northbound data‐
1201 base.
1202
1203 Neutron copies this from its own port object’s name. (Neutron
1204 ports are not assigned human-friendly names by default, so it
1205 will often be empty.)
1206
1207 Tunnel Key:
1208
1209 options : requested-tnl-key: optional string, containing an integer, in
1210 range 1 to 32,767
1211 Configures the port binding tunnel key for the port. Usually
1212 this is not needed because ovn-northd will assign a unique key
1213 for each port by itself. However, if it is configured,
1214 ovn-northd honors the configured value. The typical use case is
1215 for interconnection: the tunnel keys for ports on transit
1216 switches need to be unique globally, so they are maintained in
1217 the global OVN_IC_Southbound database, and ovn-ic simply syncs
1218 the value from OVN_IC_Southbound through this config.
1219
1220 Common Columns:
1221
1222 external_ids: map of string-string pairs
1223 See External IDs at the beginning of this document.
1224
1225 The ovn-northd program copies all these pairs into the exter‐
1226 nal_ids column of the Port_Binding table in OVN_Southbound data‐
1227 base.
1228
1229 Forwarding_Group TABLE
1230 Each row represents one forwarding group.
1231
1232 Summary:
1233 name string
1234 vip string
1235 vmac string
1236 liveness boolean
1237 child_port set of 1 or more strings
1238 Common Columns:
1239 external_ids map of string-string pairs
1240
1241 Details:
1242 name: string
1243 A name for the forwarding group. This name has no special mean‐
1244 ing or purpose other than to provide convenience for human in‐
1245 teraction with the ovn-nb database.
1246
1247 vip: string
1248 The virtual IP address assigned to the forwarding group. It will
1249 respond with vmac when an ARP request is sent for vip.
1250
1251 vmac: string
1252 The virtual MAC address assigned to the forwarding group.
1253
1254 liveness: boolean
1255 If set to true, liveness is enabled for child ports otherwise it
1256 is disabled.
1257
1258 child_port: set of 1 or more strings
1259 List of child ports in the forwarding group.
1260
1261 Common Columns:
1262
1263 external_ids: map of string-string pairs
1264 See External IDs at the beginning of this document.
1265
1266 Address_Set TABLE
1267 Each row in this table represents a named set of addresses. An address
1268 set may contain Ethernet, IPv4, or IPv6 addresses with optional bitwise
1269 or CIDR masks. Address sets may ultimately be used in ACLs to compare
1270 against fields such as ip4.src or ip6.src. A single address set must
1271 contain addresses of the same type. As an example, the following would
1272 create an address set with three IP addresses:
1273
1274 ovn-nbctl create Address_Set name=set1 addresses='10.0.0.1 10.0.0.2 10.0.0.3'
1275
1276
1277 Address sets may be used in the match column of the ACL table. For syn‐
1278 tax information, see the details of the expression language used for
1279 the match column in the Logical_Flow table of the OVN_Southbound data‐
1280 base.
1281
1282 Summary:
1283 name string (must be unique within table)
1284 addresses set of strings
1285 Common Columns:
1286 external_ids map of string-string pairs
1287
1288 Details:
1289 name: string (must be unique within table)
1290 A name for the address set. Names are ASCII and must match
1291 [a-zA-Z_.][a-zA-Z_.0-9]*.
1292
1293 addresses: set of strings
1294 The set of addresses in string form.
1295
1296 Common Columns:
1297
1298 external_ids: map of string-string pairs
1299 See External IDs at the beginning of this document.
1300
1301 Port_Group TABLE
1302 Each row in this table represents a named group of logical switch
1303 ports.
1304
1305 Port groups may be used in the match column of the ACL table. For syn‐
1306 tax information, see the details of the expression language used for
1307 the match column in the Logical_Flow table of the OVN_Southbound data‐
1308 base.
1309
1310 For each port group, there are two address sets generated to the Ad‐
1311 dress_Set table of the OVN_Southbound database, containing the IP ad‐
1312 dresses of the group of ports, one for IPv4, and the other for IPv6,
1313 with name being the name of the Port_Group followed by a suffix _ip4
1314 for IPv4 and _ip6 for IPv6. The generated address sets can be used in
1315 the same way as regular address sets in the match column of the ACL ta‐
1316 ble. For syntax information, see the details of the expression language
1317 used for the match column in the Logical_Flow table of the OVN_South‐
1318 bound database.
1319
1320 Summary:
1321 name string (must be unique within table)
1322 ports set of weak reference to Logi‐
1323 cal_Switch_Ports
1324 acls set of ACLs
1325 Common Columns:
1326 external_ids map of string-string pairs
1327
1328 Details:
1329 name: string (must be unique within table)
1330 A name for the port group. Names are ASCII and must match
1331 [a-zA-Z_.][a-zA-Z_.0-9]*.
1332
1333 ports: set of weak reference to Logical_Switch_Ports
1334 The logical switch ports belonging to the group in uuids.
1335
1336 acls: set of ACLs
1337 Access control rules that apply to the port group. Applying an
1338 ACL to a port group has the same effect as applying the ACL to
1339 all logical switches that the ports of the port group belong
1340 to.
1341
1342 Common Columns:
1343
1344 external_ids: map of string-string pairs
1345 See External IDs at the beginning of this document.
1346
1347 Load_Balancer TABLE
1348 Each row represents one load balancer.
1349
1350 Summary:
1351 name string
1352 vips map of string-string pairs
1353 protocol optional string, one of sctp, tcp, or udp
1354 Health Checks:
1355 health_check set of Load_Balancer_Health_Checks
1356 ip_port_mappings map of string-string pairs
1357 selection_fields set of strings, one of eth_dst, eth_src,
1358 ip_dst, ip_src, tp_dst, or tp_src
1359 Common Columns:
1360 external_ids map of string-string pairs
1361 Load_Balancer options:
1362 options : reject optional string, either true or false
1363 options : hairpin_snat_ip optional string
1364 options : skip_snat optional string
1365
1366 Details:
1367 name: string
1368 A name for the load balancer. This name has no special meaning
1369 or purpose other than to provide convenience for human interac‐
1370 tion with the ovn-nb database.
1371
1372 vips: map of string-string pairs
1373 A map of virtual IP addresses (and an optional port number with
1374 : as a separator) associated with this load balancer and their
1375 corresponding endpoint IP addresses (and optional port numbers
1376 with : as separators) separated by commas. If the destination IP
1377 address (and port number) of a packet leaving a container or a
1378 VM matches the virtual IP address (and port number) provided
1379 here as a key, then OVN will statefully replace the destination
1380 IP address by one of the provided IP address (and port number)
1381 in this map as a value. IPv4 and IPv6 addresses are supported
1382 for load balancing; however a VIP of one address family may not
1383 be mapped to a destination IP address of a different family. If
1384 specifying an IPv6 address with a port, the address portion must
1385 be enclosed in square brackets. Examples for keys are
1386 "192.168.1.4" and "[fd0f::1]:8800". Examples for value are
1387 "10.0.0.1, 10.0.0.2" and "20.0.0.10:8800, 20.0.0.11:8800".
1388
1389 When the Load_Balancer is added to the logical_switch, the VIP
1390 has to be in a different subnet than the one used for the logi‐
1391 cal_switch. Since the VIP is in a different subnet, you should con‐
1392 nect your logical switch to either an OVN logical router or a
1393 real router (this is because the client can now send a packet
1394 with VIP as the destination IP address and router’s mac address
1395 as the destination MAC address).
1396
1397 protocol: optional string, one of sctp, tcp, or udp
1398 Valid protocols are tcp, udp, or sctp. This column is useful
1399 when a port number is provided as part of the vips column. If
1400 this column is empty and a port number is provided as part of
1401 vips column, OVN assumes the protocol to be tcp.
1402
1403 Health Checks:
1404
1405 OVN supports health checks for load balancer endpoints, for IPv4 load
1406 balancers only. When health checks are enabled, the load balancer uses
1407 only healthy endpoints.
1408
1409 Suppose that vips contains a key-value pair
1410 10.0.0.10:80=10.0.0.4:8080,20.0.0.4:8080. To enable health checks for
1411 this virtual’s endpoints, add two key-value pairs to ip_port_mappings,
1412 with keys 10.0.0.4 and 20.0.0.4, and add to health_check a reference to
1413 a Load_Balancer_Health_Check row whose vip is set to 10.0.0.10.
1414
1415 health_check: set of Load_Balancer_Health_Checks
1416 Load balancer health checks associated with this load balancer.
1417
1418 ip_port_mappings: map of string-string pairs
1419 Maps from endpoint IP to a colon-separated pair of logical port
1420 name and source IP, e.g. port_name:source_ip. Health checks are
1421 sent to this port with the specified source IP.
1422
1423 For example, in the example above, IP to port mappings might be
1424 defined as 10.0.0.4=sw0-p1:10.0.0.2 and
1425 20.0.0.4=sw1-p1:20.0.0.2, if the values given were suitable
1426 ports and IP addresses.
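
The vips, protocol and ip_port_mappings conventions above, worked through as an added example (not OVN's own validation; the function names are assumptions): it parses VIP and backend endpoints including the bracketed IPv6 form, rejects a VIP mapped to backends of another address family, applies the tcp default, and resolves the health-check probe targets for the 10.0.0.10 example given in the text.

```python
import ipaddress
import re

# Constructed checker for the vips, protocol and ip_port_mappings conventions
# described above. This is an added illustration, not OVN's own validation,
# and every function name here is an assumption.

_BRACKETED = re.compile(r"^\[([^\]]+)\](?::(\d+))?$")


def parse_endpoint(text):
    """Parse "IP", "IP:port" or "[IPv6]:port" into (ip_address, port or None).

    An IPv6 address with a port must be bracketed; an unbracketed string with
    more than one colon is therefore read as a bare IPv6 address.
    """
    text = text.strip()
    m = _BRACKETED.match(text)
    if m:
        return ipaddress.ip_address(m.group(1)), (int(m.group(2)) if m.group(2) else None)
    if text.count(":") == 1:                      # IPv4 with a port
        host, port = text.split(":")
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(text), None      # bare IPv4 or bare IPv6


def parse_vips(vips, protocol=None):
    """Normalize a vips map into {key: entry}, enforcing the rules above.

    A VIP's backends must share its address family, and a VIP with a port
    needs backends with ports (and vice versa). When a port is present and
    protocol is empty, the protocol defaults to tcp.
    """
    if protocol not in (None, "", "tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol {protocol!r}")
    entries = {}
    for key, value in vips.items():
        vip, vport = parse_endpoint(key)
        backends = [parse_endpoint(b) for b in value.split(",")]
        for bip, bport in backends:
            if bip.version != vip.version:
                raise ValueError(f"{key}: backend {bip} is of a different address family")
            if (bport is None) != (vport is None):
                raise ValueError(f"{key}: VIP and backends must all carry a port or none")
        entries[key] = {"vip": vip, "port": vport,
                        "protocol": (protocol or "tcp") if vport is not None else None,
                        "backends": backends}
    return entries


def parse_ip_port_mappings(mappings):
    """Parse {endpoint_ip: "port_name:source_ip"} into
    {endpoint_ip: (port_name, source_ip)}."""
    out = {}
    for endpoint, text in mappings.items():
        port_name, sep, src = text.partition(":")
        if not sep or not port_name:
            raise ValueError(f"{endpoint}: mapping must be port_name:source_ip, got {text!r}")
        out[str(ipaddress.ip_address(endpoint))] = (port_name, ipaddress.ip_address(src))
    return out


def health_check_targets(entries, mappings, hc_vip):
    """List the (endpoint_ip, logical_port, source_ip) triples probed for a
    Load_Balancer_Health_Check whose vip is hc_vip, checking that every
    endpoint of that VIP has an ip_port_mappings entry (IPv4 only)."""
    hc = ipaddress.ip_address(hc_vip)
    if hc.version != 4:
        raise ValueError("health checks are supported for IPv4 load balancers only")
    targets = []
    for entry in entries.values():
        if entry["vip"] != hc:
            continue
        for bip, _ in entry["backends"]:
            if str(bip) not in mappings:
                raise ValueError(f"endpoint {bip} has no ip_port_mappings entry")
            port_name, src = mappings[str(bip)]
            targets.append((str(bip), port_name, str(src)))
    if not targets:
        raise ValueError(f"no vips entry uses VIP {hc_vip}")
    return targets
```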
1427
1428 selection_fields: set of strings, one of eth_dst, eth_src, ip_dst,
1429 ip_src, tp_dst, or tp_src
1430 OVN native load balancers are supported using the OpenFlow
1431 groups of type select. OVS supports two selection methods:
1432 dp_hash and hash (with optional fields specified) in selecting
1433 the buckets of a group. Please see the OVS documentation (man
1434 ovs-ofctl) for more details on the selection methods. Each end‐
1435 point IP (and port if set) is mapped to a bucket in the group
1436 flow.
1437
1438 The CMS can choose the hash selection method by setting the selec‐
1439 tion fields in this column. ovs-vswitchd uses the specified
1440 fields in generating the hash.
1441
1442 The dp_hash selection method uses the assistance of the datapath
1443 to calculate the hash and is expected to be faster than the hash
1444 selection method, so the CMS should take this into consideration
1445 before using the hash method. Please consult the OVS documentation
1446 and OVS sources for the implementation details.
1447
1448 Common Columns:
1449
1450 external_ids: map of string-string pairs
1451 See External IDs at the beginning of this document.
1452
1453 Load_Balancer options:
1454
1455 options : reject: optional string, either true or false
1456 If the load balancer is created with --reject option and it has
1457 no active backends, a TCP reset segment (for tcp) or an ICMP
1458 port unreachable packet (for all other kinds of traffic) will be
1459 sent whenever an incoming packet is received for this load-bal‐
1460 ancer. Please note using --reject option will disable empty_lb
1461 SB controller event for this load balancer.
1462
1463 options : hairpin_snat_ip: optional string
1464 IP to be used as source IP for packets that have been hair-
1465 pinned after load balancing. The default behavior when the op‐
1466 tion is not set is to use the load balancer VIP as source IP.
1467 This option may have exactly one IPv4 and/or one IPv6 address on
1468 it, separated by a space character.
1469
1470 options : skip_snat: optional string
1471 If the load balancing rule is configured with skip_snat option,
1472 the force_snat_for_lb option configured for the router pipeline
1473 will not be applied for this load balancer.
1474
1475 Load_Balancer_Health_Check TABLE
1476 Each row represents one load balancer health check. Health checks are
1477 supported for IPv4 load balancers only.
1478
1479 Summary:
1480 vip string
1481 Health check options:
1482 options : interval optional string, containing an integer
1483 options : timeout optional string, containing an integer
1484 options : success_count optional string, containing an integer
1485 options : failure_count optional string, containing an integer
1486 Common Columns:
1487 external_ids map of string-string pairs
1488
1489 Details:
1490 vip: string
1491 The VIP whose endpoints should be monitored by the health check.
1492
1493 Health check options:
1494
1495 options : interval: optional string, containing an integer
1496 The interval, in seconds, between health checks.
1497
1498 options : timeout: optional string, containing an integer
1499 The time, in seconds, after which a health check times out.
1500
1501 options : success_count: optional string, containing an integer
1502 The number of successful checks after which the endpoint is con‐
1503 sidered online.
1504
1505 options : failure_count: optional string, containing an integer
1506 The number of failed checks after which the endpoint is consid‐
1507 ered offline.
1508
1509 Common Columns:
1510
1511 external_ids: map of string-string pairs
1512 See External IDs at the beginning of this document.
1513
1514 ACL TABLE
1515 Each row in this table represents one ACL rule for a logical switch or
1516 a port group that points to it through its acls column. The action col‐
1517 umn for the highest-priority matching row in this table determines a
1518 packet’s treatment. If no row matches, packets are allowed by default.
1519 (Default-deny treatment is possible: add a rule with priority 0, 1 as
1520 match, and deny as action.)
1521
1522 Summary:
1523 priority integer, in range 0 to 32,767
1524 direction string, either from-lport or to-lport
1525 match string
1526 action string, one of allow-related, allow,
1527 drop, or reject
1528 Logging:
1529 log boolean
1530 name optional string, at most 63 characters
1531 long
1532 severity optional string, one of alert, debug,
1533 info, notice, or warning
1534 meter optional string
1535 Common Columns:
1536 external_ids map of string-string pairs
1537
1538 Details:
1539 priority: integer, in range 0 to 32,767
1540 The ACL rule’s priority. Rules with numerically higher priority
1541 take precedence over those with lower. If two ACL rules with the
1542 same priority both match, then the one actually applied to a
1543 packet is undefined.
1544
1545 Return traffic from an allow-related flow is always allowed and
1546 cannot be changed through an ACL.
1547
1548 direction: string, either from-lport or to-lport
1549 Direction of the traffic to which this rule should apply:
1550
1551 • from-lport: Used to implement filters on traffic arriving
1552 from a logical port. These rules are applied to the logi‐
1553 cal switch’s ingress pipeline.
1554
1555 • to-lport: Used to implement filters on traffic forwarded
1556 to a logical port. These rules are applied to the logical
1557 switch’s egress pipeline.
1558
1559 match: string
1560 The packets that the ACL should match, in the same expression
1561 language used for the match column in the OVN Southbound data‐
1562 base’s Logical_Flow table. The outport logical port is only
1563 available in the to-lport direction (the inport is available in
1564 both directions).
1565
1566 By default all traffic is allowed. When writing a more restric‐
1567 tive policy, it is important to remember to allow flows such as
1568 ARP and IPv6 neighbor discovery packets.
1569
1570 Note that you cannot create an ACL matching on a port with
1571 type=router or type=localnet.
1572
1573 action: string, one of allow-related, allow, drop, or reject
1574 The action to take when the ACL rule matches:
1575
1576 • allow: Forward the packet.
1577
1578 • allow-related: Forward the packet and related traffic
1579 (e.g. inbound replies to an outbound connection).
1580
1581 • drop: Silently drop the packet.
1582
1583 • reject: Drop the packet, replying with a RST for TCP or
1584 ICMPv4/ICMPv6 unreachable message for other
1585 IPv4/IPv6-based protocols.
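
The evaluation rules above (highest-priority match wins, no match means allow, an undefined result when two equal-priority rows match, outport only in to-lport), as an added model that is not OVN's pipeline; match expressions are written here as Python predicates over a packet dict rather than in the Logical_Flow match language, and the policy below is a constructed default-deny example that still admits ARP and IPv6 neighbor discovery, as the match column's note advises.

```python
from collections import namedtuple

# Constructed model of ACL evaluation on one logical switch as described
# above. This is an added illustration, not OVN's pipeline; the ACL tuple
# and function names are assumptions, and match is a Python predicate.

ACL = namedtuple("ACL", "priority direction match action log name")


def evaluate_acls(acls, direction, packet):
    """Return (action, log_records) for one packet in one pipeline direction.

    Only rows of the requested direction are consulted; the highest-priority
    matching row decides and a packet matching no row is allowed. The winning
    row emits a log record when its log column is true, whatever its action.
    """
    if direction == "from-lport" and "outport" in packet:
        raise ValueError("outport is only available in the to-lport direction")
    hits = [a for a in acls if a.direction == direction and a.match(packet)]
    if not hits:
        return "allow", []                       # default: all traffic allowed
    best = max(hits, key=lambda a: a.priority)
    if sum(a.priority == best.priority for a in hits) > 1:
        raise ValueError(f"two {direction} ACLs at priority {best.priority} "
                         "match; which one applies is undefined")
    records = [f"acl_log: name={best.name} verdict={best.action}"] if best.log else []
    return best.action, records


def default_deny_policy():
    """Constructed policy: priority-0 deny rules that catch everything, plus
    higher-priority allows for ARP/ND and allow-related HTTP to port "web"."""
    l2_helpers = lambda p: p["proto"] in ("arp", "nd")
    http_to_web = lambda p: (p.get("outport") == "web"
                             and p["proto"] == "tcp" and p["dport"] == 80)
    return [
        ACL(0, "to-lport", lambda p: True, "drop", True, "default-deny-in"),
        ACL(0, "from-lport", lambda p: True, "drop", True, "default-deny-out"),
        ACL(100, "to-lport", l2_helpers, "allow", False, "l2-helpers-in"),
        ACL(100, "from-lport", l2_helpers, "allow", False, "l2-helpers-out"),
        ACL(200, "to-lport", http_to_web, "allow-related", True, "web-in"),
    ]
```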
1586
1587 Logging:
1588
1589 These columns control whether and how OVN logs packets that match an
1590 ACL.
1591
1592 log: boolean
1593 If set to true, packets that match the ACL will trigger a log
1594 message on the transport node or nodes that perform ACL process‐
1595 ing. Logging may be combined with any action.
1596
1597 If set to false, the remaining columns in this group have no
1598 significance.
1599
1600 name: optional string, at most 63 characters long
1601 This name, if it is provided, is included in log records. It
1602 provides the administrator and the cloud management system a way
1603 to associate a log record with a particular ACL.
1604
1605 severity: optional string, one of alert, debug, info, notice, or warn‐
1606 ing
1607 The severity of the ACL. The severity levels match those of sys‐
1608 log, in decreasing level of severity: alert, warning, notice,
1609 info, or debug. When the column is empty, the default is info.
1610
1611 meter: optional string
1612 The name of a meter to rate-limit log messages for the ACL. The
1613 string must match the name column of a row in the Meter table.
1614 By default, log messages are not rate-limited. In order to en‐
1615 sure that the same Meter rate limits multiple ACL logs sepa‐
1616 rately, set the fair column.
1617
1618 Common Columns:
1619
1620 external_ids: map of string-string pairs
1621 See External IDs at the beginning of this document.
1622
1623 Logical_Router TABLE
1624 Each row represents one L3 logical router.
1625
1626 Summary:
1627 ports set of Logical_Router_Ports
1628 static_routes set of Logical_Router_Static_Routes
1629 policies set of Logical_Router_Policys
1630 enabled optional boolean
1631 nat set of NATs
1632 load_balancer set of weak reference to Load_Balancers
1633 Naming:
1634 name string
1635 external_ids : neutron:router_name
1636 optional string
1637 Options:
1638 options : chassis optional string
1639 options : dnat_force_snat_ip
1640 optional string
1641 options : lb_force_snat_ip optional string
1642 options : mcast_relay optional string, either true or false
1643 options : dynamic_neigh_routers
1644 optional string, either true or false
1645 options : always_learn_from_arp_request
1646 optional string, either true or false
1647 options : requested-tnl-key
1648 optional string, containing an integer,
1649 in range 1 to 16,777,215
1650 options : snat-ct-zone optional string, containing an integer,
1651 in range 0 to 65,535
1652 Common Columns:
1653 external_ids map of string-string pairs
1654
1655 Details:
1656 ports: set of Logical_Router_Ports
1657 The router’s ports.
1658
1659 static_routes: set of Logical_Router_Static_Routes
1660 Zero or more static routes for the router.
1661
1662 policies: set of Logical_Router_Policys
1663 Zero or more routing policies for the router.
1664
1665 enabled: optional boolean
1666 This column is used to administratively set router state. If
1667 this column is empty or is set to true, the router is enabled.
1668 If this column is set to false, the router is disabled. A dis‐
1669 abled router has all ingress and egress traffic dropped.
1670
1671 nat: set of NATs
1672 One or more NAT rules for the router. NAT rules only work on
1673 Gateway routers, and on distributed routers with logical gateway
1674 ports.
1675
1676 load_balancer: set of weak reference to Load_Balancers
1677 Load balance a virtual IP address to a set of logical port IP
1678 addresses. Load balancer rules only work on the Gateway routers
1679 or routers with distributed gateway ports.
1680
1681 Naming:
1682
1683 These columns provide names for the logical router. From OVN’s perspec‐
1684 tive, these names have no special meaning or purpose other than to pro‐
1685 vide convenience for human interaction with the northbound database.
1686 There is no requirement for the name to be unique. (For a unique iden‐
1687 tifier for a logical router, use its row UUID.)
1688
1689 (Originally, name was intended to serve the purpose of a human-friendly
1690 name, but the Neutron integration used it to uniquely identify its own
1691 router object, in the format neutron-uuid. Later on, Neutron started
1692 propagating the friendly name of a router as external_ids:neu‐
1693 tron:router_name. Perhaps this can be cleaned up someday.)
1694
1695 name: string
1696 A name for the logical router.
1697
1698 external_ids : neutron:router_name: optional string
1699 Another name for the logical router.
1700
1701 Options:
1702
1703 Additional options for the logical router.
1704
1705 options : chassis: optional string
1706 If set, indicates that the logical router in question is a Gate‐
1707 way router (which is centralized) and resides in the set chas‐
1708 sis. The same value is also used by ovn-controller to uniquely
1709 identify the chassis in the OVN deployment and comes from exter‐
1710 nal_ids:system-id in the Open_vSwitch table of Open_vSwitch
1711 database.
1712
1713 The Gateway router can only be connected to a distributed router
1714 via a switch if SNAT and DNAT are to be configured in the Gate‐
1715 way router.
1716
1717 options : dnat_force_snat_ip: optional string
1718 If set, indicates a set of IP addresses to use to force SNAT a
1719 packet that has already been DNATed in the gateway router. When
1720 multiple gateway routers are configured, a packet can
1721 potentially enter any of the gateway routers, get DNATted and
1722 eventually reach the logical switch port. For the return traffic
1723 to go back to the same gateway router (for unDNATing), the packet
1724 needs a SNAT in the first place. This can be achieved by setting
1725 the above option with a gateway-specific set of IP addresses.
1726 This option may have exactly one IPv4 and/or one IPv6 address on
1727 it, separated by a space.
1728
1729 options : lb_force_snat_ip: optional string
1730 If set, this option can take two possible types of value:
1731 either a set of IP addresses or the string router_ip.
1732
1733 If a set of IP addresses is configured, those addresses are
1734 used to force SNAT a packet that has already been load-balanced
1735 in the gateway router. When multiple gateway routers are
1736 configured, a packet can potentially enter any of the gateway
1737 routers, get DNATted as part of the load-balancing and eventually
1738 reach the logical switch port. For the return traffic to go back
1739 to the same gateway router (for unDNATing), the packet needs a
1740 SNAT in the first place. This can be achieved by setting the
1741 above option with a gateway-specific set of IP addresses. This
1742 option may have exactly one IPv4 and/or one IPv6 address on it,
1743 separated by a space character.
1744
1745 If it is configured with the value router_ip, then the load
1746 balanced packet is SNATed with the IP of the router port
1747 (attached to the gateway router) selected as the destination
1748 after taking the routing decision.
1749
1750 options : mcast_relay: optional string, either true or false
1751 Enables/disables IP multicast relay between logical switches
1752 connected to the logical router. Default: False.
1753
1754 options : dynamic_neigh_routers: optional string, either true or false
1755 If set to true, the router will resolve neighbor routers’ MAC
1756 addresses only by dynamic ARP/ND, instead of prepopulating static
1757 mappings for all neighbor routers in the ARP/ND Resolution stage.
1758 This reduces the number of flows, but requires ARP/ND messages to
1759 resolve the IP-MAC bindings when needed. It is false by default.
1760 Setting it to true is recommended when a large number of logical
1761 routers are connected to the same logical switch but most of them
1762 never need to send traffic between each other.
1763
1764 options : always_learn_from_arp_request: optional string, either true
1765 or false
1766 This option controls the behavior when handling IPv4 ARP re‐
1767 quests or IPv6 ND-NS packets - whether a dynamic neighbor (MAC
1768 binding) entry is added/updated.
1769
1770 true - Always learn the MAC-IP binding, and add/update the MAC
1771 binding entry.
1772
1773 false - If there is a MAC binding for that IP and the MAC is
1774 different, or if the TPA of the ARP request belongs to any router
1775 port on this router, then update/add that MAC-IP binding.
1776 Otherwise, don’t update/add entries.
1777
1778 It is true by default. Setting it to false is recommended when a
1779 large number of logical routers are connected to the same logical
1780 switch but most of them never need to send traffic between each
1781 other, to reduce the size of the MAC binding table.
1782
1783 options : requested-tnl-key: optional string, containing an integer, in
1784 range 1 to 16,777,215
1785 Configures the datapath tunnel key for the logical router. This
1786 is not needed because ovn-northd will assign a unique key for
1787 each datapath by itself. However, if it is configured,
1788 ovn-northd honors the configured value.
1789
1790 options : snat-ct-zone: optional string, containing an integer, in
1791 range 0 to 65,535
1792 Use the requested conntrack zone for SNAT with this router. This
1793 can be useful if egress traffic from the host running OVN comes
1794 from both OVN and other sources. This way, OVN and the other
1795 sources can make use of the same conntrack zone.
1796
1797 Common Columns:
1798
1799 external_ids: map of string-string pairs
1800 See External IDs at the beginning of this document.
1801
1802 QoS TABLE
1803 Each row in this table represents one QoS rule for a logical switch
1804 that points to it through its qos_rules column. Two types of QoS are
1805 supported: DSCP marking and metering. The matching row with the
1806 highest priority has its QoS applied. If the action column is
1807 specified, then matching packets will have DSCP marking applied. If
1808 the bandwidth column is specified, then matching packets will have
1809 metering applied. action and bandwidth are not exclusive, so both
1810 marking and metering may be defined for the same QoS entry. If no
1811 row matches, packets will not have any QoS applied.
1812
1813 Summary:
1814 priority integer, in range 0 to 32,767
1815 direction string, either from-lport or to-lport
1816 match string
1817 action map of string-integer pairs, key must be
1818 dscp, value in range 0 to 63
1819 bandwidth map of string-integer pairs, key either
1820 burst or rate, value in range 1 to
1821 4,294,967,295
1822 external_ids map of string-string pairs
1823
1824 Details:
1825 priority: integer, in range 0 to 32,767
1826 The QoS rule’s priority. Rules with numerically higher priority
1827 take precedence over those with lower. If two QoS rules with the
1828 same priority both match, then the one actually applied to a
1829 packet is undefined.
1830
1831 direction: string, either from-lport or to-lport
1832 The value of this field is similar to the direction column in the
1833 OVN Northbound database’s ACL table.
1834
1835 match: string
1836 The packets that the QoS rules should match, in the same expres‐
1837 sion language used for the match column in the OVN Southbound
1838 database’s Logical_Flow table. The outport logical port is only
1839 available in the to-lport direction (the inport is available in
1840 both directions).
1841
1842 action: map of string-integer pairs, key must be dscp, value in range 0
1843 to 63
1844 When specified, matching flows will have DSCP marking applied.
1845
1846 • dscp: The value of this action should be in the range of
1847 0 to 63 (inclusive).
1848
1849 bandwidth: map of string-integer pairs, key either burst or rate, value
1850 in range 1 to 4,294,967,295
1851 When specified, matching packets will have bandwidth metering
1852 applied. Traffic over the limit will be dropped.
1853
1854 • rate: The value of rate limit in kbps.
1855
1856 • burst: The value of burst rate limit in kilobits. This is
1857 optional and requires rate to be specified.
1858
1859 external_ids: map of string-string pairs
1860 See External IDs at the beginning of this document.
1861
1862 Meter TABLE
1863 Each row in this table represents a meter that can be used for QoS or
1864 rate-limiting.
1865
1866 Summary:
1867 name string (must be unique within table)
1868 unit string, either kbps or pktps
1869 bands set of 1 or more Meter_Bands
1870 fair optional boolean
1871 external_ids map of string-string pairs
1872
1873 Details:
1874 name: string (must be unique within table)
1875 A name for this meter.
1876
1877 Names that begin with "__" (two underscores) are reserved for
1878 OVN internal use and should not be added manually.
1879
1880 unit: string, either kbps or pktps
1881 The unit for rate and burst_rate parameters in the bands entry.
1882 kbps specifies kilobits per second, and pktps specifies packets
1883 per second.
1884
1885 bands: set of 1 or more Meter_Bands
1886 The bands associated with this meter. Each band specifies a rate
1887 above which the band is to take the action given in its action
1888 column. If multiple bands’ rates are exceeded, then the band with
1889 the highest rate among the exceeded bands is selected.
1890
1891 fair: optional boolean
1892 This column is used to further describe the desired behavior of
1893 the meter when there are multiple references to it. If this col‐
1894 umn is empty or is set to false, the rate will be shared across
1895 all rows that refer to the same Meter name. Conversely, when
1896 this column is set to true, each user of the same Meter will be
1897 rate-limited on its own.
1898
1899 external_ids: map of string-string pairs
1900 See External IDs at the beginning of this document.
1901
1902 Meter_Band TABLE
1903 Each row in this table represents a meter band which specifies the rate
1904 above which the configured action should be applied. These bands are
1905 referenced by the bands column in the Meter table.
1906
1907 Summary:
1908 action string, must be drop
1909 rate integer, in range 1 to 4,294,967,295
1910 burst_size integer, in range 0 to 4,294,967,295
1911 external_ids map of string-string pairs
1912
1913 Details:
1914 action: string, must be drop
1915 The action to execute when this band matches. The only supported
1916 action is drop.
1917
1918 rate: integer, in range 1 to 4,294,967,295
1919 The rate limit for this band, in kilobits per second or packets
1920 per second, depending on whether the parent Meter entry’s unit
1921 column specified kbps or pktps.
1922
1923 burst_size: integer, in range 0 to 4,294,967,295
1924 The maximum burst allowed for the band in kilobits or packets,
1925 depending on whether kbps or pktps was selected in the parent
1926 Meter entry’s unit column. If the size is zero, the switch is
1927 free to select some reasonable value depending on its configura‐
1928 tion.
1929
1930 external_ids: map of string-string pairs
1931 See External IDs at the beginning of this document.
1932
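The ACL logging passage above says a Meter rate-limits an ACL's log messages and that fair decides whether several ACLs referencing the same Meter share one limit or each get their own. The following added example (not OVN or OVS code) models the Meter and Meter_Band columns as token buckets and runs constructed log attempts through them; it assumes a burst_size of 0 means one second's worth of the rate, which is one of the "reasonable" values the page leaves to the switch.

```python
"""Rate-limiting ACL log messages with a Meter (added example, not OVN code).

Token-bucket model of the Meter and Meter_Band columns (unit, bands, rate,
burst_size, fair). Meter names and log attempts are constructed for the
example; a burst_size of 0 is assumed to mean one second of the rate.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class MeterBand:
    rate: int                 # per second, in the unit of the parent Meter
    burst_size: int = 0       # kilobits or packets; 0 lets the switch choose
    action: str = "drop"      # the only supported action

    def __post_init__(self):
        if self.action != "drop":
            raise ValueError("Meter_Band action must be drop")
        if not 1 <= self.rate <= 4_294_967_295:
            raise ValueError("rate must be in 1..4,294,967,295")


@dataclass(frozen=True)
class Meter:
    name: str
    unit: str                 # kbps or pktps
    bands: Tuple[MeterBand, ...]
    fair: bool = False

    def __post_init__(self):
        if self.name.startswith("__"):
            raise ValueError("names beginning with __ are reserved for OVN")
        if self.unit not in ("kbps", "pktps"):
            raise ValueError("unit must be kbps or pktps")
        if not self.bands:
            raise ValueError("a Meter needs at least one band")


class _Bucket:
    """Token bucket for one band: capacity is the burst, refilled at rate/s."""

    def __init__(self, band: MeterBand):
        self.rate = float(band.rate)
        self.capacity = float(band.burst_size or band.rate)   # assumption for burst 0
        self.tokens = self.capacity
        self.last = 0.0

    def exceeded(self, cost: float, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return False
        return True


class MeterState:
    """Runtime state of one Meter row; one bucket set per user when fair is true."""

    def __init__(self, meter: Meter):
        self.meter = meter
        self._buckets: Dict[str, List[_Bucket]] = {}

    def _buckets_for(self, user: str) -> List[_Bucket]:
        key = user if self.meter.fair else "<shared>"
        if key not in self._buckets:
            self._buckets[key] = [_Bucket(b) for b in self.meter.bands]
        return self._buckets[key]

    def admit(self, user: str, now: float, size_bytes: int = 0) -> bool:
        """True if a log message from `user` (e.g. an ACL name) passes the meter."""
        cost = 1.0 if self.meter.unit == "pktps" else size_bytes * 8 / 1000.0
        buckets = self._buckets_for(user)
        exceeded = [band for band, bucket in zip(self.meter.bands, buckets)
                    if bucket.exceeded(cost, now)]
        if not exceeded:
            return True
        # Of the exceeded bands the one with the highest rate applies; its
        # action is always drop, so the message is suppressed.
        return max(exceeded, key=lambda b: b.rate).action != "drop"


def logged_messages(fair: bool, attempts: Sequence[Tuple[str, float]]) -> int:
    """How many (acl_name, time) log attempts pass a 2 pkt/s, burst 2 meter
    that several ACLs reference through their meter column."""
    meter = Meter("acl-log", "pktps", (MeterBand(rate=2, burst_size=2),), fair=fair)
    state = MeterState(meter)
    return sum(state.admit(acl, t) for acl, t in attempts)
```

With fair unset, two ACLs bursting at the same instant share the two-packet budget; with fair set to true each ACL gets its own budget, and after one second the bucket has refilled.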
1933 Logical_Router_Port TABLE
1934 A port within an L3 logical router.
1935
1936 Exactly one Logical_Router row must reference a given logical router
1937 port.
1938
1939 Summary:
1940 name string (must be unique within table)
1941 networks set of 1 or more strings
1942 mac string
1943 enabled optional boolean
1944 Distributed Gateway Ports:
1945 ha_chassis_group optional HA_Chassis_Group
1946 gateway_chassis set of Gateway_Chassises
1947 Options for Physical VLAN MTU Issues:
1948 options : reside-on-redirect-chassis
1949 optional string, either true or false
1950 options : redirect-type optional string, either bridged or over‐
1951 lay
1952 ipv6_prefix set of strings
1953 ipv6_ra_configs:
1954 ipv6_ra_configs : address_mode
1955 optional string
1956 ipv6_ra_configs : router_preference
1957 optional string
1958 ipv6_ra_configs : route_info
1959 optional string
1960 ipv6_ra_configs : mtu optional string
1961 ipv6_ra_configs : send_periodic
1962 optional string
1963 ipv6_ra_configs : max_interval
1964 optional string
1965 ipv6_ra_configs : min_interval
1966 optional string
1967 ipv6_ra_configs : rdnss optional string
1968 ipv6_ra_configs : dnssl optional string
1969 Options:
1970 options : mcast_flood optional string, either true or false
1971 options : requested-tnl-key
1972 optional string, containing an integer,
1973 in range 1 to 32,767
1974 options : prefix_delegation
1975 optional string, either true or false
1976 options : prefix optional string, either true or false
1977 Attachment:
1978 peer optional string
1979 Common Columns:
1980 external_ids map of string-string pairs
1981
1982 Details:
1983 name: string (must be unique within table)
1984 A name for the logical router port.
1985
1986 In addition to providing convenience for human interaction with
1987 the northbound database, this column is used as a reference by
1988 its patch port in Logical_Switch_Port or by another logical
1989 router port in Logical_Router_Port.
1990
1991 A logical router port may not have the same name as a logical
1992 switch port, but the database schema cannot enforce this.
1993
1994 networks: set of 1 or more strings
1995 The IP addresses and netmasks of the router. For example,
1996 192.168.0.1/24 indicates that the router’s IP address is
1997 192.168.0.1 and that packets destined to 192.168.0.x should be
1998 routed to this port.
1999
2000 A logical router port always adds a link-local IPv6 address
2001 (fe80::/64) automatically generated from the interface’s MAC ad‐
2002 dress using the modified EUI-64 format.
2003
2004 mac: string
2005 The Ethernet address that belongs to this router port.
2006
2007 enabled: optional boolean
2008 This column is used to administratively set port state. If this
2009 column is empty or is set to true, the port is enabled. If this
2010 column is set to false, the port is disabled. A disabled port
2011 has all ingress and egress traffic dropped.
2012
2013 Distributed Gateway Ports:
2014
2015 Gateways, as documented under Gateways in the OVN architecture guide,
2016 provide limited connectivity between logical networks and physical
2017 ones. OVN supports multiple kinds of gateways. The Logical_Router_Port
2018 table can be used in two different ways to configure distributed gateway
2019 ports, which are one kind of gateway. These two forms of configuration
2020 exist for historical reasons. Both of them produce the same kind of OVN
2021 southbound records and the same behavior in practice.
2022
2023 If either of these is set, this logical router port represents a
2024 distributed gateway port that connects this router to a logical switch
2025 with a localnet port or a connection to another OVN deployment. There
2026 may be at most one such logical router port on each logical router.
2027
2028 The preferred way to configure a gateway is ha_chassis_group, but gate‐
2029 way_chassis is also supported for backward compatibility. Only one of
2030 these should be set at a time on a given LRP, since they configure the
2031 same features.
2032
2033 Even when a gateway is configured, the logical router port still effec‐
2034 tively resides on each chassis. However, due to the implications of the
2035 use of L2 learning in the physical network, as well as the need to sup‐
2036 port advanced features such as one-to-many NAT (aka IP masquerading), a
2037 subset of the logical router processing is handled in a centralized
2038 manner on the gateway chassis.
2039
2040 When more than one gateway chassis is specified, OVN only uses one at a
2041 time. OVN can rely on the OVS BFD implementation to monitor gateway
2042 connectivity, preferring the highest-priority gateway that is online.
2043 Priorities are specified in the priority column of Gateway_Chassis or
2044 HA_Chassis.
2045
2046 ovn-northd programs the external_mac rules specified in the LRP’s LR
2047 into the peer logical switch’s destination lookup on the chassis where
2048 the logical_port resides. In addition, the logical router’s MAC address
2049 is automatically programmed in the peer logical switch’s destination
2050 lookup flow on the gateway chassis. If it is desired to generate
2051 gratuitous ARPs for NAT addresses, then set the peer LSP’s
2052 options:nat-addresses to router.
2053
2054 OVN 20.03 and earlier supported a third way to configure distributed
2055 gateway ports using options:redirect-chassis to specify the gateway
2056 chassis. This method is no longer supported. Any remaining users should
2057 switch to one of the newer methods instead. A gateway_chassis may be
2058 easily configured from the command line, e.g. ovn-nbctl lrp-set-gate‐
2059 way-chassis lrp chassis.
2060
2061 ha_chassis_group: optional HA_Chassis_Group
2062 Designates an HA_Chassis_Group to provide gateway high avail‐
2063 ability.
2064
2065 gateway_chassis: set of Gateway_Chassises
2066 Designates one or more Gateway_Chassis for the logical router
2067 port.
2068
2069 Options for Physical VLAN MTU Issues:
2070
2071 MTU issues arise in mixing tunnels with logical networks that are
2072 bridged to a physical VLAN. For an explanation of the MTU issues, see
2073 Physical VLAN MTU Issues in the OVN architecture document. The follow‐
2074 ing options, which are alternatives, provide solutions. Both of them
2075 cause packets to be sent over localnet instead of tunnels, but they
2076 differ in whether some or all packets are sent this way. The most prom‐
2077 inent tradeoff between these options is that reside-on-redirect-chassis
2078 is easier to configure and that redirect-type performs better for east-
2079 west traffic.
2080
2081 options : reside-on-redirect-chassis: optional string, either true or
2082 false
2083 If set to true, this option forces all traffic across the logi‐
2084 cal router port to pass through the gateway chassis using a hop
2085 across a localnet port. This changes behavior in two ways:
2086
2087 • Without this option, east-west traffic passes directly
2088 between source and destination chassis (or even within a
2089 single chassis, for co-located VMs). With this option,
2090 all east-west traffic passes through the gateway chassis.
2091
2092 • Without this option, traffic between the gateway chassis
2093 and other chassis is encapsulated in tunnels. With this
2094 option, traffic passes over a localnet interface.
2095
2096 This option may usefully be set only on logical router ports
2097 that connect a distributed logical router to a logical switch
2098 with VIFs. It should not be set on a distributed gateway port.
2099
2100 OVN honors this option only if the logical router has a distrib‐
2101 uted gateway port and if the LRP’s peer switch has a localnet
2102 port.
2103
2104 options : redirect-type: optional string, either bridged or overlay
2105 If set to bridged on a distributed gateway port, this option
2106 causes OVN to redirect packets to the gateway chassis over a lo‐
2107 calnet port instead of a tunnel. The relevant chassis must share
2108 a localnet port.
2109
2110 This feature requires the administrator or the CMS to configure
2111 each participating chassis with a unique Ethernet address for
2112 the logical router by setting ovn-chassis-mac-mappings in the
2113 Open vSwitch database, for use by ovn-controller.
2114
2115 Setting this option to overlay or leaving it unset has no ef‐
2116 fect. This option may usefully be set only on a distributed
2117 gateway port. It is otherwise ignored.
2118
2119 ipv6_prefix: set of strings
2120 This column contains the IPv6 prefix obtained from the prefix
2121 delegation router according to RFC 3633.
2122
2123 ipv6_ra_configs:
2124
2125 This column defines the IPv6 ND RA address mode and ND MTU Option to be
2126 included by ovn-controller when it replies to the IPv6 Router solicita‐
2127 tion requests.
2128
2129 ipv6_ra_configs : address_mode: optional string
2130 The address mode to be used for IPv6 address configuration. The
2131 supported values are:
2132
2133 • slaac: Address configuration using Router Advertisement
2134 (RA) packet. The IPv6 prefixes defined in the Logi‐
2135 cal_Router_Port table’s networks column will be included
2136 in the RA’s ICMPv6 option - Prefix information.
2137
2138 • dhcpv6_stateful: Address configuration using DHCPv6.
2139
2140 • dhcpv6_stateless: Address configuration using Router Ad‐
2141 vertisement (RA) packet. Other IPv6 options are provided
2142 by DHCPv6.
2143
2144 ipv6_ra_configs : router_preference: optional string
2145 Default Router Preference (PRF) indicates whether to prefer this
2146 router over other default routers (RFC 4191). Possible values
2147 are:
2148
2149 • HIGH: mapped to 0x01 in RA PRF field
2150
2151 • MEDIUM: mapped to 0x00 in RA PRF field
2152
2153 • LOW: mapped to 0x11 in RA PRF field
2154
2155 ipv6_ra_configs : route_info: optional string
2156 Route Info is used to configure the Route Info Option sent in Router
2157 Advertisement according to RFC 4191. Route Info is a comma-separated
2158 string where each field provides the PRF and prefix for a given
2159 route (e.g. HIGH-aef1::11/48,LOW-aef2::11/96). Possible PRF values
2160 are:
2161
2162 • HIGH: mapped to 0x01 in RA PRF field
2163
2164 • MEDIUM: mapped to 0x00 in RA PRF field
2165
2166 • LOW: mapped to 0x11 in RA PRF field
2167
2168 ipv6_ra_configs : mtu: optional string
2169 The recommended MTU for the link. Default is 0, which means no
2170 MTU Option will be included in the RA packet sent by
2171 ovn-controller. Per RFC 2460, the mtu value is recommended to be
2172 no less than 1280, so any mtu value less than 1280 is treated as
2173 no MTU Option.
2174
2175 ipv6_ra_configs : send_periodic: optional string
2176 If set to true, then this router interface will send router ad‐
2177 vertisements periodically. The default is false.
2178
2179 ipv6_ra_configs : max_interval: optional string
2180 The maximum number of seconds to wait between sending periodic
2181 router advertisements. This option has no effect if ipv6_ra_con‐
2182 figs:send_periodic is false. The default is 600.
2183
2184 ipv6_ra_configs : min_interval: optional string
2185 The minimum number of seconds to wait between sending periodic
2186 router advertisements. This option has no effect if ipv6_ra_con‐
2187 figs:send_periodic is false. The default is one-third of
2188 ipv6_ra_configs:max_interval, i.e. 200 seconds if that key is
2189 unset.
2190
2191 ipv6_ra_configs : rdnss: optional string
2192 IPv6 address of RDNSS server announced in RA packets. At the mo‐
2193 ment OVN supports just one RDNSS server.
2194
2195 ipv6_ra_configs : dnssl: optional string
2196 DNS Search List announced in RA packets. Multiple DNS search list
2197 entries must be comma-separated (e.g. "a.b.c, d.e.f").
2198
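The ipv6_ra_configs keys above, together with the link-local address the networks column says is derived from mac, determine what ovn-controller answers to a Router Solicitation. The following added example (not OVN code) derives the link-local address by modified EUI-64 and translates a constructed ipv6_ra_configs map into the RA fields described on this page; the M/O flag mapping for the DHCPv6 modes follows RFC 4861 and is an assumption the page itself does not state.

```python
"""From a Logical_Router_Port row to the Router Advertisement it implies.

Added example, not OVN code. The row below is constructed; the RFC 4861
managed (M) / other-config (O) flag mapping is an assumption not on the page.
"""
import ipaddress
from typing import Dict, List, Tuple

# PRF encodings exactly as listed under router_preference and route_info
PRF = {"HIGH": 0x01, "MEDIUM": 0x00, "LOW": 0x11}
ADDRESS_MODES = ("slaac", "dhcpv6_stateful", "dhcpv6_stateless")


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 address from a MAC: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("mac must be six colon-separated octets")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02   # modified EUI-64 inverts the universal/local bit
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(eui64)))


def parse_route_info(value: str) -> List[Tuple[int, str]]:
    """'HIGH-aef1::11/48,LOW-aef2::11/96' -> [(0x01, 'aef1::/48'), (0x11, 'aef2::/96')]."""
    routes = []
    for item in value.split(","):
        prf, sep, prefix = item.strip().partition("-")
        if not sep or prf not in PRF:
            raise ValueError(f"bad route_info entry {item!r}")
        routes.append((PRF[prf], str(ipaddress.IPv6Network(prefix, strict=False))))
    return routes


def ra_parameters(mac: str, networks: List[str], ra: Dict[str, str]) -> Dict[str, object]:
    """RA contents for this port under the rules stated for ipv6_ra_configs."""
    mode = ra.get("address_mode")
    if mode not in ADDRESS_MODES:
        raise ValueError(f"unsupported address_mode {mode!r}")
    # Prefix Information carries the port's IPv6 networks in the modes where
    # addresses are configured from the RA (slaac, dhcpv6_stateless).
    v6_prefixes = [str(ipaddress.IPv6Network(n, strict=False))
                   for n in networks if ":" in n]
    mtu = int(ra.get("mtu", "0"))
    send_periodic = ra.get("send_periodic", "false") == "true"
    max_interval = int(ra.get("max_interval", "600"))
    min_interval = int(ra.get("min_interval", str(max_interval // 3)))  # one-third default
    dnssl = [d.strip() for d in ra["dnssl"].split(",")] if "dnssl" in ra else []
    return {
        "source": link_local_from_mac(mac),
        "managed_flag": mode == "dhcpv6_stateful",          # M bit, RFC 4861 (assumed)
        "other_config_flag": mode == "dhcpv6_stateless",    # O bit, RFC 4861 (assumed)
        "prefix_info": v6_prefixes if mode != "dhcpv6_stateful" else [],
        "prf": PRF[ra.get("router_preference", "MEDIUM")],
        "route_info": parse_route_info(ra["route_info"]) if "route_info" in ra else [],
        "mtu_option": mtu if mtu >= 1280 else None,   # below 1280 means no MTU Option
        "periodic": (max_interval, min_interval) if send_periodic else None,
        "rdnss": ra.get("rdnss"),                     # a single server is supported
        "dnssl": dnssl,
    }
```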
2199 Options:
2200
2201 Additional options for the logical router port.
2202
2203 options : mcast_flood: optional string, either true or false
2204 If set to true, multicast traffic (including reports) is
2205 unconditionally forwarded to this port.
2206
2207 This option applies when the port is part of a logical router
2208 which has options:mcast_relay set to true.
2209
2210 options : requested-tnl-key: optional string, containing an integer, in
2211 range 1 to 32,767
2212 Configures the port binding tunnel key for the port. Usually
2213 this is not needed because ovn-northd will assign a unique key
2214 for each port by itself. However, if it is configured,
2215 ovn-northd honors the configured value.
2216
2217 options : prefix_delegation: optional string, either true or false
2218 If set to true, enables the IPv6 prefix delegation state machine
2219 on this logical router port (RFC3633). IPv6 prefix delegation is
2220 available only on a gateway router or on a gateway router port.
2221
2222 options : prefix: optional string, either true or false
2223 If set to true, this interface will receive an IPv6 prefix
2224 according to RFC3663.
2225
2226 Attachment:
2227
2228 A given router port serves one of two purposes:
2229
2230 • To attach a logical switch to a logical router. A logical
2231 router port of this type is referenced by exactly one
2232 Logical_Switch_Port of type router. The value of name is
2233 set as router-port in the options column of
2234 Logical_Switch_Port. In this case the peer column is empty.
2235
2236 • To connect one logical router to another. This requires a
2237 pair of logical router ports, each connected to a differ‐
2238 ent router. Each router port in the pair specifies the
2239 other in its peer column. No Logical_Switch refers to the
2240 router port.
2241
2242 peer: optional string
2243 For a router port used to connect two logical routers, this
2244 identifies the other router port in the pair by name.
2245
2246 For a router port attached to a logical switch, this column is
2247 empty.
2248
2249 Common Columns:
2250
2251 external_ids: map of string-string pairs
2252 See External IDs at the beginning of this document.
2253
2254 Logical_Router_Static_Route TABLE
2255 Each record represents a static route.
2256
2257 When multiple routes match a packet, the longest-prefix match is cho‐
2258 sen. For a given prefix length, a dst-ip route is preferred over a
2259 src-ip route.
2260
2261 When there are ECMP routes, i.e. multiple routes with the same prefix
2262 and policy, one of them will be selected based on the 5-tuple hash of
2263 the packet header.
2264
2265 Summary:
2266 ip_prefix string
2267 policy optional string, either dst-ip or src-ip
2268 nexthop string
2269 output_port optional string
2270 bfd optional weak reference to BFD
2271 external_ids : ic-learned-route
2272 optional string
2273 Common Columns:
2274 external_ids map of string-string pairs
2275 Common options:
2276 options map of string-string pairs
2277 options : ecmp_symmetric_reply
2278 optional string
2279
2280 Details:
2281 ip_prefix: string
2282 IP prefix of this route (e.g. 192.168.100.0/24).
2283
2284 policy: optional string, either dst-ip or src-ip
2285 If it is specified, this setting describes the policy used to
2286 make routing decisions. This setting must be one of the follow‐
2287 ing strings:
2288
2289 • src-ip: This policy sends the packet to the nexthop when
2290 the packet’s source IP address matches ip_prefix.
2291
2292 • dst-ip: This policy sends the packet to the nexthop when
2293 the packet’s destination IP address matches ip_prefix.
2294
2295 If not specified, the default is dst-ip.
2296
2297 nexthop: string
2298 Nexthop IP address for this route. Nexthop IP address should be
2299 the IP address of a connected router port or the IP address of a
2300 logical port.
2301
2302 output_port: optional string
2303 The name of the Logical_Router_Port via which the packet needs
2304 to be sent out. This is optional and when not specified, OVN
2305 will automatically figure this out based on the nexthop. When
2306 this is specified and there are multiple IP addresses on the
2307 router port and none of them are in the same subnet as the nexthop,
2308 OVN chooses the first IP address as the one via which the
2309 nexthop is reachable.
2310
2311 bfd: optional weak reference to BFD
2312 Reference to the BFD row if the route has an associated BFD session.
2313
2314 external_ids : ic-learned-route: optional string
2315 ovn-ic populates this key if the route is learned from the
2316 global OVN_IC_Southbound database. In this case the value will
2317 be set to the uuid of the row in Route table of the
2318 OVN_IC_Southbound database.
2319
2320 Common Columns:
2321
2322 external_ids: map of string-string pairs
2323 See External IDs at the beginning of this document.
2324
2325 Common options:
2326
2327 options: map of string-string pairs
2328 This column provides general key/value settings. The supported
2329 options are described individually below.
2330
2331 options : ecmp_symmetric_reply: optional string
2332 If true, then new traffic that arrives over this route will have
2333 its reply traffic bypass ECMP route selection and will be sent
2334 out this route instead. Note that this option overrides any
2335 rules set in the Logical_Router_Policy table. This option only
2336 works on gateway routers (routers that have options:chassis
2337 set).
2338
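The selection rules stated for this table (longest-prefix match, dst-ip preferred over src-ip at equal prefix length, ECMP by 5-tuple hash) are easy to get wrong when reasoning about which static route a packet will take. The following added example (not OVN code) models rows of this table and applies those rules to constructed packets; the hash function is a stand-in for the datapath's, and only the property that one flow always picks the same ECMP member is meant to carry over.

```python
"""Route selection among Logical_Router_Static_Route rows (added example, not OVN code).

Implements the rules stated for this table: longest-prefix match, dst-ip
preferred over src-ip at equal prefix length, ECMP chosen by a 5-tuple hash.
Routes and packets are constructed for the example.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StaticRoute:
    ip_prefix: str                     # e.g. 192.168.100.0/24
    nexthop: str                       # IP of a connected router port or logical port
    policy: str = "dst-ip"             # an empty policy column defaults to dst-ip
    output_port: Optional[str] = None  # Logical_Router_Port name, or None to let OVN pick

    def __post_init__(self):
        if self.policy not in ("dst-ip", "src-ip"):
            raise ValueError(f"policy must be dst-ip or src-ip, got {self.policy!r}")
        ipaddress.ip_network(self.ip_prefix, strict=False)  # validates the prefix
        ipaddress.ip_address(self.nexthop)

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.ip_prefix, strict=False).prefixlen


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def route_matches(route: StaticRoute, pkt: Packet) -> bool:
    """src-ip routes test the source address, dst-ip routes the destination."""
    net = ipaddress.ip_network(route.ip_prefix, strict=False)
    addr = ipaddress.ip_address(pkt.dst if route.policy == "dst-ip" else pkt.src)
    return addr.version == net.version and addr in net


def five_tuple_hash(pkt: Packet) -> int:
    """Stable hash of the 5-tuple; a stand-in for the datapath hash."""
    key = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.sport}|{pkt.dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_route(routes: Iterable[StaticRoute], pkt: Packet) -> Optional[StaticRoute]:
    """Return the route OVN would use for pkt, or None when no row matches."""
    candidates = [r for r in routes if route_matches(r, pkt)]
    if not candidates:
        return None

    def rank(r: StaticRoute):
        # Longest prefix wins; at equal length, dst-ip beats src-ip.
        return (r.prefixlen, 1 if r.policy == "dst-ip" else 0)

    best = max(rank(r) for r in candidates)
    ecmp = sorted((r for r in candidates if rank(r) == best), key=lambda r: r.nexthop)
    # Remaining routes share prefix and policy: ECMP, chosen by the 5-tuple hash.
    return ecmp[five_tuple_hash(pkt) % len(ecmp)]
```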
2339 Logical_Router_Policy TABLE
2340 Each row in this table represents one routing policy for a logical
2341 router that points to it through its policies column. The action column
2342 for the highest-priority matching row in this table determines a
2343 packet’s treatment. If no row matches, packets are allowed by default.
2344 (Default-deny treatment is possible: add a rule with priority 0, 1 as
2345 match, and drop as action.)
2346
2347 Summary:
2348 priority integer, in range 0 to 32,767
2349 match string
2350 action string, one of allow, drop, or reroute
2351 nexthop optional string
2352 nexthops set of strings
2353 options : pkt_mark optional string
2354 Common Columns:
2355 external_ids map of string-string pairs
2356
2357 Details:
2358 priority: integer, in range 0 to 32,767
2359 The routing policy’s priority. Rules with numerically higher
2360 priority take precedence over those with lower. A rule is
2361 uniquely identified by the priority and match string.
2362
2363 match: string
2364 The packets that the routing policy should match, in the same
2365 expression language used for the match column in the OVN South‐
2366 bound database’s Logical_Flow table.
2367
2368 By default all traffic is allowed. When writing a more restric‐
2369 tive policy, it is important to remember to allow flows such as
2370 ARP and IPv6 neighbor discovery packets.
2371
2372 action: string, one of allow, drop, or reroute
2373 The action to take when the routing policy matches:
2374
2375 • allow: Forward the packet.
2376
2377 • drop: Silently drop the packet.
2378
2379 • reroute: Reroute the packet to nexthop or nexthops.
2380
2381 nexthop: optional string
2382 Note: This column is deprecated in favor of nexthops.
2383
2384 Next-hop IP address for this route, which should be the IP ad‐
2385 dress of a connected router port or the IP address of a logical
2386 port.
2387
2388 nexthops: set of strings
2389 Next-hop ECMP IP addresses for this route. Each IP in the list
2390 should be the IP address of a connected router port or the IP
2391 address of a logical port.
2392
2393 One IP from the list is selected as next hop.
2394
2395 options : pkt_mark: optional string
2396 Marks the packet with the specified value when the router policy
2397 is applied. The CMS can inspect this packet mark and act on it
2398 if desired. The value is not preserved when the packet goes out
2399 on the wire.
2400
2401 Common Columns:
2402
2403 external_ids: map of string-string pairs
2404 See External IDs at the beginning of this document.
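
The selection rules described above (highest-priority matching row wins, no match means allow, a priority-0 "1"/drop row makes the table default-deny, and ARP and neighbor discovery must then be allowed explicitly) can be exercised with the following model. It is an added example, not OVN code: OVN evaluates the match column in its logical-flow expression language, which this model replaces with plain Python predicates; the packet dictionaries, the 10.0.0.0/24 destination and the 192.0.2.1 next hop are constructed placeholders.

```python
"""Model of Logical_Router_Policy row selection.

Added example, not OVN code: OVN evaluates the match column in its
logical-flow expression language, which this model replaces with plain
Python predicates so the selection rules can be exercised offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, str]  # constructed stand-in for packet header fields


@dataclass(frozen=True)
class Policy:
    priority: int                      # 0..32767; numerically higher wins
    match: str                         # readable stand-in for the OVN match
    predicate: Callable[[Packet], bool]
    action: str                        # allow | drop | reroute
    nexthops: Tuple[str, ...] = ()     # only used by reroute

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 32767:
            raise ValueError("priority must be in range 0 to 32,767")
        if self.action not in ("allow", "drop", "reroute"):
            raise ValueError("action must be allow, drop or reroute")
        if self.action == "reroute" and not self.nexthops:
            raise ValueError("reroute needs at least one next hop")


def add_policy(table: List[Policy], policy: Policy) -> None:
    """A row is uniquely identified by (priority, match); refuse duplicates."""
    if any((p.priority, p.match) == (policy.priority, policy.match) for p in table):
        raise ValueError("duplicate (priority, match)")
    table.append(policy)


def evaluate(table: List[Policy], pkt: Packet) -> str:
    """Action of the highest-priority matching row; 'allow' if none matches."""
    for p in sorted(table, key=lambda p: p.priority, reverse=True):
        if p.predicate(pkt):
            if p.action == "reroute":
                return "reroute:" + ",".join(p.nexthops)
            return p.action
    return "allow"


def dst_in(cidr: str) -> Callable[[Packet], bool]:
    """Predicate standing in for an 'ip4.dst == CIDR' match."""
    net = ipaddress.ip_network(cidr)
    return lambda p: "ip4.dst" in p and ipaddress.ip_address(p["ip4.dst"]) in net


def default_deny_table(allow_arp_nd: bool) -> List[Policy]:
    """Default-deny table as described above: a priority-0 row matching
    everything with action drop. Without an explicit allow for ARP and
    IPv6 neighbor discovery, that row silently drops them too."""
    table: List[Policy] = []
    # 192.0.2.1 is a constructed placeholder for a connected router port IP.
    add_policy(table, Policy(100, "ip4.dst == 10.0.0.0/24", dst_in("10.0.0.0/24"),
                             "reroute", ("192.0.2.1",)))
    if allow_arp_nd:
        add_policy(table, Policy(50, "arp || nd",
                                 lambda p: p.get("eth.type") in ("arp", "nd"), "allow"))
    add_policy(table, Policy(0, "1", lambda p: True, "drop"))
    return table


if __name__ == "__main__":
    for flag in (True, False):
        print("arp with allow_arp_nd=%s ->" % flag,
              evaluate(default_deny_table(flag), {"eth.type": "arp"}))
```

Running the module shows the pitfall the match description warns about: with allow_arp_nd=False the default-deny row drops ARP, so no neighbor on the router ever resolves.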
2405
2406 NAT TABLE
2407 Each record represents a NAT rule.
2408
2409 Summary:
2410 type string, one of dnat, dnat_and_snat, or
2411 snat
2412 external_ip string
2413 external_mac optional string
2414 external_port_range string
2415 logical_ip string
2416 logical_port optional string
2417 allowed_ext_ips optional Address_Set
2418 exempted_ext_ips optional Address_Set
2419 options : stateless optional string
2420 Common Columns:
2421 external_ids map of string-string pairs
2422
2423 Details:
2424 type: string, one of dnat, dnat_and_snat, or snat
2425 Type of the NAT rule.
2426
2427 • When type is dnat, the externally visible IP address
2428 external_ip is DNATed to the IP address logical_ip in the
2429 logical space.
2430
2431 • When type is snat, IP packets whose source IP address
2432 either matches the IP address in logical_ip or is in the
2433 network given by logical_ip are SNATed to the IP address
2434 in external_ip.
2435
2436 • When type is dnat_and_snat, the externally visible IP
2437 address external_ip is DNATed to the IP address logical_ip
2438 in the logical space. In addition, IP packets whose
2439 source IP address matches logical_ip are SNATed to the IP
2440 address in external_ip.
2441
2442 external_ip: string
2443 An IPv4 address.
2444
2445 external_mac: optional string
2446 A MAC address.
2447
2448 This is only used on the gateway port on distributed routers.
2449 This must be specified in order for the NAT rule to be processed
2450 in a distributed manner on all chassis. If this is not specified
2451 for a NAT rule on a distributed router, then this NAT rule will
2452 be processed in a centralized manner on the gateway port in‐
2453 stance on the gateway chassis.
2454
2455 This MAC address must be unique on the logical switch that the
2456 gateway port is attached to. If the MAC address used on the log‐
2457 ical_port is globally unique, then that MAC address can be spec‐
2458 ified as this external_mac.
2459
2460 external_port_range: string
2461 L4 source port range.
2462
2463 Range of ports from which a port number is picked to replace
2464 the source port of the packet being NATed. This is essentially
2465 PAT (port address translation).
2466
2467 The value of the column is in the format port_lo-port_hi. For
2468 example: external_port_range : "1-30000"
2469
2470 The valid range of ports is 1-65535.
2471
2472 logical_ip: string
2473 An IPv4 network (e.g. 192.168.1.0/24) or an IPv4 address.
2474
2475 logical_port: optional string
2476 The name of the logical port where the logical_ip resides.
2477
2478 This is only used on distributed routers. This must be specified
2479 in order for the NAT rule to be processed in a distributed man‐
2480 ner on all chassis. If this is not specified for a NAT rule on a
2481 distributed router, then this NAT rule will be processed in a
2482 centralized manner on the gateway port instance on the gateway
2483 chassis.
2484
2485 allowed_ext_ips: optional Address_Set
2486 The Address_Set of external IPs to which the NAT rule applies.
2487 For SNAT type NAT rules, this refers to destination
2488 addresses. For DNAT type NAT rules, this refers to source
2489 addresses.
2490
2491 This configuration overrides the default NAT behavior of
2492 applying a rule based solely on the internal IP. Without this
2493 configuration, NAT happens without considering the external IP
2494 (i.e. the destination for snat rules, the source for dnat rules).
2495 With this configuration the NAT rule is applied ONLY if the
2496 external IP is in the given Address_Set.
2497
2498 exempted_ext_ips: optional Address_Set
2499 The Address_Set of external IPs to which the NAT rule does NOT
2500 apply. For SNAT type NAT rules, this refers to destination
2501 addresses. For DNAT type NAT rules, this refers to source
2502 addresses.
2503
2504 This configuration overrides the default NAT behavior of
2505 applying a rule based solely on the internal IP. Without this
2506 configuration, NAT happens without considering the external IP
2507 (i.e. the destination for snat rules, the source for dnat rules).
2508 With this configuration the NAT rule is NOT applied if the
2509 external IP is in the given Address_Set.
2510
2511 If a logical router has NAT rules with overlapping IP prefixes
2512 (including /32), exempted_ext_ips should be avoided in the
2513 following scenario: a. an SNAT rule (call it RULE1) with
2514 logical_ip PREFIX/MASK (say 50.0.0.0/24); b. an SNAT rule (call
2515 it RULE2) with logical_ip PREFIX/MASK+1 (say 50.0.0.0/25); c. if
2516 exempted_ext_ips is associated with RULE2, then a logical IP
2517 that matches both 50.0.0.0/24 and 50.0.0.0/25 may get RULE2
2518 applied to it instead of RULE1.
2519
2520 allowed_ext_ips and exempted_ext_ips are mutually exclusive. If
2521 both Address_Sets are set for a rule, then the NAT rule is not
2522 considered.
2523
2524 options : stateless: optional string
2525 Indicates whether a dnat_and_snat rule should create connection
2526 tracking state.
2527
2528 Common Columns:
2529
2530 external_ids: map of string-string pairs
2531 See External IDs at the beginning of this document.
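
The constraints the NAT table places on a row (type, IPv4 columns, the port_lo-port_hi range, mutually exclusive Address_Sets, external_mac plus logical_port for distributed processing) and the exempted_ext_ips overlap caveat can be checked before rows are committed. The lint below is an added example, not OVN code (ovn-northd does its own validation); rows are plain dictionaries keyed like the table's columns, Address_Set references are represented by their names, and the sample rows with 203.0.113.x external addresses are constructed.

```python
"""Lint NAT rows against the constraints stated in the NAT table
description. Added example, not OVN code (ovn-northd does its own
validation); rows are plain dicts keyed like the table's columns and the
Address_Set references are represented by their names."""
import ipaddress
from typing import Dict, List, Optional, Tuple

NAT_TYPES = ("dnat", "dnat_and_snat", "snat")


def parse_port_range(value: str) -> Optional[Tuple[int, int]]:
    """external_port_range is 'port_lo-port_hi', both within 1-65535."""
    lo_s, sep, hi_s = value.partition("-")
    if not sep or not lo_s.isdigit() or not hi_s.isdigit():
        return None
    lo, hi = int(lo_s), int(hi_s)
    if not 1 <= lo <= hi <= 65535:
        return None
    return lo, hi


def lint_nat_row(row: Dict[str, str], distributed_router: bool) -> List[str]:
    """Column-level checks for one row; distributed_router selects the
    external_mac/logical_port requirement for distributed processing."""
    issues: List[str] = []
    if row.get("type") not in NAT_TYPES:
        issues.append("type must be one of dnat, dnat_and_snat or snat")
    try:
        ipaddress.IPv4Address(row.get("external_ip", ""))
    except ValueError:
        issues.append("external_ip must be an IPv4 address")
    try:  # logical_ip is an IPv4 address or network (e.g. 192.168.1.0/24)
        ipaddress.IPv4Network(row.get("logical_ip", ""), strict=False)
    except ValueError:
        issues.append("logical_ip must be an IPv4 address or network")
    rng = row.get("external_port_range", "")
    if rng and parse_port_range(rng) is None:
        issues.append("external_port_range must be port_lo-port_hi within 1-65535")
    if row.get("allowed_ext_ips") and row.get("exempted_ext_ips"):
        issues.append("allowed_ext_ips and exempted_ext_ips are mutually "
                      "exclusive; the rule is not considered")
    if distributed_router and not (row.get("external_mac") and row.get("logical_port")):
        issues.append("external_mac and logical_port unset: the rule is processed "
                      "centrally on the gateway chassis, not on every chassis")
    return issues


def lint_snat_overlap(rows: List[Dict[str, str]]) -> List[str]:
    """The exempted_ext_ips caveat: an SNAT rule whose logical_ip nests
    inside another SNAT rule's prefix and carries exempted_ext_ips."""
    issues: List[str] = []
    snat = [(ipaddress.IPv4Network(r["logical_ip"], strict=False), r)
            for r in rows if r.get("type") == "snat"]
    for net_a, _ in snat:
        for net_b, b in snat:
            if b.get("exempted_ext_ips") and net_b.prefixlen > net_a.prefixlen \
                    and net_b.subnet_of(net_a):
                issues.append(f"SNAT {net_b} (exempted_ext_ips set) nests inside SNAT "
                              f"{net_a}; a logical IP matching both may get the {net_b} "
                              "rule applied instead")
    return issues


# Constructed sample rows (203.0.113.0/24 is documentation address space).
SAMPLE_ROWS = [
    {"type": "snat", "external_ip": "203.0.113.10", "logical_ip": "50.0.0.0/24"},
    {"type": "snat", "external_ip": "203.0.113.11", "logical_ip": "50.0.0.0/25",
     "exempted_ext_ips": "as_exempt"},
    {"type": "dnat_and_snat", "external_ip": "203.0.113.12", "logical_ip": "50.0.0.5",
     "external_port_range": "1-30000", "external_mac": "00:00:00:00:00:01",
     "logical_port": "vm1", "allowed_ext_ips": "as_allow",
     "exempted_ext_ips": "as_exempt"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["type"], row["logical_ip"], lint_nat_row(row, distributed_router=True))
    print(lint_snat_overlap(SAMPLE_ROWS))
```

The second sample row reproduces the RULE1/RULE2 scenario from the exempted_ext_ips description, and the third shows a rule that is silently not considered because both Address_Sets are set.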
2532
2533 DHCP_Options TABLE
2534 OVN implements native DHCPv4 support, which caters to the common use
2535 case of providing an IPv4 address to a booting instance by sending
2536 stateless replies to DHCPv4 requests based on statically configured
2537 address mappings. To do this it allows a short list of DHCPv4 options
2538 to be configured and applied at each compute host running ovn-controller.
2539
2540 OVN also implements native DHCPv6 support which provides stateless
2541 replies to DHCPv6 requests.
2542
2543 Summary:
2544 cidr string
2545 DHCPv4 options:
2546 Mandatory DHCPv4 options:
2547 options : server_id optional string
2548 options : server_mac optional string
2549 options : lease_time optional string, containing an integer,
2550 in range 0 to 4,294,967,295
2551 IPv4 DHCP Options:
2552 options : router optional string
2553 options : netmask optional string
2554 options : dns_server optional string
2555 options : log_server optional string
2556 options : lpr_server optional string
2557 options : swap_server optional string
2558 options : policy_filter optional string
2559 options : router_solicitation
2560 optional string
2561 options : nis_server optional string
2562 options : ntp_server optional string
2563 options : netbios_name_server
2564 optional string
2565 options : classless_static_route
2566 optional string
2567 options : ms_classless_static_route
2568 optional string
2569 Boolean DHCP Options:
2570 options : ip_forward_enable
2571 optional string, either 0 or 1
2572 options : router_discovery
2573 optional string, either 0 or 1
2574 options : ethernet_encap optional string, either 0 or 1
2575 Integer DHCP Options:
2576 options : default_ttl optional string, containing an integer,
2577 in range 0 to 255
2578 options : tcp_ttl optional string, containing an integer,
2579 in range 0 to 255
2580 options : mtu optional string, containing an integer,
2581 in range 68 to 65,535
2582 options : T1 optional string, containing an integer,
2583 in range 68 to 4,294,967,295
2584 options : T2 optional string, containing an integer,
2585 in range 68 to 4,294,967,295
2586 options : arp_cache_timeout
2587 optional string, containing an integer,
2588 in range 0 to 255
2589 options : tcp_keepalive_interval
2590 optional string, containing an integer,
2591 in range 0 to 255
2592 options : netbios_node_type
2593 optional string, containing an integer,
2594 in range 0 to 255
2595 String DHCP Options:
2596 options : wpad optional string
2597 options : bootfile_name optional string
2598 options : path_prefix optional string
2599 options : tftp_server_address
2600 optional string
2601 options : domain_name optional string
2602 options : bootfile_name_alt
2603 optional string
2604 options : broadcast_address
2605 optional string
2606 DHCP Options of type host_id:
2607 options : tftp_server optional string
2608 DHCP Options of type domains:
2609 options : domain_search_list
2610 optional string
2611 DHCPv6 options:
2612 Mandatory DHCPv6 options:
2613 options : server_id optional string
2614 IPv6 DHCPv6 options:
2615 options : dns_server optional string
2616 String DHCPv6 options:
2617 options : domain_search optional string
2618 options : dhcpv6_stateless
2619 optional string
2620 Common Columns:
2621 external_ids map of string-string pairs
2622
2623 Details:
2624 cidr: string
2625 The DHCPv4/DHCPv6 options will be included if the logical port
2626 has its IP address in this cidr.
2627
2628 DHCPv4 options:
2629
2630 The CMS should define the set of DHCPv4 options as key/value pairs in
2631 the options column of this table. For ovn-controller to include these
2632 DHCPv4 options, the dhcpv4_options of Logical_Switch_Port should refer
2633 to an entry in this table.
2634
2635 Mandatory DHCPv4 options:
2636
2637 The following options must be defined.
2638
2639 options : server_id: optional string
2640 The IP address for the DHCP server to use. This should be in the
2641 subnet of the offered IP. This is also included in the DHCP of‐
2642 fer as option 54, ``server identifier.’’
2643
2644 options : server_mac: optional string
2645 The Ethernet address for the DHCP server to use.
2646
2647 options : lease_time: optional string, containing an integer, in range
2648 0 to 4,294,967,295
2649 The offered lease time in seconds.
2650
2651 The DHCPv4 option code for this option is 51.
2652
2653 IPv4 DHCP Options:
2654
2655 Below are the supported DHCPv4 options whose values are an IPv4 ad‐
2656 dress, e.g. 192.168.1.1. Some options accept multiple IPv4 addresses
2657 enclosed within curly braces, e.g. {192.168.1.2, 192.168.1.3}. Please
2658 refer to RFC 2132 for more details on DHCPv4 options and their codes.
2659
2660 options : router: optional string
2661 The IP address of a gateway for the client to use. This should
2662 be in the subnet of the offered IP. The DHCPv4 option code for
2663 this option is 3.
2664
2665 options : netmask: optional string
2666 The DHCPv4 option code for this option is 1.
2667
2668 options : dns_server: optional string
2669 The DHCPv4 option code for this option is 6.
2670
2671 options : log_server: optional string
2672 The DHCPv4 option code for this option is 7.
2673
2674 options : lpr_server: optional string
2675 The DHCPv4 option code for this option is 9.
2676
2677 options : swap_server: optional string
2678 The DHCPv4 option code for this option is 16.
2679
2680 options : policy_filter: optional string
2681 The DHCPv4 option code for this option is 21.
2682
2683 options : router_solicitation: optional string
2684 The DHCPv4 option code for this option is 32.
2685
2686 options : nis_server: optional string
2687 The DHCPv4 option code for this option is 41.
2688
2689 options : ntp_server: optional string
2690 The DHCPv4 option code for this option is 42.
2691
2692 options : netbios_name_server: optional string
2693 The DHCPv4 option code for this option is 44.
2694
2695 options : classless_static_route: optional string
2696 The DHCPv4 option code for this option is 121.
2697
2698 This option can contain one or more static routes, each of which
2699 consists of a destination descriptor and the IP address of the
2700 router that should be used to reach that destination. Please see
2701 RFC 3442 for more details.
2702
2703 Example: {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}
2704
2705 options : ms_classless_static_route: optional string
2706 The DHCPv4 option code for this option is 249. This option is
2707 similar to classless_static_route supported by Microsoft Windows
2708 DHCPv4 clients.
2709
2710 Boolean DHCP Options:
2711
2712 These options accept a Boolean value, expressed as 0 for false or 1 for
2713 true.
2714
2715 options : ip_forward_enable: optional string, either 0 or 1
2716 The DHCPv4 option code for this option is 19.
2717
2718 options : router_discovery: optional string, either 0 or 1
2719 The DHCPv4 option code for this option is 31.
2720
2721 options : ethernet_encap: optional string, either 0 or 1
2722 The DHCPv4 option code for this option is 36.
2723
2724 Integer DHCP Options:
2725
2726 These options accept a nonnegative integer value.
2727
2728 options : default_ttl: optional string, containing an integer, in range
2729 0 to 255
2730 The DHCPv4 option code for this option is 23.
2731
2732 options : tcp_ttl: optional string, containing an integer, in range 0
2733 to 255
2734 The DHCPv4 option code for this option is 37.
2735
2736 options : mtu: optional string, containing an integer, in range 68 to
2737 65,535
2738 The DHCPv4 option code for this option is 26.
2739
2740 options : T1: optional string, containing an integer, in range 68 to
2741 4,294,967,295
2742 This specifies the time interval from address assignment until
2743 the client begins trying to renew its address. The DHCPv4 option
2744 code for this option is 58.
2745
2746 options : T2: optional string, containing an integer, in range 68 to
2747 4,294,967,295
2748 This specifies the time interval from address assignment until
2749 the client begins trying to rebind its address. The DHCPv4 op‐
2750 tion code for this option is 59.
2751
2752 options : arp_cache_timeout: optional string, containing an integer, in
2753 range 0 to 255
2754 The DHCPv4 option code for this option is 35. This option speci‐
2755 fies the timeout in seconds for ARP cache entries.
2756
2757 options : tcp_keepalive_interval: optional string, containing an inte‐
2758 ger, in range 0 to 255
2759 The DHCPv4 option code for this option is 38. This option speci‐
2760 fies the interval that the client TCP should wait before sending
2761 a keepalive message on a TCP connection.
2762
2763 options : netbios_node_type: optional string, containing an integer, in
2764 range 0 to 255
2765 The DHCPv4 option code for this option is 46.
2766
2767 String DHCP Options:
2768
2769 These options accept a string value.
2770
2771 options : wpad: optional string
2772 The DHCPv4 option code for this option is 252. This option is
2773 used as part of web proxy auto discovery to provide a URL for a
2774 web proxy.
2775
2776 options : bootfile_name: optional string
2777 The DHCPv4 option code for this option is 67. This option is
2778 used to identify a bootfile.
2779
2780 options : path_prefix: optional string
2781 The DHCPv4 option code for this option is 210. In PXELINUX's case
2782 this option is used to set a common path prefix, instead of
2783 deriving it from the bootfile name.
2784
2785 options : tftp_server_address: optional string
2786 The DHCPv4 option code for this option is 150. The option
2787 contains one or more IPv4 addresses that the client MAY use. This
2788 option is Cisco proprietary; the standard option that serves the
2789 same purpose is option 66 (tftp_server).
2790
2791 options : domain_name: optional string
2792 The DHCPv4 option code for this option is 15. This option speci‐
2793 fies the domain name that client should use when resolving host‐
2794 names via the Domain Name System.
2795
2796 options : bootfile_name_alt: optional string
2797 The bootfile_name_alt option is used to support iPXE. When both
2798 bootfile_name and bootfile_name_alt are provided by the CMS,
2799 bootfile_name is used for option 67 if the DHCP request
2800 contains the etherboot option (175); otherwise
2801 bootfile_name_alt is used.
2802
2803 options : broadcast_address: optional string
2804 The DHCPv4 option code for this option is 28. This option speci‐
2805 fies the IP address used as a broadcast address.
2806
2807 DHCP Options of type host_id:
2808
2809 These options accept either an IPv4 address or a string value.
2810
2811 options : tftp_server: optional string
2812 The DHCPv4 option code for this option is 66.
2813
2814 DHCP Options of type domains:
2815
2816 These options accept a string value that is a comma-separated
2817 list of domain names. The domain names are encoded per RFC 1035.
2818
2819 options : domain_search_list: optional string
2820 The DHCPv4 option code for this option is 119.
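
Two of the options above have a non-trivial wire encoding: classless_static_route (option 121, RFC 3442, shown on the page as {30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}) and domain_search_list (option 119, names in RFC 1035 label form). The encoders below are an added example, not OVN's own code; they take the string forms this table uses and produce the option bytes a client would receive. The code parameter lets the same RFC 3442 payload be emitted under code 249, which is the format ms_classless_static_route carries; that generalization and the input strings used in the demo are mine, not the page's.

```python
"""Wire encoding for two DHCP_Options values. Added example, not OVN
code: classless_static_route (option 121, RFC 3442; code 249 carries the
same payload for Microsoft clients) and domain_search_list (option 119,
names in RFC 1035 label form, no label compression)."""
import ipaddress


def encode_classless_static_route(value: str, code: int = 121) -> bytes:
    """value uses the table's '{dest/len,router, dest/len,router}' form.
    Per route: one prefix-length octet, only the significant octets of
    the destination, then the 4-octet router address."""
    fields = [f.strip() for f in value.strip().strip("{}").split(",") if f.strip()]
    if not fields or len(fields) % 2:
        raise ValueError("expected dest/len,router pairs")
    body = bytearray()
    for dest, router in zip(fields[::2], fields[1::2]):
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.IPv4Address(router).packed
    if len(body) > 255:
        raise ValueError("option payload exceeds 255 octets")
    return bytes([code, len(body)]) + bytes(body)


def encode_domain_search_list(value: str) -> bytes:
    """value is the table's comma-separated list, e.g. 'ovn.org, example.com'.
    Each name becomes length-prefixed labels terminated by a zero octet."""
    body = bytearray()
    for name in (n.strip().rstrip(".") for n in value.split(",")):
        if not name:
            continue
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            body.append(len(raw))
            body += raw
        body.append(0)
    if len(body) > 255:
        raise ValueError("option payload exceeds 255 octets")
    return bytes([119, len(body)]) + bytes(body)


if __name__ == "__main__":
    # The page's own classless_static_route example, and a constructed
    # search list; the default route costs 5 octets, the /24 costs 8.
    print(encode_classless_static_route("{30.0.0.0/24,10.0.0.10, 0.0.0.0/0,10.0.0.1}").hex())
    print(encode_domain_search_list("ovn.org, example.com").hex())
```

The 255-octet check matters operationally: a long static-route list or search list that exceeds a single option's length field is rejected here rather than truncated silently on the wire.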
2821
2822 DHCPv6 options:
2823
2824 OVN also implements native DHCPv6 support. The CMS should define the
2825 set of DHCPv6 options as key/value pairs. The defined DHCPv6 options
2826 will be included in the DHCPv6 response to DHCPv6 Solicit/Request/
2827 Confirm packets from the logical ports having IPv6 addresses in the
2828 cidr.
2829
2830 Mandatory DHCPv6 options:
2831
2832 The following options must be defined.
2833
2834 options : server_id: optional string
2835 The Ethernet address for the DHCP server to use. This is also
2836 included in the DHCPv6 reply as option 2, ``Server Identifier’’
2837 to carry a DUID identifying a server between a client and a
2838 server. ovn-controller defines DUID based on Link-layer Address
2839 [DUID-LL].
2840
2841 IPv6 DHCPv6 options:
2842
2843 Below are the supported DHCPv6 options whose values are an IPv6 ad‐
2844 dress, e.g. aef0::4. Some options accept multiple IPv6 addresses en‐
2845 closed within curly braces, e.g. {aef0::4, aef0::5}. Please refer to
2846 RFC 3315 for more details on DHCPv6 options and their codes.
2847
2848 options : dns_server: optional string
2849 The DHCPv6 option code for this option is 23. This option speci‐
2850 fies the DNS servers that the VM should use.
2851
2852 String DHCPv6 options:
2853
2854 These options accept string values.
2855
2856 options : domain_search: optional string
2857 The DHCPv6 option code for this option is 24. This option speci‐
2858 fies the domain search list the client should use to resolve
2859 hostnames with DNS.
2860
2861 Example: "ovn.org".
2862
2863 options : dhcpv6_stateless: optional string
2864 This option specifies that OVN native DHCPv6 works in stateless
2865 mode, meaning OVN native DHCPv6 does not offer IPv6 addresses to
2866 VM/VIF ports but only replies with other configuration, such as
2867 DNS servers and the domain search list. When this option is set
2868 to the string value "true", the VM/VIF configures its IPv6
2869 addresses statelessly. The default value for this option is false.
2870
2871 Common Columns:
2872
2873 external_ids: map of string-string pairs
2874 See External IDs at the beginning of this document.
2875
2876 Connection TABLE
2877 Configuration for a database connection to an Open vSwitch database
2878 (OVSDB) client.
2879
2880 This table primarily configures the Open vSwitch database server
2881 (ovsdb-server).
2882
2883 The Open vSwitch database server can initiate and maintain active con‐
2884 nections to remote clients. It can also listen for database connec‐
2885 tions.
2886
2887 Summary:
2888 Core Features:
2889 target string (must be unique within table)
2890 Client Failure Detection and Handling:
2891 max_backoff optional integer, at least 1,000
2892 inactivity_probe optional integer
2893 Status:
2894 is_connected boolean
2895 status : last_error optional string
2896 status : state optional string, one of ACTIVE, BACKOFF,
2897 CONNECTING, IDLE, or VOID
2898 status : sec_since_connect optional string, containing an integer,
2899 at least 0
2900 status : sec_since_disconnect
2901 optional string, containing an integer,
2902 at least 0
2903 status : locks_held optional string
2904 status : locks_waiting optional string
2905 status : locks_lost optional string
2906 status : n_connections optional string, containing an integer,
2907 at least 2
2908 status : bound_port optional string, containing an integer
2909 Common Columns:
2910 external_ids map of string-string pairs
2911 other_config map of string-string pairs
2912
2913 Details:
2914 Core Features:
2915
2916 target: string (must be unique within table)
2917 Connection methods for clients.
2918
2919 The following connection methods are currently supported:
2920
2921 ssl:host[:port]
2922 The specified SSL port on the given host, which can be
2923 either a DNS name (if built with the unbound library) or
2924 an IP address. A valid SSL configuration must be provided
2925 when this form is used; this configuration can be
2926 specified via command-line options or the SSL
2927 table.
2928
2929 If port is not specified, it defaults to 6640.
2930
2931 SSL support is an optional feature that is not always
2932 built as part of Open vSwitch.
2933
2934 tcp:host[:port]
2935 The specified TCP port on the given host, which can be
2936 either a DNS name (if built with the unbound library) or
2937 an IP address. If host is an IPv6 address, wrap it in
2938 square brackets, e.g. tcp:[::1]:6640.
2939
2940 If port is not specified, it defaults to 6640.
2941
2942 pssl:[port][:host]
2943 Listens for SSL connections on the specified TCP port.
2944 Specify 0 for port to have the kernel automatically
2945 choose an available port. If host, which can be either a
2946 DNS name (if built with the unbound library) or an IP
2947 address, is specified, then connections are restricted to
2948 the resolved or specified local IP address (either IPv4 or
2949 IPv6). If host is an IPv6 address, wrap it in square
2950 brackets, e.g. pssl:6640:[::1]. If host is not specified
2951 then it listens only on IPv4 (but not IPv6) addresses. A
2952 valid SSL configuration must be provided when this form
2953 is used; it can be specified either via command-line
2954 options or the SSL table.
2955
2956 If port is not specified, it defaults to 6640.
2957
2958 SSL support is an optional feature that is not always
2959 built as part of Open vSwitch.
2960
2961 ptcp:[port][:host]
2962 Listens for connections on the specified TCP port.
2963 Specify 0 for port to have the kernel automatically choose
2964 an available port. If host, which can be either a DNS name
2965 (if built with the unbound library) or an IP address, is
2966 specified, then connections are restricted to the
2967 resolved or specified local IP address (either IPv4 or
2968 IPv6 address). If host is an IPv6 address, wrap it in
2969 square brackets, e.g. ptcp:6640:[::1]. If host is not
2970 specified then it listens only on IPv4 addresses.
2971
2972 If port is not specified, it defaults to 6640.
2973
2974 When multiple clients are configured, the target values must be
2975 unique. Duplicate target values yield unspecified results.
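
The four target forms above differ in where the port sits (after the host for ssl: and tcp:, before the optional host for pssl: and ptcp:), in the 6640 default, and in the bracket rule for IPv6 hosts. The parser below is an added example, not OVS or OVN code; it applies exactly those rules and reports two properties a reviewer of a Connection table cares about: whether the target listens for inbound connections, and whether it needs a valid SSL configuration. The duplicate check reflects the uniqueness requirement stated above. The sample target strings are constructed.

```python
"""Parser for the target column's connection methods. Added example, not
OVS or OVN code: it applies the rules stated above (four methods, port
defaulting to 6640, bracketed IPv6 hosts) and reports whether a target
listens for inbound connections and whether it needs SSL configuration."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORT = 6640
ACTIVE_METHODS = ("ssl", "tcp")      # connect out to host[:port]
PASSIVE_METHODS = ("pssl", "ptcp")   # listen on [port][:host]


@dataclass(frozen=True)
class Target:
    method: str
    host: Optional[str]   # None when a passive method binds to all IPv4 addresses
    port: int
    passive: bool         # listens for inbound connections
    needs_ssl: bool       # ssl: and pssl: require the SSL table or command-line options


def _parse_port(text: str) -> int:
    """Empty means the 6640 default; 0 is what the description gives for
    passive methods (the kernel picks the port)."""
    if text == "":
        return DEFAULT_PORT
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def _unbracket(host: str) -> str:
    return host[1:-1] if host.startswith("[") and host.endswith("]") else host


def parse_target(target: str) -> Target:
    method, sep, rest = target.partition(":")
    if not sep or method not in ACTIVE_METHODS + PASSIVE_METHODS:
        raise ValueError(f"unsupported connection method in {target!r}")
    needs_ssl = method in ("ssl", "pssl")

    if method in PASSIVE_METHODS:
        # [port][:host]: the port comes first, so splitting on the first
        # colon never cuts into a bracketed IPv6 host such as pssl:6640:[::1].
        port_s, _, host = rest.partition(":")
        return Target(method, _unbracket(host) or None, _parse_port(port_s), True, needs_ssl)

    # host[:port]: an IPv6 host must be wrapped in brackets, e.g. tcp:[::1]:6640.
    if rest.startswith("["):
        end = rest.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 bracket")
        host, tail = rest[1:end], rest[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError(f"unexpected text after host in {target!r}")
        port_s = tail[1:]
    else:
        host, _, port_s = rest.partition(":")
    if not host:
        raise ValueError("active methods need a host (wrap IPv6 addresses in brackets)")
    return Target(method, host, _parse_port(port_s), False, needs_ssl)


def duplicate_targets(targets: List[str]) -> List[str]:
    """target values must be unique within the table; duplicates yield
    unspecified results, so surface them before committing rows."""
    seen: set = set()
    dups: List[str] = []
    for t in targets:
        if t in seen and t not in dups:
            dups.append(t)
        seen.add(t)
    return dups


if __name__ == "__main__":
    # Constructed sample targets covering each documented form.
    for sample in ("ssl:nb.example", "tcp:[::1]:6640", "pssl:6640:[::1]", "ptcp:0", "ptcp:"):
        print(sample, "->", parse_target(sample))
```

A plain ptcp: target with no host binds every local IPv4 address and carries no SSL protection, which is why the passive and needs_ssl flags are worth surfacing together when reviewing a table.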
2976
2977 Client Failure Detection and Handling:
2978
2979 max_backoff: optional integer, at least 1,000
2980 Maximum number of milliseconds to wait between connection at‐
2981 tempts. Default is implementation-specific.
2982
2983 inactivity_probe: optional integer
2984 Maximum number of milliseconds of idle time on the connection
2985 to the client before sending an inactivity probe message. If
2986 Open vSwitch does not communicate with the client for that
2987 amount of time, it will send a probe. If a response is not
2988 received within the same additional amount of time, Open
2989 vSwitch assumes the connection has been broken and attempts to
2990 reconnect. Default is implementation-specific. A value of 0
2991 disables inactivity probes.
2992
2993 Status:
2994
2995 The is_connected key-value pair is always updated. Whether the other
2996 key-value pairs in the status column are updated depends on the target.
2997
2998 When target specifies a connection method that listens for inbound
2999 connections (e.g. ptcp: or punix:), both n_connections and is_connected
3000 may also be updated, while the remaining key-value pairs are omitted.
3001
3002 On the other hand, when target specifies an outbound connection, all
3003 key-value pairs may be updated except the two mentioned above that are
3004 associated with inbound connection targets; those two
3005 are omitted.
3006
3007 is_connected: boolean
3008 true if currently connected to this client, false otherwise.
3009
3010 status : last_error: optional string
3011 A human-readable description of the last error on the connection
3012 to the manager; i.e. strerror(errno). This key will exist only
3013 if an error has occurred.
3014
3015 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
3016 IDLE, or VOID
3017 The state of the connection to the manager:
3018
3019 VOID Connection is disabled.
3020
3021 BACKOFF
3022 Attempting to reconnect at an increasing period.
3023
3024 CONNECTING
3025 Attempting to connect.
3026
3027 ACTIVE Connected, remote host responsive.
3028
3029 IDLE Connection is idle. Waiting for response to keep-alive.
3030
3031 These values may change in the future. They are provided only
3032 for human consumption.
3033
3034 status : sec_since_connect: optional string, containing an integer, at
3035 least 0
3036 The amount of time since this client last successfully connected
3037 to the database (in seconds). Value is empty if client has never
3038 successfully been connected.
3039
3040 status : sec_since_disconnect: optional string, containing an integer,
3041 at least 0
3042 The amount of time since this client last disconnected from the
3043 database (in seconds). Value is empty if client has never dis‐
3044 connected.
3045
3046 status : locks_held: optional string
3047 Space-separated list of the names of OVSDB locks that the con‐
3048 nection holds. Omitted if the connection does not hold any
3049 locks.
3050
3051 status : locks_waiting: optional string
3052 Space-separated list of the names of OVSDB locks that the con‐
3053 nection is currently waiting to acquire. Omitted if the connec‐
3054 tion is not waiting for any locks.
3055
3056 status : locks_lost: optional string
3057 Space-separated list of the names of OVSDB locks that the con‐
3058 nection has had stolen by another OVSDB client. Omitted if no
3059 locks have been stolen from this connection.
3060
3061 status : n_connections: optional string, containing an integer, at
3062 least 2
3063 When target specifies a connection method that listens for in‐
3064 bound connections (e.g. ptcp: or pssl:) and more than one con‐
3065 nection is actually active, the value is the number of active
3066 connections. Otherwise, this key-value pair is omitted.
3067
3068 status : bound_port: optional string, containing an integer
3069 When target is ptcp: or pssl:, this is the TCP port on which the
3070 OVSDB server is listening. (This is particularly useful when
3071 target specifies a port of 0, allowing the kernel to choose any
3072 available port.)
3073
3074 Common Columns:
3075
3076 The overall purpose of these columns is described under Common Columns
3077 at the beginning of this document.
3078
3079 external_ids: map of string-string pairs
3080
3081 other_config: map of string-string pairs
3082
3083 DNS TABLE
3084 Each row in this table stores the DNS records. The Logical_Switch ta‐
3085 ble’s dns_records references these records.
3086
3087 Summary:
3088 records map of string-string pairs
3089 external_ids map of string-string pairs
3090
3091 Details:
3092 records: map of string-string pairs
3093 Key-value pairs of DNS records, with the DNS query name as the key
3094 and a string of IP address(es) separated by commas or spaces as value.
3095
3096 Example: "vm1.ovn.org" = "10.0.0.4 aef0::4"
3097
3098 external_ids: map of string-string pairs
3099 See External IDs at the beginning of this document.
3100
3101 SSL TABLE
3102 SSL configuration for ovn-nb database access.
3103
3104 Summary:
3105 private_key string
3106 certificate string
3107 ca_cert string
3108 bootstrap_ca_cert boolean
3109 ssl_protocols string
3110 ssl_ciphers string
3111 Common Columns:
3112 external_ids map of string-string pairs
3113
3114 Details:
3115 private_key: string
3116 Name of a PEM file containing the private key used as the
3117 switch’s identity for SSL connections to the controller.
3118
3119 certificate: string
3120 Name of a PEM file containing a certificate, signed by the cer‐
3121 tificate authority (CA) used by the controller and manager, that
3122 certifies the switch’s private key, identifying a trustworthy
3123 switch.
3124
3125 ca_cert: string
3126 Name of a PEM file containing the CA certificate used to verify
3127 that the switch is connected to a trustworthy controller.
3128
3129 bootstrap_ca_cert: boolean
3130 If set to true, then Open vSwitch will attempt to obtain the CA
3131 certificate from the controller on its first SSL connection and
3132 save it to the named PEM file. If it is successful, it will im‐
3133 mediately drop the connection and reconnect, and from then on
3134 all SSL connections must be authenticated by a certificate
3135 signed by the CA certificate thus obtained. This option exposes
3136 the SSL connection to a man-in-the-middle attack obtaining the
3137 initial CA certificate. It may still be useful for bootstrap‐
3138 ping.
3139
3140 ssl_protocols: string
3141 List of SSL protocols to be enabled for SSL connections. The de‐
3142 fault when this option is omitted is TLSv1,TLSv1.1,TLSv1.2.
3143
3144 ssl_ciphers: string
3145 List of ciphers (in OpenSSL cipher string format) to be sup‐
3146 ported for SSL connections. The default when this option is
3147 omitted is HIGH:!aNULL:!MD5.
3148
3149 Common Columns:
3150
3151 The overall purpose of these columns is described under Common Columns
3152 at the beginning of this document.
3153
3154 external_ids: map of string-string pairs
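
The settings above have a default worth checking against (ssl_protocols defaults to TLSv1,TLSv1.1,TLSv1.2; ssl_ciphers to HIGH:!aNULL:!MD5) and one option, bootstrap_ca_cert, whose man-in-the-middle exposure the description spells out. The audit below is an added example, not OVN code; it reads a row as a dictionary, applies the defaults the table states, and flags TLSv1 and TLSv1.1 as deprecated (RFC 8996) alongside the page's own caveats. The two constructed rows compare a row left at the defaults with bootstrapping still enabled against a hardened one; the PEM paths are placeholders.

```python
"""Audit an SSL table row against the settings described above. Added
example, not OVN code; the defaults below are the ones the table
description states, and the finding about TLSv1/TLSv1.1 reflects their
deprecation in RFC 8996."""
from typing import Dict, List

DEFAULT_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"   # default when ssl_protocols is omitted
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"           # default when ssl_ciphers is omitted
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def audit_ssl_row(row: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for col in ("private_key", "certificate", "ca_cert"):
        if not row.get(col):
            findings.append(f"{col} is empty; peers cannot be authenticated")
    if str(row.get("bootstrap_ca_cert", "false")).lower() == "true":
        findings.append("bootstrap_ca_cert is true: the first SSL connection accepts "
                        "whatever CA certificate the peer presents (man-in-the-middle "
                        "exposure); set it back to false once ca_cert is in place")
    protocols = {p.strip() for p in row.get("ssl_protocols", DEFAULT_PROTOCOLS).split(",")}
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append(f"ssl_protocols enables deprecated {','.join(weak)}; use TLSv1.2")
    ciphers = row.get("ssl_ciphers", DEFAULT_CIPHERS).split(":")
    if "!aNULL" not in ciphers:
        findings.append("ssl_ciphers does not exclude aNULL (unauthenticated) suites")
    if "!MD5" not in ciphers:
        findings.append("ssl_ciphers does not exclude MD5-based suites")
    return findings


# Constructed rows; the PEM paths are placeholders, not OVN's own defaults.
DEFAULT_ROW = {
    "private_key": "/path/to/ovnnb-privkey.pem",
    "certificate": "/path/to/ovnnb-cert.pem",
    "ca_cert": "/path/to/cacert.pem",
    "bootstrap_ca_cert": "true",       # ssl_protocols/ssl_ciphers left at defaults
}
HARDENED_ROW = {
    **DEFAULT_ROW,
    "bootstrap_ca_cert": "false",
    "ssl_protocols": "TLSv1.2",
    "ssl_ciphers": "HIGH:!aNULL:!MD5",
}

if __name__ == "__main__":
    for name, row in (("default", DEFAULT_ROW), ("hardened", HARDENED_ROW)):
        print(name, audit_ssl_row(row) or ["ok"])
```

The point of the comparison is that leaving ssl_protocols unset is not neutral: the documented default still enables TLSv1 and TLSv1.1, so a hardened row has to set the column explicitly.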
3155
3156 Gateway_Chassis TABLE
3157 Association of a chassis to a logical router port. The traffic going
3158 out through a specific router port will be redirected to a chassis, or
3159 a set of them in high availability configurations.
3160
3161 Summary:
3162 name string (must be unique within table)
3163 chassis_name string
3164 priority integer, in range 0 to 32,767
3165 options map of string-string pairs
3166 Common Columns:
3167 external_ids map of string-string pairs
3168
3169 Details:
3170 name: string (must be unique within table)
3171 Name of the Gateway_Chassis.
3172
3173 A suggested, but not required, naming convention is
3174 ${port_name}_${chassis_name}.
3175
3176 chassis_name: string
3177 Name of the chassis that we want to redirect traffic through for
3178 the associated logical router port. The value must match the
3179 name column of the Chassis table in the OVN_Southbound database.
3180
3181 priority: integer, in range 0 to 32,767
3182 This is the priority of a chassis among all Gateway_Chassis be‐
3183 longing to the same logical router port.
3184
3185 options: map of string-string pairs
3186 Reserved for future use.
3187
3188 Common Columns:
3189
3190 external_ids: map of string-string pairs
3191 See External IDs at the beginning of this document.
3192
HA_Chassis_Group TABLE
       Table representing a group of chassis which can provide high
       availability services. Each chassis in the group is represented by the
       table HA_Chassis. The HA chassis with the highest priority will be the
       master of this group. If failover of the master chassis is detected,
       the HA chassis with the next highest priority takes over the
       responsibility of providing the HA. If a distributed gateway router
       port references a row in this table, then the master HA chassis in
       this group provides the gateway functionality.

     Summary:
       name                          string (must be unique within table)
       ha_chassis                    set of HA_Chassises
       Common Columns:
         external_ids                map of string-string pairs

     Details:
       name: string (must be unique within table)
              Name of the HA_Chassis_Group. Name should be unique.

       ha_chassis: set of HA_Chassises
              A list of HA chassis which belong to this group.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

HA_Chassis TABLE
     Summary:
       chassis_name                  string
       priority                      integer, in range 0 to 32,767
       Common Columns:
         external_ids                map of string-string pairs

     Details:
       chassis_name: string
              Name of the chassis which is part of the HA chassis group. The
              value must match the name column of the Chassis table in the
              OVN_Southbound database.

       priority: integer, in range 0 to 32,767
              Priority of the chassis. Chassis with highest priority will be
              the master.

     Common Columns:

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

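       The master selection rule shared by the Gateway_Chassis and HA_Chassis
       tables above (highest priority is master; on failover the next highest
       takes over), as an added example that is not OVN code. It models the
       HA_Chassis rows of one group as (chassis_name, priority) pairs, enforces
       the documented 0 to 32,767 priority range, and returns the failover order
       and the current master given a set of chassis known to have failed. The
       tie-break on chassis name is this example's choice; the schema does not
       define one.

```python
"""Master election over an HA_Chassis_Group (added example, not OVN code)."""

# Priority range documented for HA_Chassis.priority and Gateway_Chassis.priority.
PRIORITY_MIN, PRIORITY_MAX = 0, 32767


def validate_priority(priority):
    """Reject priorities outside the documented column range."""
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise ValueError(
            f"priority {priority} outside {PRIORITY_MIN}..{PRIORITY_MAX}"
        )
    return priority


def failover_order(ha_chassis):
    """Chassis names ordered master-first: highest priority first.

    `ha_chassis` is an iterable of (chassis_name, priority) pairs, one per
    HA_Chassis row in the group. Equal priorities are ordered by name so the
    result is deterministic (example's own tie-break).
    """
    rows = [(validate_priority(prio), name) for name, prio in ha_chassis]
    return [name for prio, name in sorted(rows, key=lambda r: (-r[0], r[1]))]


def elect_master(ha_chassis, failed=()):
    """Return the chassis that should currently be master, or None.

    `failed` holds the names of chassis whose failover has been detected;
    the first surviving entry of the failover order is the master.
    """
    failed = set(failed)
    for name in failover_order(ha_chassis):
        if name not in failed:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample group of three HA_Chassis rows.
    group = [("gw-a", 30), ("gw-b", 20), ("gw-c", 10)]
    print("order:", failover_order(group))
    print("master:", elect_master(group))
    print("master after gw-a fails:", elect_master(group, failed={"gw-a"}))
```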
BFD TABLE
       Contains BFD parameters for ovn-controller BFD configuration. The OVN
       BFD implementation is used to provide detection of failures in the
       path between adjacent forwarding engines, including the OVN
       interfaces. OVN BFD provides link status info to OVN northd in order
       to update logical flows according to the status of BFD endpoints. In
       the current implementation OVN BFD is used to check next-hop status
       for ECMP routes. Note that the BFD table refers to the OVN BFD
       implementation and not to the legacy OVS one.

     Summary:
       Configuration:
         logical_port                string
         dst_ip                      string
         min_tx                      optional integer, at least 1
         min_rx                      optional integer
         detect_mult                 optional integer, at least 1
         options                     map of string-string pairs
         external_ids                map of string-string pairs
       Status Reporting:
         status                      optional string, one of admin_down, down,
                                     init, or up

     Details:
     Configuration:

       ovn-northd reads configuration from these columns.

       logical_port: string
              OVN logical port on which the BFD engine is running.

       dst_ip: string
              BFD peer IP address.

       min_tx: optional integer, at least 1
              This is the minimum interval, in milliseconds, that the local
              system would like to use when transmitting BFD Control packets,
              less any jitter applied. The value zero is reserved. Default
              value is 1000 ms.

       min_rx: optional integer
              This is the minimum interval, in milliseconds, between received
              BFD Control packets that this system is capable of supporting,
              less any jitter applied by the sender. If this value is zero,
              the transmitting system does not want the remote system to send
              any periodic BFD Control packets.

       detect_mult: optional integer, at least 1
              Detection time multiplier. The negotiated transmit interval,
              multiplied by this value, provides the Detection Time for the
              receiving system in Asynchronous mode. Default value is 5.

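       How min_tx, min_rx and detect_mult combine into a Detection Time, as an
       added example that is not OVN code. It applies the BFD Asynchronous-mode
       rules (RFC 5880) the three column descriptions summarise: a system never
       transmits faster than the larger of its own min_tx and the peer's min_rx;
       the Detection Time at the receiver is the peer's detect_mult multiplied
       by the peer's effective transmit interval; a min_rx of zero tells the
       peer not to send periodic Control packets at all. The BfdEndpoint class
       and its field names are this example's own; min_tx and detect_mult take
       the defaults documented above, while min_rx, which has no documented
       default, must be given.

```python
"""BFD timer negotiation for the min_tx / min_rx / detect_mult columns (added example)."""
from dataclasses import dataclass
from typing import Optional

# Defaults documented for the BFD table columns.
DEFAULT_MIN_TX = 1000      # milliseconds
DEFAULT_DETECT_MULT = 5


@dataclass(frozen=True)
class BfdEndpoint:
    """One side of a BFD session, using the column names from the BFD table."""
    min_rx: int                             # Required Min RX Interval, ms; 0 = no periodic packets wanted
    min_tx: int = DEFAULT_MIN_TX            # Desired Min TX Interval, ms; at least 1 (zero is reserved)
    detect_mult: int = DEFAULT_DETECT_MULT  # Detection time multiplier; at least 1

    def __post_init__(self):
        # Mirror the column constraints: min_tx and detect_mult at least 1.
        if self.min_tx < 1 or self.detect_mult < 1 or self.min_rx < 0:
            raise ValueError("min_tx and detect_mult must be >= 1, min_rx >= 0")


def transmit_interval(sender: BfdEndpoint, receiver: BfdEndpoint) -> Optional[int]:
    """Interval (ms) at which `sender` actually sends Control packets to `receiver`.

    None means the receiver asked for no periodic packets (min_rx == 0).
    """
    if receiver.min_rx == 0:
        return None
    return max(sender.min_tx, receiver.min_rx)


def detection_time(local: BfdEndpoint, remote: BfdEndpoint) -> Optional[int]:
    """Detection Time (ms) at `local` for the session with `remote`.

    The remote's detect_mult multiplied by the remote's negotiated transmit
    interval toward us; None if we told the remote not to send periodically.
    """
    interval = transmit_interval(sender=remote, receiver=local)
    if interval is None:
        return None
    return remote.detect_mult * interval


if __name__ == "__main__":
    # Constructed sample: both ends at the documented defaults with min_rx 1000.
    local = BfdEndpoint(min_rx=1000)
    remote = BfdEndpoint(min_rx=1000)
    print("detection time with defaults:", detection_time(local, remote), "ms")
    # A peer that wants to send every 300 ms cannot beat our min_rx of 1000 ms.
    fast_peer = BfdEndpoint(min_rx=300, min_tx=300, detect_mult=3)
    print("detection time vs fast peer:", detection_time(local, fast_peer), "ms")
```

       With both sides at the documented defaults the local Detection Time is
       5 x 1000 ms = 5000 ms, which is the bound on how long a failed ECMP
       next hop keeps receiving traffic before the status column changes.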
       options: map of string-string pairs
              Reserved for future use.

       external_ids: map of string-string pairs
              See External IDs at the beginning of this document.

     Status Reporting:

       ovn-northd writes BFD status into these columns.

       status: optional string, one of admin_down, down, init, or up
              BFD port logical states. Possible values are:

              • admin_down

              • down

              • init

              • up



Open vSwitch 21.03.1              DB Schema 5.31.0                   ovn-nb(5)