1ovs-vswitchd.conf.db(5) Open vSwitch Manual ovs-vswitchd.conf.db(5)
2
6 ovs-vswitchd.conf.db - Open_vSwitch database schema
7 A database with this schema holds the configuration for one Open
9 vSwitch daemon. The top-level configuration for the daemon is the
10 Open_vSwitch table, which must have exactly one record. Records in
11 other tables are significant only when they can be reached directly or
12 indirectly from the Open_vSwitch table. Records that are not reachable
13 from the Open_vSwitch table are automatically deleted from the data‐
14 base, except for records in a few distinguished ``root set’’ tables.
15 Common Columns
17 Most tables contain two special columns, named other_config and exter‐
18 nal_ids. These columns have the same form and purpose each place that
19 they appear, so we describe them here to save space later.
20 other_config: map of string-string pairs
22 Key-value pairs for configuring rarely used features.
23 Supported keys, along with the forms taken by their val‐
24 ues, are documented individually for each table.
25 A few tables do not have other_config columns because no
27 key-value pairs have yet been defined for them.
28 external_ids: map of string-string pairs
30 Key-value pairs for use by external frameworks that inte‐
31 grate with Open vSwitch, rather than by Open vSwitch it‐
32 self. System integrators should either use the Open
33 vSwitch development mailing list to coordinate on common
34 key-value definitions, or choose key names that are
35 likely to be unique. In some cases, where key-value pairs
36 have been defined that are likely to be widely useful,
37 they are documented individually for each table.
38
40 The following list summarizes the purpose of each of the tables in the
41 Open_vSwitch database. Each table is described in more detail on a
42 later page.
43 Table Purpose
45 Open_vSwitch
46 Open vSwitch configuration.
47 Bridge Bridge configuration.
48 Port Port configuration.
49 Interface One physical network device in a Port.
50 Flow_Table
51 OpenFlow table configuration
52 QoS Quality of Service configuration
53 Queue QoS output queue.
54 Mirror Port mirroring.
55 Controller
56 OpenFlow controller configuration.
57 Manager OVSDB management connection.
58 NetFlow NetFlow configuration.
59 Datapath Datapath configuration.
60 CT_Zone CT_Zone configuration.
61 CT_Timeout_Policy
62 CT_Timeout_Policy configuration.
63 SSL SSL configuration.
64 sFlow sFlow configuration.
65 IPFIX IPFIX configuration.
66 Flow_Sample_Collector_Set
67 Flow_Sample_Collector_Set configuration.
68 AutoAttach
69 AutoAttach configuration.
70
72 Configuration for an Open vSwitch daemon. There must be exactly one
73 record in the Open_vSwitch table.
74 Summary:
76 Configuration:
77 datapaths map of string-Datapath pairs
78 bridges set of Bridges
79 ssl optional SSL
80 external_ids : system-id optional string
81 external_ids : xs-system-uuid
82 optional string
83 external_ids : hostname optional string
84 external_ids : rundir optional string
85 other_config : stats-update-interval
86 optional string, containing an integer,
87 at least 5,000
88 other_config : flow-restore-wait
89 optional string, either true or false
90 other_config : flow-limit optional string, containing an integer,
91 at least 0
92 other_config : max-idle optional string, containing an integer,
93 at least 500
94 other_config : max-revalidator
95 optional string, containing an integer,
96 at least 100
97 other_config : min-revalidate-pps
98 optional string, containing an integer,
99 at least 1
100 other_config : hw-offload optional string, either true or false
101 other_config : tc-policy optional string, one of none, skip_hw, or
102 skip_sw
103 other_config : dpdk-init optional string, one of false, true, or
104 try
105 other_config : dpdk-lcore-mask
106 optional string, containing an integer,
107 at least 1
108 other_config : pmd-cpu-mask
109 optional string
110 other_config : dpdk-alloc-mem
111 optional string, containing an integer,
112 at least 0
113 other_config : dpdk-socket-mem
114 optional string
115 other_config : dpdk-socket-limit
116 optional string
117 other_config : dpdk-hugepage-dir
118 optional string
119 other_config : dpdk-extra optional string
120 other_config : vhost-sock-dir
121 optional string
122 other_config : vhost-iommu-support
123 optional string, either true or false
124 other_config : vhost-postcopy-support
125 optional string, either true or false
126 other_config : per-port-memory
127 optional string, either true or false
128 other_config : tx-flush-interval
129 optional string, containing an integer,
130 in range 0 to 1,000,000
131 other_config : pmd-perf-metrics
132 optional string, either true or false
133 other_config : smc-enable optional string, either true or false
134 other_config : pmd-rxq-assign
135 optional string, either cycles or
136 roundrobin
137 other_config : n-handler-threads
138 optional string, containing an integer,
139 at least 1
140 other_config : n-revalidator-threads
141 optional string, containing an integer,
142 at least 1
143 other_config : emc-insert-inv-prob
144 optional string, containing an integer,
145 in range 0 to 4,294,967,295
146 other_config : vlan-limit optional string, containing an integer,
147 at least 0
148 other_config : bundle-idle-timeout
149 optional string, containing an integer,
150 at least 1
151 other_config : offload-rebalance
152 optional string, either true or false
153 other_config : pmd-auto-lb optional string, either true or false
154 other_config : pmd-auto-lb-rebal-interval
155 optional string, containing an integer,
156 in range 0 to 20,000
157 other_config : pmd-auto-lb-load-threshold
158 optional string, containing an integer,
159 in range 0 to 100
160 other_config : pmd-auto-lb-improvement-threshold
161 optional string, containing an integer,
162 in range 0 to 100
163 other_config : userspace-tso-enable
164 optional string, either true or false
165 Status:
166 next_cfg integer
167 cur_cfg integer
168 dpdk_initialized boolean
169 Statistics:
170 other_config : enable-statistics
171 optional string, either true or false
172 statistics : cpu optional string, containing an integer,
173 at least 1
174 statistics : load_average
175 optional string
176 statistics : memory optional string
177 statistics : process_NAME
178 optional string
179 statistics : file_systems
180 optional string
181 Version Reporting:
182 ovs_version optional string
183 db_version optional string
184 system_type optional string
185 system_version optional string
186 dpdk_version optional string
187 Capabilities:
188 datapath_types set of strings
189 iface_types set of strings
190 Database Configuration:
191 manager_options set of Managers
192 IPsec:
193 other_config : private_key optional string
194 other_config : certificate optional string
195 other_config : ca_cert optional string
196 Plaintext Tunnel Policy:
197 other_config : ipsec_skb_mark
198 optional string
199 Common Columns:
200 other_config map of string-string pairs
201 external_ids map of string-string pairs
202 Details:
204 Configuration:
205 datapaths: map of string-Datapath pairs
207 Map of datapath types to datapaths. The datapath_type column of
208 the Bridge table is used as a key for this map. The value points
209 to a row in the Datapath table.
210 bridges: set of Bridges
212 Set of bridges managed by the daemon.
213 ssl: optional SSL
215 SSL used globally by the daemon.
216 external_ids : system-id: optional string
218 A unique identifier for the Open vSwitch’s physical host. The
219 form of the identifier depends on the type of the host. On a
220 Citrix XenServer, this will likely be the same as exter‐
221 nal_ids:xs-system-uuid.
222 external_ids : xs-system-uuid: optional string
224 The Citrix XenServer universally unique identifier for the phys‐
225 ical host as displayed by xe host-list.
226 external_ids : hostname: optional string
228 The hostname for the host running Open vSwitch. This is a fully
229 qualified domain name since version 2.6.2.
230 external_ids : rundir: optional string
232 In Open vSwitch 2.8 and later, the run directory of the running
233 Open vSwitch daemon. This directory is used for runtime state
234 such as control and management sockets. The value of other_con‐
235 fig:vhost-sock-dir is relative to this directory.
236 other_config : stats-update-interval: optional string, containing an
238 integer, at least 5,000
239 Interval for updating statistics to the database, in millisec‐
240 onds. This option will affect the update of the statistics col‐
241 umn in the following tables: Port, Interface , Mirror.
242 Default value is 5000 ms.
244 Getting statistics more frequently can be achieved via OpenFlow.
246 other_config : flow-restore-wait: optional string, either true or false
248 When ovs-vswitchd starts up, it has an empty flow table and
249 therefore it handles all arriving packets in its default fashion
250 according to its configuration, by dropping them or sending them
251 to an OpenFlow controller or switching them as a standalone
252 switch. This behavior is ordinarily desirable. However, if
253 ovs-vswitchd is restarting as part of a ``hot-upgrade,’’ then
254 this leads to a relatively long period during which packets are
255 mishandled.
256 This option allows for improvement. When ovs-vswitchd starts
258 with this value set as true, it will neither flush or expire
259 previously set datapath flows nor will it send and receive any
260 packets to or from the datapath. When this value is later set to
261 false, ovs-vswitchd will start receiving packets from the data‐
262 path and re-setup the flows.
263 Additionally, ovs-vswitchd is prevented from connecting to con‐
265 trollers when this value is set to true. This prevents con‐
266 trollers from making changes to the flow table in the middle of
267 flow restoration, which could result in undesirable intermediate
268 states. Once this value has been set to false and the desired
269 flow state has been restored, ovs-vswitchd will be able to re‐
270 connect to controllers and process any new flow table modifica‐
271 tions.
272 Thus, with this option, the procedure for a hot-upgrade of
274 ovs-vswitchd becomes roughly the following:
275 1. Stop ovs-vswitchd.
277 2. Set other_config:flow-restore-wait to true.
279 3. Start ovs-vswitchd.
281 4. Use ovs-ofctl (or some other program, such as an OpenFlow
283 controller) to restore the OpenFlow flow table to the de‐
284 sired state.
285 5. Set other_config:flow-restore-wait to false (or remove it
287 entirely from the database).
288 The ovs-ctl’s ``restart’’ and ``force-reload-kmod’’ functions
290 use the above config option during hot upgrades.
291 other_config : flow-limit: optional string, containing an integer, at
293 least 0
294 The maximum number of flows allowed in the datapath flow table.
295 Internally OVS will choose a flow limit which will likely be
296 lower than this number, based on real time network conditions.
297 Tweaking this value is discouraged unless you know exactly what
298 you’re doing.
299 The default is 200000.
301 other_config : max-idle: optional string, containing an integer, at
303 least 500
304 The maximum time (in ms) that idle flows will remain cached in
305 the datapath. Internally OVS will check the validity and activ‐
306 ity for datapath flows regularly and may expire flows quicker
307 than this number, based on real time network conditions. Tweak‐
308 ing this value is discouraged unless you know exactly what
309 you’re doing.
310 The default is 10000.
312 other_config : max-revalidator: optional string, containing an integer,
314 at least 100
315 The maximum time (in ms) that revalidator threads will wait be‐
316 fore executing flow revalidation. Note that this is maximum al‐
317 lowed value. Actual timeout used by OVS is minimum of max-idle
318 and max-revalidator values. Tweaking this value is discouraged
319 unless you know exactly what you’re doing.
320 The default is 500.
322 other_config : min-revalidate-pps: optional string, containing an inte‐
324 ger, at least 1
325 Set minimum pps that flow must have in order to be revalidated
326 when revalidation duration exceeds half of max-revalidator con‐
327 fig variable.
328 The default is 5.
330 other_config : hw-offload: optional string, either true or false
332 Set this value to true to enable netdev flow offload.
333 The default value is false. Changing this value requires
335 restarting the daemon
336 Currently Open vSwitch supports hardware offloading on Linux
338 systems. On other systems, this value is ignored. This function‐
339 ality is considered ’experimental’. Depending on which OpenFlow
340 matches and actions are configured, which kernel version is
341 used, and what hardware is available, Open vSwitch may not be
342 able to offload functionality to hardware.
343 In order to dump HW offloaded flows use ovs-appctl
345 dpctl/dump-flows, ovs-dpctl doesn’t support this functionality.
346 See ovs-vswitchd(8) for details.
347 other_config : tc-policy: optional string, one of none, skip_hw, or
349 skip_sw
350 Specified the policy used with HW offloading. Options:
351 none Add software rule and offload rule to HW.
353 skip_sw
355 Offload rule to HW only.
356 skip_hw
358 Add software rule without offloading rule to HW.
359 This is only relevant if other_config:hw-offload is enabled.
361 The default value is none.
363 other_config : dpdk-init: optional string, one of false, true, or try
365 Set this value to true or try to enable runtime support for DPDK
366 ports. The vswitch must have compile-time support for DPDK as
367 well.
368 A value of true will cause the ovs-vswitchd process to abort if
370 DPDK cannot be initialized. A value of try will allow the ovs-
371 vswitchd process to continue running even if DPDK cannot be ini‐
372 tialized.
373 The default value is false. Changing this value requires
375 restarting the daemon
376 If this value is false at startup, any dpdk ports which are con‐
378 figured in the bridge will fail due to memory errors.
379 other_config : dpdk-lcore-mask: optional string, containing an integer,
381 at least 1
382 Specifies the CPU cores where dpdk lcore threads should be
383 spawned. The DPDK lcore threads are used for DPDK library tasks,
384 such as library internal message processing, logging, etc. Value
385 should be in the form of a hex string (so ’0x123’) similar to
386 the ’taskset’ mask input.
387 The lowest order bit corresponds to the first CPU core. A set
389 bit means the corresponding core is available and an lcore
390 thread will be created and pinned to it. If the input does not
391 cover all cores, those uncovered cores are considered not set.
392 For performance reasons, it is best to set this to a single core
394 on the system, rather than allow lcore threads to float.
395 If not specified, the value will be determined by choosing the
397 lowest CPU core from initial cpu affinity list. Otherwise, the
398 value will be passed directly to the DPDK library.
399 other_config : pmd-cpu-mask: optional string
401 Specifies CPU mask for setting the cpu affinity of PMD (Poll
402 Mode Driver) threads. Value should be in the form of hex string,
403 similar to the dpdk EAL ’-c COREMASK’ option input or the
404 ’taskset’ mask input.
405 The lowest order bit corresponds to the first CPU core. A set
407 bit means the corresponding core is available and a pmd thread
408 will be created and pinned to it. If the input does not cover
409 all cores, those uncovered cores are considered not set.
410 If not specified, one pmd thread will be created for each numa
412 node and pinned to any available core on the numa node by de‐
413 fault.
414 other_config : dpdk-alloc-mem: optional string, containing an integer,
416 at least 0
417 Specifies the amount of memory to preallocate from the hugepage
418 pool, regardless of socket. It is recommended that dpdk-socket-
419 mem is used instead.
420 other_config : dpdk-socket-mem: optional string
422 Specifies the amount of memory to preallocate from the hugepage
423 pool, on a per-socket basis.
424 The specifier is a comma-separated string, in ascending order of
426 CPU socket. E.g. On a four socket system 1024,0,2048 would set
427 socket 0 to preallocate 1024MB, socket 1 to preallocate 0MB,
428 socket 2 to preallocate 2048MB and socket 3 (no value given) to
429 preallocate 0MB.
430 If dpdk-socket-mem and dpdk-alloc-mem are not specified, dpdk-
432 socket-mem will be used and the default value is 1024 for each
433 numa node. If dpdk-socket-mem and dpdk-alloc-mem are specified
434 at same time, dpdk-socket-mem will be used as default. Changing
435 this value requires restarting the daemon.
436 other_config : dpdk-socket-limit: optional string
438 Limits the maximum amount of memory that can be used from the
439 hugepage pool, on a per-socket basis.
440 The specifier is a comma-separated list of memory limits per
442 socket. 0 will disable the limit for a particular socket.
443 If not specified, OVS will configure limits equal to the amount
445 of preallocated memory specified by other_config:dpdk-socket-mem
446 or --socket-mem in other_config:dpdk-extra. If none of the above
447 options specified or --legacy-mem provided in other_config:dpdk-
448 extra, limits will not be applied. Changing this value requires
449 restarting the daemon.
450 other_config : dpdk-hugepage-dir: optional string
452 Specifies the path to the hugetlbfs mount point.
453 If not specified, this will be guessed by the DPDK library (de‐
455 fault is /dev/hugepages). Changing this value requires restart‐
456 ing the daemon.
457 other_config : dpdk-extra: optional string
459 Specifies additional eal command line arguments for DPDK.
460 The default is empty. Changing this value requires restarting
462 the daemon
463 other_config : vhost-sock-dir: optional string
465 Specifies a relative path from external_ids:rundir to the vhost-
466 user unix domain socket files. If this value is unset, the sock‐
467 ets are put directly in external_ids:rundir.
468 Changing this value requires restarting the daemon.
470 other_config : vhost-iommu-support: optional string, either true or
472 false
473 vHost IOMMU is a security feature, which restricts the vhost
474 memory that a virtio device may access. vHost IOMMU support is
475 disabled by default, due to a bug in QEMU implementations of the
476 vhost REPLY_ACK protocol, (on which vHost IOMMU relies) prior to
477 v2.9.1. Setting this value to true enables vHost IOMMU support
478 for vHost User Client ports in OvS-DPDK, starting from DPDK
479 v17.11.
480 Changing this value requires restarting the daemon.
482 other_config : vhost-postcopy-support: optional string, either true or
484 false
485 vHost post-copy is a feature which allows switching live migra‐
486 tion of VM attached to dpdkvhostuserclient port to post-copy
487 mode if default pre-copy migration can not be converged or takes
488 too long to converge. Setting this value to true enables vHost
489 post-copy support for all dpdkvhostuserclient ports. Available
490 starting from DPDK v18.11 and QEMU 2.12.
491 Changing this value requires restarting the daemon.
493 other_config : per-port-memory: optional string, either true or false
495 By default OVS DPDK uses a shared memory model wherein devices
496 that have the same MTU and socket values can share the same mem‐
497 pool. Setting this value to true changes this behaviour. Per
498 port memory allow DPDK devices to use private memory per device.
499 This can provide greater transparency as regards memory usage
500 but potentially at the cost of greater memory requirements.
501 Changing this value requires restarting the daemon if dpdk-init
503 has already been set to true.
504 other_config : tx-flush-interval: optional string, containing an inte‐
506 ger, in range 0 to 1,000,000
507 Specifies the time in microseconds that a packet can wait in
508 output batch for sending i.e. amount of time that packet can
509 spend in an intermediate output queue before sending to netdev.
510 This option can be used to configure balance between throughput
511 and latency. Lower values decreases latency while higher values
512 may be useful to achieve higher performance.
513 Defaults to 0 i.e. instant packet sending (latency optimized).
515 other_config : pmd-perf-metrics: optional string, either true or false
517 Enables recording of detailed PMD performance metrics for analy‐
518 sis and trouble-shooting. This can have a performance impact in
519 the order of 1%.
520 Defaults to false but can be changed at any time.
522 other_config : smc-enable: optional string, either true or false
524 Signature match cache or SMC is a cache between EMC and megaflow
525 cache. It does not store the full key of the flow, so it is more
526 memory efficient comparing to EMC cache. SMC is especially use‐
527 ful when flow count is larger than EMC capacity.
528 Defaults to false but can be changed at any time.
530 other_config : pmd-rxq-assign: optional string, either cycles or
532 roundrobin
533 Specifies how RX queues will be automatically assigned to CPU
534 cores. Options:
535 cycles Rxqs will be sorted by order of measured processing cy‐
537 cles before being assigned to CPU cores.
538 roundrobin
540 Rxqs will be round-robined across CPU cores.
541 The default value is cycles.
543 Changing this value will affect an automatic re-assignment of
545 Rxqs to CPUs. Note: Rxqs mapped to CPU cores with pmd-rxq-affin‐
546 ity are unaffected.
547 other_config : n-handler-threads: optional string, containing an inte‐
549 ger, at least 1
550 Specifies the number of threads for software datapaths to use
551 for handling new flows. The default the number of online CPU
552 cores minus the number of revalidators.
553 This configuration is per datapath. If you have more than one
555 software datapath (e.g. some system bridges and some netdev
556 bridges), then the total number of threads is n-handler-threads
557 times the number of software datapaths.
558 other_config : n-revalidator-threads: optional string, containing an
560 integer, at least 1
561 Specifies the number of threads for software datapaths to use
562 for revalidating flows in the datapath. Typically, there is a
563 direct correlation between the number of revalidator threads,
564 and the number of flows allowed in the datapath. The default is
565 the number of cpu cores divided by four plus one. If n-han‐
566 dler-threads is set, the default changes to the number of cpu
567 cores minus the number of handler threads.
568 This configuration is per datapath. If you have more than one
570 software datapath (e.g. some system bridges and some netdev
571 bridges), then the total number of threads is n-handler-threads
572 times the number of software datapaths.
573 other_config : emc-insert-inv-prob: optional string, containing an in‐
575 teger, in range 0 to 4,294,967,295
576 Specifies the inverse probability (1/emc-insert-inv-prob) of a
577 flow being inserted into the Exact Match Cache (EMC). On average
578 one in every emc-insert-inv-prob packets that generate a unique
579 flow will cause an insertion into the EMC. A value of 1 will re‐
580 sult in an insertion for every flow (1/1 = 100%) whereas a value
581 of zero will result in no insertions and essentially disable the
582 EMC.
583 Defaults to 100 ie. there is (1/100 =) 1% chance of EMC inser‐
585 tion.
586 other_config : vlan-limit: optional string, containing an integer, at
588 least 0
589 Limits the number of VLAN headers that can be matched to the
590 specified number. Further VLAN headers will be treated as pay‐
591 load, e.g. a packet with more 802.1q headers will match Ethernet
592 type 0x8100.
593 Open vSwitch userspace currently supports at most 2 VLANs, and
595 each datapath has its own limit. If vlan-limit is nonzero, it
596 acts as a further limit.
597 If this value is absent, the default is currently 1. This main‐
599 tains backward compatibility with controllers that were designed
600 for use with Open vSwitch versions earlier than 2.8, which only
601 supported one VLAN.
602 other_config : bundle-idle-timeout: optional string, containing an in‐
604 teger, at least 1
605 The maximum time (in seconds) that idle bundles will wait to be
606 expired since it was either opened, modified or closed.
607 OpenFlow specification mandates the timeout to be at least one
609 second. The default is 10 seconds.
610 other_config : offload-rebalance: optional string, either true or false
612 Configures HW offload rebalancing, that allows to dynamically
613 offload and un-offload flows while an offload-device is out of
614 resources (OOR). This policy allows flows to be selected for of‐
615 floading based on the packets-per-second (pps) rate of flows.
616 Set this value to true to enable this option.
618 The default value is false. Changing this value requires
620 restarting the daemon.
621 This is only relevant if HW offloading is enabled (hw-offload).
623 When this policy is enabled, it also requires ’tc-policy’ to be
624 set to ’skip_sw’.
625 other_config : pmd-auto-lb: optional string, either true or false
627 Configures PMD Auto Load Balancing that allows automatic assign‐
628 ment of RX queues to PMDs if any of PMDs is overloaded (i.e. a
629 processing cycles > other_config:pmd-auto-lb-load-threshold).
630 It uses current scheme of cycle based assignment of RX queues
632 that are not statically pinned to PMDs.
633 The default value is false.
635 Set this value to true to enable this option. It is currently
637 disabled by default and an experimental feature.
638 This only comes in effect if cycle based assignment is enabled
640 and there are more than one non-isolated PMDs present and at
641 least one of it polls more than one queue.
642 other_config : pmd-auto-lb-rebal-interval: optional string, containing
644 an integer, in range 0 to 20,000
645 The minimum time (in minutes) 2 consecutive PMD Auto Load Bal‐
646 ancing iterations.
647 The defaul value is 1 min. If configured to 0 then it would be
649 converted to default value i.e. 1 min
650 This option can be configured to avoid frequent trigger of auto
652 load balancing of PMDs. For e.g. set the value (in min) such
653 that it occurs once in few hours or a day or a week.
654 other_config : pmd-auto-lb-load-threshold: optional string, containing
656 an integer, in range 0 to 100
657 Specifies the minimum PMD thread load threshold (% of used cy‐
658 cles) of any non-isolated PMD threads when a PMD Auto Load Bal‐
659 ance may be triggered.
660 The default value is 95%.
662 other_config : pmd-auto-lb-improvement-threshold: optional string, con‐
664 taining an integer, in range 0 to 100
665 Specifies the minimum evaluated % improvement in load distribu‐
666 tion across the non-isolated PMD threads that will allow a PMD
667 Auto Load Balance to occur.
668 Note, setting this parameter to 0 will always allow an auto load
670 balance to occur regardless of estimated improvement or not.
671 The default value is 25%.
673 other_config : userspace-tso-enable: optional string, either true or
675 false
676 Set this value to true to enable userspace support for TCP Seg‐
677 mentation Offloading (TSO). When it is enabled, the interfaces
678 can provide an oversized TCP segment to the datapath and the
679 datapath will offload the TCP segmentation and checksum calcula‐
680 tion to the interfaces when necessary.
681 The default value is false. Changing this value requires
683 restarting the daemon.
684 The feature only works if Open vSwitch is built with DPDK sup‐
686 port.
687 The feature is considered experimental.
689 Status:
691 next_cfg: integer
693 Sequence number for client to increment. When a client modifies
694 any part of the database configuration and wishes to wait for
695 Open vSwitch to finish applying the changes, it may increment
696 this sequence number.
697 cur_cfg: integer
699 Sequence number that Open vSwitch sets to the current value of
700 next_cfg after it finishes applying a set of configuration
701 changes.
702 dpdk_initialized: boolean
704 True if other_config:dpdk-init is set to true and the DPDK li‐
705 brary is successfully initialized.
706 Statistics:
708 The statistics column contains key-value pairs that report statistics
710 about a system running an Open vSwitch. These are updated periodically
711 (currently, every 5 seconds). Key-value pairs that cannot be determined
712 or that do not apply to a platform are omitted.
713 other_config : enable-statistics: optional string, either true or false
715 Statistics are disabled by default to avoid overhead in the com‐
716 mon case when statistics gathering is not useful. Set this value
717 to true to enable populating the statistics column or to false
718 to explicitly disable it.
719 statistics : cpu: optional string, containing an integer, at least 1
721 Number of CPU processors, threads, or cores currently online and
722 available to the operating system on which Open vSwitch is run‐
723 ning, as an integer. This may be less than the number installed,
724 if some are not online or if they are not available to the oper‐
725 ating system.
726 Open vSwitch userspace processes are not multithreaded, but the
728 Linux kernel-based datapath is.
729 statistics : load_average: optional string
731 A comma-separated list of three floating-point numbers, repre‐
732 senting the system load average over the last 1, 5, and 15 min‐
733 utes, respectively.
734 statistics : memory: optional string
736 A comma-separated list of integers, each of which represents a
737 quantity of memory in kilobytes that describes the operating
738 system on which Open vSwitch is running. In respective order,
739 these values are:
740 1. Total amount of RAM allocated to the OS.
742 2. RAM allocated to the OS that is in use.
744 3. RAM that can be flushed out to disk or otherwise discarded
746 if that space is needed for another purpose. This number is
747 necessarily less than or equal to the previous value.
748 4. Total disk space allocated for swap.
750 5. Swap space currently in use.
752 On Linux, all five values can be determined and are included. On
754 other operating systems, only the first two values can be deter‐
755 mined, so the list will only have two values.
756 statistics : process_NAME: optional string
758 One such key-value pair, with NAME replaced by a process name,
759 will exist for each running Open vSwitch daemon process, with
760 name replaced by the daemon’s name (e.g. process_ovs-vswitchd).
761 The value is a comma-separated list of integers. The integers
762 represent the following, with memory measured in kilobytes and
763 durations in milliseconds:
764 1. The process’s virtual memory size.
766 2. The process’s resident set size.
768 3. The amount of user and system CPU time consumed by the
770 process.
771 4. The number of times that the process has crashed and been
773 automatically restarted by the monitor.
774 5. The duration since the process was started.
776 6. The duration for which the process has been running.
778 The interpretation of some of these values depends on whether
780 the process was started with the --monitor. If it was not, then
781 the crash count will always be 0 and the two durations will al‐
782 ways be the same. If --monitor was given, then the crash count
783 may be positive; if it is, the latter duration is the amount of
784 time since the most recent crash and restart.
785 There will be one key-value pair for each file in Open vSwitch’s
787 ``run directory’’ (usually /var/run/openvswitch) whose name ends
788 in .pid, whose contents are a process ID, and which is locked by
789 a running process. The name is taken from the pidfile’s name.
790 Currently Open vSwitch is only able to obtain all of the above
792 detail on Linux systems. On other systems, the same key-value
793 pairs will be present but the values will always be the empty
794 string.
795 statistics : file_systems: optional string
797 A space-separated list of information on local, writable file
798 systems. Each item in the list describes one file system and
799 consists in turn of a comma-separated list of the following:
800 1. Mount point, e.g. / or /var/log. Any spaces or commas in the
802 mount point are replaced by underscores.
803 2. Total size, in kilobytes, as an integer.
805 3. Amount of storage in use, in kilobytes, as an integer.
807 This key-value pair is omitted if there are no local, writable
809 file systems or if Open vSwitch cannot obtain the needed infor‐
810 mation.
811 Version Reporting:
813 These columns report the types and versions of the hardware and soft‐
815 ware running Open vSwitch. We recommend in general that software should
816 test whether specific features are supported instead of relying on ver‐
817 sion number checks. These values are primarily intended for reporting
818 to human administrators.
819 ovs_version: optional string
821 The Open vSwitch version number, e.g. 1.1.0.
822 db_version: optional string
824 The database schema version number, e.g. 1.2.3. See ovsdb-
825 tool(1) for an explanation of the numbering scheme.
826 The schema version is part of the database schema, so it can
828 also be retrieved by fetching the schema using the Open vSwitch
829 database protocol.
830 system_type: optional string
832 An identifier for the type of system on top of which Open
833 vSwitch runs, e.g. XenServer or KVM.
834 System integrators are responsible for choosing and setting an
836 appropriate value for this column.
837 system_version: optional string
839 The version of the system identified by system_type, e.g.
840 5.6.100-39265p on XenServer 5.6.100 build 39265.
841 System integrators are responsible for choosing and setting an
843 appropriate value for this column.
844 dpdk_version: optional string
846 The version of the linked DPDK library.
847 Capabilities:
849 These columns report capabilities of the Open vSwitch instance.
851 datapath_types: set of strings
853 This column reports the different dpifs registered with the sys‐
854 tem. These are the values that this instance supports in the
855 datapath_type column of the Bridge table.
856 iface_types: set of strings
858 This column reports the different netdevs registered with the
859 system. These are the values that this instance supports in the
860 type column of the Interface table.
861 Database Configuration:
863 These columns primarily configure the Open vSwitch database
865 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The OVSDB
866 database also uses the ssl settings.
867 The Open vSwitch switch does read the database configuration to deter‐
869 mine remote IP addresses to which in-band control should apply.
870 manager_options: set of Managers
872 Database clients to which the Open vSwitch database server
873 should connect or to which it should listen, along with options
874 for how these connections should be configured. See the Manager
875 table for more information.
876 For this column to serve its purpose, ovsdb-server must be con‐
878 figured to honor it. The easiest way to do this is to invoke
879 ovsdb-server with the option --re‐
880 mote=db:Open_vSwitch,Open_vSwitch,manager_options The startup
881 scripts that accompany Open vSwitch do this by default.
882 IPsec:
884 These settings control the global configuration of IPsec tunnels. The
886 options column of the Interface table configures IPsec for individual
887 tunnels.
888 OVS IPsec supports the following three forms of authentication. Cur‐
890 rently, all IPsec tunnels must use the same form:
891 1. Pre-shared keys: Omit the global settings. On each tunnel,
893 set options:psk.
894 2. Self-signed certificates: Set the private_key and certifi‐
896 cate global settings. On each tunnel, set options:re‐
897 mote_cert. The remote certificate can be self-signed.
898 3. CA-signed certificates: Set all of the global settings. On
900 each tunnel, set options:remote_name to the common name (CN)
901 of the remote certificate. The remote certificate must be
902 signed by the CA.
903 other_config : private_key: optional string
905 Name of a PEM file containing the private key used as the
906 switch’s identity for IPsec tunnels.
907 other_config : certificate: optional string
909 Name of a PEM file containing a certificate that certifies the
910 switch’s private key, and identifies a trustworthy switch for
911 IPsec tunnels. The certificate must be x.509 version 3 and with
912 the string in common name (CN) also set in the subject alterna‐
913 tive name (SAN).
914 other_config : ca_cert: optional string
916 Name of a PEM file containing the CA certificate used to verify
917 that a remote switch of the IPsec tunnel is trustworthy.
918 Plaintext Tunnel Policy:
920 When an IPsec tunnel is configured in this database, multiple indepen‐
922 dent components take responsibility for implementing it. ovs-vswitchd
923 and its datapath handle packet forwarding to the tunnel and a separate
924 daemon pushes the tunnel’s IPsec policy configuration to the kernel or
925 other entity that implements it. There is a race: if the former config‐
926 uration completes before the latter, then packets sent by the local
927 host over the tunnel can be transmitted in plaintext. Using this set‐
928 ting, OVS users can avoid this undesirable situation.
929 other_config : ipsec_skb_mark: optional string
931 This setting takes the form value/mask. If it is specified, then
932 the skb_mark field in every outgoing tunneled packet sent in
933 plaintext is compared against it and, if it matches, the packet
934 is dropped. This is a global setting that is applied to every
935 tunneled packet, regardless of whether IPsec encryption is en‐
936 abled for the tunnel, the type of tunnel, or whether OVS is in‐
937 volved.
938 Example policies:
940 1/1 Drop all unencrypted tunneled packets in which the least-
942 significant bit of skb_mark is 1. This would be a useful
943 policy given an OpenFlow flow table that sets skb_mark to
944 1 for traffic that should be encrypted. The default
945 skb_mark is 0, so this would not affect other traffic.
946 0/1 Drop all unencrypted tunneled packets in which the least-
948 significant bit of skb_mark is 0. This would be a useful
949 policy if no unencrypted tunneled traffic should exit the
950 system without being specially permitted by setting
951 skb_mark to 1.
952 (empty)
954 If this setting is empty or unset, then all unencrypted
955 tunneled packets are transmitted in the usual way.
956 Common Columns:
958 The overall purpose of these columns is described under Common Columns
960 at the beginning of this document.
961 other_config: map of string-string pairs
963 external_ids: map of string-string pairs
965
967 Configuration for a bridge within an Open_vSwitch.
968 A Bridge record represents an Ethernet switch with one or more
970 ``ports,’’ which are the Port records pointed to by the Bridge’s ports
971 column.
972 Summary:
974 Core Features:
975 name immutable string (must be unique within
976 table)
977 ports set of Ports
978 mirrors set of Mirrors
979 netflow optional NetFlow
980 sflow optional sFlow
981 ipfix optional IPFIX
982 flood_vlans set of up to 4,096 integers, in range 0
983 to 4,095
984 auto_attach optional AutoAttach
985 OpenFlow Configuration:
986 controller set of Controllers
987 flow_tables map of integer-Flow_Table pairs, key in
988 range 0 to 254
989 fail_mode optional string, either secure or stand‐
990 alone
991 datapath_id optional string
992 datapath_version string
993 other_config : datapath-id optional string
994 other_config : dp-desc optional string
995 other_config : dp-sn optional string
996 other_config : disable-in-band
997 optional string, either true or false
998 other_config : in-band-queue
999 optional string, containing an integer,
1000 in range 0 to 4,294,967,295
1001 other_config : controller-queue-size
1002 optional string, containing an integer,
1003 in range 1 to 512
1004 protocols set of strings, one of OpenFlow10, Open‐
1005 Flow11, OpenFlow12, OpenFlow13, Open‐
1006 Flow14, or OpenFlow15
1007 Spanning Tree Configuration:
1008 STP Configuration:
1009 stp_enable boolean
1010 other_config : stp-system-id
1011 optional string
1012 other_config : stp-priority
1013 optional string, containing an integer,
1014 in range 0 to 65,535
1015 other_config : stp-hello-time
1016 optional string, containing an integer,
1017 in range 1 to 10
1018 other_config : stp-max-age
1019 optional string, containing an integer,
1020 in range 6 to 40
1021 other_config : stp-forward-delay
1022 optional string, containing an integer,
1023 in range 4 to 30
1024 other_config : mcast-snooping-aging-time
1025 optional string, containing an integer,
1026 at least 1
1027 other_config : mcast-snooping-table-size
1028 optional string, containing an integer,
1029 at least 1
1030 other_config : mcast-snooping-disable-flood-unregistered
1031 optional string, either true or false
1032 STP Status:
1033 status : stp_bridge_id optional string
1034 status : stp_designated_root
1035 optional string
1036 status : stp_root_path_cost
1037 optional string
1038 Rapid Spanning Tree:
1039 RSTP Configuration:
1040 rstp_enable boolean
1041 other_config : rstp-address
1042 optional string
1043 other_config : rstp-priority
1044 optional string, containing an integer,
1045 in range 0 to 61,440
1046 other_config : rstp-ageing-time
1047 optional string, containing an integer,
1048 in range 10 to 1,000,000
1049 other_config : rstp-force-protocol-version
1050 optional string, containing an integer
1051 other_config : rstp-max-age
1052 optional string, containing an integer,
1053 in range 6 to 40
1054 other_config : rstp-forward-delay
1055 optional string, containing an integer,
1056 in range 4 to 30
1057 other_config : rstp-transmit-hold-count
1058 optional string, containing an integer,
1059 in range 1 to 10
1060 RSTP Status:
1061 rstp_status : rstp_bridge_id
1062 optional string
1063 rstp_status : rstp_root_id
1064 optional string
1065 rstp_status : rstp_root_path_cost
1066 optional string, containing an integer,
1067 at least 0
1068 rstp_status : rstp_designated_id
1069 optional string
1070 rstp_status : rstp_designated_port_id
1071 optional string
1072 rstp_status : rstp_bridge_port_id
1073 optional string
1074 Multicast Snooping Configuration:
1075 mcast_snooping_enable boolean
1076 Other Features:
1077 datapath_type string
1078 external_ids : bridge-id optional string
1079 external_ids : xs-network-uuids
1080 optional string
1081 other_config : hwaddr optional string
1082 other_config : forward-bpdu
1083 optional string, either true or false
1084 other_config : mac-aging-time
1085 optional string, containing an integer,
1086 at least 1
1087 other_config : mac-table-size
1088 optional string, containing an integer,
1089 at least 1
1090 Common Columns:
1091 other_config map of string-string pairs
1092 external_ids map of string-string pairs
1093 Details:
1095 Core Features:
1096 name: immutable string (must be unique within table)
1098 Bridge identifier. Must be unique among the names of ports, in‐
1099 terfaces, and bridges on a host.
1100 The name must be alphanumeric and must not contain forward or
1102 backward slashes. The name of a bridge is also the name of an
1103 Interface (and a Port) within the bridge, so the restrictions on
1104 the name column in the Interface table, particularly on length,
1105 also apply to bridge names. Refer to the documentation for In‐
1106 terface names for details.
1107 ports: set of Ports
1109 Ports included in the bridge.
1110 mirrors: set of Mirrors
1112 Port mirroring configuration.
1113 netflow: optional NetFlow
1115 NetFlow configuration.
1116 sflow: optional sFlow
1118 sFlow(R) configuration.
1119 ipfix: optional IPFIX
1121 IPFIX configuration.
1122 flood_vlans: set of up to 4,096 integers, in range 0 to 4,095
1124 VLAN IDs of VLANs on which MAC address learning should be dis‐
1125 abled, so that packets are flooded instead of being sent to spe‐
1126 cific ports that are believed to contain packets’ destination
1127 MACs. This should ordinarily be used to disable MAC learning on
1128 VLANs used for mirroring (RSPAN VLANs). It may also be useful
1129 for debugging.
1130 SLB bonding (see the bond_mode column in the Port table) is in‐
1132 compatible with flood_vlans. Consider using another bonding mode
1133 or a different type of mirror instead.
1134 auto_attach: optional AutoAttach
1136 Auto Attach configuration.
1137 OpenFlow Configuration:
1139 controller: set of Controllers
1141 OpenFlow controller set. If unset, then no OpenFlow controllers
1142 will be used.
1143 If there are primary controllers, removing all of them clears
1145 the OpenFlow flow tables, group table, and meter table. If there
1146 are no primary controllers, adding one also clears these tables.
1147 Other changes to the set of controllers, such as adding or re‐
1148 moving a service controller, adding another primary controller
1149 to supplement an existing primary controller, or removing only
1150 one of two primary controllers, have no effect on these tables.
1151 flow_tables: map of integer-Flow_Table pairs, key in range 0 to 254
1153 Configuration for OpenFlow tables. Each pair maps from an Open‐
1154 Flow table ID to configuration for that table.
1155 fail_mode: optional string, either secure or standalone
1157 When a controller is configured, it is, ordinarily, responsible
1158 for setting up all flows on the switch. Thus, if the connection
1159 to the controller fails, no new network connections can be set
1160 up. If the connection to the controller stays down long enough,
1161 no packets can pass through the switch at all. This setting de‐
1162 termines the switch’s response to such a situation. It may be
1163 set to one of the following:
1164 standalone
1166 If no message is received from the controller for three
1167 times the inactivity probe interval (see inactiv‐
1168 ity_probe), then Open vSwitch will take over responsibil‐
1169 ity for setting up flows. In this mode, Open vSwitch
1170 causes the bridge to act like an ordinary MAC-learning
1171 switch. Open vSwitch will continue to retry connecting to
1172 the controller in the background and, when the connection
1173 succeeds, it will discontinue its standalone behavior.
1174 secure Open vSwitch will not set up flows on its own when the
1176 controller connection fails or when no controllers are
1177 defined. The bridge will continue to retry connecting to
1178 any defined controllers forever.
1179 The default is standalone if the value is unset, but future ver‐
1181 sions of Open vSwitch may change the default.
1182 The standalone mode can create forwarding loops on a bridge that
1184 has more than one uplink port unless STP is enabled. To avoid
1185 loops on such a bridge, configure secure mode or enable STP (see
1186 stp_enable).
1187 The fail_mode setting applies only to primary controllers. When
1189 more than one primary controller is configured, fail_mode is
1190 considered only when none of the configured controllers can be
1191 contacted.
1192 Changing fail_mode when no primary controllers are configured
1194 clears the OpenFlow flow tables, group table, and meter table.
1195 datapath_id: optional string
1197 Reports the OpenFlow datapath ID in use. Exactly 16 hex digits.
1198 (Setting this column has no useful effect. Set other-con‐
1199 fig:datapath-id instead.)
1200 datapath_version: string
1202 Reports the datapath version. This column is maintained for
1203 backwards compatibility. The preferred locatation is the data‐
1204 path_id column of the Datapath table. The full documentation for
1205 this column is there.
1206 other_config : datapath-id: optional string
1208 Overrides the default OpenFlow datapath ID, setting it to the
1209 specified value specified in hex. The value must either have a
1210 0x prefix or be exactly 16 hex digits long. May not be all-zero.
1211 other_config : dp-desc: optional string
1213 Human readable description of datapath. It is a maximum 256
1214 byte-long free-form string to describe the datapath for debug‐
1215 ging purposes, e.g. switch3 in room 3120. The value is returned
1216 by the switch as a part of reply to OFPMP_DESC request
1217 (ofp_desc). The OpenFlow specification (e.g. 1.3.5) describes
1218 the ofp_desc structure to contaion "NULL terminated ASCII
1219 strings". For the compatibility reasons no more than 255 ASCII
1220 characters should be used.
1221 other_config : dp-sn: optional string
1223 Serial number. It is a maximum 32 byte-long free-form string to
1224 provide an additional switch identification. The value is re‐
1225 turned by the switch as a part of reply to OFPMP_DESC request
1226 (ofp_desc). Same as mentioned in the description of other-con‐
1227 fig:dp-desc, the string should be no more than 31 ASCII charac‐
1228 ters for the compatibility.
1229 other_config : disable-in-band: optional string, either true or false
1231 If set to true, disable in-band control on the bridge regardless
1232 of controller and manager settings.
1233 other_config : in-band-queue: optional string, containing an integer,
1235 in range 0 to 4,294,967,295
1236 A queue ID as a nonnegative integer. This sets the OpenFlow
1237 queue ID that will be used by flows set up by in-band control on
1238 this bridge. If unset, or if the port used by an in-band control
1239 flow does not have QoS configured, or if the port does not have
1240 a queue with the specified ID, the default queue is used in‐
1241 stead.
1242 other_config : controller-queue-size: optional string, containing an
1244 integer, in range 1 to 512
1245 This sets the maximum size of the queue of packets that need to
1246 be sent to the OpenFlow management controller. The value must be
1247 less than 512. If not specified the queue size is limited to 100
1248 packets by default. Note: increasing the queue size might have a
1249 negative impact on latency.
1250 protocols: set of strings, one of OpenFlow10, OpenFlow11, OpenFlow12,
1252 OpenFlow13, OpenFlow14, or OpenFlow15
1253 List of OpenFlow protocols that may be used when negotiating a
1254 connection with a controller. OpenFlow 1.0, 1.1, 1.2, 1.3, 1.4,
1255 and 1.5 are enabled by default if this column is empty.
1256 Spanning Tree Configuration:
1258 The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol that
1260 ensures loop-free topologies. It allows redundant links to be included
1261 in the network to provide automatic backup paths if the active links
1262 fails.
1263 These settings configure the slower-to-converge but still widely sup‐
1265 ported version of Spanning Tree Protocol, sometimes known as
1266 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree
1267 Protocol (RSTP), documented later in the section titled Rapid Spanning
1268 Tree Configuration.
1269 STP Configuration:
1271 stp_enable: boolean
1273 Enable spanning tree on the bridge. By default, STP is disabled
1274 on bridges. Bond, internal, and mirror ports are not supported
1275 and will not participate in the spanning tree.
1276 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1278 will be used.
1279 other_config : stp-system-id: optional string
1281 The bridge’s STP identifier (the lower 48 bits of the bridge-id)
1282 in the form xx:xx:xx:xx:xx:xx. By default, the identifier is the
1283 MAC address of the bridge.
1284 other_config : stp-priority: optional string, containing an integer, in
1286 range 0 to 65,535
1287 The bridge’s relative priority value for determining the root
1288 bridge (the upper 16 bits of the bridge-id). A bridge with the
1289 lowest bridge-id is elected the root. By default, the priority
1290 is 0x8000.
1291 other_config : stp-hello-time: optional string, containing an integer,
1293 in range 1 to 10
1294 The interval between transmissions of hello messages by desig‐
1295 nated ports, in seconds. By default the hello interval is 2 sec‐
1296 onds.
1297 other_config : stp-max-age: optional string, containing an integer, in
1299 range 6 to 40
1300 The maximum age of the information transmitted by the bridge
1301 when it is the root bridge, in seconds. By default, the maximum
1302 age is 20 seconds.
1303 other_config : stp-forward-delay: optional string, containing an inte‐
1305 ger, in range 4 to 30
1306 The delay to wait between transitioning root and designated
1307 ports to forwarding, in seconds. By default, the forwarding de‐
1308 lay is 15 seconds.
1309 other_config : mcast-snooping-aging-time: optional string, containing
1311 an integer, at least 1
1312 The maximum number of seconds to retain a multicast snooping en‐
1313 try for which no packets have been seen. The default is cur‐
1314 rently 300 seconds (5 minutes). The value, if specified, is
1315 forced into a reasonable range, currently 15 to 3600 seconds.
1316 other_config : mcast-snooping-table-size: optional string, containing
1318 an integer, at least 1
1319 The maximum number of multicast snooping addresses to learn. The
1320 default is currently 2048. The value, if specified, is forced
1321 into a reasonable range, currently 10 to 1,000,000.
1322 other_config : mcast-snooping-disable-flood-unregistered: optional
1324 string, either true or false
1325 If set to false, unregistered multicast packets are forwarded to
1326 all ports. If set to true, unregistered multicast packets are
1327 forwarded to ports connected to multicast routers.
1328 STP Status:
1330 These key-value pairs report the status of 802.1D-1998. They are
1332 present only if STP is enabled (via the stp_enable column).
1333 status : stp_bridge_id: optional string
1335 The bridge ID used in spanning tree advertisements, in the form
1336 xxxx.yyyyyyyyyyyy where the xs are the STP priority, the ys are
1337 the STP system ID, and each x and y is a hex digit.
1338 status : stp_designated_root: optional string
1340 The designated root for this spanning tree, in the same form as
1341 status:stp_bridge_id. If this bridge is the root, this will have
1342 the same value as status:stp_bridge_id, otherwise it will dif‐
1343 fer.
1344 status : stp_root_path_cost: optional string
1346 The path cost of reaching the designated bridge. A lower number
1347 is better. The value is 0 if this bridge is the root, otherwise
1348 it is higher.
1349 Rapid Spanning Tree:
1351 Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
1353 that ensures loop-free topologies. RSTP superseded STP with the publi‐
1354 cation of 802.1D-2004. Compared to STP, RSTP converges more quickly and
1355 recovers more quickly from failures.
1356 RSTP Configuration:
1358 rstp_enable: boolean
1360 Enable Rapid Spanning Tree on the bridge. By default, RSTP is
1361 disabled on bridges. Bond, internal, and mirror ports are not
1362 supported and will not participate in the spanning tree.
1363 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1365 will be used.
1366 other_config : rstp-address: optional string
1368 The bridge’s RSTP address (the lower 48 bits of the bridge-id)
1369 in the form xx:xx:xx:xx:xx:xx. By default, the address is the
1370 MAC address of the bridge.
1371 other_config : rstp-priority: optional string, containing an integer,
1373 in range 0 to 61,440
1374 The bridge’s relative priority value for determining the root
1375 bridge (the upper 16 bits of the bridge-id). A bridge with the
1376 lowest bridge-id is elected the root. By default, the priority
1377 is 0x8000 (32768). This value needs to be a multiple of 4096,
1378 otherwise it’s rounded to the nearest inferior one.
1379 other_config : rstp-ageing-time: optional string, containing an inte‐
1381 ger, in range 10 to 1,000,000
1382 The Ageing Time parameter for the Bridge. The default value is
1383 300 seconds.
1384 other_config : rstp-force-protocol-version: optional string, containing
1386 an integer
1387 The Force Protocol Version parameter for the Bridge. This can
1388 take the value 0 (STP Compatibility mode) or 2 (the default,
1389 normal operation).
1390 other_config : rstp-max-age: optional string, containing an integer, in
1392 range 6 to 40
1393 The maximum age of the information transmitted by the Bridge
1394 when it is the Root Bridge. The default value is 20.
1395 other_config : rstp-forward-delay: optional string, containing an inte‐
1397 ger, in range 4 to 30
1398 The delay used by STP Bridges to transition Root and Designated
1399 Ports to Forwarding. The default value is 15.
1400 other_config : rstp-transmit-hold-count: optional string, containing an
1402 integer, in range 1 to 10
1403 The Transmit Hold Count used by the Port Transmit state machine
1404 to limit transmission rate. The default value is 6.
1405 RSTP Status:
1407 These key-value pairs report the status of 802.1D-2004. They are
1409 present only if RSTP is enabled (via the rstp_enable column).
1410 rstp_status : rstp_bridge_id: optional string
1412 The bridge ID used in rapid spanning tree advertisements, in the
1413 form x.yyy.zzzzzzzzzzzz where x is the RSTP priority, the ys are
1414 a locally assigned system ID extension, the zs are the STP sys‐
1415 tem ID, and each x, y, or z is a hex digit.
1416 rstp_status : rstp_root_id: optional string
1418 The root of this spanning tree, in the same form as rstp_sta‐
1419 tus:rstp_bridge_id. If this bridge is the root, this will have
1420 the same value as rstp_status:rstp_bridge_id, otherwise it will
1421 differ.
1422 rstp_status : rstp_root_path_cost: optional string, containing an inte‐
1424 ger, at least 0
1425 The path cost of reaching the root. A lower number is better.
1426 The value is 0 if this bridge is the root, otherwise it is
1427 higher.
1428 rstp_status : rstp_designated_id: optional string
1430 The RSTP designated ID, in the same form as rstp_sta‐
1431 tus:rstp_bridge_id.
1432 rstp_status : rstp_designated_port_id: optional string
1434 The RSTP designated port ID, as a 4-digit hex number.
1435 rstp_status : rstp_bridge_port_id: optional string
1437 The RSTP bridge port ID, as a 4-digit hex number.
1438 Multicast Snooping Configuration:
1440 Multicast snooping (RFC 4541) monitors the Internet Group Management
1442 Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
1443 and multicast routers. The switch uses what IGMP and MLD snooping
1444 learns to forward multicast traffic only to interfaces that are con‐
1445 nected to interested receivers. Currently it supports IGMPv1, IGMPv2,
1446 IGMPv3, MLDv1 and MLDv2 protocols.
1447 mcast_snooping_enable: boolean
1449 Enable multicast snooping on the bridge. For now, the default is
1450 disabled.
1451 Other Features:
1453 datapath_type: string
1455 Name of datapath provider. The kernel datapath has type system.
1456 The userspace datapath has type netdev. A manager may refer to
1457 the datapath_types column of the Open_vSwitch table for a list
1458 of the types accepted by this Open vSwitch instance.
1459 external_ids : bridge-id: optional string
1461 A unique identifier of the bridge. On Citrix XenServer this will
1462 commonly be the same as external_ids:xs-network-uuids.
1463 external_ids : xs-network-uuids: optional string
1465 Semicolon-delimited set of universally unique identifier(s) for
1466 the network with which this bridge is associated on a Citrix
1467 XenServer host. The network identifiers are RFC 4122 UUIDs as
1468 displayed by, e.g., xe network-list.
1469 other_config : hwaddr: optional string
1471 An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the
1472 hardware address of the local port and influence the datapath
1473 ID.
1474 other_config : forward-bpdu: optional string, either true or false
1476 Controls forwarding of BPDUs and other network control frames
1477 when NORMAL action is invoked. When this option is false or un‐
1478 set, frames with reserved Ethernet addresses (see table below)
1479 will not be forwarded. When this option is true, such frames
1480 will not be treated specially.
1481 The above general rule has the following exceptions:
1483 • If STP is enabled on the bridge (see the stp_enable col‐
1485 umn in the Bridge table), the bridge processes all re‐
1486 ceived STP packets and never passes them to OpenFlow or
1487 forwards them. This is true even if STP is disabled on an
1488 individual port.
1489 • If LLDP is enabled on an interface (see the lldp column
1491 in the Interface table), the interface processes received
1492 LLDP packets and never passes them to OpenFlow or for‐
1493 wards them.
1494 Set this option to true if the Open vSwitch bridge connects dif‐
1496 ferent Ethernet networks and is not configured to participate in
1497 STP.
1498 This option affects packets with the following destination MAC
1500 addresses:
1501 01:80:c2:00:00:00
1503 IEEE 802.1D Spanning Tree Protocol (STP).
1504 01:80:c2:00:00:01
1506 IEEE Pause frame.
1507 01:80:c2:00:00:0x
1509 Other reserved protocols.
1510 00:e0:2b:00:00:00
1512 Extreme Discovery Protocol (EDP).
1513 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06
1515 Ethernet Automatic Protection Switching (EAPS).
1516 01:00:0c:cc:cc:cc
1518 Cisco Discovery Protocol (CDP), VLAN Trunking Protocol
1519 (VTP), Dynamic Trunking Protocol (DTP), Port Aggregation
1520 Protocol (PAgP), and others.
1521 01:00:0c:cc:cc:cd
1523 Cisco Shared Spanning Tree Protocol PVSTP+.
1524 01:00:0c:cd:cd:cd
1526 Cisco STP Uplink Fast.
1527 01:00:0c:00:00:00
1529 Cisco Inter Switch Link.
1530 01:00:0c:cc:cc:cx
1532 Cisco CFM.
1533 other_config : mac-aging-time: optional string, containing an integer,
1535 at least 1
1536 The maximum number of seconds to retain a MAC learning entry for
1537 which no packets have been seen. The default is currently 300
1538 seconds (5 minutes). The value, if specified, is forced into a
1539 reasonable range, currently 15 to 3600 seconds.
1540 A short MAC aging time allows a network to more quickly detect
1542 that a host is no longer connected to a switch port. However, it
1543 also makes it more likely that packets will be flooded unneces‐
1544 sarily, when they are addressed to a connected host that rarely
1545 transmits packets. To reduce the incidence of unnecessary flood‐
1546 ing, use a MAC aging time longer than the maximum interval at
1547 which a host will ordinarily transmit packets.
1548 other_config : mac-table-size: optional string, containing an integer,
1550 at least 1
1551 The maximum number of MAC addresses to learn. The default is
1552 currently 8192. The value, if specified, is forced into a rea‐
1553 sonable range, currently 10 to 1,000,000.
1554 Common Columns:
1556 The overall purpose of these columns is described under Common Columns
1558 at the beginning of this document.
1559 other_config: map of string-string pairs
1561 external_ids: map of string-string pairs
1563
1565 A port within a Bridge.
1566 Most commonly, a port has exactly one ``interface,’’ pointed to by its
1568 interfaces column. Such a port logically corresponds to a port on a
1569 physical Ethernet switch. A port with more than one interface is a
1570 ``bonded port’’ (see Bonding Configuration).
1571 Some properties that one might think as belonging to a port are actu‐
1573 ally part of the port’s Interface members.
1574 Summary:
1576 name immutable string (must be unique within
1577 table)
1578 interfaces set of 1 or more Interfaces
1579 VLAN Configuration:
1580 vlan_mode optional string, one of access,
1581 dot1q-tunnel, native-tagged, native-un‐
1582 tagged, or trunk
1583 tag optional integer, in range 0 to 4,095
1584 trunks set of up to 4,096 integers, in range 0
1585 to 4,095
1586 cvlans set of up to 4,096 integers, in range 0
1587 to 4,095
1588 other_config : qinq-ethtype
1589 optional string, either 802.1ad or 802.1q
1590 other_config : priority-tags
1591 optional string, one of always, if-non‐
1592 zero, or never
1593 Bonding Configuration:
1594 bond_mode optional string, one of active-backup,
1595 balance-slb, or balance-tcp
1596 other_config : bond-hash-basis
1597 optional string, containing an integer
1598 other_config : lb-output-action
1599 optional string, either true or false
1600 other_config : bond-primary
1601 optional string
1602 Link Failure Detection:
1603 other_config : bond-detect-mode
1604 optional string, either carrier or miimon
1605 other_config : bond-miimon-interval
1606 optional string, containing an integer
1607 bond_updelay integer
1608 bond_downdelay integer
1609 LACP Configuration:
1610 lacp optional string, one of active, off, or
1611 passive
1612 other_config : lacp-system-id
1613 optional string
1614 other_config : lacp-system-priority
1615 optional string, containing an integer,
1616 in range 1 to 65,535
1617 other_config : lacp-time optional string, either fast or slow
1618 other_config : lacp-fallback-ab
1619 optional string, either true or false
1620 Rebalancing Configuration:
1621 other_config : bond-rebalance-interval
1622 optional string, containing an integer,
1623 in range 0 to 2,147,483,647
1624 bond_fake_iface boolean
1625 Spanning Tree Protocol:
1626 STP Configuration:
1627 other_config : stp-enable
1628 optional string, either true or false
1629 other_config : stp-port-num
1630 optional string, containing an integer,
1631 in range 1 to 255
1632 other_config : stp-port-priority
1633 optional string, containing an integer,
1634 in range 0 to 255
1635 other_config : stp-path-cost
1636 optional string, containing an integer,
1637 in range 0 to 65,535
1638 STP Status:
1639 status : stp_port_id optional string
1640 status : stp_state optional string, one of blocking, dis‐
1641 abled, forwarding, learning, or listening
1642 status : stp_sec_in_state
1643 optional string, containing an integer,
1644 at least 0
1645 status : stp_role optional string, one of alternate, desig‐
1646 nated, or root
1647 Rapid Spanning Tree Protocol:
1648 RSTP Configuration:
1649 other_config : rstp-enable
1650 optional string, either true or false
1651 other_config : rstp-port-priority
1652 optional string, containing an integer,
1653 in range 0 to 240
1654 other_config : rstp-port-num
1655 optional string, containing an integer,
1656 in range 1 to 4,095
1657 other_config : rstp-port-path-cost
1658 optional string, containing an integer
1659 other_config : rstp-port-admin-edge
1660 optional string, either true or false
1661 other_config : rstp-port-auto-edge
1662 optional string, either true or false
1663 other_config : rstp-port-mcheck
1664 optional string, either true or false
1665 RSTP Status:
1666 rstp_status : rstp_port_id
1667 optional string
1668 rstp_status : rstp_port_role
1669 optional string, one of Alternate,
1670 Backup, Designated, Disabled, or Root
1671 rstp_status : rstp_port_state
1672 optional string, one of Disabled, Dis‐
1673 carding, Forwarding, or Learning
1674 rstp_status : rstp_designated_bridge_id
1675 optional string
1676 rstp_status : rstp_designated_port_id
1677 optional string
1678 rstp_status : rstp_designated_path_cost
1679 optional string, containing an integer
1680 RSTP Statistics:
1681 rstp_statistics : rstp_tx_count
1682 optional integer
1683 rstp_statistics : rstp_rx_count
1684 optional integer
1685 rstp_statistics : rstp_error_count
1686 optional integer
1687 rstp_statistics : rstp_uptime
1688 optional integer
1689 Multicast Snooping:
1690 other_config : mcast-snooping-flood
1691 optional string, either true or false
1692 other_config : mcast-snooping-flood-reports
1693 optional string, either true or false
1694 Other Features:
1695 qos optional QoS
1696 mac optional string
1697 fake_bridge boolean
1698 protected boolean
1699 external_ids : fake-bridge-id-*
1700 optional string
1701 other_config : transient optional string, either true or false
1702 bond_active_slave optional string
1703 Port Statistics:
1704 Statistics: STP transmit and receive counters:
1705 statistics : stp_tx_count
1706 optional integer
1707 statistics : stp_rx_count
1708 optional integer
1709 statistics : stp_error_count
1710 optional integer
1711 Common Columns:
1712 other_config map of string-string pairs
1713 external_ids map of string-string pairs
1714 Details:
1716 name: immutable string (must be unique within table)
1717 Port name. For a non-bonded port, this should be the same as its
1718 interface’s name. Port names must otherwise be unique among the
1719 names of ports, interfaces, and bridges on a host. Because port
1720 and interfaces names are usually the same, the restrictions on
1721 the name column in the Interface table, particularly on length,
1722 also apply to port names. Refer to the documentation for Inter‐
1723 face names for details.
1724 interfaces: set of 1 or more Interfaces
1726 The port’s interfaces. If there is more than one, this is a
1727 bonded Port.
1728 VLAN Configuration:
1730 In short, a VLAN (short for ``virtual LAN’’) is a way to partition a
1732 single switch into multiple switches. VLANs can be confusing, so for an
1733 introduction, please refer to the question ``What’s a VLAN?’’ in the
1734 Open vSwitch FAQ.
1735 A VLAN is sometimes encoded into a packet using a 802.1Q or 802.1ad
1737 VLAN header, but every packet is part of some VLAN whether or not it is
1738 encoded in the packet. (A packet that appears to have no VLAN is part
1739 of VLAN 0, by default.) As a result, it’s useful to think of a VLAN as
1740 a metadata property of a packet, separate from how the VLAN is encoded.
1741 For a given port, this column determines how the encoding of a packet
1742 that ingresses or egresses the port maps to the packet’s VLAN. When a
1743 packet enters the switch, its VLAN is determined based on its setting
1744 in this column and its VLAN headers, if any, and then, conceptually,
1745 the VLAN headers are then stripped off. Conversely, when a packet exits
1746 the switch, its VLAN and the settings in this column determine what
1747 VLAN headers, if any, are pushed onto the packet before it egresses the
1748 port.
1749 The VLAN configuration in this column affects Open vSwitch only when it
1751 is doing ``normal switching.’’ It does not affect flows set up by an
1752 OpenFlow controller, outside of the OpenFlow ``normal action.’’
1753 Bridge ports support the following types of VLAN configuration:
1755 trunk A trunk port carries packets on one or more specified
1757 VLANs specified in the trunks column (often, on every
1758 VLAN). A packet that ingresses on a trunk port is in the
1759 VLAN specified in its 802.1Q header, or VLAN 0 if the
1760 packet has no 802.1Q header. A packet that egresses
1761 through a trunk port will have an 802.1Q header if it has
1762 a nonzero VLAN ID.
1763 Any packet that ingresses on a trunk port tagged with a
1765 VLAN that the port does not trunk is dropped.
1766 access An access port carries packets on exactly one VLAN speci‐
1768 fied in the tag column. Packets egressing on an access
1769 port have no 802.1Q header.
1770 Any packet with an 802.1Q header with a nonzero VLAN ID
1772 that ingresses on an access port is dropped, regardless
1773 of whether the VLAN ID in the header is the access port’s
1774 VLAN ID.
1775 native-tagged
1777 A native-tagged port resembles a trunk port, with the ex‐
1778 ception that a packet without an 802.1Q header that in‐
1779 gresses on a native-tagged port is in the ``native VLAN’’
1780 (specified in the tag column).
1781 native-untagged
1783 A native-untagged port resembles a native-tagged port,
1784 with the exception that a packet that egresses on a na‐
1785 tive-untagged port in the native VLAN will not have an
1786 802.1Q header.
1787 dot1q-tunnel
1789 A dot1q-tunnel port is somewhat like an access port. Like
1790 an access port, it carries packets on the single VLAN
1791 specified in the tag column and this VLAN, called the
1792 service VLAN, does not appear in an 802.1Q header for
1793 packets that ingress or egress on the port. The main dif‐
1794 ference lies in the behavior when packets that include a
1795 802.1Q header ingress on the port. Whereas an access port
1796 drops such packets, a dot1q-tunnel port treats these as
1797 double-tagged with the outer service VLAN tag and the in‐
1798 ner customer VLAN taken from the 802.1Q header. Corre‐
1799 spondingly, to egress on the port, a packet outer VLAN
1800 (or only VLAN) must be tag, which is removed before
1801 egress, which exposes the inner (customer) VLAN if one is
1802 present.
1803 If cvlans is set, only allows packets in the specified
1805 customer VLANs.
1806 A packet will only egress through bridge ports that carry the VLAN of
1808 the packet, as described by the rules above.
1809 vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
1811 native-untagged, or trunk
1812 The VLAN mode of the port, as described above. When this column
1813 is empty, a default mode is selected as follows:
1814 • If tag contains a value, the port is an access port. The
1816 trunks column should be empty.
1817 • Otherwise, the port is a trunk port. The trunks column
1819 value is honored if it is present.
1820 tag: optional integer, in range 0 to 4,095
1822 For an access port, the port’s implicitly tagged VLAN. For a na‐
1823 tive-tagged or native-untagged port, the port’s native VLAN.
1824 Must be empty if this is a trunk port.
1825 trunks: set of up to 4,096 integers, in range 0 to 4,095
1827 For a trunk, native-tagged, or native-untagged port, the 802.1Q
1828 VLAN or VLANs that this port trunks; if it is empty, then the
1829 port trunks all VLANs. Must be empty if this is an access port.
1830 A native-tagged or native-untagged port always trunks its native
1832 VLAN, regardless of whether trunks includes that VLAN.
1833 cvlans: set of up to 4,096 integers, in range 0 to 4,095
1835 For a dot1q-tunnel port, the customer VLANs that this port in‐
1836 cludes. If this is empty, the port includes all customer VLANs.
1837 For other kinds of ports, this setting is ignored.
1839 other_config : qinq-ethtype: optional string, either 802.1ad or 802.1q
1841 For a dot1q-tunnel port, this is the TPID for the service tag,
1842 that is, for the 802.1Q header that contains the service VLAN
1843 ID. Because packets that actually ingress and egress a dot1q-
1844 tunnel port do not include an 802.1Q header for the service
1845 VLAN, this does not affect packets on the dot1q-tunnel port it‐
1846 self. Rather, it determines the service VLAN for a packet that
1847 ingresses on a dot1q-tunnel port and egresses on a trunk port.
1848 The value 802.1ad specifies TPID 0x88a8, which is also the de‐
1850 fault if the setting is omitted. The value 802.1q specifies TPID
1851 0x8100.
1852 For other kinds of ports, this setting is ignored.
1854 other_config : priority-tags: optional string, one of always, if-non‐
1856 zero, or never
1857 An 802.1Q header contains two important pieces of information: a
1858 VLAN ID and a priority. A frame with a zero VLAN ID, called a
1859 ``priority-tagged’’ frame, is supposed to be treated the same
1860 way as a frame without an 802.1Q header at all (except for the
1861 priority).
1862 However, some network elements ignore any frame that has 802.1Q
1864 header at all, even when the VLAN ID is zero. Therefore, by de‐
1865 fault Open vSwitch does not output priority-tagged frames, in‐
1866 stead omitting the 802.1Q header entirely if the VLAN ID is
1867 zero. Set this key to if-nonzero to enable priority-tagged
1868 frames on a port.
1869 For if-nonzero Open vSwitch omits the 802.1Q header on output if
1871 both the VLAN ID and priority would be zero. Set to always to
1872 retain the 802.1Q header in such frames as well.
1873 All frames output to native-tagged ports have a nonzero VLAN ID,
1875 so this setting is not meaningful on native-tagged ports.
1876 Bonding Configuration:
1878 A port that has more than one interface is a ``bonded port.’’ Bonding
1880 allows for load balancing and fail-over.
1881 The following types of bonding will work with any kind of upstream
1883 switch. On the upstream switch, do not configure the interfaces as a
1884 bond:
1885 balance-slb
1887 Balances flows among members based on source MAC address
1888 and output VLAN, with periodic rebalancing as traffic
1889 patterns change.
1890 active-backup
1892 Assigns all flows to one member, failing over to a backup
1893 member when the active member is disabled. This is the
1894 only bonding mode in which interfaces may be plugged into
1895 different upstream switches.
1896 The following modes require the upstream switch to support 802.3ad with
1898 successful LACP negotiation. If LACP negotiation fails and other-con‐
1899 fig:lacp-fallback-ab is true, then active-backup mode is used:
1900 balance-tcp
1902 Balances flows among members based on L3 and L4 protocol
1903 information such as IP addresses and TCP/UDP ports.
1904 These columns apply only to bonded ports. Their values are otherwise
1906 ignored.
1907 bond_mode: optional string, one of active-backup, balance-slb, or bal‐
1909 ance-tcp
1910 The type of bonding used for a bonded port. Defaults to ac‐
1911 tive-backup if unset.
1912 other_config : bond-hash-basis: optional string, containing an integer
1914 An integer hashed along with flows when choosing output members
1915 in load balanced bonds. When changed, all flows will be assigned
1916 different hash values possibly causing member selection deci‐
1917 sions to change. Does not affect bonding modes which do not em‐
1918 ploy load balancing such as active-backup.
1919 other_config : lb-output-action: optional string, either true or false
1921 Enable/disable usage of optimized lb_output action for balancing
1922 flows among output members in load balanced bonds in bal‐
1923 ance-tcp. When enabled, it uses optimized path for balance-tcp
1924 mode by using rss hash and avoids recirculation. This knob does
1925 not affect other balancing modes.
1926 other_config : bond-primary: optional string
1928 If a slave interface with this name exists in the bond and is
1929 up, it will be made active. Relevant only when other_con‐
1930 fig:bond_mode is active-backup or if balance-tcp falls back to
1931 active-backup (e.g., LACP negotiation fails and other_con‐
1932 fig:lacp-fallback-ab is true).
1933 Link Failure Detection:
1935 An important part of link bonding is detecting that links are down so
1937 that they may be disabled. These settings determine how Open vSwitch
1938 detects link failure.
1939 other_config : bond-detect-mode: optional string, either carrier or mi‐
1941 imon
1942 The means used to detect link failures. Defaults to carrier
1943 which uses each interface’s carrier to detect failures. When set
1944 to miimon, will check for failures by polling each interface’s
1945 MII.
1946 other_config : bond-miimon-interval: optional string, containing an in‐
1948 teger
1949 The interval, in milliseconds, between successive attempts to
1950 poll each interface’s MII. Relevant only when other_config:bond-
1951 detect-mode is miimon.
1952 bond_updelay: integer
1954 The number of milliseconds for which the link must stay up on an
1955 interface before the interface is considered to be up. Specify 0
1956 to enable the interface immediately.
1957 This setting is honored only when at least one bonded interface
1959 is already enabled. When no interfaces are enabled, then the
1960 first bond interface to come up is enabled immediately.
1961 bond_downdelay: integer
1963 The number of milliseconds for which the link must stay down on
1964 an interface before the interface is considered to be down.
1965 Specify 0 to disable the interface immediately.
1966 LACP Configuration:
1968 LACP, the Link Aggregation Control Protocol, is an IEEE standard that
1970 allows switches to automatically detect that they are connected by mul‐
1971 tiple links and aggregate across those links. These settings control
1972 LACP behavior.
1973 lacp: optional string, one of active, off, or passive
1975 Configures LACP on this port. LACP allows directly connected
1976 switches to negotiate which links may be bonded. LACP may be en‐
1977 abled on non-bonded ports for the benefit of any switches they
1978 may be connected to. active ports are allowed to initiate LACP
1979 negotiations. passive ports are allowed to participate in LACP
1980 negotiations initiated by a remote switch, but not allowed to
1981 initiate such negotiations themselves. If LACP is enabled on a
1982 port whose partner switch does not support LACP, the bond will
1983 be disabled, unless other-config:lacp-fallback-ab is set to
1984 true. Defaults to off if unset.
1985 other_config : lacp-system-id: optional string
1987 The LACP system ID of this Port. The system ID of a LACP bond is
1988 used to identify itself to its partners. Must be a nonzero MAC
1989 address. Defaults to the bridge Ethernet address if unset.
1990 other_config : lacp-system-priority: optional string, containing an in‐
1992 teger, in range 1 to 65,535
1993 The LACP system priority of this Port. In LACP negotiations,
1994 link status decisions are made by the system with the numeri‐
1995 cally lower priority.
1996 other_config : lacp-time: optional string, either fast or slow
1998 The LACP timing which should be used on this Port. By default
1999 slow is used. When configured to be fast LACP heartbeats are re‐
2000 quested at a rate of once per second causing connectivity prob‐
2001 lems to be detected more quickly. In slow mode, heartbeats are
2002 requested at a rate of once every 30 seconds.
2003 other_config : lacp-fallback-ab: optional string, either true or false
2005 Determines the behavior of openvswitch bond in LACP mode. If the
2006 partner switch does not support LACP, setting this option to
2007 true allows openvswitch to fallback to active-backup. If the op‐
2008 tion is set to false, the bond will be disabled. In both the
2009 cases, once the partner switch is configured to LACP mode, the
2010 bond will use LACP.
2011 Rebalancing Configuration:
2013 These settings control behavior when a bond is in balance-slb or bal‐
2015 ance-tcp mode.
2016 other_config : bond-rebalance-interval: optional string, containing an
2018 integer, in range 0 to 2,147,483,647
2019 For a load balanced bonded port, the number of milliseconds be‐
2020 tween successive attempts to rebalance the bond, that is, to
2021 move flows from one interface on the bond to another in an at‐
2022 tempt to keep usage of each interface roughly equal. If zero,
2023 load balancing is disabled on the bond (link failure still cause
2024 flows to move). If less than 1000ms, the rebalance interval will
2025 be 1000ms.
2026 bond_fake_iface: boolean
2028 For a bonded port, whether to create a fake internal interface
2029 with the name of the port. Use only for compatibility with
2030 legacy software that requires this.
2031 Spanning Tree Protocol:
2033 The configuration here is only meaningful, and the status is only popu‐
2035 lated, when 802.1D-1998 Spanning Tree Protocol is enabled on the port’s
2036 Bridge with its stp_enable column.
2037 STP Configuration:
2039 other_config : stp-enable: optional string, either true or false
2041 When STP is enabled on a bridge, it is enabled by default on all
2042 of the bridge’s ports except bond, internal, and mirror ports
2043 (which do not work with STP). If this column’s value is false,
2044 STP is disabled on the port.
2045 other_config : stp-port-num: optional string, containing an integer, in
2047 range 1 to 255
2048 The port number used for the lower 8 bits of the port-id. By de‐
2049 fault, the numbers will be assigned automatically. If any port’s
2050 number is manually configured on a bridge, then they must all
2051 be.
2052 other_config : stp-port-priority: optional string, containing an inte‐
2054 ger, in range 0 to 255
2055 The port’s relative priority value for determining the root port
2056 (the upper 8 bits of the port-id). A port with a lower port-id
2057 will be chosen as the root port. By default, the priority is
2058 0x80.
2059 other_config : stp-path-cost: optional string, containing an integer,
2061 in range 0 to 65,535
2062 Spanning tree path cost for the port. A lower number indicates a
2063 faster link. By default, the cost is based on the maximum speed
2064 of the link.
2065 STP Status:
2067 status : stp_port_id: optional string
2069 The port ID used in spanning tree advertisements for this port,
2070 as 4 hex digits. Configuring the port ID is described in the
2071 stp-port-num and stp-port-priority keys of the other_config sec‐
2072 tion earlier.
2073 status : stp_state: optional string, one of blocking, disabled, for‐
2075 warding, learning, or listening
2076 STP state of the port.
2077 status : stp_sec_in_state: optional string, containing an integer, at
2079 least 0
2080 The amount of time this port has been in the current STP state,
2081 in seconds.
2082 status : stp_role: optional string, one of alternate, designated, or
2084 root
2085 STP role of the port.
2086 Rapid Spanning Tree Protocol:
2088 The configuration here is only meaningful, and the status and statis‐
2090 tics are only populated, when 802.1D-1998 Spanning Tree Protocol is en‐
2091 abled on the port’s Bridge with its stp_enable column.
2092 RSTP Configuration:
2094 other_config : rstp-enable: optional string, either true or false
2096 When RSTP is enabled on a bridge, it is enabled by default on
2097 all of the bridge’s ports except bond, internal, and mirror
2098 ports (which do not work with RSTP). If this column’s value is
2099 false, RSTP is disabled on the port.
2100 other_config : rstp-port-priority: optional string, containing an inte‐
2102 ger, in range 0 to 240
2103 The port’s relative priority value for determining the root
2104 port, in multiples of 16. By default, the port priority is 0x80
2105 (128). Any value in the lower 4 bits is rounded off. The signif‐
2106 icant upper 4 bits become the upper 4 bits of the port-id. A
2107 port with the lowest port-id is elected as the root.
2108 other_config : rstp-port-num: optional string, containing an integer,
2110 in range 1 to 4,095
2111 The local RSTP port number, used as the lower 12 bits of the
2112 port-id. By default the port numbers are assigned automatically,
2113 and typically may not correspond to the OpenFlow port numbers. A
2114 port with the lowest port-id is elected as the root.
2115 other_config : rstp-port-path-cost: optional string, containing an in‐
2117 teger
2118 The port path cost. The Port’s contribution, when it is the Root
2119 Port, to the Root Path Cost for the Bridge. By default the cost
2120 is automatically calculated from the port’s speed.
2121 other_config : rstp-port-admin-edge: optional string, either true or
2123 false
2124 The admin edge port parameter for the Port. Default is false.
2125 other_config : rstp-port-auto-edge: optional string, either true or
2127 false
2128 The auto edge port parameter for the Port. Default is true.
2129 other_config : rstp-port-mcheck: optional string, either true or false
2131 The mcheck port parameter for the Port. Default is false. May be
2132 set to force the Port Protocol Migration state machine to trans‐
2133 mit RST BPDUs for a MigrateTime period, to test whether all STP
2134 Bridges on the attached LAN have been removed and the Port can
2135 continue to transmit RSTP BPDUs. Setting mcheck has no effect if
2136 the Bridge is operating in STP Compatibility mode.
2137 Changing the value from true to false has no effect, but needs
2139 to be done if this behavior is to be triggered again by subse‐
2140 quently changing the value from false to true.
2141 RSTP Status:
2143 rstp_status : rstp_port_id: optional string
2145 The port ID used in spanning tree advertisements for this port,
2146 as 4 hex digits. Configuring the port ID is described in the
2147 rstp-port-num and rstp-port-priority keys of the other_config
2148 section earlier.
2149 rstp_status : rstp_port_role: optional string, one of Alternate,
2151 Backup, Designated, Disabled, or Root
2152 RSTP role of the port.
2153 rstp_status : rstp_port_state: optional string, one of Disabled, Dis‐
2155 carding, Forwarding, or Learning
2156 RSTP state of the port.
2157 rstp_status : rstp_designated_bridge_id: optional string
2159 The port’s RSTP designated bridge ID, in the same form as
2160 rstp_status:rstp_bridge_id in the Bridge table.
2161 rstp_status : rstp_designated_port_id: optional string
2163 The port’s RSTP designated port ID, as 4 hex digits.
2164 rstp_status : rstp_designated_path_cost: optional string, containing an
2166 integer
2167 The port’s RSTP designated path cost. Lower is better.
2168 RSTP Statistics:
2170 rstp_statistics : rstp_tx_count: optional integer
2172 Number of RSTP BPDUs transmitted through this port.
2173 rstp_statistics : rstp_rx_count: optional integer
2175 Number of valid RSTP BPDUs received by this port.
2176 rstp_statistics : rstp_error_count: optional integer
2178 Number of invalid RSTP BPDUs received by this port.
2179 rstp_statistics : rstp_uptime: optional integer
2181 The duration covered by the other RSTP statistics, in seconds.
2182 Multicast Snooping:
2184 other_config : mcast-snooping-flood: optional string, either true or
2186 false
2187 If set to true, multicast packets (except Reports) are uncondi‐
2188 tionally forwarded to the specific port.
2189 other_config : mcast-snooping-flood-reports: optional string, either
2191 true or false
2192 If set to true, multicast Reports are unconditionally forwarded
2193 to the specific port.
2194 Other Features:
2196 qos: optional QoS
2198 Quality of Service configuration for this port.
2199 mac: optional string
2201 The MAC address to use for this port for the purpose of choosing
2202 the bridge’s MAC address. This column does not necessarily re‐
2203 flect the port’s actual MAC address, nor will setting it change
2204 the port’s actual MAC address.
2205 fake_bridge: boolean
2207 Does this port represent a sub-bridge for its tagged VLAN within
2208 the Bridge? See ovs-vsctl(8) for more information.
2209 protected: boolean
2211 The protected ports feature allows certain ports to be desig‐
2212 nated as protected. Traffic between protected ports is blocked.
2213 Protected ports can send traffic to unprotected ports. Unpro‐
2214 tected ports can send traffic to any port. Default is false.
2215 external_ids : fake-bridge-id-*: optional string
2217 External IDs for a fake bridge (see the fake_bridge column) are
2218 defined by prefixing a Bridge external_ids key with
2219 fake-bridge-, e.g. fake-bridge-xs-network-uuids.
2220 other_config : transient: optional string, either true or false
2222 If set to true, the port will be removed when ovs-ctl start
2223 --delete-transient-ports is used.
2224 bond_active_slave: optional string
2226 For a bonded port, record the MAC address of the current active
2227 member.
2228 Port Statistics:
2230 Key-value pairs that report port statistics. The update period is con‐
2232 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
2233 ble.
2234 Statistics: STP transmit and receive counters:
2236 statistics : stp_tx_count: optional integer
2238 Number of STP BPDUs sent on this port by the spanning tree li‐
2239 brary.
2240 statistics : stp_rx_count: optional integer
2242 Number of STP BPDUs received on this port and accepted by the
2243 spanning tree library.
2244 statistics : stp_error_count: optional integer
2246 Number of bad STP BPDUs received on this port. Bad BPDUs include
2247 runt packets and those with an unexpected protocol ID.
2248 Common Columns:
2250 The overall purpose of these columns is described under Common Columns
2252 at the beginning of this document.
2253 other_config: map of string-string pairs
2255 external_ids: map of string-string pairs
2257
2259 An interface within a Port.
2260 Summary:
2262 Core Features:
2263 name immutable string (must be unique within
2264 table)
2265 ifindex optional integer, in range 0 to
2266 4,294,967,295
2267 mac_in_use optional string
2268 mac optional string
2269 error optional string
2270 OpenFlow Port Number:
2271 ofport optional integer
2272 ofport_request optional integer, in range 1 to 65,279
2273 System-Specific Details:
2274 type string
2275 Tunnel Options:
2276 options : remote_ip optional string
2277 options : local_ip optional string
2278 options : in_key optional string
2279 options : out_key optional string
2280 options : dst_port optional string
2281 options : key optional string
2282 options : tos optional string
2283 options : ttl optional string
2284 options : df_default optional string, either true or false
2285 options : egress_pkt_mark optional string
2286 Tunnel Options: lisp only:
2287 options : packet_type optional string, either legacy_l3 or ptap
2288 Tunnel Options: vxlan only:
2289 options : exts optional string
2290 options : packet_type optional string, one of legacy_l2,
2291 legacy_l3, or ptap
2292 Tunnel Options: gre only:
2293 options : packet_type optional string, one of legacy_l2,
2294 legacy_l3, or ptap
2295 options : seq optional string, either true or false
2296 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2297 options : csum optional string, either true or false
2298 Tunnel Options: IPsec:
2299 options : psk optional string
2300 options : remote_cert optional string
2301 options : remote_name optional string
2302 Tunnel Options: erspan only:
2303 options : erspan_idx optional string
2304 options : erspan_ver optional string
2305 options : erspan_dir optional string
2306 options : erspan_hwid optional string
2307 Tunnel Options: Bareudp only:
2308 options : payload_type optional string
2309 Patch Options:
2310 options : peer optional string
2311 PMD (Poll Mode Driver) Options:
2312 options : n_rxq optional string, containing an integer,
2313 at least 1
2314 options : dpdk-devargs optional string
2315 other_config : pmd-rxq-affinity
2316 optional string
2317 options : xdp-mode optional string, one of best-effort,
2318 generic, native-with-zerocopy, or native
2319 options : use-need-wakeup optional string, either true or false
2320 options : vhost-server-path
2321 optional string
2322 options : tx-retries-max optional string, containing an integer,
2323 in range 0 to 32
2324 options : n_rxq_desc optional string, containing an integer,
2325 in range 1 to 4,096
2326 options : n_txq_desc optional string, containing an integer,
2327 in range 1 to 4,096
2328 options : dpdk-vf-mac optional string
2329 EMC (Exact Match Cache) Configuration:
2330 other_config : emc-enable optional string, either true or false
2331 MTU:
2332 mtu optional integer
2333 mtu_request optional integer, at least 1
2334 Interface Status:
2335 admin_state optional string, either down or up
2336 link_state optional string, either down or up
2337 link_resets optional integer
2338 link_speed optional integer
2339 duplex optional string, either full or half
2340 lacp_current optional boolean
2341 status map of string-string pairs
2342 status : driver_name optional string
2343 status : driver_version optional string
2344 status : firmware_version optional string
2345 status : source_ip optional string
2346 status : tunnel_egress_iface
2347 optional string
2348 status : tunnel_egress_iface_carrier
2349 optional string, either down or up
2350 dpdk:
2351 status : port_no optional string
2352 status : numa_id optional string
2353 status : min_rx_bufsize optional string
2354 status : max_rx_pktlen optional string
2355 status : max_rx_queues optional string
2356 status : max_tx_queues optional string
2357 status : max_mac_addrs optional string
2358 status : max_hash_mac_addrs
2359 optional string
2360 status : max_vfs optional string
2361 status : max_vmdq_pools optional string
2362 status : if_type optional string
2363 status : if_descr optional string
2364 status : pci-vendor_id optional string
2365 status : pci-device_id optional string
2366 Statistics:
2367 Statistics: Successful transmit and receive counters:
2368 statistics : rx_packets optional integer
2369 statistics : rx_bytes optional integer
2370 statistics : tx_packets optional integer
2371 statistics : tx_bytes optional integer
2372 Statistics: Receive errors:
2373 statistics : rx_dropped optional integer
2374 statistics : rx_frame_err
2375 optional integer
2376 statistics : rx_over_err optional integer
2377 statistics : rx_crc_err optional integer
2378 statistics : rx_errors optional integer
2379 Statistics: Transmit errors:
2380 statistics : tx_dropped optional integer
2381 statistics : collisions optional integer
2382 statistics : tx_errors optional integer
2383 Ingress Policing:
2384 ingress_policing_rate integer, at least 0
2385 ingress_policing_burst integer, at least 0
2386 Bidirectional Forwarding Detection (BFD):
2387 BFD Configuration:
2388 bfd : enable optional string, either true or false
2389 bfd : min_rx optional string, containing an integer,
2390 at least 1
2391 bfd : min_tx optional string, containing an integer,
2392 at least 1
2393 bfd : decay_min_rx optional string, containing an integer
2394 bfd : forwarding_if_rx optional string, either true or false
2395 bfd : cpath_down optional string, either true or false
2396 bfd : check_tnl_key optional string, either true or false
2397 bfd : bfd_local_src_mac optional string
2398 bfd : bfd_local_dst_mac optional string
2399 bfd : bfd_remote_dst_mac optional string
2400 bfd : bfd_src_ip optional string
2401 bfd : bfd_dst_ip optional string
2402 bfd : oam optional string
2403 bfd : mult optional string, containing an integer,
2404 in range 1 to 255
2405 BFD Status:
2406 bfd_status : state optional string, one of admin_down, down,
2407 init, or up
2408 bfd_status : forwarding optional string, either true or false
2409 bfd_status : diagnostic optional string
2410 bfd_status : remote_state
2411 optional string, one of admin_down, down,
2412 init, or up
2413 bfd_status : remote_diagnostic
2414 optional string
2415 bfd_status : flap_count optional string, containing an integer,
2416 at least 0
2417 Connectivity Fault Management:
2418 cfm_mpid optional integer
2419 cfm_flap_count optional integer
2420 cfm_fault optional boolean
2421 cfm_fault_status : recv none
2422 cfm_fault_status : rdi none
2423 cfm_fault_status : maid none
2424 cfm_fault_status : loopback
2425 none
2426 cfm_fault_status : overflow
2427 none
2428 cfm_fault_status : override
2429 none
2430 cfm_fault_status : interval
2431 none
2432 cfm_remote_opstate optional string, either down or up
2433 cfm_health optional integer, in range 0 to 100
2434 cfm_remote_mpids set of integers
2435 other_config : cfm_interval
2436 optional string, containing an integer
2437 other_config : cfm_extended
2438 optional string, either true or false
2439 other_config : cfm_demand optional string, either true or false
2440 other_config : cfm_opstate optional string, either down or up
2441 other_config : cfm_ccm_vlan
2442 optional string, containing an integer,
2443 in range 1 to 4,095
2444 other_config : cfm_ccm_pcp optional string, containing an integer,
2445 in range 1 to 7
2446 Bonding Configuration:
2447 other_config : lacp-port-id
2448 optional string, containing an integer,
2449 in range 1 to 65,535
2450 other_config : lacp-port-priority
2451 optional string, containing an integer,
2452 in range 1 to 65,535
2453 other_config : lacp-aggregation-key
2454 optional string, containing an integer,
2455 in range 1 to 65,535
2456 Virtual Machine Identifiers:
2457 external_ids : attached-mac
2458 optional string
2459 external_ids : iface-id optional string
2460 external_ids : iface-status
2461 optional string, either active or inac‐
2462 tive
2463 external_ids : xs-vif-uuid optional string
2464 external_ids : xs-network-uuid
2465 optional string
2466 external_ids : vm-id optional string
2467 external_ids : xs-vm-uuid optional string
2468 Auto Attach Configuration:
2469 lldp : enable optional string, either true or false
2470 Flow control Configuration:
2471 options : rx-flow-ctrl optional string, either true or false
2472 options : tx-flow-ctrl optional string, either true or false
2473 options : flow-ctrl-autoneg
2474 optional string, either true or false
2475 Link State Change detection mode:
2476 options : dpdk-lsc-interrupt
2477 optional string, either true or false
2478 Common Columns:
2479 other_config map of string-string pairs
2480 external_ids map of string-string pairs
2481 Details:
2483 Core Features:
2484 name: immutable string (must be unique within table)
2486 Interface name. Should be alphanumeric. For non-bonded port,
2487 this should be the same as the port name. It must otherwise be
2488 unique among the names of ports, interfaces, and bridges on a
2489 host.
2490 The maximum length of an interface name depends on the underly‐
2492 ing datapath:
2493 • The names of interfaces implemented as Linux and BSD net‐
2495 work devices, including interfaces with type internal,
2496 tap, or system plus the different types of tunnel ports,
2497 are limited to 15 bytes. Windows limits these names to
2498 255 bytes.
2499 • The names of patch ports are not used in the underlying
2501 datapath, so operating system restrictions do not apply.
2502 Thus, they may have arbitrary length.
2503 Regardless of other restrictions, OpenFlow only supports 15-byte
2505 names, which means that ovs-ofctl and OpenFlow controllers will
2506 show names truncated to 15 bytes.
2507 ifindex: optional integer, in range 0 to 4,294,967,295
2509 A positive interface index as defined for SNMP MIB-II in RFCs
2510 1213 and 2863, if the interface has one, otherwise 0. The
2511 ifindex is useful for seamless integration with protocols such
2512 as SNMP and sFlow.
2513 mac_in_use: optional string
2515 The MAC address in use by this interface.
2516 mac: optional string
2518 Ethernet address to set for this interface. If unset then the
2519 default MAC address is used:
2520 • For the local interface, the default is the lowest-num‐
2522 bered MAC address among the other bridge ports, either
2523 the value of the mac in its Port record, if set, or its
2524 actual MAC (for bonded ports, the MAC of its member whose
2525 name is first in alphabetical order). Internal ports and
2526 bridge ports that are used as port mirroring destinations
2527 (see the Mirror table) are ignored.
2528 • For other internal interfaces, the default MAC is ran‐
2530 domly generated.
2531 • External interfaces typically have a MAC address associ‐
2533 ated with their hardware.
2534 Some interfaces may not have a software-controllable MAC ad‐
2536 dress. This option only affects internal ports. For other type
2537 ports, you can change the MAC address outside Open vSwitch, us‐
2538 ing ip command.
2539 error: optional string
2541 If the configuration of the port failed, as indicated by -1 in
2542 ofport, Open vSwitch sets this column to an error description in
2543 human readable form. Otherwise, Open vSwitch clears this column.
2544 OpenFlow Port Number:
2546 When a client adds a new interface, Open vSwitch chooses an OpenFlow
2548 port number for the new port. If the client that adds the port fills in
2549 ofport_request, then Open vSwitch tries to use its value as the Open‐
2550 Flow port number. Otherwise, or if the requested port number is already
2551 in use or cannot be used for another reason, Open vSwitch automatically
2552 assigns a free port number. Regardless of how the port number was ob‐
2553 tained, Open vSwitch then reports in ofport the port number actually
2554 assigned.
2555 Open vSwitch limits the port numbers that it automatically assigns to
2557 the range 1 through 32,767, inclusive. Controllers therefore have free
2558 use of ports 32,768 and up.
2559 ofport: optional integer
2561 OpenFlow port number for this interface. Open vSwitch sets this
2562 column’s value, so other clients should treat it as read-only.
2563 The OpenFlow ``local’’ port (OFPP_LOCAL) is 65,534. The other
2565 valid port numbers are in the range 1 to 65,279, inclusive.
2566 Value -1 indicates an error adding the interface.
2567 ofport_request: optional integer, in range 1 to 65,279
2569 Requested OpenFlow port number for this interface.
2570 A client should ideally set this column’s value in the same
2572 database transaction that it uses to create the interface. Open
2573 vSwitch version 2.1 and later will honor a later request for a
2574 specific port number, althuogh it might confuse some con‐
2575 trollers: OpenFlow does not have a way to announce a port number
2576 change, so Open vSwitch represents it over OpenFlow as a port
2577 deletion followed immediately by a port addition.
2578 If ofport_request is set or changed to some other port’s auto‐
2580 matically assigned port number, Open vSwitch chooses a new port
2581 number for the latter port.
2582 System-Specific Details:
2584 type: string
2586 The interface type. The types supported by a particular instance
2587 of Open vSwitch are listed in the iface_types column in the
2588 Open_vSwitch table. The following types are defined:
2589 system An ordinary network device, e.g. eth0 on Linux. Sometimes
2591 referred to as ``external interfaces’’ since they are
2592 generally connected to hardware external to that on which
2593 the Open vSwitch is running. The empty string is a syn‐
2594 onym for system.
2595 internal
2597 A simulated network device that sends and receives traf‐
2598 fic. An internal interface whose name is the same as its
2599 bridge’s name is called the ``local interface.’’ It does
2600 not make sense to bond an internal interface, so the
2601 terms ``port’’ and ``interface’’ are often used impre‐
2602 cisely for internal interfaces.
2603 tap A TUN/TAP device managed by Open vSwitch.
2605 Open vSwitch checks the interface state before send pack‐
2607 ets to the device. When it is down, the packets are
2608 dropped and the tx_dropped statistic is updated accord‐
2609 ingly. Older versions of Open vSwitch did not check the
2610 interface state and then the tx_packets was incremented
2611 along with tx_dropped.
2612 geneve An Ethernet over Geneve
2614 (http://tools.ietf.org/html/draft-ietf-nvo3-geneve)
2615 IPv4/IPv6 tunnel. A description of how to match and set
2616 Geneve options can be found in the ovs-ofctl manual page.
2617 gre Generic Routing Encapsulation (GRE) over IPv4 tunnel,
2619 configurable to encapsulate layer 2 or layer 3 traffic.
2620 ip6gre Generic Routing Encapsulation (GRE) over IPv6 tunnel, en‐
2622 capsulate layer 2 traffic.
2623 vxlan An Ethernet tunnel over the UDP-based VXLAN protocol de‐
2625 scribed in RFC 7348.
2626 Open vSwitch uses IANA-assigned UDP destination port
2628 4789. The source port used for VXLAN traffic varies on a
2629 per-flow basis and is in the ephemeral port range.
2630 lisp A layer 3 tunnel over the experimental, UDP-based Loca‐
2632 tor/ID Separation Protocol (RFC 6830).
2633 Only IPv4 and IPv6 packets are supported by the protocol,
2635 and they are sent and received without an Ethernet
2636 header. Traffic to/from LISP ports is expected to be con‐
2637 figured explicitly, and the ports are not intended to
2638 participate in learning based switching. As such, they
2639 are always excluded from packet flooding.
2640 stt The Stateless TCP Tunnel (STT) is particularly useful
2642 when tunnel endpoints are in end-systems, as it utilizes
2643 the capabilities of standard network interface cards to
2644 improve performance. STT utilizes a TCP-like header in‐
2645 side the IP header. It is stateless, i.e., there is no
2646 TCP connection state of any kind associated with the tun‐
2647 nel. The TCP-like header is used to leverage the capabil‐
2648 ities of existing network interface cards, but should not
2649 be interpreted as implying any sort of connection state
2650 between endpoints. Since the STT protocol does not engage
2651 in the usual TCP 3-way handshake, so it will have diffi‐
2652 culty traversing stateful firewalls. The protocol is doc‐
2653 umented at https://tools.ietf.org/html/draft-davie-stt
2654 All traffic uses a default destination port of 7471.
2655 patch A pair of virtual devices that act as a patch cable.
2657 gtpu GPRS Tunneling Protocol (GTP) is a group of IP-based com‐
2659 munications protocols used to carry general packet radio
2660 service (GPRS) within GSM, UMTS and LTE networks. GTP-U
2661 is used for carrying user data within the GPRS core net‐
2662 work and between the radio access network and the core
2663 network. The user data transported can be packets in any
2664 of IPv4, IPv6, or PPP formats.
2665 The protocol is documented at http://www.3gpp.org/DynaRe‐
2667 port/29281.htm
2668 Open vSwitch uses UDP destination port 2152. The source
2670 port used for GTP traffic varies on a per-flow basis and
2671 is in the ephemeral port range.
2672 Bareudp
2674 The Bareudp tunnel provides a generic L3 encapsulation
2675 support for tunnelling different L3 protocols like MPLS,
2676 IP, NSH etc. inside a UDP tunnel.
2677 Tunnel Options:
2679 These options apply to interfaces with type of geneve, bareudp, gre,
2681 ip6gre, vxlan, lisp and stt.
2682 Each tunnel must be uniquely identified by the combination of type, op‐
2684 tions:remote_ip, options:local_ip, and options:in_key. If two ports are
2685 defined that are the same except one has an optional identifier and the
2686 other does not, the more specific one is matched first. options:in_key
2687 is considered more specific than options:local_ip if a port defines one
2688 and another port defines the other. options:in_key is not applicable
2689 for bareudp tunnels. Hence it is not considered while identifying a
2690 bareudp tunnel.
2691 options : remote_ip: optional string
2693 Required. The remote tunnel endpoint, one of:
2694 • An IPv4 or IPv6 address (not a DNS name), e.g.
2696 192.168.0.123. Only unicast endpoints are supported.
2697 • The word flow. The tunnel accepts packets from any remote
2699 tunnel endpoint. To process only packets from a specific
2700 remote tunnel endpoint, the flow entries may match on the
2701 tun_src or tun_ipv6_srcfield. When sending packets to a
2702 remote_ip=flow tunnel, the flow actions must explicitly
2703 set the tun_dst or tun_ipv6_dst field to the IP address
2704 of the desired remote tunnel endpoint, e.g. with a
2705 set_field action.
2706 The remote tunnel endpoint for any packet received from a tunnel
2708 is available in the tun_src field for matching in the flow ta‐
2709 ble.
2710 options : local_ip: optional string
2712 Optional. The tunnel destination IP that received packets must
2713 match. Default is to match all addresses. If specified, may be
2714 one of:
2715 • An IPv4/IPv6 address (not a DNS name), e.g. 192.168.12.3.
2717 • The word flow. The tunnel accepts packets sent to any of
2719 the local IP addresses of the system running OVS. To
2720 process only packets sent to a specific IP address, the
2721 flow entries may match on the tun_dst or tun_ipv6_dst
2722 field. When sending packets to a local_ip=flow tunnel,
2723 the flow actions may explicitly set the tun_src or
2724 tun_ipv6_src field to the desired IP address, e.g. with a
2725 set_field action. However, while routing the tunneled
2726 packet out, the local system may override the specified
2727 address with the local IP address configured for the out‐
2728 going system interface.
2729 This option is valid only for tunnels also configured
2731 with the remote_ip=flow option.
2732 The tunnel destination IP address for any packet received from a
2734 tunnel is available in the tun_dst or tun_ipv6_dst field for
2735 matching in the flow table.
2736 options : in_key: optional string
2738 Optional, not applicable for bareudp. The key that received
2739 packets must contain, one of:
2740 • 0. The tunnel receives packets with no key or with a key
2742 of 0. This is equivalent to specifying no options:in_key
2743 at all.
2744 • A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit
2746 (for GRE) or 64-bit (for STT) number. The tunnel receives
2747 only packets with the specified key.
2748 • The word flow. The tunnel accepts packets with any key.
2750 The key will be placed in the tun_id field for matching
2751 in the flow table. The ovs-fields(7) manual page contains
2752 additional information about matching fields in OpenFlow
2753 flows.
2754 options : out_key: optional string
2756 Optional, not applicable for bareudp. The key to be set on out‐
2757 going packets, one of:
2758 • 0. Packets sent through the tunnel will have no key. This
2760 is equivalent to specifying no options:out_key at all.
2761 • A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit
2763 (for GRE) or 64-bit (for STT) number. Packets sent
2764 through the tunnel will have the specified key.
2765 • The word flow. Packets sent through the tunnel will have
2767 the key set using the set_tunnel Nicira OpenFlow vendor
2768 extension (0 is used in the absence of an action). The
2769 ovs-fields(7) manual page contains additional information
2770 about the Nicira OpenFlow vendor extensions.
2771 options : dst_port: optional string
2773 Optional. The tunnel transport layer destination port, for UDP
2774 and TCP based tunnel protocols (Geneve, VXLAN, LISP, and STT).
2775 options : key: optional string
2777 Optional. Shorthand to set in_key and out_key at the same time.
2778 options : tos: optional string
2780 Optional. The value of the ToS bits to be set on the encapsulat‐
2781 ing packet. ToS is interpreted as DSCP and ECN bits, ECN part
2782 must be zero. It may also be the word inherit, in which case the
2783 ToS will be copied from the inner packet if it is IPv4 or IPv6
2784 (otherwise it will be 0). The ECN fields are always inherited.
2785 Default is 0.
2786 options : ttl: optional string
2788 Optional. The TTL to be set on the encapsulating packet. It may
2789 also be the word inherit, in which case the TTL will be copied
2790 from the inner packet if it is IPv4 or IPv6 (otherwise it will
2791 be the system default, typically 64). Default is the system de‐
2792 fault TTL.
2793 options : df_default: optional string, either true or false
2795 Optional. If enabled, the Don’t Fragment bit will be set on tun‐
2796 nel outer headers to allow path MTU discovery. Default is en‐
2797 abled; set to false to disable.
2798 options : egress_pkt_mark: optional string
2800 Optional. The pkt_mark to be set on the encapsulating packet.
2801 This option sets packet mark for the tunnel endpoint for all
2802 tunnel packets including tunnel monitoring.
2803 Tunnel Options: lisp only:
2805 options : packet_type: optional string, either legacy_l3 or ptap
2807 A LISP tunnel sends and receives only IPv4 and IPv6 packets.
2808 This option controls what how the tunnel represents the packets
2809 that it sends and receives:
2810 • By default, or if this option is legacy_l3, the tunnel
2812 represents packets as Ethernet frames for compatibility
2813 with legacy OpenFlow controllers that expect this behav‐
2814 ior.
2815 • If this option is ptap, the tunnel represents packets us‐
2817 ing the packet_type mechanism introduced in OpenFlow 1.5.
2818 Tunnel Options: vxlan only:
2820 options : exts: optional string
2822 Optional. Comma separated list of optional VXLAN extensions to
2823 enable. The following extensions are supported:
2824 • gbp: VXLAN-GBP allows to transport the group policy con‐
2826 text of a packet across the VXLAN tunnel to other network
2827 peers. See the description of tun_gbp_id and
2828 tun_gbp_flags in ovs-fields(7) for additional informa‐
2829 tion.
2830 (https://tools.ietf.org/html/draft-smith-vxlan-group-pol‐
2831 icy)
2832 • gpe: Support for Generic Protocol Encapsulation in accor‐
2834 dance with IETF draft
2835 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe.
2836 Without this option, a VXLAN packet always encapsulates
2837 an Ethernet frame. With this option, an VXLAN packet may
2838 also encapsulate an IPv4, IPv6, NSH, or MPLS packet.
2839 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2841 ptap
2842 This option controls what types of packets the tunnel sends and
2843 receives and how it represents them:
2844 • By default, or if this option is legacy_l2, the tunnel
2846 sends and receives only Ethernet frames.
2847 • If this option is legacy_l3, the tunnel sends and re‐
2849 ceives only non-Ethernet (L3) packet, but the packets are
2850 represented as Ethernet frames for compatibility with
2851 legacy OpenFlow controllers that expect this behavior.
2852 This requires enabling gpe in options:exts.
2853 • If this option is ptap, Open vSwitch represents packets
2855 in the tunnel using the packet_type mechanism introduced
2856 in OpenFlow 1.5. This mechanism supports any kind of
2857 packet, but actually sending and receiving non-Ethernet
2858 packets requires additionally enabling gpe in op‐
2859 tions:exts.
2860 Tunnel Options: gre only:
2862 gre interfaces support these options.
2864 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2866 ptap
2867 This option controls what types of packets the tunnel sends and
2868 receives and how it represents them:
2869 • By default, or if this option is legacy_l2, the tunnel
2871 sends and receives only Ethernet frames.
2872 • If this option is legacy_l3, the tunnel sends and re‐
2874 ceives only non-Ethernet (L3) packet, but the packets are
2875 represented as Ethernet frames for compatibility with
2876 legacy OpenFlow controllers that expect this behavior.
2877 • The legacy_l3 option is only available via the user space
2879 datapath. The OVS kernel datapath does not support de‐
2880 vices of type ARPHRD_IPGRE which is the requirement for
2881 legacy_l3 type packets.
2882 • If this option is ptap, the tunnel sends and receives any
2884 kind of packet. Open vSwitch represents packets in the
2885 tunnel using the packet_type mechanism introduced in
2886 OpenFlow 1.5.
2887 options : seq: optional string, either true or false
2889 Optional. A 4-byte sequence number field for GRE tunnel only.
2890 Default is disabled, set to true to enable. Sequence number is
2891 incremented by one on each outgoing packet.
2892 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2894 gre, ip6gre, geneve, bareudp and vxlan interfaces support these op‐
2896 tions.
2897 options : csum: optional string, either true or false
2899 Optional. Compute encapsulation header (either GRE or UDP)
2900 checksums on outgoing packets. Default is disabled, set to true
2901 to enable. Checksums present on incoming packets will be vali‐
2902 dated regardless of this setting.
2903 When using the upstream Linux kernel module, computation of
2905 checksums for geneve and vxlan requires Linux kernel version 4.0
2906 or higher. gre and ip6gre support checksums for all versions of
2907 Open vSwitch that support GRE. The out of tree kernel module
2908 distributed as part of OVS can compute all tunnel checksums on
2909 any kernel version that it is compatible with.
2910 Tunnel Options: IPsec:
2912 Setting any of these options enables IPsec support for a given tunnel.
2914 gre, geneve, vxlan and stt interfaces support these options. See the
2915 IPsec section in the Open_vSwitch table for a description of each mode.
2916 options : psk: optional string
2918 In PSK mode only, the preshared secret to negotiate tunnel. This
2919 value must match on both tunnel ends.
2920 options : remote_cert: optional string
2922 In self-signed certificate mode only, name of a PEM file con‐
2923 taining a certificate of the remote switch. The certificate must
2924 be x.509 version 3 and with the string in common name (CN) also
2925 set in the subject alternative name (SAN).
2926 options : remote_name: optional string
2928 In CA-signed certificate mode only, common name (CN) of the re‐
2929 mote certificate.
2930 Tunnel Options: erspan only:
2932 Only erspan interfaces support these options.
2934 options : erspan_idx: optional string
2936 20 bit index/port number associated with the ERSPAN traffic’s
2937 source port and direction (ingress/egress). This field is plat‐
2938 form dependent.
2939 options : erspan_ver: optional string
2941 ERSPAN version: 1 for version 1 (type II) or 2 for version 2
2942 (type III).
2943 options : erspan_dir: optional string
2945 Specifies the ERSPAN v2 mirrored traffic’s direction. 1 for
2946 egress traffic, and 0 for ingress traffic.
2947 options : erspan_hwid: optional string
2949 ERSPAN hardware ID is a 6-bit unique identifier of an ERSPAN v2
2950 engine within a system.
2951 Tunnel Options: Bareudp only:
2953 options : payload_type: optional string
2955 Specifies the ethertype of the l3 protocol the bareudp device is
2956 tunnelling. For the tunnels which supports multiple ethertypes
2957 of a l3 protocol (IP, MPLS) this field specifies the protocol
2958 name as a string.
2959 Patch Options:
2961 These options apply only to patch ports, that is, interfaces whose type
2963 column is patch. Patch ports are mainly a way to connect otherwise in‐
2964 dependent bridges to one another, similar to how one might plug an Eth‐
2965 ernet cable (a ``patch cable’’) into two physical switches to connect
2966 those switches. The effect of plugging a patch port into two switches
2967 is conceptually similar to that of plugging the two ends of a Linux
2968 veth device into those switches, but the implementation of patch ports
2969 makes them much more efficient.
2970 Patch ports may connect two different bridges (the usual case) or the
2972 same bridge. In the latter case, take special care to avoid loops, e.g.
2973 by programming appropriate flows with OpenFlow. Patch ports do not work
2974 if its ends are attached to bridges on different datapaths, e.g. to
2975 connect bridges in system and netdev datapaths.
2976 The following command creates and connects patch ports p0 and p1 and
2978 adds them to bridges br0 and br1, respectively:
2979 ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
2981 -- add-port br1 p1 -- set Interface p1 type=patch options:peer=p0
2982 options : peer: optional string
2985 The name of the Interface for the other side of the patch. The
2986 named Interface’s own peer option must specify this Interface’s
2987 name. That is, the two patch interfaces must have reversed name
2988 and peer values.
2989 PMD (Poll Mode Driver) Options:
2991 Only PMD netdevs support these options.
2993 options : n_rxq: optional string, containing an integer, at least 1
2995 Specifies the maximum number of rx queues to be created for PMD
2996 netdev. If not specified or specified to 0, one rx queue will be
2997 created by default. Not supported by DPDK vHost interfaces.
2998 options : dpdk-devargs: optional string
3000 Specifies the PCI address associated with the port for physical
3001 devices, or the virtual driver to be used for the port when a
3002 virtual PMD is intended to be used. For the latter, the argument
3003 string typically takes the form of eth_driver_namex, where
3004 driver_name is a valid virtual DPDK PMD driver name and x is a
3005 unique identifier of your choice for the given port. Only sup‐
3006 ported by the dpdk port type.
3007 other_config : pmd-rxq-affinity: optional string
3009 Specifies mapping of RX queues of this interface to CPU cores.
3010 Value should be set in the following form:
3012 other_config:pmd-rxq-affinity=<rxq-affinity-list>
3014 where
3016 • <rxq-affinity-list> ::= NULL | <non-empty-list>
3018 • <non-empty-list> ::= <affinity-pair> | <affinity-pair> ,
3020 <non-empty-list>
3021 • <affinity-pair> ::= <queue-id> : <core-id>
3023 options : xdp-mode: optional string, one of best-effort, generic, na‐
3025 tive-with-zerocopy, or native
3026 Specifies the operational mode of the XDP program.
3027 In native-with-zerocopy mode the XDP program is loaded into the
3029 device driver with zero-copy RX and TX enabled. This mode re‐
3030 quires device driver support and has the best performance be‐
3031 cause there should be no copying of packets.
3032 native is the same as native-with-zerocopy, but without zero-
3034 copy capability. This requires at least one copy between kernel
3035 and the userspace. This mode also requires support from device
3036 driver.
3037 In generic case the XDP program in kernel works after skb allo‐
3039 cation on early stages of packet processing inside the network
3040 stack. This mode doesn’t require driver support, but has much
3041 lower performance.
3042 best-effort tries to detect and choose the best (fastest) from
3044 the available modes for current interface.
3045 Note that this option is specific to netdev-afxdp. Defaults to
3047 best-effort mode.
3048 options : use-need-wakeup: optional string, either true or false
3050 Specifies whether to use need_wakeup feature in afxdp netdev. If
3051 enabled, OVS explicitly wakes up the kernel RX, using poll()
3052 syscall and wakes up TX, using sendto() syscall. For physical
3053 devices, this feature improves the performance by avoiding un‐
3054 necessary sendto syscalls. Defaults to true if supported by
3055 libbpf.
3056 options : vhost-server-path: optional string
3058 The value specifies the path to the socket associated with a
3059 vHost User client mode device that has been or will be created
3060 by QEMU. Only supported by dpdkvhostuserclient interfaces.
3061 options : tx-retries-max: optional string, containing an integer, in
3063 range 0 to 32
3064 The value specifies the maximum amount of vhost tx retries that
3065 can be made while trying to send a batch of packets to an inter‐
3066 face. Only supported by dpdkvhostuserclient interfaces.
3067 Default value is 8.
3069 options : n_rxq_desc: optional string, containing an integer, in range
3071 1 to 4,096
3072 Specifies the rx queue size (number rx descriptors) for dpdk
3073 ports. The value must be a power of 2, less than 4096 and sup‐
3074 ported by the hardware of the device being configured. If not
3075 specified or an incorrect value is specified, 2048 rx descrip‐
3076 tors will be used by default.
3077 options : n_txq_desc: optional string, containing an integer, in range
3079 1 to 4,096
3080 Specifies the tx queue size (number tx descriptors) for dpdk
3081 ports. The value must be a power of 2, less than 4096 and sup‐
3082 ported by the hardware of the device being configured. If not
3083 specified or an incorrect value is specified, 2048 tx descrip‐
3084 tors will be used by default.
3085 options : dpdk-vf-mac: optional string
3087 Ethernet address to set for this VF interface. If unset then the
3088 default MAC address is used:
3089 • For most drivers, the default MAC address assigned by
3091 their hardware.
3092 • For bifurcated drivers, the MAC currently used by the
3094 kernel netdevice.
3095 This option may only be used with dpdk VF representors.
3097 EMC (Exact Match Cache) Configuration:
3099 These settings controls behaviour of EMC lookups/insertions for packets
3101 received from the interface.
3102 other_config : emc-enable: optional string, either true or false
3104 Specifies if Exact Match Cache (EMC) should be used while pro‐
3105 cessing packets received from this interface. If true,
3106 other_config:emc-insert-inv-prob will have effect on this inter‐
3107 face.
3108 Defaults to true.
3110 MTU:
3112 The MTU (maximum transmission unit) is the largest amount of data that
3114 can fit into a single Ethernet frame. The standard Ethernet MTU is 1500
3115 bytes. Some physical media and many kinds of virtual interfaces can be
3116 configured with higher MTUs.
3117 A client may change an interface MTU by filling in mtu_request. Open
3119 vSwitch then reports in mtu the currently configured value.
3120 mtu: optional integer
3122 The currently configured MTU for the interface.
3123 This column will be empty for an interface that does not have an
3125 MTU as, for example, some kinds of tunnels do not.
3126 Open vSwitch sets this column’s value, so other clients should
3128 treat it as read-only.
3129 mtu_request: optional integer, at least 1
3131 Requested MTU (Maximum Transmission Unit) for the interface. A
3132 client can fill this column to change the MTU of an interface.
3133 RFC 791 requires every internet module to be able to forward a
3135 datagram of 68 octets without further fragmentation. The maximum
3136 size of an IP packet is 65535 bytes.
3137 If this is not set and if the interface has internal type, Open
3139 vSwitch will change the MTU to match the minimum of the other
3140 interfaces in the bridge.
3141 Interface Status:
3143 Status information about interfaces attached to bridges, updated every
3145 5 seconds. Not all interfaces have all of these properties; virtual in‐
3146 terfaces don’t have a link speed, for example. Non-applicable columns
3147 will have empty values.
3148 admin_state: optional string, either down or up
3150 The administrative state of the physical network link.
3151 link_state: optional string, either down or up
3153 The observed state of the physical network link. This is ordi‐
3154 narily the link’s carrier status. If the interface’s Port is a
3155 bond configured for miimon monitoring, it is instead the network
3156 link’s miimon status.
3157 link_resets: optional integer
3159 The number of times Open vSwitch has observed the link_state of
3160 this Interface change.
3161 link_speed: optional integer
3163 The negotiated speed of the physical network link. Valid values
3164 are positive integers greater than 0.
3165 duplex: optional string, either full or half
3167 The duplex mode of the physical network link.
3168 lacp_current: optional boolean
3170 Boolean value indicating LACP status for this interface. If
3171 true, this interface has current LACP information about its LACP
3172 partner. This information may be used to monitor the health of
3173 interfaces in a LACP enabled port. This column will be empty if
3174 LACP is not enabled.
3175 status: map of string-string pairs
3177 Key-value pairs that report port status. Supported status values
3178 are type-dependent; some interfaces may not have a valid sta‐
3179 tus:driver_name, for example.
3180 status : driver_name: optional string
3182 The name of the device driver controlling the network adapter.
3183 status : driver_version: optional string
3185 The version string of the device driver controlling the network
3186 adapter.
3187 status : firmware_version: optional string
3189 The version string of the network adapter’s firmware, if avail‐
3190 able.
3191 status : source_ip: optional string
3193 The source IP address used for an IPv4/IPv6 tunnel end-point,
3194 such as gre.
3195 status : tunnel_egress_iface: optional string
3197 Egress interface for tunnels. Currently only relevant for tun‐
3198 nels on Linux systems, this column will show the name of the in‐
3199 terface which is responsible for routing traffic destined for
3200 the configured options:remote_ip. This could be an internal in‐
3201 terface such as a bridge port.
3202 status : tunnel_egress_iface_carrier: optional string, either down or
3204 up
3205 Whether carrier is detected on status:tunnel_egress_iface.
3206 dpdk:
3208 DPDK specific interface status options.
3210 status : port_no: optional string
3212 DPDK port ID.
3213 status : numa_id: optional string
3215 NUMA socket ID to which an Ethernet device is connected.
3216 status : min_rx_bufsize: optional string
3218 Minimum size of RX buffer.
3219 status : max_rx_pktlen: optional string
3221 Maximum configurable length of RX pkt.
3222 status : max_rx_queues: optional string
3224 Maximum number of RX queues.
3225 status : max_tx_queues: optional string
3227 Maximum number of TX queues.
3228 status : max_mac_addrs: optional string
3230 Maximum number of MAC addresses.
3231 status : max_hash_mac_addrs: optional string
3233 Maximum number of hash MAC addresses for MTA and UTA.
3234 status : max_vfs: optional string
3236 Maximum number of hash MAC addresses for MTA and UTA. Maximum
3237 number of VFs.
3238 status : max_vmdq_pools: optional string
3240 Maximum number of VMDq pools.
3241 status : if_type: optional string
3243 Interface type ID according to IANA ifTYPE MIB definitions.
3244 status : if_descr: optional string
3246 Interface description string.
3247 status : pci-vendor_id: optional string
3249 Vendor ID of PCI device.
3250 status : pci-device_id: optional string
3252 Device ID of PCI device.
3253 Statistics:
3255 Key-value pairs that report interface statistics. The current implemen‐
3257 tation updates these counters periodically. The update period is con‐
3258 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
3259 ble. Future implementations may update them when an interface is cre‐
3260 ated, when they are queried (e.g. using an OVSDB select operation), and
3261 just before an interface is deleted due to virtual interface hot-unplug
3262 or VM shutdown, and perhaps at other times, but not on any regular pe‐
3263 riodic basis.
3264 These are the same statistics reported by OpenFlow in its struct
3266 ofp_port_stats structure. If an interface does not support a given
3267 statistic, then that pair is omitted.
3268 Statistics: Successful transmit and receive counters:
3270 statistics : rx_packets: optional integer
3272 Number of received packets.
3273 statistics : rx_bytes: optional integer
3275 Number of received bytes.
3276 statistics : tx_packets: optional integer
3278 Number of transmitted packets.
3279 statistics : tx_bytes: optional integer
3281 Number of transmitted bytes.
3282 Statistics: Receive errors:
3284 statistics : rx_dropped: optional integer
3286 Number of packets dropped by RX.
3287 statistics : rx_frame_err: optional integer
3289 Number of frame alignment errors.
3290 statistics : rx_over_err: optional integer
3292 Number of packets with RX overrun.
3293 statistics : rx_crc_err: optional integer
3295 Number of CRC errors.
3296 statistics : rx_errors: optional integer
3298 Total number of receive errors, greater than or equal to the sum
3299 of the above.
3300 Statistics: Transmit errors:
3302 statistics : tx_dropped: optional integer
3304 Number of packets dropped by TX.
3305 statistics : collisions: optional integer
3307 Number of collisions.
3308 statistics : tx_errors: optional integer
3310 Total number of transmit errors, greater than or equal to the
3311 sum of the above.
3312 Ingress Policing:
3314 These settings control ingress policing for packets received on this
3316 interface. On a physical interface, this limits the rate at which traf‐
3317 fic is allowed into the system from the outside; on a virtual interface
3318 (one connected to a virtual machine), this limits the rate at which the
3319 VM is able to transmit.
3320 Policing is a simple form of quality-of-service that simply drops pack‐
3322 ets received in excess of the configured rate. Due to its simplicity,
3323 policing is usually less accurate and less effective than egress QoS
3324 (which is configured using the QoS and Queue tables).
3325 Policing is currently implemented on Linux and OVS with DPDK. Both im‐
3327 plementations use a simple ``token bucket’’ approach:
3328 • The size of the bucket corresponds to ingress_polic‐
3330 ing_burst. Initially the bucket is full.
3331 • Whenever a packet is received, its size (converted to to‐
3333 kens) is compared to the number of tokens currently in
3334 the bucket. If the required number of tokens are avail‐
3335 able, they are removed and the packet is forwarded. Oth‐
3336 erwise, the packet is dropped.
3337 • Whenever it is not full, the bucket is refilled with to‐
3339 kens at the rate specified by ingress_policing_rate.
3340 Policing interacts badly with some network protocols, and especially
3342 with fragmented IP packets. Suppose that there is enough network activ‐
3343 ity to keep the bucket nearly empty all the time. Then this token
3344 bucket algorithm will forward a single packet every so often, with the
3345 period depending on packet size and on the configured rate. All of the
3346 fragments of an IP packets are normally transmitted back-to-back, as a
3347 group. In such a situation, therefore, only one of these fragments will
3348 be forwarded and the rest will be dropped. IP does not provide any way
3349 for the intended recipient to ask for only the remaining fragments. In
3350 such a case there are two likely possibilities for what will happen
3351 next: either all of the fragments will eventually be retransmitted (as
3352 TCP will do), in which case the same problem will recur, or the sender
3353 will not realize that its packet has been dropped and data will simply
3354 be lost (as some UDP-based protocols will do). Either way, it is possi‐
3355 ble that no forward progress will ever occur.
3356 ingress_policing_rate: integer, at least 0
3358 Maximum rate for data received on this interface, in kbps. Data
3359 received faster than this rate is dropped. Set to 0 (the de‐
3360 fault) to disable policing.
3361 ingress_policing_burst: integer, at least 0
3363 Maximum burst size for data received on this interface, in kb.
3364 The default burst size if set to 0 is 8000 kbit. This value has
3365 no effect if ingress_policing_rate is 0.
3366 Specifying a larger burst size lets the algorithm be more for‐
3368 giving, which is important for protocols like TCP that react se‐
3369 verely to dropped packets. The burst size should be at least the
3370 size of the interface’s MTU. Specifying a value that is numeri‐
3371 cally at least as large as 80% of ingress_policing_rate helps
3372 TCP come closer to achieving the full rate.
3373 Bidirectional Forwarding Detection (BFD):
3375 BFD, defined in RFC 5880 and RFC 5881, allows point-to-point detection
3377 of connectivity failures by occasional transmission of BFD control mes‐
3378 sages. Open vSwitch implements BFD to serve as a more popular and stan‐
3379 dards compliant alternative to CFM.
3380 BFD operates by regularly transmitting BFD control messages at a rate
3382 negotiated independently in each direction. Each endpoint specifies the
3383 rate at which it expects to receive control messages, and the rate at
3384 which it is willing to transmit them. By default, Open vSwitch uses a
3385 detection multiplier of three, meaning that an endpoint signals a con‐
3386 nectivity fault if three consecutive BFD control messages fail to ar‐
3387 rive. In the case of a unidirectional connectivity issue, the system
3388 not receiving BFD control messages signals the problem to its peer in
3389 the messages it transmits.
3390 The Open vSwitch implementation of BFD aims to comply faithfully with
3392 RFC 5880 requirements. Open vSwitch does not implement the optional Au‐
3393 thentication or ``Echo Mode’’ features.
3394 OVS 2.13 and earlier intercepted and processed all BFD packets. OVS
3396 2.14 and later only intercept and process BFD packets destined to a
3397 configured BFD instance, and other BFD packets are made available to
3398 the OVS flow table for forwarding.
3399 BFD Configuration:
3401 A controller sets up key-value pairs in the bfd column to enable and
3403 configure BFD.
3404 bfd : enable: optional string, either true or false
3406 True to enable BFD on this Interface. If not specified, BFD will
3407 not be enabled by default.
3408 bfd : min_rx: optional string, containing an integer, at least 1
3410 The shortest interval, in milliseconds, at which this BFD ses‐
3411 sion offers to receive BFD control messages. The remote endpoint
3412 may choose to send messages at a slower rate. Defaults to 1000.
3413 bfd : min_tx: optional string, containing an integer, at least 1
3415 The shortest interval, in milliseconds, at which this BFD ses‐
3416 sion is willing to transmit BFD control messages. Messages will
3417 actually be transmitted at a slower rate if the remote endpoint
3418 is not willing to receive as quickly as specified. Defaults to
3419 100.
3420 bfd : decay_min_rx: optional string, containing an integer
3422 An alternate receive interval, in milliseconds, that must be
3423 greater than or equal to bfd:min_rx. The implementation switches
3424 from bfd:min_rx to bfd:decay_min_rx when there is no obvious in‐
3425 coming data traffic at the interface, to reduce the CPU and
3426 bandwidth cost of monitoring an idle interface. This feature may
3427 be disabled by setting a value of 0. This feature is reset when‐
3428 ever bfd:decay_min_rx or bfd:min_rx changes.
3429 bfd : forwarding_if_rx: optional string, either true or false
3431 When true, traffic received on the Interface is used to indicate
3432 the capability of packet I/O. BFD control packets are still
3433 transmitted and received. At least one BFD control packet must
3434 be received every 100 * bfd:min_rx amount of time. Otherwise,
3435 even if traffic are received, the bfd:forwarding will be false.
3436 bfd : cpath_down: optional string, either true or false
3438 Set to true to notify the remote endpoint that traffic should
3439 not be forwarded to this system for some reason other than a
3440 connectivty failure on the interface being monitored. The typi‐
3441 cal underlying reason is ``concatenated path down,’’ that is,
3442 that connectivity beyond the local system is down. Defaults to
3443 false.
3444 bfd : check_tnl_key: optional string, either true or false
3446 Set to true to make BFD accept only control messages with a tun‐
3447 nel key of zero. By default, BFD accepts control messages with
3448 any tunnel key.
3449 bfd : bfd_local_src_mac: optional string
3451 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3452 the MAC used as source for transmitted BFD packets. The default
3453 is the mac address of the BFD enabled interface.
3454 bfd : bfd_local_dst_mac: optional string
3456 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3457 the MAC used as destination for transmitted BFD packets. The de‐
3458 fault is 00:23:20:00:00:01.
3459 bfd : bfd_remote_dst_mac: optional string
3461 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3462 the MAC used for checking the destination of received BFD pack‐
3463 ets. Packets with different destination MAC will not be consid‐
3464 ered as BFD packets. If not specified the destination MAC ad‐
3465 dress of received BFD packets are not checked.
3466 bfd : bfd_src_ip: optional string
3468 Set to an IPv4 address to set the IP address used as source for
3469 transmitted BFD packets. The default is 169.254.1.1.
3470 bfd : bfd_dst_ip: optional string
3472 Set to an IPv4 address to set the IP address used as destination
3473 for transmitted BFD packets. The default is 169.254.1.0.
3474 bfd : oam: optional string
3476 Some tunnel protocols (such as Geneve) include a bit in the
3477 header to indicate that the encapsulated packet is an OAM frame.
3478 By setting this to true, BFD packets will be marked as OAM if
3479 encapsulated in one of these tunnels.
3480 bfd : mult: optional string, containing an integer, in range 1 to 255
3482 The BFD detection multiplier, which defaults to 3. An endpoint
3483 signals a connectivity fault if the given number of consecutive
3484 BFD control messages fail to arrive.
3485 BFD Status:
3487 The switch sets key-value pairs in the bfd_status column to report the
3489 status of BFD on this interface. When BFD is not enabled, with bfd:en‐
3490 able, the switch clears all key-value pairs from bfd_status.
3491 bfd_status : state: optional string, one of admin_down, down, init, or
3493 up
3494 Reports the state of the BFD session. The BFD session is fully
3495 healthy and negotiated if UP.
3496 bfd_status : forwarding: optional string, either true or false
3498 Reports whether the BFD session believes this Interface may be
3499 used to forward traffic. Typically this means the local session
3500 is signaling UP, and the remote system isn’t signaling a problem
3501 such as concatenated path down.
3502 bfd_status : diagnostic: optional string
3504 A diagnostic code specifying the local system’s reason for the
3505 last change in session state. The error messages are defined in
3506 section 4.1 of [RFC 5880].
3507 bfd_status : remote_state: optional string, one of admin_down, down,
3509 init, or up
3510 Reports the state of the remote endpoint’s BFD session.
3511 bfd_status : remote_diagnostic: optional string
3513 A diagnostic code specifying the remote system’s reason for the
3514 last change in session state. The error messages are defined in
3515 section 4.1 of [RFC 5880].
3516 bfd_status : flap_count: optional string, containing an integer, at
3518 least 0
3519 Counts the number of bfd_status:forwarding flaps since start. A
3520 flap is considered as a change of the bfd_status:forwarding
3521 value.
3522 Connectivity Fault Management:
3524 802.1ag Connectivity Fault Management (CFM) allows a group of Mainte‐
3526 nance Points (MPs) called a Maintenance Association (MA) to detect con‐
3527 nectivity problems with each other. MPs within a MA should have com‐
3528 plete and exclusive interconnectivity. This is verified by occasionally
3529 broadcasting Continuity Check Messages (CCMs) at a configurable trans‐
3530 mission interval.
3531 According to the 802.1ag specification, each Maintenance Point should
3533 be configured out-of-band with a list of Remote Maintenance Points it
3534 should have connectivity to. Open vSwitch differs from the specifica‐
3535 tion in this area. It simply assumes the link is faulted if no Remote
3536 Maintenance Points are reachable, and considers it not faulted other‐
3537 wise.
3538 When operating over tunnels which have no in_key, or an in_key of flow.
3540 CFM will only accept CCMs with a tunnel key of zero.
3541 cfm_mpid: optional integer
3543 A Maintenance Point ID (MPID) uniquely identifies each endpoint
3544 within a Maintenance Association. The MPID is used to identify
3545 this endpoint to other Maintenance Points in the MA. Each end of
3546 a link being monitored should have a different MPID. Must be
3547 configured to enable CFM on this Interface.
3548 According to the 802.1ag specification, MPIDs can only range be‐
3550 tween [1, 8191]. However, extended mode (see other_con‐
3551 fig:cfm_extended) supports eight byte MPIDs.
3552 cfm_flap_count: optional integer
3554 Counts the number of cfm fault flapps since boot. A flap is con‐
3555 sidered to be a change of the cfm_fault value.
3556 cfm_fault: optional boolean
3558 Indicates a connectivity fault triggered by an inability to re‐
3559 ceive heartbeats from any remote endpoint. When a fault is trig‐
3560 gered on Interfaces participating in bonds, they will be dis‐
3561 abled.
3562 Faults can be triggered for several reasons. Most importantly
3564 they are triggered when no CCMs are received for a period of 3.5
3565 times the transmission interval. Faults are also triggered when
3566 any CCMs indicate that a Remote Maintenance Point is not receiv‐
3567 ing CCMs but able to send them. Finally, a fault is triggered if
3568 a CCM is received which indicates unexpected configuration. No‐
3569 tably, this case arises when a CCM is received which advertises
3570 the local MPID.
3571 cfm_fault_status : recv: none
3573 Indicates a CFM fault was triggered due to a lack of CCMs re‐
3574 ceived on the Interface.
3575 cfm_fault_status : rdi: none
3577 Indicates a CFM fault was triggered due to the reception of a
3578 CCM with the RDI bit flagged. Endpoints set the RDI bit in their
3579 CCMs when they are not receiving CCMs themselves. This typically
3580 indicates a unidirectional connectivity failure.
3581 cfm_fault_status : maid: none
3583 Indicates a CFM fault was triggered due to the reception of a
3584 CCM with a MAID other than the one Open vSwitch uses. CFM broad‐
3585 casts are tagged with an identification number in addition to
3586 the MPID called the MAID. Open vSwitch only supports receiving
3587 CCM broadcasts tagged with the MAID it uses internally.
3588 cfm_fault_status : loopback: none
3590 Indicates a CFM fault was triggered due to the reception of a
3591 CCM advertising the same MPID configured in the cfm_mpid column
3592 of this Interface. This may indicate a loop in the network.
3593 cfm_fault_status : overflow: none
3595 Indicates a CFM fault was triggered because the CFM module re‐
3596 ceived CCMs from more remote endpoints than it can keep track
3597 of.
3598 cfm_fault_status : override: none
3600 Indicates a CFM fault was manually triggered by an administrator
3601 using an ovs-appctl command.
3602 cfm_fault_status : interval: none
3604 Indicates a CFM fault was triggered due to the reception of a
3605 CCM frame having an invalid interval.
3606 cfm_remote_opstate: optional string, either down or up
3608 When in extended mode, indicates the operational state of the
3609 remote endpoint as either up or down. See other_config:cfm_op‐
3610 state.
3611 cfm_health: optional integer, in range 0 to 100
3613 Indicates the health of the interface as a percentage of CCM
3614 frames received over 21 other_config:cfm_intervals. The health
3615 of an interface is undefined if it is communicating with more
3616 than one cfm_remote_mpids. It reduces if healthy heartbeats are
3617 not received at the expected rate, and gradually improves as
3618 healthy heartbeats are received at the desired rate. Every 21
3619 other_config:cfm_intervals, the health of the interface is re‐
3620 freshed.
3621 As mentioned above, the faults can be triggered for several rea‐
3623 sons. The link health will deteriorate even if heartbeats are
3624 received but they are reported to be unhealthy. An unhealthy
3625 heartbeat in this context is a heartbeat for which either some
3626 fault is set or is out of sequence. The interface health can be
3627 100 only on receiving healthy heartbeats at the desired rate.
3628 cfm_remote_mpids: set of integers
3630 When CFM is properly configured, Open vSwitch will occasionally
3631 receive CCM broadcasts. These broadcasts contain the MPID of the
3632 sending Maintenance Point. The list of MPIDs from which this In‐
3633 terface is receiving broadcasts from is regularly collected and
3634 written to this column.
3635 other_config : cfm_interval: optional string, containing an integer
3637 The interval, in milliseconds, between transmissions of CFM
3638 heartbeats. Three missed heartbeat receptions indicate a connec‐
3639 tivity fault.
3640 In standard operation only intervals of 3, 10, 100, 1,000,
3642 10,000, 60,000, or 600,000 ms are supported. Other values will
3643 be rounded down to the nearest value on the list. Extended mode
3644 (see other_config:cfm_extended) supports any interval up to
3645 65,535 ms. In either mode, the default is 1000 ms.
3646 We do not recommend using intervals less than 100 ms.
3648 other_config : cfm_extended: optional string, either true or false
3650 When true, the CFM module operates in extended mode. This causes
3651 it to use a nonstandard destination address to avoid conflicting
3652 with compliant implementations which may be running concurrently
3653 on the network. Furthermore, extended mode increases the accu‐
3654 racy of the cfm_interval configuration parameter by breaking
3655 wire compatibility with 802.1ag compliant implementations. And
3656 extended mode allows eight byte MPIDs. Defaults to false.
3657 other_config : cfm_demand: optional string, either true or false
3659 When true, and other_config:cfm_extended is true, the CFM module
3660 operates in demand mode. When in demand mode, traffic received
3661 on the Interface is used to indicate liveness. CCMs are still
3662 transmitted and received. At least one CCM must be received ev‐
3663 ery 100 * other_config:cfm_interval amount of time. Otherwise,
3664 even if traffic are received, the CFM module will raise the con‐
3665 nectivity fault.
3666 Demand mode has a couple of caveats:
3668 • To ensure that ovs-vswitchd has enough time to pull sta‐
3670 tistics from the datapath, the fault detection interval
3671 is set to 3.5 * MAX(other_config:cfm_interval, 500) ms.
3672 • To avoid ambiguity, demand mode disables itself when
3674 there are multiple remote maintenance points.
3675 • If the Interface is heavily congested, CCMs containing
3677 the other_config:cfm_opstate status may be dropped caus‐
3678 ing changes in the operational state to be delayed. Simi‐
3679 larly, if CCMs containing the RDI bit are not received,
3680 unidirectional link failures may not be detected.
3681 other_config : cfm_opstate: optional string, either down or up
3683 When down, the CFM module marks all CCMs it generates as opera‐
3684 tionally down without triggering a fault. This allows remote
3685 maintenance points to choose not to forward traffic to the In‐
3686 terface on which this CFM module is running. Currently, in Open
3687 vSwitch, the opdown bit of CCMs affects Interfaces participating
3688 in bonds, and the bundle OpenFlow action. This setting is ig‐
3689 nored when CFM is not in extended mode. Defaults to up.
3690 other_config : cfm_ccm_vlan: optional string, containing an integer, in
3692 range 1 to 4,095
3693 When set, the CFM module will apply a VLAN tag to all CCMs it
3694 generates with the given value. May be the string random in
3695 which case each CCM will be tagged with a different randomly
3696 generated VLAN.
3697 other_config : cfm_ccm_pcp: optional string, containing an integer, in
3699 range 1 to 7
3700 When set, the CFM module will apply a VLAN tag to all CCMs it
3701 generates with the given PCP value, the VLAN ID of the tag is
3702 governed by the value of other_config:cfm_ccm_vlan. If
3703 other_config:cfm_ccm_vlan is unset, a VLAN ID of zero is used.
3704 Bonding Configuration:
3706 other_config : lacp-port-id: optional string, containing an integer, in
3708 range 1 to 65,535
3709 The LACP port ID of this Interface. Port IDs are used in LACP
3710 negotiations to identify individual ports participating in a
3711 bond.
3712 other_config : lacp-port-priority: optional string, containing an inte‐
3714 ger, in range 1 to 65,535
3715 The LACP port priority of this Interface. In LACP negotiations
3716 Interfaces with numerically lower priorities are preferred for
3717 aggregation.
3718 other_config : lacp-aggregation-key: optional string, containing an in‐
3720 teger, in range 1 to 65,535
3721 The LACP aggregation key of this Interface. Interfaces with dif‐
3722 ferent aggregation keys may not be active within a given Port at
3723 the same time.
3724 Virtual Machine Identifiers:
3726 These key-value pairs specifically apply to an interface that repre‐
3728 sents a virtual Ethernet interface connected to a virtual machine.
3729 These key-value pairs should not be present for other types of inter‐
3730 faces. Keys whose names end in -uuid have values that uniquely identify
3731 the entity in question. For a Citrix XenServer hypervisor, these values
3732 are UUIDs in RFC 4122 format. Other hypervisors may use other formats.
3733 external_ids : attached-mac: optional string
3735 The MAC address programmed into the ``virtual hardware’’ for
3736 this interface, in the form xx:xx:xx:xx:xx:xx. For Citrix
3737 XenServer, this is the value of the MAC field in the VIF record
3738 for this interface.
3739 external_ids : iface-id: optional string
3741 A system-unique identifier for the interface. On XenServer, this
3742 will commonly be the same as external_ids:xs-vif-uuid.
3743 external_ids : iface-status: optional string, either active or inactive
3745 Hypervisors may sometimes have more than one interface associ‐
3746 ated with a given external_ids:iface-id, only one of which is
3747 actually in use at a given time. For example, in some circum‐
3748 stances XenServer has both a ``tap’’ and a ``vif’’ interface for
3749 a single external_ids:iface-id, but only uses one of them at a
3750 time. A hypervisor that behaves this way must mark the currently
3751 in use interface active and the others inactive. A hypervisor
3752 that never has more than one interface for a given exter‐
3753 nal_ids:iface-id may mark that interface active or omit exter‐
3754 nal_ids:iface-status entirely.
3755 During VM migration, a given external_ids:iface-id might tran‐
3757 siently be marked active on two different hypervisors. That is,
3758 active means that this external_ids:iface-id is the active in‐
3759 stance within a single hypervisor, not in a broader scope. There
3760 is one exception: some hypervisors support ``migration’’ from a
3761 given hypervisor to itself (most often for test purposes). Dur‐
3762 ing such a ``migration,’’ two instances of a single exter‐
3763 nal_ids:iface-id might both be briefly marked active on a single
3764 hypervisor.
3765 external_ids : xs-vif-uuid: optional string
3767 The virtual interface associated with this interface.
3768 external_ids : xs-network-uuid: optional string
3770 The virtual network to which this interface is attached.
3771 external_ids : vm-id: optional string
3773 The VM to which this interface belongs. On XenServer, this will
3774 be the same as external_ids:xs-vm-uuid.
3775 external_ids : xs-vm-uuid: optional string
3777 The VM to which this interface belongs.
3778 Auto Attach Configuration:
3780 Auto Attach configuration for a particular interface.
3782 lldp : enable: optional string, either true or false
3784 True to enable LLDP on this Interface. If not specified, LLDP
3785 will be disabled by default.
3786 Flow control Configuration:
3788 Ethernet flow control defined in IEEE 802.1Qbb provides link level flow
3790 control using MAC pause frames. Implemented only for interfaces with
3791 type dpdk.
3792 options : rx-flow-ctrl: optional string, either true or false
3794 Set to true to enable Rx flow control on physical ports. By de‐
3795 fault, Rx flow control is disabled.
3796 options : tx-flow-ctrl: optional string, either true or false
3798 Set to true to enable Tx flow control on physical ports. By de‐
3799 fault, Tx flow control is disabled.
3800 options : flow-ctrl-autoneg: optional string, either true or false
3802 Set to true to enable flow control auto negotiation on physical
3803 ports. By default, auto-neg is disabled.
3804 Link State Change detection mode:
3806 options : dpdk-lsc-interrupt: optional string, either true or false
3808 Set this value to true to configure interrupt mode for Link
3809 State Change (LSC) detection instead of poll mode for the DPDK
3810 interface.
3811 If this value is not set, poll mode is configured.
3813 This parameter has an effect only on netdev dpdk interfaces.
3815 Common Columns:
3817 The overall purpose of these columns is described under Common Columns
3819 at the beginning of this document.
3820 other_config: map of string-string pairs
3822 external_ids: map of string-string pairs
3824
3826 Configuration for a particular OpenFlow table.
3827 Summary:
3829 name optional string
3830 Eviction Policy:
3831 flow_limit optional integer, at least 0
3832 overflow_policy optional string, either evict or refuse
3833 groups set of strings
3834 Classifier Optimization:
3835 prefixes set of up to 3 strings
3836 Common Columns:
3837 external_ids map of string-string pairs
3838 Details:
3840 name: optional string
3841 The table’s name. Set this column to change the name that con‐
3842 trollers will receive when they request table statistics, e.g.
3843 ovs-ofctl dump-tables. The name does not affect switch behavior.
3844 Eviction Policy:
3846 Open vSwitch supports limiting the number of flows that may be in‐
3848 stalled in a flow table, via the flow_limit column. When adding a flow
3849 would exceed this limit, by default Open vSwitch reports an error, but
3850 there are two ways to configure Open vSwitch to instead delete
3851 (``evict’’) a flow to make room for the new one:
3852 • Set the overflow_policy column to evict.
3854 • Send an OpenFlow 1.4+ ``table mod request’’ to enable
3856 eviction for the flow table (e.g. ovs-ofctl -O OpenFlow14
3857 mod-table br0 0 evict to enable eviction on flow table 0
3858 of bridge br0).
3859 When a flow must be evicted due to overflow, the flow to evict is cho‐
3861 sen through an approximation of the following algorithm. This algorithm
3862 is used regardless of how eviction was enabled:
3863 1. Divide the flows in the table into groups based on the val‐
3865 ues of the fields or subfields specified in the groups col‐
3866 umn, so that all of the flows in a given group have the same
3867 values for those fields. If a flow does not specify a given
3868 field, that field’s value is treated as 0. If groups is
3869 empty, then all of the flows in the flow table are treated
3870 as a single group.
3871 2. Consider the flows in the largest group, that is, the group
3873 that contains the greatest number of flows. If two or more
3874 groups all have the same largest number of flows, consider
3875 the flows in all of those groups.
3876 3. If the flows under consideration have different importance
3878 values, eliminate from consideration any flows except those
3879 with the lowest importance. (``Importance,’’ a 16-bit inte‐
3880 ger value attached to each flow, was introduced in OpenFlow
3881 1.4. Flows inserted with older versions of OpenFlow always
3882 have an importance of 0.)
3883 4. Among the flows under consideration, choose the flow that
3885 expires soonest for eviction.
3886 The eviction process only considers flows that have an idle timeout or
3888 a hard timeout. That is, eviction never deletes permanent flows. (Per‐
3889 manent flows do count against flow_limit.)
3890 flow_limit: optional integer, at least 0
3892 If set, limits the number of flows that may be added to the ta‐
3893 ble. Open vSwitch may limit the number of flows in a table for
3894 other reasons, e.g. due to hardware limitations or for resource
3895 availability or performance reasons.
3896 overflow_policy: optional string, either evict or refuse
3898 Controls the switch’s behavior when an OpenFlow flow table modi‐
3899 fication request would add flows in excess of flow_limit. The
3900 supported values are:
3901 refuse Refuse to add the flow or flows. This is also the default
3903 policy when overflow_policy is unset.
3904 evict Delete a flow chosen according to the algorithm described
3906 above.
3907 groups: set of strings
3909 When overflow_policy is evict, this controls how flows are cho‐
3910 sen for eviction when the flow table would otherwise exceed
3911 flow_limit flows. Its value is a set of NXM fields or sub-
3912 fields, each of which takes one of the forms field[] or
3913 field[start..end], e.g. NXM_OF_IN_PORT[]. Please see meta-flow.h
3914 for a complete list of NXM field names.
3915 Open vSwitch ignores any invalid or unknown field specifica‐
3917 tions.
3918 When eviction is not enabled, via overflow_policy or an OpenFlow
3920 1.4+ ``table mod,’’ this column has no effect.
3921 Classifier Optimization:
3923 prefixes: set of up to 3 strings
3925 This string set specifies which fields should be used for ad‐
3926 dress prefix tracking. Prefix tracking allows the classifier to
3927 skip rules with longer than necessary prefixes, resulting in
3928 better wildcarding for datapath flows.
3929 Prefix tracking may be beneficial when a flow table contains
3931 matches on IP address fields with different prefix lengths. For
3932 example, when a flow table contains IP address matches on both
3933 full addresses and proper prefixes, the full address matches
3934 will typically cause the datapath flow to un-wildcard the whole
3935 address field (depending on flow entry priorities). In this case
3936 each packet with a different address gets handed to the
3937 userspace for flow processing and generates its own datapath
3938 flow. With prefix tracking enabled for the address field in
3939 question packets with addresses matching shorter prefixes would
3940 generate datapath flows where the irrelevant address bits are
3941 wildcarded, allowing the same datapath flow to handle all the
3942 packets within the prefix in question. In this case many
3943 userspace upcalls can be avoided and the overall performance can
3944 be better.
3945 This is a performance optimization only, so packets will receive
3947 the same treatment with or without prefix tracking.
3948 The supported fields are: tun_id, tun_src, tun_dst,
3950 tun_ipv6_src, tun_ipv6_dst, nw_src, nw_dst (or aliases ip_src
3951 and ip_dst), ipv6_src, and ipv6_dst. (Using this feature for
3952 tun_id would only make sense if the tunnel IDs have prefix
3953 structure similar to IP addresses.)
3954 By default, the prefixes=ip_dst,ip_src are used on each flow ta‐
3956 ble. This instructs the flow classifier to track the IP destina‐
3957 tion and source addresses used by the rules in this specific
3958 flow table.
3959 The keyword none is recognized as an explicit override of the
3961 default values, causing no prefix fields to be tracked.
3962 To set the prefix fields, the flow table record needs to exist:
3964 ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create
3966 Flow_Table name=table0
3967 Creates a flow table record for the OpenFlow table number
3968 0.
3969 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
3971 Enables prefix tracking for IP source and destination ad‐
3972 dress fields.
3973 There is a maximum number of fields that can be enabled for any
3975 one flow table. Currently this limit is 3.
3976 Common Columns:
3978 The overall purpose of these columns is described under Common Columns
3980 at the beginning of this document.
3981 external_ids: map of string-string pairs
3983
3985 Quality of Service (QoS) configuration for each Port that references
3986 it.
3987 Summary:
3989 type string
3990 queues map of integer-Queue pairs, key in range
3991 0 to 4,294,967,295
3992 Configuration for linux-htb and linux-hfsc:
3993 other_config : max-rate optional string, containing an integer
3994 Configuration for egress-policer QoS:
3995 other_config : cir optional string, containing an integer
3996 other_config : cbs optional string, containing an integer
3997 other_config : eir optional string, containing an integer
3998 other_config : ebs optional string, containing an integer
3999 Configuration for linux-sfq:
4000 other_config : perturb optional string, containing an integer
4001 other_config : quantum optional string, containing an integer
4002 Configuration for linux-netem:
4003 other_config : latency optional string, containing an integer
4004 other_config : limit optional string, containing an integer
4005 other_config : loss optional string, containing an integer
4006 Common Columns:
4007 other_config map of string-string pairs
4008 external_ids map of string-string pairs
4009 Details:
4011 type: string
4012 The type of QoS to implement. The currently defined types are
4013 listed below:
4014 linux-htb
4016 Linux ``hierarchy token bucket’’ classifier. See tc-
4017 htb(8) (also at http://linux.die.net/man/8/tc-htb) and
4018 the HTB manual (http://luxik.cdi.cz/~devik/qos/htb/man‐
4019 ual/userg.htm) for information on how this classifier
4020 works and how to configure it.
4021 linux-hfsc
4023 Linux "Hierarchical Fair Service Curve" classifier. See
4024 http://linux-ip.net/articles/hfsc.en/ for information on
4025 how this classifier works.
4026 linux-sfq
4028 Linux ``Stochastic Fairness Queueing’’ classifier. See
4029 tc-sfq(8) (also at http://linux.die.net/man/8/tc-sfq) for
4030 information on how this classifier works.
4031 linux-codel
4033 Linux ``Controlled Delay’’ classifier. See tc-codel(8)
4034 (also at
4035 http://man7.org/linux/man-pages/man8/tc-codel.8.html) for
4036 information on how this classifier works.
4037 linux-fq_codel
4039 Linux ``Fair Queuing with Controlled Delay’’ classifier.
4040 See tc-fq_codel(8) (also at
4041 http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html)
4042 for information on how this classifier works.
4043 linux-netem
4045 Linux ``Network Emulator’’ classifier. See tc-netem(8)
4046 (also at
4047 http://man7.org/linux/man-pages/man8/tc-netem.8.html) for
4048 information on how this classifier works.
4049 linux-noop
4051 Linux ``No operation.’’ By default, Open vSwitch manages
4052 quality of service on all of its configured ports. This
4053 can be helpful, but sometimes administrators prefer to
4054 use other software to manage QoS. This type prevents Open
4055 vSwitch from changing the QoS configuration for a port.
4056 egress-policer
4058 A DPDK egress policer algorithm using the DPDK rte_meter
4059 library. The rte_meter library provides an implementation
4060 which allows the metering and policing of traffic. The
4061 implementation in OVS essentially creates a single token
4062 bucket used to police traffic. It should be noted that
4063 when the rte_meter is configured as part of QoS there
4064 will be a performance overhead as the rte_meter itself
4065 will consume CPU cycles in order to police traffic. These
4066 CPU cycles ordinarily are used for packet proccessing. As
4067 such the drop in performance will be noticed in terms of
4068 overall aggregate traffic throughput.
4069 trtcm-policer
4071 A DPDK egress policer algorithm using RFC 4115’s Two-
4072 Rate, Three-Color marker. It’s a two-level hierarchical
4073 policer which first does a color-blind marking of the
4074 traffic at the queue level, followed by a color-aware
4075 marking at the port level. At the end traffic marked as
4076 Green or Yellow is forwarded, Red is dropped. For details
4077 on how traffic is marked, see RFC 4115. If the ``default
4078 queue’’, 0, is not configured it’s automatically created
4079 with the same other_config values as the physical port.
4080 queues: map of integer-Queue pairs, key in range 0 to 4,294,967,295
4082 A map from queue numbers to Queue records. The supported range
4083 of queue numbers depend on type. The queue numbers are the same
4084 as the queue_id used in OpenFlow in struct ofp_action_enqueue
4085 and other structures.
4086 Queue 0 is the ``default queue.’’ It is used by OpenFlow output
4088 actions when no specific queue has been set. When no configura‐
4089 tion for queue 0 is present, it is automatically configured as
4090 if a Queue record with empty dscp and other_config columns had
4091 been specified. (Before version 1.6, Open vSwitch would leave
4092 queue 0 unconfigured in this case. With some queuing disci‐
4093 plines, this dropped all packets destined for the default
4094 queue.)
4095 Configuration for linux-htb and linux-hfsc:
4097 The linux-htb and linux-hfsc classes support the following key-value
4099 pair:
4100 other_config : max-rate: optional string, containing an integer
4102 Maximum rate shared by all queued traffic, in bit/s. Optional.
4103 If not specified, for physical interfaces, the default is the
4104 link rate. For other interfaces or if the link rate cannot be
4105 determined, the default is currently 100 Mbps.
4106 Configuration for egress-policer QoS:
4108 QoS type egress-policer provides egress policing for userspace port
4110 types with DPDK. It has the following key-value pairs defined.
4111 other_config : cir: optional string, containing an integer
4113 The Committed Information Rate (CIR) is measured in bytes of IP
4114 packets per second, i.e. it includes the IP header, but not link
4115 specific (e.g. Ethernet) headers. This represents the bytes per
4116 second rate at which the token bucket will be updated. The cir
4117 value is calculated by (pps x packet data size). For example as‐
4118 suming a user wishes to limit a stream consisting of 64 byte
4119 packets to 1 million packets per second the CIR would be set to
4120 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4121 Where 1,000,000 is the policing rate for the number of packets
4122 per second and 46 represents the size of the packet data for a
4123 64 byte ip packet.
4124 other_config : cbs: optional string, containing an integer
4126 The Committed Burst Size (CBS) is measured in bytes and repre‐
4127 sents a token bucket. At a minimum this value should be be set
4128 to the expected largest size packet in the traffic stream. In
4129 practice larger values may be used to increase the size of the
4130 token bucket. If a packet can be transmitted then the cbs will
4131 be decremented by the number of bytes/tokens of the packet. If
4132 there are not enough tokens in the cbs bucket the packet will be
4133 dropped.
4134 other_config : eir: optional string, containing an integer
4136 The Excess Information Rate (EIR) is measured in bytes of IP
4137 packets per second, i.e. it includes the IP header, but not link
4138 specific (e.g. Ethernet) headers. This represents the bytes per
4139 second rate at which the token bucket will be updated. The eir
4140 value is calculated by (pps x packet data size). For example as‐
4141 suming a user wishes to limit a stream consisting of 64 byte
4142 packets to 1 million packets per second the EIR would be set to
4143 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4144 Where 1,000,000 is the policing rate for the number of packets
4145 per second and 46 represents the size of the packet data for a
4146 64 byte ip packet.
4147 other_config : ebs: optional string, containing an integer
4149 The Excess Burst Size (EBS) is measured in bytes and represents
4150 a token bucket. At a minimum this value should be be set to the
4151 expected largest size packet in the traffic stream. In practice
4152 larger values may be used to increase the size of the token
4153 bucket. If a packet can be transmitted then the ebs will be
4154 decremented by the number of bytes/tokens of the packet. If
4155 there are not enough tokens in the cbs bucket the packet might
4156 be dropped.
4157 Configuration for linux-sfq:
4159 The linux-sfq QoS supports the following key-value pairs:
4161 other_config : perturb: optional string, containing an integer
4163 Number of seconds between consecutive perturbations in hashing
4164 algorithm. Different flows can end up in the same hash bucket
4165 causing unfairness. Perturbation’s goal is to remove possible
4166 unfairness. The default and recommended value is 10. Too low a
4167 value is discouraged because each perturbation can cause packet
4168 reordering.
4169 other_config : quantum: optional string, containing an integer
4171 Number of bytes linux-sfq QoS can dequeue in one turn in round-
4172 robin from one flow. The default and recommended value is equal
4173 to interface’s MTU.
4174 Configuration for linux-netem:
4176 The linux-netem QoS supports the following key-value pairs:
4178 other_config : latency: optional string, containing an integer
4180 Adds the chosen delay to the packets outgoing to chosen network
4181 interface. The latency value expressed in us.
4182 other_config : limit: optional string, containing an integer
4184 Maximum number of packets the qdisc may hold queued at a time.
4185 The default value is 1000.
4186 other_config : loss: optional string, containing an integer
4188 Adds an independent loss probability to the packets outgoing
4189 from the chosen network interface.
4190 Common Columns:
4192 The overall purpose of these columns is described under Common Columns
4194 at the beginning of this document.
4195 other_config: map of string-string pairs
4197 external_ids: map of string-string pairs
4199
4201 A configuration for a port output queue, used in configuring Quality of
4202 Service (QoS) features. May be referenced by queues column in QoS ta‐
4203 ble.
4204 Summary:
4206 dscp optional integer, in range 0 to 63
4207 Configuration for linux-htb QoS:
4208 other_config : min-rate optional string, containing an integer,
4209 at least 1
4210 other_config : max-rate optional string, containing an integer,
4211 at least 1
4212 other_config : burst optional string, containing an integer,
4213 at least 1
4214 other_config : priority optional string, containing an integer,
4215 in range 0 to 4,294,967,295
4216 Configuration for linux-hfsc QoS:
4217 other_config : min-rate optional string, containing an integer,
4218 at least 1
4219 other_config : max-rate optional string, containing an integer,
4220 at least 1
4221 Common Columns:
4222 other_config map of string-string pairs
4223 external_ids map of string-string pairs
4224 Details:
4226 dscp: optional integer, in range 0 to 63
4227 If set, Open vSwitch will mark all traffic egressing this Queue
4228 with the given DSCP bits. Traffic egressing the default Queue is
4229 only marked if it was explicitly selected as the Queue at the
4230 time the packet was output. If unset, the DSCP bits of traffic
4231 egressing this Queue will remain unchanged.
4232 Configuration for linux-htb QoS:
4234 QoS type linux-htb may use queue_ids less than 61440. It has the fol‐
4236 lowing key-value pairs defined.
4237 other_config : min-rate: optional string, containing an integer, at
4239 least 1
4240 Minimum guaranteed bandwidth, in bit/s.
4241 other_config : max-rate: optional string, containing an integer, at
4243 least 1
4244 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4245 queue’s rate will not be allowed to exceed the specified value,
4246 even if excess bandwidth is available. If unspecified, defaults
4247 to no limit.
4248 other_config : burst: optional string, containing an integer, at least
4250 1
4251 Burst size, in bits. This is the maximum amount of ``credits’’
4252 that a queue can accumulate while it is idle. Optional. Details
4253 of the linux-htb implementation require a minimum burst size, so
4254 a too-small burst will be silently ignored.
4255 other_config : priority: optional string, containing an integer, in
4257 range 0 to 4,294,967,295
4258 A queue with a smaller priority will receive all the excess
4259 bandwidth that it can use before a queue with a larger value re‐
4260 ceives any. Specific priority values are unimportant; only rela‐
4261 tive ordering matters. Defaults to 0 if unspecified.
4262 Configuration for linux-hfsc QoS:
4264 QoS type linux-hfsc may use queue_ids less than 61440. It has the fol‐
4266 lowing key-value pairs defined.
4267 other_config : min-rate: optional string, containing an integer, at
4269 least 1
4270 Minimum guaranteed bandwidth, in bit/s.
4271 other_config : max-rate: optional string, containing an integer, at
4273 least 1
4274 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4275 queue’s rate will not be allowed to exceed the specified value,
4276 even if excess bandwidth is available. If unspecified, defaults
4277 to no limit.
4278 Common Columns:
4280 The overall purpose of these columns is described under Common Columns
4282 at the beginning of this document.
4283 other_config: map of string-string pairs
4285 external_ids: map of string-string pairs
4287
4289 A port mirror within a Bridge.
4290 A port mirror configures a bridge to send selected frames to special
4292 ``mirrored’’ ports, in addition to their normal destinations. Mirroring
4293 traffic may also be referred to as SPAN or RSPAN, depending on how the
4294 mirrored traffic is sent.
4295 When a packet enters an Open vSwitch bridge, it becomes eligible for
4297 mirroring based on its ingress port and VLAN. As the packet travels
4298 through the flow tables, each time it is output to a port, it becomes
4299 eligible for mirroring based on the egress port and VLAN. In Open
4300 vSwitch 2.5 and later, mirroring occurs just after a packet first be‐
4301 comes eligible, using the packet as it exists at that point; in Open
4302 vSwitch 2.4 and earlier, mirroring occurs only after a packet has tra‐
4303 versed all the flow tables, using the original packet as it entered the
4304 bridge. This makes a difference only when the flow table modifies the
4305 packet: in Open vSwitch 2.4, the modifications are never visible to
4306 mirrors, whereas in Open vSwitch 2.5 and later modifications made be‐
4307 fore the first output that makes it eligible for mirroring to a partic‐
4308 ular destination are visible.
4309 A packet that enters an Open vSwitch bridge is mirrored to a particular
4311 destination only once, even if it is eligible for multiple reasons. For
4312 example, a packet would be mirrored to a particular output_port only
4313 once, even if it is selected for mirroring to that port by se‐
4314 lect_dst_port and select_src_port in the same or different Mirror
4315 records.
4316 Summary:
4318 name string
4319 Selecting Packets for Mirroring:
4320 select_all boolean
4321 select_dst_port set of weak reference to Ports
4322 select_src_port set of weak reference to Ports
4323 select_vlan set of up to 4,096 integers, in range 0
4324 to 4,095
4325 Mirroring Destination Configuration:
4326 output_port optional weak reference to Port
4327 output_vlan optional integer, in range 1 to 4,095
4328 snaplen optional integer, in range 14 to 65,535
4329 Statistics: Mirror counters:
4330 statistics : tx_packets optional integer
4331 statistics : tx_bytes optional integer
4332 Common Columns:
4333 external_ids map of string-string pairs
4334 Details:
4336 name: string
4337 Arbitrary identifier for the Mirror.
4338 Selecting Packets for Mirroring:
4340 To be selected for mirroring, a given packet must enter or leave the
4342 bridge through a selected port and it must also be in one of the se‐
4343 lected VLANs.
4344 select_all: boolean
4346 If true, every packet arriving or departing on any port is se‐
4347 lected for mirroring.
4348 select_dst_port: set of weak reference to Ports
4350 Ports on which departing packets are selected for mirroring.
4351 select_src_port: set of weak reference to Ports
4353 Ports on which arriving packets are selected for mirroring.
4354 select_vlan: set of up to 4,096 integers, in range 0 to 4,095
4356 VLANs on which packets are selected for mirroring. An empty set
4357 selects packets on all VLANs.
4358 Mirroring Destination Configuration:
4360 These columns are mutually exclusive. Exactly one of them must be
4362 nonempty.
4363 output_port: optional weak reference to Port
4365 Output port for selected packets, if nonempty.
4366 Specifying a port for mirror output reserves that port exclu‐
4368 sively for mirroring. No frames other than those selected for
4369 mirroring via this column will be forwarded to the port, and any
4370 frames received on the port will be discarded.
4371 The output port may be any kind of port supported by Open
4373 vSwitch. It may be, for example, a physical port (sometimes
4374 called SPAN) or a GRE tunnel.
4375 output_vlan: optional integer, in range 1 to 4,095
4377 Output VLAN for selected packets, if nonempty.
4378 The frames will be sent out all ports that trunk output_vlan, as
4380 well as any ports with implicit VLAN output_vlan. When a mir‐
4381 rored frame is sent out a trunk port, the frame’s VLAN tag will
4382 be set to output_vlan, replacing any existing tag; when it is
4383 sent out an implicit VLAN port, the frame will not be tagged.
4384 This type of mirroring is sometimes called RSPAN.
4385 See the documentation for other_config:forward-bpdu in the In‐
4387 terface table for a list of destination MAC addresses which will
4388 not be mirrored to a VLAN to avoid confusing switches that in‐
4389 terpret the protocols that they represent.
4390 Please note: Mirroring to a VLAN can disrupt a network that con‐
4392 tains unmanaged switches. Consider an unmanaged physical switch
4393 with two ports: port 1, connected to an end host, and port 2,
4394 connected to an Open vSwitch configured to mirror received pack‐
4395 ets into VLAN 123 on port 2. Suppose that the end host sends a
4396 packet on port 1 that the physical switch forwards to port 2.
4397 The Open vSwitch forwards this packet to its destination and
4398 then reflects it back on port 2 in VLAN 123. This reflected
4399 packet causes the unmanaged physical switch to replace the MAC
4400 learning table entry, which correctly pointed to port 1, with
4401 one that incorrectly points to port 2. Afterward, the physical
4402 switch will direct packets destined for the end host to the Open
4403 vSwitch on port 2, instead of to the end host on port 1, dis‐
4404 rupting connectivity. If mirroring to a VLAN is desired in this
4405 scenario, then the physical switch must be replaced by one that
4406 learns Ethernet addresses on a per-VLAN basis. In addition,
4407 learning should be disabled on the VLAN containing mirrored
4408 traffic. If this is not done then intermediate switches will
4409 learn the MAC address of each end host from the mirrored traf‐
4410 fic. If packets being sent to that end host are also mirrored,
4411 then they will be dropped since the switch will attempt to send
4412 them out the input port. Disabling learning for the VLAN will
4413 cause the switch to correctly send the packet out all ports con‐
4414 figured for that VLAN. If Open vSwitch is being used as an in‐
4415 termediate switch, learning can be disabled by adding the mir‐
4416 rored VLAN to flood_vlans in the appropriate Bridge table or ta‐
4417 bles.
4418 Mirroring to a GRE tunnel has fewer caveats than mirroring to a
4420 VLAN and should generally be preferred.
4421 snaplen: optional integer, in range 14 to 65,535
4423 Maximum per-packet number of bytes to mirror.
4424 A mirrored packet with size larger than snaplen will be trun‐
4426 cated in datapath to snaplen bytes before sending to the mirror
4427 output port. If omitted, packets are not truncated.
4428 Statistics: Mirror counters:
4430 Key-value pairs that report mirror statistics. The update period is
4432 controlled by other_config:stats-update-interval in the Open_vSwitch
4433 table.
4434 statistics : tx_packets: optional integer
4436 Number of packets transmitted through this mirror.
4437 statistics : tx_bytes: optional integer
4439 Number of bytes transmitted through this mirror.
4440 Common Columns:
4442 The overall purpose of these columns is described under Common Columns
4444 at the beginning of this document.
4445 external_ids: map of string-string pairs
4447
4449 An OpenFlow controller.
4450 Summary:
4452 Core Features:
4453 type optional string, either primary or ser‐
4454 vice
4455 target string
4456 connection_mode optional string, either in-band or
4457 out-of-band
4458 Controller Failure Detection and Handling:
4459 max_backoff optional integer, at least 1,000
4460 inactivity_probe optional integer
4461 Asynchronous Messages:
4462 enable_async_messages optional boolean
4463 Controller Rate Limiting:
4464 controller_queue_size optional integer, in range 1 to 512
4465 controller_rate_limit optional integer, at least 100
4466 controller_burst_limit optional integer, at least 25
4467 Controller Rate Limiting Statistics:
4468 status : packet-in-TYPE-bypassed
4469 optional string, containing an integer,
4470 at least 0
4471 status : packet-in-TYPE-queued
4472 optional string, containing an integer,
4473 at least 0
4474 status : packet-in-TYPE-dropped
4475 optional string, containing an integer,
4476 at least 0
4477 status : packet-in-TYPE-backlog
4478 optional string, containing an integer,
4479 at least 0
4480 Additional In-Band Configuration:
4481 local_ip optional string
4482 local_netmask optional string
4483 local_gateway optional string
4484 Controller Status:
4485 is_connected boolean
4486 role optional string, one of master, other, or
4487 slave
4488 status : last_error optional string
4489 status : state optional string, one of ACTIVE, BACKOFF,
4490 CONNECTING, IDLE, or VOID
4491 status : sec_since_connect optional string, containing an integer,
4492 at least 0
4493 status : sec_since_disconnect
4494 optional string, containing an integer,
4495 at least 1
4496 Connection Parameters:
4497 other_config : dscp optional string, containing an integer
4498 Common Columns:
4499 external_ids map of string-string pairs
4500 other_config map of string-string pairs
4501 Details:
4503 Core Features:
4504 type: optional string, either primary or service
4506 Open vSwitch supports two kinds of OpenFlow controllers. A
4507 bridge may have any number of each kind:
4508 Primary controllers
4510 This is the kind of controller envisioned by the OpenFlow
4511 specifications. Usually, a primary controller implements
4512 a network policy by taking charge of the switch’s flow
4513 table.
4514 The fail_mode column in the Bridge table applies to pri‐
4516 mary controllers.
4517 When multiple primary controllers are configured, Open
4519 vSwitch connects to all of them simultaneously. OpenFlow
4520 provides few facilities to allow multiple controllers to
4521 coordinate in interacting with a single switch, so more
4522 than one primary controller should be specified only if
4523 the controllers are themselves designed to coordinate
4524 with each other.
4525 Service controllers
4527 These kinds of OpenFlow controller connections are in‐
4528 tended for occasional support and maintenance use, e.g.
4529 with ovs-ofctl. Usually a service controller connects
4530 only briefly to inspect or modify some of a switch’s
4531 state.
4532 The fail_mode column in the Bridge table does not apply
4534 to service controllers.
4535 By default, Open vSwitch treats controllers with active connec‐
4537 tion methods as primary controllers and those with passive con‐
4538 nection methods as service controllers. Set this column to the
4539 desired type to override this default.
4540 target: string
4542 Connection method for controller.
4543 The following active connection methods are currently supported:
4545 ssl:host[:port]
4547 The specified SSL port on the host at the given host,
4548 which can either be a DNS name (if built with unbound li‐
4549 brary) or an IP address. The ssl column in the
4550 Open_vSwitch table must point to a valid SSL configura‐
4551 tion when this form is used.
4552 If port is not specified, it defaults to 6653.
4554 SSL support is an optional feature that is not always
4556 built as part of Open vSwitch.
4557 tcp:host[:port]
4559 The specified TCP port on the host at the given host,
4560 which can either be a DNS name (if built with unbound li‐
4561 brary) or an IP address (IPv4 or IPv6). If host is an
4562 IPv6 address, wrap it in square brackets, e.g.
4563 tcp:[::1]:6653.
4564 If port is not specified, it defaults to 6653.
4566 The following passive connection methods are currently sup‐
4568 ported:
4569 pssl:[port][:host]
4571 Listens for SSL connections on the specified TCP port. If
4572 host, which can either be a DNS name (if built with un‐
4573 bound library) or an IP address, is specified, then con‐
4574 nections are restricted to the resolved or specified lo‐
4575 cal IP address (either IPv4 or IPv6). If host is an IPv6
4576 address, wrap it in square brackets, e.g.
4577 pssl:6653:[::1].
4578 If port is not specified, it defaults to 6653. If host is
4580 not specified then it listens only on IPv4 (but not IPv6)
4581 addresses. The ssl column in the Open_vSwitch table must
4582 point to a valid SSL configuration when this form is
4583 used.
4584 If port is not specified, it currently to 6653.
4586 SSL support is an optional feature that is not always
4588 built as part of Open vSwitch.
4589 ptcp:[port][:host]
4591 Listens for connections on the specified TCP port. If
4592 host, which can either be a DNS name (if built with un‐
4593 bound library) or an IP address, is specified, then con‐
4594 nections are restricted to the resolved or specified lo‐
4595 cal IP address (either IPv4 or IPv6). If host is an IPv6
4596 address, wrap it in square brackets, e.g.
4597 ptcp:6653:[::1]. If host is not specified then it listens
4598 only on IPv4 addresses.
4599 If port is not specified, it defaults to 6653.
4601 When multiple controllers are configured for a single bridge,
4603 the target values must be unique. Duplicate target values yield
4604 unspecified results.
4605 connection_mode: optional string, either in-band or out-of-band
4607 If it is specified, this setting must be one of the following
4608 strings that describes how Open vSwitch contacts this OpenFlow
4609 controller over the network:
4610 in-band
4612 In this mode, this controller’s OpenFlow traffic travels
4613 over the bridge associated with the controller. With this
4614 setting, Open vSwitch allows traffic to and from the con‐
4615 troller regardless of the contents of the OpenFlow flow
4616 table. (Otherwise, Open vSwitch would never be able to
4617 connect to the controller, because it did not have a flow
4618 to enable it.) This is the most common connection mode
4619 because it is not necessary to maintain two independent
4620 networks.
4621 out-of-band
4623 In this mode, OpenFlow traffic uses a control network
4624 separate from the bridge associated with this controller,
4625 that is, the bridge does not use any of its own network
4626 devices to communicate with the controller. The control
4627 network must be configured separately, before or after
4628 ovs-vswitchd is started.
4629 If not specified, the default is implementation-specific.
4631 Controller Failure Detection and Handling:
4633 max_backoff: optional integer, at least 1,000
4635 Maximum number of milliseconds to wait between connection at‐
4636 tempts. Default is implementation-specific.
4637 inactivity_probe: optional integer
4639 Maximum number of milliseconds of idle time on connection to
4640 controller before sending an inactivity probe message. If Open
4641 vSwitch does not communicate with the controller for the speci‐
4642 fied number of seconds, it will send a probe. If a response is
4643 not received for the same additional amount of time, Open
4644 vSwitch assumes the connection has been broken and attempts to
4645 reconnect. Default is implementation-specific. A value of 0 dis‐
4646 ables inactivity probes.
4647 Asynchronous Messages:
4649 OpenFlow switches send certain messages to controllers spontanenously,
4651 that is, not in response to any request from the controller. These mes‐
4652 sages are called ``asynchronous messages.’’ These columns allow asyn‐
4653 chronous messages to be limited or disabled to ensure the best use of
4654 network resources.
4655 enable_async_messages: optional boolean
4657 The OpenFlow protocol enables asynchronous messages at time of
4658 connection establishment, which means that a controller can re‐
4659 ceive asynchronous messages, potentially many of them, even if
4660 it turns them off immediately after connecting. Set this column
4661 to false to change Open vSwitch behavior to disable, by default,
4662 all asynchronous messages. The controller can use the
4663 NXT_SET_ASYNC_CONFIG Nicira extension to OpenFlow to turn on any
4664 messages that it does want to receive, if any.
4665 Controller Rate Limiting:
4667 A switch can forward packets to a controller over the OpenFlow proto‐
4669 col. Forwarding packets this way at too high a rate can overwhelm a
4670 controller, frustrate use of the OpenFlow connection for other pur‐
4671 poses, increase the latency of flow setup, and use an unreasonable
4672 amount of bandwidth. Therefore, Open vSwitch supports limiting the rate
4673 of packet forwarding to a controller.
4674 There are two main reasons in OpenFlow for a packet to be sent to a
4676 controller: either the packet ``misses’’ in the flow table, that is,
4677 there is no matching flow, or a flow table action says to send the
4678 packet to the controller. Open vSwitch limits the rate of each kind of
4679 packet separately at the configured rate. Therefore, the actual rate
4680 that packets are sent to the controller can be up to twice the config‐
4681 ured rate, when packets are sent for both reasons.
4682 This feature is specific to forwarding packets over an OpenFlow connec‐
4684 tion. It is not general-purpose QoS. See the QoS table for quality of
4685 service configuration, and ingress_policing_rate in the Interface table
4686 for ingress policing configuration.
4687 controller_queue_size: optional integer, in range 1 to 512
4689 This sets the maximum size of the queue of packets that need to
4690 be sent to this OpenFlow controller. The value must be less than
4691 512. If not specified the queue size is limited to the value set
4692 for the management controller in other_config:controller-queue-
4693 size if present or 100 packets by default. Note: increasing the
4694 queue size might have a negative impact on latency.
4695 controller_rate_limit: optional integer, at least 100
4697 The maximum rate at which the switch will forward packets to the
4698 OpenFlow controller, in packets per second. If no value is spec‐
4699 ified, rate limiting is disabled.
4700 controller_burst_limit: optional integer, at least 25
4702 When a high rate triggers rate-limiting, Open vSwitch queues
4703 packets to the controller for each port and transmits them to
4704 the controller at the configured rate. This value limits the
4705 number of queued packets. Ports on a bridge share the packet
4706 queue fairly.
4707 This value has no effect unless controller_rate_limit is config‐
4709 ured. The current default when this value is not specified is
4710 one-quarter of controller_rate_limit, meaning that queuing can
4711 delay forwarding a packet to the controller by up to 250 ms.
4712 Controller Rate Limiting Statistics:
4714 These values report the effects of rate limiting. Their values are rel‐
4716 ative to establishment of the most recent OpenFlow connection, or since
4717 rate limiting was enabled, whichever happened more recently. Each con‐
4718 sists of two values, one with TYPE replaced by miss for rate limiting
4719 flow table misses, and the other with TYPE replaced by action for rate
4720 limiting packets sent by OpenFlow actions.
4721 These statistics are reported only when controller rate limiting is en‐
4723 abled.
4724 status : packet-in-TYPE-bypassed: optional string, containing an inte‐
4726 ger, at least 0
4727 Number of packets sent directly to the controller, without queu‐
4728 ing, because the rate did not exceed the configured maximum.
4729 status : packet-in-TYPE-queued: optional string, containing an integer,
4731 at least 0
4732 Number of packets added to the queue to send later.
4733 status : packet-in-TYPE-dropped: optional string, containing an inte‐
4735 ger, at least 0
4736 Number of packets added to the queue that were later dropped due
4737 to overflow. This value is less than or equal to status:packet-
4738 in-TYPE-queued.
4739 status : packet-in-TYPE-backlog: optional string, containing an inte‐
4741 ger, at least 0
4742 Number of packets currently queued. The other statistics in‐
4743 crease monotonically, but this one fluctuates between 0 and the
4744 controller_burst_limit as conditions change.
4745 Additional In-Band Configuration:
4747 These values are considered only in in-band control mode (see connec‐
4749 tion_mode).
4750 When multiple controllers are configured on a single bridge, there
4752 should be only one set of unique values in these columns. If different
4753 values are set for these columns in different controllers, the effect
4754 is unspecified.
4755 local_ip: optional string
4757 The IP address to configure on the local port, e.g.
4758 192.168.0.123. If this value is unset, then local_netmask and
4759 local_gateway are ignored.
4760 local_netmask: optional string
4762 The IP netmask to configure on the local port, e.g.
4763 255.255.255.0. If local_ip is set but this value is unset, then
4764 the default is chosen based on whether the IP address is class
4765 A, B, or C.
4766 local_gateway: optional string
4768 The IP address of the gateway to configure on the local port, as
4769 a string, e.g. 192.168.0.1. Leave this column unset if this net‐
4770 work has no gateway.
4771 Controller Status:
4773 is_connected: boolean
4775 true if currently connected to this controller, false otherwise.
4776 role: optional string, one of master, other, or slave
4778 The level of authority this controller has on the associated
4779 bridge. Possible values are:
4780 other Allows the controller access to all OpenFlow features.
4782 master Equivalent to other, except that there may be at most one
4784 such controller at a time. If a given controller promotes
4785 itself to this role, ovs-vswitchd demotes any existing
4786 controller with the role to slave.
4787 slave Allows the controller read-only access to OpenFlow fea‐
4789 tures. Attempts to modify the flow table will be rejected
4790 with an error. Such controllers do not receive
4791 OFPT_PACKET_IN or OFPT_FLOW_REMOVED messages, but they do
4792 receive OFPT_PORT_STATUS messages.
4793 status : last_error: optional string
4795 A human-readable description of the last error on the connection
4796 to the controller; i.e. strerror(errno). This key will exist
4797 only if an error has occurred.
4798 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
4800 IDLE, or VOID
4801 The state of the connection to the controller:
4802 VOID Connection is disabled.
4804 BACKOFF
4806 Attempting to reconnect at an increasing period.
4807 CONNECTING
4809 Attempting to connect.
4810 ACTIVE Connected, remote host responsive.
4812 IDLE Connection is idle. Waiting for response to keep-alive.
4814 These values may change in the future. They are provided only
4816 for human consumption.
4817 status : sec_since_connect: optional string, containing an integer, at
4819 least 0
4820 The amount of time since this controller last successfully con‐
4821 nected to the switch (in seconds). Value is empty if controller
4822 has never successfully connected.
4823 status : sec_since_disconnect: optional string, containing an integer,
4825 at least 1
4826 The amount of time since this controller last disconnected from
4827 the switch (in seconds). Value is empty if controller has never
4828 disconnected.
4829 Connection Parameters:
4831 Additional configuration for a connection between the controller and
4833 the Open vSwitch.
4834 other_config : dscp: optional string, containing an integer
4836 The Differentiated Service Code Point (DSCP) is specified using
4837 6 bits in the Type of Service (TOS) field in the IP header. DSCP
4838 provides a mechanism to classify the network traffic and provide
4839 Quality of Service (QoS) on IP networks. The DSCP value speci‐
4840 fied here is used when establishing the connection between the
4841 controller and the Open vSwitch. If no value is specified, a de‐
4842 fault value of 48 is chosen. Valid DSCP values must be in the
4843 range 0 to 63.
4844 Common Columns:
4846 The overall purpose of these columns is described under Common Columns
4848 at the beginning of this document.
4849 external_ids: map of string-string pairs
4851 other_config: map of string-string pairs
4853
4855 Configuration for a database connection to an Open vSwitch database
4856 (OVSDB) client.
4857 This table primarily configures the Open vSwitch database
4859 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The switch
4860 does read the table to determine what connections should be treated as
4861 in-band.
4862 The Open vSwitch database server can initiate and maintain active con‐
4864 nections to remote clients. It can also listen for database connec‐
4865 tions.
4866 Summary:
4868 Core Features:
4869 target string (must be unique within table)
4870 connection_mode optional string, either in-band or
4871 out-of-band
4872 Client Failure Detection and Handling:
4873 max_backoff optional integer, at least 1,000
4874 inactivity_probe optional integer
4875 Status:
4876 is_connected boolean
4877 status : last_error optional string
4878 status : state optional string, one of ACTIVE, BACKOFF,
4879 CONNECTING, IDLE, or VOID
4880 status : sec_since_connect optional string, containing an integer,
4881 at least 0
4882 status : sec_since_disconnect
4883 optional string, containing an integer,
4884 at least 0
4885 status : locks_held optional string
4886 status : locks_waiting optional string
4887 status : locks_lost optional string
4888 status : n_connections optional string, containing an integer,
4889 at least 2
4890 status : bound_port optional string, containing an integer
4891 Connection Parameters:
4892 other_config : dscp optional string, containing an integer
4893 Common Columns:
4894 external_ids map of string-string pairs
4895 other_config map of string-string pairs
4896 Details:
4898 Core Features:
4899 target: string (must be unique within table)
4901 Connection method for managers.
4902 The following connection methods are currently supported:
4904 ssl:host[:port]
4906 The specified SSL port on the host at the given host,
4907 which can either be a DNS name (if built with unbound li‐
4908 brary) or an IP address. The ssl column in the
4909 Open_vSwitch table must point to a valid SSL configura‐
4910 tion when this form is used.
4911 If port is not specified, it defaults to 6640.
4913 SSL support is an optional feature that is not always
4915 built as part of Open vSwitch.
4916 tcp:host[:port]
4918 The specified TCP port on the host at the given host,
4919 which can either be a DNS name (if built with unbound li‐
4920 brary) or an IP address (IPv4 or IPv6). If host is an
4921 IPv6 address, wrap it in square brackets, e.g.
4922 tcp:[::1]:6640.
4923 If port is not specified, it defaults to 6640.
4925 pssl:[port][:host]
4927 Listens for SSL connections on the specified TCP port.
4928 Specify 0 for port to have the kernel automatically
4929 choose an available port. If host, which can either be a
4930 DNS name (if built with unbound library) or an IP ad‐
4931 dress, is specified, then connections are restricted to
4932 the resolved or specified local IP address (either IPv4
4933 or IPv6 address). If host is an IPv6 address, wrap in
4934 square brackets, e.g. pssl:6640:[::1]. If host is not
4935 specified then it listens only on IPv4 (but not IPv6) ad‐
4936 dresses. The ssl column in the Open_vSwitch table must
4937 point to a valid SSL configuration when this form is
4938 used.
4939 If port is not specified, it defaults to 6640.
4941 SSL support is an optional feature that is not always
4943 built as part of Open vSwitch.
4944 ptcp:[port][:host]
4946 Listens for connections on the specified TCP port. Spec‐
4947 ify 0 for port to have the kernel automatically choose an
4948 available port. If host, which can either be a DNS name
4949 (if built with unbound library) or an IP address, is
4950 specified, then connections are restricted to the re‐
4951 solved or specified local IP address (either IPv4 or IPv6
4952 address). If host is an IPv6 address, wrap it in square
4953 brackets, e.g. ptcp:6640:[::1]. If host is not specified
4954 then it listens only on IPv4 addresses.
4955 If port is not specified, it defaults to 6640.
4957 When multiple managers are configured, the target values must be
4959 unique. Duplicate target values yield unspecified results.
4960 connection_mode: optional string, either in-band or out-of-band
4962 If it is specified, this setting must be one of the following
4963 strings that describes how Open vSwitch contacts this OVSDB
4964 client over the network:
4965 in-band
4967 In this mode, this connection’s traffic travels over a
4968 bridge managed by Open vSwitch. With this setting, Open
4969 vSwitch allows traffic to and from the client regardless
4970 of the contents of the OpenFlow flow table. (Otherwise,
4971 Open vSwitch would never be able to connect to the
4972 client, because it did not have a flow to enable it.)
4973 This is the most common connection mode because it is not
4974 necessary to maintain two independent networks.
4975 out-of-band
4977 In this mode, the client’s traffic uses a control network
4978 separate from that managed by Open vSwitch, that is, Open
4979 vSwitch does not use any of its own network devices to
4980 communicate with the client. The control network must be
4981 configured separately, before or after ovs-vswitchd is
4982 started.
4983 If not specified, the default is implementation-specific.
4985 Client Failure Detection and Handling:
4987 max_backoff: optional integer, at least 1,000
4989 Maximum number of milliseconds to wait between connection at‐
4990 tempts. Default is implementation-specific.
4991 inactivity_probe: optional integer
4993 Maximum number of milliseconds of idle time on connection to the
4994 client before sending an inactivity probe message. If Open
4995 vSwitch does not communicate with the client for the specified
4996 number of seconds, it will send a probe. If a response is not
4997 received for the same additional amount of time, Open vSwitch
4998 assumes the connection has been broken and attempts to recon‐
4999 nect. Default is implementation-specific. A value of 0 disables
5000 inactivity probes.
5001 Status:
5003 Key-value pair of is_connected is always updated. Other key-value pairs
5005 in the status columns may be updated depends on the target type.
5006 When target specifies a connection method that listens for inbound con‐
5008 nections (e.g. ptcp: or punix:), both n_connections and is_connected
5009 may also be updated while the remaining key-value pairs are omitted.
5010 On the other hand, when target specifies an outbound connection, all
5012 key-value pairs may be updated, except the above-mentioned two key-
5013 value pairs associated with inbound connection targets. They are omit‐
5014 ted.
5015 is_connected: boolean
5017 true if currently connected to this manager, false otherwise.
5018 status : last_error: optional string
5020 A human-readable description of the last error on the connection
5021 to the manager; i.e. strerror(errno). This key will exist only
5022 if an error has occurred.
5023 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
5025 IDLE, or VOID
5026 The state of the connection to the manager:
5027 VOID Connection is disabled.
5029 BACKOFF
5031 Attempting to reconnect at an increasing period.
5032 CONNECTING
5034 Attempting to connect.
5035 ACTIVE Connected, remote host responsive.
5037 IDLE Connection is idle. Waiting for response to keep-alive.
5039 These values may change in the future. They are provided only
5041 for human consumption.
5042 status : sec_since_connect: optional string, containing an integer, at
5044 least 0
5045 The amount of time since this manager last successfully con‐
5046 nected to the database (in seconds). Value is empty if manager
5047 has never successfully connected.
5048 status : sec_since_disconnect: optional string, containing an integer,
5050 at least 0
5051 The amount of time since this manager last disconnected from the
5052 database (in seconds). Value is empty if manager has never dis‐
5053 connected.
5054 status : locks_held: optional string
5056 Space-separated list of the names of OVSDB locks that the con‐
5057 nection holds. Omitted if the connection does not hold any
5058 locks.
5059 status : locks_waiting: optional string
5061 Space-separated list of the names of OVSDB locks that the con‐
5062 nection is currently waiting to acquire. Omitted if the connec‐
5063 tion is not waiting for any locks.
5064 status : locks_lost: optional string
5066 Space-separated list of the names of OVSDB locks that the con‐
5067 nection has had stolen by another OVSDB client. Omitted if no
5068 locks have been stolen from this connection.
5069 status : n_connections: optional string, containing an integer, at
5071 least 2
5072 When target specifies a connection method that listens for in‐
5073 bound connections (e.g. ptcp: or pssl:) and more than one con‐
5074 nection is actually active, the value is the number of active
5075 connections. Otherwise, this key-value pair is omitted.
5076 status : bound_port: optional string, containing an integer
5078 When target is ptcp: or pssl:, this is the TCP port on which the
5079 OVSDB server is listening. (This is particularly useful when
5080 target specifies a port of 0, allowing the kernel to choose any
5081 available port.)
5082 Connection Parameters:
5084 Additional configuration for a connection between the manager and the
5086 Open vSwitch Database.
5087 other_config : dscp: optional string, containing an integer
5089 The Differentiated Service Code Point (DSCP) is specified using
5090 6 bits in the Type of Service (TOS) field in the IP header. DSCP
5091 provides a mechanism to classify the network traffic and provide
5092 Quality of Service (QoS) on IP networks. The DSCP value speci‐
5093 fied here is used when establishing the connection between the
5094 manager and the Open vSwitch. If no value is specified, a de‐
5095 fault value of 48 is chosen. Valid DSCP values must be in the
5096 range 0 to 63.
5097 Common Columns:
5099 The overall purpose of these columns is described under Common Columns
5101 at the beginning of this document.
5102 external_ids: map of string-string pairs
5104 other_config: map of string-string pairs
5106
5108 A NetFlow target. NetFlow is a protocol that exports a number of de‐
5109 tails about terminating IP flows, such as the principals involved and
5110 duration.
5111 Summary:
5113 targets set of 1 or more strings
5114 engine_id optional integer, in range 0 to 255
5115 engine_type optional integer, in range 0 to 255
5116 active_timeout integer, at least -1
5117 add_id_to_interface boolean
5118 Common Columns:
5119 external_ids map of string-string pairs
5120 Details:
5122 targets: set of 1 or more strings
5123 NetFlow targets in the form ip:port. The ip must be specified
5124 numerically, not as a DNS name.
5125 engine_id: optional integer, in range 0 to 255
5127 Engine ID to use in NetFlow messages. Defaults to datapath index
5128 if not specified.
5129 engine_type: optional integer, in range 0 to 255
5131 Engine type to use in NetFlow messages. Defaults to datapath in‐
5132 dex if not specified.
5133 active_timeout: integer, at least -1
5135 The interval at which NetFlow records are sent for flows that
5136 are still active, in seconds. A value of 0 requests the default
5137 timeout (currently 600 seconds); a value of -1 disables active
5138 timeouts.
5139 The NetFlow passive timeout, for flows that become inactive, is
5141 not configurable. It will vary depending on the Open vSwitch
5142 version, the forms and contents of the OpenFlow flow tables, CPU
5143 and memory usage, and network activity. A typical passive time‐
5144 out is about a second.
5145 add_id_to_interface: boolean
5147 If this column’s value is false, the ingress and egress inter‐
5148 face fields of NetFlow flow records are derived from OpenFlow
5149 port numbers. When it is true, the 7 most significant bits of
5150 these fields will be replaced by the least significant 7 bits of
5151 the engine id. This is useful because many NetFlow collectors do
5152 not expect multiple switches to be sending messages from the
5153 same host, so they do not store the engine information which
5154 could be used to disambiguate the traffic.
5155 When this option is enabled, a maximum of 508 ports are sup‐
5157 ported.
5158 Common Columns:
5160 The overall purpose of these columns is described under Common Columns
5162 at the beginning of this document.
5163 external_ids: map of string-string pairs
5165
5167 Configuration for a datapath within Open_vSwitch.
5168 A datapath is responsible for providing the packet handling in Open
5170 vSwitch. There are two primary datapath implementations used by Open
5171 vSwitch: kernel and userspace. Kernel datapath implementations are
5172 available for Linux and Hyper-V, and selected as system in the data‐
5173 path_type column of the Bridge table. The userspace datapath is used by
5174 DPDK and AF-XDP, and is selected as netdev in the datapath_type column
5175 of the Bridge table.
5176 A datapath of a particular type is shared by all the bridges that use
5178 that datapath. Thus, configurations applied to this table affect all
5179 bridges that use this datapath.
5180 Summary:
5182 datapath_version string
5183 ct_zones map of integer-CT_Zone pairs, key in
5184 range 0 to 65,535
5185 Capabilities:
5186 capabilities : max_vlan_headers
5187 optional string, containing an integer,
5188 at least 0
5189 capabilities : recirc optional string, either true or false
5190 capabilities : lb_output_action
5191 optional string, either true or false
5192 Connection-Tracking Capabilities:
5193 capabilities : ct_state optional string, either true or false
5194 capabilities : ct_state_nat
5195 optional string, either true or false
5196 capabilities : ct_zone optional string, either true or false
5197 capabilities : ct_mark optional string, either true or false
5198 capabilities : ct_label optional string, either true or false
5199 capabilities : ct_orig_tuple
5200 optional string, either true or false
5201 capabilities : ct_orig_tuple6
5202 optional string, either true or false
5203 capabilities : masked_set_action
5204 optional string, either true or false
5205 capabilities : tnl_push_pop
5206 optional string, either true or false
5207 capabilities : ufid optional string, either true or false
5208 capabilities : trunc optional string, either true or false
5209 capabilities : nd_ext optional string, either true or false
5210 Clone Actions:
5211 capabilities : clone optional string, either true or false
5212 capabilities : sample_nesting
5213 optional string, containing an integer,
5214 at least 0
5215 capabilities : ct_eventmask
5216 optional string, either true or false
5217 capabilities : ct_clear optional string, either true or false
5218 capabilities : max_hash_alg
5219 optional string, containing an integer,
5220 at least 0
5221 capabilities : check_pkt_len
5222 optional string, either true or false
5223 capabilities : ct_timeout optional string, either true or false
5224 capabilities : explicit_drop_action
5225 optional string, either true or false
5226 Common Columns:
5227 external_ids map of string-string pairs
5228 Details:
5230 datapath_version: string
5231 Reports the version number of the Open vSwitch datapath in use.
5232 This allows management software to detect and report discrepan‐
5233 cies between Open vSwitch userspace and datapath versions. (The
5234 ovs_version column in the Open_vSwitch reports the Open vSwitch
5235 userspace version.) The version reported depends on the datapath
5236 in use:
5237 • When the kernel module included in the Open vSwitch
5239 source tree is used, this column reports the Open vSwitch
5240 version from which the module was taken.
5241 • When the kernel module that is part of the upstream Linux
5243 kernel is used, this column reports <unknown>.
5244 • When the datapath is built into the ovs-vswitchd binary,
5246 this column reports <built-in>. A built-in datapath is by
5247 definition the same version as the rest of the Open
5248 vSwitch userspace.
5249 • Other datapaths (such as the Hyper-V kernel datapath)
5251 currently report <unknown>.
5252 A version discrepancy between ovs-vswitchd and the datapath in
5254 use is not normally cause for alarm. The Open vSwitch kernel
5255 datapaths for Linux and Hyper-V, in particular, are designed for
5256 maximum inter-version compatibility: any userspace version works
5257 with with any kernel version. Some reasons do exist to insist on
5258 particular user/kernel pairings. First, newer kernel versions
5259 add new features, that can only be used by new-enough userspace,
5260 e.g. VXLAN tunneling requires certain minimal userspace and ker‐
5261 nel versions. Second, as an extension to the first reason, some
5262 newer kernel versions add new features for enhancing performance
5263 that only new-enough userspace versions can take advantage of.
5264 ct_zones: map of integer-CT_Zone pairs, key in range 0 to 65,535
5266 Configuration for connection tracking zones. Each pair maps from
5267 a zone id to a configuration for that zone. Zone 0 applies to
5268 the default zone (ie, the one used if a zone is not specified in
5269 connection tracking-related OpenFlow matches and actions).
5270 Capabilities:
5272 The capabilities column reports a datapath’s features. For the netdev
5274 datapath, the capabilities are fixed for a given version of Open
5275 vSwitch because this datapath is built into the ovs-vswitchd binary.
5276 The Linux kernel and Windows and other datapaths, which are external to
5277 OVS userspace, can vary in version and capabilities independently from
5278 ovs-vswitchd.
5279 Some of these features indicate whether higher-level Open vSwitch fea‐
5281 tures are available. For example, OpenFlow features for connection-
5282 tracking are available only when capabilities:ct_state is true. A con‐
5283 troller that wishes to determine whether a feature is supported could,
5284 therefore, consult the relevant capabilities in this table. However, as
5285 a general rule, it is better for a controller to try to use the higher-
5286 level feature and use the result as an indication of support, since the
5287 low-level capabilities are more likely to shift over time than the
5288 high-level features that rely on them.
5289 capabilities : max_vlan_headers: optional string, containing an inte‐
5291 ger, at least 0
5292 Number of 802.1q VLAN headers supported by the datapath, as
5293 probed by the ovs-vswitchd slow path. If the datapath supports
5294 more VLAN headers than the slow path, this reports the slow
5295 path’s limit. The value of other-config:vlan-limit in the
5296 Open_vSwitch table does not influence the number reported here.
5297 capabilities : recirc: optional string, either true or false
5299 If this is true, then the datapath supports recirculation,
5300 specifically OVS_KEY_ATTR_RECIRC_ID. Recirculation enables
5301 higher performance for MPLS and active-active load balancing
5302 bonding modes.
5303 capabilities : lb_output_action: optional string, either true or false
5305 If this is true, then the datapath supports optimized balance-
5306 tcp bond mode. This capability replaces existing hash and recirc
5307 actions with new action lb_output and avoids recirculation of
5308 packet in datapath. It is supported only for balance-tcp bond
5309 mode in netdev datapath. The new action gives higer performance
5310 by using bond buckets instead of post recirculation flows for
5311 selection of slave port from bond. By default this new action is
5312 disabled, however it can be enabled by setting other-config:lb-
5313 output-action in Port table.
5314 Connection-Tracking Capabilities:
5316 These capabilities are granular because Open vSwitch and its datapaths
5318 added support for connection tracking over several releases, with fea‐
5319 tures added individually over that time.
5320 capabilities : ct_state: optional string, either true or false
5322 If true, datapath supports OVS_KEY_ATTR_CT_STATE, which indi‐
5323 cates support for the bits in the OpenFlow ct_state field (see
5324 ovs-fields(7)) other than snat and dnat, which have a separate
5325 capability.
5326 If this is false, the datapath does not support connection-
5328 tracking at all and the remaining connection-tracking capabili‐
5329 ties should all be false. In this case, Open vSwitch will reject
5330 flows that match on the ct_state field or use the ct action.
5331 capabilities : ct_state_nat: optional string, either true or false
5333 If true, it means that the datapath supports the snat and dnat
5334 flags in the OpenFlow ct_state field. The ct_state capability
5335 must be true for this to make sense.
5336 If false, Open vSwitch will reject flows that match on the snat
5338 or dnat bits in ct_state or use nat in the ct action.
5339 capabilities : ct_zone: optional string, either true or false
5341 If true, datapath supports OVS_KEY_ATTR_CT_ZONE. If false, Open
5342 vSwitch rejects flows that match on the ct_zone field or that
5343 specify a nonzero zone or a zone field on the ct action.
5344 capabilities : ct_mark: optional string, either true or false
5346 If true, datapath supports OVS_KEY_ATTR_CT_MARK. If false, Open
5347 vSwitch rejects flows that match on the ct_mark field or that
5348 set ct_mark in the ct action.
5349 capabilities : ct_label: optional string, either true or false
5351 If true, datapath supports OVS_KEY_ATTR_CT_LABEL. If false, Open
5352 vSwitch rejects flows that match on the ct_label field or that
5353 set ct_label in the ct action.
5354 capabilities : ct_orig_tuple: optional string, either true or false
5356 If true, the datapath supports matching the 5-tuple from the
5357 connection’s original direction for IPv4 traffic. If false, Open
5358 vSwitch rejects flows that match on ct_nw_src or ct_nw_dst, that
5359 use the ct feature of the resubmit action, or the force keyword
5360 in the ct action. (The latter isn’t tied to connection tracking
5361 support of original tuples in any technical way. They are con‐
5362 flated because all current datapaths implemented the two fea‐
5363 tures at the same time.)
5364 If this and capabilities:ct_orig_tuple6 are both false, Open
5366 vSwitch rejects flows that match on ct_nw_proto, ct_tp_src, or
5367 ct_tp_dst.
5368 capabilities : ct_orig_tuple6: optional string, either true or false
5370 If true, the datapath supports matching the 5-tuple from the
5371 connection’s original direction for IPv6 traffic. If false, Open
5372 vSwitch rejects flows that match on ct_ipv6_src or ct_ipv6_dst.
5373 capabilities : masked_set_action: optional string, either true or false
5375 True if the datapath supports masked data in OVS_ACTION_ATTR_SET
5376 actions. Masked data can improve performance by allowing
5377 megaflows to match on fewer fields.
5378 capabilities : tnl_push_pop: optional string, either true or false
5380 True if the datapath supports tnl_push and pop actions. This is
5381 a prerequisite for a datapath to support native tunneling.
5382 capabilities : ufid: optional string, either true or false
5384 True if the datapath supports OVS_FLOW_ATTR_UFID. UFID support
5385 improves revalidation performance by transferring less data be‐
5386 tween the slow path and the datapath.
5387 capabilities : trunc: optional string, either true or false
5389 True if the datapath supports OVS_ACTION_ATTR_TRUNC action. If
5390 false, the output action with packet truncation requires every
5391 packet to be sent to the Open vSwitch slow path, which is likely
5392 to make it too slow for mirroring traffic in bulk.
5393 capabilities : nd_ext: optional string, either true or false
5395 True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS to
5396 match on ICMPv6 "ND reserved" and "ND option type" header
5397 fields. If false, the datapath reports error if the feature is
5398 used.
5399 Clone Actions:
5401 When Open vSwitch translates actions from OpenFlow into the datapath
5403 representation, some of the datapath actions may modify the packet or
5404 have other side effects that later datapath actions can’t undo. The
5405 OpenFlow ct, meter, output with truncation, encap, decap, and
5406 dec_nsh_ttl actions fall into this category. Often, this is not a prob‐
5407 lem because nothing later on needs the original packet.
5408 Such actions can, however, occur in circumstances where the translation
5410 does require the original packet. For example, an OpenFlow output ac‐
5411 tion might direct a packet to a patch port, which might in turn lead to
5412 a ct action that NATs the packet (which cannot be undone), and then af‐
5413 terward when control flow pops back across the patch port some other
5414 action might need to act on the original packet.
5415 Open vSwitch has two different ways to implement this ``save and re‐
5417 store’’ via datapath actions. These capabilities indicate which one
5418 Open vSwitch will choose. When neither is available, Open vSwitch sim‐
5419 ply fails in situations that require this feature.
5420 capabilities : clone: optional string, either true or false
5422 True if the datapath supports OVS_ACTION_ATTR_CLONE action. This
5423 is the preferred option for saving and restoring packets, since
5424 it is intended for the purpose, but old datapaths do not support
5425 it. Open vSwitch will use it whenever it is available.
5426 (The OpenFlow clone action does not always yield a OVS_AC‐
5428 TION_ATTR_CLONE action. It only does so when the datapath sup‐
5429 ports it and the clone brackets actions that otherwise cannot be
5430 undone.)
5431 capabilities : sample_nesting: optional string, containing an integer,
5433 at least 0
5434 Maximum level of nesting allowed by OVS_ACTION_ATTR_SAMPLE ac‐
5435 tion. Open vSwitch misuses this action for saving and restoring
5436 packets when the datapath supports more than 3 levels of nesting
5437 and OVS_ACTION_ATTR_CLONE is not available.
5438 capabilities : ct_eventmask: optional string, either true or false
5440 True if the datapath’s OVS_ACTION_ATTR_CT action implements the
5441 OVS_CT_ATTR_EVENTMASK attribute. When this is true, Open vSwitch
5442 uses the event mask feature to limit the kinds of events re‐
5443 ported to conntrack update listeners. When Open vSwitch doesn’t
5444 limit the event mask, listeners receive reports of numerous usu‐
5445 ally unimportant events, such as TCP state machine changes,
5446 which can waste CPU time.
5447 capabilities : ct_clear: optional string, either true or false
5449 True if the datapath supports OVS_ACTION_ATTR_CT_CLEAR action.
5450 If false, the OpenFlow ct_clear action has no effect on the
5451 datapath.
5452 capabilities : max_hash_alg: optional string, containing an integer, at
5454 least 0
5455 Highest supported dp_hash algorithm. This allows Open vSwitch to
5456 avoid requesting a packet hash that the datapath does not sup‐
5457 port.
5458 capabilities : check_pkt_len: optional string, either true or false
5460 True if the datapath supports OVS_ACTION_ATTR_CHECK_PKT_LEN. If
5461 false, Open vSwitch implements the check_pkt_larger action by
5462 sending every packet through the Open vSwitch slow path, which
5463 is likely to make it too slow for handling traffic in bulk.
5464 capabilities : ct_timeout: optional string, either true or false
5466 True if the datapath supports OVS_CT_ATTR_TIMEOUT in the OVS_AC‐
5467 TION_ATTR_CT action. If false, Open vswitch cannot implement
5468 timeout policies based on connection tracking zones, as config‐
5469 ured through the CT_Timeout_Policy table.
5470 capabilities : explicit_drop_action: optional string, either true or
5472 false
5473 True if the datapath supports OVS_ACTION_ATTR_DROP. If false,
5474 explicit drop action will not be sent to the datapath.
5475 Common Columns:
5477 The overall purpose of these columns is described under Common Columns
5479 at the beginning of this document.
5480 external_ids: map of string-string pairs
5482
5484 Connection tracking zone configuration
5485 Summary:
5487 timeout_policy optional CT_Timeout_Policy
5488 Common Columns:
5489 external_ids map of string-string pairs
5490 Details:
5492 timeout_policy: optional CT_Timeout_Policy
5493 Connection tracking timeout policy for this zone. If a timeout
5494 policy is not specified, it defaults to the timeout policy in
5495 the system.
5496 Common Columns:
5498 The overall purpose of these columns is described under Common Columns
5500 at the beginning of this document.
5501 external_ids: map of string-string pairs
5503
5505 Connection tracking timeout policy configuration
5506 Summary:
5508 Timeouts:
5509 timeouts map of string-integer pairs, key one of
5510 icmp_first, icmp_reply, tcp_close,
5511 tcp_close_wait, tcp_established,
5512 tcp_fin_wait, tcp_last_ack, tcp_retrans‐
5513 mit, tcp_syn_recv, tcp_syn_sent2,
5514 tcp_syn_sent, tcp_time_wait, tcp_unack,
5515 udp_first, udp_multiple, or udp_single,
5516 value in range 0 to 4,294,967,295
5517 TCP Timeouts:
5518 timeouts : tcp_syn_sent optional integer, in range 0 to
5519 4,294,967,295
5520 timeouts : tcp_syn_recv optional integer, in range 0 to
5521 4,294,967,295
5522 timeouts : tcp_established
5523 optional integer, in range 0 to
5524 4,294,967,295
5525 timeouts : tcp_fin_wait optional integer, in range 0 to
5526 4,294,967,295
5527 timeouts : tcp_close_wait
5528 optional integer, in range 0 to
5529 4,294,967,295
5530 timeouts : tcp_last_ack optional integer, in range 0 to
5531 4,294,967,295
5532 timeouts : tcp_time_wait optional integer, in range 0 to
5533 4,294,967,295
5534 timeouts : tcp_close optional integer, in range 0 to
5535 4,294,967,295
5536 timeouts : tcp_syn_sent2 optional integer, in range 0 to
5537 4,294,967,295
5538 timeouts : tcp_retransmit
5539 optional integer, in range 0 to
5540 4,294,967,295
5541 timeouts : tcp_unack optional integer, in range 0 to
5542 4,294,967,295
5543 UDP Timeouts:
5544 timeouts : udp_first optional integer, in range 0 to
5545 4,294,967,295
5546 timeouts : udp_single optional integer, in range 0 to
5547 4,294,967,295
5548 timeouts : udp_multiple optional integer, in range 0 to
5549 4,294,967,295
5550 ICMP Timeouts:
5551 timeouts : icmp_first optional integer, in range 0 to
5552 4,294,967,295
5553 timeouts : icmp_reply optional integer, in range 0 to
5554 4,294,967,295
5555 Common Columns:
5556 external_ids map of string-string pairs
5557 Details:
5559 Timeouts:
5560 timeouts: map of string-integer pairs, key one of icmp_first, icmp_re‐
5562 ply, tcp_close, tcp_close_wait, tcp_established, tcp_fin_wait,
5563 tcp_last_ack, tcp_retransmit, tcp_syn_recv, tcp_syn_sent2,
5564 tcp_syn_sent, tcp_time_wait, tcp_unack, udp_first, udp_multiple, or
5565 udp_single, value in range 0 to 4,294,967,295
5566 The timeouts column contains key-value pairs used to configure
5567 connection tracking timeouts in a datapath. Key-value pairs that
5568 are not supported by a datapath are ignored. The timeout value
5569 is in seconds.
5570 TCP Timeouts:
5572 timeouts : tcp_syn_sent: optional integer, in range 0 to 4,294,967,295
5574 The timeout for the connection after the first TCP SYN packet
5575 has been seen by conntrack.
5576 timeouts : tcp_syn_recv: optional integer, in range 0 to 4,294,967,295
5578 The timeout of the connection after the first TCP SYN-ACK packet
5579 has been seen by conntrack.
5580 timeouts : tcp_established: optional integer, in range 0 to
5582 4,294,967,295
5583 The timeout of the connection after the connection has been
5584 fully established.
5585 timeouts : tcp_fin_wait: optional integer, in range 0 to 4,294,967,295
5587 The timeout of the connection after the first TCP FIN packet has
5588 been seen by conntrack.
5589 timeouts : tcp_close_wait: optional integer, in range 0 to
5591 4,294,967,295
5592 The timeout of the connection after the first TCP ACK packet has
5593 been seen after it receives TCP FIN packet. This timeout is only
5594 supported by the Linux kernel datapath.
5595 timeouts : tcp_last_ack: optional integer, in range 0 to 4,294,967,295
5597 The timeout of the connection after TCP FIN packets have been
5598 seen by conntrack from both directions. This timeout is only
5599 supported by the Linux kernel datapath.
5600 timeouts : tcp_time_wait: optional integer, in range 0 to 4,294,967,295
5602 The timeout of the connection after conntrack has seen the TCP
5603 ACK packet for the second TCP FIN packet.
5604 timeouts : tcp_close: optional integer, in range 0 to 4,294,967,295
5606 The timeout of the connection after the first TCP RST packet has
5607 been seen by conntrack.
5608 timeouts : tcp_syn_sent2: optional integer, in range 0 to 4,294,967,295
5610 The timeout of the connection when only a TCP SYN packet has
5611 been seen by conntrack from both directions (simultaneous open).
5612 This timeout is only supported by the Linux kernel datapath.
5613 timeouts : tcp_retransmit: optional integer, in range 0 to
5615 4,294,967,295
5616 The timeout of the connection when it exceeds the maximum number
5617 of retransmissions. This timeout is only supported by the Linux
5618 kernel datapath.
5619 timeouts : tcp_unack: optional integer, in range 0 to 4,294,967,295
5621 The timeout of the connection when non-SYN packets create an es‐
5622 tablished connection in TCP loose tracking mode. This timeout is
5623 only supported by the Linux kernel datapath.
5624 UDP Timeouts:
5626 timeouts : udp_first: optional integer, in range 0 to 4,294,967,295
5628 The timeout of the connection after the first UDP packet has
5629 been seen by conntrack. This timeout is only supported by the
5630 userspace datapath.
5631 timeouts : udp_single: optional integer, in range 0 to 4,294,967,295
5633 The timeout of the connection when conntrack only seen UDP
5634 packet from the source host, but the destination host has never
5635 sent one back.
5636 timeouts : udp_multiple: optional integer, in range 0 to 4,294,967,295
5638 The timeout of the connection when UDP packets have been seen in
5639 both directions.
5640 ICMP Timeouts:
5642 timeouts : icmp_first: optional integer, in range 0 to 4,294,967,295
5644 The timeout of the connection after the first ICMP packet has
5645 been seen by conntrack.
5646 timeouts : icmp_reply: optional integer, in range 0 to 4,294,967,295
5648 The timeout of the connection when ICMP packets have been seen
5649 in both direction. This timeout is only supported by the
5650 userspace datapath.
5651 Common Columns:
5653 The overall purpose of these columns is described under Common Columns
5655 at the beginning of this document.
5656 external_ids: map of string-string pairs
5658
5660 SSL configuration for an Open_vSwitch.
5661 Summary:
5663 private_key string
5664 certificate string
5665 ca_cert string
5666 bootstrap_ca_cert boolean
5667 Common Columns:
5668 external_ids map of string-string pairs
5669 Details:
5671 private_key: string
5672 Name of a PEM file containing the private key used as the
5673 switch’s identity for SSL connections to the controller.
5674 certificate: string
5676 Name of a PEM file containing a certificate, signed by the cer‐
5677 tificate authority (CA) used by the controller and manager, that
5678 certifies the switch’s private key, identifying a trustworthy
5679 switch.
5680 ca_cert: string
5682 Name of a PEM file containing the CA certificate used to verify
5683 that the switch is connected to a trustworthy controller.
5684 bootstrap_ca_cert: boolean
5686 If set to true, then Open vSwitch will attempt to obtain the CA
5687 certificate from the controller on its first SSL connection and
5688 save it to the named PEM file. If it is successful, it will im‐
5689 mediately drop the connection and reconnect, and from then on
5690 all SSL connections must be authenticated by a certificate
5691 signed by the CA certificate thus obtained. This option exposes
5692 the SSL connection to a man-in-the-middle attack obtaining the
5693 initial CA certificate. It may still be useful for bootstrap‐
5694 ping.
5695 Common Columns:
5697 The overall purpose of these columns is described under Common Columns
5699 at the beginning of this document.
5700 external_ids: map of string-string pairs
5702
5704 A set of sFlow(R) targets. sFlow is a protocol for remote monitoring of
5705 switches.
5706 Summary:
5708 agent optional string
5709 header optional integer
5710 polling optional integer
5711 sampling optional integer
5712 targets set of 1 or more strings
5713 Common Columns:
5714 external_ids map of string-string pairs
5715 Details:
5717 agent: optional string
5718 Determines the agent address, that is, the IP address reported
5719 to collectors as the source of the sFlow data. It may be an IP
5720 address or the name of a network device. In the latter case, the
5721 network device’s IP address is used,
5722 If not specified, the agent device is figured from the first
5724 target address and the routing table. If the routing table does
5725 not contain a route to the target, the IP address defaults to
5726 the local_ip in the collector’s Controller.
5727 If an agent IP address cannot be determined, sFlow is disabled.
5729 header: optional integer
5731 Number of bytes of a sampled packet to send to the collector. If
5732 not specified, the default is 128 bytes.
5733 polling: optional integer
5735 Polling rate in seconds to send port statistics to the collec‐
5736 tor. If not specified, defaults to 30 seconds.
5737 sampling: optional integer
5739 Rate at which packets should be sampled and sent to the collec‐
5740 tor. If not specified, defaults to 400, which means one out of
5741 400 packets, on average, will be sent to the collector.
5742 targets: set of 1 or more strings
5744 sFlow targets in the form ip:port.
5745 Common Columns:
5747 The overall purpose of these columns is described under Common Columns
5749 at the beginning of this document.
5750 external_ids: map of string-string pairs
5752
5754 Configuration for sending packets to IPFIX collectors.
5755 IPFIX is a protocol that exports a number of details about flows. The
5757 IPFIX implementation in Open vSwitch samples packets at a configurable
5758 rate, extracts flow information from those packets, optionally caches
5759 and aggregates the flow information, and sends the result to one or
5760 more collectors.
5761 IPFIX in Open vSwitch can be configured two different ways:
5763 • With per-bridge sampling, Open vSwitch performs IPFIX
5765 sampling automatically on all packets that pass through a
5766 bridge. To configure per-bridge sampling, create an IPFIX
5767 record and point a Bridge table’s ipfix column to it. The
5768 Flow_Sample_Collector_Set table is not used for per-
5769 bridge sampling.
5770 • With flow-based sampling, sample actions in the OpenFlow
5772 flow table drive IPFIX sampling. See ovs-actions(7) for a
5773 description of the sample action.
5774 Flow-based sampling also requires database configuration:
5776 create a IPFIX record that describes the IPFIX configura‐
5777 tion and a Flow_Sample_Collector_Set record that points
5778 to the Bridge whose flow table holds the sample actions
5779 and to IPFIX record. The ipfix in the Bridge table is not
5780 used for flow-based sampling.
5781 Summary:
5783 targets set of strings
5784 cache_active_timeout optional integer, in range 0 to 4,200
5785 cache_max_flows optional integer, in range 0 to
5786 4,294,967,295
5787 other_config : enable-tunnel-sampling
5788 optional string, either true or false
5789 other_config : virtual_obs_id optional string
5790 Per-Bridge Sampling:
5791 sampling optional integer, in range 1 to
5792 4,294,967,295
5793 obs_domain_id optional integer, in range 0 to
5794 4,294,967,295
5795 obs_point_id optional integer, in range 0 to
5796 4,294,967,295
5797 other_config : enable-input-sampling
5798 optional string, either true or false
5799 other_config : enable-output-sampling
5800 optional string, either true or false
5801 Common Columns:
5802 external_ids map of string-string pairs
5803 Details:
5805 targets: set of strings
5806 IPFIX target collectors in the form ip:port.
5807 cache_active_timeout: optional integer, in range 0 to 4,200
5809 The maximum period in seconds for which an IPFIX flow record is
5810 cached and aggregated before being sent. If not specified, de‐
5811 faults to 0. If 0, caching is disabled.
5812 cache_max_flows: optional integer, in range 0 to 4,294,967,295
5814 The maximum number of IPFIX flow records that can be cached at a
5815 time. If not specified, defaults to 0. If 0, caching is dis‐
5816 abled.
5817 other_config : enable-tunnel-sampling: optional string, either true or
5819 false
5820 Set to true to enable sampling and reporting tunnel header 7-tu‐
5821 ples in IPFIX flow records. Tunnel sampling is enabled by de‐
5822 fault.
5823 The following enterprise entities report the sampled tunnel
5825 info:
5826 tunnelType:
5828 ID: 891, and enterprise ID 6876 (VMware).
5829 type: unsigned 8-bit integer.
5831 data type semantics: identifier.
5833 description: Identifier of the layer 2 network overlay
5835 network encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03
5836 LISP, 0x07 GENEVE.
5837 tunnelKey:
5839 ID: 892, and enterprise ID 6876 (VMware).
5840 type: variable-length octetarray.
5842 data type semantics: identifier.
5844 description: Key which is used for identifying an indi‐
5846 vidual traffic flow within a VxLAN (24-bit VNI), GENEVE
5847 (24-bit VNI), GRE (32-bit key), or LISP (24-bit instance
5848 ID) tunnel. The key is encoded in this octetarray as a
5849 3-, 4-, or 8-byte integer ID in network byte order.
5850 tunnelSourceIPv4Address:
5852 ID: 893, and enterprise ID 6876 (VMware).
5853 type: unsigned 32-bit integer.
5855 data type semantics: identifier.
5857 description: The IPv4 source address in the tunnel IP
5859 packet header.
5860 tunnelDestinationIPv4Address:
5862 ID: 894, and enterprise ID 6876 (VMware).
5863 type: unsigned 32-bit integer.
5865 data type semantics: identifier.
5867 description: The IPv4 destination address in the tunnel
5869 IP packet header.
5870 tunnelProtocolIdentifier:
5872 ID: 895, and enterprise ID 6876 (VMware).
5873 type: unsigned 8-bit integer.
5875 data type semantics: identifier.
5877 description: The value of the protocol number in the tun‐
5879 nel IP packet header. The protocol number identifies the
5880 tunnel IP packet payload type.
5881 tunnelSourceTransportPort:
5883 ID: 896, and enterprise ID 6876 (VMware).
5884 type: unsigned 16-bit integer.
5886 data type semantics: identifier.
5888 description: The source port identifier in the tunnel
5890 transport header. For the transport protocols UDP, TCP,
5891 and SCTP, this is the source port number given in the re‐
5892 spective header.
5893 tunnelDestinationTransportPort:
5895 ID: 897, and enterprise ID 6876 (VMware).
5896 type: unsigned 16-bit integer.
5898 data type semantics: identifier.
5900 description: The destination port identifier in the tun‐
5902 nel transport header. For the transport protocols UDP,
5903 TCP, and SCTP, this is the destination port number given
5904 in the respective header.
5905 Before Open vSwitch 2.5.90, other_config:enable-tunnel-sampling
5907 was only supported with per-bridge sampling, and ignored other‐
5908 wise. Open vSwitch 2.5.90 and later support other_config:enable-
5909 tunnel-sampling for per-bridge and per-flow sampling.
5910 other_config : virtual_obs_id: optional string
5912 A string that accompanies each IPFIX flow record. Its intended
5913 use is for the ``virtual observation ID,’’ an identifier of a
5914 virtual observation point that is locally unique in a virtual
5915 network. It describes a location in the virtual network where IP
5916 packets can be observed. The maximum length is 254 bytes. If not
5917 specified, the field is omitted from the IPFIX flow record.
5918 The following enterprise entity reports the specified virtual
5920 observation ID:
5921 virtualObsID:
5923 ID: 898, and enterprise ID 6876 (VMware).
5924 type: variable-length string.
5926 data type semantics: identifier.
5928 description: A virtual observation domain ID that is lo‐
5930 cally unique in a virtual network.
5931 This feature was introduced in Open vSwitch 2.5.90.
5933 Per-Bridge Sampling:
5935 These values affect only per-bridge sampling. See above for a descrip‐
5937 tion of the differences between per-bridge and flow-based sampling.
5938 sampling: optional integer, in range 1 to 4,294,967,295
5940 The rate at which packets should be sampled and sent to each
5941 target collector. If not specified, defaults to 400, which means
5942 one out of 400 packets, on average, will be sent to each target
5943 collector.
5944 obs_domain_id: optional integer, in range 0 to 4,294,967,295
5946 The IPFIX Observation Domain ID sent in each IPFIX packet. If
5947 not specified, defaults to 0.
5948 obs_point_id: optional integer, in range 0 to 4,294,967,295
5950 The IPFIX Observation Point ID sent in each IPFIX flow record.
5951 If not specified, defaults to 0.
5952 other_config : enable-input-sampling: optional string, either true or
5954 false
5955 By default, Open vSwitch samples and reports flows at bridge
5956 port input in IPFIX flow records. Set this column to false to
5957 disable input sampling.
5958 other_config : enable-output-sampling: optional string, either true or
5960 false
5961 By default, Open vSwitch samples and reports flows at bridge
5962 port output in IPFIX flow records. Set this column to false to
5963 disable output sampling.
5964 Common Columns:
5966 The overall purpose of these columns is described under Common Columns
5968 at the beginning of this document.
5969 external_ids: map of string-string pairs
5971
5973 A set of IPFIX collectors of packet samples generated by OpenFlow sam‐
5974 ple actions. This table is used only for IPFIX flow-based sampling, not
5975 for per-bridge sampling (see the IPFIX table for a description of the
5976 two forms).
5977 Summary:
5979 id integer, in range 0 to 4,294,967,295
5980 bridge Bridge
5981 ipfix optional IPFIX
5982 Common Columns:
5983 external_ids map of string-string pairs
5984 Details:
5986 id: integer, in range 0 to 4,294,967,295
5987 The ID of this collector set, unique among the bridge’s collec‐
5988 tor sets, to be used as the collector_set_id in OpenFlow sample
5989 actions.
5990 bridge: Bridge
5992 The bridge into which OpenFlow sample actions can be added to
5993 send packet samples to this set of IPFIX collectors.
5994 ipfix: optional IPFIX
5996 Configuration of the set of IPFIX collectors to send one flow
5997 record per sampled packet to.
5998 Common Columns:
6000 The overall purpose of these columns is described under Common Columns
6002 at the beginning of this document.
6003 external_ids: map of string-string pairs
6005
6007 Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM
6008 draft standard describes a compact method of using IEEE 802.1AB Link
6009 Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
6010 Path Bridging (SPB) network to automatically attach network devices to
6011 individual services in a SPB network. The intent here is to allow net‐
6012 work applications and devices using OVS to be able to easily take ad‐
6013 vantage of features offered by industry standard SPB networks.
6014 Auto Attach (AA) uses LLDP to communicate between a directly connected
6016 Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP proto‐
6017 col is extended to add two new Type-Length-Value tuples (TLVs). The
6018 first new TLV supports the ongoing discovery of directly connected AA
6019 correspondents. Auto Attach operates by regularly transmitting AA dis‐
6020 covery TLVs between the AA client and AA server. By exchanging these
6021 discovery messages, both the AAC and AAS learn the system name and sys‐
6022 tem description of their peer. In the OVS context, OVS operates as the
6023 AA client and the AA server resides on a switch at the edge of the SPB
6024 network.
6025 Once AA discovery has been completed the AAC then uses the second new
6027 TLV to deliver identifier mappings from the AAC to the AAS. A primary
6028 feature of Auto Attach is to facilitate the mapping of VLANs defined
6029 outside the SPB network onto service ids (ISIDs) defined within the SPM
6030 network. By doing so individual external VLANs can be mapped onto spe‐
6031 cific SPB network services. These VLAN id to ISID mappings can be con‐
6032 figured and managed locally using new options added to the ovs-vsctl
6033 command.
6034 The Auto Attach OVS feature does not provide a full implementation of
6036 the LLDP protocol. Support for the mandatory TLVs as defined by the
6037 LLDP standard and support for the AA TLV extensions is provided. LLDP
6038 protocol support in OVS can be enabled or disabled on a port by port
6039 basis. LLDP support is disabled by default.
6040 Summary:
6042 system_name string
6043 system_description string
6044 mappings map of integer-integer pairs, key in
6045 range 0 to 16,777,215, value in range 0
6046 to 4,095
6047 Details:
6049 system_name: string
6050 The system_name string is exported in LLDP messages. It should
6051 uniquely identify the bridge in the network.
6052 system_description: string
6054 The system_description string is exported in LLDP messages. It
6055 should describe the type of software and hardware.
6056 mappings: map of integer-integer pairs, key in range 0 to 16,777,215,
6058 value in range 0 to 4,095
6059 A mapping from SPB network Individual Service Identifier (ISID)
6060 to VLAN id.
6061Open vSwitch 2.15.0 DB Schema 8.2.0 ovs-vswitchd.conf.db(5)