vtep(5)                      Open vSwitch Manual                      vtep(5)

NAME
       vtep - hardware_vtep database schema

       This schema specifies relations that a VTEP can use to integrate
       physical ports into logical switches maintained by a network
       virtualization controller such as NSX.

       Glossary:

       VTEP   VXLAN Tunnel End Point, an entity which originates and/or
              terminates VXLAN tunnels.

       HSC    Hardware Switch Controller.

       NVC    Network Virtualization Controller, e.g. NSX.

       VRF    Virtual Routing and Forwarding instance.

   Common Column
       Some tables contain a column named other_config. This column has the
       same form and purpose each place that it appears, so we describe it
       here to save space later.

       other_config: map of string-string pairs
              Key-value pairs for configuring rarely used or proprietary
              features.

              Some tables do not have an other_config column because no
              key-value pairs have yet been defined for them.

TABLE SUMMARY
       The following list summarizes the purpose of each of the tables in
       the hardware_vtep database. Each table is described in more detail on
       a later page.

       Table                    Purpose
       Global                   Top-level configuration.
       Manager                  OVSDB management connection.
       Physical_Switch          A physical switch.
       Tunnel                   A tunnel created by a physical switch.
       Physical_Port            A port within a physical switch.
       Logical_Binding_Stats    Statistics for a VLAN on a physical port
                                bound to a logical network.
       Logical_Switch           A layer-2 domain.
       Ucast_Macs_Local         Unicast MACs (local)
       Ucast_Macs_Remote        Unicast MACs (remote)
       Mcast_Macs_Local         Multicast MACs (local)
       Mcast_Macs_Remote        Multicast MACs (remote)
       Logical_Router           A logical L3 router.
       Arp_Sources_Local        ARP source addresses for logical routers
       Arp_Sources_Remote       ARP source addresses for logical routers
       Physical_Locator_Set     Physical_Locator_Set configuration.
       Physical_Locator         Physical_Locator configuration.
       ACL_entry                ACL_entry configuration.
       ACL                      ACL configuration.

Global TABLE
       Top-level configuration for a hardware VTEP. There must be exactly
       one record in the Global table.

   Summary:
       switches                    set of Physical_Switchs
       Database Configuration:
         managers                  set of Managers
       Common Column:
         other_config              map of string-string pairs

   Details:
       switches: set of Physical_Switchs
              The physical switch or switches managed by the VTEP.

              When a physical switch integrates support for this VTEP
              schema, which is expected to be the most common case, this
              column should point to one Physical_Switch record that
              represents the switch itself. In another possible
              implementation, a server or a VM presents a VTEP schema
              front-end interface to one or more physical switches,
              presumably communicating with those physical switches over a
              proprietary protocol. In that case, this column would point
              to one Physical_Switch for each physical switch, and the set
              might change over time as the front-end server comes to
              represent a differing set of switches.

     Database Configuration:

       These columns primarily configure the database server
       (ovsdb-server), not the hardware VTEP itself.

       managers: set of Managers
              Database clients to which the database server should connect
              or to which it should listen, along with options for how
              these connections should be configured. See the Manager table
              for more information.

     Common Column:

       The overall purpose of this column is described under Common Column
       at the beginning of this document.

       other_config: map of string-string pairs

Manager TABLE
       Configuration for a database connection to an Open vSwitch Database
       (OVSDB) client.

       The database server can initiate and maintain active connections to
       remote clients. It can also listen for database connections.

   Summary:
       Core Features:
         target                      string (must be unique within table)
       Client Failure Detection and Handling:
         max_backoff                 optional integer, at least 1,000
         inactivity_probe            optional integer
       Status:
         is_connected                boolean
         status : last_error         optional string
         status : state              optional string, one of ACTIVE,
                                     BACKOFF, CONNECTING, IDLE, or VOID
         status : sec_since_connect  optional string, containing an
                                     integer, at least 0
         status : sec_since_disconnect
                                     optional string, containing an
                                     integer, at least 0
         status : locks_held         optional string
         status : locks_waiting      optional string
         status : locks_lost         optional string
         status : n_connections      optional string, containing an
                                     integer, at least 2
       Connection Parameters:
         other_config : dscp         optional string, containing an integer

   Details:
     Core Features:

       target: string (must be unique within table)
              Connection method for managers.

              The following connection methods are currently supported:

              ssl:host[:port]
                     The specified SSL port (default: 6640) on the given
                     host, which can either be a DNS name (if built with
                     unbound library) or an IP address.

                     SSL key and certificate configuration happens outside
                     the database.

              tcp:host[:port]
                     The specified TCP port (default: 6640) on the given
                     host, which can either be a DNS name (if built with
                     unbound library) or an IP address.

              pssl:[port][:host]
                     Listens for SSL connections on the specified TCP port
                     (default: 6640). If host, which can either be a DNS
                     name (if built with unbound library) or an IP address,
                     is specified, then connections are restricted to the
                     resolved or specified local IP address.

              ptcp:[port][:host]
                     Listens for connections on the specified TCP port
                     (default: 6640). If host, which can either be a DNS
                     name (if built with unbound library) or an IP address,
                     is specified, then connections are restricted to the
                     resolved or specified local IP address.

     Client Failure Detection and Handling:

       max_backoff: optional integer, at least 1,000
              Maximum number of milliseconds to wait between connection
              attempts. Default is implementation-specific.

       inactivity_probe: optional integer
              Maximum number of milliseconds of idle time on the connection
              to the client before sending an inactivity probe message. If
              the Open vSwitch database does not communicate with the
              client for that interval, it will send a probe. If a response
              is not received for the same additional amount of time, the
              database server assumes the connection has been broken and
              attempts to reconnect. Default is implementation-specific. A
              value of 0 disables inactivity probes.

     Status:

       is_connected: boolean
              true if currently connected to this manager, false otherwise.

       status : last_error: optional string
              A human-readable description of the last error on the
              connection to the manager; i.e. strerror(errno). This key
              will exist only if an error has occurred.

       status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
       IDLE, or VOID
              The state of the connection to the manager:

              VOID   Connection is disabled.

              BACKOFF
                     Attempting to reconnect at an increasing period.

              CONNECTING
                     Attempting to connect.

              ACTIVE Connected, remote host responsive.

              IDLE   Connection is idle. Waiting for response to keep-alive.

              These values may change in the future. They are provided only
              for human consumption.

       status : sec_since_connect: optional string, containing an integer,
       at least 0
              The amount of time since this manager last successfully
              connected to the database (in seconds). Value is empty if the
              manager has never successfully connected.

       status : sec_since_disconnect: optional string, containing an
       integer, at least 0
              The amount of time since this manager last disconnected from
              the database (in seconds). Value is empty if the manager has
              never disconnected.

       status : locks_held: optional string
              Space-separated list of the names of OVSDB locks that the
              connection holds. Omitted if the connection does not hold any
              locks.

       status : locks_waiting: optional string
              Space-separated list of the names of OVSDB locks that the
              connection is currently waiting to acquire. Omitted if the
              connection is not waiting for any locks.

       status : locks_lost: optional string
              Space-separated list of the names of OVSDB locks that the
              connection has had stolen by another OVSDB client. Omitted if
              no locks have been stolen from this connection.

       status : n_connections: optional string, containing an integer, at
       least 2
              When target specifies a connection method that listens for
              inbound connections (e.g. ptcp: or pssl:) and more than one
              connection is actually active, the value is the number of
              active connections. Otherwise, this key-value pair is omitted.

              When multiple connections are active, status columns and
              key-value pairs (other than this one) report the status of
              one arbitrarily chosen connection.

     Connection Parameters:

       Additional configuration for a connection between the manager and
       the database server.

       other_config : dscp: optional string, containing an integer
              The Differentiated Service Code Point (DSCP) is specified
              using 6 bits in the Type of Service (TOS) field in the IP
              header. DSCP provides a mechanism to classify the network
              traffic and provide Quality of Service (QoS) on IP networks.
              The DSCP value specified here is used when establishing the
              connection between the manager and the database server. If no
              value is specified, a default value of 48 is chosen. Valid
              DSCP values must be in the range 0 to 63.

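       The target connection methods and the other_config:dscp constraint
       above are easy to get wrong in a deployed VTEP. The following Python
       is an added example (not Open vSwitch code) that parses a Manager
       record's target string by the grammar documented here and reports
       what a reviewer of the Global/Manager configuration would want
       flagged: a plaintext tcp:/ptcp: transport, a passive listener with
       no local host restriction, and a dscp outside 0 to 63. The sample
       records are constructed; IPv6 bracket literals are not handled.

```python
"""Audit hardware_vtep Manager records (added example, not Open vSwitch code).

Parses the `target` connection methods documented for the Manager table
(ssl:, tcp:, pssl:, ptcp:) and checks other_config:dscp. Sample records
below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORT = 6640            # default port for every method on the page
ACTIVE = {"ssl", "tcp"}        # database server connects out to the client
PASSIVE = {"pssl", "ptcp"}     # database server listens for clients
ENCRYPTED = {"ssl", "pssl"}


@dataclass
class Target:
    method: str
    host: Optional[str]        # None means a listener bound to all addresses
    port: int


def parse_target(target: str) -> Target:
    """Parse ssl:host[:port], tcp:host[:port], pssl:[port][:host], ptcp:[port][:host].

    IPv6 bracket literals ([::1]) are not handled by this simple splitter."""
    method, _, rest = target.partition(":")
    if method in ACTIVE:
        # Active methods: host is mandatory, port is optional.
        host, _, port = rest.partition(":")
        if not host:
            raise ValueError(f"{target}: active method requires a host")
        return Target(method, host, int(port) if port else DEFAULT_PORT)
    if method in PASSIVE:
        # Passive methods: port comes first, host second, both optional.
        port, _, host = rest.partition(":")
        return Target(method, host or None, int(port) if port else DEFAULT_PORT)
    raise ValueError(f"{target}: unsupported connection method {method!r}")


def audit_manager(record: dict) -> list:
    """Return the findings for one Manager row (its target and other_config)."""
    findings = []
    t = parse_target(record["target"])
    if t.method not in ENCRYPTED:
        findings.append(f"{record['target']}: plaintext transport; OVSDB "
                        "traffic is unprotected on the wire")
    if t.method in PASSIVE and t.host is None:
        findings.append(f"{record['target']}: listener is not restricted to a "
                        "local address, so it accepts clients on every interface")
    dscp = record.get("other_config", {}).get("dscp")
    if dscp is not None and not (dscp.isdigit() and 0 <= int(dscp) <= 63):
        findings.append(f"{record['target']}: dscp={dscp!r} is outside 0..63")
    return findings


# Constructed Manager rows: one sound, one plaintext wide-open listener,
# one SSL listener with an out-of-range DSCP.
SAMPLE_MANAGERS = [
    {"target": "ssl:nvc.example.net:6640", "other_config": {"dscp": "48"}},
    {"target": "ptcp:", "other_config": {}},
    {"target": "pssl:6640:192.0.2.10", "other_config": {"dscp": "64"}},
]


def audit_all(records=SAMPLE_MANAGERS) -> dict:
    """Map each target string to its list of findings."""
    return {r["target"]: audit_manager(r) for r in records}


if __name__ == "__main__":
    for target, findings in audit_all().items():
        print(target, "->", findings or "ok")
```

       Run stand-alone it prints one line per sample row; the ssl: row is
       clean, the bare ptcp: row draws two findings, and the pssl: row only
       the DSCP one.
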
Physical_Switch TABLE
       A physical switch that implements a VTEP.

   Summary:
       ports                       set of Physical_Ports
       tunnels                     set of Tunnels
       Network Status:
         management_ips            set of strings
         tunnel_ips                set of strings
       Identification:
         name                      string (must be unique within table)
         description               string
       Error Notification:
         switch_fault_status : mac_table_exhaustion
                                   none
         switch_fault_status : tunnel_exhaustion
                                   none
         switch_fault_status : lr_switch_bindings_fault
                                   none
         switch_fault_status : lr_static_routes_fault
                                   none
         switch_fault_status : lr_creation_fault
                                   none
         switch_fault_status : lr_support_fault
                                   none
         switch_fault_status : unspecified_fault
                                   none
         switch_fault_status : unsupported_source_node_replication
                                   none
       Common Column:
         other_config              map of string-string pairs

   Details:
       ports: set of Physical_Ports
              The physical ports within the switch.

       tunnels: set of Tunnels
              Tunnels created by this switch as instructed by the NVC.

     Network Status:

       management_ips: set of strings
              IPv4 or IPv6 addresses at which the switch may be contacted
              for management purposes.

       tunnel_ips: set of strings
              IPv4 or IPv6 addresses on which the switch may originate or
              terminate tunnels.

              This column is intended to allow a Manager to determine the
              Physical_Switch that terminates the tunnel represented by a
              Physical_Locator.

     Identification:

       name: string (must be unique within table)
              Symbolic name for the switch, such as its hostname.

       description: string
              An extended description for the switch, such as its switch
              login banner.

     Error Notification:

       An entry in this column indicates to the NVC that this switch has
       encountered a fault. The switch must clear this column when the fault
       has been cleared.

       switch_fault_status : mac_table_exhaustion: none
              Indicates that the switch has been unable to process MAC
              entries requested by the NVC due to lack of table resources.

       switch_fault_status : tunnel_exhaustion: none
              Indicates that the switch has been unable to create tunnels
              requested by the NVC due to lack of resources.

       switch_fault_status : lr_switch_bindings_fault: none
              Indicates that the switch has been unable to create the
              logical router interfaces requested by the NVC due to
              conflicting configurations or a lack of hardware resources.

       switch_fault_status : lr_static_routes_fault: none
              Indicates that the switch has been unable to create the
              static routes requested by the NVC due to conflicting
              configurations or a lack of hardware resources.

       switch_fault_status : lr_creation_fault: none
              Indicates that the switch has been unable to create the
              logical router requested by the NVC due to conflicting
              configurations or a lack of hardware resources.

       switch_fault_status : lr_support_fault: none
              Indicates that the switch does not support logical routing.

       switch_fault_status : unspecified_fault: none
              Indicates that an error has occurred in the switch but that
              no more specific information is available.

       switch_fault_status : unsupported_source_node_replication: none
              Indicates that the requested source node replication mode
              cannot be supported by the physical switch; this specifically
              means in this context that the physical switch lacks the
              capability to support source node replication mode. This
              error occurs when a controller attempts to set source node
              replication mode for one of the logical switches that the
              physical switch is keeping context for. An NVC that observes
              this error should take appropriate action (for example
              reverting the logical switch to service node replication
              mode).

              It is recommended that an NVC be proactive and test for
              support of source node replication by using a test logical
              switch on vtep physical switch nodes and then trying to
              change the replication mode to source node on this logical
              switch, checking for error. The NVC could remember this
              capability per vtep physical switch. Using mixed replication
              modes on a given logical switch is not recommended. Service
              node replication mode is considered a basic requirement since
              it only requires sending a packet to a single transport node,
              hence it is not expected that a switch should report that
              service node mode cannot be supported.

     Common Column:

       The overall purpose of this column is described under Common Column
       at the beginning of this document.

       other_config: map of string-string pairs

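       The Error Notification contract above (the switch sets a fault key,
       the NVC reacts, the switch clears it) is exactly what an operator
       wants to watch continuously. The Python below is an added example,
       not Open vSwitch code: it builds the RFC 7047 OVSDB JSON-RPC
       "monitor" request for the name and fault-status columns of
       Physical_Switch and Physical_Port, and decodes a constructed "update"
       notification into a flat list of outstanding faults. It assumes the
       fault-status columns travel on the wire as OVSDB string sets (an
       atom for one element, ["set", [...]] otherwise), which is how the
       "none"-valued keys on this page are encoded; the UUIDs and row
       contents are constructed.

```python
"""Watch hardware_vtep fault-status columns over OVSDB JSON-RPC.

Added example, not Open vSwitch code. Encodes the RFC 7047 request shape
and decodes the notification shape; assumes fault-status columns are
OVSDB sets of strings. Sample notification below is constructed.
"""
import json

DB = "hardware_vtep"

# Table -> fault-status column, as documented on this page.
WATCHED = {
    "Physical_Switch": "switch_fault_status",
    "Physical_Port": "port_fault_status",
}


def monitor_request(request_id: int = 1) -> dict:
    """JSON-RPC 'monitor' request: params are [db, monitor-id, requests]."""
    reqs = {table: {"columns": ["name", col]} for table, col in WATCHED.items()}
    return {"method": "monitor", "params": [DB, None, reqs], "id": request_id}


def ovsdb_set_to_list(value) -> list:
    """Decode an OVSDB set: a bare atom is a one-element set, otherwise
    ["set", [atom, ...]] (assumed encoding of the fault-status columns)."""
    if isinstance(value, list):
        if len(value) == 2 and value[0] == "set" and isinstance(value[1], list):
            return list(value[1])
        raise ValueError(f"not an OVSDB set: {value!r}")
    return [value]


def faults_from_update(notification: dict) -> list:
    """Return (table, row name, fault key) for every fault still present.

    Only the 'new' row image matters: a key absent from 'new' has been
    cleared by the switch, and a row without 'new' was deleted."""
    if notification.get("method") != "update":
        raise ValueError("expected an 'update' notification")
    _monitor_id, table_updates = notification["params"]
    found = []
    for table, rows in table_updates.items():
        col = WATCHED.get(table)
        if col is None:
            continue
        for _uuid, images in rows.items():
            new = images.get("new")
            if new is None:
                continue
            for fault in sorted(ovsdb_set_to_list(new[col])):
                found.append((table, new["name"], fault))
    return found


# Constructed notification in the shape ovsdb-server sends (id is null for
# notifications). tor-1 has two faults, tor-2 one (bare-atom set), and the
# port's earlier invalid_vlan_map fault has just been cleared.
SAMPLE_UPDATE = {
    "method": "update",
    "params": [None, {
        "Physical_Switch": {
            "0d6d4e4e-0000-4000-8000-000000000001": {
                "new": {"name": "tor-1",
                        "switch_fault_status":
                            ["set", ["mac_table_exhaustion", "tunnel_exhaustion"]]}},
            "0d6d4e4e-0000-4000-8000-000000000002": {
                "new": {"name": "tor-2",
                        "switch_fault_status": "lr_support_fault"}}},
        "Physical_Port": {
            "0d6d4e4e-0000-4000-8000-000000000003": {
                "old": {"port_fault_status": "invalid_vlan_map"},
                "new": {"name": "eth1/3", "port_fault_status": ["set", []]}}},
    }],
    "id": None,
}


if __name__ == "__main__":
    print(json.dumps(monitor_request()))
    for table, name, fault in faults_from_update(SAMPLE_UPDATE):
        print(f"{table} {name}: {fault}")
```

       The decoder deliberately reports from the "new" image only, so a
       fault that the switch has cleared (eth1/3 above) drops out of the
       list on the next notification rather than lingering.
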
Tunnel TABLE
       A tunnel created by a Physical_Switch.

   Summary:
       local                       Physical_Locator
       remote                      Physical_Locator
       Bidirectional Forwarding Detection (BFD):
         BFD Local Configuration:
           bfd_config_local : bfd_dst_mac
                                   optional string
           bfd_config_local : bfd_dst_ip
                                   optional string
         BFD Remote Configuration:
           bfd_config_remote : bfd_dst_mac
                                   optional string
           bfd_config_remote : bfd_dst_ip
                                   optional string
         BFD Parameters:
           bfd_params : enable     optional string, either true or false
           bfd_params : min_rx     optional string, containing an integer,
                                   at least 1
           bfd_params : min_tx     optional string, containing an integer,
                                   at least 1
           bfd_params : decay_min_rx
                                   optional string, containing an integer
           bfd_params : forwarding_if_rx
                                   optional string, either true or false
           bfd_params : cpath_down optional string, either true or false
           bfd_params : check_tnl_key
                                   optional string, either true or false
         BFD Status:
           bfd_status : enabled    optional string, either true or false
           bfd_status : state      optional string, one of admin_down,
                                   down, init, or up
           bfd_status : forwarding optional string, either true or false
           bfd_status : diagnostic optional string
           bfd_status : remote_state
                                   optional string, one of admin_down,
                                   down, init, or up
           bfd_status : remote_diagnostic
                                   optional string
           bfd_status : info       optional string

   Details:
       local: Physical_Locator
              Tunnel end-point local to the physical switch.

       remote: Physical_Locator
              Tunnel end-point remote to the physical switch.

     Bidirectional Forwarding Detection (BFD):

       BFD, defined in RFC 5880, allows point to point detection of
       connectivity failures by occasional transmission of BFD control
       messages. VTEPs are expected to implement BFD.

       BFD operates by regularly transmitting BFD control messages at a rate
       negotiated independently in each direction. Each endpoint specifies
       the rate at which it expects to receive control messages, and the
       rate at which it is willing to transmit them. An endpoint which fails
       to receive BFD control messages for a period of three times the
       expected reception rate will signal a connectivity fault. In the
       case of a unidirectional connectivity issue, the system not
       receiving BFD control messages will signal the problem to its peer
       in the messages it transmits.

       A hardware VTEP is expected to use BFD to determine reachability of
       devices at the end of the tunnels with which it exchanges data. This
       can enable the VTEP to choose a functioning service node among a set
       of service nodes providing high availability. It also enables the
       NVC to report the health status of tunnels.

       In many cases the BFD peer of a hardware VTEP will be an Open vSwitch
       instance. The Open vSwitch implementation of BFD aims to comply
       faithfully with the requirements put forth in RFC 5880. Open vSwitch
       does not implement the optional Authentication or "Echo Mode"
       features.

     BFD Local Configuration:

       The HSC writes the key-value pairs in the bfd_config_local column to
       specify the local configurations to be used for BFD sessions on this
       tunnel.

       bfd_config_local : bfd_dst_mac: optional string
              Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to
              set the MAC expected as destination for received BFD packets.
              The default is 00:23:20:00:00:01.

       bfd_config_local : bfd_dst_ip: optional string
              Set to an IPv4 address to set the IP address that is expected
              as destination for received BFD packets. The default is
              169.254.1.0.

     BFD Remote Configuration:

       The bfd_config_remote column is the remote counterpart of the
       bfd_config_local column. The NVC writes the key-value pairs in this
       column.

       bfd_config_remote : bfd_dst_mac: optional string
              Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to
              set the destination MAC to be used for transmitted BFD
              packets. The default is 00:23:20:00:00:01.

       bfd_config_remote : bfd_dst_ip: optional string
              Set to an IPv4 address to set the IP address used as
              destination for transmitted BFD packets. The default is
              169.254.1.1.

     BFD Parameters:

       The NVC sets up key-value pairs in the bfd_params column to enable
       and configure BFD.

       bfd_params : enable: optional string, either true or false
              True to enable BFD on this Tunnel. If not specified, BFD will
              not be enabled by default.

       bfd_params : min_rx: optional string, containing an integer, at
       least 1
              The shortest interval, in milliseconds, at which this BFD
              session offers to receive BFD control messages. The remote
              endpoint may choose to send messages at a slower rate.
              Defaults to 1000.

       bfd_params : min_tx: optional string, containing an integer, at
       least 1
              The shortest interval, in milliseconds, at which this BFD
              session is willing to transmit BFD control messages. Messages
              will actually be transmitted at a slower rate if the remote
              endpoint is not willing to receive as quickly as specified.
              Defaults to 100.

       bfd_params : decay_min_rx: optional string, containing an integer
              An alternate receive interval, in milliseconds, that must be
              greater than or equal to bfd_params:min_rx. The
              implementation should switch from bfd_params:min_rx to
              bfd_params:decay_min_rx when there is no obvious incoming
              data traffic at the tunnel, to reduce the CPU and bandwidth
              cost of monitoring an idle tunnel. This feature may be
              disabled by setting a value of 0. This feature is reset
              whenever bfd_params:decay_min_rx or bfd_params:min_rx
              changes.

       bfd_params : forwarding_if_rx: optional string, either true or false
              When true, traffic received on the Tunnel is used to indicate
              the capability of packet I/O. BFD control packets are still
              transmitted and received. At least one BFD control packet
              must be received within every interval of 100 *
              bfd_params:min_rx. Otherwise, even if traffic is received,
              bfd_status:forwarding will be false.

       bfd_params : cpath_down: optional string, either true or false
              Set to true to notify the remote endpoint that traffic should
              not be forwarded to this system for some reason other than a
              connectivity failure on the interface being monitored. The
              typical underlying reason is "concatenated path down," that
              is, that connectivity beyond the local system is down.
              Defaults to false.

       bfd_params : check_tnl_key: optional string, either true or false
              Set to true to make BFD accept only control messages with a
              tunnel key of zero. By default, BFD accepts control messages
              with any tunnel key.

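       The interplay between min_rx, min_tx, decay_min_rx and the
       "three times the expected reception rate" fault rule is easier to
       see with numbers. The following Python is an added example, not
       Open vSwitch code: it reads the string-valued bfd_params of both
       ends of a tunnel with the defaults given above, derives the interval
       each side actually transmits at (the slower of its own min_tx and
       the peer's offered receive interval, as RFC 5880 negotiates it),
       the resulting detection time with the multiplier of 3 the page
       quotes, the effect of decay_min_rx on an idle tunnel, and the
       forwarding_if_rx rule that a control packet must arrive within
       100 * min_rx. The parameter sets are constructed.

```python
"""BFD timer arithmetic for a hardware_vtep Tunnel.

Added example, not Open vSwitch code. Interval negotiation follows RFC 5880
(transmit no faster than the peer's required receive interval; detection
time = multiplier * peer's transmit interval) with the multiplier of 3 the
page describes. Parameter sets below are constructed.
"""
DETECT_MULT = 3
DEFAULTS = {"min_rx": 1000, "min_tx": 100, "decay_min_rx": 0,
            "forwarding_if_rx": False, "enable": False}


def load_params(bfd_params: dict) -> dict:
    """Typed view of a bfd_params map, applying the page's defaults and limits."""
    p = dict(DEFAULTS)
    for key in ("min_rx", "min_tx", "decay_min_rx"):
        if key in bfd_params:
            p[key] = int(bfd_params[key])
    for key in ("enable", "forwarding_if_rx"):
        if key in bfd_params:
            p[key] = bfd_params[key] == "true"
    if p["min_rx"] < 1 or p["min_tx"] < 1:
        raise ValueError("min_rx and min_tx must be at least 1 ms")
    if p["decay_min_rx"] != 0 and p["decay_min_rx"] < p["min_rx"]:
        raise ValueError("decay_min_rx must be 0 (disabled) or >= min_rx")
    return p


def receive_interval(p: dict, tunnel_idle: bool) -> int:
    """Interval this side asks its peer to honour; decays when the tunnel is idle."""
    if tunnel_idle and p["decay_min_rx"] > 0:
        return p["decay_min_rx"]
    return p["min_rx"]


def transmit_interval(local: dict, remote: dict, remote_idle: bool = False) -> int:
    """This side sends no faster than it wants to, nor faster than the peer accepts."""
    return max(local["min_tx"], receive_interval(remote, remote_idle))


def detection_time(local: dict, remote: dict, local_idle: bool = False) -> int:
    """Milliseconds without control packets before the local side declares a fault:
    three times the interval at which the peer is actually sending to us."""
    return DETECT_MULT * transmit_interval(remote, local, local_idle)


def forwarding_if_rx_ok(p: dict, ms_since_last_control_packet: int) -> bool:
    """forwarding_if_rx rule: data traffic only counts while a control packet
    has arrived within the last 100 * min_rx milliseconds."""
    return ms_since_last_control_packet <= 100 * p["min_rx"]


def session_summary(local: dict, remote: dict) -> dict:
    """Everything an operator would want to know about one direction of a session."""
    return {
        "tx_interval_ms": transmit_interval(local, remote),
        "detection_time_ms": detection_time(local, remote),
        "detection_time_idle_ms": detection_time(local, remote, local_idle=True),
    }


# Constructed: a VTEP with defaults, and a peer that accepts faster control
# packets but decays to a slow interval on an idle tunnel.
VTEP = load_params({"enable": "true"})
PEER = load_params({"enable": "true", "min_rx": "300", "decay_min_rx": "2000"})


if __name__ == "__main__":
    print("vtep side:", session_summary(VTEP, PEER))
    print("peer side:", session_summary(PEER, VTEP))
```

       With these inputs the VTEP sends every 300 ms but, because it only
       offers to receive every 1000 ms, needs 3000 ms of silence before it
       declares the peer down; the peer detects a VTEP failure in 900 ms,
       stretching to 6000 ms once its decay interval kicks in.
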
     BFD Status:

       The VTEP sets key-value pairs in the bfd_status column to report the
       status of BFD on this tunnel. When BFD is not enabled via
       bfd_params:enable, the HSC clears all key-value pairs from
       bfd_status.

       bfd_status : enabled: optional string, either true or false
              Set to true if the BFD session has been successfully enabled.
              Set to false if the VTEP cannot support BFD or has
              insufficient resources to enable BFD on this tunnel. The NVC
              will disable the BFD monitoring on the other side of the
              tunnel once this value is set to false.

       bfd_status : state: optional string, one of admin_down, down, init,
       or up
              Reports the state of the BFD session. The BFD session is
              fully healthy and negotiated if up.

       bfd_status : forwarding: optional string, either true or false
              Reports whether the BFD session believes this Tunnel may be
              used to forward traffic. Typically this means the local
              session is signaling up, and the remote system is not
              signaling a problem such as concatenated path down.

       bfd_status : diagnostic: optional string
              A diagnostic code specifying the local system's reason for
              the last change in session state. The error messages are
              defined in section 4.1 of RFC 5880.

       bfd_status : remote_state: optional string, one of admin_down, down,
       init, or up
              Reports the state of the remote endpoint's BFD session.

       bfd_status : remote_diagnostic: optional string
              A diagnostic code specifying the remote system's reason for
              the last change in session state. The error messages are
              defined in section 4.1 of RFC 5880.

       bfd_status : info: optional string
              A short message providing further information about the BFD
              status (possibly including reasons why BFD could not be
              enabled).

Physical_Port TABLE
       A port within a Physical_Switch.

   Summary:
       vlan_bindings               map of integer-Logical_Switch pairs, key
                                   in range 0 to 4,095
       acl_bindings                map of integer-ACL pairs, key in range 0
                                   to 4,095
       vlan_stats                  map of integer-Logical_Binding_Stats
                                   pairs, key in range 0 to 4,095
       Identification:
         name                      string
         description               string
       Error Notification:
         port_fault_status : invalid_vlan_map
                                   none
         port_fault_status : invalid_ACL_binding
                                   none
         port_fault_status : unspecified_fault
                                   none
       Common Column:
         other_config              map of string-string pairs

   Details:
       vlan_bindings: map of integer-Logical_Switch pairs, key in range 0
       to 4,095
              Identifies how VLANs on the physical port are bound to
              logical switches. If, for example, the map contains a (VLAN,
              logical switch) pair, a packet that arrives on the port in
              the VLAN is considered to belong to the paired logical
              switch. A value of zero in the VLAN field means that untagged
              traffic on the physical port is mapped to the logical switch.

       acl_bindings: map of integer-ACL pairs, key in range 0 to 4,095
              Attach Access Control Lists (ACLs) to the physical port. The
              column consists of a map of VLAN tags to ACLs. If the value
              of the VLAN tag in the map is 0, this means that the ACL is
              associated with the entire physical port. Non-zero values
              mean that the ACL is to be applied only on packets carrying
              that VLAN tag value. Switches will not necessarily support
              matching on the VLAN tag for all ACLs, and unsupported ACL
              bindings will cause errors to be reported. The binding of an
              ACL to a specific VLAN and the binding of an ACL to the
              entire physical port should not be combined on a single
              physical port. That is, a mix of zero and non-zero keys in
              the map is not recommended.

       vlan_stats: map of integer-Logical_Binding_Stats pairs, key in range
       0 to 4,095
              Statistics for VLANs bound to logical switches on the
              physical port. An implementation that fully supports such
              statistics would populate this column with a mapping for
              every VLAN that is bound in vlan_bindings. An implementation
              that does not support such statistics or only partially
              supports them would not populate this column or partially
              populate it, respectively. A value of zero in the VLAN field
              refers to untagged traffic on the physical port.

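       The three maps above share a key space (VLAN 0 to 4,095, with 0
       meaning untagged traffic or the whole port) but carry different
       rules, so a misconfiguration is easy to miss by eye. The Python
       below is an added example, not Open vSwitch code: it validates a
       Physical_Port-like record against the constraints stated here (key
       range, the discouraged mix of port-wide and per-VLAN ACLs, and
       vlan_stats entries for VLANs that are not bound) and resolves which
       logical switch and which ACLs apply to an arriving frame. Logical
       switches and ACLs are represented by plain names rather than row
       references; the sample ports are constructed.

```python
"""Validate and apply Physical_Port VLAN and ACL bindings.

Added example, not Open vSwitch code. Models vlan_bindings, acl_bindings and
vlan_stats as Python dicts keyed by VLAN id; logical switch and ACL names
stand in for the database's row references. Sample ports are constructed.
"""
from typing import Optional

VLAN_MIN, VLAN_MAX = 0, 4095


def check_port(port: dict) -> list:
    """Return the list of problems found in one Physical_Port-like record."""
    problems = []
    name = port["name"]
    # All three maps are keyed by VLAN id in the documented range.
    for column in ("vlan_bindings", "acl_bindings", "vlan_stats"):
        for key in port.get(column, {}):
            if not (VLAN_MIN <= key <= VLAN_MAX):
                problems.append(f"{name}: {column} key {key} outside 0..4095")
    # Key 0 binds an ACL to the whole port; mixing it with per-VLAN ACLs is
    # explicitly not recommended by the schema.
    acl_keys = set(port.get("acl_bindings", {}))
    if 0 in acl_keys and acl_keys - {0}:
        problems.append(f"{name}: acl_bindings mixes a port-wide ACL (key 0) "
                        "with per-VLAN ACLs")
    # vlan_stats should only describe VLANs that are actually bound.
    bound = port.get("vlan_bindings", {})
    for key in port.get("vlan_stats", {}):
        if key not in bound:
            problems.append(f"{name}: vlan_stats key {key} has no vlan_bindings entry")
    return problems


def logical_switch_for(port: dict, vlan: Optional[int]) -> Optional[str]:
    """Logical switch a frame belongs to. `vlan` is the frame's 802.1Q tag,
    or None for an untagged frame, which maps to key 0. None if unbound."""
    key = 0 if vlan is None else vlan
    return port.get("vlan_bindings", {}).get(key)


def acls_for(port: dict, vlan: Optional[int]) -> list:
    """ACLs applying to a frame: the port-wide ACL (key 0) and, for a tagged
    frame, the ACL bound to its VLAN."""
    acl = port.get("acl_bindings", {})
    applicable = []
    if 0 in acl:
        applicable.append(acl[0])
    if vlan is not None and vlan != 0 and vlan in acl:
        applicable.append(acl[vlan])
    return applicable


# Constructed ports: the first is well formed, the second violates every
# rule the checker knows about.
SAMPLE_PORTS = [
    {"name": "eth1/1",
     "vlan_bindings": {0: "ls-mgmt", 100: "ls-tenant-a", 200: "ls-tenant-b"},
     "acl_bindings": {0: "acl-baseline"},
     "vlan_stats": {100: "stats-row-1"}},
    {"name": "eth1/2",
     "vlan_bindings": {5000: "ls-bogus"},
     "acl_bindings": {0: "acl-baseline", 100: "acl-tenant-a"},
     "vlan_stats": {100: "stats-row-2"}},
]


def check_all(ports=SAMPLE_PORTS) -> dict:
    """Map each port name to its list of problems."""
    return {p["name"]: check_port(p) for p in ports}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "->", problems or "ok")
    print("untagged on eth1/1 ->", logical_switch_for(SAMPLE_PORTS[0], None))
```

       Note that a frame in a VLAN with no binding resolves to None rather
       than falling back to the untagged (key 0) logical switch; the schema
       only says that key 0 covers untagged traffic.
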
     Identification:

       name: string
              Symbolic name for the port. The name ought to be unique
              within a given Physical_Switch, but the database is not
              capable of enforcing this.

       description: string
              An extended description for the port.

     Error Notification:

       An entry in this column indicates to the NVC that the physical port
       has encountered a fault. The switch must clear this column when the
       error has been cleared.

       port_fault_status : invalid_vlan_map: none
              Indicates that a VLAN-to-logical-switch mapping requested by
              the controller could not be instantiated by the switch
              because of a conflict with local configuration.

       port_fault_status : invalid_ACL_binding: none
              Indicates that an error has occurred in associating an ACL
              with a port.

       port_fault_status : unspecified_fault: none
              Indicates that an error has occurred on the port but that no
              more specific information is available.

     Common Column:

       The overall purpose of this column is described under Common Column
       at the beginning of this document.

       other_config: map of string-string pairs

Logical_Binding_Stats TABLE
       Reports statistics for the Logical_Switch with which a VLAN on a
       Physical_Port is associated.

   Summary:
       Statistics:
         packets_from_local        integer
         bytes_from_local          integer
         packets_to_local          integer
         bytes_to_local            integer

   Details:
     Statistics:

       These statistics count only packets to which the binding applies.

       packets_from_local: integer
              Number of packets sent by the Physical_Switch.

       bytes_from_local: integer
              Number of bytes in packets sent by the Physical_Switch.

       packets_to_local: integer
              Number of packets received by the Physical_Switch.

       bytes_to_local: integer
              Number of bytes in packets received by the Physical_Switch.

Logical_Switch TABLE
       A logical Ethernet switch, whose implementation may span physical and
       virtual media, possibly crossing L3 domains via tunnels; a logical
       layer-2 domain; an Ethernet broadcast domain.

   Summary:
       Per Logical-Switch Tunnel Key:
         tunnel_key                optional integer
       Replication Mode:
         replication_mode          optional string, either service_node or
                                   source_node
       Identification:
         name                      string (must be unique within table)
         description               string
       Common Column:
         other_config              map of string-string pairs

   Details:
     Per Logical-Switch Tunnel Key:

       Tunnel protocols tend to have a field that allows the tunnel to be
       partitioned into sub-tunnels: VXLAN has a VNI, GRE and STT have a
       key, CAPWAP has a WSI, and so on. We call these generically "tunnel
       keys." Given that one needs to use a tunnel key at all, there are at
       least two reasonable ways to assign their values:

              •      Per Logical_Switch+Physical_Locator pair. That is,
                     each logical switch may be assigned a different tunnel
                     key on every Physical_Locator. This model is
                     especially flexible.

                     In this model, Physical_Locator carries the tunnel
                     key. Therefore, one Physical_Locator record will exist
                     for each logical switch carried at a given IP
                     destination.

              •      Per Logical_Switch. That is, every tunnel associated
                     with a particular logical switch carries the same
                     tunnel key, regardless of the Physical_Locator to
                     which the tunnel is addressed. This model may ease
                     switch implementation because it imposes fewer
                     requirements on the hardware datapath.

                     In this model, Logical_Switch carries the tunnel key.
                     Therefore, one Physical_Locator record will exist for
                     each IP destination.

       tunnel_key: optional integer
              This column is used only in the tunnel key per
              Logical_Switch model (see above), because only in that model
              is there a tunnel key associated with a logical switch.

              For vxlan_over_ipv4 encapsulation, when the tunnel key per
              Logical_Switch model is in use, this column is the VXLAN VNI
              that identifies a logical switch. It must be in the range 0
              to 16,777,215.

     Replication Mode:

       For handling L2 broadcast, multicast and unknown unicast traffic,
       packets can be sent to all members of a logical switch referenced by
       a physical switch. There are different modes to replicate the
       packets. The default mode of replication is to send the traffic to a
       service node, which can be a hypervisor, server or appliance, and
       let the service node handle replication to other transport nodes
       (hypervisors or other VTEP physical switches). This mode is called
       service node replication. An alternate mode of replication, called
       source node replication, involves the source node sending to all
       other transport nodes. Hypervisors are always responsible for doing
       their own replication for locally attached VMs in both modes.
       Service node replication mode is the default and considered a basic
       requirement because it only requires sending the packet to a single
       transport node.

       replication_mode: optional string, either service_node or source_node
              This optional column defines the replication mode per
              Logical_Switch. There are two valid values, service_node and
              source_node. If the column is not set, the replication mode
              defaults to service_node.

     Identification:

       name: string (must be unique within table)
              Symbolic name for the logical switch.

       description: string
              An extended description for the logical switch, such as its
              switch login banner.

     Common Column:

       The overall purpose of this column is described under Common Column
       at the beginning of this document.

       other_config: map of string-string pairs

Ucast_Macs_Local TABLE
       Mapping of unicast MAC addresses to tunnels (physical locators). This
       table is written by the HSC, so it contains the MAC addresses that
       have been learned on physical ports by a VTEP.

   Summary:
       MAC                         string
       logical_switch              Logical_Switch
       locator                     Physical_Locator
       ipaddr                      string

   Details:
       MAC: string
              A MAC address that has been learned by the VTEP.

       logical_switch: Logical_Switch
              The logical switch to which this mapping applies.

       locator: Physical_Locator
              The physical locator to be used to reach this MAC address. In
              this table, the physical locator will be one of the tunnel IP
              addresses of the appropriate VTEP.

       ipaddr: string
              The IP address to which this MAC corresponds. Optional field
              for the purpose of ARP suppression.

Ucast_Macs_Remote TABLE
       Mapping of unicast MAC addresses to tunnels (physical locators). This
       table is written by the NVC, so it contains the MAC addresses that
       the NVC has learned. These include VM MAC addresses, in which case
       the physical locators will be hypervisor IP addresses. The NVC will
       also report MACs that it has learned from other HSCs in the network,
       in which case the physical locators will be tunnel IP addresses of
       the corresponding VTEPs.

   Summary:
       MAC                           string
       logical_switch                Logical_Switch
       locator                       Physical_Locator
       ipaddr                        string

   Details:
       MAC: string
              A MAC address that has been learned by the NVC.

       logical_switch: Logical_Switch
              The logical switch to which this mapping applies.

       locator: Physical_Locator
              The physical locator to be used to reach this MAC address. In
              this table, the physical locator will be either a hypervisor
              IP address or a tunnel IP address of another VTEP.

       ipaddr: string
              The IP address to which this MAC corresponds. Optional field
              for the purpose of ARP suppression.

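
       The following is an added example, not part of vtep(5) or of the Open
       vSwitch code base. It builds the OVSDB JSON-RPC "transact" request an
       NVC would send to an HSC to populate Ucast_Macs_Remote, and the
       unknown-dst row of Mcast_Macs_Remote with its Physical_Locator_Set,
       together with the Physical_Locator rows they reference. The wire
       format is that of RFC 7047 (insert operations, uuid-name/named-uuid
       for references within one transaction, ["uuid", ...] for existing rows
       and ["set", [...]] for set-valued columns). Assumptions: the
       Logical_Switch row's UUID is already known (LS_UUID is a constructed
       placeholder), and sending the JSON over the OVSDB connection is left
       to the caller.

```python
"""Build OVSDB "transact" requests for the hardware_vtep remote MAC tables.

Added example, not Open vSwitch code. LS_UUID is a constructed placeholder
for a Logical_Switch row UUID the caller has already looked up."""
import json
import re

DB = "hardware_vtep"
LS_UUID = "6f1b3c1e-0000-4000-8000-000000000001"   # constructed placeholder
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
VNI_MAX = 16777215                                  # 24-bit VXLAN VNI


def mac_ok(mac):
    return bool(MAC_RE.match(mac.lower()))


def locator_insert(dst_ip, uuid_name, tunnel_key=None):
    """Physical_Locator row. tunnel_key is only set in the key-per-tunnel
    model and must then be a valid VNI; in the key-per-Logical_Switch model
    it stays empty."""
    row = {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": dst_ip}
    if tunnel_key is not None:
        if not 0 <= tunnel_key <= VNI_MAX:
            raise ValueError("VNI out of range: %r" % tunnel_key)
        row["tunnel_key"] = tunnel_key
    return {"op": "insert", "table": "Physical_Locator", "row": row,
            "uuid-name": uuid_name}


def ucast_remote_transact(ls_uuid, entries, req_id=0):
    """entries: iterable of (mac, tunnel_ip, ipaddr_or_None). Emits one
    Physical_Locator per distinct tunnel IP and one Ucast_Macs_Remote row
    per MAC that points at it through a named-uuid."""
    ops, loc_names = [], {}
    for mac, tunnel_ip, ipaddr in entries:
        if not mac_ok(mac):
            raise ValueError("bad MAC: %r" % mac)
        if tunnel_ip not in loc_names:
            loc_names[tunnel_ip] = "loc%d" % len(loc_names)
            ops.append(locator_insert(tunnel_ip, loc_names[tunnel_ip]))
        row = {"MAC": mac.lower(),
               "logical_switch": ["uuid", ls_uuid],
               "locator": ["named-uuid", loc_names[tunnel_ip]]}
        if ipaddr:              # optional; lets the HSC answer ARP locally
            row["ipaddr"] = ipaddr
        ops.append({"op": "insert", "table": "Ucast_Macs_Remote", "row": row})
    return {"method": "transact", "params": [DB] + ops, "id": req_id}


def unknown_dst_transact(ls_uuid, tunnel_ips, req_id=1):
    """Mcast_Macs_Remote row keyed by the special MAC "unknown-dst", whose
    locator_set (a Physical_Locator_Set row) lists every endpoint that BUM
    traffic for the logical switch is sent to."""
    ops = [locator_insert(ip, "loc%d" % i) for i, ip in enumerate(tunnel_ips)]
    members = [["named-uuid", op["uuid-name"]] for op in ops]
    ops.append({"op": "insert", "table": "Physical_Locator_Set",
                "row": {"locators": ["set", members]}, "uuid-name": "locset0"})
    ops.append({"op": "insert", "table": "Mcast_Macs_Remote",
                "row": {"MAC": "unknown-dst",
                        "logical_switch": ["uuid", ls_uuid],
                        "locator_set": ["named-uuid", "locset0"]}})
    return {"method": "transact", "params": [DB] + ops, "id": req_id}


def to_wire(request):
    """Compact JSON as it would be written to the OVSDB socket."""
    return json.dumps(request, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    print(to_wire(ucast_remote_transact(LS_UUID, [
        ("AA:BB:CC:DD:EE:01", "10.1.1.2", "192.0.2.10"),
        ("aa:bb:cc:dd:ee:02", "10.1.1.2", None)])))
    print(to_wire(unknown_dst_transact(LS_UUID, ["10.1.1.2", "10.1.1.3"])))
```

       A real NVC would first select any Physical_Locator that already
       exists for the same dst_ip and reference it with ["uuid", ...] instead
       of inserting a second one; the example always inserts to keep the
       request self-contained.
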
Mcast_Macs_Local TABLE
       Mapping of multicast MAC addresses to tunnels (physical locators).
       This table is written by the HSC, so it contains the MAC addresses
       that have been learned on physical ports by a VTEP. These may be
       learned by IGMP snooping, for example. This table also specifies how
       to handle unknown unicast and broadcast packets.

   Summary:
       MAC                           string
       logical_switch                Logical_Switch
       locator_set                   Physical_Locator_Set
       ipaddr                        string

   Details:
       MAC: string
              A MAC address that has been learned by the VTEP.

              The keyword unknown-dst is used as a special ``Ethernet
              address'' that indicates the locations to which packets in a
              logical switch whose destination addresses do not otherwise
              appear in Ucast_Macs_Local (for unicast addresses) or
              Mcast_Macs_Local (for multicast addresses) should be sent.

       logical_switch: Logical_Switch
              The logical switch to which this mapping applies.

       locator_set: Physical_Locator_Set
              The physical locator set to be used to reach this MAC address.
              In this table, the physical locator set will contain one or
              more tunnel IP addresses of the appropriate VTEP(s).

       ipaddr: string
              The IP address to which this MAC corresponds. Optional field
              for the purpose of ARP suppression.

Mcast_Macs_Remote TABLE
       Mapping of multicast MAC addresses to tunnels (physical locators).
       This table is written by the NVC, so it contains the MAC addresses
       that the NVC has learned. This table also specifies how to handle
       unknown unicast and broadcast packets.

       Multicast packet replication may be handled by a service node, in
       which case the physical locators will be IP addresses of service
       nodes. If the VTEP supports replication onto multiple tunnels, using
       source node replication, then this may be used to replicate directly
       onto VTEP-hypervisor or VTEP-VTEP tunnels.

   Summary:
       MAC                           string
       logical_switch                Logical_Switch
       locator_set                   Physical_Locator_Set
       ipaddr                        string

   Details:
       MAC: string
              A MAC address that has been learned by the NVC.

              The keyword unknown-dst is used as a special ``Ethernet
              address'' that indicates the locations to which packets in a
              logical switch whose destination addresses do not otherwise
              appear in Ucast_Macs_Remote (for unicast addresses) or
              Mcast_Macs_Remote (for multicast addresses) should be sent.

       logical_switch: Logical_Switch
              The logical switch to which this mapping applies.

       locator_set: Physical_Locator_Set
              The physical locator set to be used to reach this MAC address.
              In this table, the physical locator set will be either a set
              of service nodes, when service node replication is used, or
              the set of transport nodes (defined as hypervisors or VTEPs)
              participating in the associated logical switch, when source
              node replication is used. When service node replication is
              used, the VTEP should send packets to one member of the
              locator set that is known to be healthy and reachable, which
              could be determined by BFD. When source node replication is
              used, the VTEP should send packets to all members of the
              locator set.

       ipaddr: string
              The IP address to which this MAC corresponds. Optional field
              for the purpose of ARP suppression.

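
       The following is an added example, not Open vSwitch code, that walks
       the forwarding decision described above and in the Logical_Switch
       replication_mode column: a known unicast destination goes to its
       single Ucast_Macs_Remote locator; broadcast, multicast and unknown
       unicast use the matching Mcast_Macs_Remote row, falling back to the
       unknown-dst row, and the resulting locator set is then either handed
       to one healthy service node (service_node mode, the default) or
       replicated onto every member (source_node mode). OVSDB rows are
       modelled as dicts with tunnel IP strings as locators, and BFD_UP is a
       constructed health map standing in for whatever the VTEP uses to
       judge reachability; the page only says this "could be determined by
       BFD".

```python
"""Pick the tunnel endpoints a VTEP sends a frame to, per hardware_vtep
replication semantics. Added example; rows and BFD state are constructed."""

# Constructed sample rows (names instead of UUIDs for readability).
LS_BLUE = {"name": "ls-blue"}                          # replication_mode unset
LS_BLUE_SRC = {"name": "ls-blue", "replication_mode": "source_node"}

UCAST_REMOTE = [
    {"logical_switch": "ls-blue", "MAC": "aa:bb:cc:00:00:01", "locator": "10.0.0.21"},
    {"logical_switch": "ls-blue", "MAC": "aa:bb:cc:00:00:02", "locator": "10.0.0.22"},
]
MCAST_REMOTE = [
    # A group the NVC knows the interested transport nodes for.
    {"logical_switch": "ls-blue", "MAC": "01:00:5e:00:00:fb",
     "locator_set": ["10.0.0.21", "10.0.0.23"]},
    # Everything else: service nodes here; under source_node replication
    # the NVC would list every transport node in the logical switch instead.
    {"logical_switch": "ls-blue", "MAC": "unknown-dst",
     "locator_set": ["10.0.0.101", "10.0.0.102"]},
]
# Constructed BFD session state per locator; missing means "unknown/down".
BFD_UP = {"10.0.0.101": False, "10.0.0.102": True,
          "10.0.0.21": True, "10.0.0.23": True}


def is_multicast(mac):
    """Group bit (LSB of the first octet) set; broadcast is a special case."""
    return int(mac.split(":")[0], 16) & 1 == 1


def locator_set_for(mcast_rows, ls_name, mac):
    """Exact Mcast_Macs_Remote match first, then the unknown-dst row."""
    rows = {(r["logical_switch"], r["MAC"]): r["locator_set"] for r in mcast_rows}
    if (ls_name, mac) in rows:
        return list(rows[(ls_name, mac)])
    return list(rows.get((ls_name, "unknown-dst"), []))


def remote_targets(ls_row, ucast_rows, mcast_rows, dst_mac, bfd_up):
    """Tunnel endpoints this VTEP encapsulates the frame to; [] means there
    is no known path and the frame is dropped."""
    ls_name, mac = ls_row["name"], dst_mac.lower()
    if not is_multicast(mac):
        for r in ucast_rows:
            if r["logical_switch"] == ls_name and r["MAC"] == mac:
                return [r["locator"]]        # known unicast: exactly one tunnel
    members = locator_set_for(mcast_rows, ls_name, mac)
    mode = ls_row.get("replication_mode") or "service_node"   # schema default
    if mode == "source_node":
        return sorted(members)               # VTEP replicates onto every tunnel
    if mode != "service_node":
        raise ValueError("unknown replication_mode %r" % mode)
    # service_node: a single copy to one healthy, reachable service node.
    # Lowest healthy address keeps the choice deterministic; a real VTEP may
    # hash or round-robin. With no healthy member there is nowhere to send;
    # the page leaves that case to the implementation.
    healthy = sorted(m for m in members if bfd_up.get(m, False))
    return healthy[:1]


if __name__ == "__main__":
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:99",
                "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb"):
        print(mac,
              remote_targets(LS_BLUE, UCAST_REMOTE, MCAST_REMOTE, mac, BFD_UP),
              remote_targets(LS_BLUE_SRC, UCAST_REMOTE, MCAST_REMOTE, mac, BFD_UP))
```

       Note the asymmetry the page describes: in service_node mode a VTEP
       never fans out itself, so a service node that is up but has lost its
       own connectivity silently blackholes BUM traffic for every VTEP that
       picked it; health checking the members is what makes the mode safe.
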
Logical_Router TABLE
       A logical router, or VRF. A logical router may be connected to one or
       more logical switches. Subnet addresses and interface addresses may
       be configured on the interfaces.

   Summary:
       switch_binding                map of string-Logical_Switch pairs
       static_routes                 map of string-string pairs
       acl_binding                   map of string-ACL pairs
       Identification:
         name                        string (must be unique within table)
         description                 string
       Error Notification:
         LR_fault_status : invalid_ACL_binding
                                     none
         LR_fault_status : unspecified_fault
                                     none
       Common Column:
         other_config                map of string-string pairs

   Details:
       switch_binding: map of string-Logical_Switch pairs
              Maps from an IPv4 or IPv6 address prefix in CIDR notation to a
              logical switch. Multiple prefixes may map to the same switch.
              By writing a 32-bit (or 128-bit for v6) address with a /N
              prefix length, both the router's interface address and the
              subnet prefix can be configured. For example, 192.68.1.1/24
              creates a /24 subnet for the logical switch attached to the
              interface and assigns the address 192.68.1.1 to the router
              interface.

       static_routes: map of string-string pairs
              One or more static routes, mapping IP prefixes to next hop IP
              addresses.

       acl_binding: map of string-ACL pairs
              Maps ACLs to logical router interfaces. The router interfaces
              are indicated using IP address notation, and must be the same
              interfaces created in the switch_binding column. For example,
              an ACL could be associated with the logical router interface
              with an address of 192.68.1.1 as defined in the example above.

   Identification:

       name: string (must be unique within table)
              Symbolic name for the logical router.

       description: string
              An extended description for the logical router.

   Error Notification:

       An entry in this column indicates to the NVC that the HSC has
       encountered a fault in configuring state related to the logical
       router.

       LR_fault_status : invalid_ACL_binding: none
              Indicates that an error has occurred in associating an ACL
              with a logical router port.

       LR_fault_status : unspecified_fault: none
              Indicates that an error has occurred in configuring the
              logical router but that no more specific information is
              available.

   Common Column:

       The overall purpose of this column is described under Common Column
       at the beginning of this document.

       other_config: map of string-string pairs
Arp_Sources_Local TABLE
       MAC address to be used when a VTEP issues ARP requests on behalf of a
       logical router.

       A distributed logical router is implemented by a set of VTEPs (both
       hardware VTEPs and vswitches). In order for a given VTEP to populate
       the local ARP cache for a logical router, it issues ARP requests with
       a source MAC address that is unique to the VTEP. A single per-VTEP
       MAC can be re-used across all logical networks. This table contains
       the MACs that are used by the VTEPs of a given HSC. The table
       provides the mapping from MAC to physical locator for each VTEP so
       that replies to the ARP requests can be sent back to the correct VTEP
       using the appropriate physical locator.

   Summary:
       src_mac                       string
       locator                       Physical_Locator

   Details:
       src_mac: string
              The source MAC to be used by a given VTEP.

       locator: Physical_Locator
              The Physical_Locator to use for replies to ARP requests from
              this MAC address.

Arp_Sources_Remote TABLE
       MAC address to be used when a remote VTEP issues ARP requests on
       behalf of a logical router.

       This table is the remote counterpart of Arp_Sources_Local. The NVC
       writes this table to notify the HSC of the MACs that will be used by
       remote VTEPs when they issue ARP requests on behalf of a distributed
       logical router.

   Summary:
       src_mac                       string
       locator                       Physical_Locator

   Details:
       src_mac: string
              The source MAC to be used by a given VTEP.

       locator: Physical_Locator
              The Physical_Locator to use for replies to ARP requests from
              this MAC address.

Physical_Locator_Set TABLE
       A set of one or more Physical_Locators.

       This table exists only because OVSDB does not have a way to express
       the type ``map from string to one or more Physical_Locator records.''

   Summary:
       locators                      immutable set of 1 or more
                                     Physical_Locators

   Details:
       locators: immutable set of 1 or more Physical_Locators

Physical_Locator TABLE
       Identifies an endpoint to which logical switch traffic may be
       encapsulated and forwarded.

       The vxlan_over_ipv4 encapsulation, the only encapsulation defined so
       far, can use either tunnel key model described in the ``Per
       Logical-Switch Tunnel Key'' section in the Logical_Switch table. When
       the tunnel key per Logical_Switch model is in use, the tunnel_key
       column in the Logical_Switch table is filled with a VNI and the
       tunnel_key column in this table is empty; in the key-per-tunnel
       model, the opposite is true. The former model is older, and thus
       likely to be more widely supported. See the ``Per Logical-Switch
       Tunnel Key'' section in the Logical_Switch table for further
       discussion of the model.

   Summary:
       encapsulation_type            immutable string, must be
                                     vxlan_over_ipv4
       dst_ip                        immutable string
       tunnel_key                    optional integer

   Details:
       encapsulation_type: immutable string, must be vxlan_over_ipv4
              The type of tunneling encapsulation.

       dst_ip: immutable string
              For vxlan_over_ipv4 encapsulation, the IPv4 address of the
              VXLAN tunnel endpoint.

              We expect that this column could be used for IPv4 or IPv6
              addresses in encapsulations to be introduced later.

       tunnel_key: optional integer
              This column is used only in the tunnel key per
              Logical_Switch+Physical_Locator model (the key-per-tunnel
              model described above).

              For vxlan_over_ipv4 encapsulation, when the
              Logical_Switch+Physical_Locator model is in use, this column
              is the VXLAN VNI. It must be in the range 0 to 16,777,215.

ACL_entry TABLE
       Describes the individual entries that comprise an Access Control
       List.

       Each entry in the table is a single rule to match on certain header
       fields. While there are a large number of fields that can be matched
       on, most hardware cannot match on arbitrary combinations of fields.
       It is common to match on either L2 fields (described below in the L2
       group of columns) or L3/L4 fields (the L3/L4 group of columns) but
       not both. The hardware switch controller may log an error if an ACL
       entry requires it to match on an incompatible mixture of fields.

   Summary:
       sequence                      integer
       L2 fields:
         source_mac                  optional string
         dest_mac                    optional string
         ethertype                   optional string
       L3/L4 fields:
         source_ip                   optional string
         source_mask                 optional string
         dest_ip                     optional string
         dest_mask                   optional string
         protocol                    optional integer
         source_port_min             optional integer
         source_port_max             optional integer
         dest_port_min               optional integer
         dest_port_max               optional integer
         tcp_flags                   optional integer
         tcp_flags_mask              optional integer
         icmp_type                   optional integer
         icmp_code                   optional integer
       direction                     string, either egress or ingress
       action                        string, either deny or permit
       Error Notification:
         acle_fault_status : invalid_acl_entry
                                     none
         acle_fault_status : unspecified_fault
                                     none

   Details:
       sequence: integer
              The sequence number for the ACL entry for the purpose of
              ordering entries in an ACL. Lower numbered entries are matched
              before higher numbered entries.

   L2 fields:

       source_mac: optional string
              Source MAC address, in the form xx:xx:xx:xx:xx:xx

       dest_mac: optional string
              Destination MAC address, in the form xx:xx:xx:xx:xx:xx

       ethertype: optional string
              Ethertype in hexadecimal, in the form 0xAAAA

   L3/L4 fields:

       source_ip: optional string
              Source IP address, in the form xx.xx.xx.xx for IPv4 or
              appropriate colon-separated hexadecimal notation for IPv6.

       source_mask: optional string
              Mask that determines which bits of source_ip to match on, in
              the form xx.xx.xx.xx for IPv4 or appropriate colon-separated
              hexadecimal notation for IPv6.

       dest_ip: optional string
              Destination IP address, in the form xx.xx.xx.xx for IPv4 or
              appropriate colon-separated hexadecimal notation for IPv6.

       dest_mask: optional string
              Mask that determines which bits of dest_ip to match on, in the
              form xx.xx.xx.xx for IPv4 or appropriate colon-separated
              hexadecimal notation for IPv6.

       protocol: optional integer
              Protocol number in the IPv4 header, or value of the "next
              header" field in the IPv6 header.

       source_port_min: optional integer
              Lower end of the range of source port values. The value
              specified is included in the range.

       source_port_max: optional integer
              Upper end of the range of source port values. The value
              specified is included in the range.

       dest_port_min: optional integer
              Lower end of the range of destination port values. The value
              specified is included in the range.

       dest_port_max: optional integer
              Upper end of the range of destination port values. The value
              specified is included in the range.

       tcp_flags: optional integer
              Integer representing the value of TCP flags to match. For
              example, the SYN flag is the second least significant bit in
              the TCP flags. Hence a value of 2 would indicate that the
              "SYN" flag should be set (assuming an appropriate mask).

       tcp_flags_mask: optional integer
              Integer representing the mask to apply when matching TCP
              flags. For example, a value of 2 would imply that the "SYN"
              flag should be matched and all other flags ignored. Note that
              such a rule also matches SYN-ACK segments, since they carry
              the SYN bit too; to match only connection-opening segments,
              include the ACK bit (value 16) in the mask and leave it clear
              in tcp_flags.

       icmp_type: optional integer
              ICMP type to be matched.

       icmp_code: optional integer
              ICMP code to be matched.

       direction: string, either egress or ingress
              Direction of traffic to match on the specified port, either
              "ingress" (toward the logical switch or router) or "egress"
              (leaving the logical switch or router).

       action: string, either deny or permit
              Action to take for this rule, either "permit" or "deny".

   Error Notification:

       An entry in this column indicates to the NVC that the ACL could not
       be configured as requested. The switch must clear this column when
       the error has been cleared.

       acle_fault_status : invalid_acl_entry: none
              Indicates that an ACL entry requested by the controller could
              not be instantiated by the switch, e.g. because it requires an
              unsupported combination of fields to be matched.

       acle_fault_status : unspecified_fault: none
              Indicates that an error has occurred in configuring the ACL
              entry but no more specific information is available.

ACL TABLE
       Access Control List table. Each ACL is constructed as a set of
       entries from the ACL_entry table. Packets that are not matched by any
       entry in the ACL are allowed by default.

   Summary:
       acl_entries                   set of 1 or more ACL_entrys
       acl_name                      string (must be unique within table)
       Error Notification:
         acl_fault_status : invalid_acl
                                     none
         acl_fault_status : resource_shortage
                                     none
         acl_fault_status : unspecified_fault
                                     none

   Details:
       acl_entries: set of 1 or more ACL_entrys
              A set of references to entries in the ACL_entry table.

       acl_name: string (must be unique within table)
              A human readable name for the ACL, which may (for example) be
              displayed on the switch CLI.

   Error Notification:

       An entry in this column indicates to the NVC that the ACL could not
       be configured as requested. The switch must clear this column when
       the error has been cleared.

       acl_fault_status : invalid_acl: none
              Indicates that an ACL requested by the controller could not be
              instantiated by the switch, e.g., because it requires an
              unsupported combination of fields to be matched.

       acl_fault_status : resource_shortage: none
              Indicates that an ACL requested by the controller could not be
              instantiated by the switch due to a shortage of resources
              (e.g. TCAM space).

       acl_fault_status : unspecified_fault: none
              Indicates that an error has occurred in configuring the ACL
              but no more specific information is available.

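
       The following is an added example, not Open vSwitch or vendor HSC
       code, covering the ACL_entry and ACL tables together. It validates
       ACL_entry rows before an HSC is asked to program them (the L2-versus-
       L3/L4 exclusivity check encodes the remark above that most hardware
       cannot mix the two groups; real limits vary by platform) and then
       evaluates an ACL against a packet with the semantics these tables
       describe: entries tried in ascending sequence, first match decides,
       inclusive port ranges, tcp_flags compared under tcp_flags_mask, and
       unmatched traffic permitted. The ACL, the deliberately bad entry and
       the packets are constructed; the 192.68.1.0/24 subnet is the one
       used in the Logical_Router example above.

```python
"""Validate hardware_vtep ACL_entry rows and evaluate an ACL against a
packet. Added example; ACL, BAD_ENTRY and packets are constructed."""
import ipaddress
import re

L2_FIELDS = ("source_mac", "dest_mac", "ethertype")
L34_FIELDS = ("source_ip", "source_mask", "dest_ip", "dest_mask", "protocol",
              "source_port_min", "source_port_max", "dest_port_min",
              "dest_port_max", "tcp_flags", "tcp_flags_mask",
              "icmp_type", "icmp_code")
IP_FIELDS = ("source_ip", "source_mask", "dest_ip", "dest_mask")
ETHERTYPE_RE = re.compile(r"^0x[0-9a-f]{4}$", re.I)
TCP_SYN, TCP_ACK = 0x02, 0x10   # SYN is bit 1 of the flags byte, as the page says

# Constructed sample ACL: the admin subnet may open SSH, everyone else is
# refused at the SYN, and LLDP may not leave. Unmatched traffic is permitted.
ACL = {"acl_name": "edge", "acl_entries": [
    {"sequence": 20, "direction": "ingress", "action": "deny", "protocol": 6,
     "dest_port_min": 22, "dest_port_max": 22,
     "tcp_flags": TCP_SYN, "tcp_flags_mask": TCP_SYN | TCP_ACK},  # SYN set, ACK clear
    {"sequence": 10, "direction": "ingress", "action": "permit", "protocol": 6,
     "source_ip": "192.68.1.0", "source_mask": "255.255.255.0",
     "dest_port_min": 22, "dest_port_max": 22},
    {"sequence": 30, "direction": "egress", "action": "deny", "ethertype": "0x88CC"},
]}
BAD_ENTRY = {"sequence": 40, "direction": "ingress", "action": "deny",
             "source_mac": "aa:bb:cc:dd:ee:ff", "protocol": 17}  # mixes groups


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def validate_entry(e):
    """Return the problems found; an empty list means the entry is acceptable."""
    p = []
    if not isinstance(e.get("sequence"), int):
        p.append("sequence must be an integer")
    if e.get("direction") not in ("ingress", "egress"):
        p.append("direction must be ingress or egress")
    if e.get("action") not in ("permit", "deny"):
        p.append("action must be permit or deny")
    if any(k in e for k in L2_FIELDS) and any(k in e for k in L34_FIELDS):
        p.append("mixes L2 and L3/L4 fields")
    if "ethertype" in e and not ETHERTYPE_RE.match(e["ethertype"]):
        p.append("ethertype must be 0xAAAA")
    p += ["%s is not an IP address" % k for k in IP_FIELDS if k in e and not _is_ip(e[k])]
    for lo, hi in (("source_port_min", "source_port_max"),
                   ("dest_port_min", "dest_port_max")):
        if any(k in e and not 0 <= e[k] <= 65535 for k in (lo, hi)):
            p.append("%s/%s out of range" % (lo, hi))
        if lo in e and hi in e and e[lo] > e[hi]:
            p.append("%s exceeds %s" % (lo, hi))
    if ("tcp_flags" in e) != ("tcp_flags_mask" in e):
        p.append("tcp_flags and tcp_flags_mask go together")
    elif "tcp_flags" in e and e["tcp_flags"] & ~e["tcp_flags_mask"]:
        p.append("tcp_flags sets bits outside tcp_flags_mask")
    return p


def _ip_match(pkt_ip, rule_ip, rule_mask):
    """Masked compare; an absent mask means every bit must match."""
    if pkt_ip is None:
        return False
    a, r = ipaddress.ip_address(pkt_ip), ipaddress.ip_address(rule_ip)
    if a.version != r.version:
        return False
    m = int(ipaddress.ip_address(rule_mask)) if rule_mask else (1 << a.max_prefixlen) - 1
    return (int(a) & m) == (int(r) & m)


def entry_matches(e, pkt):
    if e["direction"] != pkt["direction"]:
        return False
    if any(k in e and e[k].lower() != str(pkt.get(k, "")).lower() for k in L2_FIELDS):
        return False
    for side in ("source", "dest"):
        if side + "_ip" in e and not _ip_match(pkt.get(side + "_ip"), e[side + "_ip"],
                                                e.get(side + "_mask")):
            return False
        lo, hi, port = e.get(side + "_port_min"), e.get(side + "_port_max"), pkt.get(side + "_port")
        if (lo is not None or hi is not None) and port is None:
            return False                       # range rule against a portless packet
        if lo is not None and port < lo or hi is not None and port > hi:
            return False                       # bounds are inclusive
    if any(k in e and pkt.get(k) != e[k] for k in ("protocol", "icmp_type", "icmp_code")):
        return False
    if "tcp_flags" in e and (pkt.get("tcp_flags", 0) & e["tcp_flags_mask"]) != e["tcp_flags"]:
        return False
    return True


def evaluate(acl, pkt):
    """(action, matching sequence); ("permit", None) when nothing matched."""
    for e in sorted(acl["acl_entries"], key=lambda e: e["sequence"]):
        if entry_matches(e, pkt):
            return e["action"], e["sequence"]
    return "permit", None
```

       Two things the sample makes visible: the sequence numbers, not the
       order of the acl_entries set, decide precedence, and the deny at
       sequence 20 uses a mask of SYN|ACK so that it stops connection
       attempts without touching the SYN-ACK replies of sessions the admin
       subnet was permitted to open.
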

Open vSwitch 2.17.0               DB Schema 1.7.0                    vtep(5)