1ovs-vswitchd.conf.db(5) Open vSwitch Manual ovs-vswitchd.conf.db(5)
2
6 ovs-vswitchd.conf.db - Open_vSwitch database schema
7 A database with this schema holds the configuration for one Open
9 vSwitch daemon. The top-level configuration for the daemon is the
10 Open_vSwitch table, which must have exactly one record. Records in
11 other tables are significant only when they can be reached directly or
12 indirectly from the Open_vSwitch table. Records that are not reachable
13 from the Open_vSwitch table are automatically deleted from the data‐
14 base, except for records in a few distinguished ``root set’’ tables.
15 Common Columns
17 Most tables contain two special columns, named other_config and exter‐
18 nal_ids. These columns have the same form and purpose each place that
19 they appear, so we describe them here to save space later.
20 other_config: map of string-string pairs
22 Key-value pairs for configuring rarely used features.
23 Supported keys, along with the forms taken by their val‐
24 ues, are documented individually for each table.
25 A few tables do not have other_config columns because no
27 key-value pairs have yet been defined for them.
28 external_ids: map of string-string pairs
30 Key-value pairs for use by external frameworks that inte‐
31 grate with Open vSwitch, rather than by Open vSwitch it‐
32 self. System integrators should either use the Open
33 vSwitch development mailing list to coordinate on common
34 key-value definitions, or choose key names that are
35 likely to be unique. In some cases, where key-value pairs
36 have been defined that are likely to be widely useful,
37 they are documented individually for each table.
38
40 The following list summarizes the purpose of each of the tables in the
41 Open_vSwitch database. Each table is described in more detail on a
42 later page.
43 Table Purpose
45 Open_vSwitch
46 Open vSwitch configuration.
47 Bridge Bridge configuration.
48 Port Port configuration.
49 Interface One physical network device in a Port.
50 Flow_Table
51 OpenFlow table configuration
52 QoS Quality of Service configuration
53 Queue QoS output queue.
54 Mirror Port mirroring.
55 Controller
56 OpenFlow controller configuration.
57 Manager OVSDB management connection.
58 NetFlow NetFlow configuration.
59 Datapath Datapath configuration.
60 CT_Zone CT_Zone configuration.
61 CT_Timeout_Policy
62 CT_Timeout_Policy configuration.
63 SSL SSL configuration.
64 sFlow sFlow configuration.
65 IPFIX IPFIX configuration.
66 Flow_Sample_Collector_Set
67 Flow_Sample_Collector_Set configuration.
68 AutoAttach
69 AutoAttach configuration.
70
72 Configuration for an Open vSwitch daemon. There must be exactly one
73 record in the Open_vSwitch table.
74 Summary:
76 Configuration:
77 datapaths map of string-Datapath pairs
78 bridges set of Bridges
79 ssl optional SSL
80 external_ids : system-id optional string
81 external_ids : hostname optional string
82 external_ids : rundir optional string
83 other_config : stats-update-interval
84 optional string, containing an integer,
85 at least 5,000
86 other_config : flow-restore-wait
87 optional string, either true or false
88 other_config : flow-limit optional string, containing an integer,
89 at least 0
90 other_config : max-idle optional string, containing an integer,
91 at least 500
92 other_config : max-revalidator
93 optional string, containing an integer,
94 at least 100
95 other_config : min-revalidate-pps
96 optional string, containing an integer,
97 at least 1
98 other_config : offloaded-stats-delay
99 optional string, containing an integer,
100 at least 0
101 other_config : hw-offload optional string, either true or false
102 other_config : n-offload-threads
103 optional string, containing an integer,
104 in range 1 to 10
105 other_config : tc-policy optional string, one of none, skip_hw, or
106 skip_sw
107 other_config : dpdk-init optional string, one of false, true, or
108 try
109 other_config : dpdk-lcore-mask
110 optional string, containing an integer,
111 at least 1
112 other_config : pmd-cpu-mask
113 optional string
114 other_config : dpdk-alloc-mem
115 optional string, containing an integer,
116 at least 0
117 other_config : dpdk-socket-mem
118 optional string
119 other_config : dpdk-socket-limit
120 optional string
121 other_config : dpdk-hugepage-dir
122 optional string
123 other_config : dpdk-extra optional string
124 other_config : vhost-sock-dir
125 optional string
126 other_config : vhost-iommu-support
127 optional string, either true or false
128 other_config : vhost-postcopy-support
129 optional string, either true or false
130 other_config : per-port-memory
131 optional string, either true or false
132 other_config : shared-mempool-config
133 optional string
134 other_config : tx-flush-interval
135 optional string, containing an integer,
136 in range 0 to 1,000,000
137 other_config : pmd-perf-metrics
138 optional string, either true or false
139 other_config : smc-enable optional string, either true or false
140 other_config : pmd-rxq-assign
141 optional string, one of cycles, group, or
142 roundrobin
143 other_config : pmd-rxq-isolate
144 optional string, either true or false
145 other_config : n-handler-threads
146 optional string, containing an integer,
147 at least 1
148 other_config : n-revalidator-threads
149 optional string, containing an integer,
150 at least 1
151 other_config : emc-insert-inv-prob
152 optional string, containing an integer,
153 in range 0 to 4,294,967,295
154 other_config : vlan-limit optional string, containing an integer,
155 at least 0
156 other_config : bundle-idle-timeout
157 optional string, containing an integer,
158 at least 1
159 other_config : offload-rebalance
160 optional string, either true or false
161 other_config : pmd-auto-lb optional string, either true or false
162 other_config : pmd-auto-lb-rebal-interval
163 optional string, containing an integer,
164 in range 0 to 20,000
165 other_config : pmd-auto-lb-load-threshold
166 optional string, containing an integer,
167 in range 0 to 100
168 other_config : pmd-auto-lb-improvement-threshold
169 optional string, containing an integer,
170 in range 0 to 100
171 other_config : pmd-maxsleep
172 optional string, containing an integer,
173 in range 0 to 10,000
174 other_config : userspace-tso-enable
175 optional string, either true or false
176 Status:
177 next_cfg integer
178 cur_cfg integer
179 dpdk_initialized boolean
180 Statistics:
181 other_config : enable-statistics
182 optional string, either true or false
183 statistics : cpu optional string, containing an integer,
184 at least 1
185 statistics : load_average
186 optional string
187 statistics : memory optional string
188 statistics : process_NAME
189 optional string
190 statistics : file_systems
191 optional string
192 Version Reporting:
193 ovs_version optional string
194 db_version optional string
195 system_type optional string
196 system_version optional string
197 dpdk_version optional string
198 Capabilities:
199 datapath_types set of strings
200 iface_types set of strings
201 Database Configuration:
202 manager_options set of Managers
203 IPsec:
204 other_config : private_key optional string
205 other_config : certificate optional string
206 other_config : ca_cert optional string
207 Plaintext Tunnel Policy:
208 other_config : ipsec_skb_mark
209 optional string
210 Common Columns:
211 other_config map of string-string pairs
212 external_ids map of string-string pairs
213 Details:
215 Configuration:
216 datapaths: map of string-Datapath pairs
218 Map of datapath types to datapaths. The datapath_type column of
219 the Bridge table is used as a key for this map. The value points
220 to a row in the Datapath table.
221 bridges: set of Bridges
223 Set of bridges managed by the daemon.
224 ssl: optional SSL
226 SSL used globally by the daemon.
227 external_ids : system-id: optional string
229 A unique identifier for the Open vSwitch’s physical host. The
230 form of the identifier depends on the type of the host.
231 external_ids : hostname: optional string
233 The hostname for the host running Open vSwitch. This is a fully
234 qualified domain name since version 2.6.2.
235 external_ids : rundir: optional string
237 In Open vSwitch 2.8 and later, the run directory of the running
238 Open vSwitch daemon. This directory is used for runtime state
239 such as control and management sockets. The value of other_con‐
240 fig:vhost-sock-dir is relative to this directory.
241 other_config : stats-update-interval: optional string, containing an
243 integer, at least 5,000
244 Interval for updating statistics to the database, in millisec‐
245 onds. This option will affect the update of the statistics col‐
246 umn in the following tables: Port, Interface , Mirror.
247 Default value is 5000 ms.
249 Getting statistics more frequently can be achieved via OpenFlow.
251 other_config : flow-restore-wait: optional string, either true or false
253 When ovs-vswitchd starts up, it has an empty flow table and
254 therefore it handles all arriving packets in its default fashion
255 according to its configuration, by dropping them or sending them
256 to an OpenFlow controller or switching them as a standalone
257 switch. This behavior is ordinarily desirable. However, if
258 ovs-vswitchd is restarting as part of a ``hot-upgrade,’’ then
259 this leads to a relatively long period during which packets are
260 mishandled.
261 This option allows for improvement. When ovs-vswitchd starts
263 with this value set as true, it will neither flush or expire
264 previously set datapath flows nor will it send and receive any
265 packets to or from the datapath. When this value is later set to
266 false, ovs-vswitchd will start receiving packets from the data‐
267 path and re-setup the flows.
268 Additionally, ovs-vswitchd is prevented from connecting to con‐
270 trollers when this value is set to true. This prevents con‐
271 trollers from making changes to the flow table in the middle of
272 flow restoration, which could result in undesirable intermediate
273 states. Once this value has been set to false and the desired
274 flow state has been restored, ovs-vswitchd will be able to re‐
275 connect to controllers and process any new flow table modifica‐
276 tions.
277 Thus, with this option, the procedure for a hot-upgrade of
279 ovs-vswitchd becomes roughly the following:
280 1. Stop ovs-vswitchd.
282 2. Set other_config:flow-restore-wait to true.
284 3. Start ovs-vswitchd.
286 4. Use ovs-ofctl (or some other program, such as an OpenFlow
288 controller) to restore the OpenFlow flow table to the de‐
289 sired state.
290 5. Set other_config:flow-restore-wait to false (or remove it
292 entirely from the database).
293 The ovs-ctl’s ``restart’’ and ``force-reload-kmod’’ functions
295 use the above config option during hot upgrades.
296 other_config : flow-limit: optional string, containing an integer, at
298 least 0
299 The maximum number of flows allowed in the datapath flow table.
300 Internally OVS will choose a flow limit which will likely be
301 lower than this number, based on real time network conditions.
302 Tweaking this value is discouraged unless you know exactly what
303 you’re doing.
304 The default is 200000.
306 other_config : max-idle: optional string, containing an integer, at
308 least 500
309 The maximum time (in ms) that idle flows will remain cached in
310 the datapath. Internally OVS will check the validity and activ‐
311 ity for datapath flows regularly and may expire flows quicker
312 than this number, based on real time network conditions. Tweak‐
313 ing this value is discouraged unless you know exactly what
314 you’re doing.
315 The default is 10000.
317 other_config : max-revalidator: optional string, containing an integer,
319 at least 100
320 The maximum time (in ms) that revalidator threads will wait be‐
321 fore executing flow revalidation. Note that this is maximum al‐
322 lowed value. Actual timeout used by OVS is minimum of max-idle
323 and max-revalidator values. Tweaking this value is discouraged
324 unless you know exactly what you’re doing.
325 The default is 500.
327 other_config : min-revalidate-pps: optional string, containing an inte‐
329 ger, at least 1
330 Set minimum pps that flow must have in order to be revalidated
331 when revalidation duration exceeds half of max-revalidator con‐
332 fig variable.
333 The default is 5.
335 other_config : offloaded-stats-delay: optional string, containing an
337 integer, at least 0
338 Set worst case delay (in ms) it might take before statistics of
339 offloaded flows are updated. Offloaded flows younger than this
340 delay will always be revalidated regardless of other_config:min-
341 revalidate-pps.
342 The default is 2000.
344 other_config : hw-offload: optional string, either true or false
346 Set this value to true to enable netdev flow offload.
347 The default value is false. Changing this value requires
349 restarting the daemon
350 Currently Open vSwitch supports hardware offloading on Linux
352 systems. On other systems, this value is ignored. This function‐
353 ality is considered ’experimental’. Depending on which OpenFlow
354 matches and actions are configured, which kernel version is
355 used, and what hardware is available, Open vSwitch may not be
356 able to offload functionality to hardware.
357 In order to dump HW offloaded flows use ovs-appctl
359 dpctl/dump-flows, ovs-dpctl doesn’t support this functionality.
360 See ovs-vswitchd(8) for details.
361 other_config : n-offload-threads: optional string, containing an inte‐
363 ger, in range 1 to 10
364 Set this value to the number of threads created to manage hard‐
365 ware offloads.
366 The default value is 1. Changing this value requires restarting
368 the daemon.
369 This is only relevant for userspace datapath and only if
371 other_config:hw-offload is enabled.
372 other_config : tc-policy: optional string, one of none, skip_hw, or
374 skip_sw
375 Specified the policy used with HW offloading. Options:
376 none Add software rule and offload rule to HW.
378 skip_sw
380 Offload rule to HW only.
381 skip_hw
383 Add software rule without offloading rule to HW.
384 This is only relevant if other_config:hw-offload is enabled.
386 The default value is none.
388 other_config : dpdk-init: optional string, one of false, true, or try
390 Set this value to true or try to enable runtime support for DPDK
391 ports. The vswitch must have compile-time support for DPDK as
392 well.
393 A value of true will cause the ovs-vswitchd process to abort if
395 DPDK cannot be initialized. A value of try will allow the ovs-
396 vswitchd process to continue running even if DPDK cannot be ini‐
397 tialized.
398 The default value is false. Changing this value requires
400 restarting the daemon
401 If this value is false at startup, any dpdk ports which are con‐
403 figured in the bridge will fail due to memory errors.
404 other_config : dpdk-lcore-mask: optional string, containing an integer,
406 at least 1
407 Specifies the CPU cores where dpdk lcore threads should be
408 spawned. The DPDK lcore threads are used for DPDK library tasks,
409 such as library internal message processing, logging, etc. Value
410 should be in the form of a hex string (so ’0x123’) similar to
411 the ’taskset’ mask input.
412 The lowest order bit corresponds to the first CPU core. A set
414 bit means the corresponding core is available and an lcore
415 thread will be created and pinned to it. If the input does not
416 cover all cores, those uncovered cores are considered not set.
417 For performance reasons, it is best to set this to a single core
419 on the system, rather than allow lcore threads to float.
420 If not specified, the value will be determined by choosing the
422 lowest CPU core from initial cpu affinity list. Otherwise, the
423 value will be passed directly to the DPDK library.
424 other_config : pmd-cpu-mask: optional string
426 Specifies CPU mask for setting the cpu affinity of PMD (Poll
427 Mode Driver) threads. Value should be in the form of hex string,
428 similar to the dpdk EAL ’-c COREMASK’ option input or the
429 ’taskset’ mask input.
430 The lowest order bit corresponds to the first CPU core. A set
432 bit means the corresponding core is available and a pmd thread
433 will be created and pinned to it. If the input does not cover
434 all cores, those uncovered cores are considered not set.
435 If not specified, one pmd thread will be created for each numa
437 node and pinned to any available core on the numa node by de‐
438 fault.
439 other_config : dpdk-alloc-mem: optional string, containing an integer,
441 at least 0
442 Specifies the amount of memory to preallocate from the hugepage
443 pool, regardless of socket. It is recommended that dpdk-socket-
444 mem is used instead.
445 other_config : dpdk-socket-mem: optional string
447 Specifies the amount of memory to preallocate from the hugepage
448 pool, on a per-socket basis.
449 The specifier is a comma-separated string, in ascending order of
451 CPU socket. E.g. On a four socket system 1024,0,2048 would set
452 socket 0 to preallocate 1024MB, socket 1 to preallocate 0MB,
453 socket 2 to preallocate 2048MB and socket 3 (no value given) to
454 preallocate 0MB.
455 If other_config:dpdk-socket-mem and other_config:dpdk-alloc-mem
457 are not specified, neither will be used and there will be no de‐
458 fault value for each numa node. DPDK defaults will be used in‐
459 stead. If other_config:dpdk-socket-mem and other_config:dpdk-al‐
460 loc-mem are specified at the same time, other_config:dpdk-
461 socket-mem will be used as default. Changing this value requires
462 restarting the daemon.
463 other_config : dpdk-socket-limit: optional string
465 Limits the maximum amount of memory that can be used from the
466 hugepage pool, on a per-socket basis.
467 The specifier is a comma-separated list of memory limits per
469 socket. 0 will disable the limit for a particular socket.
470 If not specified, OVS will not configure limits by default.
472 Changing this value requires restarting the daemon.
473 other_config : dpdk-hugepage-dir: optional string
475 Specifies the path to the hugetlbfs mount point.
476 If not specified, this will be guessed by the DPDK library (de‐
478 fault is /dev/hugepages). Changing this value requires restart‐
479 ing the daemon.
480 other_config : dpdk-extra: optional string
482 Specifies additional eal command line arguments for DPDK.
483 The default is empty. Changing this value requires restarting
485 the daemon
486 other_config : vhost-sock-dir: optional string
488 Specifies a relative path from external_ids:rundir to the vhost-
489 user unix domain socket files. If this value is unset, the sock‐
490 ets are put directly in external_ids:rundir.
491 Changing this value requires restarting the daemon.
493 other_config : vhost-iommu-support: optional string, either true or
495 false
496 vHost IOMMU is a security feature, which restricts the vhost
497 memory that a virtio device may access. vHost IOMMU support is
498 disabled by default, due to a bug in QEMU implementations of the
499 vhost REPLY_ACK protocol, (on which vHost IOMMU relies) prior to
500 v2.9.1. Setting this value to true enables vHost IOMMU support
501 for vHost User Client ports in OvS-DPDK, starting from DPDK
502 v17.11.
503 Changing this value requires restarting the daemon.
505 other_config : vhost-postcopy-support: optional string, either true or
507 false
508 vHost post-copy is a feature which allows switching live migra‐
509 tion of VM attached to dpdkvhostuserclient port to post-copy
510 mode if default pre-copy migration can not be converged or takes
511 too long to converge. Setting this value to true enables vHost
512 post-copy support for all dpdkvhostuserclient ports. Available
513 starting from DPDK v18.11 and QEMU 2.12.
514 Changing this value requires restarting the daemon.
516 other_config : per-port-memory: optional string, either true or false
518 By default OVS DPDK uses a shared memory model wherein devices
519 that have the same MTU and socket values can share the same mem‐
520 pool. Setting this value to true changes this behaviour. Per
521 port memory allow DPDK devices to use private memory per device.
522 This can provide greater transparency as regards memory usage
523 but potentially at the cost of greater memory requirements.
524 Changing this value requires restarting the daemon if dpdk-init
526 has already been set to true.
527 other_config : shared-mempool-config: optional string
529 Specifies dpdk shared mempool config.
530 Value should be set in the following form:
532 other_config:shared-mempool-config=< user-shared-mem‐
534 pool-mtu-list>
535 where
537 • <user-shared-mempool-mtu-list> ::= NULL | <non-empty-
539 list>
540 • <non-empty-list> ::= <user-mtus> | <user-mtus> , <non-
542 empty-list>
543 • <user-mtus> ::= <mtu-all-socket> | <mtu-socket-pair>
545 • <mtu-all-socket> ::= <mtu>
547 • <mtu-socket-pair> ::= <mtu> : <socket-id>
549 Changing this value requires restarting the daemon if dpdk-init
551 has already been set to true.
552 other_config : tx-flush-interval: optional string, containing an inte‐
554 ger, in range 0 to 1,000,000
555 Specifies the time in microseconds that a packet can wait in
556 output batch for sending i.e. amount of time that packet can
557 spend in an intermediate output queue before sending to netdev.
558 This option can be used to configure balance between throughput
559 and latency. Lower values decreases latency while higher values
560 may be useful to achieve higher performance.
561 Defaults to 0 i.e. instant packet sending (latency optimized).
563 other_config : pmd-perf-metrics: optional string, either true or false
565 Enables recording of detailed PMD performance metrics for analy‐
566 sis and trouble-shooting. This can have a performance impact in
567 the order of 1%.
568 Defaults to false but can be changed at any time.
570 other_config : smc-enable: optional string, either true or false
572 Signature match cache or SMC is a cache between EMC and megaflow
573 cache. It does not store the full key of the flow, so it is more
574 memory efficient comparing to EMC cache. SMC is especially use‐
575 ful when flow count is larger than EMC capacity.
576 Defaults to false but can be changed at any time.
578 other_config : pmd-rxq-assign: optional string, one of cycles, group,
580 or roundrobin
581 Specifies how RX queues will be automatically assigned to CPU
582 cores. Options:
583 cycles Rxqs will be sorted by order of measured processing cy‐
585 cles before being assigned to CPU cores.
586 roundrobin
588 Rxqs will be round-robined across CPU cores.
589 group Rxqs will be sorted by order of measured processing cy‐
591 cles before being assigned to CPU cores with lowest esti‐
592 mated load.
593 The default value is cycles.
595 Changing this value will affect an automatic re-assignment of
597 Rxqs to CPUs. Note: Rxqs mapped to CPU cores with pmd-rxq-affin‐
598 ity are unaffected.
599 other_config : pmd-rxq-isolate: optional string, either true or false
601 Specifies if a CPU core will be isolated after being pinned with
602 an Rx queue.
603 Set this value to false to non-isolate a CPU core after it is
605 pinned with an Rxq using pmd-rxq-affinity. This will allow OVS
606 to assign other Rxqs to that CPU core.
607 The default value is true.
609 This can only be false when pmd-rxq-assign is set to group.
611 other_config : n-handler-threads: optional string, containing an inte‐
613 ger, at least 1
614 Attempts to specify the number of threads for software datapaths
615 to use for handling new flows. Some datapaths may choose to ig‐
616 nore this and it will be set to a sensible option for the data‐
617 path type.
618 This configuration is per datapath. If you have more than one
620 software datapath (e.g. some system bridges and some netdev
621 bridges), then the total number of threads is n-handler-threads
622 times the number of software datapaths.
623 other_config : n-revalidator-threads: optional string, containing an
625 integer, at least 1
626 Attempts to specify the number of threads for software datapaths
627 to use for revalidating flows in the datapath. Some datapaths
628 may choose to ignore this and will set to a sensible option for
629 the datapath type.
630 Typically, there is a direct correlation between the number of
632 revalidator threads, and the number of flows allowed in the
633 datapath. The default is the number of cpu cores divided by four
634 plus one. If n-handler-threads is set, the default changes to
635 the number of cpu cores minus the number of handler threads.
636 This configuration is per datapath. If you have more than one
638 software datapath (e.g. some system bridges and some netdev
639 bridges), then the total number of threads is n-handler-threads
640 times the number of software datapaths.
641 other_config : emc-insert-inv-prob: optional string, containing an in‐
643 teger, in range 0 to 4,294,967,295
644 Specifies the inverse probability (1/emc-insert-inv-prob) of a
645 flow being inserted into the Exact Match Cache (EMC). On average
646 one in every emc-insert-inv-prob packets that generate a unique
647 flow will cause an insertion into the EMC. A value of 1 will re‐
648 sult in an insertion for every flow (1/1 = 100%) whereas a value
649 of zero will result in no insertions and essentially disable the
650 EMC.
651 Defaults to 100 ie. there is (1/100 =) 1% chance of EMC inser‐
653 tion.
654 other_config : vlan-limit: optional string, containing an integer, at
656 least 0
657 Limits the number of VLAN headers that can be matched to the
658 specified number. Further VLAN headers will be treated as pay‐
659 load, e.g. a packet with more 802.1q headers will match Ethernet
660 type 0x8100.
661 Open vSwitch userspace currently supports at most 2 VLANs, and
663 each datapath has its own limit. If vlan-limit is nonzero, it
664 acts as a further limit.
665 If this value is absent, the default is currently 1. This main‐
667 tains backward compatibility with controllers that were designed
668 for use with Open vSwitch versions earlier than 2.8, which only
669 supported one VLAN.
670 other_config : bundle-idle-timeout: optional string, containing an in‐
672 teger, at least 1
673 The maximum time (in seconds) that idle bundles will wait to be
674 expired since it was either opened, modified or closed.
675 OpenFlow specification mandates the timeout to be at least one
677 second. The default is 10 seconds.
678 other_config : offload-rebalance: optional string, either true or false
680 Configures HW offload rebalancing, that allows to dynamically
681 offload and un-offload flows while an offload-device is out of
682 resources (OOR). This policy allows flows to be selected for of‐
683 floading based on the packets-per-second (pps) rate of flows.
684 Set this value to true to enable this option.
686 The default value is false. Changing this value requires
688 restarting the daemon.
689 This is only relevant if HW offloading is enabled (hw-offload).
691 When this policy is enabled, it also requires ’tc-policy’ to be
692 set to ’skip_sw’.
693 other_config : pmd-auto-lb: optional string, either true or false
695 Configures PMD Auto Load Balancing that allows automatic assign‐
696 ment of RX queues to PMDs if any of PMDs is overloaded (i.e. a
697 processing cycles > other_config:pmd-auto-lb-load-threshold).
698 It uses current scheme of cycle based assignment of RX queues
700 that are not statically pinned to PMDs.
701 The default value is false.
703 Set this value to true to enable this option. It is currently
705 disabled by default and an experimental feature.
706 This only comes in effect if cycle based assignment is enabled
708 and there are more than one non-isolated PMDs present and at
709 least one of it polls more than one queue.
710 other_config : pmd-auto-lb-rebal-interval: optional string, containing
712 an integer, in range 0 to 20,000
713 The minimum time (in minutes) 2 consecutive PMD Auto Load Bal‐
714 ancing iterations.
715 The default value is 1 min. If configured to 0 then it would be
717 converted to default value i.e. 1 min
718 This option can be configured to avoid frequent trigger of auto
720 load balancing of PMDs. For e.g. set the value (in min) such
721 that it occurs once in few hours or a day or a week.
722 other_config : pmd-auto-lb-load-threshold: optional string, containing
724 an integer, in range 0 to 100
725 Specifies the minimum PMD thread load threshold (% of used cy‐
726 cles) of any non-isolated PMD threads when a PMD Auto Load Bal‐
727 ance may be triggered.
728 The default value is 95%.
730 other_config : pmd-auto-lb-improvement-threshold: optional string, con‐
732 taining an integer, in range 0 to 100
733 Specifies the minimum evaluated % improvement in load distribu‐
734 tion across the non-isolated PMD threads that will allow a PMD
735 Auto Load Balance to occur.
736 Note, setting this parameter to 0 will always allow an auto load
738 balance to occur regardless of estimated improvement or not.
739 The default value is 25%.
741 other_config : pmd-maxsleep: optional string, containing an integer, in
743 range 0 to 10,000
744 Specifies the maximum sleep time that will be requested in mi‐
745 croseconds per iteration for a PMD thread which has received
746 zero or a small amount of packets from the Rx queues it is
747 polling.
748 The actual sleep time requested is based on the load of the Rx
750 queues that the PMD polls and may be less than the maximum
751 value.
752 The default value is 0 microseconds, which means that the PMD
754 will not sleep regardless of the load from the Rx queues that it
755 polls.
756 The maximum value is 10000 microseconds.
758 other_config : userspace-tso-enable: optional string, either true or
760 false
761 Set this value to true to enable userspace support for TCP Seg‐
762 mentation Offloading (TSO). When it is enabled, the interfaces
763 can provide an oversized TCP segment to the datapath and the
764 datapath will offload the TCP segmentation and checksum calcula‐
765 tion to the interfaces when necessary.
766 The default value is false. Changing this value requires
768 restarting the daemon.
769 The feature only works if Open vSwitch is built with DPDK sup‐
771 port.
772 The feature is considered experimental.
774 Status:
776 next_cfg: integer
778 Sequence number for client to increment. When a client modifies
779 any part of the database configuration and wishes to wait for
780 Open vSwitch to finish applying the changes, it may increment
781 this sequence number.
782 cur_cfg: integer
784 Sequence number that Open vSwitch sets to the current value of
785 next_cfg after it finishes applying a set of configuration
786 changes.
787 dpdk_initialized: boolean
789 True if other_config:dpdk-init is set to true and the DPDK li‐
790 brary is successfully initialized.
791 Statistics:
793 The statistics column contains key-value pairs that report statistics
795 about a system running an Open vSwitch. These are updated periodically
796 (currently, every 5 seconds). Key-value pairs that cannot be determined
797 or that do not apply to a platform are omitted.
798 other_config : enable-statistics: optional string, either true or false
800 Statistics are disabled by default to avoid overhead in the com‐
801 mon case when statistics gathering is not useful. Set this value
802 to true to enable populating the statistics column or to false
803 to explicitly disable it.
804 statistics : cpu: optional string, containing an integer, at least 1
806 Number of CPU processors, threads, or cores currently online and
807 available to the operating system on which Open vSwitch is run‐
808 ning, as an integer. This may be less than the number installed,
809 if some are not online or if they are not available to the oper‐
810 ating system.
811 Open vSwitch userspace processes are not multithreaded, but the
813 Linux kernel-based datapath is.
814 statistics : load_average: optional string
816 A comma-separated list of three floating-point numbers, repre‐
817 senting the system load average over the last 1, 5, and 15 min‐
818 utes, respectively.
819 statistics : memory: optional string
821 A comma-separated list of integers, each of which represents a
822 quantity of memory in kilobytes that describes the operating
823 system on which Open vSwitch is running. In respective order,
824 these values are:
825 1. Total amount of RAM allocated to the OS.
827 2. RAM allocated to the OS that is in use.
829 3. RAM that can be flushed out to disk or otherwise discarded
831 if that space is needed for another purpose. This number is
832 necessarily less than or equal to the previous value.
833 4. Total disk space allocated for swap.
835 5. Swap space currently in use.
837 On Linux, all five values can be determined and are included. On
839 other operating systems, only the first two values can be deter‐
840 mined, so the list will only have two values.
841 statistics : process_NAME: optional string
843 One such key-value pair, with NAME replaced by a process name,
844 will exist for each running Open vSwitch daemon process, with
845 name replaced by the daemon’s name (e.g. process_ovs-vswitchd).
846 The value is a comma-separated list of integers. The integers
847 represent the following, with memory measured in kilobytes and
848 durations in milliseconds:
849 1. The process’s virtual memory size.
851 2. The process’s resident set size.
853 3. The amount of user and system CPU time consumed by the
855 process.
856 4. The number of times that the process has crashed and been
858 automatically restarted by the monitor.
859 5. The duration since the process was started.
861 6. The duration for which the process has been running.
863 The interpretation of some of these values depends on whether
865 the process was started with the --monitor. If it was not, then
866 the crash count will always be 0 and the two durations will al‐
867 ways be the same. If --monitor was given, then the crash count
868 may be positive; if it is, the latter duration is the amount of
869 time since the most recent crash and restart.
870 There will be one key-value pair for each file in Open vSwitch’s
872 ``run directory’’ (usually /var/run/openvswitch) whose name ends
873 in .pid, whose contents are a process ID, and which is locked by
874 a running process. The name is taken from the pidfile’s name.
875 Currently Open vSwitch is only able to obtain all of the above
877 detail on Linux systems. On other systems, the same key-value
878 pairs will be present but the values will always be the empty
879 string.
880 statistics : file_systems: optional string
882 A space-separated list of information on local, writable file
883 systems. Each item in the list describes one file system and
884 consists in turn of a comma-separated list of the following:
885 1. Mount point, e.g. / or /var/log. Any spaces or commas in the
887 mount point are replaced by underscores.
888 2. Total size, in kilobytes, as an integer.
890 3. Amount of storage in use, in kilobytes, as an integer.
892 This key-value pair is omitted if there are no local, writable
894 file systems or if Open vSwitch cannot obtain the needed infor‐
895 mation.
896 Version Reporting:
898 These columns report the types and versions of the hardware and soft‐
900 ware running Open vSwitch. We recommend in general that software should
901 test whether specific features are supported instead of relying on ver‐
902 sion number checks. These values are primarily intended for reporting
903 to human administrators.
904 ovs_version: optional string
906 The Open vSwitch version number, e.g. 1.1.0.
907 db_version: optional string
909 The database schema version number, e.g. 1.2.3. See ovsdb-
910 tool(1) for an explanation of the numbering scheme.
911 The schema version is part of the database schema, so it can
913 also be retrieved by fetching the schema using the Open vSwitch
914 database protocol.
915 system_type: optional string
917 An identifier for the type of system on top of which Open
918 vSwitch runs, e.g. KVM.
919 System integrators are responsible for choosing and setting an
921 appropriate value for this column.
922 system_version: optional string
924 The version of the system identified by system_type, e.g.
925 4.18.0-372.19.1.el8_6 on RHEL 8.6 with kernel 4.18.0-372.19.1.
926 System integrators are responsible for choosing and setting an
928 appropriate value for this column.
929 dpdk_version: optional string
931 The version of the linked DPDK library.
932 Capabilities:
934 These columns report capabilities of the Open vSwitch instance.
936 datapath_types: set of strings
938 This column reports the different dpifs registered with the sys‐
939 tem. These are the values that this instance supports in the
940 datapath_type column of the Bridge table.
941 iface_types: set of strings
943 This column reports the different netdevs registered with the
944 system. These are the values that this instance supports in the
945 type column of the Interface table.
946 Database Configuration:
948 These columns primarily configure the Open vSwitch database
950 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The OVSDB
951 database also uses the ssl settings.
952 The Open vSwitch switch does read the database configuration to deter‐
954 mine remote IP addresses to which in-band control should apply.
955 manager_options: set of Managers
957 Database clients to which the Open vSwitch database server
958 should connect or to which it should listen, along with options
959 for how these connections should be configured. See the Manager
960 table for more information.
961 For this column to serve its purpose, ovsdb-server must be con‐
963 figured to honor it. The easiest way to do this is to invoke
964 ovsdb-server with the option --re‐
965 mote=db:Open_vSwitch,Open_vSwitch,manager_options The startup
966 scripts that accompany Open vSwitch do this by default.
967 IPsec:
969 These settings control the global configuration of IPsec tunnels. The
971 options column of the Interface table configures IPsec for individual
972 tunnels. The options column also allows for custom options prefixed
973 with ipsec_ to be passed to the individual connections.
974 OVS IPsec supports the following three forms of authentication. Cur‐
976 rently, all IPsec tunnels must use the same form:
977 1. Pre-shared keys: Omit the global settings. On each tunnel,
979 set options:psk.
980 2. Self-signed certificates: Set the private_key and certifi‐
982 cate global settings. On each tunnel, set options:re‐
983 mote_cert. The remote certificate can be self-signed.
984 3. CA-signed certificates: Set all of the global settings. On
986 each tunnel, set options:remote_name to the common name (CN)
987 of the remote certificate. The remote certificate must be
988 signed by the CA.
989 other_config : private_key: optional string
991 Name of a PEM file containing the private key used as the
992 switch’s identity for IPsec tunnels.
993 other_config : certificate: optional string
995 Name of a PEM file containing a certificate that certifies the
996 switch’s private key, and identifies a trustworthy switch for
997 IPsec tunnels. The certificate must be x.509 version 3 and with
998 the string in common name (CN) also set in the subject alterna‐
999 tive name (SAN).
1000 other_config : ca_cert: optional string
1002 Name of a PEM file containing the CA certificate used to verify
1003 that a remote switch of the IPsec tunnel is trustworthy.
1004 Plaintext Tunnel Policy:
1006 When an IPsec tunnel is configured in this database, multiple indepen‐
1008 dent components take responsibility for implementing it. ovs-vswitchd
1009 and its datapath handle packet forwarding to the tunnel and a separate
1010 daemon pushes the tunnel’s IPsec policy configuration to the kernel or
1011 other entity that implements it. There is a race: if the former config‐
1012 uration completes before the latter, then packets sent by the local
1013 host over the tunnel can be transmitted in plaintext. Using this set‐
1014 ting, OVS users can avoid this undesirable situation.
1015 other_config : ipsec_skb_mark: optional string
1017 This setting takes the form value/mask. If it is specified, then
1018 the skb_mark field in every outgoing tunneled packet sent in
1019 plaintext is compared against it and, if it matches, the packet
1020 is dropped. This is a global setting that is applied to every
1021 tunneled packet, regardless of whether IPsec encryption is en‐
1022 abled for the tunnel, the type of tunnel, or whether OVS is in‐
1023 volved.
1024 Example policies:
1026 1/1 Drop all unencrypted tunneled packets in which the least-
1028 significant bit of skb_mark is 1. This would be a useful
1029 policy given an OpenFlow flow table that sets skb_mark to
1030 1 for traffic that should be encrypted. The default
1031 skb_mark is 0, so this would not affect other traffic.
1032 0/1 Drop all unencrypted tunneled packets in which the least-
1034 significant bit of skb_mark is 0. This would be a useful
1035 policy if no unencrypted tunneled traffic should exit the
1036 system without being specially permitted by setting
1037 skb_mark to 1.
1038 (empty)
1040 If this setting is empty or unset, then all unencrypted
1041 tunneled packets are transmitted in the usual way.
1042 Common Columns:
1044 The overall purpose of these columns is described under Common Columns
1046 at the beginning of this document.
1047 other_config: map of string-string pairs
1049 external_ids: map of string-string pairs
1051
1053 Configuration for a bridge within an Open_vSwitch.
1054 A Bridge record represents an Ethernet switch with one or more
1056 ``ports,’’ which are the Port records pointed to by the Bridge’s ports
1057 column.
1058 Summary:
1060 Core Features:
1061 name immutable string (must be unique within
1062 table)
1063 ports set of Ports
1064 mirrors set of Mirrors
1065 netflow optional NetFlow
1066 sflow optional sFlow
1067 ipfix optional IPFIX
1068 flood_vlans set of up to 4,096 integers, in range 0
1069 to 4,095
1070 auto_attach optional AutoAttach
1071 OpenFlow Configuration:
1072 controller set of Controllers
1073 flow_tables map of integer-Flow_Table pairs, key in
1074 range 0 to 254
1075 fail_mode optional string, either secure or stand‐
1076 alone
1077 datapath_id optional string
1078 datapath_version string
1079 other_config : datapath-id optional string
1080 other_config : dp-desc optional string
1081 other_config : dp-sn optional string
1082 other_config : disable-in-band
1083 optional string, either true or false
1084 other_config : in-band-queue
1085 optional string, containing an integer,
1086 in range 0 to 4,294,967,295
1087 other_config : controller-queue-size
1088 optional string, containing an integer,
1089 in range 1 to 512
1090 protocols set of strings, one of OpenFlow10, Open‐
1091 Flow11, OpenFlow12, OpenFlow13, Open‐
1092 Flow14, or OpenFlow15
1093 Spanning Tree Configuration:
1094 STP Configuration:
1095 stp_enable boolean
1096 other_config : stp-system-id
1097 optional string
1098 other_config : stp-priority
1099 optional string, containing an integer,
1100 in range 0 to 65,535
1101 other_config : stp-hello-time
1102 optional string, containing an integer,
1103 in range 1 to 10
1104 other_config : stp-max-age
1105 optional string, containing an integer,
1106 in range 6 to 40
1107 other_config : stp-forward-delay
1108 optional string, containing an integer,
1109 in range 4 to 30
1110 other_config : mcast-snooping-aging-time
1111 optional string, containing an integer,
1112 at least 1
1113 other_config : mcast-snooping-table-size
1114 optional string, containing an integer,
1115 at least 1
1116 other_config : mcast-snooping-disable-flood-unregistered
1117 optional string, either true or false
1118 STP Status:
1119 status : stp_bridge_id optional string
1120 status : stp_designated_root
1121 optional string
1122 status : stp_root_path_cost
1123 optional string
1124 Rapid Spanning Tree:
1125 RSTP Configuration:
1126 rstp_enable boolean
1127 other_config : rstp-address
1128 optional string
1129 other_config : rstp-priority
1130 optional string, containing an integer,
1131 in range 0 to 61,440
1132 other_config : rstp-ageing-time
1133 optional string, containing an integer,
1134 in range 10 to 1,000,000
1135 other_config : rstp-force-protocol-version
1136 optional string, containing an integer
1137 other_config : rstp-max-age
1138 optional string, containing an integer,
1139 in range 6 to 40
1140 other_config : rstp-forward-delay
1141 optional string, containing an integer,
1142 in range 4 to 30
1143 other_config : rstp-transmit-hold-count
1144 optional string, containing an integer,
1145 in range 1 to 10
1146 RSTP Status:
1147 rstp_status : rstp_bridge_id
1148 optional string
1149 rstp_status : rstp_root_id
1150 optional string
1151 rstp_status : rstp_root_path_cost
1152 optional string, containing an integer,
1153 at least 0
1154 rstp_status : rstp_designated_id
1155 optional string
1156 rstp_status : rstp_designated_port_id
1157 optional string
1158 rstp_status : rstp_bridge_port_id
1159 optional string
1160 Multicast Snooping Configuration:
1161 mcast_snooping_enable boolean
1162 Other Features:
1163 datapath_type string
1164 external_ids : bridge-id optional string
1165 other_config : hwaddr optional string
1166 other_config : forward-bpdu
1167 optional string, either true or false
1168 other_config : mac-aging-time
1169 optional string, containing an integer,
1170 at least 1
1171 other_config : mac-table-size
1172 optional string, containing an integer,
1173 at least 1
1174 Common Columns:
1175 other_config map of string-string pairs
1176 external_ids map of string-string pairs
1177 Details:
1179 Core Features:
1180 name: immutable string (must be unique within table)
1182 Bridge identifier. Must be unique among the names of ports, in‐
1183 terfaces, and bridges on a host.
1184 The name must be alphanumeric and must not contain forward or
1186 backward slashes. The name of a bridge is also the name of an
1187 Interface (and a Port) within the bridge, so the restrictions on
1188 the name column in the Interface table, particularly on length,
1189 also apply to bridge names. Refer to the documentation for In‐
1190 terface names for details.
1191 ports: set of Ports
1193 Ports included in the bridge.
1194 mirrors: set of Mirrors
1196 Port mirroring configuration.
1197 netflow: optional NetFlow
1199 NetFlow configuration.
1200 sflow: optional sFlow
1202 sFlow(R) configuration.
1203 ipfix: optional IPFIX
1205 IPFIX configuration.
1206 flood_vlans: set of up to 4,096 integers, in range 0 to 4,095
1208 VLAN IDs of VLANs on which MAC address learning should be dis‐
1209 abled, so that packets are flooded instead of being sent to spe‐
1210 cific ports that are believed to contain packets’ destination
1211 MACs. This should ordinarily be used to disable MAC learning on
1212 VLANs used for mirroring (RSPAN VLANs). It may also be useful
1213 for debugging.
1214 SLB bonding (see the bond_mode column in the Port table) is in‐
1216 compatible with flood_vlans. Consider using another bonding mode
1217 or a different type of mirror instead.
1218 auto_attach: optional AutoAttach
1220 Auto Attach configuration.
1221 OpenFlow Configuration:
1223 controller: set of Controllers
1225 OpenFlow controller set. If unset, then no OpenFlow controllers
1226 will be used.
1227 If there are primary controllers, removing all of them clears
1229 the OpenFlow flow tables, group table, and meter table. If there
1230 are no primary controllers, adding one also clears these tables.
1231 Other changes to the set of controllers, such as adding or re‐
1232 moving a service controller, adding another primary controller
1233 to supplement an existing primary controller, or removing only
1234 one of two primary controllers, have no effect on these tables.
1235 flow_tables: map of integer-Flow_Table pairs, key in range 0 to 254
1237 Configuration for OpenFlow tables. Each pair maps from an Open‐
1238 Flow table ID to configuration for that table.
1239 fail_mode: optional string, either secure or standalone
1241 When a controller is configured, it is, ordinarily, responsible
1242 for setting up all flows on the switch. Thus, if the connection
1243 to the controller fails, no new network connections can be set
1244 up. If the connection to the controller stays down long enough,
1245 no packets can pass through the switch at all. This setting de‐
1246 termines the switch’s response to such a situation. It may be
1247 set to one of the following:
1248 standalone
1250 If no message is received from the controller for three
1251 times the inactivity probe interval (see inactiv‐
1252 ity_probe), then Open vSwitch will take over responsibil‐
1253 ity for setting up flows. In this mode, Open vSwitch
1254 causes the bridge to act like an ordinary MAC-learning
1255 switch. Open vSwitch will continue to retry connecting to
1256 the controller in the background and, when the connection
1257 succeeds, it will discontinue its standalone behavior.
1258 secure Open vSwitch will not set up flows on its own when the
1260 controller connection fails or when no controllers are
1261 defined. The bridge will continue to retry connecting to
1262 any defined controllers forever.
1263 The default is standalone if the value is unset, but future ver‐
1265 sions of Open vSwitch may change the default.
1266 The standalone mode can create forwarding loops on a bridge that
1268 has more than one uplink port unless STP is enabled. To avoid
1269 loops on such a bridge, configure secure mode or enable STP (see
1270 stp_enable).
1271 The fail_mode setting applies only to primary controllers. When
1273 more than one primary controller is configured, fail_mode is
1274 considered only when none of the configured controllers can be
1275 contacted.
1276 Changing fail_mode when no primary controllers are configured
1278 clears the OpenFlow flow tables, group table, and meter table.
1279 datapath_id: optional string
1281 Reports the OpenFlow datapath ID in use. Exactly 16 hex digits.
1282 (Setting this column has no useful effect. Set other-con‐
1283 fig:datapath-id instead.)
1284 datapath_version: string
1286 Reports the datapath version. This column is maintained for
1287 backwards compatibility. The preferred locatation is the data‐
1288 path_id column of the Datapath table. The full documentation for
1289 this column is there.
1290 other_config : datapath-id: optional string
1292 Overrides the default OpenFlow datapath ID, setting it to the
1293 specified value specified in hex. The value must either have a
1294 0x prefix or be exactly 16 hex digits long. May not be all-zero.
1295 other_config : dp-desc: optional string
1297 Human readable description of datapath. It is a maximum 256
1298 byte-long free-form string to describe the datapath for debug‐
1299 ging purposes, e.g. switch3 in room 3120. The value is returned
1300 by the switch as a part of reply to OFPMP_DESC request
1301 (ofp_desc). The OpenFlow specification (e.g. 1.3.5) describes
1302 the ofp_desc structure to contaion "NULL terminated ASCII
1303 strings". For the compatibility reasons no more than 255 ASCII
1304 characters should be used.
1305 other_config : dp-sn: optional string
1307 Serial number. It is a maximum 32 byte-long free-form string to
1308 provide an additional switch identification. The value is re‐
1309 turned by the switch as a part of reply to OFPMP_DESC request
1310 (ofp_desc). Same as mentioned in the description of other-con‐
1311 fig:dp-desc, the string should be no more than 31 ASCII charac‐
1312 ters for the compatibility.
1313 other_config : disable-in-band: optional string, either true or false
1315 If set to true, disable in-band control on the bridge regardless
1316 of controller and manager settings.
1317 other_config : in-band-queue: optional string, containing an integer,
1319 in range 0 to 4,294,967,295
1320 A queue ID as a nonnegative integer. This sets the OpenFlow
1321 queue ID that will be used by flows set up by in-band control on
1322 this bridge. If unset, or if the port used by an in-band control
1323 flow does not have QoS configured, or if the port does not have
1324 a queue with the specified ID, the default queue is used in‐
1325 stead.
1326 other_config : controller-queue-size: optional string, containing an
1328 integer, in range 1 to 512
1329 This sets the maximum size of the queue of packets that need to
1330 be sent to the OpenFlow management controller. The value must be
1331 less than 512. If not specified the queue size is limited to 100
1332 packets by default. Note: increasing the queue size might have a
1333 negative impact on latency.
1334 protocols: set of strings, one of OpenFlow10, OpenFlow11, OpenFlow12,
1336 OpenFlow13, OpenFlow14, or OpenFlow15
1337 List of OpenFlow protocols that may be used when negotiating a
1338 connection with a controller. OpenFlow 1.0, 1.1, 1.2, 1.3, 1.4,
1339 and 1.5 are enabled by default if this column is empty.
1340 Spanning Tree Configuration:
1342 The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol that
1344 ensures loop-free topologies. It allows redundant links to be included
1345 in the network to provide automatic backup paths if the active links
1346 fails.
1347 These settings configure the slower-to-converge but still widely sup‐
1349 ported version of Spanning Tree Protocol, sometimes known as
1350 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree
1351 Protocol (RSTP), documented later in the section titled Rapid Spanning
1352 Tree Configuration.
1353 STP Configuration:
1355 stp_enable: boolean
1357 Enable spanning tree on the bridge. By default, STP is disabled
1358 on bridges. Bond, internal, and mirror ports are not supported
1359 and will not participate in the spanning tree.
1360 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1362 will be used.
1363 other_config : stp-system-id: optional string
1365 The bridge’s STP identifier (the lower 48 bits of the bridge-id)
1366 in the form xx:xx:xx:xx:xx:xx. By default, the identifier is the
1367 MAC address of the bridge.
1368 other_config : stp-priority: optional string, containing an integer, in
1370 range 0 to 65,535
1371 The bridge’s relative priority value for determining the root
1372 bridge (the upper 16 bits of the bridge-id). A bridge with the
1373 lowest bridge-id is elected the root. By default, the priority
1374 is 0x8000.
1375 other_config : stp-hello-time: optional string, containing an integer,
1377 in range 1 to 10
1378 The interval between transmissions of hello messages by desig‐
1379 nated ports, in seconds. By default the hello interval is 2 sec‐
1380 onds.
1381 other_config : stp-max-age: optional string, containing an integer, in
1383 range 6 to 40
1384 The maximum age of the information transmitted by the bridge
1385 when it is the root bridge, in seconds. By default, the maximum
1386 age is 20 seconds.
1387 other_config : stp-forward-delay: optional string, containing an inte‐
1389 ger, in range 4 to 30
1390 The delay to wait between transitioning root and designated
1391 ports to forwarding, in seconds. By default, the forwarding de‐
1392 lay is 15 seconds.
1393 other_config : mcast-snooping-aging-time: optional string, containing
1395 an integer, at least 1
1396 The maximum number of seconds to retain a multicast snooping en‐
1397 try for which no packets have been seen. The default is cur‐
1398 rently 300 seconds (5 minutes). The value, if specified, is
1399 forced into a reasonable range, currently 15 to 3600 seconds.
1400 other_config : mcast-snooping-table-size: optional string, containing
1402 an integer, at least 1
1403 The maximum number of multicast snooping addresses to learn. The
1404 default is currently 2048. The value, if specified, is forced
1405 into a reasonable range, currently 10 to 1,000,000.
1406 other_config : mcast-snooping-disable-flood-unregistered: optional
1408 string, either true or false
1409 If set to false, unregistered multicast packets are forwarded to
1410 all ports. If set to true, unregistered multicast packets are
1411 forwarded to ports connected to multicast routers.
1412 STP Status:
1414 These key-value pairs report the status of 802.1D-1998. They are
1416 present only if STP is enabled (via the stp_enable column).
1417 status : stp_bridge_id: optional string
1419 The bridge ID used in spanning tree advertisements, in the form
1420 xxxx.yyyyyyyyyyyy where the xs are the STP priority, the ys are
1421 the STP system ID, and each x and y is a hex digit.
1422 status : stp_designated_root: optional string
1424 The designated root for this spanning tree, in the same form as
1425 status:stp_bridge_id. If this bridge is the root, this will have
1426 the same value as status:stp_bridge_id, otherwise it will dif‐
1427 fer.
1428 status : stp_root_path_cost: optional string
1430 The path cost of reaching the designated bridge. A lower number
1431 is better. The value is 0 if this bridge is the root, otherwise
1432 it is higher.
1433 Rapid Spanning Tree:
1435 Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol
1437 that ensures loop-free topologies. RSTP superseded STP with the publi‐
1438 cation of 802.1D-2004. Compared to STP, RSTP converges more quickly and
1439 recovers more quickly from failures.
1440 RSTP Configuration:
1442 rstp_enable: boolean
1444 Enable Rapid Spanning Tree on the bridge. By default, RSTP is
1445 disabled on bridges. Bond, internal, and mirror ports are not
1446 supported and will not participate in the spanning tree.
1447 STP and RSTP are mutually exclusive. If both are enabled, RSTP
1449 will be used.
1450 other_config : rstp-address: optional string
1452 The bridge’s RSTP address (the lower 48 bits of the bridge-id)
1453 in the form xx:xx:xx:xx:xx:xx. By default, the address is the
1454 MAC address of the bridge.
1455 other_config : rstp-priority: optional string, containing an integer,
1457 in range 0 to 61,440
1458 The bridge’s relative priority value for determining the root
1459 bridge (the upper 16 bits of the bridge-id). A bridge with the
1460 lowest bridge-id is elected the root. By default, the priority
1461 is 0x8000 (32768). This value needs to be a multiple of 4096,
1462 otherwise it’s rounded to the nearest inferior one.
1463 other_config : rstp-ageing-time: optional string, containing an inte‐
1465 ger, in range 10 to 1,000,000
1466 The Ageing Time parameter for the Bridge. The default value is
1467 300 seconds.
1468 other_config : rstp-force-protocol-version: optional string, containing
1470 an integer
1471 The Force Protocol Version parameter for the Bridge. This can
1472 take the value 0 (STP Compatibility mode) or 2 (the default,
1473 normal operation).
1474 other_config : rstp-max-age: optional string, containing an integer, in
1476 range 6 to 40
1477 The maximum age of the information transmitted by the Bridge
1478 when it is the Root Bridge. The default value is 20.
1479 other_config : rstp-forward-delay: optional string, containing an inte‐
1481 ger, in range 4 to 30
1482 The delay used by STP Bridges to transition Root and Designated
1483 Ports to Forwarding. The default value is 15.
1484 other_config : rstp-transmit-hold-count: optional string, containing an
1486 integer, in range 1 to 10
1487 The Transmit Hold Count used by the Port Transmit state machine
1488 to limit transmission rate. The default value is 6.
1489 RSTP Status:
1491 These key-value pairs report the status of 802.1D-2004. They are
1493 present only if RSTP is enabled (via the rstp_enable column).
1494 rstp_status : rstp_bridge_id: optional string
1496 The bridge ID used in rapid spanning tree advertisements, in the
1497 form x.yyy.zzzzzzzzzzzz where x is the RSTP priority, the ys are
1498 a locally assigned system ID extension, the zs are the STP sys‐
1499 tem ID, and each x, y, or z is a hex digit.
1500 rstp_status : rstp_root_id: optional string
1502 The root of this spanning tree, in the same form as rstp_sta‐
1503 tus:rstp_bridge_id. If this bridge is the root, this will have
1504 the same value as rstp_status:rstp_bridge_id, otherwise it will
1505 differ.
1506 rstp_status : rstp_root_path_cost: optional string, containing an inte‐
1508 ger, at least 0
1509 The path cost of reaching the root. A lower number is better.
1510 The value is 0 if this bridge is the root, otherwise it is
1511 higher.
1512 rstp_status : rstp_designated_id: optional string
1514 The RSTP designated ID, in the same form as rstp_sta‐
1515 tus:rstp_bridge_id.
1516 rstp_status : rstp_designated_port_id: optional string
1518 The RSTP designated port ID, as a 4-digit hex number.
1519 rstp_status : rstp_bridge_port_id: optional string
1521 The RSTP bridge port ID, as a 4-digit hex number.
1522 Multicast Snooping Configuration:
1524 Multicast snooping (RFC 4541) monitors the Internet Group Management
1526 Protocol (IGMP) and Multicast Listener Discovery traffic between hosts
1527 and multicast routers. The switch uses what IGMP and MLD snooping
1528 learns to forward multicast traffic only to interfaces that are con‐
1529 nected to interested receivers. Currently it supports IGMPv1, IGMPv2,
1530 IGMPv3, MLDv1 and MLDv2 protocols.
1531 mcast_snooping_enable: boolean
1533 Enable multicast snooping on the bridge. For now, the default is
1534 disabled.
1535 Other Features:
1537 datapath_type: string
1539 Name of datapath provider. The kernel datapath has type system.
1540 The userspace datapath has type netdev. A manager may refer to
1541 the datapath_types column of the Open_vSwitch table for a list
1542 of the types accepted by this Open vSwitch instance.
1543 external_ids : bridge-id: optional string
1545 A unique identifier of the bridge.
1546 other_config : hwaddr: optional string
1548 An Ethernet address in the form xx:xx:xx:xx:xx:xx to set the
1549 hardware address of the local port and influence the datapath
1550 ID.
1551 other_config : forward-bpdu: optional string, either true or false
1553 Controls forwarding of BPDUs and other network control frames
1554 when NORMAL action is invoked. When this option is false or un‐
1555 set, frames with reserved Ethernet addresses (see table below)
1556 will not be forwarded. When this option is true, such frames
1557 will not be treated specially.
1558 The above general rule has the following exceptions:
1560 • If STP is enabled on the bridge (see the stp_enable col‐
1562 umn in the Bridge table), the bridge processes all re‐
1563 ceived STP packets and never passes them to OpenFlow or
1564 forwards them. This is true even if STP is disabled on an
1565 individual port.
1566 • If LLDP is enabled on an interface (see the lldp column
1568 in the Interface table), the interface processes received
1569 LLDP packets and never passes them to OpenFlow or for‐
1570 wards them.
1571 Set this option to true if the Open vSwitch bridge connects dif‐
1573 ferent Ethernet networks and is not configured to participate in
1574 STP.
1575 This option affects packets with the following destination MAC
1577 addresses:
1578 01:80:c2:00:00:00
1580 IEEE 802.1D Spanning Tree Protocol (STP).
1581 01:80:c2:00:00:01
1583 IEEE Pause frame.
1584 01:80:c2:00:00:0x
1586 Other reserved protocols.
1587 00:e0:2b:00:00:00
1589 Extreme Discovery Protocol (EDP).
1590 00:e0:2b:00:00:04 and 00:e0:2b:00:00:06
1592 Ethernet Automatic Protection Switching (EAPS).
1593 01:00:0c:cc:cc:cc
1595 Cisco Discovery Protocol (CDP), VLAN Trunking Protocol
1596 (VTP), Dynamic Trunking Protocol (DTP), Port Aggregation
1597 Protocol (PAgP), and others.
1598 01:00:0c:cc:cc:cd
1600 Cisco Shared Spanning Tree Protocol PVSTP+.
1601 01:00:0c:cd:cd:cd
1603 Cisco STP Uplink Fast.
1604 01:00:0c:00:00:00
1606 Cisco Inter Switch Link.
1607 01:00:0c:cc:cc:cx
1609 Cisco CFM.
1610 other_config : mac-aging-time: optional string, containing an integer,
1612 at least 1
1613 The maximum number of seconds to retain a MAC learning entry for
1614 which no packets have been seen. The default is currently 300
1615 seconds (5 minutes). The value, if specified, is forced into a
1616 reasonable range, currently 15 to 3600 seconds.
1617 A short MAC aging time allows a network to more quickly detect
1619 that a host is no longer connected to a switch port. However, it
1620 also makes it more likely that packets will be flooded unneces‐
1621 sarily, when they are addressed to a connected host that rarely
1622 transmits packets. To reduce the incidence of unnecessary flood‐
1623 ing, use a MAC aging time longer than the maximum interval at
1624 which a host will ordinarily transmit packets.
1625 other_config : mac-table-size: optional string, containing an integer,
1627 at least 1
1628 The maximum number of MAC addresses to learn. The default is
1629 currently 8192. The value, if specified, is forced into a rea‐
1630 sonable range, currently 10 to 1,000,000.
1631 Common Columns:
1633 The overall purpose of these columns is described under Common Columns
1635 at the beginning of this document.
1636 other_config: map of string-string pairs
1638 external_ids: map of string-string pairs
1640
1642 A port within a Bridge.
1643 Most commonly, a port has exactly one ``interface,’’ pointed to by its
1645 interfaces column. Such a port logically corresponds to a port on a
1646 physical Ethernet switch. A port with more than one interface is a
1647 ``bonded port’’ (see Bonding Configuration).
1648 Some properties that one might think as belonging to a port are actu‐
1650 ally part of the port’s Interface members.
1651 Summary:
1653 name immutable string (must be unique within
1654 table)
1655 interfaces set of 1 or more Interfaces
1656 VLAN Configuration:
1657 vlan_mode optional string, one of access,
1658 dot1q-tunnel, native-tagged, native-un‐
1659 tagged, or trunk
1660 tag optional integer, in range 0 to 4,095
1661 trunks set of up to 4,096 integers, in range 0
1662 to 4,095
1663 cvlans set of up to 4,096 integers, in range 0
1664 to 4,095
1665 other_config : qinq-ethtype
1666 optional string, either 802.1ad or 802.1q
1667 other_config : priority-tags
1668 optional string, one of always, if-non‐
1669 zero, or never
1670 Bonding Configuration:
1671 bond_mode optional string, one of active-backup,
1672 balance-slb, or balance-tcp
1673 other_config : bond-hash-basis
1674 optional string, containing an integer
1675 other_config : lb-output-action
1676 optional string, either true or false
1677 other_config : bond-primary
1678 optional string
1679 other_config : all-members-active
1680 optional string, either true or false
1681 Link Failure Detection:
1682 other_config : bond-detect-mode
1683 optional string, either carrier or miimon
1684 other_config : bond-miimon-interval
1685 optional string, containing an integer
1686 bond_updelay integer
1687 bond_downdelay integer
1688 LACP Configuration:
1689 lacp optional string, one of active, off, or
1690 passive
1691 other_config : lacp-system-id
1692 optional string
1693 other_config : lacp-system-priority
1694 optional string, containing an integer,
1695 in range 1 to 65,535
1696 other_config : lacp-time optional string, either fast or slow
1697 other_config : lacp-fallback-ab
1698 optional string, either true or false
1699 Rebalancing Configuration:
1700 other_config : bond-rebalance-interval
1701 optional string, containing an integer,
1702 in range 0 to 2,147,483,647
1703 bond_fake_iface boolean
1704 Spanning Tree Protocol:
1705 STP Configuration:
1706 other_config : stp-enable
1707 optional string, either true or false
1708 other_config : stp-port-num
1709 optional string, containing an integer,
1710 in range 1 to 255
1711 other_config : stp-port-priority
1712 optional string, containing an integer,
1713 in range 0 to 255
1714 other_config : stp-path-cost
1715 optional string, containing an integer,
1716 in range 0 to 65,535
1717 STP Status:
1718 status : stp_port_id optional string
1719 status : stp_state optional string, one of blocking, dis‐
1720 abled, forwarding, learning, or listening
1721 status : stp_sec_in_state
1722 optional string, containing an integer,
1723 at least 0
1724 status : stp_role optional string, one of alternate, desig‐
1725 nated, or root
1726 Rapid Spanning Tree Protocol:
1727 RSTP Configuration:
1728 other_config : rstp-enable
1729 optional string, either true or false
1730 other_config : rstp-port-priority
1731 optional string, containing an integer,
1732 in range 0 to 240
1733 other_config : rstp-port-num
1734 optional string, containing an integer,
1735 in range 1 to 4,095
1736 other_config : rstp-path-cost
1737 optional string, containing an integer
1738 other_config : rstp-port-admin-edge
1739 optional string, either true or false
1740 other_config : rstp-port-auto-edge
1741 optional string, either true or false
1742 other_config : rstp-port-mcheck
1743 optional string, either true or false
1744 RSTP Status:
1745 rstp_status : rstp_port_id
1746 optional string
1747 rstp_status : rstp_port_role
1748 optional string, one of Alternate,
1749 Backup, Designated, Disabled, or Root
1750 rstp_status : rstp_port_state
1751 optional string, one of Disabled, Dis‐
1752 carding, Forwarding, or Learning
1753 rstp_status : rstp_designated_bridge_id
1754 optional string
1755 rstp_status : rstp_designated_port_id
1756 optional string
1757 rstp_status : rstp_designated_path_cost
1758 optional string, containing an integer
1759 RSTP Statistics:
1760 rstp_statistics : rstp_tx_count
1761 optional integer
1762 rstp_statistics : rstp_rx_count
1763 optional integer
1764 rstp_statistics : rstp_error_count
1765 optional integer
1766 rstp_statistics : rstp_uptime
1767 optional integer
1768 Multicast Snooping:
1769 other_config : mcast-snooping-flood
1770 optional string, either true or false
1771 other_config : mcast-snooping-flood-reports
1772 optional string, either true or false
1773 Other Features:
1774 qos optional QoS
1775 mac optional string
1776 fake_bridge boolean
1777 protected boolean
1778 external_ids : fake-bridge-*
1779 optional string
1780 other_config : transient optional string, either true or false
1781 bond_active_slave optional string
1782 Port Statistics:
1783 Statistics: STP transmit and receive counters:
1784 statistics : stp_tx_count
1785 optional integer
1786 statistics : stp_rx_count
1787 optional integer
1788 statistics : stp_error_count
1789 optional integer
1790 Common Columns:
1791 other_config map of string-string pairs
1792 external_ids map of string-string pairs
1793 Details:
1795 name: immutable string (must be unique within table)
1796 Port name. For a non-bonded port, this should be the same as its
1797 interface’s name. Port names must otherwise be unique among the
1798 names of ports, interfaces, and bridges on a host. Because port
1799 and interfaces names are usually the same, the restrictions on
1800 the name column in the Interface table, particularly on length,
1801 also apply to port names. Refer to the documentation for Inter‐
1802 face names for details.
1803 interfaces: set of 1 or more Interfaces
1805 The port’s interfaces. If there is more than one, this is a
1806 bonded Port.
1807 VLAN Configuration:
1809 In short, a VLAN (short for ``virtual LAN’’) is a way to partition a
1811 single switch into multiple switches. VLANs can be confusing, so for an
1812 introduction, please refer to the question ``What’s a VLAN?’’ in the
1813 Open vSwitch FAQ.
1814 A VLAN is sometimes encoded into a packet using a 802.1Q or 802.1ad
1816 VLAN header, but every packet is part of some VLAN whether or not it is
1817 encoded in the packet. (A packet that appears to have no VLAN is part
1818 of VLAN 0, by default.) As a result, it’s useful to think of a VLAN as
1819 a metadata property of a packet, separate from how the VLAN is encoded.
1820 For a given port, this column determines how the encoding of a packet
1821 that ingresses or egresses the port maps to the packet’s VLAN. When a
1822 packet enters the switch, its VLAN is determined based on its setting
1823 in this column and its VLAN headers, if any, and then, conceptually,
1824 the VLAN headers are then stripped off. Conversely, when a packet exits
1825 the switch, its VLAN and the settings in this column determine what
1826 VLAN headers, if any, are pushed onto the packet before it egresses the
1827 port.
1828 The VLAN configuration in this column affects Open vSwitch only when it
1830 is doing ``normal switching.’’ It does not affect flows set up by an
1831 OpenFlow controller, outside of the OpenFlow ``normal action.’’
1832 Bridge ports support the following types of VLAN configuration:
1834 trunk A trunk port carries packets on one or more specified
1836 VLANs specified in the trunks column (often, on every
1837 VLAN). A packet that ingresses on a trunk port is in the
1838 VLAN specified in its 802.1Q header, or VLAN 0 if the
1839 packet has no 802.1Q header. A packet that egresses
1840 through a trunk port will have an 802.1Q header if it has
1841 a nonzero VLAN ID.
1842 Any packet that ingresses on a trunk port tagged with a
1844 VLAN that the port does not trunk is dropped.
1845 access An access port carries packets on exactly one VLAN speci‐
1847 fied in the tag column. Packets egressing on an access
1848 port have no 802.1Q header.
1849 Any packet with an 802.1Q header with a nonzero VLAN ID
1851 that ingresses on an access port is dropped, regardless
1852 of whether the VLAN ID in the header is the access port’s
1853 VLAN ID.
1854 native-tagged
1856 A native-tagged port resembles a trunk port, with the ex‐
1857 ception that a packet without an 802.1Q header that in‐
1858 gresses on a native-tagged port is in the ``native VLAN’’
1859 (specified in the tag column).
1860 native-untagged
1862 A native-untagged port resembles a native-tagged port,
1863 with the exception that a packet that egresses on a na‐
1864 tive-untagged port in the native VLAN will not have an
1865 802.1Q header.
1866 dot1q-tunnel
1868 A dot1q-tunnel port is somewhat like an access port. Like
1869 an access port, it carries packets on the single VLAN
1870 specified in the tag column and this VLAN, called the
1871 service VLAN, does not appear in an 802.1Q header for
1872 packets that ingress or egress on the port. The main dif‐
1873 ference lies in the behavior when packets that include a
1874 802.1Q header ingress on the port. Whereas an access port
1875 drops such packets, a dot1q-tunnel port treats these as
1876 double-tagged with the outer service VLAN tag and the in‐
1877 ner customer VLAN taken from the 802.1Q header. Corre‐
1878 spondingly, to egress on the port, a packet outer VLAN
1879 (or only VLAN) must be tag, which is removed before
1880 egress, which exposes the inner (customer) VLAN if one is
1881 present.
1882 If cvlans is set, only allows packets in the specified
1884 customer VLANs.
1885 A packet will only egress through bridge ports that carry the VLAN of
1887 the packet, as described by the rules above.
1888 vlan_mode: optional string, one of access, dot1q-tunnel, native-tagged,
1890 native-untagged, or trunk
1891 The VLAN mode of the port, as described above. When this column
1892 is empty, a default mode is selected as follows:
1893 • If tag contains a value, the port is an access port. The
1895 trunks column should be empty.
1896 • Otherwise, the port is a trunk port. The trunks column
1898 value is honored if it is present.
1899 tag: optional integer, in range 0 to 4,095
1901 For an access port, the port’s implicitly tagged VLAN. For a na‐
1902 tive-tagged or native-untagged port, the port’s native VLAN.
1903 Must be empty if this is a trunk port.
1904 trunks: set of up to 4,096 integers, in range 0 to 4,095
1906 For a trunk, native-tagged, or native-untagged port, the 802.1Q
1907 VLAN or VLANs that this port trunks; if it is empty, then the
1908 port trunks all VLANs. Must be empty if this is an access port.
1909 A native-tagged or native-untagged port always trunks its native
1911 VLAN, regardless of whether trunks includes that VLAN.
1912 cvlans: set of up to 4,096 integers, in range 0 to 4,095
1914 For a dot1q-tunnel port, the customer VLANs that this port in‐
1915 cludes. If this is empty, the port includes all customer VLANs.
1916 For other kinds of ports, this setting is ignored.
1918 other_config : qinq-ethtype: optional string, either 802.1ad or 802.1q
1920 For a dot1q-tunnel port, this is the TPID for the service tag,
1921 that is, for the 802.1Q header that contains the service VLAN
1922 ID. Because packets that actually ingress and egress a dot1q-
1923 tunnel port do not include an 802.1Q header for the service
1924 VLAN, this does not affect packets on the dot1q-tunnel port it‐
1925 self. Rather, it determines the service VLAN for a packet that
1926 ingresses on a dot1q-tunnel port and egresses on a trunk port.
1927 The value 802.1ad specifies TPID 0x88a8, which is also the de‐
1929 fault if the setting is omitted. The value 802.1q specifies TPID
1930 0x8100.
1931 For other kinds of ports, this setting is ignored.
1933 other_config : priority-tags: optional string, one of always, if-non‐
1935 zero, or never
1936 An 802.1Q header contains two important pieces of information: a
1937 VLAN ID and a priority. A frame with a zero VLAN ID, called a
1938 ``priority-tagged’’ frame, is supposed to be treated the same
1939 way as a frame without an 802.1Q header at all (except for the
1940 priority).
1941 However, some network elements ignore any frame that has 802.1Q
1943 header at all, even when the VLAN ID is zero. Therefore, by de‐
1944 fault Open vSwitch does not output priority-tagged frames, in‐
1945 stead omitting the 802.1Q header entirely if the VLAN ID is
1946 zero. Set this key to if-nonzero to enable priority-tagged
1947 frames on a port.
1948 For if-nonzero Open vSwitch omits the 802.1Q header on output if
1950 both the VLAN ID and priority would be zero. Set to always to
1951 retain the 802.1Q header in such frames as well.
1952 All frames output to native-tagged ports have a nonzero VLAN ID,
1954 so this setting is not meaningful on native-tagged ports.
1955 Bonding Configuration:
1957 A port that has more than one interface is a ``bonded port.’’ Bonding
1959 allows for load balancing and fail-over.
1960 The following types of bonding will work with any kind of upstream
1962 switch. On the upstream switch, do not configure the interfaces as a
1963 bond:
1964 balance-slb
1966 Balances flows among members based on source MAC address
1967 and output VLAN, with periodic rebalancing as traffic
1968 patterns change.
1969 active-backup
1971 Assigns all flows to one member, failing over to a backup
1972 member when the active member is disabled. This is the
1973 only bonding mode in which interfaces may be plugged into
1974 different upstream switches.
1975 The following modes require the upstream switch to support 802.3ad with
1977 successful LACP negotiation. If LACP negotiation fails and other-con‐
1978 fig:lacp-fallback-ab is true, then active-backup mode is used:
1979 balance-tcp
1981 Balances flows among members based on L3 and L4 protocol
1982 information such as IP addresses and TCP/UDP ports.
1983 These columns apply only to bonded ports. Their values are otherwise
1985 ignored.
1986 bond_mode: optional string, one of active-backup, balance-slb, or bal‐
1988 ance-tcp
1989 The type of bonding used for a bonded port. Defaults to ac‐
1990 tive-backup if unset.
1991 other_config : bond-hash-basis: optional string, containing an integer
1993 An integer hashed along with flows when choosing output members
1994 in load balanced bonds. When changed, all flows will be assigned
1995 different hash values possibly causing member selection deci‐
1996 sions to change. Does not affect bonding modes which do not em‐
1997 ploy load balancing such as active-backup.
1998 other_config : lb-output-action: optional string, either true or false
2000 Enable/disable usage of optimized lb_output action for balancing
2001 flows among output members in load balanced bonds in bal‐
2002 ance-tcp. When enabled, it uses optimized path for balance-tcp
2003 mode by using rss hash and avoids recirculation. This knob does
2004 not affect other balancing modes.
2005 other_config : bond-primary: optional string
2007 If a slave interface with this name exists in the bond and is
2008 up, it will be made active. Relevant only when other_con‐
2009 fig:bond_mode is active-backup or if balance-tcp falls back to
2010 active-backup (e.g., LACP negotiation fails and other_con‐
2011 fig:lacp-fallback-ab is true).
2012 other_config : all-members-active: optional string, either true or
2014 false
2015 Enable/Disable delivery of broadcast/multicast packets on sec‐
2016 ondary interface of a balance-slb bond. Relevant only when lacp
2017 is off.
2018 This parameter is identical to all_slaves_active for Linux ker‐
2020 nel bonds. Disabled by default as it is not a desirable configu‐
2021 ration for most users.
2022 Link Failure Detection:
2024 An important part of link bonding is detecting that links are down so
2026 that they may be disabled. These settings determine how Open vSwitch
2027 detects link failure.
2028 other_config : bond-detect-mode: optional string, either carrier or mi‐
2030 imon
2031 The means used to detect link failures. Defaults to carrier
2032 which uses each interface’s carrier to detect failures. When set
2033 to miimon, will check for failures by polling each interface’s
2034 MII.
2035 other_config : bond-miimon-interval: optional string, containing an in‐
2037 teger
2038 The interval, in milliseconds, between successive attempts to
2039 poll each interface’s MII. Relevant only when other_config:bond-
2040 detect-mode is miimon.
2041 bond_updelay: integer
2043 The number of milliseconds for which the link must stay up on an
2044 interface before the interface is considered to be up. Specify 0
2045 to enable the interface immediately.
2046 This setting is honored only when at least one bonded interface
2048 is already enabled. When no interfaces are enabled, then the
2049 first bond interface to come up is enabled immediately.
2050 bond_downdelay: integer
2052 The number of milliseconds for which the link must stay down on
2053 an interface before the interface is considered to be down.
2054 Specify 0 to disable the interface immediately.
2055 LACP Configuration:
2057 LACP, the Link Aggregation Control Protocol, is an IEEE standard that
2059 allows switches to automatically detect that they are connected by mul‐
2060 tiple links and aggregate across those links. These settings control
2061 LACP behavior.
2062 lacp: optional string, one of active, off, or passive
2064 Configures LACP on this port. LACP allows directly connected
2065 switches to negotiate which links may be bonded. LACP may be en‐
2066 abled on non-bonded ports for the benefit of any switches they
2067 may be connected to. active ports are allowed to initiate LACP
2068 negotiations. passive ports are allowed to participate in LACP
2069 negotiations initiated by a remote switch, but not allowed to
2070 initiate such negotiations themselves. If LACP is enabled on a
2071 port whose partner switch does not support LACP, the bond will
2072 be disabled, unless other-config:lacp-fallback-ab is set to
2073 true. Defaults to off if unset.
2074 other_config : lacp-system-id: optional string
2076 The LACP system ID of this Port. The system ID of a LACP bond is
2077 used to identify itself to its partners. Must be a nonzero MAC
2078 address. Defaults to the bridge Ethernet address if unset.
2079 other_config : lacp-system-priority: optional string, containing an in‐
2081 teger, in range 1 to 65,535
2082 The LACP system priority of this Port. In LACP negotiations,
2083 link status decisions are made by the system with the numeri‐
2084 cally lower priority.
2085 other_config : lacp-time: optional string, either fast or slow
2087 The LACP timing which should be used on this Port. By default
2088 slow is used. When configured to be fast LACP heartbeats are re‐
2089 quested at a rate of once per second causing connectivity prob‐
2090 lems to be detected more quickly. In slow mode, heartbeats are
2091 requested at a rate of once every 30 seconds.
2092 other_config : lacp-fallback-ab: optional string, either true or false
2094 Determines the behavior of openvswitch bond in LACP mode. If the
2095 partner switch does not support LACP, setting this option to
2096 true allows openvswitch to fallback to active-backup. If the op‐
2097 tion is set to false, the bond will be disabled. In both the
2098 cases, once the partner switch is configured to LACP mode, the
2099 bond will use LACP.
2100 Rebalancing Configuration:
2102 These settings control behavior when a bond is in balance-slb or bal‐
2104 ance-tcp mode.
2105 other_config : bond-rebalance-interval: optional string, containing an
2107 integer, in range 0 to 2,147,483,647
2108 For a load balanced bonded port, the number of milliseconds be‐
2109 tween successive attempts to rebalance the bond, that is, to
2110 move flows from one interface on the bond to another in an at‐
2111 tempt to keep usage of each interface roughly equal. If zero,
2112 load balancing is disabled on the bond (link failure still cause
2113 flows to move). If less than 1000ms, the rebalance interval will
2114 be 1000ms.
2115 bond_fake_iface: boolean
2117 For a bonded port, whether to create a fake internal interface
2118 with the name of the port. Use only for compatibility with
2119 legacy software that requires this.
2120 Spanning Tree Protocol:
2122 The configuration here is only meaningful, and the status is only popu‐
2124 lated, when 802.1D-1998 Spanning Tree Protocol is enabled on the port’s
2125 Bridge with its stp_enable column.
2126 STP Configuration:
2128 other_config : stp-enable: optional string, either true or false
2130 When STP is enabled on a bridge, it is enabled by default on all
2131 of the bridge’s ports except bond, internal, and mirror ports
2132 (which do not work with STP). If this column’s value is false,
2133 STP is disabled on the port.
2134 other_config : stp-port-num: optional string, containing an integer, in
2136 range 1 to 255
2137 The port number used for the lower 8 bits of the port-id. By de‐
2138 fault, the numbers will be assigned automatically. If any port’s
2139 number is manually configured on a bridge, then they must all
2140 be.
2141 other_config : stp-port-priority: optional string, containing an inte‐
2143 ger, in range 0 to 255
2144 The port’s relative priority value for determining the root port
2145 (the upper 8 bits of the port-id). A port with a lower port-id
2146 will be chosen as the root port. By default, the priority is
2147 0x80.
2148 other_config : stp-path-cost: optional string, containing an integer,
2150 in range 0 to 65,535
2151 Spanning tree path cost for the port. A lower number indicates a
2152 faster link. By default, the cost is based on the maximum speed
2153 of the link.
2154 STP Status:
2156 status : stp_port_id: optional string
2158 The port ID used in spanning tree advertisements for this port,
2159 as 4 hex digits. Configuring the port ID is described in the
2160 stp-port-num and stp-port-priority keys of the other_config sec‐
2161 tion earlier.
2162 status : stp_state: optional string, one of blocking, disabled, for‐
2164 warding, learning, or listening
2165 STP state of the port.
2166 status : stp_sec_in_state: optional string, containing an integer, at
2168 least 0
2169 The amount of time this port has been in the current STP state,
2170 in seconds.
2171 status : stp_role: optional string, one of alternate, designated, or
2173 root
2174 STP role of the port.
2175 Rapid Spanning Tree Protocol:
2177 The configuration here is only meaningful, and the status and statis‐
2179 tics are only populated, when 802.1D-1998 Spanning Tree Protocol is en‐
2180 abled on the port’s Bridge with its stp_enable column.
2181 RSTP Configuration:
2183 other_config : rstp-enable: optional string, either true or false
2185 When RSTP is enabled on a bridge, it is enabled by default on
2186 all of the bridge’s ports except bond, internal, and mirror
2187 ports (which do not work with RSTP). If this column’s value is
2188 false, RSTP is disabled on the port.
2189 other_config : rstp-port-priority: optional string, containing an inte‐
2191 ger, in range 0 to 240
2192 The port’s relative priority value for determining the root
2193 port, in multiples of 16. By default, the port priority is 0x80
2194 (128). Any value in the lower 4 bits is rounded off. The signif‐
2195 icant upper 4 bits become the upper 4 bits of the port-id. A
2196 port with the lowest port-id is elected as the root.
2197 other_config : rstp-port-num: optional string, containing an integer,
2199 in range 1 to 4,095
2200 The local RSTP port number, used as the lower 12 bits of the
2201 port-id. By default the port numbers are assigned automatically,
2202 and typically may not correspond to the OpenFlow port numbers. A
2203 port with the lowest port-id is elected as the root.
2204 other_config : rstp-path-cost: optional string, containing an integer
2206 The port path cost. The Port’s contribution, when it is the Root
2207 Port, to the Root Path Cost for the Bridge. By default the cost
2208 is automatically calculated from the port’s speed.
2209 other_config : rstp-port-admin-edge: optional string, either true or
2211 false
2212 The admin edge port parameter for the Port. Default is false.
2213 other_config : rstp-port-auto-edge: optional string, either true or
2215 false
2216 The auto edge port parameter for the Port. Default is true.
2217 other_config : rstp-port-mcheck: optional string, either true or false
2219 The mcheck port parameter for the Port. Default is false. May be
2220 set to force the Port Protocol Migration state machine to trans‐
2221 mit RST BPDUs for a MigrateTime period, to test whether all STP
2222 Bridges on the attached LAN have been removed and the Port can
2223 continue to transmit RSTP BPDUs. Setting mcheck has no effect if
2224 the Bridge is operating in STP Compatibility mode.
2225 Changing the value from true to false has no effect, but needs
2227 to be done if this behavior is to be triggered again by subse‐
2228 quently changing the value from false to true.
2229 RSTP Status:
2231 rstp_status : rstp_port_id: optional string
2233 The port ID used in spanning tree advertisements for this port,
2234 as 4 hex digits. Configuring the port ID is described in the
2235 rstp-port-num and rstp-port-priority keys of the other_config
2236 section earlier.
2237 rstp_status : rstp_port_role: optional string, one of Alternate,
2239 Backup, Designated, Disabled, or Root
2240 RSTP role of the port.
2241 rstp_status : rstp_port_state: optional string, one of Disabled, Dis‐
2243 carding, Forwarding, or Learning
2244 RSTP state of the port.
2245 rstp_status : rstp_designated_bridge_id: optional string
2247 The port’s RSTP designated bridge ID, in the same form as
2248 rstp_status:rstp_bridge_id in the Bridge table.
2249 rstp_status : rstp_designated_port_id: optional string
2251 The port’s RSTP designated port ID, as 4 hex digits.
2252 rstp_status : rstp_designated_path_cost: optional string, containing an
2254 integer
2255 The port’s RSTP designated path cost. Lower is better.
2256 RSTP Statistics:
2258 rstp_statistics : rstp_tx_count: optional integer
2260 Number of RSTP BPDUs transmitted through this port.
2261 rstp_statistics : rstp_rx_count: optional integer
2263 Number of valid RSTP BPDUs received by this port.
2264 rstp_statistics : rstp_error_count: optional integer
2266 Number of invalid RSTP BPDUs received by this port.
2267 rstp_statistics : rstp_uptime: optional integer
2269 The duration covered by the other RSTP statistics, in seconds.
2270 Multicast Snooping:
2272 other_config : mcast-snooping-flood: optional string, either true or
2274 false
2275 If set to true, multicast packets (except Reports) are uncondi‐
2276 tionally forwarded to the specific port.
2277 other_config : mcast-snooping-flood-reports: optional string, either
2279 true or false
2280 If set to true, multicast Reports are unconditionally forwarded
2281 to the specific port.
2282 Other Features:
2284 qos: optional QoS
2286 Quality of Service configuration for this port.
2287 mac: optional string
2289 The MAC address to use for this port for the purpose of choosing
2290 the bridge’s MAC address. This column does not necessarily re‐
2291 flect the port’s actual MAC address, nor will setting it change
2292 the port’s actual MAC address.
2293 fake_bridge: boolean
2295 Does this port represent a sub-bridge for its tagged VLAN within
2296 the Bridge? See ovs-vsctl(8) for more information.
2297 protected: boolean
2299 The protected ports feature allows certain ports to be desig‐
2300 nated as protected. Traffic between protected ports is blocked.
2301 Protected ports can send traffic to unprotected ports. Unpro‐
2302 tected ports can send traffic to any port. Default is false.
2303 external_ids : fake-bridge-*: optional string
2305 External IDs for a fake bridge (see the fake_bridge column) are
2306 defined by prefixing a Bridge external_ids key with
2307 fake-bridge-, e.g. fake-bridge-bridge-id.
2308 other_config : transient: optional string, either true or false
2310 If set to true, the port will be removed when ovs-ctl start
2311 --delete-transient-ports is used.
2312 bond_active_slave: optional string
2314 For a bonded port, record the MAC address of the current active
2315 member.
2316 Port Statistics:
2318 Key-value pairs that report port statistics. The update period is con‐
2320 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
2321 ble.
2322 Statistics: STP transmit and receive counters:
2324 statistics : stp_tx_count: optional integer
2326 Number of STP BPDUs sent on this port by the spanning tree li‐
2327 brary.
2328 statistics : stp_rx_count: optional integer
2330 Number of STP BPDUs received on this port and accepted by the
2331 spanning tree library.
2332 statistics : stp_error_count: optional integer
2334 Number of bad STP BPDUs received on this port. Bad BPDUs include
2335 runt packets and those with an unexpected protocol ID.
2336 Common Columns:
2338 The overall purpose of these columns is described under Common Columns
2340 at the beginning of this document.
2341 other_config: map of string-string pairs
2343 external_ids: map of string-string pairs
2345
2347 An interface within a Port.
2348 Summary:
2350 Core Features:
2351 name immutable string (must be unique within
2352 table)
2353 ifindex optional integer, in range 0 to
2354 4,294,967,295
2355 mac_in_use optional string
2356 mac optional string
2357 error optional string
2358 OpenFlow Port Number:
2359 ofport optional integer
2360 ofport_request optional integer, in range 1 to 65,279
2361 System-Specific Details:
2362 type string
2363 Tunnel Options:
2364 options : remote_ip optional string
2365 options : local_ip optional string
2366 options : in_key optional string
2367 options : out_key optional string
2368 options : dst_port optional string
2369 options : key optional string
2370 options : tos optional string
2371 options : ttl optional string
2372 options : df_default optional string, either true or false
2373 options : egress_pkt_mark optional string
2374 Tunnel Options: lisp only:
2375 options : packet_type optional string, either legacy_l3 or ptap
2376 Tunnel Options: vxlan only:
2377 options : exts optional string
2378 options : packet_type optional string, one of legacy_l2,
2379 legacy_l3, or ptap
2380 Tunnel Options: gre only:
2381 options : packet_type optional string, one of legacy_l2,
2382 legacy_l3, or ptap
2383 options : seq optional string, either true or false
2384 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2385 options : csum optional string, either true or false
2386 Tunnel Options: IPsec:
2387 options : psk optional string
2388 options : remote_cert optional string
2389 options : remote_name optional string
2390 Tunnel Options: erspan only:
2391 options : erspan_idx optional string
2392 options : erspan_ver optional string
2393 options : erspan_dir optional string
2394 options : erspan_hwid optional string
2395 Tunnel Options: Bareudp only:
2396 options : payload_type optional string
2397 Patch Options:
2398 options : peer optional string
2399 PMD (Poll Mode Driver) Options:
2400 options : n_rxq optional string, containing an integer,
2401 at least 1
2402 options : dpdk-devargs optional string
2403 other_config : pmd-rxq-affinity
2404 optional string
2405 options : xdp-mode optional string, one of best-effort,
2406 generic, native-with-zerocopy, or native
2407 options : use-need-wakeup optional string, either true or false
2408 options : vhost-server-path
2409 optional string
2410 options : tx-retries-max optional string, containing an integer,
2411 in range 0 to 32
2412 options : n_rxq_desc optional string, containing an integer,
2413 in range 1 to 4,096
2414 options : n_txq_desc optional string, containing an integer,
2415 in range 1 to 4,096
2416 options : dpdk-vf-mac optional string
2417 other_config : tx-steering optional string, either hash or thread
2418 EMC (Exact Match Cache) Configuration:
2419 other_config : emc-enable optional string, either true or false
2420 MTU:
2421 mtu optional integer
2422 mtu_request optional integer, at least 1
2423 Interface Status:
2424 admin_state optional string, either down or up
2425 link_state optional string, either down or up
2426 link_resets optional integer
2427 link_speed optional integer
2428 duplex optional string, either full or half
2429 lacp_current optional boolean
2430 status map of string-string pairs
2431 status : driver_name optional string
2432 status : driver_version optional string
2433 status : firmware_version optional string
2434 status : source_ip optional string
2435 status : tunnel_egress_iface
2436 optional string
2437 status : tunnel_egress_iface_carrier
2438 optional string, either down or up
2439 dpdk:
2440 status : port_no optional string
2441 status : numa_id optional string
2442 status : min_rx_bufsize optional string
2443 status : max_rx_pktlen optional string
2444 status : max_rx_queues optional string
2445 status : max_tx_queues optional string
2446 status : max_mac_addrs optional string
2447 status : max_hash_mac_addrs
2448 optional string
2449 status : max_vfs optional string
2450 status : max_vmdq_pools optional string
2451 status : if_type optional string
2452 status : if_descr optional string
2453 status : pci-vendor_id optional string
2454 status : pci-device_id optional string
2455 Statistics:
2456 Statistics: Successful transmit and receive counters:
2457 statistics : rx_packets optional integer
2458 statistics : rx_bytes optional integer
2459 statistics : tx_packets optional integer
2460 statistics : tx_bytes optional integer
2461 Statistics: Receive errors:
2462 statistics : rx_dropped optional integer
2463 statistics : rx_frame_err
2464 optional integer
2465 statistics : rx_over_err optional integer
2466 statistics : rx_crc_err optional integer
2467 statistics : rx_errors optional integer
2468 Statistics: Transmit errors:
2469 statistics : tx_dropped optional integer
2470 statistics : collisions optional integer
2471 statistics : tx_errors optional integer
2472 Ingress Policing:
2473 ingress_policing_rate integer, at least 0
2474 ingress_policing_kpkts_rate
2475 integer, at least 0
2476 ingress_policing_burst integer, at least 0
2477 ingress_policing_kpkts_burst
2478 integer, at least 0
2479 Bidirectional Forwarding Detection (BFD):
2480 BFD Configuration:
2481 bfd : enable optional string, either true or false
2482 bfd : min_rx optional string, containing an integer,
2483 at least 1
2484 bfd : min_tx optional string, containing an integer,
2485 at least 1
2486 bfd : decay_min_rx optional string, containing an integer
2487 bfd : forwarding_if_rx optional string, either true or false
2488 bfd : cpath_down optional string, either true or false
2489 bfd : check_tnl_key optional string, either true or false
2490 bfd : bfd_local_src_mac optional string
2491 bfd : bfd_local_dst_mac optional string
2492 bfd : bfd_remote_dst_mac optional string
2493 bfd : bfd_src_ip optional string
2494 bfd : bfd_dst_ip optional string
2495 bfd : oam optional string
2496 bfd : mult optional string, containing an integer,
2497 in range 1 to 255
2498 BFD Status:
2499 bfd_status : state optional string, one of admin_down, down,
2500 init, or up
2501 bfd_status : forwarding optional string, either true or false
2502 bfd_status : diagnostic optional string
2503 bfd_status : remote_state
2504 optional string, one of admin_down, down,
2505 init, or up
2506 bfd_status : remote_diagnostic
2507 optional string
2508 bfd_status : flap_count optional string, containing an integer,
2509 at least 0
2510 Connectivity Fault Management:
2511 cfm_mpid optional integer
2512 cfm_flap_count optional integer
2513 cfm_fault optional boolean
2514 cfm_fault_status : recv none
2515 cfm_fault_status : rdi none
2516 cfm_fault_status : maid none
2517 cfm_fault_status : loopback
2518 none
2519 cfm_fault_status : overflow
2520 none
2521 cfm_fault_status : override
2522 none
2523 cfm_fault_status : interval
2524 none
2525 cfm_remote_opstate optional string, either down or up
2526 cfm_health optional integer, in range 0 to 100
2527 cfm_remote_mpids set of integers
2528 other_config : cfm_interval
2529 optional string, containing an integer
2530 other_config : cfm_extended
2531 optional string, either true or false
2532 other_config : cfm_demand optional string, either true or false
2533 other_config : cfm_opstate optional string, either down or up
2534 other_config : cfm_ccm_vlan
2535 optional string, containing an integer,
2536 in range 1 to 4,095
2537 other_config : cfm_ccm_pcp optional string, containing an integer,
2538 in range 1 to 7
2539 Bonding Configuration:
2540 other_config : lacp-port-id
2541 optional string, containing an integer,
2542 in range 1 to 65,535
2543 other_config : lacp-port-priority
2544 optional string, containing an integer,
2545 in range 1 to 65,535
2546 other_config : lacp-aggregation-key
2547 optional string, containing an integer,
2548 in range 1 to 65,535
2549 Virtual Machine Identifiers:
2550 external_ids : attached-mac
2551 optional string
2552 external_ids : iface-id optional string
2553 external_ids : iface-status
2554 optional string, either active or inac‐
2555 tive
2556 external_ids : vm-id optional string
2557 Auto Attach Configuration:
2558 lldp : enable optional string, either true or false
2559 Flow control Configuration:
2560 options : rx-flow-ctrl optional string, either true or false
2561 options : tx-flow-ctrl optional string, either true or false
2562 options : flow-ctrl-autoneg
2563 optional string, either true or false
2564 Link State Change detection mode:
2565 options : dpdk-lsc-interrupt
2566 optional string, either true or false
2567 Common Columns:
2568 other_config map of string-string pairs
2569 external_ids map of string-string pairs
2570 Details:
2572 Core Features:
2573 name: immutable string (must be unique within table)
2575 Interface name. Should be alphanumeric. For non-bonded port,
2576 this should be the same as the port name. It must otherwise be
2577 unique among the names of ports, interfaces, and bridges on a
2578 host.
2579 The maximum length of an interface name depends on the underly‐
2581 ing datapath:
2582 • The names of interfaces implemented as Linux and BSD net‐
2584 work devices, including interfaces with type internal,
2585 tap, or system plus the different types of tunnel ports,
2586 are limited to 15 bytes. Windows limits these names to
2587 255 bytes.
2588 • The names of patch ports are not used in the underlying
2590 datapath, so operating system restrictions do not apply.
2591 Thus, they may have arbitrary length.
2592 Regardless of other restrictions, OpenFlow only supports 15-byte
2594 names, which means that ovs-ofctl and OpenFlow controllers will
2595 show names truncated to 15 bytes.
2596 ifindex: optional integer, in range 0 to 4,294,967,295
2598 A positive interface index as defined for SNMP MIB-II in RFCs
2599 1213 and 2863, if the interface has one, otherwise 0. The
2600 ifindex is useful for seamless integration with protocols such
2601 as SNMP and sFlow.
2602 mac_in_use: optional string
2604 The MAC address in use by this interface.
2605 mac: optional string
2607 Ethernet address to set for this interface. If unset then the
2608 default MAC address is used:
2609 • For the local interface, the default is the lowest-num‐
2611 bered MAC address among the other bridge ports, either
2612 the value of the mac in its Port record, if set, or its
2613 actual MAC (for bonded ports, the MAC of its member whose
2614 name is first in alphabetical order). Internal ports and
2615 bridge ports that are used as port mirroring destinations
2616 (see the Mirror table) are ignored.
2617 • For other internal interfaces, the default MAC is ran‐
2619 domly generated.
2620 • External interfaces typically have a MAC address associ‐
2622 ated with their hardware.
2623 Some interfaces may not have a software-controllable MAC ad‐
2625 dress. This option only affects internal ports. For other type
2626 ports, you can change the MAC address outside Open vSwitch, us‐
2627 ing ip command.
2628 error: optional string
2630 If the configuration of the port failed, as indicated by -1 in
2631 ofport, Open vSwitch sets this column to an error description in
2632 human readable form. Otherwise, Open vSwitch clears this column.
2633 OpenFlow Port Number:
2635 When a client adds a new interface, Open vSwitch chooses an OpenFlow
2637 port number for the new port. If the client that adds the port fills in
2638 ofport_request, then Open vSwitch tries to use its value as the Open‐
2639 Flow port number. Otherwise, or if the requested port number is already
2640 in use or cannot be used for another reason, Open vSwitch automatically
2641 assigns a free port number. Regardless of how the port number was ob‐
2642 tained, Open vSwitch then reports in ofport the port number actually
2643 assigned.
2644 Open vSwitch limits the port numbers that it automatically assigns to
2646 the range 1 through 32,767, inclusive. Controllers therefore have free
2647 use of ports 32,768 and up.
2648 ofport: optional integer
2650 OpenFlow port number for this interface. Open vSwitch sets this
2651 column’s value, so other clients should treat it as read-only.
2652 The OpenFlow ``local’’ port (OFPP_LOCAL) is 65,534. The other
2654 valid port numbers are in the range 1 to 65,279, inclusive.
2655 Value -1 indicates an error adding the interface.
2656 ofport_request: optional integer, in range 1 to 65,279
2658 Requested OpenFlow port number for this interface.
2659 A client should ideally set this column’s value in the same
2661 database transaction that it uses to create the interface. Open
2662 vSwitch version 2.1 and later will honor a later request for a
2663 specific port number, althuogh it might confuse some con‐
2664 trollers: OpenFlow does not have a way to announce a port number
2665 change, so Open vSwitch represents it over OpenFlow as a port
2666 deletion followed immediately by a port addition.
2667 If ofport_request is set or changed to some other port’s auto‐
2669 matically assigned port number, Open vSwitch chooses a new port
2670 number for the latter port.
2671 System-Specific Details:
2673 type: string
2675 The interface type. The types supported by a particular instance
2676 of Open vSwitch are listed in the iface_types column in the
2677 Open_vSwitch table. The following types are defined:
2678 system An ordinary network device, e.g. eth0 on Linux. Sometimes
2680 referred to as ``external interfaces’’ since they are
2681 generally connected to hardware external to that on which
2682 the Open vSwitch is running. The empty string is a syn‐
2683 onym for system.
2684 internal
2686 A simulated network device that sends and receives traf‐
2687 fic. An internal interface whose name is the same as its
2688 bridge’s name is called the ``local interface.’’ It does
2689 not make sense to bond an internal interface, so the
2690 terms ``port’’ and ``interface’’ are often used impre‐
2691 cisely for internal interfaces.
2692 tap A TUN/TAP device managed by Open vSwitch.
2694 Open vSwitch checks the interface state before send pack‐
2696 ets to the device. When it is down, the packets are
2697 dropped and the tx_dropped statistic is updated accord‐
2698 ingly. Older versions of Open vSwitch did not check the
2699 interface state and then the tx_packets was incremented
2700 along with tx_dropped.
2701 geneve An Ethernet over Geneve
2703 (http://tools.ietf.org/html/draft-ietf-nvo3-geneve)
2704 IPv4/IPv6 tunnel. A description of how to match and set
2705 Geneve options can be found in the ovs-ofctl manual page.
2706 gre Generic Routing Encapsulation (GRE) over IPv4 tunnel,
2708 configurable to encapsulate layer 2 or layer 3 traffic.
2709 ip6gre Generic Routing Encapsulation (GRE) over IPv6 tunnel, en‐
2711 capsulate layer 2 traffic.
2712 vxlan An Ethernet tunnel over the UDP-based VXLAN protocol de‐
2714 scribed in RFC 7348.
2715 Open vSwitch uses IANA-assigned UDP destination port
2717 4789. The source port used for VXLAN traffic varies on a
2718 per-flow basis and is in the ephemeral port range.
2719 lisp A layer 3 tunnel over the experimental, UDP-based Loca‐
2721 tor/ID Separation Protocol (RFC 6830).
2722 Only IPv4 and IPv6 packets are supported by the protocol,
2724 and they are sent and received without an Ethernet
2725 header. Traffic to/from LISP ports is expected to be con‐
2726 figured explicitly, and the ports are not intended to
2727 participate in learning based switching. As such, they
2728 are always excluded from packet flooding.
2729 stt The Stateless TCP Tunnel (STT) is particularly useful
2731 when tunnel endpoints are in end-systems, as it utilizes
2732 the capabilities of standard network interface cards to
2733 improve performance. STT utilizes a TCP-like header in‐
2734 side the IP header. It is stateless, i.e., there is no
2735 TCP connection state of any kind associated with the tun‐
2736 nel. The TCP-like header is used to leverage the capabil‐
2737 ities of existing network interface cards, but should not
2738 be interpreted as implying any sort of connection state
2739 between endpoints. Since the STT protocol does not engage
2740 in the usual TCP 3-way handshake, so it will have diffi‐
2741 culty traversing stateful firewalls. The protocol is doc‐
2742 umented at https://tools.ietf.org/html/draft-davie-stt
2743 All traffic uses a default destination port of 7471.
2744 patch A pair of virtual devices that act as a patch cable.
2746 gtpu GPRS Tunneling Protocol (GTP) is a group of IP-based com‐
2748 munications protocols used to carry general packet radio
2749 service (GPRS) within GSM, UMTS and LTE networks. GTP-U
2750 is used for carrying user data within the GPRS core net‐
2751 work and between the radio access network and the core
2752 network. The user data transported can be packets in any
2753 of IPv4, IPv6, or PPP formats.
2754 The protocol is documented at http://www.3gpp.org/DynaRe‐
2756 port/29281.htm
2757 Open vSwitch uses UDP destination port 2152. The source
2759 port used for GTP traffic varies on a per-flow basis and
2760 is in the ephemeral port range.
2761 Bareudp
2763 The Bareudp tunnel provides a generic L3 encapsulation
2764 support for tunnelling different L3 protocols like MPLS,
2765 IP, NSH etc. inside a UDP tunnel.
2766 Tunnel Options:
2768 These options apply to interfaces with type of geneve, bareudp, gre,
2770 ip6gre, vxlan, lisp and stt.
2771 Each tunnel must be uniquely identified by the combination of type, op‐
2773 tions:remote_ip, options:local_ip, and options:in_key. If two ports are
2774 defined that are the same except one has an optional identifier and the
2775 other does not, the more specific one is matched first. options:in_key
2776 is considered more specific than options:local_ip if a port defines one
2777 and another port defines the other. options:in_key is not applicable
2778 for bareudp tunnels. Hence it is not considered while identifying a
2779 bareudp tunnel.
2780 options : remote_ip: optional string
2782 Required. The remote tunnel endpoint, one of:
2783 • An IPv4 or IPv6 address (not a DNS name), e.g.
2785 192.168.0.123. Only unicast endpoints are supported.
2786 • The word flow. The tunnel accepts packets from any remote
2788 tunnel endpoint. To process only packets from a specific
2789 remote tunnel endpoint, the flow entries may match on the
2790 tun_src or tun_ipv6_srcfield. When sending packets to a
2791 remote_ip=flow tunnel, the flow actions must explicitly
2792 set the tun_dst or tun_ipv6_dst field to the IP address
2793 of the desired remote tunnel endpoint, e.g. with a
2794 set_field action.
2795 The remote tunnel endpoint for any packet received from a tunnel
2797 is available in the tun_src field for matching in the flow ta‐
2798 ble.
2799 options : local_ip: optional string
2801 Optional. The tunnel destination IP that received packets must
2802 match. Default is to match all addresses. If specified, may be
2803 one of:
2804 • An IPv4/IPv6 address (not a DNS name), e.g. 192.168.12.3.
2806 • The word flow. The tunnel accepts packets sent to any of
2808 the local IP addresses of the system running OVS. To
2809 process only packets sent to a specific IP address, the
2810 flow entries may match on the tun_dst or tun_ipv6_dst
2811 field. When sending packets to a local_ip=flow tunnel,
2812 the flow actions may explicitly set the tun_src or
2813 tun_ipv6_src field to the desired IP address, e.g. with a
2814 set_field action. However, while routing the tunneled
2815 packet out, the local system may override the specified
2816 address with the local IP address configured for the out‐
2817 going system interface.
2818 This option is valid only for tunnels also configured
2820 with the remote_ip=flow option.
2821 The tunnel destination IP address for any packet received from a
2823 tunnel is available in the tun_dst or tun_ipv6_dst field for
2824 matching in the flow table.
2825 options : in_key: optional string
2827 Optional, not applicable for bareudp. The key that received
2828 packets must contain, one of:
2829 • 0. The tunnel receives packets with no key or with a key
2831 of 0. This is equivalent to specifying no options:in_key
2832 at all.
2833 • A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit
2835 (for GRE) or 64-bit (for STT) number. The tunnel receives
2836 only packets with the specified key.
2837 • The word flow. The tunnel accepts packets with any key.
2839 The key will be placed in the tun_id field for matching
2840 in the flow table. The ovs-fields(7) manual page contains
2841 additional information about matching fields in OpenFlow
2842 flows.
2843 options : out_key: optional string
2845 Optional, not applicable for bareudp. The key to be set on out‐
2846 going packets, one of:
2847 • 0. Packets sent through the tunnel will have no key. This
2849 is equivalent to specifying no options:out_key at all.
2850 • A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit
2852 (for GRE) or 64-bit (for STT) number. Packets sent
2853 through the tunnel will have the specified key.
2854 • The word flow. Packets sent through the tunnel will have
2856 the key set using the set_tunnel Nicira OpenFlow vendor
2857 extension (0 is used in the absence of an action). The
2858 ovs-fields(7) manual page contains additional information
2859 about the Nicira OpenFlow vendor extensions.
2860 options : dst_port: optional string
2862 Optional. The tunnel transport layer destination port, for UDP
2863 and TCP based tunnel protocols (Geneve, VXLAN, LISP, and STT).
2864 options : key: optional string
2866 Optional. Shorthand to set in_key and out_key at the same time.
2867 options : tos: optional string
2869 Optional. The value of the ToS bits to be set on the encapsulat‐
2870 ing packet. ToS is interpreted as DSCP and ECN bits, ECN part
2871 must be zero. It may also be the word inherit, in which case the
2872 ToS will be copied from the inner packet if it is IPv4 or IPv6
2873 (otherwise it will be 0). The ECN fields are always inherited.
2874 Default is 0.
2875 options : ttl: optional string
2877 Optional. The TTL to be set on the encapsulating packet. It may
2878 also be the word inherit, in which case the TTL will be copied
2879 from the inner packet if it is IPv4 or IPv6 (otherwise it will
2880 be the system default, typically 64). Default is the system de‐
2881 fault TTL.
2882 options : df_default: optional string, either true or false
2884 Optional. If enabled, the Don’t Fragment bit will be set on tun‐
2885 nel outer headers to allow path MTU discovery. Default is en‐
2886 abled; set to false to disable.
2887 options : egress_pkt_mark: optional string
2889 Optional. The pkt_mark to be set on the encapsulating packet.
2890 This option sets packet mark for the tunnel endpoint for all
2891 tunnel packets including tunnel monitoring.
2892 Tunnel Options: lisp only:
2894 options : packet_type: optional string, either legacy_l3 or ptap
2896 A LISP tunnel sends and receives only IPv4 and IPv6 packets.
2897 This option controls what how the tunnel represents the packets
2898 that it sends and receives:
2899 • By default, or if this option is legacy_l3, the tunnel
2901 represents packets as Ethernet frames for compatibility
2902 with legacy OpenFlow controllers that expect this behav‐
2903 ior.
2904 • If this option is ptap, the tunnel represents packets us‐
2906 ing the packet_type mechanism introduced in OpenFlow 1.5.
2907 Tunnel Options: vxlan only:
2909 options : exts: optional string
2911 Optional. Comma separated list of optional VXLAN extensions to
2912 enable. The following extensions are supported:
2913 • gbp: VXLAN-GBP allows to transport the group policy con‐
2915 text of a packet across the VXLAN tunnel to other network
2916 peers. See the description of tun_gbp_id and
2917 tun_gbp_flags in ovs-fields(7) for additional informa‐
2918 tion.
2919 (https://tools.ietf.org/html/draft-smith-vxlan-group-pol‐
2920 icy)
2921 • gpe: Support for Generic Protocol Encapsulation in accor‐
2923 dance with IETF draft
2924 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe.
2925 Without this option, a VXLAN packet always encapsulates
2926 an Ethernet frame. With this option, an VXLAN packet may
2927 also encapsulate an IPv4, IPv6, NSH, or MPLS packet.
2928 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2930 ptap
2931 This option controls what types of packets the tunnel sends and
2932 receives and how it represents them:
2933 • By default, or if this option is legacy_l2, the tunnel
2935 sends and receives only Ethernet frames.
2936 • If this option is legacy_l3, the tunnel sends and re‐
2938 ceives only non-Ethernet (L3) packet, but the packets are
2939 represented as Ethernet frames for compatibility with
2940 legacy OpenFlow controllers that expect this behavior.
2941 This requires enabling gpe in options:exts.
2942 • If this option is ptap, Open vSwitch represents packets
2944 in the tunnel using the packet_type mechanism introduced
2945 in OpenFlow 1.5. This mechanism supports any kind of
2946 packet, but actually sending and receiving non-Ethernet
2947 packets requires additionally enabling gpe in op‐
2948 tions:exts.
2949 Tunnel Options: gre only:
2951 gre interfaces support these options.
2953 options : packet_type: optional string, one of legacy_l2, legacy_l3, or
2955 ptap
2956 This option controls what types of packets the tunnel sends and
2957 receives and how it represents them:
2958 • By default, or if this option is legacy_l2, the tunnel
2960 sends and receives only Ethernet frames.
2961 • If this option is legacy_l3, the tunnel sends and re‐
2963 ceives only non-Ethernet (L3) packet, but the packets are
2964 represented as Ethernet frames for compatibility with
2965 legacy OpenFlow controllers that expect this behavior.
2966 • The legacy_l3 option is only available via the user space
2968 datapath. The OVS kernel datapath does not support de‐
2969 vices of type ARPHRD_IPGRE which is the requirement for
2970 legacy_l3 type packets.
2971 • If this option is ptap, the tunnel sends and receives any
2973 kind of packet. Open vSwitch represents packets in the
2974 tunnel using the packet_type mechanism introduced in
2975 OpenFlow 1.5.
2976 options : seq: optional string, either true or false
2978 Optional. A 4-byte sequence number field for GRE tunnel only.
2979 Default is disabled, set to true to enable. Sequence number is
2980 incremented by one on each outgoing packet.
2981 Tunnel Options: gre, ip6gre, geneve, bareudp and vxlan:
2983 gre, ip6gre, geneve, bareudp and vxlan interfaces support these op‐
2985 tions.
2986 options : csum: optional string, either true or false
2988 Optional. Compute encapsulation header (either GRE or UDP)
2989 checksums on outgoing packets. Default is disabled, set to true
2990 to enable. Checksums present on incoming packets will be vali‐
2991 dated regardless of this setting.
2992 When using the upstream Linux kernel module, computation of
2994 checksums for geneve and vxlan requires Linux kernel version 4.0
2995 or higher. gre and ip6gre support checksums for all versions of
2996 Open vSwitch that support GRE. The out of tree kernel module
2997 distributed as part of OVS can compute all tunnel checksums on
2998 any kernel version that it is compatible with.
2999 Tunnel Options: IPsec:
3001 Setting any of these options enables IPsec support for a given tunnel.
3003 gre, geneve, vxlan and stt interfaces support these options. See the
3004 IPsec section in the Open_vSwitch table for a description of each mode.
3005 options : psk: optional string
3007 In PSK mode only, the preshared secret to negotiate tunnel. This
3008 value must match on both tunnel ends.
3009 options : remote_cert: optional string
3011 In self-signed certificate mode only, name of a PEM file con‐
3012 taining a certificate of the remote switch. The certificate must
3013 be x.509 version 3 and with the string in common name (CN) also
3014 set in the subject alternative name (SAN).
3015 options : remote_name: optional string
3017 In CA-signed certificate mode only, common name (CN) of the re‐
3018 mote certificate.
3019 Tunnel Options: erspan only:
3021 Only erspan interfaces support these options.
3023 options : erspan_idx: optional string
3025 20 bit index/port number associated with the ERSPAN traffic’s
3026 source port and direction (ingress/egress). This field is plat‐
3027 form dependent.
3028 options : erspan_ver: optional string
3030 ERSPAN version: 1 for version 1 (type II) or 2 for version 2
3031 (type III).
3032 options : erspan_dir: optional string
3034 Specifies the ERSPAN v2 mirrored traffic’s direction. 1 for
3035 egress traffic, and 0 for ingress traffic.
3036 options : erspan_hwid: optional string
3038 ERSPAN hardware ID is a 6-bit unique identifier of an ERSPAN v2
3039 engine within a system.
3040 Tunnel Options: Bareudp only:
3042 options : payload_type: optional string
3044 Specifies the ethertype of the l3 protocol the bareudp device is
3045 tunnelling. For the tunnels which supports multiple ethertypes
3046 of a l3 protocol (IP, MPLS) this field specifies the protocol
3047 name as a string.
3048 Patch Options:
3050 These options apply only to patch ports, that is, interfaces whose type
3052 column is patch. Patch ports are mainly a way to connect otherwise in‐
3053 dependent bridges to one another, similar to how one might plug an Eth‐
3054 ernet cable (a ``patch cable’’) into two physical switches to connect
3055 those switches. The effect of plugging a patch port into two switches
3056 is conceptually similar to that of plugging the two ends of a Linux
3057 veth device into those switches, but the implementation of patch ports
3058 makes them much more efficient.
3059 Patch ports may connect two different bridges (the usual case) or the
3061 same bridge. In the latter case, take special care to avoid loops, e.g.
3062 by programming appropriate flows with OpenFlow. Patch ports do not work
3063 if its ends are attached to bridges on different datapaths, e.g. to
3064 connect bridges in system and netdev datapaths.
3065 The following command creates and connects patch ports p0 and p1 and
3067 adds them to bridges br0 and br1, respectively:
3068 ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
3070 -- add-port br1 p1 -- set Interface p1 type=patch options:peer=p0
3071 options : peer: optional string
3074 The name of the Interface for the other side of the patch. The
3075 named Interface’s own peer option must specify this Interface’s
3076 name. That is, the two patch interfaces must have reversed name
3077 and peer values.
3078 PMD (Poll Mode Driver) Options:
3080 Only PMD netdevs support these options.
3082 options : n_rxq: optional string, containing an integer, at least 1
3084 Specifies the maximum number of rx queues to be created for PMD
3085 netdev. If not specified or specified to 0, one rx queue will be
3086 created by default. Not supported by DPDK vHost interfaces.
3087 options : dpdk-devargs: optional string
3089 Specifies the PCI address associated with the port for physical
3090 devices, or the virtual driver to be used for the port when a
3091 virtual PMD is intended to be used. For the latter, the argument
3092 string typically takes the form of eth_driver_namex, where
3093 driver_name is a valid virtual DPDK PMD driver name and x is a
3094 unique identifier of your choice for the given port. Only sup‐
3095 ported by the dpdk port type.
3096 other_config : pmd-rxq-affinity: optional string
3098 Specifies mapping of RX queues of this interface to CPU cores.
3099 Value should be set in the following form:
3101 other_config:pmd-rxq-affinity=<rxq-affinity-list>
3103 where
3105 • <rxq-affinity-list> ::= NULL | <non-empty-list>
3107 • <non-empty-list> ::= <affinity-pair> | <affinity-pair> ,
3109 <non-empty-list>
3110 • <affinity-pair> ::= <queue-id> : <core-id>
3112 options : xdp-mode: optional string, one of best-effort, generic, na‐
3114 tive-with-zerocopy, or native
3115 Specifies the operational mode of the XDP program.
3116 In native-with-zerocopy mode the XDP program is loaded into the
3118 device driver with zero-copy RX and TX enabled. This mode re‐
3119 quires device driver support and has the best performance be‐
3120 cause there should be no copying of packets.
3121 native is the same as native-with-zerocopy, but without zero-
3123 copy capability. This requires at least one copy between kernel
3124 and the userspace. This mode also requires support from device
3125 driver.
3126 In generic case the XDP program in kernel works after skb allo‐
3128 cation on early stages of packet processing inside the network
3129 stack. This mode doesn’t require driver support, but has much
3130 lower performance.
3131 best-effort tries to detect and choose the best (fastest) from
3133 the available modes for current interface.
3134 Note that this option is specific to netdev-afxdp. Defaults to
3136 best-effort mode.
3137 options : use-need-wakeup: optional string, either true or false
3139 Specifies whether to use need_wakeup feature in afxdp netdev. If
3140 enabled, OVS explicitly wakes up the kernel RX, using poll()
3141 syscall and wakes up TX, using sendto() syscall. For physical
3142 devices, this feature improves the performance by avoiding un‐
3143 necessary sendto syscalls. Defaults to true if supported by
3144 libbpf.
3145 options : vhost-server-path: optional string
3147 The value specifies the path to the socket associated with a
3148 vHost User client mode device that has been or will be created
3149 by QEMU. Only supported by dpdkvhostuserclient interfaces.
3150 options : tx-retries-max: optional string, containing an integer, in
3152 range 0 to 32
3153 The value specifies the maximum amount of vhost tx retries that
3154 can be made while trying to send a batch of packets to an inter‐
3155 face. Only supported by dpdkvhostuserclient interfaces.
3156 Default value is 8.
3158 options : n_rxq_desc: optional string, containing an integer, in range
3160 1 to 4,096
3161 Specifies the rx queue size (number rx descriptors) for dpdk
3162 ports. The value must be a power of 2, less than 4096 and sup‐
3163 ported by the hardware of the device being configured. If not
3164 specified or an incorrect value is specified, 2048 rx descrip‐
3165 tors will be used by default.
3166 options : n_txq_desc: optional string, containing an integer, in range
3168 1 to 4,096
3169 Specifies the tx queue size (number tx descriptors) for dpdk
3170 ports. The value must be a power of 2, less than 4096 and sup‐
3171 ported by the hardware of the device being configured. If not
3172 specified or an incorrect value is specified, 2048 tx descrip‐
3173 tors will be used by default.
3174 options : dpdk-vf-mac: optional string
3176 Ethernet address to set for this VF interface. If unset then the
3177 default MAC address is used:
3178 • For most drivers, the default MAC address assigned by
3180 their hardware.
3181 • For bifurcated drivers, the MAC currently used by the
3183 kernel netdevice.
3184 This option may only be used with dpdk VF representors.
3186 other_config : tx-steering: optional string, either hash or thread
3188 Specifies the Tx steering mode for the interface.
3189 thread enables static (1:1) thread-to-txq mapping when the num‐
3191 ber of Tx queues is greater than number of PMD threads, and dy‐
3192 namic (N:1) mapping if equal or lower. In this mode a single
3193 thread can not use more than 1 transmit queue of a given port.
3194 hash enables hash-based Tx steering, which distributes the pack‐
3196 ets on all the transmit queues based on their 5-tuples hashes.
3197 Defaults to thread.
3199 EMC (Exact Match Cache) Configuration:
3201 These settings controls behaviour of EMC lookups/insertions for packets
3203 received from the interface.
3204 other_config : emc-enable: optional string, either true or false
3206 Specifies if Exact Match Cache (EMC) should be used while pro‐
3207 cessing packets received from this interface. If true,
3208 other_config:emc-insert-inv-prob will have effect on this inter‐
3209 face.
3210 Defaults to true.
3212 MTU:
3214 The MTU (maximum transmission unit) is the largest amount of data that
3216 can fit into a single Ethernet frame. The standard Ethernet MTU is 1500
3217 bytes. Some physical media and many kinds of virtual interfaces can be
3218 configured with higher MTUs.
3219 A client may change an interface MTU by filling in mtu_request. Open
3221 vSwitch then reports in mtu the currently configured value.
3222 mtu: optional integer
3224 The currently configured MTU for the interface.
3225 This column will be empty for an interface that does not have an
3227 MTU as, for example, some kinds of tunnels do not.
3228 Open vSwitch sets this column’s value, so other clients should
3230 treat it as read-only.
3231 mtu_request: optional integer, at least 1
3233 Requested MTU (Maximum Transmission Unit) for the interface. A
3234 client can fill this column to change the MTU of an interface.
3235 RFC 791 requires every internet module to be able to forward a
3237 datagram of 68 octets without further fragmentation. The maximum
3238 size of an IP packet is 65535 bytes.
3239 If this is not set and if the interface has internal type, Open
3241 vSwitch will change the MTU to match the minimum of the other
3242 interfaces in the bridge.
3243 Interface Status:
3245 Status information about interfaces attached to bridges, updated every
3247 5 seconds. Not all interfaces have all of these properties; virtual in‐
3248 terfaces don’t have a link speed, for example. Non-applicable columns
3249 will have empty values.
3250 admin_state: optional string, either down or up
3252 The administrative state of the physical network link.
3253 link_state: optional string, either down or up
3255 The observed state of the physical network link. This is ordi‐
3256 narily the link’s carrier status. If the interface’s Port is a
3257 bond configured for miimon monitoring, it is instead the network
3258 link’s miimon status.
3259 link_resets: optional integer
3261 The number of times Open vSwitch has observed the link_state of
3262 this Interface change.
3263 link_speed: optional integer
3265 The negotiated speed of the physical network link. Valid values
3266 are positive integers greater than 0.
3267 duplex: optional string, either full or half
3269 The duplex mode of the physical network link.
3270 lacp_current: optional boolean
3272 Boolean value indicating LACP status for this interface. If
3273 true, this interface has current LACP information about its LACP
3274 partner. This information may be used to monitor the health of
3275 interfaces in a LACP enabled port. This column will be empty if
3276 LACP is not enabled.
3277 status: map of string-string pairs
3279 Key-value pairs that report port status. Supported status values
3280 are type-dependent; some interfaces may not have a valid sta‐
3281 tus:driver_name, for example.
3282 status : driver_name: optional string
3284 The name of the device driver controlling the network adapter.
3285 status : driver_version: optional string
3287 The version string of the device driver controlling the network
3288 adapter.
3289 status : firmware_version: optional string
3291 The version string of the network adapter’s firmware, if avail‐
3292 able.
3293 status : source_ip: optional string
3295 The source IP address used for an IPv4/IPv6 tunnel end-point,
3296 such as gre.
3297 status : tunnel_egress_iface: optional string
3299 Egress interface for tunnels. Currently only relevant for tun‐
3300 nels on Linux systems, this column will show the name of the in‐
3301 terface which is responsible for routing traffic destined for
3302 the configured options:remote_ip. This could be an internal in‐
3303 terface such as a bridge port.
3304 status : tunnel_egress_iface_carrier: optional string, either down or
3306 up
3307 Whether carrier is detected on status:tunnel_egress_iface.
3308 dpdk:
3310 DPDK specific interface status options.
3312 status : port_no: optional string
3314 DPDK port ID.
3315 status : numa_id: optional string
3317 NUMA socket ID to which an Ethernet device is connected.
3318 status : min_rx_bufsize: optional string
3320 Minimum size of RX buffer.
3321 status : max_rx_pktlen: optional string
3323 Maximum configurable length of RX pkt.
3324 status : max_rx_queues: optional string
3326 Maximum number of RX queues.
3327 status : max_tx_queues: optional string
3329 Maximum number of TX queues.
3330 status : max_mac_addrs: optional string
3332 Maximum number of MAC addresses.
3333 status : max_hash_mac_addrs: optional string
3335 Maximum number of hash MAC addresses for MTA and UTA.
3336 status : max_vfs: optional string
3338 Maximum number of hash MAC addresses for MTA and UTA. Maximum
3339 number of VFs.
3340 status : max_vmdq_pools: optional string
3342 Maximum number of VMDq pools.
3343 status : if_type: optional string
3345 Interface type ID according to IANA ifTYPE MIB definitions.
3346 status : if_descr: optional string
3348 Interface description string.
3349 status : pci-vendor_id: optional string
3351 Vendor ID of PCI device.
3352 status : pci-device_id: optional string
3354 Device ID of PCI device.
3355 Statistics:
3357 Key-value pairs that report interface statistics. The current implemen‐
3359 tation updates these counters periodically. The update period is con‐
3360 trolled by other_config:stats-update-interval in the Open_vSwitch ta‐
3361 ble. Future implementations may update them when an interface is cre‐
3362 ated, when they are queried (e.g. using an OVSDB select operation), and
3363 just before an interface is deleted due to virtual interface hot-unplug
3364 or VM shutdown, and perhaps at other times, but not on any regular pe‐
3365 riodic basis.
3366 These are the same statistics reported by OpenFlow in its struct
3368 ofp_port_stats structure. If an interface does not support a given
3369 statistic, then that pair is omitted.
3370 Statistics: Successful transmit and receive counters:
3372 statistics : rx_packets: optional integer
3374 Number of received packets.
3375 statistics : rx_bytes: optional integer
3377 Number of received bytes.
3378 statistics : tx_packets: optional integer
3380 Number of transmitted packets.
3381 statistics : tx_bytes: optional integer
3383 Number of transmitted bytes.
3384 Statistics: Receive errors:
3386 statistics : rx_dropped: optional integer
3388 Number of packets dropped by RX.
3389 statistics : rx_frame_err: optional integer
3391 Number of frame alignment errors.
3392 statistics : rx_over_err: optional integer
3394 Number of packets with RX overrun.
3395 statistics : rx_crc_err: optional integer
3397 Number of CRC errors.
3398 statistics : rx_errors: optional integer
3400 Total number of receive errors, greater than or equal to the sum
3401 of the above.
3402 Statistics: Transmit errors:
3404 statistics : tx_dropped: optional integer
3406 Number of packets dropped by TX.
3407 statistics : collisions: optional integer
3409 Number of collisions.
3410 statistics : tx_errors: optional integer
3412 Total number of transmit errors, greater than or equal to the
3413 sum of the above.
3414 Ingress Policing:
3416 These settings control ingress policing for packets received on this
3418 interface. On a physical interface, this limits the rate at which traf‐
3419 fic is allowed into the system from the outside; on a virtual interface
3420 (one connected to a virtual machine), this limits the rate at which the
3421 VM is able to transmit.
3422 Policing is a simple form of quality-of-service that simply drops pack‐
3424 ets received in excess of the configured rate. Due to its simplicity,
3425 policing is usually less accurate and less effective than egress QoS
3426 (which is configured using the QoS and Queue tables).
3427 Policing settings can be set with byte rate or packet rate, and they
3429 can be configured together, in which case they take effect together,
3430 that means the smaller speed limit of them is in effect.
3431 Currently, byte rate policing is implemented on Linux and OVS with
3433 DPDK, while packet rate policing is only implemented on Linux. Both
3434 Linux and OVS DPDK implementations use a simple ``token bucket’’ ap‐
3435 proach.
3436 Byte rate policing:
3438 • The size of the bucket corresponds to ingress_polic‐
3440 ing_burst. Initially the bucket is full.
3441 • Whenever a packet is received, its size (converted to to‐
3443 kens) is compared to the number of tokens currently in
3444 the bucket. If the required number of tokens are avail‐
3445 able, they are removed and the packet is forwarded. Oth‐
3446 erwise, the packet is dropped.
3447 • Whenever it is not full, the bucket is refilled with to‐
3449 kens at the rate specified by ingress_policing_rate.
3450 Packet rate policing:
3452 • The size of the bucket corresponds to ingress_polic‐
3454 ing_kpkts_burst. Initially the bucket is full.
3455 • Whenever a packet is received, it will consume one token
3457 from the current bucket. If the token is available in the
3458 bucket, it’s removed and the packet is forwarded. Other‐
3459 wise, the packet is dropped.
3460 • Whenever it is not full, the bucket is refilled with to‐
3462 kens at the rate specified by ingress_policing_kp‐
3463 kts_rate.
3464 Policing interacts badly with some network protocols, and especially
3466 with fragmented IP packets. Suppose that there is enough network activ‐
3467 ity to keep the bucket nearly empty all the time. Then this token
3468 bucket algorithm will forward a single packet every so often, with the
3469 period depending on packet size and on the configured rate. All of the
3470 fragments of an IP packets are normally transmitted back-to-back, as a
3471 group. In such a situation, therefore, only one of these fragments will
3472 be forwarded and the rest will be dropped. IP does not provide any way
3473 for the intended recipient to ask for only the remaining fragments. In
3474 such a case there are two likely possibilities for what will happen
3475 next: either all of the fragments will eventually be retransmitted (as
3476 TCP will do), in which case the same problem will recur, or the sender
3477 will not realize that its packet has been dropped and data will simply
3478 be lost (as some UDP-based protocols will do). Either way, it is possi‐
3479 ble that no forward progress will ever occur.
3480 ingress_policing_rate: integer, at least 0
3482 Maximum rate for data received on this interface, in kbps. Data
3483 received faster than this rate is dropped. Set to 0 (the de‐
3484 fault) to disable policing.
3485 ingress_policing_kpkts_rate: integer, at least 0
3487 Maximum rate for data received on this interface, in kpps (1
3488 kpps is 1000 pps). Data received faster than this rate is
3489 dropped. Set to 0 (the default) to disable policing.
3490 ingress_policing_burst: integer, at least 0
3492 Maximum burst size for data received on this interface, in kb.
3493 The default burst size if set to 0 is 8000 kbit. This value has
3494 no effect if ingress_policing_rate is 0.
3495 Specifying a larger burst size lets the algorithm be more for‐
3497 giving, which is important for protocols like TCP that react se‐
3498 verely to dropped packets. The burst size should be at least the
3499 size of the interface’s MTU. Specifying a value that is numeri‐
3500 cally at least as large as 80% of ingress_policing_rate helps
3501 TCP come closer to achieving the full rate.
3502 ingress_policing_kpkts_burst: integer, at least 0
3504 Maximum burst size for data received on this interface, in kpkts
3505 (1 kpkts is 1000 packets). The default burst size if set to 0 is
3506 16 kpkts. This value has no effect if ingress_policing_kp‐
3507 kts_rate is 0.
3508 Specifying a larger burst size lets the algorithm be more for‐
3510 giving, which is important for protocols like TCP that react se‐
3511 verely to dropped packets. Specifying a value that is numeri‐
3512 cally at least as large as 80% of ingress_policing_kpkts_rate
3513 helps TCP come closer to achieving the full rate.
3514 Bidirectional Forwarding Detection (BFD):
3516 BFD, defined in RFC 5880 and RFC 5881, allows point-to-point detection
3518 of connectivity failures by occasional transmission of BFD control mes‐
3519 sages. Open vSwitch implements BFD to serve as a more popular and stan‐
3520 dards compliant alternative to CFM.
3521 BFD operates by regularly transmitting BFD control messages at a rate
3523 negotiated independently in each direction. Each endpoint specifies the
3524 rate at which it expects to receive control messages, and the rate at
3525 which it is willing to transmit them. By default, Open vSwitch uses a
3526 detection multiplier of three, meaning that an endpoint signals a con‐
3527 nectivity fault if three consecutive BFD control messages fail to ar‐
3528 rive. In the case of a unidirectional connectivity issue, the system
3529 not receiving BFD control messages signals the problem to its peer in
3530 the messages it transmits.
3531 The Open vSwitch implementation of BFD aims to comply faithfully with
3533 RFC 5880 requirements. Open vSwitch does not implement the optional Au‐
3534 thentication or ``Echo Mode’’ features.
3535 OVS 2.13 and earlier intercepted and processed all BFD packets. OVS
3537 2.14 and later only intercept and process BFD packets destined to a
3538 configured BFD instance, and other BFD packets are made available to
3539 the OVS flow table for forwarding.
3540 BFD Configuration:
3542 A controller sets up key-value pairs in the bfd column to enable and
3544 configure BFD.
3545 bfd : enable: optional string, either true or false
3547 True to enable BFD on this Interface. If not specified, BFD will
3548 not be enabled by default.
3549 bfd : min_rx: optional string, containing an integer, at least 1
3551 The shortest interval, in milliseconds, at which this BFD ses‐
3552 sion offers to receive BFD control messages. The remote endpoint
3553 may choose to send messages at a slower rate. Defaults to 1000.
3554 bfd : min_tx: optional string, containing an integer, at least 1
3556 The shortest interval, in milliseconds, at which this BFD ses‐
3557 sion is willing to transmit BFD control messages. Messages will
3558 actually be transmitted at a slower rate if the remote endpoint
3559 is not willing to receive as quickly as specified. Defaults to
3560 100.
3561 bfd : decay_min_rx: optional string, containing an integer
3563 An alternate receive interval, in milliseconds, that must be
3564 greater than or equal to bfd:min_rx. The implementation switches
3565 from bfd:min_rx to bfd:decay_min_rx when there is no obvious in‐
3566 coming data traffic at the interface, to reduce the CPU and
3567 bandwidth cost of monitoring an idle interface. This feature may
3568 be disabled by setting a value of 0. This feature is reset when‐
3569 ever bfd:decay_min_rx or bfd:min_rx changes.
3570 bfd : forwarding_if_rx: optional string, either true or false
3572 When true, traffic received on the Interface is used to indicate
3573 the capability of packet I/O. BFD control packets are still
3574 transmitted and received. At least one BFD control packet must
3575 be received every 100 * bfd:min_rx amount of time. Otherwise,
3576 even if traffic are received, the bfd:forwarding will be false.
3577 bfd : cpath_down: optional string, either true or false
3579 Set to true to notify the remote endpoint that traffic should
3580 not be forwarded to this system for some reason other than a
3581 connectivty failure on the interface being monitored. The typi‐
3582 cal underlying reason is ``concatenated path down,’’ that is,
3583 that connectivity beyond the local system is down. Defaults to
3584 false.
3585 bfd : check_tnl_key: optional string, either true or false
3587 Set to true to make BFD accept only control messages with a tun‐
3588 nel key of zero. By default, BFD accepts control messages with
3589 any tunnel key.
3590 bfd : bfd_local_src_mac: optional string
3592 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3593 the MAC used as source for transmitted BFD packets. The default
3594 is the mac address of the BFD enabled interface.
3595 bfd : bfd_local_dst_mac: optional string
3597 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3598 the MAC used as destination for transmitted BFD packets. The de‐
3599 fault is 00:23:20:00:00:01.
3600 bfd : bfd_remote_dst_mac: optional string
3602 Set to an Ethernet address in the form xx:xx:xx:xx:xx:xx to set
3603 the MAC used for checking the destination of received BFD pack‐
3604 ets. Packets with different destination MAC will not be consid‐
3605 ered as BFD packets. If not specified the destination MAC ad‐
3606 dress of received BFD packets are not checked.
3607 bfd : bfd_src_ip: optional string
3609 Set to an IPv4 address to set the IP address used as source for
3610 transmitted BFD packets. The default is 169.254.1.1.
3611 bfd : bfd_dst_ip: optional string
3613 Set to an IPv4 address to set the IP address used as destination
3614 for transmitted BFD packets. The default is 169.254.1.0.
3615 bfd : oam: optional string
3617 Some tunnel protocols (such as Geneve) include a bit in the
3618 header to indicate that the encapsulated packet is an OAM frame.
3619 By setting this to true, BFD packets will be marked as OAM if
3620 encapsulated in one of these tunnels.
3621 bfd : mult: optional string, containing an integer, in range 1 to 255
3623 The BFD detection multiplier, which defaults to 3. An endpoint
3624 signals a connectivity fault if the given number of consecutive
3625 BFD control messages fail to arrive.
3626 BFD Status:
3628 The switch sets key-value pairs in the bfd_status column to report the
3630 status of BFD on this interface. When BFD is not enabled, with bfd:en‐
3631 able, the switch clears all key-value pairs from bfd_status.
3632 bfd_status : state: optional string, one of admin_down, down, init, or
3634 up
3635 Reports the state of the BFD session. The BFD session is fully
3636 healthy and negotiated if UP.
3637 bfd_status : forwarding: optional string, either true or false
3639 Reports whether the BFD session believes this Interface may be
3640 used to forward traffic. Typically this means the local session
3641 is signaling UP, and the remote system isn’t signaling a problem
3642 such as concatenated path down.
3643 bfd_status : diagnostic: optional string
3645 A diagnostic code specifying the local system’s reason for the
3646 last change in session state. The error messages are defined in
3647 section 4.1 of [RFC 5880].
3648 bfd_status : remote_state: optional string, one of admin_down, down,
3650 init, or up
3651 Reports the state of the remote endpoint’s BFD session.
3652 bfd_status : remote_diagnostic: optional string
3654 A diagnostic code specifying the remote system’s reason for the
3655 last change in session state. The error messages are defined in
3656 section 4.1 of [RFC 5880].
3657 bfd_status : flap_count: optional string, containing an integer, at
3659 least 0
3660 Counts the number of bfd_status:forwarding flaps since start. A
3661 flap is considered as a change of the bfd_status:forwarding
3662 value.
3663 Connectivity Fault Management:
3665 802.1ag Connectivity Fault Management (CFM) allows a group of Mainte‐
3667 nance Points (MPs) called a Maintenance Association (MA) to detect con‐
3668 nectivity problems with each other. MPs within a MA should have com‐
3669 plete and exclusive interconnectivity. This is verified by occasionally
3670 broadcasting Continuity Check Messages (CCMs) at a configurable trans‐
3671 mission interval.
3672 According to the 802.1ag specification, each Maintenance Point should
3674 be configured out-of-band with a list of Remote Maintenance Points it
3675 should have connectivity to. Open vSwitch differs from the specifica‐
3676 tion in this area. It simply assumes the link is faulted if no Remote
3677 Maintenance Points are reachable, and considers it not faulted other‐
3678 wise.
3679 When operating over tunnels which have no in_key, or an in_key of flow.
3681 CFM will only accept CCMs with a tunnel key of zero.
3682 cfm_mpid: optional integer
3684 A Maintenance Point ID (MPID) uniquely identifies each endpoint
3685 within a Maintenance Association. The MPID is used to identify
3686 this endpoint to other Maintenance Points in the MA. Each end of
3687 a link being monitored should have a different MPID. Must be
3688 configured to enable CFM on this Interface.
3689 According to the 802.1ag specification, MPIDs can only range be‐
3691 tween [1, 8191]. However, extended mode (see other_con‐
3692 fig:cfm_extended) supports eight byte MPIDs.
3693 cfm_flap_count: optional integer
3695 Counts the number of cfm fault flapps since boot. A flap is con‐
3696 sidered to be a change of the cfm_fault value.
3697 cfm_fault: optional boolean
3699 Indicates a connectivity fault triggered by an inability to re‐
3700 ceive heartbeats from any remote endpoint. When a fault is trig‐
3701 gered on Interfaces participating in bonds, they will be dis‐
3702 abled.
3703 Faults can be triggered for several reasons. Most importantly
3705 they are triggered when no CCMs are received for a period of 3.5
3706 times the transmission interval. Faults are also triggered when
3707 any CCMs indicate that a Remote Maintenance Point is not receiv‐
3708 ing CCMs but able to send them. Finally, a fault is triggered if
3709 a CCM is received which indicates unexpected configuration. No‐
3710 tably, this case arises when a CCM is received which advertises
3711 the local MPID.
3712 cfm_fault_status : recv: none
3714 Indicates a CFM fault was triggered due to a lack of CCMs re‐
3715 ceived on the Interface.
3716 cfm_fault_status : rdi: none
3718 Indicates a CFM fault was triggered due to the reception of a
3719 CCM with the RDI bit flagged. Endpoints set the RDI bit in their
3720 CCMs when they are not receiving CCMs themselves. This typically
3721 indicates a unidirectional connectivity failure.
3722 cfm_fault_status : maid: none
3724 Indicates a CFM fault was triggered due to the reception of a
3725 CCM with a MAID other than the one Open vSwitch uses. CFM broad‐
3726 casts are tagged with an identification number in addition to
3727 the MPID called the MAID. Open vSwitch only supports receiving
3728 CCM broadcasts tagged with the MAID it uses internally.
3729 cfm_fault_status : loopback: none
3731 Indicates a CFM fault was triggered due to the reception of a
3732 CCM advertising the same MPID configured in the cfm_mpid column
3733 of this Interface. This may indicate a loop in the network.
3734 cfm_fault_status : overflow: none
3736 Indicates a CFM fault was triggered because the CFM module re‐
3737 ceived CCMs from more remote endpoints than it can keep track
3738 of.
3739 cfm_fault_status : override: none
3741 Indicates a CFM fault was manually triggered by an administrator
3742 using an ovs-appctl command.
3743 cfm_fault_status : interval: none
3745 Indicates a CFM fault was triggered due to the reception of a
3746 CCM frame having an invalid interval.
3747 cfm_remote_opstate: optional string, either down or up
3749 When in extended mode, indicates the operational state of the
3750 remote endpoint as either up or down. See other_config:cfm_op‐
3751 state.
3752 cfm_health: optional integer, in range 0 to 100
3754 Indicates the health of the interface as a percentage of CCM
3755 frames received over 21 other_config:cfm_intervals. The health
3756 of an interface is undefined if it is communicating with more
3757 than one cfm_remote_mpids. It reduces if healthy heartbeats are
3758 not received at the expected rate, and gradually improves as
3759 healthy heartbeats are received at the desired rate. Every 21
3760 other_config:cfm_intervals, the health of the interface is re‐
3761 freshed.
3762 As mentioned above, the faults can be triggered for several rea‐
3764 sons. The link health will deteriorate even if heartbeats are
3765 received but they are reported to be unhealthy. An unhealthy
3766 heartbeat in this context is a heartbeat for which either some
3767 fault is set or is out of sequence. The interface health can be
3768 100 only on receiving healthy heartbeats at the desired rate.
3769 cfm_remote_mpids: set of integers
3771 When CFM is properly configured, Open vSwitch will occasionally
3772 receive CCM broadcasts. These broadcasts contain the MPID of the
3773 sending Maintenance Point. The list of MPIDs from which this In‐
3774 terface is receiving broadcasts from is regularly collected and
3775 written to this column.
3776 other_config : cfm_interval: optional string, containing an integer
3778 The interval, in milliseconds, between transmissions of CFM
3779 heartbeats. Three missed heartbeat receptions indicate a connec‐
3780 tivity fault.
3781 In standard operation only intervals of 3, 10, 100, 1,000,
3783 10,000, 60,000, or 600,000 ms are supported. Other values will
3784 be rounded down to the nearest value on the list. Extended mode
3785 (see other_config:cfm_extended) supports any interval up to
3786 65,535 ms. In either mode, the default is 1000 ms.
3787 We do not recommend using intervals less than 100 ms.
3789 other_config : cfm_extended: optional string, either true or false
3791 When true, the CFM module operates in extended mode. This causes
3792 it to use a nonstandard destination address to avoid conflicting
3793 with compliant implementations which may be running concurrently
3794 on the network. Furthermore, extended mode increases the accu‐
3795 racy of the cfm_interval configuration parameter by breaking
3796 wire compatibility with 802.1ag compliant implementations. And
3797 extended mode allows eight byte MPIDs. Defaults to false.
3798 other_config : cfm_demand: optional string, either true or false
3800 When true, and other_config:cfm_extended is true, the CFM module
3801 operates in demand mode. When in demand mode, traffic received
3802 on the Interface is used to indicate liveness. CCMs are still
3803 transmitted and received. At least one CCM must be received ev‐
3804 ery 100 * other_config:cfm_interval amount of time. Otherwise,
3805 even if traffic are received, the CFM module will raise the con‐
3806 nectivity fault.
3807 Demand mode has a couple of caveats:
3809 • To ensure that ovs-vswitchd has enough time to pull sta‐
3811 tistics from the datapath, the fault detection interval
3812 is set to 3.5 * MAX(other_config:cfm_interval, 500) ms.
3813 • To avoid ambiguity, demand mode disables itself when
3815 there are multiple remote maintenance points.
3816 • If the Interface is heavily congested, CCMs containing
3818 the other_config:cfm_opstate status may be dropped caus‐
3819 ing changes in the operational state to be delayed. Simi‐
3820 larly, if CCMs containing the RDI bit are not received,
3821 unidirectional link failures may not be detected.
3822 other_config : cfm_opstate: optional string, either down or up
3824 When down, the CFM module marks all CCMs it generates as opera‐
3825 tionally down without triggering a fault. This allows remote
3826 maintenance points to choose not to forward traffic to the In‐
3827 terface on which this CFM module is running. Currently, in Open
3828 vSwitch, the opdown bit of CCMs affects Interfaces participating
3829 in bonds, and the bundle OpenFlow action. This setting is ig‐
3830 nored when CFM is not in extended mode. Defaults to up.
3831 other_config : cfm_ccm_vlan: optional string, containing an integer, in
3833 range 1 to 4,095
3834 When set, the CFM module will apply a VLAN tag to all CCMs it
3835 generates with the given value. May be the string random in
3836 which case each CCM will be tagged with a different randomly
3837 generated VLAN.
3838 other_config : cfm_ccm_pcp: optional string, containing an integer, in
3840 range 1 to 7
3841 When set, the CFM module will apply a VLAN tag to all CCMs it
3842 generates with the given PCP value, the VLAN ID of the tag is
3843 governed by the value of other_config:cfm_ccm_vlan. If
3844 other_config:cfm_ccm_vlan is unset, a VLAN ID of zero is used.
3845 Bonding Configuration:
3847 other_config : lacp-port-id: optional string, containing an integer, in
3849 range 1 to 65,535
3850 The LACP port ID of this Interface. Port IDs are used in LACP
3851 negotiations to identify individual ports participating in a
3852 bond.
3853 other_config : lacp-port-priority: optional string, containing an inte‐
3855 ger, in range 1 to 65,535
3856 The LACP port priority of this Interface. In LACP negotiations
3857 Interfaces with numerically lower priorities are preferred for
3858 aggregation.
3859 other_config : lacp-aggregation-key: optional string, containing an in‐
3861 teger, in range 1 to 65,535
3862 The LACP aggregation key of this Interface. Interfaces with dif‐
3863 ferent aggregation keys may not be active within a given Port at
3864 the same time.
3865 Virtual Machine Identifiers:
3867 These key-value pairs specifically apply to an interface that repre‐
3869 sents a virtual Ethernet interface connected to a virtual machine.
3870 These key-value pairs should not be present for other types of inter‐
3871 faces. Keys whose names end in -uuid have values that uniquely identify
3872 the entity in question.
3873 external_ids : attached-mac: optional string
3875 The MAC address programmed into the ``virtual hardware’’ for
3876 this interface, in the form xx:xx:xx:xx:xx:xx.
3877 external_ids : iface-id: optional string
3879 A system-unique identifier for the interface.
3880 external_ids : iface-status: optional string, either active or inactive
3882 Hypervisors may sometimes have more than one interface associ‐
3883 ated with a given external_ids:iface-id, only one of which is
3884 actually in use at a given time. For example, in some circum‐
3885 stances hypervisor may have both a ``tap’’ and a ``vif’’ inter‐
3886 face for a single external_ids:iface-id, but only uses one of
3887 them at a time. A hypervisor that behaves this way must mark the
3888 currently in use interface active and the others inactive. A hy‐
3889 pervisor that never has more than one interface for a given ex‐
3890 ternal_ids:iface-id may mark that interface active or omit ex‐
3891 ternal_ids:iface-status entirely.
3892 During VM migration, a given external_ids:iface-id might tran‐
3894 siently be marked active on two different hypervisors. That is,
3895 active means that this external_ids:iface-id is the active in‐
3896 stance within a single hypervisor, not in a broader scope. There
3897 is one exception: some hypervisors support ``migration’’ from a
3898 given hypervisor to itself (most often for test purposes). Dur‐
3899 ing such a ``migration,’’ two instances of a single exter‐
3900 nal_ids:iface-id might both be briefly marked active on a single
3901 hypervisor.
3902 external_ids : vm-id: optional string
3904 The VM to which this interface belongs.
3905 Auto Attach Configuration:
3907 Auto Attach configuration for a particular interface.
3909 lldp : enable: optional string, either true or false
3911 True to enable LLDP on this Interface. If not specified, LLDP
3912 will be disabled by default.
3913 Flow control Configuration:
3915 Ethernet flow control defined in IEEE 802.1Qbb provides link level flow
3917 control using MAC pause frames. Implemented only for interfaces with
3918 type dpdk.
3919 options : rx-flow-ctrl: optional string, either true or false
3921 Set to true to enable Rx flow control on physical ports. By de‐
3922 fault, Rx flow control is disabled.
3923 options : tx-flow-ctrl: optional string, either true or false
3925 Set to true to enable Tx flow control on physical ports. By de‐
3926 fault, Tx flow control is disabled.
3927 options : flow-ctrl-autoneg: optional string, either true or false
3929 Set to true to enable flow control auto negotiation on physical
3930 ports. By default, auto-neg is disabled.
3931 Link State Change detection mode:
3933 options : dpdk-lsc-interrupt: optional string, either true or false
3935 Set this value to true to configure interrupt mode for Link
3936 State Change (LSC) detection instead of poll mode for the DPDK
3937 interface.
3938 If this value is not set, poll mode is configured.
3940 This parameter has an effect only on netdev dpdk interfaces.
3942 Common Columns:
3944 The overall purpose of these columns is described under Common Columns
3946 at the beginning of this document.
3947 other_config: map of string-string pairs
3949 external_ids: map of string-string pairs
3951
3953 Configuration for a particular OpenFlow table.
3954 Summary:
3956 name optional string
3957 Eviction Policy:
3958 flow_limit optional integer, at least 0
3959 overflow_policy optional string, either evict or refuse
3960 groups set of strings
3961 Classifier Optimization:
3962 prefixes set of up to 3 strings
3963 Common Columns:
3964 external_ids map of string-string pairs
3965 Details:
3967 name: optional string
3968 The table’s name. Set this column to change the name that con‐
3969 trollers will receive when they request table statistics, e.g.
3970 ovs-ofctl dump-tables. The name does not affect switch behavior.
3971 Eviction Policy:
3973 Open vSwitch supports limiting the number of flows that may be in‐
3975 stalled in a flow table, via the flow_limit column. When adding a flow
3976 would exceed this limit, by default Open vSwitch reports an error, but
3977 there are two ways to configure Open vSwitch to instead delete
3978 (``evict’’) a flow to make room for the new one:
3979 • Set the overflow_policy column to evict.
3981 • Send an OpenFlow 1.4+ ``table mod request’’ to enable
3983 eviction for the flow table (e.g. ovs-ofctl -O OpenFlow14
3984 mod-table br0 0 evict to enable eviction on flow table 0
3985 of bridge br0).
3986 When a flow must be evicted due to overflow, the flow to evict is cho‐
3988 sen through an approximation of the following algorithm. This algorithm
3989 is used regardless of how eviction was enabled:
3990 1. Divide the flows in the table into groups based on the val‐
3992 ues of the fields or subfields specified in the groups col‐
3993 umn, so that all of the flows in a given group have the same
3994 values for those fields. If a flow does not specify a given
3995 field, that field’s value is treated as 0. If groups is
3996 empty, then all of the flows in the flow table are treated
3997 as a single group.
3998 2. Consider the flows in the largest group, that is, the group
4000 that contains the greatest number of flows. If two or more
4001 groups all have the same largest number of flows, consider
4002 the flows in all of those groups.
4003 3. If the flows under consideration have different importance
4005 values, eliminate from consideration any flows except those
4006 with the lowest importance. (``Importance,’’ a 16-bit inte‐
4007 ger value attached to each flow, was introduced in OpenFlow
4008 1.4. Flows inserted with older versions of OpenFlow always
4009 have an importance of 0.)
4010 4. Among the flows under consideration, choose the flow that
4012 expires soonest for eviction.
4013 The eviction process only considers flows that have an idle timeout or
4015 a hard timeout. That is, eviction never deletes permanent flows. (Per‐
4016 manent flows do count against flow_limit.)
4017 flow_limit: optional integer, at least 0
4019 If set, limits the number of flows that may be added to the ta‐
4020 ble. Open vSwitch may limit the number of flows in a table for
4021 other reasons, e.g. due to hardware limitations or for resource
4022 availability or performance reasons.
4023 overflow_policy: optional string, either evict or refuse
4025 Controls the switch’s behavior when an OpenFlow flow table modi‐
4026 fication request would add flows in excess of flow_limit. The
4027 supported values are:
4028 refuse Refuse to add the flow or flows. This is also the default
4030 policy when overflow_policy is unset.
4031 evict Delete a flow chosen according to the algorithm described
4033 above.
4034 groups: set of strings
4036 When overflow_policy is evict, this controls how flows are cho‐
4037 sen for eviction when the flow table would otherwise exceed
4038 flow_limit flows. Its value is a set of NXM fields or sub-
4039 fields, each of which takes one of the forms field[] or
4040 field[start..end], e.g. NXM_OF_IN_PORT[]. Please see meta-flow.h
4041 for a complete list of NXM field names.
4042 Open vSwitch ignores any invalid or unknown field specifica‐
4044 tions.
4045 When eviction is not enabled, via overflow_policy or an OpenFlow
4047 1.4+ ``table mod,’’ this column has no effect.
4048 Classifier Optimization:
4050 prefixes: set of up to 3 strings
4052 This string set specifies which fields should be used for ad‐
4053 dress prefix tracking. Prefix tracking allows the classifier to
4054 skip rules with longer than necessary prefixes, resulting in
4055 better wildcarding for datapath flows.
4056 Prefix tracking may be beneficial when a flow table contains
4058 matches on IP address fields with different prefix lengths. For
4059 example, when a flow table contains IP address matches on both
4060 full addresses and proper prefixes, the full address matches
4061 will typically cause the datapath flow to un-wildcard the whole
4062 address field (depending on flow entry priorities). In this case
4063 each packet with a different address gets handed to the
4064 userspace for flow processing and generates its own datapath
4065 flow. With prefix tracking enabled for the address field in
4066 question packets with addresses matching shorter prefixes would
4067 generate datapath flows where the irrelevant address bits are
4068 wildcarded, allowing the same datapath flow to handle all the
4069 packets within the prefix in question. In this case many
4070 userspace upcalls can be avoided and the overall performance can
4071 be better.
4072 This is a performance optimization only, so packets will receive
4074 the same treatment with or without prefix tracking.
4075 The supported fields are: tun_id, tun_src, tun_dst,
4077 tun_ipv6_src, tun_ipv6_dst, nw_src, nw_dst (or aliases ip_src
4078 and ip_dst), ipv6_src, and ipv6_dst. (Using this feature for
4079 tun_id would only make sense if the tunnel IDs have prefix
4080 structure similar to IP addresses.)
4081 By default, the prefixes=ip_dst,ip_src are used on each flow ta‐
4083 ble. This instructs the flow classifier to track the IP destina‐
4084 tion and source addresses used by the rules in this specific
4085 flow table.
4086 The keyword none is recognized as an explicit override of the
4088 default values, causing no prefix fields to be tracked.
4089 To set the prefix fields, the flow table record needs to exist:
4091 ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create
4093 Flow_Table name=table0
4094 Creates a flow table record for the OpenFlow table number
4095 0.
4096 ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
4098 Enables prefix tracking for IP source and destination ad‐
4099 dress fields.
4100 There is a maximum number of fields that can be enabled for any
4102 one flow table. Currently this limit is 3.
4103 Common Columns:
4105 The overall purpose of these columns is described under Common Columns
4107 at the beginning of this document.
4108 external_ids: map of string-string pairs
4110
4112 Quality of Service (QoS) configuration for each Port that references
4113 it.
4114 Summary:
4116 type string
4117 queues map of integer-Queue pairs, key in range
4118 0 to 4,294,967,295
4119 Configuration for linux-htb and linux-hfsc:
4120 other_config : max-rate optional string, containing an integer
4121 Configuration for egress-policer QoS:
4122 other_config : cir optional string, containing an integer
4123 other_config : cbs optional string, containing an integer
4124 other_config : eir optional string, containing an integer
4125 other_config : ebs optional string, containing an integer
4126 Configuration for linux-sfq:
4127 other_config : perturb optional string, containing an integer
4128 other_config : quantum optional string, containing an integer
4129 Configuration for linux-netem:
4130 other_config : latency optional string, containing an integer
4131 other_config : limit optional string, containing an integer
4132 other_config : loss optional string, containing an integer
4133 Common Columns:
4134 other_config map of string-string pairs
4135 external_ids map of string-string pairs
4136 Details:
4138 type: string
4139 The type of QoS to implement. The currently defined types are
4140 listed below:
4141 linux-htb
4143 Linux ``hierarchy token bucket’’ classifier. See tc-
4144 htb(8) (also at http://linux.die.net/man/8/tc-htb) and
4145 the HTB manual (http://luxik.cdi.cz/~devik/qos/htb/man‐
4146 ual/userg.htm) for information on how this classifier
4147 works and how to configure it.
4148 linux-hfsc
4150 Linux "Hierarchical Fair Service Curve" classifier. See
4151 http://linux-ip.net/articles/hfsc.en/ for information on
4152 how this classifier works.
4153 linux-sfq
4155 Linux ``Stochastic Fairness Queueing’’ classifier. See
4156 tc-sfq(8) (also at http://linux.die.net/man/8/tc-sfq) for
4157 information on how this classifier works.
4158 linux-codel
4160 Linux ``Controlled Delay’’ classifier. See tc-codel(8)
4161 (also at
4162 http://man7.org/linux/man-pages/man8/tc-codel.8.html) for
4163 information on how this classifier works.
4164 linux-fq_codel
4166 Linux ``Fair Queuing with Controlled Delay’’ classifier.
4167 See tc-fq_codel(8) (also at
4168 http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html)
4169 for information on how this classifier works.
4170 linux-netem
4172 Linux ``Network Emulator’’ classifier. See tc-netem(8)
4173 (also at
4174 http://man7.org/linux/man-pages/man8/tc-netem.8.html) for
4175 information on how this classifier works.
4176 linux-noop
4178 Linux ``No operation.’’ By default, Open vSwitch manages
4179 quality of service on all of its configured ports. This
4180 can be helpful, but sometimes administrators prefer to
4181 use other software to manage QoS. This type prevents Open
4182 vSwitch from changing the QoS configuration for a port.
4183 egress-policer
4185 A DPDK egress policer algorithm using the DPDK rte_meter
4186 library. The rte_meter library provides an implementation
4187 which allows the metering and policing of traffic. The
4188 implementation in OVS essentially creates a single token
4189 bucket used to police traffic. It should be noted that
4190 when the rte_meter is configured as part of QoS there
4191 will be a performance overhead as the rte_meter itself
4192 will consume CPU cycles in order to police traffic. These
4193 CPU cycles ordinarily are used for packet proccessing. As
4194 such the drop in performance will be noticed in terms of
4195 overall aggregate traffic throughput.
4196 trtcm-policer
4198 A DPDK egress policer algorithm using RFC 4115’s Two-
4199 Rate, Three-Color marker. It’s a two-level hierarchical
4200 policer which first does a color-blind marking of the
4201 traffic at the queue level, followed by a color-aware
4202 marking at the port level. At the end traffic marked as
4203 Green or Yellow is forwarded, Red is dropped. For details
4204 on how traffic is marked, see RFC 4115. If the ``default
4205 queue’’, 0, is not configured it’s automatically created
4206 with the same other_config values as the physical port.
4207 queues: map of integer-Queue pairs, key in range 0 to 4,294,967,295
4209 A map from queue numbers to Queue records. The supported range
4210 of queue numbers depend on type. The queue numbers are the same
4211 as the queue_id used in OpenFlow in struct ofp_action_enqueue
4212 and other structures.
4213 Queue 0 is the ``default queue.’’ It is used by OpenFlow output
4215 actions when no specific queue has been set. When no configura‐
4216 tion for queue 0 is present, it is automatically configured as
4217 if a Queue record with empty dscp and other_config columns had
4218 been specified. (Before version 1.6, Open vSwitch would leave
4219 queue 0 unconfigured in this case. With some queuing disci‐
4220 plines, this dropped all packets destined for the default
4221 queue.)
4222 Configuration for linux-htb and linux-hfsc:
4224 The linux-htb and linux-hfsc classes support the following key-value
4226 pair:
4227 other_config : max-rate: optional string, containing an integer
4229 Maximum rate shared by all queued traffic, in bit/s. Optional.
4230 If not specified, for physical interfaces, the default is the
4231 link rate. For other interfaces or if the link rate cannot be
4232 determined, the default is currently 10 Gbps.
4233 Configuration for egress-policer QoS:
4235 QoS type egress-policer provides egress policing for userspace port
4237 types with DPDK. It has the following key-value pairs defined.
4238 other_config : cir: optional string, containing an integer
4240 The Committed Information Rate (CIR) is measured in bytes of IP
4241 packets per second, i.e. it includes the IP header, but not link
4242 specific (e.g. Ethernet) headers. This represents the bytes per
4243 second rate at which the token bucket will be updated. The cir
4244 value is calculated by (pps x packet data size). For example as‐
4245 suming a user wishes to limit a stream consisting of 64 byte
4246 packets to 1 million packets per second the CIR would be set to
4247 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4248 Where 1,000,000 is the policing rate for the number of packets
4249 per second and 46 represents the size of the packet data for a
4250 64 bytes IP packet without 14 bytes Ethernet and 4 bytes FCS
4251 header.
4252 other_config : cbs: optional string, containing an integer
4254 The Committed Burst Size (CBS) is measured in bytes and repre‐
4255 sents a token bucket. At a minimum this value should be be set
4256 to the expected largest size packet in the traffic stream. In
4257 practice larger values may be used to increase the size of the
4258 token bucket. If a packet can be transmitted then the cbs will
4259 be decremented by the number of bytes/tokens of the packet. If
4260 there are not enough tokens in the cbs bucket the packet will be
4261 dropped.
4262 other_config : eir: optional string, containing an integer
4264 The Excess Information Rate (EIR) is measured in bytes of IP
4265 packets per second, i.e. it includes the IP header, but not link
4266 specific (e.g. Ethernet) headers. This represents the bytes per
4267 second rate at which the token bucket will be updated. The eir
4268 value is calculated by (pps x packet data size). For example as‐
4269 suming a user wishes to limit a stream consisting of 64 byte
4270 packets to 1 million packets per second the EIR would be set to
4271 to to 46000000. This value can be broken into ’1,000,000 x 46’.
4272 Where 1,000,000 is the policing rate for the number of packets
4273 per second and 46 represents the size of the packet data for a
4274 64 bytes IP packet without 14 bytes Ethernet and 4 bytes FCS
4275 header.
4276 other_config : ebs: optional string, containing an integer
4278 The Excess Burst Size (EBS) is measured in bytes and represents
4279 a token bucket. At a minimum this value should be be set to the
4280 expected largest size packet in the traffic stream. In practice
4281 larger values may be used to increase the size of the token
4282 bucket. If a packet can be transmitted then the ebs will be
4283 decremented by the number of bytes/tokens of the packet. If
4284 there are not enough tokens in the cbs bucket the packet might
4285 be dropped.
4286 Configuration for linux-sfq:
4288 The linux-sfq QoS supports the following key-value pairs:
4290 other_config : perturb: optional string, containing an integer
4292 Number of seconds between consecutive perturbations in hashing
4293 algorithm. Different flows can end up in the same hash bucket
4294 causing unfairness. Perturbation’s goal is to remove possible
4295 unfairness. The default and recommended value is 10. Too low a
4296 value is discouraged because each perturbation can cause packet
4297 reordering.
4298 other_config : quantum: optional string, containing an integer
4300 Number of bytes linux-sfq QoS can dequeue in one turn in round-
4301 robin from one flow. The default and recommended value is equal
4302 to interface’s MTU.
4303 Configuration for linux-netem:
4305 The linux-netem QoS supports the following key-value pairs:
4307 other_config : latency: optional string, containing an integer
4309 Adds the chosen delay to the packets outgoing to chosen network
4310 interface. The latency value expressed in us.
4311 other_config : limit: optional string, containing an integer
4313 Maximum number of packets the qdisc may hold queued at a time.
4314 The default value is 1000.
4315 other_config : loss: optional string, containing an integer
4317 Adds an independent loss probability to the packets outgoing
4318 from the chosen network interface.
4319 Common Columns:
4321 The overall purpose of these columns is described under Common Columns
4323 at the beginning of this document.
4324 other_config: map of string-string pairs
4326 external_ids: map of string-string pairs
4328
4330 A configuration for a port output queue, used in configuring Quality of
4331 Service (QoS) features. May be referenced by queues column in QoS ta‐
4332 ble.
4333 Summary:
4335 dscp optional integer, in range 0 to 63
4336 Configuration for linux-htb QoS:
4337 other_config : min-rate optional string, containing an integer,
4338 at least 1
4339 other_config : max-rate optional string, containing an integer,
4340 at least 1
4341 other_config : burst optional string, containing an integer,
4342 at least 1
4343 other_config : priority optional string, containing an integer,
4344 in range 0 to 4,294,967,295
4345 Configuration for linux-hfsc QoS:
4346 other_config : min-rate optional string, containing an integer,
4347 at least 1
4348 other_config : max-rate optional string, containing an integer,
4349 at least 1
4350 Common Columns:
4351 other_config map of string-string pairs
4352 external_ids map of string-string pairs
4353 Details:
4355 dscp: optional integer, in range 0 to 63
4356 If set, Open vSwitch will mark all traffic egressing this Queue
4357 with the given DSCP bits. Traffic egressing the default Queue is
4358 only marked if it was explicitly selected as the Queue at the
4359 time the packet was output. If unset, the DSCP bits of traffic
4360 egressing this Queue will remain unchanged.
4361 Configuration for linux-htb QoS:
4363 QoS type linux-htb may use queue_ids less than 61440. It has the fol‐
4365 lowing key-value pairs defined.
4366 other_config : min-rate: optional string, containing an integer, at
4368 least 1
4369 Minimum guaranteed bandwidth, in bit/s.
4370 other_config : max-rate: optional string, containing an integer, at
4372 least 1
4373 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4374 queue’s rate will not be allowed to exceed the specified value,
4375 even if excess bandwidth is available. If unspecified, defaults
4376 to no limit.
4377 other_config : burst: optional string, containing an integer, at least
4379 1
4380 Burst size, in bits. This is the maximum amount of ``credits’’
4381 that a queue can accumulate while it is idle. Optional. Details
4382 of the linux-htb implementation require a minimum burst size, so
4383 a too-small burst will be silently ignored.
4384 other_config : priority: optional string, containing an integer, in
4386 range 0 to 4,294,967,295
4387 A queue with a smaller priority will receive all the excess
4388 bandwidth that it can use before a queue with a larger value re‐
4389 ceives any. Specific priority values are unimportant; only rela‐
4390 tive ordering matters. Defaults to 0 if unspecified.
4391 Configuration for linux-hfsc QoS:
4393 QoS type linux-hfsc may use queue_ids less than 61440. It has the fol‐
4395 lowing key-value pairs defined.
4396 other_config : min-rate: optional string, containing an integer, at
4398 least 1
4399 Minimum guaranteed bandwidth, in bit/s.
4400 other_config : max-rate: optional string, containing an integer, at
4402 least 1
4403 Maximum allowed bandwidth, in bit/s. Optional. If specified, the
4404 queue’s rate will not be allowed to exceed the specified value,
4405 even if excess bandwidth is available. If unspecified, defaults
4406 to no limit.
4407 Common Columns:
4409 The overall purpose of these columns is described under Common Columns
4411 at the beginning of this document.
4412 other_config: map of string-string pairs
4414 external_ids: map of string-string pairs
4416
4418 A port mirror within a Bridge.
4419 A port mirror configures a bridge to send selected frames to special
4421 ``mirrored’’ ports, in addition to their normal destinations. Mirroring
4422 traffic may also be referred to as SPAN or RSPAN, depending on how the
4423 mirrored traffic is sent.
4424 When a packet enters an Open vSwitch bridge, it becomes eligible for
4426 mirroring based on its ingress port and VLAN. As the packet travels
4427 through the flow tables, each time it is output to a port, it becomes
4428 eligible for mirroring based on the egress port and VLAN. In Open
4429 vSwitch 2.5 and later, mirroring occurs just after a packet first be‐
4430 comes eligible, using the packet as it exists at that point; in Open
4431 vSwitch 2.4 and earlier, mirroring occurs only after a packet has tra‐
4432 versed all the flow tables, using the original packet as it entered the
4433 bridge. This makes a difference only when the flow table modifies the
4434 packet: in Open vSwitch 2.4, the modifications are never visible to
4435 mirrors, whereas in Open vSwitch 2.5 and later modifications made be‐
4436 fore the first output that makes it eligible for mirroring to a partic‐
4437 ular destination are visible.
4438 A packet that enters an Open vSwitch bridge is mirrored to a particular
4440 destination only once, even if it is eligible for multiple reasons. For
4441 example, a packet would be mirrored to a particular output_port only
4442 once, even if it is selected for mirroring to that port by se‐
4443 lect_dst_port and select_src_port in the same or different Mirror
4444 records.
4445 Summary:
4447 name string
4448 Selecting Packets for Mirroring:
4449 select_all boolean
4450 select_dst_port set of weak reference to Ports
4451 select_src_port set of weak reference to Ports
4452 select_vlan set of up to 4,096 integers, in range 0
4453 to 4,095
4454 Mirroring Destination Configuration:
4455 output_port optional weak reference to Port
4456 output_vlan optional integer, in range 1 to 4,095
4457 snaplen optional integer, in range 14 to 65,535
4458 Statistics: Mirror counters:
4459 statistics : tx_packets optional integer
4460 statistics : tx_bytes optional integer
4461 Common Columns:
4462 external_ids map of string-string pairs
4463 Details:
4465 name: string
4466 Arbitrary identifier for the Mirror.
4467 Selecting Packets for Mirroring:
4469 To be selected for mirroring, a given packet must enter or leave the
4471 bridge through a selected port and it must also be in one of the se‐
4472 lected VLANs.
4473 select_all: boolean
4475 If true, every packet arriving or departing on any port is se‐
4476 lected for mirroring.
4477 select_dst_port: set of weak reference to Ports
4479 Ports on which departing packets are selected for mirroring.
4480 select_src_port: set of weak reference to Ports
4482 Ports on which arriving packets are selected for mirroring.
4483 select_vlan: set of up to 4,096 integers, in range 0 to 4,095
4485 VLANs on which packets are selected for mirroring. An empty set
4486 selects packets on all VLANs.
4487 Mirroring Destination Configuration:
4489 These columns are mutually exclusive. Exactly one of them must be
4491 nonempty.
4492 output_port: optional weak reference to Port
4494 Output port for selected packets, if nonempty.
4495 Specifying a port for mirror output reserves that port exclu‐
4497 sively for mirroring. No frames other than those selected for
4498 mirroring via this column will be forwarded to the port, and any
4499 frames received on the port will be discarded.
4500 The output port may be any kind of port supported by Open
4502 vSwitch. It may be, for example, a physical port (sometimes
4503 called SPAN) or a GRE tunnel.
4504 output_vlan: optional integer, in range 1 to 4,095
4506 Output VLAN for selected packets, if nonempty.
4507 The frames will be sent out all ports that trunk output_vlan, as
4509 well as any ports with implicit VLAN output_vlan. When a mir‐
4510 rored frame is sent out a trunk port, the frame’s VLAN tag will
4511 be set to output_vlan, replacing any existing tag; when it is
4512 sent out an implicit VLAN port, the frame will not be tagged.
4513 This type of mirroring is sometimes called RSPAN.
4514 See the documentation for other_config:forward-bpdu in the In‐
4516 terface table for a list of destination MAC addresses which will
4517 not be mirrored to a VLAN to avoid confusing switches that in‐
4518 terpret the protocols that they represent.
4519 Please note: Mirroring to a VLAN can disrupt a network that con‐
4521 tains unmanaged switches. Consider an unmanaged physical switch
4522 with two ports: port 1, connected to an end host, and port 2,
4523 connected to an Open vSwitch configured to mirror received pack‐
4524 ets into VLAN 123 on port 2. Suppose that the end host sends a
4525 packet on port 1 that the physical switch forwards to port 2.
4526 The Open vSwitch forwards this packet to its destination and
4527 then reflects it back on port 2 in VLAN 123. This reflected
4528 packet causes the unmanaged physical switch to replace the MAC
4529 learning table entry, which correctly pointed to port 1, with
4530 one that incorrectly points to port 2. Afterward, the physical
4531 switch will direct packets destined for the end host to the Open
4532 vSwitch on port 2, instead of to the end host on port 1, dis‐
4533 rupting connectivity. If mirroring to a VLAN is desired in this
4534 scenario, then the physical switch must be replaced by one that
4535 learns Ethernet addresses on a per-VLAN basis. In addition,
4536 learning should be disabled on the VLAN containing mirrored
4537 traffic. If this is not done then intermediate switches will
4538 learn the MAC address of each end host from the mirrored traf‐
4539 fic. If packets being sent to that end host are also mirrored,
4540 then they will be dropped since the switch will attempt to send
4541 them out the input port. Disabling learning for the VLAN will
4542 cause the switch to correctly send the packet out all ports con‐
4543 figured for that VLAN. If Open vSwitch is being used as an in‐
4544 termediate switch, learning can be disabled by adding the mir‐
4545 rored VLAN to flood_vlans in the appropriate Bridge table or ta‐
4546 bles.
4547 Mirroring to a GRE tunnel has fewer caveats than mirroring to a
4549 VLAN and should generally be preferred.
4550 snaplen: optional integer, in range 14 to 65,535
4552 Maximum per-packet number of bytes to mirror.
4553 A mirrored packet with size larger than snaplen will be trun‐
4555 cated in datapath to snaplen bytes before sending to the mirror
4556 output port. If omitted, packets are not truncated.
4557 Statistics: Mirror counters:
4559 Key-value pairs that report mirror statistics. The update period is
4561 controlled by other_config:stats-update-interval in the Open_vSwitch
4562 table.
4563 statistics : tx_packets: optional integer
4565 Number of packets transmitted through this mirror.
4566 statistics : tx_bytes: optional integer
4568 Number of bytes transmitted through this mirror.
4569 Common Columns:
4571 The overall purpose of these columns is described under Common Columns
4573 at the beginning of this document.
4574 external_ids: map of string-string pairs
4576
4578 An OpenFlow controller.
4579 Summary:
4581 Core Features:
4582 type optional string, either primary or ser‐
4583 vice
4584 target string
4585 connection_mode optional string, either in-band or
4586 out-of-band
4587 Controller Failure Detection and Handling:
4588 max_backoff optional integer, at least 1,000
4589 inactivity_probe optional integer
4590 Asynchronous Messages:
4591 enable_async_messages optional boolean
4592 Controller Rate Limiting:
4593 controller_queue_size optional integer, in range 1 to 512
4594 controller_rate_limit optional integer, at least 100
4595 controller_burst_limit optional integer, at least 25
4596 Controller Rate Limiting Statistics:
4597 status : packet-in-TYPE-bypassed
4598 optional string, containing an integer,
4599 at least 0
4600 status : packet-in-TYPE-queued
4601 optional string, containing an integer,
4602 at least 0
4603 status : packet-in-TYPE-dropped
4604 optional string, containing an integer,
4605 at least 0
4606 status : packet-in-TYPE-backlog
4607 optional string, containing an integer,
4608 at least 0
4609 Additional In-Band Configuration:
4610 local_ip optional string
4611 local_netmask optional string
4612 local_gateway optional string
4613 Controller Status:
4614 is_connected boolean
4615 role optional string, one of master, other, or
4616 slave
4617 status : last_error optional string
4618 status : state optional string, one of ACTIVE, BACKOFF,
4619 CONNECTING, IDLE, or VOID
4620 status : sec_since_connect optional string, containing an integer,
4621 at least 0
4622 status : sec_since_disconnect
4623 optional string, containing an integer,
4624 at least 1
4625 Connection Parameters:
4626 other_config : dscp optional string, containing an integer
4627 Common Columns:
4628 external_ids map of string-string pairs
4629 other_config map of string-string pairs
4630 Details:
4632 Core Features:
4633 type: optional string, either primary or service
4635 Open vSwitch supports two kinds of OpenFlow controllers. A
4636 bridge may have any number of each kind:
4637 Primary controllers
4639 This is the kind of controller envisioned by the OpenFlow
4640 specifications. Usually, a primary controller implements
4641 a network policy by taking charge of the switch’s flow
4642 table.
4643 The fail_mode column in the Bridge table applies to pri‐
4645 mary controllers.
4646 When multiple primary controllers are configured, Open
4648 vSwitch connects to all of them simultaneously. OpenFlow
4649 provides few facilities to allow multiple controllers to
4650 coordinate in interacting with a single switch, so more
4651 than one primary controller should be specified only if
4652 the controllers are themselves designed to coordinate
4653 with each other.
4654 Service controllers
4656 These kinds of OpenFlow controller connections are in‐
4657 tended for occasional support and maintenance use, e.g.
4658 with ovs-ofctl. Usually a service controller connects
4659 only briefly to inspect or modify some of a switch’s
4660 state.
4661 The fail_mode column in the Bridge table does not apply
4663 to service controllers.
4664 By default, Open vSwitch treats controllers with active connec‐
4666 tion methods as primary controllers and those with passive con‐
4667 nection methods as service controllers. Set this column to the
4668 desired type to override this default.
4669 target: string
4671 Connection method for controller.
4672 The following active connection methods are currently supported:
4674 ssl:host[:port]
4676 The specified SSL port on the host at the given host,
4677 which can either be a DNS name (if built with unbound li‐
4678 brary) or an IP address. The ssl column in the
4679 Open_vSwitch table must point to a valid SSL configura‐
4680 tion when this form is used.
4681 If port is not specified, it defaults to 6653.
4683 SSL support is an optional feature that is not always
4685 built as part of Open vSwitch.
4686 tcp:host[:port]
4688 The specified TCP port on the host at the given host,
4689 which can either be a DNS name (if built with unbound li‐
4690 brary) or an IP address (IPv4 or IPv6). If host is an
4691 IPv6 address, wrap it in square brackets, e.g.
4692 tcp:[::1]:6653.
4693 If port is not specified, it defaults to 6653.
4695 The following passive connection methods are currently sup‐
4697 ported:
4698 pssl:[port][:host]
4700 Listens for SSL connections on the specified TCP port. If
4701 host, which can either be a DNS name (if built with un‐
4702 bound library) or an IP address, is specified, then con‐
4703 nections are restricted to the resolved or specified lo‐
4704 cal IP address (either IPv4 or IPv6). If host is an IPv6
4705 address, wrap it in square brackets, e.g.
4706 pssl:6653:[::1].
4707 If port is not specified, it defaults to 6653. If host is
4709 not specified then it listens only on IPv4 (but not IPv6)
4710 addresses. The ssl column in the Open_vSwitch table must
4711 point to a valid SSL configuration when this form is
4712 used.
4713 If port is not specified, it currently to 6653.
4715 SSL support is an optional feature that is not always
4717 built as part of Open vSwitch.
4718 ptcp:[port][:host]
4720 Listens for connections on the specified TCP port. If
4721 host, which can either be a DNS name (if built with un‐
4722 bound library) or an IP address, is specified, then con‐
4723 nections are restricted to the resolved or specified lo‐
4724 cal IP address (either IPv4 or IPv6). If host is an IPv6
4725 address, wrap it in square brackets, e.g.
4726 ptcp:6653:[::1]. If host is not specified then it listens
4727 only on IPv4 addresses.
4728 If port is not specified, it defaults to 6653.
4730 When multiple controllers are configured for a single bridge,
4732 the target values must be unique. Duplicate target values yield
4733 unspecified results.
4734 connection_mode: optional string, either in-band or out-of-band
4736 If it is specified, this setting must be one of the following
4737 strings that describes how Open vSwitch contacts this OpenFlow
4738 controller over the network:
4739 in-band
4741 In this mode, this controller’s OpenFlow traffic travels
4742 over the bridge associated with the controller. With this
4743 setting, Open vSwitch allows traffic to and from the con‐
4744 troller regardless of the contents of the OpenFlow flow
4745 table. (Otherwise, Open vSwitch would never be able to
4746 connect to the controller, because it did not have a flow
4747 to enable it.) This is the most common connection mode
4748 because it is not necessary to maintain two independent
4749 networks.
4750 out-of-band
4752 In this mode, OpenFlow traffic uses a control network
4753 separate from the bridge associated with this controller,
4754 that is, the bridge does not use any of its own network
4755 devices to communicate with the controller. The control
4756 network must be configured separately, before or after
4757 ovs-vswitchd is started.
4758 If not specified, the default is implementation-specific.
4760 Controller Failure Detection and Handling:
4762 max_backoff: optional integer, at least 1,000
4764 Maximum number of milliseconds to wait between connection at‐
4765 tempts. Default is implementation-specific.
4766 inactivity_probe: optional integer
4768 Maximum number of milliseconds of idle time on connection to
4769 controller before sending an inactivity probe message. If Open
4770 vSwitch does not communicate with the controller for the speci‐
4771 fied number of seconds, it will send a probe. If a response is
4772 not received for the same additional amount of time, Open
4773 vSwitch assumes the connection has been broken and attempts to
4774 reconnect. Default is implementation-specific. A value of 0 dis‐
4775 ables inactivity probes.
4776 Asynchronous Messages:
4778 OpenFlow switches send certain messages to controllers spontanenously,
4780 that is, not in response to any request from the controller. These mes‐
4781 sages are called ``asynchronous messages.’’ These columns allow asyn‐
4782 chronous messages to be limited or disabled to ensure the best use of
4783 network resources.
4784 enable_async_messages: optional boolean
4786 The OpenFlow protocol enables asynchronous messages at time of
4787 connection establishment, which means that a controller can re‐
4788 ceive asynchronous messages, potentially many of them, even if
4789 it turns them off immediately after connecting. Set this column
4790 to false to change Open vSwitch behavior to disable, by default,
4791 all asynchronous messages. The controller can use the
4792 NXT_SET_ASYNC_CONFIG Nicira extension to OpenFlow to turn on any
4793 messages that it does want to receive, if any.
4794 Controller Rate Limiting:
4796 A switch can forward packets to a controller over the OpenFlow proto‐
4798 col. Forwarding packets this way at too high a rate can overwhelm a
4799 controller, frustrate use of the OpenFlow connection for other pur‐
4800 poses, increase the latency of flow setup, and use an unreasonable
4801 amount of bandwidth. Therefore, Open vSwitch supports limiting the rate
4802 of packet forwarding to a controller.
4803 There are two main reasons in OpenFlow for a packet to be sent to a
4805 controller: either the packet ``misses’’ in the flow table, that is,
4806 there is no matching flow, or a flow table action says to send the
4807 packet to the controller. Open vSwitch limits the rate of each kind of
4808 packet separately at the configured rate. Therefore, the actual rate
4809 that packets are sent to the controller can be up to twice the config‐
4810 ured rate, when packets are sent for both reasons.
4811 This feature is specific to forwarding packets over an OpenFlow connec‐
4813 tion. It is not general-purpose QoS. See the QoS table for quality of
4814 service configuration, and ingress_policing_rate in the Interface table
4815 for ingress policing configuration.
4816 controller_queue_size: optional integer, in range 1 to 512
4818 This sets the maximum size of the queue of packets that need to
4819 be sent to this OpenFlow controller. The value must be less than
4820 512. If not specified the queue size is limited to the value set
4821 for the management controller in other_config:controller-queue-
4822 size if present or 100 packets by default. Note: increasing the
4823 queue size might have a negative impact on latency.
4824 controller_rate_limit: optional integer, at least 100
4826 The maximum rate at which the switch will forward packets to the
4827 OpenFlow controller, in packets per second. If no value is spec‐
4828 ified, rate limiting is disabled.
4829 controller_burst_limit: optional integer, at least 25
4831 When a high rate triggers rate-limiting, Open vSwitch queues
4832 packets to the controller for each port and transmits them to
4833 the controller at the configured rate. This value limits the
4834 number of queued packets. Ports on a bridge share the packet
4835 queue fairly.
4836 This value has no effect unless controller_rate_limit is config‐
4838 ured. The current default when this value is not specified is
4839 one-quarter of controller_rate_limit, meaning that queuing can
4840 delay forwarding a packet to the controller by up to 250 ms.
4841 Controller Rate Limiting Statistics:
4843 These values report the effects of rate limiting. Their values are rel‐
4845 ative to establishment of the most recent OpenFlow connection, or since
4846 rate limiting was enabled, whichever happened more recently. Each con‐
4847 sists of two values, one with TYPE replaced by miss for rate limiting
4848 flow table misses, and the other with TYPE replaced by action for rate
4849 limiting packets sent by OpenFlow actions.
4850 These statistics are reported only when controller rate limiting is en‐
4852 abled.
4853 status : packet-in-TYPE-bypassed: optional string, containing an inte‐
4855 ger, at least 0
4856 Number of packets sent directly to the controller, without queu‐
4857 ing, because the rate did not exceed the configured maximum.
4858 status : packet-in-TYPE-queued: optional string, containing an integer,
4860 at least 0
4861 Number of packets added to the queue to send later.
4862 status : packet-in-TYPE-dropped: optional string, containing an inte‐
4864 ger, at least 0
4865 Number of packets added to the queue that were later dropped due
4866 to overflow. This value is less than or equal to status:packet-
4867 in-TYPE-queued.
4868 status : packet-in-TYPE-backlog: optional string, containing an inte‐
4870 ger, at least 0
4871 Number of packets currently queued. The other statistics in‐
4872 crease monotonically, but this one fluctuates between 0 and the
4873 controller_burst_limit as conditions change.
4874 Additional In-Band Configuration:
4876 These values are considered only in in-band control mode (see connec‐
4878 tion_mode).
4879 When multiple controllers are configured on a single bridge, there
4881 should be only one set of unique values in these columns. If different
4882 values are set for these columns in different controllers, the effect
4883 is unspecified.
4884 local_ip: optional string
4886 The IP address to configure on the local port, e.g.
4887 192.168.0.123. If this value is unset, then local_netmask and
4888 local_gateway are ignored.
4889 local_netmask: optional string
4891 The IP netmask to configure on the local port, e.g.
4892 255.255.255.0. If local_ip is set but this value is unset, then
4893 the default is chosen based on whether the IP address is class
4894 A, B, or C.
4895 local_gateway: optional string
4897 The IP address of the gateway to configure on the local port, as
4898 a string, e.g. 192.168.0.1. Leave this column unset if this net‐
4899 work has no gateway.
4900 Controller Status:
4902 is_connected: boolean
4904 true if currently connected to this controller, false otherwise.
4905 role: optional string, one of master, other, or slave
4907 The level of authority this controller has on the associated
4908 bridge. Possible values are:
4909 other Allows the controller access to all OpenFlow features.
4911 master Equivalent to other, except that there may be at most one
4913 such controller at a time. If a given controller promotes
4914 itself to this role, ovs-vswitchd demotes any existing
4915 controller with the role to slave.
4916 slave Allows the controller read-only access to OpenFlow fea‐
4918 tures. Attempts to modify the flow table will be rejected
4919 with an error. Such controllers do not receive
4920 OFPT_PACKET_IN or OFPT_FLOW_REMOVED messages, but they do
4921 receive OFPT_PORT_STATUS messages.
4922 status : last_error: optional string
4924 A human-readable description of the last error on the connection
4925 to the controller; i.e. strerror(errno). This key will exist
4926 only if an error has occurred.
4927 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
4929 IDLE, or VOID
4930 The state of the connection to the controller:
4931 VOID Connection is disabled.
4933 BACKOFF
4935 Attempting to reconnect at an increasing period.
4936 CONNECTING
4938 Attempting to connect.
4939 ACTIVE Connected, remote host responsive.
4941 IDLE Connection is idle. Waiting for response to keep-alive.
4943 These values may change in the future. They are provided only
4945 for human consumption.
4946 status : sec_since_connect: optional string, containing an integer, at
4948 least 0
4949 The amount of time since this controller last successfully con‐
4950 nected to the switch (in seconds). Value is empty if controller
4951 has never successfully connected.
4952 status : sec_since_disconnect: optional string, containing an integer,
4954 at least 1
4955 The amount of time since this controller last disconnected from
4956 the switch (in seconds). Value is empty if controller has never
4957 disconnected.
4958 Connection Parameters:
4960 Additional configuration for a connection between the controller and
4962 the Open vSwitch.
4963 other_config : dscp: optional string, containing an integer
4965 The Differentiated Service Code Point (DSCP) is specified using
4966 6 bits in the Type of Service (TOS) field in the IP header. DSCP
4967 provides a mechanism to classify the network traffic and provide
4968 Quality of Service (QoS) on IP networks. The DSCP value speci‐
4969 fied here is used when establishing the connection between the
4970 controller and the Open vSwitch. If no value is specified, a de‐
4971 fault value of 48 is chosen. Valid DSCP values must be in the
4972 range 0 to 63.
4973 Common Columns:
4975 The overall purpose of these columns is described under Common Columns
4977 at the beginning of this document.
4978 external_ids: map of string-string pairs
4980 other_config: map of string-string pairs
4982
4984 Configuration for a database connection to an Open vSwitch database
4985 (OVSDB) client.
4986 This table primarily configures the Open vSwitch database
4988 (ovsdb-server), not the Open vSwitch switch (ovs-vswitchd). The switch
4989 does read the table to determine what connections should be treated as
4990 in-band.
4991 The Open vSwitch database server can initiate and maintain active con‐
4993 nections to remote clients. It can also listen for database connec‐
4994 tions.
4995 Summary:
4997 Core Features:
4998 target string (must be unique within table)
4999 connection_mode optional string, either in-band or
5000 out-of-band
5001 Client Failure Detection and Handling:
5002 max_backoff optional integer, at least 1,000
5003 inactivity_probe optional integer
5004 Status:
5005 is_connected boolean
5006 status : last_error optional string
5007 status : state optional string, one of ACTIVE, BACKOFF,
5008 CONNECTING, IDLE, or VOID
5009 status : sec_since_connect optional string, containing an integer,
5010 at least 0
5011 status : sec_since_disconnect
5012 optional string, containing an integer,
5013 at least 0
5014 status : locks_held optional string
5015 status : locks_waiting optional string
5016 status : locks_lost optional string
5017 status : n_connections optional string, containing an integer,
5018 at least 2
5019 status : bound_port optional string, containing an integer
5020 Connection Parameters:
5021 other_config : dscp optional string, containing an integer
5022 Common Columns:
5023 external_ids map of string-string pairs
5024 other_config map of string-string pairs
5025 Details:
5027 Core Features:
5028 target: string (must be unique within table)
5030 Connection method for managers.
5031 The following connection methods are currently supported:
5033 ssl:host[:port]
5035 The specified SSL port on the host at the given host,
5036 which can either be a DNS name (if built with unbound li‐
5037 brary) or an IP address. The ssl column in the
5038 Open_vSwitch table must point to a valid SSL configura‐
5039 tion when this form is used.
5040 If port is not specified, it defaults to 6640.
5042 SSL support is an optional feature that is not always
5044 built as part of Open vSwitch.
5045 tcp:host[:port]
5047 The specified TCP port on the host at the given host,
5048 which can either be a DNS name (if built with unbound li‐
5049 brary) or an IP address (IPv4 or IPv6). If host is an
5050 IPv6 address, wrap it in square brackets, e.g.
5051 tcp:[::1]:6640.
5052 If port is not specified, it defaults to 6640.
5054 pssl:[port][:host]
5056 Listens for SSL connections on the specified TCP port.
5057 Specify 0 for port to have the kernel automatically
5058 choose an available port. If host, which can either be a
5059 DNS name (if built with unbound library) or an IP ad‐
5060 dress, is specified, then connections are restricted to
5061 the resolved or specified local IP address (either IPv4
5062 or IPv6 address). If host is an IPv6 address, wrap in
5063 square brackets, e.g. pssl:6640:[::1]. If host is not
5064 specified then it listens only on IPv4 (but not IPv6) ad‐
5065 dresses. The ssl column in the Open_vSwitch table must
5066 point to a valid SSL configuration when this form is
5067 used.
5068 If port is not specified, it defaults to 6640.
5070 SSL support is an optional feature that is not always
5072 built as part of Open vSwitch.
5073 ptcp:[port][:host]
5075 Listens for connections on the specified TCP port. Spec‐
5076 ify 0 for port to have the kernel automatically choose an
5077 available port. If host, which can either be a DNS name
5078 (if built with unbound library) or an IP address, is
5079 specified, then connections are restricted to the re‐
5080 solved or specified local IP address (either IPv4 or IPv6
5081 address). If host is an IPv6 address, wrap it in square
5082 brackets, e.g. ptcp:6640:[::1]. If host is not specified
5083 then it listens only on IPv4 addresses.
5084 If port is not specified, it defaults to 6640.
5086 When multiple managers are configured, the target values must be
5088 unique. Duplicate target values yield unspecified results.
5089 connection_mode: optional string, either in-band or out-of-band
5091 If it is specified, this setting must be one of the following
5092 strings that describes how Open vSwitch contacts this OVSDB
5093 client over the network:
5094 in-band
5096 In this mode, this connection’s traffic travels over a
5097 bridge managed by Open vSwitch. With this setting, Open
5098 vSwitch allows traffic to and from the client regardless
5099 of the contents of the OpenFlow flow table. (Otherwise,
5100 Open vSwitch would never be able to connect to the
5101 client, because it did not have a flow to enable it.)
5102 This is the most common connection mode because it is not
5103 necessary to maintain two independent networks.
5104 out-of-band
5106 In this mode, the client’s traffic uses a control network
5107 separate from that managed by Open vSwitch, that is, Open
5108 vSwitch does not use any of its own network devices to
5109 communicate with the client. The control network must be
5110 configured separately, before or after ovs-vswitchd is
5111 started.
5112 If not specified, the default is implementation-specific.
5114 Client Failure Detection and Handling:
5116 max_backoff: optional integer, at least 1,000
5118 Maximum number of milliseconds to wait between connection at‐
5119 tempts. Default is implementation-specific.
5120 inactivity_probe: optional integer
5122 Maximum number of milliseconds of idle time on connection to the
5123 client before sending an inactivity probe message. If Open
5124 vSwitch does not communicate with the client for the specified
5125 number of seconds, it will send a probe. If a response is not
5126 received for the same additional amount of time, Open vSwitch
5127 assumes the connection has been broken and attempts to recon‐
5128 nect. Default is implementation-specific. A value of 0 disables
5129 inactivity probes.
5130 Status:
5132 Key-value pair of is_connected is always updated. Other key-value pairs
5134 in the status columns may be updated depends on the target type.
5135 When target specifies a connection method that listens for inbound con‐
5137 nections (e.g. ptcp: or punix:), both n_connections and is_connected
5138 may also be updated while the remaining key-value pairs are omitted.
5139 On the other hand, when target specifies an outbound connection, all
5141 key-value pairs may be updated, except the above-mentioned two key-
5142 value pairs associated with inbound connection targets. They are omit‐
5143 ted.
5144 is_connected: boolean
5146 true if currently connected to this manager, false otherwise.
5147 status : last_error: optional string
5149 A human-readable description of the last error on the connection
5150 to the manager; i.e. strerror(errno). This key will exist only
5151 if an error has occurred.
5152 status : state: optional string, one of ACTIVE, BACKOFF, CONNECTING,
5154 IDLE, or VOID
5155 The state of the connection to the manager:
5156 VOID Connection is disabled.
5158 BACKOFF
5160 Attempting to reconnect at an increasing period.
5161 CONNECTING
5163 Attempting to connect.
5164 ACTIVE Connected, remote host responsive.
5166 IDLE Connection is idle. Waiting for response to keep-alive.
5168 These values may change in the future. They are provided only
5170 for human consumption.
5171 status : sec_since_connect: optional string, containing an integer, at
5173 least 0
5174 The amount of time since this manager last successfully con‐
5175 nected to the database (in seconds). Value is empty if manager
5176 has never successfully connected.
5177 status : sec_since_disconnect: optional string, containing an integer,
5179 at least 0
5180 The amount of time since this manager last disconnected from the
5181 database (in seconds). Value is empty if manager has never dis‐
5182 connected.
5183 status : locks_held: optional string
5185 Space-separated list of the names of OVSDB locks that the con‐
5186 nection holds. Omitted if the connection does not hold any
5187 locks.
5188 status : locks_waiting: optional string
5190 Space-separated list of the names of OVSDB locks that the con‐
5191 nection is currently waiting to acquire. Omitted if the connec‐
5192 tion is not waiting for any locks.
5193 status : locks_lost: optional string
5195 Space-separated list of the names of OVSDB locks that the con‐
5196 nection has had stolen by another OVSDB client. Omitted if no
5197 locks have been stolen from this connection.
5198 status : n_connections: optional string, containing an integer, at
5200 least 2
5201 When target specifies a connection method that listens for in‐
5202 bound connections (e.g. ptcp: or pssl:) and more than one con‐
5203 nection is actually active, the value is the number of active
5204 connections. Otherwise, this key-value pair is omitted.
5205 status : bound_port: optional string, containing an integer
5207 When target is ptcp: or pssl:, this is the TCP port on which the
5208 OVSDB server is listening. (This is particularly useful when
5209 target specifies a port of 0, allowing the kernel to choose any
5210 available port.)
5211 Connection Parameters:
5213 Additional configuration for a connection between the manager and the
5215 Open vSwitch Database.
5216 other_config : dscp: optional string, containing an integer
5218 The Differentiated Service Code Point (DSCP) is specified using
5219 6 bits in the Type of Service (TOS) field in the IP header. DSCP
5220 provides a mechanism to classify the network traffic and provide
5221 Quality of Service (QoS) on IP networks. The DSCP value speci‐
5222 fied here is used when establishing the connection between the
5223 manager and the Open vSwitch. If no value is specified, a de‐
5224 fault value of 48 is chosen. Valid DSCP values must be in the
5225 range 0 to 63.
5226 Common Columns:
5228 The overall purpose of these columns is described under Common Columns
5230 at the beginning of this document.
5231 external_ids: map of string-string pairs
5233 other_config: map of string-string pairs
5235
5237 A NetFlow target. NetFlow is a protocol that exports a number of de‐
5238 tails about terminating IP flows, such as the principals involved and
5239 duration.
5240 Summary:
5242 targets set of 1 or more strings
5243 engine_id optional integer, in range 0 to 255
5244 engine_type optional integer, in range 0 to 255
5245 active_timeout integer, at least -1
5246 add_id_to_interface boolean
5247 Common Columns:
5248 external_ids map of string-string pairs
5249 Details:
5251 targets: set of 1 or more strings
5252 NetFlow targets in the form ip:port. The ip must be specified
5253 numerically, not as a DNS name.
5254 engine_id: optional integer, in range 0 to 255
5256 Engine ID to use in NetFlow messages. Defaults to datapath index
5257 if not specified.
5258 engine_type: optional integer, in range 0 to 255
5260 Engine type to use in NetFlow messages. Defaults to datapath in‐
5261 dex if not specified.
5262 active_timeout: integer, at least -1
5264 The interval at which NetFlow records are sent for flows that
5265 are still active, in seconds. A value of 0 requests the default
5266 timeout (currently 600 seconds); a value of -1 disables active
5267 timeouts.
5268 The NetFlow passive timeout, for flows that become inactive, is
5270 not configurable. It will vary depending on the Open vSwitch
5271 version, the forms and contents of the OpenFlow flow tables, CPU
5272 and memory usage, and network activity. A typical passive time‐
5273 out is about a second.
5274 add_id_to_interface: boolean
5276 If this column’s value is false, the ingress and egress inter‐
5277 face fields of NetFlow flow records are derived from OpenFlow
5278 port numbers. When it is true, the 7 most significant bits of
5279 these fields will be replaced by the least significant 7 bits of
5280 the engine id. This is useful because many NetFlow collectors do
5281 not expect multiple switches to be sending messages from the
5282 same host, so they do not store the engine information which
5283 could be used to disambiguate the traffic.
5284 When this option is enabled, a maximum of 508 ports are sup‐
5286 ported.
5287 Common Columns:
5289 The overall purpose of these columns is described under Common Columns
5291 at the beginning of this document.
5292 external_ids: map of string-string pairs
5294
5296 Configuration for a datapath within Open_vSwitch.
5297 A datapath is responsible for providing the packet handling in Open
5299 vSwitch. There are two primary datapath implementations used by Open
5300 vSwitch: kernel and userspace. Kernel datapath implementations are
5301 available for Linux and Hyper-V, and selected as system in the data‐
5302 path_type column of the Bridge table. The userspace datapath is used by
5303 DPDK and AF-XDP, and is selected as netdev in the datapath_type column
5304 of the Bridge table.
5305 A datapath of a particular type is shared by all the bridges that use
5307 that datapath. Thus, configurations applied to this table affect all
5308 bridges that use this datapath.
5309 Summary:
5311 datapath_version string
5312 ct_zones map of integer-CT_Zone pairs, key in
5313 range 0 to 65,535
5314 Capabilities:
5315 capabilities : max_vlan_headers
5316 optional string, containing an integer,
5317 at least 0
5318 capabilities : recirc optional string, either true or false
5319 capabilities : lb_output_action
5320 optional string, either true or false
5321 Connection-Tracking Capabilities:
5322 capabilities : ct_state optional string, either true or false
5323 capabilities : ct_state_nat
5324 optional string, either true or false
5325 capabilities : ct_zone optional string, either true or false
5326 capabilities : ct_mark optional string, either true or false
5327 capabilities : ct_label optional string, either true or false
5328 capabilities : ct_orig_tuple
5329 optional string, either true or false
5330 capabilities : ct_orig_tuple6
5331 optional string, either true or false
5332 capabilities : masked_set_action
5333 optional string, either true or false
5334 capabilities : tnl_push_pop
5335 optional string, either true or false
5336 capabilities : ufid optional string, either true or false
5337 capabilities : trunc optional string, either true or false
5338 capabilities : nd_ext optional string, either true or false
5339 Clone Actions:
5340 capabilities : clone optional string, either true or false
5341 capabilities : sample_nesting
5342 optional string, containing an integer,
5343 at least 0
5344 capabilities : ct_eventmask
5345 optional string, either true or false
5346 capabilities : ct_clear optional string, either true or false
5347 capabilities : max_hash_alg
5348 optional string, containing an integer,
5349 at least 0
5350 capabilities : check_pkt_len
5351 optional string, either true or false
5352 capabilities : ct_timeout optional string, either true or false
5353 capabilities : explicit_drop_action
5354 optional string, either true or false
5355 capabilities : ct_zero_snat
5356 optional string, either true or false
5357 capabilities : ct_flush optional string, either true or false
5358 Common Columns:
5359 external_ids map of string-string pairs
5360 Details:
5362 datapath_version: string
5363 Reports the version number of the Open vSwitch datapath in use.
5364 This allows management software to detect and report discrepan‐
5365 cies between Open vSwitch userspace and datapath versions. (The
5366 ovs_version column in the Open_vSwitch reports the Open vSwitch
5367 userspace version.) The version reported depends on the datapath
5368 in use:
5369 • When the kernel module included in the Open vSwitch
5371 source tree is used, this column reports the Open vSwitch
5372 version from which the module was taken.
5373 • When the kernel module that is part of the upstream Linux
5375 kernel is used, this column reports <unknown>.
5376 • When the datapath is built into the ovs-vswitchd binary,
5378 this column reports <built-in>. A built-in datapath is by
5379 definition the same version as the rest of the Open
5380 vSwitch userspace.
5381 • Other datapaths (such as the Hyper-V kernel datapath)
5383 currently report <unknown>.
5384 A version discrepancy between ovs-vswitchd and the datapath in
5386 use is not normally cause for alarm. The Open vSwitch kernel
5387 datapaths for Linux and Hyper-V, in particular, are designed for
5388 maximum inter-version compatibility: any userspace version works
5389 with with any kernel version. Some reasons do exist to insist on
5390 particular user/kernel pairings. First, newer kernel versions
5391 add new features, that can only be used by new-enough userspace,
5392 e.g. VXLAN tunneling requires certain minimal userspace and ker‐
5393 nel versions. Second, as an extension to the first reason, some
5394 newer kernel versions add new features for enhancing performance
5395 that only new-enough userspace versions can take advantage of.
5396 ct_zones: map of integer-CT_Zone pairs, key in range 0 to 65,535
5398 Configuration for connection tracking zones. Each pair maps from
5399 a zone id to a configuration for that zone. Zone 0 applies to
5400 the default zone (ie, the one used if a zone is not specified in
5401 connection tracking-related OpenFlow matches and actions).
5402 Capabilities:
5404 The capabilities column reports a datapath’s features. For the netdev
5406 datapath, the capabilities are fixed for a given version of Open
5407 vSwitch because this datapath is built into the ovs-vswitchd binary.
5408 The Linux kernel and Windows and other datapaths, which are external to
5409 OVS userspace, can vary in version and capabilities independently from
5410 ovs-vswitchd.
5411 Some of these features indicate whether higher-level Open vSwitch fea‐
5413 tures are available. For example, OpenFlow features for connection-
5414 tracking are available only when capabilities:ct_state is true. A con‐
5415 troller that wishes to determine whether a feature is supported could,
5416 therefore, consult the relevant capabilities in this table. However, as
5417 a general rule, it is better for a controller to try to use the higher-
5418 level feature and use the result as an indication of support, since the
5419 low-level capabilities are more likely to shift over time than the
5420 high-level features that rely on them.
5421 capabilities : max_vlan_headers: optional string, containing an inte‐
5423 ger, at least 0
5424 Number of 802.1q VLAN headers supported by the datapath, as
5425 probed by the ovs-vswitchd slow path. If the datapath supports
5426 more VLAN headers than the slow path, this reports the slow
5427 path’s limit. The value of other-config:vlan-limit in the
5428 Open_vSwitch table does not influence the number reported here.
5429 capabilities : recirc: optional string, either true or false
5431 If this is true, then the datapath supports recirculation,
5432 specifically OVS_KEY_ATTR_RECIRC_ID. Recirculation enables
5433 higher performance for MPLS and active-active load balancing
5434 bonding modes.
5435 capabilities : lb_output_action: optional string, either true or false
5437 If this is true, then the datapath supports optimized balance-
5438 tcp bond mode. This capability replaces existing hash and recirc
5439 actions with new action lb_output and avoids recirculation of
5440 packet in datapath. It is supported only for balance-tcp bond
5441 mode in netdev datapath. The new action gives higher performance
5442 by using bond buckets instead of post recirculation flows for
5443 selection of slave port from bond. By default this new action is
5444 disabled, however it can be enabled by setting other-config:lb-
5445 output-action in Port table.
5446 Connection-Tracking Capabilities:
5448 These capabilities are granular because Open vSwitch and its datapaths
5450 added support for connection tracking over several releases, with fea‐
5451 tures added individually over that time.
5452 capabilities : ct_state: optional string, either true or false
5454 If true, datapath supports OVS_KEY_ATTR_CT_STATE, which indi‐
5455 cates support for the bits in the OpenFlow ct_state field (see
5456 ovs-fields(7)) other than snat and dnat, which have a separate
5457 capability.
5458 If this is false, the datapath does not support connection-
5460 tracking at all and the remaining connection-tracking capabili‐
5461 ties should all be false. In this case, Open vSwitch will reject
5462 flows that match on the ct_state field or use the ct action.
5463 capabilities : ct_state_nat: optional string, either true or false
5465 If true, it means that the datapath supports the snat and dnat
5466 flags in the OpenFlow ct_state field. The ct_state capability
5467 must be true for this to make sense.
5468 If false, Open vSwitch will reject flows that match on the snat
5470 or dnat bits in ct_state or use nat in the ct action.
5471 capabilities : ct_zone: optional string, either true or false
5473 If true, datapath supports OVS_KEY_ATTR_CT_ZONE. If false, Open
5474 vSwitch rejects flows that match on the ct_zone field or that
5475 specify a nonzero zone or a zone field on the ct action.
5476 capabilities : ct_mark: optional string, either true or false
5478 If true, datapath supports OVS_KEY_ATTR_CT_MARK. If false, Open
5479 vSwitch rejects flows that match on the ct_mark field or that
5480 set ct_mark in the ct action.
5481 capabilities : ct_label: optional string, either true or false
5483 If true, datapath supports OVS_KEY_ATTR_CT_LABEL. If false, Open
5484 vSwitch rejects flows that match on the ct_label field or that
5485 set ct_label in the ct action.
5486 capabilities : ct_orig_tuple: optional string, either true or false
5488 If true, the datapath supports matching the 5-tuple from the
5489 connection’s original direction for IPv4 traffic. If false, Open
5490 vSwitch rejects flows that match on ct_nw_src or ct_nw_dst, that
5491 use the ct feature of the resubmit action, or the force keyword
5492 in the ct action. (The latter isn’t tied to connection tracking
5493 support of original tuples in any technical way. They are con‐
5494 flated because all current datapaths implemented the two fea‐
5495 tures at the same time.)
5496 If this and capabilities:ct_orig_tuple6 are both false, Open
5498 vSwitch rejects flows that match on ct_nw_proto, ct_tp_src, or
5499 ct_tp_dst.
5500 capabilities : ct_orig_tuple6: optional string, either true or false
5502 If true, the datapath supports matching the 5-tuple from the
5503 connection’s original direction for IPv6 traffic. If false, Open
5504 vSwitch rejects flows that match on ct_ipv6_src or ct_ipv6_dst.
5505 capabilities : masked_set_action: optional string, either true or false
5507 True if the datapath supports masked data in OVS_ACTION_ATTR_SET
5508 actions. Masked data can improve performance by allowing
5509 megaflows to match on fewer fields.
5510 capabilities : tnl_push_pop: optional string, either true or false
5512 True if the datapath supports tnl_push and pop actions. This is
5513 a prerequisite for a datapath to support native tunneling.
5514 capabilities : ufid: optional string, either true or false
5516 True if the datapath supports OVS_FLOW_ATTR_UFID. UFID support
5517 improves revalidation performance by transferring less data be‐
5518 tween the slow path and the datapath.
5519 capabilities : trunc: optional string, either true or false
5521 True if the datapath supports OVS_ACTION_ATTR_TRUNC action. If
5522 false, the output action with packet truncation requires every
5523 packet to be sent to the Open vSwitch slow path, which is likely
5524 to make it too slow for mirroring traffic in bulk.
5525 capabilities : nd_ext: optional string, either true or false
5527 True if the datapath supports OVS_KEY_ATTR_ND_EXTENSIONS to
5528 match on ICMPv6 "ND reserved" and "ND option type" header
5529 fields. If false, the datapath reports error if the feature is
5530 used.
5531 Clone Actions:
5533 When Open vSwitch translates actions from OpenFlow into the datapath
5535 representation, some of the datapath actions may modify the packet or
5536 have other side effects that later datapath actions can’t undo. The
5537 OpenFlow ct, meter, output with truncation, encap, decap, and
5538 dec_nsh_ttl actions fall into this category. Often, this is not a prob‐
5539 lem because nothing later on needs the original packet.
5540 Such actions can, however, occur in circumstances where the translation
5542 does require the original packet. For example, an OpenFlow output ac‐
5543 tion might direct a packet to a patch port, which might in turn lead to
5544 a ct action that NATs the packet (which cannot be undone), and then af‐
5545 terward when control flow pops back across the patch port some other
5546 action might need to act on the original packet.
5547 Open vSwitch has two different ways to implement this ``save and re‐
5549 store’’ via datapath actions. These capabilities indicate which one
5550 Open vSwitch will choose. When neither is available, Open vSwitch sim‐
5551 ply fails in situations that require this feature.
5552 capabilities : clone: optional string, either true or false
5554 True if the datapath supports OVS_ACTION_ATTR_CLONE action. This
5555 is the preferred option for saving and restoring packets, since
5556 it is intended for the purpose, but old datapaths do not support
5557 it. Open vSwitch will use it whenever it is available.
5558 (The OpenFlow clone action does not always yield a OVS_AC‐
5560 TION_ATTR_CLONE action. It only does so when the datapath sup‐
5561 ports it and the clone brackets actions that otherwise cannot be
5562 undone.)
5563 capabilities : sample_nesting: optional string, containing an integer,
5565 at least 0
5566 Maximum level of nesting allowed by OVS_ACTION_ATTR_SAMPLE ac‐
5567 tion. Open vSwitch misuses this action for saving and restoring
5568 packets when the datapath supports more than 3 levels of nesting
5569 and OVS_ACTION_ATTR_CLONE is not available.
5570 capabilities : ct_eventmask: optional string, either true or false
5572 True if the datapath’s OVS_ACTION_ATTR_CT action implements the
5573 OVS_CT_ATTR_EVENTMASK attribute. When this is true, Open vSwitch
5574 uses the event mask feature to limit the kinds of events re‐
5575 ported to conntrack update listeners. When Open vSwitch doesn’t
5576 limit the event mask, listeners receive reports of numerous usu‐
5577 ally unimportant events, such as TCP state machine changes,
5578 which can waste CPU time.
5579 capabilities : ct_clear: optional string, either true or false
5581 True if the datapath supports OVS_ACTION_ATTR_CT_CLEAR action.
5582 If false, the OpenFlow ct_clear action has no effect on the
5583 datapath.
5584 capabilities : max_hash_alg: optional string, containing an integer, at
5586 least 0
5587 Highest supported dp_hash algorithm. This allows Open vSwitch to
5588 avoid requesting a packet hash that the datapath does not sup‐
5589 port.
5590 capabilities : check_pkt_len: optional string, either true or false
5592 True if the datapath supports OVS_ACTION_ATTR_CHECK_PKT_LEN. If
5593 false, Open vSwitch implements the check_pkt_larger action by
5594 sending every packet through the Open vSwitch slow path, which
5595 is likely to make it too slow for handling traffic in bulk.
5596 capabilities : ct_timeout: optional string, either true or false
5598 True if the datapath supports OVS_CT_ATTR_TIMEOUT in the OVS_AC‐
5599 TION_ATTR_CT action. If false, Open vswitch cannot implement
5600 timeout policies based on connection tracking zones, as config‐
5601 ured through the CT_Timeout_Policy table.
5602 capabilities : explicit_drop_action: optional string, either true or
5604 false
5605 True if the datapath supports OVS_ACTION_ATTR_DROP. If false,
5606 explicit drop action will not be sent to the datapath.
5607 capabilities : ct_zero_snat: optional string, either true or false
5609 True if the datapath supports all-zero SNAT. This is a special
5610 case if the src IP address is configured as all 0’s, i.e.,
5611 nat(src=0.0.0.0). In this case, when a source port collision is
5612 detected during the commit, the source port will be translated
5613 to an ephemeral port. If there is no collision, no SNAT is per‐
5614 formed.
5615 capabilities : ct_flush: optional string, either true or false
5617 True if the datapath supports CT flush OpenFlow Nicira extension
5618 called NXT_CT_FLUSH. The NXT_CT_FLUSH extensions allows to flush
5619 CT entries based on specified parameters.
5620 Common Columns:
5622 The overall purpose of these columns is described under Common Columns
5624 at the beginning of this document.
5625 external_ids: map of string-string pairs
5627
5629 Connection tracking zone configuration
5630 Summary:
5632 timeout_policy optional CT_Timeout_Policy
5633 Common Columns:
5634 external_ids map of string-string pairs
5635 Details:
5637 timeout_policy: optional CT_Timeout_Policy
5638 Connection tracking timeout policy for this zone. If a timeout
5639 policy is not specified, it defaults to the timeout policy in
5640 the system.
5641 Common Columns:
5643 The overall purpose of these columns is described under Common Columns
5645 at the beginning of this document.
5646 external_ids: map of string-string pairs
5648
5650 Connection tracking timeout policy configuration
5651 Summary:
5653 Timeouts:
5654 timeouts map of string-integer pairs, key one of
5655 icmp_first, icmp_reply, tcp_close,
5656 tcp_close_wait, tcp_established,
5657 tcp_fin_wait, tcp_last_ack, tcp_retrans‐
5658 mit, tcp_syn_recv, tcp_syn_sent2,
5659 tcp_syn_sent, tcp_time_wait, tcp_unack,
5660 udp_first, udp_multiple, or udp_single,
5661 value in range 0 to 4,294,967,295
5662 TCP Timeouts:
5663 timeouts : tcp_syn_sent optional integer, in range 0 to
5664 4,294,967,295
5665 timeouts : tcp_syn_recv optional integer, in range 0 to
5666 4,294,967,295
5667 timeouts : tcp_established
5668 optional integer, in range 0 to
5669 4,294,967,295
5670 timeouts : tcp_fin_wait optional integer, in range 0 to
5671 4,294,967,295
5672 timeouts : tcp_close_wait
5673 optional integer, in range 0 to
5674 4,294,967,295
5675 timeouts : tcp_last_ack optional integer, in range 0 to
5676 4,294,967,295
5677 timeouts : tcp_time_wait optional integer, in range 0 to
5678 4,294,967,295
5679 timeouts : tcp_close optional integer, in range 0 to
5680 4,294,967,295
5681 timeouts : tcp_syn_sent2 optional integer, in range 0 to
5682 4,294,967,295
5683 timeouts : tcp_retransmit
5684 optional integer, in range 0 to
5685 4,294,967,295
5686 timeouts : tcp_unack optional integer, in range 0 to
5687 4,294,967,295
5688 UDP Timeouts:
5689 timeouts : udp_first optional integer, in range 0 to
5690 4,294,967,295
5691 timeouts : udp_single optional integer, in range 0 to
5692 4,294,967,295
5693 timeouts : udp_multiple optional integer, in range 0 to
5694 4,294,967,295
5695 ICMP Timeouts:
5696 timeouts : icmp_first optional integer, in range 0 to
5697 4,294,967,295
5698 timeouts : icmp_reply optional integer, in range 0 to
5699 4,294,967,295
5700 Common Columns:
5701 external_ids map of string-string pairs
5702 Details:
5704 Timeouts:
5705 timeouts: map of string-integer pairs, key one of icmp_first, icmp_re‐
5707 ply, tcp_close, tcp_close_wait, tcp_established, tcp_fin_wait,
5708 tcp_last_ack, tcp_retransmit, tcp_syn_recv, tcp_syn_sent2,
5709 tcp_syn_sent, tcp_time_wait, tcp_unack, udp_first, udp_multiple, or
5710 udp_single, value in range 0 to 4,294,967,295
5711 The timeouts column contains key-value pairs used to configure
5712 connection tracking timeouts in a datapath. Key-value pairs that
5713 are not supported by a datapath are ignored. The timeout value
5714 is in seconds.
5715 TCP Timeouts:
5717 timeouts : tcp_syn_sent: optional integer, in range 0 to 4,294,967,295
5719 The timeout for the connection after the first TCP SYN packet
5720 has been seen by conntrack.
5721 timeouts : tcp_syn_recv: optional integer, in range 0 to 4,294,967,295
5723 The timeout of the connection after the first TCP SYN-ACK packet
5724 has been seen by conntrack.
5725 timeouts : tcp_established: optional integer, in range 0 to
5727 4,294,967,295
5728 The timeout of the connection after the connection has been
5729 fully established.
5730 timeouts : tcp_fin_wait: optional integer, in range 0 to 4,294,967,295
5732 The timeout of the connection after the first TCP FIN packet has
5733 been seen by conntrack.
5734 timeouts : tcp_close_wait: optional integer, in range 0 to
5736 4,294,967,295
5737 The timeout of the connection after the first TCP ACK packet has
5738 been seen after it receives TCP FIN packet. This timeout is only
5739 supported by the Linux kernel datapath.
5740 timeouts : tcp_last_ack: optional integer, in range 0 to 4,294,967,295
5742 The timeout of the connection after TCP FIN packets have been
5743 seen by conntrack from both directions. This timeout is only
5744 supported by the Linux kernel datapath.
5745 timeouts : tcp_time_wait: optional integer, in range 0 to 4,294,967,295
5747 The timeout of the connection after conntrack has seen the TCP
5748 ACK packet for the second TCP FIN packet.
5749 timeouts : tcp_close: optional integer, in range 0 to 4,294,967,295
5751 The timeout of the connection after the first TCP RST packet has
5752 been seen by conntrack.
5753 timeouts : tcp_syn_sent2: optional integer, in range 0 to 4,294,967,295
5755 The timeout of the connection when only a TCP SYN packet has
5756 been seen by conntrack from both directions (simultaneous open).
5757 This timeout is only supported by the Linux kernel datapath.
5758 timeouts : tcp_retransmit: optional integer, in range 0 to
5760 4,294,967,295
5761 The timeout of the connection when it exceeds the maximum number
5762 of retransmissions. This timeout is only supported by the Linux
5763 kernel datapath.
5764 timeouts : tcp_unack: optional integer, in range 0 to 4,294,967,295
5766 The timeout of the connection when non-SYN packets create an es‐
5767 tablished connection in TCP loose tracking mode. This timeout is
5768 only supported by the Linux kernel datapath.
5769 UDP Timeouts:
5771 timeouts : udp_first: optional integer, in range 0 to 4,294,967,295
5773 The timeout of the connection after the first UDP packet has
5774 been seen by conntrack. This timeout is only supported by the
5775 userspace datapath.
5776 timeouts : udp_single: optional integer, in range 0 to 4,294,967,295
5778 The timeout of the connection when conntrack only seen UDP
5779 packet from the source host, but the destination host has never
5780 sent one back.
5781 timeouts : udp_multiple: optional integer, in range 0 to 4,294,967,295
5783 The timeout of the connection when UDP packets have been seen in
5784 both directions.
5785 ICMP Timeouts:
5787 timeouts : icmp_first: optional integer, in range 0 to 4,294,967,295
5789 The timeout of the connection after the first ICMP packet has
5790 been seen by conntrack.
5791 timeouts : icmp_reply: optional integer, in range 0 to 4,294,967,295
5793 The timeout of the connection when ICMP packets have been seen
5794 in both direction. This timeout is only supported by the
5795 userspace datapath.
5796 Common Columns:
5798 The overall purpose of these columns is described under Common Columns
5800 at the beginning of this document.
5801 external_ids: map of string-string pairs
5803
5805 SSL configuration for an Open_vSwitch.
5806 Summary:
5808 private_key string
5809 certificate string
5810 ca_cert string
5811 bootstrap_ca_cert boolean
5812 Common Columns:
5813 external_ids map of string-string pairs
5814 Details:
5816 private_key: string
5817 Name of a PEM file containing the private key used as the
5818 switch’s identity for SSL connections to the controller.
5819 certificate: string
5821 Name of a PEM file containing a certificate, signed by the cer‐
5822 tificate authority (CA) used by the controller and manager, that
5823 certifies the switch’s private key, identifying a trustworthy
5824 switch.
5825 ca_cert: string
5827 Name of a PEM file containing the CA certificate used to verify
5828 that the switch is connected to a trustworthy controller.
5829 bootstrap_ca_cert: boolean
5831 If set to true, then Open vSwitch will attempt to obtain the CA
5832 certificate from the controller on its first SSL connection and
5833 save it to the named PEM file. If it is successful, it will im‐
5834 mediately drop the connection and reconnect, and from then on
5835 all SSL connections must be authenticated by a certificate
5836 signed by the CA certificate thus obtained. This option exposes
5837 the SSL connection to a man-in-the-middle attack obtaining the
5838 initial CA certificate. It may still be useful for bootstrap‐
5839 ping.
5840 Common Columns:
5842 The overall purpose of these columns is described under Common Columns
5844 at the beginning of this document.
5845 external_ids: map of string-string pairs
5847
5849 A set of sFlow(R) targets. sFlow is a protocol for remote monitoring of
5850 switches.
5851 Summary:
5853 agent optional string
5854 header optional integer
5855 polling optional integer
5856 sampling optional integer
5857 targets set of 1 or more strings
5858 Common Columns:
5859 external_ids map of string-string pairs
5860 Details:
5862 agent: optional string
5863 Determines the agent address, that is, the IP address reported
5864 to collectors as the source of the sFlow data. It may be an IP
5865 address or the name of a network device. In the latter case, the
5866 network device’s IP address is used,
5867 If not specified, the agent device is figured from the first
5869 target address and the routing table. If the routing table does
5870 not contain a route to the target, the IP address defaults to
5871 the local_ip in the collector’s Controller.
5872 If an agent IP address cannot be determined, sFlow is disabled.
5874 header: optional integer
5876 Number of bytes of a sampled packet to send to the collector. If
5877 not specified, the default is 128 bytes.
5878 polling: optional integer
5880 Polling rate in seconds to send port statistics to the collec‐
5881 tor. If not specified, defaults to 30 seconds.
5882 sampling: optional integer
5884 Rate at which packets should be sampled and sent to the collec‐
5885 tor. If not specified, defaults to 400, which means one out of
5886 400 packets, on average, will be sent to the collector.
5887 targets: set of 1 or more strings
5889 sFlow targets in the form ip:port.
5890 Common Columns:
5892 The overall purpose of these columns is described under Common Columns
5894 at the beginning of this document.
5895 external_ids: map of string-string pairs
5897
5899 Configuration for sending packets to IPFIX collectors.
5900 IPFIX is a protocol that exports a number of details about flows. The
5902 IPFIX implementation in Open vSwitch samples packets at a configurable
5903 rate, extracts flow information from those packets, optionally caches
5904 and aggregates the flow information, and sends the result to one or
5905 more collectors.
5906 IPFIX in Open vSwitch can be configured two different ways:
5908 • With per-bridge sampling, Open vSwitch performs IPFIX
5910 sampling automatically on all packets that pass through a
5911 bridge. To configure per-bridge sampling, create an IPFIX
5912 record and point a Bridge table’s ipfix column to it. The
5913 Flow_Sample_Collector_Set table is not used for per-
5914 bridge sampling.
5915 • With flow-based sampling, sample actions in the OpenFlow
5917 flow table drive IPFIX sampling. See ovs-actions(7) for a
5918 description of the sample action.
5919 Flow-based sampling also requires database configuration:
5921 create a IPFIX record that describes the IPFIX configura‐
5922 tion and a Flow_Sample_Collector_Set record that points
5923 to the Bridge whose flow table holds the sample actions
5924 and to IPFIX record. The ipfix in the Bridge table is not
5925 used for flow-based sampling.
5926 Summary:
5928 targets set of strings
5929 cache_active_timeout optional integer, in range 0 to 4,200
5930 cache_max_flows optional integer, in range 0 to
5931 4,294,967,295
5932 other_config : enable-tunnel-sampling
5933 optional string, either true or false
5934 other_config : virtual_obs_id optional string
5935 Per-Bridge Sampling:
5936 sampling optional integer, in range 1 to
5937 4,294,967,295
5938 obs_domain_id optional integer, in range 0 to
5939 4,294,967,295
5940 obs_point_id optional integer, in range 0 to
5941 4,294,967,295
5942 other_config : enable-input-sampling
5943 optional string, either true or false
5944 other_config : enable-output-sampling
5945 optional string, either true or false
5946 Common Columns:
5947 external_ids map of string-string pairs
5948 Details:
5950 targets: set of strings
5951 IPFIX target collectors in the form ip:port.
5952 cache_active_timeout: optional integer, in range 0 to 4,200
5954 The maximum period in seconds for which an IPFIX flow record is
5955 cached and aggregated before being sent. If not specified, de‐
5956 faults to 0. If 0, caching is disabled.
5957 cache_max_flows: optional integer, in range 0 to 4,294,967,295
5959 The maximum number of IPFIX flow records that can be cached at a
5960 time. If not specified, defaults to 0. If 0, caching is dis‐
5961 abled.
5962 other_config : enable-tunnel-sampling: optional string, either true or
5964 false
5965 Set to true to enable sampling and reporting tunnel header 7-tu‐
5966 ples in IPFIX flow records. Tunnel sampling is enabled by de‐
5967 fault.
5968 The following enterprise entities report the sampled tunnel
5970 info:
5971 tunnelType:
5973 ID: 891, and enterprise ID 6876 (VMware).
5974 type: unsigned 8-bit integer.
5976 data type semantics: identifier.
5978 description: Identifier of the layer 2 network overlay
5980 network encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03
5981 LISP, 0x07 GENEVE.
5982 tunnelKey:
5984 ID: 892, and enterprise ID 6876 (VMware).
5985 type: variable-length octetarray.
5987 data type semantics: identifier.
5989 description: Key which is used for identifying an indi‐
5991 vidual traffic flow within a VxLAN (24-bit VNI), GENEVE
5992 (24-bit VNI), GRE (32-bit key), or LISP (24-bit instance
5993 ID) tunnel. The key is encoded in this octetarray as a
5994 3-, 4-, or 8-byte integer ID in network byte order.
5995 tunnelSourceIPv4Address:
5997 ID: 893, and enterprise ID 6876 (VMware).
5998 type: unsigned 32-bit integer.
6000 data type semantics: identifier.
6002 description: The IPv4 source address in the tunnel IP
6004 packet header.
6005 tunnelDestinationIPv4Address:
6007 ID: 894, and enterprise ID 6876 (VMware).
6008 type: unsigned 32-bit integer.
6010 data type semantics: identifier.
6012 description: The IPv4 destination address in the tunnel
6014 IP packet header.
6015 tunnelProtocolIdentifier:
6017 ID: 895, and enterprise ID 6876 (VMware).
6018 type: unsigned 8-bit integer.
6020 data type semantics: identifier.
6022 description: The value of the protocol number in the tun‐
6024 nel IP packet header. The protocol number identifies the
6025 tunnel IP packet payload type.
6026 tunnelSourceTransportPort:
6028 ID: 896, and enterprise ID 6876 (VMware).
6029 type: unsigned 16-bit integer.
6031 data type semantics: identifier.
6033 description: The source port identifier in the tunnel
6035 transport header. For the transport protocols UDP, TCP,
6036 and SCTP, this is the source port number given in the re‐
6037 spective header.
6038 tunnelDestinationTransportPort:
6040 ID: 897, and enterprise ID 6876 (VMware).
6041 type: unsigned 16-bit integer.
6043 data type semantics: identifier.
6045 description: The destination port identifier in the tun‐
6047 nel transport header. For the transport protocols UDP,
6048 TCP, and SCTP, this is the destination port number given
6049 in the respective header.
6050 Before Open vSwitch 2.5.90, other_config:enable-tunnel-sampling
6052 was only supported with per-bridge sampling, and ignored other‐
6053 wise. Open vSwitch 2.5.90 and later support other_config:enable-
6054 tunnel-sampling for per-bridge and per-flow sampling.
6055 other_config : virtual_obs_id: optional string
6057 A string that accompanies each IPFIX flow record. Its intended
6058 use is for the ``virtual observation ID,’’ an identifier of a
6059 virtual observation point that is locally unique in a virtual
6060 network. It describes a location in the virtual network where IP
6061 packets can be observed. The maximum length is 254 bytes. If not
6062 specified, the field is omitted from the IPFIX flow record.
6063 The following enterprise entity reports the specified virtual
6065 observation ID:
6066 virtualObsID:
6068 ID: 898, and enterprise ID 6876 (VMware).
6069 type: variable-length string.
6071 data type semantics: identifier.
6073 description: A virtual observation domain ID that is lo‐
6075 cally unique in a virtual network.
6076 This feature was introduced in Open vSwitch 2.5.90.
6078 Per-Bridge Sampling:
6080 These values affect only per-bridge sampling. See above for a descrip‐
6082 tion of the differences between per-bridge and flow-based sampling.
6083 sampling: optional integer, in range 1 to 4,294,967,295
6085 The rate at which packets should be sampled and sent to each
6086 target collector. If not specified, defaults to 400, which means
6087 one out of 400 packets, on average, will be sent to each target
6088 collector.
6089 obs_domain_id: optional integer, in range 0 to 4,294,967,295
6091 The IPFIX Observation Domain ID sent in each IPFIX packet. If
6092 not specified, defaults to 0.
6093 obs_point_id: optional integer, in range 0 to 4,294,967,295
6095 The IPFIX Observation Point ID sent in each IPFIX flow record.
6096 If not specified, defaults to 0.
6097 other_config : enable-input-sampling: optional string, either true or
6099 false
6100 By default, Open vSwitch samples and reports flows at bridge
6101 port input in IPFIX flow records. Set this column to false to
6102 disable input sampling.
6103 other_config : enable-output-sampling: optional string, either true or
6105 false
6106 By default, Open vSwitch samples and reports flows at bridge
6107 port output in IPFIX flow records. Set this column to false to
6108 disable output sampling.
6109 Common Columns:
6111 The overall purpose of these columns is described under Common Columns
6113 at the beginning of this document.
6114 external_ids: map of string-string pairs
6116
6118 A set of IPFIX collectors of packet samples generated by OpenFlow sam‐
6119 ple actions. This table is used only for IPFIX flow-based sampling, not
6120 for per-bridge sampling (see the IPFIX table for a description of the
6121 two forms).
6122 Summary:
6124 id integer, in range 0 to 4,294,967,295
6125 bridge Bridge
6126 ipfix optional IPFIX
6127 Common Columns:
6128 external_ids map of string-string pairs
6129 Details:
6131 id: integer, in range 0 to 4,294,967,295
6132 The ID of this collector set, unique among the bridge’s collec‐
6133 tor sets, to be used as the collector_set_id in OpenFlow sample
6134 actions.
6135 bridge: Bridge
6137 The bridge into which OpenFlow sample actions can be added to
6138 send packet samples to this set of IPFIX collectors.
6139 ipfix: optional IPFIX
6141 Configuration of the set of IPFIX collectors to send one flow
6142 record per sampled packet to.
6143 Common Columns:
6145 The overall purpose of these columns is described under Common Columns
6147 at the beginning of this document.
6148 external_ids: map of string-string pairs
6150
6152 Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM
6153 draft standard describes a compact method of using IEEE 802.1AB Link
6154 Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest
6155 Path Bridging (SPB) network to automatically attach network devices to
6156 individual services in a SPB network. The intent here is to allow net‐
6157 work applications and devices using OVS to be able to easily take ad‐
6158 vantage of features offered by industry standard SPB networks.
6159 Auto Attach (AA) uses LLDP to communicate between a directly connected
6161 Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP proto‐
6162 col is extended to add two new Type-Length-Value tuples (TLVs). The
6163 first new TLV supports the ongoing discovery of directly connected AA
6164 correspondents. Auto Attach operates by regularly transmitting AA dis‐
6165 covery TLVs between the AA client and AA server. By exchanging these
6166 discovery messages, both the AAC and AAS learn the system name and sys‐
6167 tem description of their peer. In the OVS context, OVS operates as the
6168 AA client and the AA server resides on a switch at the edge of the SPB
6169 network.
6170 Once AA discovery has been completed the AAC then uses the second new
6172 TLV to deliver identifier mappings from the AAC to the AAS. A primary
6173 feature of Auto Attach is to facilitate the mapping of VLANs defined
6174 outside the SPB network onto service ids (ISIDs) defined within the SPM
6175 network. By doing so individual external VLANs can be mapped onto spe‐
6176 cific SPB network services. These VLAN id to ISID mappings can be con‐
6177 figured and managed locally using new options added to the ovs-vsctl
6178 command.
6179 The Auto Attach OVS feature does not provide a full implementation of
6181 the LLDP protocol. Support for the mandatory TLVs as defined by the
6182 LLDP standard and support for the AA TLV extensions is provided. LLDP
6183 protocol support in OVS can be enabled or disabled on a port by port
6184 basis. LLDP support is disabled by default.
6185 Summary:
6187 system_name string
6188 system_description string
6189 mappings map of integer-integer pairs, key in
6190 range 0 to 16,777,215, value in range 0
6191 to 4,095
6192 Details:
6194 system_name: string
6195 The system_name string is exported in LLDP messages. It should
6196 uniquely identify the bridge in the network.
6197 system_description: string
6199 The system_description string is exported in LLDP messages. It
6200 should describe the type of software and hardware.
6201 mappings: map of integer-integer pairs, key in range 0 to 16,777,215,
6203 value in range 0 to 4,095
6204 A mapping from SPB network Individual Service Identifier (ISID)
6205 to VLAN id.
6206Open vSwitch 3.1.1 DB Schema 8.3.1 ovs-vswitchd.conf.db(5)