1 <?xml version="1.0" encoding="utf-8"?>
2 <database name="vtep" title="Hardware VTEP Database">
4 This schema specifies relations that a VTEP can use to integrate
5 physical ports into logical switches maintained by a network
6 virtualization controller such as NSX.
14 VXLAN Tunnel End Point, an entity which originates and/or terminates
20 Hardware Switch Controller.
25 Network Virtualization Controller, e.g. NSX.
30 Virtual Routing and Forwarding instance.
34 <h2>Common Column</h2>
37 Some tables contain a column, named <code>other_config</code>.
38 This column has the same form and purpose each place that it appears,
39 so we describe it here to save space later.
43 <dt><code>other_config</code>: map of string-string pairs</dt>
46 Key-value pairs for configuring rarely used or proprietary features.
49 Some tables do not have <code>other_config</code> column because no
50 key-value pairs have yet been defined for them.
55 <table name="Global" title="Top-level configuration.">
56 Top-level configuration for a hardware VTEP. There must be
57 exactly one record in the <ref table="Global"/> table.
59 <column name="switches">
61 The physical switch or switches managed by the VTEP.
65 When a physical switch integrates support for this VTEP schema, which
66 is expected to be the most common case, this column should point to one
67 <ref table="Physical_Switch"/> record that represents the switch
68 itself. In another possible implementation, a server or a VM presents
69 a VTEP schema front-end interface to one or more physical switches,
70 presumably communicating with those physical switches over a
71 proprietary protocol. In that case, this column would point to one
72 <ref table="Physical_Switch"/> for each physical switch, and the set
73 might change over time as the front-end server comes to represent a
74 differing set of switches.
78 <group title="Database Configuration">
80 These columns primarily configure the database server
81 (<code>ovsdb-server</code>), not the hardware VTEP itself.
84 <column name="managers">
85 Database clients to which the database server should connect or
86 to which it should listen, along with options for how these
87 connection should be configured. See the <ref table="Manager"/>
88 table for more information.
92 <group title="Common Column">
93 The overall purpose of this column is described under <code>Common
94 Column</code> at the beginning of this document.
96 <column name="other_config"/>
101 <table name="Manager" title="OVSDB management connection.">
103 Configuration for a database connection to an Open vSwitch Database
108 The database server can initiate and maintain active connections
109 to remote clients. It can also listen for database connections.
112 <group title="Core Features">
113 <column name="target">
114 <p>Connection method for managers.</p>
116 The following connection methods are currently supported:
119 <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
122 The specified SSL <var>port</var> (default: 6640) on the host at
123 the given <var>ip</var>, which must be expressed as an IP address
127 SSL key and certificate configuration happens outside the
132 <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
134 The specified TCP <var>port</var> (default: 6640) on the host at
135 the given <var>ip</var>, which must be expressed as an IP address
138 <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
141 Listens for SSL connections on the specified TCP <var>port</var>
142 (default: 6640). If <var>ip</var>, which must be expressed as an
143 IP address (not a DNS name), is specified, then connections are
144 restricted to the specified local IP address.
147 <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
149 Listens for connections on the specified TCP <var>port</var>
150 (default: 6640). If <var>ip</var>, which must be expressed as an
151 IP address (not a DNS name), is specified, then connections are
152 restricted to the specified local IP address.
158 <group title="Client Failure Detection and Handling">
159 <column name="max_backoff">
160 Maximum number of milliseconds to wait between connection attempts.
161 Default is implementation-specific.
164 <column name="inactivity_probe">
165 Maximum number of milliseconds of idle time on connection to the
166 client before sending an inactivity probe message. If the Open
167 vSwitch database does not communicate with the client for the
168 specified number of seconds, it will send a probe. If a
169 response is not received for the same additional amount of time,
170 the database server assumes the connection has been broken
171 and attempts to reconnect. Default is implementation-specific.
172 A value of 0 disables inactivity probes.
176 <group title="Status">
177 <column name="is_connected">
178 <code>true</code> if currently connected to this manager,
179 <code>false</code> otherwise.
182 <column name="status" key="last_error">
183 A human-readable description of the last error on the connection
184 to the manager; i.e. <code>strerror(errno)</code>. This key
185 will exist only if an error has occurred.
188 <column name="status" key="state"
189 type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
191 The state of the connection to the manager:
194 <dt><code>VOID</code></dt>
195 <dd>Connection is disabled.</dd>
197 <dt><code>BACKOFF</code></dt>
198 <dd>Attempting to reconnect at an increasing period.</dd>
200 <dt><code>CONNECTING</code></dt>
201 <dd>Attempting to connect.</dd>
203 <dt><code>ACTIVE</code></dt>
204 <dd>Connected, remote host responsive.</dd>
206 <dt><code>IDLE</code></dt>
207 <dd>Connection is idle. Waiting for response to keep-alive.</dd>
210 These values may change in the future. They are provided only for
215 <column name="status" key="sec_since_connect"
216 type='{"type": "integer", "minInteger": 0}'>
217 The amount of time since this manager last successfully connected
218 to the database (in seconds). Value is empty if manager has never
219 successfully connected.
222 <column name="status" key="sec_since_disconnect"
223 type='{"type": "integer", "minInteger": 0}'>
224 The amount of time since this manager last disconnected from the
225 database (in seconds). Value is empty if manager has never
229 <column name="status" key="locks_held">
230 Space-separated list of the names of OVSDB locks that the connection
231 holds. Omitted if the connection does not hold any locks.
234 <column name="status" key="locks_waiting">
235 Space-separated list of the names of OVSDB locks that the connection is
236 currently waiting to acquire. Omitted if the connection is not waiting
240 <column name="status" key="locks_lost">
241 Space-separated list of the names of OVSDB locks that the connection
242 has had stolen by another OVSDB client. Omitted if no locks have been
243 stolen from this connection.
246 <column name="status" key="n_connections"
247 type='{"type": "integer", "minInteger": 2}'>
249 When <ref column="target"/> specifies a connection method that
250 listens for inbound connections (e.g. <code>ptcp:</code> or
251 <code>pssl:</code>) and more than one connection is actually active,
252 the value is the number of active connections. Otherwise, this
253 key-value pair is omitted.
256 When multiple connections are active, status columns and key-value
257 pairs (other than this one) report the status of one arbitrarily
263 <group title="Connection Parameters">
265 Additional configuration for a connection between the manager
266 and the database server.
269 <column name="other_config" key="dscp"
270 type='{"type": "integer"}'>
271 The Differentiated Service Code Point (DSCP) is specified using 6 bits
272 in the Type of Service (TOS) field in the IP header. DSCP provides a
273 mechanism to classify the network traffic and provide Quality of
274 Service (QoS) on IP networks.
276 The DSCP value specified here is used when establishing the
277 connection between the manager and the database server. If no
278 value is specified, a default value of 48 is chosen. Valid DSCP
279 values must be in the range 0 to 63.
284 <table name="Physical_Switch" title="A physical switch.">
285 A physical switch that implements a VTEP.
287 <column name="ports">
288 The physical ports within the switch.
291 <column name="tunnels">
292 Tunnels created by this switch as instructed by the NVC.
295 <group title="Network Status">
296 <column name="management_ips">
297 IPv4 or IPv6 addresses at which the switch may be contacted
298 for management purposes.
301 <column name="tunnel_ips">
303 IPv4 or IPv6 addresses on which the switch may originate or
308 This column is intended to allow a <ref table="Manager"/> to
309 determine the <ref table="Physical_Switch"/> that terminates
310 the tunnel represented by a <ref table="Physical_Locator"/>.
315 <group title="Identification">
317 Symbolic name for the switch, such as its hostname.
320 <column name="description">
321 An extended description for the switch, such as its switch login
325 <group title="Error Notification">
327 An entry in this column indicates to the NVC that this switch
328 has encountered a fault. The switch must clear this column
329 when the fault has been cleared.
332 <column name="switch_fault_status" key="mac_table_exhaustion">
333 Indicates that the switch has been unable to process MAC
334 entries requested by the NVC due to lack of table resources.
337 <column name="switch_fault_status" key="tunnel_exhaustion">
338 Indicates that the switch has been unable to create tunnels
339 requested by the NVC due to lack of resources.
342 <column name="switch_fault_status" key="lr_switch_bindings_fault">
343 Indicates that the switch has been unable to create the logical router
344 interfaces requested by the NVC due to conflicting configurations or a
345 lack of hardware resources.
348 <column name="switch_fault_status" key="lr_static_routes_fault">
349 Indicates that the switch has been unable to create the static routes
350 requested by the NVC due to conflicting configurations or a lack of
354 <column name="switch_fault_status" key="lr_creation_fault">
355 Indicates that the switch has been unable to create the logical router
356 requested by the NVC due to conflicting configurations or a lack of
360 <column name="switch_fault_status" key="lr_support_fault">
361 Indicates that the switch does not support logical routing.
364 <column name="switch_fault_status" key="unspecified_fault">
365 Indicates that an error has occurred in the switch but that no
366 more specific information is available.
369 <column name="switch_fault_status"
370 key="unsupported_source_node_replication">
371 Indicates that the requested source node replication mode cannot be
372 supported by the physical switch; this specifically means in this
373 context that the physical switch lacks the capability to support
374 source node replication mode. This error occurs when a controller
375 attempts to set source node replication mode for one of the logical
376 switches that the physical switch is keeping context for. An NVC
377 that observes this error should take appropriate action (for example
378 reverting the logical switch to service node replication mode).
379 It is recommended that an NVC be proactive and test for support of
380 source node replication by using a test logical switch on vtep
381 physical switch nodes and then trying to change the replication mode
382 to source node on this logical switch, checking for error. The NVC
383 could remember this capability per vtep physical switch. Using
384 mixed replication modes on a given logical switch is not recommended.
385 Service node replication mode is considered a basic requirement
386 since it only requires sending a packet to a single transport node,
387 hence it is not expected that a switch should report that service
388 node mode cannot be supported.
392 <group title="Common Column">
393 The overall purpose of this column is described under <code>Common
394 Column</code> at the beginning of this document.
396 <column name="other_config"/>
401 <table name="Tunnel" title="A tunnel created by a physical switch.">
402 A tunnel created by a <ref table="Physical_Switch"/>.
404 <column name="local">
405 Tunnel end-point local to the physical switch.
408 <column name="remote">
409 Tunnel end-point remote to the physical switch.
412 <group title="Bidirectional Forwarding Detection (BFD)">
414 BFD, defined in RFC 5880, allows point to point detection of
415 connectivity failures by occasional transmission of BFD control
416 messages. VTEPs are expected to implement BFD.
420 BFD operates by regularly transmitting BFD control messages at a
421 rate negotiated independently in each direction. Each endpoint
422 specifies the rate at which it expects to receive control messages,
423 and the rate at which it's willing to transmit them. An endpoint
424 which fails to receive BFD control messages for a period of three
425 times the expected reception rate will signal a connectivity
426 fault. In the case of a unidirectional connectivity issue, the
427 system not receiving BFD control messages will signal the problem
428 to its peer in the messages it transmits.
432 A hardware VTEP is expected to use BFD to determine reachability of
433 devices at the end of the tunnels with which it exchanges data. This
434 can enable the VTEP to choose a functioning service node among a set of
435 service nodes providing high availability. It also enables the NVC to
436 report the health status of tunnels.
440 In many cases the BFD peer of a hardware VTEP will be an Open vSwitch
441 instance. The Open vSwitch implementation of BFD aims to comply
442 faithfully with the requirements put forth in RFC 5880. Open vSwitch
443 does not implement the optional Authentication or ``Echo Mode''
447 <group title="BFD Local Configuration">
449 The HSC writes the key-value pairs in the
450 <ref column="bfd_config_local"/> column to specify the local
451 configurations to be used for BFD sessions on this tunnel.
454 <column name="bfd_config_local" key="bfd_dst_mac">
455 Set to an Ethernet address in the form
456 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
457 to set the MAC expected as destination for received BFD packets.
458 The default is <code>00:23:20:00:00:01</code>.
461 <column name="bfd_config_local" key="bfd_dst_ip">
462 Set to an IPv4 address to set the IP address that is expected as destination
463 for received BFD packets. The default is <code>169.254.1.0</code>.
468 <group title="BFD Remote Configuration">
470 The <ref column="bfd_config_remote"/> column is the remote
471 counterpart of the <ref column="bfd_config_local"/> column.
472 The NVC writes the key-value pairs in this column.
475 <column name="bfd_config_remote" key="bfd_dst_mac">
476 Set to an Ethernet address in the form
477 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
478 to set the destination MAC to be used for transmitted BFD packets.
479 The default is <code>00:23:20:00:00:01</code>.
482 <column name="bfd_config_remote" key="bfd_dst_ip">
483 Set to an IPv4 address to set the IP address used as destination
484 for transmitted BFD packets. The default is <code>169.254.1.1</code>.
489 <group title="BFD Parameters">
491 The NVC sets up key-value pairs in the <ref column="bfd_params"/>
492 column to enable and configure BFD.
495 <column name="bfd_params" key="enable" type='{"type": "boolean"}'>
496 True to enable BFD on this <ref table="Tunnel"/>. If not
497 specified, BFD will not be enabled by default.
500 <column name="bfd_params" key="min_rx"
501 type='{"type": "integer", "minInteger": 1}'>
502 The shortest interval, in milliseconds, at which this BFD session
503 offers to receive BFD control messages. The remote endpoint may
504 choose to send messages at a slower rate. Defaults to
508 <column name="bfd_params" key="min_tx"
509 type='{"type": "integer", "minInteger": 1}'>
510 The shortest interval, in milliseconds, at which this BFD session is
511 willing to transmit BFD control messages. Messages will actually be
512 transmitted at a slower rate if the remote endpoint is not willing to
513 receive as quickly as specified. Defaults to <code>100</code>.
516 <column name="bfd_params" key="decay_min_rx" type='{"type": "integer"}'>
517 An alternate receive interval, in milliseconds, that must be greater
518 than or equal to <ref column="bfd_params" key="min_rx"/>. The
519 implementation should switch from <ref column="bfd_params" key="min_rx"/>
520 to <ref column="bfd_params" key="decay_min_rx"/> when there is no obvious
521 incoming data traffic at the tunnel, to reduce the CPU and bandwidth
522 cost of monitoring an idle tunnel. This feature may be disabled by
523 setting a value of 0. This feature is reset whenever
524 <ref column="bfd_params" key="decay_min_rx"/> or
525 <ref column="bfd_params" key="min_rx"/> changes.
528 <column name="bfd_params" key="forwarding_if_rx" type='{"type": "boolean"}'>
529 When <code>true</code>, traffic received on the <ref table="Tunnel"/>
530 is used to indicate the capability of packet I/O.
531 BFD control packets are still transmitted and received. At least one
532 BFD control packet must be received every
533 100 * <ref column="bfd_params" key="min_rx"/> amount of time.
534 Otherwise, even if traffic is received, the
535 <ref column="bfd_params" key="forwarding"/> will be <code>false</code>.
538 <column name="bfd_params" key="cpath_down" type='{"type": "boolean"}'>
539 Set to true to notify the remote endpoint that traffic should not be
540 forwarded to this system for some reason other than a connectivity
541 failure on the interface being monitored. The typical underlying
542 reason is ``concatenated path down,'' that is, that connectivity
543 beyond the local system is down. Defaults to false.
546 <column name="bfd_params" key="check_tnl_key" type='{"type": "boolean"}'>
547 Set to true to make BFD accept only control messages with a tunnel
548 key of zero. By default, BFD accepts control messages with any
554 <group title="BFD Status">
556 The VTEP sets key-value pairs in the <ref column="bfd_status"/>
557 column to report the status of BFD on this tunnel. When BFD is
558 not enabled, with <ref column="bfd_params" key="enable"/>, the
559 HSC clears all key-value pairs from <ref column="bfd_status"/>.
562 <column name="bfd_status" key="enabled" type='{"type": "boolean"}'>
563 Set to true if the BFD session has been successfully enabled.
564 Set to false if the VTEP cannot support BFD or has insufficient
565 resources to enable BFD on this tunnel. The NVC will disable
566 the BFD monitoring on the other side of the tunnel once this
567 value is set to false.
570 <column name="bfd_status" key="state"
571 type='{"type": "string",
572 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
573 Reports the state of the BFD session. The BFD session is fully
574 healthy and negotiated if <code>UP</code>.
577 <column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
578 Reports whether the BFD session believes this <ref table="Tunnel"/>
579 may be used to forward traffic. Typically this means the local session
580 is signaling <code>UP</code>, and the remote system isn't signaling a
581 problem such as concatenated path down.
584 <column name="bfd_status" key="diagnostic">
585 A diagnostic code specifying the local system's reason for the
586 last change in session state. The error messages are defined in
587 section 4.1 of [RFC 5880].
590 <column name="bfd_status" key="remote_state"
591 type='{"type": "string",
592 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
593 Reports the state of the remote endpoint's BFD session.
596 <column name="bfd_status" key="remote_diagnostic">
597 A diagnostic code specifying the remote system's reason for the
598 last change in session state. The error messages are defined in
599 section 4.1 of [RFC 5880].
602 <column name="bfd_status" key="info">
603 A short message providing further information about the BFD status
604 (possibly including reasons why BFD could not be enabled).
610 <table name="Physical_Port" title="A port within a physical switch.">
611 A port within a <ref table="Physical_Switch"/>.
613 <column name="vlan_bindings">
614 Identifies how VLANs on the physical port are bound to logical switches.
615 If, for example, the map contains a (VLAN, logical switch) pair, a packet
616 that arrives on the port in the VLAN is considered to belong to the
617 paired logical switch. A value of zero in the VLAN field means
618 that untagged traffic on the physical port is mapped to the
622 <column name="acl_bindings">
624 Attach Access Control Lists (ACLs) to the physical port. The
625 column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
626 the VLAN tag in the map is 0, this means that the ACL is
627 associated with the entire physical port. Non-zero values mean
628 that the ACL is to be applied only on packets carrying that VLAN
629 tag value. Switches will not necessarily support matching on the
630 VLAN tag for all ACLs, and unsupported ACL bindings will cause
631 errors to be reported. The binding of an ACL to a specific
632 VLAN and the binding of an ACL to the entire physical port
633 should not be combined on a single physical port. That is, a
634 mix of zero and non-zero keys in the map is not recommended.
638 <column name="vlan_stats">
639 Statistics for VLANs bound to logical switches on the physical port. An
640 implementation that fully supports such statistics would populate this
641 column with a mapping for every VLAN that is bound in <ref
642 column="vlan_bindings"/>. An implementation that does not support such
643 statistics or only partially supports them would not populate this column
644 or partially populate it, respectively. A value of zero in the
645 VLAN field refers to untagged traffic on the physical port.
648 <group title="Identification">
650 Symbolic name for the port. The name ought to be unique within a given
651 <ref table="Physical_Switch"/>, but the database is not capable of
655 <column name="description">
656 An extended description for the port.
659 <group title="Error Notification">
661 An entry in this column indicates to the NVC that the physical port has
662 encountered a fault. The switch must clear this column when the error
665 <column name="port_fault_status" key="invalid_vlan_map">
667 Indicates that a VLAN-to-logical-switch mapping requested by
668 the controller could not be instantiated by the switch
669 because of a conflict with local configuration.
672 <column name="port_fault_status" key="invalid_ACL_binding">
674 Indicates that an error has occurred in associating an ACL
678 <column name="port_fault_status" key="unspecified_fault">
680 Indicates that an error has occurred on the port but that no
681 more specific information is available.
686 <group title="Common Column">
687 The overall purpose of this column is described under <code>Common
688 Column</code> at the beginning of this document.
690 <column name="other_config"/>
695 <table name="Logical_Binding_Stats" title="Statistics for a VLAN on a physical port bound to a logical network.">
696 Reports statistics for the <ref table="Logical_Switch"/> with which a VLAN
697 on a <ref table="Physical_Port"/> is associated.
699 <group title="Statistics">
700 These statistics count only packets to which the binding applies.
702 <column name="packets_from_local">
703 Number of packets sent by the <ref table="Physical_Switch"/>.
706 <column name="bytes_from_local">
707 Number of bytes in packets sent by the <ref table="Physical_Switch"/>.
710 <column name="packets_to_local">
711 Number of packets received by the <ref table="Physical_Switch"/>.
714 <column name="bytes_to_local">
715 Number of bytes in packets received by the <ref
716 table="Physical_Switch"/>.
721 <table name="Logical_Switch" title="A layer-2 domain.">
722 A logical Ethernet switch, whose implementation may span physical and
723 virtual media, possibly crossing L3 domains via tunnels; a logical layer-2
724 domain; an Ethernet broadcast domain.
728 <group title="Per Logical-Switch Tunnel Key">
730 Tunnel protocols tend to have a field that allows the tunnel
731 to be partitioned into sub-tunnels: VXLAN has a VNI, GRE and
732 STT have a key, CAPWAP has a WSI, and so on. We call these
733 generically ``tunnel keys.'' Given that one needs to use a
734 tunnel key at all, there are at least two reasonable ways to
741 Per <ref table="Logical_Switch"/>+<ref table="Physical_Locator"/>
742 pair. That is, each logical switch may be assigned a different
743 tunnel key on every <ref table="Physical_Locator"/>. This model is
748 In this model, <ref table="Physical_Locator"/> carries the tunnel
749 key. Therefore, one <ref table="Physical_Locator"/> record will
750 exist for each logical switch carried at a given IP destination.
756 Per <ref table="Logical_Switch"/>. That is, every tunnel
757 associated with a particular logical switch carries the same tunnel
758 key, regardless of the <ref table="Physical_Locator"/> to which the
759 tunnel is addressed. This model may ease switch implementation
760 because it imposes fewer requirements on the hardware datapath.
764 In this model, <ref table="Logical_Switch"/> carries the tunnel
765 key. Therefore, one <ref table="Physical_Locator"/> record will
766 exist for each IP destination.
771 <column name="tunnel_key">
773 This column is used only in the tunnel key per <ref
774 table="Logical_Switch"/> model (see above), because only in that
775 model is there a tunnel key associated with a logical switch.
779 For <code>vxlan_over_ipv4</code> encapsulation, when the tunnel key
780 per <ref table="Logical_Switch"/> model is in use, this column is the
781 VXLAN VNI that identifies a logical switch. It must be in the range
787 <group title="Replication Mode">
789 For handling L2 broadcast, multicast and unknown unicast traffic,
790 packets can be sent to all members of a logical switch referenced by
791 a physical switch. There are different modes to replicate the
792 packets. The default mode of replication is to send the traffic to
793 a service node, which can be a hypervisor, server or appliance, and
794 let the service node handle replication to other transport nodes
795 (hypervisors or other VTEP physical switches). This mode is called
796 service node replication. An alternate mode of replication, called
797 source node replication involves the source node sending to all
798 other transport nodes. Hypervisors are always responsible for doing
799 their own replication for locally attached VMs in both modes.
800 Service node replication mode is the default and considered a
801 basic requirement because it only requires sending the packet to
802 a single transport node.
805 <column name="replication_mode">
807 This optional column defines the replication mode per
808 <ref table="Logical_Switch"/>. There are 2 valid values,
809 <code>service_node</code> and <code>source_node</code>. If the
810 column is not set, the replication mode defaults to service_node.
816 <group title="Identification">
818 Symbolic name for the logical switch.
821 <column name="description">
822 An extended description for the logical switch, such as its switch
827 <group title="Common Column">
828 The overall purpose of this column is described under <code>Common
829 Column</code> at the beginning of this document.
831 <column name="other_config"/>
836 <table name="Ucast_Macs_Local" title="Unicast MACs (local)">
838 Mapping of unicast MAC addresses to tunnels (physical
839 locators). This table is written by the HSC, so it contains the
840 MAC addresses that have been learned on physical ports by a
845 A MAC address that has been learned by the VTEP.
848 <column name="logical_switch">
849 The Logical switch to which this mapping applies.
852 <column name="locator">
853 The physical locator to be used to reach this MAC address. In
854 this table, the physical locator will be one of the tunnel IP
855 addresses of the appropriate VTEP.
858 <column name="ipaddr">
859 The IP address to which this MAC corresponds. Optional field for
860 the purpose of ARP supression.
865 <table name="Ucast_Macs_Remote" title="Unicast MACs (remote)">
867 Mapping of unicast MAC addresses to tunnels (physical
868 locators). This table is written by the NVC, so it contains the
869 MAC addresses that the NVC has learned. These include VM MAC
870 addresses, in which case the physical locators will be
871 hypervisor IP addresses. The NVC will also report MACs that it
872 has learned from other HSCs in the network, in which case the
873 physical locators will be tunnel IP addresses of the
878 A MAC address that has been learned by the NVC.
881 <column name="logical_switch">
882 The Logical switch to which this mapping applies.
885 <column name="locator">
886 The physical locator to be used to reach this MAC address. In
887 this table, the physical locator will be either a hypervisor IP
888 address or a tunnel IP addresses of another VTEP.
891 <column name="ipaddr">
892 The IP address to which this MAC corresponds. Optional field for
893 the purpose of ARP supression.
898 <table name="Mcast_Macs_Local" title="Multicast MACs (local)">
900 Mapping of multicast MAC addresses to tunnels (physical
901 locators). This table is written by the HSC, so it contains the
902 MAC addresses that have been learned on physical ports by a
903 VTEP. These may be learned by IGMP snooping, for example. This
904 table also specifies how to handle unknown unicast and broadcast packets.
909 A MAC address that has been learned by the VTEP.
912 The keyword <code>unknown-dst</code> is used as a special
913 ``Ethernet address'' that indicates the locations to which
914 packets in a logical switch whose destination addresses do not
915 otherwise appear in <ref table="Ucast_Macs_Local"/> (for
916 unicast addresses) or <ref table="Mcast_Macs_Local"/> (for
917 multicast addresses) should be sent.
921 <column name="logical_switch">
922 The Logical switch to which this mapping applies.
925 <column name="locator_set">
926 The physical locator set to be used to reach this MAC address. In
927 this table, the physical locator set will be contain one or more tunnel IP
928 addresses of the appropriate VTEP(s).
931 <column name="ipaddr">
932 The IP address to which this MAC corresponds. Optional field for
933 the purpose of ARP supression.
937 <table name="Mcast_Macs_Remote" title="Multicast MACs (remote)">
939 Mapping of multicast MAC addresses to tunnels (physical
940 locators). This table is written by the NVC, so it contains the
941 MAC addresses that the NVC has learned. This
942 table also specifies how to handle unknown unicast and broadcast
946 Multicast packet replication may be handled by a service node,
947 in which case the physical locators will be IP addresses of
948 service nodes. If the VTEP supports replication onto multiple
949 tunnels, using source node replication, then this may be used to
950 replicate directly onto VTEP-hypervisor or VTEP-VTEP tunnels.
955 A MAC address that has been learned by the NVC.
958 The keyword <code>unknown-dst</code> is used as a special
959 ``Ethernet address'' that indicates the locations to which
960 packets in a logical switch whose destination addresses do not
961 otherwise appear in <ref table="Ucast_Macs_Remote"/> (for
962 unicast addresses) or <ref table="Mcast_Macs_Remote"/> (for
963 multicast addresses) should be sent.
967 <column name="logical_switch">
968 The Logical switch to which this mapping applies.
971 <column name="locator_set">
972 The physical locator set to be used to reach this MAC address. In
973 this table, the physical locator set will be either a set of service
974 nodes when service node replication is used or the set of transport
975 nodes (defined as hypervisors or VTEPs) participating in the associated
976 logical switch, when source node replication is used. When service node
977 replication is used, the VTEP should send packets to one member of the
978 locator set that is known to be healthy and reachable, which could be
979 determined by BFD. When source node replication is used, the VTEP
980 should send packets to all members of the locator set.
983 <column name="ipaddr">
984 The IP address to which this MAC corresponds. Optional field for
985 the purpose of ARP supression.
990 <table name="Logical_Router" title="A logical L3 router.">
992 A logical router, or VRF. A logical router may be connected to one or more
993 logical switches. Subnet addresses and interface addresses may be configured on the
997 <column name="switch_binding">
998 Maps from an IPv4 or IPv6 address prefix in CIDR notation to a
999 logical switch. Multiple prefixes may map to the same switch. By
1000 writing a 32-bit (or 128-bit for v6) address with a /N prefix
1001 length, both the router's interface address and the subnet
1002 prefix can be configured. For example, 192.68.1.1/24 creates a
1003 /24 subnet for the logical switch attached to the interface and
1004 assigns the address 192.68.1.1 to the router interface.
1007 <column name="static_routes">
1008 One or more static routes, mapping IP prefixes to next hop IP addresses.
1011 <column name="acl_binding">
1012 Maps ACLs to logical router interfaces. The router interfaces
1013 are indicated using IP address notation, and must be the same
1014 interfaces created in the <ref column="switch_binding"/>
1015 column. For example, an ACL could be associated with the logical
1016 router interface with an address of 192.68.1.1 as defined in the
1020 <group title="Identification">
1021 <column name="name">
1022 Symbolic name for the logical router.
1025 <column name="description">
1026 An extended description for the logical router.
1030 <group title="Error Notification">
1032 An entry in this column indicates to the NVC that the HSC has
1033 encountered a fault in configuring state related to the
1036 <column name="LR_fault_status" key="invalid_ACL_binding">
1038 Indicates that an error has occurred in associating an ACL
1039 with a logical router port.
1042 <column name="LR_fault_status" key="unspecified_fault">
1044 Indicates that an error has occurred in configuring the
1045 logical router but that no
1046 more specific information is available.
1051 <group title="Common Column">
1052 The overall purpose of this column is described under <code>Common
1053 Column</code> at the beginning of this document.
1055 <column name="other_config"/>
1060 <table name="Arp_Sources_Local" title="ARP source addresses for logical routers">
1062 MAC address to be used when a VTEP issues ARP requests on behalf
1063 of a logical router.
1067 A distributed logical router is implemented by a set of VTEPs
1068 (both hardware VTEPs and vswitches). In order for a given VTEP
1069 to populate the local ARP cache for a logical router, it issues
1070 ARP requests with a source MAC address that is unique to the VTEP. A
1071 single per-VTEP MAC can be re-used across all logical
1072 networks. This table contains the MACs that are used by the
1073 VTEPs of a given HSC. The table provides the mapping from MAC to
1074 physical locator for each VTEP so that replies to the ARP
1075 requests can be sent back to the correct VTEP using the
1076 appropriate physical locator.
1079 <column name="src_mac">
1080 The source MAC to be used by a given VTEP.
1083 <column name="locator">
1084 The <ref table="Physical_Locator"/> to use for replies to ARP
1085 requests from this MAC address.
1089 <table name="Arp_Sources_Remote" title="ARP source addresses for logical routers">
1091 MAC address to be used when a remote VTEP issues ARP requests on behalf
1092 of a logical router.
1096 This table is the remote counterpart of <ref
1097 table="Arp_sources_local"/>. The NVC writes this table to notify
1098 the HSC of the MACs that will be used by remote VTEPs when they
1099 issue ARP requests on behalf of a distributed logical router.
1102 <column name="src_mac">
1103 The source MAC to be used by a given VTEP.
1106 <column name="locator">
1107 The <ref table="Physical_Locator"/> to use for replies to ARP
1108 requests from this MAC address.
1112 <table name="Physical_Locator_Set">
1114 A set of one or more <ref table="Physical_Locator"/>s.
1118 This table exists only because OVSDB does not have a way to
1119 express the type ``map from string to one or more <ref
1120 table="Physical_Locator"/> records.''
1123 <column name="locators"/>
1126 <table name="Physical_Locator">
1128 Identifies an endpoint to which logical switch traffic may be
1129 encapsulated and forwarded.
1133 The <code>vxlan_over_ipv4</code> encapsulation, the only encapsulation
1134 defined so far, can use either tunnel key model described in the ``Per
1135 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1136 table. When the tunnel key per <ref table="Logical_Switch"/> model is in
1137 use, the <ref table="Logical_Switch" column="tunnel_key"/> column in the
1138 <ref table="Logical_Switch"/> table is filled with a VNI and the <ref
1139 column="tunnel_key"/> column in this table is empty; in the
1140 key-per-tunnel model, the opposite is true. The former model is older,
1141 and thus likely to be more widely supported. See the ``Per
1142 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1143 table for further discussion of the model.
1146 <column name="encapsulation_type">
1147 The type of tunneling encapsulation.
1150 <column name="dst_ip">
1152 For <code>vxlan_over_ipv4</code> encapsulation, the IPv4 address of the
1153 VXLAN tunnel endpoint.
1157 We expect that this column could be used for IPv4 or IPv6 addresses in
1158 encapsulations to be introduced later.
1162 <column name="tunnel_key">
1164 This column is used only in the tunnel key per <ref
1165 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model (see
1170 For <code>vxlan_over_ipv4</code> encapsulation, when the <ref
1171 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model is in
1172 use, this column is the VXLAN VNI. It must be in the range 0 to
1178 <table name="ACL_entry">
1180 Describes the individual entries that comprise an Access Control List.
1183 Each entry in the table is a single rule to match on certain
1184 header fields. While there are a large number of fields that can
1185 be matched on, most hardware cannot match on arbitrary
1186 combinations of fields. It is common to match on either L2
1187 fields (described below in the L2 group of columns) or L3/L4 fields
1188 (the L3/L4 group of columns) but not both. The hardware switch
1189 controller may log an error if an ACL entry requires it to match
1190 on an incompatible mixture of fields.
1192 <column name="sequence">
1194 The sequence number for the ACL entry for the purpose of
1195 ordering entries in an ACL. Lower numbered entries are matched
1196 before higher numbered entries.
1199 <group title="L2 fields">
1200 <column name="source_mac">
1202 Source MAC address, in the form
1203 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1206 <column name="dest_mac">
1208 Destination MAC address, in the form
1209 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1212 <column name="ethertype">
1214 Ethertype in hexadecimal, in the form
1219 <group title="L3/L4 fields">
1220 <column name="source_ip">
1222 Source IP address, in the form
1223 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1224 colon-separated hexadecimal notation for IPv6.
1227 <column name="source_mask">
1229 Mask that determines which bits of source_ip to match on, in the form
1230 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1231 colon-separated hexadecimal notation for IPv6.
1234 <column name="dest_ip">
1236 Destination IP address, in the form
1237 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1238 colon-separated hexadecimal notation for IPv6.
1241 <column name="dest_mask">
1243 Mask that determines which bits of dest_ip to match on, in the form
1244 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1245 colon-separated hexadecimal notation for IPv6.
1248 <column name="protocol">
1250 Protocol number in the IPv4 header, or value of the "next
1251 header" field in the IPv6 header.
1254 <column name="source_port_min">
1256 Lower end of the range of source port values. The value
1257 specified is included in the range.
1260 <column name="source_port_max">
1262 Upper end of the range of source port values. The value
1263 specified is included in the range.
1266 <column name="dest_port_min">
1268 Lower end of the range of destination port values. The value
1269 specified is included in the range.
1272 <column name="dest_port_max">
1274 Upper end of the range of destination port values. The value
1275 specified is included in the range.
1278 <column name="tcp_flags">
1280 Integer representing the value of TCP flags to match. For
1281 example, the SYN flag is the second least significant bit in
1282 the TCP flags. Hence a value of 2 would indicate that the "SYN"
1283 flag should be set (assuming an appropriate mask).
1286 <column name="tcp_flags_mask">
1288 Integer representing the mask to apply when matching TCP
1289 flags. For example, a value of 2 would imply that the "SYN"
1290 flag should be matched and all other flags ignored.
1293 <column name="icmp_type">
1295 ICMP type to be matched.
1298 <column name="icmp_code">
1300 ICMP code to be matched.
1304 <column name="direction">
1306 Direction of traffic to match on the specified port, either
1307 "ingress" (toward the logical switch or router) or "egress"
1308 (leaving the logical switch or router).
1311 <column name="action">
1313 Action to take for this rule, either "permit" or "deny".
1316 <group title="Error Notification">
1318 An entry in this column indicates to the NVC that the ACL
1319 could not be configured as requested. The switch must clear this column when the error
1322 <column name="acle_fault_status" key="invalid_acl_entry">
1324 Indicates that an ACL entry requested by
1325 the controller could not be instantiated by the switch,
1326 e.g. because it requires an unsupported combination of
1327 fields to be matched.
1330 <column name="acle_fault_status" key="unspecified_fault">
1332 Indicates that an error has occurred in configuring the ACL
1334 more specific information is available.
1341 Access Control List table. Each ACL is constructed as a set of
1342 entries from the <ref table="ACL_entry"/> table. Packets that
1343 are not matched by any entry in the ACL are allowed by default.
1345 <column name="acl_entries">
1347 A set of references to entries in the <ref table="ACL_entry"/> table.
1350 <column name="acl_name">
1352 A human readable name for the ACL, which may (for example) be displayed on
1356 <group title="Error Notification">
1358 An entry in this column indicates to the NVC that the ACL
1359 could not be configured as requested. The switch must clear this column when the error
1362 <column name="acl_fault_status" key="invalid_acl">
1364 Indicates that an ACL requested by
1365 the controller could not be instantiated by the switch,
1366 e.g., because it requires an unsupported combination of
1367 fields to be matched.
1370 <column name="acl_fault_status" key="resource_shortage">
1372 Indicates that an ACL requested by
1373 the controller could not be instantiated by the switch due
1374 to a shortage of resources (e.g. TCAM space).
1377 <column name="acl_fault_status" key="unspecified_fault">
1379 Indicates that an error has occurred in configuring the ACL
1381 more specific information is available.