<?xml version="1.0" encoding="utf-8"?>
<database name="vtep" title="Hardware VTEP Database">
This schema specifies relations that a VTEP can use to integrate
physical ports into logical switches maintained by a network
virtualization controller such as NSX.
VXLAN Tunnel End Point, an entity which originates and/or terminates
Hardware Switch Controller.
Network Virtualization Controller, e.g. NSX.
Virtual Routing and Forwarding instance.
<table name="Global" title="Top-level configuration.">
Top-level configuration for a hardware VTEP. There must be
exactly one record in the <ref table="Global"/> table.
<column name="switches">
The physical switch or switches managed by the VTEP.
When a physical switch integrates support for this VTEP schema, which
is expected to be the most common case, this column should point to one
<ref table="Physical_Switch"/> record that represents the switch
itself. In another possible implementation, a server or a VM presents
a VTEP schema front-end interface to one or more physical switches,
presumably communicating with those physical switches over a
proprietary protocol. In that case, this column would point to one
<ref table="Physical_Switch"/> for each physical switch, and the set
might change over time as the front-end server comes to represent a
differing set of switches.
<group title="Database Configuration">
These columns primarily configure the database server
(<code>ovsdb-server</code>), not the hardware VTEP itself.
<column name="managers">
Database clients to which the database server should connect or
to which it should listen, along with options for how these
connections should be configured. See the <ref table="Manager"/>
table for more information.
<table name="Manager" title="OVSDB management connection.">
Configuration for a database connection to an Open vSwitch Database
The database server can initiate and maintain active connections
to remote clients. It can also listen for database connections.
<group title="Core Features">
<column name="target">
<p>Connection method for managers.</p>
The following connection methods are currently supported:
<dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
The specified SSL <var>port</var> (default: 6640) on the host at
the given <var>ip</var>, which must be expressed as an IP address
SSL key and certificate configuration happens outside the
<dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
The specified TCP <var>port</var> (default: 6640) on the host at
the given <var>ip</var>, which must be expressed as an IP address
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
Listens for SSL connections on the specified TCP <var>port</var>
(default: 6640). If <var>ip</var>, which must be expressed as an
IP address (not a DNS name), is specified, then connections are
restricted to the specified local IP address.
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
Listens for connections on the specified TCP <var>port</var>
(default: 6640). If <var>ip</var>, which must be expressed as an
IP address (not a DNS name), is specified, then connections are
restricted to the specified local IP address.
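The four target forms above, parsed and audited as a defender would review a Global.managers set. This is an added example, not code from the vtep schema or Open vSwitch; the default port 6640 and the IP-literal rule come from the text, while bracketed IPv6 literals (`[addr]`) are an assumption.

```python
"""Parse and audit OVSDB Manager "target" strings (ssl:, tcp:, pssl:, ptcp:).

Added example for the hardware VTEP schema; not part of Open vSwitch.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORT = 6640          # documented default for all four methods


@dataclass(frozen=True)
class Target:
    method: str              # "ssl", "tcp", "pssl" or "ptcp"
    ip: Optional[str]        # None for a listener bound to every local address
    port: int
    passive: bool            # pssl:/ptcp: listen; ssl:/tcp: connect outward
    encrypted: bool          # ssl:/pssl: use SSL; tcp:/ptcp: are plaintext


def _parse_ip(text: str) -> str:
    """Accept only IP literals (IPv4, or IPv6 in [brackets]); reject DNS names."""
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return str(ipaddress.ip_address(text))   # ValueError on a hostname


def parse_target(target: str) -> Target:
    method, sep, rest = target.partition(":")
    if not sep or method not in ("ssl", "tcp", "pssl", "ptcp"):
        raise ValueError(f"unsupported connection method: {target!r}")
    passive = method.startswith("p")
    encrypted = method.endswith("ssl")
    if passive:
        # pssl:[port][:ip] -- both parts are optional
        port_text, _, ip_text = rest.partition(":")
        port = int(port_text) if port_text else DEFAULT_PORT
        ip = _parse_ip(ip_text) if ip_text else None
    else:
        # ssl:ip[:port] -- ip is mandatory; an IPv6 literal is bracketed (assumption)
        if rest.startswith("["):
            close = rest.index("]")
            ip_text, port_text = rest[: close + 1], rest[close + 1:].lstrip(":")
        else:
            ip_text, _, port_text = rest.partition(":")
        if not ip_text:
            raise ValueError(f"active method needs an ip: {target!r}")
        ip = _parse_ip(ip_text)
        port = int(port_text) if port_text else DEFAULT_PORT
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return Target(method, ip, port, passive, encrypted)


def audit_targets(targets: List[str]) -> List[str]:
    """One finding per target that weakens the VTEP management plane."""
    findings = []
    for text in targets:
        try:
            t = parse_target(text)
        except ValueError as exc:
            findings.append(f"{text}: invalid ({exc})")
            continue
        if not t.encrypted:
            preferred = "pssl" if t.passive else "ssl"
            findings.append(f"{text}: plaintext OVSDB; prefer {preferred}:")
        if t.passive and t.ip is None:
            findings.append(f"{text}: listener not restricted to a local IP")
    return findings
```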
<group title="Client Failure Detection and Handling">
<column name="max_backoff">
Maximum number of milliseconds to wait between connection attempts.
Default is implementation-specific.
<column name="inactivity_probe">
Maximum number of milliseconds of idle time on connection to the
client before sending an inactivity probe message. If the Open
vSwitch database does not communicate with the client for the
specified interval, it will send a probe. If a
response is not received for the same additional amount of time,
the database server assumes the connection has been broken
and attempts to reconnect. Default is implementation-specific.
A value of 0 disables inactivity probes.
<group title="Status">
<column name="is_connected">
<code>true</code> if currently connected to this manager,
<code>false</code> otherwise.
<column name="status" key="last_error">
A human-readable description of the last error on the connection
to the manager; i.e. <code>strerror(errno)</code>. This key
will exist only if an error has occurred.
<column name="status" key="state"
type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
The state of the connection to the manager:
<dt><code>VOID</code></dt>
<dd>Connection is disabled.</dd>
<dt><code>BACKOFF</code></dt>
<dd>Attempting to reconnect at an increasing period.</dd>
<dt><code>CONNECTING</code></dt>
<dd>Attempting to connect.</dd>
<dt><code>ACTIVE</code></dt>
<dd>Connected, remote host responsive.</dd>
<dt><code>IDLE</code></dt>
<dd>Connection is idle. Waiting for response to keep-alive.</dd>
These values may change in the future. They are provided only for
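The inactivity_probe and max_backoff semantics together with the status:state values, as a small simulation. This is an added illustration, not the ovsdb-server implementation; times are milliseconds as the schema specifies, and the 1000 ms starting backoff that doubles up to max_backoff is an assumption (the page says only that the default is implementation-specific).

```python
"""Simulate the Manager connection state machine reported in status:state.

Added example for the hardware VTEP schema; not Open vSwitch code.
"""
from typing import List, Optional, Tuple


class ManagerConnection:
    def __init__(self, inactivity_probe_ms: int, max_backoff_ms: int,
                 initial_backoff_ms: int = 1000):
        self.probe_ms = inactivity_probe_ms     # 0 disables inactivity probes
        self.max_backoff = max_backoff_ms
        self.initial_backoff = initial_backoff_ms   # assumed starting value
        self.backoff = initial_backoff_ms
        self.state = "VOID"
        self.last_rx: Optional[int] = None      # last message from the client
        self.probe_sent: Optional[int] = None   # time the outstanding probe went out
        self.retry_at: Optional[int] = None     # when the BACKOFF period ends
        self.log: List[Tuple[int, str]] = []    # (time, new state) transitions

    def _enter(self, now: int, state: str) -> None:
        if state != self.state:
            self.state = state
            self.log.append((now, state))

    def enable(self, now: int) -> None:
        """Manager record enabled: start connecting."""
        self._enter(now, "CONNECTING")

    def connected(self, now: int) -> None:
        """Transport came up; reset backoff so the next failure starts small."""
        self.backoff = self.initial_backoff
        self.last_rx = now
        self.probe_sent = None
        self._enter(now, "ACTIVE")

    def received(self, now: int) -> None:
        """Any message from the client counts as liveness, probe replies included."""
        self.last_rx = now
        self.probe_sent = None
        if self.state == "IDLE":
            self._enter(now, "ACTIVE")

    def _disconnect(self, now: int) -> None:
        """Connection judged broken: back off, doubling up to max_backoff."""
        self.retry_at = now + self.backoff
        self.backoff = min(self.backoff * 2, self.max_backoff)
        self._enter(now, "BACKOFF")

    def tick(self, now: int) -> str:
        """Advance the clock and evaluate timers; returns the resulting state."""
        if self.state == "BACKOFF" and now >= self.retry_at:
            self._enter(now, "CONNECTING")
        elif self.state in ("ACTIVE", "IDLE") and self.probe_ms > 0:
            if self.probe_sent is not None:
                if now - self.probe_sent >= self.probe_ms:
                    self._disconnect(now)        # probe unanswered for another interval
            elif now - self.last_rx >= self.probe_ms:
                self.probe_sent = now            # idle for the interval: send a probe
                self._enter(now, "IDLE")
        return self.state


def simulate() -> List[Tuple[int, str]]:
    """Constructed timeline: 5 s probe interval, 8 s backoff cap, client goes silent."""
    c = ManagerConnection(inactivity_probe_ms=5000, max_backoff_ms=8000)
    c.enable(0)
    c.connected(100)
    c.received(2000)
    for t in range(2000, 20001, 500):
        c.tick(t)
    return c.log
```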
<column name="status" key="sec_since_connect"
type='{"type": "integer", "minInteger": 0}'>
The amount of time since this manager last successfully connected
to the database (in seconds). Value is empty if manager has never
successfully connected.
<column name="status" key="sec_since_disconnect"
type='{"type": "integer", "minInteger": 0}'>
The amount of time since this manager last disconnected from the
database (in seconds). Value is empty if manager has never
<column name="status" key="locks_held">
Space-separated list of the names of OVSDB locks that the connection
holds. Omitted if the connection does not hold any locks.
<column name="status" key="locks_waiting">
Space-separated list of the names of OVSDB locks that the connection is
currently waiting to acquire. Omitted if the connection is not waiting
<column name="status" key="locks_lost">
Space-separated list of the names of OVSDB locks that the connection
has had stolen by another OVSDB client. Omitted if no locks have been
stolen from this connection.
<column name="status" key="n_connections"
type='{"type": "integer", "minInteger": 2}'>
When <ref column="target"/> specifies a connection method that
listens for inbound connections (e.g. <code>ptcp:</code> or
<code>pssl:</code>) and more than one connection is actually active,
the value is the number of active connections. Otherwise, this
key-value pair is omitted.
When multiple connections are active, status columns and key-value
pairs (other than this one) report the status of one arbitrarily
<group title="Connection Parameters">
Additional configuration for a connection between the manager
and the database server.
<column name="other_config" key="dscp"
type='{"type": "integer"}'>
The Differentiated Service Code Point (DSCP) is specified using 6 bits
in the Type of Service (TOS) field in the IP header. DSCP provides a
mechanism to classify the network traffic and provide Quality of
Service (QoS) on IP networks.
The DSCP value specified here is used when establishing the
connection between the manager and the database server. If no
value is specified, a default value of 48 is chosen. Valid DSCP
values must be in the range 0 to 63.
<table name="Physical_Switch" title="A physical switch.">
A physical switch that implements a VTEP.
<column name="ports">
The physical ports within the switch.
<column name="tunnels">
Tunnels created by this switch as instructed by the NVC.
<group title="Network Status">
<column name="management_ips">
IPv4 or IPv6 addresses at which the switch may be contacted
for management purposes.
<column name="tunnel_ips">
IPv4 or IPv6 addresses on which the switch may originate or
This column is intended to allow a <ref table="Manager"/> to
determine the <ref table="Physical_Switch"/> that terminates
the tunnel represented by a <ref table="Physical_Locator"/>.
<group title="Identification">
Symbolic name for the switch, such as its hostname.
<column name="description">
An extended description for the switch, such as its switch login
<group title="Error Notification">
An entry in this column indicates to the NVC that this switch
has encountered a fault. The switch must clear this column
when the fault has been cleared.
<column name="switch_fault_status" key="mac_table_exhaustion">
Indicates that the switch has been unable to process MAC
entries requested by the NVC due to lack of table resources.
<column name="switch_fault_status" key="tunnel_exhaustion">
Indicates that the switch has been unable to create tunnels
requested by the NVC due to lack of resources.
<column name="switch_fault_status" key="lr_switch_bindings_fault">
Indicates that the switch has been unable to create the logical router
interfaces requested by the NVC due to conflicting configurations or a
lack of hardware resources.
<column name="switch_fault_status" key="lr_static_routes_fault">
Indicates that the switch has been unable to create the static routes
requested by the NVC due to conflicting configurations or a lack of
<column name="switch_fault_status" key="lr_creation_fault">
Indicates that the switch has been unable to create the logical router
requested by the NVC due to conflicting configurations or a lack of
<column name="switch_fault_status" key="lr_support_fault">
Indicates that the switch does not support logical routing.
<column name="switch_fault_status" key="unspecified_fault">
Indicates that an error has occurred in the switch but that no
more specific information is available.
<table name="Tunnel" title="A tunnel created by a physical switch.">
A tunnel created by a <ref table="Physical_Switch"/>.
<column name="local">
Tunnel end-point local to the physical switch.
<column name="remote">
Tunnel end-point remote to the physical switch.
<group title="Bidirectional Forwarding Detection (BFD)">
BFD, defined in RFC 5880, allows point to point detection of
connectivity failures by occasional transmission of BFD control
messages. VTEPs are expected to implement BFD.
BFD operates by regularly transmitting BFD control messages at a
rate negotiated independently in each direction. Each endpoint
specifies the rate at which it expects to receive control messages,
and the rate at which it's willing to transmit them. An endpoint
which fails to receive BFD control messages for a period of three
times the expected reception rate will signal a connectivity
fault. In the case of a unidirectional connectivity issue, the
system not receiving BFD control messages will signal the problem
to its peer in the messages it transmits.
A hardware VTEP is expected to use BFD to determine reachability of
devices at the end of the tunnels with which it exchanges data. This
can enable the VTEP to choose a functioning service node among a set of
service nodes providing high availability. It also enables the NVC to
report the health status of tunnels.
In many cases the BFD peer of a hardware VTEP will be an Open vSwitch
instance. The Open vSwitch implementation of BFD aims to comply
faithfully with the requirements put forth in RFC 5880. Open vSwitch
does not implement the optional Authentication or ``Echo Mode''
<group title="BFD Local Configuration">
The HSC writes the key-value pairs in the
<ref column="bfd_config_local"/> column to specify the local
configurations to be used for BFD sessions on this tunnel.
<column name="bfd_config_local" key="bfd_dst_mac">
Set to an Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the MAC expected as destination for received BFD packets.
The default is <code>00:23:20:00:00:01</code>.
<column name="bfd_config_local" key="bfd_dst_ip">
Set to an IPv4 address to set the IP address that is expected as destination
for received BFD packets. The default is <code>169.254.1.0</code>.
<group title="BFD Remote Configuration">
The <ref column="bfd_config_remote"/> column is the remote
counterpart of the <ref column="bfd_config_local"/> column.
The NVC writes the key-value pairs in this column.
<column name="bfd_config_remote" key="bfd_dst_mac">
Set to an Ethernet address in the form
<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
to set the destination MAC to be used for transmitted BFD packets.
The default is <code>00:23:20:00:00:01</code>.
<column name="bfd_config_remote" key="bfd_dst_ip">
Set to an IPv4 address to set the IP address used as destination
for transmitted BFD packets. The default is <code>169.254.1.1</code>.
<group title="BFD Parameters">
The NVC sets up key-value pairs in the <ref column="bfd_params"/>
column to enable and configure BFD.
<column name="bfd_params" key="enable" type='{"type": "boolean"}'>
True to enable BFD on this <ref table="Tunnel"/>. If not
specified, BFD will not be enabled by default.
<column name="bfd_params" key="min_rx"
type='{"type": "integer", "minInteger": 1}'>
The shortest interval, in milliseconds, at which this BFD session
offers to receive BFD control messages. The remote endpoint may
choose to send messages at a slower rate. Defaults to
<column name="bfd_params" key="min_tx"
type='{"type": "integer", "minInteger": 1}'>
The shortest interval, in milliseconds, at which this BFD session is
willing to transmit BFD control messages. Messages will actually be
transmitted at a slower rate if the remote endpoint is not willing to
receive as quickly as specified. Defaults to <code>100</code>.
<column name="bfd_params" key="decay_min_rx" type='{"type": "integer"}'>
An alternate receive interval, in milliseconds, that must be greater
than or equal to <ref column="bfd_params" key="min_rx"/>. The
implementation should switch from <ref column="bfd_params" key="min_rx"/>
to <ref column="bfd_params" key="decay_min_rx"/> when there is no obvious
incoming data traffic at the tunnel, to reduce the CPU and bandwidth
cost of monitoring an idle tunnel. This feature may be disabled by
setting a value of 0. This feature is reset whenever
<ref column="bfd_params" key="decay_min_rx"/> or
<ref column="bfd_params" key="min_rx"/> changes.
<column name="bfd_params" key="forwarding_if_rx" type='{"type": "boolean"}'>
When <code>true</code>, traffic received on the <ref table="Tunnel"/>
is used to indicate the capability of packet I/O.
BFD control packets are still transmitted and received. At least one
BFD control packet must be received every
100 * <ref column="bfd_params" key="min_rx"/> amount of time.
Otherwise, even if traffic is received, the
<ref column="bfd_params" key="forwarding"/> will be <code>false</code>.
<column name="bfd_params" key="cpath_down" type='{"type": "boolean"}'>
Set to true to notify the remote endpoint that traffic should not be
forwarded to this system for some reason other than a connectivity
failure on the interface being monitored. The typical underlying
reason is ``concatenated path down,'' that is, that connectivity
beyond the local system is down. Defaults to false.
<column name="bfd_params" key="check_tnl_key" type='{"type": "boolean"}'>
Set to true to make BFD accept only control messages with a tunnel
key of zero. By default, BFD accepts control messages with any
<group title="BFD Status">
The VTEP sets key-value pairs in the <ref column="bfd_status"/>
column to report the status of BFD on this tunnel. When BFD is
not enabled, with <ref column="bfd_params" key="enable"/>, the
HSC clears all key-value pairs from <ref column="bfd_status"/>.
<column name="bfd_status" key="enabled" type='{"type": "boolean"}'>
Set to true if the BFD session has been successfully enabled.
Set to false if the VTEP cannot support BFD or has insufficient
resources to enable BFD on this tunnel. The NVC will disable
the BFD monitoring on the other side of the tunnel once this
value is set to false.
<column name="bfd_status" key="state"
type='{"type": "string",
"enum": ["set", ["admin_down", "down", "init", "up"]]}'>
Reports the state of the BFD session. The BFD session is fully
healthy and negotiated if <code>up</code>.
<column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
Reports whether the BFD session believes this <ref table="Tunnel"/>
may be used to forward traffic. Typically this means the local session
is signaling <code>up</code>, and the remote system isn't signaling a
problem such as concatenated path down.
<column name="bfd_status" key="diagnostic">
A diagnostic code specifying the local system's reason for the
last change in session state. The error messages are defined in
section 4.1 of [RFC 5880].
<column name="bfd_status" key="remote_state"
type='{"type": "string",
"enum": ["set", ["admin_down", "down", "init", "up"]]}'>
Reports the state of the remote endpoint's BFD session.
<column name="bfd_status" key="remote_diagnostic">
A diagnostic code specifying the remote system's reason for the
last change in session state. The error messages are defined in
section 4.1 of [RFC 5880].
<column name="bfd_status" key="info">
A short message providing further information about the BFD status
(possibly including reasons why BFD could not be enabled).
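How the bfd_params keys above combine into the bfd_status verdict, as an added example that is not the OVS BFD implementation. Timer negotiation follows RFC 5880 (transmit no faster than the peer's min_rx; detect after three missed intervals as the Tunnel table describes); the remote timers are passed in explicitly since the schema has no column for them, the 1000 ms min_rx default is assumed because the page's text is cut off there, and the window in which data traffic counts as "recent" for forwarding_if_rx is an assumption.

```python
"""Derive bfd_status from bfd_params and session observations.

Added example for the hardware VTEP schema; not Open vSwitch code.
"""
from typing import Dict, Optional

DETECT_MULT = 3                   # "three times the expected reception rate"
CPATH_DOWN = "Concatenated Path Down"   # RFC 5880 section 4.1 diagnostic
DEFAULT_MIN_RX_MS = 1000          # assumed; the page's min_rx default is elided

# Constructed bfd_params map as the NVC would write it.
PARAMS = {"enable": True, "min_rx": 200, "min_tx": 100,
          "decay_min_rx": 2000, "forwarding_if_rx": True}


def effective_min_rx(params: Dict[str, object], tunnel_idle: bool = False) -> int:
    """Receive interval offered now: decay_min_rx while idle, else min_rx."""
    min_rx = int(params.get("min_rx", DEFAULT_MIN_RX_MS))
    decay = int(params.get("decay_min_rx", 0))       # 0 disables decay
    if decay and decay < min_rx:
        raise ValueError("decay_min_rx must be >= min_rx")
    return decay if (tunnel_idle and decay) else min_rx


def negotiate(params: Dict[str, object], remote_min_rx: int, remote_min_tx: int,
              tunnel_idle: bool = False) -> Dict[str, int]:
    """RFC 5880 timer negotiation from this endpoint's point of view."""
    local_min_tx = int(params.get("min_tx", 100))    # documented default
    local_min_rx = effective_min_rx(params, tunnel_idle)
    return {
        # Never transmit faster than the peer is willing to receive.
        "tx_interval_ms": max(local_min_tx, remote_min_rx),
        # Declare the session down after DETECT_MULT missed control packets.
        "detection_time_ms": DETECT_MULT * max(local_min_rx, remote_min_tx),
    }


def bfd_status(params: Dict[str, object], now_ms: int,
               last_ctrl_rx_ms: Optional[int], last_data_rx_ms: Optional[int],
               local_state: str, remote_state: str, remote_diagnostic: str,
               remote_min_tx: int, tunnel_idle: bool = False) -> Dict[str, object]:
    """Return the bfd_status key/value pairs the VTEP would report."""
    if not params.get("enable", False):
        return {}                                     # HSC clears bfd_status
    min_rx = effective_min_rx(params, tunnel_idle)
    detection = DETECT_MULT * max(min_rx, remote_min_tx)
    ctrl_age = None if last_ctrl_rx_ms is None else now_ms - last_ctrl_rx_ms
    # The session stays up only while control packets keep arriving in time.
    session_up = local_state == "up" and ctrl_age is not None and ctrl_age < detection
    diagnostic = "No Diagnostic"
    if local_state == "up" and not session_up:
        local_state, diagnostic = "down", "Control Detection Time Expired"
    forwarding = session_up
    if params.get("forwarding_if_rx", False):
        # Data traffic proves the path carries packets, but a control packet
        # must still have arrived within 100 * min_rx or forwarding is false.
        data_age = None if last_data_rx_ms is None else now_ms - last_data_rx_ms
        recent_data = data_age is not None and data_age < detection   # window assumed
        recent_ctrl = ctrl_age is not None and ctrl_age < 100 * min_rx
        forwarding = (forwarding or recent_data) and recent_ctrl
    if remote_diagnostic == CPATH_DOWN:
        forwarding = False            # peer asked us not to forward to it
    return {"enabled": True, "state": local_state, "forwarding": forwarding,
            "diagnostic": diagnostic, "remote_state": remote_state,
            "remote_diagnostic": remote_diagnostic}
```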
<table name="Physical_Port" title="A port within a physical switch.">
A port within a <ref table="Physical_Switch"/>.
<column name="vlan_bindings">
Identifies how VLANs on the physical port are bound to logical switches.
If, for example, the map contains a (VLAN, logical switch) pair, a packet
that arrives on the port in the VLAN is considered to belong to the
paired logical switch. A value of zero in the VLAN field means
that untagged traffic on the physical port is mapped to the
<column name="acl_bindings">
Attach Access Control Lists (ACLs) to the physical port. The
column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
the VLAN tag in the map is 0, this means that the ACL is
associated with the entire physical port. Non-zero values mean
that the ACL is to be applied only on packets carrying that VLAN
tag value. Switches will not necessarily support matching on the
VLAN tag for all ACLs, and unsupported ACL bindings will cause
errors to be reported. The binding of an ACL to a specific
VLAN and the binding of an ACL to the entire physical port
should not be combined on a single physical port. That is, a
mix of zero and non-zero keys in the map is not recommended.
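The vlan_bindings and acl_bindings maps applied to an arriving frame, plus a lint for the conditions the text warns about. This is an added example, not vtep-ctl or any HSC implementation; the maps are plain dicts keyed by VLAN id, and the choice that a per-VLAN ACL takes precedence over a whole-port ACL when both exist is an assumption (the page only says not to mix them).

```python
"""Classify frames by vlan_bindings/acl_bindings and lint a Physical_Port.

Added example for the hardware VTEP schema; not part of any HSC.
"""
from typing import Dict, List, Optional, Tuple


def classify(vlan_bindings: Dict[int, str], acl_bindings: Dict[int, str],
             vid: Optional[int]) -> Tuple[Optional[str], Optional[str]]:
    """Return (logical_switch, acl) for a frame with 802.1Q id vid (None = untagged)."""
    key = 0 if vid is None else vid            # VLAN 0 means untagged traffic
    logical_switch = vlan_bindings.get(key)    # no binding: frame is not admitted
    # Per-VLAN ACL first (assumption); otherwise key 0, which covers the
    # entire physical port and therefore tagged frames too.
    if key in acl_bindings:
        acl = acl_bindings[key]
    else:
        acl = acl_bindings.get(0)
    return logical_switch, acl


def lint_port(name: str, vlan_bindings: Dict[int, str],
              acl_bindings: Dict[int, str], supports_vlan_acl: bool = True) -> List[str]:
    """Findings an HSC would surface, e.g. as port_fault_status invalid_ACL_binding."""
    findings: List[str] = []
    for vid in list(vlan_bindings) + list(acl_bindings):
        if not 0 <= vid <= 4095:
            findings.append(f"{name}: VLAN id {vid} out of range")
    acl_vlans = {v for v in acl_bindings if v != 0}
    if 0 in acl_bindings and acl_vlans:
        findings.append(f"{name}: acl_bindings mixes whole-port (0) and "
                        f"per-VLAN keys {sorted(acl_vlans)}; not recommended")
    if acl_vlans and not supports_vlan_acl:
        findings.append(f"{name}: invalid_ACL_binding: switch cannot match the "
                        f"VLAN tag for ACLs on VLANs {sorted(acl_vlans)}")
    return findings


# Constructed bindings for one port: untagged -> management switch, VLAN 100 -> web.
VLAN_BINDINGS = {0: "ls-mgmt", 100: "ls-web"}
ACL_BINDINGS = {100: "acl-web"}
```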
<column name="vlan_stats">
Statistics for VLANs bound to logical switches on the physical port. An
implementation that fully supports such statistics would populate this
column with a mapping for every VLAN that is bound in <ref
column="vlan_bindings"/>. An implementation that does not support such
statistics or only partially supports them would not populate this column
or partially populate it, respectively. A value of zero in the
VLAN field refers to untagged traffic on the physical port.
<group title="Identification">
Symbolic name for the port. The name ought to be unique within a given
<ref table="Physical_Switch"/>, but the database is not capable of
<column name="description">
An extended description for the port.
<group title="Error Notification">
An entry in this column indicates to the NVC that the physical port has
encountered a fault. The switch must clear this column when the error
<column name="port_fault_status" key="invalid_vlan_map">
Indicates that a VLAN-to-logical-switch mapping requested by
the controller could not be instantiated by the switch
because of a conflict with local configuration.
<column name="port_fault_status" key="invalid_ACL_binding">
Indicates that an error has occurred in associating an ACL
<column name="port_fault_status" key="unspecified_fault">
Indicates that an error has occurred on the port but that no
more specific information is available.
<table name="Logical_Binding_Stats" title="Statistics for a VLAN on a physical port bound to a logical network.">
Reports statistics for the <ref table="Logical_Switch"/> with which a VLAN
on a <ref table="Physical_Port"/> is associated.
<group title="Statistics">
These statistics count only packets to which the binding applies.
<column name="packets_from_local">
Number of packets sent by the <ref table="Physical_Switch"/>.
<column name="bytes_from_local">
Number of bytes in packets sent by the <ref table="Physical_Switch"/>.
<column name="packets_to_local">
Number of packets received by the <ref table="Physical_Switch"/>.
<column name="bytes_to_local">
Number of bytes in packets received by the <ref
table="Physical_Switch"/>.
<table name="Logical_Switch" title="A layer-2 domain.">
A logical Ethernet switch, whose implementation may span physical and
virtual media, possibly crossing L3 domains via tunnels; a logical layer-2
domain; an Ethernet broadcast domain.
<group title="Per Logical-Switch Tunnel Key">
Tunnel protocols tend to have a field that allows the tunnel
to be partitioned into sub-tunnels: VXLAN has a VNI, GRE and
STT have a key, CAPWAP has a WSI, and so on. We call these
generically ``tunnel keys.'' Given that one needs to use a
tunnel key at all, there are at least two reasonable ways to
Per <ref table="Logical_Switch"/>+<ref table="Physical_Locator"/>
pair. That is, each logical switch may be assigned a different
tunnel key on every <ref table="Physical_Locator"/>. This model is
In this model, <ref table="Physical_Locator"/> carries the tunnel
key. Therefore, one <ref table="Physical_Locator"/> record will
exist for each logical switch carried at a given IP destination.
Per <ref table="Logical_Switch"/>. That is, every tunnel
associated with a particular logical switch carries the same tunnel
key, regardless of the <ref table="Physical_Locator"/> to which the
tunnel is addressed. This model may ease switch implementation
because it imposes fewer requirements on the hardware datapath.
In this model, <ref table="Logical_Switch"/> carries the tunnel
key. Therefore, one <ref table="Physical_Locator"/> record will
exist for each IP destination.
<column name="tunnel_key">
This column is used only in the tunnel key per <ref
table="Logical_Switch"/> model (see above), because only in that
model is there a tunnel key associated with a logical switch.
For <code>vxlan_over_ipv4</code> encapsulation, when the tunnel key
per <ref table="Logical_Switch"/> model is in use, this column is the
VXLAN VNI that identifies a logical switch. It must be in the range
<group title="Identification">
Symbolic name for the logical switch.
<column name="description">
An extended description for the logical switch, such as its switch
<table name="Ucast_Macs_Local" title="Unicast MACs (local)">
Mapping of unicast MAC addresses to tunnels (physical
locators). This table is written by the HSC, so it contains the
MAC addresses that have been learned on physical ports by a
A MAC address that has been learned by the VTEP.
<column name="logical_switch">
The logical switch to which this mapping applies.
<column name="locator">
The physical locator to be used to reach this MAC address. In
this table, the physical locator will be one of the tunnel IP
addresses of the appropriate VTEP.
<column name="ipaddr">
The IP address to which this MAC corresponds. Optional field for
the purpose of ARP suppression.
<table name="Ucast_Macs_Remote" title="Unicast MACs (remote)">
Mapping of unicast MAC addresses to tunnels (physical
locators). This table is written by the NVC, so it contains the
MAC addresses that the NVC has learned. These include VM MAC
addresses, in which case the physical locators will be
hypervisor IP addresses. The NVC will also report MACs that it
has learned from other HSCs in the network, in which case the
physical locators will be tunnel IP addresses of the
A MAC address that has been learned by the NVC.
<column name="logical_switch">
The logical switch to which this mapping applies.
<column name="locator">
The physical locator to be used to reach this MAC address. In
this table, the physical locator will be either a hypervisor IP
address or a tunnel IP address of another VTEP.
<column name="ipaddr">
The IP address to which this MAC corresponds. Optional field for
the purpose of ARP suppression.
<table name="Mcast_Macs_Local" title="Multicast MACs (local)">
Mapping of multicast MAC addresses to tunnels (physical
locators). This table is written by the HSC, so it contains the
MAC addresses that have been learned on physical ports by a
VTEP. These may be learned by IGMP snooping, for example. This
table also specifies how to handle unknown unicast and broadcast packets.
A MAC address that has been learned by the VTEP.
The keyword <code>unknown-dst</code> is used as a special
``Ethernet address'' that indicates the locations to which
packets in a logical switch whose destination addresses do not
otherwise appear in <ref table="Ucast_Macs_Local"/> (for
unicast addresses) or <ref table="Mcast_Macs_Local"/> (for
multicast addresses) should be sent.
<column name="logical_switch">
The logical switch to which this mapping applies.
<column name="locator_set">
The physical locator set to be used to reach this MAC address. In
this table, the physical locator set will contain one or more tunnel IP
addresses of the appropriate VTEP(s).
<column name="ipaddr">
The IP address to which this MAC corresponds. Optional field for
the purpose of ARP suppression.
<table name="Mcast_Macs_Remote" title="Multicast MACs (remote)">
Mapping of multicast MAC addresses to tunnels (physical
locators). This table is written by the NVC, so it contains the
MAC addresses that the NVC has learned. This
table also specifies how to handle unknown unicast and broadcast
Multicast packet replication may be handled by a service node,
in which case the physical locators will be IP addresses of
service nodes. If the VTEP supports replication onto multiple
tunnels, then this may be used to replicate directly onto
VTEP-hypervisor tunnels.
A MAC address that has been learned by the NVC.
The keyword <code>unknown-dst</code> is used as a special
``Ethernet address'' that indicates the locations to which
packets in a logical switch whose destination addresses do not
otherwise appear in <ref table="Ucast_Macs_Remote"/> (for
unicast addresses) or <ref table="Mcast_Macs_Remote"/> (for
multicast addresses) should be sent.
<column name="logical_switch">
The logical switch to which this mapping applies.
<column name="locator_set">
The physical locator set to be used to reach this MAC address. In
this table, the physical locator set will be either a service node IP
address or a set of tunnel IP addresses of hypervisors (and
potentially other VTEPs).
<column name="ipaddr">
The IP address to which this MAC corresponds. Optional field for
the purpose of ARP suppression.
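The destination lookup that the Ucast_Macs_Remote and Mcast_Macs_Remote tables describe, including the unknown-dst fallback and the ipaddr column used for ARP suppression. This is an added example rather than HSC or OVS code; the rows are constructed dicts shaped like the schema's columns (MAC, logical_switch, locator or locator_set, ipaddr), not a live OVSDB.

```python
"""Resolve a destination MAC in a logical switch to physical locators.

Added example for the hardware VTEP schema; not part of any HSC.
"""
from typing import Dict, List, Optional

UNKNOWN_DST = "unknown-dst"    # special "Ethernet address" in the Mcast tables

# Constructed rows, written by the NVC, as an HSC would read them.
UCAST_REMOTE: List[Dict[str, str]] = [
    {"MAC": "00:11:22:33:44:55", "logical_switch": "ls-web",
     "locator": "10.0.0.11", "ipaddr": "192.0.2.10"},
    {"MAC": "00:11:22:33:44:66", "logical_switch": "ls-db",
     "locator": "10.0.0.12"},
]
MCAST_REMOTE: List[Dict[str, object]] = [
    {"MAC": "01:00:5e:01:02:03", "logical_switch": "ls-web",
     "locator_set": ["10.0.0.11", "10.0.0.13"]},
    # Flood target for unknown unicast, broadcast and unlisted multicast.
    {"MAC": UNKNOWN_DST, "logical_switch": "ls-web",
     "locator_set": ["10.0.0.99"]},          # e.g. a replication service node
]


def is_group_address(mac: str) -> bool:
    """I/G bit of the first octet set: multicast or broadcast destination."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def lookup(logical_switch: str, dst_mac: str,
           ucast_remote: List[Dict[str, str]] = UCAST_REMOTE,
           mcast_remote: List[Dict[str, object]] = MCAST_REMOTE) -> List[str]:
    """Physical locators (tunnel IPs) the VTEP sends the frame to; [] means drop."""
    mac = dst_mac.lower()
    if not is_group_address(mac):
        for row in ucast_remote:          # known unicast: exactly one locator
            if row["logical_switch"] == logical_switch and row["MAC"].lower() == mac:
                return [row["locator"]]
    else:
        for row in mcast_remote:          # listed multicast: its locator set
            if row["logical_switch"] == logical_switch and row["MAC"].lower() == mac:
                return list(row["locator_set"])
    # Anything else goes wherever unknown-dst points for this logical switch.
    for row in mcast_remote:
        if row["logical_switch"] == logical_switch and row["MAC"] == UNKNOWN_DST:
            return list(row["locator_set"])
    return []


def arp_suppress(logical_switch: str, target_ip: str,
                 ucast_remote: List[Dict[str, str]] = UCAST_REMOTE) -> Optional[str]:
    """MAC to answer an ARP request locally when the NVC supplied ipaddr; else None."""
    for row in ucast_remote:
        if row["logical_switch"] == logical_switch and row.get("ipaddr") == target_ip:
            return row["MAC"]
    return None                           # no entry: the ARP request is flooded
```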
<table name="Logical_Router" title="A logical L3 router.">
A logical router, or VRF. A logical router may be connected to one or more
logical switches. Subnet addresses and interface addresses may be configured on the
<column name="switch_binding">
Maps from an IPv4 or IPv6 address prefix in CIDR notation to a
logical switch. Multiple prefixes may map to the same switch. By
writing a 32-bit (or 128-bit for v6) address with a /N prefix
length, both the router's interface address and the subnet
prefix can be configured. For example, 192.68.1.1/24 creates a
/24 subnet for the logical switch attached to the interface and
assigns the address 192.68.1.1 to the router interface.
<column name="static_routes">
One or more static routes, mapping IP prefixes to next hop IP addresses.
<column name="acl_binding">
Maps ACLs to logical router interfaces. The router interfaces
are indicated using IP address notation, and must be the same
interfaces created in the <ref column="switch_binding"/>
column. For example, an ACL could be associated with the logical
router interface with an address of 192.68.1.1 as defined in the
<group title="Identification">
Symbolic name for the logical router.
<column name="description">
An extended description for the logical router.
<group title="Error Notification">
An entry in this column indicates to the NVC that the HSC has
encountered a fault in configuring state related to the
<column name="LR_fault_status" key="invalid_ACL_binding">
Indicates that an error has occurred in associating an ACL
with a logical router port.
<column name="LR_fault_status" key="unspecified_fault">
Indicates that an error has occurred in configuring the
logical router but that no
more specific information is available.
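The switch_binding, static_routes and acl_binding columns validated the way an HSC would before programming them, reporting the fault keys the page defines (LR_fault_status for ACL problems, the Physical_Switch lr_static_routes_fault for routes). This is an added example, not an HSC implementation; the columns are constructed dicts keyed as the text describes, the page's own example address 192.68.1.1/24 is reused as-is, and treating a next hop outside every connected subnet as a route fault is an assumption.

```python
"""Validate Logical_Router bindings and derive fault-status keys.

Added example for the hardware VTEP schema; not part of any HSC.
"""
import ipaddress
from typing import Dict, Tuple

# Constructed switch_binding: CIDR with host bits -> logical switch.
SWITCH_BINDING = {"192.68.1.1/24": "ls-web", "10.0.0.1/8": "ls-db"}


def parse_switch_binding(switch_binding: Dict[str, str]) -> Dict[str, Tuple[object, str]]:
    """Return {interface_address: (subnet, logical_switch)} from the CIDR keys.

    A key such as 192.68.1.1/24 yields both the router interface address
    (192.68.1.1) and the subnet of the attached switch (192.68.1.0/24).
    """
    interfaces: Dict[str, Tuple[object, str]] = {}
    for cidr, logical_switch in switch_binding.items():
        iface = ipaddress.ip_interface(cidr)        # IPv4 or IPv6; host bits allowed
        interfaces[str(iface.ip)] = (iface.network, logical_switch)
    return interfaces


def validate_logical_router(switch_binding: Dict[str, str],
                            static_routes: Dict[str, str],
                            acl_binding: Dict[str, str]) -> Dict[str, str]:
    """Fault keys an HSC would set; empty when the configuration is consistent."""
    faults: Dict[str, str] = {}
    try:
        interfaces = parse_switch_binding(switch_binding)
    except ValueError as exc:
        return {"unspecified_fault": f"bad switch_binding: {exc}"}
    # ACLs may only be attached to interfaces that switch_binding created.
    for addr in acl_binding:
        if addr not in interfaces:
            faults["invalid_ACL_binding"] = f"{addr} is not an interface from switch_binding"
    for prefix, next_hop in static_routes.items():
        try:
            ipaddress.ip_network(prefix)            # ValueError if malformed
            nh = ipaddress.ip_address(next_hop)
        except ValueError as exc:
            faults["lr_static_routes_fault"] = f"malformed route {prefix} -> {next_hop}: {exc}"
            continue
        # Assumption: a next hop must lie on a connected subnet to be resolvable.
        if not any(nh in network for network, _ in interfaces.values()):
            faults["lr_static_routes_fault"] = (
                f"next hop {next_hop} for {prefix} is not on a connected subnet")
    return faults
```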
946 <table name="Arp_Sources_Local" title="ARP source addresses for logical routers">
948 MAC address to be used when a VTEP issues ARP requests on behalf
953 A distributed logical router is implemented by a set of VTEPs
954 (both hardware VTEPs and vswitches). In order for a given VTEP
955 to populate the local ARP cache for a logical router, it issues
956 ARP requests with a source MAC address that is unique to the VTEP. A
957 single per-VTEP MAC can be re-used across all logical
958 networks. This table contains the MACs that are used by the
959 VTEPs of a given HSC. The table provides the mapping from MAC to
960 physical locator for each VTEP so that replies to the ARP
961 requests can be sent back to the correct VTEP using the
962 appropriate physical locator.
965 <column name="src_mac">
966 The source MAC to be used by a given VTEP.
969 <column name="locator">
970 The <ref table="Physical_Locator"/> to use for replies to ARP
971 requests from this MAC address.
975 <table name="Arp_Sources_Remote" title="ARP source addresses for logical routers">
977 MAC address to be used when a remote VTEP issues ARP requests on behalf
982 This table is the remote counterpart of <ref
983 table="Arp_sources_local"/>. The NVC writes this table to notify
984 the HSC of the MACs that will be used by remote VTEPs when they
985 issue ARP requests on behalf of a distributed logical router.
988 <column name="src_mac">
989 The source MAC to be used by a given VTEP.
992 <column name="locator">
993 The <ref table="Physical_Locator"/> to use for replies to ARP
994 requests from this MAC address.
998 <table name="Physical_Locator_Set">
1000 A set of one or more <ref table="Physical_Locator"/>s.
1004 This table exists only because OVSDB does not have a way to
1005 express the type ``map from string to one or more <ref
1006 table="Physical_Locator"/> records.''
1009 <column name="locators"/>
1012 <table name="Physical_Locator">
1014 Identifies an endpoint to which logical switch traffic may be
1015 encapsulated and forwarded.
1019 The <code>vxlan_over_ipv4</code> encapsulation, the only encapsulation
1020 defined so far, can use either tunnel key model described in the ``Per
1021 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1022 table. When the tunnel key per <ref table="Logical_Switch"/> model is in
1023 use, the <ref table="Logical_Switch" column="tunnel_key"/> column in the
1024 <ref table="Logical_Switch"/> table is filled with a VNI and the <ref
1025 column="tunnel_key"/> column in this table is empty; in the
1026 key-per-tunnel model, the opposite is true. The former model is older,
1027 and thus likely to be more widely supported. See the ``Per
1028 Logical-Switch Tunnel Key'' section in the <ref table="Logical_Switch"/>
1029 table for further discussion of the model.
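The rule in the paragraph above (exactly one of the two tunnel-key columns is filled, never both and never neither) is something a controller or an HSC can verify before programming tunnels. The following Python is an added example, not part of the hardware_vtep schema or of Open vSwitch. It models Logical_Switch and Physical_Locator rows as dicts keyed by column name, with an empty optional column represented as None; the sample rows are constructed. The 24-bit VNI bound used in the range check comes from the VXLAN specification (RFC 7348), not from this page.

```python
"""Consistency check for the two VXLAN tunnel-key models of the
Physical_Locator / Logical_Switch tables. Added example; rows are dicts
keyed by schema column names and all sample rows are constructed."""

# A VXLAN VNI is a 24-bit field (RFC 7348), so valid values are 0..2**24-1.
VNI_MAX = (1 << 24) - 1


def check_tunnel_key_model(logical_switch, locators):
    """Return a list of problems for one Logical_Switch row and the
    Physical_Locator rows that carry its traffic.

    Exactly one model must be in use:
      * key per Logical_Switch: Logical_Switch.tunnel_key holds the VNI and
        every Physical_Locator.tunnel_key is empty (None);
      * key per tunnel (Logical_Switch+Physical_Locator): Logical_Switch.tunnel_key
        is empty and every Physical_Locator.tunnel_key holds a VNI.
    """
    problems = []
    ls_key = logical_switch.get("tunnel_key")
    loc_keys = [loc.get("tunnel_key") for loc in locators]

    for loc in locators:
        # vxlan_over_ipv4 is the only encapsulation the schema defines so far.
        if loc.get("encapsulation_type") != "vxlan_over_ipv4":
            problems.append(
                f"{loc['dst_ip']}: unknown encapsulation {loc.get('encapsulation_type')!r}")

    if ls_key is not None and any(k is not None for k in loc_keys):
        problems.append("tunnel_key set on both Logical_Switch and a Physical_Locator")
    elif ls_key is None and any(k is None for k in loc_keys):
        # Neither model is fully in use: a tunnel without any key cannot be programmed.
        missing = [loc["dst_ip"] for loc in locators if loc.get("tunnel_key") is None]
        problems.append(f"no tunnel_key for locators {missing} and none on the Logical_Switch")

    candidates = [(ls_key, "Logical_Switch")]
    candidates += [(k, f"Physical_Locator {loc['dst_ip']}") for k, loc in zip(loc_keys, locators)]
    for key, where in candidates:
        if key is not None and not 0 <= key <= VNI_MAX:
            problems.append(f"{where}: VNI {key} outside 0..{VNI_MAX}")
    return problems


def model_in_use(logical_switch, locators):
    """Name the model in use, or None if the rows are inconsistent."""
    if check_tunnel_key_model(logical_switch, locators):
        return None
    return "per-logical-switch" if logical_switch.get("tunnel_key") is not None else "per-tunnel"


# Constructed sample rows (addresses from the RFC 5737 documentation range).
LS_OLD_MODEL = {"name": "ls-blue", "tunnel_key": 5001}
LS_NEW_MODEL = {"name": "ls-green", "tunnel_key": None}
LOCATORS_NO_KEY = [
    {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": "192.0.2.10", "tunnel_key": None},
    {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": "192.0.2.11", "tunnel_key": None},
]
LOCATORS_WITH_KEY = [
    {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": "192.0.2.10", "tunnel_key": 7001},
    {"encapsulation_type": "vxlan_over_ipv4", "dst_ip": "192.0.2.11", "tunnel_key": 7002},
]

if __name__ == "__main__":
    print(model_in_use(LS_OLD_MODEL, LOCATORS_NO_KEY))    # per-logical-switch
    print(model_in_use(LS_NEW_MODEL, LOCATORS_WITH_KEY))  # per-tunnel
    print(check_tunnel_key_model(LS_OLD_MODEL, LOCATORS_WITH_KEY))  # both columns set
```

The check deliberately reports the mixed case (a VNI on the Logical_Switch and on a locator) rather than picking one, because the text defines the two models as mutually exclusive and a hardware VTEP given both has no defined way to choose.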
1032 <column name="encapsulation_type">
1033 The type of tunneling encapsulation.
1036 <column name="dst_ip">
1038 For <code>vxlan_over_ipv4</code> encapsulation, the IPv4 address of the
1039 VXLAN tunnel endpoint.
1043 We expect that this column could be used for IPv4 or IPv6 addresses in
1044 encapsulations to be introduced later.
1048 <column name="tunnel_key">
1050 This column is used only in the tunnel key per <ref
1051 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model (see
1056 For <code>vxlan_over_ipv4</code> encapsulation, when the <ref
1057 table="Logical_Switch"/>+<ref table="Physical_Locator"/> model is in
1058 use, this column is the VXLAN VNI. It must be in the range 0 to
1064 <table name="ACL_entry">
1066 Describes the individual entries that comprise an Access Control List.
1069 Each entry in the table is a single rule to match on certain
1070 header fields. While there are a large number of fields that can
1071 be matched on, most hardware cannot match on arbitrary
1072 combinations of fields. It is common to match on either L2
1073 fields (described below in the L2 group of columns) or L3/L4 fields
1074 (the L3/L4 group of columns) but not both. The hardware switch
1075 controller may log an error if an ACL entry requires it to match
1076 on an incompatible mixture of fields.
1078 <column name="sequence">
1080 The sequence number for the ACL entry for the purpose of
1081 ordering entries in an ACL. Lower numbered entries are matched
1082 before higher numbered entries.
1085 <group title="L2 fields">
1086 <column name="source_mac">
1088 Source MAC address, in the form
1089 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1092 <column name="dest_mac">
1094 Destination MAC address, in the form
1095 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1098 <column name="ethertype">
1100 Ethertype in hexadecimal, in the form
1105 <group title="L3/L4 fields">
1106 <column name="source_ip">
1108 Source IP address, in the form
1109 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1110 colon-separated hexadecimal notation for IPv6.
1113 <column name="source_mask">
1115 Mask that determines which bits of source_ip to match on, in the form
1116 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1117 colon-separated hexadecimal notation for IPv6.
1120 <column name="dest_ip">
1122 Destination IP address, in the form
1123 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1124 colon-separated hexadecimal notation for IPv6.
1127 <column name="dest_mask">
1129 Mask that determines which bits of dest_ip to match on, in the form
1130 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1131 colon-separated hexadecimal notation for IPv6.
1134 <column name="protocol">
1136 Protocol number in the IPv4 header, or value of the "next
1137 header" field in the IPv6 header.
1140 <column name="source_port_min">
1142 Lower end of the range of source port values. The value
1143 specified is included in the range.
1146 <column name="source_port_max">
1148 Upper end of the range of source port values. The value
1149 specified is included in the range.
1152 <column name="dest_port_min">
1154 Lower end of the range of destination port values. The value
1155 specified is included in the range.
1158 <column name="dest_port_max">
1160 Upper end of the range of destination port values. The value
1161 specified is included in the range.
1164 <column name="tcp_flags">
1166 Integer representing the value of TCP flags to match. For
1167 example, the SYN flag is the second least significant bit in
1168 the TCP flags. Hence a value of 2 would indicate that the "SYN"
1169 flag should be set (assuming an appropriate mask).
1172 <column name="tcp_flags_mask">
1174 Integer representing the mask to apply when matching TCP
1175 flags. For example, a value of 2 would imply that the "SYN"
1176 flag should be matched and all other flags ignored.
1179 <column name="icmp_type">
1181 ICMP type to be matched.
1184 <column name="icmp_code">
1186 ICMP code to be matched.
1190 <column name="direction">
1192 Direction of traffic to match on the specified port, either
1193 "ingress" (toward the logical switch or router) or "egress"
1194 (leaving the logical switch or router).
1197 <column name="action">
1199 Action to take for this rule, either "permit" or "deny".
1202 <group title="Error Notification">
1204 An entry in this column indicates to the NVC that the ACL
1205 could not be configured as requested. The switch must clear this column when the error
1208 <column name="acle_fault_status" key="invalid_acl_entry">
1210 Indicates that an ACL entry requested by
1211 the controller could not be instantiated by the switch,
1212 e.g. because it requires an unsupported combination of
1213 fields to be matched.
1216 <column name="acle_fault_status" key="unspecified_fault">
1218 Indicates that an error has occurred in configuring the ACL
1220 but that no more specific information is available.
1227 Access Control List table. Each ACL is constructed as a set of
1228 entries from the <ref table="ACL_entry"/> table. Packets that
1229 are not matched by any entry in the ACL are allowed by default.
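The ACL_entry columns above define the match semantics (masked IP compare, inclusive port ranges, tcp_flags compared only under tcp_flags_mask, lower sequence numbers tried first) and the ACL table just above states the default: a packet matched by no entry is allowed. The following Python puts those rules together as an added example; it is not part of the hardware_vtep schema or of Open vSwitch. Entries and packets are dicts keyed by the schema's column names, an empty optional column is None, the packet dict shape is an assumption of this example, and all sample data is constructed. The validate_entry function also flags the L2/L3-L4 mixture that the text says most hardware cannot match.

```python
"""First-match evaluation of an ACL built from ACL_entry-style rows.
Added example; rows and packets are dicts, empty columns are None,
and the sample ACL and packets are constructed."""
import ipaddress

L2_FIELDS = ("source_mac", "dest_mac", "ethertype")
L3L4_FIELDS = ("source_ip", "dest_ip", "protocol", "source_port_min",
               "source_port_max", "dest_port_min", "dest_port_max",
               "tcp_flags", "icmp_type", "icmp_code")


def validate_entry(entry):
    """Problems an HSC would reasonably report before programming an entry:
    an L2 / L3-L4 mixture, an inverted port range, flag bits outside the
    mask, or an action other than permit/deny."""
    problems = []
    uses_l2 = any(entry.get(f) is not None for f in L2_FIELDS)
    uses_l3l4 = any(entry.get(f) is not None for f in L3L4_FIELDS)
    if uses_l2 and uses_l3l4:
        problems.append("mixes L2 and L3/L4 fields")
    for lo, hi in (("source_port_min", "source_port_max"),
                   ("dest_port_min", "dest_port_max")):
        if None not in (entry.get(lo), entry.get(hi)) and entry[lo] > entry[hi]:
            problems.append(f"{lo} > {hi}")
    flags, mask = entry.get("tcp_flags"), entry.get("tcp_flags_mask")
    if None not in (flags, mask) and flags & ~mask:
        problems.append("tcp_flags has bits outside tcp_flags_mask")
    if entry.get("action") not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    return problems


def ip_matches(addr, prefix, mask):
    """Masked compare, as the *_ip / *_mask column pairs describe.
    A missing mask means the whole address must match."""
    if prefix is None:
        return True
    if addr is None:
        return False
    a, p = ipaddress.ip_address(addr), ipaddress.ip_address(prefix)
    if a.version != p.version:
        return False
    m = int(ipaddress.ip_address(mask)) if mask else (1 << a.max_prefixlen) - 1
    return (int(a) & m) == (int(p) & m)


def port_in_range(port, lo, hi):
    """Both ends inclusive, as *_port_min / *_port_max state."""
    if lo is None and hi is None:
        return True
    if port is None:
        return False
    return (lo is None or port >= lo) and (hi is None or port <= hi)


def entry_matches(entry, pkt):
    if entry.get("direction") not in (None, pkt.get("direction")):
        return False
    for f in ("source_mac", "dest_mac", "ethertype", "protocol", "icmp_type", "icmp_code"):
        if entry.get(f) is not None and entry[f] != pkt.get(f):
            return False
    for side in ("source", "dest"):
        if not ip_matches(pkt.get(f"{side}_ip"), entry.get(f"{side}_ip"),
                          entry.get(f"{side}_mask")):
            return False
        if not port_in_range(pkt.get(f"{side}_port"), entry.get(f"{side}_port_min"),
                             entry.get(f"{side}_port_max")):
            return False
    mask = entry.get("tcp_flags_mask")
    if mask is not None and (pkt.get("tcp_flags", 0) & mask) != (entry.get("tcp_flags", 0) & mask):
        return False  # only the masked bits are compared; the page's example is mask 2 = SYN
    return True


def evaluate_acl(acl, pkt):
    """Lower sequence numbers are tried first and the first match decides;
    a packet matched by no entry is permitted, as the ACL table states."""
    for entry in sorted(acl["acl_entries"], key=lambda e: e["sequence"]):
        if entry_matches(entry, pkt):
            return entry["action"], entry["sequence"]
    return "permit", None


TCP_SYN = 0x02  # second least significant TCP flag bit, as on the page
SAMPLE_ACL = {  # constructed: block one source range, allow web, deny other new connections
    "acl_entries": [
        {"sequence": 20, "direction": "ingress", "protocol": 6,
         "dest_ip": "10.0.0.0", "dest_mask": "255.255.255.0",
         "dest_port_min": 80, "dest_port_max": 80, "action": "permit"},
        {"sequence": 10, "direction": "ingress", "protocol": 6,
         "source_ip": "198.51.100.0", "source_mask": "255.255.255.0", "action": "deny"},
        {"sequence": 30, "direction": "ingress", "protocol": 6,
         "tcp_flags": TCP_SYN, "tcp_flags_mask": TCP_SYN, "action": "deny"},
    ],
}


def make_pkt(src, dport, flags):
    """Constructed ingress TCP packet to 10.0.0.8."""
    return {"direction": "ingress", "protocol": 6, "source_ip": src, "dest_ip": "10.0.0.8",
            "source_port": 40000, "dest_port": dport, "tcp_flags": flags}


if __name__ == "__main__":
    print(evaluate_acl(SAMPLE_ACL, make_pkt("203.0.113.5", 22, TCP_SYN)))  # ('deny', 30)
    print(evaluate_acl(SAMPLE_ACL, make_pkt("203.0.113.5", 22, 0x10)))     # ('permit', None)
```

Note how the order of the list in acl_entries is irrelevant: only sequence decides, which is why the deny at sequence 10 wins over the permit at sequence 20 for the blocked source range, and why an ACK-only packet to port 22 falls through to the default permit (entry 30 matches only when the SYN bit is set under its mask).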
1231 <column name="acl_entries">
1233 A set of references to entries in the <ref table="ACL_entry"/> table.
1236 <column name="acl_name">
1238 A human-readable name for the ACL, which may (for example) be displayed on
1242 <group title="Error Notification">
1244 An entry in this column indicates to the NVC that the ACL
1245 could not be configured as requested. The switch must clear this column when the error
1248 <column name="acl_fault_status" key="invalid_acl">
1250 Indicates that an ACL requested by
1251 the controller could not be instantiated by the switch,
1252 e.g., because it requires an unsupported combination of
1253 fields to be matched.
1256 <column name="acl_fault_status" key="resource_shortage">
1258 Indicates that an ACL requested by
1259 the controller could not be instantiated by the switch due
1260 to a shortage of resources (e.g. TCAM space).
1263 <column name="acl_fault_status" key="unspecified_fault">
1265 Indicates that an error has occurred in configuring the ACL
1267 but that no more specific information is available.