X-Git-Url: http://git.cascardo.eti.br/?a=blobdiff_plain;f=vswitchd%2Fvswitch.xml;h=b1d30f6562d52d3ce7b7bee33542232c1edd1318;hb=06994f879c9d;hp=2af04bd1d21daf8f2a57b8c2dee34265c6d08fef;hpb=6802c96db8e73d0319c2634f069404edceff7d54;p=cascardo%2Fovs.git diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index 2af04bd1d..b1d30f656 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -1,5 +1,5 @@ - +

A database with this schema holds the configuration for one Open vSwitch daemon. The top-level configuration for the daemon is the @@ -71,6 +71,150 @@ The Citrix XenServer universally unique identifier for the physical host as displayed by xe host-list. + + +

+ Interval for updating statistics to the database, in milliseconds. + This option will affect the update of the statistics + column in the following tables: Port, Interface + , Mirror. +

+

+ Default value is 5000 ms. +

+

+ Getting statistics more frequently can be achieved via OpenFlow. +

+ + + +

+ When ovs-vswitchd starts up, it has an empty flow table + and therefore it handles all arriving packets in its default fashion + according to its configuration, by dropping them or sending them to + an OpenFlow controller or switching them as a standalone switch. + This behavior is ordinarily desirable. However, if + ovs-vswitchd is restarting as part of a ``hot-upgrade,'' + then this leads to a relatively long period during which packets are + mishandled. +

+

+ This option allows for improvement. When ovs-vswitchd + starts with this value set as true, it will neither + flush or expire previously set datapath flows nor will it send and + receive any packets to or from the datapath. When this value is + later set to false, ovs-vswitchd will + start receiving packets from the datapath and re-setup the flows. +

+

+ Thus, with this option, the procedure for a hot-upgrade of + ovs-vswitchd becomes roughly the following: +

+
    +
  1. + Stop ovs-vswitchd. +
  2. +
  3. + Set + to true. +
  4. +
  5. + Start ovs-vswitchd. +
  6. +
  7. + Use ovs-ofctl (or some other program, such as an + OpenFlow controller) to restore the OpenFlow flow table + to the desired state. +
  8. +
  9. + Set + to false (or remove it entirely from the database). +
  10. +
+

+ The ovs-ctl's ``restart'' and ``force-reload-kmod'' + functions use the above config option during hot upgrades. +

+
+ + +

+ The maximum + number of flows allowed in the datapath flow table. Internally OVS + will choose a flow limit which will likely be lower than this number, + based on real time network conditions. +

+

+ The default is 200000. +

+
+ + +

+ Specifies the maximum number of rx queues to be created for each dpdk + interface. If not specified or specified to 0, one rx queue will + be created for each dpdk interface by default. +

+
+ + +

+ Specifies CPU mask for setting the cpu affinity of PMD (Poll + Mode Driver) threads. Value should be in the form of hex string, + similar to the dpdk EAL '-c COREMASK' option input or the 'taskset' + mask input. +

+

+ The lowest order bit corresponds to the first CPU core. A set bit + means the corresponding core is available and a pmd thread will be + created and pinned to it. If the input does not cover all cores, + those uncovered cores are considered not set. +

+

+ If not specified, one pmd thread will be created for each numa node + and pinned to any available core on the numa node by default. +

+
+ + +

+ Specifies the number of threads for software datapaths to use for + handling new flows. The default the number of online CPU cores minus + the number of revalidators. +

+

+ This configuration is per datapath. If you have more than one + software datapath (e.g. some system bridges and some + netdev bridges), then the total number of threads is + n-handler-threads times the number of software + datapaths. +

+
+ + +

+ Specifies the number of threads for software datapaths to use for + revalidating flows in the datapath. Typically, there is a direct + correlation between the number of revalidator threads, and the number + of flows allowed in the datapath. The default is the number of cpu + cores divided by four plus one. If n-handler-threads is + set, the default changes to the number of cpu cores minus the number + of handler threads. +

+

+ This configuration is per datapath. If you have more than one + software datapath (e.g. some system bridges and some + netdev bridges), then the total number of threads is + n-handler-threads times the number of software + datapaths. +
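Review bot: the per-datapath paragraph under n-revalidator-threads multiplies the wrong key: it ends "the total number of threads is n-handler-threads times the number of software datapaths", copied from the n-handler-threads entry above, and should say n-revalidator-threads. Also in this hunk: "The default the number of online CPU cores minus the number of revalidators" is missing "is"; under flow-restore-wait, "neither flush or expire" should be "neither flush nor expire", and it is worth stating outright that the datapath flows left behind by the previous ovs-vswitchd keep forwarding traffic during the wait, since that is the property the hot-upgrade procedure relies on; and the stats-update-interval text has a stray space and line break in "Interface , Mirror".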

+
@@ -279,6 +423,28 @@ + +

+ These columns report capabilities of the Open vSwitch instance. +

+ +

+ This column reports the different dpifs registered with the system. + These are the values that this instance supports in the column of the table. +

+
+ +

+ This column reports the different netdevs registered with the system. + These are the values that this instance supports in the column of the table. +
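Review bot: "dpifs" and "netdevs" are the names of the provider classes in the source, not terms a schema reader knows; describe these two columns as the datapath types and interface types this instance supports, and say which columns they constrain (the Bridge column that names the datapath provider and the Interface type column, both of which later in this patch point back here), so the capability columns can be used without reading the code.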

+
+
+

These columns primarily configure the Open vSwitch database @@ -340,7 +506,11 @@ - sFlow configuration. + sFlow(R) configuration. + + + + IPFIX configuration. @@ -358,6 +528,10 @@ a different type of mirror instead.

+ + + Auto Attach configuration. +
@@ -434,6 +608,56 @@ column="other-config" key="datapath-id"/> instead.) + +

+ Reports the version number of the Open vSwitch datapath in use. + This allows management software to detect and report discrepancies + between Open vSwitch userspace and datapath versions. (The column in the reports the Open vSwitch userspace version.) + The version reported depends on the datapath in use: +

+ +
    +
  • + When the kernel module included in the Open vSwitch source tree is + used, this column reports the Open vSwitch version from which the + module was taken. +
  • + +
  • + When the kernel module that is part of the upstream Linux kernel is + used, this column reports <unknown>. +
  • + +
  • + When the datapath is built into the ovs-vswitchd + binary, this column reports <built-in>. A + built-in datapath is by definition the same version as the rest of + the Open VSwitch userspace. +
  • + +
  • + Other datapaths (such as the Hyper-V kernel datapath) currently + report <unknown>. +
  • +
+ +

+ A version discrepancy between ovs-vswitchd and the + datapath in use is not normally cause for alarm. The Open vSwitch + kernel datapaths for Linux and Hyper-V, in particular, are designed + for maximum inter-version compatibility: any userspace version works + with with any kernel version. Some reasons do exist to insist on + particular user/kernel pairings. First, newer kernel versions add + new features, that can only be used by new-enough userspace, e.g. + VXLAN tunneling requires certain minimal userspace and kernel + versions. Second, as an extension to the first reason, some newer + kernel versions add new features for enhancing performance that only + new-enough userspace versions can take advantage of. +
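Review bot: "any userspace version works with with any kernel version" repeats "with", and as an absolute statement it is contradicted by the two exceptions the same paragraph goes on to list; "is designed to work with" keeps the claim honest. Two smaller fixes: "Open VSwitch userspace" in the built-in bullet should be "Open vSwitch", and "new features, that can only be used" should lose the comma.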

+
+ Exactly 16 hex digits to set the OpenFlow datapath ID to a specific value. May not be all-zero. @@ -461,66 +685,278 @@ - List of OpenFlow protocols that may be used when negotiating a - connection with a controller. A default value of - OpenFlow10 will be used if this column is empty. +

+ List of OpenFlow protocols that may be used when negotiating + a connection with a controller. OpenFlow 1.0, 1.1, 1.2, and + 1.3 are enabled by default if this column is empty. +

+ +

+ OpenFlow 1.4 is not enabled by default because its implementation is + missing features. +

+ +

+ OpenFlow 1.5 has the same risks as OpenFlow 1.4, but it is even more + experimental because the OpenFlow 1.5 specification is still under + development and thus subject to change. Pass + --enable-of15 to ovs-vswitchd to allow + OpenFlow 1.5 to be enabled. +

- The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol - that ensures loop-free topologies. It allows redundant links to - be included in the network to provide automatic backup paths if - the active links fails. +

+ The IEEE 802.1D Spanning Tree Protocol (STP) is a network protocol + that ensures loop-free topologies. It allows redundant links to + be included in the network to provide automatic backup paths if + the active links fails. +

- - Enable spanning tree on the bridge. By default, STP is disabled - on bridges. Bond, internal, and mirror ports are not supported - and will not participate in the spanning tree. - +

+ These settings configure the slower-to-converge but still widely + supported version of Spanning Tree Protocol, sometimes known as + 802.1D-1998. Open vSwitch also supports the newer Rapid Spanning Tree + Protocol (RSTP), documented later in the section titled Rapid + Spanning Tree Configuration. +

- - The bridge's STP identifier (the lower 48 bits of the bridge-id) - in the form - xx:xx:xx:xx:xx:xx. - By default, the identifier is the MAC address of the bridge. - + + +

+ Enable spanning tree on the bridge. By default, STP is disabled + on bridges. Bond, internal, and mirror ports are not supported + and will not participate in the spanning tree. +

- - The bridge's relative priority value for determining the root - bridge (the upper 16 bits of the bridge-id). A bridge with the - lowest bridge-id is elected the root. By default, the priority - is 0x8000. - +

+ STP and RSTP are mutually exclusive. If both are enabled, RSTP + will be used. +

+
- - The interval between transmissions of hello messages by - designated ports, in seconds. By default the hello interval is - 2 seconds. - + + The bridge's STP identifier (the lower 48 bits of the bridge-id) + in the form + xx:xx:xx:xx:xx:xx. + By default, the identifier is the MAC address of the bridge. + - - The maximum age of the information transmitted by the bridge - when it is the root bridge, in seconds. By default, the maximum - age is 20 seconds. - + + The bridge's relative priority value for determining the root + bridge (the upper 16 bits of the bridge-id). A bridge with the + lowest bridge-id is elected the root. By default, the priority + is 0x8000. + + + + The interval between transmissions of hello messages by + designated ports, in seconds. By default the hello interval is + 2 seconds. + + + + The maximum age of the information transmitted by the bridge + when it is the root bridge, in seconds. By default, the maximum + age is 20 seconds. + + + + The delay to wait between transitioning root and designated + ports to forwarding, in seconds. By default, the + forwarding delay is 15 seconds. + + + +

+ The maximum number of seconds to retain a multicast snooping entry for + which no packets have been seen. The default is currently 300 + seconds (5 minutes). The value, if specified, is forced into a + reasonable range, currently 15 to 3600 seconds. +

+
+ + +

+ The maximum number of multicast snooping addresses to learn. The + default is currently 2048. The value, if specified, is forced into + a reasonable range, currently 10 to 1,000,000. +

+
+ +

+ If set to false, unregistered multicast packets are forwarded + to all ports. + If set to true, unregistered multicast packets are forwarded + to ports connected to multicast routers. +

+
+
+ + +

+ These key-value pairs report the status of 802.1D-1998. They are + present only if STP is enabled (via the + column). +

+ + The bridge ID used in spanning tree advertisements, in the form + xxxx.yyyyyyyyyyyy where the xs are + the STP priority, the ys are the STP system ID, and each + x and y is a hex digit. + + + The designated root for this spanning tree, in the same form as . If this bridge is the root, + this will have the same value as , otherwise it will differ. + + + The path cost of reaching the designated bridge. A lower number is + better. The value is 0 if this bridge is the root, otherwise it is + higher. + +
+
+ + +

+ Rapid Spanning Tree Protocol (RSTP), like STP, is a network protocol + that ensures loop-free topologies. RSTP superseded STP with the + publication of 802.1D-2004. Compared to STP, RSTP converges more + quickly and recovers more quickly from failures. +

+ + + +

+ Enable Rapid Spanning Tree on the bridge. By default, RSTP is disabled + on bridges. Bond, internal, and mirror ports are not supported + and will not participate in the spanning tree. +

+ +

+ STP and RSTP are mutually exclusive. If both are enabled, RSTP + will be used. +

+
+ + + The bridge's RSTP address (the lower 48 bits of the bridge-id) + in the form + xx:xx:xx:xx:xx:xx. + By default, the address is the MAC address of the bridge. + + + + The bridge's relative priority value for determining the root + bridge (the upper 16 bits of the bridge-id). A bridge with the + lowest bridge-id is elected the root. By default, the priority + is 0x8000 (32768). This value needs to be a multiple of 4096, + otherwise it's rounded to the nearest inferior one. + + + + The Ageing Time parameter for the Bridge. The default value + is 300 seconds. + + + + The Force Protocol Version parameter for the Bridge. This + can take the value 0 (STP Compatibility mode) or 2 + (the default, normal operation). + - - The delay to wait between transitioning root and designated - ports to forwarding, in seconds. By default, the - forwarding delay is 15 seconds. + + The maximum age of the information transmitted by the Bridge + when it is the Root Bridge. The default value is 20. + + + + The delay used by STP Bridges to transition Root and Designated + Ports to Forwarding. The default value is 15. + + + + The Transmit Hold Count used by the Port Transmit state machine + to limit transmission rate. The default value is 6. + +
+ + +

+ These key-value pairs report the status of 802.1D-2004. They are + present only if RSTP is enabled (via the + column). +

+ + The bridge ID used in rapid spanning tree advertisements, in the form + x.yyy.zzzzzzzzzzzz where + x is the RSTP priority, the ys are a locally + assigned system ID extension, the zs are the STP system + ID, and each x, y, or z is a hex + digit. + + + The root of this spanning tree, in the same form as . If this bridge is the + root, this will have the same value as , otherwise it will differ. + + + The path cost of reaching the root. A lower number is better. The + value is 0 if this bridge is the root, otherwise it is higher. + + + The RSTP designated ID, in the same form as . + + + The RSTP designated port ID, as a 4-digit hex number. + + + The RSTP bridge port ID, as a 4-digit hex number. + +
+
+ + + Multicast snooping (RFC 4541) monitors the Internet Group Management + Protocol (IGMP) and Multicast Listener Discovery traffic between hosts + and multicast routers. The switch uses what IGMP and MLD snooping + learns to forward multicast traffic only to interfaces that are connected + to interested receivers. Currently it supports IGMPv1, IGMPv2, IGMPv3, + MLDv1 and MLDv2 protocols. + + + Enable multicast snooping on the bridge. For now, the default + is disabled. - Name of datapath provider. The kernel datapath has - type system. The userspace datapath has - type netdev. + Name of datapath provider. The kernel datapath has type + system. The userspace datapath has type + netdev. A manager may refer to the column of the table for a list of the types accepted by this + Open vSwitch instance. @@ -543,34 +979,49 @@ datapath ID. - -
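Review bot: in the hunk above, the three mcast-snooping-* other_config keys (aging time, table size, flood-unregistered) are inserted directly after stp-forward-delay and before the STP status keys, while their introduction ("Multicast snooping (RFC 4541) monitors...") and the column that enables snooping come only after the RSTP status group; as the hunk stands a reader finds the snooping knobs under Spanning Tree Configuration. Please move the three keys next to their introduction and enable column. Wording: "OpenFlow 1.5 has the same risks as OpenFlow 1.4" refers to risks the 1.4 paragraph never spells out (it only says the implementation is missing features), so say what a controller that negotiates 1.4 should expect; in rstp-priority, "rounded to the nearest inferior one" should be "rounded down to the next lower multiple of 4096"; and the re-indented STP introduction still says "if the active links fails" ("fail").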

- A number of flows as a nonnegative integer. This sets number of - flows at which eviction from the kernel flow table will be triggered. - If there are a large number of flows then increasing this value to - around the number of flows present can result in reduced CPU usage - and packet loss. -

-

- The default is 1000. Values below 100 will be rounded up to 100. -

-
- - Option to allow forwarding of BPDU frames when NORMAL action is - invoked. Frames with reserved Ethernet addresses (e.g. STP - BPDU) will be forwarded when this option is enabled and the - switch is not providing that functionality. If STP is enabled - on the port, STP BPDUs will never be forwarded. If the Open - vSwitch bridge is used to connect different Ethernet networks, - and if Open vSwitch node does not run STP, then this option - should be enabled. Default is disabled, set to - true to enable. - - The following destination MAC addresss will not be forwarded when this - option is enabled. + +

+ Controls forwarding of BPDUs and other network control frames when + NORMAL action is invoked. When this option is false or + unset, frames with reserved Ethernet addresses (see table below) will + not be forwarded. When this option is true, such frames + will not be treated specially. +

+ +

+ The above general rule has the following exceptions: +

+ +
    +
  • + If STP is enabled on the bridge (see the column in the table), the + bridge processes all received STP packets and never passes them to + OpenFlow or forwards them. This is true even if STP is disabled on + an individual port. +
  • + +
  • + If LLDP is enabled on an interface (see the column in the table), + the interface processes received LLDP packets and never passes them + to OpenFlow or forwards them. +
  • +
+ +

+ Set this option to true if the Open vSwitch bridge + connects different Ethernet networks and is not configured to + participate in STP. +

+ +

+ This option affects packets with the following destination MAC + addresses: +

+
01:80:c2:00:00:00
IEEE 802.1D Spanning Tree Protocol (STP).
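Review bot: flow-eviction-threshold is deleted from the Bridge table without a word about existing configurations that still set it; since this patch adds flow-limit in the Open_vSwitch table as the knob for the datapath flow table size, add a sentence (here or under flow-limit) saying that the old key is ignored and naming its replacement. In the forward-bpdu rewrite, the advice to set the option to true when the bridge connects different Ethernet networks should make clear that every address in the table below is then passed through unchanged, not only STP BPDUs, because the other reserved addresses carry the "other network control frames" the first sentence mentions and neighbouring switches will act on them.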
@@ -640,34 +1091,6 @@ - -

- Status information about bridges. -

- - Key-value pairs that report bridge status. - - -

- The bridge-id (in hex) used in spanning tree advertisements. - Configuring the bridge-id is described in the - stp-system-id and stp-priority keys - of the other_config section earlier. -

-
- -

- The designated root (in hex) for this spanning tree. -

-
- -

- The path cost of reaching the designated bridge. A lower - number is better. -

-
-
- The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -676,8 +1099,8 @@ - - + +

A port within a .

Most commonly, a port has exactly one ``interface,'' pointed to by its column. Such a port logically @@ -848,7 +1271,9 @@

The following modes require the upstream switch to support 802.3ad with - successful LACP negotiation: + successful LACP negotiation. If LACP negotiation fails and + other-config:lacp-fallback-ab is true, then active-backup + mode is used:
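Review bot: the key is written "other-config:lacp-fallback-ab" here and again in the lacp hunk below, whereas this document otherwise refers to the column as other_config (for example "the other_config section earlier" in the STP port text); use other_config so the name can be searched for, and say it is a key of the Port table.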

@@ -938,7 +1363,8 @@ in LACP negotiations initiated by a remote switch, but not allowed to initiate such negotiations themselves. If LACP is enabled on a port whose partner switch does not support LACP, the bond will be - disabled. Defaults to off if unset. + disabled, unless other-config:lacp-fallback-ab is set to true. + Defaults to off if unset. @@ -966,6 +1392,18 @@ rate of once every 30 seconds.

+ + +

+ Determines the behavior of openvswitch bond in LACP mode. If + the partner switch does not support LACP, setting this option + to true allows openvswitch to fallback to + active-backup. If the option is set to false, the + bond will be disabled. In both the cases, once the partner switch + is configured to LACP mode, the bond will use LACP. +
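Review bot: the lacp-fallback-ab entry never states its default, yet the two hunks above hinge on it ("the bond will be disabled, unless other-config:lacp-fallback-ab is set to true"); say explicitly that it defaults to false, which is what that sentence implies, because a silent fall-back to active-backup changes what a failed LACP negotiation means operationally (a partner that stops sending LACPDUs would otherwise take the bond down rather than quietly degrade it). Style: "openvswitch bond" should be "Open vSwitch bond", "fallback to" used as a verb should be "fall back to", and "In both the cases" should be "In both cases".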

+
@@ -992,37 +1430,208 @@ - - - If spanning tree is enabled on the bridge, member ports are - enabled by default (with the exception of bond, internal, and - mirror ports which do not work with STP). If this column's - value is false spanning tree is disabled on the - port. - + +

+ The configuration here is only meaningful, and the status is only + populated, when 802.1D-1998 Spanning Tree Protocol is enabled on the + port's with its + column. +

- - The port number used for the lower 8 bits of the port-id. By - default, the numbers will be assigned automatically. If any - port's number is manually configured on a bridge, then they - must all be. - + + + When STP is enabled on a bridge, it is enabled by default on all of + the bridge's ports except bond, internal, and mirror ports (which do + not work with STP). If this column's value is false, + STP is disabled on the port. + - - The port's relative priority value for determining the root - port (the upper 8 bits of the port-id). A port with a lower - port-id will be chosen as the root port. By default, the - priority is 0x80. - + + The port number used for the lower 8 bits of the port-id. By + default, the numbers will be assigned automatically. If any + port's number is manually configured on a bridge, then they + must all be. + + + + The port's relative priority value for determining the root + port (the upper 8 bits of the port-id). A port with a lower + port-id will be chosen as the root port. By default, the + priority is 0x80. + + + + Spanning tree path cost for the port. A lower number indicates + a faster link. By default, the cost is based on the maximum + speed of the link. + + + + + + The port ID used in spanning tree advertisements for this port, as 4 + hex digits. Configuring the port ID is described in the + stp-port-num and stp-port-priority keys of + the other_config section earlier. + + + STP state of the port. + + + The amount of time this port has been in the current STP state, in + seconds. + + + STP role of the port. + + +
+ + +

+ The configuration here is only meaningful, and the status and + statistics are only populated, when 802.1D-1998 Spanning Tree Protocol + is enabled on the port's with its column. +

+ + + + When RSTP is enabled on a bridge, it is enabled by default on all of + the bridge's ports except bond, internal, and mirror ports (which do + not work with RSTP). If this column's value is false, + RSTP is disabled on the port. + + + + The port's relative priority value for determining the root port, in + multiples of 16. By default, the port priority is 0x80 (128). Any + value in the lower 4 bits is rounded off. The significant upper 4 + bits become the upper 4 bits of the port-id. A port with the lowest + port-id is elected as the root. + + + + The local RSTP port number, used as the lower 12 bits of the port-id. + By default the port numbers are assigned automatically, and typically + may not correspond to the OpenFlow port numbers. A port with the + lowest port-id is elected as the root. + + + + The port path cost. The Port's contribution, when it is + the Root Port, to the Root Path Cost for the Bridge. By default the + cost is automatically calculated from the port's speed. + + + + The admin edge port parameter for the Port. Default is + false. + + + + The auto edge port parameter for the Port. Default is + true. + + + +

+ The mcheck port parameter for the Port. Default is + false. May be set to force the Port Protocol + Migration state machine to transmit RST BPDUs for a + MigrateTime period, to test whether all STP Bridges on the + attached LAN have been removed and the Port can continue to + transmit RSTP BPDUs. Setting mcheck has no effect if the + Bridge is operating in STP Compatibility mode. +

+

+ Changing the value from true to + false has no effect, but needs to be done if + this behavior is to be triggered again by subsequently + changing the value from false to + true. +

+
+
+ + + + The port ID used in spanning tree advertisements for this port, as 4 + hex digits. Configuring the port ID is described in the + rstp-port-num and rstp-port-priority keys + of the other_config section earlier. + + + RSTP role of the port. + + + RSTP state of the port. + + + The port's RSTP designated bridge ID, in the same form as in the table. + + + The port's RSTP designated port ID, as 4 hex digits. + + + The port's RSTP designated path cost. Lower is better. + + + + + + Number of RSTP BPDUs transmitted through this port. + + + Number of valid RSTP BPDUs received by this port. + + + Number of invalid RSTP BPDUs received by this port. + + + The duration covered by the other RSTP statistics, in seconds. + + +
- - Spanning tree path cost for the port. A lower number indicates - a faster link. By default, the cost is based on the maximum - speed of the link. + + +

+ If set to true, multicast packets (except Reports) are + unconditionally forwarded to the specific port. +

+
+ +

+ If set to true, multicast Reports are unconditionally + forwarded to the specific port. +
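Review bot: the Rapid Spanning Tree port group opens with "when 802.1D-1998 Spanning Tree Protocol is enabled on the port's ... column", copied from the STP group above; it should say 802.1D-2004 Rapid Spanning Tree Protocol and refer to the RSTP enable column, otherwise the rstp-port-* keys read as if they depended on STP being on. Also, "A port with the lowest port-id is elected as the root" appears in both rstp-port-priority and rstp-port-num; say it once, in rstp-port-num, and say "root port" as the STP text above does ("will be chosen as the root port"), since a port is never the root bridge.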

@@ -1052,48 +1661,15 @@
- -

- Status information about ports attached to bridges. -

- - Key-value pairs that report port status. - - -

- The port-id (in hex) used in spanning tree advertisements for - this port. Configuring the port-id is described in the - stp-port-num and stp-port-priority - keys of the other_config section earlier. -

-
- -

- STP state of the port. -

-
- -

- The amount of time (in seconds) port has been in the current - STP state. -

-
- -

- STP role of the port. -

-
-
+ + For a bonded port, record the mac address of the current active slave. +

- Key-value pairs that report port statistics. + Key-value pairs that report port statistics. The update period + is controlled by in the Open_vSwitch table.
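Review bot: "For a bonded port, record the mac address of the current active slave" should read "records the MAC address of the current active slave", matching the descriptive voice of the other status columns.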

@@ -1131,6 +1707,12 @@ on a host. + + A positive interface index as defined for SNMP MIB-II in RFCs 1213 and + 2863, if the interface has one, otherwise 0. The ifindex is useful for + seamless integration with protocols such as SNMP and sFlow. + + The MAC address in use by this interface. @@ -1155,39 +1737,75 @@ address.

- -

OpenFlow port number for this interface. Unlike most columns, this - column's value should be set only by Open vSwitch itself. Other - clients should set this column to an empty set (the default) when - creating an .

-

Open vSwitch populates this column when the port number becomes - known. If the interface is successfully added, - will be set to a number between 1 and 65535 - (generally either in the range 1 to 65279, inclusive, or 65534, the - port number for the OpenFlow ``local port''). If the interface - cannot be added then Open vSwitch sets this column - to -1.

-

When is not set, Open vSwitch picks - an appropriate value for this column and then tries to keep the value - constant across restarts.

-
- - -

Requested OpenFlow port number for this interface. The port - number must be between 1 and 65279, inclusive. Some datapaths - cannot satisfy all requests for particular port numbers. When - this column is empty or the request cannot be fulfilled, the - system will choose a free port. The - column reports the assigned OpenFlow port number.

-

The port number must be requested in the same transaction - that creates the port.

-
+ + If the configuration of the port failed, as indicated by -1 in , Open vSwitch sets this column to an error + description in human readable form. Otherwise, Open vSwitch clears + this column. + + + +

+ When a client adds a new interface, Open vSwitch chooses an OpenFlow + port number for the new port. If the client that adds the port fills + in , then Open vSwitch tries to use its + value as the OpenFlow port number. Otherwise, or if the requested + port number is already in use or cannot be used for another reason, + Open vSwitch automatically assigns a free port number. Regardless of + how the port number was obtained, Open vSwitch then reports in the port number actually assigned. +

+ +

+ Open vSwitch limits the port numbers that it automatically assigns to + the range 1 through 32,767, inclusive. Controllers therefore have + free use of ports 32,768 and up. +

+ + +

+ OpenFlow port number for this interface. Open vSwitch sets this + column's value, so other clients should treat it as read-only. +

+

+ The OpenFlow ``local'' port (OFPP_LOCAL) is 65,534. + The other valid port numbers are in the range 1 to 65,279, + inclusive. Value -1 indicates an error adding the interface. +

+
+ + +

+ Requested OpenFlow port number for this interface. +

+ +

+ A client should ideally set this column's value in the same + database transaction that it uses to create the interface. Open + vSwitch version 2.1 and later will honor a later request for a + specific port number, althuogh it might confuse some controllers: + OpenFlow does not have a way to announce a port number change, so + Open vSwitch represents it over OpenFlow as a port deletion + followed immediately by a port addition. +

+ +

+ If is set or changed to some other + port's automatically assigned port number, Open vSwitch chooses a + new port number for the latter port. +

+
+

- The interface type, one of: + The interface type. The types supported by a particular instance of + Open vSwitch are listed in the column in the + table. The following types are defined:
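Review bot: the ofport_request text that ends "Open vSwitch chooses a new port number for the latter port" documents a displacement without its consequences: the port that loses its number goes through the same deletion-plus-addition over OpenFlow described two paragraphs earlier for the requesting port, so a controller that keyed on the old number now sees a different port there; say so, and say whether a request for a number that another port had itself requested (rather than been assigned automatically) is honoured or refused, since the text only covers the automatic case. Typo: "althuogh".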

@@ -1209,6 +1827,15 @@
tap
A TUN/TAP device managed by Open vSwitch.
+
geneve
+
+ An Ethernet over Geneve (http://tools.ietf.org/html/draft-ietf-nvo3-geneve-00) + IPv4 tunnel. + + A description of how to match and set Geneve options can be found + in the ovs-ofctl manual page. +
+
gre
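Review bot: the geneve entry gives neither the UDP destination port nor the source-port behaviour, while the vxlan entry below does ("UDP destination port 4789... source port... ephemeral port range") and the stt entry names 7471; firewall rules between tunnel endpoints depend on that, so add the same two sentences here. The link also pins revision -00 of the Geneve draft; point at the draft name without a revision so the reference does not go stale.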
An Ethernet over RFC 2890 Generic Routing Encapsulation over IPv4 @@ -1239,25 +1866,49 @@
vxlan

- An Ethernet tunnel over the experimental, UDP-based VXLAN - protocol described at - http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-03. - VXLAN is currently supported only with the Linux kernel datapath - with kernel version 2.6.26 or later. + An Ethernet tunnel over the UDP-based VXLAN protocol described in + RFC 7348.

- As an experimental protocol, VXLAN has no officially assigned UDP - port. Open vSwitch currently uses UDP destination port 8472. - The source port used for VXLAN traffic varies on a per-flow basis - and is in the ephemeral port range. + Open vSwitch uses UDP destination port 4789. The source port used for + VXLAN traffic varies on a per-flow basis and is in the ephemeral port + range.

lisp
- A layer 3 tunnel over the experimental, UDP-based Locator/ID - Separation Protocol (RFC 6830). LISP is currently supported only - with the Linux kernel datapath with kernel version 2.6.26 or later. +

+ A layer 3 tunnel over the experimental, UDP-based Locator/ID + Separation Protocol (RFC 6830). +

+

+ Only IPv4 and IPv6 packets are supported by the protocol, and + they are sent and received without an Ethernet header. Traffic + to/from LISP ports is expected to be configured explicitly, and + the ports are not intended to participate in learning based + switching. As such, they are always excluded from packet + flooding. +

+
+ +
stt
+
+ The Stateless TCP Tunnel (STT) is particularly useful when tunnel + endpoints are in end-systems, as it utilizes the capabilities of + standard network interface cards to improve performance. STT utilizes + a TCP-like header inside the IP header. It is stateless, i.e., there is + no TCP connection state of any kind associated with the tunnel. The + TCP-like header is used to leverage the capabilities of existing + network interface cards, but should not be interpreted as implying + any sort of connection state between endpoints. + Since the STT protocol does not engage in the usual TCP 3-way handshake, + so it will have difficulty traversing stateful firewalls. + The protocol is documented at + http://www.ietf.org/archive/id/draft-davie-stt-06.txt + + All traffic uses a default destination port of 7471. STT is only + available in kernel datapath on kernel 3.5 or newer.
patch
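Review bot: the VXLAN rewrite changes the UDP destination port from 8472 (as the removed lines document) to 4789 without saying that it changed; peers on older Open vSwitch releases and existing firewall rules expect 8472, so add a sentence noting the change and, if the tunnel option exists, how to keep the old port. The removed lines also carried the kernel-version requirement for VXLAN and LISP, and the new text keeps such a requirement only for STT ("kernel datapath on kernel 3.5 or newer"); if dropping it was intended, fine, otherwise restore it. In the stt paragraph, "Since the STT protocol does not engage in the usual TCP 3-way handshake, so it will have difficulty" should drop either "Since" or "so".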
@@ -1275,8 +1926,9 @@

These options apply to interfaces with of - gre, ipsec_gre, gre64, - ipsec_gre64, vxlan, and lisp. + geneve, gre, ipsec_gre, + gre64, ipsec_gre64, vxlan, + lisp and stt.

@@ -1291,12 +1943,67 @@

- Required. The tunnel endpoint. Only unicast endpoints are supported. +

Required. The remote tunnel endpoint, one of:

+ +
    +
  • + An IPv4 address (not a DNS name), e.g. 192.168.0.123. + Only unicast endpoints are supported. +
  • +
  • + The word flow. The tunnel accepts packets from any + remote tunnel endpoint. To process only packets from a specific + remote tunnel endpoint, the flow entries may match on the + tun_src field. When sending packets to a + remote_ip=flow tunnel, the flow actions must + explicitly set the tun_dst field to the IP address of + the desired remote tunnel endpoint, e.g. with a + set_field action. +
  • +
+ +

+ The remote tunnel endpoint for any packet received from a tunnel + is available in the tun_src field for matching in the + flow table. +

- Optional. The destination IP that received packets must match. - Default is to match all addresses. +

+ Optional. The tunnel destination IP that received packets must + match. Default is to match all addresses. If specified, may be one + of: +

+ +
    +
  • + An IPv4 address (not a DNS name), e.g. 192.168.12.3. +
  • +
  • + The word flow. The tunnel accepts packets sent to any + of the local IP addresses of the system running OVS. To process + only packets sent to a specific IP address, the flow entries may + match on the tun_dst field. When sending packets to a + local_ip=flow tunnel, the flow actions may + explicitly set the tun_src field to the desired IP + address, e.g. with a set_field action. However, while + routing the tunneled packet out, the local system may override the + specified address with the local IP address configured for the + outgoing system interface. + +

    + This option is valid only for tunnels also configured with the + remote_ip=flow option. +

    +
  • +
+ +

+ The tunnel destination IP address for any packet received from a + tunnel is available in the tun_dst field for matching in + the flow table. +
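Review bot: The remote_ip=flow bullet says the tunnel "accepts packets from any remote tunnel endpoint" and that flow entries "may match on the tun_src field", but never says what the absence of such a match means: with no tun_src match, every host that can reach the local endpoint can inject encapsulated frames into the bridge, so source filtering is entirely the operator's responsibility. Suggest stating that directly, e.g. that a remote_ip=flow port performs no endpoint filtering and that the flow table must match tun_src (and tun_id on keyed tunnels) before forwarding. The local_ip=flow bullet has a matching gap in the other direction: it says the actions "may explicitly set the tun_src field" and then that "the local system may override the specified address", without saying whether the override is silent or logged; say which address wins. Both bullets also give IPv4-only examples while the tcp:/ptcp: entries later in this patch add IPv6 syntax; if tunnel endpoints remain IPv4-only, say so here.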

@@ -1309,9 +2016,9 @@ key="in_key"/> at all.
  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. The tunnel receives only packets with the - specified key. + A positive 24-bit (for Geneve, VXLAN, and LISP), 32-bit (for GRE) + or 64-bit (for GRE64 and STT) number. The tunnel receives only + packets with the specified key.
  • The word flow. The tunnel accepts packets with any @@ -1336,9 +2043,9 @@ key="out_key"/> at all.
  • - A positive 24-bit (for VXLAN and LISP), 32-bit (for GRE) or 64-bit - (for GRE64) number. Packets sent through the tunnel will have the - specified key. + A positive 24-bit (for Geneve, VXLAN and LISP), 32-bit (for GRE) or + 64-bit (for GRE64 and STT) number. Packets sent through the tunnel + will have the specified key.
  • The word flow. Packets sent through the tunnel will @@ -1371,31 +2078,55 @@ system default, typically 64). Default is the system default TTL. - - Optional. If enabled, the Don't Fragment bit will be set on tunnel - outer headers to allow path MTU discovery. Default is enabled; set - to false to disable. - + + Optional. If enabled, the Don't Fragment bit will be set on tunnel + outer headers to allow path MTU discovery. Default is enabled; set + to false to disable. + + + + + +

    Optional. Comma separated list of optional VXLAN extensions to + enable. The following extensions are supported:

    + +
      +
    • + gbp: VXLAN-GBP allows to transport the group policy + context of a packet across the VXLAN tunnel to other network + peers. See the field description of tun_gbp_id and + tun_gbp_flags in ovs-ofctl(8) for additional + information. + (https://tools.ietf.org/html/draft-smith-vxlan-group-policy) +
    • +
    +
    + +
    - +

    - Only gre and ipsec_gre interfaces support - these options. + gre, ipsec_gre, geneve, and + vxlan interfaces support these options.

    - Optional. Compute GRE checksums on outgoing packets. Default is - disabled, set to true to enable. Checksums present on - incoming packets will be validated regardless of this setting. + Optional. Compute encapsulation header (either GRE or UDP) + checksums on outgoing packets. Default is disabled, set to + true to enable. Checksums present on incoming + packets will be validated regardless of this setting.

    -

    - GRE checksums impose a significant performance penalty because they - cover the entire packet. The encapsulated L3, L4, and L7 packet - contents typically have their own checksums, so this additional - checksum only adds value for the GRE and encapsulated L2 headers. +

    + When using the upstream Linux kernel module, computation of + checksums for geneve and vxlan requires + Linux kernel version 4.0 or higher. gre supports + checksums for all versions of Open vSwitch that support GRE. + The out of tree kernel module distributed as part of OVS + can compute all tunnel checksums on any kernel version that it + is compatible with.

    @@ -1541,8 +2272,8 @@ - Egress interface for tunnels. Currently only relevant for GRE tunnels - On Linux systems, this column will show the name of the interface + Egress interface for tunnels. Currently only relevant for tunnels + on Linux systems, this column will show the name of the interface which is responsible for routing traffic destined for the configured . This could be an internal interface such as a bridge port. @@ -1558,12 +2289,14 @@

    Key-value pairs that report interface statistics. The current - implementation updates these counters periodically. Future - implementations may update them when an interface is created, when they - are queried (e.g. using an OVSDB select operation), and - just before an interface is deleted due to virtual interface hot-unplug - or VM shutdown, and perhaps at other times, but not on any regular - periodic basis. + implementation updates these counters periodically. The update period + is controlled by in the Open_vSwitch table. + Future implementations may update them when an interface is created, + when they are queried (e.g. using an OVSDB select + operation), and just before an interface is deleted due to virtual + interface hot-unplug or VM shutdown, and perhaps at other times, but + not on any regular periodic basis.

    These are the same statistics reported by OpenFlow in its struct @@ -1692,6 +2425,178 @@ + +

    + BFD, defined in RFC 5880 and RFC 5881, allows point-to-point + detection of connectivity failures by occasional transmission of + BFD control messages. Open vSwitch implements BFD to serve + as a more popular and standards compliant alternative to CFM. +

    + +

    + BFD operates by regularly transmitting BFD control messages at a rate + negotiated independently in each direction. Each endpoint specifies + the rate at which it expects to receive control messages, and the rate + at which it is willing to transmit them. Open vSwitch uses a detection + multiplier of three, meaning that an endpoint signals a connectivity + fault if three consecutive BFD control messages fail to arrive. In the + case of a unidirectional connectivity issue, the system not receiving + BFD control messages signals the problem to its peer in the messages it + transmits. +

    + +

    + The Open vSwitch implementation of BFD aims to comply faithfully + with RFC 5880 requirements. Open vSwitch does not implement the + optional Authentication or ``Echo Mode'' features. +

    + + +

    + A controller sets up key-value pairs in the + column to enable and configure BFD. +

    + + + True to enable BFD on this . If not + specified, BFD will not be enabled by default. + + + + The shortest interval, in milliseconds, at which this BFD session + offers to receive BFD control messages. The remote endpoint may + choose to send messages at a slower rate. Defaults to + 1000. + + + + The shortest interval, in milliseconds, at which this BFD session is + willing to transmit BFD control messages. Messages will actually be + transmitted at a slower rate if the remote endpoint is not willing to + receive as quickly as specified. Defaults to 100. + + + + An alternate receive interval, in milliseconds, that must be greater + than or equal to . The + implementation switches from to when there is no obvious incoming + data traffic at the interface, to reduce the CPU and bandwidth cost + of monitoring an idle interface. This feature may be disabled by + setting a value of 0. This feature is reset whenever or + changes. + + + + When true, traffic received on the + is used to indicate the capability of packet + I/O. BFD control packets are still transmitted and received. At + least one BFD control packet must be received every 100 * amount of time. Otherwise, even if + traffic are received, the + will be false. + + + + Set to true to notify the remote endpoint that traffic should not be + forwarded to this system for some reason other than a connectivty + failure on the interface being monitored. The typical underlying + reason is ``concatenated path down,'' that is, that connectivity + beyond the local system is down. Defaults to false. + + + + Set to true to make BFD accept only control messages with a tunnel + key of zero. By default, BFD accepts control messages with any + tunnel key. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used as source for transmitted BFD packets. The + default is the mac address of the BFD enabled interface. 
+ + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used as destination for transmitted BFD packets. The + default is 00:23:20:00:00:01. + + + + Set to an Ethernet address in the form + xx:xx:xx:xx:xx:xx + to set the MAC used for checking the destination of received BFD packets. + Packets with different destination MAC will not be considered as BFD packets. + If not specified the destination MAC address of received BFD packets + are not checked. + + + + Set to an IPv4 address to set the IP address used as source for + transmitted BFD packets. The default is 169.254.1.1. + + + + Set to an IPv4 address to set the IP address used as destination + for transmitted BFD packets. The default is 169.254.1.0. + +
    + + +

    + The switch sets key-value pairs in the + column to report the status of BFD on this interface. When BFD is + not enabled, with , the switch clears + all key-value pairs from . +

    + + + Reports the state of the BFD session. The BFD session is fully + healthy and negotiated if UP. + + + + Reports whether the BFD session believes this may be used to forward traffic. Typically this + means the local session is signaling UP, and the remote + system isn't signaling a problem such as concatenated path down. + + + + In case of a problem, set to an error message that reports what the + local BFD session thinks is wrong. The error messages are defined + in section 4.1 of [RFC 5880]. + + + + Reports the state of the remote endpoint's BFD session. + + + + In case of a problem, set to an error message that reports what the + remote endpoint's BFD session thinks is wrong. The error messages + are defined in section 4.1 of [RFC 5880]. + + + + Counts the number of + flaps since start. A flap is considered as a change of the + value. + +
    +
    +

    802.1ag Connectivity Fault Management (CFM) allows a group of @@ -1718,11 +2623,23 @@

    - A Maintenance Point ID (MPID) uniquely identifies each endpoint within - a Maintenance Association. The MPID is used to identify this endpoint - to other Maintenance Points in the MA. Each end of a link being - monitored should have a different MPID. Must be configured to enable - CFM on this . +

    + A Maintenance Point ID (MPID) uniquely identifies each endpoint + within a Maintenance Association. The MPID is used to identify this + endpoint to other Maintenance Points in the MA. Each end of a link + being monitored should have a different MPID. Must be configured to + enable CFM on this . +

    +

    + According to the 802.1ag specification, MPIDs can only range between + [1, 8191]. However, extended mode (see ) supports eight byte MPIDs. +

    +
    + + + Counts the number of cfm fault flapps since boot. A flap is + considered to be a change of the value. @@ -1847,9 +2764,48 @@ with compliant implementations which may be running concurrently on the network. Furthermore, extended mode increases the accuracy of the cfm_interval configuration parameter by breaking wire - compatibility with 802.1ag compliant implementations. Defaults to - false. + compatibility with 802.1ag compliant implementations. And extended + mode allows eight byte MPIDs. Defaults to false. + + + +

    + When true, and + is true, the CFM + module operates in demand mode. When in demand mode, traffic + received on the is used to indicate + liveness. CCMs are still transmitted and received. At least one + CCM must be received every 100 * amount of time. Otherwise, even if traffic + are received, the CFM module will raise the connectivity fault. +

    + +

    + Demand mode has a couple of caveats: +

      +
    • + To ensure that ovs-vswitchd has enough time to pull statistics + from the datapath, the fault detection interval is set to + 3.5 * MAX(, 500) + ms. +
    • + +
    • + To avoid ambiguity, demand mode disables itself when there are + multiple remote maintenance points. +
    • + +
    • + If the is heavily congested, CCMs + containing the + status may be dropped causing changes in the operational state to + be delayed. Similarly, if CCMs containing the RDI bit are not + received, unidirectional link failures may not be detected. +
    • +
    +

    + When down, the CFM module marks all CCMs it generates as @@ -2054,6 +3010,17 @@
    + +

    + Auto Attach configuration for a particular interface. +

    + + + True to enable LLDP on this . If not + specified, LLDP will be disabled by default. + +
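Review bot: The new group is introduced as "Auto Attach configuration for a particular interface" but the only key it documents enables LLDP ("True to enable LLDP on this interface"); say how the two relate (Auto Attach is carried in LLDP TLVs, so LLDP must be enabled on the interface for Auto Attach to function) or retitle the group, otherwise a reader looking for a plain LLDP switch will not find it here. A short caveat is also warranted: enabling LLDP makes the switch advertise itself on that port, so it should stay disabled on ports facing untrusted hosts.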
    + The overall purpose of these columns is described under Common Columns at the beginning of this document. @@ -2154,6 +3121,88 @@ column has no effect.

    + + +

    + This string set specifies which fields should be used for + address prefix tracking. Prefix tracking allows the + classifier to skip rules with longer than necessary prefixes, + resulting in better wildcarding for datapath flows. +

    +

    + Prefix tracking may be beneficial when a flow table contains + matches on IP address fields with different prefix lengths. + For example, when a flow table contains IP address matches on + both full addresses and proper prefixes, the full address + matches will typically cause the datapath flow to un-wildcard + the whole address field (depending on flow entry priorities). + In this case each packet with a different address gets handed + to the userspace for flow processing and generates its own + datapath flow. With prefix tracking enabled for the address + field in question packets with addresses matching shorter + prefixes would generate datapath flows where the irrelevant + address bits are wildcarded, allowing the same datapath flow + to handle all the packets within the prefix in question. In + this case many userspace upcalls can be avoided and the + overall performance can be better. +

    +

    + This is a performance optimization only, so packets will + receive the same treatment with or without prefix tracking. +

    +

    + The supported fields are: tun_id, + tun_src, tun_dst, + nw_src, nw_dst (or aliases + ip_src and ip_dst), + ipv6_src, and ipv6_dst. (Using this + feature for tun_id would only make sense if the + tunnel IDs have prefix structure similar to IP addresses.) +

    + +

    + By default, the prefixes=ip_dst,ip_src are used + on each flow table. This instructs the flow classifier to + track the IP destination and source addresses used by the + rules in this specific flow table. +

    + +

    + The keyword none is recognized as an explicit + override of the default values, causing no prefix fields to be + tracked. +

    + +

    + To set the prefix fields, the flow table record needs to + exist: +

    + +
    +
    ovs-vsctl set Bridge br0 flow_tables:0=@N1 -- --id=@N1 create Flow_Table name=table0
    +
    + Creates a flow table record for the OpenFlow table number 0. +
    + +
    ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src
    +
    + Enables prefix tracking for IP source and destination + address fields. +
    +
    + +

    + There is a maximum number of fields that can be enabled for any + one flow table. Currently this limit is 3. +

    +
    + + + The overall purpose of these columns is described under Common + Columns at the beginning of this document. + + +
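Review bot: "There is a maximum number of fields that can be enabled for any one flow table. Currently this limit is 3." should say what happens when a fourth field is given (an error from ovs-vsctl, or the extra field silently ignored) so the example "ovs-vsctl set Flow_Table table0 prefixes=ip_dst,ip_src" can be extended safely. Grammar: "By default, the prefixes=ip_dst,ip_src are used on each flow table" should be "is used". The worked example would also benefit from one sentence explaining that name=table0 is what lets the second command address the record, and that the record has no effect until the Bridge's flow_tables map points at it, which is what flow_tables:0=@N1 in the first command does.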
  • @@ -2180,6 +3229,33 @@ information on how this classifier works. +
    +
    linux-sfq
    +
    + Linux ``Stochastic Fairness Queueing'' classifier. See + tc-sfq(8) (also at + http://linux.die.net/man/8/tc-sfq) for information on + how this classifier works. +
    +
    +
    +
    linux-codel
    +
    + Linux ``Controlled Delay'' classifier. See tc-codel(8) + (also at + http://man7.org/linux/man-pages/man8/tc-codel.8.html) + for information on how this classifier works. +
    +
    +
    +
    linux-fq_codel
    +
    + Linux ``Fair Queuing with Controlled Delay'' classifier. See + tc-fq_codel(8) (also at + http://man7.org/linux/man-pages/man8/tc-fq_codel.8.html) + for information on how this classifier works. +
    +
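Review bot: The three new entries call sfq, codel and fq_codel a "classifier", following the htb/hfsc wording above, but these are classless queueing disciplines (qdiscs) with no per-class configuration; the text should say whether Queue records referenced from a QoS of these types have any effect, since a reader will otherwise try to configure queues that the discipline cannot honour. Minor: the man-page links mix linux.die.net (sfq) and man7.org (codel, fq_codel); use one source.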
    @@ -2413,7 +3489,9 @@

    - Key-value pairs that report mirror statistics. + Key-value pairs that report mirror statistics. The update period + is controlled by in the Open_vSwitch table.

    Number of packets transmitted through this mirror. @@ -2503,18 +3581,29 @@
    ssl:ip[:port]
    -

    The specified SSL port (default: 6633) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). The - column in the table must point to a - valid SSL configuration when this form is used.

    +

    The specified SSL port on the host at the + given ip, which must be expressed as an IP + address (not a DNS name). The column in the + table must point to a valid SSL configuration when this form + is used.

    +

    If port is not specified, it defaults to 6653.

    SSL support is an optional feature that is not always built as part of Open vSwitch.

    tcp:ip[:port]
    -
    The specified TCP port (default: 6633) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name).
    +
    +

    + The specified TCP port on the host at the given + ip, which must be expressed as an IP address (not a + DNS name), where ip can be IPv4 or IPv6 address. If + ip is an IPv6 address, wrap it in square brackets, + e.g. tcp:[::1]:6653. +

    +

    + If port is not specified, it defaults to 6653. +

    +

    The following connection methods are currently supported for service @@ -2524,25 +3613,43 @@

    pssl:[port][:ip]

    - Listens for SSL connections on the specified TCP port - (default: 6633). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. + Listens for SSL connections on the specified TCP port. + If ip, which must be expressed as an IP address (not a + DNS name), is specified, then connections are restricted to the + specified local IP address (either IPv4 or IPv6). If + ip is an IPv6 address, wrap it in square brackets, + e.g. pssl:6653:[::1].

    - The column in the table must point to a valid SSL - configuration when this form is used. + If port is not specified, it defaults to + 6653. If ip is not specified then it listens only on + IPv4 (but not IPv6) addresses. The + + column in the table must point to a + valid SSL configuration when this form is used. +

    +

    + If port is not specified, it currently to 6653. +

    +

    + SSL support is an optional feature that is not always built as + part of Open vSwitch.

    -

    SSL support is an optional feature that is not always built as - part of Open vSwitch.

    ptcp:[port][:ip]
    - Listens for connections on the specified TCP port - (default: 6633). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. +

    + Listens for connections on the specified TCP port. If + ip, which must be expressed as an IP address (not a + DNS name), is specified, then connections are restricted to the + specified local IP address (either IPv4 or IPv6). If + ip is an IPv6 address, wrap it in square brackets, + e.g. ptcp:6653:[::1]. If ip is not + specified then it listens only on IPv4 addresses. +

    +

    + If port is not specified, it defaults to 6653. +

    When multiple controllers are configured for a single bridge, the @@ -2596,7 +3703,7 @@ - +

    OpenFlow switches send certain messages to controllers spontanenously, that is, not in response to any request from the controller. These @@ -2616,38 +3723,102 @@ on any messages that it does want to receive, if any. - +

    - The maximum rate at which the switch will forward packets to the - OpenFlow controller, in packets per second. This feature prevents a - single bridge from overwhelming the controller. If not specified, - the default is implementation-specific. + A switch can forward packets to a controller over the OpenFlow + protocol. Forwarding packets this way at too high a rate can + overwhelm a controller, frustrate use of the OpenFlow connection for + other purposes, increase the latency of flow setup, and use an + unreasonable amount of bandwidth. Therefore, Open vSwitch supports + limiting the rate of packet forwarding to a controller.

    - In addition, when a high rate triggers rate-limiting, Open vSwitch - queues controller packets for each port and transmits them to the - controller at the configured rate. The value limits the number of queued - packets. Ports on a bridge share the packet queue fairly. + There are two main reasons in OpenFlow for a packet to be sent to a + controller: either the packet ``misses'' in the flow table, that is, + there is no matching flow, or a flow table action says to send the + packet to the controller. Open vSwitch limits the rate of each kind + of packet separately at the configured rate. Therefore, the actual + rate that packets are sent to the controller can be up to twice the + configured rate, when packets are sent for both reasons.

    - Open vSwitch maintains two such packet rate-limiters per bridge: one - for packets sent up to the controller because they do not correspond - to any flow, and the other for packets sent up to the controller by - request through flow actions. When both rate-limiters are filled with - packets, the actual rate that packets are sent to the controller is - up to twice the specified rate. + This feature is specific to forwarding packets over an OpenFlow + connection. It is not general-purpose QoS. See the table for quality of service configuration, and in the table for ingress policing configuration.

    -
    - - In conjunction with , - the maximum number of unused packet credits that the bridge will - allow to accumulate, in packets. If not specified, the default - is implementation-specific. - + +

    + The maximum rate at which the switch will forward packets to the + OpenFlow controller, in packets per second. If no value is + specified, rate limiting is disabled. +

    +
    + + +

    + When a high rate triggers rate-limiting, Open vSwitch queues + packets to the controller for each port and transmits them to the + controller at the configured rate. This value limits the number of + queued packets. Ports on a bridge share the packet queue fairly. +

    + +

    + This value has no effect unless is configured. The current + default when this value is not specified is one-quarter of , meaning that queuing can delay + forwarding a packet to the controller by up to 250 ms. +

    +
    + + +

    + These values report the effects of rate limiting. Their values are + relative to establishment of the most recent OpenFlow connection, + or since rate limiting was enabled, whichever happened more + recently. Each consists of two values, one with TYPE + replaced by miss for rate limiting flow table misses, + and the other with TYPE replaced by + action for rate limiting packets sent by OpenFlow + actions. +

    + +

    + These statistics are reported only when controller rate limiting is + enabled. +

    + + + Number of packets sent directly to the controller, without queuing, + because the rate did not exceed the configured maximum. + + + + Number of packets added to the queue to send later. + + + + Number of packets added to the queue that were later dropped due to + overflow. This value is less than or equal to . + + + + Number of packets currently queued. The other statistics increase + monotonically, but this one fluctuates between 0 and the as conditions change. + +
    +
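Review bot: The controller-rate-limit text changes the documented default from "implementation-specific" to "If no value is specified, rate limiting is disabled"; confirm that matches the code path, and since the same hunk explains that unbounded forwarding "can overwhelm a controller", it should add that leaving the limit unset lets one bridge saturate a shared controller and recommend setting a value where the controller serves more than one switch. The controller-burst-limit paragraph's "up to 250 ms" follows from the one-quarter default only when the queue drains at exactly the configured rate; write "about 250 ms" or show the arithmetic (burst = rate/4 packets drained at rate packets per second).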
    @@ -2697,7 +3868,7 @@
    Equivalent to other, except that there may be at most one master controller at a time. When a controller configures itself as master, any existing master is demoted to - the slaverole.
    + the slave role.
    slave
    Allows the controller read-only access to OpenFlow features. Attempts to modify the flow table will be rejected with an @@ -2814,37 +3985,54 @@
    ssl:ip[:port]

    - The specified SSL port (default: 6632) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). The - column in the table must point to a - valid SSL configuration when this form is used. + The specified SSL port on the host at the given + ip, which must be expressed as an IP address + (not a DNS name). The column in the + table must point to a valid SSL configuration when this + form is used.

    - SSL support is an optional feature that is not always built as - part of Open vSwitch. + If port is not specified, it defaults to 6640. +

    +

    + SSL support is an optional feature that is not always + built as part of Open vSwitch.

    tcp:ip[:port]
    - The specified TCP port (default: 6632) on the host at - the given ip, which must be expressed as an IP address - (not a DNS name). +

    + The specified TCP port on the host at the given + ip, which must be expressed as an IP address (not a + DNS name), where ip can be IPv4 or IPv6 address. If + ip is an IPv6 address, wrap it in square brackets, + e.g. tcp:[::1]:6640. +

    +

    + If port is not specified, it defaults to 6640. +

    pssl:[port][:ip]

    - Listens for SSL connections on the specified TCP port - (default: 6632). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. -

    -

    + Listens for SSL connections on the specified TCP port. + Specify 0 for port to have the kernel automatically + choose an available port. If ip, which must be + expressed as an IP address (not a DNS name), is specified, then + connections are restricted to the specified local IP address + (either IPv4 or IPv6 address). If ip is an IPv6 + address, wrap in square brackets, + e.g. pssl:6640:[::1]. If ip is not + specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL configuration when this form is used.

    +

    + If port is not specified, it defaults to 6640. +

    SSL support is an optional feature that is not always built as part of Open vSwitch. @@ -2852,10 +4040,20 @@

    ptcp:[port][:ip]
    - Listens for connections on the specified TCP port - (default: 6632). If ip, which must be expressed as an - IP address (not a DNS name), is specified, then connections are - restricted to the specified local IP address. +

    + Listens for connections on the specified TCP port. + Specify 0 for port to have the kernel automatically + choose an available port. If ip, which must be + expressed as an IP address (not a DNS name), is specified, then + connections are restricted to the specified local IP address + (either IPv4 or IPv6 address). If ip is an IPv6 + address, wrap it in square brackets, + e.g. ptcp:6640:[::1]. If ip is not + specified then it listens only on IPv4 addresses. +

    +

    + If port is not specified, it defaults to 6640. +

    When multiple managers are configured, the @@ -2999,6 +4197,14 @@ chosen connection.

    + + + When is ptcp: or + pssl:, this is the TCP port on which the OVSDB server is + listening. (This is is particularly useful when specifies a port of 0, allowing the kernel to + choose any available port.) + @@ -3052,10 +4258,20 @@ - The interval at which NetFlow records are sent for flows that are - still active, in seconds. A value of 0 requests the - default timeout (currently 600 seconds); a value of -1 - disables active timeouts. +

    + The interval at which NetFlow records are sent for flows that + are still active, in seconds. A value of 0 + requests the default timeout (currently 600 seconds); a value + of -1 disables active timeouts. +

    + +

    + The NetFlow passive timeout, for flows that become inactive, + is not configurable. It will vary depending on the Open + vSwitch version, the forms and contents of the OpenFlow flow + tables, CPU and memory usage, and network activity. A typical + passive timeout is about a second. +

    @@ -3118,8 +4334,8 @@
    -

    An sFlow(R) target. sFlow is a protocol for remote monitoring - of switches.

    +

    A set of sFlow(R) targets. sFlow is a protocol for remote + monitoring of switches.

    Name of the network device whose IP address should be reported as the @@ -3160,4 +4376,273 @@
    + +

    Configuration for sending packets to IPFIX collectors.

    + +

    + IPFIX is a protocol that exports a number of details about flows. The + IPFIX implementation in Open vSwitch samples packets at a configurable + rate, extracts flow information from those packets, optionally caches and + aggregates the flow information, and sends the result to one or more + collectors. +

    + +

    + IPFIX in Open vSwitch can be configured two different ways: +

    + +
      +
    • + With per-bridge sampling, Open vSwitch performs IPFIX sampling + automatically on all packets that pass through a bridge. To configure + per-bridge sampling, create an record and point a + table's + column to it. The table is + not used for per-bridge sampling. +
    • + +
    • +

      + With flow-based sampling, sample actions in the + OpenFlow flow table drive IPFIX sampling. See + ovs-ofctl(8) for a description of the + sample action. +

      + +

      + Flow-based sampling also requires database configuration: create a + record that describes the IPFIX configuration + and a record that points to + the whose flow table holds the + sample actions and to record. The + in the + table is not used for flow-based sampling. +

      +
    • +
    + + + IPFIX target collectors in the form + ip:port. + + + + The maximum period in seconds for which an IPFIX flow record is + cached and aggregated before being sent. If not specified, + defaults to 0. If 0, caching is disabled. + + + + The maximum number of IPFIX flow records that can be cached at a + time. If not specified, defaults to 0. If 0, caching is + disabled. + + + +

    + These values affect only per-bridge sampling. See above for a + description of the differences between per-bridge and flow-based + sampling. +

    + + + The rate at which packets should be sampled and sent to each target + collector. If not specified, defaults to 400, which means one out of + 400 packets, on average, will be sent to each target collector. + + + + The IPFIX Observation Domain ID sent in each IPFIX packet. If not + specified, defaults to 0. + + + + The IPFIX Observation Point ID sent in each IPFIX flow record. If not + specified, defaults to 0. + + + +

    + Set to true to enable sampling and reporting tunnel + header 7-tuples in IPFIX flow records. Tunnel sampling is disabled + by default. +

    + +

    + The following enterprise entities report the sampled tunnel info: +

    + +
    +
    tunnelType:
    +
    +

    ID: 891, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: Identifier of the layer 2 network overlay network + encapsulation type: 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, + 0x07 GENEVE.

    +
    +
    tunnelKey:
    +
    +

    ID: 892, and enterprise ID 6876 (VMware).

    +

    type: variable-length octetarray.

    +

    data type semantics: identifier.

    +

    description: Key which is used for identifying an individual + traffic flow within a VxLAN (24-bit VNI), GENEVE (24-bit VNI), + GRE (32- or 64-bit key), or LISP (24-bit instance ID) tunnel. The + key is encoded in this octetarray as a 3-, 4-, or 8-byte integer + ID in network byte order.

    +
    +
    tunnelSourceIPv4Address:
    +
    +

    ID: 893, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 source address in the tunnel IP packet + header.

    +
    +
    tunnelDestinationIPv4Address:
    +
    +

    ID: 894, and enterprise ID 6876 (VMware).

    +

    type: unsigned 32-bit integer.

    +

    data type semantics: identifier.

    +

    description: The IPv4 destination address in the tunnel IP + packet header.

    +
    +
    tunnelProtocolIdentifier:
    +
    +

    ID: 895, and enterprise ID 6876 (VMware).

    +

    type: unsigned 8-bit integer.

    +

    data type semantics: identifier.

    +

    description: The value of the protocol number in the tunnel + IP packet header. The protocol number identifies the tunnel IP + packet payload type.

    +
    +
    tunnelSourceTransportPort:
    +
    +

    ID: 896, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The source port identifier in the tunnel transport + header. For the transport protocols UDP, TCP, and SCTP, this is + the source port number given in the respective header.

    +
    +
    tunnelDestinationTransportPort:
    +
    +

    ID: 897, and enterprise ID 6876 (VMware).

    +

    type: unsigned 16-bit integer.

    +

    data type semantics: identifier.

    +

    description: The destination port identifier in the tunnel + transport header. For the transport protocols UDP, TCP, and SCTP, + this is the destination port number given in the respective header. +

    +
    +
    +
    + + + By default, Open vSwitch samples and reports flows at bridge port input + in IPFIX flow records. Set this column to false to + disable input sampling. + + + + By default, Open vSwitch samples and reports flows at bridge port + output in IPFIX flow records. Set this column to false to + disable output sampling. + +
    + + + The overall purpose of these columns is described under Common + Columns at the beginning of this document. + + + +
    + + +

    + A set of IPFIX collectors of packet samples generated by OpenFlow + sample actions. This table is used only for IPFIX + flow-based sampling, not for per-bridge sampling (see the table for a description of the two forms). +

    + + + The ID of this collector set, unique among the bridge's + collector sets, to be used as the collector_set_id + in OpenFlow sample actions. + + + + The bridge into which OpenFlow sample actions can + be added to send packet samples to this set of IPFIX collectors. + + + + Configuration of the set of IPFIX collectors to send one flow + record per sampled packet to. + + + + The overall purpose of these columns is described under Common + Columns at the beginning of this document. + + + +
    + + +

    Auto Attach configuration within a bridge. The IETF Auto-Attach SPBM + draft standard describes a compact method of using IEEE 802.1AB Link + Layer Discovery Protocol (LLDP) together with a IEEE 802.1aq Shortest + Path Bridging (SPB) network to automatically attach network devices + to individual services in a SPB network. The intent here is to allow + network applications and devices using OVS to be able to easily take + advantage of features offered by industry standard SPB networks.

    + +

    Auto Attach (AA) uses LLDP to communicate between a directly connected + Auto Attach Client (AAC) and Auto Attach Server (AAS). The LLDP protocol + is extended to add two new Type-Length-Value tuples (TLVs). The first + new TLV supports the ongoing discovery of directly connected AA + correspondents. Auto Attach operates by regularly transmitting AA + discovery TLVs between the AA client and AA server. By exchanging these + discovery messages, both the AAC and AAS learn the system name and + system description of their peer. In the OVS context, OVS operates as + the AA client and the AA server resides on a switch at the edge of the + SPB network.

    + +

    Once AA discovery has been completed the AAC then uses the + second new TLV to deliver identifier mappings from the AAC to the AAS. A primary + feature of Auto Attach is to facilitate the mapping of VLANs defined + outside the SPB network onto service ids (ISIDs) defined within the SPM + network. By doing so individual external VLANs can be mapped onto + specific SPB network services. These VLAN id to ISID mappings can be + configured and managed locally using new options added to the ovs-vsctl + command.

    + +

    The Auto Attach OVS feature does not provide a full implementation of + the LLDP protocol. Support for the mandatory TLVs as defined by the LLDP + standard and support for the AA TLV extensions is provided. LLDP + protocol support in OVS can be enabled or disabled on a port by port + basis. LLDP support is disabled by default.

    + + + The system_name string is exported in LLDP messages. It should uniquely + identify the bridge in the network. + + + + The system_description string is exported in LLDP messages. It should + describe the type of software and hardware. + + + + A mapping from SPB network Individual Service Identifier (ISID) to VLAN id. + +
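Review bot: In the cache_active_timeout and cache_max_flows descriptions near the top of this region, each column says "If 0, caching is disabled" and each defaults to 0, but nothing states how the two interact. A reader cannot tell whether setting only cache_max_flows (leaving the timeout at 0) enables caching, or whether both must be non-zero. Suggest one sentence making the rule explicit, e.g. "Caching is enabled only when both cache_active_timeout and cache_max_flows are non-zero," or whichever combination the implementation actually honours.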
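Review bot: The enable_tunnel_sampling text promises "tunnel header 7-tuples", but the seven enterprise entities that follow are all IPv4-specific (tunnelSourceIPv4Address, tunnelDestinationIPv4Address, IDs 893 and 894) and the tunnelType description lists 0x01 VxLAN, 0x02 GRE, 0x03 LISP, 0x05 IPsec+GRE, 0x07 GENEVE with 0x04 and 0x06 skipped without comment. Two documentation gaps for a collector implementer: state what is exported (or that nothing is exported) for tunnels whose outer header is IPv6, and state whether the unlisted tunnelType values are reserved or simply not reported by OVS. The "0x01 VxLAN, ... 0x07 GENEVE" line is also the right place to say that receivers should treat unknown values as opaque rather than fail.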
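Review bot: In the AutoAttach prose, "using new options added to the ovs-vsctl command" should name the options or reference the ovs-vsctl manpage section, since the mappings column below is the only concrete hook a reader gets. Minor wording in the same paragraphs: "together with a IEEE 802.1aq" should read "an IEEE 802.1aq"; "defined within the SPM network" looks like a typo for "SPB network" given every other occurrence; and "Once AA discovery has been completed the AAC then uses" needs a comma after "completed". The sentence "LLDP support is disabled by default" is useful and should stay, but it would help to say on which table or column the per-port enable lives, since "on a port by port basis" gives no pointer.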