Merge "master" into "ovn".

[cascardo/ovs.git] / tutorial / Tutorial.md

Open vSwitch Advanced Features Tutorial
=======================================

Many tutorials cover the basics of OpenFlow.  This is not such a
tutorial.  Rather, a knowledge of the basics of OpenFlow is a
prerequisite.  If you do not already understand how an OpenFlow flow
table works, please go read a basic tutorial and then continue reading
here afterward.

It is also important to understand the basics of Open vSwitch before
you begin.  If you have never used `ovs-vsctl` or `ovs-ofctl` before,
you should learn a little about them before proceeding.

Most of the features covered in this tutorial are Open vSwitch
extensions to OpenFlow.  Also, most of the features in this tutorial
are specific to the software Open vSwitch implementation.  If you are
using an Open vSwitch port to an ASIC-based hardware switch, this
tutorial will not help you.

This tutorial does not cover every aspect of the features that it
mentions.  You can find the details elsewhere in the Open vSwitch
documentation, especially `ovs-ofctl(8)` and the comments in the
`include/openflow/nicira-ext.h` header file.

> In this tutorial, paragraphs set off like this designate notes
> with additional information that readers may wish to skip on a
> first read.

Getting Started
---------------

This is a hands-on tutorial.  To get the most out of it, you will need
Open vSwitch binaries.  You do not, on the other hand, need any
physical networking hardware or even supervisor privilege on your
system.  Instead, we will use a script called `ovs-sandbox`, which
accompanies the tutorial, that constructs a software simulated network
environment based on Open vSwitch.

You can use `ovs-sandbox` three ways:

  * If you have already installed Open vSwitch on your system, then
    you should be able to just run `ovs-sandbox` from this directory
    without any options.

  * If you have not installed Open vSwitch (and you do not want to
    install it), then you can build Open vSwitch according to the
    instructions in [INSTALL.md], without installing it.  Then run
    `./ovs-sandbox -b DIRECTORY` from this directory, substituting
    the Open vSwitch build directory for `DIRECTORY`.

  * As a slight variant on the latter, you can run `make sandbox`
    from an Open vSwitch build directory.

When you run `ovs-sandbox`, it does the following:

  1. **CAUTION:** Deletes any subdirectory of the current directory
     named "sandbox" and any files in that directory.

  2. Creates a new directory "sandbox" in the current directory.

  3. Sets up special environment variables that ensure that Open
     vSwitch programs will look inside the "sandbox" directory
     instead of in the Open vSwitch installation directory.

  4. If you are using a built but not installed Open vSwitch,
     installs the Open vSwitch manpages in a subdirectory of
     "sandbox" and adjusts the `MANPATH` environment variable to point
     to this directory.  This means that you can use, for example,
     `man ovs-vsctl` to see a manpage for the `ovs-vsctl` program that
     you built.

  5. Creates an empty Open vSwitch configuration database under
     "sandbox".

  6. Starts `ovsdb-server` running under "sandbox".

  7. Starts `ovs-vswitchd` running under "sandbox", passing special
     options that enable a special "dummy" mode for testing.

  8. Starts a nested interactive shell inside "sandbox".

At this point, you can run all the usual Open vSwitch utilities from
the nested shell environment.  You can, for example, use `ovs-vsctl`
to create a bridge:

    ovs-vsctl add-br br0

From Open vSwitch's perspective, the bridge that you create this way
is as real as any other.  You can, for example, connect it to an
OpenFlow controller or use `ovs-ofctl` to examine and modify it and
its OpenFlow flow table.  On the other hand, the bridge is not visible
to the operating system's network stack, so `ifconfig` or `ip` cannot
see it or affect it, which means that utilities like `ping` and
`tcpdump` will not work either.  (That has its good side, too: you
can't screw up your computer's network stack by manipulating a
sandboxed OVS.)

When you're done using OVS from the sandbox, exit the nested shell (by
entering the "exit" shell command or pressing Control+D).  This will
kill the daemons that `ovs-sandbox` started, but it leaves the "sandbox"
directory and its contents in place.

The sandbox directory contains log files for the Open vSwitch dameons.
You can examine them while you're running in the sandboxed environment
or after you exit.

Using GDB
---------

GDB support is not required to go through the tutorial. It is added in case
user wants to explore the internals of OVS programs.

GDB can already be used to debug any running process, with the usual
'gdb <program> <process-id>' command.

'ovs-sandbox' also has a '-g' option for launching ovs-vswitchd under GDB.
This option can be handy for setting break points before ovs-vswitchd runs,
or for catching early segfaults. Similarly, a '-d' option can be used to
run ovsdb-server under GDB. Both options can be specified at the same time.

To avoid GDB mangling with the sandbox sub shell terminal, 'ovs-sandbox'
starts a new xterm to run each GDB session.  For systems that do not support
X windows, GDB support is effectively disabled.

When launching sandbox through the build tree's make file, the '-g' option
can be passed via the 'SANDBOXFLAGS' environment variable.
'make sandbox SANDBOXFLAGS=-g' will start the sandbox with ovs-vswitchd
running under GDB in its own xterm if X is available.

Motivation
----------

The goal of this tutorial is to demonstrate the power of Open vSwitch
flow tables.  The tutorial works through the implementation of a
MAC-learning switch with VLAN trunk and access ports.  Outside of the
Open vSwitch features that we will discuss, OpenFlow provides at least
two ways to implement such a switch:

  1. An OpenFlow controller to implement MAC learning in a
     "reactive" fashion.  Whenever a new MAC appears on the switch,
     or a MAC moves from one switch port to another, the controller
     adjusts the OpenFlow flow table to match.

  2. The "normal" action.  OpenFlow defines this action to submit a
     packet to "the traditional non-OpenFlow pipeline of the
     switch".  That is, if a flow uses this action, then the packets
     in the flow go through the switch in the same way that they
     would if OpenFlow was not configured on the switch.

Each of these approaches has unfortunate pitfalls.  In the first
approach, using an OpenFlow controller to implement MAC learning, has
a significant cost in terms of network bandwidth and latency.  It also
makes the controller more difficult to scale to large numbers of
switches, which is especially important in environments with thousands
of hypervisors (each of which contains a virtual OpenFlow switch).
MAC learning at an OpenFlow controller also behaves poorly if the
OpenFlow controller fails, slows down, or becomes unavailable due to
network problems.

The second approach, using the "normal" action, has different
problems.  First, little about the "normal" action is standardized, so
it behaves differently on switches from different vendors, and the
available features and how those features are configured (usually not
through OpenFlow) varies widely.  Second, "normal" does not work well
with other OpenFlow actions.  It is "all-or-nothing", with little
potential to adjust its behavior slightly or to compose it with other
features.


Scenario
--------

We will construct Open vSwitch flow tables for a VLAN-capable,
MAC-learning switch that has four ports:

  * p1, a trunk port that carries all VLANs, on OpenFlow port 1.

  * p2, an access port for VLAN 20, on OpenFlow port 2.

  * p3 and p4, both access ports for VLAN 30, on OpenFlow ports 3
    and 4, respectively.

> The ports' names are not significant.  You could call them eth1
> through eth4, or any other names you like.

> An OpenFlow switch always has a "local" port as well.  This
> scenario won't use the local port.

Our switch design will consist of five main flow tables, each of which
implements one stage in the switch pipeline:

  Table 0: Admission control.

  Table 1: VLAN input processing.

  Table 2: Learn source MAC and VLAN for ingress port.

  Table 3: Look up learned port for destination MAC and VLAN.

  Table 4: Output processing.

The section below describes how to set up the scenario, followed by a
section for each OpenFlow table.

You can cut and paste the `ovs-vsctl` and `ovs-ofctl` commands in each
of the sections below into your `ovs-sandbox` shell.  They are also
available as shell scripts in this directory, named `t-setup`, `t-stage0`,
`t-stage1`, ..., `t-stage4`.  The `ovs-appctl` test commands are intended
for cutting and pasting and are not supplied separately.


Setup
-----

To get started, start `ovs-sandbox`.  Inside the interactive shell
that it starts, run this command:

    ovs-vsctl add-br br0 -- set Bridge br0 fail-mode=secure

This command creates a new bridge "br0" and puts "br0" into so-called
"fail-secure" mode.  For our purpose, this just means that the
OpenFlow flow table starts out empty.

> If we did not do this, then the flow table would start out with a
> single flow that executes the "normal" action.  We could use that
> feature to yield a switch that behaves the same as the switch we
> are currently building, but with the caveats described under
> "Motivation" above.)

The new bridge has only one port on it so far, the "local port" br0.
We need to add p1, p2, p3, and p4.  A shell "for" loop is one way to
do it:

    for i in 1 2 3 4; do
        ovs-vsctl add-port br0 p$i -- set Interface p$i ofport_request=$i
              ovs-ofctl mod-port br0 p$i up
    done

In addition to adding a port, the `ovs-vsctl` command above sets its
"ofport_request" column to ensure that port p1 is assigned OpenFlow
port 1, p2 is assigned OpenFlow port 2, and so on.

> We could omit setting the ofport_request and let Open vSwitch
> choose port numbers for us, but it's convenient for the purposes
> of this tutorial because we can talk about OpenFlow port 1 and
> know that it corresponds to p1.

The `ovs-ofctl` command above brings up the simulated interfaces, which
are down initially, using an OpenFlow request.  The effect is similar
to `ifconfig up`, but the sandbox's interfaces are not visible to the
operating system and therefore `ifconfig` would not affect them.

We have not configured anything related to VLANs or MAC learning.
That's because we're going to implement those features in the flow
table.

To see what we've done so far to set up the scenario, you can run a
command like `ovs-vsctl show` or `ovs-ofctl show br0`.


Implementing Table 0: Admission control
---------------------------------------

Table 0 is where packets enter the switch.  We use this stage to
discard packets that for one reason or another are invalid.  For
example, packets with a multicast source address are not valid, so we
can add a flow to drop them at ingress to the switch with:

    ovs-ofctl add-flow br0 \
        "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop"

A switch should also not forward IEEE 802.1D Spanning Tree Protocol
(STP) packets, so we can also add a flow to drop those and other
packets with reserved multicast protocols:

    ovs-ofctl add-flow br0 \
        "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop"

We could add flows to drop other protocols, but these demonstrate the
pattern.

We need one more flow, with a priority lower than the default, so that
flows that don't match either of the "drop" flows we added above go on
to pipeline stage 1 in OpenFlow table 1:

    ovs-ofctl add-flow br0 "table=0, priority=0, actions=resubmit(,1)"

(The "resubmit" action is an Open vSwitch extension to OpenFlow.)


### Testing Table 0

If we were using Open vSwitch to set up a physical or a virtual
switch, then we would naturally test it by sending packets through it
one way or another, perhaps with common network testing tools like
`ping` and `tcpdump` or more specialized tools like Scapy.  That's
difficult with our simulated switch, since it's not visible to the
operating system.

But our simulated switch has a few specialized testing tools.  The
most powerful of these tools is `ofproto/trace`.  Given a switch and
the specification of a flow, `ofproto/trace` shows, step-by-step, how
such a flow would be treated as it goes through the switch.


### EXAMPLE 1

Try this command:

    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=01:80:c2:00:00:05

The output should look something like this:

    Flow: metadata=0,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=01:80:c2:00:00:05,dl_type=0x0000
    Rule: table=0 cookie=0 dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0
    OpenFlow actions=drop

    Final flow: unchanged
    Datapath actions: drop

The first block of lines describes an OpenFlow table lookup.  The
first line shows the fields used for the table lookup (which is mostly
zeros because that's the default if we don't specify everything).  The
second line gives the OpenFlow flow that the fields matched (called a
"rule" because that is the name used inside Open vSwitch for an
OpenFlow flow).  In this case, we see that this packet that has a
reserved multicast destination address matches the rule that drops
those packets.  The third line gives the rule's OpenFlow actions.

The second block of lines summarizes the results, which are not very
interesting here.


### EXAMPLE 2

Try another command:

    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=01:80:c2:00:00:10

The output should be:

    Flow: metadata=0,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=01:80:c2:00:00:10,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=resubmit(,1)

            Resubmitted flow: unchanged
            Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
            Resubmitted  odp: drop
            No match

    Final flow: unchanged
    Datapath actions: drop

This time the flow we handed to `ofproto/trace` doesn't match any of
our "drop" rules, so it falls through to the low-priority "resubmit"
rule, which we see in the rule and the actions selected in the first
block.  The "resubmit" causes a second lookup in OpenFlow table 1,
described by the additional block of indented text in the output.  We
haven't yet added any flows to OpenFlow table 1, so no flow actually
matches in the second lookup.  Therefore, the packet is still actually
dropped, which means that the externally observable results would be
identical to our first example.


Implementing Table 1: VLAN Input Processing
-------------------------------------------

A packet that enters table 1 has already passed basic validation in
table 0.  The purpose of table 1 is validate the packet's VLAN, based
on the VLAN configuration of the switch port through which the packet
entered the switch.  We will also use it to attach a VLAN header to
packets that arrive on an access port, which allows later processing
stages to rely on the packet's VLAN always being part of the VLAN
header, reducing special cases.

Let's start by adding a low-priority flow that drops all packets,
before we add flows that pass through acceptable packets.  You can
think of this as a "default drop" rule:

    ovs-ofctl add-flow br0 "table=1, priority=0, actions=drop"

Our trunk port p1, on OpenFlow port 1, is an easy case.  p1 accepts
any packet regardless of whether it has a VLAN header or what the VLAN
was, so we can add a flow that resubmits everything on input port 1 to
the next table:

    ovs-ofctl add-flow br0 \
        "table=1, priority=99, in_port=1, actions=resubmit(,2)"

On the access ports, we want to accept any packet that has no VLAN
header, tag it with the access port's VLAN number, and then pass it
along to the next stage:

    ovs-ofctl add-flows br0 - <<'EOF'
          table=1, priority=99, in_port=2, vlan_tci=0, actions=mod_vlan_vid:20, resubmit(,2)
          table=1, priority=99, in_port=3, vlan_tci=0, actions=mod_vlan_vid:30, resubmit(,2)
          table=1, priority=99, in_port=4, vlan_tci=0, actions=mod_vlan_vid:30, resubmit(,2)
    EOF

We don't write any rules that match packets with 802.1Q that enter
this stage on any of the access ports, so the "default drop" rule we
added earlier causes them to be dropped, which is ordinarily what we
want for access ports.

> Another variation of access ports allows ingress of packets tagged
> with VLAN 0 (aka 802.1p priority tagged packets).  To allow such
> packets, replace "vlan_tci=0" by "vlan_tci=0/0xfff" above.


### Testing Table 1

`ofproto/trace` allows us to test the ingress VLAN rules that we added
above.


### EXAMPLE 1: Packet on Trunk Port

Here's a test of a packet coming in on the trunk port:

    ovs-appctl ofproto/trace br0 in_port=1,vlan_tci=5

The output shows the lookup in table 0, the resubmit to table 1, and
the resubmit to table 2 (which does nothing because we haven't put
anything there yet):

    Flow: metadata=0,in_port=1,vlan_tci=0x0005,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=resubmit(,1)

            Resubmitted flow: unchanged
            Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
            Resubmitted  odp: drop
            Rule: table=1 cookie=0 priority=99,in_port=1
            OpenFlow actions=resubmit(,2)

                    Resubmitted flow: unchanged
                    Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                    Resubmitted  odp: drop
                    No match

    Final flow: unchanged
    Datapath actions: drop


### EXAMPLE 2: Valid Packet on Access Port

Here's a test of a valid packet (a packet without an 802.1Q header)
coming in on access port p2:

    ovs-appctl ofproto/trace br0 in_port=2

The output is similar to that for the previous case, except that it
additionally tags the packet with p2's VLAN 20 before it passes it
along to table 2:

    Flow: metadata=0,in_port=2,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=resubmit(,1)

            Resubmitted flow: unchanged
            Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
            Resubmitted  odp: drop
            Rule: table=1 cookie=0 priority=99,in_port=2,vlan_tci=0x0000
            OpenFlow actions=mod_vlan_vid:20,resubmit(,2)

                    Resubmitted flow: metadata=0,in_port=2,dl_vlan=20,dl_vlan_pcp=0,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
                    Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                    Resubmitted  odp: drop
                    No match

    Final flow: unchanged
    Datapath actions: drop


### EXAMPLE 3: Invalid Packet on Access Port

This tests an invalid packet (one that includes an 802.1Q header)
coming in on access port p2:

    ovs-appctl ofproto/trace br0 in_port=2,vlan_tci=5

The output shows the packet matching the default drop rule:

    Flow: metadata=0,in_port=2,vlan_tci=0x0005,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=resubmit(,1)

            Resubmitted flow: unchanged
            Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
            Resubmitted  odp: drop
            Rule: table=1 cookie=0 priority=0
            OpenFlow actions=drop

    Final flow: unchanged
    Datapath actions: drop


Implementing Table 2: MAC+VLAN Learning for Ingress Port
--------------------------------------------------------

This table allows the switch we're implementing to learn that the
packet's source MAC is located on the packet's ingress port in the
packet's VLAN.

> This table is a good example why table 1 added a VLAN tag to
> packets that entered the switch through an access port.  We want
> to associate a MAC+VLAN with a port regardless of whether the VLAN
> in question was originally part of the packet or whether it was an
> assumed VLAN associated with an access port.

It only takes a single flow to do this.  The following command adds
it:

    ovs-ofctl add-flow br0 \
        "table=2 actions=learn(table=10, NXM_OF_VLAN_TCI[0..11], \
                               NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[], \
                               load:NXM_OF_IN_PORT[]->NXM_NX_REG0[0..15]), \
                         resubmit(,3)"

The "learn" action (an Open vSwitch extension to OpenFlow) modifies a
flow table based on the content of the flow currently being processed.
Here's how you can interpret each part of the "learn" action above:

    table=10

        Modify flow table 10.  This will be the MAC learning table.

    NXM_OF_VLAN_TCI[0..11]

        Make the flow that we add to flow table 10 match the same VLAN
        ID that the packet we're currently processing contains.  This
        effectively scopes the MAC learning entry to a single VLAN,
        which is the ordinary behavior for a VLAN-aware switch.

    NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[]

        Make the flow that we add to flow table 10 match, as Ethernet
        destination, the Ethernet source address of the packet we're
        currently processing.

    load:NXM_OF_IN_PORT[]->NXM_NX_REG0[0..15]

        Whereas the preceding parts specify fields for the new flow to
        match, this specifies an action for the flow to take when it
        matches.  The action is for the flow to load the ingress port
        number of the current packet into register 0 (a special field
        that is an Open vSwitch extension to OpenFlow).

> A real use of "learn" for MAC learning would probably involve two
> additional elements.  First, the "learn" action would specify a
> hard_timeout for the new flow, to enable a learned MAC to
> eventually expire if no new packets were seen from a given source
> within a reasonable interval.  Second, one would usually want to
> limit resource consumption by using the Flow_Table table in the
> Open vSwitch configuration database to specify a maximum number of
> flows in table 10.

This definitely calls for examples.


### Testing Table 2

### EXAMPLE 1

Try the following test command:

    ovs-appctl ofproto/trace br0 in_port=1,vlan_tci=20,dl_src=50:00:00:00:00:01 -generate

The output shows that "learn" was executed, but it isn't otherwise
informative, so we won't include it here.

The `-generate` keyword is new.  Ordinarily, `ofproto/trace` has no
side effects: "output" actions do not actually output packets, "learn"
actions do not actually modify the flow table, and so on.  With
`-generate`, though, `ofproto/trace` does execute "learn" actions.
That's important now, because we want to see the effect of the "learn"
action on table 10.  You can see that by running:

    ovs-ofctl dump-flows br0 table=10

which (omitting the "duration" and "idle_age" fields, which will vary
based on how soon you ran this command after the previous one, as well
as some other uninteresting fields) prints something like:

    NXST_FLOW reply (xid=0x4):
     table=10, vlan_tci=0x0014/0x0fff,dl_dst=50:00:00:00:00:01 actions=load:0x1->NXM_NX_REG0[0..15]

You can see that the packet coming in on VLAN 20 with source MAC
50:00:00:00:00:01 became a flow that matches VLAN 20 (written in
hexadecimal) and destination MAC 50:00:00:00:00:01.  The flow loads
port number 1, the input port for the flow we tested, into register 0.


### EXAMPLE 2

Here's a second test command:

    ovs-appctl ofproto/trace br0 in_port=2,dl_src=50:00:00:00:00:01 -generate

The flow that this command tests has the same source MAC and VLAN as
example 1, although the VLAN comes from an access port VLAN rather
than an 802.1Q header.  If we again dump the flows for table 10 with:

    ovs-ofctl dump-flows br0 table=10

then we see that the flow we saw previously has changed to indicate
that the learned port is port 2, as we would expect:

    NXST_FLOW reply (xid=0x4):
     table=10, vlan_tci=0x0014/0x0fff,dl_dst=50:00:00:00:00:01 actions=load:0x2->NXM_NX_REG0[0..15]


Implementing Table 3: Look Up Destination Port
----------------------------------------------

This table figures out what port we should send the packet to based on
the destination MAC and VLAN.  That is, if we've learned the location
of the destination (from table 2 processing some previous packet with
that destination as its source), then we want to send the packet
there.

We need only one flow to do the lookup:

    ovs-ofctl add-flow br0 \
        "table=3 priority=50 actions=resubmit(,10), resubmit(,4)"

The flow's first action resubmits to table 10, the table that the
"learn" action modifies.  As you saw previously, the learned flows in
this table write the learned port into register 0.  If the destination
for our packet hasn't been learned, then there will be no matching
flow, and so the "resubmit" turns into a no-op.  Because registers are
initialized to 0, we can use a register 0 value of 0 in our next
pipeline stage as a signal to flood the packet.

The second action resubmits to table 4, continuing to the next
pipeline stage.

We can add another flow to skip the learning table lookup for
multicast and broadcast packets, since those should always be flooded:

    ovs-ofctl add-flow br0 \
        "table=3 priority=99 dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 \
          actions=resubmit(,4)"

> We don't strictly need to add this flow, because multicast
> addresses will never show up in our learning table.  (In turn,
> that's because we put a flow into table 0 to drop packets that
> have a multicast source address.)


### Testing Table 3

### EXAMPLE

Here's a command that should cause OVS to learn that f0:00:00:00:00:01
is on p1 in VLAN 20:

    ovs-appctl ofproto/trace br0 in_port=1,dl_vlan=20,dl_src=f0:00:00:00:00:01,dl_dst=90:00:00:00:00:01 -generate

Here's an excerpt from the output that shows (from the "no match"
looking up the resubmit to table 10) that the flow's destination was
unknown:

                        Resubmitted flow: unchanged
                        Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                        Resubmitted  odp: drop
                        Rule: table=3 cookie=0 priority=50
                        OpenFlow actions=resubmit(,10),resubmit(,4)

                                Resubmitted flow: unchanged
                                Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                                Resubmitted  odp: drop
                                No match

You can verify that the packet's source was learned two ways.  The
most direct way is to dump the learning table with:

    ovs-ofctl dump-flows br0 table=10

which ought to show roughly the following, with extraneous details
removed:

    table=10, vlan_tci=0x0014/0x0fff,dl_dst=f0:00:00:00:00:01 actions=load:0x1->NXM_NX_REG0[0..15]

> If you tried the examples for the previous step, or if you did
> some of your own experiments, then you might see additional flows
> there.  These additional flows are harmless.  If they bother you,
> then you can remove them with `ovs-ofctl del-flows br0 table=10`.

The other way is to inject a packet to take advantage of the learning
entry.  For example, we can inject a packet on p2 whose destination is
the MAC address that we just learned on p1:

    ovs-appctl ofproto/trace br0 in_port=2,dl_src=90:00:00:00:00:01,dl_dst=f0:00:00:00:00:01 -generate

Here's an interesting excerpt from that command's output.  This group
of lines traces the "resubmit(,10)", showing that the packet matched
the learned flow for the first MAC we used, loading the OpenFlow port
number for the learned port p1 into register 0:

                                Resubmitted flow: unchanged
                                Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                                Resubmitted  odp: drop
                                Rule: table=10 cookie=0 vlan_tci=0x0014/0x0fff,dl_dst=f0:00:00:00:00:01
                                OpenFlow actions=load:0x1->NXM_NX_REG0[0..15]


If you read the commands above carefully, then you might have noticed
that they simply have the Ethernet source and destination addresses
exchanged.  That means that if we now rerun the first `ovs-appctl`
command above, e.g.:

    ovs-appctl ofproto/trace br0 in_port=1,dl_vlan=20,dl_src=f0:00:00:00:00:01,dl_dst=90:00:00:00:00:01 -generate

then we see in the output that the destination has now been learned:

                                Resubmitted flow: unchanged
                                Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x0 reg6=0x0 reg7=0x0
                                Resubmitted  odp: drop
                                Rule: table=10 cookie=0 vlan_tci=0x0014/0x0fff,dl_dst=90:00:00:00:00:01
                                OpenFlow actions=load:0x2->NXM_NX_REG0[0..15]


Implementing Table 4: Output Processing
---------------------------------------

At entry to stage 4, we know that register 0 contains either the
desired output port or is zero if the packet should be flooded.  We
also know that the packet's VLAN is in its 802.1Q header, even if the
VLAN was implicit because the packet came in on an access port.

The job of the final pipeline stage is to actually output packets.
The job is trivial for output to our trunk port p1:

    ovs-ofctl add-flow br0 "table=4 reg0=1 actions=1"

For output to the access ports, we just have to strip the VLAN header
before outputting the packet:

    ovs-ofctl add-flows br0 - <<'EOF'
    table=4 reg0=2 actions=strip_vlan,2
    table=4 reg0=3 actions=strip_vlan,3
    table=4 reg0=4 actions=strip_vlan,4
    EOF

The only slightly tricky part is flooding multicast and broadcast
packets and unicast packets with unlearned destinations.  For those,
we need to make sure that we only output the packets to the ports that
carry our packet's VLAN, and that we include the 802.1Q header in the
copy output to the trunk port but not in copies output to access
ports:

    ovs-ofctl add-flows br0 - <<'EOF'
    table=4 reg0=0 priority=99 dl_vlan=20 actions=1,strip_vlan,2
    table=4 reg0=0 priority=99 dl_vlan=30 actions=1,strip_vlan,3,4
    table=4 reg0=0 priority=50            actions=1
    EOF

> Our rules rely on the standard OpenFlow behavior that an output
> action will not forward a packet back out the port it came in on.
> That is, if a packet comes in on p1, and we've learned that the
> packet's destination MAC is also on p1, so that we end up with
> "actions=1" as our actions, the switch will not forward the packet
> back out its input port.  The multicast/broadcast/unknown
> destination cases above also rely on this behavior.


### Testing Table 4

### EXAMPLE 1: Broadcast, Multicast, and Unknown Destination

Try tracing a broadcast packet arriving on p1 in VLAN 30:

    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=ff:ff:ff:ff:ff:ff,dl_vlan=30

The interesting part of the output is the final line, which shows that
the switch would remove the 802.1Q header and then output the packet to
p3 and p4, which are access ports for VLAN 30:

    Datapath actions: pop_vlan,3,4

Similarly, if we trace a broadcast packet arriving on p3:

    ovs-appctl ofproto/trace br0 in_port=3,dl_dst=ff:ff:ff:ff:ff:ff

then we see that it is output to p1 with an 802.1Q tag and then to p4
without one:

    Datapath actions: push_vlan(vid=30,pcp=0),1,pop_vlan,4

> Open vSwitch could simplify the datapath actions here to just
> "4,push_vlan(vid=30,pcp=0),1" but it is not smart enough to do so.

The following are also broadcasts, but the result is to drop the
packets because the VLAN only belongs to the input port:

    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=ff:ff:ff:ff:ff:ff
    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=ff:ff:ff:ff:ff:ff,dl_vlan=55

Try some other broadcast cases on your own:

    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=ff:ff:ff:ff:ff:ff,dl_vlan=20
    ovs-appctl ofproto/trace br0 in_port=2,dl_dst=ff:ff:ff:ff:ff:ff
    ovs-appctl ofproto/trace br0 in_port=4,dl_dst=ff:ff:ff:ff:ff:ff

You can see the same behavior with multicast packets and with unicast
packets whose destination has not been learned, e.g.:

    ovs-appctl ofproto/trace br0 in_port=4,dl_dst=01:00:00:00:00:00
    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=90:12:34:56:78:90,dl_vlan=20
    ovs-appctl ofproto/trace br0 in_port=1,dl_dst=90:12:34:56:78:90,dl_vlan=30


### EXAMPLE 2: MAC Learning

Let's follow the same pattern as we did for table 3.  First learn a
MAC on port p1 in VLAN 30:

    ovs-appctl ofproto/trace br0 in_port=1,dl_vlan=30,dl_src=10:00:00:00:00:01,dl_dst=20:00:00:00:00:01 -generate

You can see from the last line of output that the packet's destination
is unknown, so it gets flooded to both p3 and p4, the other ports in
VLAN 30:

    Datapath actions: pop_vlan,3,4

Then reverse the MACs and learn the first flow's destination on port
p4:

    ovs-appctl ofproto/trace br0 in_port=4,dl_src=20:00:00:00:00:01,dl_dst=10:00:00:00:00:01 -generate

The last line of output shows that the this packet's destination is
known to be p1, as learned from our previous command:

    Datapath actions: push_vlan(vid=30,pcp=0),1

Now, if we rerun our first command:

    ovs-appctl ofproto/trace br0 in_port=1,dl_vlan=30,dl_src=10:00:00:00:00:01,dl_dst=20:00:00:00:00:01 -generate

we can see that the result is no longer a flood but to the specified
learned destination port p4:

    Datapath actions: pop_vlan,4


Contact 
=======

bugs@openvswitch.org
http://openvswitch.org/

[INSTALL.md]:../INSTALL.md