1 <?xml version="1.0" encoding="utf-8"?>
2 <database name="vtep" title="Hardware VTEP Database">
4 This schema specifies relations that a VTEP can use to integrate
5 physical ports into logical switches maintained by a network
6 virtualization controller such as NSX.
14 VXLAN Tunnel End Point, an entity which originates and/or terminates
20 Hardware Switch Controller.
25 Network Virtualization Controller, e.g. NSX.
30 Virtual Routing and Forwarding instance.
34 <table name="Global" title="Top-level configuration.">
35 Top-level configuration for a hardware VTEP. There must be
36 exactly one record in the <ref table="Global"/> table.
38 <column name="switches">
40 The physical switch or switches managed by the VTEP.
44 When a physical switch integrates support for this VTEP schema, which
45 is expected to be the most common case, this column should point to one
46 <ref table="Physical_Switch"/> record that represents the switch
47 itself. In another possible implementation, a server or a VM presents
48 a VTEP schema front-end interface to one or more physical switches,
49 presumably communicating with those physical switches over a
50 proprietary protocol. In that case, this column would point to one
51 <ref table="Physical_Switch"/> for each physical switch, and the set
52 might change over time as the front-end server comes to represent a
53 differing set of switches.
57 <group title="Database Configuration">
59 These columns primarily configure the database server
60 (<code>ovsdb-server</code>), not the hardware VTEP itself.
63 <column name="managers">
64 Database clients to which the database server should connect or
65 to which it should listen, along with options for how these
66 connection should be configured. See the <ref table="Manager"/>
67 table for more information.
72 <table name="Manager" title="OVSDB management connection.">
74 Configuration for a database connection to an Open vSwitch Database
79 The database server can initiate and maintain active connections
80 to remote clients. It can also listen for database connections.
83 <group title="Core Features">
84 <column name="target">
85 <p>Connection method for managers.</p>
87 The following connection methods are currently supported:
90 <dt><code>ssl:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
93 The specified SSL <var>port</var> (default: 6640) on the host at
94 the given <var>ip</var>, which must be expressed as an IP address
98 SSL key and certificate configuration happens outside the
103 <dt><code>tcp:<var>ip</var></code>[<code>:<var>port</var></code>]</dt>
105 The specified TCP <var>port</var> (default: 6640) on the host at
106 the given <var>ip</var>, which must be expressed as an IP address
109 <dt><code>pssl:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
112 Listens for SSL connections on the specified TCP <var>port</var>
113 (default: 6640). If <var>ip</var>, which must be expressed as an
114 IP address (not a DNS name), is specified, then connections are
115 restricted to the specified local IP address.
118 <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>ip</var></code>]</dt>
120 Listens for connections on the specified TCP <var>port</var>
121 (default: 6640). If <var>ip</var>, which must be expressed as an
122 IP address (not a DNS name), is specified, then connections are
123 restricted to the specified local IP address.
129 <group title="Client Failure Detection and Handling">
130 <column name="max_backoff">
131 Maximum number of milliseconds to wait between connection attempts.
132 Default is implementation-specific.
135 <column name="inactivity_probe">
136 Maximum number of milliseconds of idle time on connection to the
137 client before sending an inactivity probe message. If the Open
138 vSwitch database does not communicate with the client for the
139 specified number of seconds, it will send a probe. If a
140 response is not received for the same additional amount of time,
141 the database server assumes the connection has been broken
142 and attempts to reconnect. Default is implementation-specific.
143 A value of 0 disables inactivity probes.
147 <group title="Status">
148 <column name="is_connected">
149 <code>true</code> if currently connected to this manager,
150 <code>false</code> otherwise.
153 <column name="status" key="last_error">
154 A human-readable description of the last error on the connection
155 to the manager; i.e. <code>strerror(errno)</code>. This key
156 will exist only if an error has occurred.
159 <column name="status" key="state"
160 type='{"type": "string", "enum": ["set", ["VOID", "BACKOFF", "CONNECTING", "ACTIVE", "IDLE"]]}'>
162 The state of the connection to the manager:
165 <dt><code>VOID</code></dt>
166 <dd>Connection is disabled.</dd>
168 <dt><code>BACKOFF</code></dt>
169 <dd>Attempting to reconnect at an increasing period.</dd>
171 <dt><code>CONNECTING</code></dt>
172 <dd>Attempting to connect.</dd>
174 <dt><code>ACTIVE</code></dt>
175 <dd>Connected, remote host responsive.</dd>
177 <dt><code>IDLE</code></dt>
178 <dd>Connection is idle. Waiting for response to keep-alive.</dd>
181 These values may change in the future. They are provided only for
186 <column name="status" key="sec_since_connect"
187 type='{"type": "integer", "minInteger": 0}'>
188 The amount of time since this manager last successfully connected
189 to the database (in seconds). Value is empty if manager has never
190 successfully connected.
193 <column name="status" key="sec_since_disconnect"
194 type='{"type": "integer", "minInteger": 0}'>
195 The amount of time since this manager last disconnected from the
196 database (in seconds). Value is empty if manager has never
200 <column name="status" key="locks_held">
201 Space-separated list of the names of OVSDB locks that the connection
202 holds. Omitted if the connection does not hold any locks.
205 <column name="status" key="locks_waiting">
206 Space-separated list of the names of OVSDB locks that the connection is
207 currently waiting to acquire. Omitted if the connection is not waiting
211 <column name="status" key="locks_lost">
212 Space-separated list of the names of OVSDB locks that the connection
213 has had stolen by another OVSDB client. Omitted if no locks have been
214 stolen from this connection.
217 <column name="status" key="n_connections"
218 type='{"type": "integer", "minInteger": 2}'>
220 When <ref column="target"/> specifies a connection method that
221 listens for inbound connections (e.g. <code>ptcp:</code> or
222 <code>pssl:</code>) and more than one connection is actually active,
223 the value is the number of active connections. Otherwise, this
224 key-value pair is omitted.
227 When multiple connections are active, status columns and key-value
228 pairs (other than this one) report the status of one arbitrarily
234 <group title="Connection Parameters">
236 Additional configuration for a connection between the manager
237 and the database server.
240 <column name="other_config" key="dscp"
241 type='{"type": "integer"}'>
242 The Differentiated Service Code Point (DSCP) is specified using 6 bits
243 in the Type of Service (TOS) field in the IP header. DSCP provides a
244 mechanism to classify the network traffic and provide Quality of
245 Service (QoS) on IP networks.
247 The DSCP value specified here is used when establishing the
248 connection between the manager and the database server. If no
249 value is specified, a default value of 48 is chosen. Valid DSCP
250 values must be in the range 0 to 63.
255 <table name="Physical_Switch" title="A physical switch.">
256 A physical switch that implements a VTEP.
258 <column name="ports">
259 The physical ports within the switch.
262 <column name="tunnels">
263 Tunnels created by this switch as instructed by the NVC.
266 <group title="Network Status">
267 <column name="management_ips">
268 IPv4 or IPv6 addresses at which the switch may be contacted
269 for management purposes.
272 <column name="tunnel_ips">
274 IPv4 or IPv6 addresses on which the switch may originate or
279 This column is intended to allow a <ref table="Manager"/> to
280 determine the <ref table="Physical_Switch"/> that terminates
281 the tunnel represented by a <ref table="Physical_Locator"/>.
286 <group title="Identification">
288 Symbolic name for the switch, such as its hostname.
291 <column name="description">
292 An extended description for the switch, such as its switch login
296 <group title="Error Notification">
298 An entry in this column indicates to the NVC that this switch
299 has encountered a fault. The switch must clear this column
300 when the fault has been cleared.
303 <column name="switch_fault_status" key="mac_table_exhaustion">
304 Indicates that the switch has been unable to process MAC
305 entries requested by the NVC due to lack of table resources.
308 <column name="switch_fault_status" key="tunnel_exhaustion">
309 Indicates that the switch has been unable to create tunnels
310 requested by the NVC due to lack of resources.
313 <column name="switch_fault_status" key="unspecified_fault">
314 Indicates that an error has occurred in the switch but that no
315 more specific information is available.
321 <table name="Tunnel" title="A tunnel created by a physical switch.">
322 A tunnel created by a <ref table="Physical_Switch"/>.
324 <column name="local">
325 Tunnel end-point local to the physical switch.
328 <column name="remote">
329 Tunnel end-point remote to the physical switch.
332 <group title="Bidirectional Forwarding Detection (BFD)">
334 BFD, defined in RFC 5880, allows point to point detection of
335 connectivity failures by occasional transmission of BFD control
336 messages. VTEPs are expected to implement BFD.
340 BFD operates by regularly transmitting BFD control messages at a
341 rate negotiated independently in each direction. Each endpoint
342 specifies the rate at which it expects to receive control messages,
343 and the rate at which it's willing to transmit them. An endpoint
344 which fails to receive BFD control messages for a period of three
345 times the expected reception rate will signal a connectivity
346 fault. In the case of a unidirectional connectivity issue, the
347 system not receiving BFD control messages will signal the problem
348 to its peer in the messages it transmits.
352 A hardware VTEP is expected to use BFD to determine reachability of
353 devices at the end of the tunnels with which it exchanges data. This
354 can enable the VTEP to choose a functioning service node among a set of
355 service nodes providing high availability. It also enables the NVC to
356 report the health status of tunnels.
360 In most cases the BFD peer of a hardware VTEP will be an Open vSwitch
361 instance. The Open vSwitch implementation of BFD aims to comply
362 faithfully with the requirements put forth in RFC 5880. Open vSwitch
363 does not implement the optional Authentication or ``Echo Mode''
367 <group title="BFD Local Configuration">
369 The HSC writes the key-value pairs in the
370 <ref column="bfd_config_local"/> column to specify the local
371 configurations to be used for BFD sessions on this tunnel.
374 <column name="bfd_config_local" key="bfd_dst_mac">
375 Set to an Ethernet address in the form
376 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
377 to set the MAC expected as destination for received BFD packets.
378 The default is <code>00:23:20:00:00:01</code>.
381 <column name="bfd_config_local" key="bfd_dst_ip">
382 Set to an IPv4 address to set the IP address that is expected as destination
383 for received BFD packets. The default is <code>169.254.1.0</code>.
388 <group title="BFD Remote Configuration">
390 The <ref column="bfd_config_remote"/> column is the remote
391 counterpart of the <ref column="bfd_config_local"/> column.
392 The NVC writes the key-value pairs in this column.
395 <column name="bfd_config_remote" key="bfd_dst_mac">
396 Set to an Ethernet address in the form
397 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
398 to set the destination MAC to be used for transmitted BFD packets.
399 The default is <code>00:23:20:00:00:01</code>.
402 <column name="bfd_config_remote" key="bfd_dst_ip">
403 Set to an IPv4 address to set the IP address used as destination
404 for transmitted BFD packets. The default is <code>169.254.1.1</code>.
409 <group title="BFD Parameters">
411 The NVC sets up key-value pairs in the <ref column="bfd_params"/>
412 column to enable and configure BFD.
415 <column name="bfd_params" key="enable" type='{"type": "boolean"}'>
416 True to enable BFD on this tunnel.
417 The default is False.
420 <column name="bfd_params" key="min_rx"
421 type='{"type": "integer", "minInteger": 1}'>
422 The shortest interval, in milliseconds, at which this BFD session
423 offers to receive BFD control messages. The remote endpoint may
424 choose to send messages at a slower rate. Defaults to
428 <column name="bfd_params" key="min_tx"
429 type='{"type": "integer", "minInteger": 1}'>
430 The shortest interval, in milliseconds, at which this BFD session is
431 willing to transmit BFD control messages. Messages will actually be
432 transmitted at a slower rate if the remote endpoint is not willing to
433 receive as quickly as specified. Defaults to <code>100</code>.
436 <column name="bfd_params" key="decay_min_rx" type='{"type": "integer"}'>
437 An alternate receive interval, in milliseconds, that must be greater
438 than or equal to <ref column="bfd" key="min_rx"/>. The
439 implementation switches from <ref column="bfd" key="min_rx"/> to <ref
440 column="bfd" key="decay_min_rx"/> when there is no obvious incoming
441 data traffic at the interface, to reduce the CPU and bandwidth cost
442 of monitoring an idle interface. This feature may be disabled by
443 setting a value of 0. This feature is reset whenever <ref
444 column="bfd" key="decay_min_rx"/> or <ref column="bfd" key="min_rx"/>
448 <column name="bfd_params" key="forwarding_if_rx" type='{"type": "boolean"}'>
449 True to consider the interface capable of packet I/O as long as it
450 continues to receive any packets (not just BFD packets). This
451 prevents link congestion that causes consecutive BFD control packets
452 to be lost from marking the interface down.
455 <column name="bfd_params" key="cpath_down" type='{"type": "boolean"}'>
456 Set to true to notify the remote endpoint that traffic should not be
457 forwarded to this system for some reason other than a connectivity
458 failure on the interface being monitored. The typical underlying
459 reason is ``concatenated path down,'' that is, that connectivity
460 beyond the local system is down. Defaults to false.
463 <column name="bfd_params" key="check_tnl_key" type='{"type": "boolean"}'>
464 Set to true to make BFD accept only control messages with a tunnel
465 key of zero. By default, BFD accepts control messages with any
471 <group title="BFD Status">
473 The VTEP sets key-value pairs in the <ref column="bfd_status"/>
474 column to report the status of BFD on this tunnel. When BFD is
475 not enabled, with <ref column="bfd_params" key="enable"/>, the
476 HSC clears all key-value pairs from <ref column="bfd_status"/>.
479 <column name="bfd_status" key="enabled"
480 type='{"type": "boolean"}'>
481 Set to true if the BFD session has been successfully
482 enabled. Set to false if the VTEP cannot support BFD or has
483 insufficient resources to enable BFD on this tunnel. The NVC
484 will disable the BFD monitoring on the other side of the tunnel
485 once this value is set to false.
488 <column name="bfd_status" key="state"
489 type='{"type": "string",
490 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
491 Reports the state of the BFD session. The BFD session is fully
492 healthy and negotiated if <code>UP</code>.
495 <column name="bfd_status" key="forwarding" type='{"type": "boolean"}'>
496 Reports whether the BFD session believes this tunnel
497 may be used to forward traffic. Typically this means the local session
498 is signaling <code>UP</code>, and the remote system isn't signaling a
499 problem such as concatenated path down.
502 <column name="bfd_status" key="diagnostic">
503 In case of a problem, set to an error message that reports what the
504 local BFD session thinks is wrong. The error messages are defined
505 in section 4.1 of [RFC 5880].
508 <column name="bfd_status" key="remote_state"
509 type='{"type": "string",
510 "enum": ["set", ["admin_down", "down", "init", "up"]]}'>
511 Reports the state of the remote endpoint's BFD session.
514 <column name="bfd_status" key="remote_diagnostic">
515 In case of a problem, set to an error message that reports what the
516 remote endpoint's BFD session thinks is wrong. The error messages
517 are defined in section 4.1 of [RFC 5880].
520 <column name="bfd_status" key="info">
521 A short message providing further information about the BFD status
522 (possibly including reasons why BFD could not be enabled).
528 <table name="Physical_Port" title="A port within a physical switch.">
529 A port within a <ref table="Physical_Switch"/>.
531 <column name="vlan_bindings">
532 Identifies how VLANs on the physical port are bound to logical switches.
533 If, for example, the map contains a (VLAN, logical switch) pair, a packet
534 that arrives on the port in the VLAN is considered to belong to the
535 paired logical switch. A value of zero in the VLAN field means
536 that untagged traffic on the physical port is mapped to the
540 <column name="acl_bindings">
542 Attach Access Control Lists (ACLs) to the physical port. The
543 column consists of a map of VLAN tags to <ref table="ACL"/>s. If the value of
544 the VLAN tag in the map is 0, this means that the ACL is
545 associated with the entire physical port. Non-zero values mean
546 that the ACL is to be applied only on packets carrying that VLAN
547 tag value. Switches will not necessarily support matching on the
548 VLAN tag for all ACLs, and unsupported ACL bindings will cause
549 errors to be reported. The binding of an ACL to a specific
550 VLAN and the binding of an ACL to the entire physical port
551 should not be combined on a single physical port. That is, a
552 mix of zero and non-zero keys in the map is not recommended.
556 <column name="vlan_stats">
557 Statistics for VLANs bound to logical switches on the physical port. An
558 implementation that fully supports such statistics would populate this
559 column with a mapping for every VLAN that is bound in <ref
560 column="vlan_bindings"/>. An implementation that does not support such
561 statistics or only partially supports them would not populate this column
562 or partially populate it, respectively. A value of zero in the
563 VLAN field refers to untagged traffic on the physical port.
566 <group title="Identification">
568 Symbolic name for the port. The name ought to be unique within a given
569 <ref table="Physical_Switch"/>, but the database is not capable of
573 <column name="description">
574 An extended description for the port.
577 <group title="Error Notification">
579 An entry in this column indicates to the NVC that the physical port has
580 encountered a fault. The switch must clear this column when the error
583 <column name="port_fault_status" key="invalid_vlan_map">
585 Indicates that a VLAN-to-logical-switch mapping requested by
586 the controller could not be instantiated by the switch
587 because of a conflict with local configuration.
590 <column name="port_fault_status" key="invalid_ACL_binding">
592 Indicates that an error has occurred in associating an ACL
596 <column name="port_fault_status" key="unspecified_fault">
598 Indicates that an error has occurred on the port but that no
599 more specific information is available.
606 <table name="Logical_Binding_Stats" title="Statistics for a VLAN on a physical port bound to a logical network.">
607 Reports statistics for the <ref table="Logical_Switch"/> with which a VLAN
608 on a <ref table="Physical_Port"/> is associated.
610 <group title="Statistics">
611 These statistics count only packets to which the binding applies.
613 <column name="packets_from_local">
614 Number of packets sent by the <ref table="Physical_Switch"/>.
617 <column name="bytes_from_local">
618 Number of bytes in packets sent by the <ref table="Physical_Switch"/>.
621 <column name="packets_to_local">
622 Number of packets received by the <ref table="Physical_Switch"/>.
625 <column name="bytes_to_local">
626 Number of bytes in packets received by the <ref
627 table="Physical_Switch"/>.
632 <table name="Logical_Switch" title="A layer-2 domain.">
633 A logical Ethernet switch, whose implementation may span physical and
634 virtual media, possibly crossing L3 domains via tunnels; a logical layer-2
635 domain; an Ethernet broadcast domain.
639 <group title="Per Logical-Switch Tunnel Key">
641 Tunnel protocols tend to have a field that allows the tunnel
642 to be partitioned into sub-tunnels: VXLAN has a VNI, GRE and
643 STT have a key, CAPWAP has a WSI, and so on. We call these
644 generically ``tunnel keys.'' Given that one needs to use a
645 tunnel key at all, there are at least two reasonable ways to
652 Per <ref table="Logical_Switch"/>+<ref table="Physical_Locator"/>
653 pair. That is, each logical switch may be assigned a different
654 tunnel key on every <ref table="Physical_Locator"/>. This model is
659 In this model, <ref table="Physical_Locator"/> carries the tunnel
660 key. Therefore, one <ref table="Physical_Locator"/> record will
661 exist for each logical switch carried at a given IP destination.
667 Per <ref table="Logical_Switch"/>. That is, every tunnel
668 associated with a particular logical switch carries the same tunnel
669 key, regardless of the <ref table="Physical_Locator"/> to which the
670 tunnel is addressed. This model may ease switch implementation
671 because it imposes fewer requirements on the hardware datapath.
675 In this model, <ref table="Logical_Switch"/> carries the tunnel
676 key. Therefore, one <ref table="Physical_Locator"/> record will
677 exist for each IP destination.
682 <column name="tunnel_key">
684 This column is used only in the tunnel key per <ref
685 table="Logical_Switch"/> model (see above), because only in that
686 model is there a tunnel key associated with a logical switch.
690 For <code>vxlan_over_ipv4</code> encapsulation, this column
691 is the VXLAN VNI that identifies a logical switch. It must
692 be in the range 0 to 16,777,215.
697 <group title="Identification">
699 Symbolic name for the logical switch.
702 <column name="description">
703 An extended description for the logical switch, such as its switch
709 <table name="Ucast_Macs_Local" title="Unicast MACs (local)">
711 Mapping of unicast MAC addresses to tunnels (physical
712 locators). This table is written by the HSC, so it contains the
713 MAC addresses that have been learned on physical ports by a
718 A MAC address that has been learned by the VTEP.
721 <column name="logical_switch">
722 The Logical switch to which this mapping applies.
725 <column name="locator">
726 The physical locator to be used to reach this MAC address. In
727 this table, the physical locator will be one of the tunnel IP
728 addresses of the appropriate VTEP.
731 <column name="ipaddr">
732 The IP address to which this MAC corresponds. Optional field for
733 the purpose of ARP supression.
738 <table name="Ucast_Macs_Remote" title="Unicast MACs (remote)">
740 Mapping of unicast MAC addresses to tunnels (physical
741 locators). This table is written by the NVC, so it contains the
742 MAC addresses that the NVC has learned. These include VM MAC
743 addresses, in which case the physical locators will be
744 hypervisor IP addresses. The NVC will also report MACs that it
745 has learned from other HSCs in the network, in which case the
746 physical locators will be tunnel IP addresses of the
751 A MAC address that has been learned by the NVC.
754 <column name="logical_switch">
755 The Logical switch to which this mapping applies.
758 <column name="locator">
759 The physical locator to be used to reach this MAC address. In
760 this table, the physical locator will be either a hypervisor IP
761 address or a tunnel IP addresses of another VTEP.
764 <column name="ipaddr">
765 The IP address to which this MAC corresponds. Optional field for
766 the purpose of ARP supression.
771 <table name="Mcast_Macs_Local" title="Multicast MACs (local)">
773 Mapping of multicast MAC addresses to tunnels (physical
774 locators). This table is written by the HSC, so it contains the
775 MAC addresses that have been learned on physical ports by a
776 VTEP. These may be learned by IGMP snooping, for example. This
777 table also specifies how to handle unknown unicast and broadcast packets.
782 A MAC address that has been learned by the VTEP.
785 The keyword <code>unknown-dst</code> is used as a special
786 ``Ethernet address'' that indicates the locations to which
787 packets in a logical switch whose destination addresses do not
788 otherwise appear in <ref table="Ucast_Macs_Local"/> (for
789 unicast addresses) or <ref table="Mcast_Macs_Local"/> (for
790 multicast addresses) should be sent.
794 <column name="logical_switch">
795 The Logical switch to which this mapping applies.
798 <column name="locator_set">
799 The physical locator set to be used to reach this MAC address. In
800 this table, the physical locator set will be contain one or more tunnel IP
801 addresses of the appropriate VTEP(s).
804 <column name="ipaddr">
805 The IP address to which this MAC corresponds. Optional field for
806 the purpose of ARP supression.
810 <table name="Mcast_Macs_Remote" title="Multicast MACs (remote)">
812 Mapping of multicast MAC addresses to tunnels (physical
813 locators). This table is written by the NVC, so it contains the
814 MAC addresses that the NVC has learned. This
815 table also specifies how to handle unknown unicast and broadcast
819 Multicast packet replication may be handled by a service node,
820 in which case the physical locators will be IP addresses of
821 service nodes. If the VTEP supports replication onto multiple
822 tunnels, then this may be used to replicate directly onto
823 VTEP-hypervisor tunnels.
828 A MAC address that has been learned by the NVC.
831 The keyword <code>unknown-dst</code> is used as a special
832 ``Ethernet address'' that indicates the locations to which
833 packets in a logical switch whose destination addresses do not
834 otherwise appear in <ref table="Ucast_Macs_Remote"/> (for
835 unicast addresses) or <ref table="Mcast_Macs_Remote"/> (for
836 multicast addresses) should be sent.
840 <column name="logical_switch">
841 The Logical switch to which this mapping applies.
844 <column name="locator_set">
845 The physical locator set to be used to reach this MAC address. In
846 this table, the physical locator set will be either a service node IP
847 address or a set of tunnel IP addresses of hypervisors (and
848 potentially other VTEPs).
851 <column name="ipaddr">
852 The IP address to which this MAC corresponds. Optional field for
853 the purpose of ARP supression.
858 <table name="Logical_Router" title="A logical L3 router.">
860 A logical router, or VRF. A logical router may be connected to one or more
861 logical switches. Subnet addresses and interface addresses may be configured on the
865 <column name="switch_binding">
866 Maps from an IPv4 or IPv6 address prefix in CIDR notation to a
867 logical switch. Multiple prefixes may map to the same switch. By
868 writing a 32-bit (or 128-bit for v6) address with a /N prefix
869 length, both the router's interface address and the subnet
870 prefix can be configured. For example, 192.68.1.1/24 creates a
871 /24 subnet for the logical switch attached to the interface and
872 assigns the address 192.68.1.1 to the router interface.
875 <column name="static_routes">
876 One or more static routes, mapping IP prefixes to next hop IP addresses.
879 <column name="acl_binding">
880 Maps ACLs to logical router interfaces. The router interfaces
881 are indicated using IP address notation, and must be the same
882 interfaces created in the <ref column="switch_binding"/>
883 column. For example, an ACL could be associated with the logical
884 router interface with an address of 192.68.1.1 as defined in the
888 <group title="Identification">
890 Symbolic name for the logical router.
893 <column name="description">
894 An extended description for the logical router.
898 <group title="Error Notification">
900 An entry in this column indicates to the NVC that the HSC has
901 encountered a fault in configuring state related to the
904 <column name="LR_fault_status" key="invalid_ACL_binding">
906 Indicates that an error has occurred in associating an ACL
907 with a logical router port.
910 <column name="LR_fault_status" key="unspecified_fault">
912 Indicates that an error has occurred in configuring the
913 logical router but that no
914 more specific information is available.
921 <table name="Arp_Sources_Local" title="ARP source addresses for logical routers">
923 MAC address to be used when a VTEP issues ARP requests on behalf
928 A distributed logical router is implemented by a set of VTEPs
929 (both hardware VTEPs and vswitches). In order for a given VTEP
930 to populate the local ARP cache for a logical router, it issues
931 ARP requests with a source MAC address that is unique to the VTEP. A
932 single per-VTEP MAC can be re-used across all logical
933 networks. This table contains the MACs that are used by the
934 VTEPs of a given HSC. The table provides the mapping from MAC to
935 physical locator for each VTEP so that replies to the ARP
936 requests can be sent back to the correct VTEP using the
937 appropriate physical locator.
940 <column name="src_mac">
941 The source MAC to be used by a given VTEP.
944 <column name="locator">
945 The <ref table="Physical_Locator"/> to use for replies to ARP
946 requests from this MAC address.
950 <table name="Arp_Sources_Remote" title="ARP source addresses for logical routers">
952 MAC address to be used when a remote VTEP issues ARP requests on behalf
957 This table is the remote counterpart of <ref
958 table="Arp_sources_local"/>. The NVC writes this table to notify
959 the HSC of the MACs that will be used by remote VTEPs when they
960 issue ARP requests on behalf of a distributed logical router.
963 <column name="src_mac">
964 The source MAC to be used by a given VTEP.
967 <column name="locator">
968 The <ref table="Physical_Locator"/> to use for replies to ARP
969 requests from this MAC address.
973 <table name="Physical_Locator_Set">
975 A set of one or more <ref table="Physical_Locator"/>s.
979 This table exists only because OVSDB does not have a way to
980 express the type ``map from string to one or more <ref
981 table="Physical_Locator"/> records.''
984 <column name="locators"/>
987 <table name="Physical_Locator">
989 Identifies an endpoint to which logical switch traffic may be
990 encapsulated and forwarded.
994 For the <code>vxlan_over_ipv4</code> encapsulation, the only
995 encapsulation defined so far, all endpoints associated with a given <ref
996 table="Logical_Switch"/> must use a common tunnel key, which is carried
997 in the <ref table="Logical_Switch" column="tunnel_key"/> column of <ref
998 table="Logical_Switch"/>.
1002 For some encapsulations yet to be defined, we expect <ref
1003 table="Physical_Locator"/> to identify both an endpoint and a tunnel key.
1004 When the first such encapsulation is defined, we expect to add a
1005 ``tunnel_key'' column to <ref table="Physical_Locator"/> to allow the
1006 tunnel key to be defined.
1010 See the ``Per Logical-Switch Tunnel Key'' section in the <ref
1011 table="Logical_Switch"/> table for further discussion of the model.
1014 <column name="encapsulation_type">
1015 The type of tunneling encapsulation.
1018 <column name="dst_ip">
1020 For <code>vxlan_over_ipv4</code> encapsulation, the IPv4 address of the
1021 VXLAN tunnel endpoint.
1025 We expect that this column could be used for IPv4 or IPv6 addresses in
1026 encapsulations to be introduced later.
1031 <table name="ACL_entry">
1033 Describes the individual entries that comprise an Access Control List.
1036 Each entry in the table is a single rule to match on certain
1037 header fields. While there are a large number of fields that can
1038 be matched on, most hardware cannot match on arbitrary
1039 combinations of fields. It is common to match on either L2
1040 fields (described below in the L2 group of columns) or L3/L4 fields
1041 (the L3/L4 group of columns) but not both. The hardware switch
1042 controller may log an error if an ACL entry requires it to match
1043 on an incompatible mixture of fields.
1045 <column name="sequence">
1047 The sequence number for the ACL entry for the purpose of
1048 ordering entries in an ACL. Lower numbered entries are matched
1049 before higher numbered entries.
1052 <group title="L2 fields">
1053 <column name="source_mac">
1055 Source MAC address, in the form
1056 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1059 <column name="dest_mac">
1061 Destination MAC address, in the form
1062 <var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>:<var>xx</var>
1065 <column name="ethertype">
1067 Ethertype in hexadecimal, in the form
1072 <group title="L3/L4 fields">
1073 <column name="source_ip">
1075 Source IP address, in the form
1076 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1077 colon-separated hexadecimal notation for IPv6.
1080 <column name="source_mask">
1082 Mask that determines which bits of source_ip to match on, in the form
1083 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1084 colon-separated hexadecimal notation for IPv6.
1087 <column name="dest_ip">
1089 Destination IP address, in the form
1090 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1091 colon-separated hexadecimal notation for IPv6.
1094 <column name="dest_mask">
1096 Mask that determines which bits of dest_ip to match on, in the form
1097 <var>xx.xx.xx.xx</var> for IPv4 or appropriate
1098 colon-separated hexadecimal notation for IPv6.
1101 <column name="protocol">
1103 Protocol number in the IPv4 header, or value of the "next
1104 header" field in the IPv6 header.
1107 <column name="source_port_min">
1109 Lower end of the range of source port values. The value
1110 specified is included in the range.
1113 <column name="source_port_max">
1115 Upper end of the range of source port values. The value
1116 specified is included in the range.
1119 <column name="dest_port_min">
1121 Lower end of the range of destination port values. The value
1122 specified is included in the range.
1125 <column name="dest_port_max">
1127 Upper end of the range of destination port values. The value
1128 specified is included in the range.
1131 <column name="tcp_flags">
1133 Integer representing the value of TCP flags to match. For
1134 example, the SYN flag is the second least significant bit in
1135 the TCP flags. Hence a value of 2 would indicate that the "SYN"
1136 flag should be set (assuming an appropriate mask).
1139 <column name="tcp_flags_mask">
1141 Integer representing the mask to apply when matching TCP
1142 flags. For example, a value of 2 would imply that the "SYN"
1143 flag should be matched and all other flags ignored.
1146 <column name="icmp_type">
1148 ICMP type to be matched.
1151 <column name="icmp_code">
1153 ICMP code to be matched.
1157 <column name="direction">
1159 Direction of traffic to match on the specified port, either
1160 "ingress" (toward the logical switch or router) or "egress"
1161 (leaving the logical switch or router).
1164 <column name="action">
1166 Action to take for this rule, either "permit" or "deny".
1169 <group title="Error Notification">
1171 An entry in this column indicates to the NVC that the ACL
1172 could not be configured as requested. The switch must clear this column when the error
1175 <column name="acle_fault_status" key="invalid_acl_entry">
1177 Indicates that an ACL entry requested by
1178 the controller could not be instantiated by the switch,
1179 e.g. because it requires an unsupported combination of
1180 fields to be matched.
1183 <column name="acle_fault_status" key="unspecified_fault">
1185 Indicates that an error has occurred in configuring the ACL
1187 more specific information is available.
1194 Access Control List table. Each ACL is constructed as a set of
1195 entries from the <ref table="ACL_entry"/> table. Packets that
1196 are not matched by any entry in the ACL are allowed by default.
1198 <column name="acl_entries">
1200 A set of references to entries in the <ref table="ACL_entry"/> table.
1203 <column name="acl_name">
1205 A human readable name for the ACL, which may (for example) be displayed on
1209 <group title="Error Notification">
1211 An entry in this column indicates to the NVC that the ACL
1212 could not be configured as requested. The switch must clear this column when the error
1215 <column name="acl_fault_status" key="invalid_acl">
1217 Indicates that an ACL requested by
1218 the controller could not be instantiated by the switch,
1219 e.g., because it requires an unsupported combination of
1220 fields to be matched.
1223 <column name="acl_fault_status" key="resource_shortage">
1225 Indicates that an ACL requested by
1226 the controller could not be instantiated by the switch due
1227 to a shortage of resources (e.g. TCAM space).
1230 <column name="acl_fault_status" key="unspecified_fault">
1232 Indicates that an error has occurred in configuring the ACL
1234 more specific information is available.
projects / cascardo / ovs.git / blob