Quality of Service (QoS) configuration for each Port that
- references it.
+
- Key-value pairs for use by external frameworks that integrate with Open
- vSwitch, rather than by Open vSwitch itself. System integrators should
- either use the Open vSwitch development mailing list to coordinate on
- common key-value definitions, or choose key names that are likely to be
- unique. No common key-value pairs are currently defined.
+
+
+ Only gre
and ipsec_gre
interfaces support
+ these options.
+
+
+
+
+ Optional. Compute GRE checksums on outgoing packets. Default is
+ disabled, set to true
to enable. Checksums present on
+ incoming packets will be validated regardless of this setting.
+
+
+
+ GRE checksums impose a significant performance penalty because they
+ cover the entire packet. The encapsulated L3, L4, and L7 packet
+ contents typically have their own checksums, so this additional
+ checksum only adds value for the GRE and encapsulated L2 headers.
+
+
+
+ This option is supported for ipsec_gre
, but not useful
+ because GRE checksums are weaker than, and redundant with, IPsec
+ payload authentication.
+
+
+
+
+
+
+ Only ipsec_gre
interfaces support these options.
+
+
+
+ Required for certificate authentication. A string containing the
+ peer's certificate in PEM format. Additionally the host's
+ certificate must be specified with the certificate
+ option.
+
+
+
+ Required for certificate authentication. The name of a PEM file
+ containing a certificate that will be presented to the peer during
+ authentication.
+
+
+
+ Optional for certificate authentication. The name of a PEM file
+ containing the private key associated with certificate
.
+ If certificate
contains the private key, this option may
+ be omitted.
+
+
+
+ Required for pre-shared key authentication. Specifies a pre-shared
+ key for authentication that must be identical on both sides of the
+ tunnel.
+
+
+
+
+
+
+ Only patch
interfaces support these options.
+
+
+
+ The of the for the other
+ side of the patch. The named 's own
+ peer
option must specify this 's
+ name. That is, the two patch interfaces must have reversed and peer
values.
+
+
+
+
+
+ Status information about interfaces attached to bridges, updated every
+ 5 seconds. Not all interfaces have all of these properties; virtual
+ interfaces don't have a link speed, for example. Non-applicable
+ columns will have empty values.
+
+
+
+ The administrative state of the physical network link.
+
+
+
+
+
+ The observed state of the physical network link. This is ordinarily
+ the link's carrier status. If the interface's is
+ a bond configured for miimon monitoring, it is instead the network
+ link's miimon status.
+
+
+
+
+
+ The number of times Open vSwitch has observed the
+ of this change.
+
+
+
+
+
+ The negotiated speed of the physical network link.
+ Valid values are positive integers greater than 0.
+
+
+
+
+
+ The duplex mode of the physical network link.
+
+
+
+
+
+ The MTU (maximum transmission unit); i.e. the largest
+ amount of data that can fit into a single Ethernet frame.
+ The standard Ethernet MTU is 1500 bytes. Some physical media
+ and many kinds of virtual interfaces can be configured with
+ higher MTUs.
+
+
+ This column will be empty for an interface that does not
+ have an MTU as, for example, some kinds of tunnels do not.
+
+
+
+
+ Boolean value indicating LACP status for this interface. If true, this
+ interface has current LACP information about its LACP partner. This
+ information may be used to monitor the health of interfaces in a LACP
+ enabled port. This column will be empty if LACP is not enabled.
+
+
+
+ Key-value pairs that report port status. Supported status values are
+ -dependent; some interfaces may not have a valid
+ , for example.
+
+
+
+ The name of the device driver controlling the network adapter.
+
+
+
+ The version string of the device driver controlling the network
+ adapter.
+
+
+
+ The version string of the network adapter's firmware, if available.
+
+
+
+ The source IP address used for an IPv4 tunnel end-point, such as
+ gre
.
+
+
+
+ Egress interface for tunnels. Currently only relevant for GRE tunnels
+ On Linux systems, this column will show the name of the interface
+ which is responsible for routing traffic destined for the configured
+ . This could be an internal
+ interface such as a bridge port.
+
+
+
+ Whether carrier is detected on .
+
+
+
+
+
+ Key-value pairs that report interface statistics. The current
+ implementation updates these counters periodically. Future
+ implementations may update them when an interface is created, when they
+ are queried (e.g. using an OVSDB select
operation), and
+ just before an interface is deleted due to virtual interface hot-unplug
+ or VM shutdown, and perhaps at other times, but not on any regular
+ periodic basis.
+
+
+ These are the same statistics reported by OpenFlow in its struct
+ ofp_port_stats
structure. If an interface does not support a
+ given statistic, then that pair is omitted.
+
+
+
+ Number of received packets.
+
+
+ Number of received bytes.
+
+
+ Number of transmitted packets.
+
+
+ Number of transmitted bytes.
+
+
+
+
+ Number of packets dropped by RX.
+
+
+ Number of frame alignment errors.
+
+
+ Number of packets with RX overrun.
+
+
+ Number of CRC errors.
+
+
+ Total number of receive errors, greater than or equal to the sum of
+ the above.
+
+
+
+
+ Number of packets dropped by TX.
+
+
+ Number of collisions.
+
+
+ Total number of transmit errors, greater than or equal to the sum of
+ the above.
+
+
+
+
+
+
+ These settings control ingress policing for packets received on this
+ interface. On a physical interface, this limits the rate at which
+ traffic is allowed into the system from the outside; on a virtual
+ interface (one connected to a virtual machine), this limits the rate at
+ which the VM is able to transmit.
+
+
+ Policing is a simple form of quality-of-service that simply drops
+ packets received in excess of the configured rate. Due to its
+ simplicity, policing is usually less accurate and less effective than
+ egress QoS (which is configured using the and tables).
+
+
+ Policing is currently implemented only on Linux. The Linux
+ implementation uses a simple ``token bucket'' approach:
+
+
+ -
+ The size of the bucket corresponds to
. Initially the bucket is full.
+
+ -
+ Whenever a packet is received, its size (converted to tokens) is
+ compared to the number of tokens currently in the bucket. If the
+ required number of tokens are available, they are removed and the
+ packet is forwarded. Otherwise, the packet is dropped.
+
+ -
+ Whenever it is not full, the bucket is refilled with tokens at the
+ rate specified by
.
+
+
+
+ Policing interacts badly with some network protocols, and especially
+ with fragmented IP packets. Suppose that there is enough network
+ activity to keep the bucket nearly empty all the time. Then this token
+ bucket algorithm will forward a single packet every so often, with the
+ period depending on packet size and on the configured rate. All of the
+ fragments of an IP packets are normally transmitted back-to-back, as a
+ group. In such a situation, therefore, only one of these fragments
+ will be forwarded and the rest will be dropped. IP does not provide
+ any way for the intended recipient to ask for only the remaining
+ fragments. In such a case there are two likely possibilities for what
+ will happen next: either all of the fragments will eventually be
+ retransmitted (as TCP will do), in which case the same problem will
+ recur, or the sender will not realize that its packet has been dropped
+ and data will simply be lost (as some UDP-based protocols will do).
+ Either way, it is possible that no forward progress will ever occur.
+
+
+
+ Maximum rate for data received on this interface, in kbps. Data
+ received faster than this rate is dropped. Set to 0
+ (the default) to disable policing.
+
+
+
+
+ Maximum burst size for data received on this interface, in kb. The
+ default burst size if set to 0
is 1000 kb. This value
+ has no effect if
+ is 0
.
+
+ Specifying a larger burst size lets the algorithm be more forgiving,
+ which is important for protocols like TCP that react severely to
+ dropped packets. The burst size should be at least the size of the
+ interface's MTU. Specifying a value that is numerically at least as
+ large as 10% of helps TCP come
+ closer to achieving the full rate.
+
+
+
+
+
+
+ BFD, defined in RFC 5880 and RFC 5881, allows point-to-point
+ detection of connectivity failures by occasional transmission of
+ BFD control messages. Open vSwitch implements BFD to serve
+ as a more popular and standards compliant alternative to CFM.
+
+
+
+ BFD operates by regularly transmitting BFD control messages at a rate
+ negotiated independently in each direction. Each endpoint specifies
+ the rate at which it expects to receive control messages, and the rate
+ at which it is willing to transmit them. Open vSwitch uses a detection
+ multiplier of three, meaning that an endpoint signals a connectivity
+ fault if three consecutive BFD control messages fail to arrive. In the
+ case of a unidirectional connectivity issue, the system not receiving
+ BFD control messages signals the problem to its peer in the messages it
+ transmits.
+
+
+
+ The Open vSwitch implementation of BFD aims to comply faithfully
+ with RFC 5880 requirements. Open vSwitch does not implement the
+ optional Authentication or ``Echo Mode'' features.
+
+
+
+
+ A controller sets up key-value pairs in the
+ column to enable and configure BFD.
+
+
+
+ True to enable BFD on this .
+
+
+
+ The shortest interval, in milliseconds, at which this BFD session
+ offers to receive BFD control messages. The remote endpoint may
+ choose to send messages at a slower rate. Defaults to
+ 1000
.
+
+
+
+ The shortest interval, in milliseconds, at which this BFD session is
+ willing to transmit BFD control messages. Messages will actually be
+ transmitted at a slower rate if the remote endpoint is not willing to
+ receive as quickly as specified. Defaults to 100
.
+
+
+
+ An alternate receive interval, in milliseconds, that must be greater
+ than or equal to . The
+ implementation switches from to when there is no obvious incoming
+ data traffic at the interface, to reduce the CPU and bandwidth cost
+ of monitoring an idle interface. This feature may be disabled by
+ setting a value of 0. This feature is reset whenever or
+ changes.
+
+
+
+ True to consider the interface capable of packet I/O as long as it
+ continues to receive any packets (not just BFD packets). This
+ prevents link congestion that causes consecutive BFD control packets
+ to be lost from marking the interface down.
+
+
+
+ Set to true to notify the remote endpoint that traffic should not be
+ forwarded to this system for some reason other than a connectivty
+ failure on the interface being monitored. The typical underlying
+ reason is ``concatenated path down,'' that is, that connectivity
+ beyond the local system is down. Defaults to false.
+
+
+
+ Set to true to make BFD accept only control messages with a tunnel
+ key of zero. By default, BFD accepts control messages with any
+ tunnel key.
+
+
+
+ Set to an Ethernet address in the form
+ xx:xx:xx:xx:xx:xx
+ to set the MAC used as destination for transmitted BFD packets and
+ expected as destination for received BFD packets. The default is
+ 00:23:20:00:00:01
.
+
+
+
+
+
+ The switch sets key-value pairs in the
+ column to report the status of BFD on this interface. When BFD is
+ not enabled, with , the switch clears
+ all key-value pairs from .
+
+
+
+ Reports the state of the BFD session. The BFD session is fully
+ healthy and negotiated if UP
.
+
+
+
+ Reports whether the BFD session believes this may be used to forward traffic. Typically this
+ means the local session is signaling UP
, and the remote
+ system isn't signaling a problem such as concatenated path down.
+
+
+
+ In case of a problem, set to a short message that reports what the
+ local BFD session thinks is wrong.
+
+
+
+ Reports the state of the remote endpoint's BFD session.
+
+
+
+ In case of a problem, set to a short message that reports what the
+ remote endpoint's BFD session thinks is wrong.
+
+
+
+
+
+
+ 802.1ag Connectivity Fault Management (CFM) allows a group of
+ Maintenance Points (MPs) called a Maintenance Association (MA) to
+ detect connectivity problems with each other. MPs within a MA should
+ have complete and exclusive interconnectivity. This is verified by
+ occasionally broadcasting Continuity Check Messages (CCMs) at a
+ configurable transmission interval.
+
+
+
+ According to the 802.1ag specification, each Maintenance Point should
+ be configured out-of-band with a list of Remote Maintenance Points it
+ should have connectivity to. Open vSwitch differs from the
+ specification in this area. It simply assumes the link is faulted if
+ no Remote Maintenance Points are reachable, and considers it not
+ faulted otherwise.
+
+
+
+ When operating over tunnels which have no in_key
, or an
+ in_key
of flow
. CFM will only accept CCMs
+ with a tunnel key of zero.
+
+
+
+ A Maintenance Point ID (MPID) uniquely identifies each endpoint within
+ a Maintenance Association. The MPID is used to identify this endpoint
+ to other Maintenance Points in the MA. Each end of a link being
+ monitored should have a different MPID. Must be configured to enable
+ CFM on this .
+
+
+
+ Counts the number of cfm fault flapps since boot. A flap is
+ considered to be a change of the value.
+
+
+
+
+ Indicates a connectivity fault triggered by an inability to receive
+ heartbeats from any remote endpoint. When a fault is triggered on
+ s participating in bonds, they will be
+ disabled.
+
+
+ Faults can be triggered for several reasons. Most importantly they
+ are triggered when no CCMs are received for a period of 3.5 times the
+ transmission interval. Faults are also triggered when any CCMs
+ indicate that a Remote Maintenance Point is not receiving CCMs but
+ able to send them. Finally, a fault is triggered if a CCM is
+ received which indicates unexpected configuration. Notably, this
+ case arises when a CCM is received which advertises the local MPID.
+
+
+
+
+ Indicates a CFM fault was triggered due to a lack of CCMs received on
+ the .
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM with
+ the RDI bit flagged. Endpoints set the RDI bit in their CCMs when they
+ are not receiving CCMs themselves. This typically indicates a
+ unidirectional connectivity failure.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM with
+ a MAID other than the one Open vSwitch uses. CFM broadcasts are tagged
+ with an identification number in addition to the MPID called the MAID.
+ Open vSwitch only supports receiving CCM broadcasts tagged with the
+ MAID it uses internally.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM
+ advertising the same MPID configured in the
+ column of this . This may indicate a loop in
+ the network.
+
+
+
+ Indicates a CFM fault was triggered because the CFM module received
+ CCMs from more remote endpoints than it can keep track of.
+
+
+
+ Indicates a CFM fault was manually triggered by an administrator using
+ an ovs-appctl
command.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM
+ frame having an invalid interval.
+
+
+
+ When in extended mode, indicates the operational state of the
+ remote endpoint as either up
or down
. See
+ .
+
+
+
+
+
+ Indicates the health of the interface as a percentage of CCM frames
+ received over 21 s.
+ The health of an interface is undefined if it is communicating with
+ more than one . It reduces if
+ healthy heartbeats are not received at the expected rate, and
+ gradually improves as healthy heartbeats are received at the desired
+ rate. Every 21 s, the
+ health of the interface is refreshed.
+
+
+ As mentioned above, the faults can be triggered for several reasons.
+ The link health will deteriorate even if heartbeats are received but
+ they are reported to be unhealthy. An unhealthy heartbeat in this
+ context is a heartbeat for which either some fault is set or is out
+ of sequence. The interface health can be 100 only on receiving
+ healthy heartbeats at the desired rate.
+
+
+
+
+ When CFM is properly configured, Open vSwitch will occasionally
+ receive CCM broadcasts. These broadcasts contain the MPID of the
+ sending Maintenance Point. The list of MPIDs from which this
+ is receiving broadcasts from is regularly
+ collected and written to this column.
+
+
+
+
+ The interval, in milliseconds, between transmissions of CFM
+ heartbeats. Three missed heartbeat receptions indicate a
+ connectivity fault.
+
+
+
+ In standard operation only intervals of 3, 10, 100, 1,000, 10,000,
+ 60,000, or 600,000 ms are supported. Other values will be rounded
+ down to the nearest value on the list. Extended mode (see ) supports any interval up
+ to 65,535 ms. In either mode, the default is 1000 ms.
+
+
+ We do not recommend using intervals less than 100 ms.
+
+
+
+ When true
, the CFM module operates in extended mode. This
+ causes it to use a nonstandard destination address to avoid conflicting
+ with compliant implementations which may be running concurrently on the
+ network. Furthermore, extended mode increases the accuracy of the
+ cfm_interval
configuration parameter by breaking wire
+ compatibility with 802.1ag compliant implementations. Defaults to
+ false
.
+
+
+
+
+ When true
, and
+ is true, the CFM
+ module operates in demand mode. When in demand mode, traffic
+ received on the is used to indicate
+ liveness. CCMs are still transmitted and received, but if the
+ is receiving traffic, their absence does not
+ cause a connectivity fault.
+
+
+
+ Demand mode has a couple of caveats:
+
+ -
+ To ensure that ovs-vswitchd has enough time to pull statistics
+ from the datapath, the fault detection interval is set to
+ 3.5 * MAX(
, 500)
+ ms.
+
+
+ -
+ To avoid ambiguity, demand mode disables itself when there are
+ multiple remote maintenance points.
+
+
+ -
+ If the
is heavily congested, CCMs
+ containing the
+ status may be dropped causing changes in the operational state to
+ be delayed. Similarly, if CCMs containing the RDI bit are not
+ received, unidirectional link failures may not be detected.
+
+
+
+
+
+
+ When down
, the CFM module marks all CCMs it generates as
+ operationally down without triggering a fault. This allows remote
+ maintenance points to choose not to forward traffic to the
+ on which this CFM module is running.
+ Currently, in Open vSwitch, the opdown bit of CCMs affects
+ s participating in bonds, and the bundle
+ OpenFlow action. This setting is ignored when CFM is not in extended
+ mode. Defaults to up
.
+
+
+
+ When set, the CFM module will apply a VLAN tag to all CCMs it generates
+ with the given value. May be the string random
in which
+ case each CCM will be tagged with a different randomly generated VLAN.
+
+
+
+ When set, the CFM module will apply a VLAN tag to all CCMs it generates
+ with the given PCP value, the VLAN ID of the tag is governed by the
+ value of . If
+ is unset, a VLAN ID of
+ zero is used.
+
+
+
+
+
+
+ The LACP port ID of this . Port IDs are
+ used in LACP negotiations to identify individual ports
+ participating in a bond.
+
+
+
+ The LACP port priority of this . In LACP
+ negotiations s with numerically lower
+ priorities are preferred for aggregation.
+
+
+
+ The LACP aggregation key of this . s with different aggregation keys may not be active
+ within a given at the same time.
+
+
+
+
+
+ These key-value pairs specifically apply to an interface that
+ represents a virtual Ethernet interface connected to a virtual
+ machine. These key-value pairs should not be present for other types
+ of interfaces. Keys whose names end in -uuid
have
+ values that uniquely identify the entity in question. For a Citrix
+ XenServer hypervisor, these values are UUIDs in RFC 4122 format.
+ Other hypervisors may use other formats.
+
+
+
+ The MAC address programmed into the ``virtual hardware'' for this
+ interface, in the form
+ xx:xx:xx:xx:xx:xx.
+ For Citrix XenServer, this is the value of the MAC
field
+ in the VIF record for this interface.
+
+
+
+ A system-unique identifier for the interface. On XenServer, this will
+ commonly be the same as .
+
+
+
+
+ Hypervisors may sometimes have more than one interface associated
+ with a given , only one of
+ which is actually in use at a given time. For example, in some
+ circumstances XenServer has both a ``tap'' and a ``vif'' interface
+ for a single , but only
+ uses one of them at a time. A hypervisor that behaves this way must
+ mark the currently in use interface active
and the
+ others inactive
. A hypervisor that never has more than
+ one interface for a given
+ may mark that interface active
or omit entirely.
+
+
+
+ During VM migration, a given might transiently be marked active
on
+ two different hypervisors. That is, active
means that
+ this is the active
+ instance within a single hypervisor, not in a broader scope.
+ There is one exception: some hypervisors support ``migration'' from a
+ given hypervisor to itself (most often for test purposes). During
+ such a ``migration,'' two instances of a single might both be briefly marked
+ active
on a single hypervisor.
+
+
+
+
+ The virtual interface associated with this interface.
+
+
+
+ The virtual network to which this interface is attached.
+
+
+
+ The VM to which this interface belongs. On XenServer, this will be the
+ same as .
+
+
+
+ The VM to which this interface belongs.
+
+
+
+
+
+ The ``VLAN splinters'' feature increases Open vSwitch compatibility
+ with buggy network drivers in old versions of Linux that do not
+ properly support VLANs when VLAN devices are not used, at some cost
+ in memory and performance.
+
+
+
+ When VLAN splinters are enabled on a particular interface, Open vSwitch
+ creates a VLAN device for each in-use VLAN. For sending traffic tagged
+ with a VLAN on the interface, it substitutes the VLAN device. Traffic
+ received on the VLAN device is treated as if it had been received on
+ the interface on the particular VLAN.
+
+
+
+ VLAN splinters consider a VLAN to be in use if:
+
+
+
+ -
+ The VLAN is the
value in any record.
+
+
+ -
+ The VLAN is listed within the
+ column of the record of an interface on which
+ VLAN splinters are enabled.
+
+ An empty does not influence the
+ in-use VLANs: creating 4,096 VLAN devices is impractical because it
+ will exceed the current 1,024 port per datapath limit.
+
+
+ -
+ An OpenFlow flow within any bridge matches the VLAN.
+
+
+
+
+ The same set of in-use VLANs applies to every interface on which VLAN
+ splinters are enabled. That is, the set is not chosen separately for
+ each interface but selected once as the union of all in-use VLANs based
+ on the rules above.
+
+
+
+ It does not make sense to enable VLAN splinters on an interface for an
+ access port, or on an interface that is not a physical port.
+
+
+
+ VLAN splinters are deprecated. When broken device drivers are no
+ longer in widespread use, we will delete this feature.
+
+
+
+
+ Set to true
to enable VLAN splinters on this interface.
+ Defaults to false
.
+
+
+
+ VLAN splinters increase kernel and userspace memory overhead, so do
+ not use them unless they are needed.
+
+
+
+ VLAN splinters do not support 802.1p priority tags. Received
+ priorities will appear to be 0, regardless of their actual values,
+ and priorities on transmitted packets will also be cleared to 0.
+
+
+
+
+
+ The overall purpose of these columns is described under Common
+ Columns
at the beginning of this document.
+
+
+
+
+
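Review bot: The BFD overview says Open vSwitch does not implement the optional Authentication feature, but the status text further down (the value that "Reports whether the BFD session believes this may be used to forward traffic") never states the consequence: session state and the forwarding decision are derived from unauthenticated control messages, so they are only as trustworthy as the path those messages arrive on. Suggest adding one sentence to that effect next to the Authentication remark, with a cross-reference to the option that makes BFD accept only control messages with a tunnel key of zero. Separately, the CFM interval description says "Three missed heartbeat receptions indicate a connectivity fault" while the fault description says faults trigger after "3.5 times the transmission interval"; the two should use the same figure. Typos in the added lines: "connectivty" in the concatenated-path-down option, "cfm fault flapps" in the flap count text, "an IP packets" in the policing paragraph, the doubled "from" in the remote MPIDs paragraph, and a missing period after "Currently only relevant for GRE tunnels".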