+
A port mirror within a .
A port mirror configures a bridge to send selected frames to special
- ``mirrored'' ports, in addition to their normal destinations. Mirroring
- traffic may also be referred to as SPAN or RSPAN, depending on the
- mechanism used for delivery.
+ ``mirrored'' ports, in addition to their normal destinations. Mirroring
+ traffic may also be referred to as SPAN or RSPAN, depending on how
+ the mirrored traffic is sent.
Arbitrary identifier for the .
@@ -1641,88 +2857,84 @@
Output port for selected packets, if nonempty.
Specifying a port for mirror output reserves that port exclusively
- for mirroring. No frames other than those selected for mirroring
- will be forwarded to the port, and any frames received on the port
- will be discarded.
- This type of mirroring is sometimes called SPAN.
+ for mirroring. No frames other than those selected for mirroring
+ via this column
+ will be forwarded to the port, and any frames received on the port
+ will be discarded.
+
+ The output port may be any kind of port supported by Open vSwitch.
+ It may be, for example, a physical port (sometimes called SPAN) or a
+ GRE tunnel.
+
Output VLAN for selected packets, if nonempty.
The frames will be sent out all ports that trunk
- , as well as any ports with implicit VLAN
- . When a mirrored frame is sent out a
- trunk port, the frame's VLAN tag will be set to
- , replacing any existing tag; when it is
- sent out an implicit VLAN port, the frame will not be tagged. This
- type of mirroring is sometimes called RSPAN.
+ , as well as any ports with implicit VLAN
+ . When a mirrored frame is sent out a
+ trunk port, the frame's VLAN tag will be set to
+ , replacing any existing tag; when it is
+ sent out an implicit VLAN port, the frame will not be tagged. This
+ type of mirroring is sometimes called RSPAN.
- The following destination MAC addresses will not be mirrored to a
- VLAN to avoid confusing switches that interpret the protocols that
- they represent:
+ See the documentation for
+ in the
+ table for a list of destination MAC
+ addresses which will not be mirrored to a VLAN to avoid confusing
+ switches that interpret the protocols that they represent.
-
- 01:80:c2:00:00:00
- - IEEE 802.1D Spanning Tree Protocol (STP).
-
- 01:80:c2:00:00:01
- - IEEE Pause frame.
-
- 01:80:c2:00:00:0x
- - Other reserved protocols.
-
- 01:00:0c:cc:cc:cc
- -
- Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP),
- Dynamic Trunking Protocol (DTP), Port Aggregation Protocol (PAgP),
- and others.
-
-
- 01:00:0c:cc:cc:cd
- - Cisco Shared Spanning Tree Protocol PVSTP+.
-
- 01:00:0c:cd:cd:cd
- - Cisco STP Uplink Fast.
-
- 01:00:0c:00:00:00
- - Cisco Inter Switch Link.
-
Please note: Mirroring to a VLAN can disrupt a network that
- contains unmanaged switches. Consider an unmanaged physical switch
- with two ports: port 1, connected to an end host, and port 2,
- connected to an Open vSwitch configured to mirror received packets
- into VLAN 123 on port 2. Suppose that the end host sends a packet on
- port 1 that the physical switch forwards to port 2. The Open vSwitch
- forwards this packet to its destination and then reflects it back on
- port 2 in VLAN 123. This reflected packet causes the unmanaged
- physical switch to replace the MAC learning table entry, which
- correctly pointed to port 1, with one that incorrectly points to port
- 2. Afterward, the physical switch will direct packets destined for
- the end host to the Open vSwitch on port 2, instead of to the end
- host on port 1, disrupting connectivity. If mirroring to a VLAN is
- desired in this scenario, then the physical switch must be replaced
- by one that learns Ethernet addresses on a per-VLAN basis. In
- addition, learning should be disabled on the VLAN containing mirrored
- traffic. If this is not done then intermediate switches will learn
- the MAC address of each end host from the mirrored traffic. If
- packets being sent to that end host are also mirrored, then they will
- be dropped since the switch will attempt to send them out the input
- port. Disabling learning for the VLAN will cause the switch to
- correctly send the packet out all ports configured for that VLAN. If
- Open vSwitch is being used as an intermediate switch, learning can be
- disabled by adding the mirrored VLAN to
- in the appropriate table or tables.
+ contains unmanaged switches. Consider an unmanaged physical switch
+ with two ports: port 1, connected to an end host, and port 2,
+ connected to an Open vSwitch configured to mirror received packets
+ into VLAN 123 on port 2. Suppose that the end host sends a packet on
+ port 1 that the physical switch forwards to port 2. The Open vSwitch
+ forwards this packet to its destination and then reflects it back on
+ port 2 in VLAN 123. This reflected packet causes the unmanaged
+ physical switch to replace the MAC learning table entry, which
+ correctly pointed to port 1, with one that incorrectly points to port
+ 2. Afterward, the physical switch will direct packets destined for
+ the end host to the Open vSwitch on port 2, instead of to the end
+ host on port 1, disrupting connectivity. If mirroring to a VLAN is
+ desired in this scenario, then the physical switch must be replaced
+ by one that learns Ethernet addresses on a per-VLAN basis. In
+ addition, learning should be disabled on the VLAN containing mirrored
+ traffic. If this is not done then intermediate switches will learn
+ the MAC address of each end host from the mirrored traffic. If
+ packets being sent to that end host are also mirrored, then they will
+ be dropped since the switch will attempt to send them out the input
+ port. Disabling learning for the VLAN will cause the switch to
+ correctly send the packet out all ports configured for that VLAN. If
+ Open vSwitch is being used as an intermediate switch, learning can be
+ disabled by adding the mirrored VLAN to
+ in the appropriate table or tables.
+
+ Mirroring to a GRE tunnel has fewer caveats than mirroring to a
+ VLAN and should generally be preferred.
+
-
-
- Key-value pairs for use by external frameworks that integrate with Open
- vSwitch, rather than by Open vSwitch itself. System integrators should
- either use the Open vSwitch development mailing list to coordinate on
- common key-value definitions, or choose key names that are likely to be
- unique. No common key-value pairs are currently defined.
+
+
+ Key-value pairs that report mirror statistics. The update period
+ is controlled by in the Open_vSwitch
table.
+
+
+ Number of packets transmitted through this mirror.
+
+ Number of bytes transmitted through this mirror.
+
+
+
+
+ The overall purpose of these columns is described under Common
+ Columns
at the beginning of this document.
+
+
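Review bot: the recommendation added at the end of the output VLAN text, "Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred", does not say which caveats go away and which remain. Add one sentence stating which of the VLAN problems described just above (the MAC learning disruption on unmanaged switches, the need to disable learning on the mirror VLAN) a tunnel avoids, and whether the output port reservation ("any frames received on the port will be discarded") also applies when the output port is a tunnel. The new statistics keys would also benefit from saying whether the packet and byte counts are cumulative.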
@@ -1798,18 +3010,33 @@
ssl:ip
[:port
]
-
-
The specified SSL port (default: 6633) on the host at
- the given ip, which must be expressed as an IP address
- (not a DNS name). The
- column in the table must point to a
- valid SSL configuration when this form is used.
+ The specified SSL port on the host at the
+ given ip, which must be expressed as an IP
+ address (not a DNS name). The column in the
+ table must point to a valid SSL configuration when this form
+ is used.
+ If port is not specified, it currently
+ defaults to 6633. In the future, the default will change to
+ 6653, which is the IANA-defined value.
SSL support is an optional feature that is not always built as
- part of Open vSwitch.
+ part of Open vSwitch.
tcp:ip
[:port
]
- - The specified TCP port (default: 6633) on the host at
- the given ip, which must be expressed as an IP address
- (not a DNS name).
+ -
+
+ The specified TCP port on the host at the given
+ ip, which must be expressed as an IP address (not a
+ DNS name), where ip can be IPv4 or IPv6 address. If
+ ip is an IPv6 address, wrap it in square brackets,
+ e.g. tcp:[::1]:6632
.
+
+
+ If port is not specified, it currently defaults to
+ 6633. In the future, the default will change to 6653, which is
+ the IANA-defined value.
+
+
The following connection methods are currently supported for service
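Review bot: the rewritten ssl: entry says nothing about IPv6, while the tcp: entry in the same hunk now states that ip "can be IPv4 or IPv6 address" and gives the bracket syntax. If ssl: accepts the same address forms, repeat that sentence there; if it does not, say so explicitly. Separately, the example "tcp:[::1]:6632" uses port 6632 although this entry gives 6633 as the current default and 6653 as the future one; an example using one of those ports would be less confusing. Since the default is announced as changing, it may be worth recommending that configurations always name the port.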
@@ -1819,30 +3046,52 @@
pssl:
[port][:ip
]
- Listens for SSL connections on the specified TCP port
- (default: 6633). If ip, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
+ Listens for SSL connections on the specified TCP port.
+ If ip, which must be expressed as an IP address (not a
+ DNS name), is specified, then connections are restricted to the
+ specified local IP address (either IPv4 or IPv6). If
+ ip is an IPv6 address, wrap it in square brackets,
+ e.g. pssl:6632:[::1]
.
- The column in the table must point to a valid SSL
- configuration when this form is used.
+ If port is not specified, it currently defaults to
+ 6633. If ip is not specified then it listens only on
+ IPv4 (but not IPv6) addresses. The
+
+ column in the table must point to a
+ valid SSL configuration when this form is used.
+
+
+ If port is not specified, it currently defaults to
+ 6633. In the future, the default will change to 6653, which is
+ the IANA-defined value.
+
+
+ SSL support is an optional feature that is not always built as
+ part of Open vSwitch.
- SSL support is an optional feature that is not always built as
- part of Open vSwitch.
ptcp:
[port][:ip
]
- Listens for connections on the specified TCP port
- (default: 6633). If ip, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
+
+ Listens for connections on the specified TCP port. If
+ ip, which must be expressed as an IP address (not a
+ DNS name), is specified, then connections are restricted to the
+ specified local IP address (either IPv4 or IPv6). If
+ ip is an IPv6 address, wrap it in square brackets,
+ e.g. ptcp:6632:[::1]
. If ip is not
+ specified then it listens only on IPv4 addresses.
+
+
+ If port is not specified, it currently defaults to
+ 6633. In the future, the default will change to 6653, which is
+ the IANA-defined value.
+
When multiple controllers are configured for a single bridge, the
- values must be unique. Duplicate
- values yield unspecified results.
+ values must be unique. Duplicate
+ values yield unspecified results.
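Review bot: the pssl: entry now states the default port twice. "If port is not specified, it currently defaults to 6633." opens the paragraph that continues with the IPv4-only and SSL-configuration sentences, and the following paragraph repeats it together with the 6653 note. Drop the first occurrence so the entry matches the ptcp: entry, which states the default once.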
@@ -1853,19 +3102,19 @@
in-band
- In this mode, this controller's OpenFlow traffic travels over the
- bridge associated with the controller. With this setting, Open
- vSwitch allows traffic to and from the controller regardless of the
- contents of the OpenFlow flow table. (Otherwise, Open vSwitch
- would never be able to connect to the controller, because it did
- not have a flow to enable it.) This is the most common connection
- mode because it is not necessary to maintain two independent
- networks.
+ bridge associated with the controller. With this setting, Open
+ vSwitch allows traffic to and from the controller regardless of the
+ contents of the OpenFlow flow table. (Otherwise, Open vSwitch
+ would never be able to connect to the controller, because it did
+ not have a flow to enable it.) This is the most common connection
+ mode because it is not necessary to maintain two independent
+ networks.
out-of-band
- In this mode, OpenFlow traffic uses a control network separate
- from the bridge associated with this controller, that is, the
- bridge does not use any of its own network devices to communicate
- with the controller. The control network must be configured
- separately, before or after
ovs-vswitchd
is started.
+ from the bridge associated with this controller, that is, the
+ bridge does not use any of its own network devices to communicate
+ with the controller. The control network must be configured
+ separately, before or after ovs-vswitchd
is started.
@@ -1891,43 +3140,68 @@
-
-
- The maximum rate at which packets in unknown flows will be
- forwarded to the OpenFlow controller, in packets per second. This
- feature prevents a single bridge from overwhelming the controller.
- If not specified, the default is implementation-specific.
- In addition, when a high rate triggers rate-limiting, Open
- vSwitch queues controller packets for each port and transmits
- them to the controller at the configured rate. The number of
- queued packets is limited by
- the value. The packet
- queue is shared fairly among the ports on a bridge.
Open
- vSwitch maintains two such packet rate-limiters per bridge.
- One of these applies to packets sent up to the controller
- because they do not correspond to any flow. The other applies
- to packets sent up to the controller by request through flow
- actions. When both rate-limiters are filled with packets, the
- actual rate that packets are sent to the controller is up to
- twice the specified rate.
-
+
+
+ OpenFlow switches send certain messages to controllers spontanenously,
+ that is, not in response to any request from the controller. These
+ messages are called ``asynchronous messages.'' These columns allow
+ asynchronous messages to be limited or disabled to ensure the best use
+ of network resources.
+
-
- In conjunction with ,
- the maximum number of unused packet credits that the bridge will
- allow to accumulate, in packets. If not specified, the default
- is implementation-specific.
-
+
+ The OpenFlow protocol enables asynchronous messages at time of
+ connection establishment, which means that a controller can receive
+ asynchronous messages, potentially many of them, even if it turns them
+ off immediately after connecting. Set this column to
+ false
to change Open vSwitch behavior to disable, by
+ default, all asynchronous messages. The controller can use the
+ NXT_SET_ASYNC_CONFIG
Nicira extension to OpenFlow to turn
+ on any messages that it does want to receive, if any.
+
+
+
+
+ The maximum rate at which the switch will forward packets to the
+ OpenFlow controller, in packets per second. This feature prevents a
+ single bridge from overwhelming the controller. If not specified,
+ the default is implementation-specific.
+
+
+
+ In addition, when a high rate triggers rate-limiting, Open vSwitch
+ queues controller packets for each port and transmits them to the
+ controller at the configured rate. The value limits the number of queued
+ packets. Ports on a bridge share the packet queue fairly.
+
+
+
+ Open vSwitch maintains two such packet rate-limiters per bridge: one
+ for packets sent up to the controller because they do not correspond
+ to any flow, and the other for packets sent up to the controller by
+ request through flow actions. When both rate-limiters are filled with
+ packets, the actual rate that packets are sent to the controller is
+ up to twice the specified rate.
+
+
+
+
+ In conjunction with ,
+ the maximum number of unused packet credits that the bridge will
+ allow to accumulate, in packets. If not specified, the default
+ is implementation-specific.
+
These values are considered only in in-band control mode (see
- ).
+ ).
When multiple controllers are configured on a single bridge, there
- should be only one set of unique values in these columns. If different
- values are set for these columns in different controllers, the effect
- is unspecified.
+ should be only one set of unique values in these columns. If different
+ values are set for these columns in different controllers, the effect
+ is unspecified.
The IP address to configure on the local port,
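Review bot: typo in the new group introduction, "spontanenously" should be "spontaneously". In the same hunk, the paragraph on disabling asynchronous messages only describes what setting the column to false does; state the behaviour when the column is unset or true so the default is explicit. The rewritten queue sentence, "The value limits the number of queued packets", also reads more weakly than the removed "The number of queued packets is limited by the value", so check that the column reference still renders in front of "value".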
@@ -1950,69 +3224,109 @@
-
-
- Key-value pairs for use by external frameworks that integrate with Open
- vSwitch, rather than by Open vSwitch itself. System integrators should
- either use the Open vSwitch development mailing list to coordinate on
- common key-value definitions, or choose key names that are likely to be
- unique. No common key-value pairs are currently defined.
-
-
-
true
if currently connected to this controller,
false
otherwise.
-
+
The level of authority this controller has on the associated
- bridge. Possible values are:
+ bridge. Possible values are:
other
- Allows the controller access to all OpenFlow features.
master
- Equivalent to
other
, except that there may be at
- most one master controller at a time. When a controller configures
- itself as master
, any existing master is demoted to
- the slave
role.
+ most one master controller at a time. When a controller configures
+ itself as master
, any existing master is demoted to
+ the slave
role.
slave
- Allows the controller read-only access to OpenFlow features.
- Attempts to modify the flow table will be rejected with an
- error. Slave controllers do not receive OFPT_PACKET_IN or
- OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS
- messages.
+ Attempts to modify the flow table will be rejected with an
+ error. Slave controllers do not receive OFPT_PACKET_IN or
+ OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS
+ messages.
-
- Key-value pairs that report controller status.
+
+ A human-readable description of the last error on the connection
+ to the controller; i.e. strerror(errno)
. This key
+ will exist only if an error has occurred.
+
+
+
+
+ The state of the connection to the controller:
+
- last_error
- - A human-readable description of the last error on the connection
- to the controller; i.e.
strerror(errno)
. This key
- will exist only if an error has occurred.
- state
- - The state of the connection to the controller. Possible values
- are:
VOID
(connection is disabled),
- BACKOFF
(attempting to reconnect at an increasing
- period), CONNECTING
(attempting to connect),
- ACTIVE
(connected, remote host responsive), and
- IDLE
(remote host idle, sending keep-alive). These
- values may change in the future. They are provided only for human
- consumption.
- sec_since_connect
- - The amount of time since this controller last successfully
- connected to the switch (in seconds). Value is empty if controller
- has never successfully connected.
- sec_since_disconnect
- - The amount of time since this controller last disconnected from
- the switch (in seconds). Value is empty if controller has never
- disconnected.
+ VOID
+ - Connection is disabled.
+
+ BACKOFF
+ - Attempting to reconnect at an increasing period.
+
+ CONNECTING
+ - Attempting to connect.
+
+ ACTIVE
+ - Connected, remote host responsive.
+
+ IDLE
+ - Connection is idle. Waiting for response to keep-alive.
+
+ These values may change in the future. They are provided only for
+ human consumption.
+
+
+
+
+ The amount of time since this controller last successfully connected to
+ the switch (in seconds). Value is empty if controller has never
+ successfully connected.
+
+
+
+ The amount of time since this controller last disconnected from
+ the switch (in seconds). Value is empty if controller has never
+ disconnected.
+
+
+
+ Additional configuration for a connection between the controller
+ and the Open vSwitch.
+
+
+
+ The Differentiated Service Code Point (DSCP) is specified using 6 bits
+ in the Type of Service (TOS) field in the IP header. DSCP provides a
+ mechanism to classify the network traffic and provide Quality of
+ Service (QoS) on IP networks.
+
+ The DSCP value specified here is used when establishing the connection
+ between the controller and the Open vSwitch. If no value is specified,
+ a default value of 48 is chosen. Valid DSCP values must be in the
+ range 0 to 63.
+
+
+
+
+
+ The overall purpose of these columns is described under Common
+ Columns
at the beginning of this document.
+
+
+
+
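Review bot: the new DSCP text says the value "is used when establishing the connection", which leaves open whether changing it affects a connection that is already established or only takes effect on the next reconnect. Say which. The sentence "If no value is specified, a default value of 48 is chosen" would also be easier to rely on with a short reason for 48, and "Valid DSCP values must be in the range 0 to 63" should say what happens to a value outside that range.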
@@ -2044,37 +3358,60 @@
ssl:ip
[:port
]
- The specified SSL port (default: 6632) on the host at
- the given ip, which must be expressed as an IP address
- (not a DNS name). The
- column in the table must point to a
- valid SSL configuration when this form is used.
+ The specified SSL port on the host at the given
+ ip, which must be expressed as an IP address
+ (not a DNS name). The column in the
+ table must point to a valid SSL configuration when this
+ form is used.
- SSL support is an optional feature that is not always built as
- part of Open vSwitch.
+ If port is not specified, it currently defaults
+ to 6632. In the future, the default will change to 6640,
+ which is the IANA-defined value.
+
+
+ SSL support is an optional feature that is not always
+ built as part of Open vSwitch.
tcp:ip
[:port
]
- The specified TCP port (default: 6632) on the host at
- the given ip, which must be expressed as an IP address
- (not a DNS name).
+
+ The specified TCP port on the host at the given
+ ip, which must be expressed as an IP address (not a
+ DNS name), where ip can be IPv4 or IPv6 address. If
+ ip is an IPv6 address, wrap it in square brackets,
+ e.g. tcp:[::1]:6632
.
+
+
+ If port is not specified, it currently defaults
+ to 6632. In the future, the default will change to 6640,
+ which is the IANA-defined value.
+
pssl:
[port][:ip
]
- Listens for SSL connections on the specified TCP port
- (default: 6632). If ip, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
-
-
+ Listens for SSL connections on the specified TCP port.
+ Specify 0 for port to have the kernel automatically
+ choose an available port. If ip, which must be
+ expressed as an IP address (not a DNS name), is specified, then
+ connections are restricted to the specified local IP address
+ (either IPv4 or IPv6 address). If ip is an IPv6
+ address, wrap in square brackets,
+ e.g. pssl:6632:[::1]
. If ip is not
+ specified then it listens only on IPv4 (but not IPv6) addresses.
The column in the table must point to a valid SSL
configuration when this form is used.
+
+ If port is not specified, it currently defaults
+ to 6632. In the future, the default will change to 6640,
+ which is the IANA-defined value.
+
SSL support is an optional feature that is not always built as
part of Open vSwitch.
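Review bot: wording is inconsistent inside this hunk. The pssl: entry says "If ip is an IPv6 address, wrap in square brackets" while the tcp: entry a few lines earlier says "wrap it in square brackets"; use the second form in both. As with the controller targets, the ssl: entry here gives no IPv6 statement at all, although tcp: and pssl: now do; add it or state that ssl: is IPv4 only.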
@@ -2082,10 +3419,22 @@
ptcp:
[port][:ip
]
- Listens for connections on the specified TCP port
- (default: 6632). If ip, which must be expressed as an
- IP address (not a DNS name), is specified, then connections are
- restricted to the specified local IP address.
+
+ Listens for connections on the specified TCP port.
+ Specify 0 for port to have the kernel automatically
+ choose an available port. If ip, which must be
+ expressed as an IP address (not a DNS name), is specified, then
+ connections are restricted to the specified local IP address
+ (either IPv4 or IPv6 address). If ip is an IPv6
+ address, wrap it in square brackets,
+ e.g. ptcp:6632:[::1]
. If ip is not
+ specified then it listens only on IPv4 addresses.
+
+
+ If port is not specified, it currently defaults
+ to 6632. In the future, the default will change to 6640,
+ which is the IANA-defined value.
+
When multiple managers are configured, the
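Review bot: "If ip is not specified then it listens only on IPv4 addresses" in the ptcp: entry does not say whether that means every local IPv4 address. Since ptcp: has no SSL configuration requirement, unlike pssl:, readers need to know the exposure of the default; state it explicitly and consider adding an example that restricts the listener to one local address, alongside the existing "ptcp:6632:[::1]". The new "Specify 0 for port" sentence should also point to where the chosen port can be read back.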
@@ -2144,72 +3493,128 @@
-
-
- Key-value pairs for use by external frameworks that integrate with Open
- vSwitch, rather than by Open vSwitch itself. System integrators should
- either use the Open vSwitch development mailing list to coordinate on
- common key-value definitions, or choose key names that are likely to be
- unique. No common key-value pairs are currently defined.
-
-
-
true
if currently connected to this manager,
false
otherwise.
-
- Key-value pairs that report manager status.
-
- last_error
- - A human-readable description of the last error on the connection
- to the manager; i.e.
strerror(errno)
. This key
- will exist only if an error has occurred.
-
-
- state
- - The state of the connection to the manager. Possible values
- are:
VOID
(connection is disabled),
- BACKOFF
(attempting to reconnect at an increasing
- period), CONNECTING
(attempting to connect),
- ACTIVE
(connected, remote host responsive), and
- IDLE
(remote host idle, sending keep-alive). These
- values may change in the future. They are provided only for human
- consumption.
-
-
- sec_since_connect
- - The amount of time since this manager last successfully connected
- to the database (in seconds). Value is empty if manager has never
- successfully connected.
-
-
- sec_since_disconnect
- - The amount of time since this manager last disconnected from the
- database (in seconds). Value is empty if manager has never
- disconnected.
-
+
+ A human-readable description of the last error on the connection
+ to the manager; i.e. strerror(errno)
. This key
+ will exist only if an error has occurred.
+
+
+
+
+ The state of the connection to the manager:
+
- n_connections
- -
-
- When specifies a connection method that
- listens for inbound connections (e.g. ptcp:
or
- pssl:
) and more than one connection is actually
- active, the value is the number of active connections.
- Otherwise, this key-value pair is omitted.
-
-
- When multiple connections are active, status columns and
- key-value pairs (other than this one) report the status of one
- arbitrarily chosen connection.
-
-
+ VOID
+ - Connection is disabled.
+
+ BACKOFF
+ - Attempting to reconnect at an increasing period.
+
+ CONNECTING
+ - Attempting to connect.
+
+ ACTIVE
+ - Connected, remote host responsive.
+
+ IDLE
+ - Connection is idle. Waiting for response to keep-alive.
+
+ These values may change in the future. They are provided only for
+ human consumption.
+
+
+
+
+ The amount of time since this manager last successfully connected
+ to the database (in seconds). Value is empty if manager has never
+ successfully connected.
+
+
+
+ The amount of time since this manager last disconnected from the
+ database (in seconds). Value is empty if manager has never
+ disconnected.
+
+
+
+ Space-separated list of the names of OVSDB locks that the connection
+ holds. Omitted if the connection does not hold any locks.
+
+
+
+ Space-separated list of the names of OVSDB locks that the connection is
+ currently waiting to acquire. Omitted if the connection is not waiting
+ for any locks.
+
+
+
+ Space-separated list of the names of OVSDB locks that the connection
+ has had stolen by another OVSDB client. Omitted if no locks have been
+ stolen from this connection.
+
+
+
+
+ When specifies a connection method that
+ listens for inbound connections (e.g. ptcp:
or
+ pssl:
) and more than one connection is actually active,
+ the value is the number of active connections. Otherwise, this
+ key-value pair is omitted.
+
+
+ When multiple connections are active, status columns and key-value
+ pairs (other than this one) report the status of one arbitrarily
+ chosen connection.
+
+
+
+
+ When is ptcp:
or
+ pssl:
, this is the TCP port on which the OVSDB server is
+ listening. (This is is particularly useful when specifies a port of 0, allowing the kernel to
+ choose any available port.)
+
+
+
+
+
+ Additional configuration for a connection between the manager
+ and the Open vSwitch Database.
+
+
+
+ The Differentiated Service Code Point (DSCP) is specified using 6 bits
+ in the Type of Service (TOS) field in the IP header. DSCP provides a
+ mechanism to classify the network traffic and provide Quality of
+ Service (QoS) on IP networks.
+
+ The DSCP value specified here is used when establishing the connection
+ between the manager and the Open vSwitch. If no value is specified, a
+ default value of 48 is chosen. Valid DSCP values must be in the range
+ 0 to 63.
+
+
+ The overall purpose of these columns is described under Common
+ Columns
at the beginning of this document.
+
+
+
+
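Review bot: duplicated word in the new bound-port description, "(This is is particularly useful when ...", should read "This is particularly useful". In the DSCP text of the same hunk, the group introduction speaks of the connection "between the manager and the Open vSwitch Database" while the DSCP paragraph says "between the manager and the Open vSwitch"; use the same term in both. The three new lock keys are described clearly, but it would help to say whether they follow the same "one arbitrarily chosen connection" rule that the n_connections text gives for other status pairs.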