FAQ: Add FAQ entries from website.

[sliver-openvswitch.git] / FAQ

                 Open vSwitch <http://openvswitch.org>

Frequently Asked Questions
==========================

General
-------

Q: What is Open vSwitch?

A: Open vSwitch is a production quality open source software switch
   designed to be used as a vswitch in virtualized server environments.  A
   vswitch forwards traffic between different VMs on the same physical host
   and also forwards traffic between VMs and the physical network.  Open
   vSwitch supports standard management interfaces (e.g. sFlow, NetFlow,
   RSPAN, CLI), and is open to programmatic extension and control using
   OpenFlow and the OVSDB management protocol.

   Open vSwitch as designed to be compatible with modern switching
   chipsets.  This means that it can be ported to existing high-fanout
   switches allowing the same flexible control of the physical
   infrastructure as the virtual infrastructure.  It also means that
   Open vSwitch will be able to take advantage of on-NIC switching
   chipsets as their functionality matures.

Q: What virtualization platforms can use Open vSwitch?

A: Open vSwitch can currently run on any Linux-based virtualization
   platform (kernel 2.6.18 and newer), including: KVM, VirtualBox, Xen,
   Xen Cloud Platform, XenServer. As of Linux 3.3 it is part of the
   mainline kernel.  The bulk of the code is written in platform-
   independent C and is easily ported to other environments.  We welcome
   inquires about integrating Open vSwitch with other virtualization
   platforms.

Q: How can I try Open vSwitch?

A: Open vSwitch is as source code to be built on a Linux system.  You
   can build and experiment with Open vSwitch on any Linux machine.
   Packages for various Linux distributions are underway and will be linked
   to from this website as they materialize.

   You may also download and run a virtualization platform that already
   has Open vSwitch integrated.  For example, download the ISO for Xen
   Cloud Platform.  Be aware that the version integrated with a
   particular platform may not be the most recent Open vSwitch release.

Q: Why would I use Open vSwitch instead of the Linux bridge?

A: Open vSwitch is specially designed to make it easier to manage VM
   network configuration and monitoring state spread across many
   physical hosts in dynamic virtualized environments.  Please see
   WHY-OVS for a more detailed description of how Open vSwitch relates
   to the Linux Bridge.

Q: How is Open vSwitch related to distributed virtual switches like the
   VMware vNetwork distributed switch or the Cisco Nexus 1000V?

A: Distributed vswitch applications (e.g., VMware vNetwork distributed
   switch, Cisco Nexus 1000V) provide a centralized way to configure and
   monitor the network state of VMs that are spread across many physical
   hosts.  Open vSwitch is not a distributed vswitch itself, rather it
   runs on each physical host and supports remote management in a way
   that makes it easier for developers of virtualization/cloud
   management platforms to offer distributed vswitch capabilities.

   To aid in distribution, Open vSwitch provides two open protocols that
   are specially designed for remote management in virtualized network
   environments: OpenFlow, which exposes flow-based forwarding state,
   and the OVSDB management protocol, which exposes switch port state.
   In addition to the switch implementation itself, Open vSwitch
   includes tools (ovs-controller, ovs-ofctl, ovs-vsctl) that developers
   can script and extend to provide distributed vswitch capabilities
   that are closely integrated with their virtualization management
   platform.

Q: Why doesn't Open vSwitch support distribution?

A: Open vSwitch is intended to be a useful component for building
   flexible network infrastructure. There are many different approaches
   to distribution which balance trade-offs between simplicity,
   scalability, hardware compatibility, convergence times, logical
   forwarding model, etc. The goal of Open vSwitch is to be able to
   support all as a primitive building block rather than choose a
   particular point in the distributed design space.

Q: What does it mean for an Open vSwitch release to be "stable"?

A: A stable Open vSwitch release is code that has been through a
   comprehensive testing process and is suitable for production use.
   Planned stable releases will occur several times a year.  If a
   significant bug is identified in a stable release, we will provide an
   updated stable release that includes the fix.  Developers looking to
   test the latest Open vSwitch code can use an "unstable" release or
   directly access the code via git.

Q: How can I contribute to the Open vSwitch Community?

A: You can start by joining the mailing lists and helping to answer
   questions.  You can also suggest improvements to documentation or offer
   to write a configuration cookbook entry.

   If you have a feature or bug you would like to work on send a mail to
   dev mailing list.


Configuration Problems
----------------------

Q: I created a bridge and added my Ethernet port to it, using commands
   like these:

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0

   and as soon as I ran the "add-port" command I lost all connectivity
   through eth0.  Help!

A: A physical Ethernet device that is part of an Open vSwitch bridge
   should not have an IP address.  If one does, then that IP address
   will not be fully functional.

   You can restore functionality by moving the IP address to an Open
   vSwitch "internal" device, such as the network device named after
   the bridge itself.  For example, assuming that eth0's IP address is
   192.168.128.5, you could run the commands below to fix up the
   situation:

       ifconfig eth0 0.0.0.0
       ifconfig br0 192.168.128.5

   (If your only connection to the machine running OVS is through the
   IP address in question, then you would want to run all of these
   commands on a single command line, or put them into a script.)  If
   there were any additional routes assigned to eth0, then you would
   also want to use commands to adjust these routes to go through br0.

   If you use DHCP to obtain an IP address, then you should kill the
   DHCP client that was listening on the physical Ethernet interface
   (e.g. eth0) and start one listening on the internal interface
   (e.g. br0).  You might still need to manually clear the IP address
   from the physical interface (e.g. with "ifconfig eth0 0.0.0.0").

   There is no compelling reason why Open vSwitch must work this way.
   However, this is the way that the Linux kernel bridge module has
   always worked, so it's a model that those accustomed to Linux
   bridging are already used to.  Also, the model that most people
   expect is not implementable without kernel changes on all the
   versions of Linux that Open vSwitch supports.

   By the way, this issue is not specific to physical Ethernet
   devices.  It applies to all network devices except Open vswitch
   "internal" devices.

Q: I created a bridge and added a couple of Ethernet ports to it,
   using commands like these:

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0
       ovs-vsctl add-port br0 eth1

   and now my network seems to have melted: connectivity is unreliable
   (even connectivity that doesn't go through Open vSwitch), all the
   LEDs on my physical switches are blinking, wireshark shows
   duplicated packets, and CPU usage is very high.

A: More than likely, you've looped your network.  Probably, eth0 and
   eth1 are connected to the same physical Ethernet switch.  This
   yields a scenario where OVS receives a broadcast packet on eth0 and
   sends it out on eth1, then the physical switch connected to eth1
   sends the packet back on eth0, and so on forever.  More complicated
   scenarios, involving a loop through multiple switches, are possible
   too.

   The solution depends on what you are trying to do:

       - If you added eth0 and eth1 to get higher bandwidth or higher
         reliability between OVS and your physical Ethernet switch,
         use a bond.  The following commands create br0 and then add
         eth0 and eth1 as a bond:

             ovs-vsctl add-br br0
             ovs-vsctl add-bond br0 bond0 eth0 eth1

         Bonds have tons of configuration options.  Please read the
         documentation on the Port table in ovs-vswitchd.conf.db(5)
         for all the details.

       - Perhaps you don't actually need eth0 and eth1 to be on the
         same bridge.  For example, if you simply want to be able to
         connect each of them to virtual machines, then you can put
         each of them on a bridge of its own:

             ovs-vsctl add-br br0
             ovs-vsctl add-port br0 eth0

             ovs-vsctl add-br br1
             ovs-vsctl add-port br1 eth1

         and then connect VMs to br0 and br1.  (A potential
         disadvantage is that traffic cannot directly pass between br0
         and br1.  Instead, it will go out eth0 and come back in eth1,
         or vice versa.)

       - If you have a redundant or complex network topology and you
         want to prevent loops, turn on spanning tree protocol (STP).
         The following commands create br0, enable STP, and add eth0
         and eth1 to the bridge.  The order is important because you
         don't want have to have a loop in your network even
         transiently:

             ovs-vsctl add-br br0
             ovs-vsctl set bridge br0 stp_enable=true
             ovs-vsctl add-port br0 eth0
             ovs-vsctl add-port br0 eth1

         The Open vSwitch implementation of STP is not well tested.
         Please report any bugs you observe, but if you'd rather avoid
         acting as a beta tester then another option might be your
         best shot.

Q: I can't seem to use Open vSwitch in a wireless network.

A: Wireless base stations generally only allow packets with the source
   MAC address of NIC that completed the initial handshake.
   Therefore, without MAC rewriting, only a single device can
   communicate over a single wireless link.

   This isn't specific to Open vSwitch, it's enforced by the access
   point, so the same problems will show up with the Linux bridge or
   any other way to do bridging.


VLANs
-----

Q: VLANs don't work.

A: Many drivers in Linux kernels before version 3.3 had VLAN-related
   bugs.  If you are having problems with VLANs that you suspect to be
   driver related, then you have several options:

       - Upgrade to Linux 3.3 or later.

       - Build and install a fixed version of the particular driver
         that is causing trouble, if one is available.

       - Use a NIC whose driver does not have VLAN problems.

       - Use "VLAN splinters", a feature in Open vSwitch 1.4 and later
         that works around bugs in kernel drivers.  To enable VLAN
         splinters on interface eth0, use the command:

             ovs-vsctl set interface eth0 other-config:enable-vlan-splinters=true

         For VLAN splinters to be effective, Open vSwitch must know
         which VLANs are in use.  See the "VLAN splinters" section in
         the Interface table in ovs-vswitchd.conf.db(5) for details on
         how Open vSwitch infers in-use VLANs.

         VLAN splinters increase memory use and reduce performance, so
         use them only if needed.

       - Apply the "vlan workaround" patch from the XenServer kernel
         patch queue, build Open vSwitch against this patched kernel,
         and then use ovs-vlan-bug-workaround(8) to enable the VLAN
         workaround for each interface whose driver is buggy.

         (This is a nontrivial exercise, so this option is included
         only for completeness.)

   It is not always easy to tell whether a Linux kernel driver has
   buggy VLAN support.  The ovs-vlan-test(8) and ovs-test(8) utilities
   can help you test.  See their manpages for details.  Of the two
   utilities, ovs-test(8) is newer and more thorough, but
   ovs-vlan-test(8) may be easier to use.

Q: VLANs still don't work.  I've tested the driver so I know that it's OK.

A: Do you have VLANs enabled on the physical switch that OVS is
   attached to?  Make sure that the port is configured to trunk the
   VLAN or VLANs that you are using with OVS.

Q: Outgoing VLAN-tagged traffic goes through OVS to my physical switch
   and to its destination host, but OVS seems to drop incoming return
   traffic.

A: It's possible that you have the VLAN configured on your physical
   switch as the "native" VLAN.  In this mode, the switch treats
   incoming packets either tagged with the native VLAN or untagged as
   part of the native VLAN.  It may also send outgoing packets in the
   native VLAN without a VLAN tag.

   If this is the case, you have two choices:

       - Change the physical switch port configuration to tag packets
         it forwards to OVS with the native VLAN instead of forwarding
         them untagged.

       - Change the OVS configuration for the physical port to a
         native VLAN mode.  For example, the following sets up a
         bridge with port eth0 in "native-tagged" mode in VLAN 9:

             ovs-vsctl add-br br0
             ovs-vsctl add-port br0 eth0 tag=9 vlan_mode=native-tagged

         In this situation, "native-untagged" mode will probably work
         equally well.  Refer to the documentation for the Port table
         in ovs-vswitchd.conf.db(5) for more information.

Q: Can I configure an IP address on a VLAN?

A: Yes.  Use an "internal port" configured as an access port.  For
   example, the following configures IP address 192.168.0.7 on VLAN 9.
   That is, OVS will forward packets from eth0 to 192.168.0.7 only if
   they have an 802.1Q header with VLAN 9.  Conversely, traffic
   forwarded from 192.168.0.7 to eth0 will be tagged with an 802.1Q
   header with VLAN 9:

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0
       ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
       ifconfig vlan9 192.168.0.7

Q: My OpenFlow controller doesn't see the VLANs that I expect.

A: The configuration for VLANs in the Open vSwitch database (e.g. via
   ovs-vsctl) only affects traffic that goes through Open vSwitch's
   implementation of the OpenFlow "normal switching" action.  By
   default, when Open vSwitch isn't connected to a controller and
   nothing has been manually configured in the flow table, all traffic
   goes through the "normal switching" action.  But, if you set up
   OpenFlow flows on your own, through a controller or using ovs-ofctl
   or through other means, then you have to implement VLAN handling
   yourself.

   You can use "normal switching" as a component of your OpenFlow
   actions, e.g. by putting "normal" into the lists of actions on
   ovs-ofctl or by outputting to OFPP_NORMAL from an OpenFlow
   controller.  This will only be suitable for some situations,
   though.


Controllers
-----------

Q: I'm getting "error type 45250 code 0".  What's that?

A: This is a Open vSwitch extension to OpenFlow error codes.  Open
   vSwitch uses this extension when it must report an error to an
   OpenFlow controller but no standard OpenFlow error code is
   suitable.

   Open vSwitch logs the errors that it sends to controllers, so the
   easiest thing to do is probably to look at the ovs-vswitchd log to
   find out what the error was.

   If you want to dissect the extended error message yourself, the
   format is documented in include/openflow/nicira-ext.h in the Open
   vSwitch source distribution.  The extended error codes are
   documented in lib/ofp-errors.h.

Q1: Some of the traffic that I'd expect my OpenFlow controller to see
    doesn't actually appear through the OpenFlow connection, even
    though I know that it's going through.
Q2: Some of the OpenFlow flows that my controller sets up don't seem
    to apply to certain traffic, especially traffic between OVS and
    the controller itself.

A: By default, Open vSwitch assumes that OpenFlow controllers are
   connected "in-band", that is, that the controllers are actually
   part of the network that is being controlled.  In in-band mode,
   Open vSwitch sets up special "hidden" flows to make sure that
   traffic can make it back and forth between OVS and the controllers.
   These hidden flows are higher priority than any flows that can be
   set up through OpenFlow, and they are not visible through normal
   OpenFlow flow table dumps.

   Usually, the hidden flows are desirable and helpful, but
   occasionally they can cause unexpected behavior.  You can view the
   full OpenFlow flow table, including hidden flows, on bridge br0
   with the command:

       ovs-appctl bridge/dump-flows br0

   to help you debug.  The hidden flows are those with priorities
   greater than 65535 (the maximum priority that can be set with
   OpenFlow).

   The DESIGN file at the top level of the Open vSwitch source
   distribution describes the in-band model in detail.

   If your controllers are not actually in-band (e.g. they are on
   localhost via 127.0.0.1, or on a separate network), then you should
   configure your controllers in "out-of-band" mode.  If you have one
   controller on bridge br0, then you can configure out-of-band mode
   on it with:

       ovs-vsctl set controller br0 connection-mode=out-of-band

Q: I configured all my controllers for out-of-band control mode but
   "ovs-appctl bridge/dump-flows" still shows some hidden flows.

A: You probably have a remote manager configured (e.g. with "ovs-vsctl
   set-manager").  By default, Open vSwitch assumes that managers need
   in-band rules set up on every bridge.  You can disable these rules
   on bridge br0 with:

       ovs-vsctl set bridge br0 other-config:disable-in-band=true

   This actually disables in-band control entirely for the bridge, as
   if all the bridge's controllers were configured for out-of-band
   control.

Q: My OpenFlow controller doesn't see the VLANs that I expect.

A: See answer under "VLANs", above.

Contact 
-------

bugs@openvswitch.org
http://openvswitch.org/