A port mirror within a .
A port mirror configures a bridge to send selected frames to special
- ``mirrored'' ports, in addition to their normal destinations. Mirroring
- traffic may also be referred to as SPAN or RSPAN, depending on the
- mechanism used for delivery.
+ ``mirrored'' ports, in addition to their normal destinations. Mirroring
+ traffic may also be referred to as SPAN, RSPAN, or ERSPAN, depending on how
+ the mirrored traffic is sent.
Arbitrary identifier for the .
+
+ To be selected for mirroring, a given packet must enter or leave the
+ bridge through a selected port and it must also be in one of the
+ selected VLANs.
+
+
If true, every packet arriving or departing on any port is
selected for mirroring.
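Review bot: the new sentence "To be selected for mirroring, a given packet must enter or leave the bridge through a selected port and it must also be in one of the selected VLANs" does not say what an empty selection means: whether having no selected VLANs (or no selected ports) selects nothing or everything. The column that follows, "If true, every packet arriving or departing on any port is selected for mirroring", covers only the select-all case, so add one sentence stating the empty-selection behaviour for the per-port and per-VLAN selection columns.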
@@ -995,19 +1663,26 @@
+
+ These columns are mutually exclusive. Exactly one of them must be
+ nonempty.
+
+
- Output port for selected packets, if nonempty. Mutually exclusive
- with .
+ Output port for selected packets, if nonempty.
Specifying a port for mirror output reserves that port exclusively
- for mirroring. No frames other than those selected for mirroring
- will be forwarded to the port, and any frames received on the port
- will be discarded.
- This type of mirroring is sometimes called SPAN.
+ for mirroring. No frames other than those selected for mirroring
+ will be forwarded to the port, and any frames received on the port
+ will be discarded.
+
+ The output port may be any kind of port supported by Open vSwitch.
+ It may be, for example, a physical port (sometimes called SPAN), or a
+ GRE tunnel (sometimes called ERSPAN).
+
- Output VLAN for selected packets, if nonempty. Mutually exclusive
- with .
+ Output VLAN for selected packets, if nonempty.
The frames will be sent out all ports that trunk
, as well as any ports with implicit VLAN
. When a mirrored frame is sent out a
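Review bot: "These columns are mutually exclusive. Exactly one of them must be nonempty" conflicts with the per-column wording that follows ("Output port for selected packets, if nonempty", "Output VLAN for selected packets, if nonempty"), which reads as if each is optional; say what happens when both or neither is set (rejected at configuration time, or unspecified result). The new text "The output port may be any kind of port supported by Open vSwitch ... a GRE tunnel (sometimes called ERSPAN)" should also remind the reader that the reservation rule above still applies, i.e. a tunnel port used as mirror output carries nothing but mirrored frames and discards anything received on it.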
@@ -1015,6 +1690,37 @@
, replacing any existing tag; when it is
sent out an implicit VLAN port, the frame will not be tagged. This
type of mirroring is sometimes called RSPAN.
+
+ The following destination MAC addresses will not be mirrored to a
+ VLAN to avoid confusing switches that interpret the protocols that
+ they represent:
+
+
+ 01:80:c2:00:00:00
+ - IEEE 802.1D Spanning Tree Protocol (STP).
+
+ 01:80:c2:00:00:01
+ - IEEE Pause frame.
+
+ 01:80:c2:00:00:0x
+ - Other reserved protocols.
+
+ 01:00:0c:cc:cc:cc
+ -
+ Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP),
+ Dynamic Trunking Protocol (DTP), Port Aggregation Protocol (PAgP),
+ and others.
+
+
+ 01:00:0c:cc:cc:cd
+ - Cisco Shared Spanning Tree Protocol PVSTP+.
+
+ 01:00:0c:cd:cd:cd
+ - Cisco STP Uplink Fast.
+
+ 01:00:0c:00:00:00
+ - Cisco Inter Switch Link.
+
Please note: Mirroring to a VLAN can disrupt a network that
contains unmanaged switches. Consider an unmanaged physical switch
with two ports: port 1, connected to an end host, and port 2,
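Review bot: the entry "01:80:c2:00:00:0x - Other reserved protocols" uses an "x" wildcard that is not defined anywhere in the list; spell out the range it covers (for example "01:80:c2:00:00:00 through 01:80:c2:00:00:0f"), since the two preceding entries already fall inside it. "01:00:0c:cc:cc:cd - Cisco Shared Spanning Tree Protocol PVSTP+" looks like a typo for PVST+. It would also help to state plainly that this exclusion applies only to VLAN output ("will not be mirrored to a VLAN") and to say whether the same frames are still delivered when the mirror output is a port rather than a VLAN, since someone capturing on a mirror port needs to know whether STP, CDP and similar frames are expected to be missing.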
@@ -1040,6 +1746,10 @@
Open vSwitch is being used as an intermediate switch, learning can be
disabled by adding the mirrored VLAN to
in the appropriate table or tables.
+
+ Mirroring to a GRE tunnel has fewer caveats than mirroring to a
+ VLAN and should generally be preferred.
+
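Review bot: "Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred" names no caveat that remains, so it reads as a bare recommendation. Tie it to the preceding paragraphs: VLAN mirroring disrupts unmanaged switches and MAC learning and drops the reserved destination addresses listed above, whereas a tunnel is a dedicated output port. Then state what still applies in the tunnel case (the output port is reserved exclusively for mirroring, and the mirrored copies travel across the network between the tunnel endpoints).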
@@ -1060,7 +1770,7 @@
Open vSwitch supports two kinds of OpenFlow controllers:
-
+
- Primary controllers
-
@@ -1138,23 +1848,6 @@
- The specified TCP port (default: 6633) on the host at
the given ip, which must be expressed as an IP address
(not a DNS name).
- discover
- -
-
Enables controller discovery.
- In controller discovery mode, Open vSwitch broadcasts a DHCP
- request with vendor class identifier OpenFlow
across
- all of the bridge's network devices. It will accept any valid
- DHCP reply that has the same vendor class identifier and includes
- a vendor-specific option with code 1 whose contents are a string
- specifying the location of the controller in the same format as
- .
- The DHCP reply may also, optionally, include a vendor-specific
- option with code 2 whose contents are a string specifying the URI
- to the base of the OpenFlow PKI
- (e.g. http://192.168.0.1/openflow/pki
). This URI is
- used only for bootstrapping the OpenFlow PKI at initial switch
- setup; ovs-vswitchd
does not use it at all.
-
The following connection methods are currently supported for service
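Review bot: removing the "discover" connection method drops the behaviour under which the switch "will accept any valid DHCP reply that has the same vendor class identifier" as the source of both the controller location and the "URI to the base of the OpenFlow PKI". Since the PKI bootstrap location was taken from an unauthenticated DHCP reply, the removal is a good change, but the hunk deletes it silently: add a line to the surrounding text (or the release notes) saying that "discover" is no longer accepted as a target, so administrators with such entries understand why their controller no longer connects.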
@@ -1185,39 +1878,36 @@
restricted to the specified local IP address.
-
When multiple controllers are configured for a single bridge, the
- values must be unique. Duplicate
- values yield unspecified results.
+ When multiple controllers are configured for a single bridge, the
+ values must be unique. Duplicate
+ values yield unspecified results.
- If it is specified, this setting must be one of the following
- strings that describes how Open vSwitch contacts this OpenFlow
- controller over the network:
-
-
- in-band
- - In this mode, this controller's OpenFlow traffic travels over the
- bridge associated with the controller. With this setting, Open
- vSwitch allows traffic to and from the controller regardless of the
- contents of the OpenFlow flow table. (Otherwise, Open vSwitch
- would never be able to connect to the controller, because it did
- not have a flow to enable it.) This is the most common connection
- mode because it is not necessary to maintain two independent
- networks.
- out-of-band
- - In this mode, OpenFlow traffic uses a control network separate
- from the bridge associated with this controller, that is, the
- bridge does not use any of its own network devices to communicate
- with the controller. The control network must be configured
- separately, before or after
ovs-vswitchd
is started.
-
-
+ If it is specified, this setting must be one of the following
+ strings that describes how Open vSwitch contacts this OpenFlow
+ controller over the network:
+
+
+ in-band
+ - In this mode, this controller's OpenFlow traffic travels over the
+ bridge associated with the controller. With this setting, Open
+ vSwitch allows traffic to and from the controller regardless of the
+ contents of the OpenFlow flow table. (Otherwise, Open vSwitch
+ would never be able to connect to the controller, because it did
+ not have a flow to enable it.) This is the most common connection
+ mode because it is not necessary to maintain two independent
+ networks.
+ out-of-band
+ - In this mode, OpenFlow traffic uses a control network separate
+ from the bridge associated with this controller, that is, the
+ bridge does not use any of its own network devices to communicate
+ with the controller. The control network must be configured
+ separately, before or after
ovs-vswitchd
is started.
+
+
- If not specified, the default is implementation-specific. If
- is discover
, the connection mode
- is always treated as in-band
regardless of the actual
- setting.
+ If not specified, the default is implementation-specific.
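Review bot: almost all of this hunk is a re-indent of unchanged text ("When multiple controllers are configured...", the in-band and out-of-band descriptions); the only substantive change is dropping "If is discover, the connection mode is always treated as in-band regardless of the actual setting". Split the whitespace-only re-indentation into its own commit so the content change is reviewable. In the in-band description it would also help to be precise that the exemption "regardless of the contents of the OpenFlow flow table" covers only "traffic to and from the controller", not other traffic on the bridge.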
@@ -1234,7 +1924,8 @@
number of seconds, it will send a probe. If a response is not
received for the same additional amount of time, Open vSwitch
assumes the connection has been broken and attempts to reconnect.
- Default is implementation-specific.
+ Default is implementation-specific. A value of 0 disables
+ inactivity probes.
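Review bot: "A value of 0 disables inactivity probes" should also state the consequence: with probes disabled, the step "If a response is not received for the same additional amount of time, Open vSwitch assumes the connection has been broken and attempts to reconnect" never runs, so a hung or silently dropped controller session is noticed only when the underlying connection itself fails. Say that explicitly so that 0 is not read as a harmless tuning value.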
@@ -1267,38 +1958,14 @@
-
- These values are considered only when
- is discover
.
-
-
- A POSIX
- extended regular expression against which the discovered controller
- location is validated. The regular expression is implicitly
- anchored at the beginning of the controller location string, as
- if it begins with ^
. If not specified, the default
- is implementation-specific.
-
-
-
- Whether to update /etc/resolv.conf
when the
- controller is discovered. If not specified, the default
- is implementation-specific. Open vSwitch will only modify
- /etc/resolv.conf
if the DHCP response that it receives
- specifies one or more DNS servers.
-
-
-
These values are considered only in in-band control mode (see
- ) and only when
- is not discover
. (For controller discovery, the network
- configuration obtained via DHCP is used instead.)
+ ).
When multiple controllers are configured on a single bridge, there
- should be only one set of unique values in these columns. If different
- values are set for these columns in different controllers, the effect
- is unspecified.
+ should be only one set of unique values in these columns. If different
+ values are set for these columns in different controllers, the effect
+ is unspecified.
The IP address to configure on the local port,
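Review bot: deleting the "Whether to update /etc/resolv.conf when the controller is discovered" column removes the case where the daemon rewrote the host's resolver configuration from "the DHCP response that it receives", and the POSIX regular expression validation of the discovered location goes with it. Both removals follow from dropping discovery, but neither is mentioned in the remaining text; note the removed columns in the release notes or a schema-upgrade remark so operators who relied on resolv.conf updates do not lose DNS silently. The remaining lines ("When multiple controllers are configured on a single bridge...") change only indentation and belong in a separate whitespace commit.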
@@ -1330,6 +1997,268 @@
unique. No common key-value pairs are currently defined.
+
+
+
+ true
if currently connected to this controller,
+ false
otherwise.
+
+
+
+ The level of authority this controller has on the associated
+ bridge. Possible values are:
+
+ other
+ - Allows the controller access to all OpenFlow features.
+ master
+ - Equivalent to
other
, except that there may be at
+ most one master controller at a time. When a controller configures
+ itself as master
, any existing master is demoted to
+ the slave
role.
+ slave
+ - Allows the controller read-only access to OpenFlow features.
+ Attempts to modify the flow table will be rejected with an
+ error. Slave controllers do not receive OFPT_PACKET_IN or
+ OFPT_FLOW_REMOVED messages, but they do receive OFPT_PORT_STATUS
+ messages.
+
+
+
+
+ Key-value pairs that report controller status.
+
+ last_error
+ - A human-readable description of the last error on the connection
+ to the controller; i.e.
strerror(errno)
. This key
+ will exist only if an error has occurred.
+ state
+ - The state of the connection to the controller. Possible values
+ are:
VOID
(connection is disabled),
+ BACKOFF
(attempting to reconnect at an increasing
+ period), CONNECTING
(attempting to connect),
+ ACTIVE
(connected, remote host responsive), and
+ IDLE
(remote host idle, sending keep-alive). These
+ values may change in the future. They are provided only for human
+ consumption.
+ sec_since_connect
+ - The amount of time since this controller last successfully
+ connected to the switch (in seconds). Value is empty if controller
+ has never successfully connected.
+ sec_since_disconnect
+ - The amount of time since this controller last disconnected from
+ the switch (in seconds). Value is empty if controller has never
+ disconnected.
+
+
+
+
+
+
+
+ Configuration for a database connection to an Open vSwitch database
+ (OVSDB) client.
+
+
+
+ This table primarily configures the Open vSwitch database
+ (ovsdb-server
), not the Open vSwitch switch
+ (ovs-vswitchd
). The switch does read the table to determine
+ what connections should be treated as in-band.
+
+
+
+ The Open vSwitch database server can initiate and maintain active
+ connections to remote clients. It can also listen for database
+ connections.
+
+
+
+
+ Connection method for managers.
+
+ The following connection methods are currently supported:
+
+
+ ssl:ip
[:port
]
+ -
+
+ The specified SSL port (default: 6632) on the host at
+ the given ip, which must be expressed as an IP address
+ (not a DNS name). The
+ column in the table must point to a
+ valid SSL configuration when this form is used.
+
+
+ SSL support is an optional feature that is not always built as
+ part of Open vSwitch.
+
+
+
+ tcp:ip
[:port
]
+ -
+ The specified TCP port (default: 6632) on the host at
+ the given ip, which must be expressed as an IP address
+ (not a DNS name).
+
+ pssl:
[port][:ip
]
+ -
+
+ Listens for SSL connections on the specified TCP port
+ (default: 6632). If ip, which must be expressed as an
+ IP address (not a DNS name), is specified, then connections are
+ restricted to the specified local IP address.
+
+
+ The column in the table must point to a valid SSL
+ configuration when this form is used.
+
+
+ SSL support is an optional feature that is not always built as
+ part of Open vSwitch.
+
+
+ ptcp:
[port][:ip
]
+ -
+ Listens for connections on the specified TCP port
+ (default: 6632). If ip, which must be expressed as an
+ IP address (not a DNS name), is specified, then connections are
+ restricted to the specified local IP address.
+
+
+ When multiple managers are configured, the
+ values must be unique. Duplicate values yield
+ unspecified results.
+
+
+
+
+ If it is specified, this setting must be one of the following strings
+ that describes how Open vSwitch contacts this OVSDB client over the
+ network:
+
+
+
+ in-band
+ -
+ In this mode, this connection's traffic travels over a bridge
+ managed by Open vSwitch. With this setting, Open vSwitch allows
+ traffic to and from the client regardless of the contents of the
+ OpenFlow flow table. (Otherwise, Open vSwitch would never be able
+ to connect to the client, because it did not have a flow to enable
+ it.) This is the most common connection mode because it is not
+ necessary to maintain two independent networks.
+
+ out-of-band
+ -
+ In this mode, the client's traffic uses a control network separate
+ from that managed by Open vSwitch, that is, Open vSwitch does not
+ use any of its own network devices to communicate with the client.
+ The control network must be configured separately, before or after
+
ovs-vswitchd
is started.
+
+
+
+
+ If not specified, the default is implementation-specific.
+
+
+
+
+
+
+ Maximum number of milliseconds to wait between connection attempts.
+ Default is implementation-specific.
+
+
+
+ Maximum number of milliseconds of idle time on connection to the client
+ before sending an inactivity probe message. If Open vSwitch does not
+ communicate with the client for the specified number of seconds, it
+ will send a probe. If a response is not received for the same
+ additional amount of time, Open vSwitch assumes the connection has been
+ broken and attempts to reconnect. Default is implementation-specific.
+ A value of 0 disables inactivity probes.
+
+
+
+
+
+ Key-value pairs for use by external frameworks that integrate with Open
+ vSwitch, rather than by Open vSwitch itself. System integrators should
+ either use the Open vSwitch development mailing list to coordinate on
+ common key-value definitions, or choose key names that are likely to be
+ unique. No common key-value pairs are currently defined.
+
+
+
+
+
+ true
if currently connected to this manager,
+ false
otherwise.
+
+
+
+ Key-value pairs that report manager status.
+
+ last_error
+ - A human-readable description of the last error on the connection
+ to the manager; i.e.
strerror(errno)
. This key
+ will exist only if an error has occurred.
+
+
+ state
+ - The state of the connection to the manager. Possible values
+ are:
VOID
(connection is disabled),
+ BACKOFF
(attempting to reconnect at an increasing
+ period), CONNECTING
(attempting to connect),
+ ACTIVE
(connected, remote host responsive), and
+ IDLE
(remote host idle, sending keep-alive). These
+ values may change in the future. They are provided only for human
+ consumption.
+
+
+ sec_since_connect
+ - The amount of time since this manager last successfully connected
+ to the database (in seconds). Value is empty if manager has never
+ successfully connected.
+
+
+ sec_since_disconnect
+ - The amount of time since this manager last disconnected from the
+ database (in seconds). Value is empty if manager has never
+ disconnected.
+
+
+ locks_held
+ locks_waiting
+ locks_lost
+ -
+ Space-separated lists of the names of OVSDB locks that the
+ connection holds, is currently waiting to acquire, or has had
+ stolen by another OVSDB client, respectively. Key-value pairs for
+ lists that would be empty are omitted.
+
+
+
+ n_connections
+ -
+
+ When specifies a connection method that
+ listens for inbound connections (e.g. ptcp:
or
+ pssl:
) and more than one connection is actually
+ active, the value is the number of active connections.
+ Otherwise, this key-value pair is omitted.
+
+
+ When multiple connections are active, status columns and
+ key-value pairs (other than this one) report the status of one
+ arbitrarily chosen connection.
+
+
+
+
+
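Review bot: the inactivity probe description for managers mixes units: "Maximum number of milliseconds of idle time on connection to the client before sending an inactivity probe message. If Open vSwitch does not communicate with the client for the specified number of seconds, it will send a probe" names milliseconds in the first sentence and seconds in the second; pick one. Two more documentation gaps in this hunk: the role column lists "other", "master" and "slave" but not which role a controller has before it configures itself, and the manager connection methods document an SSL configuration requirement for "ssl:" and "pssl:" while the "tcp:" and "ptcp:" entries say nothing about how (or whether) the peer is authenticated, which a reader choosing a listening method needs to know. Finally, "Value is empty if controller has never successfully connected" under sec_since_connect and "Key-value pairs for lists that would be empty are omitted" under the lock keys should agree on whether a key is present with an empty value or absent.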