A port mirror configures a bridge to send selected frames to special
- ``mirrored'' ports, in addition to their normal destinations. Mirroring
- traffic may also be referred to as SPAN or RSPAN, depending on the
- mechanism used for delivery.
+
+ Optional. The key that received packets must contain, one of:
-
+
+ -
+
0
. The tunnel receives packets with no key or with a
+ key of 0. This is equivalent to specifying no at all.
+
+ -
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. The
+ tunnel receives only packets with the specified key.
+
+ -
+ The word
flow
. The tunnel accepts packets with any
+ key. The key will be placed in the tun_id
field for
+ matching in the flow table. The ovs-ofctl
manual page
+ contains additional information about matching fields in OpenFlow
+ flows.
+
+
+
+
+
+
+
+
+ Optional. The key to be set on outgoing packets, one of:
+
+
+ -
+
0
. Packets sent through the tunnel will have no key.
+ This is equivalent to specifying no at all.
+
+ -
+ A positive 32-bit (for GRE) or 64-bit (for CAPWAP) number. Packets
+ sent through the tunnel will have the specified key.
+
+ -
+ The word
flow
. Packets sent through the tunnel will
+ have the key set using the set_tunnel
Nicira OpenFlow
+ vendor extension (0 is used in the absence of an action). The
+ ovs-ofctl
manual page contains additional information
+ about the Nicira OpenFlow vendor extensions.
+
+
+
+
+
+ Optional. Shorthand to set in_key
and
+ out_key
at the same time.
+
+
+
+ Optional. The value of the ToS bits to be set on the encapsulating
+ packet. ToS is interpreted as DSCP and ECN bits, ECN part must be
+ zero. It may also be the word inherit
, in which case
+ the ToS will be copied from the inner packet if it is IPv4 or IPv6
+ (otherwise it will be 0). The ECN fields are always inherited.
+ Default is 0.
+
+
+
+ Optional. The TTL to be set on the encapsulating packet. It may also
+ be the word inherit
, in which case the TTL will be copied
+ from the inner packet if it is IPv4 or IPv6 (otherwise it will be the
+ system default, typically 64). Default is the system default TTL.
+
+
+
+ Optional. If enabled, the Don't Fragment bit will be copied from the
+ inner IP headers (those of the encapsulated traffic) to the outer
+ (tunnel) headers. Default is disabled; set to true
to
+ enable.
+
+
+
+ Optional. If enabled, the Don't Fragment bit will be set by default on
+ tunnel headers if the df_inherit
option is not set, or if
+ the encapsulated packet is not IP. Default is enabled; set to
+ false
to disable.
+
+
+
+ Optional. Enable tunnel path MTU discovery. If enabled ``ICMP
+ Destination Unreachable - Fragmentation Needed'' messages will be
+ generated for IPv4 packets with the DF bit set and IPv6 packets above
+ the minimum MTU if the packet size exceeds the path MTU minus the size
+ of the tunnel headers. Note that this option causes behavior that is
+ typically reserved for routers and therefore is not entirely in
+ compliance with the IEEE 802.1D specification for bridges. Default is
+ disabled; set to true
to enable. This feature is
+ deprecated and will be removed soon.
+
+
+
+
+ Only gre
interfaces support these options.
+
+
+
+
+
+ Only gre
and ipsec_gre
interfaces support
+ these options.
+
+
+
+
+ Optional. Compute GRE checksums on outgoing packets. Default is
+ disabled, set to true
to enable. Checksums present on
+ incoming packets will be validated regardless of this setting.
+
+
+
+ GRE checksums impose a significant performance penalty because they
+ cover the entire packet. The encapsulated L3, L4, and L7 packet
+ contents typically have their own checksums, so this additional
+ checksum only adds value for the GRE and encapsulated L2 headers.
+
+
+
+ This option is supported for ipsec_gre
, but not useful
+ because GRE checksums are weaker than, and redundant with, IPsec
+ payload authentication.
+
+
+
+
+
+
+ Only ipsec_gre
interfaces support these options.
+
+
+
+ Required for certificate authentication. A string containing the
+ peer's certificate in PEM format. Additionally the host's
+ certificate must be specified with the certificate
+ option.
+
+
+
+ Required for certificate authentication. The name of a PEM file
+ containing a certificate that will be presented to the peer during
+ authentication.
+
+
+
+ Optional for certificate authentication. The name of a PEM file
+ containing the private key associated with certificate
.
+ If certificate
contains the private key, this option may
+ be omitted.
+
+
+
+ Required for pre-shared key authentication. Specifies a pre-shared
+ key for authentication that must be identical on both sides of the
+ tunnel.
+
+
+
+
+
+
+ Only patch
interfaces support these options.
+
+
+
+ The of the for the other
+ side of the patch. The named 's own
+ peer
option must specify this 's
+ name. That is, the two patch interfaces must have reversed and peer
values.
+
+
+
+
+
+ Status information about interfaces attached to bridges, updated every
+ 5 seconds. Not all interfaces have all of these properties; virtual
+ interfaces don't have a link speed, for example. Non-applicable
+ columns will have empty values.
+
+
+
+ The administrative state of the physical network link.
+
+
+
+
+
+ The observed state of the physical network link. This is ordinarily
+ the link's carrier status. If the interface's is
+ a bond configured for miimon monitoring, it is instead the network
+ link's miimon status.
+
+
+
+
+
+ The number of times Open vSwitch has observed the
+ of this change.
+
+
+
+
+
+ The negotiated speed of the physical network link.
+ Valid values are positive integers greater than 0.
+
+
+
+
+
+ The duplex mode of the physical network link.
+
+
+
+
+
+ The MTU (maximum transmission unit); i.e. the largest
+ amount of data that can fit into a single Ethernet frame.
+ The standard Ethernet MTU is 1500 bytes. Some physical media
+ and many kinds of virtual interfaces can be configured with
+ higher MTUs.
+
+
+ This column will be empty for an interface that does not
+ have an MTU as, for example, some kinds of tunnels do not.
+
+
+
+
+ Boolean value indicating LACP status for this interface. If true, this
+ interface has current LACP information about its LACP partner. This
+ information may be used to monitor the health of interfaces in a LACP
+ enabled port. This column will be empty if LACP is not enabled.
+
+
+
+ Key-value pairs that report port status. Supported status values are
+ -dependent; some interfaces may not have a valid
+ , for example.
+
+
+
+ The name of the device driver controlling the network adapter.
+
+
+
+ The version string of the device driver controlling the network
+ adapter.
+
+
+
+ The version string of the network adapter's firmware, if available.
+
+
+
+ The source IP address used for an IPv4 tunnel end-point, such as
+ gre
or capwap
.
+
+
+
+ Egress interface for tunnels. Currently only relevant for GRE and
+ CAPWAP tunnels. On Linux systems, this column will show the name of
+ the interface which is responsible for routing traffic destined for the
+ configured . This could be an
+ internal interface such as a bridge port.
+
+
+
+ Whether carrier is detected on .
+
+
+
+
+
+ Key-value pairs that report interface statistics. The current
+ implementation updates these counters periodically. Future
+ implementations may update them when an interface is created, when they
+ are queried (e.g. using an OVSDB select
operation), and
+ just before an interface is deleted due to virtual interface hot-unplug
+ or VM shutdown, and perhaps at other times, but not on any regular
+ periodic basis.
+
+
+ These are the same statistics reported by OpenFlow in its struct
+ ofp_port_stats
structure. If an interface does not support a
+ given statistic, then that pair is omitted.
+
+
+
+ Number of received packets.
+
+
+ Number of received bytes.
+
+
+ Number of transmitted packets.
+
+
+ Number of transmitted bytes.
+
+
+
+
+ Number of packets dropped by RX.
+
+
+ Number of frame alignment errors.
+
+
+ Number of packets with RX overrun.
+
+
+ Number of CRC errors.
+
+
+ Total number of receive errors, greater than or equal to the sum of
+ the above.
+
+
+
+
+ Number of packets dropped by TX.
+
+
+ Number of collisions.
+
+
+ Total number of transmit errors, greater than or equal to the sum of
+ the above.
+
+
+
+
+
+
+ These settings control ingress policing for packets received on this
+ interface. On a physical interface, this limits the rate at which
+ traffic is allowed into the system from the outside; on a virtual
+ interface (one connected to a virtual machine), this limits the rate at
+ which the VM is able to transmit.
+
+
+ Policing is a simple form of quality-of-service that simply drops
+ packets received in excess of the configured rate. Due to its
+ simplicity, policing is usually less accurate and less effective than
+ egress QoS (which is configured using the and tables).
+
+
+ Policing is currently implemented only on Linux. The Linux
+ implementation uses a simple ``token bucket'' approach:
+
+
+ -
+ The size of the bucket corresponds to
. Initially the bucket is full.
+
+ -
+ Whenever a packet is received, its size (converted to tokens) is
+ compared to the number of tokens currently in the bucket. If the
+ required number of tokens are available, they are removed and the
+ packet is forwarded. Otherwise, the packet is dropped.
+
+ -
+ Whenever it is not full, the bucket is refilled with tokens at the
+ rate specified by
.
+
+
+
+ Policing interacts badly with some network protocols, and especially
+ with fragmented IP packets. Suppose that there is enough network
+ activity to keep the bucket nearly empty all the time. Then this token
+ bucket algorithm will forward a single packet every so often, with the
+ period depending on packet size and on the configured rate. All of the
+ fragments of an IP packets are normally transmitted back-to-back, as a
+ group. In such a situation, therefore, only one of these fragments
+ will be forwarded and the rest will be dropped. IP does not provide
+ any way for the intended recipient to ask for only the remaining
+ fragments. In such a case there are two likely possibilities for what
+ will happen next: either all of the fragments will eventually be
+ retransmitted (as TCP will do), in which case the same problem will
+ recur, or the sender will not realize that its packet has been dropped
+ and data will simply be lost (as some UDP-based protocols will do).
+ Either way, it is possible that no forward progress will ever occur.
+
+
+
+ Maximum rate for data received on this interface, in kbps. Data
+ received faster than this rate is dropped. Set to 0
+ (the default) to disable policing.
+
+
+
+
+ Maximum burst size for data received on this interface, in kb. The
+ default burst size if set to 0
is 1000 kb. This value
+ has no effect if
+ is 0
.
+
+ Specifying a larger burst size lets the algorithm be more forgiving,
+ which is important for protocols like TCP that react severely to
+ dropped packets. The burst size should be at least the size of the
+ interface's MTU. Specifying a value that is numerically at least as
+ large as 10% of helps TCP come
+ closer to achieving the full rate.
+
+
+
+
+
+
+ 802.1ag Connectivity Fault Management (CFM) allows a group of
+ Maintenance Points (MPs) called a Maintenance Association (MA) to
+ detect connectivity problems with each other. MPs within a MA should
+ have complete and exclusive interconnectivity. This is verified by
+ occasionally broadcasting Continuity Check Messages (CCMs) at a
+ configurable transmission interval.
+
+
+
+ According to the 802.1ag specification, each Maintenance Point should
+ be configured out-of-band with a list of Remote Maintenance Points it
+ should have connectivity to. Open vSwitch differs from the
+ specification in this area. It simply assumes the link is faulted if
+ no Remote Maintenance Points are reachable, and considers it not
+ faulted otherwise.
+
+
+
+ When operating over tunnels which have no in_key
, or an
+ in_key
of flow
. CFM will only accept CCMs
+ with a tunnel key of zero.
+
+
+
+ A Maintenance Point ID (MPID) uniquely identifies each endpoint within
+ a Maintenance Association. The MPID is used to identify this endpoint
+ to other Maintenance Points in the MA. Each end of a link being
+ monitored should have a different MPID. Must be configured to enable
+ CFM on this .
+
+
+
+
+ Indicates a connectivity fault triggered by an inability to receive
+ heartbeats from any remote endpoint. When a fault is triggered on
+ s participating in bonds, they will be
+ disabled.
+
+
+ Faults can be triggered for several reasons. Most importantly they
+ are triggered when no CCMs are received for a period of 3.5 times the
+ transmission interval. Faults are also triggered when any CCMs
+ indicate that a Remote Maintenance Point is not receiving CCMs but
+ able to send them. Finally, a fault is triggered if a CCM is
+ received which indicates unexpected configuration. Notably, this
+ case arises when a CCM is received which advertises the local MPID.
+
+
+
+
+ Indicates a CFM fault was triggered due to a lack of CCMs received on
+ the .
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM with
+ the RDI bit flagged. Endpoints set the RDI bit in their CCMs when they
+ are not receiving CCMs themselves. This typically indicates a
+ unidirectional connectivity failure.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM with
+ a MAID other than the one Open vSwitch uses. CFM broadcasts are tagged
+ with an identification number in addition to the MPID called the MAID.
+ Open vSwitch only supports receiving CCM broadcasts tagged with the
+ MAID it uses internally.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM
+ advertising the same MPID configured in the
+ column of this . This may indicate a loop in
+ the network.
+
+
+
+ Indicates a CFM fault was triggered because the CFM module received
+ CCMs from more remote endpoints than it can keep track of.
+
+
+
+ Indicates a CFM fault was manually triggered by an administrator using
+ an ovs-appctl
command.
+
+
+
+ Indicates a CFM fault was triggered due to the reception of a CCM
+ frame having an invalid interval.
+
+
+
+ When in extended mode, indicates the operational state of the
+ remote endpoint as either up
or down
. See
+ .
+
+
+
+
+
+ Indicates the health of the interface as a percentage of CCM frames
+ received over 21 s.
+ The health of an interface is undefined if it is communicating with
+ more than one . It reduces if
+ healthy heartbeats are not received at the expected rate, and
+ gradually improves as healthy heartbeats are received at the desired
+ rate. Every 21 s, the
+ health of the interface is refreshed.
+
+
+ As mentioned above, the faults can be triggered for several reasons.
+ The link health will deteriorate even if heartbeats are received but
+ they are reported to be unhealthy. An unhealthy heartbeat in this
+ context is a heartbeat for which either some fault is set or is out
+ of sequence. The interface health can be 100 only on receiving
+ healthy heartbeats at the desired rate.
+
+
+
+
+ When CFM is properly configured, Open vSwitch will occasionally
+ receive CCM broadcasts. These broadcasts contain the MPID of the
+ sending Maintenance Point. The list of MPIDs from which this
+ is receiving broadcasts from is regularly
+ collected and written to this column.
+
+
+
+
+ The interval, in milliseconds, between transmissions of CFM
+ heartbeats. Three missed heartbeat receptions indicate a
+ connectivity fault.
+
+
+
+ In standard operation only intervals of 3, 10, 100, 1,000, 10,000,
+ 60,000, or 600,000 ms are supported. Other values will be rounded
+ down to the nearest value on the list. Extended mode (see ) supports any interval up
+ to 65,535 ms. In either mode, the default is 1000 ms.
+
+
+ We do not recommend using intervals less than 100 ms.
+
+
+
+ When true
, the CFM module operates in extended mode. This
+ causes it to use a nonstandard destination address to avoid conflicting
+ with compliant implementations which may be running concurrently on the
+ network. Furthermore, extended mode increases the accuracy of the
+ cfm_interval
configuration parameter by breaking wire
+ compatibility with 802.1ag compliant implementations. Defaults to
+ false
.
+
+
+ When down
, the CFM module marks all CCMs it generates as
+ operationally down without triggering a fault. This allows remote
+ maintenance points to choose not to forward traffic to the
+ on which this CFM module is running.
+ Currently, in Open vSwitch, the opdown bit of CCMs affects
+ s participating in bonds, and the bundle
+ OpenFlow action. This setting is ignored when CFM is not in extended
+ mode. Defaults to up
.
+
+
+
+ When set, the CFM module will apply a VLAN tag to all CCMs it generates
+ with the given value. May be the string random
in which
+ case each CCM will be tagged with a different randomly generated VLAN.
+
+
+
+ When set, the CFM module will apply a VLAN tag to all CCMs it generates
+ with the given PCP value, the VLAN ID of the tag is governed by the
+ value of . If
+ is unset, a VLAN ID of
+ zero is used.
+
+
+
+
+
+
+ Used in stable
bond mode to make slave
+ selection decisions. Allocating values consistently across interfaces
+ participating in a bond will guarantee consistent slave selection
+ decisions across ovs-vswitchd
instances when using
+ stable
bonding mode.
+
+
+
+ The LACP port ID of this . Port IDs are
+ used in LACP negotiations to identify individual ports
+ participating in a bond.
+
+
+
+ The LACP port priority of this . In LACP
+ negotiations s with numerically lower
+ priorities are preferred for aggregation.
+
+
+
+ The LACP aggregation key of this . s with different aggregation keys may not be active
+ within a given at the same time.
+
+
+
+
+
+ These key-value pairs specifically apply to an interface that
+ represents a virtual Ethernet interface connected to a virtual
+ machine. These key-value pairs should not be present for other types
+ of interfaces. Keys whose names end in -uuid
have
+ values that uniquely identify the entity in question. For a Citrix
+ XenServer hypervisor, these values are UUIDs in RFC 4122 format.
+ Other hypervisors may use other formats.
+
+
+
+ The MAC address programmed into the ``virtual hardware'' for this
+ interface, in the form
+ xx:xx:xx:xx:xx:xx.
+ For Citrix XenServer, this is the value of the MAC
field
+ in the VIF record for this interface.
+
+
+
+ A system-unique identifier for the interface. On XenServer, this will
+ commonly be the same as .
+
+
+
+
+ Hypervisors may sometimes have more than one interface associated
+ with a given , only one of
+ which is actually in use at a given time. For example, in some
+ circumstances XenServer has both a ``tap'' and a ``vif'' interface
+ for a single , but only
+ uses one of them at a time. A hypervisor that behaves this way must
+ mark the currently in use interface active
and the
+ others inactive
. A hypervisor that never has more than
+ one interface for a given
+ may mark that interface active
or omit entirely.
+
+
+
+ During VM migration, a given might transiently be marked active
on
+ two different hypervisors. That is, active
means that
+ this is the active
+ instance within a single hypervisor, not in a broader scope.
+
+
+
+
+ The virtual interface associated with this interface.
+
+
+
+ The virtual network to which this interface is attached.
+
+
+
+ The VM to which this interface belongs. On XenServer, this will be the
+ same as .
+
+
+
+ The VM to which this interface belongs.
+
+
+
+
+
+ The ``VLAN splinters'' feature increases Open vSwitch compatibility
+ with buggy network drivers in old versions of Linux that do not
+ properly support VLANs when VLAN devices are not used, at some cost
+ in memory and performance.
+
+
+
+ When VLAN splinters are enabled on a particular interface, Open vSwitch
+ creates a VLAN device for each in-use VLAN. For sending traffic tagged
+ with a VLAN on the interface, it substitutes the VLAN device. Traffic
+ received on the VLAN device is treated as if it had been received on
+ the interface on the particular VLAN.
+
+
+
+ VLAN splinters consider a VLAN to be in use if:
+
+
+
+ -
+ The VLAN is the
value in any record.
+
+
+ -
+ The VLAN is listed within the
+ column of the record of an interface on which
+ VLAN splinters are enabled.
+
+ An empty does not influence the
+ in-use VLANs: creating 4,096 VLAN devices is impractical because it
+ will exceed the current 1,024 port per datapath limit.
+
+
+ -
+ An OpenFlow flow within any bridge matches the VLAN.
+
+
+
+
+ The same set of in-use VLANs applies to every interface on which VLAN
+ splinters are enabled. That is, the set is not chosen separately for
+ each interface but selected once as the union of all in-use VLANs based
+ on the rules above.
+
+
+
+ It does not make sense to enable VLAN splinters on an interface for an
+ access port, or on an interface that is not a physical port.
+
+
+
+ VLAN splinters are deprecated. When broken device drivers are no
+ longer in widespread use, we will delete this feature.
+
+
+
+
+ Set to true
to enable VLAN splinters on this interface.
+ Defaults to false
.
+
+
+
+ VLAN splinters increase kernel and userspace memory overhead, so do
+ not use them unless they are needed.
+
+
+
+ VLAN splinters do not support 802.1p priority tags. Received
+ priorities will appear to be 0, regardless of their actual values,
+ and priorities on transmitted packets will also be cleared to 0.
+
+
+
+
+
+ The overall purpose of these columns is described under Common
+ Columns
at the beginning of this document.
+
+
+
+
+
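Review bot: the two statements about when a CFM fault is declared disagree: the cfm_interval text says "Three missed heartbeat receptions indicate a connectivity fault", while the fault-trigger paragraph says faults are "triggered when no CCMs are received for a period of 3.5 times the transmission interval"; settle on one figure (3.5 intervals is the one the fault description relies on) and state it identically in both places so operators do not mis-tune the interval. Two wording defects in the same hunk: the tunnel-key sentence in the CFM introduction, "When operating over tunnels which have no in_key, or an in_key of flow. CFM will only accept CCMs with a tunnel key of zero.", needs a comma rather than a full stop after "flow" so the condition attaches to the statement that follows; and "The list of MPIDs from which this is receiving broadcasts from is regularly collected" has a doubled "from". Finally, in the policing discussion, "All of the fragments of an IP packets are normally transmitted back-to-back" should read "an IP packet".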