mirror of
				https://github.com/openvswitch/ovs
				synced 2025-10-25 15:07:05 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			748 lines
		
	
	
		
			31 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			748 lines
		
	
	
		
			31 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
|                  Open vSwitch <http://openvswitch.org>
 | |
| 
 | |
| Frequently Asked Questions
 | |
| ==========================
 | |
| 
 | |
| General
 | |
| -------
 | |
| 
 | |
| Q: What is Open vSwitch?
 | |
| 
 | |
| A: Open vSwitch is a production quality open source software switch
 | |
|    designed to be used as a vswitch in virtualized server environments.  A
 | |
|    vswitch forwards traffic between different VMs on the same physical host
 | |
|    and also forwards traffic between VMs and the physical network.  Open
 | |
|    vSwitch supports standard management interfaces (e.g. sFlow, NetFlow,
 | |
|    RSPAN, CLI), and is open to programmatic extension and control using
 | |
|    OpenFlow and the OVSDB management protocol.
 | |
| 
 | |
|    Open vSwitch as designed to be compatible with modern switching
 | |
|    chipsets.  This means that it can be ported to existing high-fanout
 | |
|    switches allowing the same flexible control of the physical
 | |
|    infrastructure as the virtual infrastructure.  It also means that
 | |
|    Open vSwitch will be able to take advantage of on-NIC switching
 | |
|    chipsets as their functionality matures.
 | |
| 
 | |
| Q: What virtualization platforms can use Open vSwitch?
 | |
| 
 | |
| A: Open vSwitch can currently run on any Linux-based virtualization
 | |
|    platform (kernel 2.6.18 and newer), including: KVM, VirtualBox, Xen,
 | |
|    Xen Cloud Platform, XenServer. As of Linux 3.3 it is part of the
 | |
|    mainline kernel.  The bulk of the code is written in platform-
 | |
|    independent C and is easily ported to other environments.  We welcome
 | |
|    inquires about integrating Open vSwitch with other virtualization
 | |
|    platforms.
 | |
| 
 | |
| Q: How can I try Open vSwitch?
 | |
| 
 | |
| A: The Open vSwitch source code can be built on a Linux system.  You can
 | |
|    build and experiment with Open vSwitch on any Linux machine.
 | |
|    Packages for various Linux distributions are available on many
 | |
|    platforms, including: Debian, Ubuntu, Fedora.
 | |
| 
 | |
|    You may also download and run a virtualization platform that already
 | |
|    has Open vSwitch integrated.  For example, download a recent ISO for
 | |
|    XenServer or Xen Cloud Platform.  Be aware that the version
 | |
|    integrated with a particular platform may not be the most recent Open
 | |
|    vSwitch release.
 | |
| 
 | |
| Q: Does Open vSwitch only work on Linux?
 | |
| 
 | |
| A: No, Open vSwitch has been ported to a number of different operating
 | |
|    systems and hardware platforms.  Most of the development work occurs
 | |
|    on Linux, but the code should be portable to any POSIX system.  We've
 | |
|    seen Open vSwitch ported to a number of different platforms,
 | |
|    including FreeBSD, Windows, and even non-POSIX embedded systems.
 | |
| 
 | |
|    By definition, the Open vSwitch Linux kernel module only works on
 | |
|    Linux and will provide the highest performance.  However, a userspace
 | |
|    datapath is available that should be very portable.
 | |
| 
 | |
| Q: What's involved with porting Open vSwitch to a new platform or
 | |
|    switching ASIC?
 | |
| 
 | |
| A: The PORTING document describes how one would go about porting Open
 | |
|    vSwitch to a new operating system or hardware platform.
 | |
| 
 | |
| Q: Why would I use Open vSwitch instead of the Linux bridge?
 | |
| 
 | |
| A: Open vSwitch is specially designed to make it easier to manage VM
 | |
|    network configuration and monitor state spread across many physical
 | |
|    hosts in dynamic virtualized environments.  Please see WHY-OVS for a
 | |
|    more detailed description of how Open vSwitch relates to the Linux
 | |
|    Bridge.
 | |
| 
 | |
| Q: How is Open vSwitch related to distributed virtual switches like the
 | |
|    VMware vNetwork distributed switch or the Cisco Nexus 1000V?
 | |
| 
 | |
| A: Distributed vswitch applications (e.g., VMware vNetwork distributed
 | |
|    switch, Cisco Nexus 1000V) provide a centralized way to configure and
 | |
|    monitor the network state of VMs that are spread across many physical
 | |
|    hosts.  Open vSwitch is not a distributed vswitch itself, rather it
 | |
|    runs on each physical host and supports remote management in a way
 | |
|    that makes it easier for developers of virtualization/cloud
 | |
|    management platforms to offer distributed vswitch capabilities.
 | |
| 
 | |
|    To aid in distribution, Open vSwitch provides two open protocols that
 | |
|    are specially designed for remote management in virtualized network
 | |
|    environments: OpenFlow, which exposes flow-based forwarding state,
 | |
|    and the OVSDB management protocol, which exposes switch port state.
 | |
|    In addition to the switch implementation itself, Open vSwitch
 | |
|    includes tools (ovs-controller, ovs-ofctl, ovs-vsctl) that developers
 | |
|    can script and extend to provide distributed vswitch capabilities
 | |
|    that are closely integrated with their virtualization management
 | |
|    platform.
 | |
| 
 | |
| Q: Why doesn't Open vSwitch support distribution?
 | |
| 
 | |
| A: Open vSwitch is intended to be a useful component for building
 | |
|    flexible network infrastructure. There are many different approaches
 | |
|    to distribution which balance trade-offs between simplicity,
 | |
|    scalability, hardware compatibility, convergence times, logical
 | |
|    forwarding model, etc. The goal of Open vSwitch is to be able to
 | |
|    support all as a primitive building block rather than choose a
 | |
|    particular point in the distributed design space.
 | |
| 
 | |
| Q: How can I contribute to the Open vSwitch Community?
 | |
| 
 | |
| A: You can start by joining the mailing lists and helping to answer
 | |
|    questions.  You can also suggest improvements to documentation.  If
 | |
|    you have a feature or bug you would like to work on, send a mail to
 | |
|    one of the mailing lists:
 | |
| 
 | |
|        http://openvswitch.org/mlists/
 | |
| 
 | |
| 
 | |
| 
 | |
| Releases
 | |
| --------
 | |
| 
 | |
| Q: What does it mean for an Open vSwitch release to be LTS (long-term
 | |
|    support)?
 | |
| 
 | |
| A: All official releases have been through a comprehensive testing
 | |
|    process and are suitable for production use.  Planned releases will
 | |
|    occur several times a year.  If a significant bug is identified in an
 | |
|    LTS release, we will provide an updated release that includes the
 | |
|    fix.  Releases that are not LTS may not be fixed and may just be
 | |
|    supplanted by the next major release.  The current LTS release is
 | |
|    1.4.x.
 | |
| 
 | |
| Q: What features are not available in the Open vSwitch kernel datapath
 | |
|    that ships as part of the upstream Linux kernel?
 | |
| 
 | |
| A: The kernel module in upstream Linux 3.3 and later does not include
 | |
|    the following features:
 | |
| 
 | |
|        - Bridge compatibility, that is, support for the ovs-brcompatd
 | |
|          daemon that (if you enable it) lets "brctl" and other Linux
 | |
|          bridge tools transparently work with Open vSwitch instead.
 | |
| 
 | |
|          We do not expect bridge compatibility to ever be available in
 | |
|          upstream Linux.  If you need bridge compatibility, use the
 | |
|          kernel module from the Open vSwitch distribution instead of the
 | |
|          upstream Linux kernel module.
 | |
| 
 | |
|        - Tunnel virtual ports, that is, interfaces with type "gre",
 | |
|          "ipsec_gre", "capwap".  It is possible to create tunnels in
 | |
|          Linux and attach them to Open vSwitch as system devices.
 | |
|          However, they cannot be dynamically created through the OVSDB
 | |
|          protocol or set the tunnel ids as a flow action.
 | |
| 
 | |
|          Work is in progress in adding these features to the upstream
 | |
|          Linux version of the Open vSwitch kernel module.  For now, if
 | |
|          you need these features, use the kernel module from the Open
 | |
|          vSwitch distribution instead of the upstream Linux kernel
 | |
|          module.
 | |
| 
 | |
|        - Patch virtual ports, that is, interfaces with type "patch".
 | |
|          You can use Linux "veth" devices as a substitute.
 | |
| 
 | |
|          We don't have any plans to add patch ports upstream.
 | |
| 
 | |
| Q: What features are not available when using the userspace datapath?
 | |
| 
 | |
| A: Tunnel and patch virtual ports are not supported, as described in the
 | |
|    previous answer.  It is also not possible to use queue-related
 | |
|    actions.  On Linux kernels before 2.6.39, maximum-sized VLAN packets
 | |
|    may not be transmitted.
 | |
| 
 | |
| 
 | |
| Basic Configuration
 | |
| -------------------
 | |
| 
 | |
| Q: How do I configure a port as an access port?
 | |
| 
 | |
| A: Add "tag=VLAN" to your "ovs-vsctl add-port" command.  For example,
 | |
|    the following commands configure br0 with eth0 as a trunk port (the
 | |
|    default) and tap0 as an access port for VLAN 9:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 tap0 tag=9
 | |
| 
 | |
|    If you want to configure an already added port as an access port,
 | |
|    use "ovs-vsctl set", e.g.:
 | |
| 
 | |
|        ovs-vsctl set port tap0 tag=9
 | |
| 
 | |
| Q: How do I configure a port as a SPAN port, that is, enable mirroring
 | |
|    of all traffic to that port?
 | |
| 
 | |
| A: The following commands configure br0 with eth0 and tap0 as trunk
 | |
|    ports.  All traffic coming in or going out on eth0 or tap0 is also
 | |
|    mirrored to tap1; any traffic arriving on tap1 is dropped:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 tap0
 | |
|        ovs-vsctl add-port br0 tap1 \
 | |
|            -- --id=@p get port tap1 \
 | |
| 	   -- --id=@m create mirror name=m0 select-all=true output-port=@p \
 | |
| 	   -- set bridge br0 mirrors=@m
 | |
| 
 | |
|    To later disable mirroring, run:
 | |
| 
 | |
|        ovs-vsctl clear bridge br0 mirrors
 | |
| 
 | |
| Q: How do I configure a VLAN as an RSPAN VLAN, that is, enable
 | |
|    mirroring of all traffic to that VLAN?
 | |
| 
 | |
| A: The following commands configure br0 with eth0 as a trunk port and
 | |
|    tap0 as an access port for VLAN 10.  All traffic coming in or going
 | |
|    out on tap0, as well as traffic coming in or going out on eth0 in
 | |
|    VLAN 10, is also mirrored to VLAN 15 on eth0.  The original tag for
 | |
|    VLAN 10, in cases where one is present, is dropped as part of
 | |
|    mirroring:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 tap0 tag=10
 | |
|        ovs-vsctl \
 | |
| 	   -- --id=@m create mirror name=m0 select-all=true select-vlan=10 \
 | |
|                                     output-vlan=15 \
 | |
| 	   -- set bridge br0 mirrors=@m
 | |
| 
 | |
|    To later disable mirroring, run:
 | |
| 
 | |
|        ovs-vsctl clear bridge br0 mirrors
 | |
| 
 | |
|    Mirroring to a VLAN can disrupt a network that contains unmanaged
 | |
|    switches.  See ovs-vswitchd.conf.db(5) for details.  Mirroring to a
 | |
|    GRE tunnel has fewer caveats than mirroring to a VLAN and should
 | |
|    generally be preferred.
 | |
| 
 | |
| Q: Can I mirror more than one input VLAN to an RSPAN VLAN?
 | |
| 
 | |
| A: Yes, but mirroring to a VLAN strips the original VLAN tag in favor
 | |
|    of the specified output-vlan.  This loss of information may make
 | |
|    the mirrored traffic too hard to interpret.
 | |
| 
 | |
|    To mirror multiple VLANs, use the commands above, but specify a
 | |
|    comma-separated list of VLANs as the value for select-vlan.  To
 | |
|    mirror every VLAN, use the commands above, but omit select-vlan and
 | |
|    its value entirely.
 | |
| 
 | |
|    When a packet arrives on a VLAN that is used as a mirror output
 | |
|    VLAN, the mirror is disregarded.  Instead, in standalone mode, OVS
 | |
|    floods the packet across all the ports for which the mirror output
 | |
|    VLAN is configured.  (If an OpenFlow controller is in use, then it
 | |
|    can override this behavior through the flow table.)  If OVS is used
 | |
|    as an intermediate switch, rather than an edge switch, this ensures
 | |
|    that the RSPAN traffic is distributed through the network.
 | |
| 
 | |
|    Mirroring to a VLAN can disrupt a network that contains unmanaged
 | |
|    switches.  See ovs-vswitchd.conf.db(5) for details.  Mirroring to a
 | |
|    GRE tunnel has fewer caveats than mirroring to a VLAN and should
 | |
|    generally be preferred.
 | |
| 
 | |
| Q: How do I configure mirroring of all traffic to a GRE tunnel?
 | |
| 
 | |
| A: The following commands configure br0 with eth0 and tap0 as trunk
 | |
|    ports.  All traffic coming in or going out on eth0 or tap0 is also
 | |
|    mirrored to gre0, a GRE tunnel to the remote host 192.168.1.10; any
 | |
|    traffic arriving on gre0 is dropped:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 tap0
 | |
|        ovs-vsctl add-port br0 gre0 \
 | |
|            -- set interface gre0 type=gre options:remote_ip=192.168.1.10 \
 | |
|            -- --id=@p get port gre0 \
 | |
| 	   -- --id=@m create mirror name=m0 select-all=true output-port=@p \
 | |
| 	   -- set bridge br0 mirrors=@m
 | |
| 
 | |
|    To later disable mirroring and destroy the GRE tunnel:
 | |
| 
 | |
|        ovs-vsctl clear bridge br0 mirrors
 | |
|        ovs-vcstl del-port br0 gre0
 | |
| 
 | |
| Q: Does Open vSwitch support ERSPAN?
 | |
| 
 | |
| A: No.  ERSPAN is an undocumented proprietary protocol.  As an
 | |
|    alternative, Open vSwitch supports mirroring to a GRE tunnel (see
 | |
|    above).
 | |
| 
 | |
| 
 | |
| Configuration Problems
 | |
| ----------------------
 | |
| 
 | |
| Q: I created a bridge and added my Ethernet port to it, using commands
 | |
|    like these:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
| 
 | |
|    and as soon as I ran the "add-port" command I lost all connectivity
 | |
|    through eth0.  Help!
 | |
| 
 | |
| A: A physical Ethernet device that is part of an Open vSwitch bridge
 | |
|    should not have an IP address.  If one does, then that IP address
 | |
|    will not be fully functional.
 | |
| 
 | |
|    You can restore functionality by moving the IP address to an Open
 | |
|    vSwitch "internal" device, such as the network device named after
 | |
|    the bridge itself.  For example, assuming that eth0's IP address is
 | |
|    192.168.128.5, you could run the commands below to fix up the
 | |
|    situation:
 | |
| 
 | |
|        ifconfig eth0 0.0.0.0
 | |
|        ifconfig br0 192.168.128.5
 | |
| 
 | |
|    (If your only connection to the machine running OVS is through the
 | |
|    IP address in question, then you would want to run all of these
 | |
|    commands on a single command line, or put them into a script.)  If
 | |
|    there were any additional routes assigned to eth0, then you would
 | |
|    also want to use commands to adjust these routes to go through br0.
 | |
| 
 | |
|    If you use DHCP to obtain an IP address, then you should kill the
 | |
|    DHCP client that was listening on the physical Ethernet interface
 | |
|    (e.g. eth0) and start one listening on the internal interface
 | |
|    (e.g. br0).  You might still need to manually clear the IP address
 | |
|    from the physical interface (e.g. with "ifconfig eth0 0.0.0.0").
 | |
| 
 | |
|    There is no compelling reason why Open vSwitch must work this way.
 | |
|    However, this is the way that the Linux kernel bridge module has
 | |
|    always worked, so it's a model that those accustomed to Linux
 | |
|    bridging are already used to.  Also, the model that most people
 | |
|    expect is not implementable without kernel changes on all the
 | |
|    versions of Linux that Open vSwitch supports.
 | |
| 
 | |
|    By the way, this issue is not specific to physical Ethernet
 | |
|    devices.  It applies to all network devices except Open vswitch
 | |
|    "internal" devices.
 | |
| 
 | |
| Q: I created a bridge and added a couple of Ethernet ports to it,
 | |
|    using commands like these:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 eth1
 | |
| 
 | |
|    and now my network seems to have melted: connectivity is unreliable
 | |
|    (even connectivity that doesn't go through Open vSwitch), all the
 | |
|    LEDs on my physical switches are blinking, wireshark shows
 | |
|    duplicated packets, and CPU usage is very high.
 | |
| 
 | |
| A: More than likely, you've looped your network.  Probably, eth0 and
 | |
|    eth1 are connected to the same physical Ethernet switch.  This
 | |
|    yields a scenario where OVS receives a broadcast packet on eth0 and
 | |
|    sends it out on eth1, then the physical switch connected to eth1
 | |
|    sends the packet back on eth0, and so on forever.  More complicated
 | |
|    scenarios, involving a loop through multiple switches, are possible
 | |
|    too.
 | |
| 
 | |
|    The solution depends on what you are trying to do:
 | |
| 
 | |
|        - If you added eth0 and eth1 to get higher bandwidth or higher
 | |
|          reliability between OVS and your physical Ethernet switch,
 | |
|          use a bond.  The following commands create br0 and then add
 | |
|          eth0 and eth1 as a bond:
 | |
| 
 | |
|              ovs-vsctl add-br br0
 | |
|              ovs-vsctl add-bond br0 bond0 eth0 eth1
 | |
| 
 | |
|          Bonds have tons of configuration options.  Please read the
 | |
|          documentation on the Port table in ovs-vswitchd.conf.db(5)
 | |
|          for all the details.
 | |
| 
 | |
|        - Perhaps you don't actually need eth0 and eth1 to be on the
 | |
|          same bridge.  For example, if you simply want to be able to
 | |
|          connect each of them to virtual machines, then you can put
 | |
|          each of them on a bridge of its own:
 | |
| 
 | |
|              ovs-vsctl add-br br0
 | |
|              ovs-vsctl add-port br0 eth0
 | |
| 
 | |
|              ovs-vsctl add-br br1
 | |
|              ovs-vsctl add-port br1 eth1
 | |
| 
 | |
|          and then connect VMs to br0 and br1.  (A potential
 | |
|          disadvantage is that traffic cannot directly pass between br0
 | |
|          and br1.  Instead, it will go out eth0 and come back in eth1,
 | |
|          or vice versa.)
 | |
| 
 | |
|        - If you have a redundant or complex network topology and you
 | |
|          want to prevent loops, turn on spanning tree protocol (STP).
 | |
|          The following commands create br0, enable STP, and add eth0
 | |
|          and eth1 to the bridge.  The order is important because you
 | |
|          don't want have to have a loop in your network even
 | |
|          transiently:
 | |
| 
 | |
|              ovs-vsctl add-br br0
 | |
|              ovs-vsctl set bridge br0 stp_enable=true
 | |
|              ovs-vsctl add-port br0 eth0
 | |
|              ovs-vsctl add-port br0 eth1
 | |
| 
 | |
|          The Open vSwitch implementation of STP is not well tested.
 | |
|          Please report any bugs you observe, but if you'd rather avoid
 | |
|          acting as a beta tester then another option might be your
 | |
|          best shot.
 | |
| 
 | |
| Q: I can't seem to use Open vSwitch in a wireless network.
 | |
| 
 | |
| A: Wireless base stations generally only allow packets with the source
 | |
|    MAC address of NIC that completed the initial handshake.
 | |
|    Therefore, without MAC rewriting, only a single device can
 | |
|    communicate over a single wireless link.
 | |
| 
 | |
|    This isn't specific to Open vSwitch, it's enforced by the access
 | |
|    point, so the same problems will show up with the Linux bridge or
 | |
|    any other way to do bridging.
 | |
| 
 | |
| Q: Is there any documentation on the database tables and fields?
 | |
| 
 | |
| A: Yes.  ovs-vswitchd.conf.db(5) is a comprehensive reference.
 | |
| 
 | |
| 
 | |
| VLANs
 | |
| -----
 | |
| 
 | |
| Q: What's a VLAN?
 | |
| 
 | |
| A: At the simplest level, a VLAN (short for "virtual LAN") is a way to
 | |
|    partition a single switch into multiple switches.  Suppose, for
 | |
|    example, that you have two groups of machines, group A and group B.
 | |
|    You want the machines in group A to be able to talk to each other,
 | |
|    and you want the machine in group B to be able to talk to each
 | |
|    other, but you don't want the machines in group A to be able to
 | |
|    talk to the machines in group B.  You can do this with two
 | |
|    switches, by plugging the machines in group A into one switch and
 | |
|    the machines in group B into the other switch.
 | |
| 
 | |
|    If you only have one switch, then you can use VLANs to do the same
 | |
|    thing, by configuring the ports for machines in group A as VLAN
 | |
|    "access ports" for one VLAN and the ports for group B as "access
 | |
|    ports" for a different VLAN.  The switch will only forward packets
 | |
|    between ports that are assigned to the same VLAN, so this
 | |
|    effectively subdivides your single switch into two independent
 | |
|    switches, one for each group of machines.
 | |
| 
 | |
|    So far we haven't said anything about VLAN headers.  With access
 | |
|    ports, like we've described so far, no VLAN header is present in
 | |
|    the Ethernet frame.  This means that the machines (or switches)
 | |
|    connected to access ports need not be aware that VLANs are
 | |
|    involved, just like in the case where we use two different physical
 | |
|    switches.
 | |
| 
 | |
|    Now suppose that you have a whole bunch of switches in your
 | |
|    network, instead of just one, and that some machines in group A are
 | |
|    connected directly to both switches 1 and 2.  To allow these
 | |
|    machines to talk to each other, you could add an access port for
 | |
|    group A's VLAN to switch 1 and another to switch 2, and then
 | |
|    connect an Ethernet cable between those ports.  That works fine,
 | |
|    but it doesn't scale well as the number of switches and the number
 | |
|    of VLANs increases, because you use up a lot of valuable switch
 | |
|    ports just connecting together your VLANs.
 | |
| 
 | |
|    This is where VLAN headers come in.  Instead of using one cable and
 | |
|    two ports per VLAN to connect a pair of switches, we configure a
 | |
|    port on each switch as a VLAN "trunk port".  Packets sent and
 | |
|    received on a trunk port carry a VLAN header that says what VLAN
 | |
|    the packet belongs to, so that only two ports total are required to
 | |
|    connect the switches, regardless of the number of VLANs in use.
 | |
|    Normally, only switches (either physical or virtual) are connected
 | |
|    to a trunk port, not individual hosts, because individual hosts
 | |
|    don't expect to see a VLAN header in the traffic that they receive.
 | |
| 
 | |
|    None of the above discussion says anything about particular VLAN
 | |
|    numbers.  This is because VLAN numbers are completely arbitrary.
 | |
|    One must only ensure that a given VLAN is numbered consistently
 | |
|    throughout a network and that different VLANs are given different
 | |
|    numbers.  (That said, VLAN 0 is usually synonymous with a packet
 | |
|    that has no VLAN header, and VLAN 4095 is reserved.)
 | |
| 
 | |
| Q: VLANs don't work.
 | |
| 
 | |
| A: Many drivers in Linux kernels before version 3.3 had VLAN-related
 | |
|    bugs.  If you are having problems with VLANs that you suspect to be
 | |
|    driver related, then you have several options:
 | |
| 
 | |
|        - Upgrade to Linux 3.3 or later.
 | |
| 
 | |
|        - Build and install a fixed version of the particular driver
 | |
|          that is causing trouble, if one is available.
 | |
| 
 | |
|        - Use a NIC whose driver does not have VLAN problems.
 | |
| 
 | |
|        - Use "VLAN splinters", a feature in Open vSwitch 1.4 and later
 | |
|          that works around bugs in kernel drivers.  To enable VLAN
 | |
|          splinters on interface eth0, use the command:
 | |
| 
 | |
|            ovs-vsctl set interface eth0 other-config:enable-vlan-splinters=true
 | |
| 
 | |
|          For VLAN splinters to be effective, Open vSwitch must know
 | |
|          which VLANs are in use.  See the "VLAN splinters" section in
 | |
|          the Interface table in ovs-vswitchd.conf.db(5) for details on
 | |
|          how Open vSwitch infers in-use VLANs.
 | |
| 
 | |
|          VLAN splinters increase memory use and reduce performance, so
 | |
|          use them only if needed.
 | |
| 
 | |
|        - Apply the "vlan workaround" patch from the XenServer kernel
 | |
|          patch queue, build Open vSwitch against this patched kernel,
 | |
|          and then use ovs-vlan-bug-workaround(8) to enable the VLAN
 | |
|          workaround for each interface whose driver is buggy.
 | |
| 
 | |
|          (This is a nontrivial exercise, so this option is included
 | |
|          only for completeness.)
 | |
| 
 | |
|    It is not always easy to tell whether a Linux kernel driver has
 | |
|    buggy VLAN support.  The ovs-vlan-test(8) and ovs-test(8) utilities
 | |
|    can help you test.  See their manpages for details.  Of the two
 | |
|    utilities, ovs-test(8) is newer and more thorough, but
 | |
|    ovs-vlan-test(8) may be easier to use.
 | |
| 
 | |
| Q: VLANs still don't work.  I've tested the driver so I know that it's OK.
 | |
| 
 | |
| A: Do you have VLANs enabled on the physical switch that OVS is
 | |
|    attached to?  Make sure that the port is configured to trunk the
 | |
|    VLAN or VLANs that you are using with OVS.
 | |
| 
 | |
| Q: Outgoing VLAN-tagged traffic goes through OVS to my physical switch
 | |
|    and to its destination host, but OVS seems to drop incoming return
 | |
|    traffic.
 | |
| 
 | |
| A: It's possible that you have the VLAN configured on your physical
 | |
|    switch as the "native" VLAN.  In this mode, the switch treats
 | |
|    incoming packets either tagged with the native VLAN or untagged as
 | |
|    part of the native VLAN.  It may also send outgoing packets in the
 | |
|    native VLAN without a VLAN tag.
 | |
| 
 | |
|    If this is the case, you have two choices:
 | |
| 
 | |
|        - Change the physical switch port configuration to tag packets
 | |
|          it forwards to OVS with the native VLAN instead of forwarding
 | |
|          them untagged.
 | |
| 
 | |
|        - Change the OVS configuration for the physical port to a
 | |
|          native VLAN mode.  For example, the following sets up a
 | |
|          bridge with port eth0 in "native-tagged" mode in VLAN 9:
 | |
| 
 | |
|              ovs-vsctl add-br br0
 | |
|              ovs-vsctl add-port br0 eth0 tag=9 vlan_mode=native-tagged
 | |
| 
 | |
|          In this situation, "native-untagged" mode will probably work
 | |
|          equally well.  Refer to the documentation for the Port table
 | |
|          in ovs-vswitchd.conf.db(5) for more information.
 | |
| 
 | |
| Q: Can I configure an IP address on a VLAN?
 | |
| 
 | |
| A: Yes.  Use an "internal port" configured as an access port.  For
 | |
|    example, the following configures IP address 192.168.0.7 on VLAN 9.
 | |
|    That is, OVS will forward packets from eth0 to 192.168.0.7 only if
 | |
|    they have an 802.1Q header with VLAN 9.  Conversely, traffic
 | |
|    forwarded from 192.168.0.7 to eth0 will be tagged with an 802.1Q
 | |
|    header with VLAN 9:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
 | |
|        ifconfig vlan9 192.168.0.7
 | |
| 
 | |
| Q: My OpenFlow controller doesn't see the VLANs that I expect.
 | |
| 
 | |
| A: The configuration for VLANs in the Open vSwitch database (e.g. via
 | |
|    ovs-vsctl) only affects traffic that goes through Open vSwitch's
 | |
|    implementation of the OpenFlow "normal switching" action.  By
 | |
|    default, when Open vSwitch isn't connected to a controller and
 | |
|    nothing has been manually configured in the flow table, all traffic
 | |
|    goes through the "normal switching" action.  But, if you set up
 | |
|    OpenFlow flows on your own, through a controller or using ovs-ofctl
 | |
|    or through other means, then you have to implement VLAN handling
 | |
|    yourself.
 | |
| 
 | |
|    You can use "normal switching" as a component of your OpenFlow
 | |
|    actions, e.g. by putting "normal" into the lists of actions on
 | |
|    ovs-ofctl or by outputting to OFPP_NORMAL from an OpenFlow
 | |
|    controller.  This will only be suitable for some situations,
 | |
|    though.
 | |
| 
 | |
| Q: I configured ports on a bridge as access ports with different VLAN
 | |
|    tags, like this:
 | |
| 
 | |
|        ovs-vsctl add-br br0
 | |
|        ovs-vsctl set-controller br0 tcp:192.168.0.10:6633
 | |
|        ovs-vsctl add-port br0 eth0
 | |
|        ovs-vsctl add-port br0 tap0 tag=9
 | |
|        ovs-vsctl add-port br0 tap1 tag=10
 | |
| 
 | |
|    but the VMs running behind tap0 and tap1 can still communicate,
 | |
|    that is, they are not isolated from each other even though they are
 | |
|    on different VLANs.
 | |
| 
 | |
| A: Do you have a controller configured on br0 (as the commands above
 | |
|    do)?  If so, then this is a variant on the previous question, "My
 | |
|    OpenFlow controller doesn't see the VLANs that I expect," and you
 | |
|    can refer to the answer there for more information.
 | |
| 
 | |
| 
 | |
| Controllers
 | |
| -----------
 | |
| 
 | |
| Q: What versions of OpenFlow does Open vSwitch support?
 | |
| 
 | |
| A: Open vSwitch supports OpenFlow 1.0.  It also includes a number of
 | |
|    extensions that bring many of the features from later versions of
 | |
|    OpenFlow.  Work is underway to provide support for later versions and
 | |
|    can be tracked here:
 | |
| 
 | |
|        http://openvswitch.org/development/openflow-1-x-plan/
 | |
| 
 | |
| Q: I'm getting "error type 45250 code 0".  What's that?
 | |
| 
 | |
| A: This is a Open vSwitch extension to OpenFlow error codes.  Open
 | |
|    vSwitch uses this extension when it must report an error to an
 | |
|    OpenFlow controller but no standard OpenFlow error code is
 | |
|    suitable.
 | |
| 
 | |
|    Open vSwitch logs the errors that it sends to controllers, so the
 | |
|    easiest thing to do is probably to look at the ovs-vswitchd log to
 | |
|    find out what the error was.
 | |
| 
 | |
|    If you want to dissect the extended error message yourself, the
 | |
|    format is documented in include/openflow/nicira-ext.h in the Open
 | |
|    vSwitch source distribution.  The extended error codes are
 | |
|    documented in lib/ofp-errors.h.
 | |
| 
 | |
| Q1: Some of the traffic that I'd expect my OpenFlow controller to see
 | |
|     doesn't actually appear through the OpenFlow connection, even
 | |
|     though I know that it's going through.
 | |
| Q2: Some of the OpenFlow flows that my controller sets up don't seem
 | |
|     to apply to certain traffic, especially traffic between OVS and
 | |
|     the controller itself.
 | |
| 
 | |
| A: By default, Open vSwitch assumes that OpenFlow controllers are
 | |
|    connected "in-band", that is, that the controllers are actually
 | |
|    part of the network that is being controlled.  In in-band mode,
 | |
|    Open vSwitch sets up special "hidden" flows to make sure that
 | |
|    traffic can make it back and forth between OVS and the controllers.
 | |
|    These hidden flows are higher priority than any flows that can be
 | |
|    set up through OpenFlow, and they are not visible through normal
 | |
|    OpenFlow flow table dumps.
 | |
| 
 | |
|    Usually, the hidden flows are desirable and helpful, but
 | |
|    occasionally they can cause unexpected behavior.  You can view the
 | |
|    full OpenFlow flow table, including hidden flows, on bridge br0
 | |
|    with the command:
 | |
| 
 | |
|        ovs-appctl bridge/dump-flows br0
 | |
| 
 | |
|    to help you debug.  The hidden flows are those with priorities
 | |
|    greater than 65535 (the maximum priority that can be set with
 | |
|    OpenFlow).
 | |
| 
 | |
|    The DESIGN file at the top level of the Open vSwitch source
 | |
|    distribution describes the in-band model in detail.
 | |
| 
 | |
|    If your controllers are not actually in-band (e.g. they are on
 | |
|    localhost via 127.0.0.1, or on a separate network), then you should
 | |
|    configure your controllers in "out-of-band" mode.  If you have one
 | |
|    controller on bridge br0, then you can configure out-of-band mode
 | |
|    on it with:
 | |
| 
 | |
|        ovs-vsctl set controller br0 connection-mode=out-of-band
 | |
| 
 | |
| Q: I configured all my controllers for out-of-band control mode but
 | |
|    "ovs-appctl bridge/dump-flows" still shows some hidden flows.
 | |
| 
 | |
| A: You probably have a remote manager configured (e.g. with "ovs-vsctl
 | |
|    set-manager").  By default, Open vSwitch assumes that managers need
 | |
|    in-band rules set up on every bridge.  You can disable these rules
 | |
|    on bridge br0 with:
 | |
| 
 | |
|        ovs-vsctl set bridge br0 other-config:disable-in-band=true
 | |
| 
 | |
|    This actually disables in-band control entirely for the bridge, as
 | |
|    if all the bridge's controllers were configured for out-of-band
 | |
|    control.
 | |
| 
 | |
| Q: My OpenFlow controller doesn't see the VLANs that I expect.
 | |
| 
 | |
| A: See answer under "VLANs", above.
 | |
| 
 | |
| Q: I ran "ovs-ofctl add-flow br0 nw_dst=192.168.0.1,actions=drop"
 | |
|    but I got a funny message like this:
 | |
| 
 | |
|        ofp_util|INFO|normalization changed ofp_match, details:
 | |
|        ofp_util|INFO| pre: nw_dst=192.168.0.1
 | |
|        ofp_util|INFO|post:
 | |
| 
 | |
|    and when I ran "ovs-ofctl dump-flows br0" I saw that my nw_dst
 | |
|    match had disappeared, so that the flow ends up matching every
 | |
|    packet.
 | |
| 
 | |
| A: The term "normalization" in the log message means that a flow
 | |
|    cannot match on an L3 field without saying what L3 protocol is in
 | |
|    use.  The "ovs-ofctl" command above didn't specify an L3 protocol,
 | |
|    so the L3 field match was dropped.
 | |
| 
 | |
|    In this case, the L3 protocol could be IP or ARP.  A correct
 | |
|    command for each possibility is, respectively:
 | |
| 
 | |
|        ovs-ofctl add-flow br0 ip,nw_dst=192.168.0.1,actions=drop
 | |
| 
 | |
|    and 
 | |
| 
 | |
|        ovs-ofctl add-flow br0 arp,nw_dst=192.168.0.1,actions=drop
 | |
| 
 | |
|    Similarly, a flow cannot match on an L4 field without saying what
 | |
|    L4 protocol is in use.  For example, the flow match "tp_src=1234"
 | |
|    is, by itself, meaningless and will be ignored.  Instead, to match
 | |
|    TCP source port 1234, write "tcp,tp_src=1234", or to match UDP
 | |
|    source port 1234, write "udp,tp_src=1234".
 | |
| 
 | |
| Q: How can I figure out the OpenFlow port number for a given port?
 | |
| 
 | |
| A: The OFPT_FEATURES_REQUEST message requests an OpenFlow switch to
 | |
|    respond with an OFPT_FEATURES_REPLY that, among other information,
 | |
|    includes a mapping between OpenFlow port names and numbers.  From a
 | |
|    command prompt, "ovs-ofctl show br0" makes such a request and
 | |
|    prints the response for switch br0.
 | |
| 
 | |
|    The Interface table in the Open vSwitch database also maps OpenFlow
 | |
|    port names to numbers.  To print the OpenFlow port number
 | |
|    associated with interface eth0, run:
 | |
| 
 | |
|        ovs-vsctl get Interface eth0 ofport
 | |
| 
 | |
|    You can print the entire mapping with:
 | |
| 
 | |
|        ovs-vsctl -- --columns=name,ofport list Interface
 | |
| 
 | |
|    but the output mixes together interfaces from all bridges in the
 | |
|    database, so it may be confusing if more than one bridge exists.
 | |
| 
 | |
|    In the Open vSwitch database, ofport value -1 means that the
 | |
|    interface could not be created due to an error.  (The Open vSwitch
 | |
|    log should indicate the reason.)  ofport value [] (the empty set)
 | |
|    means that the interface hasn't been created yet.  The latter is
 | |
|    normally an intermittent condition (unless ovs-vswitchd is not
 | |
|    running).
 | |
| 
 | |
| Contact 
 | |
| -------
 | |
| 
 | |
| bugs@openvswitch.org
 | |
| http://openvswitch.org/
 |