Open vSwitch FAQ (I)

Source: Internet
Author: User

Basic Configuration

Q: How do I configure a port as an access port?

A: Add "tag=VLAN" to your "ovs-vsctl add-port" command. For example, the following commands configure br0 with eth0 as a trunk port (the default) and tap0 as an access port for VLAN 9:

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 eth0
   ovs-vsctl add-port br0 tap0 tag=9

If you want to configure an already added port as an access port, use "ovs-vsctl set", e.g.:

   ovs-vsctl set port tap0 tag=9

Q: How do I configure a port as a SPAN port, that is, enable mirroring of all traffic to that port?

A: The following commands configure br0 with eth0 and tap0 as trunk ports. All traffic coming in or going out on eth0 or tap0 is also mirrored to tap1; any traffic arriving on tap1 is dropped:

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 eth0
   ovs-vsctl add-port br0 tap0
   ovs-vsctl add-port br0 tap1 \
       -- --id=@p get port tap1 \
       -- --id=@m create mirror name=m0 select-all=true output-port=@p \
       -- set bridge br0 mirrors=@m

To later disable mirroring, run:

   ovs-vsctl clear bridge br0 mirrors

Q: Does Open vSwitch support configuring a port in promiscuous mode?

A: Yes. How you configure it depends on what you mean by "promiscuous mode":

  • Conventionally, "promiscuous mode" is a feature of a network interface card. Ordinarily, a NIC passes to the CPU only the packets actually destined to its host machine. It discards the rest to avoid wasting memory and CPU cycles. When promiscuous mode is enabled, however, it passes every packet to the CPU. On an old-style shared-media or hub-based network, this allows the host to spy on all packets on the network. But in the switched networks that are almost everywhere these days, promiscuous mode doesn't have much effect, because few packets not destined to a host are delivered to the host's NIC.

    This form of promiscuous mode is configured in the guest OS of the VMs on your bridge, e.g. with "ifconfig".

  • The VMware vSwitch uses a different definition of "promiscuous mode". When you configure promiscuous mode on a VMware vNIC, the vSwitch sends a copy of every packet received by the vSwitch to that vNIC. That has a much bigger effect than just enabling promiscuous mode in a guest OS. Rather than getting a few stray packets for which the switch does not yet know the correct destination, the vNIC gets every packet. The effect is similar to replacing the vSwitch by a virtual hub.

    This "promiscuous mode" is what switches normally call "port mirroring" or "SPAN". For information on how to configure SPAN, see "How do I configure a port as a SPAN port, that is, enable mirroring of all traffic to that port?"

Q: How do I configure a DPDK port as an access port?

A: Firstly, you must have a DPDK-enabled version of Open vSwitch.

If your version is DPDK-enabled it will support the --dpdk argument on the command line and will display lines with "EAL:..." during startup when --dpdk is supplied.

Secondly, when adding a DPDK port, unlike a system port, the type for the interface must be specified. For example:

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 dpdk0 -- set Interface dpdk0 type=dpdk

Finally, it is required that DPDK port names begin with 'dpdk'.

See INSTALL.DPDK.md for more information on enabling and using DPDK with Open vSwitch.

Q: How do I configure a VLAN as an RSPAN VLAN, that is, enable mirroring of all traffic to that VLAN?

A: The following commands configure br0 with eth0 as a trunk port and tap0 as an access port for VLAN 10. All traffic coming in or going out on tap0, as well as traffic coming in or going out on eth0 in VLAN 10, is also mirrored to VLAN 15 on eth0. The original tag for VLAN 10, in cases where one is present, is dropped as part of mirroring:

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 eth0
   ovs-vsctl add-port br0 tap0 tag=10
   ovs-vsctl \
       -- --id=@m create mirror name=m0 select-all=true select-vlan=10 \
                                output-vlan=15 \
       -- set bridge br0 mirrors=@m

To later disable mirroring, run:

   ovs-vsctl clear bridge br0 mirrors

Mirroring to a VLAN can disrupt a network that contains unmanaged switches. See ovs-vswitchd.conf.db(5) for details. Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred.

Q: Can I mirror more than one input VLAN to an RSPAN VLAN?

A: Yes, but mirroring to a VLAN strips the original VLAN tag in favor of the specified output-vlan. This loss of information may make the mirrored traffic too hard to interpret.

To mirror multiple VLANs, use the commands above, but specify a comma-separated list of VLANs as the value for select-vlan. To mirror every VLAN, use the commands above, but omit select-vlan and its value entirely.

When a packet arrives on a VLAN that is used as a mirror output VLAN, the mirror is disregarded. Instead, in standalone mode, OVS floods the packet across all the ports for which the mirror output VLAN is configured. (If an OpenFlow controller is in use, then it can override this behavior through the flow table.) If OVS is used as an intermediate switch, rather than an edge switch, this ensures that the RSPAN traffic is distributed through the network.

Mirroring to a VLAN can disrupt a network that contains unmanaged switches. See ovs-vswitchd.conf.db(5) for details. Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred.

Q: How do I configure mirroring of all traffic to a GRE tunnel?

A: The following commands configure br0 with eth0 and tap0 as trunk ports. All traffic coming in or going out on eth0 or tap0 is also mirrored to gre0, a GRE tunnel to the remote host 192.168.1.10; any traffic arriving on gre0 is dropped:

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 eth0
   ovs-vsctl add-port br0 tap0
   ovs-vsctl add-port br0 gre0 \
       -- set interface gre0 type=gre options:remote_ip=192.168.1.10 \
       -- --id=@p get port gre0 \
       -- --id=@m create mirror name=m0 select-all=true output-port=@p \
       -- set bridge br0 mirrors=@m

To later disable mirroring and destroy the GRE tunnel:

   ovs-vsctl clear bridge br0 mirrors
   ovs-vsctl del-port br0 gre0

Q: Does Open vSwitch support ERSPAN?

A: No. ERSPAN is an undocumented proprietary protocol. As an alternative, Open vSwitch supports mirroring to a GRE tunnel (see above).
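
The SPAN, RSPAN and GRE answers above each create a row in the Mirror table, and a mirror copies traffic to another port, tunnel or VLAN, so rows nobody can account for are worth reviewing. The following added example (not part of the original FAQ or of Open vSwitch) audits that table from the JSON printed by "ovs-vsctl --format=json list Mirror" and "list Port"; the sample tables, the approved list and the function names are constructed for illustration.

```python
import json

# Constructed sample tables (not captured output) in the headings/data layout of
#   ovs-vsctl --format=json --columns=_uuid,name list Port
#   ovs-vsctl --format=json --columns=name,select_all,select_vlan,output_port,output_vlan list Mirror
SAMPLE_PORTS = json.dumps({"headings": ["_uuid", "name"], "data": [
    [["uuid", "00000000-0000-0000-0000-000000000001"], "gre0"],
    [["uuid", "00000000-0000-0000-0000-000000000002"], "tap0"]]})
SAMPLE_MIRRORS = json.dumps({
    "headings": ["name", "select_all", "select_vlan", "output_port", "output_vlan"],
    "data": [
        ["m0", True, ["set", []], ["uuid", "00000000-0000-0000-0000-000000000001"], ["set", []]],
        ["m1", True, 10, ["set", []], 15]]})

def decode(v):
    """Decode an OVSDB JSON value: ["uuid", x], ["set", [...]], ["map", [...]] or a bare atom."""
    if isinstance(v, list) and len(v) == 2:
        tag, body = v
        if tag == "uuid":
            return body
        if tag == "set":
            return [decode(x) for x in body]
        if tag == "map":
            return {decode(k): decode(x) for k, x in body}
    return v

def rows(table_json):
    """Turn one table into a list of {column: decoded value} dicts."""
    table = json.loads(table_json)
    return [dict(zip(table["headings"], map(decode, r))) for r in table["data"]]

def as_list(v):
    # A one-element set is written as a bare atom; an empty set decodes to [].
    return v if isinstance(v, list) else [v]

def audit_mirrors(mirror_json, port_json, approved=()):
    """Return one finding per Mirror row whose name is not in `approved`."""
    port_name = {p["_uuid"]: p["name"] for p in rows(port_json)}
    findings = []
    for m in rows(mirror_json):
        if m["name"] in approved:
            continue
        ports = [port_name.get(u, u) for u in as_list(m["output_port"])]
        vlans = as_list(m["output_vlan"])
        dest = f"port {ports[0]}" if ports else f"VLAN {vlans[0]}" if vlans else "none"
        findings.append({"mirror": m["name"], "all_ports": m["select_all"] is True,
                         "vlans": as_list(m["select_vlan"]), "dest": dest})
    return findings

if __name__ == "__main__":
    for finding in audit_mirrors(SAMPLE_MIRRORS, SAMPLE_PORTS, approved=("m1",)):
        print(finding)
```

An empty "vlans" list in a finding means the mirror selects packets on every VLAN.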

Q: How do I connect two bridges?

A: First, why do you want to do this? Two connected bridges are not much different from a single bridge, so you might as well just have a single bridge with all your ports on it.

If you still want to connect two bridges, you can use a pair of patch ports. The following example creates bridges br0 and br1, adds eth0 and tap0 to br0, adds tap1 to br1, and then connects br0 and br1 with a pair of patch ports.

   ovs-vsctl add-br br0
   ovs-vsctl add-port br0 eth0
   ovs-vsctl add-port br0 tap0
   ovs-vsctl add-br br1
   ovs-vsctl add-port br1 tap1
   ovs-vsctl \
       -- add-port br0 patch0 \
       -- set interface patch0 type=patch options:peer=patch1 \
       -- add-port br1 patch1 \
       -- set interface patch1 type=patch options:peer=patch0

Bridges connected with patch ports are much like a single bridge. For instance, if the example above also added eth1 to br1, and both eth0 and eth1 happened to be connected to the same next-hop switch, then you could loop your network just as you would if you added eth0 and eth1 to the same bridge (see the "Configuration Problems" section below for more information).

If you are using Open vSwitch 1.9 or an earlier version, then you need to be using the kernel module bundled with Open vSwitch rather than the one that is integrated into Linux 3.3 and later, because Open vSwitch 1.9 and earlier versions need kernel support for patch ports. This also means that in Open vSwitch 1.9 and earlier, patch ports will not work with the userspace datapath, only with the kernel module.

Q: How do I configure a bridge without an OpenFlow local port? (Local port in the sense of OFPP_LOCAL)

A: Open vSwitch does not support such a configuration. Bridges always have their local ports.

Implementation Details

Q: I hear OVS has a couple of kinds of flows. Can you tell me about them?

A: Open vSwitch uses different kinds of flows for different purposes:

  • OpenFlow flows are the most important kind of flow. OpenFlow controllers use these flows to define a switch's policy. OpenFlow flows support wildcards, priorities, and multiple tables.

    When in-band control is in use, Open vSwitch sets up a few "hidden" flows, with priority higher than a controller or the user can configure, that are not visible via OpenFlow. (See the "Controller" section of the FAQ for more information about hidden flows.)

  • The Open vSwitch software switch implementation uses a second kind of flow internally. These flows, called "datapath" or "kernel" flows, do not support priorities and comprise only a single table, which makes them suitable for caching. (Like OpenFlow flows, datapath flows do support wildcarding, in Open vSwitch 1.11 and later.) OpenFlow flows and datapath flows also support different actions and number ports differently.

    Datapath flows are an implementation detail that is subject to change in future versions of Open vSwitch. Even with the current version of Open vSwitch, hardware switch implementations do not necessarily use this architecture.

    Users and controllers directly control only the OpenFlow flow table. Open vSwitch manages the datapath flow table itself, so users should not normally be concerned with it.

Q: Why are there so many different ways to dump flows?

A: Open vSwitch has both kinds of flows (see the previous question), so it has commands with different purposes for dumping each kind of flow:

    • ovs-ofctl dump-flows <br> dumps OpenFlow flows, excluding hidden flows. This is the most commonly useful form of flow dump. (Unlike the other commands, this should work with any OpenFlow switch, not just Open vSwitch.)

    • ovs-appctl bridge/dump-flows <br> dumps OpenFlow flows, including hidden flows. This is occasionally useful for troubleshooting suspected issues with in-band control.

    • ovs-dpctl dump-flows [dp] dumps the datapath flow table entries for a Linux kernel-based datapath. In Open vSwitch 1.10 and later, ovs-vswitchd merges multiple switches into a single datapath, so it will show all the flows on all your kernel-based switches. This command can occasionally be useful for debugging.

    • ovs-appctl dpif/dump-flows <br>, new in Open vSwitch 1.10, dumps datapath flows for only the specified bridge, regardless of the type.

Q: How does multicast snooping work with VLANs?

A: Open vSwitch maintains snooping tables for each VLAN.

Performance

Q: I just upgraded and I see a performance drop. Why?

A: The OVS kernel datapath may have been updated to a newer version than the OVS userspace components. Sometimes new versions of the OVS kernel module add functionality that is backwards compatible with older userspace components but could cause a drop in performance with them. Especially, if a kernel module from OVS 2.1 or newer is paired with OVS userspace 1.10 or older, there will be a performance drop for TCP traffic.

Updating the OVS userspace components to the latest released version should fix the performance degradation.

To get the best possible performance and functionality, it is recommended to pair the same versions of the kernel module and OVS userspace.
