-
Notifications
You must be signed in to change notification settings - Fork 254
/
ovn-nb.xml
5337 lines (4686 loc) · 208 KB
/
ovn-nb.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<database name="ovn-nb" title="OVN Northbound Database">
<p>
This database is the interface between OVN and the cloud management system
(CMS), such as OpenStack, running above it. The CMS produces almost all of
the contents of the database. The <code>ovn-northd</code> program
monitors the database contents, transforms it, and stores it into the <ref
db="OVN_Southbound"/> database.
</p>
<p>
We generally speak of ``the'' CMS, but one can imagine scenarios in
which multiple CMSes manage different parts of an OVN deployment.
</p>
<h2>External IDs</h2>
<p>
Each of the tables in this database contains a special column, named
<code>external_ids</code>. This column has the same form and purpose each
place it appears.
</p>
<dl>
<dt><code>external_ids</code>: map of string-string pairs</dt>
<dd>
Key-value pairs for use by the CMS. The CMS might use certain pairs, for
example, to identify entities in its own configuration that correspond to
those in this database.
</dd>
</dl>
<table name="NB_Global" title="Northbound configuration">
<p>
Northbound configuration for an OVN system. This table must have exactly
one row.
</p>
<group title="Identity">
<column name="name">
The name of the OVN cluster, which uniquely identifies the OVN cluster
throughout all OVN clusters supposed to interconnect with each other.
</column>
</group>
<group title="Status">
These columns allow a client to track the overall configuration state of
the system.
<column name="nb_cfg">
Sequence number for client to increment. When a client modifies any
part of the northbound database configuration and wishes to wait for
<code>ovn-northd</code> and possibly all of the hypervisors to finish
applying the changes, it may increment this sequence number.
</column>
<column name="nb_cfg_timestamp">
<p>
The timestamp, in milliseconds since the epoch, when
<code>ovn-northd</code> sees the latest <code>nb_cfg</code> and starts
processing.
</p>
<p>
To print the timestamp as a human-readable date:
</p>
<pre>
date -d "@$(ovn-nbctl get NB_Global . nb_cfg_timestamp | sed 's/...$//')"
</pre>
</column>
<column name="sb_cfg">
Sequence number that <code>ovn-northd</code> sets to the value of <ref
column="nb_cfg"/> after it finishes applying the corresponding
configuration changes to the <ref db="OVN_Southbound"/> database.
</column>
<column name="sb_cfg_timestamp">
The timestamp, in milliseconds since the epoch, when
<code>ovn-northd</code> finishes applying the
corresponding configuration changes to the <ref db="OVN_Southbound"/>
database successfully.
</column>
<column name="hv_cfg">
<p>
Sequence number that <code>ovn-northd</code> sets to the smallest
sequence number of all the chassis in the system, as reported in the
<code>Chassis_Private</code> table in the southbound database. Thus,
<ref column="hv_cfg"/> equals <ref column="nb_cfg"/> if all chassis
are caught up with the northbound configuration (which may never
happen, if any chassis is down). This value can regress, if a
chassis was removed from the system and rejoins before catching up.
</p>
<p>
If there are no chassis, then <code>ovn-northd</code> copies
<code>nb_cfg</code> to <ref column="hv_cfg"/>. Thus, in this case,
the (nonexistent) hypervisors are always considered to be caught up.
This means that hypervisors can be "caught up" even in cases where
<ref column="sb_cfg"/> would show that the southbound database is
not. To detect when both the hypervisors and the southbound database
are caught up, a client should take the smaller of <ref
column="sb_cfg"/> and <ref column="hv_cfg"/>.
</p>
</column>
<column name="hv_cfg_timestamp">
The largest timestamp, in milliseconds since the epoch, of the smallest
sequence number of all the
chassis in the system, as reported in the <code>Chassis_Private</code>
table in the southbound database. In other words, this timestamp
reflects the time when the slowest chassis catches up with the
northbound configuration, which is useful for end-to-end control plane
latency measurement.
</column>
</group>
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
</column>
</group>
<group title="Common options">
<column name="options">
This column provides general key/value settings. The supported
options are described individually below.
</column>
<group title="Options for configuring OVS BFD">
<p>
These options apply when <code>ovn-controller</code> configures
OVS BFD on tunnels interfaces. Please note these parameters refer
to legacy OVS BFD implementation and not to OVN BFD one.
</p>
<column name="options" key="bfd-min-rx">
BFD option <code>min-rx</code> value to use when configuring BFD on
tunnel interfaces.
</column>
<column name="options" key="bfd-decay-min-rx">
BFD option <code>decay-min-rx</code> value to use when configuring
BFD on tunnel interfaces.
</column>
<column name="options" key="bfd-min-tx">
BFD option <code>min-tx</code> value to use when configuring BFD on
tunnel interfaces.
</column>
<column name="options" key="bfd-mult">
BFD option <code>mult</code> value to use when configuring BFD on
tunnel interfaces.
</column>
</group>
<column name="options" key="ignore_chassis_features">
<p>
When set to <code>false</code>, the <code>ovn-northd</code> will
evaluate the features supported by each chassis and will only
activate features that are universally supported by all chassis. This
approach is crucial for maintaining backward compatibility during an
upgrade when the <code>ovn-northd</code> is updated prior to the
<code>ovn-controller</code>. However, if any chassis is poorly
managed and the upgrade is unsuccessful, it will restrict
<code>ovn-northd</code> from activating the new features.
</p>
<p>
Alternatively, setting this option to <code>true</code> instructs
<code>ovn-northd</code> to bypass the support status of features on
each chassis and to directly implement the latest features. This
approach safeguards the operation of <code>ovn-northd</code> from
being adversely affected by a mismatched configuration of a chassis.
</p>
<p>
The default setting for this option is <code>false</code>.
</p>
</column>
<column name="options" key="mac_prefix">
Configure a given OUI to be used as prefix when L2 address is
dynamically assigned, e.g. <code>00:11:22</code>
</column>
<column name="options" key="mac_binding_removal_limit"
type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
MAC binding aging bulk removal limit. This limits how many rows
can expire in a single transaction. Default value is 0 which
is unlimited. When we hit the limit next batch removal is delayed by
5 s.
</column>
<column name="options" key="fdb_removal_limit"
type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
FDB aging bulk removal limit. This limits how many rows
can expire in a single transaction. Default value is 0 which
is unlimited. When we hit the limit next batch removal is delayed by
5 s.
</column>
<column name="options" key="controller_event" type='{"type": "boolean"}'>
Value set by the CMS to enable/disable ovn-controller event reporting.
Traffic into OVS can raise a 'controller' event that results in a
Controller_Event being written to the <ref table="Controller_Event"/>
table in SBDB. When the CMS has seen the event and taken appropriate
action, it can remove the corresponding row in
<ref table="Controller_Event"/> table.
The intention is for a CMS to see the events and take some sort of
action. Please see the <ref table="Controller_Event"/> table in SBDB.
It is possible to associate a meter to each controller event type
in order to not overload the pinctrl thread under heavy load.
Each event type relies on a meter with a defined name:
<ul>
<li>empty_lb_backends: event-elb</li>
</ul>
</column>
<column name="options" key="northd_probe_interval">
<p>
The inactivity probe interval of the connection to the OVN Northbound
and Southbound databases from <code>ovn-northd</code>, in milliseconds.
If the value is zero, it disables the connection keepalive feature.
</p>
<p>
If the value is nonzero, then it will be forced to a value of
at least 1000 ms.
</p>
</column>
<column name="options" key="ic_probe_interval">
<p>
The inactivity probe interval of the connection to the OVN Northbound
and Southbound databases from <code>ovn-ic</code>, in milliseconds.
If the value is zero, it disables the connection keepalive feature.
</p>
<p>
If the value is nonzero, then it will be forced to a value of
at least 1000 ms.
</p>
</column>
<column name="options" key="nbctl_probe_interval">
<p>
The inactivity probe interval of the connection to the OVN Northbound
database from <code>ovn-nbctl</code> utility, in milliseconds.
If the value is zero, it disables the connection keepalive feature.
</p>
<p>
If the value is nonzero, then it will be forced to a value of
at least 1000 ms.
</p>
<p>
If the value is less than zero, then the default inactivity probe
interval for <code>ovn-nbctl</code> would be left intact (120000 ms).
</p>
</column>
<column name="options" key="northd_trim_timeout">
<p>
When used, this configuration value specifies the time, in
milliseconds, since the last <code>ovn-northd</code> active operation
after which memory trimming is performed. By default this is set to
30000 (30 seconds).
</p>
</column>
<column name="options" key="use_logical_dp_groups">
<p>
Note: This option is deprecated, the only behavior is to always
combine logical flows by datapath groups. Changing the value or
removing this option all toghether will have no effect.
</p>
<p>
<code>ovn-northd</code> combines logical flows that differs
only by logical datapath into a single logical flow with
logical datapath group attached.
</p>
</column>
<column name="options" key="use_parallel_build">
<p>
If set to <code>true</code>, <code>ovn-northd</code> will attempt
to compute logical flows in parallel.
</p>
<p>
Parallel computation is enabled only if the system has 4 or more
cores/threads available to be used by ovn-northd.
</p>
<p>
The default value is <code>false</code>.
</p>
</column>
<column name="options" key="ignore_lsp_down">
<p>
If set to false, ARP/ND reply flows for logical switch ports will be
installed only if the port is up, i.e. claimed by a Chassis. If set
to true, these flows are installed regardless of the status of the
port, which can result in a situation that ARP request to an IP is
resolved even before the relevant VM/container is running. For
environments where this is not an issue, setting it to
<code>true</code> can reduce the load and latency of the control
plane. The default value is <code>true</code>.
</p>
</column>
<column name="options" key="use_ct_inv_match">
<p>
If set to false, <code>ovn-northd</code> will not use the
<code>ct.inv</code> field in any of the logical flow matches.
The default value is true. If the NIC supports offloading
OVS datapath flows but doesn't support offloading ct_state
<code>inv</code> flag, then the datapath flows matching on this flag
(either <code>+inv</code> or <code>-inv</code>) will not be
offloaded. CMS should consider setting <code>use_ct_inv_match</code>
to <code>false</code> in such cases. This results in a side effect
of the invalid packets getting delivered to the destination VIF,
which otherwise would have been dropped by <code>OVN</code>.
</p>
</column>
<column name="options" key="default_acl_drop">
<p>
If set to <code>true</code>., <code>ovn-northd</code> will
generate a logical flow to drop all traffic in the ACL stages.
By default this option is set to <code>false</code>.
</p>
</column>
<column name="options" key="debug_drop_domain_id">
<p>
If set to a 8-bit number and if
<code>debug_drop_collector_set</code> is also configured,
<code>ovn-northd</code> will add a <code>sample</code> action to
every logical flow that contains a 'drop' action.
The 8 most significant bits of the observation_domain_id field will
be those specified in the
<code> debug_drop_domain_id</code>.
The 24 least significant bits of the observation_domain_id field will
be the datapath's key.
</p>
<p>
The observation_point_id will be set to the first 32 bits of the
logical flow's UUID.
</p>
<p>
Note: This key is deprecated in favor of the value configured in the
<ref table="Sampling_App"/> table for the <code>drop</code>
application.
</p>
</column>
<column name="options" key="debug_drop_collector_set">
<p>
If set to a 32-bit number <code>ovn-northd</code> will add a
<code>sample</code> action to every logical flow that contains a
'drop' action. The sample action will have the specified
collector_set_id. The value must match that of the local OVS
configuration as described in <code>ovs-actions</code>(7).
</p>
</column>
<column name="options" key="use_common_zone" type='{"type": "boolean"}'>
Default value is <code>false</code>. If set to <code>true</code>
the SNAT and DNAT happens in common zone, instead of happening in
separate zones, depending on the configuration. However, this option
breaks traffic when there is configuration of DGP + LB + SNAT on
this LR. The value <code>true</code> should be used only in case
of HWOL compatibility with GDP.
</column>
<column name="options" key="northd-backoff-interval-ms">
Maximum interval that the northd incremental engine is delayed by
in milliseconds. Setting the value to nonzero delays the next northd
engine run by the previous run time, capped by the specified value.
If the value is zero the engine won't be delayed at all.
The recommended period is smaller than 500 ms, beyond that the latency
of SB changes would be very noticeable.
</column>
<column name="options" key="vxlan_mode">
By default if at least one chassis in OVN cluster has VXLAN encap,
northd will run in a <code>VXLAN mode</code>. See man
ovn-architecture(7) <code>Tunnel Encapsulations</code> paragraph for
more details. In case VXLAN encaps are needed on chassis only to
support HW VTEP functionality and main encap type is GENEVE or STT, set
this option to <code>false</code> to use default
non-<code>VXLAN mode</code> tunnel IDs allocation logic.
</column>
<column name="options" key="always_tunnel"
type='{"type": "boolean"}'>
<p>
If set to true, then the traffic destined to a VIF of a provider
logical switch (having a localnet port) will be tunnelled instead
of sending it via the localnet port. This option will be useful
if CMS wants to connect overlay logical switches (without
localnet port) and provider logical switches to a router. Without
this option set, the traffic path will be a mix of tunnelling and
localnet ports (since routing is distributed) resulting in the
leakage of the router port mac address to the upstream switches
and undefined behavior if NATting is involed. This option is
disabled by default.
</p>
</column>
<group title="Options for configuring interconnection route advertisement">
<p>
These options control how routes are advertised between OVN
deployments for interconnection. If enabled, <code>ovn-ic</code>
from different OVN deployments exchanges routes between each other
through the global <ref db="OVN_IC_Southbound"/> database. Only
routers with ports connected to interconnection transit switches
participate in route advertisement. For each of these routers, there
are two types of routes to be advertised:
</p>
<p>
Firstly, the static routes configured in the router are advertised.
</p>
<p>
Secondly, the <code>networks</code> configured in the logical router
ports that are not on the transit switches are advertised. These
are considered as directly connected subnets on the router.
</p>
<p>
Link local prefixes (IPv4 169.254.0.0/16 and IPv6 FE80::/10)
are never advertised.
</p>
<p>
The learned routes are added to the
<ref column="static_routes" table="Logical_Router"/> column of the
<ref table="Logical_Router"/> table, with
<code>external_ids:ic-learned-route</code> set to the uuid
of the row in <ref table="Route" db="OVN_IC_Southbound"/>
table of the <ref db="OVN_IC_Southbound"/> database.
</p>
<column name="options" key="ic-route-adv">
A boolean value that enables route advertisement to the global
<ref db="OVN_IC_Southbound"/> database. Default is
<code>false</code>.
</column>
<column name="options" key="ic-route-learn">
A boolean value that enables route learning from the global
<ref db="OVN_IC_Southbound"/> database. Default is
<code>false</code>.
</column>
<column name="options" key="ic-route-adv-default">
A boolean value that enables advertising default route to the global
<ref db="OVN_IC_Southbound"/> database. Default is
<code>false</code>. This option takes effect only when option
<code>ic-route-adv</code> is <code>true</code>.
</column>
<column name="options" key="ic-route-learn-default">
A boolean value that enables learning default route from the global
<ref db="OVN_IC_Southbound"/> database. Default is
<code>false</code>. This option takes effect only when option
<code>ic-route-learn</code> is <code>true</code>.
</column>
<column name="options" key="ic-route-denylist">
A string value contains a list of CIDRs delimited by ",". A route
will not be advertised or learned if the route's prefix belongs to
any of the CIDRs listed.
</column>
</group>
</group>
<group title="Connection Options">
<column name="connections">
Database clients to which the Open vSwitch database server should
connect or on which it should listen, along with options for how these
connections should be configured. See the <ref table="Connection"/>
table for more information.
</column>
<column name="ssl">
Global SSL configuration.
</column>
</group>
<group title="Security Configurations">
<column name="ipsec">
Tunnel encryption configuration. If this column is set to be true, all
OVN tunnels will be encrypted with IPsec.
</column>
</group>
<group title="Read-only Options">
<column name="options" key="max_tunid">
<p>
The maximum supported tunnel ID. Depends on types of encapsulation
enabled in the cluster.
</p>
</column>
</group>
</table>
<table name="Sample_Collector" title="Sample_Collector">
<column name="id">
Sample collector unique id used for differentiating collectors that use
the same <code>set_id</code> with different <code>probability</code>
values. The supported value range for IDs is <code>1-255</code>.
</column>
<column name="name">Name of the sample collector.</column>
<column name="probability">
Sampling probability for this collector. It must be an integer number
between 0 and 65535. A value of 0 corresponds to no packets being
sampled while a value of 65535 corresponds to all packets being sampled.
</column>
<column name="set_id">
The 8-bit integer identifier of the set of of collectors to send
packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's
database schema.
</column>
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
</column>
</table>
<table name="Sample" title="Sample">
<p>
This table describes a Sampling configuration. Entries in other tables
might be associated with Sample entries to indicate how the sample
should be generated.
For an example, see <ref table="ACL"/>.
</p>
<column name="collectors">
A list of references to <ref table="Sample_Collector"/> records to be
used when generating samples (e.g., IPFIX). A sample can be sent to
multiple collectors simultaneously.
</column>
<column name="metadata">
Will be used as Observation Point ID in every sample. The Observation
Domain ID will be generated by ovn-northd and includes the logical
datapath key as the least significant 24 bits and the sampling
application type (e.g., drop debugging) as the 8 most significant bits.
</column>
</table>
<table name="Copp" title="Control plane protection">
<p>
This table is used to define control plane protection policies, i.e.,
associate entries from table <ref table="Meter"/> to control protocol
names.
</p>
<column name="name">
CoPP name.
</column>
<column name="meters" key="arp">
Rate limiting meter for ARP packets (request/reply) used for learning
neighbors.
</column>
<column name="meters" key="arp-resolve">
Rate limiting meter for packets that require resolving the next-hop
(through ARP).
</column>
<column name="meters" key="dhcpv4-opts">
Rate limiting meter for packets that require adding DHCPv4 options.
</column>
<column name="meters" key="dhcpv6-opts">
Rate limiting meter for packets that require adding DHCPv6 options.
</column>
<column name="meters" key="dns">
Rate limiting meter for DNS query packets that need to be replied to.
</column>
<column name="meters" key="event-elb">
Rate limiting meter for empty load balancer events.
</column>
<column name="meters" key="icmp4-error">
Rate limiting meter for packets that require replying with an ICMP
error.
</column>
<column name="meters" key="icmp6-error">
Rate limiting meter for packets that require replying with an ICMPv6
error.
</column>
<column name="meters" key="igmp">
Rate limiting meter for IGMP packets.
</column>
<column name="meters" key="nd-na">
Rate limiting meter for ND neighbor advertisement packets used for
learning neighbors.
</column>
<column name="meters" key="nd-ns">
Rate limiting meter for ND neighbor solicitation packets used for
learning neighbors.
</column>
<column name="meters" key="nd-ns-resolve">
Rate limiting meter for packets that require resolving the next-hop
(through ND).
</column>
<column name="meters" key="nd-ra-opts">
Rate limiting meter for packets that require adding ND router
advertisement options.
</column>
<column name="meters" key="tcp-reset">
Rate limiting meter for packets that require replying with TCP RST
packet.
</column>
<column name="meters" key="bfd">
Rate limiting meter for BFD packets.
</column>
<column name="meters" key="reject">
Rate limiting meter for packets that trigger a reject action
</column>
<column name="meters" key="svc-monitor">
Rate limiting meter for packets that are arriving to service
monitor MAC address.
</column>
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
</column>
</table>
<table name="Logical_Switch" title="L2 logical switch">
<p>
Each row represents one L2 logical switch.
</p>
<p>
There are two kinds of logical switches, that is, ones that fully
virtualize the network (overlay logical switches) and ones that provide
simple connectivity to physical networks (bridged logical switches).
They work in the same way when providing connectivity between logical
ports on same chassis, but differently when connecting remote logical
ports. Overlay logical switches connect remote logical ports by tunnels,
while bridged logical switches provide connectivity to remote ports by
bridging the packets to directly connected physical L2 segments with the
help of <code>localnet</code> ports. Each bridged logical switch has
one or more <code>localnet</code> ports, which have only one special
address <code>unknown</code>.
</p>
<column name="ports">
<p>
The logical ports connected to the logical switch.
</p>
<p>
It is an error for multiple logical switches to include the same
logical port.
</p>
</column>
<column name="load_balancer">
Set of load balancers associated to this logical switch.
</column>
<column name="load_balancer_group">
Set of load balancers groups associated to this logical switch.
</column>
<column name="acls">
Access control rules that apply to packets within the logical switch.
</column>
<column name="qos_rules">
QoS marking and metering rules that apply to packets within the
logical switch.
</column>
<column name="dns_records">
This column defines the DNS records to be used for resolving internal
DNS queries within the logical switch by the native DNS resolver.
Please see the <ref table="DNS"/> table.
</column>
<column name="forwarding_groups">
Groups a set of logical port endpoints for traffic going out of the
logical switch.
</column>
<group title="Naming">
<p>
These columns provide names for the logical switch. From OVN's
perspective, these names have no special meaning or purpose other than
to provide convenience for human interaction with the database.
There is no requirement for the name to be unique. (For a unique
identifier for a logical switch, use its row UUID.)
</p>
<p>
(Originally, <ref column="name"/> was intended to serve the purpose of
a human-friendly name, but the Neutron integration used it to uniquely
identify its own switch object, in the format
<code>neutron-<var>uuid</var></code>. Later on, Neutron started
propagating the friendly name of a switch as <ref column="external_ids"
key="neutron:network_name"/>. Perhaps this can be cleaned up someday.)
</p>
<column name="name">
A name for the logical switch.
</column>
<column name="external_ids" key="neutron:network_name">
Another name for the logical switch.
</column>
</group>
<group title="IP Address Assignment">
<p>
These options control automatic IP address management (IPAM) for ports
attached to the logical switch. To enable IPAM for IPv4, set <ref
column="other_config" key="subnet"/> and optionally <ref
column="other_config:exclude_ips"/>. To enable IPAM for IPv6, set
<ref column="other_config" key="ipv6_prefix"/>. IPv4 and IPv6 may
be enabled together or separately.
</p>
<p>
To request dynamic address assignment for a particular port, use the
<code>dynamic</code> keyword in the <ref table="Logical_Switch_Port"
column="addresses"/> column of the port's <ref
table="Logical_Switch_Port"/> row. This requests both an IPv4 and an
IPv6 address, if IPAM for IPv4 and IPv6 are both enabled.
</p>
<column name="other_config" key="subnet">
Set this to an IPv4 subnet, e.g. <code>192.168.0.0/24</code>, to enable
<code>ovn-northd</code> to automatically assign IP addresses within
that subnet.
</column>
<column name="other_config" key="exclude_ips">
<p>
To exclude some addresses from automatic IP address management, set
this to a list of the IPv4 addresses or <code>..</code>-delimited
ranges to exclude. The addresses or ranges should be a subset of
those in <ref column="other_config" key="subnet"/>.
</p>
<p>
Whether listed or not, <code>ovn-northd</code> will never allocate
the first or last address in a subnet, such as 192.168.0.0 or
192.168.0.255 in 192.168.0.0/24.
</p>
<p>
Examples:
</p>
<ul>
<li><code>192.168.0.2 192.168.0.10</code></li>
<li><code>192.168.0.4 192.168.0.30..192.168.0.60 192.168.0.110..192.168.0.120</code></li>
<li><code>192.168.0.110..192.168.0.120 192.168.0.25..192.168.0.30 192.168.0.144</code></li>
</ul>
</column>
<column name="other_config" key="ipv6_prefix">
Set this to an IPv6 prefix to enable <code>ovn-northd</code> to
automatically assign IPv6 addresses using this prefix. The assigned
IPv6 address will be generated using the IPv6 prefix and the MAC
address (converted to an IEEE EUI64 identifier) of the port. The IPv6
prefix defined here should be a valid IPv6 address ending with
<code>::</code>.
<p>
Examples:
</p>
<ul>
<li><code>aef0::</code></li>
<li><code>bef0:1234:a890:5678::</code></li>
<li><code>8230:5678::</code></li>
</ul>
</column>
<column name="other_config" key="dhcp_relay_port">
If set to the name of logical switch port of type <code>router</code>
then, DHCP Relay is enabled for this logical switch provided the
corresponding <ref table="Logical_Router_Port"/> has DHCP Relay
configured.
</column>
<column name="other_config" key="mac_only" type='{"type": "boolean"}'>
Value used to request to assign L2 address only if neither subnet
nor ipv6_prefix are specified
</column>
<column name="other_config" key="fdb_age_threshold"
type='{"type": "integer", "minInteger": 0, "maxInteger": 4294967295}'>
FDB aging <code>threshold</code> value in seconds. FDB exceeding
this timeout will be automatically removed. The value defaults
to 0, which means disabled.
</column>
<column name="other_config" key="ct-zone-limit"
type='{"type": "integer", "minInteger": 0,
"maxInteger": 4294967295}'>
CT zone <code>limit</code> value for given
<ref table="Logical_Switch"/>. This value will be propagated to all
<ref table="Logical_Switch_Port"/> when configured, but can be
overwritten individually per <ref table="Logical_Switch_Port"/>. The
value 0 means unlimited. When the option is not present the limit
is not set and the zone limit is derived from OvS default datapath
limit.
</column>
</group>
<group title="IP Multicast Snooping Options">
<p>
These options control IP Multicast Snooping configuration of the
logical switch. To enable IP Multicast Snooping set
<ref column="other_config" key="mcast_snoop"/> to true. To enable IP
Multicast Querier set <ref column="other_config" key="mcast_querier"/>
to true. If IP Multicast Querier is enabled
<ref column="other_config" key="mcast_eth_src"/> and
<ref column="other_config" key="mcast_ip4_src"/> must be set.
</p>
<column name="other_config" key="mcast_snoop"
type='{"type": "boolean"}'>
Enables/disables IP Multicast Snooping on the logical switch.
Default: <code>false</code>.
</column>
<column name="other_config" key="mcast_querier"
type='{"type": "boolean"}'>
Enables/disables IP Multicast Querier on the logical switch.
Only applicable if <ref column="other_config" key="mcast_snoop"/>
is enabled.
Default: <code>true</code>.
</column>
<column name="other_config" key="mcast_flood_unregistered"
type='{"type": "boolean"}'>
Determines whether unregistered multicast traffic should be flooded
or not. Only applicable if
<ref column="other_config" key="mcast_snoop"/> is enabled.
Default: <code>false</code>.
</column>
<column name="other_config" key="mcast_table_size"
type='{"type": "integer", "minInteger": 1, "maxInteger": 32766}'>
Number of multicast groups to be stored. Default: 2048.
</column>
<column name="other_config" key="mcast_idle_timeout"
type='{"type": "integer", "minInteger": 15, "maxInteger": 3600}'>
Configures the IP Multicast Snooping group idle timeout (in seconds).
Default: 300 seconds.
</column>
<column name="other_config" key="mcast_query_interval"
type='{"type": "integer", "minInteger": 1, "maxInteger": 3600}'>
Configures the IP Multicast Querier interval between queries (in
seconds). Default:
<ref column="other_config" key="mcast_idle_timeout"/> / 2.
</column>
<column name="other_config" key="mcast_query_max_response"
type='{"type": "integer", "minInteger": 1, "maxInteger": 10}'>
Configures the value of the "max-response" field in the multicast
queries originated by the logical switch. Default: 1 second.
</column>
<column name="other_config" key="mcast_eth_src">
Configures the source Ethernet address for queries originated by the
logical switch.
</column>
<column name="other_config" key="mcast_ip4_src">
Configures the source IPv4 address for queries originated by the
logical switch.
</column>
<column name="other_config" key="mcast_ip6_src">
Configures the source IPv6 address for queries originated by the
logical switch.
</column>
</group>
<group title="Interconnection">
<column name="other_config" key="interconn-ts"
type='{"type": "string"}'>
The <ref table="Transit_Switch" column="name" db="OVN_IC_Northbound"/>
of corresponding transit switch in <ref db="OVN_IC_Northbound"/>
database. This kind of logical switch is created and controlled
by <code>ovn-ic</code>.
</column>
</group>
<group title="Tunnel Key">
<column name="other_config" key="requested-tnl-key"
type='{"type": "integer", "minInteger": 1, "maxInteger": 16777215}'>
Configures the datapath tunnel key for the logical switch. Usually
this is not needed because <code>ovn-northd</code> will assign an
unique key for each datapath by itself. However, if it is configured,
<code>ovn-northd</code> honors the configured value. The typical use
case is for interconnection: the tunnel keys for transit switches need
to be unique globally, so they are maintained in the global
<ref db="OVN_IC_Southbound"/> database, and <code>ovn-ic</code> simply
syncs the value from <ref db="OVN_IC_Southbound"/> through this config.
</column>
</group>
<column name="copp">
<p>
The control plane protection policy from table <ref table="Copp"/>
used for metering packets sent to <code>ovn-controller</code> from
ports of this logical switch.
</p>
</column>
<group title="Other options">
<column name="other_config" key="vlan-passthru"
type='{"type": "boolean"}'>
Determines whether VLAN tagged incoming traffic should be allowed. Note
that this may have security implications when enabled for a logical
switch with a tag=0 localnet port. If not properly isolated from other
localnet ports, fabric traffic that belongs to other tagged networks may
be passed through such a port.
</column>
<column name="other_config" key="broadcast-arps-to-all-routers"
type='{"type": "boolean"}'>
Determines whether arp requests and ipv6 neighbor solicitations should
be sent to all routers and other switchports (default) or if it should
only be sent to switchports where the ip/mac address is unknown.
Setting this to false can significantly reduce the load if the logical
switch can receive arp requests for ips it does not know about.
However setting this to false also means that garps are no longer
forwarded to all routers and therefor the mac bindings of the routers
are no longer updated.
</column>
</group>
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
</column>
</group>
</table>
<table name="Logical_Switch_Port" title="L2 logical switch port">
<p>
A port within an L2 logical switch.
</p>
<group title="Core Features">
<column name="name">
<p>
The logical port name.
</p>
<p>
For entities (VMs or containers) that are spawned in the hypervisor,
the name used here must match those used in the <ref key="iface-id"
table="Interface" column="external_ids" db="Open_vSwitch"/> in the
<ref db="Open_vSwitch"/> database's <ref table="Interface"
db="Open_vSwitch"/> table, because hypervisors use <ref key="iface-id"
table="Interface" column="external_ids" db="Open_vSwitch"/> as a lookup
key to identify the network interface of that entity.
</p>
<p>
For containers that share a VIF within a VM, the name can be any
unique identifier. See <code>Containers</code>, below, for more
information.
</p>
<p>
A logical switch port may not have the same name as a logical router
port, but the database schema cannot enforce this.
</p>
</column>
<column name="type">
<p>
Specify a type for this logical port. Logical ports can be used to
model other types of connectivity into an OVN logical switch. The
following types are defined:
</p>
<dl>
<dt>(empty string)</dt>
<dd>
A VM (or VIF) interface.
</dd>
<dt><code>router</code></dt>
<dd>
A connection to a logical router. The value of <ref
column="options" key="router-port"/> specifies the <ref
column="name"/> of the <ref table="Logical_Router_Port"/>
to which this logical switch port is connected.
</dd>
<dt><code>localnet</code></dt>
<dd>
A connection to a locally accessible network from
<code>ovn-controller</code> instances that have a corresponding
bridge mapping. A logical switch can have multiple
<code>localnet</code> ports attached. This type is used to model
direct connectivity to existing networks. In this case, each
chassis should have a mapping for one of the physical networks
only. Note: nothing said above implies that a chassis cannot be
plugged to multiple physical networks as long as they belong to
different switches.