Open vSwitch FAQ (一)
Basic Configuration
Q: How do I configure a port as an access port?
A: Add "tag=VLAN" to your "ovs-vsctl add-port" command. For example, the following commands configure br0 with eth0 as a trunk port (the default) and tap0 as an access port for VLAN 9:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
ovs-vsctl add-port br0 tap0 tag=9
If you want to configure an already added port as an access port, use "ovs-vsctl set", e.g.:
ovs-vsctl set port tap0 tag=9
Q: How do I configure a port as a SPAN port, that is, enable mirroring of all traffic to that port?
A: The following commands configure br0 with eth0 and tap0 as trunk ports. All traffic coming in or going out on eth0 or tap0 is also mirrored to tap1; any traffic arriving on tap1 is dropped:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
ovs-vsctl add-port br0 tap0
ovs-vsctl add-port br0 tap1 \
-- --id=@p get port tap1 \
-- --id=@m create mirror name=m0 select-all=true output-port=@p \
-- set bridge br0 mirrors=@m
To later disable mirroring, run:
ovs-vsctl clear bridge br0 mirrors
Q: Does Open vSwitch support configuring a port in promiscuous mode?
A: Yes. How you configure it depends on what you mean by "promiscuous mode":
Conventionally, "promiscuous mode" is a feature of a network interface card. Ordinarily, a NIC passes to the CPU only the packets actually destined to its host machine. It discards the rest to avoid wasting memory and CPU cycles. When promiscuous mode is enabled, however, it passes every packet to the CPU. On an old-style shared-media or hub-based network, this allows the host to spy on all packets on the network. But in the switched networks that are almost everywhere these days, promiscuous mode doesn't have much effect, because few packets not destined to a host are delivered to the host's NIC.
This form of promiscuous mode is configured in the guest OS of the VMs on your bridge, e.g. with "ifconfig".
The VMware vSwitch uses a different definition of "promiscuous mode". When you configure promiscuous mode on a VMware vNIC, the vSwitch sends a copy of every packet received by the vSwitch to that vNIC. That has a much bigger effect than just enabling promiscuous mode in a guest OS. Rather than getting a few stray packets for which the switch does not yet know the correct destination, the vNIC gets every packet. The effect is similar to replacing the vSwitch by a virtual hub.
This "promiscuous mode" is what switches normally call "port mirroring" or "SPAN". For information on how to configure SPAN, see "How do I configure a port as a SPAN port, that is, enable mirroring of all traffic to that port?"
Q: How do I configure a DPDK port as an access port?
A: Firstly, you must have a DPDK-enabled version of Open vSwitch.
If your version is DPDK-enabled it will support the --dpdk argument on the command line and will display lines with "EAL:..." during startup when --dpdk is supplied.
Secondly, when adding a DPDK port, unlike a system port, the type for the interface must be specified. For example;
ovs-vsctl add-br br0
ovs-vsctl add-port br0 dpdk0 -- set Interface dpdk0 type=dpdk
Finally, it is required that DPDK port names begin with 'dpdk'.
See INSTALL.DPDK.md for more information on enabling and using DPDK with Open vSwitch.
Q: How do I configure a VLAN as an RSPAN VLAN, that is, enable mirroring of all traffic to that VLAN?
A: The following commands configure br0 with eth0 as a trunk port and tap0 as an access port for VLAN 10. All traffic coming in or going out on tap0, as well as traffic coming in or going out on eth0 in VLAN 10, is also mirrored to VLAN 15 on eth0. The original tag for VLAN 10, in cases where one is present, is dropped as part of mirroring:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
ovs-vsctl add-port br0 tap0 tag=10
ovs-vsctl \
-- --id=@m create mirror name=m0 select-all=true select-vlan=10 \
output-vlan=15 \
-- set bridge br0 mirrors=@m
To later disable mirroring, run:
ovs-vsctl clear bridge br0 mirrors
Mirroring to a VLAN can disrupt a network that contains unmanaged switches. See ovs-vswitchd.conf.db(5) for details. Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred.
Q: Can I mirror more than one input VLAN to an RSPAN VLAN?
A: Yes, but mirroring to a VLAN strips the original VLAN tag in favor of the specified output-vlan. This loss of information may make the mirrored traffic too hard to interpret.
To mirror multiple VLANs, use the commands above, but specify a comma-separated list of VLANs as the value for select-vlan. To mirror every VLAN, use the commands above, but omit select-vlan and its value entirely.
When a packet arrives on a VLAN that is used as a mirror output VLAN, the mirror is disregarded. Instead, in standalone mode, OVS floods the packet across all the ports for which the mirror output VLAN is configured. (If an OpenFlow controller is in use, then it can override this behavior through the flow table.) If OVS is used as an intermediate switch, rather than an edge switch, this ensures that the RSPAN traffic is distributed through the network.
Mirroring to a VLAN can disrupt a network that contains unmanaged switches. See ovs-vswitchd.conf.db(5) for details. Mirroring to a GRE tunnel has fewer caveats than mirroring to a VLAN and should generally be preferred.
Q: How do I configure mirroring of all traffic to a GRE tunnel?
A: The following commands configure br0 with eth0 and tap0 as trunk ports. All traffic coming in or going out on eth0 or tap0 is also mirrored to gre0, a GRE tunnel to the remote host 192.168.1.10; any traffic arriving on gre0 is dropped:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
ovs-vsctl add-port br0 tap0
ovs-vsctl add-port br0 gre0 \
-- set interface gre0 type=gre options:remote_ip=192.168.1.10 \
-- --id=@p get port gre0 \
-- --id=@m create mirror name=m0 select-all=true output-port=@p \
-- set bridge br0 mirrors=@m
To later disable mirroring and destroy the GRE tunnel:
ovs-vsctl clear bridge br0 mirrors
ovs-vcstl del-port br0 gre0
Q: Does Open vSwitch support ERSPAN?
A: No. ERSPAN is an undocumented proprietary protocol. As an alternative, Open vSwitch supports mirroring to a GRE tunnel (see above).
Q: How do I connect two bridges?
A: First, why do you want to do this? Two connected bridges are not much different from a single bridge, so you might as well just have a single bridge with all your ports on it.
If you still want to connect two bridges, you can use a pair of patch ports. The following example creates bridges br0 and br1, adds eth0 and tap0 to br0, adds tap1 to br1, and then connects br0 and br1 with a pair of patch ports.
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
ovs-vsctl add-port br0 tap0
ovs-vsctl add-br br1
ovs-vsctl add-port br1 tap1
ovs-vsctl \
-- add-port br0 patch0 \
-- set interface patch0 type=patch options:peer=patch1 \
-- add-port br1 patch1 \
-- set interface patch1 type=patch options:peer=patch0
Bridges connected with patch ports are much like a single bridge. For instance, if the example above also added eth1 to br1, and both eth0 and eth1 happened to be connected to the same next-hop switch, then you could loop your network just as you would if you added eth0 and eth1 to the same bridge (see the "Configuration Problems" section below for more information).
If you are using Open vSwitch 1.9 or an earlier version, then you need to be using the kernel module bundled with Open vSwitch rather than the one that is integrated into Linux 3.3 and later, because Open vSwitch 1.9 and earlier versions need kernel support for patch ports. This also means that in Open vSwitch 1.9 and earlier, patch ports will not work with the userspace datapath, only with the kernel module.
Q: How do I configure a bridge without an OpenFlow local port? (Local port in the sense of OFPP_LOCAL)
A: Open vSwitch does not support such a configuration. Bridges always have their local ports.
Implementation Details
Q: I hear OVS has a couple of kinds of flows. Can you tell me about them?
A: Open vSwitch uses different kinds of flows for different purposes:
OpenFlow flows are the most important kind of flow. OpenFlow controllers use these flows to define a switch's policy. OpenFlow flows support wildcards, priorities, and multiple tables.
When in-band control is in use, Open vSwitch sets up a few "hidden" flows, with priority higher than a controller or the user can configure, that are not visible via OpenFlow. (See the "Controller" section of the FAQ for more information about hidden flows.)
The Open vSwitch software switch implementation uses a second kind of flow internally. These flows, called "datapath" or "kernel" flows, do not support priorities and comprise only a single table, which makes them suitable for caching. (Like OpenFlow flows, datapath flows do support wildcarding, in Open vSwitch 1.11 and later.) OpenFlow flows and datapath flows also support different actions and number ports differently.
Datapath flows are an implementation detail that is subject to change in future versions of Open vSwitch. Even with the current version of Open vSwitch, hardware switch implementations do not necessarily use this architecture.
Users and controllers directly control only the OpenFlow flow table. Open vSwitch manages the datapath flow table itself, so users should not normally be concerned with it.
Q: Why are there so many different ways to dump flows?
A: Open vSwitch has two kinds of flows (see the previous question), so it has commands with different purposes for dumping each kind of flow:
ovs-ofctl dump-flows <br>
dumps OpenFlow flows, excluding hidden flows. This is the most commonly useful form of flow dump. (Unlike the other commands, this should work with any OpenFlow switch, not just Open vSwitch.)ovs-appctl bridge/dump-flows <br>
dumps OpenFlow flows, including hidden flows. This is occasionally useful for troubleshooting suspected issues with in-band control.ovs-dpctl dump-flows [dp]
dumps the datapath flow table entries for a Linux kernel-based datapath. In Open vSwitch 1.10 and later, ovs-vswitchd merges multiple switches into a single datapath, so it will show all the flows on all your kernel-based switches. This command can occasionally be useful for debugging.ovs-appctl dpif/dump-flows <br>
, new in Open vSwitch 1.10, dumps datapath flows for only the specified bridge, regardless of the type.
Q: How does multicast snooping works with VLANs?
A: Open vSwitch maintains snooping tables for each VLAN.
Performance
Q: I just upgraded and I see a performance drop. Why?
A: The OVS kernel datapath may have been updated to a newer version than the OVS userspace components. Sometimes new versions of OVS kernel module add functionality that is backwards compatible with older userspace components but may cause a drop in performance with them. Especially, if a kernel module from OVS 2.1 or newer is paired with OVS userspace 1.10 or older, there will be a performance drop for TCP traffic.
Updating the OVS userspace components to the latest released version should fix the performance degradation.
To get the best possible performance and functionality, it is recommended to pair the same versions of the kernel module and OVS userspace.
Open vSwitch FAQ (一)的更多相关文章
- Open vSwitch FAQ (二)
Configuration Problems Q: I created a bridge and added my Ethernet port to it, using commands like t ...
- Open vSwitch FAQ (三)
Quality of Service (QoS) Q: How do I configure Quality of Service (QoS)? A: Suppose that you want to ...
- [转]UOS 中的虚拟网络设备
随着网络技术,虚拟化技术的发展,越来越多的高级网络设备被加入了到了 Linux 中,这些设备在 UOS 中起到了广泛而关键的作用,包括 Open vSwitch.TAP 设备.Veth 设备等等,梳理 ...
- [cloud][OVS][sdn] Open vSwitch 初步了解
What is Open vSwitch? Open vSwitch is a production quality, multilayer virtual switch licensed under ...
- 启用 Open vSwitch - 每天5分钟玩转 OpenStack(127)
Linux Bridge 和 Open vSwitch 是目前 OpenStack 中使用最广泛的两种虚机交换机技术. 前面各章节我们已经学习了如何用 Linux Bridge 作为 ML2 mech ...
- Google软件构建工具Bazel FAQ
Google软件构建工具Bazel FAQ 本文是我的翻译,原文在这里.欢迎转载,转载请注名本文作者和原始链接 注:如果想了解Bazel的原理,可以看看我之前翻译的Google Blaze原理及使用方 ...
- 领域驱动设计常见问题FAQ
本文出处:http://www.cqrs.nu/Faq What is a domain? The field for which a system is built. Airport managem ...
- Neutron 理解 (2): 使用 Open vSwitch + VLAN 组网 [Netruon Open vSwitch + VLAN Virutal Network]
学习 Neutron 系列文章: (1)Neutron 所实现的虚拟化网络 (2)Neutron OpenvSwitch + VLAN 虚拟网络 (3)Neutron OpenvSwitch + GR ...
- Neutron 理解 (3): Open vSwitch + GRE/VxLAN 组网 [Netruon Open vSwitch + GRE/VxLAN Virutal Network]
学习 Neutron 系列文章: (1)Neutron 所实现的虚拟化网络 (2)Neutron OpenvSwitch + VLAN 虚拟网络 (3)Neutron OpenvSwitch + GR ...
随机推荐
- javaMail创建邮件和发送邮件总结
(注: 本文是参考http://www.cnblogs.com/xdp-gacl/p/4216311.html. 感谢博主的精彩的描述) 一, 前期的准备 1, 导入 mail.jar 二, 操作步骤 ...
- Protocol Buffers in HBase
For early Hbase developers, it is often a nightmare to understand how the different modules speak am ...
- iOS只执行一次的方法
IOS开发(64)之GCD任务最多只执行一次 1 前言 使用 dispatch_once 函数 在 APP 的生命周期内来保证你想确保每段代码只执行一次,即使它在代码的不同地方多次调用(比如单例的初始 ...
- $lookup
db.orders.aggregate([ { $lookup: { from: "inventory", localField: "item", foreig ...
- 【NOIP2015】提高day2解题报告
题目: P1981跳石头 描述 一年一度的“跳石头”比赛又要开始了!这项比赛将在一条笔直的河道中进行,河道中分布着一些巨大岩石.组委会已经选择好了两块岩石作为比赛起点和终点.在起点和终点之间,有 N ...
- 面试题目-c和c++的区别
在很大程度上,标准C++是标准C的超集.实际上,所有C程序也是C++程序,然而,两者之间有少量区别.下面简要介绍一下最重要的区别. 1. 在C++中,局部变量可以在一个程序块内在任何地方声明,在 ...
- [mr440] 崎岖的山区
极类似动归的广搜?反正各种算法傻傻分不清…写之前叹了一句,好久不写广搜了啊!呵呵真的写了好久,大约一个钟头? f[i,j,0]表示到点(i,j)且最后一步为下降的最少步数,f[i,j,1]就是上升.莫 ...
- IPAD2 5.1.1越狱后的屏幕不能自动旋转~~~
己顶,出现这问题的原因是因为越狱安装了插件的原因.问题解决了,大家没有遇到类似的问题吗?问题出在大家都装了一个SBSettings的插件,解决办法就是在这个插件的ISO 5+ Notification ...
- 关于强制类型转换(c语言)
因为今天看的代码中用到了结构体的强制类型转换,就很想了解一下结构体的强制类型转换是怎样的. 一个结构体如下: 在下面这段代码中rbuf->reqCmdBuf是一个空指针,首先将这个空指针赋值给一 ...
- Tomcat 网站部署(三)
一.Tomcat的部署方式有以下两种 1.自动部署 2.虚拟目录 二.自动部署 文件必须放在放在webapps就可以了,可以用这样访问 http://localhost:8080/放在webapps目 ...