HP OpenFlow Switches. Abstract

Transcription

1 HP Switches Astract Applicale Products HP Switch 3500 series HP Switch 3800 series HP Switch 5400 series, v1 and v2 modules HP Switch 6200 series HP Switch 6600 series HP Switch 8200 series, v1 and v2 modules HP Part Numer: Pulished: Septemer 2012 Edition: 1

2 Copyright 2012 Hewlett-Packard Development Company, L.P. Conidential computer sotware. Valid license rom HP required or possession, use or copying. Consistent with FAR and , Commercial Computer Sotware, Computer Sotware Documentation, and Technical Data or Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The inormation contained herein is suject to change without notice. The only warranties or HP products and services are set orth in the express warranty statements accompanying such products and services. Nothing herein should e construed as constituting an additional warranty. HP shall not e liale or technical or editorial errors or omissions contained herein. UNIX is a registered trademark o The Open Group. Acknowledgments This product contains protocol support unctionality as provided in Open vswitch code licensed under the Apache Sotware License v2.0 and availale at The ull text o the Apache Sotware License v2.0 is contained in the License Inormation document availale at Warranty For the sotware end user license agreement and the hardware limited warranty inormation or HP Networking products, visit networking/support.

3 Contents 1 Introduction...5 Conceptual overview...5 architecture...6 eatures and eneits...7 Administrative methods...8 Supported RFCs and standards...8 Interoperaility Coniguring...12 Coniguration overview...13 Command syntax...13 Preparing or coniguration...13 Conigure VLANs...14 Veriy Routing...14 Conigure ports...14 Coniguring...14 Virtualization Mode...15 Port Coniguration...15 coniguration...16 Aggregation Mode coniguration...17 Enale or Disale...17 Conigure instances...17 Conigure instance memers...18 instance mode...18 Flow location...19 Sotware and hardware rate limiting...19 Conigure listener ports...20 Conigure controller ports...20 instance connection interruption mode...21 controller set up...21 Associate instance with controller...22 Setting maximum acko interval or an instance...22 Policy engine resources...23 Backing up your coniguration (optional) Administering...24 Monitoring...24 Setting statistics reresh rate...24 Viewing inormation...24 Viewing instances...26 Viewing resources...27 Viewing controllers...27 Viewing instance attriutes Trouleshooting...31 Diagnostic Tools Overview and Usage...31 Deug...31 Log iles and trace iles overview...32 Error messages...32 Interoperaility error messages...32 Controller error messages...32 VLAN error messages...33 Instance error messages...33 Contents 3

4 Miscellaneous error messages...34 Reporting prolems Support and other resources...36 Contacting HP...36 Beore you contact HP...36 HP contact inormation...36 Suscription service...36 Documents...36 Wesites...37 Typographic conventions...37 Customer sel repair Documentation eedack...39 A Flow classiication on v1 and v2 modules...40 Flow match on v1 modules...40 Flow match on v2 modules...40 Key dierences in hardware acceleration etween v1 and v2 modules...41 Flow actions supported in hardware...41 When would a low e supported in hardware?...42 B Implementation Notes...43 's inluence on CPU generated packets...43 Strip VLAN action not supported...43 Aggregate mode does not support OFPT_PACKET_OUT...43 Events that change the Operational Status o the instance...43 supports IP address masking...44 DUT matches and processes incoming untagged packets or VLAN id...45 Virtualization mode verses Aggregation mode VLAN tags in packet_in messages...45 Glossary...46 Index Contents

5 1 Introduction This document descries the general steps and individual commands or enaling operation. In the deault coniguration, is disaled on the switch. This document provides the ollowing: General steps or coniguration command syntax descriptions, including show commands trouleshooting commands and deug actions This document only covers the additional eatures and commands or administering on certain HP switches that use sotware version K or later, see Applicale Products (page 1). For more inormation aout upgrading sotware, see the Sotware Management chapter in the Management and Coniguration Guide or your HP switch. Conceptual overview is a programmale open-standard network protocol that uses lexile matching rules to classiy and manage network traic into lows. deines a set o actions that network devices can take to manage these lows. An controller deines and communicates policies to speciy traic ehavior on switches. This document descries switch administration. separates the control plane (that decides how traic must e orwarded) rom the data plane (that implements how traic is orwarded). is ased on an Ethernet switch, with an internal low-tale, and a standardized interace to add and remove low entries via an external controller. is a sotware environment that allows or experimentation o networking protocols and traic lows without interrupting the operation o the production network. traic can e separated rom the rest o the traic on the network per VLAN segregate, so that non- traic will not e impacted y. implementation on HP Switches separates traic and production traic y the use o instances. Traic within an instance will not inluence or degrade production traic. coniguration commands are applied per-instance. Figure 1 Switch and controller Controller Controlled Data / Rules Data / Rules Data / Rules HP Switch HP Switch HP Switch Conceptual overview 5

6 HP implementation complies with Switch Speciication v1.0.0 (Decemer 31, 2009). For limitations on the HP implementation, see Supported RFCs and standards (page 8). For more inormation see the Open Networking Foundation wesite at architecture can e conigured to separate production traic rom traic, or just traic using either the Virtualization or Aggregation Mode. Virtualization Virtualization carries production VLANs as well as VLANs that elong to instances conigured on the switch. Each Instance is independent and has its own coniguration and controller connection. A VLAN can e a memer o an instance. Figure 2 Virtualization mode Controller Server Host Port 1 Port 2 Non-/Controller VLAN Production VLANs VLAN HP Switch Aggregation The Aggregation mode puts all the VLANs on the switch into one instance, except the Management VLAN and a VLAN to communicate to the controller. It can e thought o as a use case where in a la environment the controller would manage all the switching and routing or the switch. NOTE: traic. When Aggregation is conigured, there is only traic. There is no production 6 Introduction

7 Figure 3 Aggregation mode One instance: All VLANS except Controller and Management VLAN Controller Server Host Port 1 Port 2 Management VLAN Controller VLAN VLAN10 through VLAN 100 VLAN 2 VLAN 1 HP Switch Figure 4 Example network with production non-, production, and experimental port 1 Port 2 Port 3 Port 5 VLAN 110 VLAN 120 Non- VLANs Non- network Production Experimental port 48 VLAN Trunk port 1 VLAN 110 VLAN 120 port 1 Management port 4 Non- VLANs Single Instance Pure Switch port 24 (VLAN Trunk) port 2 port 3 Non- network port 5 port 6 port 7 port 8 port 9 Controller eatures and eneits enales user to: eatures and eneits 7

8 Enale or disale Create instances and conigure controller connections Display related coniguration supports high availaility: The low tale will e preserved across a Management Module ailover The coniguration is synced across rom the AMM to the SMM Availaility o Conig support to retain coniguration across a reoot includes tools or limiting resources: Support or limiting the percentage o policy engine resources that may e used y Support or rate-limiting the amount o traic that gets sent to the CPU and rom there to the controller Support or rate-limiting the amount o traic that gets orwarded y the policy engine rules programmed y Support or hardware-only mode such that only lows that can e programmed into hardware will e accepted rom the controller. modes o operation: Support or hardware-only mode such that only lows that can e programmed into hardware will e accepted rom the controller. Support or active mode (deault) where new lows get sent to the controller y the switch. Support or passive mode where new lows no longer get sent to the controller ut are handled normally handled y the switch. IPv6 and Controlling IPv6 traic using is not supported as rules cannot match on IPv6 header ields per Speciication IPv6 traic on non- VLANs will ehave as expected. For more inormation on coniguring IPv6 traic, see the IPv6 Coniguration Guide or your switch. Administrative methods This document provides the HP CLI commands or coniguring and administering HP switches. controllers include utilities or monitoring, administering, and trouleshooting switch. For example, the OpenvSwitch controller distriution includes the utility ovs-octl. The utility can show the current state o a switch, that supports, including eatures, coniguration and tale entries. Other controllers have similar utilities; see the documentation or your controller or the complete command set. Supported RFCs and standards HP implementation complies with Switch Speciication v1.0.0 (Decemer 31, 2009) rom the Open Networking Foundation, with some dierences. Unsupported eatures Encrypted controller to switch connection via TLS is not supported. TABLE action is not supported. IN_PORT action is not supported. You cannot send out the packet on the port that it arrived on. The enqueue action per the spec is not supported. 8 Introduction

9 nl Handling o IP Fragments: OFPC_IP_REASM/OFPC_FRAG_REASM is not supported. The low emergency cache implementation is not supported. The Strip VLAN header action per the spec is not supported. Some commands or port modiication rom a controller are not supported OFPPC_PORT_DOWN OFPPC_NO_STP OFPPC_NO_RECV OFPPC_NO_RECV_STP OFPPC_NO_FWD NOTE: When the aove commands are sent rom the controller, an error message is returned to the controller: OFPET_PORT_MOD_FAILED Hardware dierences etween v1 & v2 Modules aect eature unctionality, see Flow classiication on v1 and v2 modules (page 40) or details. Interoperaility HP Switch eatures and interoperaility with y aect on eature or application Aect Feature can override 1 Feature 802.1X MAC Auth MAC Lockout MAC Lockdown Port Security We Auth Feature can override 2 ACLs Port, VLAN, Router, IDM variants IDM Feature can override 3 Feature cannot e conigured i is used Rate Limiting Management VLAN NOTE: Management VLAN cannot e conigured as a memer VLAN o an instance and vice versa. Q-in-Q Remote Mirror Endpoint TR Mode Feature cannot e conigured i is used 4 can override this eature 5 Meshing DHCP Snooping DHCPv4 client DHCPv4 r ela Interoperaility 9

10 DHCPv6 client DNS Ping SNTP Telnet client and server TFTP TimeP Traceroute UDP roadcast orwarder can override this eature 5 BGP DHCPv6 relay Dynamic ARP Protection Dynamic IP Lockdown IGMP Proxy IGMPv2 IGMPv3 MLDv1 MLDv2 OSPFv2 OSPFv3 PIM-DM PIM-SM RA Guard RIP Static Multicast Routes Static Routes Virus Throttling VRRP does not aect this eature does not aect this eature 6 Support existing L2, L3, security, HA, QoS unctionalities Distriuted Trunking GVRP LACP Loop Protect sflow UDLD does not aect this eature 7 STP loop guard BPDU guard MSTP 10 Introduction

11 1 These authentication eatures still unction in an instance and ports o an instance. The security eatures take a irst look at the packet in VLS eore sending the packets to. 2 Any ACL entry that sets a drop it in hardware (TCAM) would always win over the TCAM entry to copy traic to the CPU such that packets on an instance could get dropped in hardware due to an ACL entry and would never e ale to see those packets. 3 Rate Limiting may e applied to limit traic as well as other traic. uses a orm o rate limiter to limit the RSTP traic that gets to the CPU. 4 Enaling meshing can reak the distinction etween VLANs and non- VLANs. STP PVST 5 The controller could set up a low to match a protocol header and an action to drop the matching packets. This could lead to the protocol s packets never making it to the protocol handling code in the sotware data path. This would cause the protocol to reak on the instance. The controller could set up a low to match a protocol header and a NORMAL action in sotware or the matching packets. In such a case, the protocol s packets will e taken out y in the sotware data path ut reintroduced ater examining the sotware low tale. Though this action may not reak the protocol, it would introduce an additional latency eore the protocol code gets the protocol s packets. 6 Protocol packets will not e sent through the sotware data path. 7 Port up or down events are sent to the controller to keep the controller aware o availale ports on the switch. can not override STP, RSTP, or MSTP decisions. Interoperaility 11

12 2 Coniguring Tale 1 Summary o commands Command syntax Description Deault CLI page reerence openlow Entering context n/a 13 openlow instance instance-name Entering instance context n/a 13 openlow [ enale disale ] [no] openlow enale Enale disaled 17 openlow instance { instance-name aggregate } { enale disale } [no] openlow instance { instance-name aggregate } enale Conigure instances no instances 17 [no] openlow instance instance-name memer vlan vlan-id Conigure instance memers no memers 18 openlow instance { instance-name aggregate } mode { active passive } instance mode active 18 [no] openlow instance { instance-name aggregate } low-location hardware-only Flow location Sotware and hardware 19 openlow instance { instance-name aggregate } limit { hardware-rate kps sotware-rate pps } Sotware and hardware rate limiting 19 hardware-rate kps 0 kps sotware-rate pps 100 pps [no] openlow instance { instance-name aggregate } listen-port [ tcp-port ] [ oom ] Conigure listener ports port openlow controller-id ID ip ip-address [ port tcp-port ] controller-interace { vlan vlan-id oom } [no] openlow controller-id ID controller set up n/a 21 [no] openlow instance { instance-name aggregate } controller-id Controller-List Associate instance with controller n/a Coniguring

13 Tale 1 Summary o commands (continued) Command syntax Description Deault CLI page reerence openlow instance { instance-name aggregate } max-acko-interval secs Setting maximum acko interval or an instance 60 seconds 22 openlow limit policy-engine-usage Max-Percent Policy engine resources 100% 23 Coniguration overview General steps or coniguring : 1. Enale 2. Conigure instances 3. Conigure instance memers 4. Set instance mode 5. Set Flow location 6. Conigure sotware and hardware rate limiting 7. Conigure listener ports 8. Conigure controller ports 9. Conigure policy engine resources Command syntax Command syntax shown in this document uses the complete command syntax, however you can also enter the context and enter commands directly. Entering context You can use the openlow command options rom the coniguration level y eginning the command with openlow, or rom the openlow context level y typing just the command option. Syntax: openlow Enters context Entering instance context You can use the instance instance-name command options rom the coniguration level y eginning the command with openlow, or rom the openlow instance context level y typing just the command option. Syntax: openlow instance instance-name Enters instance context instance-name instance name Preparing or coniguration Plan your network including production and VLANs, instances, controller ports, listening ports, naming and numering strategy. Coniguration overview 13

14 Plan the numer o VLANs conigured or versus non-. works on an instance only when is enaled on the instance as well as gloally on the switch. NOTE: A maximum o 128 instances can e conigured. A maximum o 512 IP VLANs are supported. A maximum o 2048 VLANs are supported. Conigure VLANs Veriy Routing Conigure all VLANs and Production VLANs & veriy reachaility. For inormation on coniguring and veriying VLANs, see the Advanced Traic Management Guide or your switch. Conigure and veriy network routing. For inormation on coniguring and veriying routing, see the Multicast and Routing Guide or your switch. Conigure ports Conirm Production and physical and logical ports. For inormation on coniguring and veriying ports, see the Management and Coniguration Guide or your switch. Coniguring traic can e separated rom the rest o the traic on the network per VLAN, so that non- traic will not e impacted y. NOTE: I multiple commands to the same TCP port are received rom multiple controllers, the last command takes priority. can e conigured or Virtualization Mode or Aggregation Mode. Virtualization Mode Each instance is independent and has its own coniguration and controller connection. Some VLANs are designated as memers o instances while other VLANs are not. The VLANs that are not memers o instances could e thought o as VLANs carrying production traic. Aggregation Mode Provides a single instance that includes all o the VLANs conigured on the switch except the VLAN(s) that connect to the controller(s) and the Management VLAN on the switch. Production traic is not allowed. NOTE: It is not possile to mix aggregation and virtualization modes o operation. 14 Coniguring

15 Figure 5 Supported VLAN Modes Controller Controller Controller VLAN VLAN VLAN VLAN VLAN VLAN HP Switch HP Switch Virtualization Mode Aggregation Mode Virtualization Mode With Virtualization Mode, some VLANs can e designated as memers o instances. Each instance is independent and has its own coniguration and controller connection. Each instance can have one memer VLAN. Normal operation requires the presence o at least one VLAN that is not managed y. The non- VLANs are used to run the controller connections. Non- VLAN(s) can also e used or any traic that is not supposed to e managed y, reerred to as production traic. Typical networks use VLAN 1 as the Management VLAN. A Management VLAN cannot e a memer o an instance. A Management VLAN can e conigured as a controller VLAN. VLANs are not shared among instances. In addition to these, another VLAN is designated as the controller VLAN through which the switch communicates via the protocol to the remote controller. NOTE: The controller VLAN could e the Deault VLAN as well. It is a requirement that the traic that elongs to one instance should e contained within that instance and should not propagate to other instances or to Production VLANs. NOTE: Speciying a valid VLAN that is not yet conigured as a memer VLAN o an instance will not e an error, however when that VLAN is conigured will start working on that instance. Port Coniguration Switch ports are assigned to VLANs (see Virtualization Mode (page 15), ut ports can not e assigned directly to an instance. A port can e part o multiple VLANs when using tagged mode, which means that a port can e part o multiple instances and non- VLANs. For more inormation aout coniguring interaces (ports), see the Port Status and Coniguration chapter in the Management and Coniguration Guide or your HP switch. Coniguring 15

16 coniguration Example 1 displaying the status o all ports HP Switch(conig)# show interaces Status and Counters - Port Status Intrusion MDI Flow Bcast Port Type Alert Enaled Status Mode Mode Ctrl Limit /1000T No Yes Down Auto Auto o /1000T No Yes Down 1000FDx Auto o /1000T No Yes Down 1000FDx Auto o /1000T No Yes Down 1000FDx Auto o /1000T No Yes Down 1000FDx Auto o /1000T No Yes Down 1000FDx Auto o 0 Example 2 displaying the coniguration o all ports HP Switch(conig)# show interaces conig Port Settings Port Type Enaled Mode Flow Ctrl MDI /1000T Yes Auto Disale Auto 2 100/1000T Yes Auto Disale Auto 3 100/1000T Yes Auto Disale Auto 4 100/1000T Yes Auto Disale Auto 5 100/1000T Yes Auto Disale Auto 6 100/1000T Yes Auto Disale Auto Example 3 displaying the port statistics counters HP Switch(conig)# show interaces rie Status and Counters - Port Status Intrusion MDI Flow Bcast Port Type Alert Enaled Status Mode Mode Ctrl Limit GE-T No Yes Up 1000FDx MDIX o GE-T No Yes Down 10GigFD MDI o GE-T No Yes Down 10GigFD MDIX o GE-T No Yes Down 10GigFD Auto o GE-T No Yes Down 10GigFD Auto o GE-T No Yes Down 10GigFD Auto o GE-T No Yes Down 10GigFD Auto o GE-T No Yes Down 10GigFD Auto o 0 Example 4 displaying the VLANs associated with a port HP Switch(conig)# show vlans ports 1 3 Status and Counters - VLAN Inormation - or ports 1 3 VLAN ID Name Status Voice Jumo DEFAULT_VLAN Port-ased No Yes 10 VLAN10 Port-ased No No 15 VLAN15 Port-ased No No Coniguration o is done via the switch CLI. To change the coniguration, it is necessary 16 Coniguring

17 to e in the coniguration context using the conig command. Some commands can e executed in or in the instance context, see Command syntax (page 13). There can e multiple instances, and each instance is ound to a speciic VLAN. The coniguration o is done on a per-instance asis. NOTE: Ensure that each VLAN used in commands elow is already deined. See Virtualization Mode (page 15) or inormation on how to create a VLAN or check currently deined VLANs. Aggregation Mode coniguration Aggregation Mode enales the switch to have only a single aggregated instance managing all the VLANs within the switch. It impacts the way is managed inside the switch. NOTE: It is not possile to mix aggregation and virtualization modes o operation. In aggregated mode, all VLANs on the switch are managed y a single instance. Because the control traic cannot e in-and, speciic controller VLANs such as VLANs over which the controllers may e reached are excluded rom aggregation. The Management VLAN, i deined on the switch, is also excluded rom aggregation. In Aggregation Mode the instance manages all VLANs except the controller VLANs and Management VLAN. NOTE: An aggregate instance cannot e created when named instances exist. Enale or Disale Enaling or disaling gloally. Syntax: openlow [ enale disale ] [no] openlow enale enale Enales gloally. disale Disales gloally. NOTE: Using no openlow without any additional parameters deletes all conigurations. A warning message to conirm this command is provided. NOTE: instance parameters cannot e changed when enaled. Conigure instances Conigures an instance. NOTE: When an instance is enaled, a policy-engine resource is used to direct traic on an VLAN to the module. For a named instance to e enaled, a listen port or a controller, and a memer VLAN has to have een added to the instance. To enale an aggregate instance, a listen-port or a controller has to have een added to the instance. For coniguring Aggregation Mode, see Aggregation Mode coniguration (page 17) Enale or Disale 17

18 For coniguring Virtualization Mode, see Virtualization Mode (page 15) Syntax: openlow instance { instance-name aggregate } [ enale disale ] [no] openlow instance { instance-name aggregate } enale The no orm o the command deletes all conigurations or the instance. instance-name Creates an instance. Instance names can have a maximum length o 32 case-insensitive alphanumeric characters, numerals, and underscore. aggregate Creates an instance which includes all the VLANs except the Management VLAN and the controller VLANs. See Aggregation Mode coniguration (page 17) or details on the use o this parameter. enale Enales the named instance or named aggregate. disale Disales the named instance or named aggregate. Conigure instance memers Conigures instance memers. Only one VLAN can e added as a memer o an instance. The same VLAN cannot e added as a memer o multiple instances. The Management VLAN cannot e added to an instance as a memer VLAN. A Controller VLAN cannot e added to an instance as a memer VLAN. Syntax: [no] openlow instance instance-name memer vlan vlan-id instance-name Add a memer to this instance. vlan vlan-id Adds the VLAN to the named instance. instance mode can work either in active mode or passive mode. Active mode New packets o a low that the switch isn t aware o are sent to the controller. Passive mode There is one-way communication rom the controller to the switch. Packets that do not match any low in the low tale on the switch will not get sent to the controller. Such packets o new lows get handled normally y the switch. This command sets the operation mode or an instance. 18 Coniguring

19 Syntax: openlow instance { instance-name aggregate } mode { active passive } Flow location instance instance-name Sets the mode or the named instance. aggregate Sets the mode or the aggregate instance. active New lows get redirected to the controller or the instance. Deault: active. passive New lows are not sent to the controller or the instance. This command sets the location o lows or this instance or the aggregate. By deault, lows are located in hardware and sotware. In hardware-only mode, lows are programmed only in hardware. Syntax: [no] openlow instance { instance-name aggregate } low-location hardware-only instance-name Sets low location or the named instance. aggregate Sets low location or the aggregate instance. hardware-only Set the location o lows to hardware only. Deault: Sotware and hardware. NOTE: An error is returned to the controller i the low cannot e added in hardware and the low-location is set as hardware-only. NOTE: Flows that have an action to orward to multiple ports or all ports o a VLAN, such as lood, cannot e hardware accelerated. Such lows will e handled in sotware. Changing low location to hardware-only will aect those lows. For example, i a low is added with action as FLOOD it can only go in sotware. This results in a perormance penalty, or the low not eing programmed at all i running in hardware-only mode. I a packet is sent to a controller and it asks the switch to FLOOD, it will still e programmed in sotware. Sotware and hardware rate limiting You can speciy the limit o resources that can e used y an instance. Each instance has completely independent rate limiters that can e set separately. Syntax: openlow instance { instance-name aggregate } limit { hardware-rate kps sotware-rate pps } Flow location 19

20 instance-name Sets sotware and hardware rate limiting or the named instance. aggregate Sets sotware and hardware rate limiting or the aggregate instance. kps Limit the andwidth that can e utilized y an instance. Deault: 0 kps. Range 0 10,000,000 kps. pps Conigures the instance packet rate limit. This limits the numer o packets per second per module that this instance can send to the sotware path. Deault: 100 pps. Range: 1 10,000 pps. NOTE: Increasing the sotware rate limit will increase CPU consumption and may impact the system perormance. NOTE: I the sotware rate limit is speciied eyond 1000 pps the elow warning is displayed: Increasing the sotware rate limit would increase CPU consumption and may impact the system perormance. Conigure listener ports Conigures an port to listen or incoming connections rom an controller. Syntax: [no] openlow instance { instance-name aggregate } listen-port [ tcp-port ] [ oom ] instance-name Sets the listen port or the named instance. aggregate Sets the listen port or the aggregate instance. tcp-port Speciy the port to listen on. Deault: Port numer Range: Port numer oom Conigure to listen through the OOBM port. Only applicale or switches that have a separate out-o-and management (OOBM) port. Conigure controller ports An controller is conigured gloally under context and associated to an instance under instance context. See Command syntax (page 13) or more inormation. The controller traic can not e in-and. controller traic can not transit on a VLAN managed y, and must transit on a VLAN not managed y. The controller traic and traic can transit on the same port, as long as they use dierent VLANs. The VLAN chosen or the controller traic depends entirely on the IP address o the controller, and no speciic coniguration is needed. For this reason, the switch should have a proper 20 Coniguring

21 IP coniguration, and the controller address must e part o a sunet that is not on an VLAN. For inormation on how to either manually assign an IP address to the switch or set it up to perorm DHCP queries, see the Coniguring IP Addressing chapter in the Basic Operation Guide or your HP switch. Each instance can e controlled y up to three controllers and each generates commands and data lows etween an switch and the controller. instance connection interruption mode You can set the type o ehavior when the switch loses connection with the controller. Syntax: [no] openlow instance connection-interruption-mode { ail-secure ail-standalone } ail-secure I the switch loses connection with all o the controllers, packets and messages destined to the current controller are dropped. Flows continue to expire according to their time-outs. Deault: ail-secure ail-standalone I the switch loses connection with all o the controllers, packets and messages o new lows ehave as a legacy switch or router would. Existing lows o this instance are removed. controller set up A controller is identiied y its IP address and a connection port. You can have up to two dierent controllers on the same IP address, using dierent ports. controllers can e added or deleted using this command. Syntax: openlow controller-id ID ip ip-address [ port tcp-port ] controller-interace { vlan vlan-id oom } [no] openlow controller-id ID A maximum o three controller connections are supported per instance. ID controller identiication numer. The no orm o the command with this parameter removes the identiied controller, i the controller is not in use y any instances. Range: ip-address controller IP address. tcp-port Optional: Speciy the interace through which to connect to a controller. Deault: Port numer Range: Port numers controller-interace The no orm o the command with this parameter deletes the controller connection. Conigure controller ports 21

22 vlan-id Connect to the controller through the identiied VLAN. NOTE: A VLAN that is a memer o an instance cannot e added as an controller interace. oom Connect to the controller through the OOBM interace. Only applicale or switches that have a separate out-o-and management (OOBM) port. Associate instance with controller Once an controller is set up, each instance needs to e associated to a controller. Syntax: [no] openlow instance { instance-name aggregate } controller-id Controller-List Up to three controllers can e speciied per instance or aggregate. The no orm o the command with this parameter removes the identiied controllers. instance-name Sets controller or the named instance. aggregate Sets controller or the aggregate instance. Controller-List controller ID to e associated with the instance. Up to three controllers can e associated. Example 5 associating with multiple Controllers To associate controllers 1, 5, and 100 to instance test, use the ollowing command: HPswitch(conig)# openlow instance test controller-id NOTE: An controller that is associated with an instance cannot e deleted. Setting maximum acko interval or an instance You can speciy the maximum interval etween two consecutive attempts to connect to a controller y an instance. The interval etween two consecutive attempts increases exponentially until it reaches the speciied value. All susequent attempts use the speciied value. Syntax: openlow instance { instance-name aggregate } max-acko-interval secs instance-name Sets the acko interval or the named instance. aggregate Sets the acko interval or the aggregate instance. secs Deault: 60 seconds. Range: seconds. 22 Coniguring

23 Policy engine resources You can limit the percentage o policy engine resources used y so that it does not impact other unctions that use policy engine resources. The percentage is the maximum percentage o policy engine resources that may e used y, not a guaranteed amount. The limit can only e set when is disaled gloally. Syntax: openlow limit policy-engine-usage Max-Percent Max-Percent Deault: 50%. Range: 0 100%. Speciying 0% means that no resources will e allocated or. By deault, the policy engine resource usage is set at 50% to avoid oversuscriing resources and impacting perormance. In addition to, the policy engine resource can e used y Access Control Lists, Quality o Service, Identity Driven Management, Virus Throttling, Mirroring, Policy Based Routing, and some other eatures. Using the deault 50% resource usage setting, the 8200zl and 5400zl switches with v1 zl modules, and the 3500/3500yl, 6200yl, and 6600 switches can support approvimately 1000 rules in hardware while the 8200zl and 5400zl switches with v2 zl modules and the 3800 switches can support up to 1000 rules in hardware. Additional rules eyond the hardware limit will e processed y sotware. To increase the numer o lows eyond the deault 50% setting, use the Openlow limit policy-engine-usage command descried aove. Since several eatures, including, ACL, and QoS, also can use the policy engine resources, ensure that any new setting you conigure does not exceed the total policy engine resources. For example, i all policy engine resources are in use, rules will no longer e added in hardware and the switch will deny attempts to conigure ACLs via the CLI. To determine the resource usage on your switch, see Viewing resources (page 27) and the appendix titled Monitoring Resources in the latest Management and Coniguration Guide or your switch. Backing up your coniguration (optional) Dual management module in E8200 platorms is supported. Flow coniguration is synchronized across management modules and low tale preserved during switchover. See the Chassis Redundancy chapter in the Management and Coniguration Guide or your switch. Policy engine resources 23

24 3 Administering Tale 2 Summary o commands Command syntax Description Deault CLI page reerence openlow hardware-statistics reresh-rate secs statistics reresh rate 20 seconds 24 show openlow [ resources controllers instance instance-name [[ port-statistics ] lows [ low-type ] limiters ] ] Viewing inormation n/a 24 show openlow instance { instance-name aggregate } Viewing instances n/a 26 show openlow resources Viewing resources n/a 27 show openlow controllers Viewing controllers n/a 27 show openlow instance instance-name [ port-statistics lows [ low-type ] ] Viewing instance attriutes n/a 28 Monitoring can e monitored at several levels o inormation and the rate at which the inormation rom the hardware is rereshed can e conigured. Setting statistics reresh rate You can choose the maximum time eore the statistics are rereshed rom the hardware. Syntax: openlow hardware-statistics reresh-rate secs secs The hardware statistics reresh rate or. Viewing inormation Deault: 20 seconds. Range: seconds. NOTE: A value o 0 means that the hardware will no longer e polled to update the statistics. You can display inormation or all instances, ports, and lows. The returned inormation includes the version supported. Syntax: show openlow [ resources controllers instance instance-name [[ port-statistics ] lows [ low-type ] ] ] Show inormation. 24 Administering

25 resources Shows resource utilization. See Viewing resources (page 27). controllers Shows controllers conigured or. See Viewing controllers (page 27) instance-name Instance inormation can e otained or ports or lows. See Viewing instance attriutes (page 28) or more inormation. port-statistics Shows port statistics. lows low-type Shows the low tale entries or a particular instance. The various lows that can e shown using the low-type are: destination-ip Show lows matching the destination IP address. destination-mac Show lows matching the destination MAC address. destination-port Show lows matching the destination port. ether-type Show lows matching the EtherType. ip-protocol Show lows matching the IP protocol. ip-tos-its Show lows matching the IP ToS its. source-ip Show lows matching the source IP address. source-mac Show lows matching the source MAC address. source-port Show lows matching the source port. vlan-id Show lows matching the VLAN ID. vlan-priority Show lows matching the VLAN priority. Monitoring 25

26 Example 6 shows the conigurations or all instances HP Switch(conig)# show openlow Version 1.0 : Enaled Max. Policy Engine Usage (%) : 100 Hw. Stats. Reresh Rate : 20 secs Instance Inormation No. o No. o Instance Name Oper. Status H/W Flows S/W Flows openlowinstance Up 1 0 Viewing instances You can display the inormation or a speciic instance. This includes the memerships o the instance, the controllers and listen-port or that instance and other relevant inormation. Syntax: show openlow instance { instance-name aggregate } instance-name Displays the coniguration or a speciic instance. The Operational Status can e Down due to: The memer VLAN o the instance does not exist on the switch The controller VLAN o the instance does not exist on the switch When multiple controllers connect over multiple controller VLANs, the operational status will e Down when none o the controller VLANs exist on the switch The memer VLAN is down, or example when all ports on the memer VLAN are down Example 7 show instance 26 Administering HP Switch(conig)# show openlow instance openlowinstance Instance Name : openlowinstance Admin. Status : Enaled Memer List : VLAN 5 Listen Port : 6633 Oper. Status : Up Datapath ID : a8d9ec0 Mode : Active Flow Location : Hardware and Sotware No. o Hw Flows : 0 No. o Sw Flows : 0 Hw. Rate Limit (kps) : 0 Sw. Rate Limit (pps) : 100 Conn. Interrupt Mode : Fail-secure Maximum Backo Interval : 60 seconds No controllers associated with this instance. I controllers are associated with the instance, then the ollowing tale appears

27 Controller-ID Connection Status Connection State Connected Active 11 Disconnected Void 13 Connected Idle Possile connection states are Active, Idle, Backo, Connecting, or Void. Possile connection status values are Connected or Disconnected. Viewing resources You can show the resources. Syntax: show openlow resources Example 8 show resources HP Switch(conig)# show openlow resources Resource usage in Policy Enorcement Engine Rules Rules Used Slots Availale ACL QoS IDM VT Mirr PBR OF Other A F Meters Meters Used Slots Availale ACL QoS IDM VT Mirr PBR OF Other A F Application Port Ranges Application Port Ranges Used Slots Availale ACL QoS IDM VT Mirr PBR OF Other A F o 8 Policy Engine management resources used. Key: ACL = Access Control Lists QoS = Device & Application Port Priority, QoS Policies, ICMP rate limits IDM = Identity Driven Management VT = Virus Throttling locks Mirr = Mirror Policies, Remote Intelligent Mirror endpoints PBR = Policy Based Routing Policies OF = Other = Management VLAN, DHCP Snooping, ARP Protection, Jumo IP-MTU, Transparent Mode, RA Guard. Resource usage includes resources actually in use, or reserved or uture use y the listed eature. Internal dedicated-purpose resources, such as port andwidth limits or VLAN QoS priority, are not included. Viewing controllers You can display controllers conigured or use y. Syntax: show openlow controllers Monitoring 27

28 Example 9 show controllers HP Switch(conig)# show openlow controllers Controller Inormation Controller Id IP Address Port Interace VLAN 6 Viewing instance attriutes You can view inormation on a speciic instance. Syntax: show openlow instance instance-name [ port-statistics lows [ low-type ] ] port-statistics Shows port statistics. lows low-type Shows the low tale entries or a particular instance. The various lows that can e shown using the low-type are: destination-ip Show lows matching the destination IP address. destination-mac Show lows matching the destination MAC address. destination-port Show lows matching the destination port. ether-type Show lows matching the EtherType. ip-protocol Show lows matching the IP protocol. ip-tos-its Show lows matching the IP ToS its. source-ip Show lows matching the source IP address. source-mac Show lows matching the source MAC address. source-port Show lows matching the source port. vlan-id Show lows matching the VLAN ID. vlan-priority Show lows matching the VLAN priority. 28 Administering

29 Example 10 show instance port statistics HP Switch(conig)# show openlow instance openlowinstance port-statistics Port Statistics Numer o Ports : 1 Port : 23 Collisions : 0 Rx Packets : 169 Tx Packets : 80 Rx Bytes : Tx Bytes : Rx Dropped : 0 Tx Dropped : 0 Rx Errors : 0 Tx Errors : 0 Frame Errors : 0 CRC Errors : 0 Overrun Errors : 0 Example 11 show instance lows HP Switch(conig)# show openlow instance openlowinstance lows Flow Tale Flow 1 Incoming Port : 0 Ethernet Type : IP Source MAC : Destination MAC : VLAN ID : 0 VLAN priority : Source IP : Destination IP : IP Protocol : UDP IP ToS Bits : 0 Source Port : 67 Destination Port : 68 Priority : Duration : 2 secs Idle Timeout : 60 secs Hard Timeout : 0 secs Packet Count : 0 Byte Count : 0 Flow Location : Hardware Actions : Normal Monitoring 29

30 Example 12 show instance lows or a speciic VLAN show openlow instance myinst1 lows vlan-id 5 Flow Tale Flow 1 Incoming Port : 24 Ethernet Type : IP Source MAC : acde Destination MAC : VLAN ID : 5 VLAN Priority : 0 Source IP : Destination IP : IP Protocol : TCP IP ToS Bits : 0 Source Port : 23 Destination Port : 0 Priority : Duration : 4 secs Idle Timeout : 800 secs Hard Timeout : 0 secs Packet Count : 1080 Byte Count : Flow Location : Sotware Actions Modiy Destination IP : Modiy Source IP : Modiy Source MAC : Modiy Destination MAC : Modiy VLAN ID : 123 Modiy NW Tos : 123 Output : 24 Flow 2 Incoming Port : 0 Ethernet Type : IP Source MAC : Destination MAC : VLAN ID : 5 VLAN Priority : 0 Source IP : Destination IP : IP Protocol : 0x00 IP ToS Bits : 0 Source Port : 0 Destination Port : 0 Priority : Duration : 10 secs Idle Timeout : 60 secs Hard Timeout : 0 secs Packet Count : 0 Byte Count : 0 Flow Location : Hardware Actions Normal 30 Administering

31 4 Trouleshooting Tale 3 Summary o commands Command syntax Description Deault CLI page reerence deug openlow { packets [ rx tx ] events } Displaying packets or events n/a 31 Diagnostic Tools Overview and Usage Various commands and error messages are availale. Deug You can display either protocol packets or event description. NOTE: The deug openlow packets option only displays protocol packets exchanged etween the switch and the controller. Syntax: deug openlow { packets [ rx tx ] events } packets Display all packets. rx tx Display packets received y the switch rom the controller. Display packets sent rom the switch to the controller. events Display events like low addition, low deletion, low modiication, enale and disale o and other inormation. Diagnostic Tools Overview and Usage 31

32 Example 13 Deug logs Flow deletion mofctrltask: DBG Flow deletion: idle_timeout=60,dl_type=0x0800,in_port=27,dl_vlan=65535,dl_vlan_pcp=0, dl_src=00:50:56:9:5:0a,dl_dst=00:50:56:9:19:92,nw_src= ,nw_dst= , icmp_type=0,icmp_code=0,actions=output:26 Flow addition mofctrltask: DBG Flow addition: idle_timeout=60,dl_type=0x0800,in_port=27,dl_vlan=65535,dl_vlan_pcp=0, dl_src=00:50:56:9:5:0a,dl_dst=00:50:56:9:19:92,nw_src= ,nw_dst= , icmp_type=0,icmp_code=0,actions=output:26 Flow expiry mofctrltask: DBG Flow expiry: idle_timeout=1200,dl_type=0x0800,nw_src= ,nw_dst= , actions=mod_nw_src: Log iles and trace iles overview Other error cases are availale when an existing low is sent as a re-add y the controller or when the controller asks or a certain low to e deleted ut that low is not ound in the low tale. Error messages Interoperaility error messages Enaling when Meshing is enaled: cannot e enaled when meshing is conigured. Enaling Meshing when is enaled: Meshing cannot e conigured when is enaled. Enaling when Q-in-Q is enaled: cannot e enaled when Q-in-Q is conigured. Enaling Q-in-Q when is enaled: Q-in-Q cannot e conigured when is enaled. Enaling Transparent Mode (TRmode) when is enaled: Transparent Mode cannot e enaled when is enaled. Enaling when Transparent Mode is enaled: cannot e enaled when Transparent Mode is enaled. Enaling Remote Mirror Endpoint when is enaled: Remote Mirror Endpoint cannot e conigured when is enaled. Enaling when Remote Mirror Endpoint is enaled: cannot e enaled when Remote Mirror Endpoint is conigured. Controller error messages An attempt to delete a controller that has not een conigured: HP-8206zl(vlan-3)# no openlow controller-id 2Controller-ID not ound. ID is missing 32 Trouleshooting

33 Speciying a port out o range: Invalid port. Valid range is Trying to conigure a controller that already exists or modiying the parameters o an existing controller: A controller is already conigured with this ID. Controllers associated with an instance cannot e deleted: Controller cannot e removed when in use y an instance. VLAN error messages Speciying a memer VLAN as a controller VLAN: The speciied VLAN is already memer o instance instance-name and thereore cannot e added as controller interace. Speciying a VLAN that is already a part o a dierent instance: The VLAN speciied is already a memer o another instance, instance-name. Speciying more than one VLAN per instance: Only one VLAN can e conigured as a memer o an instance. Speciying a VLAN that is outside the allowed VLAN range: Invalid Input : VLAN-ID When the user tries to add the Management VLAN to an instance: The management VLAN cannot e a memer o an instance. When the user tries to conigure an instance VLAN as Management VLAN: Management VLAN cannot e conigured. VLAN <n> is memer o an instance. Trying to add a VLAN that is a controller interace or VLAN: Controller interace cannot e added as memer VLAN. When a dynamic VLAN is added as a memer VLAN: Dynamic VLAN cannot e added as a memer VLAN. Adding a controller interace as memer VLAN: Controller interace cannot e added as memer VLAN. Instance error messages Attempt to enale a named instance without a listen port or controller, and a memer VLAN: A listen port or a controller, and a memer VLAN must e added to the named instance eore enaling it. Attempt to enale an aggregate instance without a listen port or controller: A listen-port or a controller must e added to the aggregate instance eore enaling it. Coniguring an instance when the maximum numer o instances is already conigured: Error messages 33

34 Maximum numer o instances (128) already conigured. Coniguring an instance with a name that exceeds the maximum length requirement: Maximum length o the instance-name is 32 characters. Trying to create an aggregate instance when a named instance already exists on the switch: An aggregate instance cannot e created when named instances exist. Trying to create a named instance when an aggregate instance is already conigured: Named instances cannot e created when an aggregate instance exists. Trying to delete a nonexistent instance: Instance not ound. Attempt to enale an instance without coniguring a listen port or a controller: A listen-port or a controller, and a memer VLAN must e added to the named instance eore enaling it. Trying to delete a memer which does not elong to this instance: VLAN VLAN-ID is not a memer o this instance. Trying to modiy the acko interval when the instance is enaled: Instance coniguration cannot e modiied when the instance is enaled. Only alphanumeric characters, numerals and underscore is allowed in the instance name: Invalid name. Only alphanumeric characters and underscore are allowed. Miscellaneous error messages I the user tries to set policy engine resource usage when is enaled: Policy Engine usage can e set only when is disaled. Reporting prolems I you are unale to solve a prolem with, do the ollowing: 1. Read the release notes or to see i the prolem is known. I it is, ollow the solution oered to solve the prolem. 2. Determine whether the product is still under warranty or whether your company purchased support services or the product. Your operations manager can supply you with the necessary inormation. 3. Access HP Support Center and search the technical knowledge dataases to determine i the prolem you are experiencing has already een reported. The type o documentation and resources you have access to depend on your level o entitlement. NOTE: The HP Support Center at HP Support Center oer peer-to-peer support to solve prolems and are ree to users ater registration. I this is a new prolem or i you need additional help, log your prolem with the HP Support Center, either on line through the support case manager at HP Support Center, or y calling HP Support. I your warranty has expired or i you do not have a valid support contract or 34 Trouleshooting

35 your product, you can still otain support services or a ee, ased on the amount o time and material required to solve your prolem. 4. I you are requested to supply any inormation pertaining to the prolem, gather the necessary inormation and sumit it. The ollowing sections descrie some o the inormation that you might e asked to sumit. Reporting prolems 35

36 5 Support and other resources Contacting HP Beore you contact HP Be sure to have the ollowing inormation availale eore you call contact HP: Technical support registration numer (i applicale) Product serial numer Product model name and numer Product identiication numer Applicale error message Add-on oards or hardware Third-party hardware or sotware Operating system type and revision level HP contact inormation For the name o the nearest HP authorized reseller: See the Contact HP worldwide (in English) wepage at en/wwcontact.html. For HP technical support: In the United States, or contact options see the Contact HP United States wepage at welcome.hp.com/country/us/en/contact_us.html. To contact HP y phone: Suscription service Documents Call HP-INVENT ( ). This service is availale 24 hours a day, 7 days a week. For continuous quality improvement, calls may e recorded or monitored. I you have purchased a Care Pack (service upgrade), call For more inormation aout Care Packs, see the HP wesite at In other locations, see the Contact HP worldwide (in English) wepage at welcome.hp.com/country/us/en/wwcontact.html. HP recommends that you register your product at the Suscrier's Choice or Business wesite at Ater registering, you will receive notiication o product enhancements, new driver versions, irmware updates, and other product resources. You can ind additional switch documents rom the Manuals page o the HP Business Support Center wesite at Additional documentation or your HP Switch may include: Access Security Guide Advanced Traic Management Guide Basic Operation Guide IPv6 Coniguration Guide 36 Support and other resources

37 Wesites Management and Coniguration Guide Multicast and Routing Guide HP product wesites are availale or additional inormation. HP Switch Networking we site: HP Technical Support wesite: Typographic conventions This document uses the ollowing typographical conventions: %, $, or # A percent sign represents the C shell system prompt. A dollar sign represents the system prompt or the Bourne, Korn, and POSIX shells. A numer sign represents the superuser prompt. audit(5) A manpage. The manpage name is audit, and it is located in Section 5. Command A command name or qualiied command phrase. Computer output Text displayed y the computer. Ctrl+x A key sequence. A sequence such as Ctrl+x indicates that you must hold down the key laeled Ctrl while you press another key or mouse utton. ENVIRONMENT VARIABLE The name o an environment variale, or example, PATH. ERROR NAME The name o an error, usually returned in the errno variale. Key The name o a keyoard key. Return and Enter oth reer to the same key. Term The deined use o an important word or phrase. User input Commands and other text that you type. Variale The name o a placeholder in a command, unction, or other syntax display that you replace with an actual value. [ ] { }... The contents are optional in syntax. I the contents are a list separated y, you must choose one o the items. The contents are required in syntax. I the contents are a list separated y, you must choose one o the items. The preceding element can e repeated an aritrary numer o times. Indicates the continuation o a code example. Wesites 37

38 Separates items in a list o choices. WARNING A warning calls attention to important inormation that i not understood or ollowed will result in personal injury or nonrecoverale system prolems. CAUTION A caution calls attention to important inormation that i not understood or ollowed will result in data loss, data corruption, or damage to hardware or sotware. IMPORTANT This alert provides essential inormation to explain a concept or to complete a task NOTE A note contains additional inormation to emphasize or supplement important points o the main text. Customer sel repair HP products are designed with many Customer Sel Repair parts to minimize repair time and allow or greater lexiility in perorming deective parts replacement. I during the diagnosis period HP (or HP service providers or service partners) identiies that the repair can e accomplished y the use o a Customer Sel Repair part, HP will ship that part directly to you or replacement. There are two categories o Customer Sel Repair parts: Mandatory Parts or which Customer Sel Repair is mandatory. I you request HP to replace these parts, you will e charged or the travel and laor costs o this service. Optional Parts or which Customer Sel Repair is optional. These parts are also designed or customer sel repair. I, however, you require that HP replace them or you, there may or may not e additional charges, depending on the type o warranty service designated or your product. NOTE: Some HP parts are not designed or Customer Sel Repair. In order to satisy the customer warranty, HP requires that an authorized service provider replace the part. These parts are identiied as No in the Illustrated Parts Catalog. Based on availaility and where geography permits, Customer Sel Repair parts will e shipped or next usiness day delivery. Same day or our-hour delivery may e oered at an additional charge where geography permits. I assistance is required, you can call the HP Technical Support Center and a technician will help you over the telephone. HP speciies in the materials shipped with a replacement Customer Sel Repair part whether a deective part must e returned to HP. In cases where it is required to return the deective part to HP, you must ship the deective part ack to HP within a deined period o time, normally ive (5) usiness days. The deective part must e returned with the associated documentation in the provided shipping material. Failure to return the deective part may result in HP illing you or the replacement. With a Customer Sel Repair, HP will pay all shipping and part return costs and determine the courier/carrier to e used. For more inormation aout the HP Customer Sel Repair program, contact your local service provider. For the North American program, visit the HP wesite at selrepair. 38 Support and other resources

39 6 Documentation eedack HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedack Include the document title and part numer, version numer, or the URL when sumitting your eedack. 39

40 A Flow classiication on v1 and v2 modules Hardware dierences etween v1 & v2 Modules aect low match capailities. For additional inormation aout v1 & v2 Modules, compatiility and inter-operation o v2 zl Modules with v1 zl Modules in a chassis switch, see the latest Release Notes or your switch in the Compatiility Mode section, and the HP 8200 zl, 5400 zl, 3500, and 6200 yl Switch Series Technical Overview White Paper, 4AA0-5388ENW.pd availale on the HP Switch Networking we site at Flow match on v1 modules Tale 4 Flow match on v1 modules Flow type VLAN ID a VLAN PCP In_Port c Ethernet Type Source MAC d Destination MAC e Source IP Destination IP IP ToS IP Prot. Source Port Destination Port V1 module low location VLAN PCP 0 7 sotware L2 MAC MAC sotware Ethertype Non-IP g Non-IP sotware Ethertype IP h i IP i i hardware a c d e g h i VLAN + Port i i i i i i i i i i A low that just matches the VLAN-ID and IN_PORT can e in hardware provided no other ield is speciied. I the VLAN-PCP ield is speciied with a valid value, then that low will e in sotware. A low that just matches the VLAN-ID and IN_PORT can e in hardware provided no other ield is speciied. I the source MAC address is speciied, the low will e in sotware. I the destination MAC address is speciied, the low will e in sotware. Wildcard It does not matter i this ield is speciied or not in the low. I the Ethertype is non-ip, the low will e in sotware. I the Ethertype is IP, the low can e in hardware provided the VLAN PCP and/or any MAC address ield is not speciied. Blank This ield MUST NOT e present in the low or is not applicale. Flow match on v2 modules Tale 5 Flow match on v2 modules hardware Flow type VLAN ID VLAN Pty In_Port Ethernet Type Source MAC Destination MAC Source IP Destination IP IP ToS IP Prot. Source Port Destination Port V2 module low location VLAN ID a VLAN PCP a c c c c c c c c c hardware In_Port a Ethertype IP d IP c c hardware Ethertype IP e IP sotware Ethertype Non-IP Non-IP c c c c c c hardware 40 Flow classiication on v1 and v2 modules

41 Tale 5 Flow match on v2 modules (continued) Ethertype Non-IP g Non-IP sotware a c d e g h No Ethertype h c sotware A low that matches the VLAN-ID, VLAN-PCP and IN_PORT with all other ields eing lank will e in hardware. Wildcard It does not matter i this ield is speciied or not in the low. Blank This ield MUST NOT e present in the low or is not applicale. I the Ethertype is IP, the MAC address ields must not e speciied or the low to e in hardware. I the Ethertype is IP and any MAC address ields is speciied, the low will e in sotware. I the Ethertype is non-ip, the low can match against MAC address ields also in hardware provided the IP address ields are not speciied. I the Ethertype is non-ip and any o the IP ields are speciied, the low will e in sotware. I the Ethertype ields is lank and any o the MAC address ields or IP address ields are speciied, the low will e in sotware. Key dierences in hardware acceleration etween v1 and v2 modules VLAN-PCP cannot e matched in hardware on v1 modules. This is possile in v2 modules. Flows with a non-ip Ethertype cannot e matched in hardware on v1 modules. Flows with a MAC address speciied cannot e matched in hardware on v1 modules. Such lows can e matched in hardware on v2 modules provided the Ethertype o such lows is non-ip. Flow actions supported in hardware Only certain actions can e supported in hardware y the v1 and v2 modules. The tale elow lists the actions and whether that action is supported in hardware or not. Tale 6 Flow actions supported in hardware Action Supported in Drop: hardware Forward: To a single port To a set o ports Normal Local Flood All hardware sotware hardware sotware sotware sotware Modiy: VLAN-ID VLAN-PCP Source MAC address Destination MAC address Source IP address Destination IP address IP TOS Source port (Transport layer) sotware hardware sotware sotware sotware sotware hardware sotware Key dierences in hardware acceleration etween v1 and v2 modules 41

42 Tale 6 Flow actions supported in hardware (continued) Destination port (Transport layer) Strip VLAN tag such as 802.1q header 1 Unsupported in neither hardware nor sotware sotware Unsupported 1 When would a low e supported in hardware? I a low has multiple actions and one o these actions is supported in sotware, then the low will e supported in sotware only. I a low can e matched in hardware ut has an action that can e supported only in sotware, then the low will e supported in sotware only. For a low to e supported in hardware, the match and actions must e supported in hardware. 42 Flow classiication on v1 and v2 modules

43 B Implementation Notes This section documents some o the ehaviors exhiited during the implementation o. These ehaviors were exposed during testing and may include unit, conormance, integration, interoperaility, stress and system testing. 's inluence on CPU generated packets In some cases, the CPU generated packets will e eected y the TCAM rules. Speciication does not clearly outline the ehavior or CPU generated packets. One example o such a case is when a rule is in place with the in_portas a wild-card ut has a SRC IP address that matches the IP address conigured on the switch. Strip VLAN action not supported does not allow Strip VLAN action as the underlying hardware cannot support this correctly or all cases. When presented with this challenge, the ollowing messages may appear: The Strip VLAN tag or Strip 802.1Q tag action will not e supported y this release. : DUT ails to strip VLAN while looding to Tagged ports. Aggregate mode does not support OFPT_PACKET_OUT implementation cannot support OFPT_PACKET_OUT messages received rom the controller when in the Aggregate mode. Aggregate Mode supports OFPT_PACKET_OUT, ut it is rather restricted. I the data rame sent in Packet_Out contains the VLAN Tag, VLAN ID present in tag is used to send the packet out. I VLAN ID is not present, an attempt is made to send the packet out untagged. In this case it depends on how that port is conigured [tagged/untagged] as to whether the packet may or may not go out. LOCAL is not supported as output port or Packet_out, irrespective o the mode. NORMAL support with packet_out is limited to packets that need to e orwarded, not ones meant locally or the switch. For Example i the OFPT_PACKET_OUT command is to e sent out o port 3 and port 3 is a memer o multiple VLANs, then the switch would not know which VLAN to send the packet out o. Another issue is with the FLOOD action. I the OFPT_PACKET_OUT is sent with the FLOOD action, then the switch would not know which VLAN to lood the packet out o. Events that change the Operational Status o the instance The Oper. Status ield indicates the operational status o the instance and can e either up or down. The operational status will e down when either the memer VLAN o the instance does not exist on the switch or the controller VLAN o the instance does not exist on the switch. In the case when multiple controllers connect over multiple controller VLANs, the operational status will e down when none o the controller VLANs exist on the switch. When the memer VLAN is down - all ports on the memer VLAN are down. For example, the show openlow instance displays all the instance related inormation as ollows: show openlow instance <test> NOTE: Note that or purposes o this example the instance <test> has een created. Instance Name : Test Admin. Status : Enaled Memer List : VLAN 3 Listen Port : 6633 Oper. Status : Down Datapath ID : Mode : Active 's inluence on CPU generated packets 43

44 Flow Location : Hardware and Sotware No. o Hw Flows : 0 No. o Sw Flows : 0 Hw. Rate Limit : 0 kps Sw. Rate Limit : 100 pps Conn. Interrupt Mode : Fail-Secure Maximum Backo Interval : 60 seconds Controller Id Connection Status Connection State Disconnected Backo supports IP address masking supports IP sunet mask. Controllers can speciy the sunet mask associated with an IP address and sent to the Openlow switch. The switch accepts the IP address with the sunet mask and associates any packets coming with the sunet mask with the rule. For example the K implementation supports the aility to match on IP address and sunet mask when the controller programs such lows. Consider this example where the ovs-octl utility is used to add a low that matches on a network source address o with a sunet mask o /24. Note that here is the IP address o the switch which has an listen port open on port openlow@openlow-uuntu-08:~$ ovs-octl add-low nl tcp: :6633 ip,nw_src= /24,actions=output:1 To veriy that this low has een installed on the switch, we run the ovs-octl command and veriy the output. openlow@openlow-uuntu-08:~$ ovs-octl dump-lows tcp: :6633 NXST_FLOW reply (xid=0x4): cookie=0x0, duration=13.535s, tale=0, n_packets=0, n_ytes=0, ip,nw_src= /24 actions=output:1 The show openlow instance t1 lows command when executed on the switch (HP-8206zl) displays the ollowing: Figure 6 Show Instance Note that the output o the command show openlow instance t1 lows does not display the sunet mask ut displays the Source IP as This is the result o comining the IP address and sunet mask sent y the controller in the low. This is a known display issue that will get ixed in a susequent release. 44 Implementation Notes