Package org.opendaylight.vtn.manager

The VTN Manager provides network virtualization support with multi-tenancy.

Function overview

VTN

The VTN Manager manages the virtual network at the VTN (Virtual Tenant Network) level. At least one VTN should be created to set up a virtual network using the VTN Manager.

A VTN is a virtual network environment inside the network managed by the OpenDaylight controller. The VTN Manager sets up the virtual network environment inside a VTN by configuring virtual network elements (virtual nodes), such as vBridges, in the VTN. If multiple VTNs are created, the networks inside different VTNs are managed as separate, individual networks.

vBridge

vBridge is a virtual layer 2 switch inside VTN, and it represents one virtual broadcast domain. Virtual network environment in VTN is enabled when one or more vBridges are created inside VTN, and vBridge and physical network are mapped.

Following functionalities are provided at this point in time for mapping vBridge and physical network.

vBridge status

vBridge can have the following internal status.

UNKNOWN
This shows the state wherein physical network is not mapped to vBridge. vBridge status will be UNKNOWN if all the following conditions are met.
DOWN
This shows the state wherein the physical network mapped to vBridge is not operating correctly. If any of the following conditions are met, then vBridge status will be DOWN.
  • Physical switch is configured in the VLAN mapping done on vBridge and that physical switch is meeting any one of the following conditions.
    • Physical switch does not exist.
    • All the ports of the physical switch are connected to some other physical switch.
    • Except for the ports that connect two physical switches, no other ports are operational.
  • MAC mapping is set on vBridge and the target host for MAC mapping is not yet detected.
  • One or more than one interface out of the enabled virtual interfaces inside vBridge is in DOWN state.
  • There is no reachable route available while configuring networks routes mapped to vBridge.
UP
This shows the state wherein the physical network mapped to the vBridge is operating correctly.

VLAN mapping

VLAN mapping functionality is used for mapping VLAN network to any specified vBridge. It is possible to set one or more than one VLAN mapping to one vBridge.

While configuring VLAN mapping, specify the VLAN ID that is to be mapped to vBridge.

  • If 0 is set as VLAN ID, then the ethernet frames that have no VLAN tag get mapped to vBridge.
    • If the physical switch receives an ethernet frame that does not have VLAN tag, then it is treated as an input against this vBridge.
    • VLAN tag is removed if an ethernet frame is output to this vBridge.
  • If a value greater than 0 and less than 4096 is specified as VLAN ID, then ethernet frames that have the same VLAN ID inside the VLAN tag get mapped to this vBridge.
    • If the physical switch receives an ethernet frame that has this VLAN ID set inside the VLAN tag, then it is treated as an input against this vBridge.
    • VLAN tag is added and the corresponding VLAN ID is configured when ethernet frame is output to this vBridge.

Also, it is possible to specify one physical switch for VLAN mapping. If the node identifier (node-id) corresponding to a physical switch is specified during VLAN mapping, then only the input and output of that physical switch are mapped to the vBridge. If a physical switch is not specified, then the VLAN mapping applies to all the physical switches recognized by the OpenDaylight controller.

Further, if VLAN mappings with the same VLAN ID, one specifying a physical switch and one not, are set on different vBridges, the VLAN mapping that specifies the physical switch is given higher priority. E.g., let us assume that vBridges are configured as shown below.

  • Create a vBridge with the name bridge_1 and configure VLAN mapping with the VLAN ID 1 and the physical switch switch-1.
  • Create a vBridge with the name bridge_2 and configure VLAN mapping with the VLAN ID 1.

Following will be the behavior in this case.

  • Ethernet frames with VLAN ID 1 will be mapped to bridge_1 if they are detected at physical switch switch-1.
  • Other Ethernet frames with VLAN ID 1, which are not detected at switch-1, will be mapped to bridge_2.

Please note the following caution while configuring VLAN mapping.

  • VLAN, mapped by VLAN mapping, will be exclusive for that vBridge. It is not possible to configure VLAN mapping with the same settings to another vBridge.
  • Input and output against the internal ports (ports that are connected to other switches) of the switch will not be managed by VLAN mapping.
    • Even if the internal port of the switch receives an ethernet frame that has the VLAN ID specified in the VLAN mapping, that ethernet frame is not treated as an input against this vBridge.
    • Ethernet frame is not output to the internal port when it is output to this vBridge.
  • VLAN mapping is not used on the VLAN network over a switch port which has been mapped using Port mapping.
  • VLAN mapping is not used on the VLAN network over a switch port which has detected a host mapped with MAC mapping.

MAC mapping

MAC mapping functionality is used to associate vBridge with any specified host and it is supported from Helium onwards. Only one MAC mapping can be configured on one vBridge. However, it is possible to associate multiple hosts to vBridge by using one MAC mapping.

A combination of MAC address of host and VLAN ID is specified to map hosts in MAC mapping.

  • If 0 is specified as VLAN ID, MAC addresses detected over untagged network will be mapped to vBridge.
  • If VLAN ID equal to or more than 1 and equal to or less than 4095 is specified, MAC addresses detected over the specified VLAN will be mapped to vBridge.

MAC mapping has the following two access control lists. Host is specified in MAC mapping by setting host information to these access control lists.

Map Allow list
Set the list of hosts which are to be mapped with MAC mapping.
  • Following MAC addresses cannot be set.
    • 0
    • Broadcast address
    • Multi-cast address
  • If MAC address is not specified in the host information, all the hosts detected over the specified VLAN will be mapped.
  • Host information set in Map Allow list will become exclusive to that vBridge. It is not possible to set the same host information to a different MAC mapping.
  • It is not possible to set multiple host information with the same MAC address inside the same Map Allow list. E.g., if host information specified with MAC address A and VLAN ID 1 is set in the Map Allow list, it will not be possible to add host information having MAC address A with a VLAN ID different from 1 to that Map Allow list.
Map Deny list
Set the list of hosts which are not mapped with MAC mapping. This is used to exclude specific hosts from mapping when host information set in Map Allow list does not specify any MAC address.
  • Following MAC addresses cannot be set.
    • 0
    • Broadcast address
    • Multi-cast address
  • Unlike the Map Allow list, it is mandatory to specify a MAC address.
  • Map Deny list is evaluated before Map Allow list. If the same host information is specified in both Map Allow list and Map Deny list of the same MAC mapping, that host will not be mapped using the MAC mapping.

If host information with a MAC address and host information without a MAC address are configured in different MAC mappings, the setting that specifies the MAC address is given higher priority. E.g., let us assume that vBridges are configured as shown below.

  • Create vBridge with the name bridge_1 and configure MAC address A and VLAN ID 1 in the allow access list of MAC mapping.
  • Create vBridge with the name bridge_2 and configure VLAN ID 1 in the allow access list of MAC mapping.

Following behavior will be seen in this case.

  • Host with MAC address A, on the VLAN with VLAN ID 1, will be mapped to bridge_1.
  • All hosts with MAC addresses other than A, on the VLAN with VLAN ID 1, will be mapped to bridge_2.

Activation of MAC mapping

Unlike VLAN mapping and other mappings, MAC mapping is not activated just by configuring it. The mapping with a host is activated when a packet sent from the host specified in MAC mapping is detected for the first time. Also, when a broadcast packet is sent towards a MAC mapping, the packet is sent only to the VLANs over the switch ports that have detected a host with which mapping is activated.

E.g., let us assume that a network is configured as shown below.

  • Following hosts are connected to one physical switch.
    • Host with MAC address A is connected to the VLAN over port-1 which has the VLAN ID 10.
    • Host with MAC address B is connected to the VLAN over port-2 which has the VLAN ID 20.
  • MAC mapping is configured on a vBridge with the name bridge_1, and following host information is configured in Map Allow list.
    • MAC address A, VLAN ID 10
    • MAC address B, VLAN ID 20

Here, following will be the behavior if the host with MAC address A sends a broadcast packet.

  1. A broadcast packet with source MAC address A and VLAN ID 10 is detected at the switch port port-1 and is notified to the VTN Manager.
  2. VTN Manager maps the received packet to bridge_1 and mapping is activated between the host having MAC address A and VLAN ID 10.
  3. VTN Manager will try to send the received packet to switch ports that are connected to hosts with which MAC mapping is activated. However, since there are no hosts with which the mapping is activated, except for the host which sent the broadcast packet, the packet is discarded.

After that, following will be the behavior if host with MAC address B sends a broadcast packet.

  1. A broadcast packet with source MAC address B and VLAN ID 20 is detected at the switch port port-2 and is notified to the VTN Manager.
  2. VTN Manager will map the received packet to bridge_1 and mapping is activated between the host having MAC address B and VLAN ID 20.
  3. VTN Manager will try to send the received packet to switch ports that are connected to hosts with which MAC mapping is activated. If we leave out the port which received the packet, only port-1 is connected to a host with which MAC mapping is activated. Therefore, broadcast packet is sent only to port-1.
    • VLAN ID is overwritten to 10.

Once the MAC mapping with the host is activated, the combination of physical switch port, which detected that host, and VLAN ID will be exclusive for that vBridge. In the above mentioned example, following switch port and VLAN ID combinations will be exclusive to bridge_1.

  • Port port-1, VLAN ID 10
  • Port port-2, VLAN ID 20

E.g., in the above case, let us assume that there is a host with MAC address C over the VLAN of port-1 and VLAN ID 10. Here, configure MAC address C and VLAN ID 10 on the Map Allow list of bridge_1, and after that when a packet sent from MAC address C is detected, mapping is activated between the host with MAC address C and bridge_1.

However, if a different vBridge bridge_2 is created, and MAC address C and VLAN ID 10 are configured in the Map Allow list of bridge_2, the mapping with bridge_2 will not be activated even if the packet sent from the host with MAC address C is detected. This is because port port-1 and VLAN ID 10 is exclusive to bridge_1. Therefore, packet sent from MAC address C is discarded.

Further, MAC mapping will not be used for hosts detected over a VLAN which is mapped using Port mapping.

Mapping, activated by MAC mapping, between vBridge and host will be removed at the following instances.

  • When MAC mapping is deleted.
  • When the vBridge on which the MAC mapping is set is deleted.
  • When the VTN that contains the vBridge where MAC mapping is set is deleted.
  • When MAC mapping settings are changed, and the mapped host is removed from the mapping target of MAC mapping.
  • When the switch to which the mapped host is connected is deleted.
  • When switch port to which the mapped host is connected is deleted.
  • When link down is detected at the switch port to which the mapped host is connected.
  • When the switch port to which the mapped host is connected is mapped to virtual interface with Port mapping.

Duplicate settings of VLAN mapping

If a host on which MAC mapping is applied is detected over a VLAN, mapped with VLAN mapping, MAC mapping will be given higher priority.

E.g., let us assume that a network is configured as shown below.

  • Host with MAC address A is connected to the untagged network over physical port port-1 of switch switch-1.
  • Create vBridge with the name bridge_1 and configure MAC mapping.
  • Create vBridge with the name bridge_2 and configure VLAN mapping.
    • Specify 0 in VLAN ID.

Following behavior will be seen in such a case.

  • Untagged packet sent by the host with MAC address A will be mapped using the MAC mapping of bridge_1.
  • Untagged packet sent by hosts with MAC addresses other than A will be mapped using the VLAN mapping of bridge_2.

Limitations

MAC mapping maps the physical network to a vBridge at host level, but a broadcast packet sent towards a MAC mapping is transmitted to the VLAN over the switch port. Therefore, a broadcast packet may be delivered to hosts that are not mapped by the MAC mapping.

E.g., let us assume that a network is configured as shown below.

  • Following hosts are connected to one physical switch.
    • Two hosts with MAC addresses A and B are connected to the untagged network over the port port-1.
    • Host with MAC address C is connected to the untagged network over the port port-2.
  • Configure MAC mapping to vBridge with the name bridge_1.
    • Configure following host information in Map Allow list.
      • VLAN ID 0
    • Configure following host information in Map Deny list.
      • MAC address B, VLAN ID 0

In this case, packets sent by host with MAC address A or C will be mapped to bridge_1 but packets sent by host with MAC address B will not be mapped to bridge_1. Also, if untagged unicast packets with the destination MAC address B are detected, they will be discarded.

However, if the host with MAC address C sends a broadcast packet, it will be forwarded to the untagged network over port-1, and the broadcast packet will be delivered to the host with MAC address B as well.
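The activation walk-through and the broadcast limitation above can be reproduced with a small state model. This Python sketch is an added example, not VTN Manager code: the class and function names are hypothetical, the host labels A, B and C are the constructed ones from the text, and it assumes the ingress port is excluded from broadcast output as in the walk-through.

```python
ANY = None  # Map Allow list entry without a MAC address


class MacMapModel:
    """One physical switch; each vBridge carries at most one MAC mapping."""

    def __init__(self):
        self.maps = {}    # bridge -> {"allow": {(mac|ANY, vlan)}, "deny": {(mac, vlan)}}
        self.active = {}  # mac -> (bridge, port, vlan) for activated hosts
        self.owner = {}   # (port, vlan) -> bridge that owns this network exclusively

    def configure(self, bridge, allow, deny=()):
        if any(mac is ANY for mac, _ in deny):
            raise ValueError("Map Deny list entries must specify a MAC address")
        self.maps[bridge] = {"allow": set(allow), "deny": set(deny)}

    def target_bridge(self, mac, vlan):
        # Entries naming the MAC win over VLAN-only entries; each mapping's
        # Map Deny list is checked before its Map Allow list.
        for wanted in ((mac, vlan), (ANY, vlan)):
            for bridge, m in self.maps.items():
                if (mac, vlan) not in m["deny"] and wanted in m["allow"]:
                    return bridge
        return None

    def broadcast_from(self, mac, port, vlan):
        """Return (bridge, output networks) or None when the frame is discarded."""
        bridge = self.target_bridge(mac, vlan)
        if bridge is None:
            return None                      # host is not a MAC mapping target
        if self.owner.setdefault((port, vlan), bridge) != bridge:
            return None                      # network already exclusive to another vBridge
        self.active[mac] = (bridge, port, vlan)   # activated by the first detected packet
        # Output goes to the (port, VLAN) networks of activated hosts, not to hosts.
        out = {(p, v) for b, p, v in self.active.values() if b == bridge and p != port}
        return bridge, sorted(out)


def hosts_reached(attached, networks):
    """MACs physically attached to the (port, VLAN) networks a frame was sent to."""
    return sorted(mac for mac, net in attached.items() if net in networks)


def activation_walkthrough():
    m = MacMapModel()
    m.configure("bridge_1", allow={("A", 10), ("B", 20)})
    first = m.broadcast_from("A", "port-1", 10)   # nobody else activated yet
    second = m.broadcast_from("B", "port-2", 20)  # sent to port-1 with VLAN ID 10
    m.configure("bridge_2", allow={("C", 10)})
    third = m.broadcast_from("C", "port-1", 10)   # port-1/VLAN 10 belongs to bridge_1
    return first, second, third


def limitation_walkthrough():
    attached = {"A": ("port-1", 0), "B": ("port-1", 0), "C": ("port-2", 0)}
    m = MacMapModel()
    m.configure("bridge_1", allow={(ANY, 0)}, deny={("B", 0)})
    m.broadcast_from("A", "port-1", 0)            # activates A on port-1
    _, nets = m.broadcast_from("C", "port-2", 0)
    reached = hosts_reached(attached, nets)
    # Hosts that receive the frame although no MAC mapping covers them.
    leaked = [h for h in reached if m.target_bridge(h, attached[h][1]) is None]
    return nets, reached, leaked


if __name__ == "__main__":
    print(activation_walkthrough())
    print(limitation_walkthrough())
```

The second walk-through reports host B as reached even though it is in the Map Deny list, which is why a Map Deny entry should not be relied on to keep broadcast traffic away from a host that shares a port and VLAN with mapped hosts.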

MAC address table

Each vBridge owns a MAC address table to learn MAC addresses detected in the vBridge. The following information is stored in the MAC address table when an input is detected from the physical network mapped to the vBridge.

  • Source MAC address of ethernet frame.
  • Port of the physical switch that received ethernet frame.
  • VLAN ID inside the ethernet frame.

Further, if source MAC address information of ethernet frame is registered in the MAC address table, and the physical switch port that received the ethernet frame and VLAN ID is different from the information in MAC address table, then the information inside MAC address table is updated to the information of the received ethernet frame.

If a unicast packet is sent to vBridge and that packet is notified to OpenFlow controller, then the VTN Manager checks whether the destination MAC address is registered in the MAC address table. Following flow entries are configured on the related physical switches only when it is found in the MAC address table.

  • VLAN ID inside ethernet frame is overwritten with the VLAN ID stored inside the MAC address table.
  • Route to port of the physical switch, which is stored inside MAC address table, is configured on each switch.

If the destination MAC address is not found in the MAC address table, then this ethernet frame is sent to all the physical networks mapped to vBridge.

Only destination MAC address is used as the search key while searching inside MAC address table. Thus, it is necessary to configure vBridge in such a manner that ethernet frames that have the same MAC address as the source address and different VLAN IDs configured do not flow to the same vBridge.

For example, let us assume that the following vBridge and network devices are configured.

  • Create a vBridge with the name bridge_1 and map VLAN ID 1 and 2 by using VLAN mapping.
  • Configure A:1 and A:2 alias for network interface of host having the MAC address A, and allocate VLAN ID 1 and 2 to each of the aliases.

If the above configurations are done, then ethernet frames that have the source MAC address A and different VLAN IDs will be treated as an input of bridge_1.

  • When a packet is sent from alias A:1, then an ethernet frame that has source MAC address as A and VLAN ID 1 will be input to bridge_1.
  • When a packet is sent from alias A:2, then an ethernet frame that has source MAC address as A and VLAN ID 2 will be input to bridge_1.

Configuring vBridges in the above manner results in undefined behavior.

MAC address aging

The VTN Manager periodically carries out the MAC address aging process against MAC addresses stored in the MAC address table. If a MAC address inside the MAC address table has not been referenced since the last aging process, then that MAC address information is deleted from the MAC address table.

The interval of MAC address aging is configurable per vBridge. The default aging interval is 600 seconds. That is, with the default settings, MAC address information in the MAC address table that is no longer referenced will be deleted no sooner than 600 seconds and no later than 1200 seconds.

vTerminal

vTerminal is an isolated input and output terminal inside VTN. vTerminal can have only one virtual interface, and it can map a physical switch port by port mapping.

vTerminal is always used in conjunction with redirection by flow filter.

  • An incoming packet from the virtual interface inside the vTerminal is always dropped unless it is redirected to other virtual node by flow filter.
  • A packet is never routed to the virtual interface inside the vTerminal unless flow filter redirects the packet to that interface.

vTerminal status

vTerminal can have the following internal status.

UNKNOWN
This shows the state wherein physical network is not mapped to vTerminal. vTerminal status will be UNKNOWN if any of the following conditions are met.
DOWN
This shows the state wherein the physical network mapped to vTerminal is not operating correctly. If an enabled virtual interface inside vTerminal is in DOWN state, then vTerminal status will be DOWN.
UP
This shows the state wherein the physical network mapped to the vTerminal is operating correctly.

Virtual interface

Virtual interface shows the input and output interface that could be set in virtual node of VTN. At this point in time, it is possible to set virtual interface to vBridge and vTerminal.

It is possible to dynamically enable or disable virtual interface. If a virtual interface is disabled, then all the inputs from that virtual interface will be ignored. Also, there will be no output against that virtual interface.

Virtual interface status

Virtual interface can have the following internal status.

UNKNOWN
This is a state wherein other network elements are not mapped to virtual interface.
DOWN
This is a state wherein the network elements mapped to virtual interface are not operating. It will be in DOWN state even when the virtual interface is disabled.
UP
This is a state wherein the network elements mapped to virtual interface are operating.

vBridge interface status

Status of the virtual interface configured in vBridge is decided as follows.

  • If the virtual interface is disabled, then interface state will be DOWN unconditionally.
    • However, state of the disabled virtual interface will not affect the status of vBridge to which that interface belongs.
  • Status of the enabled virtual interface is decided on the following basis.
    • It will be UNKNOWN state when port mapping is not configured in the virtual interface.
    • It will be DOWN when port of the physical switch mapped by port mapping meets any of the following conditions.
      • Port of the physical switch is not operating.
      • Port of the physical switch is connected to another physical switch.
    • It will be in UP state when port of physical switch mapped by port mapping is operating.

vTerminal interface status

Status of the virtual interface configured in vTerminal is decided in the same way as the vBridge interface status.

Port mapping

Port mapping functionality is used to map port of physical switch to virtual interface of vBridge. Only one port mapping can be set for one virtual interface. If you want to map ports of multiple physical switches to one vBridge, then it is necessary to create multiple virtual interfaces in the vBridge and configure port mapping against each virtual interface.

While configuring port mapping, specify a pair of physical switch port and VLAN ID that is to be mapped.

  • If 0 is set as VLAN ID, then the ethernet frames that have no VLAN tag get mapped to vBridge interface.
    • If the specified port of the physical switch receives an ethernet frame that does not have VLAN tag, then it will be treated as an input against this vBridge interface.
    • VLAN tag is removed when ethernet frame is output to this vBridge interface.
  • If a value greater than 0 and less than 4096 is specified as VLAN ID, then ethernet frames that have the same VLAN ID inside the VLAN tag get mapped to this vBridge interface.
    • If the specified port of the physical switch receives an ethernet frame that has this VLAN ID set inside the VLAN tag, then it is treated as an input against this vBridge interface.
    • VLAN tag is added and the corresponding VLAN ID is configured when ethernet frame is output to this vBridge interface.

Please note the following caution while configuring port mapping.

  • Combination of the physical switch port and VLAN ID (including 0) that was specified during port mapping, will be exclusive to that vBridge interface. It is not possible to map the combination of physical switch port and VLAN ID to another vBridge interface if it has been already mapped to a vBridge interface.
  • Input and output against the internal ports (ports that are connected to another switch) of a switch will not be managed by port mapping.
    • If the internal port of switch is mapped to virtual interface with port mapping, then that interface will be in DOWN state and there will be no input and output of ethernet frame.

Duplicate setting of VLAN mapping

Port mapping settings will be given higher priority if the same VLAN network, which was set in port mapping, is mapped to another vBridge using VLAN mapping.

For example, let us assume that two vBridges with the names bridge_1 and bridge_2 are configured as shown below.

  • Configure port mapping in bridge_1
    • Specify physical port port-1 of switch switch-1.
    • Specify 10 in VLAN ID.
  • Configure VLAN mapping in bridge_2
    • Do not specify a physical switch.
    • Specify 10 in VLAN ID.

In this case, the behavior will be as follows.

  • If the physical port port-1 of switch switch-1 receives an ethernet frame with VLAN ID 10, then that ethernet frame is treated as an input against bridge_1.
    • It is never treated as input against bridge_2.
  • If any port, except for the physical port port-1 of switch switch-1, receives an ethernet frame with VLAN ID 10, then that ethernet frame is treated as an input against bridge_2.

Duplicate setting of MAC mapping

If a host set in MAC mapping is detected over VLAN network set in Port mapping, Port mapping settings will be prioritized. If MAC mapping is already activated with the host connected to this VLAN network, all MAC mappings will get deactivated.

E.g., let us assume that a network is configured as shown below.

  • Host with MAC address A is connected to untagged network over physical port port-1 of switch switch-1.
  • Create vBridge with the name bridge_1 and configure MAC mapping.

Then create the following vBridge.

  • Create vBridge with the name bridge_2 and configure Port mapping.
    • Specify physical port port-1 of switch switch-1
    • Specify 0 in VLAN ID.

The following behavior will be seen in this case.

  • When the Port mapping of bridge_2 is set, all the MAC mappings activated on the untagged network over physical port port-1 of switch switch-1 will get deactivated.
  • Packets sent by host with MAC address A will be mapped according to the Port mapping on bridge_2.
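The precedence rules spread over the VLAN mapping, MAC mapping and Port mapping sections (Port mapping first, then MAC mapping, then VLAN mapping) can be collected in one classifier. This Python model is an added example, not VTN Manager code: all class and function names are hypothetical, and it is stateless, so it does not model MAC mapping activation, the per-port exclusivity an activated mapping acquires, or internal ports.

```python
from dataclasses import dataclass, field
from typing import Optional

ANY = None  # "not specified": any switch (VLAN mapping) or any MAC (Map Allow list)


@dataclass(frozen=True)
class PortMap:
    bridge: str
    switch: str
    port: str
    vlan: int                      # 0 means untagged


@dataclass(frozen=True)
class VlanMap:
    bridge: str
    vlan: int
    switch: Optional[str] = ANY


@dataclass
class MacMap:
    bridge: str
    allow: set = field(default_factory=set)   # {(mac or ANY, vlan)}
    deny: set = field(default_factory=set)    # {(mac, vlan)}


@dataclass
class Config:
    port_maps: list = field(default_factory=list)
    mac_maps: list = field(default_factory=list)
    vlan_maps: list = field(default_factory=list)


def classify(cfg, switch, port, vlan, src_mac):
    """Return (bridge, mapping kind) for a frame seen on an edge port, or None."""
    if not 0 <= vlan <= 4095:
        raise ValueError("VLAN ID must be 0 (untagged) or 1..4095")

    # 1. Port mapping owns its (switch port, VLAN ID) pair and beats everything else.
    for pm in cfg.port_maps:
        if (pm.switch, pm.port, pm.vlan) == (switch, port, vlan):
            return pm.bridge, "port"

    # 2. MAC mapping: entries naming the MAC beat VLAN-only entries, and each
    #    mapping's Map Deny list is checked before its Map Allow list.
    for wanted in ((src_mac, vlan), (ANY, vlan)):
        for mm in cfg.mac_maps:
            if (src_mac, vlan) not in mm.deny and wanted in mm.allow:
                return mm.bridge, "mac"

    # 3. VLAN mapping: a mapping that names the switch beats one that does not.
    for wanted_switch in (switch, ANY):
        for vm in cfg.vlan_maps:
            if vm.vlan == vlan and vm.switch == wanted_switch:
                return vm.bridge, "vlan"

    return None  # frame is not mapped to any vBridge


if __name__ == "__main__":
    # Constructed sample: MAC addresses and names are placeholders.
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    cfg = Config(
        port_maps=[PortMap("bridge_3", "switch-1", "port-1", 0)],
        mac_maps=[MacMap("bridge_1", allow={(host_a, 0)})],
        vlan_maps=[VlanMap("bridge_2", 0)],
    )
    for frame in [("switch-1", "port-1", 0, host_a),   # port mapping wins
                  ("switch-1", "port-2", 0, host_a),   # MAC mapping wins
                  ("switch-1", "port-2", 0, host_b)]:  # falls through to VLAN mapping
        print(frame, "->", classify(cfg, *frame))
```

Running a planned configuration through such a model before applying it shows which tenant bridge a given host would land in when mappings overlap.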

Flow Condition

A flow condition is a named list of flow match conditions, and it is used to select packets. Each flow match condition must have a match index, which is a unique index in a flow condition. When a flow condition tests a packet, flow match conditions in the flow condition are evaluated in ascending order of match indices. A packet is selected if at least one flow match condition matches the packet.

Flow conditions are shared with all the VTNs.

Flow Filter

Flow filter provides packet filtering feature for packets forwarded in VTN. Flow filter can not only filter out the specified packets but also modify the specified packets.

Each flow filter must specify a flow condition by name. If a packet matches the condition described by the flow condition in a flow filter, then the actions configured in the same flow filter are applied to that packet.

Type of flow filter

There are three types of flow filter as follows.

PASS
Let the packet through the virtual node if the packet matches the flow condition configured in a flow filter. This type of flow filter can be used to modify the specified packets.
DROP
Discard the packet if the packet matches the flow condition configured in a flow filter.
REDIRECT
Forward the packet to another virtual interface in the same VTN if the packet matches the flow condition configured in a flow filter. This type of flow filter also can modify the matched packet. See description about packet redirection for more details.

Flow action list

Flow action list is a list of rules to modify packet.

  • When a PASS or a REDIRECT flow filter is applied to a packet, flow actions configured in the same flow filter are applied to the packet in order.
  • Although a DROP flow filter can have flow actions, they are always ignored.

Note that modification done by flow actions in a flow filter is visible to succeeding evaluation of flow filters.

Place to configure flow filter

One or more flow filters can be configured in a virtual node in VTN as a list, and the list is evaluated when a packet is forwarded to the virtual node. Each flow filter has a unique index in the list. Flow filters are evaluated in ascending order of indices, and only the first matched flow filter is applied to the packet. If no flow filter in the list matches the packet, then the VTN Manager lets the packet through the virtual node without modifying the packet.

Flow filter can be configured in the following places.

VTN

Flow filters in this list are evaluated when an incoming packet is mapped to the VTN. Note that the VTN flow filter list is evaluated only once before other flow filter lists are evaluated.

vBridge (input)

Flow filters in this list are evaluated when a packet is forwarded to the specified vBridge. This list is evaluated at the following instances.

  • When a packet is forwarded from the virtual interface to the vBridge.
  • When an incoming packet is mapped to the vBridge by VLAN mapping or MAC mapping.

vBridge (output)

Flow filters in this list are evaluated when a packet is going to be transmitted to the physical network mapped to the vBridge by VLAN mapping or MAC mapping. Note that this list is not evaluated when a packet is forwarded to the virtual interface in the same vBridge.

vBridge interface (input)

Flow filters in this list are evaluated when a packet is forwarded to the specified virtual interface in the vBridge. This list is evaluated at the following instances.

  • When an incoming packet is mapped to the vBridge interface by port mapping.
  • When a packet is redirected by another flow filter to the vBridge interface as an incoming packet.

vBridge interface (output)

Flow filters in this list are evaluated when a packet is going to be transmitted to the physical network mapped to the virtual interface in the vBridge. This list is evaluated at the following instances.

  • When a packet is forwarded from the vBridge to the virtual interface.
  • When a packet is redirected by another flow filter to the vBridge interface as an outgoing packet.

vTerminal interface (input)

Flow filters in this list are evaluated when a packet is forwarded to the specified virtual interface in the vTerminal. This list is evaluated at the following instances.

  • When an incoming packet is mapped to the vTerminal interface by port mapping.
  • When a packet is redirected by another flow filter to the vTerminal interface as an incoming packet.

vTerminal is an isolated input/output terminal. So an incoming packet is always discarded unless it is redirected to another virtual interface by the flow filter.

vTerminal interface (output)

Flow filters in this list are evaluated when a packet is going to be transmitted to the physical network mapped to the virtual interface in the vTerminal.

This list is evaluated only when a packet is redirected by another flow filter to the vTerminal interface as an outgoing packet.

Packet redirection

A REDIRECT flow filter forwards the packet to another virtual interface in the same VTN. A REDIRECT flow filter has the following configurations.

Destination virtual interface

The location of the destination virtual interface must be configured in every REDIRECT flow filter.

  • Self-redirection (specifying the virtual interface that contains the REDIRECT flow filter itself as the destination) is always forbidden.
  • If the specified destination node does not exist, every packet that matches that REDIRECT flow filter will be discarded.

Direction

Every REDIRECT flow filter must choose the direction of the packet redirection, input or output.

  • input means that a redirected packet should be treated as an incoming packet as if it is forwarded or mapped to the specified virtual interface.

    A list of flow filters for incoming packets configured in the destination virtual interface is evaluated against the redirected packet. If the flow filter passes the packet, the packet is forwarded to the virtual node which contains the destination virtual interface.

    • If the destination virtual interface is attached to the vBridge, then the packet is routed according to the vBridge configuration. Note that the source MAC address of the redirected packet is never learned into the MAC address table in the vBridge.
    • If the destination virtual interface is attached to the vTerminal, then the packet is always discarded. In other words, the packet is always discarded unless the packet is redirected to another interface by the flow filter configured in the destination virtual interface.

  • output means that a redirected packet should be treated as an outgoing packet as if it is going to be transmitted to the physical network mapped to the specified virtual interface.

    A list of flow filters for outgoing packets configured in the destination virtual interface is evaluated against the redirected packet. If the flow filter passes the packet, the packet is transmitted to the physical network mapped to the virtual interface by port mapping. Note that the packet is discarded if the port mapping is not configured in the virtual interface.

Packet loop detection

REDIRECT flow filters should be configured so that they do not cause a packet loop. The number of virtual node hops per flow (the number of packet redirections per flow) is limited to 100. If the number of virtual node hops exceeds the limit, it is treated as a packet loop and the packet is discarded.

Limitations

Applications for setting flow entry

The VTN Manager cannot successfully build an isolated virtual network environment if another application that sets flow entries on switches is running, because those flow entries might be inconsistent with the flow entries set by the VTN Manager.

Limitations on flow filter

Broadcast/Multicast packet

Flow filters basically apply only to unicast packets. Broadcast and multicast packets are ignored by every flow filter except DROP flow filters.

For example, when a broadcast packet is mapped to the VTN, the flow filters in the VTN flow filter list are evaluated as follows.

  • A flow filter is ignored if its type is PASS or REDIRECT.
  • A flow filter is evaluated if its type is DROP. If the broadcast packet matches that flow filter, then the packet is discarded.

If a unicast packet is mapped to the vBridge and its destination MAC address is not learned in the vBridge, the packet is broadcast to all physical network elements mapped to the vBridge. In that case all REDIRECT flow filters configured in the vBridge and vBridge interface for outgoing packets are ignored.

Self-originated packet

Flow filters never affect packets originated by the VTN Manager.

Packet sent to the controller

Flow filters never affect packets sent to the controller. If the destination MAC address of the packet is equal to the controller's MAC address, the VTN Manager ignores all flow filters.

Fragmented layer 4 packet

A flow condition which specifies layer 4 protocol header fields (e.g. TCP/UDP port, ICMP type and code) never matches fragments of a layer 4 packet except the first fragment, because the layer 4 protocol header is present only in the first fragment. If a flow filter is configured with such a flow condition, it will never be applied to fragments of a layer 4 packet except the first fragment.
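The evaluation order of a flow filter list and the limitations listed above interact, so a DROP filter keyed on a TCP port does not cover every packet an operator might expect. This Python model of a single flow filter list is an added example, not VTN Manager code: the names, the packet fields and the sample policy are hypothetical, and a filter that names an undefined flow condition is assumed never to match.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

L4_FIELDS = {"src_port", "dst_port", "icmp_type", "icmp_code"}


@dataclass(frozen=True)
class Packet:
    dst_mac: str
    ip_proto: Optional[str] = None
    dst_port: Optional[int] = None   # None when the layer 4 header is absent
    frag_offset: int = 0             # > 0 means a non-first IP fragment
    dscp: int = 0


@dataclass
class FlowFilter:
    index: int
    condition: str                   # flow condition name
    kind: str                        # "PASS", "DROP" or "REDIRECT"
    actions: dict = field(default_factory=dict)   # packet field -> new value


def is_group_address(mac):
    # Broadcast and multicast MACs have the lowest bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1


def match_one(match, pkt):
    if pkt.frag_offset > 0 and L4_FIELDS & match.keys():
        return False                 # later fragments carry no layer 4 header
    return all(getattr(pkt, k, None) == v for k, v in match.items())


def condition_selects(cond, pkt):
    # cond maps match index -> match; one matching entry selects the packet.
    return any(match_one(cond[i], pkt) for i in sorted(cond))


def evaluate(filters, conditions, pkt, controller_mac):
    """Return (verdict, packet) after evaluating one flow filter list."""
    if pkt.dst_mac == controller_mac:
        return "PASS", pkt           # packets sent to the controller bypass all filters
    group = is_group_address(pkt.dst_mac)
    for f in sorted(filters, key=lambda f: f.index):
        if group and f.kind != "DROP":
            continue                 # broadcast/multicast: only DROP filters are evaluated
        cond = conditions.get(f.condition)   # assumption: unknown name never matches
        if cond is None or not condition_selects(cond, pkt):
            continue
        if f.kind == "DROP":
            return "DROP", pkt       # actions on a DROP filter are ignored
        return f.kind, replace(pkt, **f.actions)   # first match only
    return "PASS", pkt               # no filter matched: pass unmodified


def sample_policy():
    # Constructed policy: drop telnet, mark all other TCP traffic.
    conditions = {
        "telnet": {1: {"ip_proto": "tcp", "dst_port": 23}},
        "all_tcp": {1: {"ip_proto": "tcp"}},
    }
    filters = [
        FlowFilter(20, "all_tcp", "PASS", {"dscp": 46}),
        FlowFilter(10, "telnet", "DROP", {"dscp": 8}),
    ]
    return filters, conditions


if __name__ == "__main__":
    filters, conditions = sample_policy()
    ctrl = "00:00:5e:00:53:ff"       # constructed controller MAC
    host = "00:00:5e:00:53:01"       # constructed unicast destination
    for pkt in [Packet(host, "tcp", 23),
                Packet(host, "tcp", None, frag_offset=185),
                Packet("ff:ff:ff:ff:ff:ff", "tcp", 80),
                Packet(ctrl, "tcp", 23)]:
        print(pkt, "->", evaluate(filters, conditions, pkt, ctrl))
```

The second sample packet, a non-first fragment, is passed by the layer 3 filter at index 20 because the telnet DROP condition cannot see a port, so a policy that must also stop fragments needs a condition on fields present in every fragment.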

Copyright © 2018 OpenDaylight. All rights reserved.