git.proxmox.com Git - ovs.git/blob - Documentation/faq/ovn.rst
faq: Add Q&A for applying patches from email.
..
      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

      Convention for heading levels in Open vSwitch documentation:

      =======  Heading 0 (reserved for the title in a document)
      -------  Heading 1
      ~~~~~~~  Heading 2
      +++++++  Heading 3
      '''''''  Heading 4

      Avoid deeper levels because they do not render well.

===
OVN
===

Q: Why does OVN use STT and Geneve instead of VLANs or VXLAN (or GRE)?

    A: OVN implements a fairly sophisticated packet processing pipeline in
    "logical datapaths" that can implement switching or routing functionality.
    A logical datapath has an ingress pipeline and an egress pipeline, and each
    of these pipelines can include logic based on packet fields as well as
    packet metadata such as the logical ingress and egress ports (the latter
    only in the egress pipeline).

    The processing for a logical datapath can be split across hypervisors. In
    particular, when a logical ingress pipeline executes an "output" action,
    OVN passes the packet to the egress pipeline on the hypervisor (or, in the
    case of output to a logical multicast group, hypervisors) on which the
    logical egress port is located. If this hypervisor is not the same as the
    ingress hypervisor, then the packet has to be transmitted across a physical
    network.

    This situation is where tunneling comes in. To send the packet to another
    hypervisor, OVN encapsulates it with a tunnel protocol and sends the
    encapsulated packet across the physical network. When the remote
    hypervisor receives the tunnel packet, it decapsulates it and passes it
    through the logical egress pipeline. To do so, it also needs the metadata,
    that is, the logical ingress and egress ports.

    Thus, to implement OVN logical packet processing, at least the following
    metadata must pass across the physical network:

    * Logical datapath ID, a 24-bit identifier. In Geneve, OVN uses the VNI to
      hold the logical datapath ID; in STT, OVN uses 24 bits of STT's 64-bit
      context ID.

    * Logical ingress port, a 15-bit identifier. In Geneve, OVN uses an option
      to hold the logical ingress port; in STT, 15 bits of the context ID.

    * Logical egress port, a 16-bit identifier. In Geneve, OVN uses an option
      to hold the logical egress port; in STT, 16 bits of the context ID.

    See ``ovn-architecture(7)``, under "Tunnel Encapsulations", for details.

    Together, these metadata require 24 + 15 + 16 = 55 bits. GRE provides 32
    bits, VXLAN provides 24, and VLAN only provides 12. Most notably, if
    logical egress pipelines do not match on the logical ingress port, thereby
    restricting the class of ACLs available to users, then this eliminates 15
    bits, bringing the requirement down to 40 bits. At this point, one can
    choose to limit the size of the OVN logical network in various ways, e.g.:

    * 16 bits of logical datapaths + 16 bits of logical egress ports. This
      combination fits within a 32-bit GRE tunnel key.

    * 12 bits of logical datapaths + 12 bits of logical egress ports. This
      combination fits within a 24-bit VXLAN VNI.

    * It's difficult to identify an acceptable compromise for a VLAN-based
      deployment.

    These compromises wouldn't suit every site, since some deployments
    may need to allocate more bits to the datapath or egress port
    identifiers.

    As a side note, OVN does support VXLAN for use with ASIC-based top of rack
    switches, using ``ovn-controller-vtep(8)`` and the OVSDB VTEP schema
    described in ``vtep(5)``, but this limits the features available from OVN
    to the subset available from the VTEP schema.
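The bit budget from the answer above, worked through as an added example (not code from OVN or from this FAQ). The field widths and key sizes are the ones the answer gives; the MSB-first field order and the names ``pack``, ``unpack`` and ``carriers`` are assumptions made for illustration and are not OVN's wire layout, and Geneve is left out of the table because it splits the metadata between the VNI and an option rather than using one key.

```python
# Added example: widths are taken from the FAQ text; the field order inside a
# key is an illustrative assumption, not the layout OVN puts on the wire.
FULL = (("datapath", 24), ("ingress_port", 15), ("egress_port", 16))
GRE_COMPROMISE = (("datapath", 16), ("egress_port", 16))
VXLAN_COMPROMISE = (("datapath", 12), ("egress_port", 12))
KEY_BITS = {"STT context ID": 64, "GRE key": 32, "VXLAN VNI": 24, "VLAN ID": 12}


def bits_needed(layout):
    return sum(width for _, width in layout)


def carriers(layout):
    """Names of the single tunnel keys wide enough to hold the whole layout."""
    need = bits_needed(layout)
    return [name for name, bits in KEY_BITS.items() if bits >= need]


def pack(layout, key_bits, **values):
    """Pack fields MSB-first into one key; refuse anything that does not fit."""
    if bits_needed(layout) > key_bits:
        raise ValueError(f"layout needs {bits_needed(layout)} bits, key has {key_bits}")
    key = 0
    for name, width in layout:
        value = values[name]
        if not 0 <= value < (1 << width):
            # Masking here instead would alias two logical datapaths or ports.
            raise ValueError(f"{name}={value:#x} does not fit in {width} bits")
        key = (key << width) | value
    return key


def unpack(layout, key):
    """Inverse of pack(): split a key back into its named fields."""
    fields = {}
    for name, width in reversed(layout):
        fields[name] = key & ((1 << width) - 1)
        key >>= width
    return fields


if __name__ == "__main__":
    for label, layout in (("full", FULL), ("GRE", GRE_COMPROMISE), ("VXLAN", VXLAN_COMPROMISE)):
        print(label, bits_needed(layout), "bits ->", carriers(layout))
    key = pack(GRE_COMPROMISE, 32, datapath=0x00AB, egress_port=0x0102)
    print(hex(key), unpack(GRE_COMPROMISE, key))
```

Rejecting an out-of-range identifier rather than masking it matters for isolation: under the 16-bit compromise, two datapath IDs that differ only above bit 15 would otherwise share a tunnel key.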