OVS Faucet Tutorial筆記（下）

官方文檔：

OVS Faucet Tutorial

5、Routing

Faucet Router 通過控制器模擬三層網關，提供 ARP 應答、路由轉發功能。

5.1 控制器配置

5.1.1 編輯控制器yaml文件，增加router配置

root@server1:~/faucet/inst# vi faucet.yaml
dps:switch-1:dp_id: 0x1timeout: 8000arp_neighbor_timeout: 3600interfaces:1:native_vlan: 1002:native_vlan: 1003:native_vlan: 1004:native_vlan: 2005:native_vlan: 200
vlans:100:faucet_vips: ["10.100.0.254/24"]200:faucet_vips: ["10.200.0.254/24"]
routers:router-1:vlans: [100, 200]

配置了兩個 VLAN，并為每個 VLAN 指定了一個虛擬網關地址（faucet_vips），用于三層路由。

這意味著 Faucet 會在每個 VLAN 上充當默認網關：

VLAN 100 的主機默認網關是 10.100.0.254

VLAN 200 的主機默認網關是 10.200.0.254

定義了一個邏輯路由器 router-1，連接 VLAN 100 和 VLAN 200。

這啟用了 VLAN 間的三層互聯（即路由），比如 VLAN 100 的主機可以訪問 VLAN 200。

5.1.2 進入ovs沙箱

root@server1:~/ovs# tutorial/ovs-sandbox

5.1.3?開啟實時日志查看

開啟tail -f實時查看faucet、ovs的日志輸出：

1、開啟實時ovs log:
開新窗口1，/root/ovs/sandbox目錄下，執行：
root@server1:~/ovs/sandbox# echo -n > ovs-vswitchd.log
root@server1:~/ovs/sandbox# tail -f ovs-vswitchd.log | grep -v -e "OFPT_ECHO_REQUEST" -e "OFPT_ECHO_REPLY"2、開啟實時faucet log:
開新窗口2，/root/faucet/inst目錄下，執行：
root@server1:~/faucet/inst# echo -n > faucet.log
root@server1:~/faucet/inst# tail -f faucet.log另外，為了方便查看日志，可以在執行每個命令之前，在log窗口輸入文本提示用來分隔輸出內容，比如：
>>docker restart faucet......................

5.1.4?重啟控制器

Faucet 重新加載其配置：

root@server1:~/faucet/inst# docker exec faucet pkill -HUP -f faucet.faucet

或者

root@server1:~/faucet/inst# docker restart faucet
faucet

faucet log?

>>docker restart faucet......................
Jun 08 22:20:57 faucet INFO     version 1.10.11
Jun 08 22:20:57 faucet INFO     Reloading configuration
Jun 08 22:20:57 faucet INFO     configuration /etc/faucet/faucet.yaml changed, analyzing differences
Jun 08 22:20:57 faucet INFO     Add new datapath DPID 1 (0x1)
Jun 08 22:20:57 faucet.valve INFO     DPID 1 (0x1) switch-1 IPv4 routing is active on VLAN 100 vid:100 untagged: Port 1,Port 2,Port 3 with VIPs ['10.100.0.254/24']
Jun 08 22:20:57 faucet.valve INFO     DPID 1 (0x1) switch-1 IPv4 routing is active on VLAN 200 vid:200 untagged: Port 4,Port 5 with VIPs ['10.200.0.254/24']

5.1.5?創建ovs-sandbox bridge，連接控制器

ovs-sandbox創建的ovs bridge，每次重啟，都需要重新建立。

如果需要，重新創建ovs bridge:

ovs-vsctl add-br br0 \
? ? ? ? ?-- set bridge br0 other-config:datapath-id=0000000000000001 \
? ? ? ? ?-- add-port br0 p1 -- set interface p1 ofport_request=1 \
? ? ? ? ?-- add-port br0 p2 -- set interface p2 ofport_request=2 \
? ? ? ? ?-- add-port br0 p3 -- set interface p3 ofport_request=3 \
? ? ? ? ?-- add-port br0 p4 -- set interface p4 ofport_request=4 \
? ? ? ? ?-- add-port br0 p5 -- set interface p5 ofport_request=5 \
? ? ? ? ?-- set-controller br0 tcp:127.0.0.1:6653 \
? ? ? ? ?-- set controller br0 connection-mode=out-of-band

1、進入ovs-sandbox，創建ovs bridge, br0root@server1:~/ovs# ovs-vsctl add-br br0 \
>          -- set bridge br0 other-config:datapath-id=0000000000000001 \
>          -- add-port br0 p1 -- set interface p1 ofport_request=1 \
>          -- add-port br0 p2 -- set interface p2 ofport_request=2 \
>          -- add-port br0 p3 -- set interface p3 ofport_request=3 \
>          -- add-port br0 p4 -- set interface p4 ofport_request=4 \
>          -- add-port br0 p5 -- set interface p5 ofport_request=5 \
>          -- set-controller br0 tcp:127.0.0.1:6653 \
>          -- set controller br0 connection-mode=out-of-band2、輸入簡化格式命令：
dump-flows () {ovs-ofctl -OOpenFlow13 --names --no-stat dump-flows "$@" \| sed 's/cookie=0x5adc15c0, //'
}save-flows () {ovs-ofctl -OOpenFlow13 --no-names --sort dump-flows "$@"
}diff-flows () {ovs-ofctl -OOpenFlow13 diff-flows "$@" | sed 's/cookie=0x5adc15c0 //'
}

ovs bridge創建成功，并成功連接控制器，控制器會下發相應的流表。?

faucet log

>>ovs-vsctl addbr br0 ...................... 
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 port desc stats
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 delta in up state: set() => {1, 2, 3, 4, 5, 4294967294}
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 1 fabricating ADD status True
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 status change: Port 1 up status True reason ADD state 0
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 1 (1) up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 100 vid:100 untagged: Port 1,Port 2,Port 3
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 2 fabricating ADD status True
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 status change: Port 2 up status True reason ADD state 0
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 2 (2) up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 100 vid:100 untagged: Port 1,Port 2,Port 3
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 3 fabricating ADD status True
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 status change: Port 3 up status True reason ADD state 0
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 3 (3) up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 100 vid:100 untagged: Port 1,Port 2,Port 3
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 4 fabricating ADD status True
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 status change: Port 4 up status True reason ADD state 0
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 4 (4) up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 200 vid:200 untagged: Port 4,Port 5
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 5 fabricating ADD status True
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 status change: Port 5 up status True reason ADD state 0
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 5 (5) up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 200 vid:200 untagged: Port 4,Port 5
Jun 08 22:24:51 faucet.valve ERROR    DPID 1 (0x1) switch-1 send_flow_msgs: DP not up
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Cold start configuring DP
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 1 (1) configured
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 2 (2) configured
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 3 (3) configured
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 4 (4) configured
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Port 5 (5) configured
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 100 vid:100 untagged: Port 1,Port 2,Port 3
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 200 vid:200 untagged: Port 4,Port 5
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 table ID 0 table config match_types: (('eth_dst', True), ('eth_type', False), ('in_port', False), ('vlan_vid', False)) name: vlan next_tables: ['eth_src'] output: True set_fields: ('vlan_vid',) size: 32 vlan_port_scale: 3
table ID 1 table config match_types: (('eth_dst', True), ('eth_src', False), ('eth_type', False), ('in_port', False), ('vlan_vid', False)) miss_goto: eth_dst name: eth_src next_tables: ['ipv4_fib', 'vip', 'eth_dst', 'flood'] output: True set_fields: ('vlan_vid', 'eth_dst') size: 64 table_id: 1 vlan_port_scale: 4.1
table ID 2 table config dec_ttl: True match_types: (('eth_type', False), ('ipv4_dst', True), ('vlan_vid', False)) name: ipv4_fib next_tables: ['vip', 'eth_dst', 'flood'] output: True set_fields: ('eth_dst', 'eth_src', 'vlan_vid') size: 32 table_id: 2 vlan_port_scale: 3.1
table ID 3 table config match_types: (('arp_tpa', False), ('eth_dst', False), ('eth_type', False), ('icmpv6_type', False), ('ip_proto', False)) name: vip next_tables: ['eth_dst', 'flood'] output: True size: 32 table_id: 3 vlan_scale: 8
table ID 4 table config exact_match: True match_types: (('eth_dst', False), ('vlan_vid', False)) miss_goto: flood name: eth_dst output: True size: 64 table_id: 4 vlan_port_scale: 4.1
table ID 5 table config match_types: (('eth_dst', True), ('in_port', False), ('vlan_vid', False)) name: flood output: True size: 96 table_id: 5 vlan_port_scale: 8.0

關于OVS網橋與Faucet的連接日志已在前文詳述，流表的具體說明如下。??

5.2 下發流表

5.2.1 控制器下發流表日志

ovs bridge成功連接控制器后，控制器根據yaml文件里ovs bridge配置，下發相關流表。

faucet.log

Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 Configuring VLAN 200 vid:200 untagged: Port 4,Port 5
Jun 08 22:24:51 faucet.valve INFO     DPID 1 (0x1) switch-1 table ID 0 table config match_types: (('eth_dst', True), ('eth_type', False), ('in_port', False), ('vlan_vid', False)) name: vlan next_tables: ['eth_src'] output: True set_fields: ('vlan_vid',) size: 32 vlan_port_scale: 3
table ID 1 table config match_types: (('eth_dst', True), ('eth_src', False), ('eth_type', False), ('in_port', False), ('vlan_vid', False)) miss_goto: eth_dst name: eth_src next_tables: ['ipv4_fib', 'vip', 'eth_dst', 'flood'] output: True set_fields: ('vlan_vid', 'eth_dst') size: 64 table_id: 1 vlan_port_scale: 4.1
table ID 2 table config dec_ttl: True match_types: (('eth_type', False), ('ipv4_dst', True), ('vlan_vid', False)) name: ipv4_fib next_tables: ['vip', 'eth_dst', 'flood'] output: True set_fields: ('eth_dst', 'eth_src', 'vlan_vid') size: 32 table_id: 2 vlan_port_scale: 3.1
table ID 3 table config match_types: (('arp_tpa', False), ('eth_dst', False), ('eth_type', False), ('icmpv6_type', False), ('ip_proto', False)) name: vip next_tables: ['eth_dst', 'flood'] output: True size: 32 table_id: 3 vlan_scale: 8
table ID 4 table config exact_match: True match_types: (('eth_dst', False), ('vlan_vid', False)) miss_goto: flood name: eth_dst output: True size: 64 table_id: 4 vlan_port_scale: 4.1
table ID 5 table config match_types: (('eth_dst', True), ('in_port', False), ('vlan_vid', False)) name: flood output: True size: 96 table_id: 5 vlan_port_scale: 8.0

控制器一共下發了Table0~5。

Table 編號	名稱	功能描述	備注
Table 0	vlan	Ingress VLAN processing	打上 VLAN 標簽（入口 VLAN 處理）
Table 1	eth_src	Ingress L2 processing, MAC learning	MAC 地址學習（二層入口處理）
Table 2	ipv4_fib	L3 forwarding for IPv4	路由表，進行 IPv4 的三層轉發
Table 3	vip	Virtual IP processing (e.g., for router IP addresses by Faucet)	處理發給路由器自身（MAC 或 IP）的報文
Table 4	eth_dst	Egress L2 processing	根據目的 MAC 地址進行二層轉發（出口二層處理）
Table 5	flood	Flooding for BUM packets	處理 BUM（廣播、未知單播、多播）報文并進行泛洪

下面是對這個 OpenFlow 流表結構的中文解釋，這是典型的 Faucet 控制器下發給 Open vSwitch（OVS）的多表處理流程：
? 表 0（vlan）：入口 VLAN 處理

作用： 對進入的報文進行 VLAN 分類和檢查。

處理內容：

檢查報文是否帶有 VLAN 標簽，如果沒有可能加標簽。

驗證 VLAN 是否允許，不允許則丟棄。

合法的 VLAN 報文進入下一表。

? 表 1（eth_src）：二層源地址學習處理

作用： 學習源 MAC 地址，用于構建轉發表。

處理內容：

將源 MAC 和入口端口關聯，寫入轉發表。

可選：過濾非法 MAC 地址。

報文繼續進入下一處理表。

? 表 2（ipv4_fib）：三層 IPv4 路由處理

作用： 根據 IPv4 目的地址進行 L3 轉發。

處理內容：

匹配目的 IP 地址，查找 FIB（Forwarding Information Base）。

設置下一跳 MAC、出接口等。

若為特殊 IP（如虛擬網關 IP），跳轉到 vip 表。

否則，繼續進入下一表。

? 表 3（vip）：虛擬 IP 處理

作用： 處理虛擬網關 IP（如虛擬路由器接口 IP）。

處理內容：

回應 ARP 請求（如果目標 IP 是虛擬網關 IP）。

處理 ICMP（如 ping 路由器）。

可將報文發給控制器，模擬網關行為。

? 表 4（eth_dst）：二層目的地址處理

作用： 根據目的 MAC 地址選擇出端口。

處理內容：

查找目的 MAC 地址對應的端口。

找到則輸出。

未知 MAC 可跳轉到泛洪表。

? 表 5（flood）：廣播/泛洪處理

作用： 用于 ARP、DHCP 等廣播流量處理。

處理內容：

向 VLAN 內的所有端口泛洪。

支持未知單播轉廣播等策略。

此時也可以查看~/ovs/sandbox/ovs-vswitchd.log流表下發的相關日志。

5.2.2 OVS查看新增加的流表

新下發的流表（和flows1比較）

diff-flows flows1 br0 | grep '^+'

root@server1:~/ovs# diff-flows flows1 br0 | grep '^+'
+table=1 priority=16384,arp,dl_vlan=100 actions=goto_table:3
+table=1 priority=16384,arp,dl_vlan=200 actions=goto_table:3
+table=1 priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2
+table=1 priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2
+table=1 priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:4
+table=1 priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:4
+table=1 priority=0 actions=goto_table:4
+table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3
+table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3
+table=2 priority=0 actions=drop
+table=3 priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64
+table=3 priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64
+table=3 priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64
+table=3 priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194
+table=3 priority=12319,arp actions=goto_table:4
+table=3 priority=12316,ip actions=CONTROLLER:194,goto_table:4
+table=3 priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174
+table=3 priority=12318,icmp actions=CONTROLLER:194,goto_table:4
+table=4 priority=0 actions=goto_table:5
+table=5 priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=drop
+table=5 priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=drop
+table=5 priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:1,output:2,output:3
+table=5 priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:4,output:5
+table=5 priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=drop
+table=5 priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:1,output:2,output:3
+table=5 priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:1,output:2,output:3
+table=5 priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:4,output:5
+table=5 priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:4,output:5
+table=5 priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:1,output:2,output:3
+table=5 priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:4,output:5
+table=5 priority=8192,dl_vlan=100 actions=pop_vlan,output:1,output:2,output:3
+table=5 priority=8192,dl_vlan=200 actions=pop_vlan,output:4,output:5
+table=5 priority=0 actions=drop
root@server1:~/ovs#

?其中：

+table=1 priority=16384,arp,dl_vlan=100 actions=goto_table:3
+table=1 priority=16384,arp,dl_vlan=200 actions=goto_table:3
+table=1 priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2
+table=1 priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2

表1主要用于mac地址學習。

arp流量，先發到表3，查看是不是發給路由器自己的；

ip流量，如果目的mac是0e:00:00:00:00:01，這是網關mac，發到表2查詢路由表。

+table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3
+table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3
+table=2 priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3

表2是路由表：
ip流量，如果目的ip是網關IP，轉到表3處理

ip流量，如果目的ip屬于本地網段，轉到表3處理

+table=3 priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64
+table=3 priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64
+table=3 priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64
+table=3 priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194
+table=3 priority=12319,arp actions=goto_table:4
+table=3 priority=12316,ip actions=CONTROLLER:194,goto_table:4
+table=3 priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174
+table=3 priority=12318,icmp actions=CONTROLLER:194,goto_table:4

表3主要處理發給自己的二層或者三層流量：

arp流量，如果是查詢網關IP的mac，發給控制器處理；

arp流量，如果是發給網關mac的，發給控制器處理

ip流量，如果目的mac是網關mac的，發給控制器處理

其他arp，發給表4

其他IP流量，發給控制器，同時發給表4

Performance is clearly going to be poor if every packet that needs to be routed has to go to the controller, but it’s unlikely that’s the full story. In the next section, we’ll take a closer look.

刪除的流表（和flows1比較）

root@server1:~/ovs# diff-flows flows1 br0 | grep '^-'
-table=1 priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:2
-table=1 priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:2
-table=1 priority=0 actions=goto_table:2
-table=2 priority=0 actions=goto_table:3
-table=3 priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=drop
-table=3 priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=drop
-table=3 priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:1,output:2,output:3
-table=3 priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:4,output:5
-table=3 priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=drop
-table=3 priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:1,output:2,output:3
-table=3 priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:1,output:2,output:3
-table=3 priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:4,output:5
-table=3 priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:4,output:5
-table=3 priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:1,output:2,output:3
-table=3 priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:4,output:5
-table=3 priority=8192,dl_vlan=100 actions=pop_vlan,output:1,output:2,output:3
-table=3 priority=8192,dl_vlan=200 actions=pop_vlan,output:4,output:5
root@server1:~/ovs#

完整流表（命名為flows2）

root@server1:~/ovs# dump-flows br0priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=4096,in_port=p5,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=0 actions=droptable=1, priority=20490,dl_type=0x9000 actions=droptable=1, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=droptable=1, priority=20480,dl_src=0e:00:00:00:00:01 actions=droptable=1, priority=16384,arp,dl_vlan=100 actions=goto_table:3table=1, priority=16384,arp,dl_vlan=200 actions=goto_table:3table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:4table=1, priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:4table=1, priority=0 actions=goto_table:4table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=0 actions=droptable=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64table=3, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194table=3, priority=12319,arp actions=goto_table:4table=3, priority=12316,ip actions=CONTROLLER:194,goto_table:4table=3, priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174table=3, priority=12318,icmp actions=CONTROLLER:194,goto_table:4table=3, priority=0 actions=droptable=4, priority=0 actions=goto_table:5table=5, priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=droptable=5, priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=droptable=5, priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p4,output:p5table=5, priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=droptable=5, priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8192,dl_vlan=100 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8192,dl_vlan=200 actions=pop_vlan,output:p4,output:p5table=5, priority=0 actions=drop
root@server1:~/ovs#

?保存流表flows2

root@server1:~/ovs# save-flows br0 > flows2

5.3 模擬測試

主機10.100.0.1和主機10.200.0.1相互通信，假設之前沒有通信，通常的通信過程為：

主機 10.100.0.1 向路由器 10.100.0.254 發送 ARP 請求。（請求網關的MAC）
路由器向主機發送 ARP 應答。（應答網關的MAC）
主機 10.100.0.1 向 10.200.0.1 發送 IP 數據包。（目的MAC為網關MAC）
路由器向端口 p4 和 p5（即承載 10.200.0.<x> 網絡的端口）廣播 ARP 請求。（路由器暫時不知道10.200.0.1的MAC，請求10.200.0.1的MAC）主機 10.200.0.1 向路由器發送 ARP 應答。（應答10.200.0.1的MAC）
然后，路由器將之前緩存在本地的 IP 數據包發送給 10.200.0.1，或者最終 10.100.0.1 超時并重新發送該數據包。（源MAC為網關10.200.0.254的MAC）

Step 1: Host ARP for Router（模擬主機1發arp request）

如果之前沒有開啟日志，建議開啟日志方便查看：

ovs log：
root@server1:~/ovs/sandbox# tail -f ovs-vswitchd.log | grep -v -e "OFPT_ECHO_REQUEST" -e "OFPT_ECHO_REPLY"faucet log:
root@server1:~/faucet/inst# tail -f faucet.log

模擬?IP 地址為 10.100.0.1 的主機向其網關路由器 10.100.0.254 發出的 ARP 請求。

root@server1:~/ovs# ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,dl_type=0x806,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff,arp_op=1 -generate
Flow: arp,in_port=1,vlan_tci=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ffbridge("br0")
-------------0. in_port=1,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4196->vlan_vidgoto_table:11. arp,dl_vlan=100, priority 16384, cookie 0x5adc15c0goto_table:33. arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254, priority 12320, cookie 0x5adc15c0CONTROLLER:64Final flow: arp,in_port=1,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff
Megaflow: recirc_id=0,eth,arp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254
Datapath actions: push_vlan(vid=100,pcp=0),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0x5adc15c0,controller_id=0,max_len=64))
root@server1:~/ovs#

通過匹配flows2:

?priority= 4096, in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1

?table=1, priority= 16384, arp,dl_vlan=100 actions=goto_table:3

?table=3, priority= 12320, arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64

一些字段解釋：
字段名全稱中文解釋
arp_spa ARP Sender Protocol Address 發送方的 IP 地址（誰在發 ARP）
arp_tpa ARP Target Protocol Address 目標 IP 地址（誰的 MAC 我要找）
arp_sha ARP Sender Hardware Address 發送方的 MAC 地址
arp_tha ARP Target Hardware Address 目標的 MAC 地址（填廣播或未知）

字段名	全稱	中文解釋
`arp_spa`	ARP Sender Protocol Address	發送方的 IP 地址（誰在發 ARP）
`arp_tpa`	ARP Target Protocol Address	目標 IP 地址（誰的 MAC 我要找）
`arp_sha`	ARP Sender Hardware Address	發送方的 MAC 地址
`arp_tha`	ARP Target Hardware Address	目標的 MAC 地址（填廣播或未知）

?ovs log

step1:>>>>>>>>>>>>>>>>>>>>ovs log2025-06-08T22:37:08.824Z|00456|vconn|DBG|tcp:127.0.0.1:6653: sent (Success): OFPT_PACKET_IN (OF1.3) (xid=0x0): table_id=3 cookie=0x5adc15c0 total_len=46 in_port=1 (via action) data_len=46 (unbuffered)
arp,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff
2025-06-08T22:37:08.832Z|00457|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd360239e): ADD table:4 priority=8192,dl_vlan=100,dl_dst=00:01:02:03:04:05 cookie:0x5adc15c0 idle:11972 out_port:0 actions=pop_vlan,output:1
2025-06-08T22:37:08.832Z|00458|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd360239f): ADD table:2 priority=12320,ip,dl_vlan=200,nw_dst=10.100.0.1 cookie:0x5adc15c0 out_port:0 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4
2025-06-08T22:37:08.832Z|00459|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a0): ADD table:2 priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.1 cookie:0x5adc15c0 out_port:0 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4
2025-06-08T22:37:08.832Z|00460|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a1): ADD table:1 priority=8191,in_port=1,dl_vlan=100,dl_src=00:01:02:03:04:05 cookie:0x5adc15c0 hard:7972 out_port:0 actions=goto_table:4
2025-06-08T22:37:08.832Z|00461|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a2): in_port=CONTROLLER actions=output:1 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=00:01:02:03:04:05,arp_spa=10.100.0.254,arp_tpa=10.100.0.1,arp_op=2,arp_sha=0e:00:00:00:00:01,arp_tha=00:01:02:03:04:05
2025-06-08T22:37:18.833Z|00465|connmgr|INFO|br0<->tcp:127.0.0.1:6653: 4 flow_mods 10 s ago (4 adds)

交換機收到一個 ARP 請求報文，并將其作為 OFPT_PACKET_IN 消息發送給控制器。

控制器根據該 ARP 請求，向交換機下發了多條 OFPT_FLOW_MOD 消息，用于修改交換機的流表，以實現對后續報文的轉發規則。

控制器還發送了一個 OFPT_PACKET_OUT 消息，向交換機指定端口發送了一個 ARP 應答報文。

faucet log

step1:>>>>>>>>>>>>>>>>>>>>faucet logJun 08 22:37:08 faucet.valve INFO     DPID 1 (0x1) switch-1 L2 learned on Port 1 00:01:02:03:04:05 (L2 type 0x0806, L2 dst ff:ff:ff:ff:ff:ff, L3 src 10.100.0.1, L3 dst 10.100.0.254) Port 1 VLAN 100 (1 hosts total)
Jun 08 22:37:08 faucet.valve INFO     DPID 1 (0x1) switch-1 Adding new route 10.100.0.1/32 via 10.100.0.1 (00:01:02:03:04:05) on VLAN 100
Jun 08 22:37:08 faucet.valve INFO     DPID 1 (0x1) switch-1 Resolve response to 10.100.0.254 from 00:01:02:03:04:05 (L2 type 0x0806, L2 dst ff:ff:ff:ff:ff:ff, L3 src 10.100.0.1, L3 dst 10.100.0.254) Port 1 VLAN 100

主機 10.100.0.1 加入網絡后，發送 ARP 請求廣播詢問網關 10.100.0.254：

Faucet 控制器看到這個廣播后，學習了主機的 MAC 地址和 IP；

為該主機動態添加了一條 /32 的路由；

準備回復主機的 ARP 請求，告訴主機網關的 MAC 地址（通常是 Faucet 虛擬路由接口的 MAC）。

新下發的流表（和flows2比較）

root@server1:~/ovs# diff-flows flows2 br0 | grep '^+' 
+table=1 priority=8191,in_port=1,dl_vlan=100,dl_src=00:01:02:03:04:05 hard_timeout=7902 actions=goto_table:4
+table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4
+table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4
+table=4 priority=8192,dl_vlan=100,dl_dst=00:01:02:03:04:05 idle_timeout=11902 actions=pop_vlan,output:1
root@server1:~/ovs#

+表1：主機1發出的二層報文，源地址已經學習過了，直接轉到表4處理。（優先級比較低）

+表2：處理發往主機1的IP報文

+表4：處理目的mac為主機1的報文，從P1端口轉發出去

刪除的流表（和flows2比較）

root@server1:~/ovs# diff-flows flows2 br0 | grep '^-'
root@server1:~/ovs#

?完整流表flow3

root@server1:~/ovs# dump-flows br0priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=4096,in_port=p5,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=0 actions=droptable=1, priority=20490,dl_type=0x9000 actions=droptable=1, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=droptable=1, priority=20480,dl_src=0e:00:00:00:00:01 actions=droptable=1, priority=16384,arp,dl_vlan=100 actions=goto_table:3table=1, priority=16384,arp,dl_vlan=200 actions=goto_table:3table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, hard_timeout=7831, priority=8191,in_port=p1,dl_vlan=100,dl_src=00:01:02:03:04:05 actions=goto_table:4table=1, priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:4table=1, priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:4table=1, priority=0 actions=goto_table:4table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=0 actions=droptable=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64table=3, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194table=3, priority=12319,arp actions=goto_table:4table=3, priority=12316,ip actions=CONTROLLER:194,goto_table:4table=3, priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174table=3, priority=12318,icmp actions=CONTROLLER:194,goto_table:4table=3, priority=0 actions=droptable=4, idle_timeout=11831, priority=8192,dl_vlan=100,dl_dst=00:01:02:03:04:05 actions=pop_vlan,output:p1table=4, priority=0 actions=goto_table:5table=5, priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=droptable=5, priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=droptable=5, priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p4,output:p5table=5, priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=droptable=5, priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8192,dl_vlan=100 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8192,dl_vlan=200 actions=pop_vlan,output:p4,output:p5table=5, priority=0 actions=drop
root@server1:~/ovs#

保存流表flows3

root@server1:~/ovs# save-flows br0 > flows3

Step 2: Router Sends ARP Reply（控制器發出arp reply）

在接口 p1 上啟用數據包捕獲（Packet Capture）功能，并將捕獲的數據包寫入到文件 p1.pcap 中。

root@server1:~/ovs# ovs-vsctl set interface p1 options:pcap=p1.pcap

主機1再次發送ARP報文，請求網關mac：

root@server1:~/ovs# ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,dl_type=0x806,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff,arp_op=1 -generate
Flow: arp,in_port=1,vlan_tci=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ffbridge("br0")
-------------0. in_port=1,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4196->vlan_vidgoto_table:11. arp,dl_vlan=100, priority 16384, cookie 0x5adc15c0goto_table:33. arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254, priority 12320, cookie 0x5adc15c0CONTROLLER:64Final flow: arp,in_port=1,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff
Megaflow: recirc_id=0,eth,arp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254
Datapath actions: push_vlan(vid=100,pcp=0),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=2,rule_cookie=0x5adc15c0,controller_id=0,max_len=64))
root@server1:~/ovs#

?ovs log

step2:>>>>>>>>>>>>>>>>>>>>2025-06-08T22:38:35.723Z|00497|vconn|DBG|tcp:127.0.0.1:6653: sent (Success): OFPT_PACKET_IN (OF1.3) (xid=0x0): table_id=3 cookie=0x5adc15c0 total_len=46 in_port=1 (via action) data_len=46 (unbuffered)
arp,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.100.0.1,arp_tpa=10.100.0.254,arp_op=1,arp_sha=00:01:02:03:04:05,arp_tha=ff:ff:ff:ff:ff:ff
2025-06-08T22:38:35.725Z|00498|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a2): in_port=CONTROLLER actions=output:1 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=00:01:02:03:04:05,arp_spa=10.100.0.254,arp_tpa=10.100.0.1,arp_op=2,arp_sha=0e:00:00:00:00:01,arp_tha=00:01:02:03:04:05

Open vSwitch將ARP請求轉發至控制器處理。

控制器發送ARP響應給Open vSwitch，并通過端口P1轉發該響應。

faucet log

step2:>>>>>>>>>>>>>>>>>>>>(沒有下發流表的動作，因為已經在step1下發過了）

顯示 p1.pcap 文件中所有抓到的數據包內容

root@server1:~/ovs/sandbox# tcpdump -evvvr p1.pcap 
reading from file p1.pcap, link-type EN10MB (Ethernet), snapshot length 1518
23:31:49.561713 0e:00:00:00:00:01 (oui Unknown) > 00:01:02:03:04:05 (oui Unknown), ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 10.100.0.254 is-at 0e:00:00:00:00:01 (oui Unknown), length 46

顯示的是一個 ARP 響應（Reply）報文

root@server1:~/ovs# for i in 2 3 4 5; do ovs-vsctl set interface p$i options:pcap=p$i.pcap; done

對 p2~p5 都啟用抓包?

Step 3: Host Sends IP Packet（模擬主機1發包給主機2）

Step 3/4: 主機1發送IP報文到主機2；控制器發送arp request

模擬從主機10.100.0.1發送IP報文到主機10.200.0.1，目的mac為網關mac。

root@server1:~/ovs# ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,udp,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_ttl=64 -generate
Flow: udp,in_port=1,vlan_tci=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=0bridge("br0")
-------------0. in_port=1,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4196->vlan_vidgoto_table:11. ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01, priority 16384, cookie 0x5adc15c0goto_table:22. ip,dl_vlan=100,nw_dst=10.200.0.0/24, priority 12312, cookie 0x5adc15c0goto_table:33. ip,dl_dst=0e:00:00:00:00:01, priority 12317, cookie 0x5adc15c0CONTROLLER:194Final flow: udp,in_port=1,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=0
Megaflow: recirc_id=0,eth,udp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_dst=10.200.0.0/25,nw_frag=no
Datapath actions: push_vlan(vid=100,pcp=0),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=6,rule_cookie=0x5adc15c0,controller_id=0,max_len=194))
root@server1:~/ovs#

匹配流表flows3：

priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1

table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2?

table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3

table=3, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194

在table 3中，該數據包卻被發送至控制器。這是因為Faucet尚未解析出目標主機10.200.0.1的mac地址，隨后控制器會發出ARP請求。我們將在下一步驟中具體查看。

ovs log

step3:>>>>>>>>>>>>>>>>>>>>2025-06-08T22:39:34.485Z|00521|vconn|DBG|tcp:127.0.0.1:6653: sent (Success): OFPT_PACKET_IN (OF1.3) (xid=0x0): table_id=3 cookie=0x5adc15c0 total_len=110 in_port=1 (via action) data_len=110 (unbuffered)
udp,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=0 udp_csum:62d
2025-06-08T22:39:34.488Z|00522|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a3): ADD table:2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 cookie:0x5adc15c0 hard:748 out_port:0 actions=drop
2025-06-08T22:39:34.488Z|00523|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a4): ADD table:2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 cookie:0x5adc15c0 hard:748 out_port:0 actions=drop
2025-06-08T22:39:34.488Z|00524|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a5): in_port=CONTROLLER actions=output:5,output:4 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.200.0.254,arp_tpa=10.200.0.1,arp_op=1,arp_sha=0e:00:00:00:00:01,arp_tha=00:00:00:00:00:00
2025-06-08T22:39:41.614Z|00527|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a6): in_port=CONTROLLER actions=output:4,output:5 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.200.0.254,arp_tpa=10.200.0.1,arp_op=1,arp_sha=0e:00:00:00:00:01,arp_tha=00:00:00:00:00:00
2025-06-08T22:39:44.488Z|00528|connmgr|INFO|br0<->tcp:127.0.0.1:6653: 2 flow_mods 10 s ago (2 adds)
2025-06-08T22:39:48.580Z|00531|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a7): in_port=CONTROLLER actions=output:5,output:4 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.200.0.254,arp_tpa=10.200.0.1,arp_op=1,arp_sha=0e:00:00:00:00:01,arp_tha=00:00:00:00:00:00
2025-06-08T22:39:59.770Z|00536|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a8): in_port=CONTROLLER actions=output:5,output:4 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.200.0.254,arp_tpa=10.200.0.1,arp_op=1,arp_sha=0e:00:00:00:00:01,arp_tha=00:00:00:00:00:00
2025-06-08T22:40:17.638Z|00543|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_PACKET_OUT (OF1.3) (xid=0xd36023a9): in_port=CONTROLLER actions=output:5,output:4 data_len=60
arp,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.200.0.254,arp_tpa=10.200.0.1,arp_op=1,arp_sha=0e:00:00:00:00:01,arp_tha=00:00:00:00:00:00

2025-06-08T22:39:34.485Z|00521|vconn|DBG|tcp:127.0.0.1:6653: sent (Success): OFPT_PACKET_IN (OF1.3) (xid=0x0): table_id=3 cookie=0x5adc15c0 total_len=110 in_port=1 (via action) data_len=110 (unbuffered)
udp,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=0 udp_csum:62d

把主機1發送到主機2的IP報文發到控制器處理

2025-06-08T22:39:34.488Z|00522|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a3): ADD table:2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 cookie:0x5adc15c0 hard:748 out_port:0 actions=drop
2025-06-08T22:39:34.488Z|00523|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023a4): ADD table:2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 cookie:0x5adc15c0 hard:748 out_port:0 actions=drop

由于控制器需要獲得主機2的mac地址，才能正常通信。所以暫時丟棄后續去往主機2的數據包。

接下來控制器發送arp 請求，從端口4、5發出。

faucet log?

step3:>>>>>>>>>>>>>>>>>>>>Jun 07 23:39:55 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 (1 flows) on VLAN 200
Jun 07 23:40:00 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 2 (last attempt was 5s ago; 1 flows) on VLAN 200
Jun 07 23:40:07 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 3 (last attempt was 6s ago; 1 flows) on VLAN 200
Jun 07 23:40:19 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 4 (last attempt was 11s ago; 1 flows) on VLAN 200
Jun 07 23:40:38 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 5 (last attempt was 18s ago; 1 flows) on VLAN 200
Jun 07 23:41:19 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 6 (last attempt was 41s ago; 1 flows) on VLAN 200
Jun 07 23:42:27 faucet.valve INFO     DPID 1 (0x1) switch-1 resolving 10.200.0.1 retry 7 (last attempt was 68s ago; 1 flows) on VLAN 200

faucet日志反映發送arp request，嘗試解析10.200.0.1的mac地址。

新下發的流表（和flows3比較）

root@server1:~/ovs# diff-flows flows3 br0 | grep '^+'
+table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 hard_timeout=700 actions=drop
+table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 hard_timeout=700 actions=drop
root@server1:~/ovs#

只是table 2下發了兩條流表，暫時丟棄發往10.200.0.1的報文。?

刪除的流表（和flows3比較）

root@server1:~/ovs# diff-flows flows3 br0 | grep '^-'
root@server1:~/ovs#

完整流表flows4

root@server1:~/ovs# dump-flows br0priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=4096,in_port=p5,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=0 actions=droptable=1, priority=20490,dl_type=0x9000 actions=droptable=1, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=droptable=1, priority=20480,dl_src=0e:00:00:00:00:01 actions=droptable=1, priority=16384,arp,dl_vlan=100 actions=goto_table:3table=1, priority=16384,arp,dl_vlan=200 actions=goto_table:3table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, hard_timeout=7831, priority=8191,in_port=p1,dl_vlan=100,dl_src=00:01:02:03:04:05 actions=goto_table:4table=1, priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:4table=1, priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:4table=1, priority=0 actions=goto_table:4table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, hard_timeout=696, priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 actions=droptable=2, hard_timeout=696, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 actions=droptable=2, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=0 actions=droptable=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64table=3, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194table=3, priority=12319,arp actions=goto_table:4table=3, priority=12316,ip actions=CONTROLLER:194,goto_table:4table=3, priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174table=3, priority=12318,icmp actions=CONTROLLER:194,goto_table:4table=3, priority=0 actions=droptable=4, idle_timeout=11831, priority=8192,dl_vlan=100,dl_dst=00:01:02:03:04:05 actions=pop_vlan,output:p1table=4, priority=0 actions=goto_table:5table=5, priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=droptable=5, priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=droptable=5, priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p4,output:p5table=5, priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=droptable=5, priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8192,dl_vlan=100 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8192,dl_vlan=200 actions=pop_vlan,output:p4,output:p5table=5, priority=0 actions=drop
root@server1:~/ovs#

?保存流表flows4

root@server1:~/ovs# save-flows br0 > flows4

?Step 4: Router Broadcasts ARP Request（控制器發出arp request）

路由器（控制器承擔這個功能）需要知道10.200.0.1的以太網地址。它知道，如果這臺機器存在，它一定連接在端口p4或p5上，因為這些端口配置為VLAN 200。

P4抓包

root@server1:~/ovs/sandbox# tcpdump -evvvr p4.pcap
reading from file p4.pcap, link-type EN10MB (Ethernet), snapshot length 1518
23:39:55.249797 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:00.263948 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:07.166306 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:19.152026 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:38.141315 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:41:19.242195 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:42:27.827128 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:43:34.840761 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:44:42.830534 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:45:48.901490 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
root@server1:~/ovs/sandbox#

日志顯示從P4端口發出了arp request。?

?P5抓包

root@server1:~/ovs/sandbox# tcpdump -evvvr p5.pcap
reading from file p5.pcap, link-type EN10MB (Ethernet), snapshot length 1518
23:39:55.249810 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:00.263960 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:07.166322 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:19.152042 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:40:38.141327 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:41:19.242207 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:42:27.827197 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:43:34.840806 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:44:42.830547 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
23:45:48.901522 0e:00:00:00:00:01 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 10.200.0.1 tell 10.200.0.254, length 46
root@server1:~/ovs/sandbox#

P3抓包

（P3屬于vlan100，不屬于vlan200，所以沒有抓包信息）

root@server1:~/ovs/sandbox# tcpdump -evvvr p3.pcap
reading from file p3.pcap, link-type EN10MB (Ethernet), snapshot length 1518
root@server1:~/ovs/sandbox#

Step 5: Host 2 Sends ARP Reply（模擬主機2發arp reply）

Faucet控制器發送了一個ARP請求，所以可以模擬發送一個ARP回復：

root@server1:~/ovs/sandbox# ovs-appctl ofproto/trace br0 in_port=p4,dl_src=00:10:20:30:40:50,dl_dst=0e:00:00:00:00:01,dl_type=0x806,arp_spa=10.200.0.1,arp_tpa=10.200.0.254,arp_sha=00:10:20:30:40:50,arp_tha=0e:00:00:00:00:01,arp_op=2 -generate
Flow: arp,in_port=4,vlan_tci=0x0000,dl_src=00:10:20:30:40:50,dl_dst=0e:00:00:00:00:01,arp_spa=10.200.0.1,arp_tpa=10.200.0.254,arp_op=2,arp_sha=00:10:20:30:40:50,arp_tha=0e:00:00:00:00:01bridge("br0")
-------------0. in_port=4,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4296->vlan_vidgoto_table:11. arp,dl_vlan=200, priority 16384, cookie 0x5adc15c0goto_table:33. arp,dl_dst=0e:00:00:00:00:01, priority 12320, cookie 0x5adc15c0CONTROLLER:64Final flow: arp,in_port=4,dl_vlan=200,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:10:20:30:40:50,dl_dst=0e:00:00:00:00:01,arp_spa=10.200.0.1,arp_tpa=10.200.0.254,arp_op=2,arp_sha=00:10:20:30:40:50,arp_tha=0e:00:00:00:00:01
Megaflow: recirc_id=0,eth,arp,in_port=4,dl_src=00:10:20:30:40:50,dl_dst=0e:00:00:00:00:01
Datapath actions: push_vlan(vid=200,pcp=0),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=7,rule_cookie=0x5adc15c0,controller_id=0,max_len=64))
root@server1:~/ovs/sandbox#

通過比較完整流表（flows4），匹配的流表為：

priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1

table=1, priority=16384,arp,dl_vlan=200 actions=goto_table:3

table=3, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64

處理邏輯：收到arp報文，轉到table3處理。

ovs log

step5:>>>>>>>>>>>>>>>>>>>>2025-06-08T22:41:25.569Z|00571|vconn|DBG|tcp:127.0.0.1:6653: sent (Success): OFPT_PACKET_IN (OF1.3) (xid=0x0): table_id=3 cookie=0x5adc15c0 total_len=46 in_port=4 (via action) data_len=46 (unbuffered)
arp,dl_vlan=200,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:10:20:30:40:50,dl_dst=0e:00:00:00:00:01,arp_spa=10.200.0.1,arp_tpa=10.200.0.254,arp_op=2,arp_sha=00:10:20:30:40:50,arp_tha=0e:00:00:00:00:01
2025-06-08T22:41:25.573Z|00572|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023ab): ADD table:4 priority=8192,dl_vlan=200,dl_dst=00:10:20:30:40:50 cookie:0x5adc15c0 idle:11931 out_port:0 actions=pop_vlan,output:4
2025-06-08T22:41:25.573Z|00573|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023ac): ADD table:2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 cookie:0x5adc15c0 out_port:0 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4
2025-06-08T22:41:25.573Z|00574|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023ad): ADD table:2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 cookie:0x5adc15c0 out_port:0 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4
2025-06-08T22:41:25.573Z|00575|vconn|DBG|tcp:127.0.0.1:6653: received: OFPT_FLOW_MOD (OF1.3) (xid=0xd36023ae): ADD table:1 priority=8191,in_port=4,dl_vlan=200,dl_src=00:10:20:30:40:50 cookie:0x5adc15c0 hard:7931 out_port:0 actions=goto_table:4
2025-06-08T22:41:35.574Z|00578|connmgr|INFO|br0<->tcp:127.0.0.1:6653: 4 flow_mods 10 s ago (4 adds)

模擬主機2發出的arp reply發給控制器
表4添加條目，mac 00:10:20:30:40:50和端口4映射
表2添加條目，發給10.200.0.1的報文，修改相應的源/目mac。
表1添加條目，源mac 00:10:20:30:40:50的主機發出的報文的處理方式，注意優先級比較低。

faucet log

step5:>>>>>>>>>>>>>>>>>>>>Jun 08 22:41:25 faucet.valve INFO     DPID 1 (0x1) switch-1 L2 learned on Port 4 00:10:20:30:40:50 (L2 type 0x0806, L2 dst 0e:00:00:00:00:01, L3 src 10.200.0.1, L3 dst 10.200.0.254) Port 4 VLAN 200 (1 hosts total)
Jun 08 22:41:25 faucet.valve INFO     DPID 1 (0x1) switch-1 Adding new route 10.200.0.1/32 via 10.200.0.1 (00:10:20:30:40:50) on VLAN 200
Jun 08 22:41:25 faucet.valve INFO     DPID 1 (0x1) switch-1 Received advert for 10.200.0.1 from 00:10:20:30:40:50 (L2 type 0x0806, L2 dst 0e:00:00:00:00:01, L3 src 10.200.0.1, L3 dst 10.200.0.254) Port 4 VLAN 200

新下發的流表（和flow4比較）

root@server1:~/ovs# diff-flows flows4 br0 | grep '^+'
+table=1 priority=8191,in_port=4,dl_vlan=200,dl_src=00:10:20:30:40:50 hard_timeout=7972 actions=goto_table:4
+table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4
+table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4
+table=4 priority=8192,dl_vlan=200,dl_dst=00:10:20:30:40:50 idle_timeout=11972 actions=pop_vlan,output:4
root@server1:~/ovs#

刪除的流表（和flows4比較）

root@server1:~/ovs# diff-flows flows4 br0 | grep '^-'
-table=2 priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 hard_timeout=646 actions=drop
-table=2 priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 hard_timeout=646 actions=drop
root@server1:~/ovs#

完整流表flows5

root@server1:~/ovs# dump-flows br0priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=4096,in_port=p5,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:1priority=0 actions=droptable=1, priority=20490,dl_type=0x9000 actions=droptable=1, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=droptable=1, priority=20480,dl_src=0e:00:00:00:00:01 actions=droptable=1, priority=16384,arp,dl_vlan=100 actions=goto_table:3table=1, priority=16384,arp,dl_vlan=200 actions=goto_table:3table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:2table=1, hard_timeout=7991, priority=8191,in_port=p1,dl_vlan=100,dl_src=00:01:02:03:04:05 actions=goto_table:4table=1, hard_timeout=7972, priority=8191,in_port=p4,dl_vlan=200,dl_src=00:10:20:30:40:50 actions=goto_table:4table=1, priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:4table=1, priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:4table=1, priority=0 actions=goto_table:4table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:3table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.100.0.1 actions=dec_ttl,set_field:4196->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:01:02:03:04:05->eth_dst,goto_table:4table=2, priority=12320,ip,dl_vlan=100,nw_dst=10.200.0.1 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:3table=2, priority=0 actions=droptable=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64table=3, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64table=3, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194table=3, priority=12319,arp actions=goto_table:4table=3, priority=12316,ip actions=CONTROLLER:194,goto_table:4table=3, priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174table=3, priority=12318,icmp actions=CONTROLLER:194,goto_table:4table=3, priority=0 actions=droptable=4, idle_timeout=11991, priority=8192,dl_vlan=100,dl_dst=00:01:02:03:04:05 actions=pop_vlan,output:p1table=4, idle_timeout=11972, priority=8192,dl_vlan=200,dl_dst=00:10:20:30:40:50 actions=pop_vlan,output:p4table=4, priority=0 actions=goto_table:5table=5, priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=droptable=5, priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=droptable=5, priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p4,output:p5table=5, priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=droptable=5, priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p4,output:p5table=5, priority=8192,dl_vlan=100 actions=pop_vlan,output:p1,output:p2,output:p3table=5, priority=8192,dl_vlan=200 actions=pop_vlan,output:p4,output:p5table=5, priority=0 actions=drop
root@server1:~/ovs#

保存流表flows5

root@server1:~/ovs# save-flows br0 > flows5
root@server1:~/ovs#

?Step 6: IP Packet Delivery（模擬主機1發包給主機2）

首先看p4端口沒有發出的報文，說明之前主機1發給主機2的報文到目前沒有發出去過。

root@server1:~/ovs/sandbox# tcpdump -evvvr p4.pcap ip        
reading from file p4.pcap, link-type EN10MB (Ethernet), snapshot length 1518
root@server1:~/ovs/sandbox#

?模擬主機1發給主機2報文，完整的報文：

root@server1:~/ovs# ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,udp,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_ttl=64 -generate
Flow: udp,in_port=1,vlan_tci=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=0bridge("br0")
-------------0. in_port=1,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4196->vlan_vid  <--設置為vlan200goto_table:11. ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01, priority 16384, cookie 0x5adc15c0goto_table:22. ip,dl_vlan=100,nw_dst=10.200.0.1, priority 12320, cookie 0x5adc15c0dec_ttlset_field:4296->vlan_vidset_field:0e:00:00:00:00:01->eth_srcset_field:00:10:20:30:40:50->eth_dstgoto_table:44. dl_vlan=200,dl_dst=00:10:20:30:40:50, priority 8192, cookie 0x5adc15c0pop_vlanoutput:4Final flow: udp,in_port=1,vlan_tci=0x0000,dl_src=0e:00:00:00:00:01,dl_dst=00:10:20:30:40:50,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=63,nw_frag=no,tp_src=0,tp_dst=0
Megaflow: recirc_id=0,eth,udp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_dst=10.200.0.1,nw_ttl=64,nw_frag=no
Datapath actions: set(eth(src=0e:00:00:00:00:01,dst=00:10:20:30:40:50)),set(ipv4(ttl=63)),4
root@server1:~/ovs#

匹配流表flows5：
priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:1

table=1, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:2?

table=2, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.1 actions=dec_ttl,set_field:4296->vlan_vid,set_field:0e:00:00:00:00:01->eth_src,set_field:00:10:20:30:40:50->eth_dst,goto_table:4

table=4, idle_timeout=11897, priority=8192,dl_vlan=200,dl_dst=00:10:20:30:40:50 actions=pop_vlan,output:p4

Finally, we have working IP packet forwarding!

ovs log

step6:>>>>>>>>>>>>>>>>>>>>
(沒有日志輸出）

faucet log

step6:>>>>>>>>>>>>>>>>>>>>
(沒有日志輸出）

新下發的流表（和flows5比較）

root@server1:~/ovs# diff-flows flows5 br0 | grep '^+'
（沒有新增加）

刪除的流表（和flows5比較）

root@server1:~/ovs# diff-flows flows5 br0 | grep '^-'
（沒有刪除）

?5.4 性能問題

? Megaflow 的作用：

OVS 會將控制層配置的 OpenFlow 精細規則組合成一條 更粗粒度的匹配項（megaflow entry），緩存到內核 datapath 中；
每次有新流量進入，只要符合這個 megaflow 的組合，就可以 直接命中 datapath 緩存，不再上送到用戶態；
不需要頻繁查表、組合動作、重裝規則 → 顯著提升轉發性能（減少控制平面與內核之間通信，減少CPU負擔）；

Megaflow：

Megaflow: recirc_id=0,eth,udp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_dst=10.200.0.1,nw_ttl=64,nw_frag=no

datapath action:

Datapath actions: set(eth(src=0e:00:00:00:00:01,dst=00:10:20:30:40:50)),set(ipv4(ttl=63)),4

另外，雖然在 OpenFlow 控制平面下發的動作中，包含了：

push_vlan：給數據包打上 VLAN tag；
mod_vlan_vid：修改 VLAN ID；
pop_vlan：移除 VLAN tag；

這是一個完整的 VLAN 封裝—修改—去封裝流程。

但是我們在 datapath 層看到的實際執行動作中：

沒有出現任何 VLAN 相關的動作（push/pop/mod）。

這是因為：

OVS 的流表轉換引擎（flow translation layer）在將 OpenFlow 規則編譯成 datapath 動作時，會對一系列動作進行優化；
如果動作之間抵消了（例如你剛 push 又 pop，沒有留下任何痕跡），就會被認為是無效的；
這類動作會被**“優化掉”（optimize out）**，不再生成實際執行代碼。

優化的結果：

生成的 datapath cache entry 更精簡；
數據包命中 datapath cache 時，只需執行必要動作，減少 CPU 指令數；
提高了 轉發性能和處理效率。

6、ACLs

（和之前的測試相互獨立，所以ovs bridge的流表可能和之前不一致）

6.1 編輯控制器yaml文件，增加ACL配置

root@server1:~/faucet/inst# vi faucet.yaml 
root@server1:~/faucet/inst# cat faucet.yaml 
dps:switch-1:dp_id: 0x1timeout: 8000arp_neighbor_timeout: 3600interfaces:1:native_vlan: 100acl_in: 12:native_vlan: 1003:native_vlan: 1004:native_vlan: 2005:native_vlan: 200
vlans:100:faucet_vips: ["10.100.0.254/24"]200:faucet_vips: ["10.200.0.254/24"]
routers:router-1:vlans: [100, 200]
acls:1:- rule:dl_type: 0x800nw_proto: 6tcp_dst: 8080actions:allow: 0- rule:actions:allow: 1
root@server1:~/faucet/inst#

其中 端口 1 應用了 ACL 1，用于流量控制。

ACL 控制規則：

第一條規則：禁止訪問 TCP 目標端口為 8080 的 IPv4 報文；

第二條規則：默認允許其他所有流量；

ACL 1 僅應用在 端口 1，所以這個控制只對端口 1 的入方向生效。

6.2 重啟控制器

root@server1:~/ovs# docker restart faucet

或者：

docker exec faucet pkill -HUP -f faucet.faucet

6.3 完整流表flows6

root@server1:~/ovs# dump-flows br0priority=20480,tcp,in_port=p1,tp_dst=8080 actions=droppriority=20480,in_port=p2 actions=goto_table:1priority=20480,in_port=p3 actions=goto_table:1priority=20480,in_port=p4 actions=goto_table:1priority=20480,in_port=p5 actions=goto_table:1priority=20479,in_port=p1 actions=goto_table:1priority=0 actions=droptable=1, priority=4096,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:2table=1, priority=4096,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:2table=1, priority=4096,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4196->vlan_vid,goto_table:2table=1, priority=4096,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:2table=1, priority=4096,in_port=p5,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4296->vlan_vid,goto_table:2table=1, priority=0 actions=droptable=2, priority=20490,dl_type=0x9000 actions=droptable=2, priority=20480,dl_src=ff:ff:ff:ff:ff:ff actions=droptable=2, priority=20480,dl_src=0e:00:00:00:00:01 actions=droptable=2, priority=16384,arp,dl_vlan=100 actions=goto_table:4table=2, priority=16384,arp,dl_vlan=200 actions=goto_table:4table=2, priority=16384,ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01 actions=goto_table:3table=2, priority=16384,ip,dl_vlan=200,dl_dst=0e:00:00:00:00:01 actions=goto_table:3table=2, priority=4096,dl_vlan=100 actions=CONTROLLER:96,goto_table:5table=2, priority=4096,dl_vlan=200 actions=CONTROLLER:96,goto_table:5table=2, priority=0 actions=goto_table:5table=3, priority=12320,ip,dl_vlan=100,nw_dst=10.100.0.254 actions=goto_table:4table=3, priority=12320,ip,dl_vlan=200,nw_dst=10.200.0.254 actions=goto_table:4table=3, priority=12312,ip,dl_vlan=200,nw_dst=10.100.0.0/24 actions=goto_table:4table=3, priority=12312,ip,dl_vlan=100,nw_dst=10.100.0.0/24 actions=goto_table:4table=3, priority=12312,ip,dl_vlan=200,nw_dst=10.200.0.0/24 actions=goto_table:4table=3, priority=12312,ip,dl_vlan=100,nw_dst=10.200.0.0/24 actions=goto_table:4table=3, priority=0 actions=droptable=4, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.100.0.254 actions=CONTROLLER:64table=4, priority=12320,arp,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.200.0.254 actions=CONTROLLER:64table=4, priority=12320,arp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:64table=4, priority=12317,ip,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:194table=4, priority=12319,arp actions=goto_table:5table=4, priority=12316,ip actions=CONTROLLER:194,goto_table:5table=4, priority=12319,icmp,dl_dst=0e:00:00:00:00:01 actions=CONTROLLER:174table=4, priority=12318,icmp actions=CONTROLLER:194,goto_table:5table=4, priority=0 actions=droptable=5, priority=0 actions=goto_table:6table=6, priority=8240,dl_dst=01:00:0c:cc:cc:cc actions=droptable=6, priority=8240,dl_dst=01:00:0c:cc:cc:cd actions=droptable=6, priority=8240,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p1,output:p2,output:p3table=6, priority=8240,dl_vlan=200,dl_dst=ff:ff:ff:ff:ff:ff actions=pop_vlan,output:p4,output:p5table=6, priority=8236,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=droptable=6, priority=8216,dl_vlan=100,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=6, priority=8216,dl_vlan=100,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=6, priority=8216,dl_vlan=200,dl_dst=01:80:c2:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=6, priority=8216,dl_vlan=200,dl_dst=01:00:5e:00:00:00/ff:ff:ff:00:00:00 actions=pop_vlan,output:p4,output:p5table=6, priority=8208,dl_vlan=100,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p1,output:p2,output:p3table=6, priority=8208,dl_vlan=200,dl_dst=33:33:00:00:00:00/ff:ff:00:00:00:00 actions=pop_vlan,output:p4,output:p5table=6, priority=8192,dl_vlan=100 actions=pop_vlan,output:p1,output:p2,output:p3table=6, priority=8192,dl_vlan=200 actions=pop_vlan,output:p4,output:p5table=6, priority=0 actions=drop
root@server1:~/ovs#

? Faucet/OVS Flow Tables 功能歸納表

Table 編號名稱/用途匹配字段示例動作/作用功能說明
0 Port ACL in_port, tcp_dst=8080 drop、goto_table:1 入端口ACL匹配表：處理端口入口的ACL規則（如 TCP 8080 禁止）
1 VLAN Tagging in_port, vlan_tci push_vlan, set_field, goto_table:2 打 VLAN 標簽表：給 untagged 報文打上 native VLAN 標簽
2 VLAN/ARP處理 & Flood控制 dl_type, dl_vlan, dl_src, dl_dst goto_table:3/4/5、drop、CONTROLLER VLAN 檢查、非法報文丟棄、L2 Flood 前處理
3 Routing (L3 Forwarding) ip, dl_vlan, nw_dst goto_table:4 L3 路由匹配表：目標 IP 是其他 VLAN 的，通過 router 處理
4 VIP/ARP/IP 特殊處理 arp, ip, icmp CONTROLLER, goto_table:5 Faucet VIP、自身ARP響應、ICMP處理表
5 轉發決策入口 默認所有包 goto_table:6 轉發前的中轉表（空邏輯，主要是分層結構清晰）
6 Flood & Multicast 轉發 dl_vlan, dl_dst pop_vlan, output, drop 最終轉發/廣播控制表，做 VLAN pop 并 output 到正確端口

Table 編號	名稱/用途	匹配字段示例	動作/作用	功能說明
0	Port ACL	`in_port`, `tcp_dst=8080`	`drop`、`goto_table:1`	入端口ACL匹配表：處理端口入口的ACL規則（如 TCP 8080 禁止）
1	VLAN Tagging	`in_port`, `vlan_tci`	`push_vlan`, `set_field`, `goto_table:2`	打 VLAN 標簽表：給 untagged 報文打上 native VLAN 標簽
2	VLAN/ARP處理 & Flood控制	`dl_type`, `dl_vlan`, `dl_src`, `dl_dst`	`goto_table:3/4/5`、`drop`、`CONTROLLER`	VLAN 檢查、非法報文丟棄、L2 Flood 前處理
3	Routing (L3 Forwarding)	`ip`, `dl_vlan`, `nw_dst`	`goto_table:4`	L3 路由匹配表：目標 IP 是其他 VLAN 的，通過 router 處理
4	VIP/ARP/IP 特殊處理	`arp`, `ip`, `icmp`	`CONTROLLER`, `goto_table:5`	Faucet VIP、自身ARP響應、ICMP處理表
5	轉發決策入口	默認所有包	`goto_table:6`	轉發前的中轉表（空邏輯，主要是分層結構清晰）
6	Flood & Multicast 轉發	`dl_vlan`, `dl_dst`	`pop_vlan`, `output`, `drop`	最終轉發/廣播控制表，做 VLAN pop 并 output 到正確端口

6.4?增加Table 0：端口 ACL 入方向訪問控制

 priority=20480,tcp,in_port=p1,tp_dst=8080 actions=droppriority=20480,in_port=p2 actions=goto_table:1priority=20480,in_port=p3 actions=goto_table:1priority=20480,in_port=p4 actions=goto_table:1priority=20480,in_port=p5 actions=goto_table:1priority=20479,in_port=p1 actions=goto_table:1priority=0 actions=drop

OpenFlow 流表輸出印證了 Faucet 如何把 YAML 中配置的 ACL 和接口邏輯 編譯成具體的 OpenFlow 規則。

priority=20480,tcp,in_port=p1,tp_dst=8080 actions=drop
這條是 ACL 規則編譯而來，對應 YAML 中的：
acls:1:- rule:dl_type: 0x800nw_proto: 6tcp_dst: 8080actions:allow: 0
意思是：匹配從端口 p1（也就是你配置中接口 1）進入的 TCP 報文，目標端口是 8080，直接丟棄。

6.5 ACL帶來的性能問題

Megaflow 是 OVS 的一種通配緩存機制，它把多個 OpenFlow flow 匹配路徑的最終 datapath 動作集合緩存起來。
一旦某條報文觸發完整的匹配路徑（所有表、所有匹配字段），OVS 會把這個路徑結果以 Megaflow 形式緩存下來，供后續相同類型的報文直接復用。

🚨 性能隱患：字段匹配粒度影響緩存命中

問題：某個 flow 匹配字段越多，Megaflow 也必須包括這些字段 → 會導致緩存粒度更細、命中率更低

舉例：

Flow 1 僅匹配 in_port
- Megaflow 只需 match in_port，大部分流量都能復用這條路徑。
Flow 2 加了 nw_proto=6 和 tp_dst=8080 的匹配
- 即使大多數流量不是 TCP 8080，只要 packet 碰到這條規則，
- 后續生成的 Megaflow 也必須包括 nw_proto 和 tp_dst 這些字段，
- 結果導致緩存命中條件變復雜、Megaflow 數量急劇增多。

📉 性能下降的表現：

Megaflow cache 中條目數增多，hash 查找變慢；
大量低命中的 Megaflow 占用緩存空間；
對 CPU 資源占用提升顯著；
控制器和 datapath 間通信變頻繁。

ACL的本質是對數據包的多個字段（如源/目的IP、源/目的端口、協議類型、VLAN ID等）進行精確或范圍匹配。當ACL規則非常多（尤其是在大規模網絡中）且匹配條件非常細粒度時，設備在處理每個數據包時都需要遍歷這些復雜的規則，這會顯著增加查找時間。

如果ACL對TCP目的端口這樣的高基數（2^16次方，可能值多）字段進行精確匹配，為了區分不同端口，巨流（一種緩存優化）將無法有效聚合流量。OVS可能需要為每個獨特的TCP目的端口生成單獨的巨流，導致巨流數量爆炸式增長。

OVS在實際設計中已經采取了一些優化措施來緩解這個問題。以下為舉例說明：

root@server1:~/ovs# ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,tcp,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_ttl=64,tp_dst=80 -generate
Flow: tcp,in_port=1,vlan_tci=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0bridge("br0")
-------------0. in_port=1, priority 20479, cookie 0x5adc15c0goto_table:11. in_port=1,vlan_tci=0x0000/0x1fff, priority 4096, cookie 0x5adc15c0push_vlan:0x8100set_field:4196->vlan_vidgoto_table:22. ip,dl_vlan=100,dl_dst=0e:00:00:00:00:01, priority 16384, cookie 0x5adc15c0goto_table:33. ip,dl_vlan=100,nw_dst=10.200.0.0/24, priority 12312, cookie 0x5adc15c0goto_table:44. ip,dl_dst=0e:00:00:00:00:01, priority 12317, cookie 0x5adc15c0CONTROLLER:194Final flow: tcp,in_port=1,dl_vlan=100,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_src=10.100.0.1,nw_dst=10.200.0.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
Megaflow: recirc_id=0,eth,tcp,in_port=1,dl_src=00:01:02:03:04:05,dl_dst=0e:00:00:00:00:01,nw_dst=10.200.0.0/25,nw_frag=no,tp_dst=0x0/0xf000
Datapath actions: push_vlan(vid=100,pcp=0),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0x5adc15c0,controller_id=0,max_len=194))

端口 80 在 0x0000/0xf000 范圍

端口 8080 在 0x1000/0xf000 范圍

它們落在不同 megaflow 里，不會相互污染緩存

這個 trace 輸出以及隨后的解釋展示了 OVS 在Megaflow層面的一種智能優化。為了避免因TCP目的端口的細粒度匹配而導致性能下降，OVS 能夠為 TCP 目的端口生成帶有掩碼的巨流，只匹配端口值的關鍵位（例如最高幾位），從而有效地將多個邏輯上不同的端口分組到少數幾個巨流中，顯著減少了巨流的數量，提高了緩存性能和整體轉發效率。