Conflict Management between OpenFlow and CLI Configurations

The physical configurations of the FDB table and routing table of Openflow should not conflict with the CLI configurations. This means that Openflow can install a flow in the routing table at the same time that legacy network installs a flow in routing table without conflicts. If these configurations conflict, the later configuration will fail.

Firewall filters and OpenFlow TCAM Flows may conflict. For instance, the OpenFlow rule could be dropping a specific type of packet when the Firewall filters are forwarding them. In this case, both rules are performed concurrently and independently, and the results of the matches are merged. When there are no conflicting results, all results are applied. When there are overlapping and conflicting results, the conflicted parts of the result are selected based on priorities. DROP action has the highest priority, followed by REDIRECT, REPLACE, and TCAM slice number. (OpenFlow rules and Firewall rules are places in different TCAM Slices.)

In CrossFlow mode, the ACL filter has a higher priority than that of Openflow flow entry.

Because arp works in different group with ip,so if there is one or more openflow ports, the arp packets will be dropped because drop actions has the highest priority.And you can add a flow like this:ovs-ofctl add-flow br0 priority=1,actions=normal

Default Drop In OpenFlow

There is a default drop flow in the system when user enables Crossflow mode, and this drop flow only applies to the Openflow ports.

Other Limitations

From PicOS-2.6, some ports can work within both the legacy network domain and the Openflow domain. We call these ports Crossflow ports.

If user enables multi-table and configures L2/L3 flow entry on the Openflow port, traffic from the legacy port can also match the L2/L3 flow entry and be forward on the Openflow port.

If packets can match TCAM flow entry and route table at the same time, the TCAM flow entry has the higher priority. Because the packets must go through FIB table, if there is no mod-src-mac in the TCAM flow entry, the packets will be modified by the src-mac in FIB table then go out as a TCAM flow entry.

If a packet needs match to a Crossflow port, it must have in_port in match field when adding flow.