Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


vRouter Command Line Utilities


This section describes the shell prompt utilities available for examining the state of the vrouter kernel module in Contrail.

The most useful commands for inspecting the Contrail vrouter module are summarized in the following table.




Inspect vrouter interfaces associated with the vrouter module.


Display active flows in a system.


Display next hop statistics for a particular VRF.


Display routes in a VRF.


Inspect packet drop counters in the vrouter.


Display the input label map programmed into the vrouter.


Display the mirror table entries.


Display the vxlan table entries.


Display the next hops that the vrouter knows.


Display all command options available for the current command.

The following sections describe each of the vrouter utilities in detail.

vif Command

The vrouter requires vrouter interfaces (vif) to forward traffic. Use the vif command to see the interfaces that are known by the vrouter.


Having interfaces only in the OS (Linux) is not sufficient for forwarding. The relevant interfaces must be added to vrouter. Typically, the set up of interfaces is handled by components like nova-compute or vrouter agent.

Example: vif --list

Table 1: vif Fields

vif Output Field



The vrouter assigned name, where 0 is the router id and X is the index allocated to the interface within the vrouter.

OS: pkt0

The pkt0 (in this case) is the name of the actual OS (Linux) visible interface name. For physical interfaces, the speed and the duplex settings are also displayed.


Type:Virtual HWaddr:00:00:5e:00:01:00 IPaddr:0

The type of interface and its IP address, as defined by vrouter. The values can be different from what is seen in the OS. Types defined by vrouter include:

  • Virtual – Interface of a virtual machine (VM).

  • Physical – Physical interface (NIC) in the system.

  • Host – An interface toward the host.

  • Agent – An interface used to trap packets to the vrouter agent when decisions need to be made for the forwarding path.


Vrf:65535 Flags:L3 MTU:1514 Ref:2

The identifier of the vrf to which the interface is assigned, the flags set on the interface, the MTU as understood by vrouter, and a reference count of how many individual entities actually hold reference to the interface (mainly of debugging value).

Flag options identify that the following are enabled for the interface:

  • P - ​Policy

  • L3 - ​Layer 3 forwarding

  • L2 - ​Layer 2 bridging

  • X - Cross connect mode, only set on physical and host interfaces, indicating that packets are moved between physical and host directly, with minimal intervention by vrouter. Typically set when the agent is not alive or not in good shape.

  • ​Mt - Mirroring transmit direction

  • ​ Mr - Mirroring receive direction​

  • Tc - ​Checksum offload on the transmit side. Valid only on the physical interface.


RX packets:60 bytes:4873 errors:0

Packets received by vrouter from this interface.


TX packets:21 bytes:2158 errors:0

Packets transmitted out by vrouter on this interface.

vif Options

Use vif –-help to display all options available for the vif command. Following os a brief description of each option.


It is not recommended to use the following options unless you are very experienced with the system utilities.




Creates a ‘Host’ interface with name <intf_name> and mac <mac> on the host kernel. The ‘vhost0’ interface that you see on Linux is a typical example of invocation of this command.


Adds the existing interfaces in the host OS to vrouter, with type and flag options.


Deletes the interface from vrouter. The <intf_id> is the vrouter interface id as given by vif0/X, where X is the iID


Displays a specific interface. The <intf_id> is the vrouter interface id, unless the command is appended by the ‘—kernel’ option, in which case the ID can be the kernel ID.


Set working parameters of an interface. The only ones supported are the vlan id and the vrf. The vlan id as understood by vrouter differs from what one typically expects, and is relevant as of now only for interfaces of service instances.


Display all of the interfaces of which the vrouter is aware.


Display all options available for the current command.

flow Command

Use the flow command to display all active flows in a system.

Example: flow -l

Use -l to list everything in the flow table. The -l is the only relevant debugging option.

​Each record in the flow table listing displays the index of the record, the source ip: source port, the destination ip: destination port, the inet protocol, and the source vrf to which the flow belongs.

Each new flow has to be approved by the vrouter agent. The agent does this by setting actions for each flow. There are three main actions associated with a flow table entry: Forward (‘F’), Drop (‘D’), and Nat (‘N’).

For NAT, there are additional flags indicating the type of NAT to which the flow is subject, including: SNAT (S), DNAT (D), source port translation (Ps), and destination port translation (Pd).

S(nh) indicates the source nexthop index used for the RPF check to validate that the traffic is from a known source. If the packet must go to an ECMP destination, E:X is also displayed, where ‘X’ indicates the destination to be used through the index within the ECMP next hop.

The Statistics field indicates the Packets/Bytes that hit this flow entry.

There is a Mirror Index field if the traffic is mirrored, listing the indices into the mirror table (which can be dumped by using mirror –-dump).

If there is an explicit association between the forward and the reverse flows, as is the case with NAT, you will see a double arrow in each of the records with either side of the arrow displaying the flow index for that direction.

Example: flow -r

Use -r to view all of the flow setup rates.

Example: flow --help

Use --help to display all options available for the flow command.

vrfstats Command

Use vrfstats to display statistics per next hop for a vrf. It is typically used to determine if packets are hitting the expected next hop.

Example: vrfstats --dump

The —dump option displays the statistics for all vrfs that have seen traffic. In the following example, there was traffic only in Vrf 0 (the public vrf). Receives shows the number of packets that came in the fabric destined to this location. Encaps shows the number of packets destined to the fabric.

If there is VM traffic going out on the fabric, the respective tunnel counters will increment. ​

Example: vrfstats --get 0​

Use --get 0 to retrieve statistics for a particular vrf.

​Example: ​vrfstats --help

rt Command

Use the rt command to display all routes in a vrf.

Example: rt --dump

The following example displays inet family routes for vrf 0.

In this example output, the first line displays the routing table that is being dumped. In 0/0/unicast, the first 0 is for the router id, the next 0 is for the vrf id, and unicast identifies the unicast table. The vrouter maintains separate tables for unicast and multicast routes. ​ By default, if the —table option is not specified, only the unicast table is dumped.

Each record in the table output specifies the destination prefix length, the parent route prefix length from which this route has been expanded, the flags for the route, the MPLS label if the destination is a VM in another location, and the next hop id. To understand the second field “PPL”, it is good to keep in mind that the unicast routing table is internally implemented as an ‘mtrie’.

The Flags field can have two values. L indicates that the label field is valid, and H indicates that vroute should proxy arp for this IP.

The Nexthop field indicates the next hop ID to which the route points.

Example: rt --dump --table mcst

To dump the multicast table, use the —table option with mcst as the argument.

dropstats Command

Use the dropstats command to see packet drop counters in vrouter.

Example: dropstats

dropstats ARP Block

GARP packets from VMs are dropped by vrouter, an expected behavior. In the example output, the first counter GARP indicates how many packets were dropped.

ARP requests that are not handled by vrouter are dropped, for example, requests for a system that is not a host. These drops are counted by ARP notme counters.

The Invalid ARPs counter is incremented when the Ethernet protocol is ARP, but the ARP operation was neither a request nor a response.

dropstats Interface Block

Invalid IF counters are incremented normally during transient conditions, and should not be a concern.

Trap No IF counters are incremented when vrouter is not able to find the interface to trap the packets to vrouter agent, and should not happen in a working system.

IF TX Discard and IF RX Discard counters are incremented when vrouter is not in a state to transmit and receive packets, and typically happens when vrouter goes through a reset state or when the module is unloaded.

IF Drop counters indicate packets that are dropped in the interface layer. The increase can typically happen when interface settings are wrong.

dropstats Flow Block

When packets go through flow processing, the first packet in a flow is cached and the vrouter agent is notified so it can take actions on the packet according to the policies configured. If more packets arrive after the first packet but before the agent makes a decision on the first packet, then those new packets are dropped. The dropped packets are tracked by the Flow unusable counter.

The Flow No Memory counter increments when the flow block doesn't have enough memory to perform internal operations.

The Flow Table Full counter increments when the vrouter cannot install a new flow due to lack of available slots. A particular flow can only go in certain slots, and if all those slots are occupied, packets are dropped. It is possible that the flow table is not full, but the counter might increment.

The Flow NAT no rflow counter tracks packets that are dropped when there is no reverse flow associated with a forward flow that had action set as NAT. For NAT, the vrouter needs both forward and reverse flows to be set properly. If they are not set, packets are dropped.

The Flow Action Drop counter tracks packets that are dropped due to policies that prohibit a flow.

The Flow Action Invalid counter usually does not increment in the normal course of time, and can be ignored.

The Flow Invalid Protocol usually does not increment in the normal course of time, and can be ignored.

The Flow Queue Limit Exceeded usually does not increment in the normal course of time, and can be ignored.

dropstats Miscellaneous Operational Block

The Discard counter tracks packets that hit a discard next hop. For various reasons interpreted by the agent and during some transient conditions, a route can point to a discard next hop. When packets hit that route, they are dropped.

The TTL Exceeded counter increments when the MPLS time-to-live goes to zero.

The Mcast Clone Fail happens when the vrouter is not able to replicate a packet for flooding.

The Cloned Original is an internal tracking counter. It is harmless and can be ignored.

The Invalid NH counter tracks the number of packets that hit a next hop that was not in a state to be used (usually in transient conditions) or a next hop that was not expected, or no next hops when there was a next hop expected. Such increments happen rarely, and should not continuously increment.

The Invalid Label counter tracks packets with an MPLS label unusable by vrouter because the value is not in the expected range.

The Invalid Protocol ​typically increments when the IP header is corrupt.

The Rewrite Fail counter tracks the number of times vrouter was not able to write next hop rewrite data to the packet.

The Invalid Mcast Source tracks the multicast packets that came from an unknown or unexpected source and thus were dropped.

The Duplicated counter tracks the number of duplicate packets that are created after dropping the original packets. An original packet is duplicated when generic send offload (GSO) is enabled in the vRouter or the original packet is unable to include the header information of the vRouter agent.

The Invalid Source counter tracks the number of packets that came from an invalid or unexpected source and thus were dropped.

The remaining counters are of value only to developers.

mpls Command

The mpls utility command displays the input label map that has been programmed in the vrouter.

Example: mpls --dump

The —dump command dumps the complete label map. The output is divided into two columns. The first field is the label and the second is the next hop corresponding to the label. When an MPLS packet with the specified label arrives in the vrouter, it uses the next hop corresponding to the label to forward the packet.

You can inspect the operation on nh 9 as follows:

The nh output shows that the next hop directs the packet to go out on the interface with index 3 (Oif:3) with the given rewrite data.

To check the index of 3, use the following:

The -get 3 output shows that the index of 3 corresponds to a tap interface that goes to a VM.

You can also dump individual entries in the map using the —get option, as follows:

Example: mpls -help

mirror Command

Use the mirror command to dump the mirror table entries.

Example: Inspect Mirroring

The following example inspects a mirror configuration where traffic is mirrored from network vn1 ( to network vn2 ( A ping is run from to, where both IPs are valid VM IPs, then the flow table is listed:

In the example output, Mirror Index:0 is listed, it is the index to the mirror table. The mirror table can be dumped with the —dump option, as follows:

The mirror table entries point to next hops. In the example, the index 0 points to next hop 18. The References indicate the number of flow entries that point to this entry.

A next hop get operation on ID 18 is performed as follows:

The nh --get output shows that mirrored packets go to a system with IP The packets are tunneled as a UDP datagram and sent to the destination. Vrf:-1 indicates that a lookup has to be done in the source Vrf for the destination.

You can also get an individual mirror table entry using the —get option, as follows:

Example: mirror --help

vxlan Command

The vxlan command can be used to dump the vxlan table. The vxlan table maps a network ID to a next hop, similar to an MPLS table.

If a packet comes with a vxlan header and if the VNID is one of those in the table, the vrouter will use the next hop identified to forward the packet.

Example: vxlan --dump​

Example: vxlan --get

You can use the —get option to dump a specific entry, as follows:

Example: vxlan --help

nh Command

The nh command enables you to inspect the next hops that are known by the vrouter. Next hops tell the vrouter the next location to send a packet in the path to its final destination. The processing of the packet differs based on the type of the next hop. The next hop types are described in the following table.

Next Hop Type



Indicates that the packet is destined for itself and the vrouter should perform Layer 4 protocol processing. As an example, all packets destined to the host IP will hit the receive next hop in the default VRF. Similarly, all traffic destined to the VMs hosted by the server and tunneled inside a GRE will hit the receive next hop in the default VRF first, because the outer packet that carries the traffic to the VM is that of the server.

Encap (Interface)

Used only to determine the outgoing interface and the Layer 2 information. As an example, when two VMs on the same server communicate with each other, the routes for each of them point to an encap next hop, because the only information needed is the Layer 2 information to send the packet to the tap interface of the destination VM. A packet destined to a VM hosted on one server from a VM on a different server will also hit an encap next hop, after tunnel processing.


Encapsulates VM traffic in a tunnel and sends it to the server that hosts the destination VM. There are different types of tunnel next hops, based on the type of tunnels used. Vrouter supports two main tunnel types for Layer 3 traffic: MPLSoGRE and MPLSoUDP. For Layer 2 traffic, a VXLAN tunnel is used. A typical tunnel next hop indicates the kind of tunnel, the rewrite information, the outgoing interface, and the source and destination server IPs.


A catch-all next hop. If there is no route for a destination, the packet hits the discard next hop, which drops the packet.


Used by the agent to lazy install Layer 2 rewrite information.


Groups a set of next hops, called component next hops or sub next hops. Typically used when multi-destination distribution is needed, for example for multicast, ECMP, and so on.


A VXLAN tunnel is used for Layer 2 traffic. A typical tunnel next hop indicates the kind of tunnel, the rewrite information, the outgoing interface, and the source and destination server IPs.

Example: nh --list

Example: nh --get

Use the --get option to display information for a single next hop.

Example: nh --help