Network ‐ OVS Physical Port Health Check

Description

This rule checks if OVS physical ports are properly configured on all OVS bridges with physical ports. It verifies that physical ports exist, are UP, and have no IP address assigned (IP addressing should only be on the bridge, not physical ports).

The rule supports multi-bridge setups and validates ALL physical ports across ALL bridges. It fails if any physical port is DOWN or has an IPv4 address. Supports all port types: bonded interfaces, ethernet interfaces, and named interfaces.

Prerequisites

• OpenShift cluster with OVN-Kubernetes networking
• Open vSwitch installed and configured
• Physical network interface attached to OVS bridge
• Commands: ovs-vsctl, ip

Impact

Physical port issues cause severe networking problems:

If Port is DOWN:

• Complete network loss - No traffic can flow through OVS
• Node isolation - Node cannot communicate with cluster
• Pod communication failure - All pod networking fails
• Node NotReady state - Kubelet loses API server connectivity

If Port has IP Address (Misconfiguration):

• Routing conflicts - Traffic may bypass OVS datapath
• OVN traffic not processed - Packets don't go through OVN pipeline
• Incorrect packet forwarding - Layer 2/3 processing broken
• Intermittent connectivity - Some traffic works, some doesn't

Root Cause

Common scenarios causing physical port issues:

• Port link down - Physical cable unplugged, switch port disabled, driver failure, or hardware fault
• IP address on physical port - IP configured on wrong interface during installation or NetworkManager profile misconfigured
• Physical port not found - OVS bridge created without physical ports or port removed from bridge
• Mixed states in bonded configuration - One physical port down in bonded setup or partial failure

Diagnostics

Check OVS physical port status and configuration:

# List ports on bridge (replace <bridge-name> with your bridge, e.g., br-ex)
ovs-vsctl list-ports <bridge-name>

# List ALL hardware-backed physical interfaces on the node
# Physical NICs (have device symlink):
ls -d /sys/class/net/*/device 2>/dev/null

# Bond interfaces (have bonding directory):
ls -d /sys/class/net/*/bonding 2>/dev/null

# Team interfaces (have team directory):
ls -d /sys/class/net/*/team 2>/dev/null

# List all actual VLAN interfaces on the node:
ls /proc/net/vlan/*

# Check physical port link state (replace <port-name> with interface from list above, e.g., bond0)
ip link show <port-name>

# Check physical port IP addressing (should have NO IPv4 address)
ip addr show <port-name>

Key points:

• The rule checks ALL bridges with physical ports
• Physical ports should be UP with no IPv4 address
• The bridge should have the IP address

Resources

• Red Hat KB Article 6988145 - ovs-configure.sh connects wrong interface to br-ex upon reboot
• Red Hat KB Article 4277661 - Node NotReady: ovs, sdn or sync pod not getting started
• Open vSwitch - Installation guide
• OpenShift - OVN-Kubernetes network provider
• NetworkManager - OVS interface settings