Packets that do not match any of the flow table entries programmed by the controller are subject to a default action. The default action is configurable in the CLI using the no-match-action command. Three possible no-match actions are supported: drop, fall-through (packets are forwarded with regular processing by the router), and packet-in.
The packet-in action causes packets that do not match entries in the flow table, as programmed by the OpenFlow controller, to be extracted and sent to the controller in a flow-controlled manner. Because EQUAL is supported, packet-in messages are sent to all controllers in the UP state. To protect the controller, only the first packet of a specific 5-tuple flow (source IP address, destination IP address, source port, destination port, protocol) to which the no-match action is applied is sent to the controller. This 5-tuple flow context ages out after 10 s. Each switch instance maintains contexts for up to 8192 outstanding packet-in messages to the controller. If the packet-in action is used, an auxiliary channel should be enabled for packet-in processing (using the aux-channel-enable command). A count of packets to which packet-in is applied is also available through the OpenFlow channel statistics.