G.6 Disable Port Security

This section describes an alternative to the allowed-address-pairs extension. Rather than extending the set of source IP addresses that a Neutron port is permitted to use, this option disables the Neutron anti-spoofing filter rules for the port altogether, so that every IP packet originating from the VM instance is forwarded whether or not its source IP address matches the IP address associated with the Neutron port. Two consequences are worth knowing before choosing it: the anti-spoofing rules also cover the source MAC address, so that check is removed too, and Neutron does not allow port security to be disabled on a port that still has security groups attached, so a port configured this way has no security-group filtering either. This option relies upon the Neutron port security extension, which is available starting with the OpenStack Kilo release.

The three sub-sections that follow describe the OpenStack configuration requirements for this option, how to apply it to a VM instance that has already booted, and how to apply it before a VM instance boots.

OpenStack Configuration Requirements

The Neutron port security extension must be enabled for this method to work. In practice this means loading the port_security extension driver in the ML2 plugin configuration and restarting neutron-server; for the full procedure, see the ML2 Port Security Extension Wiki page. Once the extension is active, "neutron ext-list" lists the port-security extension and networks and ports show a port_security_enabled attribute.
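The configuration change the requirement above amounts to, as an added example rather than a fragment from the original page or from the Wiki it references. The file path and the type and mechanism driver values are assumptions chosen for illustration; only the extension_drivers line is the point.

```ini
# /etc/neutron/plugins/ml2/ml2_conf.ini (path assumed for illustration)
[ml2]
type_drivers = vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch
# Load the port_security extension driver so that networks and ports gain
# the port_security_enabled attribute. neutron-server must be restarted
# after this change; see the Note below before enabling it on a cloud that
# already has networks defined.
extension_drivers = port_security
```

After restarting neutron-server, "neutron ext-list" should show the port-security extension and "neutron net-show <network>" should display a port_security_enabled field; if it does not, the driver was not loaded and the per-port setting described in this section will be rejected.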

Note:

Enabling the port security extension when networks already exist within the OpenStack cloud causes all network-related requests into Neutron to fail, due to a known bug in Neutron. A fix for this bug is part of the Liberty release and is scheduled to be backported to the Kilo 2015.1.2 release. In the meantime, this option is only non-disruptive in a new cloud deployment, where the cloud administrator can enable the feature before any networks, or VM instances that use those networks, are created. The port security extension can be enabled in an already deployed OpenStack cloud, but all existing networks, subnets, ports, and so on, must be deleted before the extension is enabled. This typically means all VM instances must be deleted as well, but a knowledgeable cloud administrator may be able to do the following to limit the disruption of enabling the port security extension:
  • Record the current IP address assignments for all VM instances
  • Remove the network interfaces from any existing VM instances
  • Delete the Neutron resources
  • Enable the port security extension
  • Recreate the previously defined Neutron resources (networks, subnets, ports, and so on)
  • Re-add the appropriate network interfaces to the VMs
Depending on the number of VM instances running in the cloud, this procedure may or may not be practical.
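A script for the record, detach, delete and re-add steps of the procedure above, added here as an example and not code from the original page or from the OpenStack project. It assumes the Kilo-era "neutron" and "nova" command-line clients are on PATH with admin OS_* credentials exported, that network and subnet names are unique so the recreated resources can be found by name (their UUIDs change when they are recreated), and that each VM port carries a single fixed IP. Routers, floating IPs and security groups are not handled and must be recreated by hand; the subnet and network deletion between the delete and restore steps is also left to the administrator, since it needs the original definitions.

```sh
#!/bin/sh
# Added example for the port-security migration procedure; not from the
# original page. Assumes Kilo-era "neutron" and "nova" CLIs with admin OS_*
# credentials, unique network/subnet names, and one fixed IP per VM port.
# Run the steps in order: record, detach, delete, then (after enabling the
# extension and recreating networks/subnets with the same names) restore.
set -u

STATE=${STATE:-./port-assignments.txt}   # "port vm net-name mac subnet-name ip" per line

# Pull one field out of a "neutron *-show" table of the form | field | value |.
field() {
    awk -F'|' -v k="$1" '$2 ~ ("^ *" k " *$") { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# The fixed_ips cell looks like {"subnet_id": "S", "ip_address": "A"};
# print "S A" so the port can be recreated with the same address.
parse_fixed_ip() {
    printf '%s\n' "$1" |
        sed -n 's/.*"subnet_id": *"\([^"]*\)".*"ip_address": *"\([^"]*\)".*/\1 \2/p'
}

# Port ids from a "neutron port-list -c id" table (data rows start with "| <hex>").
list_port_ids() {
    awk -F'|' '/^\| [0-9a-f]/ { gsub(/ /, "", $2); print $2 }'
}

# Step 1: record, for every port owned by a compute instance, what is needed
# to recreate it once the network it sits on has been recreated.
record_assignments() {
    : > "$STATE"
    for port in $(neutron port-list -c id | list_port_ids); do
        show=$(neutron port-show "$port")
        case "$(printf '%s\n' "$show" | field device_owner)" in compute:*) ;; *) continue ;; esac
        vm=$(printf '%s\n' "$show" | field device_id)
        mac=$(printf '%s\n' "$show" | field mac_address)
        netname=$(neutron net-show "$(printf '%s\n' "$show" | field network_id)" | field name)
        set -- $(parse_fixed_ip "$(printf '%s\n' "$show" | field fixed_ips)")
        subname=$(neutron subnet-show "$1" | field name)
        printf '%s %s %s %s %s %s\n' "$port" "$vm" "$netname" "$mac" "$subname" "$2" >> "$STATE"
    done
}

# Step 2: remove the interfaces from the VMs so the ports are no longer bound.
detach_interfaces() {
    while read -r port vm _; do
        nova interface-detach "$vm" "$port" < /dev/null
    done < "$STATE"
}

# Step 3: delete the VM ports. Subnets and networks are then deleted with
# "neutron subnet-delete" / "neutron net-delete" once nothing else uses them.
delete_ports() {
    while read -r port _; do
        neutron port-delete "$port" < /dev/null
    done < "$STATE"
}

# Steps 5 and 6: recreate each port with its old MAC and fixed IP on the
# recreated network and subnet (looked up by name), then plug it back in.
restore_ports() {
    while read -r port vm netname mac subname ip; do
        subnet=$(neutron subnet-show "$subname" < /dev/null | field id)
        newport=$(neutron port-create --name "restored-$port" --mac-address "$mac" \
                      --fixed-ip "subnet_id=$subnet,ip_address=$ip" "$netname" < /dev/null | field id)
        nova interface-attach --port-id "$newport" "$vm" < /dev/null
    done < "$STATE"
}

main() {
    case "${1:-}" in
        record)  record_assignments ;;
        detach)  detach_interfaces ;;
        delete)  delete_ports ;;
        restore) restore_ports ;;
        *) echo "usage: $0 {record|detach|delete|restore}" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Keep the state file until every VM is reachable again: it is the only record of which fixed IP and MAC belonged to which instance. Recreated ports receive the project's default security group, so any custom security-group assignments have to be reapplied after the restore step.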