A.4.8 After a VM Instance has been Booted: Port Security

To disable port security for a port after it has already been associated with a VM instance, run one or both of the following commands. First, if the VM instance with which the existing port is associated has any security groups attached (run nova list-secgroup <VM instance name> to verify), run the following command for each security group associated with the VM instance:
# nova remove-secgroup <VM instance name> <Security group name>
where:
  • <VM instance name>

    Identifies the name of the VM instance for which the identified security group name should be deleted.

  • <Security group name>

    Identifies the name of the security group that should be removed from the VM instance.

For example, to remove the default security group from a VM instance named testvm4, run the following command:
# nova remove-secgroup testvm4 default
Once any security groups associated with the VM instance to which the Neutron port is assigned have been removed, the Neutron port(s) associated with the target VM instance must be updated to disable port security on those ports. The command to disable port security for a specific Neutron port is:
# neutron port-update <Port ID> --port-security-enabled=false

where:
  • <Port ID>

    Identifies the ID of the port within Neutron. It can be determined by listing the ports with neutron port-list, or, if the port is named, the port ID can be substituted directly into the above command with a sequence such as $(neutron port-show -f value -F id <Port Name>).

For example, to indicate to Neutron that port security should be disabled for the port with ID 6d48b5f2-d185-4768-b5a4-c0d1d8075e41, run the following command:
# neutron port-update 6d48b5f2-d185-4768-b5a4-c0d1d8075e41 --port-security-enabled=false

If the port-update command succeeds, the application-managed VIPs can now be added to the network interface, within the VM instance, that is associated with port 6d48b5f2-d185-4768-b5a4-c0d1d8075e41. Network traffic using that VIP address should now propagate.
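The two steps above, performed as one script and followed by a check that the port really ended up with port security disabled. This is an added example, not part of the original document: it assumes the nova and neutron CLIs shown on this page are installed with OS_* credentials exported, and that neutron port-show exposes the port_security_enabled field (the standard Neutron port attribute). The VM instance name and the port names or IDs are passed as arguments; the security-group table parsed by secgroup_names is the one printed by nova list-secgroup.

```shell
#!/bin/sh
# Added example (not the document's own procedure text): remove the
# security groups from an instance, disable port security on its ports,
# then verify. Assumes nova/neutron CLIs and OS_* credentials (assumption).
set -eu

# Extract security group names from a `nova list-secgroup` table read on
# stdin. Rows look like "| <id> | <name> | <description> |"; the +----+
# border lines (NF < 4) and the "Name" header row are skipped.
secgroup_names() {
    awk -F'|' 'NF >= 4 && $3 !~ /^ *Name *$/ { gsub(/^ +| +$/, "", $3); print $3 }'
}

# Return 0 when the value printed by
# `neutron port-show -f value -F port_security_enabled <port>` means
# "disabled" (the CLI prints True/False).
port_security_disabled() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        false) return 0 ;;
        *)     return 1 ;;
    esac
}

# disable_port_security <VM instance name> <port name or ID>...
disable_port_security() {
    vm="$1"; shift

    # Step 1: remove every security group still attached to the instance
    # (the page's `nova remove-secgroup` step, once per group).
    nova list-secgroup "$vm" | secgroup_names | while IFS= read -r sg; do
        nova remove-secgroup "$vm" "$sg"
    done

    # Step 2: disable port security on each port, then confirm the
    # attribute actually changed before touching the VIP inside the VM.
    for port in "$@"; do
        id=$(neutron port-show -f value -F id "$port")
        neutron port-update "$id" --port-security-enabled=false
        state=$(neutron port-show -f value -F port_security_enabled "$id")
        if port_security_disabled "$state"; then
            echo "port $id: port security disabled"
        else
            echo "port $id: port security still enabled (port_security_enabled=$state)" >&2
            return 1
        fi
    done
}

# Usage (values from the page's example; the port ID is illustrative):
#   disable_port_security testvm4 6d48b5f2-d185-4768-b5a4-c0d1d8075e41
```

The verification step matters because port-update can return success while the change is rejected by a policy or extension on the target deployment; checking port_security_enabled on the port before adding the VIP address inside the guest avoids debugging silently dropped VIP traffic later.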