
port security impact on fragmentation

asked 2019-11-14 15:04:45 -0600

demirayar

updated 2019-11-19 04:44:46 -0600

I have a question about the relation between port security and fragmentation. In the setup, the provider network type is vxlan and its MTU value is 1450 (which is the default one). The VMs which use this provider network have the MTU 1500 by default. When a ping is sent with a bigger size (bigger than 1500), it fails. At first I thought that this was normal, since the VM-level and network MTUs are different. Then I recommended changing the MTU at the VM level to 1450, which is the same as the provider network, but again the ping fails. If port security is disabled, then pings with the larger packet sizes are successful and they are fragmented. "df_default" is set to "true", I believe, because I saw the DF flag in the tcpdump output. My question is: in cases where a “don’t fragment” flag is attached to the IP header, is the packet dropped by port security in OpenStack?

The OpenStack version is Mitaka and it uses OVS.


Comments

Just a quick comment: you mention that disabling port security allows ping to work. Are you sure that you don't have a security group that's not allowing ICMP traffic?

srelf (2019-11-15 13:37:30 -0600)

Yes, ICMP traffic is allowed on the security group. Actually, the fat-size ping is not working; the ping with a size lower than 1422 is working.

demirayar (2019-11-17 12:24:37 -0600)

2 answers


answered 2019-11-19 05:34:32 -0600

the provider network type is vxlan and its MTU value is 1450

Always consider assigning the VM an MTU size of 1400, because OpenStack will take a 50-byte header (to add the tunnel for VXLAN when traffic leaves the VM) on top.


answered 2019-11-18 10:02:23 -0600

If the DF bit is set in the header, then the neutron router will drop the packet.

Have you tried ping with the 'want fragmentation' flag? ping -M want ...

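As an added example (not part of the original question or answers), the sketch below works through the sizes discussed in this thread: how a 1500-byte underlay leaves a 1450-byte VXLAN network MTU, which `ping -s` payload still fits in one packet, and how a larger echo request is split when DF is clear. The function names are hypothetical, and the header sizes assume IPv4 without options and a VXLAN underlay over IPv4.

```python
# Added example: constants are standard IPv4 header sizes; function names are hypothetical.
IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header
# VXLAN encapsulation over IPv4: outer Ethernet + outer IP + outer UDP + VXLAN header
VXLAN_OVERHEAD = 14 + 20 + 8 + 8


def tenant_mtu(underlay_mtu):
    """MTU left for the tenant network after VXLAN encapsulation."""
    return underlay_mtu - VXLAN_OVERHEAD


def max_unfragmented_payload(mtu):
    """Largest `ping -s` value that fits in one IPv4 packet at this MTU."""
    return mtu - IP_HDR - ICMP_HDR


def plan_echo(payload, mtu, df):
    """Return (verdict, fragments) for an ICMP echo with `payload` data bytes.

    fragments is a list of (offset_bytes, ip_data_len, more_fragments).
    """
    data = ICMP_HDR + payload                 # bytes carried after the IP header
    if IP_HDR + data <= mtu:
        return "single", [(0, data, False)]
    if df:
        # DF forbids fragmentation: the sender or a hop must reject the packet.
        return "too-big-with-DF", []
    per_frag = (mtu - IP_HDR) // 8 * 8        # non-final fragments carry a multiple of 8 bytes
    frags, offset = [], 0
    while offset < data:
        length = min(per_frag, data - offset)
        frags.append((offset, length, offset + length < data))
        offset += length
    return "fragmented", frags


if __name__ == "__main__":
    mtu = tenant_mtu(1500)                    # 1450, the network MTU in the question
    print("tenant MTU:", mtu, "max ping -s:", max_unfragmented_payload(mtu))
    for size, df in [(1422, True), (1423, True), (2000, True), (2000, False)]:
        print(size, "DF" if df else "no-DF", plan_echo(size, mtu, df))
```

Comparing the fragment offsets and lengths it prints with the `offset` and `length` fields in tcpdump output on the VM's tap interface shows whether the fragments leave the VM as expected before any filtering is applied.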