port security impact on fragmentation
I have a question about the relation between port security and fragmentation. In the setup, the provider network type is VXLAN and its MTU value is 1450 (which is the default one). The VMs which use this provider network have an MTU of 1500 by default. When a ping is sent with a bigger size (bigger than 1500), it fails. At first I thought that this was normal, since the VM-level and network MTUs are different. Then I recommended changing the MTU at the VM level to 1450, which is the same as the provider network, but again the ping fails. If port security is disabled, then pings with the larger packet sizes are successful and they are fragmented. I believe "df_default" is set to "true", because I saw the DF flag in the tcpdump output. My question is: in cases where a "don't fragment" flag is attached to the IP header, is the packet dropped by port security in OpenStack?
The OpenStack version is Mitaka and it uses OVS.
Just a quick comment: you mention that disabling port security allows ping to work. Are you sure that you don't have a security group that's not allowing ICMP traffic?
Yes, ICMP traffic is allowed on the security group. Actually, the fat-size ping is not working; the ping with a size lower than 1422 is working.