Ask Your Question
0

FIP with port_security_enabled

asked 2020-01-13 01:20:00 -0500

mr-han gravatar image

I bind security group to FIP port , but security group policy does not take effect Is the security group only applicable to virtual machines port ?

 neutron  port-show 60b5486e-d6d7-49b4-a11d-0750d4b32866

| binding:vif_type      | unbound                                                                              |
| binding:vnic_type     | normal                                                                               |
| created_at            | 2020-01-13T06:44:59Z                                                                 |
| description           |                                                                                      |
| device_id             | c4a2bab2-8916-4b48-8b3e-1084657ddce7                                                 |
| device_owner          | network:floatingip                                                                   |
| extra_dhcp_opts       |                                                                                      |
| fixed_ips             | {"subnet_id": "bc3734ef-508d-4f7b-b352-bb114b816c97", "ip_address": "192.168.32.77"} |
| id                    | 60b5486e-d6d7-49b4-a11d-0750d4b32866                                                 |
| mac_address           | fa:16:3e:3d:26:af                                                                    |
| name                  |                                                                                      |
| network_id            | 9f2ca3c4-6339-4153-a97b-ac816005185b                                                 |
| port_security_enabled | True                                                                                 |
| project_id            |                                                                                      |
| qos_policy_id         |                                                                                      |
| revision_number       | 4                                                                                    |
| security_groups       | cd3647c1-9f27-400b-bff0-7a0a84c6902a                                                 |
| status                | N/A                                                                                  |
| tags                  |                                                                                      |
| tenant_id             |                                                                                      |
| updated_at            | 2020-01-13T06:50:51Z                                                                 |
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by » oldest newest most voted
0

answered 2020-01-13 01:28:33 -0500

piyushsrivastava gravatar image

modify /etc/neutron/plugins/ml2/ml2_conf.ini

extension_drivers = port_security

Restart neutron and create new test port with port-security-enabled=True.

edit flag offensive delete link more

Comments

It is normal for security groups to be applied to virtual machines. Only bind security group to FIP port , but security group policy does not take effect

mr-han gravatar imagemr-han ( 2020-01-13 03:46:05 -0500 )edit

what u mean by not take effect exactly ? You mean even though by applying policy to FIP port, traffic is crossing port is that correct what I understood

piyushsrivastava gravatar imagepiyushsrivastava ( 2020-01-13 04:52:06 -0500 )edit

Even if I apply the drop policy in FIP port, the traffic can still pass, But VM port can't pass

mr-han gravatar imagemr-han ( 2020-01-13 19:28:08 -0500 )edit

I am trying to reproduce your issue, Can you please describe drop policy, Which release you are on?

piyushsrivastava gravatar imagepiyushsrivastava ( 2020-01-14 09:27:44 -0500 )edit
  • create VM with security group allowed all policy
  • neutron security-group-create drop_policy ( default without ingress policy)
  • neutron floatingip-associate
  • neutron port-update FIP_PORT --security-group drop_policy --port_security_enabled True
mr-han gravatar imagemr-han ( 2020-01-14 19:35:12 -0500 )edit
see more comments

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-13 01:20:00 -0500

Seen: 80 times

Last updated: Jan 13 '20

Related questions

How do I ssh to an OpenStack instance?

neutron agent-list error

cannot ping vm from outside network

Mystery subnet

multiple fixed-ip without filter

Router Interfaces Down

Not able to create LBaaS pool

Cause for strange network config?

Neutron net-create: Unable to create the network. No tenant network is available for allocation.

[ovs] br-ex confusion and neutron network