Ask Your Question
0

FIP with port_security_enabled

asked 2020-01-13 01:20:00 -0500

mr-han gravatar image

I bind security group to FIP port , but security group policy does not take effect Is the security group only applicable to virtual machines port ?

 neutron  port-show 60b5486e-d6d7-49b4-a11d-0750d4b32866

| binding:vif_type      | unbound                                                                              |
| binding:vnic_type     | normal                                                                               |
| created_at            | 2020-01-13T06:44:59Z                                                                 |
| description           |                                                                                      |
| device_id             | c4a2bab2-8916-4b48-8b3e-1084657ddce7                                                 |
| device_owner          | network:floatingip                                                                   |
| extra_dhcp_opts       |                                                                                      |
| fixed_ips             | {"subnet_id": "bc3734ef-508d-4f7b-b352-bb114b816c97", "ip_address": "192.168.32.77"} |
| id                    | 60b5486e-d6d7-49b4-a11d-0750d4b32866                                                 |
| mac_address           | fa:16:3e:3d:26:af                                                                    |
| name                  |                                                                                      |
| network_id            | 9f2ca3c4-6339-4153-a97b-ac816005185b                                                 |
| port_security_enabled | True                                                                                 |
| project_id            |                                                                                      |
| qos_policy_id         |                                                                                      |
| revision_number       | 4                                                                                    |
| security_groups       | cd3647c1-9f27-400b-bff0-7a0a84c6902a                                                 |
| status                | N/A                                                                                  |
| tags                  |                                                                                      |
| tenant_id             |                                                                                      |
| updated_at            | 2020-01-13T06:50:51Z                                                                 |
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by » oldest newest most voted
0

answered 2020-01-13 01:28:33 -0500

piyushsrivastava gravatar image

modify /etc/neutron/plugins/ml2/ml2_conf.ini

extension_drivers = port_security

Restart neutron and create new test port with port-security-enabled=True.

edit flag offensive delete link more

Comments

It is normal for security groups to be applied to virtual machines. Only bind security group to FIP port , but security group policy does not take effect

mr-han gravatar imagemr-han ( 2020-01-13 03:46:05 -0500 )edit

what u mean by not take effect exactly ? You mean even though by applying policy to FIP port, traffic is crossing port is that correct what I understood

piyushsrivastava gravatar imagepiyushsrivastava ( 2020-01-13 04:52:06 -0500 )edit

Even if I apply the drop policy in FIP port, the traffic can still pass, But VM port can't pass

mr-han gravatar imagemr-han ( 2020-01-13 19:28:08 -0500 )edit

I am trying to reproduce your issue, Can you please describe drop policy, Which release you are on?

piyushsrivastava gravatar imagepiyushsrivastava ( 2020-01-14 09:27:44 -0500 )edit
  • create VM with security group allowed all policy
  • neutron security-group-create drop_policy ( default without ingress policy)
  • neutron floatingip-associate
  • neutron port-update FIP_PORT --security-group drop_policy --port_security_enabled True
mr-han gravatar imagemr-han ( 2020-01-14 19:35:12 -0500 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-13 01:20:00 -0500

Seen: 27 times

Last updated: Jan 13

Related questions

How to connect the VM to the internet

cannot ping 203.0.113.101 icehouse

How does neutron manage its iptables config?

admin prohibited in ping from instance

Grizzly Linuxbridge CentOS6.4 NAT issue

OpenStack Neutron agent-list not alive

enabling the lbaasv2 in kilo with packages.

How to implement HA in neutron for Openstack queens ?

security group not found for project

kolla-ansible creating br-ex on compute node