Ask Your Question

Issue in routing traffic through the VM(port-security)

asked 2016-04-17 15:01:44 -0500

dtiwari gravatar image

We are trying to have a setup of VMs(as shown below), where we are trying to route the traffic through the VM-2.

VM-1 (eth0) -------subnet-1----------(eth0) VM-2 (eth1)-----------subnet-2----------(eth0) VM-3

VM2 has has two network interfaces : eth0(subnet-1) & eth1 (subnet-2). VM-1 has one interface: eth-0(subnet-1) & VM-3 also has one interface: eth-0(subnet-2).

We want to ping from VM-1 to VM-3, so we added a route on VM1 by 'ip route' command : for subnet-2 via VM-2(as a gateway). Similarly, we have also added a route on VM-3 for subnet-1. We also enabled traffic-forwarding on VM2.

But we are not able to ping from VM1 to VM3. All the VMs are on same compute nodes.

On the compute node, I am able to see ICMP request packets on tap interface of VM1(eth0). On VM2, I could also see ICMP request packets on tap interface of eth1. But I am not able to see any ICMP packet on qvb interface of eth1.

We suspected that packets are being dropped by the bridge ( of eth1 interface of VM-2) because of the IP tables rule. So as a experiment, we flushed all the iptables rules on the compute node and the ping started working successfully.

After some reading, we found about port-security: (

The above link explains why the packets are getting dropped.

So we wanted to know, if there is a way we could make the ping work without flushing the iptables rules.

Our Openstack is of series Kilo, release 2015.1.1.

Is there a way by which we could disable port-security in our network(or interfaces) ? The above link on port-security talks about a --port-security-enabled=False option for neutron port-update command.

But we are not able to see any such option with neutron port-update command.

Could someone please let us know, which version of Openstack/Neutron has the --port-security-enabled option in the command line.

Also in the documentation, there is also an --allowed-address-pair option in neutron port-update command. By this we could assign additional allowed ip-address/mac-address to an interface. But this option is also not present in our neutron port-update command.

At last, it would be great to have any thoughts on how we could make our network setup work. And on which version of Openstack we could find options like --port-security-enabled or --allowed-address-pair ?


edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2017-06-28 14:10:28 -0500

sxc731 gravatar image

According to this blog post and this bug report, the port_security extension driver is supported as of Kilo.

I've seen many cases with OpenStack where the CLI lags behind the implementation of the feature. In such cases, it's usually possible to interact with the feature by using the lower level REST API. I have documented such an example (not specifically related to this issue) here.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-04-17 14:55:51 -0500

Seen: 594 times

Last updated: Jun 28 '17