Back to bug 1385338
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Nir Yechiel | 2016-10-16 10:56:13 UTC | Summary | VLAN aware VMs (Neutron trunk ports) - full support | [RFE] [Neutron] VLAN aware VMs (Neutron trunk ports) - full support |
| Nir Yechiel | 2016-10-16 10:57:06 UTC | Keywords | FutureFeature, Triaged | |
| | | Priority | unspecified | high |
| | | Target Release | --- | 11.0 (Ocata) |
| | | Target Milestone | --- | rc |
| Assaf Muller | 2016-10-16 22:23:54 UTC | Assignee | amuller | jlibosva |
| Nir Yechiel | 2016-10-18 13:43:02 UTC | Status | NEW | ASSIGNED |
| Toni Freger | 2016-11-07 13:27:25 UTC | Keywords | TestOnly | |
| Nir Yechiel | 2016-12-14 10:47:34 UTC | Target Milestone | rc | Upstream M2 |
| Ofer Blaut | 2016-12-18 09:03:58 UTC | CC | oblaut | |
| Scott Lewis | 2016-12-19 16:21:32 UTC | CC | sclewis | |
| | | Flags | needinfo?(nyechiel) | |
| Nir Yechiel | 2016-12-19 17:54:38 UTC | Flags | needinfo?(nyechiel) | |
| Scott Lewis | 2016-12-19 18:06:01 UTC | Keywords | TestOnly | |
| Nir Yechiel | 2016-12-20 14:22:49 UTC | Target Milestone | Upstream M2 | Upstream M3 |
| nlevinki | 2016-12-26 11:46:19 UTC | CC | nlevinki | |
| Assaf Muller | 2017-01-06 19:27:42 UTC | Status | ASSIGNED | ON_DEV |
| Assaf Muller | 2017-01-27 17:05:33 UTC | Status | ON_DEV | ON_QA |
| Assaf Muller | 2017-01-27 17:06:16 UTC | Link ID | OpenStack gerrit 418867 | |
| Assaf Muller | 2017-01-27 17:11:35 UTC | Fixed In Version | openstack-neutron-10.0.0-0.20170121135214.4f70513.1.el7ost | |
| Mike Burns | 2017-01-27 17:20:18 UTC | Status | ON_QA | MODIFIED |
| | | CC | mburns | |
| errata-xmlrpc | 2017-01-30 13:17:57 UTC | Status | MODIFIED | ON_QA |
| Martin Lopes | 2017-02-13 04:21:36 UTC | Blocks | 1421550 | |
| Toni Freger | 2017-02-15 05:45:37 UTC | QA Contact | tfreger | astafeye |
| JP Jung | 2017-03-13 19:25:39 UTC | Blocks | 1431810 | |
| Bertrand | 2017-04-14 10:06:41 UTC | CC | brault | |
| | | Blocks | 1336839 | |
| Lucy Bopf | 2017-04-21 01:52:07 UTC | CC | jlibosva, lbopf | |
| | | Flags | needinfo?(jlibosva) | |
| Jakub Libosvar | 2017-04-21 08:59:56 UTC | See Also | https://bugzilla.redhat.com/show_bug.cgi?id=1444368 | |
| Jakub Libosvar | 2017-04-21 13:18:18 UTC | CC | astafeye | |
| | | Doc Text | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to subports is correctly handled. | |
| | | Doc Type | If docs needed, set a value | Known Issue |
| | | Flags | needinfo?(jlibosva) | needinfo?(astafeye) |
| Alexander Stafeyev | 2017-04-23 09:15:03 UTC | Flags | needinfo?(astafeye) | |
| Ofer Blaut | 2017-04-26 08:52:06 UTC | Depends On | 1444368 | |
| Ofer Blaut | 2017-04-26 08:56:54 UTC | Flags | needinfo?(nyechiel) | |
| Ofer Blaut | 2017-04-26 13:08:48 UTC | Depends On | 1435956 | |
| Jakub Libosvar | 2017-04-27 07:29:47 UTC | Doc Text | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to subports is correctly handled. | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on the parent port and subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to ports is correctly handled. |
| Alexander Stafeyev | 2017-04-27 07:33:26 UTC | Depends On | 1435956, 1444368 | |
| | | Doc Text | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on the parent port and subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to ports is correctly handled. | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to subports is correctly handled. |
| Alexander Stafeyev | 2017-04-27 07:38:41 UTC | Depends On | 1444368 | |
| Alexander Stafeyev | 2017-04-27 07:39:42 UTC | Depends On | 1435956 | |
| Jakub Libosvar | 2017-04-27 07:40:38 UTC | Doc Text | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to subports is correctly handled. | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on the parent port and subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to all ports is correctly handled. |
| Franck Baudin | 2017-04-27 14:28:47 UTC | CC | fbaudin | |
| Nir Yechiel | 2017-05-03 12:32:32 UTC | Flags | needinfo?(nyechiel) | |
| Ofer Blaut | 2017-05-03 12:43:46 UTC | Status | ON_QA | VERIFIED |
| Alexander Stafeyev | 2017-05-08 13:03:34 UTC | Link ID | Launchpad 1689300 | |
| | | Depends On | 1448829 | |
| errata-xmlrpc | 2017-05-17 19:35:20 UTC | Status | VERIFIED | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2017-05-17 15:35:20 UTC | |
| Charelle Collett | 2017-05-18 05:43:06 UTC | CC | ccollett | |
| | | Doc Text | Cause: In order to implement security groups trunk feature with neutron-openvswitch-agent requires openvswitch firewall driver. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. Consequence: In case subport have the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. Workaround (if any): The workaround to achieve working traffic to both subports and parent port while ports have the same MAC address is to disable port-security on the parent port and subports. e.g. to disable port security on port with UUID 12345, it's needed to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered and protected against ip/mac/arp spoofing. Result: With disabled port security traffic to all ports is correctly handled. | To implement the security groups trunk feature with neutron-openvswitch-agent, openvswitch firewall driver is required. This driver currently contains a bug 1444368 where ingress traffic is wrongly matched if there are two ports with same MAC address on different network segment on the same compute node. As a result, if a subport has the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports. A workaround to achieve correctly handled traffic is to disable port-security on the parent port and subports. For example, to disable port security on port with UUID 12345, you need to remove security groups associated with the port: openstack port set --no-security-group --disable-port-security 12345 Note that no security groups rules will be applied to that port and traffic will not be filtered or protected against ip/mac/arp spoofing. |
| Franck Baudin | 2017-05-19 05:52:39 UTC | Blocks | 1452467 | |