Bug 1385338
| Summary: | [RFE] [Neutron] VLAN aware VMs (Neutron trunk ports) - full support | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Nir Yechiel <nyechiel> | |
| Component: | openstack-neutron | Assignee: | Jakub Libosvar <jlibosva> | |
| Status: | CLOSED ERRATA | QA Contact: | Alexander Stafeyev <astafeye> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 10.0 (Newton) | CC: | amuller, astafeye, brault, ccollett, chrisw, fbaudin, jlibosva, lbopf, mburns, nlevinki, nyechiel, oblaut, sclewis, srevivo | |
| Target Milestone: | Upstream M3 | Keywords: | FutureFeature, Triaged | |
| Target Release: | 11.0 (Ocata) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-neutron-10.0.0-0.20170121135214.4f70513.1.el7ost | Doc Type: | Known Issue | |
| Doc Text: |
To implement the security groups trunk feature with neutron-openvswitch-agent, the openvswitch firewall driver is required. This driver currently contains a bug (1444368) in which ingress traffic is wrongly matched if there are two ports with the same MAC address on different network segments on the same compute node.
As a result, if a subport has the same MAC address as its parent port, ingress traffic won't be matched correctly for one of the ports.
A workaround to achieve correctly handled traffic is to disable port security on the parent port and subports.
For example, to disable port security on the port with UUID 12345, you need to remove the security groups associated with the port:
    openstack port set --no-security-group --disable-port-security 12345
Note that no security group rules will be applied to that port, and traffic will not be filtered or protected against IP/MAC/ARP spoofing.
|
| Story Points: | --- | |
| Clone Of: | ||||
| : | 1431810 1452467 | Environment: | ||
| Last Closed: | 2017-05-17 19:35:20 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1435956, 1444368, 1448829 | |||
| Bug Blocks: | 1336839, 1421550, 1431810, 1452467 | |||
|
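An added example, not part of the bug report or any Red Hat code: a Python audit over port records shaped like Neutron API port-list entries. It flags ports that meet the Doc Text's condition (same MAC address, same compute node, different networks) while port security is still enabled, and lists the ports the workaround has left unfiltered. The sample records are constructed, and using `network_id` to stand in for the network segment is an assumption.

```python
from collections import defaultdict

# Constructed sample records shaped like Neutron API port-list entries
# (GET /v2.0/ports). All ids, MACs and host names are made up.
SAMPLE_PORTS = [
    {"id": "parent-1", "mac_address": "fa:16:3e:00:00:01", "network_id": "net-a",
     "binding:host_id": "compute-0", "port_security_enabled": True},
    {"id": "subport-1", "mac_address": "fa:16:3e:00:00:01", "network_id": "net-b",
     "binding:host_id": "compute-0", "port_security_enabled": True},
    {"id": "parent-2", "mac_address": "fa:16:3e:00:00:02", "network_id": "net-a",
     "binding:host_id": "compute-0", "port_security_enabled": False},
    {"id": "subport-2", "mac_address": "FA:16:3E:00:00:02", "network_id": "net-c",
     "binding:host_id": "compute-0", "port_security_enabled": False},
    {"id": "other-1", "mac_address": "fa:16:3e:00:00:01", "network_id": "net-b",
     "binding:host_id": "compute-1", "port_security_enabled": True},
]


def audit_ports(ports):
    """Return (colliding, unfiltered).

    colliding: {(host, mac): [port ids]} for ports that share a MAC address
    on one compute node across different networks and still have port
    security enabled, i.e. the workaround is not applied to them.
    unfiltered: ids of ports with port security disabled, which get no
    security group rules and no IP/MAC/ARP anti-spoofing protection.
    """
    groups = defaultdict(list)
    for port in ports:
        host = port.get("binding:host_id")
        if host:  # unbound ports are not on any compute node
            groups[(host, port["mac_address"].lower())].append(port)
    colliding = {}
    for key, members in groups.items():
        # Assumption: network_id stands in for the network segment.
        if len({p["network_id"] for p in members}) < 2:
            continue
        enabled = sorted(p["id"] for p in members
                         if p.get("port_security_enabled", True))
        if enabled:
            colliding[key] = enabled
    unfiltered = sorted(p["id"] for p in ports
                        if not p.get("port_security_enabled", True))
    return colliding, unfiltered


if __name__ == "__main__":
    colliding, unfiltered = audit_ports(SAMPLE_PORTS)
    for (host, mac), ids in colliding.items():
        print(f"{host}: MAC {mac} shared across networks by {ids}")
    print("port security disabled (no filtering):", unfiltered)
```

The `unfiltered` list is the set of ports to revisit once the firewall driver fix is deployed, since they carry no filtering while the workaround is in place.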
Description
Nir Yechiel
2016-10-16 10:54:21 UTC
Link to previous, RHOSP 10 BZ (tech preview offering): https://bugzilla.redhat.com/show_bug.cgi?id=1281567

Link to related OSP director BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1371842

The RFE is only pending on the scenario test in patch 418867 and ensuring we have a QECI job set up for RHEL guests that runs the Neutron Tempest scenario tests. Therefore flipping to ON_QA.

A bug to make the OVS firewall work with the VLAN aware VMs feature doesn't have a fix upstream yet. The relevant bug is: https://bugs.launchpad.net/neutron/+bug/1626010 In any case, note that the OVS firewall driver won't be fully supported before RHOSP 12 and is currently in tech preview.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245