Bug 1412827 - [Docs] Provide better warning about MAC filtering, for Egress Router
Summary: [Docs] Provide better warning about MAC filtering, for Egress Router
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Importance: medium high
Target Milestone: ---
Assignee: Ashley Hardin
QA Contact: Meng Bo
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-12 22:03 UTC by Eric Rich
Modified: 2020-02-14 18:27 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-21 17:53:34 UTC
Target Upstream Version:



Description Eric Rich 2017-01-12 22:03:28 UTC
Document URL: https://docs.openshift.com/container-platform/3.3/admin_guide/managing_pods.html#admin-guide-limit-pod-access-egress-router

Section Number and Name: Limiting Pod Access with an Egress Router

Describe the issue: 

If a cloud provider or virtualization platform does allow outbound requests on the default gateway from "MAC/IP" combinations that are not directly mapped to what the hypervisor defined, you will see this issue, because the "hypervisor router or switch" will reject traffic from these interfaces.

Most (or all) cloud providers / virtualization platforms implement some form of MAC filter at the networking layer. This restriction/configuration makes it impossible for you to use the egress router functionality, because traffic leaving the egress router simply gets dropped by the cloud provider or virtualization platform since (as stated above) it is not coming from the defined IP/MAC that the guest VM was created with.

Suggestions for improvement: 

Improve the warning (which right now is OpenStack specific) to ensure that MAC filtering is disabled.

For RHEV this would mean turning off options like: 

>> set EnableMACAntiSpoofingFilterRules to false
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.2/html/Administration_Guide/Red_Hat_Enterprise_Virtualization_Manager_configuration_options_explanations_limitations_and_best_practices.html

For vmware this would mean following something like: 

    http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_40_u1/esx_server_config/securing_an_esx_configuration/c_securing_virtual_switch_ports.html

>> The following shows that this filtering happens by default: 
>> http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_40_u1/esx_server_config/securing_an_esx_configuration/c_forged_transmissions.html
   
For OpenStack this would mean configuring:

>> https://access.redhat.com/solutions/2803331 

  This is already provided in the explanation (warning today). 

Additional information:
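
The failure mode described in this report can be checked from inside an egress-router pod before traffic is ever sent: the pod's macvlan interface carries its own MAC, and any hypervisor-side MAC/IP anti-spoofing filter drops frames whose source MAC is not the one assigned to the VM's NIC. The script below is an added example, not OpenShift or Red Hat code: it parses `ip -o link show` output, lists macvlan interfaces whose MAC differs from the hypervisor-assigned one, and prints the setting to relax per platform. The sample `ip -o link` output, the interface names and the MACs are constructed; the RHEV value comes from this bug, while the OpenStack (allowed-address pair on the node's Neutron port) and vSphere (Forged Transmits) lines are the standard knobs those platforms expose and are assumptions to verify against the linked vendor docs for your version.

```shell
#!/bin/sh
# Added example (not OpenShift or Red Hat code). Detects macvlan interfaces whose
# source MAC is not the MAC the hypervisor assigned to the VM NIC, i.e. frames
# that a MAC/IP anti-spoofing filter will drop, and prints per-platform remedies.
# Assumptions: the egress router's interface is named macvlan*; EXPECTED_MAC is
# the VM NIC MAC as the hypervisor knows it (from the node or the cloud console).

# Constructed sample of `ip -o link show` as seen inside an egress-router pod.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP mode DEFAULT group default \    link/ether 0a:58:0a:80:00:08 brd ff:ff:ff:ff:ff:ff link-netnsid 0
4: macvlan0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default \    link/ether 0a:58:0a:80:00:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# Hypervisor-assigned MAC of the node's NIC (constructed value).
EXPECTED_MAC='52:54:00:12:34:56'

# macvlan_mismatches IP_LINK_OUTPUT EXPECTED_MAC
# Prints "<ifname> <mac>" for every macvlan interface whose MAC is not the
# hypervisor-assigned one. Each such interface emits frames that a MAC filter
# on the hypervisor switch will reject.
macvlan_mismatches() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        {
            name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
            mac = ""
            for (i = 1; i < NF; i++) if ($i == "link/ether") mac = $(i + 1)
            if (name ~ /^macvlan/ && mac != "" && mac != expected) print name, mac
        }'
}

# remediation PLATFORM
# Prints the setting to relax so the hypervisor passes frames from the egress
# router's own MAC. The RHEV line is from this bug; the OpenStack and vSphere
# lines are assumed (standard knobs; confirm against your platform's docs).
remediation() {
    case "$1" in
        rhev)
            echo 'engine-config -s EnableMACAntiSpoofingFilterRules=false' ;;
        openstack)
            echo 'openstack port set --allowed-address ip-address=<egress-ip>,mac-address=<macvlan-mac> <node-port>' ;;
        vmware)
            echo 'vSwitch / port group security policy: Forged Transmits = Accept (and MAC Address Changes = Accept)' ;;
        *)
            echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Stand-alone run: report offending interfaces and the remedy for each platform.
mismatches=$(macvlan_mismatches "$SAMPLE_IP_LINK" "$EXPECTED_MAC")
if [ -n "$mismatches" ]; then
    echo "macvlan interfaces whose frames will be dropped by MAC filtering:"
    echo "$mismatches"
    for p in rhev openstack vmware; do
        printf '%s: %s\n' "$p" "$(remediation "$p")"
    done
else
    echo "no macvlan interface uses a MAC other than $EXPECTED_MAC"
fi
```

On a real node, replace the constructed sample with `ip -o link show` run inside the egress-router pod (`oc exec <pod> -- ip -o link show`) and set EXPECTED_MAC from the node's primary NIC or the cloud console. Relaxing the filter only for the specific IP/MAC pair (the OpenStack allowed-address form) is preferable to disabling anti-spoofing for the whole port or switch, since the filter exists to stop a compromised guest from impersonating other hosts on the segment.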

Comment 2 Ashley Hardin 2017-02-02 17:22:45 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/3641

Comment 3 Meng Bo 2017-02-13 10:22:28 UTC
The doc looks good.

Verify the bug.

Comment 4 openshift-github-bot 2017-02-13 12:41:25 UTC
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/dcfccff4a089150ad1f7957bb9d045fc158db8ee
Bug 1412827, Added more information about disabling MAC filtering for the Egress Router

https://github.com/openshift/openshift-docs/commit/97af5a379c51dd3159e4c9aa027bd69f643c1663
Merge pull request #3641 from ahardin-rh/mac-filtering

Bug 1412827, Added more information about disabling MAC filtering for the Egress Router

