Description of problem:
Neutron agent ports are added to br-int without any tag. That makes them trunk ports (receiving traffic for all VLANs) until neutron-openvswitch-agent will handle them.
Sometimes the ports are left untagged forever, meaning that for example ha-router ha port will receive traffic directly from the external network (jumps to br-int to br-ex , and also back), or dnsmasq receives requests on the external network.
Outgoing traffic is dropped in br-ex though..
Vague details here (it's all we have so far):
This also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that will check the kernel datapath flows under some circumstances to get stuck, for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage).
This is also related to one security lp here: https://bugs.launchpad.net/bugs/1734320
100% if neutron-openvswitch-agent is down or broken
Steps to Reproduce:
1. stop neutron-openvswitch-agent
2. create a new router
The network node router ports will be inserted to br-int but left as untagged (trunk)
Ports are left on a dead vlan (4095) which will have no connectivity to other ports until they are finally tagged by agent.
Please note that such vlan is handled internally by openvswitch as a normal vlan and traffic could still happen over all local ports on 4095, although this is much less severe
This also serves as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1558336 where the issues becomes much worse were untagged ports exist in the system.
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828