Thanks Eduard. All the neutron ports belong to the same security group(s)? Can you paste the output of "openstack security group show <sgid>" for each sgid which the VMs belong to? I think this is related to: https://bugzilla.redhat.com/show_bug.cgi?id=1622469
Verified on 13.0-RHEL-7/2019-04-10.1 with openvswitch-2.9.0-103.el7fdp.x86_64 Scenario: Created 5 tenants. For each tenant created a router each with 2 internal networks. Created a security group for each tenant. Each security group with maximal number of rules (100) Connected VMs to each network. On 2 VMs executed a script got from Numan (https://paste.fedoraproject.org/paste/3iuxYe9TLqPBNJ6u0sHyTw) that sends multiple dhcp packets. Verified that ovn-controller is able to handle these multiple dhcp requests from VMs without any delay. CPU load was not high (15-20%). Verified that it is possible to run new instances when ovn-controller is under load. No issues with applying security groups observed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0926