author | Bartek Grzybowski <b.grzybowski@partner.samsung.com> | 2019-09-12 09:51:34 +0200 |
---|---|---|
committer | Daniel Rose <dr695h@att.com> | 2019-09-12 13:08:24 +0000 |
commit | f1d0a8be232f7b6a4076acbe32dab8e15856c41e (patch) | |
tree | 496757646c1d382a9700a54b5a4ea8338d54bea6 | |
parent | 73b02ed6a0c8c8942f2740034d6a2546a6551932 (diff) |
Add remarks related to Openstack's port security on vCPE
Extended anti-spoofing related notes with some hints on
dealing with Neutron's Port Security Extension Driver
which in some cases may prevent VNFs from functioning properly.
Change-Id: Icf4f44b8cbcaa70621bf21d5b72ff552be80d4e2
Issue-ID: DOC-549
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
-rw-r--r-- | docs/docs_vCPE.rst | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/docs/docs_vCPE.rst b/docs/docs_vCPE.rst index 6a4b1b2db..c6534b821 100644 --- a/docs/docs_vCPE.rst +++ b/docs/docs_vCPE.rst @@ -195,5 +195,6 @@ Known Issues and Workaround 3) In some Openstack environments (e.g. Ocata version), there is an issue with DHCP anti-spoofing rules preventing BRG to receive DHCP reply (Option 82) from DHCP. By default Openstack neutron is using *IptablesFirewallDriver*, which is actively inserting *Prevent DHCP Spoofing by VM* rules into linuxbridge firewall rules. This feature should prevent mailicious traffic from rogue VM inside Openstack, however it's affecting also vCPE usecase. Manual tweaking of fw rules is not persistent and those rules are automatically regenerated, but one can disable this logic by switching to *neutron.agent.firewall.NoopFirewallDriver*. More details can be found on https://codesomniac.com/2017/07/how-to-run-a-dhcp-server-as-openstack-instance/ - **NOTE:** To propagate change in firewall_driver one need to restart neutron-linuxbridge-agent and also openstack-nova-compute services. + **NOTE:** To propagate change in firewall_driver one needs to restart neutron-linuxbridge-agent and also openstack-nova-compute services. + Additionally Neutron's Port Security Extension Driver is by default preventing any routing functions of an instance (be it a router or VNF). Hence for smoothest vCPE experience it's advised to either disable the packet filtering by setting port_security_enabled flag for a network/port to "False" or alternatively add allowed_address_pairs to relevant VNFs ports with appropriate network prefixes. Port security driver can be also disabled globally, for more insight into Port Security Extension Driver please visit https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver |
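Review bot: the new paragraph offers disabling port security outright (setting port_security_enabled to "False" on the network/port) as the first option and allowed_address_pairs only as the alternative; reorder so that adding allowed_address_pairs with the specific prefixes the VNF forwards is the recommended fix, because turning port_security_enabled off removes the packet filtering for that port entirely rather than only permitting the routed traffic, and make explicit that disabling the Port Security Extension Driver globally affects every network in the deployment, not just the vCPE ones. Two smaller points in the same hunk: "is by default preventing any routing functions" reads better as "by default prevents any routing function", and the unchanged context line still carries the typo "mailicious", which this change could fix while it is touching the section.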