From f1d0a8be232f7b6a4076acbe32dab8e15856c41e Mon Sep 17 00:00:00 2001 From: Bartek Grzybowski Date: Thu, 12 Sep 2019 09:51:34 +0200 Subject: Add remarks related to Openstack's port security on vCPE Extended anti-spoofing related notes with some hints on dealing with Neutron's Port Security Extension Driver which in some cases may prevent VNFs to function properly. Change-Id: Icf4f44b8cbcaa70621bf21d5b72ff552be80d4e2 Issue-ID: DOC-549 Signed-off-by: Bartek Grzybowski --- docs/docs_vCPE.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/docs_vCPE.rst b/docs/docs_vCPE.rst index 6a4b1b2db..c6534b821 100644 --- a/docs/docs_vCPE.rst +++ b/docs/docs_vCPE.rst @@ -195,5 +195,6 @@ Known Issues and Workaround 3) In some Openstack environments (e.g. Ocata version), there is an issue with DHCP anti-spoofing rules preventing BRG to receive DHCP reply (Option 82) from DHCP. By default Openstack neutron is using *IptablesFirewallDriver*, which is actively inserting *Prevent DHCP Spoofing by VM* rules into linuxbridge firewall rules. This feature should prevent mailicious traffic from rogue VM inside Openstack, however it's affecting also vCPE usecase. Manual tweaking of fw rules is not persistent and those rules are automatically regenerated, but one can disable this logic by switching to *neutron.agent.firewall.NoopFirewallDriver*. More details can be found on https://codesomniac.com/2017/07/how-to-run-a-dhcp-server-as-openstack-instance/ - **NOTE:** To propagate change in firewall_driver one need to restart neutron-linuxbridge-agent and also openstack-nova-compute services. + **NOTE:** To propagate change in firewall_driver one needs to restart neutron-linuxbridge-agent and also openstack-nova-compute services. + Additionally Neutron's Port Security Extension Driver is by default preventing any routing functions of an instance (be it a router or VNF). Hence for smoothest vCPE experience it's advised to either disable the packet filtering by setting port_security_enabled flag for a network/port to "False" or alternatively add allowed_address_pairs to relevant VNFs ports with appropriate network prefixes. Port security driver can be also disabled globally, for more insight into Port Security Extension Driver please visit https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver -- cgit 1.2.3-korg