[openstack-dev] [neutron][taas] discussion about port security setting

Soichi Shigeta shigeta.soichi at jp.fujitsu.com
Mon Nov 30 10:49:01 UTC 2015


  Hi,

    I would like to have a discussion about the port security setting.

  The recommended sequence of operations:
   1. Create a neutron port (with port security disabled).
   2. Launch the monitoring VM and attach it to this port.
   3. Create a tap-service instance whose destination port
      is the monitoring VM's port.

  However, at our site a monitoring VM can receive mirrored packets
  without disabling port security.

  What I found:
   1) When port security is enabled, entries that enforce
      anti-IP-spoofing are added to the iptables rules of the Linux
      bridge when a VM is launched.

      It looks like this:
       INPUT:
        Chain neutron-openvswi-s12345678-9 (1 references)
        RETURN  all  -- 192.168.1.10 anywhere  MAC aa:bb:cc:dd:ee:ff /* Allow traffic from defined IP/MAC pairs. */
        DROP    all  -- anywhere      anywhere  /* Drop traffic without an IP/MAC allow rule. */

      Note that these entries are effective only for the egress
      direction from the VM.

   2) On the other hand, the MAC learning mechanism will drop
      ingress packets if the destination MAC address doesn't match
      the monitoring VM's.

      During the tap-service creation process, MAC address learning
      is disabled (at line 251 in
      neutron_taas/services/taas/drivers/linux/ovs_taas.py).
      Therefore, a monitoring VM can receive mirrored packets
      from source VMs.

  As a result, I think the first operation (disabling port security)
  is not required for a monitoring VM to receive mirrored packets.

  Is my understanding right?

  Regards,
  Soichi Shigeta
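Added example, not part of the original post: a small Python check that parses `iptables -S` output for the neutron-openvswi-s* anti-spoofing chains described above, reports whether port security is enforced on a given port, and evaluates which egress IP/MAC pairs the chain admits. The sample rules are constructed, the chain suffix and addresses are placeholders, and the helper names are my own.

```python
import re
from typing import Dict

# Constructed sample in `iptables -S` form (not captured from a real host):
# the anti-spoofing chain Neutron's iptables firewall driver installs for a
# port with port security enabled. Chain suffix and addresses are placeholders.
SAMPLE_RULES = """
-A neutron-openvswi-s12345678-9 -s 192.168.1.10/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s12345678-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
"""

# Allow rule: a source IP plus source MAC pair that jumps back to the caller.
ALLOW_RE = re.compile(
    r"^-A (neutron-openvswi-s\S+) -s (\S+) -m mac --mac-source (\S+) .*-j RETURN$")
# Catch-all DROP closing the same chain.
DROP_RE = re.compile(r"^-A (neutron-openvswi-s\S+) .*-j DROP$")


def parse_spoof_chains(rules: str) -> Dict[str, dict]:
    """Map each neutron-openvswi-s* chain to its allowed (ip, mac) pairs
    and whether it ends in a catch-all DROP."""
    chains: Dict[str, dict] = {}
    for line in rules.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            chain, ip, mac = m.groups()
            entry = chains.setdefault(chain, {"allowed": [], "default_drop": False})
            entry["allowed"].append((ip.split("/")[0], mac.lower()))
            continue
        m = DROP_RE.match(line)
        if m:
            chains.setdefault(m.group(1), {"allowed": [], "default_drop": False})["default_drop"] = True
    return chains


def egress_allowed(chain: dict, src_ip: str, src_mac: str) -> bool:
    """Decide whether an egress frame from the VM would pass the chain.
    Ingress (mirrored) traffic never traverses it, which is the post's point."""
    if (src_ip, src_mac.lower()) in chain["allowed"]:
        return True
    return not chain["default_drop"]


def port_security_enforced(chains: Dict[str, dict], port_id_prefix: str) -> bool:
    """True when the port's chain exists with at least one allow rule and a
    catch-all DROP, i.e. anti-spoofing is active for that port."""
    chain = chains.get(f"neutron-openvswi-s{port_id_prefix}")
    return bool(chain and chain["allowed"] and chain["default_drop"])
```

Feed it the real `iptables -S` output from a compute node to confirm which ports still carry the anti-spoofing chain after a tap-service is created.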