Search

Chapter 19. Configuring allowed address pairs

download PDF

19.1. Overview of allowed address pairs

An allowed address pair is when you identify a specific MAC address, IP address, or both to allow network traffic to pass through a port regardless of the subnet. When you define allowed address pairs, you are able to use protocols like VRRP (Virtual Router Redundancy Protocol) that float an IP address between two VM instances to enable fast data plane failover.

Note

The allowed-address pairs extension is currently supported only by the ML2 and Open vSwitch plug-ins.

You define allowed address pairs using the Red Hat OpenStack Platform command-line client openstack port command.

Important

Be aware that you should not use the default security group with a wider IP address range in an allowed address pair. Doing so can allow a single port to bypass security groups for all other ports within the same network.

For example, this command impacts all ports in the network and bypasses all security groups:

# openstack port set --allowed-address mac_address=3e:37:09:4b,ip_address=0.0.0.0/0 9e67d44eab334f07bf82fa1b17d824b6
Note

With an ML2/OVN mechanism driver network back end, it is possible to create VIPs. However, the IP address assigned to a bound port using allowed_address_pairs, should match the virtual port IP address (/32).

If you use a CIDR format IP address for the bound port allowed_address_pairs instead, port forwarding is not configured in the back end, and traffic fails for any IP in the CIDR expecting to reach the bound IP port.

Additional resources

19.2. Creating a port and allowing one address pair

Creating a port with an allowed address pair enables network traffic to flow through the port regardless of the subnet.

Prerequisites

  • You are using an ML2/OVS plug-in.
Important

Do not use the default security group with a wider IP address range in an allowed address pair. Doing so can allow a single port to bypass security groups for all other ports within the same network.

Procedure

  • Use the following command to create a port and allow one address pair:

    # openstack port create <port-name> --network <network> --allowed-address mac_address=<mac-address>,ip_address=<ip-cidr>

Additional resources

19.3. Adding allowed address pairs

You can add an allowed address pair to a port to enable network traffic to flow through the port regardless of the subnet.

Prerequisites

  • You are using an ML2/OVS plug-in.
Important

Do not use the default security group with a wider IP address range in an allowed address pair. Doing so can allow a single port to bypass security groups for all other ports within the same network.

Procedure

  • Use the following command to add allowed address pairs:

    # openstack port set <port-uuid> --allowed-address mac_address=<mac_address>,ip_address=<ip_cidr>
    Note

    You cannot set an allowed-address pair that matches the mac_address and ip_address of a port. This is because such a setting has no effect since traffic matching the mac_address and ip_address is already allowed to pass through the port.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.