Chapter 6. Configuring allowed address pairs


In Red Hat OpenStack Services on OpenShift (RHOSO) networking environments, you can use allowed address pairs to define additional IP/MAC combinations on a port. With allowed address pairs, you can use protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover.

In an allowed address pair, you identify a specific MAC address, IP address, or both to allow network traffic to pass through a port regardless of the subnet. When you define allowed address pairs, you are able to use protocols like Virtual Router Redundancy Protocol (VRRP) that float an IP address between two VM instances to enable fast data plane failover. A port whose IP address is a member of an allowed address pair of another port is referred to as a virtual port (vport).

You define allowed address pairs using the OpenStack command-line client openstack port command.


6.1. Usage rules for allowed address pairs

When using allowed address pairs in Red Hat OpenStack Services on OpenShift (RHOSO) networking environments, you must follow these rules:

  • When creating a VM instance, do not bind the instance to a virtual port (vport). Instead, use a port whose IP address is not a member of another port’s allowed address pair.

    Binding a vport to an instance prevents the instance from spawning and produces an error message similar to the following:

    Sample output
    WARNING nova.virt.libvirt.driver [req-XXXX - - - default default] \
    [instance: XXXXXXXXX] Timeout waiting for [('network-vif-plugged', \
    'XXXXXXXXXX')] for instance with vm_state building and task_state \
    spawning.: eventlet.timeout.Timeout: 300 seconds
  • Since RHOSO 18.0.17, Feature Release 5, ML2/OVN supports Virtual Router Redundancy Protocol version 3 (VRRPv3) and allowed address pairs with virtual MAC addresses.

    You must use virtual MAC addresses within this range:

    • IPv4 VRRP: 00:00:5e:00:01:XX (prefix 00:00:5e:00:01)
    • IPv6 VRRP: 00:00:5e:00:02:XX (prefix 00:00:5e:00:02)

      If you use virtual MAC addresses outside this range, ovn-northd discards the LSP port security with a message similar to the following:

      Sample output
      invalid syntax 'fa:16:3e:d6:f4:4c' in port security for LSP \
      2cbcc5e3-0afe-4237-8743-078b30ce3e4b: Invalid VRRPv3 MAC
  • Do not use the default security group with an IP address outside the range in an allowed address pair.

    Doing so can allow a single port to bypass security groups for all other ports within the same network.

  • Do not use a CIDR format IP address for the bound port allowed_address_pairs. If you use a CIDR format IP address for the bound port, port forwarding is not configured in the network, and inbound traffic fails for the bound port.

In Red Hat OpenStack Services on OpenShift (RHOSO) networking environments, you can add an allowed address pair to a port to enable network traffic to flow through the port regardless of the subnet.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • Ensure that you follow the rules when using allowed address pairs.

    For more information, see Section 6.1, “Usage rules for allowed address pairs”.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Use the following command to add allowed address pairs:

    $ openstack port set --allowed-address mac-address=<mac_address>,ip-address=<ip_cidr> <port>
    Note

    You cannot set an allowed-address pair that matches the mac_address and ip_address of a port. This is because such a setting has no effect since traffic matching the mac_address and ip_address is already allowed to pass through the port.
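A pre-flight check for the pair you pass to openstack port set or openstack port create, written in Python as an added example (not Red Hat's or the OpenStack project's code). It covers the virtual MAC range and bound-port CIDR rules from Section 6.1 and the note above; the check_pair function, its bound and vrrp flags, and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import re

# VRRP virtual MAC prefixes from Section 6.1, keyed by IP version.
VRRP_PREFIX = {4: "00:00:5e:00:01", 6: "00:00:5e:00:02"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_pair(port_mac, port_ips, pair_mac, pair_ip, bound=True, vrrp=False):
    """Return the rule violations for one allowed address pair.

    port_mac, port_ips: the port's own MAC address and fixed IP addresses.
    pair_mac: MAC address in the pair; None means the port's own MAC.
    bound: the port is bound to an instance.
    vrrp: the pair's MAC is intended as a VRRPv3 virtual MAC.
    """
    mac = (pair_mac or port_mac).lower()
    if not MAC_RE.match(mac):
        return [f"malformed MAC address: {mac}"]
    try:
        net = ipaddress.ip_network(pair_ip, strict=False)
    except ValueError:
        return [f"malformed IP address: {pair_ip}"]

    problems = []
    # Section 6.1: no CIDR format address on a bound port.
    if bound and "/" in pair_ip:
        problems.append("CIDR format IP address on a bound port")
    # Section 6.1: a virtual MAC must carry the prefix for its IP version.
    prefix = VRRP_PREFIX[net.version]
    if vrrp and not mac.startswith(prefix + ":"):
        problems.append(f"virtual MAC {mac} is outside {prefix}:XX")
    # Procedure note: a pair equal to the port's own MAC and IP cannot be set.
    own_ips = {ipaddress.ip_address(ip) for ip in port_ips}
    if (mac == port_mac.lower() and net.num_addresses == 1
            and net.network_address in own_ips):
        problems.append("pair matches the port's own MAC and IP address")
    return problems


if __name__ == "__main__":
    # Constructed sample port and candidate pairs (documentation addresses).
    port = ("fa:16:3e:aa:bb:cc", ["192.0.2.10"])
    for pair_mac, pair_ip in [("00:00:5e:00:01:0a", "192.0.2.100"),
                              ("fa:16:3e:d6:f4:4c", "192.0.2.100"),
                              ("00:00:5e:00:01:0a", "2001:db8::100")]:
        print(pair_mac, pair_ip, check_pair(*port, pair_mac, pair_ip, vrrp=True))
```

An empty list means the pair passes these checks; the default security group rule from Section 6.1 is not covered and still needs a manual review.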

6.3. Creating a port and allowing one address pair

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you can create a port with an allowed address pair to enable network traffic to flow through the port regardless of the subnet.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • Ensure that you follow the rules when using allowed address pairs.

    For more information, see Section 6.1, “Usage rules for allowed address pairs”.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Use the following command to create a port and allow one address pair:

    $ openstack port create --network <network> --allowed-address \
    mac-address=<mac_address>,ip-address=<ip_cidr> <port_name>