Disabling Port Security on Neutron Networks
Security groups are user-configurable collections of rules that allow traffic to and from the instances they are applied to. Any traffic not explicitly allowed by a security group is denied by default. In addition to user-defined security groups, Neutron applies a default set of rules that prevents instances (virtual machines, or VMs) on the network from acting as DHCP servers. These rules also prevent IP and MAC spoofing by requiring each instance to source its traffic from the IP and MAC address combination that Neutron assigned to its port.
By default, these protections are enforced on every port of a new Neutron network. Neutron lets you turn them off through a feature called port security, which can be disabled for a whole network (the default applied to ports created on it) or for an individual port.
When you disable port security, the protection provided by these rules is removed, which exposes the network to spoofed traffic and rogue DHCP servers from the affected instances. In certain situations, however, it is necessary to disable port security.
For example, if you want a VM to operate as a DHCP server, you must disable port security on the network (or on the port) through which the VM serves DHCP, because Neutron's default rules drop DHCP server traffic originating from an instance.
When security groups are enabled, they add overhead during instance and port creation and during traffic forwarding, which can degrade network performance at scale, with many ports and a large number of virtual machines. In that scenario you may want to disable port security to remove the overhead associated with security groups.
Note: You cannot assign a security group to a port on which port security has been disabled; Neutron rejects the request.
Disable Port Security Through Clarity UI
Port security is enabled by default when you add a Neutron network.
If you are a self-service user, you can disable port security on one or more networks in your own tenant. If you are an admin user, you can disable port security on one or more networks in any tenant.
Security groups are attached to ports, not to networks. Before you can disable port security on an existing network, you must first remove every security group from the ports on that network.
Once this is done, follow the steps below to disable port security on an existing Neutron network.
- Log in to Platform9 Clarity UI.
- Navigate to Networks>Networks tab.
- Select the check box for an existing network.
- Click Edit Network seen above the list of networks.
- Clear the Apply Port Security Groups check box.
- Click Update Network.
Port security is disabled for the selected network when you click Update Network.
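The same prerequisite and change expressed against Neutron's command line, followed by an audit of which ports end up unprotected, as an added example; this is not Platform9 or Neutron code and not part of the original page. It assumes port records exported in the key style of `openstack port show -f json` (id, network_id, device_owner, port_security_enabled, security_groups); the network and port IDs and security group names are constructed, and the generated `openstack port unset`, `openstack port set --disable-port-security` and `openstack network set --disable-port-security` commands are printed rather than executed so the script runs offline.

```python
"""Plan the prerequisite steps for disabling Neutron port security on a network
and audit which ports end up unprotected.

Added example, not Platform9 or Neutron code. The port records below are
constructed in the key style of `openstack port show -f json` / the Neutron
REST API (id, network_id, device_owner, port_security_enabled,
security_groups); every ID and security group name is made up.
"""
import json
from typing import Dict, List, Tuple

NETWORK_ID = "net-dhcp-lab"  # constructed network ID

# Constructed port records, as if collected with `openstack port show -f json`.
PORTS_JSON = json.dumps([
    {"id": "port-dhcp-vm", "network_id": NETWORK_ID, "device_owner": "compute:nova",
     "port_security_enabled": True, "security_groups": ["sg-default", "sg-dhcp"]},
    {"id": "port-web-vm", "network_id": NETWORK_ID, "device_owner": "compute:nova",
     "port_security_enabled": True, "security_groups": ["sg-default"]},
    {"id": "port-neutron-dhcp", "network_id": NETWORK_ID, "device_owner": "network:dhcp",
     "port_security_enabled": True, "security_groups": []},
    {"id": "port-other-net", "network_id": "net-prod", "device_owner": "compute:nova",
     "port_security_enabled": False, "security_groups": []},
])


def load_ports(text: str) -> List[Dict]:
    """Parse a JSON list of port records (one `openstack port show -f json` each)."""
    return json.loads(text)


def ports_on_network(network_id: str, ports: List[Dict]) -> List[Dict]:
    return [p for p in ports if p["network_id"] == network_id]


def ports_blocking_disable(network_id: str, ports: List[Dict]) -> List[str]:
    """Ports on the network that still carry security groups.

    Neutron refuses port_security_enabled=false on a port that has security
    groups attached, so these must be cleared before the change.
    """
    return [p["id"] for p in ports_on_network(network_id, ports) if p["security_groups"]]


def plan_disable_port_security(network_id: str, ports: List[Dict]) -> List[str]:
    """Ordered `openstack` CLI commands equivalent to the UI procedure.

    For each VM port: strip its security groups, then disable port security on
    the port itself. Finally disable it on the network, which only changes the
    default for ports created later; existing ports keep their own setting.
    Neutron-owned service ports (device_owner network:*) are left alone.
    """
    cmds = []
    for p in ports_on_network(network_id, ports):
        if p["device_owner"].startswith("network:"):
            continue
        for sg in p["security_groups"]:
            cmds.append(f"openstack port unset --security-group {sg} {p['id']}")
        if p["port_security_enabled"]:
            cmds.append(f"openstack port set --disable-port-security {p['id']}")
    cmds.append(f"openstack network set --disable-port-security {network_id}")
    return cmds


def audit_unprotected_ports(ports: List[Dict]) -> List[Tuple[str, str]]:
    """Every port whose anti-spoofing and DHCP-server filtering is off.

    A record that lists security groups while port security is off is
    inconsistent with what Neutron enforces and is flagged as well.
    """
    findings = []
    for p in ports:
        if p["port_security_enabled"]:
            continue
        reason = "port security disabled: IP/MAC anti-spoofing and DHCP-server filtering off"
        if p["security_groups"]:
            reason += "; security groups listed but not enforceable"
        findings.append((p["id"], reason))
    return findings


if __name__ == "__main__":
    ports = load_ports(PORTS_JSON)
    print("Clear security groups first on:", ports_blocking_disable(NETWORK_ID, ports))
    print("\n".join(plan_disable_port_security(NETWORK_ID, ports)))
    for port_id, reason in audit_unprotected_ports(ports):
        print(f"WARNING {port_id}: {reason}")
```

Run the audit again after the change to see every port that now lacks anti-spoofing and DHCP filtering; only the VM that is meant to serve DHCP should need its port security disabled, and ports disabled for the performance reason described above should be tracked deliberately rather than discovered later.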
June 21, 2017