Hi, I'm Bartek, and I cooperate with Michal on vCPE.
I managed to find the root cause of the issue, which is security groups in OpenStack. Although they are turned off for the network and for the ports of the vBRG and vBNG VNFs, neutron still applies anti-spoofing rules in iptables:

    Chain neutron-linuxbri-oab4fd8e9-1 (2 references)
    (...)
    2618  833K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
    (...)

"neutron-linuxbri-oab4fd8e9-1" is the chain associated with the tap interface of the vBNG, which is proxying DHCPOFFERs to the vBNG, so this traffic is being dropped as "spoofed". Once this rule is deleted, the vBRG gets its lease from the DHCP server.

Nova probably cleans/adds those rules upon restart, and there's a brief period of time when the rules aren't applied, which reveals why the packets eventually "sneaked" by.

Anti-spoofing rules shouldn't be applied, as we have "port_security_enabled -> False", but there seems to be a bug: https://bugzilla.redhat.com/show_bug.cgi?id=1406263, fixed in this errata: https://access.redhat.com/errata/RHBA-2017:0314. In our OpenStack version it should be fixed, but for some reason it's still hitting us.

View/Reply Online (#18755): https://lists.onap.org/g/onap-discuss/message/18755
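An added example, not part of Bartek's message and not code from the ONAP or OpenStack projects: a small POSIX shell helper an operator can run on a compute node to confirm whether the symptom described above is present, i.e. whether neutron's "Prevent DHCP Spoofing by VM." DROP rule is still installed for a tap interface whose port has port_security_enabled set to False. The `iptables -nvL` listing embedded in the block is constructed to mirror the excerpt in the message; the chain name neutron-linuxbri-oab4fd8e9-1 comes from the message, while the second chain name and all packet counters are made up. The `openstack port show -f value -c port_security_enabled` command mentioned in the comments is the standard OpenStack client invocation for reading the port attribute.

```shell
#!/bin/sh
# Added example (not from the original message). Scans `iptables -nvL`
# output for neutron's "Prevent DHCP Spoofing by VM." DROP rule and reports
# chains that still carry it, so an operator can verify whether
# port_security_enabled=False actually took effect on the host.

# Constructed sample of `iptables -nvL` output. The first chain mirrors the
# excerpt from the message; the second chain is invented and carries no
# DHCP anti-spoofing rule.
SAMPLE_IPTABLES='Chain neutron-linuxbri-oab4fd8e9-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
 4096  300K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2618  833K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68 /* Prevent DHCP Spoofing by VM. */
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67 /* Allow DHCP client traffic. */

Chain neutron-linuxbri-o1111111-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
'

# find_dhcp_spoof_drops: reads `iptables -nvL` text on stdin and prints each
# chain that has a DROP rule carrying the DHCP anti-spoofing comment
# (each chain is printed once).
find_dhcp_spoof_drops() {
    awk '
        /^Chain / { chain = $2; next }
        # with -v the columns are: pkts bytes target prot ..., so $3 is the target
        $3 == "DROP" && /Prevent DHCP Spoofing/ { if (!seen[chain]++) print chain }
    '
}

# check_port_security: $1 is the iptables chain for the port's tap interface,
# $2 is the value of port_security_enabled for that port, as printed by
#   openstack port show <port-id> -f value -c port_security_enabled
# Reads `iptables -nvL` text on stdin. Prints MISMATCH and returns 1 when
# port security is disabled yet the DROP rule is still present; prints OK
# and returns 0 otherwise.
check_port_security() {
    chain="$1"; port_sec="$2"
    if [ "$port_sec" = "False" ] && find_dhcp_spoof_drops | grep -qx "$chain"; then
        echo "MISMATCH: $chain still drops DHCP server traffic although port_security_enabled=False"
        return 1
    fi
    echo "OK: $chain"
    return 0
}

# Demo run on the constructed sample. On a real compute node, replace
# `printf '%s' "$SAMPLE_IPTABLES"` with `iptables -nvL`.
printf '%s' "$SAMPLE_IPTABLES" | find_dhcp_spoof_drops
printf '%s' "$SAMPLE_IPTABLES" | check_port_security neutron-linuxbri-oab4fd8e9-1 False || :
```

Running this against the sample reports the chain from the message as a MISMATCH, which is exactly the state the message describes: the rule that the port setting should have suppressed is still in place. A chain that carries no such rule, or a port whose port_security_enabled is True, reports OK, so the check can be run periodically after nova or the neutron agent restarts to catch the rules being re-added.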
