MAC learning for VMware Integrated OpenStack with NSX-V removes port security and security groups. With an NSX-V deployment, the connectivity for multiple MAC addresses behind a single vNIC is provided by enabling forged transmit as well as promiscuous mode. The guest must request promiscuous mode.
- Log in to the OpenStack Management Server.
- Enable MAC learning and disable port security features.
    neutron port-update <port_id> --port-security-enabled false --no-security-groups
    neutron port-update <port_id> --mac-learning-enabled true
To return to the default setting, enable the port security feature, apply a security group, and disable MAC learning.
    neutron port-update <port_id> --mac-learning-enabled false
    neutron port-update <port_id> --port-security-enabled true --security-group <security_group>
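A port stays without port security and security groups for as long as MAC learning is enabled on it, so it is worth tracking which ports are in that state and which were only partly reverted. The audit below is an added example, not VMware's code; it assumes port records exported as JSON with the attributes `port_security_enabled`, `security_groups` and `mac_learning_enabled`, and the port IDs, state names and `approved` list are hypothetical.

```python
import json

# Constructed sample records; attribute names are assumed to match the port
# attributes that the commands above change.
SAMPLE_PORTS = json.loads("""[
 {"id": "port-a", "port_security_enabled": true, "security_groups": ["sg-default"], "mac_learning_enabled": false},
 {"id": "port-b", "port_security_enabled": false, "security_groups": [], "mac_learning_enabled": true},
 {"id": "port-c", "port_security_enabled": false, "security_groups": [], "mac_learning_enabled": false},
 {"id": "port-d", "port_security_enabled": true, "security_groups": ["sg-web"], "mac_learning_enabled": true},
 {"id": "port-e", "port_security_enabled": true, "security_groups": []}
]""")


def classify(port):
    """Return the state of one port relative to the procedure above."""
    ps = port.get("port_security_enabled", True)
    sgs = port.get("security_groups") or []
    ml = port.get("mac_learning_enabled", False)  # absent attribute treated as off
    if ps and sgs and not ml:
        return "default"
    if not ps and not sgs and ml:
        return "mac-learning"   # state produced by the enable step
    if not ps and not ml:
        return "unfiltered"     # protection removed, MAC learning not in use
    return "inconsistent"       # partial enable or partial revert


def audit(ports, approved=()):
    """Map port id -> state for every port that is neither default nor approved."""
    findings = {}
    for port in ports:
        state = classify(port)
        if state == "default" or (state == "mac-learning" and port["id"] in approved):
            continue
        findings[port["id"]] = state
    return findings


def revert_commands(port_id, security_group="<security_group>"):
    """The revert sequence from this page for one port, as strings for review."""
    return [
        f"neutron port-update {port_id} --mac-learning-enabled false",
        f"neutron port-update {port_id} --port-security-enabled true --security-group {security_group}",
    ]


if __name__ == "__main__":
    for pid, state in audit(SAMPLE_PORTS, approved={"port-b"}).items():
        print(pid, state)
```
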
Note that there are limitations to this approach:
- With an NSX-V deployment, configuring promiscuous mode on a port results in a performance penalty because vNICs that request promiscuous mode receive a copy of every packet.
- Because connectivity to multiple MAC addresses depends on the combination of forged transmit and promiscuous mode, no RARP requests are generated for the multiple MAC addresses behind a single vNIC when the VM migrates with vMotion. This can result in a loss of connectivity.