Enabling MAC learning for VMware Integrated OpenStack with NSX-V removes port security and security groups from the port. With an NSX-V deployment, connectivity for multiple MAC addresses behind a single vNIC is provided by enabling forged transmit and promiscuous mode. The guest must request promiscuous mode.

Procedure

  1. Log in to the OpenStack Management Server.
  2. Enable MAC learning and disable port security features.

    neutron port-update <port_id> --port-security-enabled false --no-security-groups
    neutron port-update <port_id> --mac-learning-enabled true

    To return to the default setting, enable the port security feature, apply a security group, and disable MAC learning.

    neutron port-update <port_id> --mac-learning-enabled false
    neutron port-update <port_id> --port-security-enabled true --security-group <security_group>

    Note that there are limitations to this approach:

    • With an NSX-V deployment, configuring promiscuous mode on a port results in a performance penalty because vNICs that request promiscuous mode receive a copy of every packet.

    • Since a combination of forged transmit and promiscuous mode enables connectivity to multiple MAC addresses, if the VM migrates with vMotion, no RARP requests are generated for the multiple MAC addresses behind a single vNIC. This can result in a loss of connectivity.
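
Because the procedure leaves a port without port security or security groups, it helps to audit which ports are in that state and which were only partly reverted. The following is an added example, not part of the original procedure or VMware's tooling: it classifies constructed port records and builds the revert commands shown above. The field names `port_security_enabled`, `mac_learning_enabled` and `security_groups` are assumed to match the port attributes Neutron reports, and the state labels are hypothetical.

```python
import json
import shlex

# Constructed sample records; field names are assumed to match the port
# attributes reported by `neutron port-show <port_id> -f json`.
SAMPLE_PORTS = json.loads("""[
 {"id": "port-a", "port_security_enabled": true,
  "mac_learning_enabled": false, "security_groups": ["sg-default"]},
 {"id": "port-b", "port_security_enabled": false,
  "mac_learning_enabled": true, "security_groups": []},
 {"id": "port-c", "port_security_enabled": false,
  "mac_learning_enabled": false, "security_groups": []},
 {"id": "port-d", "port_security_enabled": true,
  "mac_learning_enabled": true, "security_groups": ["sg-default"]}
]""")

def classify_port(port):
    """Map one port record to a state label (labels are hypothetical)."""
    psec = bool(port.get("port_security_enabled", True))
    learn = bool(port.get("mac_learning_enabled", False))
    groups = port.get("security_groups") or []
    if learn and not psec and not groups:
        return "mac-learning"        # state produced by step 2
    if learn:
        return "inconsistent"        # learning on, protection still applied
    if not psec or not groups:
        return "incomplete-revert"   # learning off, default not restored
    return "default"                 # port security on with a security group

def audit(ports):
    """Return {port_id: state} for every record."""
    return {p["id"]: classify_port(p) for p in ports}

def revert_commands(port_id, security_group):
    """Build the two revert commands from the procedure, shell-quoted."""
    pid, sg = shlex.quote(port_id), shlex.quote(security_group)
    return [
        f"neutron port-update {pid} --mac-learning-enabled false",
        f"neutron port-update {pid} --port-security-enabled true"
        f" --security-group {sg}",
    ]

if __name__ == "__main__":
    for port_id, state in audit(SAMPLE_PORTS).items():
        print(port_id, state)
        if state != "default":
            print("\n".join(revert_commands(port_id, "<security_group>")))
```
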