By default, Neutron applies antispoofing rules to all ports to ensure that unexpected or undesired traffic cannot originate from or pass through a port. This includes rules that prohibit instances from running DHCP servers or acting as routers. To address the latter, the allowed-address-pairs extension can be used to allow additional subnets and MAC addresses through the port. However, additional functionality may be required that cannot be addressed by the
In Kilo, the port security extension was introduced for the ML2 plugin; it allows all packet filtering to be disabled on a port. This is especially useful when deploying instances for NFV purposes. The port security extension requires additional configuration, which will be discussed in the following sections.
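
Because both extensions relax the default antispoofing rules, it is useful to be able to list the ports where that has happened. The following is an added example, not code from the original text or from the Neutron project: it audits port records that use the Neutron port attributes `port_security_enabled` and `allowed_address_pairs`. The sample ports, the review thresholds, and the severity labels are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data shaped like Neutron port resources.
# IDs, security group names and addresses are made up for illustration.
SAMPLE_PORTS = [
    {"id": "port-web-1", "port_security_enabled": True,
     "security_groups": ["sg-web"], "allowed_address_pairs": []},
    {"id": "port-vrrp-1", "port_security_enabled": True,
     "security_groups": ["sg-lb"],
     "allowed_address_pairs": [{"ip_address": "192.0.2.10",
                                "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-router-vm", "port_security_enabled": True,
     "security_groups": ["sg-rtr"],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"id": "port-nfv-1", "port_security_enabled": False,
     "security_groups": [], "allowed_address_pairs": []},
]

# Assumed review policy (not a Neutron setting): pairs wider than
# these prefix lengths are flagged for review.
MIN_PREFIX = {4: 24, 6: 64}


def audit_port(port):
    """Return (severity, message) findings for one port record."""
    findings = []
    # Assumption: a record without the attribute keeps the default
    # behaviour, so antispoofing is treated as enabled.
    if not port.get("port_security_enabled", True):
        findings.append(("high", "port security disabled"))
    for pair in port.get("allowed_address_pairs") or []:
        # A bare address parses as a /32 (or /128) network.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(("medium", f"wide allowed-address-pair {net}"))
        else:
            findings.append(("info", f"allowed-address-pair {net}"))
    return findings


def audit_ports(ports):
    """Map port id to findings, omitting ports with default filtering."""
    report = {p["id"]: audit_port(p) for p in ports}
    return {pid: found for pid, found in report.items() if found}


if __name__ == "__main__":
    for pid, found in audit_ports(SAMPLE_PORTS).items():
        for severity, message in found:
            print(f"{severity:6} {pid}: {message}")
```
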