[Contrail] Configuring and verifying AAP from CLI

Article ID: KB33573  KB Last Updated: 20 Dec 2018  Version: 1.0
Summary:

The allowed address pair (AAP) extension is an OpenStack feature. According to openstack.org, “The allowed address pair extension extends the port attribute to enable you to specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass through a port regardless of the subnet associated with the network.”

Contrail supports this feature. For a brief introduction to the feature and instructions for configuring it from the GUI, see Service Chain Version 2 with Port Tuple.

This article demonstrates how to configure AAP via the Command Line Interface (CLI).

 

Solution:

To list all VMI/ports configured with a specific AAP:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
 

To apply an AAP to one VMI/port:

root@cont101:~#
neutron port-update 76437055-f294-4640-ba8c-d9744c12d649 \
    --allowed-address-pairs type=dict list=true \
    ip_address=4.4.4.200
Updated port: 76437055-f294-4640-ba8c-d9744c12d649
 

To verify:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:76:43:70:55:f2  "4.4.4.10"}  bcomp79  u'4.4.4.200',  76437055-f294-4640-ba8c-d9744c12d649  <<<< newly added VMI
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
 

To delete an AAP from a VMI/port:

curl -i http://172.18.101.100:9696/v2.0/ports/76437055-f294-4640-ba8c-d9744c12d649.json \
    -X PUT -H "X-Auth-Token: `keystone token-get | awk '/ id / {print $4}'`" \
    -H "Content-Type: application/json" -H "Accept: application/json"  \
    -H "User-Agent: python-neutronclient" \
    -d '{"port": {"allowed_address_pairs": []}}'

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 735
X-Openstack-Request-Id: req-02055cd3-86f3-4188-8e70-2301d2bcd7ad
Date: Wed, 12 Dec 2018 17:28:35 GMT

{
    "port": {
        "admin_state_up": true,
        "allowed_address_pairs": [],
        "binding:host_id": "bcomp79",
        "binding:vif_details": {
            "port_filter": true
        },
        "binding:vif_type": "vrouter",
        "binding:vnic_type": "normal",
        "device_id": "d90f3dce-746b-4eab-8251-e1768a0e3aea",
        "device_owner": "compute:bComp79-Kern",
        "fixed_ips": [
            {
                "ip_address": "4.4.4.10",
                "subnet_id": "90da5d13-4e7a-4c9c-b496-2450eed96625"
            }
        ],
        "id": "76437055-f294-4640-ba8c-d9744c12d649",
        "mac_address": "02:76:43:70:55:f2",
        "name": "76437055-f294-4640-ba8c-d9744c12d649",
        "network_id": "704049de-6cad-4d2f-8920-b066ac9a9f1b",
        "port_security_enabled": true,
        "security_groups": [
            "69446014-a3d8-4bd7-a8e6-ec4a3055253e"
        ],
        "status": "ACTIVE",
        "tenant_id": "ede15b5d21eb4401bd2a56e8d373aa71"
    }
}
 

To verify the deletion:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
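
An added example, not part of the original article: the grep-based listing above matches text rather than addresses, so it misses a port whose AAP is a CIDR covering 4.4.4.200, and the curl call above clears every pair on the port. The sketch below does a CIDR-aware audit over port JSON and builds a PUT body that removes one pair only; the sample data and the function names `ports_allowing` and `removal_body` are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: field names follow the port JSON shown in the article;
# the 4.4.4.201 pair and the two 00000000-... ports are invented.
SAMPLE_PORTS = json.loads("""
{"ports": [
  {"id": "76437055-f294-4640-ba8c-d9744c12d649",
   "fixed_ips": [{"ip_address": "4.4.4.10"}],
   "allowed_address_pairs": [
     {"ip_address": "4.4.4.200", "mac_address": "02:76:43:70:55:f2"},
     {"ip_address": "4.4.4.201", "mac_address": "02:76:43:70:55:f2"}]},
  {"id": "00000000-0000-0000-0000-000000000001",
   "fixed_ips": [{"ip_address": "4.4.4.20"}],
   "allowed_address_pairs": [
     {"ip_address": "4.4.4.0/24", "mac_address": "02:00:00:00:00:01"}]},
  {"id": "00000000-0000-0000-0000-000000000002",
   "fixed_ips": [{"ip_address": "14.4.4.200"}],
   "allowed_address_pairs": []}
]}
""")


def ports_allowing(ports, ip):
    """Return (port id, matching pair) for every AAP entry that covers ip."""
    target = ipaddress.ip_address(ip)
    hits = []
    for port in ports:
        for pair in port.get("allowed_address_pairs", []):
            # A pair may be a single address or a CIDR; strict=False also
            # accepts CIDRs written with host bits set.
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if target in net:
                hits.append((port["id"], pair["ip_address"]))
    return hits


def removal_body(port, ip):
    """Body for the article's PUT that drops only the pair equal to ip.

    Comparison is by exact string, so "4.4.4.200" does not match a pair
    stored as "4.4.4.200/32".
    """
    keep = [p for p in port.get("allowed_address_pairs", [])
            if p["ip_address"] != ip]
    return {"port": {"allowed_address_pairs": keep}}


if __name__ == "__main__":
    for port_id, pair in ports_allowing(SAMPLE_PORTS["ports"], "4.4.4.200"):
        print(port_id, pair)
    print(json.dumps(removal_body(SAMPLE_PORTS["ports"][0], "4.4.4.200")))
```

The third sample port has a fixed IP of 14.4.4.200, which `grep 4.4.4.200` would match as a substring even though the port has no AAP; the address comparison does not report it.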
 

For more details about creating and listing AAP, see "Allowed Address Pairs."

 
