[Contrail] Configuring and verifying AAP from CLI

[KB33573]


Summary:

An allowed address pair (AAP) extension is an OpenStack feature. According to openstack.org, “The allowed address pair extension extends the port attribute to enable you to specify arbitrary mac_address/ip_address(cidr) pairs that are allowed to pass through a port regardless of the subnet associated with the network.”

Contrail supports this feature. For a brief introduction to the feature and instructions for configuring it from the GUI, see Service Chain Version 2 with Port Tuple.

This article demonstrates how to configure AAP via the Command Line Interface (CLI).

 

Solution:

To list all VMI/ports configured with a specific AAP:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
 

To apply an AAP to one VMI/port:

root@cont101:~#
neutron port-update 76437055-f294-4640-ba8c-d9744c12d649 \
    --allowed-address-pairs type=dict list=true \
    ip_address=4.4.4.200
Updated port: 76437055-f294-4640-ba8c-d9744c12d649
 

To verify:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:76:43:70:55:f2  "4.4.4.10"}  bcomp79  u'4.4.4.200',  76437055-f294-4640-ba8c-d9744c12d649  <<<< newly added VMI
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
 

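To delete an AAP from a VMI/port (the request below sets allowed_address_pairs to an empty list, so it removes every pair configured on that port):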

curl -i http://172.18.101.100:9696/v2.0/ports/76437055-f294-4640-ba8c-d9744c12d649.json \
    -X PUT -H "X-Auth-Token: `keystone token-get | awk '/ id / {print $4}'`" \
    -H "Content-Type: application/json" -H "Accept: application/json"  \
    -H "User-Agent: python-neutronclient" \
    -d '{"port": {"allowed_address_pairs": []}}'

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 735
X-Openstack-Request-Id: req-02055cd3-86f3-4188-8e70-2301d2bcd7ad
Date: Wed, 12 Dec 2018 17:28:35 GMT

{
    "port": {
        "admin_state_up": true,
        "allowed_address_pairs": [],
        "binding:host_id": "bcomp79",
        "binding:vif_details": {
            "port_filter": true
        },
        "binding:vif_type": "vrouter",
        "binding:vnic_type": "normal",
        "device_id": "d90f3dce-746b-4eab-8251-e1768a0e3aea",
        "device_owner": "compute:bComp79-Kern",
        "fixed_ips": [
            {
                "ip_address": "4.4.4.10",
                "subnet_id": "90da5d13-4e7a-4c9c-b496-2450eed96625"
            }
        ],
        "id": "76437055-f294-4640-ba8c-d9744c12d649",
        "mac_address": "02:76:43:70:55:f2",
        "name": "76437055-f294-4640-ba8c-d9744c12d649",
        "network_id": "704049de-6cad-4d2f-8920-b066ac9a9f1b",
        "port_security_enabled": true,
        "security_groups": [
            "69446014-a3d8-4bd7-a8e6-ec4a3055253e"
        ],
        "status": "ACTIVE",
        "tenant_id": "ede15b5d21eb4401bd2a56e8d373aa71"
    }
}
 

To verify the deletion:

root@cont101:~#
neutron port-list \
    -c mac_address -c fixed_ips -c binding:host_id \
    -c allowed_address_pairs -c id | \
    grep 4.4.4.200 | awk '{print $2,$7,$9,$12,$16}' | column -t

02:34:80:64:76:01  "4.4.4.6"}   bcomp79  u'4.4.4.200',  34806476-011d-4b26-b18d-cf34aa3cabea
02:c0:62:15:1d:3f  "4.4.4.11"}  bcomp80  u'4.4.4.200',  c062151d-3f1b-46c3-9364-098f4700f2cf
02:1c:6a:93:ae:c2  "4.4.4.4"}   bcomp79  u'4.4.4.200',  1c6a93ae-c298-4a0d-90d1-145a0b2fa6b0
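
The grep used in the listings above matches text, so it misses a pair stored as a CIDR that covers the address, and it also matches a fixed IP or a longer address that contains the same digits. The following added example (not part of the original article or of Contrail tooling) performs the same lookup on the JSON body of a Neutron GET /v2.0/ports reply; the function name ports_allowing and the sample ports are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of a Neutron "GET /v2.0/ports" reply body,
# reduced to the fields used below. IDs and addresses are made up.
SAMPLE_PORTS_JSON = """
{"ports": [
 {"id": "port-a", "binding:host_id": "bcomp79",
  "fixed_ips": [{"ip_address": "4.4.4.6"}],
  "allowed_address_pairs": [{"ip_address": "4.4.4.200"}]},
 {"id": "port-b", "binding:host_id": "bcomp80",
  "fixed_ips": [{"ip_address": "4.4.4.11"}],
  "allowed_address_pairs": [{"ip_address": "4.4.4.0/24"}]},
 {"id": "port-c", "binding:host_id": "bcomp79",
  "fixed_ips": [{"ip_address": "4.4.4.200"}],
  "allowed_address_pairs": []},
 {"id": "port-d", "binding:host_id": "bcomp80",
  "fixed_ips": [{"ip_address": "4.4.4.12"}],
  "allowed_address_pairs": [{"ip_address": "14.4.4.200"}]}
]}
"""


def ports_allowing(ports_json, address):
    """Return one row per allowed address pair that covers `address`."""
    target = ipaddress.ip_address(address)
    rows = []
    for port in json.loads(ports_json)["ports"]:
        for pair in port.get("allowed_address_pairs") or []:
            # A pair's ip_address is a single address or a CIDR; parse both
            # as a network so 4.4.4.0/24 is recognised as covering 4.4.4.200.
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.version == target.version and target in net:
                rows.append({
                    "id": port["id"],
                    "host": port.get("binding:host_id"),
                    "fixed_ips": [f["ip_address"] for f in port.get("fixed_ips", [])],
                    "pair": str(net),
                })
    return rows


if __name__ == "__main__":
    for row in ports_allowing(SAMPLE_PORTS_JSON, "4.4.4.200"):
        print(row["id"], row["host"], row["fixed_ips"], row["pair"])
```

In the sample, port-b is reported because its /24 pair covers 4.4.4.200, while port-c (fixed IP only) and port-d (14.4.4.200) are not, which is the reverse of what a plain text match on 4.4.4.200 would return.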
 

For more details about creating and listing AAP, see "Allowed Address Pairs."

 
