SR-IOV Spoof Check control for Tungsten Fabric

Available since MOSK 24.2 TechPreview

MOSK provides the capability to enable SR-IOV Spoof Check control with the Neutron Tungsten Fabric backend.

The capability can be useful for certain network configurations. For example, you might need to allow traffic from a virtual function interface even when its MAC address does not match the MAC address inside the virtual machine. In this scenario, known as MAC spoofing, disabling spoof check enables the traffic to pass through regardless of the MAC address mismatch.

Caution

Certain NICs and drivers may not handle the spoofchk setting. For example, the Intel 82599ES NIC paired with the ixgbe driver disregards the spoofchk setting when VLAN tagging is enabled. Therefore, ensure compatibility with your hardware configuration regarding spoofchk handling before proceeding.

To enable SR-IOV Spoof Check control for Tungsten Fabric, enable handling of SR-IOV interfaces by the Nova os-vif plugin in the OpenStackDeployment custom resource:

services:
  compute:
    nova:
      values:
        conf:
          nova:
            workarounds:
              pass_hwveb_ports_to_os_vif_plugin: true

Now, you can enable and disable spoof checking for certain SR-IOV ports through the OpenStack CLI. To disable spoof checking on an SR-IOV port:

openstack port set --no-security-group --disable-port-security <SRIOV-PORT>

To enable spoof checking on an SR-IOV port:

openstack port set --enable-port-security <SRIOV-PORT>
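
After toggling port security, you can compare the port's port_security_enabled value with the spoof checking state that ip link show reports for the VF on the compute host. The script below is an added example, not part of the MOSK documentation: the function names are hypothetical, and the sample output, MAC addresses, and the ens1f0 interface name are constructed. It checks only the state the kernel reports for the VF, not whether the NIC enforces it (see the Caution above).

```shell
#!/bin/sh
# Constructed sample of `ip link show <PF>` output (not from a real host).
sample_ip_link() {
cat <<'EOF'
6: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 3c:fd:fe:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether fa:16:3e:11:22:33 brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state auto, trust off
    vf 1     link/ether fa:16:3e:44:55:66 brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto, trust off
EOF
}

# vf_spoofchk MAC
# Reads `ip link show` output on stdin and prints "on" or "off" for the VF
# that carries MAC. Returns 1 if no such VF line is found.
vf_spoofchk() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" '
        $1 == "vf" && index(tolower($0), mac) && match($0, /spoof checking (on|off)/) {
            state = substr($0, RSTART, RLENGTH)
            sub(/^spoof checking /, "", state)
            print state
            found = 1
            exit
        }
        END { exit !found }
    '
}

# check_vf MAC PORT_SECURITY
# PORT_SECURITY is the port_security_enabled value of the Neutron port, as
# printed by `openstack port show <SRIOV-PORT> -f value -c port_security_enabled`.
# Port security enabled is expected to map to spoof checking on, disabled to off.
# Returns 0 on match, 1 on mismatch, 2 on bad input or missing VF.
check_vf() {
    case "$2" in
        True|true)   want=on ;;
        False|false) want=off ;;
        *) echo "unknown port security value: $2" >&2; return 2 ;;
    esac
    got=$(vf_spoofchk "$1") || { echo "no VF with MAC $1" >&2; return 2; }
    if [ "$got" = "$want" ]; then echo "OK $1 spoofchk=$got"; return 0; fi
    echo "MISMATCH $1 expected=$want actual=$got"; return 1
}

# Demo on the constructed sample; on a compute host, pipe `ip link show <PF>` instead.
sample_ip_link | check_vf fa:16:3e:11:22:33 False
sample_ip_link | check_vf fa:16:3e:44:55:66 False || true   # reports a mismatch
```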