SR-IOV Spoof Check control for Tungsten Fabric
Available since MOSK 24.2 TechPreview
MOSK provides the capability to enable SR-IOV Spoof Check control with the Neutron Tungsten Fabric backend.
The capability can be useful for certain network configurations. For example, you might need to allow traffic from a virtual function interface even when its MAC address does not match the MAC address inside the virtual machine. In this scenario, known as MAC spoofing, disabling spoof check enables the traffic to pass through regardless of the MAC address mismatch.
Caution
Certain NICs and drivers may not handle the spoofchk setting. For example, the Intel 82599ES NIC paired with the ixgbe driver disregards the spoofchk setting when VLAN tagging is enabled. Therefore, ensure compatibility with your hardware configuration regarding spoofchk handling before proceeding.
To enable SR-IOV Spoof Check control for Tungsten Fabric, enable the handling of SR-IOV interfaces by the Nova os-vif plugin in the OpenStackDeployment custom resource:
services:
  compute:
    nova:
      values:
        conf:
          nova:
            workarounds:
              pass_hwveb_ports_to_os_vif_plugin: true
Now, you can enable and disable spoof checking for certain SR-IOV ports through the OpenStack CLI. To disable spoof checking on an SR-IOV port:
openstack port set --no-security-group --disable-port-security <SRIOV-PORT>
To enable spoof checking on an SR-IOV port:
openstack port set --enable-port-security <SRIOV-PORT>
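To confirm on a compute node that each virtual function reports the spoof-check state you set through the CLI, the following added example (not part of the MOSK documentation) parses the per-VF lines of ip link show and compares them with the MAC addresses of ports where port security was deliberately disabled. The function names, the sample output, and the PF name ens1f0 are constructed for illustration, and the script assumes that the VF MAC address equals the MAC address of the SR-IOV port.

```shell
#!/bin/sh
# Added example: audit SR-IOV VF spoof-check state from `ip link show dev <PF>`.

# Constructed sample output (not captured from a real host); ens1f0 is a made-up PF.
SAMPLE_IP_LINK='4: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    link/ether 3c:fd:fe:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether fa:16:3e:00:00:0a brd ff:ff:ff:ff:ff:ff, vlan 100, spoof checking on, link-state auto, trust off
    vf 1     link/ether fa:16:3e:00:00:0b brd ff:ff:ff:ff:ff:ff, spoof checking off, link-state auto, trust off
    vf 2     MAC fa:16:3e:00:00:0c, vlan 200, spoof checking off, link-state auto, trust off'

# vf_spoofchk: stdin is `ip link show` output; prints "<vf> <mac> <on|off|unknown>"
# per VF. Handles both the "link/ether <mac>" and the older "MAC <mac>" line layouts.
vf_spoofchk() {
    awk '
        $1 == "vf" {
            mac = "-"; state = ""
            for (i = 3; i < NF; i++) {
                if ($i == "link/ether" || $i == "MAC") { mac = $(i + 1); sub(/,$/, "", mac) }
                if ($i == "spoof" && $(i + 1) == "checking") { state = $(i + 2); sub(/,$/, "", state) }
            }
            if (state != "on" && state != "off") state = "unknown"
            print $2, mac, state
        }'
}

# audit_spoofchk "<mac> <mac> ...": stdin is `ip link show` output; the argument lists
# MACs of ports where port security was deliberately disabled (assumed equal to VF MACs).
# Prints one finding per mismatch and returns 1 if there is any finding.
audit_spoofchk() {
    vf_spoofchk | awk -v allow="$1" '
        BEGIN { n = split(tolower(allow), a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { mac = tolower($2) }
        # Spoof checking is off on a VF nobody asked to relax.
        $3 == "off" && !(mac in ok) { print "UNEXPECTED-OFF vf " $1 " " $2; bad = 1 }
        # Port security was disabled, but the VF still reports spoof checking on.
        $3 == "on" && (mac in ok)   { print "STILL-ON vf " $1 " " $2; bad = 1 }
        # The driver did not report a spoof-check field for this VF.
        $3 == "unknown"             { print "NO-SPOOFCHK-FIELD vf " $1 " " $2; bad = 1 }
        END { exit bad + 0 }'
}

# Usage on a compute node (PF name and MAC are placeholders):
#   ip link show dev ens1f0 | audit_spoofchk "fa:16:3e:00:00:0b"
```

The spoof checking field shows only what the kernel reports for the VF. As the caution above notes, some NIC and driver combinations may not handle the setting, so verify enforcement on your hardware separately.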