[Contrail Fabric]: Default security group config pushed by DM not allowing ARP

Bug #1758437 reported by chhandak
This bug affects 1 person

Affects: Juniper Openstack (status tracked in Trunk)
Trunk:
    Status: Fix Committed
    Importance: Critical
    Assigned to: Suresh Balineni

Bug Description

When DM is pushing the default security group config, it is only allowing ether type IPv4 and IPv6. It is not allowing ether type ARP.

Current config we are pushing
------------------------------
root@5d2-qfx1# run show configuration groups __contrail__ firewall
/* Firewalls Configuration */
family ethernet-switching {
    filter sg-filter-IPv4-default-d66d7066-4a46-4a02-8b37-ed10287a7bf5 {
        term ether-type {
            from {
                ether-type ipv4;
            }
            then accept;
        }
    }
    filter sg-filter-IPv6-default-5d8f7193-6a38-4ca8-b2b9-08a465300b52 {
        term ether-type {
            from {
                ether-type ipv6;
            }
            then accept;
        }
    }
}

Configuration to allow ARP
---------------------------
root@5d2-qfx1# run show configuration groups __contrail__ firewall
/* Firewalls Configuration */
family ethernet-switching {
    filter sg-filter-IPv4-default-d66d7066-4a46-4a02-8b37-ed10287a7bf5 {
        term ether-type {
            from {
                ether-type [ ipv4 arp ]; >>>> ARP
            }
            then accept;
        }
    }
    filter sg-filter-IPv6-default-5d8f7193-6a38-4ca8-b2b9-08a465300b52 {
        term ether-type {
            from {
                ether-type ipv6;
            }
            then accept;
        }
    }
}

Tags: blocker
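
An audit check for the condition described in this report, added here as an example and not taken from the report or from the Contrail code base: it parses `show configuration ... firewall` output and lists filters that match ether-type ipv4 without arp. The filter names in the sample are constructed placeholders and the function names are hypothetical.

```python
import re
# Constructed sample in the layout shown in the report: filter A omits ARP, filter B allows it.
SAMPLE = """\
family ethernet-switching {
    filter sg-filter-IPv4-default-EXAMPLE-A {
        term ether-type {
            from {
                ether-type ipv4;
            }
            then accept;
        }
    }
    filter sg-filter-IPv4-default-EXAMPLE-B {
        term ether-type {
            from {
                ether-type [ ipv4 arp ];
            }
            then accept;
        }
    }
}
"""

FILTER_RE = re.compile(r"^\s*filter\s+(\S+)\s*\{")
ETHER_RE = re.compile(r"^\s*ether-type\s+(?:\[\s*([^\]]*?)\s*\]|(\S+?))\s*;")

def ether_types_by_filter(config_text):
    """Map each filter name to the set of ether-types its terms match."""
    result, current, depth = {}, None, 0
    for line in config_text.splitlines():
        m = FILTER_RE.match(line)
        if m:  # entering a filter block: remember the brace depth it opened at
            current, filter_depth = m.group(1), depth
            result[current] = set()
        e = ETHER_RE.match(line)
        if e and current:  # single value or bracketed list of ether-types
            result[current].update((e.group(1) or e.group(2)).split())
        depth += line.count("{") - line.count("}")
        if current and depth <= filter_depth:  # closing brace of the filter
            current = None
    return result

def filters_missing_arp(config_text):
    """Filters whose terms match ipv4 but never arp."""
    found = ether_types_by_filter(config_text)
    return sorted(n for n, t in found.items() if "ipv4" in t and "arp" not in t)

if __name__ == "__main__":
    print(filters_missing_arp(SAMPLE))
```

IPv6-only filters are not reported, since the report only asks for ARP alongside IPv4.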
chhandak (chhandak)
Changed in juniperopenstack:
importance: Undecided → High
importance: High → Critical
assignee: nobody → Suresh Balineni (sbalineni)
milestone: none → r5.0.0
information type: Proprietary → Public
Jeba Paulaiyan (jebap)
tags: added: blocker
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/41109
Submitter: Suresh Balineni (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/41109
Committed: http://github.com/Juniper/contrail-controller/commit/b3309359cbd5c93cefe9db7f241f76365c03c619
Submitter: Rudra Rugge (<email address hidden>)
Branch: master

commit b3309359cbd5c93cefe9db7f241f76365c03c619
Author: sbalineni <email address hidden>
Date: Tue Mar 27 10:40:03 2018 -0700

[DM]: Configure ACLs on QFX only if there are terms

Change-Id: I8c6f63ec7671f168402f24ce80e5f952ef37018f
Closes-Bug: #1758437
