Manage traffic filtering (port security)

To assign a security group to a port, you must first enable port security. You can enable traffic filtering on a network or on a separate port.

Enable network traffic filtering

Caution

We do not recommend that you enable traffic filtering on existing networks where you are running a load balancer or cluster databases. This can lead to balancer failures and disrupt cloud database replication. Create a new private network or public subnet and enable network-level traffic filtering in it.

Enabling traffic filtering on a network will not affect its existing ports — if filtering has been disabled on a port, it will not be enabled. On existing ports, you must enable traffic filtering separately for each port.

If traffic filtering is enabled at the network level, all new ports on the network will by default be created with filtering enabled and the default security group assigned. You can assign a different security group when creating a port.

  1. Open the OpenStack CLI.

  2. Enable network traffic filtering:

    openstack network set \
    --enable-port-security \
    <network>

    Specify <network>: the network ID or name, which you can view with the openstack network list command.

Enable traffic filtering on a port

  1. Open the OpenStack CLI.

  2. Enable traffic filtering for the port:

    openstack port set \
    --security-group <security_group> \
    --enable-port-security \
    <port>

    Specify:

    • <security_group>: the security group ID or name, which you can view with the openstack security group list command. If you do not assign a group, all port traffic will be blocked;
    • <port>: the port ID or name, which you can view with the openstack port list command.
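
Because enabling filtering on a network leaves existing ports unchanged, and a port with filtering enabled but no security group drops all traffic, it is worth auditing every port on the network afterwards. The script below is an added example, not part of the original documentation; the function names audit_ports and network_fully_filtered are hypothetical, and it assumes the port_security_enabled and security_group_ids fields of openstack port show.

```shell
#!/bin/sh
# Added example: audit the filtering state of every port on one network.
# Uses only `openstack port list` and `openstack port show` with the
# standard output options -f value and -c <column>.

# Print one line per port: "<port_id> <state>", where <state> is
#   filtered    port security on, at least one security group assigned
#   blocked     port security on, no security group (all traffic dropped)
#   unfiltered  port security off
audit_ports() (
    network=$1
    for port in $(openstack port list --network "$network" -f value -c ID); do
        enabled=$(openstack port show "$port" -f value -c port_security_enabled)
        groups=$(openstack port show "$port" -f value -c security_group_ids)
        # Assumption: an empty group list may be rendered as "" or "[]",
        # so strip everything except ID characters before testing it.
        groups=$(printf '%s' "$groups" | sed 's/[^A-Za-z0-9-]//g')
        case "$enabled" in
            [Tt]rue)
                if [ -z "$groups" ]; then
                    echo "$port blocked"
                else
                    echo "$port filtered"
                fi ;;
            *)
                echo "$port unfiltered" ;;
        esac
    done
)

# Succeed only when every port on the network is in the "filtered" state.
network_fully_filtered() {
    ! audit_ports "$1" | grep -qv ' filtered$'
}

# Usage: sh audit_ports.sh <network>
if [ "$#" -eq 1 ]; then
    audit_ports "$1"
    network_fully_filtered "$1" || exit 1
fi
```

Ports reported as unfiltered need the per-port command above; ports reported as blocked need a security group assigned.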

Turn off network traffic filtering

Turning off traffic filtering on a network will not affect its existing ports — if filtering has been enabled on a port, it will not be turned off. On existing ports, you must disable traffic filtering separately for each port. New ports on the network will be created with filtering disabled by default.

  1. Open the OpenStack CLI.

  2. Turn off traffic filtering for the network:

    openstack network set \
    --disable-port-security \
    <network>

    Specify <network>: the network ID or name, which you can view with the openstack network list command.

Disable traffic filtering on a port

Before disabling traffic filtering on a port, you must remove all security groups from the port.

  1. Open the OpenStack CLI.

  2. Remove the security groups from the port:

    openstack port set \
    --no-security-group \
    <port>

    Specify <port>: the port ID or name, which you can view with the openstack port list command.

  3. Disable traffic filtering for the port:

    openstack port set \
    --disable-port-security \
    <port>

    Specify <port>: the port ID or name, which you can view with the openstack port list command.