diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index a55eed2260..88e59c3637 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -114,6 +114,9 @@ openstack_logging_debug: "False"
 
 openstack_region_name: "RegionOne"
 
+# Optionally allow Kolla to set sysctl values
+set_sysctl: "yes"
+
 # Valid options are [ novnc, spice ]
 nova_console: "novnc"
 
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
index 633e96c6f6..d5e3711a66 100755
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@@ -17,6 +17,7 @@
 
 - name: Allowing non-local IP binding
   sysctl: name="net.ipv4.ip_nonlocal_bind" value=1 sysctl_set=yes
+  when: set_sysctl | bool
 
 - name: Ensuring config directory exists
   file:
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index 5a99aa95fc..a0fe2f92c1 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -1,14 +1,18 @@
 ---
 - name: Allowing IP forwarding on network node
   sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes
-  when: inventory_hostname in groups['neutron-agents']
+  when:
+    - set_sysctl | bool
+    - inventory_hostname in groups['neutron-agents']
 
 - name: Disabling reverse path filter on network node
   sysctl: name="net.ipv4.conf.{{ item }}.rp_filter" value=0 sysctl_set=yes
   with_items:
     - "all"
     - "default"
-  when: inventory_hostname in groups['neutron-agents']
+  when:
+    - set_sysctl | bool
+    - inventory_hostname in groups['neutron-agents']
 
 - include: ../../config.yml
   vars:
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index 29f308e5df..a98b38e0e6 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -4,14 +4,18 @@
   with_items:
     - "iptables"
     - "ip6tables"
-  when: inventory_hostname in groups['compute']
+  when:
+    - set_sysctl | bool
+    - inventory_hostname in groups['compute']
 
 - name: Disabling reverse path filter on compute node
   sysctl: name="net.ipv4.conf.{{ item }}.rp_filter" value=0 sysctl_set=yes
   with_items:
     - "all"
     - "default"
-  when: inventory_hostname in groups['neutron-agents']
+  when:
+    - set_sysctl | bool
+    - inventory_hostname in groups['neutron-agents']
 
 - include: ../../config.yml
   vars: