Adds Port Security section to the Admin Guide

Added a short "Disabling port security" section to the admin guide. The section describes the use case for the port security extension and how to use it in practice. Change-Id: Ia263fd1a77a9884a159127389a0f5fcd8bd6798f Closes-Bug: #1330849
2016-08-25 16:46:52 -04:00 · 2016-08-25 16:46:52 -04:00 · e3404f4fdf
commit e3404f4fdf
parent c811432465
1 changed files with 42 additions and 0 deletions
--- a/doc/admin-guide/source/networking-adv-features.rst
+++ b/doc/admin-guide/source/networking-adv-features.rst
@ -413,6 +413,48 @@ basic security group operations:

          $ neutron port-update --no-security-groups PORT_ID

+Disabling port security
+-----------------------
+
+Security groups and anti-spoofing rules can be problematic for some
+applications. MAC anti-spoofing prevents applications from sending or receiving
+packets with source or destination addresses that do not match the configured
+address of a port. For example, multicast packets use a multicast group address
+as the destination address rather than the address of the virtual machine.
+While all security groups can be removed from a port, disabling MAC
+anti-spoofing requires the port security extension.
+
+.. note::
+
+   - By default port security is enabled on every port.
+
+   - All security groups must be removed from a port before disabling port
+     security.
+
+This table shows example neutron commands to selectively disable or enable
+port security for a single port:
+
+.. list-table:: **Port security operations**
+   :widths: 30 50
+   :header-rows: 1
+
+   * - Operation
+     - Command
+   * - Disable port security on a port.
+     - .. code-block:: console
+
+          $ neutron port-update --port-security-enabled=False PORT_ID
+   * - Enable port security on a port.
+     - .. code-block:: console
+
+          $ neutron port-update --port-security-enabled=True PORT_ID
+
+Port security can also be disabled when a port is created using
+``port_security_enabled`` attribute.
+
+The ``port_security_enabled`` attribute can also be used at the network level
+to disable port security by default for all ports in a specific network.
+
 Basic Load-Balancer-as-a-Service operations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~