From e3404f4fdf560fa2df1278bbd50cfa921305c41f Mon Sep 17 00:00:00 2001 From: Matt Caulfield Date: Thu, 25 Aug 2016 16:46:52 -0400 Subject: [PATCH] Adds Port Security section to the Admin Guide Added a short "Disabling port security" section to the admin guide. The section describes the use case for the port security extension and how to use it in practice. Change-Id: Ia263fd1a77a9884a159127389a0f5fcd8bd6798f Closes-Bug: #1330849 --- .../source/networking-adv-features.rst | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/doc/admin-guide/source/networking-adv-features.rst b/doc/admin-guide/source/networking-adv-features.rst index 9ac8121c16..3d57496d4b 100644 --- a/doc/admin-guide/source/networking-adv-features.rst +++ b/doc/admin-guide/source/networking-adv-features.rst 
@@ -413,6 +413,48 @@ basic security group operations: $ neutron port-update --no-security-groups PORT_ID +Disabling port security +----------------------- + +Security groups and anti-spoofing rules can be problematic for some +applications. MAC anti-spoofing prevents applications from sending or receiving +packets with source or destination addresses that do not match the configured +address of a port. For example, multicast packets use a multicast group address +as the destination address rather than the address of the virtual machine. +While all security groups can be removed from a port, disabling MAC +anti-spoofing requires the port security extension. + +.. note:: + + - By default port security is enabled on every port. + + - All security groups must be removed from a port before disabling port + security. + +This table shows example neutron commands to selectively disable or enable +port security for a single port: + +.. list-table:: **Port security operations** + :widths: 30 50 + :header-rows: 1 + + * - Operation + - Command + * - Disable port security on a port. + - .. code-block:: console + + $ neutron port-update --port-security-enabled=False PORT_ID + * - Enable port security on a port. + - .. code-block:: console + + $ neutron port-update --port-security-enabled=True PORT_ID + +Port security can also be disabled when a port is created using +``port_security_enabled`` attribute. + +The ``port_security_enabled`` attribute can also be used at the network level +to disable port security by default for all ports in a specific network. + Basic Load-Balancer-as-a-Service operations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
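Review bot: The new "Disabling port security" section never states what a port loses once `--port-security-enabled=False` is applied; the opening paragraph presents security groups and anti-spoofing only as an obstacle for applications. Add a sentence next to the note block saying that a port with port security disabled has no security groups attached and no MAC anti-spoofing, so the setting should be limited to the ports that need it. The closing paragraph on the network-level attribute needs the same caution, because by the text's own wording it changes the default "for all ports in a specific network". The note says all security groups must be removed before disabling port security, but the "Disable port security on a port" row shows only the final command; point back to `neutron port-update --no-security-groups PORT_ID` just above so the procedure is complete in order. The last two paragraphs describe setting ``port_security_enabled`` at port creation and at the network level without an example command, unlike the table rows, and "using ``port_security_enabled`` attribute" is missing "the".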