Neutron Allowed address pairs

Allowed address pairs

Allowed-address-pairs allow you to specify one or multiple mac_address/ip_address (CIDR) pairs that is allowed to pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover. 

By default, only traffic associated with the subnet in your project will be allowed to pass though your servers network interface (neutron port). Adding 'allowed address pairs' enables us to specify other subnets that will be allowed to pass through the port regardless of our subnet, like a remote VPN subnet.

If you're configuring an OpenVPN server you will have to allow the virtual tunnels subnet here.
If you're configuring an IPsec Site to Site VPN you will have to allow the remote subnet you specify in your phase 2 configuration.

Take note of your servers local IP that you want to add allowed-address-pairs to.
Go to Network -> Networks -> default-network and find the port with the same IP.
Click on the ports id and then go to the tab Allowed Address Pairs.


Click on the button Add Allowed Address Pair and enter your subnet (ex., you can leave the MAC Address field empty.

You can always come back to this part later if you're still not sure which subnet you're going to use.

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.