By default, Neutron applies antispoofing rules to all ports to ensure that unexpected or undesired traffic cannot originate from or pass through a port. This includes rules that prohibit instances from running DHCP servers or acting as routers. To address the latter, the allowed-address-pairs extension can be used to allow additional subnets and MAC addresses through the port. However, additional functionality may be required that cannot be addressed by the allowed-address-pairs extension.

In Kilo, the port security extension was introduced for the ML2 plugin that allows all packet filtering to be disabled on a port. This is especially useful when deploying instances for NFV purposes. The port security extension requires ...