Managing Ports in OpenStack Horizon

Introduction

Ports represent the connection points between instances and networks in OpenStack. Each port functions as a virtual network interface card with its own MAC address, IP address, and security settings. Understanding port management is essential for configuring advanced networking scenarios, troubleshooting connectivity issues, and implementing security policies.

This guide covers viewing ports on networks, creating ports with specific IP addresses, configuring port properties, managing security settings, and working with allowed address pairs. Most port operations can be performed through the Horizon dashboard, with CLI alternatives provided for automation and scripting workflows.

Understanding OpenStack Ports

In OpenStack Neutron (the networking service), a port is a logical entity that represents a network attachment point. Think of a port as a virtual Ethernet jack where you can plug in an instance or other network device.

Key Port Properties:

  • MAC Address: Unique hardware address assigned to the port
  • IP Address: One or more IP addresses from the connected subnet
  • Security Groups: Firewall rules controlling inbound and outbound traffic
  • Admin State: Whether the port is administratively enabled or disabled
  • Port Security: Whether MAC/IP spoofing protection is enabled
  • Allowed Address Pairs: Additional MAC/IP combinations the port can use

When Ports Are Created Automatically:

OpenStack creates ports automatically when you:

  • Launch an instance and select networks during creation
  • Attach a network interface to a running instance
  • Create certain network resources like routers or load balancers

When to Create Ports Manually:

You may need to create ports manually when:

  • Reserving specific IP addresses before launching instances
  • Pre-configuring security groups and network settings
  • Creating ports for external systems or network appliances
  • Implementing complex networking with allowed address pairs or port forwarding

How to View Ports in Horizon Dashboard

Viewing All Ports in Your Project

  1. Log in to the OpenStack Horizon dashboard
  2. Navigate to Project > Network > Networks
  3. Click on the network name you want to examine
  4. Select the Ports tab

The ports list shows each port on the selected network with its name, fixed IP address(es), attached device (if any), status, and admin state.

Viewing Port Details

  1. From the ports list, click on a port name
  2. The port detail page displays:
     • Overview information (ID, name, status, network, MAC address)
     • Fixed IP addresses and subnets
     • Security groups attached to the port
     • Device owner and device ID (if attached to an instance)
     • Admin state (up or down)
     • Port security status
     • Allowed address pairs (if configured)

Identifying Port Types

Instance Ports:

  • Device Owner shows compute:nova or similar
  • Device ID contains the instance UUID
  • These ports are attached to running virtual machines

Router Ports:

  • Device Owner shows network:router_interface or network:router_gateway
  • These connect routers to networks

DHCP Ports:

  • Device Owner shows network:dhcp
  • Used by the DHCP service to assign IP addresses

Unattached Ports:

  • Device Owner and Device ID are empty
  • Available for manual attachment to instances

How to Create a Port in Horizon Dashboard

Creating a Basic Port

  1. Navigate to Project > Network > Networks
  2. Click on the target network name
  3. Select the Ports tab
  4. Click the Create Port button
  5. Configure the port settings:
     • Name: Enter a descriptive name (e.g., web-server-port)
     • Admin State: Leave as "UP" for normal operation
     • Device ID: Leave blank (will be set when attached to a device)
     • Device Owner: Leave blank (will be set automatically)
  6. Click Create

The port is created with an automatically assigned IP address from the network's subnet allocation pool.

Creating a Port with a Specific IP Address

  1. Navigate to Project > Network > Networks
  2. Click on the target network name
  3. Select the Ports tab
  4. Click the Create Port button
  5. Configure basic settings (name, admin state)
  6. In the Fixed IP Addresses section:
     • Click Add Fixed IP
     • Select the subnet from the dropdown
     • Enter the desired IP address in the "IP Address" field
     • The IP must be within the subnet's range and not already allocated
  7. Click Create

Important: The specified IP address must be available (not in use by another port). It may be inside the subnet's allocation pool, or outside the pool as long as it is within the subnet's CIDR range.

Creating a Port with Multiple IP Addresses

Some use cases require a port with multiple IP addresses on different subnets:

  1. Follow the steps above to create a port
  2. In the Fixed IP Addresses section:
     • Click Add Fixed IP for each additional IP address
     • Select the subnet for each IP
     • Specify the IP address or leave blank for automatic assignment
  3. Click Create

This configuration is useful for instances that need to communicate on multiple subnets through a single interface.

How to Edit Port Properties in Horizon Dashboard

Changing Port Name

  1. Navigate to Project > Network > Networks
  2. Click on the network containing the port
  3. Go to the Ports tab
  4. Click the dropdown menu next to the port
  5. Select Edit Port
  6. Update the Name field
  7. Click Submit

Changing Admin State

The admin state controls whether the port is enabled or disabled at the network level.

  1. From the ports list, click the dropdown menu next to the port
  2. Select Edit Port
  3. Change the Admin State toggle:
     • UP: Port is enabled and can pass traffic
     • DOWN: Port is administratively disabled
  4. Click Submit

Setting admin state to DOWN effectively disables network connectivity for the port without deleting it. This is useful for temporarily isolating an instance or testing network configurations.

Modifying Security Groups

Security groups act as virtual firewalls, controlling which traffic can enter or leave through the port.

  1. Navigate to the port's detail page or edit screen
  2. In the Security Groups section:
     • The currently assigned security groups are listed
     • To add a security group: Click Edit Port and select additional groups
     • To remove a security group: Edit the port and deselect the group
  3. Click Submit

Important: Every port must have at least one security group. If you remove all security groups, OpenStack will apply the default security group automatically.

Common Security Group Patterns:

  • Web servers: Assign groups allowing ports 80 (HTTP) and 443 (HTTPS)
  • Database servers: Assign groups allowing only internal network access on database ports
  • Management interfaces: Assign restrictive groups allowing only SSH from specific source IPs

How to Configure Port Security in Horizon Dashboard

Port security provides anti-spoofing protection by preventing ports from using MAC or IP addresses other than those assigned. This prevents instances from impersonating other systems or launching certain types of network attacks.

Viewing Port Security Status

Port security status is visible on the port detail page under the port security field. By default, port security is enabled on newly created ports.

Disabling Port Security

When to Disable Port Security:

Disable port security for:

  • Network appliances that need to handle traffic for multiple IP addresses (load balancers, firewalls)
  • High availability configurations using virtual IP addresses that float between instances
  • Network monitoring or analysis tools that need to capture traffic in promiscuous mode
  • Complex routing scenarios where the port forwards traffic for other addresses

How to Disable Port Security:

Port security can only be modified using the OpenStack CLI. The Horizon dashboard does not currently provide a UI option for this setting.

See the CLI section below for instructions on disabling port security.

Security Implications:

Disabling port security removes anti-spoofing protections. Only disable port security when necessary for your specific use case, and ensure other security controls (security groups, network segmentation) are properly configured.

How to Configure Allowed Address Pairs in Horizon Dashboard

Allowed address pairs enable a port to send and receive traffic for MAC/IP address combinations beyond its assigned addresses. This provides flexibility for advanced networking while keeping port security enabled.

Common Use Cases:

  • Virtual IP addresses in high availability clusters
  • Network appliances that proxy or NAT traffic
  • Containers or nested virtualization where multiple systems share one port
  • Floating IP implementations in custom networking setups

Adding Allowed Address Pairs via CLI

The Horizon dashboard does not provide a UI for managing allowed address pairs; use the OpenStack CLI for this configuration.

See the CLI section below for instructions on configuring allowed address pairs.

How to Delete a Port in Horizon Dashboard

  1. Navigate to Project > Network > Networks
  2. Click on the network containing the port
  3. Go to the Ports tab
  4. Select the checkbox next to the port(s) you want to delete
  5. Click the Delete Ports button
  6. Confirm the deletion

Important Restrictions:

  • You cannot delete ports that are currently attached to active devices (instances, routers, etc.)
  • Detach the port from the device first, then delete it
  • System ports (DHCP, router interfaces) are protected and cannot be deleted through the normal interface

Cleaning Up Unused Ports:

Periodically review your ports list and delete unused ports to:

  • Free up IP addresses in your subnet allocation pools
  • Reduce clutter in the network interface
  • Ensure accurate network documentation

How to Manage Ports Using OpenStack CLI

Installing and Configuring the CLI

Before using the OpenStack CLI, ensure it's installed and configured:

    pip install python-openstackclient

Set up authentication with environment variables or an OpenStack RC file:

    source openstack-rc.sh

Listing Ports

List all ports in your project:

    openstack port list

List ports on a specific network:

    openstack port list --network <network-name-or-id>

List ports attached to a specific instance:

    openstack port list --server <instance-name-or-id>

Filter ports by fixed IP address:

    openstack port list --fixed-ip ip-address=<ip-address>

Viewing Port Details

Show detailed information for a specific port:

    openstack port show <port-id-or-name>

This displays all port properties including MAC address, IP addresses, security groups, admin state, port security status, and allowed address pairs.

Show port details in JSON format (useful for scripting):

    openstack port show <port-id-or-name> -f json

Creating a Port

Create a port with automatic IP assignment:

    openstack port create --network <network-name-or-id> <port-name>

Create a port with a specific IP address:

    openstack port create \
      --network <network-name-or-id> \
      --fixed-ip subnet=<subnet-name-or-id>,ip-address=<ip-address> \
      <port-name>

Create a port with multiple IP addresses:

    openstack port create \
      --network <network-name-or-id> \
      --fixed-ip subnet=<subnet-1-id>,ip-address=<ip-1> \
      --fixed-ip subnet=<subnet-2-id>,ip-address=<ip-2> \
      <port-name>

Create a port and assign security groups:

    openstack port create \
      --network <network-name-or-id> \
      --security-group <security-group-1> \
      --security-group <security-group-2> \
      <port-name>

Editing Port Properties

Change port name:

    openstack port set --name <new-name> <port-id-or-name>

Set admin state to down (disable port):

    openstack port set --disable <port-id-or-name>

Set admin state to up (enable port):

    openstack port set --enable <port-id-or-name>

Update security groups (replaces existing assignments):

    # --no-security-group clears the current groups so the listed ones
    # replace them (--security-group on its own adds to the existing set)
    openstack port set \
      --no-security-group \
      --security-group <security-group-1> \
      --security-group <security-group-2> \
      <port-id-or-name>

Add a security group without removing existing ones:

    # First get current security groups
    openstack port show <port-id> -c security_group_ids -f value

    # Then set all groups including the new one; --no-security-group
    # makes the final set exactly the groups listed here
    openstack port set \
      --no-security-group \
      --security-group <existing-group-1> \
      --security-group <existing-group-2> \
      --security-group <new-group> \
      <port-id-or-name>

Remove all security groups (will apply default group automatically):

    openstack port set --no-security-group <port-id-or-name>

Disabling Port Security

Disable port security (removes anti-spoofing protection):

    openstack port set --no-security-group --disable-port-security <port-id-or-name>

Important: You must remove security groups before disabling port security. If security groups are attached, the disable operation will fail.

Enable port security:

    openstack port set --enable-port-security <port-id-or-name>

Verify port security status:

    openstack port show <port-id-or-name> -c port_security_enabled

Configuring Allowed Address Pairs

Add an allowed address pair:

    openstack port set \
      --allowed-address ip-address=<additional-ip-address> \
      <port-id-or-name>

Add an allowed address pair with MAC address:

    openstack port set \
      --allowed-address ip-address=<ip-address>,mac-address=<mac-address> \
      <port-id-or-name>

Add multiple allowed address pairs:

    openstack port set \
      --allowed-address ip-address=<ip-1> \
      --allowed-address ip-address=<ip-2> \
      <port-id-or-name>

Remove all allowed address pairs:

    openstack port set --no-allowed-address <port-id-or-name>

Common Allowed Address Pair Patterns:

Virtual IP for high availability:

    # Primary instance port
    openstack port set --allowed-address ip-address=<virtual-ip> <port-1-id>

    # Secondary instance port
    openstack port set --allowed-address ip-address=<virtual-ip> <port-2-id>

Subnet range for proxy or NAT device:

    openstack port set --allowed-address ip-address=<subnet-cidr> <port-id>

Example for entire private subnet:

    openstack port set --allowed-address ip-address=10.0.1.0/24 <port-id>

Deleting a Port

Delete a single port:

    openstack port delete <port-id-or-name>

Delete multiple ports:

    openstack port delete <port-1-id> <port-2-id> <port-3-id>

Important: You cannot delete ports that are currently attached to devices. Detach the port first:

    openstack server remove port <instance-id> <port-id>
    openstack port delete <port-id>

Attaching and Detaching Ports

Attach an existing port to an instance:

    openstack server add port <instance-name-or-id> <port-id-or-name>

Detach a port from an instance:

    openstack server remove port <instance-name-or-id> <port-id-or-name>

Important: You cannot detach the primary network interface (the port created when the instance was launched). Every instance must have at least one port attached.

Troubleshooting Port Issues

Port Shows as "Down" Status

Symptoms: Port status shows "DOWN" instead of "ACTIVE" even though connected to an instance.

Resolution steps:

  1. Check admin state:

         openstack port show <port-id> -c admin_state_up

     If admin state is False, enable it:

         openstack port set --enable <port-id>

  2. Verify the attached device (instance) is running:

         openstack server show <instance-id> -c status

  3. Check network agent health:

         openstack network agent list

  4. Restart the instance's networking service or reboot if necessary

Cannot Create Port with Specific IP Address

Symptoms: Port creation fails with "IP address already allocated" error.

Resolution:

  1. Verify the IP is not already in use:

         openstack port list --fixed-ip ip-address=<ip-address>

  2. Check if the IP is outside the subnet's allocation pool:

         openstack subnet show <subnet-id> -c allocation_pools

     If the IP is outside the allocation pool but within the subnet range, it should still be usable unless allocated to another port.

  3. Check for conflicts with DHCP reserved addresses:

         openstack subnet show <subnet-id> -c gateway_ip

     Ensure your desired IP does not conflict with the gateway IP or DNS nameserver IPs.
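
The three checks above can be combined into one pre-flight test before running port create. This is an added example, not part of the original guide: the sample subnet and port records are constructed, their field layout is assumed to match `openstack subnet show -f json` and `openstack port show -f json`, and check_fixed_ip is a hypothetical helper.

```python
import ipaddress

# Constructed sample data. The layout follows `openstack subnet show -f json`
# and `openstack port show -f json`; treat the field names as assumptions.
SUBNET = {
    "cidr": "10.0.1.0/24",
    "gateway_ip": "10.0.1.1",
    "dns_nameservers": ["10.0.1.2"],
    "allocation_pools": [{"start": "10.0.1.100", "end": "10.0.1.200"}],
}
PORTS = [
    {"name": "web-server-port", "fixed_ips": [{"ip_address": "10.0.1.150"}]},
]


def check_fixed_ip(candidate, subnet, ports):
    """Return (usable, reason) for a requested fixed IP (hypothetical helper)."""
    ip = ipaddress.ip_address(candidate)
    net = ipaddress.ip_network(subnet["cidr"])

    # The address must belong to the subnet at all.
    if ip not in net:
        return False, "outside subnet CIDR"

    # Gateway and DNS nameserver addresses are not available for ports.
    gateway = subnet.get("gateway_ip")
    if gateway and ip == ipaddress.ip_address(gateway):
        return False, "conflicts with gateway IP"
    if any(ip == ipaddress.ip_address(d)
           for d in subnet.get("dns_nameservers", [])):
        return False, "conflicts with DNS nameserver"

    # An address already held by any port cannot be allocated again.
    for port in ports:
        for fixed in port.get("fixed_ips", []):
            if ip == ipaddress.ip_address(fixed["ip_address"]):
                return False, f"already allocated to port {port['name']}"

    # Inside or outside the pool are both usable; report which one applies.
    in_pool = any(
        ipaddress.ip_address(p["start"]) <= ip <= ipaddress.ip_address(p["end"])
        for p in subnet.get("allocation_pools", []))
    if in_pool:
        return True, "inside allocation pool"
    return True, "outside allocation pool but within subnet CIDR"


if __name__ == "__main__":
    for addr in ("10.0.1.150", "10.0.1.1", "10.0.1.50", "10.0.2.5"):
        print(addr, check_fixed_ip(addr, SUBNET, PORTS))
```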

Security Group Rules Not Working

Symptoms: Traffic is blocked even though security group rules appear correct.

Resolution:

  1. Verify security groups are attached to the port:

         openstack port show <port-id> -c security_group_ids

  2. Review the actual security group rules:

         openstack security group rule list <security-group-id>

  3. Check if port security is enabled:

         openstack port show <port-id> -c port_security_enabled

     If port security is disabled, security group rules will not be enforced.

  4. Verify rules allow both directions if needed (ingress and egress)
  5. Check that remote IP matches your source address:

         curl ifconfig.me # Check your current public IP

Allowed Address Pairs Not Working

Symptoms: Traffic from allowed IP addresses is still being dropped.

Resolution:

  1. Verify allowed address pairs are configured:

         openstack port show <port-id> -c allowed_address_pairs

  2. Ensure port security is enabled (allowed address pairs require port security):

         openstack port show <port-id> -c port_security_enabled

  3. Check that security group rules allow traffic for the additional addresses
  4. Verify the application inside the instance is actually configured to use the additional IP address:

         ip addr show # Inside the instance

  5. For virtual IPs in HA configurations, ensure the clustering software (Keepalived, Pacemaker, etc.) is correctly configured

Cannot Delete Port

Symptoms: Port deletion fails with "Port in use" error.

Common causes:

  1. Port is attached to an active instance
  2. Port is being used by a router
  3. Port is a DHCP or system port

Resolution:

  1. Check what device owns the port:

         openstack port show <port-id> -c device_owner -c device_id

  2. If attached to an instance, detach it first:

         openstack server remove port <instance-id> <port-id>

  3. If attached to a router interface:

         openstack router remove subnet <router-id> <subnet-id>

  4. System ports (DHCP, router gateway) cannot be deleted directly and are managed automatically by OpenStack

Best Practices

Pre-create ports for IP address management: When you need specific IP addresses, create ports before launching instances. This ensures predictable IP allocation and simplifies network documentation.

Use descriptive port names: Name ports based on their purpose and the instance they'll attach to (e.g., web-server-01-public, db-primary-mgmt). This simplifies troubleshooting and network audits.

Apply security groups at port creation: Assign appropriate security groups when creating ports rather than relying on defaults. This implements security-by-design.

Document allowed address pairs: Maintain records of which ports use allowed address pairs and why. This prevents confusion during troubleshooting and ensures the configuration is preserved during infrastructure changes.

Disable port security only when necessary: Keep port security enabled unless you have a specific requirement. When disabling, document the reason and ensure compensating security controls are in place.

Clean up unused ports: Periodically review and delete ports that are no longer attached to devices. Unused ports consume IP addresses and create clutter.

Use CLI for automation: For repetitive port operations or infrastructure-as-code deployments, use the OpenStack CLI or APIs with automation tools like Ansible or Terraform.

Monitor port status: Include port status checks in your monitoring systems. Alert on unexpected status changes or ports that fail to reach ACTIVE state.

Plan IP addressing before deployment: Design your network IP allocation strategy before creating instances. Reserve IP ranges for specific purposes (application servers, databases, load balancers) to maintain organization.
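
An audit pass for the practices above (document allowed address pairs, keep port security enabled, clean up unused ports), as an added example that is not part of the original guide. It assumes port records exported with `openstack port show -f json`; the sample data, the JSON field layout and the audit_ports helper are constructed for illustration.

```python
import ipaddress

# Constructed sample, shaped like a list of `openstack port show -f json`
# records; the field layout is an assumption.
PORTS = [
    {"name": "web-server-01-public", "device_owner": "compute:nova",
     "device_id": "instance-a", "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.1.10"}],
     "allowed_address_pairs": [{"ip_address": "10.0.1.250"}]},
    {"name": "nat-appliance", "device_owner": "compute:nova",
     "device_id": "instance-b", "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.1.20"}],
     "allowed_address_pairs": [{"ip_address": "10.0.1.0/24"}]},
    {"name": "capture-probe", "device_owner": "compute:nova",
     "device_id": "instance-c", "port_security_enabled": False,
     "fixed_ips": [{"ip_address": "10.0.1.30"}],
     "allowed_address_pairs": []},
    {"name": "reserved-db-ip", "device_owner": "", "device_id": "",
     "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "10.0.1.40"}],
     "allowed_address_pairs": []},
    {"name": "dhcp", "device_owner": "network:dhcp", "device_id": "dhcp-agent",
     "port_security_enabled": False,
     "fixed_ips": [{"ip_address": "10.0.1.2"}],
     "allowed_address_pairs": []},
]


def audit_ports(ports):
    """Return (port name, finding) tuples for settings worth reviewing."""
    findings = []
    for port in ports:
        name = port["name"]
        owner = port.get("device_owner") or ""
        if owner.startswith("network:"):
            continue  # DHCP and router ports are managed by OpenStack
        if not owner and not port.get("device_id"):
            findings.append((name, "unattached port still holds an IP"))
        if not port.get("port_security_enabled", True):
            findings.append((name, "port security disabled: no anti-spoofing, "
                                   "security groups not enforced"))
        for pair in port.get("allowed_address_pairs") or []:
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            if net.num_addresses == 1:
                continue  # single address, e.g. an HA virtual IP
            # A range lets this port use addresses assigned to other ports.
            covered = sorted(
                other["name"] for other in ports if other is not port
                and any(ipaddress.ip_address(f["ip_address"]) in net
                        for f in other.get("fixed_ips", [])))
            findings.append((name, f"allowed address pair {net} also covers "
                                   f"fixed IPs of: {', '.join(covered) or 'none'}"))
    return findings


if __name__ == "__main__":
    for port_name, finding in audit_ports(PORTS):
        print(f"{port_name}: {finding}")
```

Each finding is a prompt to check that the setting is documented and still required, not proof of a misconfiguration.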

Advanced Port Configurations

Port Trunking for VLAN Support

Port trunking allows a single port to carry traffic for multiple VLANs, useful for network appliances or nested virtualization:

    openstack network trunk create --parent-port <port-id> <trunk-name>
    openstack network trunk set --subport port=<subport-id>,segmentation-type=vlan,segmentation-id=<vlan-id> <trunk-name>

Quality of Service (QoS) Policies

Apply QoS policies to ports to enforce bandwidth limits or prioritize traffic:

    # Create QoS policy and add a bandwidth limit rule to it
    openstack network qos policy create <policy-name>
    openstack network qos rule create --type bandwidth-limit --max-kbps <limit> <policy-id>

    # Apply to port
    openstack port set --qos-policy <policy-id> <port-id>

Direct Port Binding for Performance

Some OpenStack deployments support SR-IOV or hardware offload for improved network performance:

    openstack port create --network <network-id> --vnic-type direct <port-name>

Check with your OpenStack administrator for available vNIC types and their requirements.

Conclusion

Port management in OpenStack provides fine-grained control over network connectivity, security, and IP address allocation. By understanding how to create, configure, and troubleshoot ports, you can implement advanced networking configurations that meet your application requirements.

Start with basic port operations in the Horizon dashboard for everyday tasks, then leverage the CLI for automation and advanced configurations like allowed address pairs and port security management. Always test connectivity after port changes and document your network topology for future reference.

For further assistance with OpenStack networking and port management, consult your cloud provider's documentation or contact technical support for deployment-specific guidance.