New Question

neutron security group not take effect in hyperv

asked 2015-04-24 04:19:20 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

Hi, all

I had deployed OpenStack and Hyper-v in my lab. Instance can get ip address from neutron dhcp-agent, and other functions also worked well.

But when creating or updating security_group rule, it takes no effect.

I trace the code, when updating a security group rule in dashboard, evently will call addvirtresource method in, meanwhile it will call AddResourceSettings [1] of class MsvmVirtualSystemManagementService. From the log, the retun vaule of AddResourceSettings is 0 , which means Completed with No Error.

But in powershell, with the command Get-VMNetworkAdapterAcl -VMName, there shows nothing about the updated rules.

I'm not sure this operation is asynchronously synchronously? Give me some advice about dealing with it next.

Hope for your answers, thanks!


edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted

answered 2015-04-24 18:10:07 +0300

Claudiu Belu gravatar image


From what I can tell, you are using Windows Hyper-V / Server 2012, not 2012 R2, by the fact that you are trying to Get-VMNetworkAdapterAcl, instead of Get-VMNetworkAdapterExtendedAcl.

Security Groups is fully supported only on Windows Hyper-V / Server 2012 R2, while it only has partial support on Windows Hyper-V / Server 2012 (no ports, no protocols, only sourceaddress / destinationaddress).

Best regards,

Claudiu Belu

edit flag offensive delete link more

answered 2015-04-25 18:09:57 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.


I'm using Server 2012 R2. It's my mistake using Get-VMNetworkAdapterAcl. After I'm using Get-VMNetworkAdapterExtendedAcl in my two hyperv nodes.In one node, I got the acls about instance, but the acls rules are not the same with neutron security_group rule. And the rule takes no effect. In another node, get extended acls shows nothing.

what are the default extended acl about hyperv? How should I do next? Thank you.

edit flag offensive delete link more


Hi, the extended ACLs are added per port per VM, and each port has its own set of ACLs. It is normal for a host that has no instance on it to yield nothing when Get-VMNetworkAdapterAcl is executed. Neutron also adds a few default security group rules (typically all ingress + dhcp rules).

Claudiu Belu gravatar imageClaudiu Belu ( 2016-11-09 20:00:39 +0300 )edit

answered 2015-04-24 15:18:31 +0300

alexpilotti gravatar image

What OS version are you using? 2012 R2?

edit flag offensive delete link more


Hi I'm using Server 2012 R2.

hellochosen gravatar imagehellochosen ( 2015-04-25 18:10:12 +0300 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Question Tools

1 follower


Asked: 2015-04-24 04:19:20 +0300

Seen: 231 times

Last updated: Apr 25 '15