diff --git a/neutron/plugins/vmware/plugins/base.py b/neutron/plugins/vmware/plugins/base.py index e57b38e5ae..98485da5bf 100644 --- a/neutron/plugins/vmware/plugins/base.py +++ b/neutron/plugins/vmware/plugins/base.py @@ -1674,10 +1674,11 @@ class NsxPluginV2(addr_pair_db.AllowedAddressPairsMixin, if port_id: port_data = self.get_port(context, port_id) # If security groups are present we need to remove them as - # this is a router port. + # this is a router port and disable port security. if port_data['security_groups']: self.update_port(context, port_id, - {'port': {'security_groups': []}}) + {'port': {'security_groups': [], + psec.PORTSECURITY: False}}) nsx_switch_id, nsx_port_id = nsx_utils.get_nsx_switch_and_port_id( context.session, self.cluster, port_id) # Unplug current attachment from lswitch port diff --git a/neutron/tests/unit/vmware/test_nsx_plugin.py b/neutron/tests/unit/vmware/test_nsx_plugin.py index c0b1097b02..e5a6c602a1 100644 --- a/neutron/tests/unit/vmware/test_nsx_plugin.py +++ b/neutron/tests/unit/vmware/test_nsx_plugin.py @@ -1008,6 +1008,7 @@ class TestL3NatTestCase(L3NatTest, # fetch port and confirm no security-group on it. body = self._show('ports', p['port']['id']) self.assertEqual(body['port']['security_groups'], []) + self.assertFalse(body['port']['port_security_enabled']) # clean-up self._router_interface_action('remove', r['router']['id'],