[NSX-V] Allow VIP-like address if allow_multiple_address_pairs=True

When this flag is enabled, spoofguard restrictions do not apply,
therefore the same IP address can be used in allowed address pairs
for multiple ports on the same logical switch.

Change-Id: Idb5175451b2aa0bec631511c68c7b404e782d8d7

vmware_nsx/plugins/nsx_v/plugin.py

@@ -1997,12 +1997,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                 raise n_exc.InvalidInput(error_message=msg)
 
     def _validate_address_pairs(self, context, attrs, db_port):
-        self._validate_unique_address_pair_across_network(
-            context, db_port, attrs[addr_apidef.ADDRESS_PAIRS])
         network_port_security = self._get_network_security_binding(
             context, db_port['network_id'])
-        if (not cfg.CONF.nsxv.allow_multiple_ip_addresses and
+        if not (cfg.CONF.nsxv.allow_multiple_ip_addresses and
                 not network_port_security):
+            self._validate_unique_address_pair_across_network(
+                 context, db_port, attrs[addr_apidef.ADDRESS_PAIRS])
             for ap in attrs[addr_apidef.ADDRESS_PAIRS]:
                 # Check that the IP address is a subnet
                 if len(ap['ip_address'].split('/')) > 1: