The end cmd PING is correct. But I think you didn't set the ip address in the vm to simulate the scenario of allowed-address-pair I will show the details about that in devstack. 1.neutron port-create private --name port1 --allowed-address-pair ip_address=10.0.0.20 +-----------------------+-------------------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+-------------------------------------------------------------------------------------------------------------+ | admin_state_up | True | | allowed_address_pairs | {"ip_address": "10.0.0.20", "mac_address": "fa:16:3e:6c:b8:a9"} | | binding:host_id | | | binding:profile | {} | | binding:vif_details | {} | | binding:vif_type | unbound | | binding:vnic_type | normal | | created_at | 2017-06-14T06:25:24Z | | description | | | device_id | | | device_owner | | | extra_dhcp_opts | | | fixed_ips | {"subnet_id": "5b81483d-f2cb-4ebf-b283-db6a85253808", "ip_address": "10.0.0.6"} | | | {"subnet_id": "0908db76-619d-44dd-a7b9-b144498303c3", "ip_address": "fd67:fab0:e3b1:0:f816:3eff:fe6c:b8a9"} | | id | f953e147-004e-4bd5-9010-2fd46adf524b | | mac_address | fa:16:3e:6c:b8:a9 | | name | port1 | | network_id | 18f6a39e-60f8-4045-b152-9803b7571779 | | port_security_enabled | True | | project_id | 0d494454370c4b5da9e298ba8fee6ac2 | | revision_number | 9 | | security_groups | 7639863e-157a-4f2f-b34e-ece25a3d4d2a | | status | DOWN | | tags | | | tenant_id | 0d494454370c4b5da9e298ba8fee6ac2 | | updated_at | 2017-06-14T06:25:25Z | +-----------------------+-------------------------------------------------------------------------------------------------------------+ 2.neutron port-create private --name port2 --fixed-ip ip_address=10.0.0.20 +-----------------------+-------------------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------------+-------------------------------------------------------------------------------------------------------------+ | admin_state_up | True | | allowed_address_pairs | | | binding:host_id | | | binding:profile | {} | | binding:vif_details | {} | | binding:vif_type | unbound | | binding:vnic_type | normal | | created_at | 2017-06-14T06:27:50Z | | description | | | device_id | | | device_owner | | | extra_dhcp_opts | | | fixed_ips | {"subnet_id": "5b81483d-f2cb-4ebf-b283-db6a85253808", "ip_address": "10.0.0.20"} | | | {"subnet_id": "0908db76-619d-44dd-a7b9-b144498303c3", "ip_address": "fd67:fab0:e3b1:0:f816:3eff:fe92:b3c3"} | | id | aeaf7b7a-0eba-4bca-ad3a-1c7726def0de | | mac_address | fa:16:3e:92:b3:c3 | | name | port2 | | network_id | 18f6a39e-60f8-4045-b152-9803b7571779 | | port_security_enabled | True | | project_id | 0d494454370c4b5da9e298ba8fee6ac2 | | revision_number | 8 | | security_groups | 7639863e-157a-4f2f-b34e-ece25a3d4d2a | | status | DOWN | | tags | | | tenant_id | 0d494454370c4b5da9e298ba8fee6ac2 | | updated_at | 2017-06-14T06:27:50Z | +-----------------------+-------------------------------------------------------------------------------------------------------------+ 3.now the router namespace arp is like: ip netns exec qrouter-58aa2d9f-4ade-43e1-b9ae-5a45014be2a6 arp -a ? (10.0.0.10) at fa:16:3e:3d:a5:53 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.2) at fa:16:3e:0f:6c:09 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.3) at fa:16:3e:e4:5b:04 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.12) at fa:16:3e:c9:a7:7b [ether] PERM on qr-1ac4656b-dd 4.nova boot --flavor 1 --image cirros-0.3.4-x86_64 --nic port-id=f953e147-004e-4bd5-9010-2fd46adf524b test_vm1 5.now the router namespace arp is like: root@compute2:~# ip netns exec qrouter-58aa2d9f-4ade-43e1-b9ae-5a45014be2a6 arp -a ? (10.0.0.6) at fa:16:3e:6c:b8:a9 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.10) at fa:16:3e:3d:a5:53 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.2) at fa:16:3e:0f:6c:09 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.20) at fa:16:3e:6c:b8:a9 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.3) at fa:16:3e:e4:5b:04 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.12) at fa:16:3e:c9:a7:7b [ether] PERM on qr-1ac4656b-dd 6.Now we can login the test_vm1, and test to ping 10.0.0.1, also test to ping it with src ip 10.0.0.20 after 'ip add add 10.0.0.20/26 dev eth0'. Both of them will be OK. 7. Maintain to ping 10.0.0.1 with src ip 10.0.0.20 in vm1 7.nova boot --flavor 1 --image cirros-0.3.4-x86_64 --nic port-id=aeaf7b7a-0eba-4bca-ad3a-1c7726def0de[port2] vm2 8.root@compute2:~# ip netns exec qrouter-58aa2d9f-4ade-43e1-b9ae-5a45014be2a6 arp -a ? (10.0.0.6) at fa:16:3e:6c:b8:a9 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.10) at fa:16:3e:3d:a5:53 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.2) at fa:16:3e:0f:6c:09 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.20) at fa:16:3e:92:b3:c3 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.3) at fa:16:3e:e4:5b:04 [ether] PERM on qr-1ac4656b-dd ? (10.0.0.12) at fa:16:3e:c9:a7:7b [ether] PERM on qr-1ac4656b-dd 9.Find vm1 Ping cmd hang, there is no more Ping response. 10. Capture the packets on qr-port. ip netns exec qrouter-58aa2d9f-4ade-43e1-b9ae-5a45014be2a6 tcpdump -ei qr-1ac4656b-dd 03:51:34.701899 fa:16:3e:6c:b8:a9 (oui Unknown) > fa:16:3e:71:23:db (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.20 > 10.0.0.1: ICMP echo request, id 5633, seq 34, length 64 03:51:34.701942 fa:16:3e:71:23:db (oui Unknown) > fa:16:3e:92:b3:c3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.20: ICMP echo reply, id 5633, seq 34, length 64 03:51:35.702010 fa:16:3e:6c:b8:a9 (oui Unknown) > fa:16:3e:71:23:db (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.20 > 10.0.0.1: ICMP echo request, id 5633, seq 35, length 64 03:51:35.702039 fa:16:3e:71:23:db (oui Unknown) > fa:16:3e:92:b3:c3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.20: ICMP echo reply, id 5633, seq 35, length 64 03:51:36.702091 fa:16:3e:6c:b8:a9 (oui Unknown) > fa:16:3e:71:23:db (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.20 > 10.0.0.1: ICMP echo request, id 5633, seq 36, length 64 03:51:36.702137 fa:16:3e:71:23:db (oui Unknown) > fa:16:3e:92:b3:c3 (oui Unknown), ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.20: ICMP echo reply, id 5633, seq 36, length 64