diff --git a/manifests/agents/ml2/ovs.pp b/manifests/agents/ml2/ovs.pp index d8a989955..d8c3b9896 100644 --- a/manifests/agents/ml2/ovs.pp +++ b/manifests/agents/ml2/ovs.pp @@ -140,6 +140,11 @@ # groups or not. # Defaults to $::os_service_default # +# [*permitted_ethertypes*] +# (optional) List of additional ethernet types to be configured +# on the firewall. +# Defaults to $::os_service_default +# # [*minimize_polling*] # (optional) Minimize polling by monitoring ovsdb for interface # changes. (boolean value) @@ -182,6 +187,7 @@ class neutron::agents::ml2::ovs ( $purge_config = false, $enable_dpdk = false, $enable_security_group = $::os_service_default, + $permitted_ethertypes = $::os_service_default, $minimize_polling = $::os_service_default, $tunnel_csum = $::os_service_default, # DEPRECATED @@ -203,6 +209,13 @@ class neutron::agents::ml2::ovs ( fail('vhost user socket directory for ovs agent must be set when DPDK is enabled') } + if ! is_service_default($permitted_ethertypes) { + validate_legacy(Array, 'validate_array', $permitted_ethertypes) + neutron_agent_ovs { + 'securitygroup/permitted_ethertypes': value => join($permitted_ethertypes, ','); + } + } + if $manage_vswitch { if $enable_dpdk { require ::vswitch::dpdk diff --git a/releasenotes/notes/add-permitted-ethertypes-a5e8f47e85ed8992.yaml b/releasenotes/notes/add-permitted-ethertypes-a5e8f47e85ed8992.yaml new file mode 100644 index 000000000..30c0216df --- /dev/null +++ b/releasenotes/notes/add-permitted-ethertypes-a5e8f47e85ed8992.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Add support for configuring security group permitted_ethertypes on the + Neutron OVS agent. diff --git a/spec/classes/neutron_agents_ml2_ovs_spec.rb b/spec/classes/neutron_agents_ml2_ovs_spec.rb index d17eaad3f..3db926299 100644 --- a/spec/classes/neutron_agents_ml2_ovs_spec.rb +++ b/spec/classes/neutron_agents_ml2_ovs_spec.rb 
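Review bot: The new `permitted_ethertypes` doc block in the first hunk of manifests/agents/ml2/ovs.pp does not say what form the entries take or what listing one means for filtering. The spec in this commit passes `['0x4008', '0x5']`, so the expected form appears to be an array of 0x-prefixed hexadecimal strings, and the text could say so: `# (optional) Array of additional ethertypes, as 0x-prefixed hex strings (e.g. ['0x4008']), to be permitted by the OVS firewall.` Since every entry widens what the agent's firewall lets through, I would also add one line advising operators to keep the list minimal. How listed ethertypes interact with security-group rules is not visible here and should be confirmed against the Neutron option's documentation before being stated as fact.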
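Review bot: The `securitygroup/permitted_ethertypes` resource is declared only inside `if ! is_service_default($permitted_ethertypes)`, so removing the parameter later leaves the previously written allow-list in the agent configuration unless `purge_config` is enabled. For a setting that widens what the firewall passes, I would declare the resource unconditionally and hand it the service default when nothing is supplied, as the spec shows `securitygroup/enable_security_group` being managed by default. This assumes the provider drops the key on the service default, and the `should_not contain_neutron_agent_ovs` expectation in the spec would need to change with it. The `validate_legacy(Array, ...)` check also accepts any element, so tightening the type to something like `Array[Pattern[/\A0x[0-9a-fA-F]+\z/]]` would reject malformed entries at compile time. The class body starts and ends outside this hunk.

```puppet
  # … unchanged: DPDK vhost user socket directory check …
  if is_service_default($permitted_ethertypes) {
    # Pass the default through so a previously configured list is not left behind.
    $permitted_ethertypes_real = $permitted_ethertypes
  } else {
    validate_legacy(Array, 'validate_array', $permitted_ethertypes)
    $permitted_ethertypes_real = join($permitted_ethertypes, ',')
  }

  neutron_agent_ovs {
    'securitygroup/permitted_ethertypes': value => $permitted_ethertypes_real;
  }
```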
@@ -55,6 +55,7 @@ describe 'neutron::agents::ml2::ovs' do with_value(p[:firewall_driver]) should contain_neutron_agent_ovs('securitygroup/enable_security_group').\ with_value(['']) + should_not contain_neutron_agent_ovs('securitygroup/permitted_ethertypes') should contain_neutron_agent_ovs('ovs/tunnel_bridge').with_ensure('absent') should contain_neutron_agent_ovs('ovs/local_ip').with_ensure('absent') should contain_neutron_agent_ovs('ovs/int_peer_patch_port').with_ensure('absent') @@ -93,6 +94,15 @@ describe 'neutron::agents::ml2::ovs' do end end + context 'when supplying permitted ethertypes' do + before :each do + params.merge!(:permitted_ethertypes => ['0x4008', '0x5']) + end + it 'should configured ethertypes' do + should contain_neutron_agent_ovs('securitygroup/permitted_ethertypes').with_value('0x4008,0x5') + end + end + context 'when supplying a firewall driver' do before :each do params.merge!(:firewall_driver => false)
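Review bot: The new context 'when supplying permitted ethertypes' exercises only a well-formed array, so the `validate_legacy` guard added in the manifest has no test covering rejection. I would add a sibling context that passes a plain string such as `'0x4008'` and asserts that catalog compilation fails, for example `it { should raise_error(Puppet::Error) }`. The example name also has a typo and would read better as `it 'should configure ethertypes' do`.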