11-06-2012 04:56 PM
Limiting access to MAD BFD addresses
Hi all,
I've got a 5500-EI IRF stack which I've configured MAD BFD on for IRF split brain detection. I've found that despite not having a normal IP address on the VLAN dedicated to MAD BFD, I can still ping the master's IP address from other VLANs. I want to prevent this, so I've added packet filters to that VLAN interface. However, this doesn't work - I can still ping the MAD IPs, and the ACL is never triggered.
Can anyone suggest a workaround? A config excerpt follows.
[hp5500]dis cur
...
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 24
 irf member 2 priority 12
...
acl number 3000 name madbfd
 hardware-count enable
 step 10
 rule 10 permit ip source 10.1.1.0 0.0.0.255 counting
 rule 10000 deny ip counting
...
vlan 123
 description MAD BFD for IRF Monitoring
 name madbfd
...
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 packet-filter 3000 inbound
 packet-filter 3000 outbound
 mad bfd enable
 mad ip address 10.1.23.1 255.255.255.0 member 1
 mad ip address 10.1.23.2 255.255.255.0 member 2
...
Paul
11-11-2012 08:03 AM
Re: Limiting access to MAD BFD addresses
I think you could put your packet filter in the inbound direction of other VLAN interfaces or routed interfaces to block traffic destined for the MAD IPs. To block just pings, set the protocol in the ACL rule to icmp.
The BFD MAD VLAN can only be used for MAD purposes. The IRF configuration guide recommends not configuring any other features on the BFD MAD VLAN interface or the ports in it. If configured, they either do not take effect or might cause problems.
Hope that helps.
pombeiiwm
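
A small audit for the approach suggested in the reply, as an added example that is not part of either post: it parses a Comware configuration, collects the MAD IP addresses, and reports VLAN interfaces that have no inbound packet filter denying traffic to them, plus any packet filter left on the MAD interface itself. ACL 3001, Vlan-interface10 and Vlan-interface20 in the sample are hypothetical; the MAD addresses are the ones from the thread.

```python
import ipaddress
import re

# Constructed sample in the thread's Comware syntax. ACL 3001 and
# Vlan-interface10/20 are hypothetical; the MAD addresses are the thread's.
SAMPLE = """\
acl number 3001 name protect-mad
 rule 10 deny icmp destination 10.1.23.0 0.0.0.255
interface Vlan-interface10
 packet-filter 3001 inbound
interface Vlan-interface20
 ip address 10.1.2.1 255.255.255.0
interface Vlan-interface123
 packet-filter 3000 inbound
 mad bfd enable
 mad ip address 10.1.23.1 255.255.255.0 member 1
 mad ip address 10.1.23.2 255.255.255.0 member 2
"""

def sections(text):
    """Split the config into (header line, indented body) pairs."""
    return re.findall(r"^(\S.*)\n((?: .*\n)*)", text + "\n", re.M)

def wild_net(addr, wc):
    """Destination + contiguous wildcard (0.0.0.255, or 0 for a host) -> network."""
    w = int(ipaddress.IPv4Address(wc if "." in wc else int(wc)))
    return ipaddress.ip_network(f"{addr}/{32 - bin(w).count('1')}", strict=False)

def audit(text):
    """Return (interface, issue) pairs. Any deny rule naming the destination
    counts as cover; rule order and protocol are not evaluated."""
    sec = sections(text)
    deny = {h.split()[2]: [wild_net(a, w) for a, w in
                           re.findall(r"deny \S+ .*?destination (\S+) (\S+)", b)]
            for h, b in sec if h.startswith("acl number ")}
    ifs = {h.split()[1]: b for h, b in sec if h.startswith("interface Vlan-interface")}
    mad = [ipaddress.ip_address(a) for b in ifs.values()
           for a in re.findall(r"mad ip address (\S+)", b)]
    issues = []
    for name, body in ifs.items():
        acls = re.findall(r"packet-filter (\S+) inbound", body)
        if "mad bfd enable" in body:
            if "packet-filter" in body:  # per the reply: may not take effect here
                issues.append((name, "packet-filter on the MAD interface itself"))
        elif mad and not any(all(any(ip in n for n in deny.get(a, []))
                                 for ip in mad) for a in acls):
            issues.append((name, "no inbound filter covering the MAD IPs"))
    return issues
```

Calling `audit(SAMPLE)` flags Vlan-interface20 and Vlan-interface123 and passes Vlan-interface10.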