Limiting access to MAD BFD addresses

paulgear
Esteemed Contributor

Hi all,

I've got a 5500-EI IRF stack which I've configured MAD BFD on for IRF split-brain detection. I've found that despite not having a normal IP address on the VLAN dedicated to MAD BFD, I can still ping the master's IP address from other VLANs. I want to prevent this, so I've added packet filters to that VLAN interface. However, this doesn't work: I can still ping the MAD IPs, and the ACL is never triggered.

Can anyone suggest a workaround? A config excerpt follows.

[hp5500]dis cur
...
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 24
 irf member 2 priority 12
...

acl number 3000 name madbfd
 hardware-count enable
 step 10
 rule 10 permit ip source 10.1.1.0 0.0.0.255 counting
 rule 10000 deny ip counting
...

vlan 123
 description MAD BFD for IRF Monitoring
 name madbfd
...
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 packet-filter 3000 inbound
 packet-filter 3000 outbound
 mad bfd enable
 mad ip address 10.1.23.1 255.255.255.0 member 1
 mad ip address 10.1.23.2 255.255.255.0 member 2
...

Regards,
Paul
pombeii
Frequent Advisor

Re: Limiting access to MAD BFD addresses

I think you could put your packet filter in the inbound direction of other VLAN interfaces or routed interfaces to block traffic destined for the MAD IPs. To block just pings, set the protocol in the ACL rule to icmp.

The BFD MAD VLAN can only be used for MAD purposes. The IRF configuration guide recommends not configuring any other features on the BFD MAD VLAN interface or the ports in it. If configured, they either do not take effect or might cause problems.

Hope that helps.

pombeiiwm
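As an added configuration example (not from either poster), the layout pombeii describes: Vlan-interface123 keeps only its MAD BFD settings from the original post, and the filter that drops traffic to the MAD subnet 10.1.23.0/24 is applied inbound on the other Layer 3 interfaces instead. ACL 3001, its name, and Vlan-interface10 are assumed values; the `#` lines are annotations in Comware's section-separator style, not configuration.

```text
# Vlan-interface123 carries nothing but MAD BFD, as the IRF guide advises:
# the packet-filter lines from the original post are removed.
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 mad bfd enable
 mad ip address 10.1.23.1 255.255.255.0 member 1
 mad ip address 10.1.23.2 255.255.255.0 member 2
#
# ACL 3001 (assumed number and name) matches on the destination, i.e. the
# MAD addresses. Rule 10 alone blocks only pings; rule 20 blocks all IP to
# the MAD subnet. "counting" lets "display acl 3001" show whether a rule
# is actually being hit, which is the check the original post was missing.
acl number 3001 name block-mad
 hardware-count enable
 step 10
 rule 10 deny icmp destination 10.1.23.0 0.0.0.255 counting
 rule 20 deny ip destination 10.1.23.0 0.0.0.255 counting
 rule 10000 permit ip
#
# Apply inbound on each user or transit VLAN interface that should not be
# able to reach the MAD addresses (Vlan-interface10 is an assumed example).
interface Vlan-interface10
 packet-filter 3001 inbound
```

After applying it, a ping to 10.1.23.1 from a host in VLAN 10 should fail and the match counter on rule 10 (or rule 20) in `display acl 3001` should increase.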