Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Limiting access to MAD BFD addresses

paulgear
Esteemed Contributor

Limiting access to MAD BFD addresses

Hi all,

 

I've got a 5500-EI IRF stack which i've configured MAD BFD on for IRF split brain detection.  I've found that despite not having a normal IP address on the VLAN dedicated to MAD BFD, i can still ping the master's IP address from other VLANs.  I want to prevent this, so i've added packet filters to that VLAN interface.  However this doesn't work - i can still ping the MAD IPs, and the ACL is never triggered.

 

Can anyone suggest a workaround?  A config excerpt follows.

 

[hp5500]dis cur

...

 

 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 24
 irf member 2 priority 12
...

acl number 3000 name madbfd
 hardware-count enable
 step 10
 rule 10 permit ip source 10.1.1.0 0.0.0.255 counting
 rule 10000 deny ip counting
...

vlan 123
 description MAD BFD for IRF Monitoring
 name madbfd
...
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 packet-filter 3000 inbound
 packet-filter 3000 outbound
 mad bfd enable
 mad ip address 10.1.23.1 255.255.255.0 member 1
 mad ip address 10.1.23.2 255.255.255.0 member 2
...

Regards,
Paul
1 REPLY
pombeii
Frequent Advisor

Re: Limiting access to MAD BFD addresses

I think you could put you packet filter in the inbound direction of other VLAN interfaces or routed interfaces to block traffic destined for the MAD IPs.  To block just pings, set protocol in the ACL rule to icmp.

 

BFD MAD VLAN can only be used for MAD purpose. IRF configuration guide has recommended not configuring any other features on the BFD MAD VLAN interface or ports in it. If configured, they either do not take effect or might cause problems.

 

Hope that helps.

 

pombeiiwm