Comware Based

Limiting access to MAD BFD addresses

Esteemed Contributor

Hi all,


I've got a 5500-EI IRF stack which I've configured MAD BFD on for IRF split-brain detection.  I've found that despite not having a normal IP address on the VLAN dedicated to MAD BFD, I can still ping the master's IP address from other VLANs.  I want to prevent this, so I've added packet filters to that VLAN interface.  However, this doesn't work - I can still ping the MAD IPs, and the ACL is never triggered.

Can anyone suggest a workaround?  A config excerpt follows.


[hp5500]dis cur

 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 24
 irf member 2 priority 12

acl number 3000 name madbfd
 hardware-count enable
 step 10
 rule 10 permit ip source counting
 rule 10000 deny ip counting

vlan 123
 description MAD BFD for IRF Monitoring
 name madbfd
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 packet-filter 3000 inbound
 packet-filter 3000 outbound
 mad bfd enable
 mad ip address member 1
 mad ip address member 2

Frequent Advisor

Re: Limiting access to MAD BFD addresses

I think you could put your packet filter in the inbound direction of other VLAN interfaces or routed interfaces to block traffic destined for the MAD IPs.  To block just pings, set the protocol in the ACL rule to icmp.

The BFD MAD VLAN can only be used for MAD purposes. The IRF configuration guide recommends not configuring any other features on the BFD MAD VLAN interface or the ports in it. If configured, they either do not take effect or might cause problems.


Hope that helps.
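The approach described in this reply, written out as an added Comware 5 configuration example (not from the original posts or from HPE documentation): the filter is moved off Vlan-interface123, where MAD BFD is the only feature that takes effect, and onto the user-facing VLAN interfaces, matching on the MAD addresses as the destination. The MAD IPs 192.0.2.1/192.0.2.2 and the user VLAN interface Vlan-interface10 are constructed placeholders, since the thread does not show the real values; substitute the addresses configured under "mad ip address member". Lines beginning with # are ignored when the configuration is loaded and are used here as comments.

```text
# Added example, not the poster's own config. Addresses and Vlan-interface10 are assumed.
# Leave the MAD BFD VLAN interface with nothing but the MAD commands on it.
interface Vlan-interface123
 description MAD BFD for IRF Monitoring
 mad bfd enable
 mad ip address 192.0.2.1 255.255.255.0 member 1
 mad ip address 192.0.2.2 255.255.255.0 member 2
#
# ACL that matches traffic addressed to the MAD IPs from any other VLAN.
# Rules 10/20 block every IP protocol; to block only pings, use "icmp"
# instead of "ip" in those rules, as in rules 30/40.
acl number 3001 name block-mad
 hardware-count enable
 step 10
 rule 10 deny ip destination 192.0.2.1 0 counting
 rule 20 deny ip destination 192.0.2.2 0 counting
 rule 30 deny icmp destination 192.0.2.1 0 counting
 rule 40 deny icmp destination 192.0.2.2 0 counting
 rule 100 permit ip
#
# Apply the filter inbound on each user VLAN (or routed) interface, i.e. where
# the pings enter the switch, not on the MAD VLAN interface itself.
interface Vlan-interface10
 packet-filter 3001 inbound
```

After applying it, "display acl 3001" shows the hardware counters on rules 10 to 40 incrementing when a host on VLAN 10 tries to ping a MAD address, which is the check that was missing when the ACL sat on Vlan-interface123. Unmatched traffic is permitted even without rule 100; it is kept so the intent is explicit when the ACL is read later.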