I received a call from a customer asking if it was possible to lock a Comware configuration, or better: lock the configuration on an interface.
What happened? Well, nothing bad, since the test was done in a lab environment, but it was something like:
- we need to add a new vlan on a core IRF system
- we need to configure a range of ports as vlan trunks and permit the new vlan on these trunks
So, there you go:
vlan 10
interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10
quit
No big deal, however …
MAD BFD
On the core IRF, MAD BFD was configured (as it should be on every core IRF). The MAD BFD configuration consists of:
- define new vlan
- assign L2 interfaces to vlan
- disable STP on these L2 interfaces
- define L3 vlan
- set MAD BFD IP Address for each member
These steps had been followed, and let’s assume in this example that interfaces g1/0/24 and g2/0/24 were assigned to the BFD VLAN.
Original g1/0/24 configuration (g2/0/24 would be similar):
interface GigabitEthernet1/0/24
 port link-mode bridge
 port access vlan 4001
 undo stp enable
So this was working fine, up to the moment the new vlan was defined:
interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10
At that moment the two BFD MAD interfaces (g1/0/24 and g2/0/24) were turned into trunk ports and vlan 10 was permitted on them.
And by the way: STP was disabled on the BFD VLAN interfaces, so you can imagine what happened …
So this was the reason to ask for a “locked” configuration.
Solution: RBAC
The direct answer was: no, locking an interface configuration is not possible (at least as far as I know).
There is however a workaround to achieve a similar result, by using RBAC.
Note: Role Based Access Control is only available on Comware7 devices.
Using RBAC, a custom user role can be defined, and the network admin can control access to:
- vlans
- interfaces
- features: read/write/execute
- cli commands
- VRF (VPN instances in Comware lingo)
So a new role for the “almost full admin” can be defined, allowing all features RWX on all vlans and interfaces, except g1/0/24, g2/0/24 and vlan 4001 (the BFD VLAN in this example).
These are the commands for the sysadmin role:
role name sysadmin
# allow all features RWX
 rule 1 permit read write execute feature
# control vlan access, permit all except vlan 4001
 vlan policy deny
  permit vlan 1 to 4000
  permit vlan 4002 to 4094
# control interface access, permit all except MAD BFD interfaces
 interface policy deny
  permit interface GigabitEthernet1/0/1 to GigabitEthernet1/0/23
  permit interface GigabitEthernet2/0/1 to GigabitEthernet2/0/23
#
Next define a new user and assign the new role:
#
local-user sysadmin
 password simple hp
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin
#
# Sample output:
[HP]local-user sysadmin
New local user added.
[HP-luser-manage-sysadmin]password simple hp
[HP-luser-manage-sysadmin]service-type ssh telnet terminal
[HP-luser-manage-sysadmin]authorization-attribute user-role sysadmin
[HP-luser-manage-sysadmin]
Be careful with the default role network-operator, which is assigned automatically: make sure to remove it, since the permissions of all roles assigned to a user are merged:
[HP-luser-manage-sysadmin]dis this
#
local-user sysadmin class manage
 password hash $h$6$MD1/Ooe0ixXN+RyN$RLAVvFbZ67tIz0ZS5e6UONL49r549MY3bfZcwQCrcVg89e/4nea0dEJ/tfKQKwt91oYbkcARqVlQXWGEA9u1fA==
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin
 authorization-attribute user-role network-operator
#
So remove the default role:
[HP-luser-manage-sysadmin]undo authorization-attribute user-role network-operator
And finally, make sure the line vty is configured with authentication mode scheme:
[HP]line vty 0 63
[HP-line-vty0-63]authentication-mode scheme
[HP-line-vty0-63]quit
[HP]
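As an added audit example (not part of the original post), the following Python script reads a Comware configuration, extracts the VLAN and interface ranges a deny-policy role permits, answers whether a given VLAN or interface is reachable under that role, and lists every role attached to a local-user so the merged network-operator role from the output above is caught. The configuration text is a constructed sample built from the role and user commands on this page; the function names are mine.

```python
import re

# Constructed sample, built from the post: the sysadmin role and its local-user,
# which still carries the default network-operator role (the merge pitfall above).
SAMPLE_CONFIG = """\
role name sysadmin
 vlan policy deny
  permit vlan 1 to 4000
  permit vlan 4002 to 4094
 interface policy deny
  permit interface GigabitEthernet1/0/1 to GigabitEthernet1/0/23
  permit interface GigabitEthernet2/0/1 to GigabitEthernet2/0/23
#
local-user sysadmin class manage
 authorization-attribute user-role sysadmin
 authorization-attribute user-role network-operator
#
"""

# "GigabitEthernet1/0/1 to GigabitEthernet1/0/23" -> prefix, first port, optional last port
IFACE_RE = re.compile(r"^(?P<pfx>\S+?)(?P<lo>\d+)(?: to \S+?(?P<hi>\d+))?$")

def block(config, header):  # stripped lines of the block opened by header, up to its '#'
    lines = [l.strip() for l in config.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith(header)) + 1
    return lines[start:lines.index("#", start)]

def parse_role(config, role):
    """Collect the VLAN and interface ranges a deny-policy role explicitly permits."""
    vlans, ifaces = [], []
    for s in block(config, f"role name {role}"):
        if s.startswith("permit vlan "):
            lo, _, hi = s[len("permit vlan "):].partition(" to ")
            vlans.append((int(lo), int(hi or lo)))
        elif s.startswith("permit interface "):
            m = IFACE_RE.match(s[len("permit interface "):])
            ifaces.append((m["pfx"], int(m["lo"]), int(m["hi"] or m["lo"])))
    return {"vlans": vlans, "ifaces": ifaces}

def vlan_permitted(role, vid):
    return any(lo <= vid <= hi for lo, hi in role["vlans"])

def interface_permitted(role, name):
    m = IFACE_RE.match(name)
    return any(pfx == m["pfx"] and lo <= int(m["lo"]) <= hi for pfx, lo, hi in role["ifaces"])

def user_roles(config, user):  # every role attached to the user: Comware merges them all
    return [s.split()[-1] for s in block(config, f"local-user {user} ")
            if s.startswith("authorization-attribute user-role ")]
```

Run against a real `display current-configuration` dump, a user_roles result longer than the one intended role is the finding to act on, exactly as the `undo authorization-attribute user-role network-operator` step above does.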
Let’s verify
So when you connect as the sysadmin user, you can perform all actions on the device, except those related to g1/0/24, g2/0/24 or vlan 4001:
[HP]
# access to BFD MAD interface restricted
[HP]int g1/0/24
Permission denied.
# access to BFD MAD interface restricted when using range
[HP]int range g1/0/1 to g1/0/24
Permission denied.
# range command works for the other interfaces
[HP]int range g1/0/1 to g1/0/23
[HP-if-range]dis this
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 shutdown
#
return
# any config change can be applied to the other interfaces
[HP-if-range]undo shut
[HP-if-range]port link-type trunk
# but permit vlan all (tries to add port to vlan 4001) fails
[HP-if-range]port trunk permit vlan all
Permission denied.
Configuration terminated because it failed on GigabitEthernet1/0/1.
# permit all other vlans works fine:
[HP-if-range]port trunk permit vlan 1 to 4000
[HP-if-range]port trunk permit vlan 4002 to 4094
[HP-if-range]
This is a basic example of what can be done with RBAC.