RBAC : Protecting the BFD MAD Vlan

I received a call from a customer asking if it was possible to lock a Comware configuration, or better: lock the configuration on an interface.

What happened? Well, nothing bad, since the test was done in a lab environment, but it was something like:

  • we need to add a new vlan on a core IRF system
  • we need to configure a range of ports as vlan trunks and permit the new vlan on these trunks

So, there you go:

vlan 10
interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10

No big deal, however …


On the core IRF, MAD BFD was configured (as it should be on every core IRF), so the MAD BFD configuration is:

  • define new vlan
  • assign L2 interfaces to vlan
  • disable STP on these L2 interfaces
  • define L3 vlan
  • set MAD BFD IP Address for each member

These steps had been followed, and let’s assume in this example that interfaces g1/0/24 and g2/0/24 were assigned to the BFD VLAN.

Original g1/0/24 configuration (g2/0/24 would be similar):

interface GigabitEthernet1/0/24
 port link-mode bridge
 port access vlan 4001
 undo stp enable

So this was working fine, up to the moment the interface range was reconfigured to carry the new VLAN:

interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10

At that moment the two BFD MAD interfaces (g1/0/24 and g2/0/24) were made trunk ports and VLAN 10 was permitted on them.

And by the way: STP was disabled on the BFD MAD interfaces, so you can imagine what happened …
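The mistake above is easy to detect after the fact, because it leaves traces in the running-config: a MAD port that is no longer an access port in the MAD VLAN, or a trunk that permits the MAD VLAN. The following script is an added example (not code from the original post or from HPE) that audits a Comware7 running-config for exactly those conditions. It assumes, as in the post's lab, that the MAD VLAN is 4001 and the MAD ports are g1/0/24 and g2/0/24; the config it parses is constructed to show both failure modes.

```python
"""Audit a Comware7 running-config for the changes that break BFD MAD.

Added example, not code from the original post or from HPE. It checks three
invariants: each MAD port is still an access port in the MAD VLAN, STP is
still disabled on it, and no other port carries the MAD VLAN.
Assumptions: MAD VLAN 4001 and MAD ports g1/0/24 and g2/0/24, as in the post.
"""

MAD_VLAN = 4001                                                 # assumption (post's sample VLAN)
MAD_PORTS = ("GigabitEthernet1/0/24", "GigabitEthernet2/0/24")  # assumption (post's sample ports)

# Constructed sample running-config (not captured from a device):
# - g1/0/1 got "port trunk permit vlan all", which also carries VLAN 4001
# - g1/0/2 got the corrected permit list that skips VLAN 4001
# - g1/0/24 was turned into a trunk by the range command and is no longer
#   an access port in VLAN 4001
# - g2/0/24 is still the intended MAD port
SAMPLE_CONFIG = """\
#
vlan 10
#
vlan 4001
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 to 4000 4002 to 4094
#
interface GigabitEthernet1/0/24
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 10
 undo stp enable
#
interface GigabitEthernet2/0/24
 port link-mode bridge
 port access vlan 4001
 undo stp enable
#
return
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '#' or another top-level stanza ends the interface view
    return interfaces


def expand_vlans(spec):
    """Expand 'all', '1 10 4001' or '1 to 4000 4002 to 4094' into a set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def permitted_trunk_vlans(lines):
    """VLANs a trunk port carries, from its 'port trunk permit vlan' lines."""
    vlans = set()
    for line in lines:
        if line.startswith("port trunk permit vlan "):
            vlans |= expand_vlans(line[len("port trunk permit vlan "):])
    return vlans


def audit_mad(config, mad_vlan=MAD_VLAN, mad_ports=MAD_PORTS):
    """List every interface that violates the MAD invariants (empty list = clean)."""
    findings = []
    interfaces = parse_interfaces(config)
    for name in mad_ports:
        lines = interfaces.get(name, [])
        if f"port access vlan {mad_vlan}" not in lines:
            findings.append(f"{name}: no longer an access port in MAD VLAN {mad_vlan}")
        if "undo stp enable" not in lines:
            findings.append(f"{name}: STP is enabled on a MAD port")
    for name, lines in interfaces.items():
        if name in mad_ports:
            continue
        if "port link-type trunk" in lines and mad_vlan in permitted_trunk_vlans(lines):
            findings.append(f"{name}: trunk permits MAD VLAN {mad_vlan}")
        if f"port access vlan {mad_vlan}" in lines:
            findings.append(f"{name}: unexpected access port in MAD VLAN {mad_vlan}")
    return findings


if __name__ == "__main__":
    for finding in audit_mad(SAMPLE_CONFIG):
        print(finding)
```

Run against a config pulled with `display current-configuration`, the audit flags g1/0/24 (no longer an access port in VLAN 4001) and g1/0/1 (a trunk permitting VLAN 4001 through `permit vlan all`), while g1/0/2 with the explicit `1 to 4000 4002 to 4094` list passes. Such a check belongs in any change pipeline that touches the core IRF, because RBAC (below) only protects against interactive mistakes by users holding the restricted role.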

So this was the reason to ask for a “locked” configuration.

Solution : RBAC

The direct answer was: no, locking an interface configuration is not possible (at least as far as I know).

There is however a workaround to achieve a similar result, by using RBAC.

Note: Role Based Access Control is only available on Comware7 devices.

Using RBAC, a custom user role can be defined, and the network admin can control access to:

  • vlans
  • interfaces
  • features: read/write/execute
  • CLI commands
  • VRF (VPN instances in Comware lingo)

So a new role for the "almost full admin" can be defined, allowing RWX on all features, all VLANs and all interfaces, except g1/0/24, g2/0/24 and VLAN 4001 (the sample BFD VLAN).

These are the commands for the sysadmin role:

role name sysadmin
 # allow all features RWX
 rule 1 permit read write execute feature
 # control vlan access, permit all except vlan 4001 
 vlan policy deny
  permit vlan 1 to 4000
  permit vlan 4002 to 4094
 # control interface access, permit all except MAD BFD interfaces
 interface policy deny
  permit interface GigabitEthernet1/0/1 to GigabitEthernet1/0/23
  permit interface GigabitEthernet2/0/1 to GigabitEthernet2/0/23

Note that with `interface policy deny`, only the interfaces explicitly permitted are reachable at all. In a real deployment the permit list therefore also has to cover the uplinks, Bridge-Aggregation interfaces and Vlan-interfaces the admin is expected to manage, not just the access ports of the lab example.

Next define a new user and assign the new role:

local-user sysadmin 
 password simple hp
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin

# Sample output:

[HP]local-user sysadmin
New local user added.
[HP-luser-manage-sysadmin]password simple hp
[HP-luser-manage-sysadmin]service-type ssh telnet terminal
[HP-luser-manage-sysadmin]authorization-attribute user-role sysadmin

Be careful with the role network-operator, which is assigned to the local user by default: make sure to remove it, since a user holding several roles gets the union of their permissions, which would undo the restriction:

[HP-luser-manage-sysadmin]dis this
local-user sysadmin class manage
 password hash $h$6$MD1/Ooe0ixXN+RyN$RLAVvFbZ67tIz0ZS5e6UONL49r549MY3bfZcwQCrcVg89e/4nea0dEJ/tfKQKwt91oYbkcARqVlQXWGEA9u1fA==
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin
 authorization-attribute user-role network-operator

So remove the default role:

[HP-luser-manage-sysadmin]undo authorization-attribute user-role network-operator

And finally, make sure the VTY lines use authentication mode scheme, so that logins are authenticated through AAA (local users by default) and the assigned role is applied:

[HP]line vty 0 63
[HP-line-vty0-63]authentication-mode scheme

Let’s verify

So when you connect as the sysadmin user, you can perform all actions on the device, except those that touch g1/0/24, g2/0/24 or VLAN 4001:

# access to BFD MAD interface restricted
[HP]int g1/0/24
Permission denied.

# access to BFD MAD interface restricted when using range
[HP]int range g1/0/1 to g1/0/24
Permission denied.

# range command works for the other interfaces
[HP]int range g1/0/1 to g1/0/23
[HP-if-range]dis this
interface GigabitEthernet1/0/1
 port link-mode bridge

# any config change can be applied to the other interfaces
[HP-if-range]undo shut
[HP-if-range]port link-type trunk

# but permit vlan all (tries to add port to vlan 4001) fails
[HP-if-range]port trunk permit vlan all
Permission denied.
Configuration terminated because it failed on GigabitEthernet1/0/1.

# permit all other vlans works fine:
[HP-if-range]port trunk permit vlan 1 to 4000
[HP-if-range]port trunk permit vlan 4002 to 4094
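The device only answers "Permission denied." without saying which resource tripped the policy. The following model is an added example (not code from the original post or from HPE) of the role defined above and of the checks just shown: it reproduces the sysadmin role's VLAN and interface policies, refuses an interface range as a whole as soon as one member is not permitted, and unions the permissions of several roles. The network-operator entry is an assumption made only to show why the default role has to be removed: it is modelled as reaching every interface and VLAN with no write rights.

```python
"""Pre-flight check of a planned change against a Comware7 RBAC role.

Added example, not code from the original post or from HPE. It models only
what the post uses: feature RWX, 'vlan policy deny' / 'interface policy deny'
with permit lists, all-or-nothing interface ranges, and the union of
permissions a user gets from several roles. The sysadmin role is the post's;
the network-operator entry is an assumption (no resource policy, no writes).
"""
from dataclasses import dataclass
from typing import Optional

ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class Role:
    """Subset of a Comware7 user role: feature rights and resource policies.

    interfaces / vlans set to None means no resource policy is configured
    (every resource reachable); a set means 'policy deny' with only the
    listed resources permitted.
    """
    name: str
    rwx: bool = False                 # rule N permit read write execute feature
    interfaces: Optional[set] = None  # interface policy deny + permit interface ...
    vlans: Optional[set] = None       # vlan policy deny + permit vlan ...

    def allows_interface(self, name):
        return self.interfaces is None or name in self.interfaces

    def allows_vlan(self, vid):
        return self.vlans is None or vid in self.vlans


def expand_range(first, last):
    """'GigabitEthernet1/0/1' .. 'GigabitEthernet1/0/23' -> list of interface names."""
    prefix, lo = first.rsplit("/", 1)
    prefix_last, hi = last.rsplit("/", 1)
    if prefix != prefix_last:
        raise ValueError("range must stay within one slot/subslot")
    return [f"{prefix}/{n}" for n in range(int(lo), int(hi) + 1)]


def check(roles, interfaces, vlans=()):
    """Return (allowed, reason) for a write touching these interfaces and VLANs.

    Permissions of all roles are unioned; the first resource no role permits
    refuses the whole change, as Comware refuses a whole interface range.
    """
    if not any(r.rwx for r in roles):
        return False, "no role grants write access to features"
    for name in interfaces:
        if not any(r.allows_interface(name) for r in roles):
            return False, f"Permission denied: interface {name}"
    for vid in sorted(vlans):
        if not any(r.allows_vlan(vid) for r in roles):
            return False, f"Permission denied: vlan {vid}"
    return True, "ok"


# The post's sysadmin role: feature RWX, every interface and VLAN except the
# two MAD ports and VLAN 4001.
SYSADMIN = Role(
    "sysadmin",
    rwx=True,
    interfaces=set(expand_range("GigabitEthernet1/0/1", "GigabitEthernet1/0/23"))
    | set(expand_range("GigabitEthernet2/0/1", "GigabitEthernet2/0/23")),
    vlans=set(ALL_VLANS) - {4001},
)
# Assumption (see docstring): default role with no resource policy and no writes.
NETWORK_OPERATOR = Role("network-operator")

MAD_PORT = "GigabitEthernet1/0/24"
FIRST_24 = expand_range("GigabitEthernet1/0/1", "GigabitEthernet1/0/24")
FIRST_23 = expand_range("GigabitEthernet1/0/1", "GigabitEthernet1/0/23")

if __name__ == "__main__":
    cases = [
        ("int g1/0/24", ([SYSADMIN], [MAD_PORT])),
        ("int range g1/0/1 to g1/0/24", ([SYSADMIN], FIRST_24)),
        ("int range g1/0/1 to g1/0/23", ([SYSADMIN], FIRST_23)),
        ("... port trunk permit vlan all", ([SYSADMIN], FIRST_23, ALL_VLANS)),
        ("... permit vlan 1 to 4000 4002 to 4094", ([SYSADMIN], FIRST_23, ALL_VLANS - {4001})),
        ("int g1/0/24, network-operator kept", ([SYSADMIN, NETWORK_OPERATOR], [MAD_PORT])),
    ]
    for label, args in cases:
        print(f"{label:42} -> {check(*args)}")
```

The last case is the point of the warning about network-operator: sysadmin alone cannot enter g1/0/24, but sysadmin plus a role without an interface policy can, and the RWX feature rule from sysadmin then lets the user reconfigure the MAD port.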

This is a basic example of what can be done with RBAC.


This entry was posted in Comware7.
