RBAC : Protecting the BFD MAD Vlan

I received a call from a customer asking if it was possible to lock a Comware configuration, or better: lock the configuration on an interface.

What happened? Well, nothing bad, since the test was done in a lab environment, but it was something like:

  • we need to add a new vlan on a core IRF system
  • we need to configure a range of ports as vlan trunks and permit the new vlan on these trunks

So, there you go:

vlan 10
interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10
 quit

No big deal, however …

MAD BFD

On the core IRF, MAD BFD was configured (as it should be on every core IRF). The MAD BFD configuration steps are:

  • define new vlan
  • assign L2 interfaces to vlan
  • disable STP on these L2 interfaces
  • define L3 vlan
  • set MAD BFD IP Address for each member

These steps had been followed, and let’s assume in this example that interfaces g1/0/24 and g2/0/24 were assigned to the BFD VLAN.

Original g1/0/24 configuration (g2/0/24 would be similar):

interface GigabitEthernet1/0/24
 port link-mode bridge
 port access vlan 4001
 undo stp enable

So this was working fine, up to the moment the new vlan was defined:

interface range g1/0/1 to g1/0/24 g2/0/1 to g2/0/24
 port link-type trunk
 port trunk permit vlan 10

At that moment the 2 BFD MAD interfaces (g1/0/24 and g2/0/24) were made trunk ports and vlan 10 was allowed.

And by the way: STP was disabled on the BFD VLAN interfaces, so you can imagine what happened …

So this was the reason to ask for a “locked” configuration.

Solution : RBAC

The direct answer was: No, locking an interface configuration is not possible (at least as far as I know).

There is however a workaround to achieve a similar result, by using RBAC.

Note: Role Based Access Control is only available on Comware7 devices.

Using RBAC, a custom user role can be defined, and the network admin can control access to:

  • vlans
  • interfaces
  • features: read/write/execute
  • cli commands
  • VRF (VPN instances in Comware lingo)

So a new role for the “almost full admin” can be defined, allowing all features RWX on all vlans and interfaces, except the g1/0/24, g2/0/24 and vlan 4001 (sample BFD VLAN).

These are the commands for the sysadmin role:

role name sysadmin
 # allow all features RWX
 rule 1 permit read write execute feature
 # control vlan access, permit all except vlan 4001 
 vlan policy deny
  permit vlan 1 to 4000
  permit vlan 4002 to 4094
 # control interface access, permit all except MAD BFD interfaces
 interface policy deny
  permit interface GigabitEthernet1/0/1 to GigabitEthernet1/0/23
  permit interface GigabitEthernet2/0/1 to GigabitEthernet2/0/23
#

Next define a new user and assign the new role:

#
local-user sysadmin 
 password simple hp
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin
#

# Sample output:

[HP]local-user sysadmin
New local user added.
[HP-luser-manage-sysadmin]password simple hp
[HP-luser-manage-sysadmin]service-type ssh telnet terminal
[HP-luser-manage-sysadmin]authorization-attribute user-role sysadmin
[HP-luser-manage-sysadmin]

Be careful with the default role network-operator, which is assigned to the user automatically: make sure to remove it, since the permissions of all roles assigned to a user are merged:

[HP-luser-manage-sysadmin]dis this
#
local-user sysadmin class manage
 password hash $h$6$MD1/Ooe0ixXN+RyN$RLAVvFbZ67tIz0ZS5e6UONL49r549MY3bfZcwQCrcVg89e/4nea0dEJ/tfKQKwt91oYbkcARqVlQXWGEA9u1fA==
 service-type ssh telnet terminal
 authorization-attribute user-role sysadmin
 authorization-attribute user-role network-operator
#

So remove the default role:

[HP-luser-manage-sysadmin]undo authorization-attribute user-role network-operator

And finally, make sure the line vty is configured with authentication mode scheme:

[HP]line vty 0 63
[HP-line-vty0-63]authentication-mode scheme
[HP-line-vty0-63]quit
[HP]

Let’s verify

So when you connect with the sysadmin user, you will be able to perform all actions on the device, except for actions related to g1/0/24, g2/0/24 or vlan 4001:

[HP]

# access to BFD MAD interface restricted
[HP]int g1/0/24
Permission denied.

# access to BFD MAD interface restricted when using range
[HP]int range g1/0/1 to g1/0/24
Permission denied.

# range command works for the other interfaces
[HP]int range g1/0/1 to g1/0/23
[HP-if-range]dis this
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 shutdown
 #
return

# any config change can be applied to the other interfaces
[HP-if-range]undo shut
[HP-if-range]port link-type trunk

# but permit vlan all (tries to add port to vlan 4001) fails
[HP-if-range]port trunk permit vlan all
Permission denied.
Configuration terminated because it failed on GigabitEthernet1/0/1.

# permit all other vlans works fine:
[HP-if-range]port trunk permit vlan 1 to 4000
[HP-if-range]port trunk permit vlan 4002 to 4094
[HP-if-range]

This is a basic example of what can be done with RBAC.
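As an added example (not code from the original post), this Python pre-change checker parses the vlan and interface policies of the sysadmin role defined above and answers, for the commands tried in the verification section, whether the role would permit or deny them. The command forms it recognises and the rule that a range is denied as soon as one member is outside the permitted set are assumptions modelled on the post's output.

```python
import re
# Constructed copy of the vlan/interface policies of the page's sysadmin role.
SYSADMIN_ROLE = """\
 vlan policy deny
  permit vlan 1 to 4000
  permit vlan 4002 to 4094
 interface policy deny
  permit interface GigabitEthernet1/0/1 to GigabitEthernet1/0/23
  permit interface GigabitEthernet2/0/1 to GigabitEthernet2/0/23
"""
IFACE = re.compile(r"(?:GigabitEthernet|g)(\d+)/(\d+)/(\d+)", re.I)

def parse_iface(tok):  # 'g1/0/24' or 'GigabitEthernet1/0/24' -> ('1/0', 24)
    m = IFACE.fullmatch(tok)
    if not m:
        raise ValueError(f"not an interface: {tok}")
    return f"{m.group(1)}/{m.group(2)}", int(m.group(3))

parse_vlan = lambda tok: ("vlan", int(tok))

def expand(spec, parse):  # 'a to b c ...' -> set of (key, number) pairs
    toks, out, i = spec.split(), set(), 0
    while i < len(toks):
        key, first = parse(toks[i])
        rng = i + 2 < len(toks) and toks[i + 1] == "to"
        last = parse(toks[i + 2])[1] if rng else first
        out |= {(key, n) for n in range(first, last + 1)}
        i += 3 if rng else 1
    return out

def parse_role(text):
    vlans = ifaces = None  # None: no policy configured, so everything is allowed
    for line in (l.strip() for l in text.splitlines()):
        if line == "vlan policy deny":
            vlans = set()
        elif line == "interface policy deny":
            ifaces = set()
        elif line.startswith("permit vlan "):
            vlans |= expand(line[12:], parse_vlan)
        elif line.startswith("permit interface "):
            ifaces |= expand(line[17:], parse_iface)
    return vlans, ifaces

def check(role, command):
    """Answer 'permitted' or 'denied' the way the role's policies would."""
    vlans, ifaces = role
    allowed = True  # commands not scoped to a vlan/interface pass via the feature rule
    if m := re.fullmatch(r"int(?:erface)?(?: range)? (.+)", command):
        allowed = ifaces is None or expand(m.group(1), parse_iface) <= ifaces
    elif m := re.fullmatch(r"port trunk permit vlan (.+)", command):
        spec = "1 to 4094" if m.group(1) == "all" else m.group(1)
        allowed = vlans is None or expand(spec, parse_vlan) <= vlans
    return "permitted" if allowed else "denied"
```

Running the original change request through check() flags the interface range that swallows g1/0/24 and g2/0/24 before it is typed into the switch.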

 

This entry was posted in Comware7.
