[c-nsp] Nexus 7000 MSDP peering policy woes

Christopher.Marget at usc-bt.com
Wed Aug 11 18:01:18 EDT 2010


I'm trying to implement PBR-filtering of MSDP messages from a Nexus 7000 running 5.0(2a), and I'm starting to think that the route-map is being interpreted wrong.

The relevant parts of the configuration are:

feature msdp
feature pbr
ip msdp originator-id loopback0
ip msdp peer W.X.Y.Z connect-source loopback0
ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY in
ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY out

ip access-list PERMIT-IP-ANY-ANY
 permit ip any any

route-map MSDP-INTRA-BUILDING-POLICY deny 10
  match ip address PERMIT-IP-ANY-ANY
route-map MSDP-INTRA-BUILDING-POLICY deny 20
  match ip address MSDP-FORBIDDEN-MC-GROUPS
route-map MSDP-INTRA-BUILDING-POLICY permit 30
  match ip address RFC-2365-GLOBAL-GROUPS
route-map MSDP-INTER-ENTERPRISE-POLICY deny 40

Next, I enable 'debug ip msdp' and 'debug ip msdp policy', and switch on a multicast source.  The debug output indicates that only the first line (deny 10) of the route-map is being evaluated:

2010 Aug 12 00:02:40.689445 msdp: librpm [7070] ========== RPM Evaluation starting for policy MSDP-INTRA-BUILDING-POLICY ==========
2010 Aug 12 00:02:40.689482 msdp: librpm [7070] **** Evaluating (rmap MSDP-INTRA-BUILDING-POLICY - seq 10 - cmd RPM_MATCH_IP_ADDR_ACL) ****
2010 Aug 12 00:02:40.689512 msdp: librpm [7070] **** Evaluation result (seq 10 - cmd RPM_MATCH_IP_ADDR_ACL):RPM_MATCH_IGNORE ****
2010 Aug 12 00:02:40.689562 msdp: librpm [7070] EVAL context->flag 0x0000001b
2010 Aug 12 00:02:40.689668 msdp: librpm [7070] Policy eval. returning action handle 0x00000000
2010 Aug 12 00:02:40.689698 msdp: librpm [7070] ========== RPM Evaluation result RPM_MATCH_REJECT ==========
2010 Aug 12 00:02:40.689743 msdp: [7070] (default-base) Entire outgoing SA to peer W.X.Y.Z filtered

So far, so good.  'deny 10' matches everything, so the next line of the route-map didn't get evaluated, and the announcement for this new multicast source is filtered.

Now I'll insert an earlier 'deny' line into the route-map, this time with an ACL that matches nothing:

ip access-list DENY-IP-ANY-ANY
 deny ip any any

route-map MSDP-INTRA-BUILDING-POLICY deny 5
  match ip address DENY-IP-ANY-ANY

Clear all of the mroutes, and fire the source back up.  Debug says:

2010 Aug 12 00:40:53.064084 msdp: librpm [7070] ========== RPM Evaluation starting for policy MSDP-INTRA-BUILDING-POLICY ==========
2010 Aug 12 00:40:53.064121 msdp: librpm [7070] **** Evaluating (rmap MSDP-INTRA-BUILDING-POLICY - seq 5 - cmd RPM_MATCH_IP_ADDR_ACL) ****
2010 Aug 12 00:40:53.064152 msdp: librpm [7070] **** Evaluation result (seq 5 - cmd RPM_MATCH_IP_ADDR_ACL):RPM_MATCH_IGNORE ****
2010 Aug 12 00:40:53.064181 msdp: librpm [7070] EVAL context->flag 0x0000005b
2010 Aug 12 00:40:53.064211 msdp: librpm [7070] Policy eval. returning action handle 0x00000000
2010 Aug 12 00:40:53.064238 msdp: librpm [7070] ========== RPM Evaluation result RPM_MATCH_REJECT ==========
2010 Aug 12 00:40:53.064282 msdp: [7070] (default-base) Entire outgoing SA to peer 10.255.255.228 filtered

Now, the earlier line (deny 5) in the route-map is being matched even though the ACL matches nothing (DENY-IP-ANY-ANY).

The route-map isn't getting evaluated beyond the first deny line in either case.

Could this possibly be correct behavior?
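For comparison with the debug output above, here is a small model (added here; not code from the post or from NX-OS) of the conventional route-map evaluation order the post assumes: sequences are tried in order, a sequence whose ACL does not match is skipped rather than applied, a sequence with no match clause matches everything, and the first matching sequence decides. The contents of MSDP-FORBIDDEN-MC-GROUPS and RFC-2365-GLOBAL-GROUPS were not shown, so they are assumed.

```python
import ipaddress

# Constructed model of conventional route-map evaluation for MSDP SA filtering
# (added example; not NX-OS code). An SA is matched as (source, group) against
# an extended ACL's (src, dst) pair.

# ACLs from the post. The two group ACLs were not shown, so their contents are
# assumed: RFC 2365 organisation-local scope permitted, 239.255.0.0/16 forbidden.
ACLS = {
    "PERMIT-IP-ANY-ANY": [("permit", "0.0.0.0/0", "0.0.0.0/0")],
    "DENY-IP-ANY-ANY": [("deny", "0.0.0.0/0", "0.0.0.0/0")],
    "MSDP-FORBIDDEN-MC-GROUPS": [("permit", "0.0.0.0/0", "239.255.0.0/16")],
    "RFC-2365-GLOBAL-GROUPS": [("permit", "0.0.0.0/0", "239.192.0.0/14")],
}

ROUTE_MAP = [  # (seq, action, ACL name, or None when the sequence has no match clause)
    (10, "deny", "PERMIT-IP-ANY-ANY"),
    (20, "deny", "MSDP-FORBIDDEN-MC-GROUPS"),
    (30, "permit", "RFC-2365-GLOBAL-GROUPS"),
    (40, "deny", None),
]

def acl_permits(entries, src, grp):
    """First matching ACE decides; no matching ACE means implicit deny."""
    for action, src_net, dst_net in entries:
        if src in ipaddress.ip_network(src_net) and grp in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def evaluate(route_map, src, grp, acls=ACLS):
    """Return (verdict, trace); trace records each sequence as 'match' or 'ignore'."""
    src, grp = ipaddress.ip_address(src), ipaddress.ip_address(grp)
    trace = []
    for seq, action, acl_name in sorted(route_map, key=lambda e: e[0]):
        matched = acl_name is None or acl_permits(acls[acl_name], src, grp)
        trace.append((seq, "match" if matched else "ignore"))
        if matched:          # a matching sequence (permit or deny) ends evaluation
            return action, trace
    return "deny", trace     # implicit deny when no sequence matched

if __name__ == "__main__":
    with_seq5 = [(5, "deny", "DENY-IP-ANY-ANY")] + ROUTE_MAP
    print(evaluate(ROUTE_MAP, "10.1.1.1", "239.192.1.1"))   # seq 10 decides: deny
    print(evaluate(with_seq5, "10.1.1.1", "239.192.1.1"))   # seq 5 skipped, seq 10 decides
```

Under this model the inserted deny 5 is skipped and seq 10 makes the decision; removing seq 10 lets an organisation-local group fall through to permit 30.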