[c-nsp] Nexus 7000 MSDP peering policy woes

Lincoln Dale ltd at cisco.com
Wed Aug 11 18:44:34 EDT 2010


g'day,

On 12/08/2010, at 8:26 AM, <Christopher.Marget at usc-bt.com> wrote:
> I'm trying to implement PBR-filtering of MSDP messages from a Nexus 7000 running 5.0(2a), and I'm starting to think that the route-map is being interpreted wrong.
> 
> The relevant parts of the configuration are:
> 
> feature msdp
> feature pbr
> ip msdp originator-id loopback0
> ip msdp peer W.X.Y.Z connect-source loopback0
> ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY in
> ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY out
[..]

while there are clueful folks on this list that know N7K and NX-OS, i don't think cisco-nsp is an appropriate replacement for talking to the TAC.

but regardless, i _think_ what's likely happening is that the route-map policy is in fact NOT being applied, because of the presence of 'deny' statements in the ACL.

for example, what do you expect the outcome to be of a "route-map (whatever) deny" that uses an IP access-list that also has 'deny ip' on it?
a deny of a deny is a what? :)

historically a route-map with a 'deny' ACL invoked a "logical OR" operation which is often not actually what people desired or wanted.
for that reason we don't currently support "IP access-list deny" when being matched by a route-map.

if this was PBR or VACL then when you tried to apply the VACL/PBR to an interface, you should get an error message.  maybe you aren't seeing the same thing for MSDP.


cheers,

lincoln.
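The following NX-OS config fragment is an illustration added here, not part of the original thread and not a reconstruction of the route-map that was elided from the quoted post. It shows the "deny of a deny" shape the reply asks about next to the equivalent intent expressed with permit-only ACLs, with the accept/reject decision carried by the route-map sequence's permit/deny keyword instead. The peer address is kept as W.X.Y.Z from the thread; the ACL names, the 10.0.0.5 source, and the 239.1.0.0/16 group range are made up for the example.

```text
! --- Shape the reply warns about: a deny ACE inside an ACL that a
! --- route-map deny sequence matches on. Per the reply, NX-OS does not
! --- support ACL deny entries matched from a route-map, so this policy
! --- may silently not be applied to the MSDP peer.
ip access-list MSDP-SA-DENY-IN-ACL
  10 deny ip 10.0.0.5/32 239.1.0.0/16
  20 permit ip any any
!
route-map MSDP-INTRA-BUILDING-POLICY deny 10
  match ip address MSDP-SA-DENY-IN-ACL
route-map MSDP-INTRA-BUILDING-POLICY permit 20

! --- Same intent, supported form: ACLs contain only permit ACEs that
! --- describe what each sequence should match; whether a matching SA
! --- is rejected or accepted is decided by the route-map keyword.
! --- For an MSDP sa-policy the extended ACL is read as
! --- source = SA source address, destination = multicast group.
ip access-list MSDP-SA-BLOCK
  10 permit ip 10.0.0.5/32 239.1.0.0/16
ip access-list MSDP-SA-ALLOW
  10 permit ip any any
!
route-map MSDP-INTRA-BUILDING-POLICY deny 10
  match ip address MSDP-SA-BLOCK
route-map MSDP-INTRA-BUILDING-POLICY permit 20
  match ip address MSDP-SA-ALLOW
!
ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY in
ip msdp sa-policy W.X.Y.Z MSDP-INTRA-BUILDING-POLICY out
```

After applying the permit-only version, check that the route-map shows the intended sequences with `show route-map MSDP-INTRA-BUILDING-POLICY`, then confirm with `show ip msdp sa-cache` that SA entries for the blocked source/group range no longer appear from that peer; if they still do, the policy is not being applied and the TAC route the reply suggests is the right next step.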

