[c-nsp] Nexus 7000 MSDP peering policy woes
Christopher.Marget at usc-bt.com
Wed Aug 11 19:26:54 EDT 2010
> while there are clueful folks on this list that know N7K and NX-OS, i
> don't think cisco-nsp is an appropriate replacement for talking to the
> TAC.
Perhaps not. I appreciate your reply, and hope my query isn't widely considered as inappropriate.
> but regardless, i _think_ what you're likely happening is that the
> route-map policy is in fact NOT being applied, because of the presence
> of 'deny' statements in the ACL.
No deny statements are allowed in the ACL in this context? I'll need some time to absorb this :-)
My intended configuration does not include a deny, and it still filters the traffic. Maybe I have my policy logic (or perhaps my head) upside-down?
> for example, what do you expect the outcome to be of a "route-map
> (whatever) deny" that uses an IP access-list that also has 'deny ip' on
> it?
> a deny of a deny is a what? :)
I expected the route-map to move beyond sequence 5 (deny nothing), and then evaluate sequence 10.
Of course, I concede that the "deny nothing" business is not useful, I got there by trying to build a simple illustration of what I was seeing. The real ACL does not include a deny, other than the implicit one (I assume it is still there), and I'm still not seeing the route map get evaluated past sequence 10:
2010 Aug 12 02:07:30.387585 msdp: [7070] (default-base) Originating SA message with data for (10.27.147.5, 239.192.1.1), IP length: 1344
2010 Aug 12 02:07:30.387804 msdp: librpm [7070] ========== RPM Evaluation starting for policy MSDP-INTRA-BUILDING-POLICY ==========
2010 Aug 12 02:07:30.387824 msdp: librpm [7070] **** Evaluating (rmap MSDP-INTRA-BUILDING-POLICY - seq 10 - cmd RPM_MATCH_IP_ADDR_ACL) ****
2010 Aug 12 02:07:30.387841 msdp: librpm [7070] **** Evaluation result (seq 10 - cmd RPM_MATCH_IP_ADDR_ACL):RPM_MATCH_IGNORE ****
2010 Aug 12 02:07:30.387857 msdp: librpm [7070] EVAL context->flag 0x0000005b
2010 Aug 12 02:07:30.387875 msdp: librpm [7070] Policy eval. returning action handle 0x00000000
2010 Aug 12 02:07:30.387890 msdp: librpm [7070] ========== RPM Evaluation result RPM_MATCH_REJECT ==========
2010 Aug 12 02:07:30.387919 msdp: [7070] (default-base) Entire outgoing SA to peer 10.255.255.228 filtered
N7K-A# undebug all
N7K-A# sho route-map MSDP-INTRA-BUILDING-POLICY
route-map MSDP-INTRA-BUILDING-POLICY, deny, sequence 10
  Match clauses:
    ip address (access-lists): MSDP-FORBIDDEN-MC-GROUPS
  Set clauses:
route-map MSDP-INTRA-BUILDING-POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): RFC-2365-GLOBAL-GROUPS
  Set clauses:
N7K-A# sho ip access-lists MSDP-FORBIDDEN-MC-GROUPS
IP access list MSDP-FORBIDDEN-MC-GROUPS
        10 permit ip any 224.0.0.0/24
        20 permit ip any 239.255.0.0/16
N7K-A#
The ACL matched by sequence 20 doesn't have any deny either.
> historically a route-map with a 'deny' ACL invoked a "logical OR"
> operation which is often not actually what people desired or wanted.
> for that reason we don't currently support "IP access-list deny" when
> being matched by a route-map.
>
> if this was PBR or VACL then when you tried to apply the VACL/PBR to an
> interface, you should get an error message. maybe you aren't seeing
> the same thing for MSDP.
MSDP did not complain (nor did the debugs) when I applied the policy with ACL deny.
Thanks Lincoln. I will be talking to TAC in the morning :-)
/chris
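The thread turns on how a route-map sequence whose ACL does not match is supposed to be treated. The following script is an added illustration, not code from the post or from Cisco: it models the classic first-match route-map semantics Chris expected (a `deny` sequence whose ACL returns no permit is simply skipped, evaluation moves to the next sequence, and a route-map that reaches its end denies), and runs the policy and ACL from the post against the SA the debug shows, (10.27.147.5, 239.192.1.1). The contents of RFC-2365-GLOBAL-GROUPS are not shown in the post, so the script assumes it permits the RFC 2365 global scope 239.192.0.0/14; matching source and group as ACL source and destination is also an assumption. A second ACL with an explicit `deny` entry is constructed to show why a "deny of a deny" is a non-match rather than a permit under these semantics, which is the case Lincoln says NX-OS rejects.

```python
"""Model of classic first-match route-map / ACL evaluation (added example, not
Cisco code). It reproduces the outcome Chris expected for his MSDP SA policy
and shows why an ACL 'deny' inside a route-map clause is a no-match, not a
permit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any" or a prefix such as "10.0.0.0/8"
    dst: str     # "any" or a prefix


def _covers(prefix: str, addr: str) -> bool:
    """True if the ACL prefix (or 'any') contains the address."""
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def acl_lookup(entries, src: str, dst: str) -> str:
    """First matching entry decides; no match falls to the implicit deny."""
    for e in entries:
        if _covers(e.src, src) and _covers(e.dst, dst):
            return e.action
    return "deny"  # implicit deny at the end of every ACL


@dataclass
class RouteMapSeq:
    seq: int
    action: str  # "permit" or "deny"
    acl: str     # name of the ACL in the "match ip address" clause


def evaluate_route_map(sequences, acls, src: str, dst: str):
    """Classic semantics (assumed): a sequence matches only when its ACL returns
    'permit'. An ACL 'deny' (explicit or implicit) means the clause does NOT
    match, so evaluation continues with the next sequence. Reaching the end
    without a match denies. Returns (result, matched_seq_or_None, trace)."""
    trace = []
    for s in sequences:
        verdict = acl_lookup(acls[s.acl], src, dst)
        if verdict == "permit":
            trace.append(f"seq {s.seq}: ACL {s.acl} permits -> clause matches -> {s.action}")
            return s.action, s.seq, trace
        trace.append(f"seq {s.seq}: ACL {s.acl} {verdict} -> no match, continue")
    trace.append("end of route-map: implicit deny")
    return "deny", None, trace


# Policy and ACL exactly as shown in the post.
ACLS = {
    "MSDP-FORBIDDEN-MC-GROUPS": [
        AclEntry("permit", "any", "224.0.0.0/24"),
        AclEntry("permit", "any", "239.255.0.0/16"),
    ],
    # Not shown in the post; ASSUMED to permit the RFC 2365 global scope.
    "RFC-2365-GLOBAL-GROUPS": [AclEntry("permit", "any", "239.192.0.0/14")],
    # Constructed ACL with an explicit deny, to illustrate the "deny of a deny".
    "WITH-EXPLICIT-DENY": [
        AclEntry("deny", "any", "239.192.0.0/14"),
        AclEntry("permit", "any", "239.0.0.0/8"),
    ],
}

POLICY = [
    RouteMapSeq(10, "deny", "MSDP-FORBIDDEN-MC-GROUPS"),
    RouteMapSeq(20, "permit", "RFC-2365-GLOBAL-GROUPS"),
]

# Route-map whose deny sequence matches an ACL that itself contains a deny.
POLICY_DENY_OF_DENY = [
    RouteMapSeq(5, "deny", "WITH-EXPLICIT-DENY"),
    RouteMapSeq(10, "permit", "RFC-2365-GLOBAL-GROUPS"),
]


def expected_outcome(src: str = "10.27.147.5", group: str = "239.192.1.1"):
    """What the post's policy should do for an SA under classic semantics."""
    return evaluate_route_map(POLICY, ACLS, src, group)


def deny_of_deny_outcome(src: str = "10.27.147.5", group: str = "239.192.1.1"):
    """Explicit ACL deny inside a route-map deny clause: no match, not a permit."""
    return evaluate_route_map(POLICY_DENY_OF_DENY, ACLS, src, group)


if __name__ == "__main__":
    for label, fn in (("post's policy", expected_outcome), ("deny of deny", deny_of_deny_outcome)):
        result, seq, trace = fn()
        print(f"{label}: {result} (seq {seq})")
        for line in trace:
            print("   ", line)
```

Under these semantics the SA in the debug should pass at sequence 20, whereas the N7K debug shows RPM_MATCH_IGNORE at sequence 10 followed by an overall RPM_MATCH_REJECT without sequence 20 ever being evaluated, which is the discrepancy the post is about. The "deny of a deny" run shows the explicit ACL deny producing a no-match at sequence 5; the group is then permitted at sequence 10, so an ACL deny never acts as a permit, which is the ambiguity Lincoln describes.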