> while there are clueful folks on this list that know N7K and NX-OS, i
> don't think cisco-nsp is an appropriate replacement for talking to the
> TAC.

Perhaps not. I appreciate your reply, and hope my query isn't widely
considered as inappropriate.

> but regardless, i _think_ what's likely happening is that the
> route-map policy is in fact NOT being applied, because of the presence
> of 'deny' statements in the ACL.

No deny statements are allowed in the ACL in this context? I'll need some
time to absorb this :-) My intended configuration does not include a deny,
and still filters the traffic. Maybe I have my policy logic (or perhaps my
head) upside-down?

> for example, what do you expect the outcome to be of a "route-map
> (whatever) deny" that uses an IP access-list that also has 'deny ip' on
> it?
> a deny of a deny is a what? :)

I expected the route-map to move beyond sequence 5 (deny nothing), and then
evaluate sequence 10. Of course, I concede that the "deny nothing" business
is not useful; I got there by trying to build a simple illustration of what
I was seeing.

The real ACL does not include a deny, other than the implicit one (I assume
it is still there), and I'm still not seeing the route map get evaluated
past sequence 10:

2010 Aug 12 02:07:30.387585 msdp: [7070] (default-base) Originating SA message with data for (10.27.147.5, 239.192.1.1), IP length: 1344
2010 Aug 12 02:07:30.387804 msdp: librpm [7070] ========== RPM Evaluation starting for policy MSDP-INTRA-BUILDING-POLICY ==========
2010 Aug 12 02:07:30.387824 msdp: librpm [7070] **** Evaluating (rmap MSDP-INTRA-BUILDING-POLICY - seq 10 - cmd RPM_MATCH_IP_ADDR_ACL) ****
2010 Aug 12 02:07:30.387841 msdp: librpm [7070] **** Evaluation result (seq 10 - cmd RPM_MATCH_IP_ADDR_ACL):RPM_MATCH_IGNORE ****
2010 Aug 12 02:07:30.387857 msdp: librpm [7070] EVAL context->flag 0x0000005b
2010 Aug 12 02:07:30.387875 msdp: librpm [7070] Policy eval. returning action handle 0x00000000
2010 Aug 12 02:07:30.387890 msdp: librpm [7070] ========== RPM Evaluation result RPM_MATCH_REJECT ==========
2010 Aug 12 02:07:30.387919 msdp: [7070] (default-base) Entire outgoing SA to peer 10.255.255.228 filtered

N7K-A# undebug all
N7K-A# sho route-map MSDP-INTRA-BUILDING-POLICY
route-map MSDP-INTRA-BUILDING-POLICY, deny, sequence 10
  Match clauses:
    ip address (access-lists): MSDP-FORBIDDEN-MC-GROUPS
  Set clauses:
route-map MSDP-INTRA-BUILDING-POLICY, permit, sequence 20
  Match clauses:
    ip address (access-lists): RFC-2365-GLOBAL-GROUPS
  Set clauses:
N7K-A# sho ip access-lists MSDP-FORBIDDEN-MC-GROUPS
IP access list MSDP-FORBIDDEN-MC-GROUPS
        10 permit ip any 224.0.0.0/24
        20 permit ip any 239.255.0.0/16
N7K-A#

The ACL matched by sequence 20 doesn't have any deny either.

> historically a route-map with a 'deny' ACL invoked a "logical OR"
> operation which is often not actually what people desired or wanted.
> for that reason we don't currently support "IP access-list deny" when
> being matched by a route-map.
>
> if this was PBR or VACL then when you tried to apply the VACL/PBR to an
> interface, you should get an error message. maybe you aren't seeing
> the same thing for MSDP.

MSDP did not complain (nor did the debugs) when I applied the policy with
ACL deny.

Thanks Lincoln. I will be talking to TAC in the morning :-)

/chris

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
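The thread above turns on two things: what a route-map referencing an ACL is normally expected to do, and Lincoln's point that explicit `deny` entries in a route-map-matched ACL are not supported on this platform. The Python below is an added reference model written for this thread, not Cisco's code, NX-OS's RPM library, or anything posted by Chris or Lincoln. It encodes the route-map and the MSDP-FORBIDDEN-MC-GROUPS ACL exactly as shown in the `sho` output, evaluates the (10.27.147.5, 239.192.1.1) SA from the debug under the textbook semantics (sequences in order, an ACL `permit` hit applies the sequence's action, fall-through is an implicit deny), and adds a pre-apply check that flags `deny` ACEs in any ACL a route-map references. The contents of RFC-2365-GLOBAL-GROUPS are not in the post; the model assumes it permits the RFC 2365 organization-local block 239.192.0.0/14.

```python
import ipaddress

# Constructed model of route-map / ACL evaluation for the thread above.
# Not NX-OS code. ACL entries are (ace_seq, action, src_prefix, dst_prefix);
# "any" is written as 0.0.0.0/0.
ACLS = {
    # From the post (sho ip access-lists MSDP-FORBIDDEN-MC-GROUPS).
    "MSDP-FORBIDDEN-MC-GROUPS": [
        (10, "permit", "0.0.0.0/0", "224.0.0.0/24"),
        (20, "permit", "0.0.0.0/0", "239.255.0.0/16"),
    ],
    # ASSUMPTION: not shown in the post; RFC 2365 organization-local scope.
    "RFC-2365-GLOBAL-GROUPS": [
        (10, "permit", "0.0.0.0/0", "239.192.0.0/14"),
    ],
}

# From the post (sho route-map MSDP-INTRA-BUILDING-POLICY):
# (rmap_seq, action, acl referenced by "match ip address").
ROUTE_MAP = [
    (10, "deny", "MSDP-FORBIDDEN-MC-GROUPS"),
    (20, "permit", "RFC-2365-GLOBAL-GROUPS"),
]


def acl_lookup(acl, src, dst):
    """First-match ACL lookup: 'permit', explicit 'deny', or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _ace_seq, action, sp, dp in acl:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action
    return None


def evaluate_route_map(route_map, acls, src, dst):
    """Textbook route-map semantics for an (S,G) SA.

    Returns (final_action, trace) where trace lists (rmap_seq, 'MATCH'|'IGNORE').
    A sequence whose ACL permits the pair applies that sequence's action and
    stops; otherwise evaluation moves to the next sequence; falling off the
    end is an implicit DENY. This is the behaviour Chris expected, used here
    to compare against the debug output."""
    trace = []
    for rmap_seq, action, acl_name in route_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            trace.append((rmap_seq, "MATCH"))
            return action.upper(), trace
        trace.append((rmap_seq, "IGNORE"))
    return "DENY", trace


def find_unsupported_deny_entries(route_map, acls):
    """Pre-apply check based on Lincoln's note: an explicit 'deny' ACE inside
    an ACL that a route-map matches on is unsupported and may leave the policy
    unapplied without an error. Returns (rmap_seq, acl_name, ace_seq) hits."""
    hits = []
    for rmap_seq, _action, acl_name in route_map:
        for ace_seq, action, _sp, _dp in acls[acl_name]:
            if action == "deny":
                hits.append((rmap_seq, acl_name, ace_seq))
    return hits


if __name__ == "__main__":
    # The SA from the debug: seq 10's ACL does not match 239.192.1.1, so the
    # model continues to seq 20 and permits; the debug instead stopped after
    # seq 10 with RPM_MATCH_REJECT, which is the discrepancy in the thread.
    print(evaluate_route_map(ROUTE_MAP, ACLS, "10.27.147.5", "239.192.1.1"))
    # A group the policy is meant to block: seq 10 matches and denies.
    print(evaluate_route_map(ROUTE_MAP, ACLS, "10.27.147.5", "239.255.1.1"))
    # Constructed "bad" ACL with an explicit deny, as in Chris's earlier
    # illustration, to show what the check would have flagged.
    bad_acls = dict(ACLS)
    bad_acls["DENY-NOTHING"] = [(10, "deny", "0.0.0.0/0", "0.0.0.0/32")]
    print(find_unsupported_deny_entries([(5, "deny", "DENY-NOTHING")] + ROUTE_MAP, bad_acls))
```

Running it prints `('PERMIT', [(10, 'IGNORE'), (20, 'MATCH')])` for the SA in the debug, which is the textbook outcome and not the `RPM_MATCH_REJECT` the box reported; that gap is exactly what needs the TAC. The checker reports the route-map sequence, ACL name and ACE number of any explicit deny so the condition can be caught before the policy is applied, since MSDP gave no error at apply time.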