PBR automation to avoid traffic blackholes?

mickpro77
Level 1

Hi,

Please read my original post from the following thread to understand the reason behind my questions here:

https://community.cisco.com/t5/routing/inter-vrf-pbr-blackhole-safeguard/m-p/5162204#M402727

Since, as you can read in the responses of the thread above, the only way to avoid traffic blackholes via PBR is basically to be extremely careful when "manipulating" it, and we don't live in a utopian world where humans make no mistakes, I'm now turning to automation to avoid this recurring, impactful issue.

Before I start talking about automation I must say that I have 0 experience with it and I'm mentioning netconf because that's the only Cisco-compatible automation protocol I know, but any other way/protocol would be fine with me too as long as it works with Cisco (IOS XE v16 and newer to be more accurate).

I have the following ideas for automation to avoid traffic blackholes via PBR happening due to RM sequences not matching any existing ACL:

For implementations of new RM sequences, my idea was to get netconf to check that the ACL matched in an RM sequence exists by looking up all existing ACLs within the router running cfg. And, if it doesn't, either prevent the implementation or give a warning/error message.

For deletions of ACLs involved in PBR/matched in RM sequences, I had in mind to get netconf to make sure that the ACL isn't matched anywhere by looking up keywords "match ip address ACLNAME" from the router running cfg. And, if it is, again, either prevent the deletion or give a warning/error message.

But I don't even know if it's possible/achievable, is it?

Or is there any other/better way?
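An added example of the two checks described above (my own code, not from the original post or from Cisco), run over a constructed running-config excerpt rather than a live netconf session. It assumes the config text has already been retrieved from the device (via netconf, RESTCONF or SSH) and that `match ip address` lines reference ACLs by name or number.

```python
# Constructed IOS XE running-config excerpt; sequence 20 and part of sequence 40
# reference ACLs that are not defined anywhere, the condition the post describes
# as blackholing traffic under PBR.
SAMPLE_CONFIG = """\
ip access-list extended ACL_A_TO_B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip any host 10.9.9.9
!
route-map PBR_INSIDE permit 10
 match ip address ACL_A_TO_B
 set ip vrf VRF_B next-hop 10.2.0.1
route-map PBR_INSIDE permit 20
 match ip address ACL_OLD
 set ip next-hop 10.0.0.254
route-map PBR_INSIDE permit 30
 match ip address prefix-list PL_MGMT
route-map PBR_INSIDE permit 40
 match ip address 101 ACL_MISSING2
!
"""

def parse_config(config):
    """Return (set of defined ACL names/numbers, list of (route-map, seq, acl) references)."""
    acls, refs, current = set(), [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line ends the previous route-map stanza
        if line.startswith("ip access-list "):
            acls.add(line.split()[3])            # ip access-list standard|extended NAME
        elif line.startswith("access-list "):
            acls.add(line.split()[1])            # numbered ACL, one line per entry
        elif line.startswith("route-map "):
            parts = line.split()                 # route-map NAME permit|deny SEQ
            current = (parts[1], int(parts[3])) if len(parts) >= 4 else None
        elif current and line.startswith(" match ip address "):
            targets = line.split()[3:]           # one or more ACL names/numbers
            if targets and targets[0] != "prefix-list":  # prefix-lists are checked elsewhere
                refs.extend((current[0], current[1], acl) for acl in targets)
    return acls, refs

def dangling_sequences(config):
    """Check 1: route-map sequences whose matched ACL does not exist in the running config."""
    acls, refs = parse_config(config)
    return sorted((rm, seq, acl) for rm, seq, acl in refs if acl not in acls)

def acl_references(config, acl_name):
    """Check 2: sequences still matching acl_name; a non-empty result should block deletion."""
    _, refs = parse_config(config)
    return sorted((rm, seq) for rm, seq, acl in refs if acl == acl_name)
```

Run `dangling_sequences` before committing a new sequence and `acl_references` before removing an ACL; either can be wired into a pre-change validation step or a scheduled audit of the running config.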

3 Replies

Joseph W. Doherty
Hall of Fame

As a side note, years ago I had encountered the issue of black holes in WAN provider clouds. One of our junior engineers brought my attention to a new (then) Cisco technology, OER, and asked me whether it might help. I looked into it and it deals with that issue and many other problematic issues.

BTW, I did implement both OER and PfRv1.  It was "magic".

If you're unaware of this technology, you might look into its successor technology, PfR, now up to v3, I believe.

I also suspect this technology is a major component of SD-WAN.

Hi Joseph,

Thanks for the prompt feedback!

No I have never heard of this, I will check it out, thanks!
