09-10-2012 11:16 AM - edited 03-01-2019 07:10 AM
Does anyone know if a later version of NX-OS will be able to differentiate between "deny" vs "permit" in NX-OS QoS ACLs? The NX-OS QoS documentation states that the permit and deny keywords are ignored for the purposes of matching in QoS class-maps.
Here are the recent Cisco references.
and
I tested the N7K, and it does indeed ignore the permit and deny keywords. (Discussion here, if you are interested... Deny Equals Permit in NX-OS QoS ACLs)
The impact - for QoS class-maps, both the deny and permit statements in the example below are matched:
!
ip access-list test
  permit ip any 10.0.1.0 0.0.0.255
  deny ip any any
This behavior does not follow what happens on 6500s and other IOS devices.
09-10-2012 02:25 PM
No, it will remain the same; all ACLs in the policy-map/class-map will be matched.
Regards,
jerry
09-10-2012 02:31 PM
Jerry -
Any idea why? This breaks the ability to use moderately complex ACLs. For example - how would you configure scavenger class traffic to ignore some traffic, and mark other?
Carole
09-10-2012 03:37 PM
I believe it has to do with the ASIC architecture. In your situation, you want to match in scavenger class (permit ACL).
Regards,
jerry
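An added example, not part of the thread or of Cisco's documentation: a Python audit that lists every deny entry in an ACL referenced by a QoS class-map, since under the behavior described in this thread those entries classify traffic exactly as a permit would. The sample configuration is constructed, and the parser assumes the indented layout of `show running-config` output.

```python
import re

# Constructed sample NX-OS configuration (not taken from the thread).
SAMPLE_CONFIG = """\
ip access-list test
  10 permit ip any 10.0.1.0 0.0.0.255
  20 deny ip any any
ip access-list voice
  10 permit udp any any range 16384 32767
ip access-list mgmt-filter
  10 deny ip any 192.0.2.0/24
  20 permit ip any any
class-map type qos match-any SCAVENGER
  match access-group name test
class-map type qos match-all VOICE
  match access-group name voice
"""

ACL_RE = re.compile(r"^(?:ip|ipv6|mac) access-list (\S+)")
CMAP_RE = re.compile(r"^class-map (?:type qos )?(?:match-(?:any|all) )?(\S+)$")
MATCH_RE = re.compile(r"^match access-group name (\S+)")
DENY_RE = re.compile(r"^(?:\d+ )?deny\b")


def audit_qos_acls(config):
    """Return sorted (class_map, acl, deny_entry) tuples for QoS-referenced ACLs."""
    acl_denies, cmap_acls = {}, []
    section = None  # ("acl" | "cmap", name) for the block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            m_acl, m_cmap = ACL_RE.match(line), CMAP_RE.match(line)
            if m_acl:
                section = ("acl", m_acl.group(1))
                acl_denies.setdefault(section[1], [])
            elif m_cmap:
                section = ("cmap", m_cmap.group(1))
            else:
                section = None
        elif section and section[0] == "acl" and DENY_RE.match(line):
            acl_denies[section[1]].append(line)
        elif section and section[0] == "cmap":
            m = MATCH_RE.match(line)
            if m:
                cmap_acls.append((section[1], m.group(1)))
    return sorted((c, a, d) for c, a in cmap_acls for d in acl_denies.get(a, []))
```

ACLs that contain deny entries but are not referenced by a QoS class-map, such as `mgmt-filter` in the sample, are not reported.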