Need differentiated support for "deny" vs "permit" in NX-OS QoS ACLs

carwarner
Level 4

Does anyone know if a later version of NX-OS will be able to differentiate between "deny" vs "permit" in NX-OS QoS ACLs? The NX-OS QoS  documentation states that the permit and deny keywords are ignored for the purposes of matching in QoS class-maps.

Here are the recent Cisco references.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/qos/configuration/guide/classification.html#wp1124010

and

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/qos/513_n2_1/b_Cisco_Nexus_5000_QoS_Config_Guide_513_N2_1_chapter_010.html#task_1135158

I tested the N7K, and it does indeed ignore the permit and deny keywords. (Discussion here, if you are interested: Deny Equals Permit in NX-OS QoS ACLs)

The impact - for QoS class-maps, both the deny and permit statements in the example below are matched:

!
ip access-list test
  permit ip any 10.0.1.0 0.0.0.255
  deny ip any any

This behavior does not follow what happens on 6500s and other IOS devices.

3 Replies

Jerry Ye
Cisco Employee

No, it will remain the same; all ACLs in the policy-map/class-map will be matched.

Regards,

jerry

Jerry -

Any idea why? This breaks the ability to use moderately complex ACLs. For example, how would you configure scavenger class traffic to ignore some traffic and mark other traffic?

Carole

I believe it has to do with the ASIC architecture. In your situation, you want to match in scavenger class (permit ACL).

Regards,

jerry
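The following configuration is an added illustration of the behaviour discussed in this thread and of the permit-only approach Jerry points at; it is not from the original post or from Cisco documentation. The ACL names, class names, addresses and the interface are made up. It assumes N7K-style "type qos" class-maps and policy-maps, that classes in a policy-map are evaluated top-down with the first matching class winning, and that a class with no set action still consumes the match; check those assumptions against the release notes for your platform.

```cisco
! Added illustration, not configuration from the thread. Names and addresses are made up.
!
! 1) The ACL from the original post, attached to a QoS class-map. Because NX-OS ignores
!    the permit/deny keyword when matching in a QoS class-map, the "deny ip any any"
!    line matches too, so this class catches ALL IP traffic, not just 10.0.1.0/24.
ip access-list QOS-SCAVENGER-BROKEN
  permit ip any 10.0.1.0/24
  deny ip any any
!
class-map type qos match-any SCAVENGER-BROKEN
  match access-group name QOS-SCAVENGER-BROKEN
!
! 2) Workaround: use only "permit" entries in QoS ACLs and express "ignore this traffic"
!    as a separate class placed earlier in the policy-map. Traffic to 10.0.1.128/25 is
!    matched by EXEMPT first (assumption: top-down, first match wins) and never reaches
!    the SCAVENGER class, so only the rest of 10.0.1.0/24 is marked CS1.
ip access-list QOS-EXEMPT
  permit ip any 10.0.1.128/25
ip access-list QOS-SCAVENGER
  permit ip any 10.0.1.0/24
!
class-map type qos match-any EXEMPT
  match access-group name QOS-EXEMPT
class-map type qos match-any SCAVENGER
  match access-group name QOS-SCAVENGER
!
policy-map type qos MARK-IN
  class type qos EXEMPT
    ! no action: exempt traffic keeps its existing marking
  class type qos SCAVENGER
    set dscp cs1
!
interface Ethernet1/1
  service-policy type qos input MARK-IN
!
! 3) Verify which class is actually counting packets before relying on the marking:
! show policy-map interface ethernet 1/1 input type qos
```

The verification step matters because the misbehaviour is silent: a QoS ACL copied from an IOS template with trailing deny lines will not error out, it will just mark (or police) far more traffic than intended, and only the per-class counters in the show output reveal that.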