Does anyone know if a later version of NX-OS will be able to differentiate between "deny" vs "permit" in NX-OS QoS ACLs? The NX-OS QoS documentation states that the permit and deny keywords are ignored for the purposes of matching in QoS class-maps.
Here are the recent Cisco references.
I tested the N7K, and it does indeed ignore the permit and deny keywords. (Discussion here, if you are interested: Deny Equals Permit in NX-OS QoS ACLs)
The impact - for QoS class-maps, both the deny and permit statements in the example below are matched:
ip access-list test
  permit ip any 10.0.1.0 0.0.0.255
  deny ip any any
This behavior does not follow what happens on 6500s and other IOS devices.
Any idea why? This breaks the ability to use moderately complex ACLs. For example, how would you configure scavenger class traffic to ignore some traffic and mark other traffic?
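The difference described in the post can be modelled in a few lines. This is an added example, not part of the original post and not Cisco code: it evaluates the `test` ACL both ways, once with permit/deny honored (the behavior the post attributes to 6500s and other IOS devices) and once with the keywords ignored (the behavior the post reports on NX-OS). The function names and the sample destination addresses are constructed for illustration.

```python
import ipaddress

# Constructed model of the ACL from the post: (action, dst network, wildcard mask).
# Source is "any" in both entries, so only the destination is modelled.
ACL_TEST = [
    ("permit", "10.0.1.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),  # "ip any any"
]

def ace_matches(dst, network, wildcard):
    """Wildcard-mask compare: bits set in the wildcard are "don't care"."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    dst_bits = int(ipaddress.IPv4Address(dst)) & care
    net_bits = int(ipaddress.IPv4Address(network)) & care
    return dst_bits == net_bits

def class_map_match(dst, acl, honor_action):
    """Return True if a class-map referencing `acl` classifies the packet.

    honor_action=True  : first matching entry decides; deny means "not in this class"
    honor_action=False : permit/deny are ignored; any matching entry classifies
    """
    for action, network, wildcard in acl:
        if ace_matches(dst, network, wildcard):
            return action == "permit" if honor_action else True
    return False  # no entry matched at all

def compare(dst, acl=ACL_TEST):
    """Classify one destination under both interpretations."""
    return {
        "honors_action": class_map_match(dst, acl, True),
        "ignores_action": class_map_match(dst, acl, False),
    }

if __name__ == "__main__":
    # Constructed sample destinations: one inside 10.0.1.0/24, one outside.
    for dst in ("10.0.1.25", "192.168.5.9"):
        print(dst, compare(dst))
```

With the keywords ignored, the trailing `deny ip any any` pulls every packet into the class, so the ACL can no longer carve out an exemption.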