Using Deny ACEs in your PBR ACL on your Nexus 7k

Tony Mattke · 2013.08.19 · 1 min read

Quite a while ago I had a need for some network duct tape… Policy Based Routing, while useful, should IMHO only be used as a temporary fix. But as you know, temporary things soon become part of production and end up staying around far too long. But I digress. I had a need for some PBR, but soon found out that NX-OS had no support for deny entries in the ACL used by the route-map. This can pose an issue depending on the number of destinations you need to match. Mine needed to match everything on the Internet, minus RFC1918 space, some internal VPN routes and such. Over time I ended up having to rewrite this 100-line ACL several times, until I saw that NX-OS 6.1(3) had added support for deny statements.

I was so excited that I immediately rewrote my ACL into a very svelte 20 lines, including remarks. My change window came, I applied my ACL, and was faced with an error message. Luckily, I quickly figured out that we first need to enable the ability to use denies:

```text
nexus-7010(config)# hardware access-list allow deny ace
```
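To put the command in context, here is a minimal configuration of the kind the post describes. It is an added example, not the author's ACL (his actual VPN exclusions are not on the page): the global knob is enabled, the PBR ACL keeps the RFC1918 ranges off the policy route with deny ACEs and policy-routes everything else, and the route-map is applied to an SVI. The ACL and route-map names, the VLAN and the next hop 192.0.2.1 (a documentation address) are assumed.

```text
! Global knob from the post: allow deny ACEs in an ACL referenced by a PBR route-map
! (NX-OS 6.1(3) and later on the Nexus 7000; without it the config is rejected)
hardware access-list allow deny ace

! PBR must be enabled as a feature on NX-OS before route-maps can be applied as policy
feature pbr

! Deny ACEs = do not policy-route, let the packet follow the normal routing table
! Permit ACEs = send the packet to the route-map's next hop
! (names and sequence numbers are assumed for this example)
ip access-list PBR-INTERNET
  10 remark RFC1918 destinations stay on the normal routing table
  20 deny ip any 10.0.0.0/8
  30 deny ip any 172.16.0.0/12
  40 deny ip any 192.168.0.0/16
  50 remark Everything else (the Internet) goes to the PBR next hop
  60 permit ip any any

! One match and one set per route-map sequence; 192.0.2.1 is an assumed next hop
route-map PBR-INTERNET permit 10
  match ip address PBR-INTERNET
  set ip next-hop 192.0.2.1

! Apply the policy to the ingress interface (VLAN 100 is assumed)
interface Vlan100
  ip policy route-map PBR-INTERNET
```

Before the global knob is set, this is the point where the error in the post shows up: the ACL with deny entries cannot be used by the route-map. After applying it, `show route-map PBR-INTERNET` and `show ip access-lists PBR-INTERNET` confirm the policy and its ACL are in place, and a traceroute to an RFC1918 address versus an Internet address shows the two forwarding paths.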

Honestly, I just wanted to get this bit of info out there, as I haven't really seen information on it. Let me know if you see any issues in your deployments.
