Networking

Using Deny ACEs in your PBR ACL on your Nexus 7k

Tony Mattke · 2013.08.19 · 1 min read

Quite a while ago I had a need for some network duct tape… Policy Based Routing while useful should only IMHO be used as a temporary fix. But as you know, temporary things soon become part of production and they end up staying around far too long. But I digress. I had a need for some PBR, but soon found out that NX-OS had no support for deny entries in your ACL. This can pose an issue depending on the amount of destinations needed. Mine needed to match everything on the internet, minus RFC1918, and some internal VPN routes and such. Over time, I ended up having to rewrite this 100 line ACL several times, until I saw that NX-OS 6.1(3) had support for deny statements.

I was so excited, I immediately rewrote my ACL into a very svelte 20 lines including remarks. My change window came, I applied my ACL, and was faced with an error message. Luckily, I quickly figured out that we need to enable the ability to use denies.

text
nexus-7010(config)# hardware access-list allow deny ace

Honestly, I just wanted to get this bit of info out there as I haven’t really seen information on it. Let me know if you see any issues in your deployments.

More in Networking
Tags :

Related Posts

2011.09.01 Networking 4 min read

Network Duct Tape Gone Wrong

As many of you may know, I’m in the middle of a huge network redesign, last week our new firewalls finally arrived and it became time for us to start migrating services onto the edge network I’ve been …

2014.10.15 Networking 4 min read

AS-Path Filtering

Before we get into the how, let’s talk about the why.

2012.06.21 Networking 4 min read

Cisco Nexus 2000: A Love/Hate Relationship

My feelings towards the Nexus 2000 Fabric Extender (FEX) are hardly a secret. The myriad of design choices and platform limitations present engineers with some rather difficult decisions.