Networking

Using Deny ACEs in your PBR ACL on your Nexus 7k

Tony Mattke · 2013.08.19 · 1 min read

Quite a while ago I had a need for some network duct tape… Policy Based Routing while useful should only IMHO be used as a temporary fix. But as you know, temporary things soon become part of production and they end up staying around far too long. But I digress. I had a need for some PBR, but soon found out that NX-OS had no support for deny entries in your ACL. This can pose an issue depending on the amount of destinations needed. Mine needed to match everything on the internet, minus RFC1918, and some internal VPN routes and such. Over time, I ended up having to rewrite this 100 line ACL several times, until I saw that NX-OS 6.1(3) had support for deny statements.

I was so excited, I immediately rewrote my ACL into a very svelte 20 lines including remarks. My change window came, I applied my ACL, and was faced with an error message. Luckily, I quickly figured out that we need to enable the ability to use denies.

text
nexus-7010(config)# hardware access-list allow deny ace

Honestly, I just wanted to get this bit of info out there as I haven’t really seen information on it. Let me know if you see any issues in your deployments.

More in Networking

Related Posts

Networking · 4 min read

Network Duct Tape Gone Wrong

2011.09.01

As many of you may know, I’m in the middle of a huge network redesign, last week our new firewalls finally arrived and it became time for us to start migrating services onto the edge network I’ve been …

Networking · 3 min read

Policy Based Routing

2010.04.05

Policy based routing is the process of altering a packets path based on criteria other than the destination address, commonly referred to as ‘policy routing’.

Networking · 4 min read

IOS ACL Resequencing

2009.11.23

This is one of those tricks you wish you learned about 10 years ago, but never did. You know how easy it is to mess up a nice looking access list.