Configuring a Deny ACE - Cisco Nexus 7000 Series Configuration Manual

NX-OS Quality of Service Configuration Guide

Configuring Classification
Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# class-map [type qos] [match-any | match-all] class-map-name
Purpose: Creates or accesses the class map named class-map-name and enters class-map mode. The class map name can contain alphabetic, hyphen, or underscore characters, is case sensitive, and can be up to 40 characters.

Step 3
Command or Action: switch(config-cmap-qos)# match access-group name acl-name
Purpose: Configures the traffic class by matching packets based on the acl-name. The permit and deny ACL keywords are ignored in the matching. The device does not support the no form of this command.

Example
This example shows how to display the ACL class-map configuration:
switch# show class-map class_acl

Configuring a Deny ACE

You can configure the device to support deny access control entries (ACEs) in a sequence for the following
sequence-based features: VACL, policy-based routing (PBR), and QoS. When deny ACEs are enabled, the
traffic that matches a deny ACE (an ACL rule with the deny keyword) in a class-map-acl is recursively
matched against subsequent class-map-acls until it hits a permit ACE.

Before you begin
Ensure that you are in the correct VDC (or use the switchto vdc command).

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# [no] hardware access-list allow deny ace
Purpose: Enables support for deny ACEs in a sequence.

Step 3
Command or Action: (Optional) switch(config)# show running-config aclmgr
Purpose: Displays the ACL configuration.

Step 4
Command or Action: (Optional) switch(config)# copy running-config startup-config
Purpose: Saves this configuration change.
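
The matching behaviour described above, as an added Python model that is not part of the Cisco guide: it compares how an ordered list of class-map ACLs classifies a source address with deny ACE support disabled (permit and deny keywords ignored) and enabled (a deny hit moves on to the next class-map). The class-map names, prefixes, first-match ACE order and the class-default fallback are assumptions made for the illustration.

```python
# Added illustration (not Cisco code): simplified model of class-map ACL matching.
from ipaddress import ip_address, ip_network

# Constructed sample policy: ordered (class-map name, ACL) pairs. Each ACE is
# (action, source prefix). All names and prefixes are hypothetical.
POLICY = [
    ("class_voice", [("deny", "10.1.1.0/24"),      # intended as an exclusion
                     ("permit", "10.1.0.0/16")]),
    ("class_bulk", [("permit", "10.1.1.0/24")]),
]


def first_matching_ace(acl, src):
    """Return the action of the first ACE whose prefix contains src, else None."""
    for action, prefix in acl:
        if ip_address(src) in ip_network(prefix):
            return action
    return None


def classify(src, policy=POLICY, allow_deny_ace=False):
    """Return the class a packet from src lands in.

    Disabled: the permit/deny keyword is ignored, so any ACE hit selects the
    class. Enabled: a deny hit skips this class-map and matching continues.
    """
    for class_name, acl in policy:
        action = first_matching_ace(acl, src)
        if action is None:
            continue                       # no ACE matched; try next class-map
        if action == "permit" or not allow_deny_ace:
            return class_name
        # deny hit with deny ACEs enabled: fall through to the next class-map
    return "class-default"                 # assumption: fallback for no match


def audit(sources, policy=POLICY):
    """Map each source whose class differs between the two modes to (off, on)."""
    changed = {}
    for src in sources:
        off, on = classify(src, policy, False), classify(src, policy, True)
        if off != on:
            changed[src] = (off, on)
    return changed


if __name__ == "__main__":
    for src, (off, on) in audit(["10.1.1.5", "10.1.2.5", "192.0.2.1"]).items():
        print(f"{src}: disabled -> {off}, enabled -> {on}")
```

Running audit over representative addresses before toggling the setting shows which flows an exclusion written as a deny ACE would move to a different class.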
