Unanswered Question
Mar 12th, 2008

I want to know whether the QoS ACL supports deny statement.

Here is the scenario: I have 6500 running in native mode. The QoS configured on it marks all outbound ssl and web traffic to CS3. I have a new requirement to mark ssl and web traffic for a few particular subnets to Default CS0.

I am thinking of applying DENY statement for those subnets in the named QOS ACL on top. It will put the traffic for these subnets in default class??? DENY statement will be followed by the other permit statements which I currently have.

Is this the correct implementation approach?? Any recommendations or thoughts!!!!

Jon Marshall Wed, 03/12/2008 - 10:41


It would be helpful to see your config but if you don't match them in any acl then they will be grouped into the class class-default so you don't need to explicitly deny them as such.


fawad.alam Wed, 03/12/2008 - 11:16

Here is the config:

class-map match-any SILVER-CLASS

match access-group name SILVER-TRAFFIC

policy-map cust2provider-QOS


set dscp cs5


set dscp cs4


set dscp cs2

class class-default

set dscp default

ip access-list extended SILVER-TRAFFIC

deny tcp any eq www

deny tcp any eq 443

permit tcp any eq www

permit tcp any eq 443

This is the proposed config. I want to mark http and https traffic for subnet with default dscp 0.

The current config (last 2 ACL lines) marks all http & https with CS2.

Jon Marshall Wed, 03/12/2008 - 11:29

Okay that makes more sense.

Yes it will work as you want. They will not be matched in the SILVER-TRAFFIC class and will fall through to the class-default.



fawad.alam Wed, 03/12/2008 - 18:22

hi Jon,

I just found a reference to it in the QoS config guide for Cat 2970 and now I am a little doubtful after reading this. According to this guide, after matching the deny statement it will continue to check the ACL, and in my case it will find a permit, and as I understand it the traffic will still be marked with CS2.


**Classification Based on QoS ACLs**

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:

• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed.

• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the switch offers best-effort service to the packet.



Jon Marshall Thu, 03/13/2008 - 00:47

Hi Fawad

Okay, I tested this in our lab and it works as I suggested. This was tested on a 2600 router, I can retest on a 3560 switch if needed.

From what you posted

"If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed"

Note that it does not say the next ACE (Access Control Entry) but the next ACL. So it is saying stop processing that ACL and move onto the next ACL which may well be contained under another class map entry.

So when it hits the deny it stops running through that ACL, does not mark the packet and moves on in the policy map. If you had a BRONZE class configured which did match the packet it would be marked accordingly. But after SILVER you only have class-default so your packet gets processed in there.
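To make the QoS-ACL semantics quoted from the config guide and Jon's walk-through concrete, here is a small added model of MQC classification (example code written for this thread, not Cisco's or either poster's). It assumes a constructed exempt subnet 10.1.1.0/24 standing in for the one stripped from the post, and a hypothetical BRONZE class after SILVER to show that a deny only ends the current ACL, not the whole policy-map.

```python
# Constructed model of Cisco MQC classification using the QoS-ACL rules
# quoted from the config guide earlier in this thread: a permit match
# makes the class match (first match wins); a deny match stops evaluating
# this ACL and the next class is tried; no permit means no match.
import ipaddress

DSCP = {"default": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40}

def ace(action, src_net=None, dst_port=None):
    """One access control entry; src_net None means 'any', dst_port None means any port."""
    return {"action": action,
            "net": ipaddress.ip_network(src_net) if src_net else None,
            "port": dst_port}

def evaluate_acl(acl, pkt):
    """Return 'permit', 'deny', or None (no ACE matched) for one packet."""
    src = ipaddress.ip_address(pkt["src"])
    for e in acl:
        if e["net"] is not None and src not in e["net"]:
            continue
        if e["port"] is not None and pkt["dport"] != e["port"]:
            continue
        return e["action"]          # first matching ACE decides
    return None

def classify(policy, pkt):
    """Walk the policy-map classes in order. The first class whose ACL
    returns 'permit' wins; a 'deny' only ends that ACL, so the packet keeps
    falling through until it reaches class-default. Returns (class, DSCP)."""
    for name, acl, mark in policy:
        if evaluate_acl(acl, pkt) == "permit":
            return name, DSCP[mark]
    return "class-default", DSCP["default"]

# Placeholder for the subnet stripped from the post (constructed value).
EXEMPT = "10.1.1.0/24"
# SILVER-TRAFFIC as proposed: deny the exempt subnet, then permit all web.
SILVER_TRAFFIC = [
    ace("deny", EXEMPT, 80), ace("deny", EXEMPT, 443),
    ace("permit", None, 80), ace("permit", None, 443),
]
# cust2provider-QOS reduced to the one class whose ACL is visible.
POLICY = [("SILVER-CLASS", SILVER_TRAFFIC, "cs2")]
# Jon's hypothetical BRONZE class placed after SILVER: a packet that hit
# the deny in SILVER-TRAFFIC is still eligible to match here.
POLICY_WITH_BRONZE = POLICY + [("BRONZE-CLASS", [ace("permit", EXEMPT)], "cs1")]

if __name__ == "__main__":
    for src, port in (("192.0.2.10", 80), ("10.1.1.5", 443), ("10.1.1.5", 25)):
        print(src, port, classify(POLICY, {"src": src, "dport": port}))
```

Web traffic from the exempt subnet hits the deny, never reaches the permit in the same ACL, and lands in class-default with DSCP 0; everything else on 80/443 is still marked CS2.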



