
Cisco Bug: CSCur03167 - Deny statement in QoS marking ACL programmed as permit

Last Modified

Dec 14, 2020

Products (7)

  • Cisco Nexus 9000 Series Switches
  • Cisco Nexus 9516 Switch
  • Cisco Nexus 9396PX Switch
  • Cisco Nexus 9504 Switch
  • Cisco Nexus 3164Q Switch
  • Cisco Nexus 9508 Switch
  • Cisco Nexus 93128TX Switch

Known Affected Releases


Description (partial)

Traffic that a deny statement should exclude from an ACL referenced in a QoS marking policy is incorrectly being marked.

The ACL contains a deny statement intended to keep this traffic from being matched, and it is used to classify traffic in a QoS policy that marks traffic:

ip access-list TEST
  10 deny icmp host host
ip access-list TEST_2
  10 permit ip host host

class-map type qos match-any TEST_CLASS1
  match access-group name TEST
class-map type qos match-any TEST_CLASS2
  match access-group name TEST_2
policy-map type qos TEST
  class TEST_CLASS1
    set dscp 40
    set qos-group 3
  class TEST_CLASS2
    set dscp 8
    set qos-group 0

interface Ethernet4/31
  service-policy type qos input TEST
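
An audit for configurations of the shape shown above, as an added example that is not part of Cisco's bug report: it walks a saved NX-OS configuration and lists every deny ACE that an interface-applied QoS policy classifies on, which are the entries to review for this bug. The sample addresses are constructed placeholders and the `find_exposed` helper is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the configuration above; the addresses are
# documentation-range placeholders, not values from the bug report.
SAMPLE = """\
ip access-list TEST
  10 deny icmp host 192.0.2.1 host 192.0.2.2
ip access-list TEST_2
  10 permit ip host 192.0.2.1 host 192.0.2.2
class-map type qos match-any TEST_CLASS1
  match access-group name TEST
class-map type qos match-any TEST_CLASS2
  match access-group name TEST_2
policy-map type qos TEST
  class TEST_CLASS1
    set dscp 40
    set qos-group 3
  class TEST_CLASS2
    set dscp 8
    set qos-group 0
interface Ethernet4/31
  service-policy type qos input TEST
"""
HEAD = re.compile(r"(ip access-list|class-map type qos(?: match-\w+)?"
                  r"|policy-map type qos|interface) (\S+)$")

def find_exposed(config):
    """List (interface, policy, class, acl, deny_ace) for each deny ACE that an
    applied QoS policy classifies on."""
    deny, cmap_acls, pmap_classes = (defaultdict(list) for _ in range(3))
    applied, kind, name = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line starts a new section
            m = HEAD.match(line)
            kind, name = (m.group(1).split()[0], m.group(2)) if m else (None, None)
        elif kind == "ip" and re.match(r"\d+ deny ", line):
            deny[name].append(line)
        elif kind == "class-map" and (m := re.match(r"match access-group name (\S+)", line)):
            cmap_acls[name].append(m.group(1))
        elif kind == "policy-map" and (m := re.match(r"class (\S+)", line)):
            pmap_classes[name].append(m.group(1))
        elif kind == "interface" and (m := re.match(r"service-policy type qos \w+ (\S+)", line)):
            applied.append((name, m.group(1)))
    return [(i, p, c, a, ace) for i, p in applied for c in pmap_classes[p]
            for a in cmap_acls[c] for ace in deny[a]]
```

Each tuple names the interface, policy, class and ACL to check; policies attached somewhere other than an interface section are outside what this sketch parses.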