ACL issue for QoS

  • Question
  • Updated 2 years ago
  • Answered
I am trying to classify traffic on an ingress port/VLAN and remark the DSCP values in it. I am not sure whether to use only an "if" statement or an "if match any/all" statement. What is the difference between any and all?

I also got an error while trying to use the ACL via a policy file.

"Error: Policy Test has syntax errors 
Line 4 : Attribute source-address already exists as a match statement in Acl entry. "

CLI given below:

SWT-01 # vi qos-1.pol
entry replace_DSCP_40 {
    if match all {
        source-address 10.53.5.16/29 ;
        source-address 10.53.5.24/29 ;
        source-address 10.53.5.32/30 ;
        source-address 10.53.5.36/30 ;
        source-address 10.53.5.40/30 ;
        source-address 10.53.5.44/30 ;
        source-address 10.53.5.48/28 ;
        source-address 10.53.5.64/28 ;
        source-address 10.53.5.80/30 ;
        source-address 10.53.5.84/30 ;
        source-address 10.53.5.88/30 ;
        source-address 10.53.5.92/30 ;
    }
    then {
        qosprofile qp8 ;
        replace-dscp ;
    }
}

configure diffserv replacement qp8 code-point 40

configure access-list qos-1 VLAN/PORT [ingress|egress]

save
Sumanta Ghosh

Posted 2 years ago

Patrick Voss, Employee

Hello Sumanta,

You will need to make those individual entries. You cannot have multiple match conditions be the same in one entry.
OscarK, ESE

You can only use the match statement source-address once in every entry. The only ACLs where it is possible to have multiple match statements with the same keyword are the NLRI match statements used in BGP, for example.
Henrique, Employee

Hi Sumanta,

"if match all" means all match condition lines must be true to take the defined action.
"if match any" means just one line must be true to take the defined action.

For access-list you cannot repeat the same match condition. That means you have to create 1 rule for each IP (using the same .pol file).

Example:

entry replace_DSCP_40_a {
    if match all {
        source-address 10.53.5.16/29 ;
    }
    then {
        qosprofile qp8 ;
        replace-dscp ;
    }
}
entry replace_DSCP_40_b {
    if match all {
        source-address 10.53.5.24/29 ;
    }
    then {
        qosprofile qp8 ;
        replace-dscp ;
    }
}
entry replace_DSCP_40_c {
    if match all {
        source-address 10.53.5.32/30 ;
    }
    then {
        qosprofile qp8 ;
        replace-dscp ;
    }
}

And so on...
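Writing twelve near-identical entries by hand invites copy-paste slips, and the "Attribute source-address already exists" error from the question is easy to reintroduce. The script below is an added example, not code from this thread or from Extreme Networks: it expands a list of prefixes into one entry per prefix in the layout Henrique shows, and it lints a policy text for any match keyword repeated inside a single entry, which is the condition the error reports. The function names (`build_policy`, `duplicate_match_attributes`, `entry_name`) are assumptions, the line-oriented parser is modeled only on the policy layout visible in this thread, and the prefix list is taken from the question's file. With a single match line per entry, `match all` and `match any` behave the same, so the mode parameter is there only to show both spellings.

```python
"""Generate one ACL policy entry per source prefix and lint a policy text for
repeated match attributes within an entry (added example, not vendor code)."""
import ipaddress
import re
from collections import Counter

# Prefixes from the thread's qos-1.pol (constructed sample input).
PREFIXES = [
    "10.53.5.16/29", "10.53.5.24/29", "10.53.5.32/30", "10.53.5.36/30",
    "10.53.5.40/30", "10.53.5.44/30", "10.53.5.48/28", "10.53.5.64/28",
    "10.53.5.80/30", "10.53.5.84/30", "10.53.5.88/30", "10.53.5.92/30",
]

# A shortened copy of the rejected entry from the question: the same match
# keyword appears several times inside one "if match all" block.
BROKEN_ENTRY = """\
entry replace_DSCP_40 {
    if match all {
        source-address 10.53.5.16/29 ;
        source-address 10.53.5.24/29 ;
        source-address 10.53.5.32/30 ;
    }
    then {
        qosprofile qp8 ;
        replace-dscp ;
    }
}
"""


def entry_name(base, index):
    """Suffix entries _a, _b, ... _z, _aa, _ab, ... (bijective base-26)."""
    letters = ""
    n = index
    while True:
        letters = chr(ord("a") + n % 26) + letters
        n = n // 26 - 1
        if n < 0:
            return f"{base}_{letters}"


def build_policy(prefixes, base="replace_DSCP_40", qosprofile="qp8", mode="all"):
    """Return policy text with exactly one source-address match per entry."""
    if mode not in ("all", "any"):
        raise ValueError("mode must be 'all' or 'any'")
    entries = []
    for i, prefix in enumerate(prefixes):
        # strict=True rejects prefixes with host bits set (e.g. 10.53.5.17/29).
        net = ipaddress.ip_network(prefix, strict=True)
        entries.append(
            f"entry {entry_name(base, i)} {{\n"
            f"    if match {mode} {{\n"
            f"        source-address {net} ;\n"
            f"    }} then {{\n"
            f"        qosprofile {qosprofile} ;\n"
            f"        replace-dscp ;\n"
            f"    }}\n"
            f"}}\n"
        )
    return "".join(entries)


ENTRY_RE = re.compile(r"^entry\s+(\S+)\s*\{")
IF_RE = re.compile(r"^if(\s+match\s+(all|any))?\s*\{")
MATCH_RE = re.compile(r"^([a-z][a-z0-9-]*)\s+[^;]+;\s*$")


def duplicate_match_attributes(policy_text):
    """Map entry name -> sorted list of match keywords used more than once.

    Only the lines between an "if ... {" and its closing brace are counted;
    action lines in the "then" block are ignored. An empty dict means clean.
    """
    problems = {}
    current, in_match, seen = None, False, Counter()
    for raw in policy_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current, seen = m.group(1), Counter()
            continue
        if IF_RE.match(line):
            in_match = True
            continue
        if in_match and line.startswith("}"):
            in_match = False
            dups = sorted(k for k, c in seen.items() if c > 1)
            if dups:
                problems[current] = dups
            continue
        if in_match:
            m = MATCH_RE.match(line)
            if m:
                seen[m.group(1)] += 1
    return problems


if __name__ == "__main__":
    print(build_policy(PREFIXES))
    print("duplicates:", duplicate_match_attributes(BROKEN_ENTRY))
```

Run it to print the expanded policy file ready to paste into `vi qos-1.pol`, and run the linter over any hand-edited policy before the `configure access-list` step so the duplicate-attribute error is caught offline rather than at apply time.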
Sumanta Ghosh

Hi All,

Many thanks for all your help. I'll try accordingly and let you know.