This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

ACL issue for QoS

ACL issue for QoS

Sumanta_Ghosh
New Contributor

ā€Ž09-21-2016 11:22 AM

I am trying to classify traffic on ingress port/vlan and remark DSCP values in them. Not sure if I use only "if" statement or "if match any/all" statement? What is the difference between any and all?

I also got an error while trying to use the ACL via a policy file.

"Error: Policy Test has syntax errors
Line 4 : Attribute source-address already exists as a match statement in Acl entry. "

CLI given below:-

SWT-01 # vi qos-1.pol
entry replace_DSCP_40 {
if match all {
source-address 10.53.5.16/29 ;
source-address 10.53.5.24/29 ;
source-address 10.53.5.32/30 ;
source-address 10.53.5.36/30 ;
source-address 10.53.5.40/30 ;
source-address 10.53.5.44/30 ;
source-address 10.53.5.48/28 ;
source-address 10.53.5.64/28 ;
source-address 10.53.5.80/30 ;
source-address 10.53.5.84/30 ;
source-address 10.53.5.88/30 ;
source-address 10.53.5.92/30 ;
}
then {
qosprofile qp8 ;
replace-dscp ;
}
}

configure diffserv replacement qp8 code-point 40

configure access-list qos-1 VLAN/PORT [ingress|egress]

save

0 Kudos
4 REPLIES 4

Sumanta_Ghosh
New Contributor

ā€Ž09-21-2016 12:47 PM

Hi All

Many thanks for all your help. I'll try accordingly and let you know.
0 Kudos

Henrique
Extreme Employee

ā€Ž09-21-2016 11:37 AM

Hi Sumanta,

"if match all" means all match condition lines must be true to take the defined action
"if match any" means just 1 line must be true to take the defined action

For access-list you cannot repeat the same match condition. That means you have to create 1 rule for each IP (using the same .pol file).

Example:

entry replace_DSCP_40_a {
if match all {
source-address 10.53.5.16/29 ;
}
then {
qosprofile qp8 ;
replace-dscp ;
}
}
entry replace_DSCP_40_b {
if match all {
source-address 10.53.5.24/29 ;
}
then {
qosprofile qp8 ;
replace-dscp ;
}
}
entry replace_DSCP_40_c {
if match all {
source-address 10.53.5.32/30 ;
}
then {
qosprofile qp8 ;
replace-dscp ;
}
}

And so on...
0 Kudos

OscarK
Extreme Employee

ā€Ž09-21-2016 11:29 AM

You can only use match statement source-address once in every entry. The only ACL where it is possible to have multiple match statements with the same keyword are nlri match statements that are used in bgp for example.

0 Kudos

Patrick_Voss
Extreme Employee

ā€Ž09-21-2016 11:28 AM

Hello Sumanta,

You will need to make those individual entries. You cannot have multiple match conditions be the same in one entry.
0 Kudos
GTM-P2G8KFN