https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27821#M4134 Hi Sumanta,<BR /> <BR /> <B>"if match all"</B> means all match condition lines must be true to take the defined action<BR /> <B>"if match any"</B> means just 1 line must be true to take the defined action<BR /> <BR /> For access-list you cannot repeat the same match condition. That means you have to create 1 rule for each IP (using the same .pol file).<BR /> <BR /> <B>Example:</B><BR /> <B></B><BR /> entry replace_DSCP_40_a {<BR /> if match all {<BR /> source-address 10.53.5.16/29 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> entry replace_DSCP_40_b {<BR /> if match all {<BR /> source-address 10.53.5.24/29 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> entry replace_DSCP_40_c {<BR /> if match all {<BR /> source-address 10.53.5.32/30 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> <BR /> And so on...<BR /> Wed, 21 Sep 2016 18:37:00 GMT Henrique 2016-09-21T18:37:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27818#M4131 I am trying to classify traffic on ingress port/vlan and remark DSCP values in them. Not sure if I use only "if" statement or "if match any/all" statement? What is the difference between any and all?<BR /> <BR /> I also got an error while trying to use the ACL via a policy file.<BR /> <BR /> "Error: Policy Test has syntax errors <BR /> Line 4 : Attribute source-address already exists as a match statement in Acl entry. "<BR /> <BR /> CLI given below:-<BR /> <BR /> SWT-01 # vi qos-1.pol<BR /> entry replace_DSCP_40 {<BR /> if match all {<BR /> source-address <A href="http://10.53.5.16/29" target="_blank" rel="nofollow noreferrer noopener">10.53.5.16/29</A> ;<BR /> source-address <A href="http://10.53.5.24/29" target="_blank" rel="nofollow noreferrer noopener">10.53.5.24/29</A> ;<BR /> source-address <A href="http://10.53.5.32/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.32/30</A> ;<BR /> source-address <A href="http://10.53.5.36/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.36/30</A> ;<BR /> source-address <A href="http://10.53.5.40/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.40/30</A> ;<BR /> source-address <A href="http://10.53.5.44/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.44/30</A> ;<BR /> source-address <A href="http://10.53.5.48/28" target="_blank" rel="nofollow noreferrer noopener">10.53.5.48/28</A> ;<BR /> source-address <A href="http://10.53.5.64/28" target="_blank" rel="nofollow noreferrer noopener">10.53.5.64/28</A> ;<BR /> source-address <A href="http://10.53.5.80/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.80/30</A> ;<BR /> source-address <A href="http://10.53.5.84/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.84/30</A> ;<BR /> source-address <A href="http://10.53.5.88/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.88/30</A> ;<BR /> source-address <A href="http://10.53.5.92/30" target="_blank" rel="nofollow noreferrer noopener">10.53.5.92/30</A> ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> <BR /> configure diffserv replacement qp8 code-point 40<BR /> <BR /> configure access-list qos-1 VLAN/PORT [ingress|egress]<BR /> <BR /> save<BR /> <BR /> Wed, 21 Sep 2016 18:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27818#M4131 Sumanta_Ghosh 2016-09-21T18:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27819#M4132 Hello Sumanta,<BR /> <BR /> You will need to make those individual entries. You cannot have multiple match conditions be the same in one entry. Wed, 21 Sep 2016 18:28:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27819#M4132 Patrick_Voss 2016-09-21T18:28:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27820#M4133 You can only use match statement source-address once in every entry. The only ACL where it is possible to have multiple match statements with the same keyword are nlri match statements that are used in bgp for example.<BR /> <BR /> Wed, 21 Sep 2016 18:29:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27820#M4133 OscarK 2016-09-21T18:29:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27821#M4134 Hi Sumanta,<BR /> <BR /> <B>"if match all"</B> means all match condition lines must be true to take the defined action<BR /> <B>"if match any"</B> means just 1 line must be true to take the defined action<BR /> <BR /> For access-list you cannot repeat the same match condition. That means you have to create 1 rule for each IP (using the same .pol file).<BR /> <BR /> <B>Example:</B><BR /> <B></B><BR /> entry replace_DSCP_40_a {<BR /> if match all {<BR /> source-address 10.53.5.16/29 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> entry replace_DSCP_40_b {<BR /> if match all {<BR /> source-address 10.53.5.24/29 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> entry replace_DSCP_40_c {<BR /> if match all {<BR /> source-address 10.53.5.32/30 ;<BR /> }<BR /> then {<BR /> qosprofile qp8 ;<BR /> replace-dscp ;<BR /> }<BR /> }<BR /> <BR /> And so on...<BR /> Wed, 21 Sep 2016 18:37:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27821#M4134 Henrique 2016-09-21T18:37:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27822#M4135 Hi All<BR /> <BR /> Many thanks for all your help. I'll try accordingly and let you know.<BR /> Wed, 21 Sep 2016 19:47:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/acl-issue-for-qos/m-p/27822#M4135 Sumanta_Ghosh 2016-09-21T19:47:00Z