Hi Zeeshan,
While configuring an ACL, we need to ensure that the match conditions do not get repeated under the same entry.
For example, the entry,
entry CRITICAL {
    if match any {
        dscp 24;
        dscp 36;
    }
    then {
        meter METER_SNID_CRITICAL ;
        qosprofile QP3 ;
        count CRITICAL ;
    }
}
should be converted to 2 different entries.
entry CRITICAL {
    if match any {
        dscp 24;
    }
    then {
        meter METER_SNID_CRITICAL ;
        qosprofile QP3 ;
        count CRITICAL ;
    }
}
entry CRITICAL1 {
    if match any {
        dscp 36;
    }
    then {
        meter METER_SNID_CRITICAL ;
        qosprofile QP3 ;
        count CRITICAL ;
    }
}
Regarding the rule evaluation, all the rules are evaluated at the same time.
Snippet from the user guide under the rule evaluation section.
When there are multiple rule entries applied to an interface, evaluation proceeds as follows:
• A packet is compared to all the rule entry match conditions at the same time.
• For each rule where the packet matches all the match conditions, the action and any action modifiers in the then statement are taken. If there are any actions or action modifiers that conflict (deny vs. permit, etc), only the one with higher precedence is taken.
• If a packet matches no rule entries in the ACL, it is permitted.
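
The split described in the post above can be automated. The following is an added example, not part of the original reply and not vendor tooling: a Python sketch that rewrites any "if match any" entry in which a match keyword is repeated into several entries with the same actions. The function names, the NAME/NAME1 numbering (taken from the post's CRITICAL/CRITICAL1) and the handling of only the explicit "if match any|all" form are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the entry from the post, with dscp repeated.
SAMPLE = """entry CRITICAL { if match any { dscp 24; dscp 36; }
then { meter METER_SNID_CRITICAL ; qosprofile QP3 ; count CRITICAL ; } }"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+(any|all)\s*\{(.*?)\}"
    r"\s*then\s*\{(.*?)\}\s*\}", re.S)

def statements(body):
    """Split a block body into ';'-terminated statements, whitespace-normalised."""
    return [" ".join(s.split()) for s in body.split(";") if s.strip()]

def split_conditions(conds):
    """Layer i gets the i-th occurrence of each keyword, so none repeats in a layer."""
    seen, layers = defaultdict(int), []
    for cond in conds:
        key = cond.split()[0]
        if seen[key] == len(layers):
            layers.append([])
        layers[seen[key]].append(cond)
        seen[key] += 1
    return layers

def render(name, mode, conds, actions):
    lines = [f"entry {name} {{", f"    if match {mode} {{"]
    lines += [f"        {c};" for c in conds]
    lines += ["    }", "    then {"]
    lines += [f"        {a};" for a in actions]
    return "\n".join(lines + ["    }", "}"])

def normalise_policy(text):
    """Return rendered entries; repeated 'match any' conditions become extra entries."""
    out = []
    for name, mode, cond_body, action_body in ENTRY_RE.findall(text):
        conds, actions = statements(cond_body), statements(action_body)
        layers = split_conditions(conds) or [[]]
        if len(layers) > 1 and mode != "any":
            # Splitting an AND of conditions into separate entries would turn it into an OR.
            raise ValueError(f"{name}: repeated condition under 'match all', not split")
        # Assumption: NAME1, NAME2, ... do not collide with existing entry names.
        for i, layer in enumerate(layers):
            out.append(render(name if i == 0 else f"{name}{i}", mode, layer, actions))
    return out

if __name__ == "__main__":
    print("\n".join(normalise_policy(SAMPLE)))
```

Because every matching entry has its actions taken, the union of the split "match any" entries matches the same packets as the original entry.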