
QoS configuration relies on IP Precedence (the top 3 bits of the Type of Service byte) and DSCP (the top 6 bits of the same byte), but how do you confirm that these values are actually set on the packets? This post shows a way to do it with an access list.

We use an extended access list. Each entry matches the precedence value of interest, and adding the log keyword at the end of the entry makes verification easy. Be careful: if you omit the final permit, the implicit deny means no packets will pass at all.

R1(config)#ip access-list extended CHECK_PRECEDENCE
R1(config-ext-nacl)#deny ip any any precedence ?
  <0-7>           Precedence value
  critical        Match packets with critical precedence (5)
  flash           Match packets with flash precedence (3)
  flash-override  Match packets with flash override precedence (4)
  immediate       Match packets with immediate precedence (2)
  internet        Match packets with internetwork control precedence (6)
  network         Match packets with network control precedence (7)
  priority        Match packets with priority precedence (1)
  routine         Match packets with routine precedence (0)

R1(config-ext-nacl)#deny ip any any precedence priority ?
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  ttl         Match packets with given TTL value
  <cr>

R1(config-ext-nacl)#deny ip any any precedence priority log
R1(config-ext-nacl)#deny ip any any precedence immediate log
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log
    20 deny ip any any precedence immediate log
    30 permit ip any any
R1(config-ext-nacl)#int f0/0
R1(config-if)#ip access-group CHECK_PRECEDENCE in
R1(config-if)#do sh ip int f0/0 | i Inbound
  Inbound  access list is CHECK_PRECEDENCE

Of course, a normal ping (TOS 0) still goes through unchanged.

R2#ping 12.12.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms

Now let's send pings with a TOS value set so that they hit this access list. Note that an inbound access list only evaluates packets received on the interface, not packets the router generates itself, so here we run the pings from the adjacent router R2.

First, run the ping with a Type of Service value of 32. 32 is 00100000 in binary, so the top three bits are 001, which is IP Precedence priority (1).

R2#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 32
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R1(config-if)#
Mar  7 07:09:54.575: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 1 packet
Mar  7 07:15:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
R1(config-if)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log
    30 permit ip any any (627 matches)

Next, run the ping with a Type of Service value of 64. 64 is 01000000 in binary, so the top three bits are 010, which is IP Precedence immediate (2). To make the difference easier to see, the repeat count is set to 4.

R2#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]: 4
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 64
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
U.U.
Success rate is 0 percent (0/4)

R1(config-if)#
Mar  7 07:23:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
R1(config-if)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log (4 matches)
    30 permit ip any any (813 matches)
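To make the bit arithmetic behind TOS 32 (priority) and TOS 64 (immediate) explicit, and to show what the missing final permit does, here is an added example (not code from the original post or from Cisco) that decodes a TOS byte into its precedence and DSCP fields, names them the way the IOS "?" help does, and evaluates the CHECK_PRECEDENCE list with first-match semantics. It goes slightly beyond the post by also naming the AF/CS/EF DSCP keywords, so the same decoder explains the AF43 case later on. The table and function names (PRECEDENCE_NAMES, dscp_name, decode_tos, evaluate_acl) are assumptions of this example.

```python
"""Added example (not from the original post): decode an IPv4 TOS byte into the
IP Precedence (top 3 bits) and DSCP (top 6 bits) fields, naming them the way
the IOS "?" help does, and simulate first-match evaluation of the
CHECK_PRECEDENCE access list built above.  Function and table names are ours."""
from typing import List, Optional, Tuple

# IP Precedence names exactly as listed by "deny ip any any precedence ?"
PRECEDENCE_NAMES = {
    0: "routine", 1: "priority", 2: "immediate", 3: "flash",
    4: "flash-override", 5: "critical", 6: "internet", 7: "network",
}


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to its IOS keyword (cs1..cs7, af11..af43, ef, default).

    AFxy packs class x in the top three bits and drop precedence y in the next
    two, so 100110 (38) is class 4, drop precedence 3 -> af43, as in the help text.
    """
    if dscp == 0:
        return "default"
    if dscp == 46:              # 101110
        return "ef"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"cs{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low // 2}"
    return str(dscp)            # no keyword; IOS accepts the numeric form


def decode_tos(tos: int) -> dict:
    """Split one TOS byte into precedence (bits 7-5) and DSCP (bits 7-2)."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS byte must be 0-255")
    precedence = tos >> 5
    dscp = tos >> 2
    return {
        "tos": tos,
        "precedence": precedence,
        "precedence_name": PRECEDENCE_NAMES[precedence],
        "dscp": dscp,
        "dscp_name": dscp_name(dscp),
    }


# ACL entries as (sequence, action, match field, keyword); field None = match all.
Entry = Tuple[int, str, Optional[str], Optional[str]]
CHECK_PRECEDENCE: List[Entry] = [
    (10, "deny", "precedence", "priority"),
    (20, "deny", "precedence", "immediate"),
    (25, "deny", "dscp", "af43"),
    (30, "permit", None, None),   # drop this line and everything hits the implicit deny
]


def evaluate_acl(acl: List[Entry], tos: int) -> Tuple[str, Optional[int]]:
    """First-match ACL evaluation on the TOS byte only.

    Returns (action, sequence number); sequence None means no entry matched
    and the implicit "deny ip any any" at the end of every IOS ACL applied.
    """
    fields = decode_tos(tos)
    for seq, action, field, keyword in acl:
        if field is None or fields[f"{field}_name"] == keyword:
            return action, seq
    return "deny", None


if __name__ == "__main__":
    for tos in (0, 32, 64, 152):
        d = decode_tos(tos)
        print(f"TOS {tos:3d} = {tos:08b}: precedence {d['precedence']} ({d['precedence_name']}), "
              f"dscp {d['dscp']} ({d['dscp_name']}) -> {evaluate_acl(CHECK_PRECEDENCE, tos)}")
    print("without final permit:", evaluate_acl(CHECK_PRECEDENCE[:-1], 0))
```

Running it prints one line per TOS value used in the post; the last line shows that with the final permit removed even TOS 0 is denied by the implicit deny, which is the trap the post warns about.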

The same procedure works for DSCP values in an access list.

R1(config-if)# ip access-list extended CHECK_PRECEDENCE
R1(config-ext-nacl)#25 deny ip any any dscp ?
  <0-63>   Differentiated services codepoint value
  af11     Match packets with AF11 dscp (001010)
  af12     Match packets with AF12 dscp (001100)
  af13     Match packets with AF13 dscp (001110)
  af21     Match packets with AF21 dscp (010010)
  af22     Match packets with AF22 dscp (010100)
  af23     Match packets with AF23 dscp (010110)
  af31     Match packets with AF31 dscp (011010)
  af32     Match packets with AF32 dscp (011100)
  af33     Match packets with AF33 dscp (011110)
  af41     Match packets with AF41 dscp (100010)
  af42     Match packets with AF42 dscp (100100)
  af43     Match packets with AF43 dscp (100110)
  cs1      Match packets with CS1(precedence 1) dscp (001000)
  cs2      Match packets with CS2(precedence 2) dscp (010000)
  cs3      Match packets with CS3(precedence 3) dscp (011000)
  cs4      Match packets with CS4(precedence 4) dscp (100000)
  cs5      Match packets with CS5(precedence 5) dscp (101000)
  cs6      Match packets with CS6(precedence 6) dscp (110000)
  cs7      Match packets with CS7(precedence 7) dscp (111000)
  default  Match packets with default dscp (000000)
  ef       Match packets with EF dscp (101110)

R1(config-ext-nacl)#25 deny ip any any dscp af43 log

From R2, a ping was run with a TOS value of 152 (10011000, whose top six bits 100110 are DSCP AF43) and a repeat count of 6.

R1(config-ext-nacl)#
Mar  7 07:30:18.463: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 6 packets
R1(config-ext-nacl)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log (8 matches)
    25 deny ip any any dscp af43 log (6 matches)
    30 permit ip any any (1077 matches)
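The %SEC-6-IPACCESSLOGDP messages above are the part of this method you would actually watch on a syslog server. IOS logs the first matching packet immediately and then emits periodic summaries carrying the accumulated count (which is why the console shows "1 packet" and then "4 packets" a few minutes later), so a collector has to add the counts up rather than read them per line. The following is an added example, not code from the original post, that parses such lines and totals denied packets per list, source and destination; the sample log is constructed to mirror the R1 output, and the names LOG_RE, parse_line and summarize are this example's own.

```python
"""Added example (not from the original post): parse %SEC-6-IPACCESSLOGDP
messages of the form shown in the router output and total the packets per
list, action, protocol, source and destination.  The sample lines below are
constructed to mirror that output; the regex and function names are ours."""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample, copied in form from the R1 console output; the last line
# is an unrelated IOS message to show that non-matching lines are skipped.
SAMPLE_LOG = """\
Mar  7 07:09:54.575: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 1 packet
Mar  7 07:15:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
Mar  7 07:23:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
%SYS-5-CONFIG_I: Configured from console by console
"""

# Field layout as seen in the post: list <acl> <denied|permitted> <proto> <src> -> <dst> (<detail>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<detail>[^)]*)\), (?P<count>\d+) packets?"
)

Key = Tuple[str, str, str, str, str]   # (acl, action, proto, src, dst)


def parse_line(line: str) -> Optional[dict]:
    """Return the message fields as a dict, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(log_text: str) -> Dict[Key, int]:
    """Sum packet counts per (acl, action, proto, src, dst).

    IOS sends one message for the first matching packet and later summaries
    with the accumulated count, so the counts are added across lines.
    """
    totals: Dict[Key, int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])
        totals[key] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for (acl, action, proto, src, dst), n in summarize(SAMPLE_LOG).items():
        print(f"{acl}: {action} {proto} {src} -> {dst}: {n} packets")
```

The totals it produces can be compared against the match counters in show ip access-lists to confirm that nothing was missed between the two views.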