How to Check IP Precedence Values in a QoS Configuration
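QoS configuration uses IP Precedence (the first 3 bits of the Type of Service field) and DSCP (the first 6 bits of the Type of Service field), but how can you confirm that these values are actually set on real packets? This article shows a method that uses an access list.
Use an extended access list. Each entry specifies the precedence to match, and adding log at the end of the entry makes the check easy. Note that if you omit the permit on the final line, no packets can pass at all.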
R1(config)#ip access-list extended CHECK_PRECEDENCE
R1(config-ext-nacl)#deny ip any any precedence ?
  <0-7>           Precedence value
  critical        Match packets with critical precedence (5)
  flash           Match packets with flash precedence (3)
  flash-override  Match packets with flash override precedence (4)
  immediate       Match packets with immediate precedence (2)
  internet        Match packets with internetwork control precedence (6)
  network         Match packets with network control precedence (7)
  priority        Match packets with priority precedence (1)
  routine         Match packets with routine precedence (0)
R1(config-ext-nacl)#deny ip any any precedence priority ?
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  option      Match packets with given IP Options value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  ttl         Match packets with given TTL value
  <cr>
R1(config-ext-nacl)#deny ip any any precedence priority log
R1(config-ext-nacl)#deny ip any any precedence immediate log
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log
    20 deny ip any any precedence immediate log
    30 permit ip any any
R1(config-ext-nacl)#int f0/0
R1(config-if)#ip access-group CHECK_PRECEDENCE in
R1(config-if)#do sh ip int f0/0 | i Inbound
  Inbound access list is CHECK_PRECEDENCE
Of course, a normal ping still goes through as usual.
R2#ping 12.12.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms
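Now run ping against this access list with a TOS value specified. Note that the access list only reacts to packets arriving from outside, so here the ping is run from the adjacent router R2.
First, run it with Type of service set to 32. The first three bits of 32 are 001, so IP Precedence priority is used.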
R2#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 32
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R1(config-if)#
Mar 7 07:09:54.575: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 1 packet
Mar 7 07:15:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
R1(config-if)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log
    30 permit ip any any (627 matches)
Next, run it with Type of service set to 64. The first three bits of 64 are 010, so IP Precedence immediate is used. To make the difference easy to see, the repeat count is set to 4.
R2#ping
Protocol [ip]:
Target IP address: 12.12.12.1
Repeat count [5]: 4
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 64
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
U.U.
Success rate is 0 percent (0/4)

R1(config-if)#
Mar 7 07:23:18.459: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 4 packets
R1(config-if)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log (4 matches)
    30 permit ip any any (813 matches)
Following the same procedure, the access list can also match on DSCP.
R1(config-if)#ip access-list extended CHECK_PRECEDENCE
R1(config-ext-nacl)#25 deny ip any any dscp ?
  <0-63>   Differentiated services codepoint value
  af11     Match packets with AF11 dscp (001010)
  af12     Match packets with AF12 dscp (001100)
  af13     Match packets with AF13 dscp (001110)
  af21     Match packets with AF21 dscp (010010)
  af22     Match packets with AF22 dscp (010100)
  af23     Match packets with AF23 dscp (010110)
  af31     Match packets with AF31 dscp (011010)
  af32     Match packets with AF32 dscp (011100)
  af33     Match packets with AF33 dscp (011110)
  af41     Match packets with AF41 dscp (100010)
  af42     Match packets with AF42 dscp (100100)
  af43     Match packets with AF43 dscp (100110)
  cs1      Match packets with CS1(precedence 1) dscp (001000)
  cs2      Match packets with CS2(precedence 2) dscp (010000)
  cs3      Match packets with CS3(precedence 3) dscp (011000)
  cs4      Match packets with CS4(precedence 4) dscp (100000)
  cs5      Match packets with CS5(precedence 5) dscp (101000)
  cs6      Match packets with CS6(precedence 6) dscp (110000)
  cs7      Match packets with CS7(precedence 7) dscp (111000)
  default  Match packets with default dscp (000000)
  ef       Match packets with EF dscp (101110)
R1(config-ext-nacl)#25 deny ip any any dscp af43 log
From R2, ping was run with TOS value 152 (100110) and a repeat count of 6.
R1(config-ext-nacl)#
Mar 7 07:30:18.463: %SEC-6-IPACCESSLOGDP: list CHECK_PRECEDENCE denied icmp 12.12.12.2 -> 12.12.12.1 (0/0), 6 packets
R1(config-ext-nacl)#do show ip access-lists CHECK_PRECEDENCE
Extended IP access list CHECK_PRECEDENCE
    10 deny ip any any precedence priority log (5 matches)
    20 deny ip any any precedence immediate log (8 matches)
    25 deny ip any any dscp af43 log (6 matches)
    30 permit ip any any (1077 matches)
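As an added example (not part of the original article), the Python code below decodes the Type of service value typed into the extended ping into its IP Precedence and DSCP bits, then walks the article's final CHECK_PRECEDENCE list top down to show which entry a packet hits first. The function names and the ACL table layout are assumptions made for this example, and only the precedence and dscp match keywords are modelled.

```python
# Added example: decode a ToS byte and find the first matching ACL entry.
PRECEDENCE = ["routine", "priority", "immediate", "flash",
              "flash-override", "critical", "internet", "network"]

# DSCP keyword -> 6-bit value, as listed in the IOS help output above.
DSCP = {"default": 0, "ef": 0b101110}
DSCP.update({f"cs{c}": c << 3 for c in range(1, 8)})
DSCP.update({f"af{c}{d}": (c << 3) | (d << 1)
             for c in range(1, 5) for d in range(1, 4)})

# The access list as it stands at the end of the article
# (hypothetical tuple layout: seq, action, match field, keyword).
ACL = [
    (10, "deny", "precedence", "priority"),
    (20, "deny", "precedence", "immediate"),
    (25, "deny", "dscp", "af43"),
    (30, "permit", None, None),
]

def decode_tos(tos):
    """Split a ToS byte into (precedence 0-7, DSCP 0-63)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is a single byte (0-255)")
    return tos >> 5, tos >> 2

def first_match(tos, acl=ACL):
    """Return (seq, action) of the first entry the packet hits, top down."""
    prec, dscp = decode_tos(tos)
    for seq, action, field, keyword in acl:
        if field is None:  # "permit ip any any" matches everything
            return seq, action
        if field == "precedence" and PRECEDENCE[prec] == keyword:
            return seq, action
        if field == "dscp" and DSCP[keyword] == dscp:
            return seq, action
    return None, "deny"  # implicit deny when no entry matches

def describe(tos):
    """One-line summary: decoded bits, DSCP keyword(s), and the entry hit."""
    prec, dscp = decode_tos(tos)
    names = [k for k, v in DSCP.items() if v == dscp]
    seq, action = first_match(tos)
    return (f"tos={tos} prec={PRECEDENCE[prec]} dscp={dscp:06b} "
            f"{names} -> seq {seq} {action}")

if __name__ == "__main__":
    for tos in (0, 32, 64, 152, 40):  # 40 = AF11, which also has precedence 1
        print(describe(tos))
```

TOS 40 (AF11) lands on entry 10 because a precedence entry catches every DSCP whose top three bits match, so entry order matters when precedence and dscp entries are mixed in one list.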