viewing ToS byte with debug command

tato386
Level 6

Is there any way that I can determine if ToS is being used on packets using the debug features of router based IOS?

Thanks,

Diego

tsettle
Level 3

You can debug ip packet against an access-list that matches the ToS you are expecting. Hits will show it's marked. Or with more caution you could debug ip packet detail dump against an acl to see the actual frame.

debug ip packet [access-list-number] [detail] [dump]

If the packet is switched in hardware you will not catch it using this method. You will need to rely on policy counters and/or a sniffer capture to verify. Of course you can apply the same steps above to routers on either side of the one under inspection and verify pings through are marked.

How do you incorporate ToS into an ACL? I thought you could only do protocols like TCP, UDP, port numbers and so on.

Diego

Router(config)#access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value

In the acl above if I want to match on dscp 32 then I can specify that (same as TOS=128 in an extended ping). The tos option above is for specific tos bits in the ip header, so be careful not to confuse it. Use ? in config mode to see what I mean.

Examples:

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 dscp 32

Ok, included below...

Router(config)#access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 tos ?
  <0-15>             Type of service value
  max-reliability    Match packets with max reliable TOS (2)
  max-throughput     Match packets with max throughput TOS (4)
  min-delay          Match packets with min delay TOS (8)
  min-monetary-cost  Match packets with min monetary cost TOS (1)
  normal             Match packets with normal TOS (0)

Router(config)#access-list 101 permit ip host 1.1.1.1 host 2.2.2.2 dscp ?
  <0-63>   Differentiated services codepoint value
  af11     Match packets with AF11 dscp (001010)
  af12     Match packets with AF12 dscp (001100)
  af13     Match packets with AF13 dscp (001110)
  af21     Match packets with AF21 dscp (010010)
  af22     Match packets with AF22 dscp (010100)
  af23     Match packets with AF23 dscp (010110)
  af31     Match packets with AF31 dscp (011010)
  af32     Match packets with AF32 dscp (011100)
  af33     Match packets with AF33 dscp (011110)
  af41     Match packets with AF41 dscp (100010)
  af42     Match packets with AF42 dscp (100100)
  af43     Match packets with AF43 dscp (100110)
  cs1      Match packets with CS1(precedence 1) dscp (001000)
  cs2      Match packets with CS2(precedence 2) dscp (010000)
  cs3      Match packets with CS3(precedence 3) dscp (011000)
  cs4      Match packets with CS4(precedence 4) dscp (100000)
  cs5      Match packets with CS5(precedence 5) dscp (101000)
  cs6      Match packets with CS6(precedence 6) dscp (110000)
  cs7      Match packets with CS7(precedence 7) dscp (111000)
  default  Match packets with default dscp (000000)
  ef       Match packets with EF dscp (101110)
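
Added example, not part of the original post and not Cisco code: a small Python decoder that takes the ToS byte (or the hex of an IPv4 header such as a packet dump shows) and splits it into the values the `dscp`, `precedence` and `tos` ACL keywords above match on. The function names and the sample header are constructed for illustration; the header checksum is a placeholder and is not verified.

```python
# Keyword names taken from the IOS "dscp ?" and "tos ?" help quoted in this thread.
DSCP_NAMES = {0: "default", 46: "ef"}
DSCP_NAMES.update({8 * n: f"cs{n}" for n in range(1, 8)})
DSCP_NAMES.update({8 * c + 2 * d: f"af{c}{d}"
                   for c in range(1, 5) for d in range(1, 4)})
TOS_NAMES = {0: "normal", 1: "min-monetary-cost", 2: "max-reliability",
             4: "max-throughput", 8: "min-delay"}

def decode_tos(byte):
    """Split the 8-bit ToS byte into the fields each ACL keyword compares."""
    if not 0 <= byte <= 255:
        raise ValueError("ToS byte must be 0-255")
    dscp = byte >> 2            # top 6 bits: 'dscp <0-63>'
    tos = (byte >> 1) & 0xF     # bits 4..1:  'tos <0-15>'
    return {
        "tos_byte": byte,
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp),
        "precedence": byte >> 5,  # top 3 bits: 'precedence <0-7>'
        "tos": tos,
        "tos_name": TOS_NAMES.get(tos),
        "ecn": byte & 0x3,        # low 2 bits, overlaps the lowest 'tos' bit
    }

def acl_keywords(byte):
    """ACL match options that would each, on their own, hit this ToS byte."""
    f = decode_tos(byte)
    return [
        f"dscp {f['dscp_name'] or f['dscp']}",
        f"precedence {f['precedence']}",
        f"tos {f['tos_name'] or f['tos']}",
    ]

def tos_from_ipv4_header(hex_dump):
    """Return the ToS byte (second octet) from a hex dump of an IPv4 header."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return data[1]

# Constructed sample: ICMP from 1.1.1.1 to 2.2.2.2 marked EF, checksum zeroed.
SAMPLE_HEADER = "45b80054 00004000 40010000 01010101 02020202"

if __name__ == "__main__":
    for value in (128, tos_from_ipv4_header(SAMPLE_HEADER), 2):
        print(value, acl_keywords(value))
```

A ToS byte of 128 decodes to `dscp cs4` (32) with `tos normal`, while a byte of 2 (DSCP 0 with an ECN bit set) decodes to `tos min-monetary-cost`, which is why the `tos` and `dscp` keywords should not be treated as interchangeable.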

I had no idea I could use the tos parameter in an ACL. I am only used to using eq www and eq telnet. I guess that I should use the ? command more ;)

Thanks,

Diego