10-04-2009 11:58 PM - edited 03-06-2019 07:59 AM
Hi all. I am confused with the following issue, please guide me.
I have defined this acl
access-list 113 per icmp host 10.0.0.1 host 10.0.0.2 echo tos 3 log
access-list 113 per ip an an
Now from R1 (10.0.0.1) I did an extended ping to R2 (10.0.0.2), setting the TOS bits to value 3, but no matches are detected in
show access-list 113.
Following is what I did:
R1#ping
Protocol [ip]:
Target IP address: 10.0.0.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 3
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
R1#
On R2
R2#sh access-lists 113
Extended IP access list 113
10 permit icmp host 10.0.0.1 host 10.0.0.2 echo tos 3 log
20 permit ip any any (12812 matches)
R2#
I don't know if I have misunderstood the TOS byte or what, but I think if I am setting the TOS bits to 3, then why isn't it matching?
Originally I tested it via Wireshark on Windows and got confused when the TOS bit wasn't being set properly.
Please guide me.
10-05-2009 12:10 AM
Hello Ovais,
When you specify the TOS byte, you need to specify the byte value.
So if you want to match packets with IP precedence 3:
3 -> 01100000 as TOS byte = 96 decimal
32 * IP precedence value is the rule.
Then to test it you need to set IP precedence using extended commands in ping:
ping
Protocol [ip]:
Target IP address: 10.55.0.32
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 96
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.55.0.32, timeout is 2 seconds:
!!!!!
Also, packets locally generated on the router are not processed by an outbound ACL on the device.
Hope to help
Giuseppe
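To make the byte arithmetic in the reply concrete, here is an added Python example (not from the thread) that splits the value typed at the extended ping "Type of service" prompt into its RFC 791 fields (3 precedence bits, 4 TOS bits, 1 must-be-zero bit) and the DiffServ view of the same byte (6 DSCP bits, 2 ECN bits), and builds the byte from a precedence value the way the 32 * precedence rule does. It confirms 96 -> precedence 3 and shows that a raw value of 3 lands in the low-order bits with precedence 0.

```python
# Added example, not code from the thread: encode/decode the IPv4 TOS byte.
# RFC 791 layout (MSB first): PPP TTTT M  -> precedence, TOS bits, must-be-zero.
# DiffServ layout of the same byte: DDDDDD EE -> DSCP, ECN.

def tos_byte_from_precedence(precedence: int, tos_bits: int = 0) -> int:
    """Build the byte extended ping expects from IP precedence (0-7) and the
    4-bit TOS field (0-15). With tos_bits=0 this is exactly 32 * precedence."""
    if not 0 <= precedence <= 7 or not 0 <= tos_bits <= 15:
        raise ValueError("precedence must be 0-7, tos_bits 0-15")
    return (precedence << 5) | (tos_bits << 1)


def decode_tos_byte(value: int) -> dict:
    """Split a TOS byte (0-255) into its RFC 791 and DiffServ fields."""
    if not 0 <= value <= 255:
        raise ValueError("TOS byte must be 0-255")
    return {
        "precedence": value >> 5,        # top three bits
        "tos_bits": (value >> 1) & 0xF,  # delay / throughput / reliability / cost
        "mbz": value & 1,                # lowest bit, must be zero per RFC 791
        "dscp": value >> 2,              # DiffServ: top six bits (96 -> 24, CS3)
        "ecn": value & 0x3,              # DiffServ: low two bits
    }


if __name__ == "__main__":
    # Constructed inputs: the value from the question (3) and from the reply (96).
    for v in (3, 96):
        print(f"TOS byte {v:3d} = {v:08b} -> {decode_tos_byte(v)}")
    print("precedence 3 ->", tos_byte_from_precedence(3))
```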