Re: 3550 marking verification doubt

From: Niche (jackyliu419@gmail.com)
Date: Tue Nov 15 2005 - 23:53:15 GMT-3


Hi Daniel,

Just my personal method for your reference: apply a simple ACL on the
destination interface (match icmp & match ip precedence value), then do the
ping test, and you can "sh ip access-list" and check the counting. For
extensive checking, use log-input with the ACL.

P.S. Remember to use "permit ip any any" at the end of your ACL in a production
network =).

Cheers~
Jacky Liu

On 11/16/05, Daniel Berlinski <Daniel.Berlinski@telecom.co.nz> wrote:
>
> Still on this Marking issue. Please someone have a look and let me know if
> I'm testing/configuring this correctly:
>
> Trying to mark ICMP packets from VLAN12 with precedence 5 and other traffic
> with precedence 3.
>
> Now I have the policy map applied on a trunk port. Scenario is:
> SW1 (Root bridge for VLAN 12) --- TRUNK --- SW2 (Root port is fa0/13 for
> VLAN 12)
>
> The configs are as follows:
>
> SW2:
>
> mls qos
>
> access-list 170 permit icmp any any echo
> access-list 170 permit icmp any any echo-reply
>
> class-map match-any ICMP
> match access-group 170
> class-map match-all VLAN12
> match vlan 12
> match class-map ICMP
>
> policy-map MARKING
> class VLAN12
> set ip precedence 5
>
> interface FastEthernet0/13
> switchport mode dynamic desirable
> mls qos cos 3
> service-policy input MARKING
>
> interface Vlan12
> ip address 20.20.12.8 255.255.255.0
>
>
> SW1:
>
> mls qos
>
> interface FastEthernet0/13
> switchport mode dynamic desirable
> mls qos trust cos
>
> interface Vlan12
> ip address 20.20.12.7 255.255.255.0
>
> SVI vlan 12 is being used for testing.
>
> Checking method:
> Created a VLAN access-map on SW1 as follows:
>
> vlan access-map MARKING 10
> action forward
> match ip address 150
>
> vlan filter MARKING vlan-list 12
>
> access-list 150 permit icmp any any echo precedence critical
> access-list 150 permit icmp any any echo-reply precedence critical
> access-list 150 permit ip any any
>
>
> I'm pinging 20.20.12.7 from SW2. All echoes are
> sourced using SVI VLAN12 of SW2 (20.20.12.8).
> Rack1SW2#ping
> Protocol [ip]:
> Target IP address: 20.20.12.7
> Repeat count [5]: 1000000
> Datagram size [100]:
> Timeout in seconds [2]: 1
> Extended commands [n]: y
> Source address or interface: vlan12
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
>
> On SW1 I only see the following
> Rack1SW1(config-ext-nacl)#do sh ip access-list 150
> Extended IP access list 150
> permit icmp any any echo precedence critical
> permit icmp any any echo-reply precedence critical
> permit ip any any
>
> What am I missing?
> Thanks
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
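
The counter check suggested in the reply, automated as an added example (not part of the original thread): it parses two "sh ip access-list" snapshots taken before and after the ping test and reports how many packets hit the precedence-matching entries versus the other entries. The snapshot text is constructed sample data and the function names are hypothetical.

```python
import re

# One ACE line from "show ip access-lists": optional sequence number,
# the entry text, and an optional "(N matches)" counter.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<ace>(?:permit|deny)\s.+?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)

# Constructed snapshots (not from the thread). BEFORE mirrors output with
# no counters printed; AFTER is what a later snapshot could look like.
BEFORE = """Extended IP access list 150
    permit icmp any any echo precedence critical
    permit icmp any any echo-reply precedence critical
    permit ip any any
"""
AFTER = """Extended IP access list 150
    permit icmp any any echo precedence critical (5 matches)
    permit icmp any any echo-reply precedence critical
    permit ip any any (7 matches)
"""

def parse_counters(output):
    """Return {ace_text: hits}; an ACE printed without a counter counts as 0."""
    counters = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines such as "Extended IP access list 150" are skipped
            counters[m.group("ace")] = int(m.group("hits") or 0)
    return counters

def marking_report(before, after, wanted="precedence critical"):
    """Split the hit delta between two snapshots into marked vs other."""
    old, new = parse_counters(before), parse_counters(after)
    report = {"marked": 0, "other": 0}
    for ace, hits in new.items():
        delta = hits - old.get(ace, 0)
        report["marked" if wanted in ace else "other"] += delta
    return report

if __name__ == "__main__":
    print(marking_report(BEFORE, AFTER))
```

If "other" grows during the ping test while "marked" stays at zero, the test packets are reaching the ACL without the expected precedence value.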



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3