management traffic QoS on Tunnel interfaces
Andrey Khomyakov
khomyakov.andrey at gmail.com
Mon Jul 29 21:09:55 UTC 2013
Looks like exactly what I'm looking for, but for some reason doesn't work.
The below produces 0 packet matches.
ip ssh prec 2
class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2
As a test I also tried this:
ip access-list extended Management_Access
 remark Play nice with router management traffic
 permit tcp any range 22 telnet any
 permit tcp any any range 22 telnet
class-map match-any management
 match access-group name Management_Access
policy-map Mark-Local-SSH
 class management
  set ip dscp cs2
ip local policy route-map Mark-Local-SSH
---
Later on this matches 0 packets in both cases
class-map match-any SSH
 match ip dscp cs2
 match ip precedence 2
--Andrey
On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch at gmail.com> wrote:
> Newer IOS support setting precedence or DSCP for outbound SSH:
>
> ip ssh prec 2
>
>
> Thanks,
>
> Chuck
>
> -----Original Message-----
> From: Andrey Khomyakov [mailto:khomyakov.andrey at gmail.com]
> Sent: Monday, July 29, 2013 12:07 PM
> To: Nanog
> Subject: management traffic QoS on Tunnel interfaces
>
> Hi all,
> I have been trying to come up with a qos policy (or rather where to apply
> it) for reserving some bandwidth for management traffic to the local router.
> The setup is that a remote router is a spoke to a DMVPN network, thus has a
> couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
> I have no issue working out service policy for transiting traffic, however,
> I can't wrap my head around how to reserve some bandwidth for the locally
> originated SSH traffic (managing the router).
>
> I'd like to mark ssh response packets from the local router (1.1.1.1) with
> CS2, so I can match them in the tunnel policy shown below.
>
> Has anyone come across this task before?
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
>
> interface Tunnel0
>  ip address 2.2.2.2 255.255.255.0
>  qos pre-classify
>  <snip>
>  tunnel source FastEthernet0/0
>  tunnel mode gre multipoint
>  tunnel protection ipsec profile protect-gre shared
> !
> interface FastEthernet0/0
>  desc DSL/Cable/FiOS
>  ip address 3.3.3.3 255.255.255.0
>  bandwidth 768
>  bandwidth receive 1500
>  service-policy output SHAPE-OUT-768
> !
> class-map match-any SSH
>  match ip dscp cs2
> !
> policy-map SHAPE-OUT-768
>  class class-default
>   shape average 768000
>   service-policy SSH
> !
> service-policy SSH
>  class SSH
>   bandwidth percent 5
>  class class-default
>   fair-queue
>   queue-limit 15 packets
>
>
>
> --Andrey
>
>