management traffic QoS on Tunnel interfaces

Andrey Khomyakov khomyakov.andrey at
Mon Jul 29 16:07:19 UTC 2013

Hi all,
I have been trying to come up with a qos policy (or rather where to apply
it) for reserving some bandwidth for management traffic to the local router
The setup is that a remote route is a spoke to a DMVPN network, thus has a
couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
I have no issue working out service policy for transiting traffic, however,
I can't wrap my head around how to reserve some bandwidth for the locally
originated SSH traffic (managing the router).

I'd like to mark ssh response packets from the local router ( with
CS2,so i can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
ip address

interface Tunnel0
ip address
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile protect-gre shared
interface FastEthernet0/0
desc DSL/Cable/FiOS
ip address
bandwidth 768
bandwidth receive 1500
service-policy output SHAPE-OUT-768
class-map match-any SSH
match ip dscp cs2
policy-map SHAPE-OUT-768
 class class-default
 shape average 768000
 service-policy SSH
service-policy SSH
 class SSH
   bandwidth percent 5
 class class-default
   queue-limit 15 packets


More information about the NANOG mailing list