management traffic QoS on Tunnel interfaces

Chuck Church chuckchurch at
Mon Jul 29 19:47:15 UTC 2013

Newer IOS supports setting precedence or DSCP for outbound SSH:

ip ssh prec 2



-----Original Message-----
From: Andrey Khomyakov [mailto:khomyakov.andrey at] 
Sent: Monday, July 29, 2013 12:07 PM
To: Nanog
Subject: management traffic QoS on Tunnel interfaces

Hi all,
I have been trying to come up with a QoS policy (or rather where to apply
it) for reserving some bandwidth for management traffic to the local router.
The setup is that a remote router is a spoke to a DMVPN network, thus has a
couple of IPsec GRE tunnel interfaces and a Lo0 for management (ssh).
I have no issue working out service policy for transiting traffic, however,
I can't wrap my head around how to reserve some bandwidth for the locally
originated SSH traffic (managing the router).

I'd like to mark ssh response packets from the local router ( with
CS2, so I can match them in the tunnel policy shown below.

Has anyone come across this task before?

interface Loopback0
 ip address
!
interface Tunnel0
 ip address
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre shared
!
interface FastEthernet0/0
 desc DSL/Cable/FiOS
 ip address
 bandwidth 768
 bandwidth receive 1500
 service-policy output SHAPE-OUT-768
!
class-map match-any SSH
 match ip dscp cs2
!
policy-map SHAPE-OUT-768
 class class-default
  shape average 768000
  service-policy SSH
!
policy-map SSH
 class SSH
  bandwidth percent 5
 class class-default
  queue-limit 15 packets

