management traffic QoS on Tunnel interfaces

Andrey Khomyakov khomyakov.andrey at gmail.com
Mon Jul 29 20:11:42 UTC 2013


Darren,
My understanding is that qos-preclassify will only copy the ToS header from
the original packet to the encrypted packet. Since the service-policy is applied
to the physical interface and is looking at already encrypted traffic, ACLs won't
see the original source/destination.
Andrey


--Andrey


On Mon, Jul 29, 2013 at 12:31 PM, Darren O'Connor <darrenoc at outlook.com> wrote:

> In this class you are matching:
>
> class-map match-any SSH
> match ip dscp cs2
>
> Why not just match an ACL for SSH traffic from the local router back to your management range?
>
>
>
> > From: khomyakov.andrey at gmail.com
> > Date: Mon, 29 Jul 2013 12:07:19 -0400
> > Subject: management traffic QoS on Tunnel interfaces
> > To: nanog at nanog.org
>
> >
> > Hi all,
> > I have been trying to come up with a qos policy (or rather where to apply
> > it) for reserving some bandwidth for management traffic to the local router.
> > The setup is that a remote router is a spoke to a DMVPN network, thus has a
> > couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
> > I have no issue working out service policy for transiting traffic, however,
> > I can't wrap my head around how to reserve some bandwidth for the locally
> > originated SSH traffic (managing the router).
> >
> > I'd like to mark ssh response packets from the local router (1.1.1.1) with
> > CS2, so I can match them in the tunnel policy shown below.
> >
> > Has anyone come across this task before?
> >
> > interface Loopback0
> > ip address 1.1.1.1 255.255.255.255
> >
> > interface Tunnel0
> > ip address 2.2.2.2 255.255.255.0
> > qos pre-classify
> > <snip>
> > tunnel source FastEthernet0/0
> > tunnel mode gre multipoint
> > tunnel protection ipsec profile protect-gre shared
> > !
> > interface FastEthernet0/0
> > desc DSL/Cable/FiOS
> > ip address 3.3.3.3 255.255.255.0
> > bandwidth 768
> > bandwidth receive 1500
> > service-policy output SHAPE-OUT-768
> > !
> > class-map match-any SSH
> > match ip dscp cs2
> > !
> > policy-map SHAPE-OUT-768
> > class class-default
> > shape average 768000
> > service-policy SSH
> > !
> > policy-map SSH
> > class SSH
> > bandwidth percent 5
> > class class-default
> > fair-queue
> > queue-limit 15 packets
> >
> >
> >
> > --Andrey
>
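The point the thread turns on is what a classifier on the physical interface can still see once the GRE packet has been ESP-encrypted. The toy model below is an added example, not IOS code and not from either poster: it marks the router's own SSH responses CS2 (Andrey's marking step), encapsulates them into an outer ESP packet whose ToS byte is copied from the inner packet, and then runs both classifiers from the thread (`match ip dscp cs2` and Darren's ACL on local-router/port-22/management-range) at the physical interface. Whether pre-classification leaves the original headers visible to that classifier is modelled as a flag, stated here as an assumption rather than something the thread settles. Addresses 1.1.1.1 and 3.3.3.3 come from the posted config; the management range 10.0.0.0/24, the hub address 198.51.100.1 and the sample packets are constructed.

```python
"""Toy model of QoS classification on an encrypted GRE/IPsec tunnel.

Constructed example: models marking of locally originated SSH replies,
ToS/DSCP copy to the outer ESP header, and classification on the physical
interface with and without pre-classification (assumed behaviour).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

DSCP_CS2 = 16  # CS2 = 010 000 in the six DSCP bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "esp"
    dscp: int = 0
    sport: Optional[int] = None
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # original headers, kept only when pre-classified
    encrypted: bool = False


def mark_local_ssh_response(pkt: Packet, local_addr: str) -> Packet:
    """Set CS2 on TCP/22 replies the router itself sends (the marking the
    original poster wants to apply on the loopback/tunnel side)."""
    if pkt.src == local_addr and pkt.proto == "tcp" and pkt.sport == 22:
        return replace(pkt, dscp=DSCP_CS2)
    return pkt


def gre_ipsec_encap(pkt: Packet, tunnel_src: str, tunnel_dst: str,
                    preclassify: bool) -> Packet:
    """GRE + ESP encapsulation. The ToS byte is copied to the outer header; the
    original 5-tuple is encrypted and (assumption) retained for the classifier
    only when pre-classification is in effect."""
    return Packet(src=tunnel_src, dst=tunnel_dst, proto="esp", dscp=pkt.dscp,
                  inner=pkt if preclassify else None, encrypted=True)


def acl_match_ssh_to_mgmt(pkt: Packet, local_addr: str, mgmt_range: str) -> bool:
    """Darren's suggestion: an ACL for SSH from the local router to the
    management range, e.g. 'permit tcp host 1.1.1.1 eq 22 10.0.0.0 0.0.0.255'."""
    return (pkt.proto == "tcp" and pkt.src == local_addr and pkt.sport == 22
            and ip_address(pkt.dst) in ip_network(mgmt_range))


def classify_on_physical(pkt: Packet, local_addr: str, mgmt_range: str):
    """Classifier at FastEthernet0/0 (service-policy output).
    Returns (dscp_match, acl_match). It inspects the packet as handed to the
    interface: the outer header, plus retained inner headers if present."""
    visible = pkt.inner if pkt.inner is not None else pkt
    dscp_match = pkt.dscp == DSCP_CS2            # 'match ip dscp cs2' on the outer ToS byte
    acl_match = acl_match_ssh_to_mgmt(visible, local_addr, mgmt_range)
    return dscp_match, acl_match


def simulate(preclassify: bool) -> dict:
    """Push one SSH reply and one transit flow through marking, encapsulation
    and physical-interface classification. Sample packets are constructed."""
    local, mgmt, hub = "1.1.1.1", "10.0.0.0/24", "198.51.100.1"
    flows = {
        "ssh_reply": Packet(src=local, dst="10.0.0.5", proto="tcp", sport=22, dport=51515),
        "transit_web": Packet(src="192.168.1.10", dst="10.0.0.5", proto="tcp",
                              sport=44444, dport=443),
    }
    results = {}
    for name, pkt in flows.items():
        marked = mark_local_ssh_response(pkt, local)
        outer = gre_ipsec_encap(marked, "3.3.3.3", hub, preclassify)
        results[name] = classify_on_physical(outer, local, mgmt)
    return results


if __name__ == "__main__":
    for flag in (False, True):
        print(f"preclassify={flag}: {simulate(flag)}")
```

Without pre-classification the SSH reply is matched only by its DSCP (the ACL sees ESP between 3.3.3.3 and the hub), which is why the posted design marks at the tunnel side and matches `dscp cs2` at the physical interface; with the retained headers, the ACL matches too. The same copied ToS byte that makes the DSCP match work also means the traffic class of an encrypted flow is readable on the wire, which is worth keeping in mind when deciding what to mark on a management path.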


