management traffic QoS on Tunnel interfaces

Jon Mitchell jrmitche at puck.nether.net
Tue Jul 30 00:45:15 UTC 2013


On some platforms locally generated traffic bypasses egress intf ACL/QoS; try your test with an ACL on ingress on a diff router in the path.

-Jon

On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov <khomyakov.andrey at gmail.com> wrote:

> Looks like exactly what I'm looking for, but for some reason doesn't work.
> Below produces 0 packet match.
> 
> ip ssh prec 2
> 
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
> 
> As a test I also tried this:
> 
> ip access-list extended Management_Access
> remark Play nice with router management traffic
> permit tcp any range 22 telnet any
> permit tcp any any range 22 telnet
> 
> class-map match-any management
> match access-group name Management_Access
> 
> policy-map Mark-Local-SSH
> class management
> set ip dscp cs2
> 
> ip local policy route-map Mark-Local-SSH
> 
> ---
> Later on this matches 0 packets in both cases
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
> 
> --Andrey
> 
> 
> On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch at gmail.com> wrote:
> 
>> Newer IOS support setting precedence or DSCP for outbound SSH:
>> 
>> ip ssh prec 2
>> 
>> 
>> Thanks,
>> 
>> Chuck
>> 
>> -----Original Message-----
>> From: Andrey Khomyakov [mailto:khomyakov.andrey at gmail.com]
>> Sent: Monday, July 29, 2013 12:07 PM
>> To: Nanog
>> Subject: management traffic QoS on Tunnel interfaces
>> 
>> Hi all,
>> I have been trying to come up with a QoS policy (or rather, where to apply
>> it) for reserving some bandwidth for management traffic to the local router.
>> The setup is that a remote router is a spoke in a DMVPN network, thus has a
>> couple of IPsec GRE tunnel interfaces and a Lo0 for management (SSH).
>> I have no issue working out the service policy for transiting traffic; however,
>> I can't wrap my head around how to reserve some bandwidth for the locally
>> originated SSH traffic (managing the router).
>> 
>> I'd like to mark SSH response packets from the local router (1.1.1.1) with
>> CS2, so I can match them in the tunnel policy shown below.
>> 
>> Has anyone come across this task before?
>> 
>> interface Loopback0
>> ip address 1.1.1.1 255.255.255.255
>> 
>> interface Tunnel0
>> ip address 2.2.2.2 255.255.255.0
>> qos pre-classify
>> <snip>
>> tunnel source FastEthernet0/0
>> tunnel mode gre multipoint
>> tunnel protection ipsec profile protect-gre shared
>> !
>> interface FastEthernet0/0
>> desc DSL/Cable/FiOS
>> ip address 3.3.3.3 255.255.255.0
>> bandwidth 768
>> bandwidth receive 1500
>> service-policy output SHAPE-OUT-768
>> !
>> class-map match-any SSH
>> match ip dscp cs2
>> !
>> policy-map SHAPE-OUT-768
>> class class-default
>> shape average 768000
>> service-policy SSH
>> !
>> policy-map SSH
>> class SSH
>>  bandwidth percent 5
>> class class-default
>>  fair-queue
>>  queue-limit 15 packets
>> 
>> --Andrey
>> 
>> 
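One way to run the downstream check Jon describes, as an added example that is not code from the thread: decode the TOS byte of IPv4 packets captured on the next router and emulate the thread's match-any SSH class-map, which also shows that `match ip precedence 2` pulls any DSCP 16-23 (AF21-AF23 included) into class SSH, not only CS2. The packets, the 10.0.0.x addresses and the labels are constructed samples.

```python
import socket
import struct

# The thread's "class-map match-any SSH" has two lines, "match ip dscp cs2" and
# "match ip precedence 2"; match-any means either one classifies the packet.
DSCP_CS2 = 16  # cs2 = 010000b, i.e. precedence 2 with zero class-selector bits; TOS 0x40


def tos_fields(tos):
    """Split an IPv4 TOS/DS byte into (dscp, precedence, ecn)."""
    return (tos >> 2) & 0x3F, (tos >> 5) & 0x7, tos & 0x3


def build_ipv4(tos, src, dst, proto=6, payload=b""):
    """Constructed minimal IPv4 header (checksum left at zero) for offline testing."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def ipv4_tos(packet):
    """TOS byte of a raw IPv4 packet, as an ingress ACL on the next router would see it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def ssh_class_matches(packet):
    """Emulate the match-any SSH class-map on one packet."""
    dscp, prec, _ = tos_fields(ipv4_tos(packet))
    return dscp == DSCP_CS2 or prec == 2


def classify(packets):
    """Map each labelled raw packet to the class it would land in under SHAPE-OUT-768."""
    return {label: ("SSH" if ssh_class_matches(pkt) else "class-default")
            for label, pkt in packets.items()}


# Constructed samples of what a capture downstream of the router might contain.
SAMPLES = {
    "ssh-reply-cs2": build_ipv4(0x40, "1.1.1.1", "10.0.0.5"),       # 'ip ssh prec 2' took effect
    "ssh-reply-unmarked": build_ipv4(0x00, "1.1.1.1", "10.0.0.5"),  # marking was bypassed
    "af21-transit": build_ipv4(0x48, "10.0.0.9", "10.0.0.5"),       # dscp 18, prec 2: also class SSH
    "cs1-transit": build_ipv4(0x20, "10.0.0.9", "10.0.0.5"),        # dscp 8, prec 1: class-default
}

if __name__ == "__main__":
    for label, cls in classify(SAMPLES).items():
        dscp, prec, _ = tos_fields(ipv4_tos(SAMPLES[label]))
        print(f"{label:20s} dscp={dscp:2d} prec={prec} -> {cls}")
```

If the unmarked reply shows up on the ingress ACL of the next hop, the router never applied the marking on the way out, which is the platform behaviour Jon describes.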




More information about the NANOG mailing list