Re: management traffic QoS on Tunnel interfaces

[Jon Mitchell <jrmitche () puck nether net>]

On some platforms locally generated traffic bypasses egress intf ACL/QoS, try your test with an ACL on ingress on a 
diff router in the path.

-Jon

On Jul 29, 2013, at 11:09 PM, Andrey Khomyakov <khomyakov.andrey () gmail com> wrote:

> Looks like exactly what I'm looking for, but for some reason doesn't work.
> Below produces 0 packet match.
>
> ip ssh prec 2
>
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
>
>
> As a test I also tried this:
>
>
>
> ip access-list extended Management_Access
> remark Play nice with router management traffic
> permit tcp any range 22 telnet any
> permit tcp any any range 22 telnet
>
> class-map match-any management
> match access-group name Management_Access
>
> policy-map Mark-Local-SSH
> class management
> set ip dscp cs2
>
> ip local policy route-map Mark-Local-SSH
>
> ---
> Later on this matches 0 packets in both cases
> class-map match-any SSH
> match ip dscp cs2
> match ip precedence 2
>
>
>
>
>
> --Andrey
>
>
> On Mon, Jul 29, 2013 at 3:47 PM, Chuck Church <chuckchurch () gmail com> wrote:
>
> > Newer IOS support setting precedence or DSCP for outbound SSH:
> >
> > ip ssh prec 2
> >
> >
> > Thanks,
> >
> > Chuck
> >
> > -----Original Message-----
> > From: Andrey Khomyakov [mailto:khomyakov.andrey () gmail com]
> > Sent: Monday, July 29, 2013 12:07 PM
> > To: Nanog
> > Subject: management traffic QoS on Tunnel interfaces
> >
> > Hi all,
> > I have been trying to come up with a qos policy (or rather where to apply
> > it) for reserving some bandwidth for management traffic to the local router
> > The setup is that a remote route is a spoke to a DMVPN network, thus has a
> > couple of ipsec gre tunnel interfaces and a Lo0 for management (ssh).
> > I have no issue working out service policy for transiting traffic, however,
> > I can't wrap my head around how to reserve some bandwidth for the locally
> > originated SSH traffic (managing the router).
> >
> > I'd like to mark ssh response packets from the local router (1.1.1.1) with
> > CS2,so i can match them in the tunnel policy shown below.
> >
> > Has anyone come across this task before?
> >
> > interface Loopback0
> > ip address 1.1.1.1 255.255.255.255
> >
> > interface Tunnel0
> > ip address 2.2.2.2 255.255.255.0
> > qos pre-classify
> > <snip>
> > tunnel source FastEthernet0/0
> > tunnel mode gre multipoint
> > tunnel protection ipsec profile protect-gre shared !
> > interface FastEthernet0/0
> > desc DSL/Cable/FiOS
> > ip address 3.3.3.3 255.255.255.0
> > bandwidth 768
> > bandwidth receive 1500
> > service-policy output SHAPE-OUT-768
> > !
> > class-map match-any SSH
> > match ip dscp cs2
> > !
> > policy-map SHAPE-OUT-768
> > class class-default
> > shape average 768000
> > service-policy SSH
> > !
> > service-policy SSH
> > class SSH
> >  bandwidth percent 5
> > class class-default
> >  fair-queue
> >  queue-limit 15 packets
> >
> >
> >
> > --Andrey